RT-AC87U AiProtection

[RMerlin]

This thread is a bit old nut wanted to ask- do you use Trend Micro yourself on your router @RMerlin?

Yes. I use Adaptive QoS (with Apps analysis enabled), as well as Traffic Analyzer, Malicious site blocking and Vulnerability Protection.

 

[DroidST]

Yes. I use Adaptive QoS (with Apps analysis enabled), as well as Traffic Analyzer, Malicious site blocking and Vulnerability Protection.

@RMerlin After researching, I decided to enable these as well last night. As I already use OpenDNS (VIP), I also enabled the router's DNS filtering (I may create a new thread on a question or two on that later).

Looks like you have Infected Device Prevention and Blocking disabled for your personal network.. is that correct and if so, your thoughts on that option?

Thank you in advance!

 

[RMerlin]

@RMerlin After researching, I decided to enable these as well last night. As I already use OpenDNS (VIP), I also enabled the router's DNS filtering (I may create a new thread on a question or two on that later).

One difference between OpenDNS and the Trend Micro WRS (Web Reputation Service) is that WRS analyzes the whole URL, while a DNS-based solution can only detect the server. So for example, if Walmart's website were to become compromised and serve a malware from a specific URL, WRS would only block the affected page, while OpenDNS would block the entire site.

(Walmart was just the first name that came through my mind, what I mean is even large corporations have been occasionally compromised.)

Looks like you have Infected Device Prevention and Blocking disabled for your personal network.. is that correct and if so, your thoughts on that option?

I currently disable it simply because I have no need for it. I'm the only person here, and I trust myself not to have my devices infected, due to the other layers of protections in place.

I have no idea how efficient that feature actually is.

 

[DroidST]

Well, we have 3 houses on our property here and kids and Parents (seniors), not very careful on the links they click on (avast on the pc's here). I've been using OpenDNS to block the categories we see fit and in the router, I placed OpenDNS servers in the config and did Static DNS on the devices that specific adults only use/control. However, the problem with this solution has been that a person/child could simply enter manual DNS entries if they figured that out. Even the 8 year old figure that out.

I just realized with this Asus's AiProtection DNS filtering, I can do a global policy (Global Filter Mode and select OpenDNS Home) for OpenDNS and defeat any manual attempt to bypass this while connected to our network (and appears from my limited testing to intercept the client DNS requests regardless how the client's DNS is configured and force OpenDNS servers. In DNS Filtering Client List, I add the clients for adults and setup as No Filtering.

I still even have the OpenDNS servers in the 68u's WAN DNS settings (I know I can change those to my non OpenDNS servers and change in the DNS filtering Client Lists to Router from No Filtering but want to test more to make sure the global policy can't be defeated).

I currently disable it simply because I have no need for it. I'm the only person here, and I trust myself not to have my devices infected, due to the other layers of protections in place.

I have no idea how efficient that feature actually is.

I'm going to enable Infected Device Prevention and Blocking and see how it works.

 

[DroidST]

btw, you probably don't remember but I posted about a WDS Update since my 68u after updating to your current appeared to say that WPA2-AES would work with WDS. I am coming from years of using DD-WRT in a 4 dual radio / dual band router WDS setup (using various Linksys / Cisco models over the years). I would back haul using WDS on 5GHz and have clients on 2.4GHz.

With the Asus 68u as primary, I have started to do something that should have been done long ago... running cable including direct burial and setting up 3 (I will test coverage after 2, may just get 2 more Asus models) AP's on our property (vs WDS). Of course, this increases wireless performance greatly. One run done, more work to do! Fun time in crawl spaces!

Loving the 68u and your work!

 

[Wutikorn]

Well, we have 3 houses on our property here and kids and Parents (seniors), not very careful on the links they click on (avast on the pc's here). I've been using OpenDNS to block the categories we see fit and in the router, I placed OpenDNS servers in the config and did Static DNS on the devices that specific adults only use/control. However, the problem with this solution has been that a person/child could simply enter manual DNS entries if they figured that out. Even the 8 year old figure that out.

I just realized with this Asus's AiProtection DNS filtering, I can do a global policy (Global Filter Mode and select OpenDNS Home) for OpenDNS and defeat any manual attempt to bypass this while connected to our network (and appears from my limited testing to intercept the client DNS requests regardless how the client's DNS is configured and force OpenDNS servers. In DNS Filtering Client List, I add the clients for adults and setup as No Filtering.

