Asus/Merlin Firewall features?

[BrKe]

Hello. I'm looking to replace my router with something a little more feature rich. I'm still on DSL at the moment so ideally would like a DSL and WAN router to future proof.

I've seen the Asus DSL-AX82U and saw that there is a version of Merlin for it too (but an off shoot?). I've tried to find some info, but just wondered if anyone with experience of this line of routers or the firmware could help please?

I like a lot of the features that come with the router (Ai and QoS look good), but I have a couple of specific requirements about the firewall.

1 I've seen some info about inbound rules not working, is this fixed or is there a workaround? I need to open certain ports up to my LAN from the WAN.

2 The opposite of above! For the majority of internal clients, they should be allowed to the internet. But for certain ones, I would like to restrict the ports they are able to connect to the WAN on. On my current router this is called "Service filtering". In the stock Asus it looks like it only allows 32 entries but I will need more. Is this possible? Currently, I have to block groups of ports, but I'm happy to block all ports and only allow exceptions if this is possible for these clients too. (I don't know if I need to use this or if there is a way of creating outbound firewall rules?)

Any pointers would be appreciated!

 

[ColinTaylor]

1. Ignore the Inbound Firewall Rules, you would use the WAN - Virtual Server / Port Forwarding rules. These work the same as on any other router.

2. Yes you can use the Network Services Filter to create Allow or Deny lists of source/destination addresses and/or ports. In Merlin's firmware you can have more than the stock 32 rules. Not sure how many on the DSL-AX82U, but on the RT-AX86U it's upto 128. But there's also AiProtection - Web & Apps Filters which allows you to block certain categories of sites, like porn and gambling. Similarly you could use an upstream DNS filtering service to restrict access to those sites.

 

[BrKe]

1. Ignore the Inbound Firewall Rules, you would use the WAN - Virtual Server / Port Forwarding rules. These work the same as on any other router.

2. Yes you can use the Network Services Filter to create Allow or Deny lists of source/destination addresses and/or ports. In Merlin's firmware you can have more than the stock 32 rules. Not sure how many on the DSL-AX82U, but on the RT-AX86U it's upto 128. But there's also AiProtection - Web & Apps Filters which allows you to block certain categories of sites, like porn and gambling. Similarly you could use an upstream DNS filtering service to restrict access to those sites.

Thanks for the info. The incoming sounds like it will be fine then.

Outbound, can the Network Services Filter have rangers of ports do you know in one entry? What I'm looking to achieve isn't blocking categories of sites for these devices, but blocking access to certain ports on the internet.


For example, 192.168.1.50 I might only want to be able to access the internet on ports TCP and UDP 53, 80, 123, 443 and block all other ports for it.

 

[ColinTaylor]

A limitation of Network Services Filter is that you're creating a global Allow or Deny list of rules. You can't mix and match allow and deny rules on a rule-by-rule basis.

You can create rules that have a port range (e.g. 21000:22000), but not a list (e.g. 53, 80, 123, 443). Port lists would have to be created as separate rules.

If you're using Merlin's firmware (or the fork) you have the option of create any iptables rules you like using a firewall-start script. This would have to be created and administered through SSH and would not be reflected in the webUI.

 

[BrKe]

Thanks again.

No problem with the global rules, as by standard everything internal to out would be allowed and the exception would be block.

It's good the rule can have a port range, do you know if it can also have an internal IP range? Eg 192.168.0.50:192.168.0.59? Destination IP would be everything.

With

iptables

do you know if these rules work in addition to the ones in the UI or replace them? So, I can create the majority of rules on the UI and only use

iptables

for the extra blocking I need? Or would I have to use

iptables

for everything?

I'd rather the wan to internal rules, NAT etc done in the UI and only the roles to block these specific things in

iptables

 

[ColinTaylor]

The source/destination IP cannot be a range as such but it can be given as a CIDR. So you can use a CIDR calculator to cut down on the number of individual rules.

Any custom iptables rules will work independently of the GUI rules. So provided you take time to check where you insert them and the order of precedence it shouldn't be a problem.

 

[BrKe]

So, does the GUi create the iptables rules so I can print them off when I've created the ones in the GUi and then ensure the block rules they are manually created using the command line are inserted at a certain point?

CIDR could be an option for me if the GUI accepts that so it might be something I can do also.

 

[ColinTaylor]

Yes. You can SSH into the router and issue an iptables-save command to see all of the current firewall rules.

 

[BrKe]

That's great appreciate your time and help.