[Official Release] AiMesh Firmware v3.0.0.4.384.20308 for All Supported Products

[Quad80]

I totally understood dabears's requirement, please refer my response as I said. When you changed WPS setting, it's only applying in Router, it's not applying to Node.

I just try to let you know something about the current design.

我從使用 Tapatalk 的 ASUS_Z012DA 發送

And I'm trying to understand if this is being fixed. You've not been clear on this and seem to think that the WPS on the node only means that it is capable of using WPS, which is very much not the case. What we're seeing is that WPS is active on the node, which makes no sense if it is off on the router.

Are you saying that WPS must remain active on the 2.4GHz band on any and all nodes in an AiMesh setup? Is this by purposeful design (i.e., not going to be fixed)?

I know how it currently behaves. I'm more interested in knowing if this behavior will ever be fixed. If not, then AiMesh has a serious security flaw in it that isn't going to be apparent to many users who will likely otherwise (and incorrectly) assume the router settings for WPS on the router will fully propagate to the node.

 

[RandomName23]

I want a guest network on my node to isolate known IoT clients from my intranet. At this point, I don't care if they can see each other on that guest network. Is it possible to configure the AiMesh router to achieve this isolation for these specific IoT clients in the absence of a working guest network?

OE

Currently you can only have guest network on main router. ASUS is working on the node aspect.

 

[bbunge]

Im trying again, I have 3x ac86u, one as main router and two that I use as nodes (one in the hallway and one in the bedroom, I have an Escam K108 Mini NVR s that I use for 5hd hikvision camera ,and when i insert the network cable from nvr to the asus node i always lose the connection from the node to nvr i can see that the network lamp stops lithing for a few seconds then it works again, very unstable connection and yes i have tried several network cables, and I have also tried the same node that I use in the hallway still bad unstable, the node I use in the bedroom, I also use on my computers and it works well stable but not stable to my nvr,but if i connect my nvr to my ac86u main router,then it works good. The node in the bedroom works well to my computers using cables to my computers,but not to my nvr as i use for my surveillance camera,im using all my nodes wireless.nodes working great but not on my nvr using cable,but cable to my main router its working,tried for 2days now im giving up,need som help,using cable to my node from nvr losing conections,the light also go away some secunds on the node also.I got a new nvr box foscam yesterday 21/2-2018, nvr i still have the same problem?now im using cable in the citchen cable to the node new cable to the node from the foscan nvr sgot the same problem please whats wrong,why is this problem,never had this problem on my orby rbk53.dont want to go back to orbi

Looks like that K108 does not get very high marks in reviews I've seen. Therefore, your problem may not be with the mesh but with the K108. I've not been able to find much as far as instructions for it. You may want to factory reset the NVR and try again or move it to the router LAN ports. Better yet use Zoneminder on an old PC to record your cameras.

 

[RandomName23]

And I'm trying to understand if this is being fixed. You've not been clear on this and seem to think that the WPS on the node only means that it is capable of using WPS, which is very much not the case. What we're seeing is that WPS is active on the node, which makes no sense if it is off on the router.

Are you saying that WPS must remain active on the 2.4GHz band on any and all nodes in an AiMesh setup? Is this by purposeful design (i.e., not going to be fixed)?

I know how it currently behaves. I'm more interested in knowing if this behavior will ever be fixed. If not, then AiMesh has a serious security flaw in it that isn't going to be apparent to many users who will likely otherwise (and incorrectly) assume the router settings for WPS on the router will fully propagate to the node.

First, I had mentioned previously I had thought there should be a nvram setting for each radio band in your router but I don't believe that is the case, it looks like you can only enable WPS on a single radio at a time. At least in the UI once I enable it I can't change the radio band until I disable it. This would explain why WPS is only on the 2.4 band on the mesh nodes I suppose.

Second, what you believe seems to be incorrect. @arthurlien has mentioned that just because a SSID advertises WPS doesn't mean that it is activated and he is correct. There are two ways to connect a client to WPS. First, you press the WPS button on the router itself or in the UI you start the WPS button there. Second, if your client supports it you can get a pin number from the client which then has to be input into the WPS section on the router UI. Either approach requires you to physically activate WPS for the client to connect. I just tested this for you and I could not connect even though the node was advertising WPS because the WPS connection process was not started by anyone.

So, again...Unless you physically press the WPS button to start a WPS discovery process nobody can connect via WPS even though your SSID indicates that it supports it. Also, instructions have been provided on how to turn it off via NVRAM if you feel that insecure about it.

