DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Locked out of web interface

24 May 2018 22:00 #1 by andrewc
Locked out of web interface was created by andrewc
Hi
I just upgraded our 2860 to the latest firmware 3.8.8_BT over a stable VPN connection. The upgrade completed successfully using the .all file and after the router rebooted I was able to log in and check the settings.
I was slightly surprised to see that some of the security settings had changed, including the System Maintenance/Management/Internet Access control which I had disabled in accordance with the DrayTek advisory last week. We don't usually use this anyway and access the device remotely only over VPN.
I unchecked the box (and also disabled TLS below 2.0) but when going to save the settings got a warning something along the lines of "are sure you want to do this for LAN1" so I left it unconfirmed to think about it. The system then timed out on me and I now can't log in using the web interface! The router is still running and supporting my VPN connection - I just can't get back in to check the settings with a browser.
Can someone please point me to information on how to get round this either over VPN or locally? I backed up the config before I started onto USB, but don't know how I would reload it without the web interface... Doh!

24 May 2018 23:20 #2 by macavity
Replied by macavity on topic Re: Locked out of web interface
Try the WAN IP both locally and via Wi-Fi or externally from mobile. Also try other LAN ports if you've got different LANs set up, as the access control is per LAN.

If you're not sure of the current WAN IP then use a 'what is my ip' search on Google.

You should be able to plug the USB into a PC to grab the cfg.

25 May 2018 12:29 #3 by andrewc
Replied by andrewc on topic Re: Locked out of web interface
Hi Macavity
Thanks for taking the time to respond.
We don't use any of the other LAN IP ranges but it may be that they are enabled. Unfortunately today coincides with a grid outage for an upgrade at our router location so I can't check either remotely or locally as the router is off! I'll have a look tomorrow when we should be back up hopefully.

My understanding however was that the LAN1 subnet was always allowed to access all router services no matter what the settings for "allow management from the internet" so I wonder if they have changed something with this latest firmware. See the screen at

https://www.draytek.co.uk/support/guides/kb-remotemanagement?highlight=WyJ3ZWIiLCJ3ZWInbid3YWxrIiwiJ3dlYiIsImludGVyZmFjZSIsImludGVyZmFjZSdzIiwiaXMiLCJpbmFjY2Vzc2libGUiLCJ3ZWIgaW50ZXJmYWNlIiwid2ViIGludGVyZmFjZSBpcyIsImludGVyZmFjZSBpcyJd

for confirmation of this.

So if I can't get the web interface working is the only solution to restore the config with TFTP or what?

25 May 2018 12:59 #4 by prushmere
Replied by prushmere on topic Re: Locked out of web interface
Andrew:

A light just went on here as I had the same issue a while back on a 2925. It used to be that LAN1 always had access to the router, but that was changed some firmwares ago so that you could explicitly choose which LANs had access. This was added as a LAN Access Management tab under system management.

I seem to remember that depending which firmware version you were upgrading from, management for all LANs got disabled by default and changing something on the WAN/Web management tab and saving (or timeout!) then resulted in a complete lockout on the LAN-side. My guess is that you've fallen foul of this too, hence the "are you sure you want to do this for Lan1" message that you got...

Unfortunately, like you, the changes I'd made were to disable WAN management so the only way back into the thing was a factory reset and restore.

Best of luck!
Pete.

25 May 2018 13:42 #5 by andrewc
Replied by andrewc on topic Re: Locked out of web interface
Hi Pete

Many thanks for your input.

It seems very likely that is what I have fallen foul of.

Oh, the joys of IT!

25 May 2018 21:45 #6 by prushmere
Replied by prushmere on topic Re: Locked out of web interface

andrewc wrote: Oh, the joys of IT!



All part of the fun!

It's kind of embarrassing when you lock yourself out of your own router though... :D
