"The primary goals of this project are to fix bugs, add a few basic features and tweaks to the original firmware. This firmware will try to remain as close as possible to the original firmware."
Sounds good to me. I've spent alot of time with Tomato and DD-WRT on my home network, and a change of pace might be nice. Also, you get the piece of mind that you're using mainly the manufacturers' code on this newer hardware.
Note: Some ideas covered in this article may apply to other consumer or enterprise level hardware.
- You have purchased either a RT-AC66U or RT-N66U (Update 7/6/13: RT-AC56U now supported asw well)
- You have backed up, memorized, or otherwise, your old router settings
- You're comfortable with the basics; I'm not going to re-cover the manual
- You have power and an internet connection. Setup will be easier and more reliable if you also have a house or apartment, which you should be inside of during this tutorial.
- Connect the router as described in the manual. If you have a DHCP server (other than the one on the router from your ISP) you'll either need to temporarily disable it or ensure it's assigning the 192.168.1.x range excluding .1.
- Perform the initial "Quick Internet Setup" wizard
- After/if it prompts you to update firmware, go ahead and do so.
- If desired, (and some of my steps will assume this is done) download the "Merlin" firmware from here. In the interface click "Administration->Firmware Upgrade" and specify the path to the trx file.
- Now that we've upgraded, let's highlight important setup steps. I'm not going to cover the specifics of your environment, just things I recommend you pay attention to. First, navigate to "Wireless->WPS" and set it to "OFF". Most implementations of WPS are NOT secure at all. For more information, see: This episode of the wonderful Security Now! podcast or this lifehacker article. There are many ways to get a complex WiFi key to nearly any device securely.
- Navigate to "Wireless->Professional" and check the "Tx Power adjustment" and reduce it if possible. (Some experimentation required) Make sure you use the dropdown and do both 2.4ghz and 5ghz. Lowering your broadcast power will slightly shorten the range so you aren't broadcasting to your neighbors (polite) and may lengthen your hardware life. (See effect @ "Tools->Radios Temperature")
- If you disabled the DHCP server, make sure you go to "LAN->DHCP Server->Log DHCP Queries" and hit "Disable".
- To log stats, insert a USB thumb drive. It can be tiny and slow if you want. Navigate to "System Log->General Log" hit "Refresh". Copy the contents down and search them for the mount messages. In my case, the only message was "Jan 3 18:47:16 hotplug: USB vfat fs at /dev/sda mounted on /tmp/mnt/1GB", and that corresponds to @ /mnt/1GB for short since /mnt is a symlink to /tmp/mnt. Write this down.
- Navigate to "Tools->Other Settings" and set "Traffic history location" to "Custom location".
- Set "Save history location" to the value you wrote down in step 8, select "Create or reset data files" (if this is the first time you have done this on this disk) and hit "Apply".
- (Added 1/12/13) Unless you're using STP with your other switches, etc. navigate to "Lan->Switch Control" and set "Spanning-Tree Protocol" to "Off". Cool that it supports STP though! (Update 10/11/2013: There has been some confusion on this, so to simplify: If you have more than one switch not including this Asus router, leave STP enabled. Otherwise, disable it. If you would like to better understand see this.)
- (Added 1/20/13) If you aren't using IPv6 (yet), navigate to "IPv6"->"Auto Configuration Setting"->"Enable Router Advertisement" and set it to "Disable".
- (Added 1/20/13) Let's disable some other services that most people won't need. Unless you're using this router as a filesharing and/or DLNA device, do the following: Navigate to "USB Application"->"Media Server"->"Enable DLNA Media Server" and set it to "Off".
- (Continued from #13) Navigate to "USB Application"->"Network Place/Samba Share"->"Disable Share" and click "OK" to confirm disabling the service.
- (Continued from #13) Navigate to "USB Application"->"Miscellaneous Setting" and turn off "Force as Master Browser" and "Set as WINS Server" and click "Apply".