 

[Quad80]

First, I had mentioned previously I had thought there should be a nvram setting for each radio band in your router but I don't believe that is the case, it looks like you can only enable WPS on a single radio at a time. At least in the UI once I enable it I can't change the radio band until I disable it. This would explain why WPS is only on the 2.4 band on the mesh nodes I suppose.

Second, what you believe seems to be incorrect. @arthurlien has mentioned that just because a SSID advertises WPS doesn't mean that it is activated and he is correct. There are two ways to connect a client to WPS. First, you press the WPS button on the router itself or in the UI you start the WPS button there. Second, if your client supports it you can get a pin number from the client which then has to be input into the WPS section on the router UI. Either approach requires you to physically activate WPS for the client to connect. I just tested this for you and I could not connect even though the node was advertising WPS because the WPS connection process was not started by anyone.

So, again...Unless you physically press the WPS button to start a WPS discovery process nobody can connect via WPS even though your SSID indicates that it supports it. Also, instructions have been provided on how to turn it off via NVRAM if you feel that insecure about it.

First, thank you for testing and for all your info. I was just looking into telnet options, because I was getting a bit frustrated at the process. You may have just saved me some time here.

Second, then what is @dabears seeing? It is entirely possible I am misunderstanding what he is saying, but I thought that he was saying he was able to connect to WPS, despite it being off at the router.

Third, will all WPS-capable routers advertise their WPS capabilities? Because, in the past, I have had other routers and they never showed WPS as being advertised, despite having the capability. Similarly, if it is simply a matter of "I can do this," not necessarily "I will allow you to do this" ("this" being WPS in our case), why does it not advertise on the router? Even if it can only advertise for one band at a time, why does my router not show WPS for the 2.4 GHz band to match the node? That seems weirdly inconsistent to me. I'd think they'd either both be on or both be off, since all settings at the router are supposed to propagate to the node, I thought.

Fourth, why, if it has to be enabled purposefully by a button press at the router (either physical or virtual) do security experts tell you to disable WPS entirely? If it was solely a physical access security risk, then obviously it's a lot less of an issue. However, just some basic poking around shows that people can scan networks, find those with WPS enabled, and (at the very least) brute force their way in using various tools to guess at/discover a working PIN to connect (e.g., https://null-byte.wonderhowto.com/h...king-wps-pin-get-password-with-bully-0158819/). Nowhere does it say you need physical access to the router. Heck, once you have physical access, why would you need to bother to crack it?

Lastly, you mention I can turn off the WPS via NVRAM if I'm feeling insecure about it, but didn't you just say (and correct me if I'm wrong), that it can only be toggled one radio at a time? So which command would I need to use to turn it off at the node? Is it wps_enable, or wps_enable_x? I'm getting a bit confused with this.

Please don't take my inquisition here as a personal attack. I'm just trying to understand what is going on and to reconcile your information here with what I'm reading elsewhere and what others are reporting on these forums. Thanks!

 

[RandomName23]

First, thank you for testing and for all your info. I was just looking into telnet options, because I was getting a bit frustrated at the process. You may have just saved me some time here.

Second, then what is @dabears seeing? It is entirely possible I am misunderstanding what he is saying, but I thought that he was saying he was able to connect to WPS, despite it being off at the router.

Third, will all WPS-capable routers advertise their WPS capabilities? Because, in the past, I have had other routers and they never showed WPS as being advertised, despite having the capability. Similarly, if it is simply a matter of "I can do this," not necessarily "I will allow you to do this" ("this" being WPS in our case), why does it not advertise on the router? Even if it can only advertise for one band at a time, why does my router not show WPS for the 2.4 GHz band to match the node? That seems weirdly inconsistent to me. I'd think they'd either both be on or both be off, since all settings at the router are supposed to propagate to the node, I thought.

Fourth, why, if it has to be enabled purposefully by a button press at the router (either physical or virtual) do security experts tell you to disable WPS entirely? If it was solely a physical access security risk, then obviously it's a lot less of an issue. However, just some basic poking around shows that people can scan networks, find those with WPS enabled, and (at the very least) brute force their way in using various tools to guess at/discover a working PIN to connect (e.g., https://null-byte.wonderhowto.com/h...king-wps-pin-get-password-with-bully-0158819/). Nowhere does it say you need physical access to the router. Heck, once you have physical access, why would you need to bother to crack it?

Lastly, you mention I can turn off the WPS via NVRAM if I'm feeling insecure about it, but didn't you just say (and correct me if I'm wrong), that it can only be toggled one radio at a time? So which command would I need to use to turn it off at the node? Is it wps_enable, or wps_enable_x? I'm getting a bit confused with this.

