Help with Asus Firewall


Vernon

New Around Here
Asus RT-AX88U with Merlin 386.2_6.

I appreciate any help. I've configured routers before, but I find the Asus firmware to be pretty awful.

Firewall > General Tab

01. I assume the firewall at the top of the page under "General" is the IPV4 firewall.

02. What is the difference between the options under "logged packets type"; dropped or accepted?

03. I assume that the Inbound Firewall rules at the bottom apply to both IPV4 and IPV6?

04. Does anyone know a reasonable set of inbound firewall rules that I can just use?

Firewall > Network Services Filter

01. I assume that to have the network services filter always on you just check Mon-Fri and leave the Time of Day at 00:00 - 23:59?

02. In the Network Services Filter table at the bottom:
02.01. Does Source IP let you specify a specific machine on your lan? Is destination IP a specific machine that a computer on your lan could connect to?

03. I assume that the first Port Range column refers to a port range on your local machine and the second Port Range column is a port on the destination IP?

So if you wanted to prevent a specific machine on your lan from telnet-ing to a specific IP address on the internet you would configure it like this:

Source IP   | Port Range | Destination IP | Port Range | Protocol |
192.168.1.5 | 23         | 172.214.4.174  | 23         | TCP      |

Which means that your local 1.5 machine WOULD be able to use telnet to reach some other machine on the internet?

And if you left the Source IP/Port Range and Destination IP/Port Range columns blank:

Source IP | Port Range | Destination IP | Port Range | Protocol |
          | 23         |                | 23         | TCP      |

Then no machines on your lan could use port 23 to reach any machine on the internet?
 
1. Yes.
2. It is what it says. Create syslog (System Log - General Log) entries for dropped or accepted incoming connections.
3. No, just IPv6.
4. The defaults are fine. By default the firewall drops all unsolicited incoming traffic.

1. Yes. And of course set Enable Network Services Filter to yes.
2. Yes.
3. Yes.

So if you wanted to prevent a specific machine on your lan from telnet-ing to a specific IP address on the internet you would configure it like this:
Code:
Source IP   | Port Range | Destination IP | Port Range | Protocol |
192.168.1.5 | 23         | 172.214.4.174  | 23         | TCP      |
Not quite. The source port for a telnet connection is ephemeral so you would leave that field blank.
Which means that your local 1.5 machine WOULD be able to use telnet to reach some other machine on the internet?
Yes.

And if you left the Source IP/Port Range and Destination IP/Port Range columns blank:
Code:
Source IP | Port Range | Destination IP | Port Range | Protocol |
          | 23         |                | 23         | TCP      |
Then no machines on your lan could use port 23 to reach any machine on the internet?

Not quite. It would be this if you want to stop all machines connecting to any remote telnet server:
Code:
Source IP | Port Range | Destination IP | Port Range | Protocol |
          |            |                | 23         | TCP      |
 
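The point in the reply above (the telnet client's source port is ephemeral, so a rule keyed on source port 23 never fires; leave the source port blank and put 23 only in the destination Port Range) is easy to see in a small model of the filter table. The following is an added example written for this thread, not Asus or Merlin firmware code. It assumes the matching semantics described in the thread: a blank column matches anything, a port column holds a single port or a range (accepted here as "lo:hi" or "lo-hi"), the filter only decides LAN to WAN traffic, and Filter Table Type is either Blacklist (listed rows are dropped, everything else passes) or Whitelist (only listed rows pass). The Whitelist mode and the range handling go beyond the specific rows discussed above; the sample flows and the 198.51.100.9 host are constructed.

```python
"""Toy model of the Asus "Network Services Filter" table (LAN -> WAN only).

Added example for this thread; it is not Asus or Merlin firmware code. The
matching semantics are assumptions drawn from the thread: a blank field matches
anything, a port field is a single port or a range written "lo:hi" (also
accepted as "lo-hi"), and "Filter Table Type" is either Blacklist (listed
traffic is dropped) or Whitelist (only listed traffic is allowed)."""

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Rule:
    """One row of the filter table; "" means the column was left blank."""
    src_ip: str = ""
    src_ports: str = ""
    dst_ip: str = ""
    dst_ports: str = ""
    proto: str = "TCP"


@dataclass(frozen=True)
class Flow:
    """A single LAN -> WAN connection attempt as the router would see it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def port_matches(spec: str, port: int) -> bool:
    """Blank spec matches any port; otherwise a single port or a lo:hi / lo-hi range."""
    spec = spec.strip()
    if not spec:
        return True
    sep = ":" if ":" in spec else "-" if "-" in spec else None
    if sep:
        lo, hi = (int(p) for p in spec.split(sep, 1))
        return lo <= port <= hi
    return int(spec) == port


def ip_matches(spec: str, ip: str) -> bool:
    """Blank spec matches any host; otherwise exact match (no CIDR in this toy)."""
    return not spec.strip() or spec.strip() == ip


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Every column must match; a blank column never constrains the flow."""
    return (
        rule.proto.upper() == flow.proto.upper()
        and ip_matches(rule.src_ip, flow.src_ip)
        and port_matches(rule.src_ports, flow.src_port)
        and ip_matches(rule.dst_ip, flow.dst_ip)
        and port_matches(rule.dst_ports, flow.dst_port)
    )


def lan_to_wan_allowed(rules: Iterable[Rule], flow: Flow, table_type: str = "Blacklist") -> bool:
    """Decide whether the router forwards this LAN -> WAN flow.

    Blacklist: anything matching a row is dropped, everything else passes
    (outbound is open by default, as the thread says).
    Whitelist: only flows matching a row pass.
    """
    hit = any(rule_matches(r, flow) for r in rules)
    if table_type == "Blacklist":
        return not hit
    if table_type == "Whitelist":
        return hit
    raise ValueError(f"unknown Filter Table Type: {table_type!r}")


# Rows from the thread. The first is the original poster's attempt, which puts
# 23 in the *source* Port Range column; the other two are the corrected rows.
ORIGINAL_ROW = Rule("192.168.1.5", "23", "172.214.4.174", "23", "TCP")
ONE_HOST_ROW = Rule("192.168.1.5", "", "172.214.4.174", "23", "TCP")
ALL_TELNET_ROW = Rule("", "", "", "23", "TCP")

# Constructed sample flows: a telnet client picks an ephemeral source port
# (51234 here), which is why a row keyed on source port 23 never matches.
TELNET_FROM_PC5 = Flow("192.168.1.5", 51234, "172.214.4.174", 23, "TCP")
TELNET_FROM_PC7 = Flow("192.168.1.7", 40000, "198.51.100.9", 23, "TCP")
HTTPS_FROM_PC7 = Flow("192.168.1.7", 40001, "198.51.100.9", 443, "TCP")


def demo() -> dict:
    """Evaluate the three rows against the sample flows (True = blocked)."""
    return {
        "original_row_blocks_telnet": not lan_to_wan_allowed([ORIGINAL_ROW], TELNET_FROM_PC5),
        "one_host_row_blocks_telnet": not lan_to_wan_allowed([ONE_HOST_ROW], TELNET_FROM_PC5),
        "one_host_row_blocks_other_pc": not lan_to_wan_allowed([ONE_HOST_ROW], TELNET_FROM_PC7),
        "all_telnet_row_blocks_other_pc": not lan_to_wan_allowed([ALL_TELNET_ROW], TELNET_FROM_PC7),
        "all_telnet_row_blocks_https": not lan_to_wan_allowed([ALL_TELNET_ROW], HTTPS_FROM_PC7),
    }


if __name__ == "__main__":
    for name, blocked in demo().items():
        print(f"{name}: {blocked}")
```

Running `demo()` shows the original row blocking nothing, the one-host row blocking only 192.168.1.5, and the blank-source row blocking telnet from every LAN host while leaving port 443 alone. The Whitelist branch inverts the decision, which is why a whitelist needs every port you still want open listed explicitly.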
Thank you, Colin! Do you know of an existing list of ports to block in the Network Services Filter tab?
 
I want to block outgoing ports at the router level, for example, ssh, ftp, telnet, 3389, etc. I've blocked about 20 or so right now, but it would be a lot easier if someone had already compiled a list. Michael Horowitz at routersecurity.org mentions many ports he feels should be blocked, but they are scattered across his fairly large site. I'd be particularly interested in blocking "phone home" ports used by apps or even the router itself.

As an example, Asus firmware has a bunch of interesting services you can enable such as AIMesh, AIProtection, etc. In the past, if you enabled any of these services, data from your router would be sent to Trend Micro.


In 2017, I don't think there was any way to prevent Asus from sending your router traffic data to Trend Micro. There was a bit of an outcry I believe and the fix that Asus still has today is that, if you enable any of their free services, your traffic data is still sent to Trend Micro, but there's a "Withdraw" button on the Administration > Privacy tab.

So the question is, if I use any of these cool services and I click on the Withdraw button, how can I make sure my router traffic data isn't being sent to Trend Micro, and how can I make it more difficult for applications on my lan machines to pull the same stunt?

That being said, it's probably easier to set the Firewall > Network Services Filter tab > Filter Table Type control to "Whitelist", in which case it would be easier if someone had already compiled a list of outgoing ports that you shouldn't block.

And that is basically what I'm trying to accomplish.

Thank you!

-Vern
 
It's important to note that the Network Services Filter only applies to LAN to WAN traffic (as stated on its page). So it doesn't affect any services running on the router itself.

Regarding blacklisting ports, I think that's a fairly hopeless task. You can look at a list of official and some unofficial ports like this: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers But I doubt it could ever be complete.

I was also going to suggest whitelisting if you want to be really restrictive. Either way is fairly pointless IMHO. If there's something specific that you're trying to block (e.g. porn or an online game) that's another matter. But trying to block everything I think is probably the wrong approach.


Regarding that blog post from 2017, it has been discussed many times and was debunked at the time.
 
Hello,
Following this thread. Additional question per the "Firewall > General Tab" line of thinking.

My Chamberlain MyQ WIFI garage door opener manual says that I need to open a series of TCP and UDP ports on my router.

I've had trouble understanding what is the correct way to do this in my ASUS router configuration for my ZenWIFI AX. Below are the three options I've read about but have not yet been able to figure out which is the correct way to go.

1) How can I somehow open the required ports in the "Firewall > General Tab." I've read the ASUS manual, but it does not describe the "Inbound Firewall Rules" section or how to open ports.

2) I've defined a set IP address for the garage opener in my DHCP already. Should I add port forwarding for all the required ports in "WAN > Virtual Server / Port Forwarding"? Does this prevent other IP address devices from using those ports and should I care?

3) Or should I add all the required ports to the section "WAN > Port Trigger"? Would that be the best way to dynamically allow short term access to those ports to any device asking for them?

Thank you for any links, documentation or direction you can provide.
 
My Chamberlain MyQ WIFI garage door opener manual says that I need to open a series of TCP and UDP ports on my router.
You need to provide details of exactly what they mean by this. What ports, and more importantly, in which direction? This is a mistake that gamer kiddies make all the time, all outgoing ports are already open by default.
 
You need to provide details of exactly what they mean by this. What ports, and more importantly, in which direction? This is a mistake that gamer kiddies make all the time, all outgoing ports are already open by default.
I really wish I knew exactly what they mean. That is part of my confusion. Below is what they say online. Not enough to answer all questions I'm afraid.

Verify inbound and outbound TCP port 8883 is open.

Inbound and outbound TCP/UDP ports 9122, 4444, 5101-5104, and 4101-4104 open
 
I really wish I knew exactly what they mean. That is part of my confusion. Below is what they say online. Not enough to answer all questions I'm afraid.

Verify inbound and outbound TCP port 8883 is open.

Inbound and outbound TCP/UDP ports 9122, 4444, 5101-5104, and 4101-4104 open
The implication is that they're only talking about outbound connections. Otherwise they would mention port forwarding, etc.

They say: "Verify the port is not being blocked by your router or a firewall product", which it isn't. "Not having this port open will cause the myQ Wi-Fi product to not connect to the server" which again sounds like they're talking about outbound connections to their server on the internet.

So there appears to be nothing to do. What is the problem you're seeing?
 
The implication is that they're only talking about outbound connections. Otherwise they would mention port forwarding, etc.

They say: "Verify the port is not being blocked by your router or a firewall product", which it isn't. "Not having this port open will cause the myQ Wi-Fi product to not connect to the server" which again sounds like they're talking about outbound connections to their server on the internet.

So there appears to be nothing to do. What is the problem you're seeing?
Thank you for this review. That all makes sense. With this new information I plan to do a hard reset of the device and start from scratch without any special changes to my router. Thank you again. Much appreciated!
 
