Differences

This shows you the differences between two versions of the page.

--- admin-access [2024/11/28 22:59] – [SSL Certificate] -Condense hogwild
+++ admin-access [2025/08/23 05:43] (current) – [Telnet Daemon] -Resize screenshot to 332 hogwild
@@ Line 6: / Line 6: @@
 ===== Web Admin =====
-This section has settings to control who can access FreshTomato's web interface, how, and from where. You can also which menus stay nested or shown. Finally, it also has settings for the interface's color scheme.  \\   \\ **Local Access:  **here, choose the web protocols allowed for communication with the web interface via LAN. \\ Port and Wireless access options appear, depending on the selection you choose. \\  \\
+Settings here control who can access the web interface, how, and from where. You can choose which menus stay nested or shown and settings for the interface's color scheme.
+ \\
+**Local Access:** here, choose the web protocols allowed for communication with the web interface via LAN. \\ Port and Wireless access options appear, depending on your selection. \\  \\  {{::administration-admin_access-web_admin-local_access_to_allow_wireless_access-2025.3.png?351}}
+ \\
   * Disabled - disables all LAN access to FreshTomato's web\\ interface via web protocols.
-  * HTTP - lets LAN Ethernet clients access the web interface via HTTP.
+  * HTTP - lets LAN Ethernet clients access the web interface via HTTP only.
-    * HTTP Port - enter the port on which to allow HTTP administration \\ traffic to flow. (Default: 80).
+    * HTTP Port - enter the port on which to allow HTTP  \\ administration traffic to flow. (Default: 80).
-    * Allow Wireless Access - lets LAN WiFi clients access the \\ web interface. (Default: enabled).
-  * HTTPS - allows Ethernet LAN clients to access the web interface \\ via HTTPS (SSL-encrypted web).
+  * HTTPS - lets Ethernet LAN clients access the web interface \\ via HTTPS only.
-    * HTTPS port: the HTTPS port to use. (Appears only if  \\ HTTPS is a chosen option).
+    * HTTPS port: the HTTPS port to use.
-    * Allow Wireless Access - lets LAN WiFi clients access  \\ THE web interface via HTTPS. (Default: enabled).
-  * HTTP and HTTPS - allows Ethernet LAN clients to access the \\ web interface via HTTP and HTTPS.
+  * HTTP and HTTPS - lets Ethernet LAN clients to access  \\ the web interface via HTTP and HTTPS.
     * HTTP Port - the port on which HTTP administration  \\ traffic will flow. (Default: 80).
     * HTTPS port: the HTTPS port to use. (shows only if  \\ HTTPS is a chosen option).
-    * Allow Wireless Access - lets LAN WiFi clients access  \\ the web interface. (Default: enabled).
- \\
- \\ {{::administration-admin_access-web_admin-2024.3.png?539}}
  \\
+**Listen on LAN1 (br1):** sets whether admin services (web interface/SSH/Telnet) listen for connections on the "LAN1 (br1) interface.
-==== SSL Certificate ====
+If you have multiple LANs, this lets clients on the LAN1/br1 network connect to/manage the router from their local network.
-These options appear if you've chosen "HTTPS" or "HTTP and HTTPS" in //Local Access//.
  \\
-**Common Name (CN): **the human-friendly name of the SSL web administration certificate to generate.
+  * Allow Wireless Access - lets LAN WiFi clients access \\ the web interface.The WiFi clients will be able to access \\ the web interface via whichever methods have been selected \\ in Local Access. (Default: enabled).
-Technically, this represents the server name protected by the SSL certificate. In this case, FreshTomato is acting as the server.
+ \\
-The certificate is valid only if the requested hostname matches the certificate common name. If you connect to an address that doesn't match the certificate's common name, your browser will display a warning message. Thus, if you were to connect to FreshTomato, and the address detected didn't match the one in the certificate, you'd receive a warning.
+**Unmount JFFS during upgrade:** if enabled, unmounts any JFFS partitions during firmware upgrades.
-Officially, this field is optional. However, it is unwise to leave it empty. Starting with release 2024.4, this field uses "FT" as the default. \\  \\
+This safeguard feature is supported since r2021.2.
-**Regenerate: **checking this makes FreshTomato generate a new certificate.
+ \\
-It then restarts the httpd service to load the new certificate.