Please don't take my inquisition here as a personal attack. I'm just trying to understand what is going on and to reconcile your information here with what I'm reading elsewhere and what others are reporting on these forums. Thanks!

Not all settings from the router propagate to the nodes. WPS is one of them, but you can change the settings via NVRAM. I would think all routers act the same way in regards to WPS advertisement. Just be glad you didn’t have one of the Linksys or Cisco models that had a UI option to turn it off but never actually turned it off.

WPS used to be in discovery mode full time that is where the security risk comes in because you could brute force the pin. Most routers don’t support that method because it is insecure. This is why you have to physically enable WPS discovery and it usually will auto shutoff after 2 minutes or so if nothing connects to it.

For the nvram set both wps_enable and wps_enable_x to 0

 

[OzarkEdge]

Please don't take my inquisition here as a personal attack. I'm just trying to understand what is going on and to reconcile your information here with what I'm reading elsewhere and what others are reporting on these forums. Thanks!

Here is what is going on...

I enabled WPS for 2.4 GHz on my AiMesh router, placed my Android mobile within range of my AiMesh node, pressed the Android WPS soft button, pressed the node's WPS button until the power LED began to flash (about 2-3 seconds), and then the Android mobile connected to my secured 2.4 GHz WLAN. This is how it should work.

I then disabled WPS for 2.4 GHz on my AiMesh router... etc. ...and was still able to connect using the WPS button method. This is not how it should be, but it is the current AiMesh implementation.

AiMesh is still under development. If you want more control granularity than is currently implemented... you'll have to wait and hope for it.

OE

 

[Quad80]

WPS used to be in discovery mode full time that is where the security risk comes in because you could brute force the pin. Most routers don’t support that method because it is insecure. This is why you have to physically enable WPS discovery and it usually will auto shutoff after 2 minutes or so if nothing connects to it.

Knowing this could have saved a ton of time and typing

To be fair, I've clearly stated I have no idea what I'm talking about and am trying to learn. I just learned something else! Apparently I was going off old info. If WPS has been changed over the years to prevent the original insecurities, then we're all good here. I guess I'm not sure what @dabears is talking about, and it would be great for him to clarify if/when he ever returns.

 

[Quad80]

Here is what is going on...

I enabled WPS for 2.4 GHz on my AiMesh router, placed my Android mobile within range of my AiMesh node, pressed the Android WPS soft button, pressed the node's WPS button until the power LED began to flash (about 2-3 seconds), and then the Android mobile connected to my secured 2.4 GHz WLAN. This is how it should work.

I then disabled WPS for 2.4 GHz on my AiMesh router... etc. ...and was still able to connect using the WPS button method. This is not how it should be, but it is the current AiMesh implementation.

AiMesh is still under development. If you want more control granularity than is currently implemented... you'll have to wait and hope for it.

OE

But, to be perfectly clear, you needed to push the WPS button. This seems to be the key I was missing. Whereas @RandomName23 has just informed me that WPS used to be always on and always in discovery mode, later/current implementations (and those on Asus) require the button to be pressed and it will only remain open for a short window, then close entirely, thus blocking the original insecurities of WPS. If that is incorrect, please continue to school me, as I do not want to spread any kind of FUD.

 

[RandomName23]

Here is what is going on...

I enabled WPS for 2.4 GHz on my AiMesh router, placed my Android mobile within range of my AiMesh node, pressed the Android WPS soft button, pressed the node's WPS button until the power LED began to flash (about 2-3 seconds), and then the Android mobile connected to my secured 2.4 GHz WLAN. This is how it should work.

I then disabled WPS for 2.4 GHz on my AiMesh router... etc. ...and was still able to connect using the WPS button method. This is not how it should be, but it is the current AiMesh implementation.

AiMesh is still under development. If you want more control granularity than is currently implemented... you'll have to wait and hope for it.

OE

And while not ideal if you turn off WPS on the node using the NVRAM commands you shouldn’t be able to connect even if you push the WPS button

 

[OzarkEdge]

But, to be perfectly clear, you needed to push the WPS button. This seems to be the key I was missing. Whereas @RandomName23 has just informed me that WPS used to be always on and always in discovery mode, later/current implementations (and those on Asus) require the button to be pressed and it will only remain open for a short window, then close entirely, thus blocking the original insecurities of WPS. If that is incorrect, please continue to school me, as I do not want to spread any kind of FUD.

