How to Disable AiProtection By Mac Address

Discussion in 'ASUSWRT - Official' started by Neil62, Jun 1, 2018.

  1. Neil62

    Neil62 Regular Contributor

    Joined:
    Dec 9, 2017
    Messages:
    58
    Does anybody know how you can totally disable/bypass the use of ASUS AiProtection/whitelist for a certain nominated MAC address(es) from the web GUI screens?

    Is this even possible or not? I can't seem to find a way by MAC address, i.e. bypass/don't use AiProtection for this MAC address.
     
    Last edited: Jun 1, 2018
  3. Jason A

    Jason A New Around Here

    Joined:
    Jun 2, 2018
    Messages:
    2
    No :(
     
    Ronald Schwerer likes this.
  4. Adrian Knight

    Adrian Knight Regular Contributor

    Joined:
    Jun 2, 2018
    Messages:
    54
    Another question would be: would the device listed in the DMZ be excluded from AiProtection?
     
  5. AndreiV

    AndreiV Very Senior Member

    Joined:
    Aug 25, 2015
    Messages:
    546
    Location:
    UK
    AiProtection would be totally pointless if you open a door to exploits.

    It protects the router against exploits and inspects the traffic even before it reaches the firewall.
     
  6. Neil62

    Neil62 Regular Contributor

    Joined:
    Dec 9, 2017
    Messages:
    58
    As the administrator of the router, the decision should be left to the administrator, and why not have the option, as an administrator, by MAC address(es)?
     
    JasonPearce likes this.
  7. AndreiV

    AndreiV Very Senior Member

    Joined:
    Aug 25, 2015
    Messages:
    546
    Location:
    UK
    You either want security or you don't.

    It's like fitting security locks to protect your house, then leaving the back door open for your mates... and then anyone else that wants to come in.
     
  8. Adrian Knight

    Adrian Knight Regular Contributor

    Joined:
    Jun 2, 2018
    Messages:
    54
    Totally agree with you on this, but it looks like another half-thought-out idea.

    I do not use AiProtection, but probably would if I could turn it on for only guest networks, but then we get into the issue of guest networks not working with AiMesh etc.
     
    Last edited: Jun 3, 2018
  9. AndreiV

    AndreiV Very Senior Member

    Joined:
    Aug 25, 2015
    Messages:
    546
    Location:
    UK

    So, you think it is a good idea to bypass security for one device and allow in the exploits and malware that AiProtection is there to stop?

    You enforce security on some devices but not your own, thereby infecting your router and the rest of your network?

    That is well thought out?
     
    fax likes this.
  10. Adrian Knight

    Adrian Knight Regular Contributor

    Joined:
    Jun 2, 2018
    Messages:
    54
    Actually no, our own in-house devices have their own protection, but maybe not our customers' devices, so I think it would be a good idea to protect them.
     
  11. AndreiV

    AndreiV Very Senior Member

    Joined:
    Aug 25, 2015
    Messages:
    546
    Location:
    UK

    Which is exactly the reason GUEST WiFi on your router offers the settings to prevent the use of your Intranet.
     
  12. Neil62

    Neil62 Regular Contributor

    Joined:
    Dec 9, 2017
    Messages:
    58
    My point is this: if those devices which are nominated by MAC address to bypass AiProtection, and assuming the administrator of the router has taken all security risks into consideration, i.e. they are running their own security (rules of the administrator), you should be able to bypass AiProtection, as deemed by the administrator of that router for that nominated device; all/any others (devices/guests) use AiProtection should it be enabled. It should be an administrator decision at the end of the day. Why have a software restriction? It should be decision (administrator) based.
    How many people actually use the AiProtection provided by ASUS? It's disabled on startup by default anyway.
     
  13. DummyPLUG

    DummyPLUG Regular Contributor

    Joined:
    Nov 27, 2017
    Messages:
    113
    Just because you don't have any problem doesn't mean it is not a good decision. In one of our networks we are using a CCR1072 as the main router; the main part of the network is protected by some firewall, and the Asus is behind the CCR1072 and has its own public IP to provide WiFi for our guests. We had enabled AiProtection as it is better than nothing for our guests, but from time to time we have some guest device that is outdated/strange enough to trigger AiProtection, so we need to disable AiProtection for all guests. We don't use our firewall to protect the Asus as it has very strict rules which would just give trouble to our guests, and it is not powerful enough to protect the whole network. If we could just disable it for the specific device only, we would still get a notification when something happens. Now you tell me, do you think it is a bad idea?

    p.s. Why are we using Asus for guest WiFi? Because it is much cheaper than business-class APs, but we are phasing out all AC68Us due to some bug.
     
    Last edited: Jun 6, 2018
  14. AndreiV

    AndreiV Very Senior Member

    Joined:
    Aug 25, 2015
    Messages:
    546
    Location:
    UK
    Yes, it is a totally stupid idea.

    AiProtection has several selectable functions; the main function is intrusion protection. If you bypass that protection for one device, your router and ALL attached devices are exposed.


    https://www.asus.com/AiProtection/
    https://www.asus.com/support/FAQ/1012070/
     
  15. DummyPLUG

    DummyPLUG Regular Contributor

    Joined:
    Nov 27, 2017
    Messages:
    113
    We don't rely on AiProtection for protection; we use Fortigate and Checkpoint to protect our main network. As I said, AiProtection is just a "better than nothing" solution for our guests.
    By the way, our guests can still infect each other even if nothing is bypassed.
     
    Grisu likes this.
  16. AndreiV

    AndreiV Very Senior Member

    Joined:
    Aug 25, 2015
    Messages:
    546
    Location:
    UK

    But the ASUS guest settings prevent your guests seeing each other or your network.

     
  17. Adrian Knight

    Adrian Knight Regular Contributor

    Joined:
    Jun 2, 2018
    Messages:
    54
    How do you know how others want to configure their network? You made this same comment to me, and the reply would be "Our customers need to connect to our intranet to access file servers."
     
    Grisu likes this.
  18. JasonPearce

    JasonPearce New Around Here

    Joined:
    Oct 7, 2018
    Messages:
    4
    AiProtection inspects both egress and ingress traffic, taking action (permitting or blocking) on traffic in either direction. Not only does it protect your network from the internet, but it protects the internet from your network.

    Most of your comments have been about ingress traffic. But some users might want to disable egress traffic inspection from specific machines in their network. I can think of three likely examples.

    Cryptocurrency Mining:
    AiProtection will block egress traffic from a cryptocurrency miner. A user may want to use AiProtection to block all ingress traffic, but permit egress traffic from her miner.

    Kali Linux:
    Or similar penetration testing Linux distributions will also have egress traffic blocked by AiProtection. A security-minded researcher would still want AiProtection to inspect her ingress traffic, but would want to whitelist her Kali Linux machine.

    False Positives:
    I've noticed users complaining about potential false positives. If AiProtection is falsely blocking outgoing traffic from their web cam, media player, or NAS, their only means of enabling that outgoing traffic to the internet is to disable both egress and ingress monitoring by AiProtection. If the network admin could simply whitelist a MAC or IP, then the rest of her network would remain protected.

    Without the ability to whitelist netflow to specific machines within a network, AiProtection will inspect and potentially block all egress and ingress traffic. It shouldn't be all or nothing. There are conditions where an admin will want to selectively control exceptions.
     
    badbob001 and Neil62 like this.
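    Added example (not from any poster and not ASUS code): what the "whitelist one MAC" exception asked for in this thread looks like when expressed as generic Linux netfilter rules. It assumes an iptables-based router whose LAN bridge is `br0`, a free connmark bit (`0x40`, chosen arbitrarily here), and that an early ACCEPT in FORWARD is honoured by whatever inspection hook sits behind it; the thread does not establish that the stock AiProtection engine respects such a rule, and the stock GUI offers no such option. The function only emits the commands so it can be reviewed before being run as root. The `-m mac` match works only on frames as they arrive, so the source-MAC rule covers the client's outbound (egress) connections; the return path is covered by marking the connection and matching the mark on the way back in.

```shell
#!/bin/sh
# Added example: per-MAC inspection exemption as generic netfilter rules.
# Assumptions (not from the thread): iptables-based firewall, LAN bridge br0,
# connmark bit 0x40 unused by the firmware. Whether the AiProtection engine
# honours an early ACCEPT in FORWARD is not established by the discussion.

# Validate a MAC address: six colon-separated hex pairs, any case.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Emit (but do not run) the rules that exempt one LAN client, identified by
# source MAC, from inspection in the FORWARD path.
#   $1  MAC address of the exempted client
#   $2  LAN interface (default br0)
# -m mac matches only in PREROUTING/INPUT/FORWARD and only on the frame's
# actual source MAC, so rule 2 catches LAN->WAN traffic. Rule 3 tags the
# connection; rule 5 lets the tagged return traffic back to the LAN without
# touching any other client's connections (unlike a bare ESTABLISHED match).
mac_bypass_rules() {
    mac=$1
    lan=${2:-br0}
    if ! valid_mac "$mac"; then
        echo "invalid MAC: $mac" >&2
        return 1
    fi
    mac=$(printf '%s' "$mac" | tr 'a-z' 'A-Z')
    printf '%s\n' \
        "iptables -N AIP_BYPASS 2>/dev/null || iptables -F AIP_BYPASS" \
        "iptables -I FORWARD 1 -i $lan -m mac --mac-source $mac -j AIP_BYPASS" \
        "iptables -A AIP_BYPASS -j CONNMARK --set-mark 0x40/0x40" \
        "iptables -A AIP_BYPASS -j ACCEPT" \
        "iptables -I FORWARD 1 -o $lan -m connmark --mark 0x40/0x40 -j ACCEPT"
}

# Usage: review, then pipe to sh as root on the router.
#   mac_bypass_rules 'aa:bb:cc:dd:ee:ff' br0
#   mac_bypass_rules 'aa:bb:cc:dd:ee:ff' br0 | sh
```

    Note the caveat: this exempts the client from anything hooked after the first FORWARD rule, in both directions, which is exactly the "open back door for one device" trade-off AndreiV describes above; it is the administrator's call, and it gives no protection to that client.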
  19. badbob001

    badbob001 Occasional Visitor

    Joined:
    Oct 30, 2012
    Messages:
    22
    I suppose an easy workaround is to install a second Asus router with AiProtection disabled and have the special-case systems connect to that. Maybe you can isolate this router in a DMZ so it only has access to the internet.

    I do wish Asus would make AiProtection more flexible. For example, I wish time scheduling and web/app filters were combined so that I could schedule when to block certain web/apps instead of just blocking all internet access. This would also require that the list allow for duplicate client entries so I could block certain things on one schedule and block others on other schedules.
     