Do you guys use Firewall ?

[EVO2point0]

Hi folks.

I've recently replaced RT-AC68U with RT-AC88U and been happy with increased Wi-Fi coverage.

So far, I have had Firewall and AiProtection disabled on Asus routers and wondering if you gurus use those security features within Asus routers ?

 

[Deleted member 22229]

Yes you need the firewall unless you have another device performing the firewall function. The firewall is the only wall between you and the internet not having one will leave your network open to hack or worse. Bottom line a firewall is a must.

 

[fax]

I have AiProtection and Firewall turned ON. AiProtection provides a real added value in terms of protection without any noticeable overheads, at least here.

 

[RMerlin]

You should never disable the firewall on the router unless you have a very specific reason for doing so.

 

[EVO2point0]

Thanks, guys.
I was always under impression that NAT is safe enough (in other words, firewall is not necessary) for average home users. Hence, I never used it with previous AC68U (with Asus AiProrection disabled, too).

Heck, I’ve always disabled Windows Firewall since it was introduced back in Windows XP SP2. Only recently, Microsoft UWP games requiring Windows 10 firewall made me to turn it back on in Windows.

With that being said, if this is a bad habit of mine, I always am willing to learn and change.

 

[RMerlin]

NAT might protect your LAN, but it won't protect your router itself.

 

[Trentors]

Thanks, guys.
Heck, I’ve always disabled Windows Firewall since it was introduced back in Windows XP SP2. Only recently, Microsoft UWP games requiring Windows 10 firewall made me to turn it back on in Windows.

With that being said, if this is a bad habit of mine, I always am willing to learn and change.

Why would you disable a firewalls? It makes no sense. Yes a NAT may deal with most attacks but some it does not and why take that risk? Please read this (and enable all your firewalls):
https://f5.com/resources/white-papers/the-myth-of-network-address-translation-as-security

And AIProtection you also disable? Why? If any of your devices are compromised (which can happen in these IoT) days the IPS will prevent you from being a part of a botnet. And it will also prevent connections to many malicious sites and URL's.

10-15 years ago som router manufacturers claimed their cheap devices had a firewall by using NAT. Luckily nobody does that today. It may have been sufficient back then in some cases but 15 years ago is a long time in the lifespan of the commonly used internet.

 

[st3v3n]

Welcome EVO, maybe you have your AC88 router behind an firewall appliance or a PC PfSense home-built firewall/router PC (or any other firewall/router solution), but that would be the -only- reason to disabled the firewall in your AC88U..

 

[EVO2point0]

Trentors, thanks for the post and link. I will read it shortly.
I guess, perhaps, it's my OCD. I tend to disable whichever features (and/or services in Windows) that I don't use. Every device has finite computing resources. By disabling or turning off features that I don't think necessary saves resources which *may* result in better performance. However, I also understand that when it comes to "security" I need to look at it from different perspective.

Thanks guys for the input. I've just enabled the firewall on my AC88U. Does the firewall setting page (screenshot below) look good enough ? (DoS protection is default off, it seems. I left it as it is.)

 

[Trentors]

You are welcome.


I understand you completely but resources in a high-end modern router is not so scarce that basic security must be disabled. Not on a computer either.


This also goes for AIProtection. Unless you have a 1gbit connection there is no difference. These advanced features like QoS will actually IMPROVE performance depending on your connection.


My advice is always use default settings unless you are 100% sure (and up to date) what you are doing. As an example, I have heard people enabling automatic defragmentation in Windows 10 since it is disabled when users are using SSDs. They are using the old conventional thinking on a technology that is actually HURT by a defragmentation tool (and it has NO impact on performance).

 

[fax]

(DoS protection is default off, it seems. I left it as it is.)

I was once highly recommended by an ASUS developer to turn ON DoS protection..., I trust the developer knows well the innerworks of the firmware and I have it ON since then. But don't ask me why this was "highly" reccomended.

 

[EVO2point0]

You are welcome.


I understand you completely but resources in a high-end modern router is not so scarce that basic security must be disabled. Not on a computer either.


This also goes for AIProtection. Unless you have a 1gbit connection there is no difference. These advanced features like QoS will actually IMPROVE performance depending on your connection.


My advice is always use default settings unless you are 100% sure (and up to date) what you are doing. As an example, I have heard people enabling automatic defragmentation in Windows 10 since it is disabled when users are using SSDs. They are using the old conventional thinking on a technology that is actually HURT by a defragmentation tool (and it has NO impact on performance).

Understood.
I will also enable to AiProtection and see.

As for the QoS, I have it disabled. FWIW, I'm using a 1Gbps FTTH (WAN) at home, RT-AC88U serving 1 Synology NAS (wired), 4 desktop PCs (wired), 2 laptops (wireless), TV (wired) and several mobile devices such as smartphones and tablets.

 

[sfx2000]

Heck, I’ve always disabled Windows Firewall since it was introduced back in Windows XP SP2. Only recently, Microsoft UWP games requiring Windows 10 firewall made me to turn it back on in Windows.

NAT is a firewall in and of itself, but as @RMerlin points out, NAT doesn't protect the router/gateway - the SPI firewall does (and AsusWRT has a number of scripts to configure things correctly in most cases there).

End-points - these days - it's a very good idea to keep Microsoft and Apple's firewalls up and running - "just in case" and it's good sense with laptops that move around on different networks (e.g. moving from home to office to coffee shop to airport and hotel on travel...)

 

[st3v3n]

As sfx2000 so wisely states, one can never have enough protection. I had 'something' that tickled the internal software firewall the other night, how it got through PfSense, I never found a clue; I spent a couple of hours head-scratching over it, and trying to run it down but still don't know exactly what it was or how it was done, and how it made it through PfSense since the system is isolated. The OS and browser was sand-boxed and nothing is ever downloaded. ( too bad I had to let all of my system analysts go home when their H1B visas expired (and if you believe that last part I also have some fine beachfront property in Nome I'd let go for a low price). Seriously, even with the the Router Nat firewall and DoS it's always a good idea to have a software firewall on your system, but the DoS on the router has never done much on my 3200; the Trend goodies may help some folks, but they seem to drag the AC3200 down too much for my taste when it's pulling duty. I always keep our Airport Extreme's firewall up and humming, so far, so good. Cheers.