+{{::administration-admin_access-web_admin-unmount_jffs_during_upgrade_to_port-2025.3.png?584}}
- \\ \\ **Save in NVRAM:** checking this saves the newly-generated certificate in NVRAM.
  \\
-**Remote Access:**  lets you select whether/how a user can remotely access the web interface.
+**Allow Remote Upgrade:** allows authenticated Internet/WAN clients to upgrade firmware via the web interface.
  \\
-  * Disabled - prevents all access to the web interface via the \\ WAN port/Internet. Only LAN clients will be able to access the \\ web interface. This is the default and recommended setting \\ for security reasons.
+**Remote Access:** lets you specify which, if any protocols are allowed remote access to the web interface.\\   \\
-  * HTTP - allows web access to the WAN interface/Internet \\ only via HTTP protocol.
+  * Disabled - no remote access to the web interface is permitted.
-  * HTTPS - allows web access to the WAN interface/Internet \\ only via HTTPS protocol (SSL-encrypted web).
+  * HTTP - remote access via HTTP is permitted. \\
+    * Port - the HTTP port on which the router will listen \\ for web traffic on the WAN interface.
- \\  \\
+  * HTTPS - remote access via HTTPS is permitted. \\
+    * Port - the HTTPS port on which the router will listen \\ for web traffic on the WAN interface.
-**Unmount JFFS during upgrade:** if enabled, unmounts any JFFS partitions during firmware upgrades.
+ \\ \\
-This feature is supported starting with release 2021.2.
+**SSL Certificate:**
- \\
+These options appear only if "HTTPS" or "HTTP and HTTPS" is selected in //Local Access//.
-**Allow Remote Upgrade:** allows authenticated Internet/WAN clients to upgrade firmware via the web interface.
+ \\ {{::administration-admin_access-ssl_cert-2025.3.png?529}}
  \\
-**Remote Access:** lets you specify which, if any protocols are allowed remote access to the web interface.
+  * Common Name (CN) - the plain English name of the SSL web administration certificate to generate. \\ \\ This is the server name protected by the SSL certificate. \\ In this case, FreshTomato acts as the server. The certificate \\ is valid only if the requested hostname matches the \\ certificate common name. If you connect to an address \\ that doesn't match the certificate's common name, your browser \\ will display a warning message. If you were to connect to FreshTomato, \\ and the address detected didn't match the one in the certificate, \\ you'd receive a warning. Officially, this field is optional. \\ However, it's unwise to leave it empty. Starting with r2024.4, \\ this field uses "FT" as the default. \\  \\
+  * Regenerate - makes FreshTomato generate a new certificate. \\ It then restarts the httpd service to load the new certificate.\\  \\
+  * Save in NVRAM - this saves the new certificate in NVRAM.
- \\
+ \\   \\
-  * Disabled - no remote access to the web interface will be permitted.
+**UI files path:** here, set the directory containing files that provide the web interface. \\ \\ CAUTION: Don't change this unless you're experienced. It could prevent access to the web interface.
-  * HTTP - remote access via HTTP will be permitted.
-  * HTTPS - remote access via HTTPS will be permitted.
  \\
-**Allow Wireless Access:**  lets WiFi (and Ethernet) clients access the web interface.
+{{::administration-admin_access-ui_files_path_to_theme_ui-2025.3.png?516}}
-(Default: Disabled).
  \\
-**Directory with GUI files:** here, choose the directory containing files that provide the web interface. \\ \\ CAUTION: Don't change this unless you're experienced. It could prevent access to the web interface.
+**Theme UI:** here, choose the color scheme of the web interface. (Default: Default).
  \\
-**Theme UI:** here, choose the color scheme (theme) of the web interface. (Default: Default).
+**Open Menus:** menus checked here show their submenus as open.
+Unchecked menu names will display their submenus as nested.
  \\
-**Open Menus:** menus checked here shows their submenus as open.
+{{::administration-admin_access-open_menus-2025.3.png?258}}
-Unchecked menu names will display their submenus as nested.
  \\
-===== SSH Daemon =====
+===== SSH Server =====
