Asus-Merlin Firewall

colourofsound

Occasional Visitor
I have never used a firewall at home...firewalls on consumer level routers have usually been more hassle than they're worth. Plus with dynamic IPs from my ISP, I've never seen the need.

However, after a bit of a scammer-related security scare; I want to enable it. I'm used to managing enterprise-level firewalls (Palo Alto; Barracuda) but honestly I just find myself frustrated with a simple 'on/off' firewall like on the ASUS routers.

When I turned it on, only some sites would work, my work VPN died; it was very unreliable and I can't see how you can configure it (or troubleshoot it)

What am I missing here? I'd expect it to allow all outbound traffic which should be fine. Is there maybe a Merlin app with a more configurable firewall?

Thanks in advance.
 
A router, when configured for normal router operation mode, will have a firewall active. The Asus router (you didn't list your model or firmware version) has a firewall already enabled when the router is configured for Wireless Router Mode. AiProtection is just a feature enhancement on top of the standard included Asus router firewall. Some use AiProtection, others don't. Generally, outside of specific requirements or needs, one should always use a firewall both on their router and on their local computers (and other devices if possible). When it comes to network security, multiple layers of security (firewall, antivirus, malware protection, ad blocking, etc.) is the best method to reduce, limit and in many cases prevent network intrusions and to prevent one's devices from being compromised. It is a very, very bad idea to have any device connected to the internet without some sort of firewall or other method(s) to prevent that device from being compromised.

For most people there isn't a need to configure the Asus firewall settings. And using the VPN options on the Asus router shouldn't present a problem or issue with the Asus router firewall as they tend to work in conjunction with the firewall. If you need to poke holes in the firewall for certain features, programs, or game apps then look at the port forwarding options in the Asus router GUI. Standard warning: opening up port forwarding ports may present potential security issues.

[Wireless Router] How to set up Virtual Server/Port Forwarding Rules on ASUS Router?

For Asus routers see the GUI > Firewall menu option from the left column of menu items. Example Firewall page showing the firewall feature enabled:

Firewall.jpg
 
I don't know why you're having problems. Home routers are pretty much plug and play. The router's firewall should not be disabled as you will be opening it up to attack from every bot on the internet (even if you do have a dynamic IP address). It is a stateful firewall that by default will block all unsolicited incoming connections but allow replies to established outgoing connections.

P.S. This is assuming that your router is connected directly to the internet (i.e. it has a public IP address) and isn't behind another router that has its own firewall.
 
Yeah, I'm not sure why I'm having issues either. As I said, it's not like it's my first rodeo with firewalls; I've been managing enterprise ones for years. But every time I enable a consumer firewall it just doesn't seem to work, and there's not much feedback to figure out why. It's the only router/firewall I have.

A router, when configured for normal router operation mode, will have a firewall active. The Asus router (you didn't list your model or firmware version) has a firewall already enabled when the router is configured for Wireless Router Mode.
This has never been my experience. Every consumer router I've ever had, whether it be one bundled from an ISP or one I've bought myself (like this ASUS DSL-AX82U), has had its firewall off by default. Maybe it's a UK thing? But I can almost guarantee that the majority of consumer-grade, ISP-provided routers in the UK will have firewalls disabled by default.
 
I'm also in the UK and my experience over many, many routers is the opposite. I've never seen a home router that had the firewall disabled by default. Certainly that's always been the case with all Asus routers. Just like stock firmware, Merlin's firmware also defaults to the firewall being enabled. Merlin doesn't make firmware for the DSL-AX82U so perhaps the version you're using has a non-standard default setting. Or maybe it's an ADSL/VDSL thing (I use a cable modem).
 
Not a UK thing. Firewalls have always defaulted to "on" on my asus routers - DSL-AC68U DSL-AC88U RT-AC88U RT-AX88U, and the same for a Netgear D7000 and a Vodafone THG3000. Manufacturers just wouldn't leave the door open like that.
 
Never, ever heard of, or seen, a consumer grade router (in the US or otherwise) having its firewall disabled out of the box when configured for WiFi router/gateway mode. Never. They all have had the firewall enabled by default. In every single instance for the firewall to be disabled required user intervention or in extreme cases was an ISP (or possibly in remote cases government) requirement. But for consumer routers like Asus, Linksys, Netgear, TP-Link, Belkin, etc. the firewall has been enabled by default in wireless router mode. Shrugs

Edit: Like RIpshod said, manufacturers in this day and age won't leave a door open like that. They'd likely get sued either by customers or be forced by the government to have that door closed. It's happened more than once (even with Asus I believe) that router manufacturers have been forced to modify their firmware to ensure various security features were enabled. Like requiring passwords for WiFi, admin interface access, disabling guest SMB USB drive access (like with Asus routers), etc.
 
Maybe it's a DSL thing then - I've only ever had copper/FTTC etc. so I've always needed a modem/router - and the Gnuton firmware I used on my DSL-AC82U had it disabled by default.
 
See my remark above.
 
I don't have any reason to make this up; just relaying my experiences.

Anyway - I assume there isn't a more configurable firewall app for Merlin?
 
I suppose I want to see or know what is being blocked; so I can pin down why certain things start breaking when I enable it. I can't see any firewall specific traffic logs; would you see blocked traffic in System Log -> Connections? I don't want to start adding Inbound rules at random really without some cause, if that makes sense?
 
Bear in mind this is a home router, not a business or enterprise router. It is very low spec and not designed to continuously log a lot of firewall data.

That said, look at the "Firewall" settings. You can choose to log all dropped packets. AiProtection also has its own logging but that's more aimed at blocking malicious traffic between the LAN clients and the internet.
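An added illustration, not part of any post in this thread: once dropped-packet logging is switched on as described above, a short script can tally the drop entries by direction, protocol and destination port, so that drops of traffic leaving the LAN stand out from unsolicited inbound noise. The log line layout (a `DROP` prefix followed by netfilter `KEY=value` fields), the WAN interface name `ppp0` and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines (not taken from the thread). Addresses come from
# documentation ranges; "ppp0" as WAN and "br0" as LAN bridge are assumptions.
SAMPLE_LOG = """\
May  5 10:01:02 kernel: DROP IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=40 TTL=241 PROTO=TCP SPT=44123 DPT=23 SYN URGP=0
May  5 10:01:05 kernel: DROP IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.20 LEN=40 TTL=238 PROTO=TCP SPT=51200 DPT=23 SYN URGP=0
May  5 10:01:07 kernel: DROP IN=ppp0 OUT= MAC= SRC=203.0.113.44 DST=198.51.100.20 LEN=443 TTL=52 PROTO=UDP SPT=5071 DPT=5060
May  5 10:01:08 dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.50 laptop
May  5 10:01:09 kernel: DROP IN=br0 OUT=ppp0 SRC=192.168.1.50 DST=192.0.2.10 LEN=120 TTL=63 PROTO=UDP SPT=500 DPT=500
"""

# KEY=value pairs; the value may be empty (e.g. "OUT=" for packets addressed
# to the router itself). Bare flags such as "SYN" are ignored.
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_drop(line):
    """Return the KEY=value fields of a dropped-packet line, or None."""
    _, sep, rest = line.partition(" DROP ")
    if not sep:
        return None  # some other syslog line (DHCP, wireless, ...)
    return dict(FIELD.findall(rest))


def direction(fields, wan_if="ppp0"):
    """Classify a drop by which side of the router the packet came from."""
    if fields.get("IN") == wan_if:
        return "inbound"   # arrived from the internet side
    if fields.get("OUT") == wan_if:
        return "outbound"  # a LAN client's traffic heading out
    return "other"


def summarise(log_text, wan_if="ppp0"):
    """Count drops per (direction, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_drop(line)
        if fields is None:
            continue
        # Protocols without ports (ICMP, ESP, GRE) carry no DPT field.
        key = (direction(fields, wan_if), fields.get("PROTO", "?"), fields.get("DPT", "-"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (where, proto, port), n in summarise(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {where:8s} {proto}/{port}")
```

Rows classed as `outbound` are the ones worth investigating when something on the LAN stops working; `inbound` rows are unsolicited traffic from the internet side that was dropped.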
 
You are using NAT. Everything inbound gets dropped by the firewall, except anything for which you configured a port forward, or that you manually exposed (such as if you enable the VPN server).
 
Bear in mind this is a home router, not a business or enterprise router. It is very low spec and not designed to continuously log a lot of firewall data.

Not to mention the automatic reaction of most home users to panic when they see the reality of a firewall drop logs...

That's a support overhead most ISPs and router manufacturers would rather avoid. Just because it's not shouting about something doesn't mean it's not doing its job.
 
Dynamic IP good enough? And you manage enterprise level firewalls? 😮
Why would I pay for a static for my home when I don’t need one…?
Edit: oh, I see what you mean. I seem to be getting a lot of flak for this haha; the long and short of it is I’ve not really thought about it all that much.

Not to mention the automatic reaction of most home users to panic when they see the reality of a firewall drop logs...

That's a support overhead most ISPs and router manufacturers would rather avoid. Just because it's not shouting about something doesn't mean it's not doing its job.
Also users would just see ‘block all incoming traffic’ and assume Netflix wouldn’t work :D

Firewall has now been on for a day and I don’t appear to be having the same issues as last time. Little bit odd.

Only thing is that some sites just won’t resolve immediately; they load forever. Flipping to 4G and back again fixes it; but the initial resolution doesn’t seem to work. I have been seeing this since moving to DNS-over-TLS
 