ASUS router IP Filter FAQ

This document describes the IP Filter facilities on the ASUS router, so far as I understand them.

This is based on my experiences with an ASUS AAM6000EV router, firmware revision 71146a1, connecting to Eclipse Internet.


  1. What is IP Filter?
    IP Filter is a simple inbound packet-filtering firewall for the ASUS router.
  2. What does "a simple inbound packet-filtering firewall" mean?
    If you are asking that question, then maybe you should be using NAT.
  3. Is documentation available for IP Filter?
  4. There are the Additional setup instructions for the Asus ADSL router IP Filter function written by Solwise. These describe how IP Filter should work once the bugs are fixed.
  5. If the router is configured to use NAT, do I need to enable IP Filter?
    No, because NAT will prevent all unsolicited inbound access to your LAN hosts, except where you specifically configure your router to allow it.
  6. If the router is configured in bridged mode (non-NAT), do I need to enable IP Filter?
    I would strongly advise you to use IP Filter to at least prevent access to your router's configuration from the Internet - see my notes about this. Alternatively you can disable the router configuration by http and telnet, if the bugs in IP Filter mean that running IP Filter is not possible.
  7. Can I rely on IP Filter to protect my LAN hosts, without any other firewall?
    No! Not in my opinion, anyway. IP Filter has some key limitations which preclude it from being suitable as the only protection from hackers for your hosts:- Multiple lines of defence minimise the chances of unwanted intrusions, and IP Filter is a line of defence - but it is not adequate on its own. I would not consider running any host that was directly routable from the Internet without a decent firewall. [If you are running NAT then it is a different matter.]
    When it comes to protecting your router, however, then IP Filter is all you've got. It is essential to protect the router from being reconfigured by anyone on the Internet who guesses your user name and password - which many people will have probably left on their widely known default values. Someone reconfiguring your router does not mean they've hacked into your computers. But it does mean a hacker can switch off all the firewall rules and / or switch off your Intenet access. Hence in my ASUS router bridged setup it advises you both to change the user name and password, and to prevent access to the router with IP Filter.
  8. How do I enable IP Filter?
    You need to check the IP Filter check box in the channel configuration. Then save and reset the router.
  9. Where do I find the IP Filter configuration?
    From the router's web interface, select Network Service then IP Filter.
  10. Can I configure IP Filter from the command line interface (telnet or serial cable)?
  11. Can IP Filter filter outbound (from the LAN) packets?
    Not, so far as I can see - it's just for filtering inbound packets.
  12. Can IP Filter filter inbound (from the Internet) packets going to the LAN?
  13. Can IP Filter filter inbound (from the Internet) packets going to the router?
    Yes. This is very important for preventing access from hackers to the router's configuration.
  14. Can IP Filter packets going from the LAN to the router?
    Not so far as I can see - it's just for filtering inbound (Internet to LAN) packets.
  15. How are IP Filter rules arranged?
  16. In what order are IP Filter rules applied?
    When you add Groups to a Channel, they are always listed in order of the Group Number, regardless of the order in which they are added. So I suspect that the rules are applied in order of the Group Number, which is also the point at which the Policy (allow or deny) is specified. However, I haven't specifically tested this yet. Has anyone tested this?
    Also, due to the bugs in IP Filter, it is very risky having rules that rely on packets being allowed instead of denied. If every Policy is deny, then the order is not important, and this becomes a non-question.
  17. Do I have to click SAVE for IP Filter rules to be applied?
    No, I don't think so. However, there's no harm in it, and it might do some good, so I always tend to press SAVE at the end.
  18. Do I have to reset the router for IP Filter rules to be applied?
    No, they're active once you've submitted them. In fact, don't reset the router after entering IP Filter rules, since there are bugs in IP Filter that will render them useless.
  19. What does IP Filter do when a packet breaks the filtering rules?
    It appears to reject the packet with an ICMP Type 3 (Destination Unreachable Error). This is the same as when inbound packets arrive when the router is configured for NAT. It would be more hacker-unfriendly if it just dropped the packet silently, instead of advertising the presence of a host.
  20. Are there any known bugs in IP Filter?
    Yes! In particular, if you router is reset (either deliberately, or because of a power failure, etc.), then:-

Last modified 16/03/2002.