bought an ASUS AC-87U Router, do I still need an AV?

Hi guys,
Is there a yearly fee for the Trend AIProtection or how does it work?

/E

 

Lifetime free with router purchase.

 

If you use a non-ASUS firmware do you lose the Trend AIProtection?

 

Yes, I was talking about this Victek

 

That brings so much more value to this router for consumers. I am taking serious consideration into making my next router purchase one of these higher end ASUS routers. I would likely place it behind my initial OpenWrt router, yet in front of another OpenWrt. One of them is dealing with Snort for IDS while the other is filtering on the DNS level for advertisements and malware. I would probably want to make use of this ASUS router WiFi capability as well, so it's a tricky placement. I wish dearly that one day some of these more recent ASUS models will support OpenWrt because that way I could do Snort, filtering and all within the one router since it is so powerful. And with the USB slot, the sky is the limits.

 

Ahh! Great!

Thx

/E

 

not with Merlin, in fact, with Merlin, it adds a third category to the AI protection, that is DNS Blocking where you can choose from several DNS servers like Norton Safe or OpenDNS

 

Does that actually make router use that DNS service or it just uses it for fingerprinting in some other way?

 

With Merlin and other firmware makers, is there any concern for safety when it comes to backdoor s into the router etc?

/E

 

How is this DNS setting any different than the default one which allows you to choose DNS servers? Seems like an identical thing...

 

ASUS disables AiProtection if you place the ASUS into Bridge or AP mode, which annoys me. So if you want Trend scanning, ASUS has to be your primary gateway device.

Edit: I was thinking.. What if we left everything on. Turned off DHCP on the gateway, then assigned a static to the ASUS with DHCP on? I'd have to test this, but it's possible we may be able to keep the scanning while putting the ASUS behind another gateway appliance/router. I should probably test this, then we can use it as a second layer+AP behind a gateway.

 

Can I just install this Firmware over the Asus one?
Thanks

 

Backup config. Install Merlin, reboot, then RESET router. Then go in and restore your configuration. THEN reboot again. (not reset, reboot)

 

Thanks a lot Mayahana.

 

I'd actually feel more comfortable with ASUS behind a Layer 7 NGFW, Untangle, ZyXEL, or whatever. But I still want to take advantage of AiProtection. So if you want it as a AP you can simply toss it behind any other gateway, then you lose the AiProtection, and are really just using it as a speedy enterprise class(almost) WAP. Being cheaper than most enterprise WAP's this isn't a bad idea. Second scenario may be to remove DHCP from your gateway, assign a static route to WAN1 on the ASUS, and set the ASUS to do DHCP. I just setup something similar with a CISCO on primary, pointing to a static Fortigate, so they could use the Fortigate scanning with a Cisco primary.

I'd have to rework my entire network to do this with ASUS and Untangle. Not something I care to do on a production system.

A final option.. Run Merlin Firmware, then lock the device down as I instructed earlier using ghetto-vlan. Recapping that here;

 

Two bugs found so far with ASUS on these current FWs;

1) Time Interval Bug - requiring a workaround of changing countries.
2) Admin lockdown bugs relating to HTTPS, and Port Variances.

The second one is RIDICULOUS. Basically if you adjust administration access security, you bork up the push for blocked websites. In otherwords, when a website is blocked, trend polls http version of it's subnet root. (http://192.168.1.1/bad_site.htm) But when you change admin settings to use HTTPS or even a different port you cause a 404 error on the router for every blocked website. So the router TRIES to point to the above bad_site notification, and instead cannot reach it because it's pointing to the above one, and the new admin settings are https://192.168.1.1:9909/bad_site.htm... Error page is generated. (disclaimer - bad website is still blocked, but instead of notification, a 404 is generated)

The elephant in the room here is.. Are bad website notifications REALLY being served via admin credential logins on the local subnet?? I really need to get with some engineers at ASUS, or maybe Merlin can help me address some of this? ASUS is doing really good with this router, but they need to step it up with the firmware. Ideally the bad website push should be on an interface segregation, and independent of any logins to the router. Wonder what's going on there?

 

You can, but it is recommended to do a factory restore and start from scratch if you want to unleash the full potential of the firmware.

With that being said, I simply upgraded from the official non merlin firmware to the latest merlin and had no issues

 

The default one you have to configure manually, the one in Merlin is preconfigured for the most popular DNS servers unless there is such an option that I haven't seen, please tell me

 

I can't comment on that as I don't know the technicality of how it works, but it's there, is hassle free, so I like it

 

That should work as long as you disable DHCP on the gateway, with the ASUS router being the only one in the setup having DHCP enabled. That is essentially how my setup is right now. And as long as they are on the same subnet and all. Might have to disable UPnP as well. There is a very basic description of my setup in Spoiler below. Obviously somewhat of a poor man's setup, but it does an amazing job and for free. I get most of my OpenWrt compatible routers from thrift shops. Soon I would like to simplify by spending good money on a much more powerful router that is compatible with OpenWrt and would have the processing power to do all of what I need without the need for multiple routers. But I believe what you were suggesting about the ASUS router should work as long as DHCP is disabled. Please do let us know how that works out if you do test it out later as I am very curious.

Modem {hardwired} 1)D-Link DIR-615 C1 {hardwired} 2)D-Link DIR-615 C1 {hardwired} 3)D-Link DIR-816L {wireless-ac} to all iPhone and laptop clients

Spoiler: Setup

1)D-Link DIR-615 C1

• OpenWrt flashed, sole purpose of filtering advertisements/malware on DNS level, serving 1x1 pixel transparent image to browsers
  
• DHCP enabled

2)D-Link DIR-615 C1

• OpenWrt flashed, sole purpose for Snort IDS, hardware is working in setup but Snort is not yet filtering
• DHCP disabled

3)D-Link DIR-816L

• Stock D-Link firmware, would be OpenWrt but not yet supported
• Sole purpose is giving Wireless AC access to laptop and iPhone clients after having been filtered first by the first two OpenWrt routers
• DHCP disabled

 

So a useless setting really. Manually in ASUS means clicking a checkbox, and entering IP addresses... LOL

To clarify my issue 2 above. Bad Websites are being served on a subnet root HTTP call to http://192.168.1.1... If you change credentials to access admin on the device, the calls for a bad website are served with an error page. Which tells me ASUS are pretty lousy with firmware, as they forgot to program a procedure call in for the AIProtection to change its default display page on block to whatever the new admin settings are. So this brings up a few questions I have. Why does this bug exist? Does it mean 'nobody' at ASUS is actually testing the 'security' of the device? That is ... Changing admin credentials, ports, and encryption? Or did they assume nobody would bother changing anything from default? Either one is... Troublesome. It may be a storm in a tea cup, as Aiprotection 'assumes' you are on default credentials or it breaks the notification. It STILL protects you, but serves error pages to people rather than notifications.

Can anyone confirm if Merlin's FW fixes this? I am not home to verify.

 

I have PMed you my TeamViewer credentials, you can test on my system bro

 

I have had contact with ASUS support regarding one of their combined modem/routers, one of the issues was that it did not work properly with a couple of CISCO ATA boxes (IP phone related) SIP traffic worked on and off.
I am not lying when I say that I have the longest mail conversation known to man with their support, lasting for almost 2 months before they gave up and told me to buy another router.
They always had great hardware, but their software division seems to have problems.
Did anyone contact their support regarding the issues you all mentioned here?

/E

 

Mayhana just logged in to my system and tested the error, it exists even with the Merlin Firmwar

 

I sent an email to Merlin