- (Added 2/4/2013) Recommended: Though I
haven't tested(update 6/7, it's fine as of now, so if you need UPnP go ahead) to see if this firmware is impacted by the recent discovery that a substantial number of firmwares expose UPnP to the external interface of the router(!!) I still recommend turning it of if it's feasible. This means you'll have to forward ports manually, but if you're reading this I suspect you know how to do so anyhow. (If not, comment as such and perhaps I'll write an article about it) To disable the UPnP service navigate to "Advanced Settings->WAN->Internet Connection->Basic Config->Enable UPnP" and set it to "No" Update 5/27/2013: How to forward ports:
- To forward ports, first determine what ports your service/application uses. While a search for "(Service) forward ports" generally returns the ports needed for that service, you can also use something like portforward.com to look it up. Note that the port spaces of TCP and UDP protocols are separate, so make sure you get the protocol right and know that the port numbers can overlap. There are some pre-baked shortcuts in the Merlin/Asus firmware on the port forwarding page (listed in the next step) that will populate the ports for you; it may be worth checking those out to save some time.
- After you determine your ports, open the manage interface of your Asus router and navigate to "Wan->Virtual Server/Port Forwarding"
- Ensure "Enable Port Forwarding" is set to "Yes".
- Under "Port forwarding List" type the name of your application under "Service Name". This entry is cosmetic only and serves to identify this forward.
- Under "Port Range" enter the port(s) needed for this application. To open a range, separate the lowest port and the top port with a ":". For example, to open up ports 80 through 90 you would put "80:90". You can also put non-joining port ranges on the same rule by adding more ports after a comma. For example, to open ports 80 and 90, you would put "80,90".
- On "Local IP" put the IP address of the machine hosting the service you would like to expose to the internet. If you don't know this address and you're (as default) using the DHCP server on the router you can find the address by going to the DHCP management on your router.
- On "Local Port" you generally want to put exactly what you put under "Port Range". The exception to this rule would be if you want to expose an internal port as a different port externally.
- Under "Protocol" select the proper protocol; TCP, UDP, or Both. Again, note that selecting "Both" would result in both sets of ports being opened.
- Click the plus icon "Add/Delete" and then click "Apply" at the bottom. Note that if your IP address changes then you'll need to update the rule.
- (Added 7/20/2013,Critical) A vulnerability has been discovered with the AICloud software. There is an official firmware that has been released that is reported but not confirmed to fix the problem, but that includes a very poor wifi driver so I would not recommend its use unless you have no 5ghz WiFi clients. The Merlin 372_30_2 build does not address this problem because Eric based it on a pre-release 372 version that didn't yet include the fix. (Confusing versioning by Asus..) If you don't run that new stock FW make sure you disable the AICloud! (AICloud->Smart Disk/Cloud Access) Update 7/24/13: There is a Merlin build that addresses this issue now available. See below for links. Update 2/18/14: There have been stories about either this exploit and/or a potentially newly found exploit involving FTP and the AI cloud feature. I think the best advice at this time is from Eric (the author of the firmware). The point: Because it is uncertain if this is entirely based on the old vulnerability, disable these features until the full nature of the exploit is disclosed and confirmed fixed. Update 3/16/14: This should be fixed with the newest build (374.40) but frankly I would still leave them off.
- (Added 11/3/2013) If you notice that your WiFi continues to loose connectivity and you need to reboot the router to fix it, try naming your 2.4Ghz and 5Ghz radios differently. I've noticed that some dual band devices (the iPad specifically) will bounce between frequency spectra and this will cause the Asus to become confused and stop relaying requests to the DHCP server correctly. To do so go to Wireless->General and dropdown between "2.4Ghz" and "5Ghz", ensuring they have different SSIDs so that your devices will target one of the two explicitly.
Note 1: If you enable "Tools->Other Settings->Enable advanced (per IP) monitoring" it will disable hardware acceleration. While you most likely won't notice this unless you've got an internet connection approaching 100Mbit, be aware that you may loose some performance for that functionality.
