Standard User PokeyOaks
(newbie) Fri 24-Sep-21 16:25:10

Security Issue ASUS RT-AX82U

Hi there,

I recently acquired an 82U and have discovered that, with UPnP off and no port forwarding established, connections are not being restricted by the NAT function. For example, my XBox will report an Open NAT when using this router regardless.

ASUS 2nd line support have been laughable, suggesting putting the XB into the DMZ or setting up the router as an access point.

The router is connected to the 'net via an HG612 3B and I've had the router replaced once already, and I've tried several previous firmwares with full factory resets after each.

So, anyone know if this applies to more than this ASUS model, or if it is just a result of faulty hardware design? Whichever way, it's a bit worrying...
Standard User jchamier
(eat-sleep-adslguide) Fri 24-Sep-21 17:26:04

Re: Security Issue ASUS RT-AX82U

[re: PokeyOaks]

I have an AX88U so these might be slightly different.

Is the firewall on? On the left menu in the Advanced section is "Firewall" and then on the right panel check the on/off switch.

Perhaps check under the WAN heading in the right hand panel the option for NAT Type is set as you want, I have Symmetric, but the other option is Fullcone.

The way game consoles report NAT is not obvious to me, but most gamers WANT an OpenNAT. This doesn't mean the NAT is disabled (you wouldn't have internet for any more than the router itself); it is down to the type of NAT being performed.

If nobody else has an idea, you could try the US based SmallNetBuilder forum where ASUS router products are extremely well known.

21 years of broadband connectivity since 1999 trial - Live BQM
Standard User PokeyOaks
(newbie) Fri 24-Sep-21 17:32:21

Re: Security Issue ASUS RT-AX82U

[re: jchamier]

Yes, the firewall is enabled, NAT type is set appropriately. It's not just the XBox, everything is behaving as though UPnP is enabled or the NAT is just passing through traffic indiscriminately.

Thanks for helping out though!


Standard User jchamier
(eat-sleep-adslguide) Fri 24-Sep-21 17:43:49

Re: Security Issue ASUS RT-AX82U

[re: PokeyOaks]

In reply to a post by PokeyOaks:
Yes, the firewall is enabled, NAT type is set appropriately. It's not just the XBox, everything is behaving as though UPnP is enabled or the NAT is just passing through traffic indiscriminately.

Well that is normal! If you want to block/manage outbound traffic then you can set up some firewall rules.

Home routers normally let everything connect outbound through the NAT, from my 1999 Linksys BEFSR41, which did not have WiFi, to the latest WiFi 6 router.

Thanks for helping out though!
You're welcome.

21 years of broadband connectivity since 1999 trial - Live BQM
Standard User Pheasant
(fountain of knowledge) Fri 24-Sep-21 18:21:46

Re: Security Issue ASUS RT-AX82U

[re: PokeyOaks]

In reply to a post by PokeyOaks:
Hi there,

I recently acquired an 82U and have discovered that, with UPnP off and no port forwarding established, connections are not being restricted by the NAT function. For example, my XBox will report an Open NAT when using this router regardless.

ASUS 2nd line support have been laughable, suggesting putting the XB into the DMZ or setting up the router as an access point.

The router is connected to the 'net via an HG612 3B and I've had the router replaced once already, and I've tried several previous firmwares with full factory resets after each.

So, anyone know if this applies to more than this ASUS model, or if it is just a result of faulty hardware design? Whichever way, it's a bit worrying...

This may be down to a fundamental misunderstanding of how domestic routers with NAT functionality typically operate.

Had you previously had another router block outbound traffic by default? I would agree with @jchamier that would be an extremely unusual characteristic 'out of the box'.
Standard User PokeyOaks
(newbie) Sat 25-Sep-21 11:26:46

Re: Security Issue ASUS RT-AX82U

[re: Pheasant]

There appears to have been some misunderstanding. I am referring to incoming traffic!! I'm not *that* dim!
Standard User Pheasant
(fountain of knowledge) Sat 25-Sep-21 11:44:16

Re: Security Issue ASUS RT-AX82U

[re: PokeyOaks]

In reply to a post by PokeyOaks:
There appears to have been some misunderstanding. I am referring to incoming traffic!! I'm not *that* dim!

A device inside your network makes a request and receives a response. What other *unsolicited* inbound traffic are you otherwise receiving?
Standard User jchamier
(eat-sleep-adslguide) Sat 25-Sep-21 15:50:36

Re: Security Issue ASUS RT-AX82U

[re: Pheasant]

In reply to a post by Pheasant:
A device inside your network makes a request and receives a response. What other *unsolicited* inbound traffic are you otherwise receiving?

I think this is a gamer request.

21 years of broadband connectivity since 1999 trial - Live BQM
Standard User Pheasant
(fountain of knowledge) Sat 25-Sep-21 18:55:27

Re: Security Issue ASUS RT-AX82U

[re: jchamier]

I'd expect you're correct given the OP detail. However that aside, I still can't see how a bog standard NAT router is going to be openly allowing external traffic to pass, unless something from the inside is keeping some sort of tunnel open.

Got any clues?
Standard User jchamier
(eat-sleep-adslguide) Sat 25-Sep-21 19:07:19

Re: Security Issue ASUS RT-AX82U

[re: Pheasant]

In reply to a post by Pheasant:
I'd expect you're correct given the OP detail. However that aside, I still can't see how a bog standard NAT router is going to be openly allowing external traffic to pass, unless something from the inside is keeping some sort of tunnel open.

I'm equally confused, as I read the original post as a problem with the type of NAT outbound, which is why I replied with where my ASUS has a choice of NAT type and the firewall option.

I wonder if this is down to a game or game server using something proprietary, akin to STUN, but we won't know unless the OP returns.

Guessing - maybe they really need UPnP to dynamically open ports, but have read some security advice, or had family/friends tell them that UPnP is a "problem" and now they think the expensive WiFi 6 router is to blame.

21 years of broadband connectivity since 1999 trial - Live BQM
Standard User Pipexer
(eat-sleep-adslguide) Wed 29-Sep-21 21:04:29

Re: Security Issue ASUS RT-AX82U

[re: PokeyOaks]

In reply to a post by PokeyOaks:
There appears to have been some misunderstanding. I am referring to incoming traffic!! I'm not *that* dim!

And how are you testing this?

This makes no sense. NAT is not a many to many relationship. Are you saying that if you just opened up a web server on any computer that it would be accessible from the internet? How would your router know how to NAT this to the correct device?

This sounds like something specific to your XBOX - maybe "open NAT" simply means that you are behind NAT but it is open on the outbound, as per what people here are thinking.

Andrews & Arnold Home ::1 on Draytek 2862ac - Why settle for inferior?
Standard User danielhyde
(member) Thu 30-Sep-21 14:18:13

Re: Security Issue ASUS RT-AX82U

[re: PokeyOaks]

There's quite a few home routers that once you open a port outbound to access something will allow traffic inbound on the same port.
This may or may not be what is going on here.

Thanks
Dan
Standard User jchamier
(eat-sleep-adslguide) Thu 30-Sep-21 14:28:11

Re: Security Issue ASUS RT-AX82U

[re: danielhyde]

In reply to a post by danielhyde:
There's quite a few home routers that once you open a port outbound to access something will allow traffic inbound on the same port. This may or may not be what is going on here.


On a default setup of all home routers, you don't "open a port" outbound, you just connect, otherwise VoIP, email, HTTP/HTTPS would all fail. The NAT engine watches the traffic from your machine, creates a state table, and retransmits the packet with the public IP. When the reply comes back to the ephemeral high port, the NAT engine rewrites it to the internal device.

The problem is unsolicited inbound that doesn't match an outbound, that is where the NAT has no idea where to send to. At that point the term "open a port" normally means "map a port to an IP" so you can tell the NAT that unsolicited inbound on port xxxx is forwarded to internal IP xxxxx.

So I'm confused at a network level as to what "open a port" actually means, if it is not gamer slang for port forwarding???

21 years of broadband connectivity since 1999 trial - Live BQM
Standard User danielhyde
(member) Thu 30-Sep-21 14:34:05

Re: Security Issue ASUS RT-AX82U

[re: jchamier]

Yeah I know that, I was using terminology that the OP would understand.
I've experienced first hand when using SIP phones on some home routers that once it has connected outbound you can connect inbound and call the phone directly.
This is caused by the router allowing traffic back through the NAT state created by the outbound connection.

Thanks
Dan
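
The state-table behaviour jchamier describes and the inbound-after-outbound behaviour danielhyde reports, as an added example that is not part of the original thread: a toy Python model of a NAT state table under the two "NAT Type" settings mentioned earlier, Symmetric and Fullcone. All addresses, ports and names are constructed, and the filtering rules follow the usual definitions of those terms, not ASUS's firmware.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Toy NAT state table; mode is 'symmetric' or 'fullcone'. State timeouts are not modelled."""
    mode: str
    next_port: int = 40000                        # constructed ephemeral range
    table: dict = field(default_factory=dict)     # public port -> state entry
    forwards: dict = field(default_factory=dict)  # static port forwards (none by default)

    def outbound(self, lan, peer):
        """A LAN (ip, port) sends to a WAN peer: reuse or create state, return the public port."""
        # Full cone keeps one mapping per LAN endpoint; symmetric keeps one per (LAN endpoint, peer).
        key = lan if self.mode == "fullcone" else (lan, peer)
        for port, entry in self.table.items():
            if entry["key"] == key:
                return port
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = {"key": key, "lan": lan, "peer": peer}
        return port

    def inbound(self, src, pub_port):
        """A WAN packet from src hits pub_port: return the LAN endpoint, or None if dropped."""
        if pub_port in self.forwards:
            return self.forwards[pub_port]        # explicit "map a port to an IP"
        entry = self.table.get(pub_port)
        if entry is None:
            return None                           # unsolicited: no state, nowhere to send it
        if self.mode == "symmetric" and entry["peer"] != src:
            return None                           # only the contacted peer may use the mapping
        return entry["lan"]                       # full cone: any sender may use the mapping

def demo(mode):
    """Run the same three inbound packets against a NAT in the given mode."""
    nat = Nat(mode)
    console = ("192.168.1.50", 50000)             # constructed LAN host
    server = ("198.51.100.7", 3000)               # constructed peer the console contacts
    stranger = ("192.0.2.99", 5555)               # constructed host that was never contacted
    port = nat.outbound(console, server)
    return {
        "reply_from_server": nat.inbound(server, port),
        "stranger_to_mapped_port": nat.inbound(stranger, port),
        "stranger_to_unmapped_port": nat.inbound(stranger, 8080),
    }

if __name__ == "__main__":
    for mode in ("symmetric", "fullcone"):
        print(mode, demo(mode))
```

In both modes a packet to a port with no state is dropped; the modes differ only in who may use a mapping that a LAN device has already created.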
Standard User Pheasant
(knowledge is power) Thu 30-Sep-21 16:00:35

Re: Security Issue ASUS RT-AX82U

[re: danielhyde]

We’re all saying the same thing in a roundabout way - the router of course allows solicited inbound traffic, based on a device on the internal network making some request or opening some sort of tunnel.

There is no way a consumer NAT router is going to allow unsolicited inbound traffic / by default.

The OP has yet to provide any evidence or data to support his claim/concern that that is happening (over and above from the loose description(s) his games boxes are giving him).

Hence why I think this is all illusory rather than real.