[GT-AXE11000] Router Security Assessment advice

stroper

Occasional Visitor
I am new to the ASUS family and trying to harden the router by adjusting security settings.
  • I have no idea regarding UPnP service. I do have an Xbox One console which is not yet connected to the router.
  • I have explicitly enabled remote access from WAN and restricted it to specific local IP addresses. I am quite surprised that the router doesn't let me restrict WAN access by MAC address (of course that can be spoofed).
  • I have enabled the auto firmware update option in addition to scheduled reboots every day during nighttime.
Any suggestions would be helpful. Thanks!

 
I have explicitly enabled remote access from WAN and restricted it to specific local IP addresses. I am quite surprised that the router doesn't let me restrict WAN access by MAC address (of course that can be spoofed).
Remote access from WAN is almost always a bad idea. Access restrictions apply to LAN access to the router Web interface, not the WAN access.
 
Remote access from WAN is always a bad idea. Access restrictions apply to LAN access to the router Web interface, not the WAN access.
Interesting. I couldn't access the router by DDNS from outside of my network. I tried to access the site from my phone on LTE and the browser says it timed out. This router is connected to an ATT modem in passthrough mode. I did a lookup for the DDNS name via the ASUS lookup page, and I got the right public IP address.

I ran traceroute from the ATT modem to this DDNS name and it timed out too. However, nslookup from the ATT modem to the DDNS name worked.

Any thoughts why this is not accessible from WAN?
 
Remote access from WAN is always a bad idea. Access restrictions apply to LAN access to the router Web interface, not the WAN access.
Never mind. I have added the dynamic public IP address of my phone for testing to the access restriction list and I was able to access the site fine. So, it does seem that the access control list is applicable for both public and private IP addresses.

I didn't see any other best practices in terms of accessing the router admin page from outside of the network other than enabling public access to WAN or enabling Instant Guard, which I believe connects to ASUS for access control.

Any thoughts?
 
So, it does seem that the access control list is applicable for both public and private IP addresses.
Apparently so. My error.
I didn't see any other best practices in terms of accessing the router admin page from outside of the network other than enabling public access to WAN or enabling Instant Guard, which I believe connects to ASUS for access control.
Enabling the VPN Server is the best practice.
 
