Are Asus routers running ASUSWRT-Merlin affected by NAT Slipstreaming? Mitigations?

1. Disabled everything in WAN -> NAT Passthrough.

2. Also added:

modprobe -r nf_nat_ftp
modprobe -r nf_conntrack_ftp

to /jffs/scripts/firewall-start

3. In Terminal
nvram set vts_ftpport=0
nvram commit

No drawbacks/errors/speed issues with Alexa/IOT and other stuff so far. My VOIP-Phone is also working as intended.

Update: 03.03.21
VoWifi on Xiaomi is not working correctly
(also Icon is not visible in Phone UI)
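
A way to check the result of steps 2 and 3 above, as an added example that is not part of the original post: it lists the ALG helper modules still loaded and prints the matching `modprobe -r` lines. The function names, the `/tmp/modules.sample` path and the helper list beyond `ftp` are assumptions; the sample module listing is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list netfilter ALG helper modules that
# are still loaded, in the order they have to be unloaded.

# ftp is the helper named in the post; the other names are standard Linux
# netfilter helpers, and which of them a given firmware loads is an assumption.
ALG_PROTOS="ftp sip h323 pptp rtsp tftp irc"

# Print loaded helpers from a /proc/modules-format file (default: live system).
# nf_nat_* come before nf_conntrack_* because each NAT helper depends on its
# conntrack helper and has to be removed first.
loaded_alg_helpers() {
    awk -v protos="$ALG_PROTOS" '
        BEGIN { n = split(protos, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^nf_nat_/       { k = substr($1, 8);  if (k in want) nat[++nn] = $1 }
        $1 ~ /^nf_conntrack_/ { k = substr($1, 14); if (k in want) ct[++nc] = $1 }
        END {
            for (i = 1; i <= nn; i++) print nat[i]
            for (i = 1; i <= nc; i++) print ct[i]
        }
    ' "${1:-/proc/modules}"
}

# Emit the lines to add to /jffs/scripts/firewall-start for those helpers.
firewall_start_lines() {
    loaded_alg_helpers "$1" | sed 's/^/modprobe -r /'
}

# Exit status 0 when no ALG helper is loaded, 1 otherwise.
alg_helpers_clean() {
    [ -z "$(loaded_alg_helpers "$1")" ]
}

# Constructed sample in /proc/modules format (sizes and addresses are made up).
sample_modules() {
    cat <<'EOF'
nf_nat_sip 16384 0 - Live 0x0000000000000000
nf_conntrack_sip 32768 1 nf_nat_sip, Live 0x0000000000000000
nf_nat_ftp 16384 0 - Live 0x0000000000000000
nf_conntrack_ftp 20480 1 nf_nat_ftp, Live 0x0000000000000000
nf_conntrack 139264 4 nf_nat_sip,nf_conntrack_sip, Live 0x0000000000000000
EOF
}

# --demo audits the constructed sample; --live audits the running system.
case "${1:-}" in
    --demo) sample_modules > /tmp/modules.sample; firewall_start_lines /tmp/modules.sample ;;
    --live) firewall_start_lines ;;
esac
```

Helpers compiled into the kernel do not appear in /proc/modules, so an empty result only covers loadable modules.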
 
Any updates on VoWifi issues? I'm on a OnePlus 8Pro and am having issues with VoWifi intermittently dropping. Call quality on VoWifi also doesn't seem to be the greatest, either. Rt ax88u in use. Interestingly, switching back to rt 3100ac on stock setting fixes the issue for me.
 
I know that my Amazon Echo device will not work without 2 items still having NAT Passthrough enabled... unless newer firmware has solved that issue (haven't tested it recently). Perhaps your device still needs Passthrough enabled on One or More services?

..or maybe try this site which refers to a memory management issue: https://docs.epicollect.net/mobile-application/xiaomi-troubleshooting

[Attached image: 1660589266552.png]
 
The image above shows your current NAT settings? To be clear, VoWifi is working for you with these settings or not?
 
Yes, those are my current NAT Passthrough settings. Without those settings my Amazon Echo would not function.

I'm just suggesting that (if NAT Passthrough is the culprit) having ALL NAT Passthrough disabled may not work for some cases like myself and perhaps you.

I don't have VoWiFi (Voice over WiFi?). So some experimentation with enabling ALL NAT Passthrough (and seeing if VoWiFi works right) THEN disabling NAT Passthrough one by one and seeing what item(s) are causing the problem.

Once you identify the REQUIRED NAT Passthrough item(s) that must be enabled to operate VoWiFi properly THEN you can again disable the other NAT Passthrough items.
 
Some Wifi Calling providers use IPSEC, so you need to enable that passthrough if this is the case for your provider.
 
I've disabled all so far with no issue. I just need to add the lines to disable the FTP ALG once and for all.

Will report if any other users report anything on my end.

Thanks for this heads up. I wonder if this can be added to a Skynet etc. best practice for hardening. I know @Adamm already includes disabling WAN access etc as part of the Skynet script checks.

Cheers again and thanks for this.
 
Hello,

How to disable FTP ALG please? When I enter 0 I get

Please enter a value between 1 to 65535
 
Look at the prior post #23 by @Wycleff in this thread...

Look at item [3. In Terminal] << you have to be in a SSH session on your router.

After you enter those 2 commands try:
nvram get vts_ftpport
0 << this is the result you should see if your ftpport is now "0" (which will also show the same "0" on the asuswrt FTP ALG port GUI)
 
I disable all those options and even change the default port for FTP_ALG.

Ring Cameras, SIP VOIP to DECT phone all work fine. Not found a case yet where it's broken something.
 
