Thursday, January 3, 2013

Setup and Tweak Your New Asus RT-AC66U or N66U Router! (partially OT)

Asus has been doing an increasingly impressive job in the "home" WiFi router market. With performance approaching enterprise-class routing capability and second-to-none WiFi performance (for an unmanaged single unit), they're hard to beat for the enthusiast market. By using something like TomatoUSB firmware you can get many enterprise-class features. While I may write an article in the future on Tomato or DD-WRT tweaking, I'm going to go through the setup here using the new "Merlin" firmware. Eric Sauvageau, the author of the modified firmware, says of it:

"The primary goals of this project are to fix bugs, add a few basic features and tweaks to the original firmware. This firmware will try to remain as close as possible to the original firmware."

Sounds good to me. I've spent a lot of time with Tomato and DD-WRT on my home network, and a change of pace might be nice. Also, you get the peace of mind that you're using mainly the manufacturer's code on this newer hardware.

Note: Some ideas covered in this article may apply to other consumer or enterprise level hardware.

Assumptions:
  • You have purchased either a RT-AC66U or RT-N66U (Update 7/6/13: RT-AC56U now supported as well)
  • You have backed up, memorized, or otherwise, your old router settings
  • You're comfortable with the basics; I'm not going to re-cover the manual 
  • You have power and an internet connection. Setup will be easier and more reliable if you also have a house or apartment, which you should be inside of during this tutorial. 
Let's get to work:
  1. Connect the router as described in the manual. If you have a DHCP server (other than the one on the router from your ISP) you'll either need to temporarily disable it or ensure it's assigning the 192.168.1.x range excluding .1.
  2. Perform the initial "Quick Internet Setup" wizard
  3. After/if it prompts you to update firmware, go ahead and do so.
  4. If desired, (and some of my steps will assume this is done) download the "Merlin" firmware from here. In the interface click "Administration->Firmware Upgrade" and specify the path to the trx file. 
  5. Now that we've upgraded, let's highlight important setup steps. I'm not going to cover the specifics of your environment, just things I recommend you pay attention to. First, navigate to "Wireless->WPS"  and set it to "OFF". Most implementations of WPS are NOT secure at all. For more information, see: This episode of the wonderful Security Now! podcast or this lifehacker article. There are many ways to get a complex WiFi key to nearly any device securely.
  6. Navigate to "Wireless->Professional", check the "Tx Power adjustment" and reduce it if possible (some experimentation required). Make sure you use the dropdown and do both 2.4 GHz and 5 GHz. Lowering your broadcast power will slightly shorten the range so you aren't broadcasting to your neighbors (polite) and may lengthen your hardware life. (See the effect @ "Tools->Radios Temperature")
  7. If you disabled the DHCP server, make sure you go to "LAN->DHCP Server->Log DHCP Queries" and hit "Disable".
  8. To log stats, insert a USB thumb drive. It can be tiny and slow if you want. Navigate to "System Log->General Log" hit "Refresh". Copy the contents down and search them for the mount messages. In my case, the only message was "Jan  3 18:47:16 hotplug[1032]: USB vfat fs at /dev/sda mounted on /tmp/mnt/1GB", and that corresponds to @ /mnt/1GB for short since /mnt is a symlink to /tmp/mnt. Write this down. 
  9. Navigate to "Tools->Other Settings" and set "Traffic history location" to "Custom location".
  10. Set "Save history location" to the value you wrote down in step 8, select "Create or reset data files" (if this is the first time you have done this on this disk) and hit "Apply". 
  11. (Added 1/12/13) Unless you're using STP with your other switches, etc. navigate to  "Lan->Switch Control" and set "Spanning-Tree Protocol" to "Off".  Cool that it supports STP though! (Update 10/11/2013: There has been some confusion on this, so to simplify: If you have more than one switch not including this Asus router, leave STP enabled. Otherwise, disable it. If you would like to better understand see this.)
  12. (Added 1/20/13) If you aren't using IPv6 (yet), navigate to "IPv6"->"Auto Configuration Setting"->"Enable Router Advertisement" and set it to "Disable"
  13. (Added 1/20/13) Let's disable some other services that most people won't need. Unless you're using this router as a filesharing and/or DLNA device, do the following: Navigate to "USB Application"->"Media Server"->"Enable DLNA Media Server" and set it to "Off".
  14. (Continued from #13) Navigate to "USB Application"->"Network Place/Samba Share"->"Disable Share" and click "OK" to confirm disabling the service.
  15. (Continued from #13) Navigate to "USB Application"->"Miscellaneous Setting" and turn off "Force as Master Browser" and "Set as WINS Server" and click "Apply". 
  16. (Added 2/4/2013) Recommended: Though I haven't tested (update 6/7, it's fine as of now, so if you need UPnP go ahead) to see if this firmware is impacted by the recent discovery that a substantial number of firmwares expose UPnP to the external interface of the router(!!), I still recommend turning it off if it's feasible. This means you'll have to forward ports manually, but if you're reading this I suspect you know how to do so anyhow. (If not, comment as such and perhaps I'll write an article about it.) To disable the UPnP service navigate to "Advanced Settings->WAN->Internet Connection->Basic Config->Enable UPnP" and set it to "No". Update 5/27/2013: How to forward ports: 
    1. To forward ports, first determine what ports your service/application uses. While a search for "(Service) forward ports" generally returns the  ports needed for that service, you can also use something like portforward.com to look it up. Note that the port spaces of TCP and UDP protocols are separate, so make sure you get the protocol right and know that the port numbers can overlap. There are some pre-baked shortcuts in the Merlin/Asus firmware on the port forwarding page (listed in the next step) that will populate the ports for you; it may be worth checking those out to save some time.
    2. After you determine your ports, open the manage interface of your Asus router and navigate to "Wan->Virtual Server/Port Forwarding"
    3. Ensure "Enable Port Forwarding" is set to "Yes". 
    4. Under "Port forwarding List" type the name of your application under "Service Name". This entry is cosmetic only and serves to identify this forward. 
    5. Under "Port Range" enter the port(s) needed for this application. To open a range, separate the lowest port and the top port with a ":". For example, to open up ports 80 through 90 you would put "80:90". You can also put non-joining port ranges on the same rule by adding more ports after a comma. For example, to open ports 80 and 90, you would put "80,90".
    6. On "Local IP" put the IP address of the machine hosting the service you would like to expose to the internet. If you don't know this address and you're (as default) using the DHCP server on the router you can find the address by going to the DHCP management on your router. 
    7. On "Local Port" you generally want to put exactly what you put under "Port Range". The exception to this rule would be if you want to expose an internal port as a different port externally. 
    8. Under "Protocol" select the proper protocol; TCP, UDP, or Both. Again, note that selecting "Both" would result in both sets of ports being opened. 
    9. Click the plus icon "Add/Delete" and then click "Apply" at the bottom. Note that if your IP address changes then you'll need to update the rule. 



  17. (Added 7/20/2013, Critical) A vulnerability has been discovered with the AICloud software. There is an official firmware that has been released that is reported but not confirmed to fix the problem, but that includes a very poor WiFi driver so I would not recommend its use unless you have no 5 GHz WiFi clients. The Merlin 372_30_2 build does not address this problem because Eric based it on a pre-release 372 version that didn't yet include the fix. (Confusing versioning by Asus.) If you don't run that new stock FW make sure you disable the AICloud! (AICloud->Smart Disk/Cloud Access) Update 7/24/13: There is a Merlin build that addresses this issue now available. See below for links. Update 2/18/14: There have been stories about either this exploit and/or a potentially newly found exploit involving FTP and the AI cloud feature. I think the best advice at this time is from Eric (the author of the firmware). The point: Because it is uncertain if this is entirely based on the old vulnerability, disable these features until the full nature of the exploit is disclosed and confirmed fixed. Update 3/16/14: This should be fixed with the newest build (374.40) but frankly I would still leave them off.
  18. (Added 11/3/2013) If you notice that your WiFi continues to lose connectivity and you need to reboot the router to fix it, try naming your 2.4 GHz and 5 GHz radios differently. I've noticed that some dual band devices (the iPad specifically) will bounce between frequency spectra and this will cause the Asus to become confused and stop relaying requests to the DHCP server correctly. To do so go to Wireless->General and use the dropdown to switch between "2.4GHz" and "5GHz", ensuring they have different SSIDs so that your devices will target one of the two explicitly.
If I find any other important info I'll add it. Enjoy!

Note 1: If you enable "Tools->Other Settings->Enable advanced (per IP) monitoring" it will disable hardware acceleration. While you most likely won't notice this unless you've got an internet connection approaching 100Mbit, be aware that you may lose some performance for that functionality.

Note 2: Check out "USB Application-> 3G/4G"... very interesting stuff.

Note 3: I'm investigating an issue that results in WiFi being unable to communicate with the LAN ports. It manifests itself in the log as: Jan 11 17:05:23 kernel: eth1: received packet with  own address as source address . I'll post updates on this later.

Update 2/2/2013: Merlin posted a new beta build. Discussion, Changelog.

Update 2/23/2013: More new builds & bugs fixed! Release Thread and changelog.

Update 3/16/2013: Another new build! Release Thread, Changelog

Update 3/29/2013: Eric just uploaded a new beta build based on a beta release from Asus. A couple exciting changes here including new wireless driver and tools. Note that you'll need to re-add you WoL clients (if you had any) because Asus added a new WoL tool. Also, note this warning from Eric:
"New wireless driver. This new driver brings quite a few improvements over the older one. Note that if you experience any issue with this new driver, it is strongly recommended to revert back to factory defaults, and re-configuring your router. There are a few low-level changes, and some new default values that you won't pick up until you revert back to factory defaults."
Release Thread, Changelog, Download

Update 4/4/2013: It looks like some folks are having issues on the new build with the 5Ghz radio. There is quite a lively discussion going on and Eric has answered quite a few questions.

Update 7/6/2013: A new build has been released that introduces support for the RT-AC56U! Release Thread, Changelog, Download

Update 7/24/2013: Another new build, (3.0.0.4.372.31) this time fixing the AI Cloud security issue and introducing the Yandex DNS filtering service. Be wary though that Yandex is in Russia, so if you use this feature (off by default) it may noticeably slow internet browsing since it redirects all your DNS queries. Release Thread, Changelog, Download.


Update 10/3/2013: Eric has been hard at work on a new build(3.0.0.4.374.33) based on a new source that includes fixes to general performance, parental controls, and more. Note this warning from Merlin: 

"IMPORTANT:
Due to the SDK change on the RT-N66U, you *MUST* revert back to factory default and manually reconfigure your router if coming from an older firmware! The only exception is if you were previously running either the Pixie Dust release (3.0.0.4.374.32-sdk6), or a previous beta of 3.0.0.4.374.33 (except for the -sdk5 Beta, of course).

Asus also recommends doing the same for the other models, however feel free to try without doing so. It might work fine for most people, but be prepared to do a factory default reset + reconfiguration if you run into any odd issues.

And by "manually reconfigure", I really mean it. Reloading saved settings would totally nullify the action of resetting to factory defaults, since you will just end back to where you started, with all the same (possibly invalid) settings.
"

Release Thread, Changelog, Download.

Update 12/14/2013: New build! (3.0.0.4.374.35_4) GPL 374.339 (Time machine support for some models), Asus' OpenVPN implementation. (Note this is a total overhaul), Namecheap DDNS, and more.  Release Thread(With Changelog), Download.

Update 1/22/2014: New build! (3.0.0.4.374.38) GPL 374.2078, major driver/SDK changes. RT-N16 is not supported by this build. This is SDK6 only. In short, if you have issues with this build, particularly with wi-fi performance, fall back to an earlier build. That said, the feedback in the forum regarding this build has been great thus far. Note: in most situations, Eric does recommend resetting to factory defaults & manually re-configuring. Release Thread With Changelog, Download

Update 2/16/2014: New build, out for a bit. (3.0.0.4.374.39) Dumps SDK5 and adds a new parental control option to use DNS services to block category based URLs as well as bug fixes. Release Thread, Changelog, Download

Update 3/16/2014: New build: 374.40. Not stable for the RT-AC68U but fixes the RT-N16. DNSFilter enhanced along with IPv6 fixes. This build should also address the highly publicized security issues from last month, but I would still recommend highly against enabling FTP, "Cloud AI", or any other outward facing services on principle. Release Thread, Changelog, Download.

Update 6/6/2014: New build: 374.43. Another new release from Eric today, mostly bugfixes. One feature added; the ability to force a DDNS refresh after a configurable number of days. Release Thread, Changelog, Download. Also, SmallNetBuilder forum member "000111" (7?) had the great idea to start a donation thread for Eric. If you appreciate his efforts it's worth considering heading over to this thread and throwing him a few bucks for the effort.

108 comments:

thehin said...

Nice Job. I like your firmware. keep up the good work.

Toby Meyer said...

Thanks thehin, but I'm not the author of the firmware, just this blog post about the router. :) The firmware author is Eric Sauvageau and his homepage can be found here. I'm thankful that he has taken this on since that default firmware leaves a bit to be desired.

Thanks for reading!

scottylomez said...

Hi Toby
You may not have an opinion on this, but...
Having just bought this router and wanting to use the inbuilt BT download app, I can't find a way to configure the app to connect to my VPN service to enable anonymous BT downloads as if I was using my pc securely.
Do you have any advice or ideas on how at achieve this - as I haven't!
Great router with excellent range and through put though.
Thanks for any advice !!
Scott.

Constantine said...

Thanks for all your hard work in compiling these extra tweaks. I truly appreciate it! I look forward to hearing about any other modifications you make in the future. Thanks again for this post!

Toby Meyer said...

Hey Constantine, thank you very much for your kind words. :)

Toby Meyer said...

Hey scottylomez!
I'm by no means a bittorrent guru, but hopefully I can get you pointed in the right direction. You won't find this option in the GUI but it looks like the package the router uses is called Transmission. The config file can be manipulated by turning on SSH access ("Administration"->"Enable SSH"->"Yes"... make sure "Allow SSH access from WAN" is off!) and then connecting with your favorite terminal client (Putty, etc) using the same login you use for the web interface. The main conf file can be found @ /tmp/mnt/(sdb1)/asusware/etc/dm2_transmission.conf where (sdb1) is what your drive is mounted as. You can find that by looking @ the entry in the system log when you plug it in. For guidance on how to configure the transmission client, look here and here. Good luck!

scottylomez said...

Wow - thanks Toby - might be a bit out of my depth but will have a go later.
If I break the transmission config file, will I only break the 'Download Master' application, meaning a reinstall will fix any damage?

Toby Meyer said...

@scottylomez
Yup, you can always "Uninstall" and then "Install" again from the GUI and it will re-extract the contents from the firmware. Alternatively, you can backup the config file before you start by just doing something like cp dm2_transmission.conf dm2_transmission.conf.orig . The firmware won't touch your custom file.

giBiLatoR said...

Hey Toby,

Great job on the writeup!

Having just bought a AC66U I would love to flash tomato on it! although not very tech savvy...

I have read that tomato isn't currently supported by the AC66U, does this writeup definitely work with it?

Josh

Toby Meyer said...

Hi Josh, thanks!

This software is the actual firmware made by Asus with some very welcome changes made by Eric Sauvageau. It works so well with the original hardware that you can use the built in Asus flash utility to go back and forth or upgrade. I'm sure you'll find it quite easy to use. Good luck & have fun!

08223872-b870-11e2-9c1f-000bcdcb471e said...

@toby interesting read. Does this Merlin firmware allow of url traffic monitoring? so one can easily see what sites are visited and then deciding if they should be blocked our not?

Toby Meyer said...

Hey there,
Unfortunately the default firmware does not allow for URL monitoring and the Merlin firmware hasn't added it in. The closest thing is URL filtering which is included, and that can be found @ Advanced-> Firewall-> URL Filter. That filter allows for individual words anywhere in the URL, i.e. "uglypuppies" would block http://host.theuglypuppieshouse.com as well as http://uglypuppies.net.

If you really needed the functionality remember that this firmware uses busybox so you could in theory add one of the many URL monitoring packages available for that manually.

Hopefully that addresses your question; thanks for reading!

SuperG said...

cool article, thanks
did everything you recommended except #16, please explain the need for port forwarding, and how to.

thanks

Toby Meyer said...

Hey SuperG, thanks for the comment. I've added a short tutorial on how to forward ports after point 16. Let me know if you have any other questions. Thanks!

beeker said...

Still issues with parental control on 3.0.0.4.270. Will set alright but will not close down access to the internet at the set time. If anyone is on the internet, access is still possible so of no use. Is there a fix?

psychosunshine said...

Does anyone know if you can get notification when someone connects to the wireless side of the router? I would like know if someone gets on my network.

Toby Meyer said...

Hi @psychosunshine;

Great question... I haven't tried this yet but one could install IW on optware and then use a script to monitor and report on clients. Here are some links to get started:

Init optware

Get IW

IW monitoring script

Otherwise you could try scraping sysinfo (used for the default Tools page) but I don't think that has all the information you would be looking for.

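As an added example (not from the reply above or from the firmware), here is the kind of monitoring script that reply suggests: it parses the output of "iw dev <iface> station dump" (assumed installed via optware), compares the associated MACs against an allow-list, and logs any client not on it. The interface name eth1, the allow-list path and the sample dump are my assumptions.

```shell
#!/bin/sh
# wifi-watch: report wireless clients that are not on an allow-list.
# Assumes "iw" works on the wireless interface (installed via optware) and
# that /jffs/known_macs.txt holds one allowed MAC per line (assumed path).
IFACE="${IFACE:-eth1}"
KNOWN="${KNOWN:-/jffs/known_macs.txt}"

# Constructed sample in the format "iw ... station dump" prints, for offline runs.
SAMPLE_DUMP='Station 00:11:22:33:44:55 (on eth1)
        inactive time:  120 ms
        rx bytes:       10240
Station aa:bb:cc:dd:ee:ff (on eth1)
        inactive time:  30 ms
        rx bytes:       512
'

# station_macs: read a station dump on stdin, print one lowercase MAC per line.
station_macs() {
    awk '/^Station /{print tolower($2)}'
}

# unknown_macs KNOWN_LIST: stdin = MACs (one per line); prints those that are
# not in KNOWN_LIST (newline- or space-separated, any case).
unknown_macs() {
    known=" $(printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr '\n' ' ') "
    while read -r mac; do
        [ -z "$mac" ] && continue
        case "$known" in
            *" $mac "*) ;;          # allowed, stay quiet
            *) echo "$mac" ;;       # not on the list, report it
        esac
    done
}

# check_sample KNOWN_LIST: run the pipeline over the constructed dump.
check_sample() {
    printf '%s' "$SAMPLE_DUMP" | station_macs | unknown_macs "$1"
}

# check_live: the real thing, meant to be run from cron on the router;
# each unknown client goes to syslog (visible under System Log).
check_live() {
    [ -r "$KNOWN" ] || return 1
    iw dev "$IFACE" station dump | station_macs | unknown_macs "$(cat "$KNOWN")" |
        while read -r mac; do
            logger -t wifi-watch "unknown client $mac on $IFACE"
        done
}
```
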
Toby Meyer said...

Hey @beeker!

Good observation; I was able to recreate your issue. Any new connections are blocked, but existing connections (i.e. Netflix, etc.) remain open. It looks as if the parental controls use IPTables forwarding rules with the TIME module. Here's an example:

Chain FORWARD (policy DROP)
target prot opt source destination
PControls all -- 0.0.0.0/0 0.0.0.0/0 TIME from 1:0 on Sun MAC 40:25:XX:XX:XX:XX
DROP all -- 0.0.0.0/0 0.0.0.0/0 MAC 40:25:C2:3E:D9:1C
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain PControls (8 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

This has to do with the way IPTables evaluates connections. I tried adding an explicit MAC filter via a cron job and that didn't do the trick either; have you considered scheduling a reboot job to correspond with the time that the access is turned off? That would obviously kill all sessions. Another option would be to try installing tcpkill as optware and cron that.

Bob Loblaw said...

I just bought the RT-AC66U and I have a slight problem. I set up the router the way it shows in the manual but I can't seem to move past that step. The WAN and LAN lights are solid blue and stable, but the Power light flashes very slowly.

When I go into "Network & Sharing Center" there's an "!" between the PC and "Unknown Network" and an "X" between the "Unknown Network" and Internet.

I also tried the "192.168.1.1" address, but it comes up as not working.

I did notice one strange thing: my PC's ethernet port emitted a green light with my last router, but with this one, its red & green O.o

I keep hearing how great and easy to setup this router is, but I'm failing at this setup pretty hard. Any and all help is appreciated.

Romas Cesas said...

I have read everything here and the Merlin website but I don't really see anything about the problem I am having with the AC66U I have. Bought it back in March to replace a Linksys router (network seemed sluggish and erratic). Just last week I suddenly noticed that the wireless computers were being identified but I could not connect to them whereas the wireless computers could access every LAN computer. It gets better. The wireless computers can't access each other.
The only reason I finally noticed this is that my one wireless computer runs my music system and I listen on other computers. I have a lot duplicated on the LAN system but not everything, so I finally noticed that I was missing songs when I changed settings on my media player (JRiver) and noticed that there were no files from that computer.
I don't recall if there was a connectivity problem from the very beginning.
I am on the latest ASUS beta build and am ready to try the latest Merlin beta; but before I do any suggestions?
I have checked all the settings and I have it rather basic. Nothing fancy because I'm not good at networking.
There was the comment about wireless not communicating with LAN and I'm not sure if that would be related.
Thanks.

Toby Meyer said...

Hi @Bob,

Boy that's tough to help on that one; there are so many variables there that I can't help much without seeing it. I can say that you probably don't have anything to worry about with the extra light on your PC; I'm guessing your old router had 100Mbit switch ports while the new Asus router has 1Gbit. Your now faster LAN connection is most likely displayed by your PC with that extra light over the NIC. As for the other issue, all I can say with the limited information is to double check the connections and ensure your internet service is working directly on the device from your service provider.

Nice nickname btw. :)

Toby Meyer said...

Hi there Romas,

Unfortunately I have not been able to re-produce your issue. I did a test between a few machines and devices on my WiFi network without issue. Here are some things to check:

-Ensure you're using the standard wireless and not guest wireless for your devices.
-Make sure your device is set to AP only on the Wireless->Bridge page
-(unlikely) make sure there isn't a huge amount of interference in your environment. This is very unlikely to cause what you're reporting but if you're in a high density location it may be worth doing a quick verification.
- Make sure you don't have any odd static routes set that would render wireless clients unable to see each other. (LAN->Route, by default empty)

When troubleshooting, make sure you use IP addresses (IPCONFIG on windows hosts) to take name lookup out of the loop. Good luck!

Romas Cesas said...

Thanks Toby,
Checked those settings. No issues there.
This weekend I will do a reset on the router and see if that cures it all.
Will let you know if that works.

Romas Cesas said...

Found the problem. I have Kaspersky on all my computers and apparently with the last update (which was within the last month) it changed the settings to public network on the wireless computers. changed it to a local network and now everything works as it should.
Way too many settings to go through on Kaspersky. (and I am also on Win8).

Toby Meyer said...

Excellent, I'm glad you found the problem. Thanks for following up Romas; good to know that Kaspersky does that by default now.

vh57 said...

Do you know if there is a way to use OpenDNS only on a Guest network?

Toby Meyer said...

Hey @vh57,

Great question. I think this may be possible by using a custom dnsmasq.conf file, but I haven't tried it yet. To give it a shot, create the custom dnsmasq.conf file as outlined in Merlin's readme. In short, you would change the settings to what you want out of the GUI, copy /tmp/etc/dnsmasq.conf to /jffs/configs/ . You would then need to change the DHCP scopes to be interface specific. Since the router expects a certain range it will be easiest to take the DHCP range setup by the GUI and split it into the number of subnets you want based on the number of guest networks enabled. For example, if you have a guest network on the 2.4ghz range and one on the 5ghz range then you would need to add two to each of the other standard interfaces you want to serve up DHCP on. Count the total interfaces and divide the DHCP scope up accordingly. After determining this, edit your custom dnsmasq.conf file (under the jffs... dir) to have scopes per their interface. The guest network interfaces are as follows:

2.4Ghz: wl0.x where x= the number representing the guest network from 1 to 3, I.E. wl0.1 for the first guest network.

5Ghz: wl1.x where x= the number representing the guest network from 1 to 3, I.E. wl1.1 for the first guest network.

For an example of how to setup multiple scopes in DNSMASQ, see this link. Essentially you will change the DHCP scope options to have the interface as a prefix to the argument, I.E.:

dhcp-option=wl0.1,6,208.67.222.222,208.67.220.220

You'll need to specify all the other options for each, and you'll need to specify a scope for each interface including the "standard" interfaces as well. Using this, you can specify what options (including DNS servers) you want on each scope.

Once you're done, save the file and restart the router. You should now get the DNS servers and other DHCP options associated with the scope served on that interface.

There may be some other entware/optware options to accomplish the same by running multiple DHCP servers bound to specific interfaces, but I think this would be worth a try before going down that route. If you get a chance let us know if it works and if you have any additional questions feel free to ask!

musicaeespaco said...

Dear toby - I have a question - I know you're not official support but I love this site and learned alot from your post!

I just got an N66u after an old WRT54GL with tomato :-) I'm loving it mostly, and 5ghz on my laptop is amazing!

The problem is that I have a real "dead zone" for mobile devices, in the same place that it a) previously worked with the outdated WRT54GL and b) works with laptops on 2.4Ghz (not to mention 5GHz).

This is on an iphone 5 AND a newish android device, so i don't think it's the mobile hardware that's slow.

Do you have any recommendations on what I should do with the settings? I'm running pretty much vanilla asus firmware (updated to latest), but would be happy to install custom FW if you think that'd help. thanks again very much for any help and insight toby!!

James

Toby Meyer said...

Hi James! Thanks for posting. Making this sort of determination can be a bit difficult, as there are so many possible causes of interference. Here's where I'd start:

1> Adjust antennas to get the best signal in that spot using something like inSSIDer to determine signal strength. (it's kinda fun to use anyhow :) )
2> Force devices to use the 2.4 Ghz range by disabling or changing the SSID on the 5Ghz range. Since 2.4 was working for you previously perhaps there is something interfering with the 5Ghz spectrum.
3>You could try upping the transmit power (I know the Merlin FW can do it) but I doubt that will help much. For why, see this.
4>Try changing the channel bandwidth from "auto", "20/40", "20/40/80"(5Ghz) to "20". Channel bonding can exacerbate reception issues when the signal strength is low.

Hopefully one of those points helps you remediate the issue. Good luck!

Dave C said...

Hi Toby, great work, and a great read. I was wondering if there is a 'simple' (insert chuckle) way to make my rtac66u have user/ip/mac connection limits, and/or bandwidth limits over wifi? even daily/weekly/monthly data quotas being assigned per mac address would be really cool too!

Thanks in advance if you have any ideas, or can point me in the right direction.

Toby Meyer said...

Hey Dave, thanks for the kind words! You could do connection limits on a per IP (or block of IPs) basis using the connlimit module, which is installed with the IPtables build on the Asus devices. If, for example, you wanted to limit everyone on the 192.168.1 subnet to a total of 500 HTTP connections, you could use the command:

iptables -A FORWARD -s 192.168.1.0/24 -p tcp --syn --dport 80 -m connlimit --connlimit-above 500 -j REJECT


Where -A is append, FORWARD is the forwarding chain (think of it like the router chain), -s 192.168.1.0/24 is the source IP range, --dport 80 is the port, -m connlimit is the connlimit module, --connlimit-above 500 is the number of concurrent sessions, and -j REJECT is the action to be taken outside that range.

This could be targeted to an individual IP as well; if you wanted to limit to WiFi only you may be able to use -i eth1 instead of -s IPADDR to limit based on input interface rather than IP. Keep in mind that due to the way connections are maintained you'll have to play with the values to get the desired effect. You can see connections being tracked on the System Log->Active Connections page.


To add this rule to your IPTables every boot, you will need to use a shell script. You can find more information about setting up scripts here and here. In short, you'll need to format the JFFS partition, create the scripts directory, create a firewall-start script. As Eric points out in his readme, make sure you chmod a+rx /jffs/scripts/* after adding to mark it as executable, and make sure the script starts with #!/bin/sh.


On fully fledged Linux installs, you can use the quota module to create a limit on a per host/service basis but it's not installed on the Asus platform. (cat /proc/net/ip_tables_matches) Connbytes is there which may facilitate something close to what you're looking for so you may want to look into that module.
Feel free to post any other questions or findings you have.

Good luck!

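As an added example (not from the reply above or from the Merlin project), a firewall-start script that applies the connlimit idea from this reply to a list of hosts, inserting each rule only once so the script is safe to re-run. The host list, the per-host limits and the IPT dry-run variable are my assumptions; the rules are inserted with -I so they sit ahead of the firmware's own ACCEPT rules in FORWARD.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start (assumed location per the Merlin readme): per-host
# concurrent-connection limits using the connlimit match. Run as root on the
# router; set IPT=echo to dry-run on a PC that has no iptables.
IPT="${IPT:-iptables}"

# Constructed sample policy, one entry per line: "<source> <dport> <max>".
# First line is the whole-subnet example from the reply; the rest are assumed hosts.
LIMITS='
192.168.1.0/24 80 500
192.168.1.50 443 40
192.168.1.51 443 40
'

# build_rule SRC DPORT MAX: print the chain plus match/target part of the rule.
build_rule() {
    printf 'FORWARD -s %s -p tcp --syn --dport %s -m connlimit --connlimit-above %s -j REJECT' \
        "$1" "$2" "$3"
}

# add_rule_once SRC DPORT MAX: insert the rule at the top of FORWARD unless an
# identical one already exists (-C returns 0 when it does), so re-running the
# script never stacks duplicates.
add_rule_once() {
    rule=$(build_rule "$1" "$2" "$3")
    if "$IPT" -C $rule 2>/dev/null; then
        return 0
    fi
    "$IPT" -I $rule
}

# apply_limits: walk LIMITS and install every entry.
apply_limits() {
    echo "$LIMITS" | while read -r src port max; do
        [ -z "$src" ] && continue
        add_rule_once "$src" "$port" "$max"
    done
}

# Only touch the firewall when the tool is actually present (i.e. on the router).
command -v "$IPT" >/dev/null 2>&1 && apply_limits
```

Run iptables -L FORWARD -n --line-numbers afterwards to confirm the REJECT rules appear before the firmware's ACCEPT entries.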
Downward_Spiral said...

Hi

I'm a professional working in network design and came across your page when trying to find if a feature existed on the RT-AC66U.

Do you know if I can policy route or more accurately send particular IPs/hosts down a VPN tunnel and others to natively route straight out the internet connection?

I live in Singapore and want to have a VPN tunnel to the UK (Any provider like StrongVPN for example) from the RT-AC66U.

However I will only have this app on my TV and do not want ALL traffic to go down the tunnel ... hence the question.

Do you know if this is possible on the ASUS firmware?

Excellent page and content

Ryan

Dave C said...

Thanks Toby, those are some great leads :)

Looks like I will have to get my ssh on, been a while ;)

Actually I only need it against specific IPs, as I'm using DHCP by MAC address. The issue is, well.... Kids.

As good as the wireless on a rtac66u is, it is a shared resource, just like an old hub, as opposed to a switch. I'm sure I'm not telling you anything you don't already know, just explaining my reasons really. Too many wireless devices, and kids that want to stream or otherwise download flat out. I need to restrict their given ip addresses to less connections, less bandwidth, and assign quotas so they can't exceed my provider's quota.

Then everyone can access fairly well, and without ending up throttled to dial up speeds!

Thanks again, I will check out your suggestions! :)

Chris Jones said...

Hey Toby:

Fabulous blog and an awesome resource for those of us fortunate enough to be surfing on the Dark Knight with the Merlin firmware.

Yesterday, after experiencing some strange problems on my router with an older firmware (where I was not able to access the router interface from any wireless client on the LAN), I decided to reset the router and upgrade to the 3.0.0.4.372.31 FW. It runs *much* better, except I am not able to make any changes to the Administration -> System page, so I can't enable connection to the router from the WAN or any of the other functions on that page.

The System page doesn't seem to fully display (the tabbed menu at the top does not appear), and when I press the Apply button, nothing happens.

Any ideas? Thanks!

Dave C said...

Chris, I'm running that fw also with no issues. Did you reset to factory defaults and either upload your saved settings, or redo from scratch? (After flashing new firmware of course) If that doesn't work I'd reflash it perhaps, and clear NVRAM, and try again.

Toby Meyer said...

Hey @Downward_Spiral,

Great question; this one is a bit tricky. Unfortunately static routes, as I'm sure you know, route by the destination rather than the source, so they're out of the question. Here are a couple ways you could tackle the problem:

- Set static routes based on destination after OpenVPN client init. Here is a good conversation along those lines. Essentially this will route all machines on your network over the VPN for specific sites (Netflix, etc.) and route traffic not destined for those sites directly out.

- A second routing device: While there are devices made for this specific purpose it may be cheaper depending on what you have on hand to setup a VM as another router that sends all traffic through the VPN. That way, you could use that VM as the VPN client and direct all devices (your TV) that you want VPNed through that box as the default gateway. As another potential solution along the same lines, here's an amazing project that uses a Raspberry Pi as the router! (talk about cheap)

- You could get a VPN service that is DNS selective like unblock-us or overplay. These work by replacing your standard DNS servers, which you would have to insert into your router configuration. When you request the IP of a service that is generally region blocked like Netflix, the service returns an IP address of one of their servers and then creates a session on the fly to dynamically route your access to that site through their servers.

Good luck!

Toby Meyer said...

@ Dave C,

Ahhh, that makes sense. :) In addition you could try using the QoS functionality to limit bandwidth, but as I'm sure you found it doesn't really work on incoming bandwidth.

@ Chris,
Thanks for the compliment! I think @Dave C has got your answer. I've only had that happen once and Dave's instructions were exactly what cured it!

Dave C said...

Quite right, QoS on this is not very good. I did try using it, but with 20 odd devices, both wireless and wired, all it seemed to do was make everything for everyone incredibly slow, regardless of priorities given.

I have a new issue now, but I think it's a genuine bug rather than a config thing. The parental controls no longer seem to work. If enabled, and a schedule set for a given MAC address, it seems to just block that MAC address at all times, regardless of the schedule.

Everything appears fine, it just won't let it out. All reachable on the LAN side, just doesn't want to allow it to reach the net. Quite frustrating! I have mailed Merlin to see if he can shed any light as it's only been in the last couple of firmware versions that this started happening.

Anyone else use the parental controls and found this issue?

Les gites de Liaven said...

Hi Toby, very nice blog, full of useful information!
I was wondering if you could describe a little bit more the log capabilities of the merlin's firmware ?
My idea is to leave the 66U in an apartment, for free wifi to my customers, but according to the law, I have to track ip @, dates, mac @ ... So I want all the log information to be transmitted through the internet for example in order to keep them.
Is there any means to do that ?

Toby Meyer said...

Hey @Dave! I've heard of some issues with parental controls, but I'm not experiencing your issue. I did write a comment that discussed the workings of the controls on 6/22 directed to beeker... perhaps that info would assist you in your pursuit.

@Les gites de Liaven:
That sounds like an undertaking, perhaps one for its own article. I'd start here:
Set up a USB stick as outlined in the article. You should be able to see it under the /mnt (/tmp/mnt) directory. You'll probably need a big one if you plan on logging that much! Next, change your iptables rules in the forwarding chain to log; for override info see my comment to Dave from 8/15. For how to do IPTables logging, see this and this (tips section). I would take other measures though as well because there are a few issues: for starters note that by default clients won't be isolated from each other and as Dave and I discussed it will be very easy for one client to exhaust network bandwidth. Good luck!

Dave C said...

Yeah I emailed Eric and he said he has seen a few reports of the parental controls no longer working, both on his, and the stock firmware but hasn't had a chance to look into it as yet.

As for the logging, agreed, use a USB stick as described, rather than the router's RAM (default I think) and then perhaps a small script via crontab to make a copy at a given time, email forward or email it etc and then delete the original so it doesn't get overloaded, perhaps daily or weekly? I'm a bit out of the loop with *nix but should be do-able?

Toby Meyer said...

Good call Dave! Cron was added by Eric and could be used for this and many other tasks. For more info:

- Merlin Readme mentioning the Cron support
- Using the cru command which is included in the Merlin firmware
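A concrete version of the copy-and-rotate idea Dave describes, added here as an example and not code from the post or from the Merlin project. It assumes /tmp/syslog.log as the firmware's log file, /tmp/mnt/sda1/logs as the mount point of the USB stick, /jffs/scripts/archive-syslog as the script's own path, and the cru a <id> "<cron fields> <command>" syntax of the cru wrapper mentioned above; all four are assumptions, so adjust them for your router.

```shell
#!/bin/sh
# Added example (not the post's or Merlin's code): /jffs/scripts/archive-syslog.
# Copies the live log to the USB stick, truncates the live copy, keeps the
# newest N archives, and registers itself with cru for a nightly run.
# Assumed paths: /tmp/syslog.log (firmware log), /tmp/mnt/sda1/logs (USB stick).

SYSLOG="${SYSLOG:-/tmp/syslog.log}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/tmp/mnt/sda1/logs}"
KEEP=30                                 # archives to retain on the stick
SELF="/jffs/scripts/archive-syslog"     # where this script is installed (assumed)

# archive_syslog SRC DIR: copy SRC to DIR/syslog-<timestamp>.log and truncate SRC.
# Truncating instead of deleting matters: syslogd keeps the file open, so an
# unlinked file would go on collecting messages invisibly until the next reboot.
# Prints the archive path on success, returns non-zero on failure.
archive_syslog() {
    src=$1; dir=$2
    [ -r "$src" ] || return 1
    mkdir -p "$dir" || return 1
    dest="$dir/syslog-$(date +%Y%m%d-%H%M%S).log"
    cp "$src" "$dest" || return 1
    : > "$src"
    echo "$dest"
}

# keep_recent DIR N: remove all but the newest N archives so the stick never fills.
keep_recent() {
    dir=$1; n=$2
    ls -1t "$dir"/syslog-*.log 2>/dev/null | tail -n +$((n + 1)) |
        while read -r old; do rm -f "$old"; done
}

# register_cron: schedule a 03:00 daily run through Merlin's cru wrapper
# (assumed syntax: cru a <id> "<minute hour dom month dow> <command>").
# Call once after boot, for example from /jffs/scripts/services-start.
register_cron() {
    cru a archive_syslog "0 3 * * * $SELF run"
}

case "$1" in
    run)     archive_syslog "$SYSLOG" "$ARCHIVE_DIR" && keep_recent "$ARCHIVE_DIR" "$KEEP" ;;
    install) register_cron ;;
esac
```

Run it once by hand with the run argument to confirm the stick is mounted and writable before trusting the cron entry; if the archive has to leave the router (the legal retention case above), a separate step that pushes the archived files off the stick belongs after archive_syslog in the run branch.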

thepope said...

Nice write up, I just have a noob question about why I temporarily disable the DHCP server, don't I need this service to connect to the internet afterwards. If it's just a temporary procedure while I make the tweaks, can I unplug the modem or should I disable it in System Preferences > Network.

Toby Meyer said...

@thepope:
I could have worded that part better... I was referring to if you have an internal DHCP server other than the router from your service provider. You'll need to leave that one (the ISP router) on. I've updated the post with more specific instructions. Thanks for reading!

Jasper Chance said...

Hi toby,
I've been searching the net on how to optimise my gaming experience with the AC66U as lately I have been getting lag spikes with the game I'm playing, Heroes of Newerth... I know this is probably not what you were expecting but any advice would be great cheers
Jasper

Toby Meyer said...

Hi Jasper,
Tough to say but generally I would doubt that the router would be to blame. Most games use UDP, so buffer bloat wouldn't be an issue unless it was extreme circumstances. (though I haven't seen buffer bloat on this router) The only way it could be caused locally is by overall bandwidth exhaustion, and in that case there isn't much you can do about it. While some vendors tout "gaming priority"/QoS solutions, those don't really work (including on this router) because cooperation with the QoS tags needs to be honored by every router along the way. Obviously that would never happen, which is why those solutions aren't effective.

Anyhow: I'd start by making sure you're not exhausting your bandwidth in any other way. You can use the traffic manager->Traffic Monitor tool on the router to ensure nothing else is using any bandwidth and then try playing the game again.

If you've ensured that there is nothing else sapping your bandwidth inside your network and the problems persist, the issue is either with your PC or your connection. There are all sorts of routes to go from there; connection wise I'd try pingtest.net first; their test emphasizes packet loss & latency, which is what is important in your situation. (rather than bandwidth)

Hopefully this helps; good luck!

Dave C said...

Jasper, I'll just add, whilst not with this particular game, I have been through my fair share of online gaming latency issues, and it's never been really anything to do with my router, but the ISPs routers, between me and a given games server. Can even be your own street's lines (especially if overhead lines).
If you're sure that you have done everything right as far as the router is concerned, as in, either using upnp (I prefer not to for security reasons) or have forwarded the correct ports to your machine (or console for that matter) then have a look at your modem first. You should be able to gain some insight from it. If it's an ADSL connection for example you might check your sync speed, and line attenuation against your relative line distance to the exchange, and also see that your SNR (signal to noise ratio) is within acceptable limits. ISPs often 'profile' accounts as high as 12SNR but will put it to 6 which will significantly help your latency, if the lines and distance to exchange will cope with it. It is possible to tweak it down to about 4, which is better again but any lower and stability becomes an issue.
If you're sure that is all ok, then it's time to suss out what's going on between you and the game server.

Dave C said...

It's not always easy to make ISPs get off their butts to check out what's going on... so you need to arm yourself with some information to get them interested enough.

So, you at this point should already know that the router, and modem are ok, so run some tests.

Launch the game, and connect to the server, but alt tab back to the desktop once it's connected.

Run 'cmd' and in the cmd prompt type 'netstat -ano'.

This will give you a list of all connections, with the PIDs (process identifiers) so you can see what exactly is using ports or connections.

Launch task manager (Ctrl-Alt-Del) and make sure 'pid' is checked under the view menu, and 'select columns'.

Now you can match the PID of all running programs to what is listed in your command prompt, and therefore know what's using what over the net.

So, now you should have identified the IP of the server your game is connected to.

Either in the same command prompt, or a new one if you like, type:

pathping IP-address-of-game-server-goes-here >> c:\pathping.txt

It takes a while to run... about 5-6 mins, but when it's finished, the cursor will return to a normal prompt, and if you look in the root of your C: you will find a file called 'pathping.txt'.

Open it up and you'll find a traceroute from you to the game server, and then some statistics.

What it does is ping each router or server in your path to the destination 100 times each, and lets you know how many are lost for each.

More than 3% loss is fairly bad.
If you can identify consistent losses from the same servers in the path, and you give this information to your ISP they should be able to do something about it. Either themselves if they own them, or by contacting the relevant ISP that is forwarding your connection for them.

They might also get a Telstra tech out to run line tests between you and the exchange.

It's a bit of a pain in the butt, but I've found it's the only way to get through the tier 1 script reading 'techs' that don't really know what they're talking about and get an admin / tech that does ;)

Hope this helps.. good luck!

Dave C said...

Whoops! Forgot to add, if you see in your pathping stats, servers that are showing 100% loss, ignore them, they are more than likely firewalls that are deliberately not responding to the ping request. You're looking for ones that do respond, but not consistently.

Jasper Chance said...

Thanks Toby and Dave for all the input, I'll get on it and see if anything works... bear in mind that the Netcomm router that I was using before didn't have any of these problems. Thanks again guys

J said...

Is there a way to allow only certain IP addresses through the router?

Toby Meyer said...

Hi J,

I'm not sure if you mean in or out, but either way.. yes. You can use IPTables rules to block or allow nearly any connection. For the official documentation, see here. You'll need to follow the instructions (don't forget the part under "Creating Scripts") on setting up user scripts to enable custom IPTables rules. To get you started, here's a rule that would drop all outgoing packets from 192.168.1.10:

iptables -A FORWARD -s 192.168.1.10 -j DROP

Good luck!
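A complete firewall-start script that carries both rules from this thread, the connlimit rule discussed earlier and the per-host DROP rule in this reply, written out as an added example and not code from the post or from the Merlin project. It assumes Merlin's firewall-start hook and chmod convention as described earlier, a user-defined chain named FW_CUSTOM (a name chosen for this example), and the constructed sample addresses 192.168.1.0/24 and 192.168.1.10.

```shell
#!/bin/sh
# Added example (not the page's or Merlin's own code): a /jffs/scripts/firewall-start
# that installs the connlimit rule and the per-host DROP rule from the comments.
# Assumed: Merlin's firewall-start hook (run whenever the firewall is restarted),
# a user-defined chain named FW_CUSTOM, and constructed sample addresses.

LAN_NET="192.168.1.0/24"      # constructed: LAN range used in the comments
BLOCKED_HOST="192.168.1.10"   # constructed: host whose forwarded traffic is dropped
MAX_HTTP_CONNS=500            # connlimit threshold from the comment; tune it after
                              # watching System Log -> Active Connections
CHAIN="FW_CUSTOM"             # hypothetical chain name; keeps our rules separate

# Create the chain if needed and empty it, then (re)insert a single jump at the
# top of FORWARD. firewall-start can run more than once per boot, and a plain
# "-A FORWARD ..." would stack a duplicate rule on each run; delete-then-insert
# keeps exactly one jump. -I rather than -A so our rules are evaluated before
# the firmware's own ACCEPT rules in FORWARD.
reset_chain() {
    iptables -N "$CHAIN" 2>/dev/null
    iptables -F "$CHAIN"
    iptables -D FORWARD -j "$CHAIN" 2>/dev/null
    iptables -I FORWARD -j "$CHAIN"
}

# Reject new HTTP sessions once a LAN host already holds MAX_HTTP_CONNS of them.
# connlimit counts per source address by default (mask /32); add
# "--connlimit-mask 24" if the whole subnet should share one counter instead.
limit_http_sessions() {
    iptables -A "$CHAIN" -s "$LAN_NET" -p tcp --syn --dport 80 \
        -m connlimit --connlimit-above "$MAX_HTTP_CONNS" -j REJECT
}

# Drop everything forwarded from one host (the rule given in the reply to J).
drop_host() {
    iptables -A "$CHAIN" -s "$1" -j DROP
}

apply_rules() {
    reset_chain
    limit_http_sessions
    drop_host "$BLOCKED_HOST"
    logger -t firewall-start "custom rules loaded into $CHAIN"
}

# Only run when executed as the firewall-start script itself, so the functions
# can also be sourced and exercised without touching the live firewall.
case "$0" in
    */firewall-start) apply_rules ;;
esac
```

After saving it, chmod a+rx /jffs/scripts/firewall-start as the readme requires, restart the firewall (or reboot) and confirm the chain with iptables -L FW_CUSTOM -n -v; the packet counters there tell you whether the rules are actually being hit, which is the quickest way to see whether -s or -i matched what you expected.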

huzzyz said...

Hey Toby,

Was wondering if you could help me figure this out. I have done just about everything 2.5/5 Ghz both provide transmissions of only 145mbps. Nothing pushes it above. I am currently using the stock firmware.

Toby Meyer said...

Heyya huzzyz;

There are a lot of things that could cause a slow transmission rate. Have you tried different devices to see if the rate differs across them? Note that it's not just the router but the client that dictates the effective rate.

I'd start by giving this article a read; it's one of my favorites. After that, make sure interference isn't an issue and that your channel widths for either 2.4 or 5 aren't limited on the client device. Note that in most situations, you'll have a better shot at high transfer rates on the 5ghz spectrum.

Andreas Siegert said...

Nicely done!

Furthermore I'd like to know, whether there is a way to move the standard web interface port from 80 to something else, like e.g. 808?

Thanks for a hint :-)

rcxyz said...

Hi Toby -- I just purchased an RT-N66U to replace a Linksys wireless router that I'm running in bridge mode. The Linksys has a wired connection to a TP-Link TR-860 router. Do you know if the RT-N66U can operate in this fashion, and, if so, do you know how I can set it up? I've tried logging into the device using the IP address assigned by the router, but that doesn't work.

Thanks!

Toby Meyer said...

Hi @Andreas Siegert,

Thanks! I think the easiest way may be to add a NAT rule rather than change the port on the daemon. (That would require using the services-start module with some other mods) To add a NAT rule, you'll need to set up a nat-start script. To do so, follow the instructions to set up scripts. (Make sure you pay attention to the "creating scripts" section) Before doing that, you'll need to make sure the JFFS partition is enabled as well, which is under the Administration->System heading. Try the following rule:

iptables -t nat -A PREROUTING -d 192.168.1.1 -p tcp -m tcp --dport 808 -j DNAT --to-destination 192.168.1.1:80

That is assuming your router is at 192.168.1.1. Change those values accordingly if not. You could also make a reference if you wanted to have multiple internal NAT rules like this:

iptables -t nat -N ISERVER
iptables -t nat -A PREROUTING -d 192.168.1.1 -j ISERVER

Then reference the "ISERVER" in other rules. After making that script, ensure it's in the right place and reboot. I haven't tried this approach, so if you do please let us know back here if it works!

Thanks!
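The nat-start script that would carry those rules, written out as an added example (not Toby's or Merlin's code). It assumes Merlin's nat-start hook, br0 as the name of the LAN bridge interface (the usual Asus name, assumed here), the router at 192.168.1.1 and the alternative port 808 from the question, and the ISERVER chain name from the reply.

```shell
#!/bin/sh
# Added example: /jffs/scripts/nat-start that exposes the admin UI on a second
# port via DNAT, using a user chain so more internal NAT rules can hang off it.
# Assumed: Merlin's nat-start hook, br0 as the LAN bridge interface, and the
# values from the comment above (router 192.168.1.1, alternative port 808).

ROUTER_IP="${ROUTER_IP:-192.168.1.1}"   # change if your LAN uses another range
ALT_PORT="${ALT_PORT:-808}"
LAN_IF="br0"                            # assumed LAN bridge name on Asus firmware
CHAIN="ISERVER"                         # chain name suggested in the reply above

# Build the chain in the nat table and hook it into PREROUTING exactly once
# (delete any old jump first, so re-running nat-start never stacks duplicates).
# Only packets arriving on the LAN bridge and addressed to the router itself are
# sent through it, so the redirect is not reachable from the WAN side.
reset_nat_chain() {
    iptables -t nat -N "$CHAIN" 2>/dev/null
    iptables -t nat -F "$CHAIN"
    iptables -t nat -D PREROUTING -i "$LAN_IF" -d "$ROUTER_IP" -j "$CHAIN" 2>/dev/null
    iptables -t nat -I PREROUTING -i "$LAN_IF" -d "$ROUTER_IP" -j "$CHAIN"
}

# Rewrite TCP connections to ALT_PORT so they land on the web UI's port 80.
# The UI keeps listening on 80 as well: this adds a port, it does not move it.
redirect_admin_port() {
    iptables -t nat -A "$CHAIN" -p tcp --dport "$ALT_PORT" \
        -j DNAT --to-destination "$ROUTER_IP:80"
}

apply_nat_rules() {
    reset_nat_chain
    redirect_admin_port
}

# Only run when executed as the nat-start script itself.
case "$0" in
    */nat-start) apply_nat_rules ;;
esac
```

Check the result with iptables -t nat -L ISERVER -n -v after the script has run; since port 80 still answers, anyone relying on the new port as a way to hide the UI should also keep the Administration page's access restrictions in place.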

Toby Meyer said...

Hi @rcxyz,
I'm not exactly sure what you're trying to do so forgive me if my advice is not applicable. If I understand correctly, your R860 provides access to the internet and you would like to hook your clients through the N66U and then out through the R860. If that is correct, it should be relatively easy to accomplish; the only issue with your approach is that you need to login to what the N66U considers to be the "internal" interface. Logging into the interface that is pulling a DHCP address from the R860 will not work because the router (N66U) considers that to be external and the web portal is not exposed on that interface. When you first set up the N66U you'll need to manage it using 192.168.1.1. If this conflicts with your current IP schema you'll need to isolate it with a workstation, do initial setup, change its (N66U) IP, then hook it back up to your R860. You would then set your clients to route through whichever device you want by setting their default gateway to the IP of the appropriate device. Make sure you only have one active DHCP server; i.e. if your R860 is handing out addresses turn it off on the N66U. That said, if you want all the firewall features, etc of the N66U then you'll want to turn off the R860 DHCP and make sure all the clients are behind the N66U.

Hopefully that helps, feel free to post up if you would like more help!

Dave C said...

I might add, that I run a bridged setup with a rtac66u, and a netgear cable modem/router/wifi. If your R860 supports bridge mode, put it into that, then connect your n66u and reset it so it goes through the initial setup. It should pickup and control the other router pretty much purely as a modem from there.
If it doesn't support this, you'll have to try it as Toby suggests.
If it does, but you run into issues, you'll just have to reset the primary router to get it back. Take note of default addresses for both etc, and if your machine has two LAN ports make use of them and run 1 to each until you get it right ;)

Toby Meyer said...

Thanks Dave!

stonetownmike said...

"Note 3: I'm investigating an issue that results in WiFi being unable to communicate with the LAN ports. It manifests itself in the log as: Jan 11 17:05:23 kernel: eth1: received packet with own address as source address . I'll post updates on this later."
I get this message every day. Any clues?

Toby Meyer said...

Hi @StoneTownMike:

I haven't fully yet, but I know that the occurrences of it went down dramatically once I did point #18. (naming radios differently) If you're not having any routing problems I wouldn't worry about it. Thanks for reading!

SeGA - the Movie said...

Thanks Toby.

I have replaced a Linksys with this Asus and suddenly I am no longer visible to the p2p peers.
The port forwarding setting is pretty straight forward and still no luck.
Even with DMZ setting, I'm still not visible (I'm using PFPortChecker to test this)

Any advice?

Toby Meyer said...

Hey @Sega! I can't think of any reason it wouldn't work on the new router; you may want to double check which ports your program is expecting to be forwarded and try re-implementing forwarding with the steps outlined in step #16. Good luck!

Ruby said...

I'm having a recurring issue as of late with the router that causes all devices connected via wireless to lose connectivity. It's as if the WAP reboots itself or turns off its radio signal. This happened tonight specifically where my Lenovo laptop, Macbook Pro, and iPad all dropped wireless connectivity. The modem was fine and live. All lights on the router were also active (as far as I could tell). This also happened before I updated to the most recent firmware (3.0.0.4.374_726). I've done most of your instructions other than the dual SSIDs for 2.4 vs 5ghz which seems obnoxious to have to do (no offense to you at all). Any ideas?

Toby Meyer said...

Hi @Ruby!

Thanks for reading; I was having the same problem with this router and I tracked the problem to the iPad hopping back and forth between the channels. While I don't like changing the SSID names between 2.4Ghz and 5Ghz, I haven't had the issue since I changed them. I'd recommend giving that a shot and seeing if the problem goes away. Good luck!

Suncoast Equine said...

I have an RT-N66R on a shelf in the closet. To extend range (particularly to the north and south) I replaced the 3 smaller antennas with 3 much longer 15 dB gain antennas. They came with a short coaxial cord which allowed me to place them 4 feet higher. My questions are, 1) What does the distance need to be between each antenna; 2) Do they need to be angled 45, 90 and 135 degrees to horizontal; and 3) If I need my best range to be to the north and south of my router's location, should the 3 antennas be positioned in a straight line north/south or east west?

Toby Meyer said...

Hi @Suncoast Equine!

That's a great question, and not an easy one to answer. RF coverage can be nearly a career in and of itself. The direction, angle, and placement of your antennas will depend entirely on the specifics of the antennas selected. I like to approach the problem by studying the transmission pattern of the antenna in question (which should be available in the manufacturer docs) and then visualize the pattern when I set up. After that, I confirm coverage with a tool like inSSIDer or similar.

There are also some great articles out there to help with the process. One of my favorite sites out there, SmallNetBuilder, has a few good articles: Choosing an Antenna, Fixing your Wireless Network, and this article that directly addresses many of your concerns.

I'm sure with a bit of tweaking you'll have the coverage handled in no time. Have fun!

Kevin Liu said...

Hi Toby
I really like your articles and upgraded to the latest firmware 374.35_4. I have an internet speed problem and wonder if you can give me some pointers. I noticed my internet speed dropped a day ago and did a speed test using www.speedtest.net with and without RT-AC66U (hard wired to desktop). The ping and download speed without the router are 23ms and >10 Mbps. With the router, the ping and download are 1500ms and 2Mbps. I have reset the router back to factory settings a couple times. The strange thing is that the first speed test was on par right after I reset or reboot the router and the speed tests were bad after. I wonder if you have seen that happen to Asus router before? Thanks.
Kevin.

Toby Meyer said...

Hi @Kevin

Thanks for the compliment! Re: Your issue, that's a tough one. I have not seen that issue myself so without the ability to reproduce it is very difficult to say what could be wrong. You've already taken the prudent steps of taking it out of the loop and resetting to factory defaults; I'd add the following to try:
-Revert to older firmware; (x.x.x.x.x.2x series, reset factory again)
-Make sure Jumbo frames are disabled (Advanced->LAN->Switch Control->Enable Jumbo Frame->No)
-Toggle HW Accel (Advanced->LAN->Switch Control->Enable HW Accelerator->Change)
-Ensure you don't have some odd speed/duplex negotiation issues either to or from your Asus router. Hard-set link speeds and duplex where available.

Hopefully one of those helps you out; problems like that one can be tricky. Good luck!

Carl said...

Hi Toby - just found your post. Great reading. My problem is this. I purchased a slightly used RT N66R from a friend in New York. I live in Wisconsin. After also just purchasing a new 16GB Apple iPad Air, I found Apps I installed on the iPad, like "Find My iPad" and a Download Speed Test app all think I am located in New York. I took the iPad to our local library and found using their wi-fi, it correctly located it near the library. The speed test app also selected a location to ping in Wisconsin.

I suspect the router is the cause. Any ideas? What can I do to resolve this issue. I have tried resetting the router by holding in the button for at least 20 seconds, but this does not change anything after reentering the setup data. Hope you can help.
Carl

Toby Meyer said...

Hey @Carl,

Thanks for the kind words! I'm wondering if the incorrect NY info is a result of how the iPad pulls location data; assuming you have the wi-fi version of the iPad Air, it's not actually capable of pulling real geo location. Using solely wifi the iPad is only capable of determining your location via crowd-sourced data from devices with a GPS. For example, if you had an iPhone that hooked to your wi-fi, that would send the geo-data to Apple, which Apple would then use to determine your location on your iPad. That would explain why it works at the library but not at your house. More info on this can be found here and here.

That said, I'm not sure if the crowd sourcing stores MAC address of the AP or what; if so it is possible that the person you bought it from had connected to the wifi with an Apple device that reported that information, and that would explain why Apple is telling you that your iPad is located where you bought it from.

If that's the case, invite a bunch of friends with iPhones over, have them connect to your wi-fi, then open their maps app and determine their location. (this discussed @ Apple here.) After I had a few folks over at my place I'm now identified correctly; previously according to Apple I was located in Siberia. :)

Good luck!

Carl said...

Thanks for your explanation Toby. Yes you are correct my iPad Air is Wi-Fi only. Over the Christmas holidays I hope to have a few visitors that may have an iPhone and have an opportunity to try your suggestion.

I will check back after trying the iPhone theory and report my success or failure. I sure thought the used ASUS router was causing the problem because it was retaining location info in some memory chip. I see it is possible to change the IP address. Is this a possible solution? Carl

Keng said...

Hi, nice write up. I have a question about the router. I have the ac66 version. On my speedtest.net my download speed is about 33mbps on all device. But on my phone which is a galaxy s4 which supports the 5ghz ac the speed would be 33mbps for a day then drops to 14mbps after that then I would have to reboot the router to get it back to where it was. Any help would be greatly appreciated

Toby Meyer said...

@Carl:

I doubt it; internal IP addresses won't matter as I'm sure Apple wouldn't use that as the key for the geo-data since it wouldn't be unique. I'm guessing your external IP is assigned via DHCP from your ISP so there is no controlling that. If I were a betting man though(good thing I'm not), I would put my piles and piles of gold doubloons on the MAC address of the wi-fi access point being the index.

@Keng,
Thanks! That is odd. If you reboot your phone (not just standby but a full reboot) does the problem go away?

Dave C said...

Keng, I'll take a stab and say I think it has something to do with the logging options, being that they get put in ram by default. File gets larger, and less ram available, its ability to network suffers. I had some similar issues at one stage. Disable Per IP logging if you don't need it. Make sure hardware acceleration is enabled. You can also stick a cheap thumbstick in, enable your jffs partition, and have it store logs there instead. Alternatively, you could just schedule a reboot of your router in the middle of the night, every night via cron.

Anonymous said...

I like the Merlin or Stock interface of the RT-AC66U much better than the dated dd-wrt.

Is there any way to limit or stop P2P downloading on this firmware better than dd-wrt?

Toby Meyer said...

Hey @Anonymous,

That can be difficult, but made much easier if you know the machine you are targeting. If you know the MAC or (preferably) IP of the machine you could create custom firewall and/or QOS rules.

Generally speaking though, distinguishing P2P traffic from other type of traffic for all your machines can be very difficult. If it is bittorrent you can try the solution outlined here. For more information on custom firewall rules look through the comments in this thread.

Good luck!

Unknown said...

Whenever I try to access admin interface over HTTPS it gets veeeeeery slow. Anyone else? I'm on latest .39 release.

Dave C said...

Hi Toby,
I have an odd one for you. So, I bought an Asus EA-N66 adapter to get 5G to any ethernet enabled device around the house, works brilliantly with my ps3. But the issue is, if I use FTP to download from my ps3 to my pc, over 5g, I can get about 10mb/s, but upload to it, and it's about 3mb/s. Any ideas for why it's so slow the other way? I can't seem to find the cause..

Dave C said...

That is of course through my RT-AC66U ;)

Anton said...

I tried to upgrade to the latest firmware and had to rollback to the 276 version for the N66U. Experienced 75% reduction in wireless speeds for both 2.4 and 5 frequencies with the newer firmware. Did a complete reset before upgrading, still no luck. The only thing that restored my wireless speeds was reinstalling the 276 firmware. This issue needs to be addressed by ASUS. I have seen some people report the same issue with the newer AC66U router also.

Jarda Zborovsky said...

Can I, on the RT-N66U, restrict some online games, Facebook and other web apps to a specific computer on the LAN and at a specific time? Wired and wireless? If so, is there a "How to" anywhere? Thnx

Toby Meyer said...

Hey @Jarda!

That may be possible (see the firewall rule discussions in the comments here) but I think it would be less work to put a parental restriction product (i.e. NetNanny) directly on the PC you're trying to control provided you have access to it and can prevent the user from using an administrative account.

If you're looking for an exercise in learning IPTables, however, it may be worth the effort. :)

Toby Meyer said...

Hey @Dave! Hope you're doing well...

I'm thinking that might have to do with your signal strength/connection methodology of your PC vs. PS3. Perhaps in this case your PS3 has a better connection; when it is the sender it is responsible for much more data than the other end, but when you switch roles the weakness of the PC connection could be causing the issue.

If you look @ your System Log->Wireless log you should be able to get connection type and strength stats; hopefully that will help you get to the bottom of it...

Dave C said...

Hi Toby,

Good idea.
Actually my PC is connected to the rtac66u via ethernet, so it's just the router to the ean66.
I had a look, on first connection it showed 405rx/450tx (that's not a typo), on 5ghz band. After a little bit, it dropped to 6/6.
So I FTP'd into it, and it picked up to 6rx/450tx.
Download from it, back to my pc and it holds 450tx, but when sending the other way, if i keep refreshing the wireless log, it shows its rx rate switching between 450 and 6 every few seconds... Maybe it is an RMA of the ean66.

Toby Meyer said...

Hey @Dave! Interesting... one last thing to check: if you set the "Channel Bandwidth" (Advanced->Wireless->General->Channel bandwidth) setting to a specific value rather than auto (20/40/80) is it more consistent?

Dave C said...

Hi Toby,

Nope, did try that. Made no real difference, except making it a bit slower, for obvious reasons, on the low end of the scale.

All good, have been advised by Asus to RMA it after some discussion. It shouldn't be switching like that.

Thanks for your help though :)

Unknown said...

Hey Toby!

I have a Lacie d2 NAS connected via ethernet to the AC66U. It seems to work fine for a while but then loses connection to the router. Is this the router or the NAS?

I don't do any port forwarding. I keep it rather simple otherwise.

The NAS serves as my time machine backup and some torrent use. But I also turn off the 'torrent machine' when not in use to avoid unwanted traffic.

The router was originally rebooting on its own every 12 hours or so. Then I cloned the MAC address and it appears (at the moment) to be stable. But the NAS issue still persists during its uptime.

Toby Meyer said...

Hi @Unknown!

Sounds like you're following good best practices though I'm a bit confused about the 12 hour reboot/MAC address clone need; that may indicate that you had a low level firmware misconfiguration or even a hardware problem. If you have the time, it may be worthwhile to try a full settings reset as Eric outlines here. Beyond that, I'd point at the LaCie device, but that's only a hunch based on having seen other connectivity issues running similar devices connected to Linux.

As a last resort, it may be worth a try to see if scheduling a daily reboot when it won't bother you to see if it helps the situation. You can find instructions on doing that here.

Good luck!

Dao Savat said...

one question, how do i disable the option where i can only get to setup page by wired and not wireless?

thanks!

Toby Meyer said...

Hey @Dao,

By default on the Merlin (and I believe the Asus standard) you should be able to access the management page from WiFi as well as wired. There is, however, a way to limit access to specific IPs under the administration->system page. Perhaps you have some IPs listed there?

Dao Savat said...

I'll take a look, I've been hacked by a 14 yr old from an ipod/playbook/laptop

Brandon Ozard said...

Hi Toby,

I just recently updated the firmware to 3.0.0.4.374_5517.
I attached a 2GB USB Stick to the router in hopes to log anything such as firewall traffic.
I can't seem to find the options you mentioned. Could you please let me know how to save this info to it please?
Thank you very much in advance!
Brandon

Saturated said...

Hello Brandon,

I think your issue may be that you are using the stock ASUS firmware, rather than the "merlin" version, which has extra goodies, such as (maybe) the choice of logging destination. The stock firmware zip from ASUS is called FW_RT_N66U_30043745517.zip. The latest Merlin version (as of this comment) is called RT-N66U_3.0.0.4_374.42_0.zip.

BTW, the memory stick I stuck in (FAT formatted) doesn't automount. I had to ssh in and do it by hand.

Hank

Toby Meyer said...

Thanks @Hank (Saturated), excellent observation! Hopefully that will get you going @Brandon.

While the stock Asus firmware has come a long way, it is still missing some of the functionality that the Merlin build has. I recently switched back and forth and I still recommend the Merlin build. Note that since Eric has based it off of Asus' released source, generally speaking it differs only in the added functionality and bug fixes.

Thanks!

tallncool said...

Not sure what seems to be the problem but I can't get the merlin parental control to work with dns filtering. Only global filter works for me. I enabled the dns filter, set the global filtering mode to none and added all the clients to filter with Norton Family; it does not work. If I change global filter mode to Norton Family all the clients are filtered, but if I set to none then individual clients are not being filtered. Any ideas what I am doing wrong? Searched around on https://github.com/RMerl/asuswrt-merlin/wiki and smallnetbuilder but couldn't find a basic tutorial to point out if anything is wrong. I am using the latest Merlin firmware.

This is what I have:
Enable DNS-based Filtering ON
Global Filter Mode None
Custom (user-defined) DNS 1 Default
Custom (user-defined) DNS 2 Default
Custom (user-defined) DNS 3 Default
Client List (Max Limit : 64)

Client Name | Client MAC Address | Filter Mode
Client ABC | (not shown) | Norton Family

Tobbe Wilson said...

Hi,
I bought this new RT-AC66U router today and found that it was fairly easy to setup... yawn.

Until my wife got home and started her iPad....

Everything wired works fine both internal and external but all wireless is completely dead, no connection whatsoever to the internet, and this led me to your site and the Merlin builds, which I now have installed the latest version of.
Lots of new good functions but still no wireless connection outside the house and I cannot find out why????

Toby Meyer said...

Hi @tallncool!

Unfortunately I don't have much experience with the new DNS filtering; I recently had to roll back to an older build to avoid an issue specific to my setup. If you exhaust all options in setting up the new firmware and DNS filtering is one of your primary goals, you could consider rolling back to a build pre-.39; I have tested the old Yandex service and that works fine. That said, I know folks using the new one successfully, so perhaps try switching from Norton to Yandex or OpenDNS to see if the behavior changes?

@Tobbe (nice name :)) Try making sure your 5 GHz radio and your 2.4 GHz radio have a different SSID name. I had this same issue with Apple devices and found it was because they were bouncing between the two different spectrums, causing issues with DHCP. By naming them differently (SSID, SSID-5Ghz) it ensured that the devices stuck to one or the other and my problems went away. Hopefully that fixes the problem for you. Good luck!

jonathan maas said...

Hello, I just recently picked up the RT-N66R, and I have been having issues getting two Xbox Ones to be able to join the same game. I've narrowed it down to it being an issue with the NAT type. Before this router I never had any issues being able to join the other Xbox's games. I tried turning the UPnP off and just porting but no luck there. Any ideas to why I would be running into this issue with the new router?

Toby Meyer said...

Hi Jonathan!

Have you had luck using multiple XBoxes before with the same game? This problem is common because some Xbox Live services may want to use a specific port; since you only have one IP address there is only one of that specific port to attach to. When two boxes attempt to play through the same public IP they often have problems since only one can be forwarded at a time. (generally the UPnP or NAT rules have a 1->1 relationship) There are some routers out there that use some tricks with UPnP to attempt to solve this problem (to varying degrees of success) but unfortunately this may not be one of them.

A lot of games don't need a specific port and work fine, but it looks like you have run into a case where one does.

The XBox Live site has a bit of guidance on this here. Either way, in your case the only hope to have it work at all would be UPnP due to the dynamic nature of the need. You could play around with one Xbox in the DMZ to see if the rules handle the UPnP requests differently, but that's a long-shot.
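To make the "only one of that specific port" point concrete, here is an added example that is not code from the original post, from Asus or from the Merlin project. It models a single-public-IP forwarding table the way the comment above describes it: mappings are 1->1, so a second console asking for the same fixed external port is refused; a router that "remaps" to a free external port only helps when the service tolerates a non-standard port; and a DMZ host receives every unsolicited inbound packet that has no explicit mapping, which is why it is a diagnostic step rather than a place to leave a device. The hosts and the use of port 3074 (the well-known Xbox Live port) are constructed for illustration.

```python
class NatTable:
    """Minimal model of a consumer router's port-forwarding table.

    This is an illustration of the 1->1 mapping rule, not an implementation
    of UPnP or of any Asus/Merlin code path.
    """

    def __init__(self, allow_remap=False):
        # external_port -> (internal_ip, internal_port)
        self.mappings = {}
        self.allow_remap = allow_remap
        self.dmz_host = None

    def add_mapping(self, internal_ip, internal_port, external_port):
        """Mimic a UPnP AddPortMapping request or a manual forward.

        Returns the external port actually granted, or None if refused.
        """
        if external_port not in self.mappings:
            self.mappings[external_port] = (internal_ip, internal_port)
            return external_port
        if self.mappings[external_port] == (internal_ip, internal_port):
            return external_port  # same host refreshing its own lease
        if not self.allow_remap:
            return None  # the 1->1 collision the comment describes
        # Some routers hand out the next free external port instead. The
        # game only benefits if it accepts a non-standard external port.
        candidate = external_port + 1
        while candidate in self.mappings:
            candidate += 1
        self.mappings[candidate] = (internal_ip, internal_port)
        return candidate

    def set_dmz(self, internal_ip):
        """Nominate a DMZ host: it gets all unsolicited inbound traffic."""
        self.dmz_host = internal_ip

    def route_inbound(self, external_port):
        """Where an unsolicited inbound packet to external_port lands."""
        if external_port in self.mappings:
            return self.mappings[external_port]
        if self.dmz_host is not None:
            return (self.dmz_host, external_port)  # DMZ catches the rest
        return None  # no mapping, no DMZ: dropped by the firewall


def two_consoles_fixed_port(allow_remap=False):
    """Two consoles (constructed addresses) both ask for external 3074."""
    nat = NatTable(allow_remap=allow_remap)
    first = nat.add_mapping("192.168.1.20", 3074, 3074)
    second = nat.add_mapping("192.168.1.21", 3074, 3074)
    return first, second


def dmz_exposure(ports):
    """Count how many of `ports` reach the DMZ host without any mapping."""
    nat = NatTable()
    nat.add_mapping("192.168.1.20", 3074, 3074)  # explicit forward wins
    nat.set_dmz("192.168.1.21")
    landing = {p: nat.route_inbound(p) for p in ports}
    return sum(1 for target in landing.values()
               if target is not None and target[0] == "192.168.1.21")


if __name__ == "__main__":
    print("strict 1->1:", two_consoles_fixed_port())
    print("with remap:", two_consoles_fixed_port(allow_remap=True))
    print("ports reaching DMZ host:", dmz_exposure([3074, 22, 80, 443]))
```

The `dmz_exposure` function is the caveat for the DMZ experiment: everything not explicitly forwarded lands on the DMZ host, so if you try it, take the console back out of the DMZ once you have your answer.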

redfox said...

Hi Toby, I have been trying to find a solution for my odd problem - would appreciate any ideas. I have the Asus rt-n66u and it was functioning well for over 6 months, but now 2.4 Ghz is a joke (5Ghz perfect). I have updated to the latest asus firmware (3.0.0.4.376_1071). The internet provider gives me 20Mbps - always perfect and good on 5Ghz. 2.4 GHz- constant fluctuation, slow, ranging from 1Mbps to 3Mbps, occasionally achieving 20. Sometimes it just completely drops, no internet. Pinging the router gives me spikes of 1 to 150 ms. Going crazy, searched the net, checked different channels etc, no success. Any ideas, recommendations? Would truly appreciate :-).

Toby Meyer said...

Hi @redfox,

It sounds like that may be spectrum interference, and not necessarily from a competing WiFi AP. The 2.4ghz range is popular for all sorts of devices, and perhaps someone set up camp with a cheap cordless phone or something similar. The best way to detect this is by using a site survey tool... unfortunately the best aren't cheap (see this link). You could give cheaper/free apps such as Wifi Analyzer for Android a shot, but most of those apps only look for WiFi based interference rather than anything on the spectrum.

Short of the more expensive solutions you could move your equipment around to assess which direction the interference may be coming from.

Hopefully that gets you started... good luck!

redfox said...

Thank you, I will keep trying (somehow site survey tools seem a bit out of pocket range :-)) - I did try Android wifi analyzer, but nothing new shows up - no other local wifi networks. What really drives me crazy is that it's so intermittent - sometimes the 2.4ghz is ok for hours, and then it just loses connection totally - while 5ghz just works. No cordless phone, etc. Will try to test a different router at least to make sure that it's not the asus. Thanks anyway.

Hung Huynh said...

My microwave interferes with the 2.4 Ghz spectrum. Streaming always buffers when the MW is on. Switched to 5 Ghz, prob. solved.

Unknown said...

Question: What settings within my Asus 68U router are needed for optimizing a wired Xbox One? NAT Acceleration? UPnP on or off? I already port forward but want to make sure everything is optimized for best low latency gaming.

Toby Meyer said...

Hi @Unnamed! If you're comfortable forwarding ports then there is no need for UPnP; as for NAT-Acceleration go ahead and turn it on, including "Level 2" if your firmware revision supports it.