-The Secure SHell tunneling protocol lets you make secure local and remote connections to FreshTomato. With the help of the Dropbear service, it also lets you make SSH connections //though //the router to LAN client devices. Settings here let you enable/disable the SSH Daemon and the Dropbear daemon, and configure their operation.
+The Secure SHell tunneling protocol lets you make secure local and remote connections to FreshTomato. With the help of the Dropbear service, it also lets you make SSH connections //through //the router to LAN clients. Settings here let you enable/disable the SSH Daemon and the Dropbear daemon, and configure their operation.
  \\
-**Enable at Startup:**  checking this starts the SSH Daemon when the router boots. (Default: Enabled).
+**Enable on Startup:** checking this starts the SSH Server when the router boots.
+When started, the green Up indicator near the bottom of this section appears.
+(Default: Enabled).
  \\
-**Extended MOTD:**  enables the Message of the Day function.
+**Extended MOTD:** enables the Message of the Day function.
-This displays a custom message when you first log in via Telnet. It can be important information, updates about the system or just a personal greeting from the administrator.
- \\ {{::administration-admin_access-ssh_daemon-2024.3.png?550}}
+This displays a custom message at log in via Telnet. It can be important information, an update notice or a personal greeting from the administrator.
  \\
-**Remote Access:**  allows SSH connections from remote WAN/Internet clients. (Default: Disabled).
+{{::administration-admin_access-ssh_server-2025.3.png?500}}
  \\
-**Remote Forwarding:  **enables the Dropbear service/daemon.
+**Allow Password Login: **lets clients login via SSH with only the normal administrative username/password.
-Dropbear provides SSH services on the router, including SSH port tunneling and forwarding. Don't confuse this with standard (local) Port Forwarding.
+An authorized encryption key isn't needed. When disabled, SSH requires an authorized key to let clients logon.
-For example, say you want to access a PC on your LAN via Remote Desktop. However, you don't want the security risk of using standard port forwarding to open a port for RDP to the Internet.
+\\
-Instead, you (the SSH client) can make a connection into the router (the SSH Server.) You can configure Dropbear to forward/tunnel SSH traffic through the router to another network host. In this case, say "127.0.0.1:1234" gets tunneled/forwarded through SSH to a PC with address: "192.168.1.66:3389".
+**LAN Port: **sets the port on which SSH traffic flows.
-This way, when you are connected to the the router via SSH, you can run RDP on your machine, connect to 127.0.0.1:1234 and you're securely connected to 192.168.1.66 on your LAN. All traffic flows through SSH, and thus is encrypted. (To be fair, RDP already uses encryption, but it's weaker than SSH encryption). In such cases, the SSH server is known as a "//jump host//", and the final destination PC is known as a "//target host//". \\  \\
+Changing this from the default is highly recommended. Port 22 is constantly scanned by Internet hackers.
-**Port:  **sets the port on which SSH traffic flows.
+(Default: 22).
-Changing this from the default is highly recommended. Port 22 is constantly scanned by Internet hackers. (Default: 22).
+\\
- \\
+**Port Forwarding:  **enables the Dropbear daemon.
-**Allow Password Login:  **lets clients login via SSH with only the normal administrative username/password.
+Dropbear provides SSH services on the router, including SSH port tunneling/forwarding. Don't confuse this with standard (local) Port Forwarding.
-No authorized encryption key is needed. When disabled, SSH requires an authorized key to allow clients to logon.
+For example, you want to access a PC on your LAN via Remote Desktop. However, you don't want the security risk of using standard port forwarding to open a port for RDP to the Internet.
- \\
+Instead, you (the SSH client) can make a connection into the router (the SSH Server.) You can configure Dropbear to forward/tunnel SSH traffic through the router to another network host. In this case, say "127.0.0.1:1234" gets tunneled/forwarded through SSH to a PC with address: "192.168.1.66:3389".
-**Authorized Keys:**  one or more encryption keys that authorize an SSH client to access to the LAN.