I still even have the OpenDNS servers in the 68u's WAN DNS settings (I know I can change those to my non OpenDNS servers and change in the DNS filtering Client Lists to Router from No Filtering but want to test more to make sure the global policy can't be defeated)..

So how did you set Asus's AiProtection DNS filtering as global policy that defeat attempt to bypass? Do you mean parental control? Someone else on the network are using the network to do torrent. It does not really matter in Thailand, but I still don't like them to do that. I can only now set parental control to block Peer to Peer, but I have to do this manually after I see that someone do torrent in Traffic Monitor.

Edit: I really want to have either AiProtection(Parental Control) for whole Guest network or have Parental Control that make exception instead(like blocking all Peer to Peer except the PC I allow).

 

[DroidST]

In AiProtection, under DNS filtering, there is this option: Global Filter Mode.

Since I use OpenDNS Home VIP, I selected OpenDNS Home for that option.

In WAN, WAN DNS Setting Option, I selected "No" for Connect to DNS server automatically and entered OpenDNS's DNS servers in those two DNS Server field. I actually had this set before even trying AiProtection as this is the method I used previously with my DD-WRT setup. This required anyone connecting to our network and using DHCP to use OpenDNS servers and the restrictions I have there. HOWEVER, anyone could just manually enter DNS servers in their client to get around this. I did this for my clients and other adults at the Estate.

When I tested with my existing Clients (with manually entered DNS servers on that Client), I was still forced to use those OpenDNS servers (as configured under AiProtection). Only after I added my Client(s) to AiProtection DNS-based filtering Client List, each with the option "No Filtering" was I able to use the manually entered DNS servers on those Clients.

Unless I am missing something here, I assume this is how it is supposed to work.. to force Clients to use those DNS servers setup in AiProtection DNS-Filtering.

I also understand that I can enter my non OpenDNS servers under WAN, WAN DNS Setting Option and when I add Clients to the DNS filtering Client List, I'd select Router vs No Filtering - I wouldn't have to manually enter the non OpenDNS servers on those Clients. I have not done this at this point, things appear to be working right now as I want but I will do more testing.

 

[DroidST]

Edit: I really want to have either AiProtection(Parental Control) for whole Guest network or have Parental Control that make exception instead(like blocking all Peer to Peer except the PC I allow).

I haven't enabled any option under Parental Controls tab. I just took a look at it and there are 4 options to control there.. one being P2P and File Transfer. It's not clear to me how these options work yet. I don't see a Custom option either.

You select a Client and which unwanted category. Not sure this would work for your needs.

Enter all the Clients except your PC and test. Not a Global Policy though - Actually, they should mimic the way it's done in DNS Filtering, you select unwanted categories which become global, then enter Clients with various options (No Filtering, only block option 1, only block option 2 etc, custom).

EDIT: You may be able to use OpenDNS to help with what you want to do (for some) - it appears other are, but I think you need the VIP option.. perhaps there is a trial for OpenDNS Home VIP available. You would add your PC Client with No Filtering.

 

[Wutikorn]

In AiProtection, under DNS filtering, there is this option: Global Filter Mode.

Since I use OpenDNS Home VIP, I selected OpenDNS Home for that option.

Do you know if that is part of differences between Asuswrt-Merlin and stock firmware or not. Because all I see in AiProtection is Network Protection and Parental Control. Have you ever used Parental control in AiProtection, is there global setting for that in Asuswrt-Merlin?

 

[DroidST]

I purchased this 68u from Walmart last year when I saw one on the shelf (closeout?) and showed a priced of $105. I jumped. I already had been researching Asus routers and knew the 68u was a good one. No brainer for me at that price.

I also knew I would be using Merlin's fork.

Once home, I immediately updated to Merlin's current version back then.. did some testing but life took me elsewhere..

This month, updated to 380.59 (just released) and replaced my Primary Router and changed my network config (one new cable run to spare 610n DD-WRT AP, 1 spare 610n DD-WRT Repeater Bridge, 1 spare 610n DD-WRT Client Bridge . Still have my old DD-WRT 4 Router WDS Setup if needed, ready to go. It hasn't been needed!!!!!

Never used/tested shipping f/w or Asus's current stock f/w. I updated to Merlin's immediately.

I have never enabled/used (or hit "Apply") Parental Controls (under AiProtection, Parental Controls tab). I purchased, updated to Merlin's current in 2015 that month, then just now to current.

Which model do you have?

