Basic Asus ACxxU firewall questions

JarleH

Regular Contributor
I am new to consumer firewalls so to speak, my old firewall that I have used since let me see...about year 2006, was a Sonicwall business firewall, and had a very different GUI. In the Asus firewall GUI things are a bit 'dumbed down' so to speak, to make it easier for normal users, so I have a few questions :)

Got my AC56U yesterday and got it set up, at least as far as my knowledge goes.

Since I am new to the brand there are a few things I am wondering about:
- does the firewall per definition stop ANY traffic from outside, if it is not initialized from the inside?

- do you guys use the (auto) port triggering/opening feature? Isn't this a bit unsecure, if let's say you get a trojan/virus, and it then auto opens ports in the router and starts doing its destruction? (I have turned this off and use manual port opening)

- the only openings in the router that I have done is opening for steam (incoming)
https://support.steampowered.com/kb_article.php?ref=8571-GLVN-8711
Normally I do not think this is needed, but for a few old tech games like the Dawn of War 2 games (and maybe CoH games) I think this is needed for problem-free/'lag-free' play. Sounds about right?

- outgoing EVERYTHING is open by default right?

- if a program is UPnP, it will auto open ports in the firewall right?

In general I am pleased so far, but I have 2 comments to Asus:
1- in the manual for the firewall the user name and password for login was NOT clearly stated in the start as it should have been, it was in the 'back' of the manual, this should be moved to the initial setup section
2- I had a strange experience with initial setup. First it ran a firmware update in the setup, but after the setup was finished and I ran firmware search manually, it was still not updated to the latest one, and it updated once more. Kinda strange it did not update to the newest one right away...

Hoping for a hassle free home-IT-life with my new Asus firewall :)

jarle
 
No reply at all? Shouldn't these be easy questions to answer for people with a lot more insight than me on Asus routers?

jarle
 
- outgoing EVERYTHING is open by default right?
Correct

- if a program is UPnP, it will auto open ports in the firewall right?
Correct

You really don't want to allow on the firewall unless you would like traffic coming into your network, like hosting a Web server or FTP server.

Chris
 
I'm new to these forums, if bringing up an old thread is frowned upon over starting a new one then please say so nicely :D

I have a brand new AC66U and am having some VERY basic questions as well. Like the OP I am pretty well versed in enterprise firewalls from Sonic/CheckPoint/Cisco, however unlike the OP I have also used consumer class devices from Netgear/D-Link/Linksys. This Asus has a much different configuration interface and I need essentially a sanity check.

The quick start pamphlet is useless for anything other than just connecting it and running an out-of-the-box config. So I download the 70 page PDF manual and do not see a firewall section, then I use search and the word "firewall" is not even in there!

The firewall tab in the configuration GUI essentially is either on or off with no option to make exceptions/conduits. This is baffling to me. The services filter tab that is within the firewall section only affects outbound traffic I think, is that right? So do I have a firewall that either blocks everything or nothing? Or does the "port forwarding" feature control all pass-through (inbound) traffic and override any firewall settings?
 
Port forwarding creates the inbound pass-through (NATed) and overrides the deny all. Just add the ports you need incoming in the port forwarding rules and you'll be set. If you want IPv6 firewalling, then you'll need Merlin's firmware or to add rules manually in ip6tables.
 
By default (and as used by 95% of users), the router works in NAT. That means you don't have access lists like in a traditional business-class firewall, but instead you forward ports to specific devices on your LAN. By design, NAT doesn't allow any traffic in onto your LAN, unless a connection has already been established by an outgoing client (this is the stateful part of the firewall, inherent to NAT).

The level of configuration possible is somewhat limited (can't select a source IP, for example) because this is a bit beyond what typical home users need. To go beyond that, you will need to go through the custom firmware routes, and be familiar with iptables.
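
The source-IP restriction this reply says the stock GUI cannot express, written as plain iptables rules next to the default-deny, stateful baseline it describes. This is an added example, not part of the original post and not the Asus firmware's own rule set; the interface names (eth0 for WAN, br0 for LAN), the addresses and the port are constructed assumptions.

```sh
#!/bin/sh
# Added example: generic Linux netfilter rules, not the Asus firmware's chains.
# Assumptions (constructed): WAN=eth0, LAN=br0, LAN host 192.168.1.50,
# allowed remote network 203.0.113.0/24, sample service port 443.
# Dry run by default: commands are printed. APPLY=1 (as root) installs them.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-br0}"

ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Baseline the thread describes: nothing unsolicited comes in, replies to
# LAN-initiated connections are allowed, everything outbound is open.
stateful_baseline() {
    ipt -P FORWARD DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# forward_from SRC_CIDR PROTO PORT LAN_IP
# A port forward that only SRC_CIDR can use; other sources still hit the DROP.
forward_from() {
    src="$1"; proto="$2"; port="$3"; lan_ip="$4"
    # nat table: rewrite the destination of matching WAN packets.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -s "$src" -p "$proto" \
        --dport "$port" -j DNAT --to-destination "$lan_ip:$port"
    # filter table: admit the new, already-translated connection.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$src" -d "$lan_ip" \
        -p "$proto" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

stateful_baseline
forward_from 203.0.113.0/24 tcp 443 192.168.1.50
```

On a router whose FORWARD chain is already populated, rule order matters: these would have to be inserted with -I ahead of the chain's final drop rule rather than appended.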
 
Thanks for the replies and sanity check.

The level of configuration possible is somewhat limited (can't select a source IP, for example) because this is a bit beyond what typical home users need.

It appeared this might be possible with the whitelist feature, but I haven't tried messing with that yet.
 
