ASUS Router Security

[bennor]

(I think that prevents any other machine from taking that IP address)

No need to "think". It will prevent other devices from obtaining that same address from the router's DHCP Server. A reserved IP is (typically) tied to the MAC address of a specific device.

 

[Crimliar]

If you restrict access to just permitted MAC addresses, I'd also set up a second device - just in case.

 

[JCW3]

No need to "think". It will prevent other devices from obtaining that same address from the router's DHCP Server. A reserved IP is (typically) tied to the MAC address of a specific device.

I understand that the DHCP server will not assign that IP address to any other MAC, but (another ignorant question)...

What happens if the device that tries to connect is set up with a fixed IP address that happens to be that reserved one? Will the router only allow such fixed-address devices to connect outside the DHCP address range (like my network printer)?

 

[ColinTaylor]

What happens if the device that tries to connect is set up with a fixed IP address that happens to be that reserved one? Will the router only allow such fixed-address devices to connect outside the DHCP address range (like my network printer)?

Yes. There are usually ways around things. This is only a home router after all.

 

[Tech9]

What happens if the device that tries to connect is set up with a fixed IP address that happens to be that reserved one?

Well, on your network with you reserving the IPs and your printer with fixed IP... memory issues concern happens.

You can reserve the same IP for a device with fixed IP though. If you reset the router/device, the IP will stay the same.

 

[sfx2000]

What happens if the device that tries to connect is set up with a fixed IP address that happens to be that reserved one? Will the router only allow such fixed-address devices to connect outside the DHCP address range (like my network printer)?

1) If you have two devices with the same IP, you'll get a conflict message (sometimes...) on the machine that is trying to use an existing address - if that address is not in use, the fixed IP machine could use it, but again, when the device has the reservation connects, you'll have a conflict.

Always best to use static IP's outside of the DHCP scope, and reserve DHCP IP's for desired clients.

2) yes, the router will allow devices that are outside of the DHCP scope to attach if they have fixed/static IP's

 

[ironclad]

Bit of a late response but you can set up iptables rules (even in AP mode for some reason) to restrict access to the web UI. Adjust this as necessary:

iptables -A INPUT \! -s 192.168.1.0/24 -d 192.168.1.1 -p tcp --dport 8443 -j DROP
iptables -A INPUT \! -s 192.168.1.0/24 -d 192.168.1.1 -p tcp --dport 80-j DROP
(only the first one is necessary if your Web UI is HTTPS only)

Might require Merlin-WRT for jffs script support. Not all jffs scripts start up in AP mode. I think firewall-start doesn't work in AP mode so I put this in /jffs/scripts/init-start.

 

[JCW3]

Let us know how it works out... that's part of the give and take around here.

OE

Thanks, everyone, for all the help!

To close the loop on this: Yes, the combination of IP address reservations and access restrictions does work for me on both routers. At first there were unexplained anomalies -- my machine got the wrong IP address and could not connect to the Web page -- but something (perhaps a router reboot?) straightened everything out. (I now have the routers set up for weekly reboots.)

This appears to give pretty good protection for the router settings, unless somebody is able to spoof one of the right MAC addresses and connect wirelessly... (I have good control over wired connections.) -- JCW3