Note 2: Check out "USB Application-> 3G/4G"... very interesting stuff.
Note 3: I'm investigating an issue that results in WiFi being unable to communicate with the LAN ports. It manifests itself in the log as: Jan 11 17:05:23 kernel: eth1: received packet with own address as source address . I'll post updates on this later.
Update 2/2/2013: Merlin posted a new beta build. Discussion, Changelog .
Update 2/23/2013: More new builds & bugs fixed! Release Thread and changelog.
Update 3/16/2013: Another new build! Release Thread, Changelog
Update 3/29/2013: Eric just uploaded a new beta build based on a beta release from Asus. A couple exciting changes here including new wireless driver and tools. Note that you'll need to re-add you WoL clients (if you had any) because Asus added a new WoL tool. Also, note this warning from Eric:
"New wireless driver. This new driver brings quite a few improvements over the older one. Note that if you experience any issue with this new driver, it is strongly recommended to revert back to factory defaults, and re-configuring your router. There are a few low-level changes, and some new default values that you won't pick up until you revert back to factory defaults." Release Thread, Changelog, Download
Update 4/4/2013: It looks like some folks are having issues on the new build with the 5Ghz radio. There is quite a lively discussion going on and Eric has answered quite a few questions.
Update 7/6/2013: A new build has been released that introduces support for the RT-AC56U! Release Thread, Changelog, Download
Update 7/24/2013: Another new build, (22.214.171.124.372.31) this time fixing the AI Cloud security issue and introducing the Yandex DNS filtering service. Be wary though that Yandex is in Russia, so if you use this feature (off by default) it may noticeably slow internet browsing since it redirects all your DNS queries. Release Thread, Changelog, Download.
Update 10/3/2013: Eric has been hard at work on a new build(126.96.36.199.374.33) based on a new source that includes fixes to general performance, parental controls, and more. Note this warning from Merlin:
Due to the SDK change on the RT-N66U, you *MUST* revert back to factory default and manually reconfigure your router if coming from an older firmware! The only exception is if you were previously running either the Pixie Dust release (188.8.131.52.374.32-sdk6), or a previous beta of 184.108.40.206.374.33 (except for the -sdk5 Beta, of course).
Asus also recommends doing the same for the other models, however feel free to try without doing so. It might work fine for most people, but be prepared to do a factory default reset + reconfiguration if you run into any odd issues.
And by "manually reconfigure", I really mean it. Reloading saved settings would totally nullify the action of resetting to factory defaults, since you will just end back to where you started, with all the same (possibly invalid) settings."
Release Thread, Changelog, Download.
Update 12/14/2013: New build! (220.127.116.11.374.35_4) GPL 374.339 (Time machine support for some models), Asus' OpenVPN implementation. (Note this is a total overhaul), Namecheap DDNS, and more. Release Thread(With Changelog), Download.
Update 1/22/2014: New build! (18.104.22.168.374.38) GPL 374.2078, major driver/SDK changes. RT-N16 is not supported by this build. This is SDK6 only. In short, if you have issues with this build, particularily with wi-fi performance, fall back to an earlier build. That said, the feedback in the forum regarding this build has been great thus far. Note: in most situations, Eric does recommend resetting to factory defaults & manually re-configuring. Release Thread With Changelog, Download
Update 2/16/2014: New build, out for a bit. (22.214.171.124.374.39) Dumps SDK5 and adds a new parental control option to use DNS services to block category based URLs as well as bug fixes. Release Thread, Changelog, Download
Update 3/16/2014: New build: 374.40. Not stable for the RT-AC68U but fixes the RT-N16. DNSFilter enhanced along with IPv6 fixes. This build should also address the highly publicized security issues from last month, but I would still recommend highly against enabling FTP, "Cloud AI", or any other outward facing services on principal. Release Thread, Changelog, Download.