+This way, when you are connected to the the router via SSH, you can run RDP on your machine, connect to 127.0.0.1:1234 and you're securely connected to 192.168.1.66 on your LAN. All traffic flows through SSH, and thus is encrypted. (To be fair, RDP already uses encryption, but it's weaker than SSH encryption). In such cases, the SSH server is known as a "//jump host//", and the final destination PC is known as a "//target host//". \\  \\
+**WAN Access:** Allows SSH Server access via the WAN interface.
+ \\ **Authorized Keys:** here, enter one or more encryption keys that authorize an SSH client to access to the LAN.
  \\
@@ Line 153: / Line 157: @@
 **Stop Now/Start Now:** clicking this instantly stops/starts SSH, whichever is the opposite of its current state.
-The button will display its current state, and later the opposite option after you click on it. The SSH daemon will start again at next bootup (if //Enable at Startup//) is enabled.
+The button displays its current state, and then the opposite state after you click on it. SSH will start again at next bootup (if //Enable at Startup// is enabled).
 ===== Telnet Daemon =====
-(Terminal EmuLation over the NEtwork) is a protocol which allows LAN and remote connections via a command-line interface. Unlike SSH, Telnet is not a secure protocol.
+The (Terminal EmuLation over the NEtwork) protocol allows LAN and remote connections via a command-line interface. Unlike SSH, Telnet is not secure.
- \\
 **Enable at Startup:** enables the Telnet Daemon, allowing Telnet connections to FreshTomato.
+ \\ {{::administration-admin_access-telnet_daemon-2025.3.png?332}}\\
  \\
@@ Line 172: / Line 176: @@
 **Stop Now / Start Now. **clicking Stop Now immediately stops the Telnet Daemon.
-When Telnet has stopped, the button reads: "Start Now". Clicking "Start Now" immediately starts Telnet again. The Telnet daemon will restart at next reboot (if Enable at Startup is checked).
+When Telnet has stopped, the button reads: "Start Now". Clicking "Start Now" immediately starts Telnet again. The Telnet daemon will restart at next reboot (if Enable at Startup is checked).\\
- \\ {{::administration-admin_access-telnet_daemon-2024.3.png?335}}
 ===== Admin Restrictions =====
-**Allowed Remote IP Address:** the IP addresses/ DNS names of hosts to allow to connect to the FreshTomato web interface.
+**Allowed Remote IP Address:** the IP addresses/DNS names of hosts to allow to connect to the router's web interface.
 Addresses can be individual, comma-separated, or a dash-separated range, ("1.1.1.1-2.2.2.2"). The setting applies to local and remote administration via HTTP, HTTPS, SSH (if enabled) and Telnet (if enabled).
@@ Line 185: / Line 187: @@
  \\
-**Limit Connection Attempts: ** specifies whether the number of SSH or Telnet connection attempts will be limited to number (n) at certain frequency (f). (Default: 3 connection attempts every 60 seconds).
+{{::administration-admin_access-admin_restrictions-2025.3.png?569}}
+ \\
+**Remote Web Port Protection:**  sets a firewall rule to prevent brute force attacks on ports used for remote administration.
+This option is available only when Remote Access is set to HTTP/HTTPS. Some users report that enabling this feature slowed their remote web access connection.
+ \\
+**Limit Connection Attempts: **Specifies whether SSH/Telnet connection attempts are limited to (//n)// attempts per frequency (//f)//.
 Checking SSH limits the number of SSH connection attempts to number n at frequency f (in seconds). Checking Telnet works similarly.
- \\ {{::administration-admin_access-admin_restrictions-2024.3.png?688}}
+(Default: 3 connection attempts every 60 seconds).
@@ Line 196: / Line 208: @@
 You are strongly urged to change these from the default settings to keep the router and network secure.
- \\
+ \\ **Username:** the FreshTomato logon Username to set. An empty field sets the username: "root". (Default: "root").
-**Username:** the FreshTomato logon Username to set. An empty field sets the username: "root". (Default: "root").
+ \\  \\ {{::administration-admin_access-username_password-2025.3.png?534}}
  \\
@@ Line 207: / Line 219: @@
 **Re-enter to confirm:** enter the password again to confirm it's correct. It will change only when this text and text in the //Password// field match.
- \\
-{{::administration-admin_access-username_password-2024.3.png?523}}
  \\

FreshTomato Wiki

User Tools

Site Tools

Differences

Page Tools