new to Asus routers - help would be appreciated !

Discussion in 'ASUS AC Routers & Adapters' started by hasarouter, Nov 6, 2018.

  1. hasarouter

    hasarouter Occasional Visitor

    Joined:
    Nov 5, 2018
    Messages:
    14
    Hi,

    I just bought an Asus AT-AC88U and I have some generic questions on the router itself

    my firmware is : 2.094
    and AiMesh Router: Current Version : 3.0.0.4.384_32799-gfe72567

    a. are these the latest versions
    b. is there a mail service I can subscribe to and hear once there are firmware updates?
    c. I'm slightly confused as to what is the AiMesh Router software
    d. does it support DNS over HTTPS (DoH) ?
    e. when I connect to the router via HTTPS, I see an invalid certificate that's issued by the 192.168.1.1 - is this expected? it strikes me as odd, wouldn't a certificate signed by Asus have been more natural ?
    f. it asks for an email password to send email alerts, why does it need it? email address should be sufficient
    g. is there a way to turn on SPI - matching each incoming packet with an outgoing one
    h. does someone have experience with using WPA enterprise, ie does it work well with IoT devices ?
    i. I see the router stores in plaintext the password for the WiFi, is it possible to change this to storing a hash of the password ?
    j. can I enable administrative access only from a LAN port ( to disable admin access via the WiFi )

    Thanks !
     
  3. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,757
    Location:
    UK
    1. There's no such thing as an AT-AC88U so I guess you mean RT-AC88U.

    a) I don't know why they use the word "Firmware" there, it's misleading. Maybe another translation problem from Chinese.
    2.094 is the "signature" version of the AiProtection database. It will update itself periodically.
    The actual firmware version is 3.0.0.4.384_32799-gfe72567. You can check for the latest firmware here: https://www.asus.com/us/Networking/RT-AC88U/HelpDesk_BIOS/
    3.0.0.4.384.32799 is the current version.
    b) No.
    c) See a), it's the actual firmware version.
    d) I don't believe so.
    e) That's normal.
    f) Don't know, don't use it.
    g) SPI is always on, the router wouldn't work otherwise.
    h) Never used it. You would have to set up a RADIUS server on your LAN. I doubt many IoT devices support it.
    i) No.
    j) No, you can only restrict it by IP.
     
    hasarouter likes this.
  4. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,266
    Location:
    Canada
    d) No.
    f) Because SMTP servers require user authentication to allow email relaying.
     
    hasarouter likes this.
  5. Grisu

    Grisu Very Senior Member

    Joined:
    Aug 28, 2014
    Messages:
    1,294
    b) only shown as exclamation mark in GUI network map on right top corner
    c) AiMesh is for meshing more Asus routers together and you only need to configure the parent router, nodes will find their best backhaul via LAN or WLAN and configure themselves but still with limited functionality. AiCloud are some special Asus features.
    j) with a workaround, hide your main SSID with strong password and allow all clients only via guest network, so they can't access router GUI. And disable LAN access too of course.
     
    hasarouter likes this.
  6. hasarouter

    hasarouter Occasional Visitor

    Joined:
    Nov 5, 2018
    Messages:
    14
    I don't think they do - at least I'm certain 15 years ago SMTP required no authentication , which is why I'm surprised it needs a password
     
  7. hasarouter

    hasarouter Occasional Visitor

    Joined:
    Nov 5, 2018
    Messages:
    14
    Re j) is it really hidden or it's just that it doesn't show up in the lists of WiFi's to connect to - eg can an attacker discover a hidden WiFi network ?
     
  8. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,757
    Location:
    UK
    hasarouter likes this.
  9. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    13,491
    Location:
    San Diego, CA
    It does pretty much these days - client auth is needed, and many require TLS/SSL auth, even over trust tunnels like VPN or internal SMTP hosts.
     
  10. hasarouter

    hasarouter Occasional Visitor

    Joined:
    Nov 5, 2018
    Messages:
    14
  11. hasarouter

    hasarouter Occasional Visitor

    Joined:
    Nov 5, 2018
    Messages:
    14
    Thanks for this, it looks like I'm out of date with respect to networking protocols
     
  12. hasarouter

    hasarouter Occasional Visitor

    Joined:
    Nov 5, 2018
    Messages:
    14
    One more question, I have upnp switched off yet chromecast, sonos, skype, telegram all work - is upnp really off or there's a catch ?
     
  13. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,757
    Location:
    UK
    I don't use any of those things, but chromecast and sonos sound like things that stream media over the local network. So they wouldn't use UPnP, just multicast traffic.

    Just to be clear here, I'm assuming we're talking about UPnP IGD, i.e. the automatic forwarding of ports through the firewall. There is another, completely different UPnP called "UPnP AV" which deals with streaming local media (like DLNA).

    You can check if there's any port forwarding currently happening at System Log > Port Forwarding.
     
    hasarouter likes this.
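Added example, not part of the original posts: the UPnP IGD versus UPnP AV distinction drawn above is visible in the search-target (ST) header of SSDP discovery replies, so replies collected on your own LAN can be sorted into "offers port mapping" and "local media only". The replies, addresses and the `reply` helper below are constructed for illustration.

```python
# Search-target (ST) prefixes, lower-cased. IGD is the port-forwarding side of
# UPnP; MediaServer/MediaRenderer are the UPnP AV (DLNA) side.
IGD = ("urn:schemas-upnp-org:device:internetgatewaydevice:",
       "urn:schemas-upnp-org:service:wanipconnection:",
       "urn:schemas-upnp-org:service:wanpppconnection:")
AV = ("urn:schemas-upnp-org:device:mediaserver:",
      "urn:schemas-upnp-org:device:mediarenderer:")

def parse_ssdp(raw):
    """Split one SSDP reply into its status line and upper-cased headers."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers

def classify(raw):
    """Return 'igd', 'av', 'other', or 'ignored' for a non-200 reply."""
    status, headers = parse_ssdp(raw)
    if not status.startswith("HTTP/1.1 200"):
        return "ignored"
    st = headers.get("ST", "").lower()
    if st.startswith(IGD):
        return "igd"
    if st.startswith(AV):
        return "av"
    return "other"

def igd_locations(replies):
    """LOCATION URLs of every reply that advertises port mapping (IGD)."""
    return sorted({parse_ssdp(r)[1].get("LOCATION", "?")
                   for r in replies if classify(r) == "igd"})

def reply(st, location):
    """Build a constructed SSDP reply for the sample data below."""
    return (f"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
            f"ST: {st}\r\nLOCATION: {location}\r\n\r\n").encode()

# Constructed sample replies, not captured traffic.
SAMPLE = [
    reply("urn:schemas-upnp-org:device:MediaRenderer:1", "http://192.168.1.50:1400/desc.xml"),
    reply("urn:dial-multiscreen-org:service:dial:1", "http://192.168.1.51:8008/dd.xml"),
    reply("urn:schemas-upnp-org:device:InternetGatewayDevice:1", "http://192.168.1.1:5000/rootDesc.xml"),
]

if __name__ == "__main__":
    print("IGD responders:", igd_locations(SAMPLE))
```

An empty IGD list alongside working media devices matches the situation described in the thread: streaming and casting keep working while nothing on the LAN offers automatic port forwarding.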
  14. hasarouter

    hasarouter Occasional Visitor

    Joined:
    Nov 5, 2018
    Messages:
    14
    Thanks ! and I guess Skype these days is no longer P2P-based and instead each client talks to Microsoft servers

    So effectively upnp would only be needed for a camera to watch our home while we're away I guess - are there any cameras you're aware of that do not require upnp ? ( it's entirely possible, if they could ie connect to the manufacturer's servers instead of letting the client app connect to the camera )
     
  15. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,757
    Location:
    UK
    Sorry, I don't know anything about cameras. Like you, I'd guess that there must be some that don't require port forwarding. I'd imagine any of the high-end "Nest"-like devices that can be administered from "the cloud". The cheap Chinese devices won't because it would require the manufacturer to maintain an ongoing server infrastructure.
     
    hasarouter likes this.
  16. OzarkEdge

    OzarkEdge Very Senior Member

    Joined:
    Feb 14, 2018
    Messages:
    755
    Location:
    USA
    I've never enabled UPnP and have never had related issues... Skype and Chromecast have always worked... as does a Wyze Cam camera.

    OE
     
    hasarouter likes this.
  17. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,266
    Location:
    Canada
    The SMTP protocol in itself when dealing with MTA-to-MTA doesn't require authentication. However mail submission (MUA to MTA) will require authentication to prevent spammer abuse.

    Many ISPs will use ACLs to provide unauthenticated access to their own customers (i.e. no authentication might be needed if you are submitting a mail from an IP address belonging to that ISP). In the router's case, it cannot guess what SMTP your ISP uses, therefore it relies on a public SMTP - in this case, Google's.
     
    hasarouter likes this.
  18. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    13,491
    Location:
    San Diego, CA
    MTA and MUA - these days, between SPF/DKIM and DMARC - even if one can find an "open" relay, you'll likely get bounced... SPF and DKIM do start to build, or should I say rebuild, the circle of trust around SMTP.

    MUA to MTA - the trust relationship is built on the edge with the SMTP user/pass there, whether it is SSL or TLS (or combination thereof).

    There's still open SMTP on port 25, but thru efforts of groups like M3AAWG (the Anti-SPAM, anti-malware industry group, search for them if curious), open relays are going away, or becoming more difficult to use.

    ssmtp - it's a small application that acts as an outgoing MUA, and does support TLS/SSL to a valid account - it's in the debian repos, and perhaps in the redhat as well - I think entware also has a version in their repository. I host a github source repo for historical purposes...
     
    hasarouter likes this.
  19. hasarouter

    hasarouter Occasional Visitor

    Joined:
    Nov 5, 2018
    Messages:
    14
    Thanks @RMerlin , @sfx2000 - it's been a bit since I had worked with an SMTP server, it's actually good to hear fake mail is essentially dead, though I wish I didn't have to give my email password to the router (which stores it in plaintext it seems)
     
  20. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    13,491
    Location:
    San Diego, CA
    Even ssmtp stores the password in plain text unfortunately, so one has to consider the read/write permissions in the directory where the config is stored - but this also goes towards general device and account security - only trusted users should be able to access the device in the first place, and then, admin privileges from there to edit/view files on the host...
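Added example, not part of the original post: a small audit of the point above, checking that a mail config holding a plaintext `AuthPass` is not readable or replaceable by other users. The temporary path, host name and credentials are constructed; on a real host you would pass the actual config path to `audit`.

```python
import os
import stat
import tempfile

def holds_plaintext_secret(path):
    """True if the file has a non-comment, non-empty AuthPass=... line."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            if key.strip().lower() == "authpass" and value.strip():
                return True
    return False

def audit(path):
    """Return permission findings for a config file and its directory."""
    findings = []
    if not holds_plaintext_secret(path):
        return findings
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append("file is world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is writable by group or others")
    parent = os.path.dirname(os.path.abspath(path))
    dmode = os.stat(parent).st_mode
    # A world-writable directory lets any user swap the file, unless sticky.
    if dmode & stat.S_IWOTH and not dmode & stat.S_ISVTX:
        findings.append("directory is world-writable")
    return findings

def demo():
    """Constructed sample: audit the same file with loose, then tight, modes."""
    directory = tempfile.mkdtemp()
    os.chmod(directory, 0o700)
    path = os.path.join(directory, "ssmtp.conf")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("# constructed sample\nmailhub=smtp.example.com:587\n"
                 "AuthUser=alerts@example.com\nAuthPass=not-a-real-password\n")
    os.chmod(path, 0o644)
    loose = audit(path)
    os.chmod(path, 0o600)
    tight = audit(path)
    return loose, tight

if __name__ == "__main__":
    print(demo())
```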
     