bought an ASUS AC-87U Router, do I still need an AV?

Discussion in 'other anti-virus software' started by Mortal Raptor, Dec 25, 2014.

  1. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    Got a reply within minutes via Twitter:

    Nothing he can do......

    "The TrendMicro code is closed source."
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    So the bug isn't within the ASUS code on the firmware, but in the Trend code within the firmware? Hopefully this is something that Trend can easily push out a fix for these ASUS consumers.
     
  3. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    418
    Did you report to ASUS?

    /E
     
  4. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    no I don't know how to contact ASUS

    please guide t3h m3h
     
  5. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    He shouldn't need to access the Trend code. Trend detects a malicious link, and hands it back to the router. Which is how Trend knows if the default Subnet exists, and what it is. UNLESS Trend has hardcoded 192.168.1.1 as the subnet for URL blocking returns? If that's the case I would find it ludicrous as you could easily 'break' the AIProtection by assigning statics, or if you required a different Subnet... :isay:

    So Merlin needs to determine;

    1) Is Trend hardcoded with 192.168.1.1?
    2) If not, then how does the ASUS hand off IP's to Trend, and at that point fix the firmware to send the correct credentials.

    The only way I would see Merlin not able to fix this is if Trend has 192.168.1.1 hardcoded, and that would be... Unimaginable? Please check with Merlin on this, there SHOULD be something in the firmware code where it sends the correct IP allocations/subnets to Trend. If not.. Well..
     
  6. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    I tweeted your post to him. Thanks for the technical explanation!
     
  7. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I was thinking of possible workarounds for this bug using routing, or statics, or virtual IP's. But I cannot think of anything at this time as any change would impact gateway device access. One workaround I was toying with somewhat worked, but resulted in a certificate error each time a web page was blocked. I think it's possible they didn't bother with this because they didn't want to deal with HTTPS root certificate issues?

    Wild, my thought is to move the Untangle to the Gateway, with DHCP ON (into WAN1). Then attach the WAN1 ASUS with DHCP Server OFF into a LAN port on Untangle creating a WAN to LAN cascade. Then the switches, and systems all go through the ASUS on its LAN/Wireless. I don't see why this wouldn't work, and would actually significantly increase my capabilities, while also giving me the comfort of knowing Untangle is on the front end with all of my tweaks on it.

    Thoughts Wild?
     
  8. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    418
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    That setup should work and would be more effective and efficient. But it all comes down to how Trend is doing their filtration on the ASUS, and as you mentioned also regarding whether it's hardcoded or not to certain subnet for filtration. If it works and you still receive proper Trend filtration that would be golden. Keep us all informed if you give that a try.
     
  10. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I might try this tonight, knowing my OCD about this stuff.

    Turn off DHCP on the ASUS, and drop it off the network. Pull Untangle out of bridge mode, connect it to the modem, with the ASUS connected from WAN1 to LAN (untangle) and reboot everything.. I should know in 10 minutes if it works, if not tweak it a bit, and see.. Worst case, toss the bridge mode back on, tuck the ASUS back behind it, and reboot everything. Firewall and NAT turned off on the ASUS obviously, especially to avoid double natting.
     
    Last edited: Jan 13, 2015
  11. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    What do you make of these tweets that I got:

    "The closed source code does a redirection to http://%s/blocking.asp. The IP is obviously retrieved from nvram and not hardcoded"

    "The BWDPI closed source code isn't all written by TM, Asus's own code that uses TM's proprietary bits is also closed source."

    "router/bwdpi $ strings prebuilt/* | grep "blocking.asp" redirect_url=http://%s/blocking.asp"

    "Finally, blocking.asp is obviously served without requiring authentication so the whole LAN can access it without being logged in"
     
  12. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    This is all linux script. %s is calling the %subnet from nvram, the problem is - it's looking for only HTTP, instead %p (protocol) so that's the bug I am pointing out, which apparently can't be fixed because it is closed source. I've moved my full Untangle (with full license) to the gateway, however I found another bug in the ASUS FW that won't allow it to cede DHCP even with the DHCP server disabled so I am unable to place it behind the Untangle in the configuration I am going for here.

    I have moved the ASUS into WAP mode until the bugs in the FW and Closed Source aspects are addressed. I already have a licensed commercial version of Untangle, I might as well use it on the gateway. Untangle is a Layer 7 FW (Application Layer), while the ASUS is a Layer 5 Firewall (Session Layer). I really like to take advantage of that. I peel apart encrypted traffic on my untangle for processing, and since some malware/URLs comes through encrypted sessions these days this is handy to have. I really love the ASUS RT-AC87, no question it's a very powerful high grade consumer product though so I am not knocking it. I do already miss the Trend scanning since moving it off of the gateway - a very powerful aspect indeed.

    Also I want to run my own DNS and Web Caching on a local SSD drive, which I can do with Untangle, this can improve performance/response. My caching has been online for about 8 hours, and has about 32,000 websites cached. Not too bad given it's not too busy around the home during the week. Nevertheless, having the RT-AC87 in AP Mode is quite the waste of one of its best aspects - Trend... <sigh> I will probably Now IF ASUS released a cheaper model with trend, I could put it on the gateway w/Trend active (radios disabled), toss the Untangle in bridge mode, then place the RT-AC87 in AP mode as usual... But so far ASUS doesn't seem to be publishing when they are going to introduce Trend to lower priced modems.

    Bugs so far;

    1) Won't cede DHCP correctly.
    2) Blocking ASP error when encryption or port changes are enabled.
    3) Time bug posted elsewhere.
    4) 5Ghz dropout bug. (apparently addressed in new FW)
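
Added example, not part of the thread and not ASUS or Trend Micro code: a small C model of the block-page redirect discussed in the two posts above. It uses the format string from the quoted `strings` output and shows that the host tracks the configured LAN address while the scheme and port do not. The `webui_cfg` struct, its fields and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical web-UI settings (field names are assumptions, not ASUS nvram keys). */
struct webui_cfg {
    const char *lan_ip;   /* LAN address the admin UI listens on */
    int https_only;       /* 1 = UI reachable over HTTPS only */
    int port;             /* port the UI listens on */
};

/* Format string from the quoted strings output: only the host is substituted. */
int redirect_fixed(char *out, size_t n, const struct webui_cfg *c)
{
    return snprintf(out, n, "http://%s/blocking.asp", c->lan_ip);
}

/* Illustrative variant that also follows the configured scheme and port. */
int redirect_from_cfg(char *out, size_t n, const struct webui_cfg *c)
{
    const char *scheme = c->https_only ? "https" : "http";
    if (c->port == (c->https_only ? 443 : 80))
        return snprintf(out, n, "%s://%s/blocking.asp", scheme, c->lan_ip);
    return snprintf(out, n, "%s://%s:%d/blocking.asp", scheme, c->lan_ip, c->port);
}

/* Returns 1 if the URL's scheme, host and port match where the UI is served. */
int reaches_ui(const char *url, const struct webui_cfg *c)
{
    char scheme[8], host[64];
    int port = 0;
    if (sscanf(url, "%7[a-z]://%63[^:/]:%d", scheme, host, &port) < 2)
        return 0;
    int https = strcmp(scheme, "https") == 0;
    if (port == 0)
        port = https ? 443 : 80;   /* no explicit port: scheme default */
    return https == c->https_only && port == c->port
        && strcmp(host, c->lan_ip) == 0;
}

int main(void)
{
    /* Constructed sample settings: default, custom subnet, HTTPS on 8443 */
    struct webui_cfg cfgs[] = {
        {"192.168.1.1", 0, 80}, {"10.0.5.1", 0, 80}, {"192.168.1.1", 1, 8443} };
    char a[128];
    for (size_t i = 0; i < 3; i++) {
        redirect_fixed(a, sizeof a, &cfgs[i]);
        printf("%-36s %s\n", a, reaches_ui(a, &cfgs[i]) ? "reaches UI" : "misses UI");
    }
    return 0;
}
```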
     
  13. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    ASUS just added Trend to lower priced models via free Firmware Updates! I am thinking of purchasing a second one, and placing it on the Gateway with the radios disabled, and the Untangle behind it in bridge mode with full UTM activated. This is a lot cheaper than a Gbe UTM ($1000+, and $500+ a year), and just as powerful. (if not more)

    ASUS RT-AC68U Firmware version 3.0.0.4.378.3813
    [Important] This version included AiProtection and AdaptiveQoS. After firmware updated, please press the reset button more than five seconds to reset the router to avoid some compatibility issues.

    New features
    1. Added AiProtection with triple-strength total network security, plus robust parental controls and privacy protection
    2. Added Adaptive QoS. Applications and tasks can be prioritized easily using drag-and-drop presets for gaming, media streaming, VoIP, web browsing and file transfers.
     
    Last edited: Jan 14, 2015
  14. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
  15. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
  16. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Shows new FW running on AC87U. Anything else can be searched in a search engine =D
     
  17. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    For those cheaper ASUS models that are now receiving this firmware update, that is certainly something special and a worthwhile firmware update for sure. I'm not sure that I've ever seen such an impressive feature-set added within a simple firmware update. I may consider getting one of those cheaper ASUS models now as well. But I will wait a bit to see if it gets added to any more.

    Mayahana, that is unfortunate about the DHCP bug that you've found. Such a simple thing too which should have worked well for your setup. Hopefully you have got some contacts within Trend that may help escalate some of those bugs that you found as well with their contacts at ASUS, especially since one or two of those bugs might be a shared effort between both teams.
     
  19. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    I believe the next step down from the AC68U is the AC66U. Unfortunately AIProtection hasn't been added to the AC66U yet.
     
  20. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    and it probably won't be. It would likely throttle that too much. I had an AC66U and sold it because it was doubtful it could support AiProtection. We will see if they can shoehorn it in.
     
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    I see that the 68U CPU is dual core at 800mhz while the 66U is single core at 600mhz so you may be right about the 66U not having enough power to support AIProtection without bogging down.
     
  22. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    It would be great to hear from someone using the AC68U about how it's performing with the added AIProtection. In particular I'd like to know what the impact is on throughput / connection speed.
     
  23. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I do not believe AiProtection impacts throughput at all. You can test this on the 87U by enabling and disabling, and testing. I've found no difference. I would expect the same with the 68U to be honest, as it has the needed CPU to do it, while it appears the 66U doesn't even have the CPU needed to access the cloud infrastructure.
     
  24. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    With or without AiProtection, the speeds are the same including webpage loading which is quite surprising how well Trend has pulled this one off :)
     
  25. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220