[GT-AXE11000] Router Security Assessment advice


stroper

Occasional Visitor
I am new to the ASUS family and trying to harden the router by adjusting security settings.
  • I have no idea regarding the UPnP service. I do have an Xbox One console which is not yet connected to the router.
  • I have explicitly enabled remote access from WAN and restricted it to specific local IP addresses. I am quite surprised that the router doesn't let me restrict WAN access by MAC address (of course that can be spoofed).
  • I have enabled the auto firmware update option in addition to scheduled reboots every day during nighttime.
Any suggestions would be helpful. Thanks!

 

dave14305

Part of the Furniture
> I have explicitly enabled remote access from WAN and restricted it to specific local IP addresses. I am quite surprised that the router doesn't let me restrict WAN access by MAC address (of course that can be spoofed).

Remote access from WAN is almost always a bad idea. Access restrictions apply to LAN access to the router Web interface, not the WAN access.
 

stroper

Occasional Visitor
> Remote access from WAN is always a bad idea. Access restrictions apply to LAN access to the router Web interface, not the WAN access.

Interesting. I couldn't access the router by DDNS from outside of my network. I tried to access the site from my phone on LTE and the browser says it timed out. This router is connected to an ATT modem in passthrough mode. I did look up the DDNS name via the ASUS lookup page, and I got the right public IP address.

I ran traceroute from the ATT modem to this DDNS name and it timed out too. However, nslookup from the ATT modem to the DDNS name worked.

Any thoughts why this is not accessible from WAN?
 

stroper

Occasional Visitor
> Remote access from WAN is always a bad idea. Access restrictions apply to LAN access to the router Web interface, not the WAN access.

Never mind. I have added the dynamic public IP address of my phone for testing to the access restriction list and I was able to access the site fine. So, it does seem that the access control list is applicable for both public and private IP addresses.

I didn't see any other best practices in terms of accessing the router admin page from outside the network other than enabling public access to WAN or enabling Instant Guard, which I believe connects to ASUS for access control.

Any thoughts?
 

dave14305

Part of the Furniture
> So, it does seem that the access control list is applicable for both public and private IP addresses.

Apparently so. My error.

> I didn't see any other best practices in terms of accessing the router admin page from outside the network other than enabling public access to WAN or enabling Instant Guard, which I believe connects to ASUS for access control.

Enabling the VPN Server is the best practice.
 
