Saturday, October 27, 2018

Configuring AiProtection in Asuswrt-Merlin and Asuswrt

One of the selling points of Asus wireless routers is their AiProtection feature, which provides real-time network monitoring and protection using the Trend Micro Deep Packet Inspection engine. This is a kind of enterprise-level security made available in Asus home routers.

AiProtection is signature based. You can update its signatures in Administration > Firmware Upgrade > Signature Version > Check. This is no rival to today's enterprise-level security that uses machine learning and/or deep learning technology, but it is much better than none.

Router Security Assessment checks your router settings against security best practices. If you have enabled something that has the potential to weaken your security protection, it will warn you by flagging that setting as a risk, and it will provide a direct link to disable that particular setting.

However, if you are clear on your requirement to enable certain settings, such as port forwarding, you can just ignore the warning.


To get the best from AiProtection, you should enable all the features of Malicious Sites Blocking, Two-Way IPS and Infected Device Prevention and Blocking.

Malicious Sites Blocking will prevent any computer in your local network from accessing known malicious websites that can harm your computer, such as by infecting it with trojans, viruses, malware, ransomware, etc. Your computers should have antivirus and Internet security software installed that performs this job. However, you may be surprised to find that some sites not detected by your computer's Internet security software are still blocked by your Asus router. Enabling Malicious Sites Blocking provides double-layer protection from malicious websites on top of your computer's Internet security software. If you have a firewall with a similar function behind your router, then you will have triple-layer protection.

Two-Way IPS will detect and block exploitation of a known network vulnerability, either from the Internet into your local network, or from compromised computers or IoT devices in your network trying to attack other computers or IoT devices on the Internet. This will, to a certain extent, help protect unpatched vulnerabilities in your computers or IoT devices from being exploited.

Infected Device Prevention and Blocking will try to block the communication between compromised computers or IoT devices in your network and the hacker's command and control server. In this way, the hacker will not be able to easily take remote control of your compromised computers or IoT devices.

If you click on the Alert Preference button and set your email (Gmail / AOL / QQ / 163) there, you will receive email alerts from your router whenever an AiProtection alert is triggered.


The firmware also provides reports for these AiProtection features in their respective tabs, so that you can see what threats have been intercepted and which hosts are affected.

Parental Controls consist of Web & Apps Filters and Time Scheduling.

Parental Controls are host based and block traffic based on the source MAC address of the host accessing the Internet. They are automatically enabled if you set one or more family members in the Asus Router mobile app as below 18 years old and assign one or more hosts to them. The mobile app will block them from accessing Adult websites.

Besides adult websites, Web & Apps Filters can also block a host from accessing Instant Message and Communication, P2P and File Transfer, and Streaming and Entertainment on the Internet.

Note that you can expand each of the 4 categories for finer blocking settings. For example, the Adult category consists of the Pornography, Illegal and Violence, and Gambling sub-categories.

Enabling Web & Apps Filters will consume some of your router's CPU and memory, and will make web browsing slightly slower.

If you are using Asuswrt-Merlin firmware, there is an alternative called DNS Filter that does the filtering at the DNS server.

The Time Scheduling function allows you to set, for each day of the week, the time blocks during which a particular host is allowed to access the Internet. Internet access will be blocked for that host outside the allowed timeframe. You can set multiple blocks within a day.

This is only useful if the host is dedicated to a person or persons who need to follow your time schedule. If it is a shared computer used by the whole family, then every family member will be subject to the time schedule when using that computer. There will be no exception.

You will notice that if you have any of the Parental Controls settings enabled, additional Port Forwarding entries are automatically defined in your router. Those Port Forwarding entries will disappear after you disable the setting.

Parental Controls are nice features to have. For better router performance, you might want to disable them unless you need them to guard your children's Internet access.

Friday, October 26, 2018

Configuring Guest Network in Asuswrt-Merlin and Asuswrt

If you are reluctant to give out your WiFi password to guests who want to use your WiFi to connect their mobile devices to the Internet while visiting your place, you can set up a Guest Network for them.

Guest Network is a useful function to allow guest or public Internet access while separating them from your own internal network. Asus Guest Network also has some advanced features for you to impose restrictions such as access time, bandwidth limiting, MAC filter, etc.

The Guest Network function in Asuswrt-Merlin firmware should be the same as in original Asuswrt firmware. It allows you to configure up to 3 separate Guest Networks for 2.4GHz wireless band and up to another 3 separate Guest Networks for 5GHz wireless band.

If your Asus router has two 5GHz wireless bands, then you'll have yet another 3 separate Guest Networks for your second 5GHz wireless band.


It is advisable for you to set an SSID for Guest Network that is different from your regular WiFi SSID.

If you set the Authentication Method to "Open System", anyone around your wireless router can connect to your Guest Network without the need of any password. It is advisable to set the Authentication Method to "WPA2-Personal" and set the WPA Pre-Shared Key as the password to connect to your Guest Network, which can be different from your regular WiFi password.

You can optionally restrict the Access Time of this particular Guest Network. For example, if you set the Access Time to 2 hours, the Internet access for this Guest Network will be cut off 2 hours after you click on the Apply button.

You can also optionally limit the Download Bandwidth and/or Upload Bandwidth for this Guest Network. If you set the value to 0 Mb/s or higher than your Internet access bandwidth assigned by your ISP, then it is not restricted.

If you enable Access Intranet, the devices connected to this Guest Network are able to access networked devices connected to any of the LAN ports of your Asus router. If you use a switch to expand the network linked to a LAN port, all the devices connected to the switch are also accessible from the Guest Network. In this way, your Intranet is exposed to your guests.

If you disable Access Intranet, your guests won't be able to access any networked devices connected to the LAN ports of your Asus router. However, they can still access the devices connected to your WiFi, including those connected to your regular WiFi network.

If you want to also disable access to your WiFi connected devices, you can Set AP Isolated for a particular wireless band under Advanced Settings > Wireless > Professional. However, this setting is not Guest Network specific, and will affect all the devices connected to that particular wireless band.

If you want to isolate only the Guest Network from other wireless devices, you can look into the YazFi expansion for Asuswrt-Merlin. You can click here to find out more information about the YazFi expansion in SNBForums, including its installation method and sample configuration file.

You can also optionally make use of MAC Filter to specify which mobile devices are allowed or not allowed to connect to this particular Guest Network.


Thursday, October 25, 2018

Update firmware of Asus wireless router to the enhanced Asuswrt-Merlin version

Asuswrt-Merlin is a 3rd party enhanced version of Asuswrt, which is the official firmware in use by all recent Asus wireless routers. Asuswrt was originally forked from the Tomato-RT/Tomato-USB firmware, which in turn was developed based on the code of Linux-based HyperWRT, a 3rd party enhanced firmware for Linksys routers.

Asuswrt-Merlin is mainly developed and maintained by Eric Sauvageau (a.k.a. RMerlin) based on the Asuswrt firmware developed and maintained by the Asus technical team.

Asuswrt consists of open source GPL code as well as closed source proprietary components. Asus releases the source code of the Asuswrt firmware on their website, with the closed source portion included as compiled binaries. This GPL release includes everything needed to completely recompile a working firmware, with the exact same features as found in their firmware releases, making it possible to enhance it into Asuswrt-Merlin firmware.

The general goal of the Asuswrt-Merlin project is to provide an alternative to the original firmware while remaining in sync with Asus's own development of each firmware release, so that new features and bug fixes developed in the original Asuswrt firmware can trickle down into the subsequent Asuswrt-Merlin firmware.

Asuswrt-Merlin is intended to improve but not to replace the original Asuswrt firmware functionality. Its priorities are: Stability > Performance > Additional Features.

The website of Asuswrt-Merlin is https://asuswrt.lostrealm.ca, and you can click here to view the list of its enhancements made on top of the original Asuswrt firmware.

There is an Asuswrt-Merlin forum in the SNBForums for community discussion and support of this firmware, and RMerlin himself is an active participant and moderator there.

To date, Asuswrt-Merlin is made available and supported for the following Asus wireless routers:

  • RT-AC66U_B1
  • RT-AC68U, RT-AC68P, RT-AC68UF, RT-AC1900, RT-AC1900P
  • RT-AC86U, RT-AC2900
  • RT-AC87U
  • RT-AC88U
  • RT-AC3100
  • RT-AC3200
  • RT-AC5300

You can check for a new release of Asuswrt-Merlin firmware at the following places:

  • If your router already has Asuswrt-Merlin firmware installed, you can check for a new firmware version by clicking the Check button in Administration > Firmware Upgrade > Firmware Version in the firmware's web GUI.
  • By manually searching for a new topic in the Asuswrt-Merlin forum with the title "[Release] Asus-Merlin 384.x is now available".

You can click here to go to the download webpage of Asuswrt-Merlin firmware in its website, or click here to go to its main download site at SourceForge.

At the SourceForge download site, select your Asus router model correctly, then select Release, and download the latest version of firmware accordingly. The firmware is packaged in a ZIP file.

After the download, you need to unzip the file. Before uploading the firmware file to your Asus router, it is advisable to compute its SHA256 checksum and match it against the checksum information inside the sha256sum.sha256 file. This is to make sure you won't upload a corrupted file to your router and potentially brick the router.

The easiest way to compute a file checksum in Windows is by using 7-Zip. Once you have installed 7-Zip on your Windows computer, you can right click on the file, select "CRC SHA" and then select "SHA-256" to get the SHA256 checksum of the file.
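
The same check can be scripted so that the comparison is not done by eye. The following Python is an added example, not part of the original post or of the Asuswrt-Merlin project; it assumes sha256sum.sha256 uses the standard `sha256sum` output format (hex digest, whitespace, optional `*`, file name).

```python
import hashlib
import hmac
import re
import sys
from pathlib import Path

# Assumed line format: 64 hex digits, whitespace, optional '*', file name.
_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+?)\s*$")

def parse_checksum_file(text):
    """Return {file name: lowercase hex digest} from sha256sum-style text."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            # Keep only the base name so "./fw.trx" and "fw.trx" both match.
            entries[Path(m.group(2)).name] = m.group(1).lower()
    return entries

def sha256_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large image is never loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_firmware(firmware_path, checksum_path):
    """Return (ok, reason); ok is True only if the file is listed and matches."""
    firmware = Path(firmware_path)
    text = Path(checksum_path).read_text(encoding="utf-8-sig", errors="replace")
    expected = parse_checksum_file(text).get(firmware.name)
    if expected is None:
        # Fail closed: a file that is not listed has not been verified.
        return False, f"{firmware.name} is not listed in {Path(checksum_path).name}"
    actual = sha256_of(firmware)
    if not hmac.compare_digest(actual, expected):
        return False, f"mismatch: expected {expected}, got {actual}"
    return True, f"OK: {actual}"

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify_fw.py <firmware file> <sha256sum.sha256>")
    ok, reason = verify_firmware(sys.argv[1], sys.argv[2])
    print(reason)
    sys.exit(0 if ok else 1)
```

Because the checksum file ships inside the same ZIP as the firmware, a match shows the file was not corrupted in transit or on disk; it does not by itself authenticate where the ZIP came from.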



If you want to install Asuswrt-Merlin firmware on a new router, make sure you have gone through the Quick Internet Setup wizard to get the initial configuration of the original firmware. You don't need to do this if you are installing to a router already in use, whether it is currently running the original Asuswrt firmware or Asuswrt-Merlin firmware.

It is advisable to manually record your major settings by taking print screens, and also to make a backup of your existing settings by going to Administration > Restore/Save/Upload Settings. Save both your Router Settings and JFFS Partition (the latter might not be applicable to stock firmware) to your local computer.

Then, you can proceed to go to Firmware Upgrade section, click on Choose File, select the Asuswrt-Merlin firmware file which you have downloaded, and Upload it to your router. The firmware updating process will begin, and your router will be rebooted.

Normally, your router will be up and running with no loss of previous settings after the firmware update. If you find it not working properly, you can try to Initialize your router to Factory Default, take out your printed screens and redo all your settings from scratch. If you are still facing any problem, you can go to SNBForums and seek help there.

