Secure Asus RT-AX3000 home network router

GoldWing

Regular Contributor
I've recently upgraded to an Asus RT-AX3000 to have a home router that is WiFi 6 (a.k.a. 802.11ax or WPA3) compatible.

With the upgrade I'm trying to secure the router and home network as much as possible, and learning in the process. I'm no network expert.

Because I would like to enable HTTPS login to the router with 2 home wired (i.e. J45) PCs to the router I'm thinking the Let's Encrypt alternative is the best route.

Questions:

1) How can I make sure the router connects to the internet via port 80 for domain validation and certificate renewal? See the "RT-AX3000_WAN_DDNS_tab2.jpg" image below of what I believe is the correct area to set up Let's Encrypt within the RT-AX3000, which would be Advanced Settings > WAN > DDNS tab. I did do some searching and found some information about port forwarding per the URL of "https://www.asustor.com/knowledge/detail/?group_id=1006", which I do not know for sure is applicable, and I do not know about the NAS settings' applicability.

2) How do I obtain the Let's Encrypt certificate for the router?

3) Is having port 80 open for Let's Encrypt a security issue for the home network? I did some research on this issue and did find the URL of "https://letsencrypt.org/docs/allow-port-80/" on Let's Encrypt, but would appreciate other users' / experts' feedback on this issue. I'm not sure my E setting below is going to cause a problem for Let's Encrypt, so your feedback would be appreciated.


I've followed Asus FAQ 1039292 at https://www.asus.com/support/FAQ/1039292. What I've done so far is below. Besides the questions above I would appreciate an evaluation of what I'm attempting to do to secure the router and my home network.

A) Downloaded an OpenVPN file from NordVPN and uploaded the VPN client file into the RT-AX3000 to provide a VPN tunnel from the router to the internet, knowing this is not going to secure WiFi connections to the router in an urban setting with a lot of WiFi around. Some streaming services do not like VPNs, so occasionally I do turn the router's VPN client off and use the NordVPN client on my laptop, either wired or with WiFi. Noting B below, the problem with using NordVPN's client on the PCs is that the laptop's NordVPN client does override the router's DNS setting with Cloudflare.

B) Used Cloudflare for DNS using Strict rule for DoT connections on port 853.

C) Enabled AiProtection by Trend Micro.

D) Enabled the Traffic Analyzer by Trend Micro.

E) Enabled the firewall.

F) Enabled Access Restrictions on the Advanced Settings > Administration > System tab per the "RT-AX3000_Local_Remote_Restrictions.jpg" image below.

Your feedback and opinions would be appreciated!

Thank You!

GoldWing
 

Attachments

  • RT-AX3000_WAN_DDNS_tab2.jpg (84.1 KB)
  • RT-AX3000_Local_Remote_Restrictions.jpg (80.4 KB)
Are you securing the router from your own devices with HTTPS and restricted access? This is not needed on most home networks.

Use the router's default settings for what you are not familiar with. It's secure enough by default. You don't need all-network VPN as well.

What's the DDNS account used for?
 
You did not show your DoT settings and I would like to recommend you use Cloudflare Secure as this filters malware. Recommended setup in the attached image. Quad9 or CleanBrowsing are alternatives. With these you do not need to specify port 853.
T9 is right, you do not need Let's Encrypt unless you plan to access your router from the web. No need to allow port forwards either. Access restrictions in the Administration/System area can get you into trouble which would require a router reset. HTTPS access does not add security when you access the router from the LAN. And I recommend you run WPA2/WPA3-Personal as some of your clients may not like WPA3. I have a couple of clients that do not like WPA2/WPA3-Personal so I've set up a guest network with just WPA2-Personal for them.

You should also be on firmware version 3.0.0.4.386.49674.
 

Attachments

  • DoT-Cloudflare.jpg (59.4 KB)
There are way more alternatives available. AdGuard DNS blocks ads as well. OpenDNS allows free custom filtering categories.

My suggestion to @GoldWing - reset this router to factory defaults and stop playing with settings until you know what they do.
 
Are you securing the router from your own devices with HTTPS and restricted access?

No. The point was to provide an HTTPS secure login to the 2 wired (i.e. J45) PCs connected to the router. Unless I missed something, the Asus certificate that you can download from within the router's Web GUI interface can be used on only 1 PC (i.e. 2 <> 1).


This is not needed on most home networks.

I'm doing it to learn. You are entitled to your opinion, with which I disagree.

Use the router's default settings for what you are not familiar with. It's secure enough by default. You don't need all-network VPN as well.

Generally agree, because most of what Asus suggests in their FAQ 1039292 at https://www.asus.com/support/FAQ/1039292 is the default setting. However, a few default settings need to be changed to follow Asus's FAQ 1039292 suggestions. As mentioned previously, this provides learning lessons to me on how to be more secure.


What's the DDNS account used for?

It is suggested by Asus per method #2 in their FAQ 1034294 (URL https://www.asus.com/us/support/FAQ/1034294/) to use Let's Encrypt to provide an HTTPS secure login, which is why I asked questions #2 and #3. Either I misunderstand FAQ 1034294 and the additional reading that I've done, or there are additional issues which from my understanding need to be addressed. See the other URLs that I've provided in my original post.

Your feedback and opinions are appreciated.

Thank You!

Regards,

GoldWing
 
Yes, you are misunderstanding the FAQ. "Method 2: Let's Encrypt function" is only applicable if you're wanting to access the router remotely from the internet.

If you're only accessing the router from your LAN you can either use HTTP or HTTPS and ignore the warning (it's your router so you know you can trust it). If the warning really bothers you then use "Method 1: Install certificate".
 
You did not show your DoT settings and I would like to recommend you use Cloudflare Secure as this filters malware. Recommended setup in the attached image. Quad9 or CleanBrowsing are alternatives. With these you do not need to specify port 853.

I am presently using Cloudflare, which apparently isn't the Secure filter that you are using. See the "RT-AX3000_DNS_DoT_Settings.jpg" image attached.

T9 is right, you do not need Lets Encrypt unless you plan to access your router from the web. No need to allow port forwards either. Access restrictions in the Administration/Systems area can get you into trouble which would require a router reset. HTTPS access does not add security when you access the router from the LAN.
As I've previously stated to T9, trying stuff is how I learn. I may want access to my LAN from the Web in the future. I don't know for sure, which is another reason to learn now. I learn by doing. If I crash and burn, I just pick the pieces up later. :)

I've already done a number of resets on this new RT-AX3000. In the process I'm becoming more familiar with the settings in the RT-AX3000's Web GUI interface.

And I recommend you run WPA2/WPA3-personal as some of your clients may not like WPA3. I have a couple of clients that do not like WPA2/WPA3-Personal so I've set up a guest network with just WPA2-Personal for them.

You should also be on firmware version 3.0.0.4.386.49674.

I am using WPA3 on the 5 GHz setting for my iPhone connection, and my laptop when I am doing less secure stuff. When I log in to financial accounts, insurance accounts, or Health Care Network provider accounts I do like to use a wired J45 connection.

I would still like someone's input on making the Let's Encrypt function work with the RT-AX3000. I do like to learn, and do not mind picking up the pieces later. I've picked up pieces professionally in the past. I've learned you need patience when putting the puzzle together again, which in most instances provides additional learning lessons. :)

Your feedback and opinions are appreciated.

Thank You!

Regards,

GoldWing
 

Attachments

  • RT-AX3000_DNS_DoT_Settings.jpg (89.9 KB)
  • RT-AX3000_FirmwareVersionCheck.jpg (73.6 KB)
I may want access to my LAN from the Web
Opening up the web admin GUI from the internet won't give you access to your LAN devices. If you want to access your router to administer the router from the internet, then you should indeed install a TLS cert (or live with the self-signed cert).

For the LE cert, just follow the instructions is what I'd advise. I think your questions about process will be answered as you experience it. I don't think you'll need to create any port forward rules to get/renew certs.

I'd also suggest to ignore the ASUSTOR stuff (that is for NAS devices, not routers).
 
As a couple of us old heads have stated, Let's Encrypt will not enhance the security of the connection between the router and a PC on the LAN, wired or wireless. Yes, you can play with it, but you will become frustrated in time and give up.

Remove port 853 from your DoT settings. Stubby, which handles DoT, uses port 853 by default. And the recommendation to use a filtering DNS service such as Quad9 or Cloudflare Secure is really important in keeping your browsing safe! Even if you are careful, without it you will get hit in time.
The Cloudflare Secure is a manual entry: use IP addresses 1.1.1.2 and 1.0.0.2 and security.cloudflare-dns.com
Unless you have hacker neighbors, the WiFi security is as good as using an Ethernet connection. WPA2 can be hacked and WPA3 is not a finished product and has some known bugs. However, the trouble to hack a home network WiFi is just not worth it.
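What the router's DoT setting does on the wire, as an added example that is not from this thread, from Asus, or from Stubby: open a TLS session to the resolver on port 853, verify the resolver's certificate against the hostname you typed (which is why a wrong name fails rather than silently talking to an impostor), send a length-prefixed DNS query, and parse the reply. The addresses 1.1.1.2 / 1.0.0.2 and the name security.cloudflare-dns.com are the ones quoted in the post above; the example.com lookup, the fixed transaction ID and the function names are assumptions of this example. Port 853 is the registered DoT port, which is why the GUI does not need it spelled out.

```python
"""Minimal DNS-over-TLS (RFC 7858) client in the Python standard library.
Added example for this thread; not Asus, Stubby or Cloudflare code."""
import socket
import ssl
import struct

DOT_PORT = 853  # registered DNS-over-TLS port; Stubby's default, so it need not be typed

# Cloudflare Secure (malware-filtering) endpoints as given in the thread.
CLOUDFLARE_SECURE = (("1.1.1.2", "security.cloudflare-dns.com"),
                     ("1.0.0.2", "security.cloudflare-dns.com"))


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive query (no EDNS) for `name`; qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def _read_name(data: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data: bytes) -> dict:
    """Return the transaction id, RCODE and any A-record answers of a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TLS session early")
        buf += chunk
    return buf


def query_dot(name: str, server_ip: str, sni: str, timeout: float = 5.0) -> dict:
    """Resolve `name` over DoT, verifying the resolver's certificate against `sni`."""
    ctx = ssl.create_default_context()  # system CA store, hostname verification on
    query = build_query(name)
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length framing
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            reply = parse_response(_recv_exact(tls, length))
    if reply["txid"] != 0x1234:
        raise ValueError("transaction id mismatch; reply does not match our query")
    return reply


if __name__ == "__main__":
    for ip, sni in CLOUDFLARE_SECURE:
        print(ip, query_dot("example.com", ip, sni))
```

Running it from a LAN host confirms that the resolver answers on 853 with a certificate valid for security.cloudflare-dns.com; if the router's DoT entry is wrong, the same handshake is what Stubby fails on, and a handshake failure (rather than a plaintext fallback) is the behaviour you want.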
 
For the LE cert, just follow the instructions is what I'd advise. I think your questions about process will be answered as you experience it. I don't think you'll need to create any port forward rules to get/renew certs.

I did use LE and got the DDNS to work on WAN. See the "RegistrationIsSuccessful_w_IssuedToErased.jpg" file attached. The problem was that I couldn't log back in after logging out of the router with the suggested URL. I was still able to log into the router using the IP address because I had authentication set to both, so tried port forwarding with the suggested URL with no luck.

I tried exporting the Asus certificate from the router, and the Authentication set to HTTPS only with a subsequent successful login. So I'm guessing LE had problems with port 80, or something else was not working properly.

I appreciate your feedback and opinions!

Thank You!

Regards,

GoldWing
 

Attachments

  • RegistrationIsSuccessful_w_IssuedToErased.jpg (91.9 KB)
And the recommendation to use a filtering DNS service such as Quad9 or Cloudflare Secure is really important in keeping your browsing safe! Even if you are careful without it you will get hit in time.

Doesn't AiProtection, included in the Asus RT-AX3000 Web GUI, provide similar protection to a DNS filtering service? See https://www.asus.com/support/FAQ/1008719 for Asus's selling points.

I appreciate your feedback and opinions.

Thank You!

Regards,

GoldWing
 
Why not? Isn't that what AiProtection's "Malicious sites blocking" option does?
No. Malicious sites blocking just prevents devices on the network accessing malicious sites. It's a one-way thing.
 
No. Malicious sites blocking just prevents devices on the network accessing malicious sites. It's a one-way thing.
How is that practically different from a DNS service preventing access to those same malicious sites?
 
Horses for courses. If you trust Trend Micro, use AiProtection. If you trust a DNS service that's kept fully up to date, use that. Use both if you want.
I don't share my connection with teenagers or black hats so my choice is made for me. I'm the only one responsible in my household.
 
Horses for courses. If you trust Trend Micro, use AiProtection. If you trust a DNS service that's kept fully up to date, use that. Use both if you want.
I don't share my connection with teenagers or black hats so my choice is made for me. I'm the only one responsible in my household.
Thanks. So effectively there's little difference. It's just a matter of preference.
 

Yes. It can't do packet inspection on this hardware and it can't see encrypted data; it blocks sites based on URL.
 