Sometimes port forwarding is a pain, even when all settings appear to be correct. These tips will help.
What to do if the configured port sharing does not work with the Fritzbox.
You have set up several shares in the Fritzbox. Both refer to the web interface of home network devices, for example a NAS and an IP camera. External access works with one device, but not with the other.
In the Fritzbox, check the entries in the “Internet -› Approvals -› Port Approvals” menu. Next to one of the externally assigned ports you will see a warning symbol in the form of an exclamation mark. With it, the Fritzbox signals that it has assigned a different port than the one you specified during setup. This happens when the port has already been forwarded to another device or is used by the Fritzbox itself. This is often the case for ports 80 and 443.
You now have two options: On the one hand, you can use the external port that the Fritzbox assigned automatically by entering it after the colon in the access address. To do this, however, you must also enter this port on the home network device or in the application that you want to reach via the Internet.
Or you edit the port share in the Fritzbox: Under “Port to device” the original port number remains; under “Port external desired” you enter any port number that is not otherwise in use. Once you save the changes, you can reach the home network service by using this port number in the web address.
The browser sounds an alarm when it is accessed
For example, the browser warns of an insecure connection when accessing the web interface of the home NAS. If you are using a certificate, this message does not appear.
You have set up port forwarding to the web interface of your NAS system. It works in principle, but whenever you enter the web address, the browser issues a security warning: The connection is not secure. You can usually still get to the NAS via an option such as “Advanced”. But the constant warning is annoying.
When the browser connects to a web server using the secure HTTPS protocol, the web server identifies itself as trustworthy with an SSL certificate. Most websites buy these from certificate providers. If you make your NAS system accessible from the Internet, it also offers server services and therefore needs a certificate: On many NAS systems you can request a free certificate from the Let’s Encrypt certification authority.
With a Synology NAS, for example, this can be done in the menu “Control Panel -› Security -› Certificate”. If you link the certificate to the DynDNS address of the NAS system, the error message will no longer appear when you access it via the browser.
DNS Rebind Protection error message
This error message appears if the Fritzbox does not know the web address with which you want to reach a home network device. You should therefore save it in the router menu.
You want to reach a home network device via port forwarding. To do this, you have obtained a permanent web address from a DynDNS service. But if you enter this in the browser, you will receive an error message: “The DNS rebind protection of your FRITZ!Box has rejected your request for security reasons.”
The router blocks access to the unknown web address, because a DNS rebind attack could be behind it, in which an attacker redirects requests to a manipulated website in order to distribute malware. But since you know that this web address is harmless, you can store it as trustworthy in the Fritzbox. You do this in the router menu under “Home network -› Network -› Network settings”. Click on the blue link “further settings”. In the box under “DNS rebind protection”, enter the web addresses for which the exception should apply. Put each address on its own line.
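The general technique behind DNS rebind protection, shown as an added example that is not AVM's code: a resolver-side filter rejects DNS answers that point a name at a home-network address unless the name is on the exception list. The host names, addresses and the exact-match rule are assumptions made for illustration.

```python
import ipaddress

# Address ranges that only exist inside a home network (RFC 1918, loopback,
# link-local, IPv6 ULA). Listed explicitly so the rule is easy to read.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed exception list, one host name per line as in the router text box.
EXCEPTIONS_TEXT = """
mynas.dyndns.example
Cam.dyndns.example.
"""

def parse_exceptions(text):
    """Normalise the text box content: one name per line, case-insensitive."""
    return {line.strip().lower().rstrip(".")
            for line in text.splitlines() if line.strip()}

def is_internal(address):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETS)

def check_answer(name, addresses, exceptions):
    """Decide whether a DNS answer (name -> addresses) may pass the filter."""
    host = name.strip().lower().rstrip(".")
    internal = [a for a in addresses if is_internal(a)]
    if not internal:
        return "allow", "answer contains public addresses only"
    if host in exceptions:  # assumption: exact host name match
        return "allow", "host name is a listed exception"
    return "block", "unlisted name resolves to internal address " + internal[0]

if __name__ == "__main__":
    exceptions = parse_exceptions(EXCEPTIONS_TEXT)
    for name, addrs in [                      # constructed DNS answers
            ("mynas.dyndns.example", ["192.168.178.20"]),
            ("unknown.example", ["203.0.113.10", "192.168.178.1"]),
            ("www.example", ["203.0.113.10"])]:
        print(name, addrs, *check_answer(name, addrs, exceptions))
```

An answer that mixes a public and an internal address is blocked as well, since one internal record is enough for a rebind.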
Port control: How to check your shares
With a regular check you can keep track of open ports on the router. You should definitely deactivate shares that you no longer need.
With port sharing, you weaken the protective function of your router. There is little risk if you only open ports that you need and secure the procedure as described. Nevertheless, you should regularly check which ports are open and, if necessary, terminate shares that you no longer use or only rarely use.
The first port of call for this is the router menu: There you should find a list of the port shares that have been set up. In the Fritzbox, for example, go to the “Diagnosis -› Security” menu. Here, under “1. Connection, Internet”, you will find the ports that are open for external access to router services such as the user interface, VPN or telephony. In addition, the Fritzbox shows the port shares to home network devices. You can make changes by clicking on “Edit”. If you activate the push service in the Fritzbox (“System -› Push Service”), the router informs you about changes to the settings in the menu, including port sharing. To do this, select the entry “Change notice”.
Open ports can also be found using free port scanners such as Nmap or online services such as www.dnstools.ch/port-scanner.html. The device that performs the scan must be outside your own network. Important: You are only allowed to check the public IP address of your own router from the Internet. With many online services, you have to confirm before the scan that the public IP address that has been determined is assigned to you. By scanning a third-party IP address, you may be liable to prosecution.
Using an online service such as dnstools.ch, you can check externally which ports are open on your router and close them in the router menu if necessary.
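To turn the regular check into a repeatable comparison, the following added example (not part of the original article) parses Nmap's grepable output (`-oG`) from a scan of your own router's public address and compares the open TCP ports with the port shares you intend to keep. The sample scan line, the address and the list of expected shares are constructed.

```python
# Constructed sample of `nmap -oG -` output for your own public address.
SAMPLE_SCAN = (
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 22/closed/tcp//ssh///, "
    "443/open/tcp//https///, 5001/open/tcp//commplex-link///, "
    "8080/open/tcp//http-proxy///\tIgnored State: filtered (996)\n"
)

# Port shares you want to keep: external port -> purpose (hypothetical).
EXPECTED = {443: "NAS web interface", 5001: "NAS file service",
            8443: "IP camera"}

def open_tcp_ports(grepable):
    """Return the set of open TCP ports listed in grepable Nmap output."""
    ports = set()
    for line in grepable.splitlines():
        if "Ports:" not in line:
            continue
        # The Ports field ends at the next tab-separated field.
        field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in field.split(","):
            parts = entry.strip().split("/")  # port/state/protocol/...
            if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                ports.add(int(parts[0]))
    return ports

def audit(grepable, expected):
    """Compare scan results with the shares that are supposed to exist."""
    found, wanted = open_tcp_ports(grepable), set(expected)
    return {
        "unexpected": sorted(found - wanted),  # open, but no share on record
        "missing": sorted(wanted - found),     # share on record, not reachable
        "confirmed": sorted(found & wanted),
    }

if __name__ == "__main__":
    for category, ports in audit(SAMPLE_SCAN, EXPECTED).items():
        print(category + ":", ports)
```

Ports reported as unexpected are the ones to look up in the router menu and deactivate if no longer needed.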