I've never used WPS until now. I've always disabled WPS... push button access to my network is a non-starter. The WPS button method has been on routers for a l-o-n-g time. It is explained in the ASUS router firmware where you enable it. Read up and then forget about... nobody uses it... until now (required by AiMesh to add nodes). I trust ASUS to resolve this issue on their terms to my satisfaction... this is not their first rodeo.

OE

 

[OzarkEdge]

And while not ideal if you turn off WPS on the node using the NVRAM commands you shouldn’t be able to connect even if you push the WPS button

Right. It's a don't care. The node is locked up with the whole network. If they can push its buttons, they can jump on the LAN with an Ethernet cable.

OE

 

[RandomName23]

I've never used WPS until now. I've always disabled WPS... push button access to my network is a non-starter. The WPS button method has been on routers for a l-o-n-g time. It is explained in the ASUS router firmware where you enable it. Read up and then forget about... nobody uses it... until now (required by AiMesh to add nodes). I trust ASUS to resolve this issue on their terms to my satisfaction... this is not their first rodeo.

OE

My guess is ASUS may not fix this as it could be required for Aimesh to function correctly. Think about how a password change will work. It either has to change it on the node then hope it works on the router or it has to use WPS to reconnect the node...hard to do if it is off. Maybe there are other ways.

 

[Quad80]

I've never used WPS until now. I've always disabled WPS... push button access to my network is a non-starter. The WPS button method has been on routers for a l-o-n-g time. It is explained in the ASUS router firmware where you enable it. Read up and then forget about... nobody uses it... until now (required by AiMesh to add nodes). I trust ASUS to resolve this issue on their terms to my satisfaction... this is not their first rodeo.

OE

I've never used it either. The notes in the UI don't really answer all my questions, unfortunately. The issue here is that my limited knowledge is such that it makes it hard to understand the exact issue and whether or not Asus is addressing it. The wiki entry for WPS does not necessarily say the push button method resolves the known security issues, first discovered in 2011. What it does say, is "Vendors could also patch the vulnerability by adding a lock-down period if the Wi-Fi access point detects a brute-force attack in progress, which disables the PIN method for long enough to make the attack impractical." Impractical, but not impossible. I suppose impractical is largely sufficient for someone such as myself, but how Asus routers may or may not protect themselves from these attacks still isn't clear.

From what I'm hearing here, it would seem that a physical/virtual initiation/opening of WPS discovery mode by button press would keep WPS secure until such a time as said button is pressed, and then it would only open until a connection is made or for a window of up to ~2 minutes, then it closes off. In the non-discovery mode, it should not be possible to connect anything via WPS. However, this does not seem to be explicitly stated anywhere that I can find (certainly not in the wiki).

I would assume that Asus would have this under control, but as is clearly indicated in the wiki for WPS, there are/were OEMs that had toggles to switch on/off WPS that didn't actually work, so it's not like manufacturers always get things right.

I feel I must stress I'm not trying to be argumentative. I'm simply trying to understand what may or may not be happening here, at least for my knowledge if nothing else. I'm not personally overly concerned someone is going to try to hack my WiFi, but, likewise, if there is a security issue here, it should be squashed quickly. I'm starting to feel like this is under control, but still a few nagging questions here.

 

[Quad80]

My guess is ASUS may not fix this as it could be required for Aimesh to function correctly. Think about how a password change will work. It either has to change it on the node then hope it works on the router or it has to use WPS to reconnect the node...hard to do if it is off. Maybe there are other ways.

Yes, this would make sense. But, if that were indeed the case, couldn't @arthurlien have just said it's a requirement for Aimesh to function? So as far as I know, he has not confirmed this. In fact, it would seem others on this forum have had it disabled in nvram and have seen no ill effects, so the fact that it's always on is still odd, at least without some kind of official confirmation that it's necessary by design.

And further, if it *is* necessary by design, how often does it open itself up? If the real risk of WPS penetration is when it's in active discovery mode, how often does the system need to open it so the node can be rediscovered? Does it only do it when a change is made in the settings (e.g., password), and then close it up once that connection is made? Or does it cycle into discovery mode on some kind of interval?

I could be totally talking out of my arse here, but again, just trying to figure out how this is supposed to work. I'm clearly in over my head, but I'm trying to learn, honest!

 

[OzarkEdge]

My guess is ASUS may not fix this as it could be required for Aimesh to function correctly. Think about how a password change will work. It either has to change it on the node then hope it works on the router or it has to use WPS to reconnect the node...hard to do if it is off. Maybe there are other ways.

