Is the 2.5GbE LAN/WAN port a security risk?

I did a quick look through of the English AX86U PDF manual. Not surprised that there was nothing about using the 2.5 GB port for WAN. Thought it should be in the QIS area but it wasn't.
OE, have you tried it?

I've used the 2.5G WAN port...

I picked up a free cable modem upgrade from my ISP a few weeks ago and since it had a 2.5GbE port, I tried it... seems to work but I don't need it with 200/10 service and only two of us here.

I set WAN\Dual WAN\Primary WAN to 2.5G WAN and wired the 2.5G port to my cable modem. The default WAN/Internet port becomes LAN port5. I have not actually reset the firmware yet, but I trust doing so will swap the ports back to their defaults.

I have had a few brief instances of my browser not reaching websites. Been wondering about that... if there is some dual WAN timing/detection side effect going on that could be causing this.

Today I reverted to not using the 2.5G port and will keep an eye out for that browser glitch.

OE
 
And the answer is: Failsafe!

I took my router back to Asus firmware 300438646061, factory reset with initialize, on reboot I powered down. Moved the WAN cable to my ONT to the 2.5 GB port and powered the router on. When I started to configure the router the auto config did not find the WAN cable attached and I got an animated graphic prompting to connect a cable to the WAN port or a USB cable. I tried a manual config with no luck.

So OE, you and any unknowing newbie are safe. The 2.5 GB port has to be configured to WAN after initial setup with a cable in the WAN port.
 

Attachment: AX86U_2.5GB_WAN.jpg
I have had a few brief instances of my browser not reaching websites. Been wondering about that... if there is some dual WAN timing/detection side effect going on that could be causing this.

Nope... have seen it now without using the 2.5G WAN port. Perhaps it's related to the new cable modem, DoT, Quad9 and/or AiProtection... so many possibilities. :)

OE
 
And the answer is: Failsafe!

I took my router back to Asus firmware 300438646061, factory reset with initialize, on reboot I powered down. Moved the WAN cable to my ONT to the 2.5 GB port and powered the router on. When I started to configure the router the auto config did not find the WAN cable attached and I got an animated graphic prompting to connect a cable to the WAN port or a USB cable. I tried a manual config with no luck.

So OE, you and any unknowing newbie are safe. The 2.5 GB port has to be configured to WAN after initial setup with a cable in the WAN port.

You seem to be confirming the obvious... that reset firmware expects a WAN cable in the default WAN/Internet port.

What I want to know is if the WAN cable in the default LAN port5... the 2.5G port... presents a security risk to any other connected LAN clients... never mind the rest of the router. I didn't think this would be so hard to comprehend.

OE
 
I want to know is if the WAN cable in the default LAN port5... the 2.5G port... presents a security risk to any other connected LAN clients...
I think it's obvious that the HARD RESET converts the port back to LAN which is a CLIENT not SERVER configuration which doesn't present any IP traffic until it's reconfigured to do so. The configuration error not detecting it as a WAN port indicates no outside traffic will be permitted through the FW.

If you want to test it then test it and figure it out. @bbunge tested it and showed that it doesn't present a risk until the rest of the router is setup correctly. The hard default pushes it back to a factory config which doesn't have the port enabled for inbound traffic. If the FW has been changed to something other than factory default image and that image has been changed to set the primary function of the 2.5G port to be the WAN upon hard reset then that's something the dev or you would need to change to make that happen.

There's a ROM chip that stores the factory settings and pushes them upon initialization back to defaults. I have a .conf file on my AP that restores the settings as well. I overrode it with my own setup though to bring it back to my last known good options I configured instead of the BS from the factory that leaves everything wide open w/o security / PSK enabled properly. Routers though typically have a hardcoded set of variables that are invoked upon defaulting the device. When you step outside of Asus world though other OEMs may behave differently and can be configured to do something else.
 
The configuration error not detecting it as a WAN port indicates no outside traffic will be permitted through the FW.

If you are referring to this configuration error:

[screenshot: 1645567220615.png]

Note that it is discussing the default WAN/Internet port, not the 2.5G port that would still have the WAN cable plugged into it... into the LAN switch.

OE
 
Where's Tech9 when I really need an answer! :)

I'm so sorry, sir! It won't happen again. I was working. Please, accept my apology.

How are you today?

I believe you are totally safe for two reasons:

1) I've learned Asus routers don't reset easily - you need to follow a 10-step guide to do that. You can search for proper reset links around.

2) When the reset happens eventually, especially a proper one, you'll get a red WAN light and no Internet. If your modem is in bridge mode, your router's LAN side won't get an IP from your ISP, guaranteed. Your router won't be able to give an IP to your ISP either, otherwise you'll f*$k up the entire neighborhood. If your modem is in modem/router mode, you'll get two separate networks with own DHCP servers connected by a cable. Both routers will wonder what the f*$k is going on and if the owner is still in good mental health. This will happen behind first router's firewall, so the issue stays in the family.

:)
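The two outcomes described above (ISP DHCP reachable from the LAN in bridge mode, or a second router's DHCP in modem/router mode) both show up on a LAN client as a lease that did not come from your own router. The script below is an added example, not code from the thread or from Asus: a LAN-side lease audit that flags such leases. The router LAN subnet 192.168.50.0/24 and all sample leases are constructed assumptions.

```python
"""Added example, not from the thread: a LAN-side sanity check for the scenario
discussed above, where an ISP-facing cable ends up in a LAN switch port and the
ISP's DHCP (or a second router) becomes reachable by LAN clients.
All lease data below is constructed; the router LAN 192.168.50.0/24 is an assumption."""
from ipaddress import ip_address, ip_network

ROUTER_LAN = ip_network("192.168.50.0/24")      # assumed router LAN subnet
ROUTER_GW = ip_address("192.168.50.1")          # assumed router LAN address
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ip_network("100.64.0.0/10")             # ISP shared address space (RFC 6598)
LINK_LOCAL = ip_network("169.254.0.0/16")       # APIPA: no DHCP server answered at all


def classify_lease(addr: str, gateway: str, dhcp_server: str) -> str:
    """Return 'ok' or a short reason the lease did not come from our router."""
    ip, gw, srv = ip_address(addr), ip_address(gateway), ip_address(dhcp_server)
    if ip in LINK_LOCAL:
        return "no DHCP lease (APIPA); router DHCP unreachable"
    if ip in CGNAT:
        return "ISP shared address (CGNAT) leased directly to LAN client"
    if not any(ip in net for net in RFC1918):
        return "public address leased directly to LAN client; no NAT/firewall in front"
    if ip not in ROUTER_LAN:
        return "private address from a foreign DHCP server (second router on LAN)"
    if gw != ROUTER_GW or srv != ROUTER_GW:
        return "gateway or DHCP server is not our router"
    return "ok"


def audit(leases: dict) -> dict:
    """leases: host -> (addr, gateway, dhcp_server). Returns host -> verdict."""
    return {host: classify_lease(*lease) for host, lease in leases.items()}


# Constructed sample: a healthy client, one leased by a bridged ISP DHCP,
# one behind a second router, and one that got no lease at all.
SAMPLE_LEASES = {
    "laptop":  ("192.168.50.23", "192.168.50.1", "192.168.50.1"),
    "nas":     ("203.0.113.17", "203.0.113.1", "203.0.113.1"),
    "printer": ("192.168.1.40", "192.168.1.1", "192.168.1.1"),
    "tv":      ("169.254.7.9", "0.0.0.0", "0.0.0.0"),
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_LEASES).items():
        print(f"{host:8s} {verdict}")
```

On a real client, feed it the address, gateway and DHCP server reported by the OS (for example from the lease file or `ipconfig /all`); anything other than "ok" means the router is not the only thing handing out addresses on your LAN.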
 
I don't reset routers when they're still connected to the network and ISP.

They perform at their best for me when they're reset (fully) and properly configured before connecting to the internet or the local network.

Yes, that means that only the WiFi is used to configure the router, out of the box, for Asus routers. It is one of my 'tests' for new hardware (or hardware I haven't touched before).
 
I don't reset routers when they're still connected to the network and ISP.

They perform at their best for me when they're reset (fully) and properly configured before connecting to the internet or the local network.

Yes, that means that only the WiFi is used to configure the router, out of the box, for Asus routers. It is one of my 'tests' for new hardware (or hardware I haven't touched before).

For the sake of this topic, after you do your thing, assume you inadvertently plug the WAN cable into a LAN port and then run out to help a neighbor catch her cat.

Consensus seems to be that it is not a security risk until proven otherwise.

OE
 
For the sake of argument, let's assume that I did do that. The only thing that would be connected would be the router to the ISP and my wirelessly connected computer. I would also be logged in to the GUI and checking that I have a Public IP (it's what I do).

While the scenario isn't totally impossible, it is akin to needing descriptive warnings for what would be otherwise common sense (i.e. remove children from clothing before washing article).

Anyone this happens to will learn (quickly).

We can't save everyone; some are at distinct levels from others.
 
For the sake of argument, let's assume that I did do that. The only thing that would be connected would be the router to the ISP and my wirelessly connected computer. I would also be logged in to the GUI and checking that I have a Public IP (it's what I do).

While the scenario isn't totally impossible, it is akin to needing descriptive warnings for what would be otherwise common sense (i.e. remove children from clothing before washing article).

Anyone this happens to will learn (quickly).

We can't save everyone; some are at distinct levels from others.
You initially configure a router over WIFI?
Even Asus recommends:
Use a wired connection when setting up your wireless router to avoid possible setup problems.

While I have configured a router without a WAN connection I always use an Ethernet connected PC. Sorry but you are not as high in my esteem as you were...
 
You initially configure a router over WIFI?
Even Asus recommends:
Use a wired connection when setting up your wireless router to avoid possible setup problems.

While I have configured a router without a WAN connection I always use an Ethernet connected PC. Sorry but you are not as high in my esteem as you were...

WiFi shaming? Who'd a thunk it. :)

The real shame here is OEMs stripping too many ports off of laptops to compete with each other on cost and weight and power efficiency. The same nonsense has ruined tents... they are cheap and ultra light with mesh from floor to ceiling and nearly useless for shelter. Zero marginal cost will not end well for real goods. Someday we'll all be wireless admins.

OE
 
WiFi shaming? Who'd a thunk it. :)

The real shame here is OEMs stripping too many ports off of laptops to compete with each other on cost and weight and power efficiency. The same nonsense has ruined tents... they are cheap and ultra light with mesh from floor to ceiling and nearly useless for shelter. Zero marginal cost will not end well for real goods. Someday we'll all be wireless admins.

OE
Remember when laptops had PCMCIA slots? I still have a 250 MB PCMCIA hard drive. When it was new it doubled the capacity of the Toshiba laptop!
 
run out to help a neighbor catch her cat.

Good day, Sir!

How are you today?

In case you don't know - domestic cats get to 40 km/h speed in 2 seconds and have 6x faster reaction time than us, humans. Catching a cat with bare hands outdoors is as likely as catching a paying customer with bare home router configuration skills. I have suspicions the accent in this story is on her - the neighbor, not the cat. In this case where the WAN cable is plugged simply doesn't matter. Other much greater dangers may impact your life irreversibly.

Please, be wise and stay safe!

:)
 
Good day, Sir!

How are you today?

In case you don't know - domestic cats get to 40 km/h speed in 2 seconds and have 6x faster reaction time than us, humans. Catching a cat with bare hands outdoors is as likely as catching a paying customer with bare home router configuration skills. I have suspicions the accent in this story is on her - the neighbor, not the cat. In this case where the WAN cable is plugged simply doesn't matter. Other much greater dangers may impact your life irreversibly.

Please, be wise and stay safe!

:)

Actually, the accent was on both... her to get him out of the house and the cat to keep him out long enough for the hackers to find his open network. :)

OE
 
Remember when laptops had PCMCIA slots? I still have a 250 MB PCMCIA hard drive. When it was new it doubled the capacity of the Toshiba laptop!

Oh yeah... I remember spending $1600 for 4MB of RAM to help an 80286 PC run AutoCAD on DOS. We've come a long way since then!

OE
 
You initially configure a router over WIFI?
Even Asus recommends:
Use a wired connection when setting up your wireless router to avoid possible setup problems.

While I have configured a router without a WAN connection I always use an Ethernet connected PC. Sorry but you are not as high in my esteem as you were...

I initially configure all Asus routers over WiFi, yes.

That hasn't been true for a few years now.


[Wireless Router] How to set up ASUS Wi-Fi router via ASUS Router App? (QIS, Quick Internet Setup) | Official Support | ASUS Global

You can set up your wireless router by wired or wireless.

[Wireless Router] How to use the QIS (Quick Internet Setup) to set up Router ? (Web GUI) | Official Support | ASUS Global

You can set up your wireless router by wired or wireless.

Even RMerlin has stated several times that flashing firmware to an Asus router is much less of a hair-pulling experience than other brands (which is potentially more destructive than simply setting one up). The reason is that Asus verifies the firmware that is uploaded, before trying to blindly flash what the router received.

We have to try to keep up with the times. Old ways are thrown out when new procedures become available (and proven).

I always had an issue in trying to set up (specifically, connect the router to the WAN) a router before it was fully ready as I saw fit. This 'issue' has been solved for me for an awfully long time now. This is what also allows me to configure the router as much as possible at the office or my home before I actually install it in a customer's space.

For me with this process, the benefits are many. Including testing the radios when the router is barely out of the box. And yes, I do connect to both, reboot the router several times, and do not necessarily do all this set up with the router in the same room as my laptop either.

The laptop has downloaded all the files and utilities I need, while I'm in set up/test mode with the new contender.

This is also the reason why I can set up more than one router at a time (cost savings passed on to the customer).
 
This is exactly what I'm talking about. You ship your routers to someone, he configures them and sends them back to you. No more WAN cable mistakes. All the cats caught on time and returned to respective owners. Trouble-free and with cost savings on top. Too bad there is no such service in the US and some have to do it themselves. Sorry, @OzarkEdge. :D

(I knew it's coming...)
 
Oh yeah... I remember spending $1600 for 4MB of RAM to help an 80286 PC run AutoCAD on DOS. We've come a long way since then!

OE
We did document imaging with HP scanners attached to 8086s with the NetBEUI protocol and stored the images on 16 inch magneto-optical platters off of a Tandem server. Then we took the storage to jukebox MO disks attached to an 8086. Using NetBT we took the scanning and storage global on the early internet. Then came viruses, firewalls and increased security and the fun Internet changed forever...
 
Is there a latency penalty using the 2.5GbE port over the WAN port? I have a RT-AX86U, I think the 2.5GbE port is made by Realtek, and the other ports are all Broadcom?
 