
Option to disable wireless login?


cooloutac

Very Senior Member
Does asus merlin have an option to disable wireless login like some routers or openwrt and dd-wrt have?

I notice the stock firmware does not have this option so wondering if Merlin does. Only options are to disable wan and add specific ip address. But imo this is not enough login security. Disabling wireless login should be basic security on all routers.

I mean we all don't live in the boondocks or woods and ip address and macs can be spoofed from a guy parked in front of my house lol...
 
I mean we all don't live in the boondocks or woods and ip address and macs can be spoofed from a guy parked in front of my house lol...

What is WPA2 lol

I mean, I get your point, I’ve set up similar policies for an OpenWRT device.

Perhaps a middle ground would be explicitly specifying which IPs can login.
 
well then I guess I don't use a vpn so I guess no reason to use merlin.

Open source really getting abandoned. As I said the asus router stock firmware already lets you specify an ip, but that's even easier to spoof than mac address. at least it's patching constantly when dd-wrt and other open source communities haven't updated for the ac68u in years?

The ISP routers even let you disable wireless logins. I'm starting to wonder if I would have been better off buying a commercial isp router. Like Actiontec. I'm a little in shock. I think consumer routers are going to be as dead as open source software is soon.

It's just a sad day when isp routers have progressed to the point of being way more secure than consumer routers. What is the world coming to. That backdoor port is not being exploited by anyone, yet they have all the security options to stop most low level actors that consumer routers no longer have 'cause most morons constantly parrot that they are trivial, which in turn is really making open source obsolete and its communities seemingly naive ghost towns. Inside sabotage?

AGAIN: I don't live in the woods or no man's land where you don't have neighbors all around your apartment or house. Also in this day and age.... Only A FOOL trusts all the iot devices on his wireless lan.

And telling me to disable wireless is a real facetious and impractical reply.

RIP consumer router and open source communities. Don't blame the FTC or manufacturers, blame yourselves.
 
And telling me to disable wireless is a real facetious and impractical reply.
I'm sorry if I offended you but I gave you the answer to what I thought your question was. :confused:

Reading your reply I have absolutely no idea what you are talking about.

@kfp's reply talks about WPA2 but that is not mentioned at all in your initial post. So I can't help but think that there has been some other conversation going on that I'm not aware of, or your original post has been changed.
 
I'm sorry if I offended you but I gave you the answer to what I thought your question was. :confused:

Reading your reply I have absolutely no idea what you are talking about.

@kfp's reply talks about WPA2 but that is not mentioned at all in your initial post. So I can't help but think that there has been some other conversation going on that I'm not aware of, or your original post has been changed.
sorry if I sounded hostile. Just so disappointed in how much times have changed. We are really being taught to keep ourselves vulnerable. It's sad times when there are no more alternatives.
 
Does asus merlin have an option to disable wireless login like some routers or openwrt and dd-wrt have?

Captive Portal Logins for Guest WiFi - some have it, some don't...

Depends on what you're asking for...
 
I'm sorry if I offended you but I gave you the answer to what I thought your question was. [emoji53]

Reading your reply I have absolutely no idea what you are talking about.

<snip>
sorry if I sounded hostile. Just so disappointed in how much times have changed. We are really being taught to keep ourselves vulnerable. It's sad times when there are no more alternatives.

I didn’t watch the video but just from the description it says WPS, so that’s the flaw not WPA2...
 
I'm sorry if I offended you but I gave you the answer to what I thought your question was. :confused:

Reading your reply I have absolutely no idea what you are talking about.

@kfp's reply talks about WPA2 but that is not mentioned at all in your initial post. So I can't help but think that there has been some other conversation going on that I'm not aware of, or your original post has been changed.

I guessed OP meant web UI login from wireless devices. IE admin functions are only available if you can reach the router physically via cable.
 
Based off the discussion so far, OP definitely meant preventing wireless LAN clients from reaching the web UI.

Short answer: no, there is currently no GUI option to prevent wireless LAN clients from hitting the web UI. At least on all the Asus routers I dealt with.

Workarounds: schedule wireless radios to turn off when not in use at certain times, as mentioned above, use a specific IP for reaching it. Use guest network to connect wireless LAN clients and prevent intranet access (which should be closest to what you're trying to do)

Also, note only 1 login is allowed at any one time to the web UI, so specifying an IP wouldn't be a bad idea

Sent from my LG-H830 using Tapatalk
 
He's asking for an option that prevents logging into the webui if you are connected over Wifi. No, that setting isn't implemented, largely because this entire project is being developed by one single developer out of his spare time. The code base is so large and complex that Asus has an entire team of full time developers working on it. Just keeping in sync with their own code is already taking the vast majority of my development time, therefore I no longer have the time to work on adding anything new.

You're welcome to write the code and submit a patch for that feature.
 
Code:
ebtables -I INPUT -i (wireless interface) -p ip4 --ip-protocol tcp --ip-destination $(nvram get lan_ipaddr) --ip-destination-port 80 -j DROP
Thanks. This is a firewall rule for blocking access from Wifi to Asus login page?
BR!
 
He's asking for an option that prevents logging into the webui if you are connected over Wifi. No, that setting isn't implemented, largely because this entire project is being developed by one single developer out of his spare time. The code base is so large and complex that Asus has an entire team of full time developers working on it. Just keeping in sync with their own code is already taking the vast majority of my development time, therefore I no longer have the time to work on adding anything new.

You're welcome to write the code and submit a patch for that feature.
I am not skilled in programming code, I imagine someone who is can look at the openwrt or dd-wrt source codes to get an idea. I don't consider it a feature but basic security. Ty for your time and effort. Unfortunately it might not be worth it anymore.

I don't think consumer routers nowadays can be any safer than most iot devices. The will is no longer there like it was in the 90s. I recommend people stick with their ISP routers in the future if security is a concern. No way I would have said such a thing 10 years ago, but we have become so socially engineered now by our enemies that more defensive alternatives no longer exist.
 
Thanks. This is a firewall rule for blocking access from Wifi to Asus login page?
BR!
no it's not, you can accomplish same thing by specifying ip address for login in the gui. That's just a fancy way of doing it.

We have options to specify admin ip address, filter mac addresses, and use https protocol. Also radius server but this eliminates most devices.

But the most important feature, which is to disable admin from wireless lan altogether, is not available.

I guess there is a reason Asus was sued by the FTC for having terrible security. But most other companies are not much better. If they have ability to disable wireless login, they are lacking security in other areas. Unbelievably the most secure routers I see now, are ISP routers. ISP routers are notorious for having government backdoor/"maintenance" ports open. But this is not something the average cracker will be exploiting, and most of them have all the basic security options one could think of.

For example asus doesn't even let you filter outgoing connections, only incoming. But majority of ISP routers have very advanced firewalls compared to these garbage consumer ones.

It's not 1999 anymore, consider your home lan hostile.

I come from the days of using tomato on a Linksys wrt54g, man have we gone severely backwards!

Open source software used to be the answer to lackluster security of stock firmware. Guess they no longer exist. I had a feeling though, thanks to the FTC at least Asus is constantly patching. Seems that's the only security benefits we get nowadays, which is better than most other companies. Though not enough.

Seems fancy streaming features, and offensive exploits are all anybody cares about. Defensive security is boring. So they want us vulnerable and complacent to joy at our expense.
 
no it's not, you can accomplish same thing by specifying ip address for login in the gui. That's just a fancy way of doing it.
No it isn't. You misunderstand what that command is doing. That command blocks all traffic from the specified wireless interface to the router's GUI, which is what you asked for.

For example asus doesn't even let you filter outgoing connections, only incoming.
Outgoing connections can be filtered in the Network Services Filter.
 
no it's not, you can accomplish same thing by specifying ip address for login in the gui. That's just a fancy way of doing it.

No. The gui is just an IP whitelist with no concepts of interfaces. Doing it with ebtables is a bit more precise since you can specify the interface you want to block.

Also, what’s with the constant ranting about consumer grade embedded devices sucking at security? It wasn’t much better in 1999.

What’s your threat model and what are you protecting against?
 
It's not 1999 anymore, consider your home lan hostile.

I come from the days of using tomato on a Linksys wrt54g, man have we gone severely backwards!
Those routers are still readily available if you consider them so highly. The 90s as I recall was a lot of 802.11b and WEP and I’m not confident that it was as good as you remember it
 
Code:
ebtables -I INPUT -i (wireless interface) -p ip4 --ip-protocol tcp --ip-destination $(nvram get lan_ipaddr) --ip-destination-port 80 -j DROP

Hi. Could you please fill in one example? Is the one below correct, supposing (wireless interface) = wlan1?

Code:
 ebtables -I INPUT -i wlan1 -p ip4 --ip-protocol tcp --ip-destination $(nvram get lan_ipaddr) ---port 80 -j DROP

Thanks!

Sent from my ONE A2003 using Tapatalk
 
Hi. Could you please fill in one example? Is the one below correct, supposing (wireless interface) = wlan1?
No, not wlan1. The names of the interfaces vary between models, but for most of the routers (like the RT-AC68U) it's:

2.4GHz primary = eth1
5GHz primary = eth2

2.4GHz guest1 = wl0.1
2.4GHz guest2 = wl0.2
2.4GHz guest3 = wl0.3

5GHz guest1 = wl1.1
5GHz guest2 = wl1.2
5GHz guest3 = wl1.3
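
The ebtables rule from the thread, filled in for the interface names listed above, as an added example that is not part of any post: the rule as posted covers only port 80 on one interface, so this generates one rule per wireless interface and web UI port and refuses to emit anything if the LAN address is empty or malformed. The function names, the sample address 192.168.1.1 and the second port 8443 (standing in for an HTTPS web UI port) are assumptions; check the interface names on your own model.

```shell
#!/bin/sh
# Added example (not from the thread). Prints ebtables commands; pipe to sh on the router.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|*.) return 1 ;; esac
    printf '%s\n' "$1" | {
        IFS=. read -r a b c d extra
        [ -n "$d" ] && [ -z "$extra" ] || exit 1
        for o in "$a" "$b" "$c" "$d"; do
            [ -n "$o" ] && [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || exit 1
        done
    }
}

# webui_block_rules LAN_IP "PORT ..." IFACE ...
# Emits a delete-then-insert pair per (interface, port) so re-runs never stack duplicates.
webui_block_rules() {
    [ "$#" -ge 3 ] || { echo "usage: webui_block_rules LAN_IP \"PORTS\" IFACE..." >&2; return 1; }
    lan_ip=$1; ports=$2; shift 2
    # An empty or malformed address (e.g. a failed nvram lookup) must not yield a rule.
    valid_ipv4 "$lan_ip" || { echo "bad LAN address: '$lan_ip'" >&2; return 1; }
    for port in $ports; do
        case "$port" in *[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    done
    for ifc in "$@"; do
        for port in $ports; do
            rule="INPUT -i $ifc -p ip4 --ip-protocol tcp --ip-destination $lan_ip --ip-destination-port $port -j DROP"
            echo "ebtables -D $rule 2>/dev/null"
            echo "ebtables -I $rule"
        done
    done
}

# Constructed sample values: RT-AC68U primary radios (eth1, eth2), assumed ports 80 and 8443.
webui_block_rules 192.168.1.1 "80 8443" eth1 eth2
# On the router: webui_block_rules "$(nvram get lan_ipaddr)" "80" eth1 eth2 | sh
```

Review the printed commands before piping them to `sh`; add the guest interfaces (wl0.1, wl1.1, ...) to the interface list only if guest clients are allowed intranet access.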
 