We can only guess. As I see it, it's a niggling detail that is not on their critical path to market... their marketing horse is leading their development cart. Why... maybe because every wave of home networking consumption coming in has more and more plug and play options to choose from like push button powerline extenders w/WiFi, and cuddly little hockey puck mesh systems you could buy shrink-wrapped in the checkout lane. It's innovate and market and vice-versa or else lose market share. I'm impressed.

OE

 

[Neil62]

Hrre is my bucket list for AiMesh:

Guest accounts working on nodes
Mac filtering by nodes
Being able to schedule reboots of nodes
Client list on nodes to include band connected to
Fix the client listing, never works

 

[Quad80]

We can only guess. As I see it, it's a niggling detail that is not on their critical path to market... their marketing horse is leading their development cart. Why... maybe because every wave of home networking consumption coming in has more and more plug and play options to choose from like push button powerline extenders w/WiFi, and cuddly little hockey puck mesh systems you could buy shrink-wrapped in the checkout lane. It's innovate and market and vice-versa or else lose market share. I'm impressed.

OE

I think that's what gives me the most "fear" here. That Asus may be taking some short cuts in the name of simplicity and creating a "mesh" network of their own in a consumer market consumed by this current buzz word. Hell, that's all WPS ever was. It was a shortcut to make it easier for people to attach things to their wifi. But, as we all know, these shortcuts often lead to things being insecure, as is clearly the case with WPS. I can only hope that Asus is not going down this path and has an eye on security. I think there are still some outstanding issues @arthurlien should clarify on this matter, but maybe I'm just being dense.

Hrre is my bucket list for AiMesh: Fix the client listing, never works

Sweet mercy, yes. I think it has gotten better, but it still refreshes all the time, shows known disconnected clients for prolonged periods, has started showing nodes as clients out of nowhere, etc. It's a pretty basic feature that has been problematic since I've been using my RT-AC3100 for a little over a year now.

 

[OzarkEdge]

I've never used it either. The notes in the UI don't really answer all my questions, unfortunately. The issue here is that my limited knowledge is such that it makes it hard to understand the exact issue and whether or not Asus is addressing it. The wiki entry for WPS does not necessarily say the push button method resolves the known security issues, first discovered in 2011. What it does say, is "Vendors could also patch the vulnerability by adding a lock-down period if the Wi-Fi access point detects a brute-force attack in progress, which disables the PIN method for long enough to make the attack impractical." Impractical, but not impossible. I suppose impractical is largely sufficient for someone such as myself, but how Asus routers may or may not protect themselves from these attacks still isn't clear.

From what I'm hearing here, it would seem that a physical/virtual initiation/opening of WPS discovery mode by button press would keep WPS secure until such a time as said button is pressed, and then it would only open until a connection is made or for a window of up to ~2 minutes, then it closes off. In the non-discovery mode, it should not be possible to connect anything via WPS. However, this does not seem to be explicitly stated anywhere that I can find (certainly not in the wiki).

I would assume that Asus would have this under control, but as is clearly indicated in the wiki for WPS, there are/were OEMs that had toggles to switch on/off WPS that didn't actually work, so it's not like manufacturers always get things right.

I feel I must stress I'm not trying to be argumentative. I'm simply trying to understand what may or may not be happening here, at least for my knowledge if nothing else. I'm not personally overly concerned someone is going to try to hack my WiFi, but, likewise, if there is a security issue here, it should be squashed quickly. I'm starting to feel like this is under control, but still a few nagging questions here.

But, your mission is beyond the scope of this thread.

OE

 

[Quad80]

But, your mission is beyond the scope of this thread.

OE

Is it, though? Because it's a matter of possible security within the firmware. It sounds like we may have established that the WPS is not vulnerable to a brute force attack, even if advertised on the nodes, but it's still unclear how it functions and thus what security issues may remain within the Aimesh system. If it is opening itself to discovery in a regular pattern to stay synced, that's a security issue. We know WPS is necessary to establish the original connection, we know if you turn it off on the router that it still functions as a mesh system, but we don't know if it ever opens itself up or when, to either stay connected or sync up any changes (e.g., password or SSID change).

Am I being overly paranoid? Has this been resolved to the satisfaction of everyone else here? If so, I'll shut up and focus on other things like maybe we should get the client list fixed once and for all. If not, then I would consider it an important matter to be resolved in an official capacity.

I promise I'm not trying to be a pedantic butt. It's possible I'm still one, but it's not on purpose