 

[Wutikorn]

I have Asus RT-AC68U C1, I'm not sure where I can set my account to show my current router like you. But I will not be home for a month so I did not want to install Asuswrt-Merlin at the beginning. I wish there is Global Parental Control with exception rules. I prefer not to use OpenDNS as the servers are far from my location. So for now, I will just manually block P2P connection when I see someone using it. I hope

 

[DroidST]

I have Asus RT-AC68U C1, I'm not sure where I can set my account to show my current router like you.

http://www.snbforums.com/account/signature

You have the current 68u H/W Version (I'm A1), with higher CPU Frequency and other..

Above posts are as of: Asus RT‑AC68U (H/W Ver A1) - Asuswrt-Merlin 380.59 (since I will update my sig as I update Asuswrt-Merlin versions / Asus Hardware)

 

[Wutikorn]

http://www.snbforums.com/account/signature

You have the current H/W Version (I'm A1), with higher CPU Frequency and other..

Yeah, I realized that after I bought it. I was lucky that the place I bought it from just put the new stock in. And thank you for info about signature.

 

[RMerlin]

Do you know if that is part of differences between Asuswrt-Merlin and stock firmware or not. Because all I see in AiProtection is Network Protection and Parental Control. Have you ever used Parental control in AiProtection, is there global setting for that in Asuswrt-Merlin?

Yes, DNSFilter is a feature that was developed by me, and is only available in my firmware.

Sent from my Nexus 9 using Tapatalk

 

[DroidST]

Yes, DNSFilter is a feature that was developed by me, and is only available in my firmware.

Sent from my Nexus 9 using Tapatalk

I didn't know that!

However, Long ago, I knew to go to third party f/w... after several months of research, Asus was my choice (moving forward) and it was clear to me, RMerlin's fork would be my choice!

 

[Ge Th]

The thing is that is is a safety and security issues with your router and computer
Here I will send some links that you can read more about this
AiProtection: What It Is and How It Works - Routeria
The Asus RT-AC68U router - it's fast but it also secure?
Trend Micro and ASUS Team Up Again to Protect Home Users against IoT Security Threats | Trend Micro Newsroom
https://www.trendmicro.de/cloud-con...hite-papers/wp-securing-your-home-routers.pdf

 

[amigoccs]

Review: ASUSWRT router firmware also talk abut Ai Protection and catch my eyes:

"...There is, however, a catch in using these services. ASUSWRT will collect and transmit data about which websites you visit to Trend Micro, if you use any of the following features in ASUSWRT..."

And EULA:

"...Forwarded Data may include information on potential security risks as well as URLs of websites visited that the Software deem potentially fraudulent and/or executable files or content that are identified as potential malware. Forwarded Data may also include email messages identified as spam or malware that contains personally identifiable information or other sensitive data stored in files on Your router'..."

I am a little bit worry what has been capture by Asus and send to Trend Micro. It seems not just URL only.

Have a nice day!

 

[RMerlin]

Review: ASUSWRT router firmware also talk abut Ai Protection and catch my eyes:

"...There is, however, a catch in using these services. ASUSWRT will collect and transmit data about which websites you visit to Trend Micro, if you use any of the following features in ASUSWRT..."

And EULA:

"...Forwarded Data may include information on potential security risks as well as URLs of websites visited that the Software deem potentially fraudulent and/or executable files or content that are identified as potential malware. Forwarded Data may also include email messages identified as spam or malware that contains personally identifiable information or other sensitive data stored in files on Your router'..."

I am a little bit worry what has been capture by Asus and send to Trend Micro. It seems not just URL only.

Have a nice day!

Key word that everyone is overlooking in the EULA is "may". Take a look at other EULAs sometime, they always are quite inclusive as to what they might do, without implying it's what they are actively doing. It's a blanket way of covering their legal asses if by accident they captured more than they intended.

People will have to do some traffic analyzing to determine what is actively sent. From a technical point of view, my guess is they only send either the URL or a hash of it when you use the malicious website protection feature.

 

[csalsa]

In the Asuswrt-Merlin firmware, how does the DNS Filter (part of section AiProtection) work with VPN OpenVPN client?
DNS addresses can be set on the client side using 'dhcp-option DNS' or pushed from the OpenVPN Server during the handshake. Does the DNS Filter override VPN client configuration?

So far, I have not found a way to test for DNS leaking with using VPN Client that has DNS set. I have seen in the System log entries for:

dnsmasq[751]: using nameserver xxx.xxx.xxx.xxx#53​

which implies the VPN connection is configured correctly.
At this time, I have not enabled DNS Filter but successfully running the OpenVPN VPN client on firmware version: 382.2_beta3

 

[Dave in NM]

Does AIProtection slow down throughput? Would a solution like CUJO be better?