has been doing an increasingly impressive job in the "home" WiFi router market. With impressive
performance approaching enterprise class routing capability and second-to-none
Wifi performance, (for an unmanaged single unit) they're hard to beat for the enthusiast market. By using something like TomatoUSB
firmware you can get many enterprise-class features. While I may write an article in the future on Tomato or DD-WRT tweaking, I'm going to go through the setup here using the new "Merlin"
firmware. Eric Sauvageau
, the author of the modified firmware, states of this:
"The primary goals of this project are to fix bugs, add a few basic
features and tweaks to the original firmware. This firmware will try to
remain as close as possible to the original firmware.
Sounds good to me. I've spent alot of time with Tomato and DD-WRT on my home network, and a change of pace might be nice. Also, you get the piece of mind that you're using mainly the manufacturers' code on this newer hardware.
Note: Some ideas covered in this article may apply to other consumer or enterprise level hardware.
- You have purchased either a RT-AC66U or RT-N66U (Update 7/6/13: RT-AC56U now supported asw well)
- You have backed up, memorized, or otherwise, your old router settings
- You're comfortable with the basics; I'm not going to re-cover the manual
- You have power and an internet connection. Setup will be easier and more reliable if you also have a house or apartment, which you should be inside of during this tutorial.
Let's get to work:
- Connect the router as described in the manual. If you have a DHCP server (other than the one on the router from your ISP) you'll either need to temporarily disable it or ensure it's assigning the 192.168.1.x range excluding .1.
- Perform the initial "Quick Internet Setup" wizard
- After/if it prompts you to update firmware, go ahead and do so.
- If desired, (and some of my steps will assume this is done) download the "Merlin" firmware from here. In the interface click "Administration->Firmware Upgrade" and specify the path to the trx file.
- Now that we've upgraded, let's highlight important setup steps. I'm not going to cover the specifics of your environment, just things I recommend you pay attention to. First, navigate to "Wireless->WPS" and set it to "OFF". Most implementations of WPS are NOT secure at all. For more information, see: This episode of the wonderful Security Now! podcast or this lifehacker article. There are many ways to get a complex WiFi key to nearly any device securely.
- Navigate to "Wireless->Professional" and check the "Tx Power adjustment" and reduce it if possible. (Some experimentation required) Make sure you use the dropdown and do both 2.4ghz and 5ghz. Lowering your broadcast power will slightly shorten the range so you aren't broadcasting to your neighbors (polite) and may lengthen your hardware life. (See effect @ "Tools->Radios Temperature")
- If you disabled the DHCP server, make sure you go to "LAN->DHCP Server->Log DHCP Queries" and hit "Disable".
- To log stats, insert a USB thumb drive. It can be tiny and slow if you want. Navigate to "System Log->General Log" hit "Refresh". Copy the contents down and search them for the mount messages. In my case, the only message was "Jan 3 18:47:16 hotplug: USB vfat fs at /dev/sda mounted on /tmp/mnt/1GB", and that corresponds to @ /mnt/1GB for short since /mnt is a symlink to /tmp/mnt. Write this down.
- Navigate to "Tools->Other Settings" and set "Traffic history location" to "Custom location".
- Set "Save history location" to the value you wrote down in step 8, select "Create or reset data files" (if this is the first time you have done this on this disk) and hit "Apply".
- (Added 1/12/13) Unless you're using STP with your other switches, etc. navigate to "Lan->Switch Control" and set "Spanning-Tree Protocol" to "Off". Cool that it supports STP though! (Update 10/11/2013: There has been some confusion on this, so to simplify: If you have more than one switch not including this Asus router, leave STP enabled. Otherwise, disable it. If you would like to better understand see this.)
- (Added 1/20/13) If you aren't using IPv6 (yet), navigate to "IPv6"->"Auto Configuration Setting"->"Enable Router Advertisement" and set it to "Disable".
- (Added 1/20/13) Let's disable some other services that most people won't need. Unless you're using this router as a filesharing and/or DLNA device, do the following: Navigate to "USB Application"->"Media Server"->"Enable DLNA Media Server" and set it to "Off".
- (Continued from #13) Navigate to "USB Application"->"Network Place/Samba Share"->"Disable Share" and click "OK" to confirm disabling the service.
- (Continued from #13) Navigate to "USB Application"->"Miscellaneous Setting" and turn off "Force as Master Browser" and "Set as WINS Server" and click "Apply".
- (Added 2/4/2013) Recommended: Though I
haven't tested (update 6/7, it's fine as of now, so if you need UPnP go ahead) to see if this firmware is impacted by the recent discovery that a substantial number of firmwares expose UPnP to the external interface of the router(!!) I still recommend turning it of if it's feasible. This means you'll have to forward ports manually, but if you're reading this I suspect you know how to do so anyhow. (If not, comment as such and perhaps I'll write an article about it) To disable the UPnP service navigate to "Advanced Settings->WAN->Internet Connection->Basic Config->Enable UPnP" and set it to "No" Update 5/27/2013: How to forward ports:
- To forward ports, first determine what ports your service/application uses. While a search for "(Service) forward ports" generally returns the ports needed for that service, you can also use something like portforward.com to look it up. Note that the port spaces of TCP and UDP protocols are separate, so make sure you get the protocol right and know that the port numbers can overlap. There are some pre-baked shortcuts in the Merlin/Asus firmware on the port forwarding page (listed in the next step) that will populate the ports for you; it may be worth checking those out to save some time.
- After you determine your ports, open the manage interface of your Asus router and navigate to "Wan->Virtual Server/Port Forwarding"
- Ensure "Enable Port Forwarding" is set to "Yes".
- Under "Port forwarding List" type the name of your application under "Service Name". This entry is cosmetic only and serves to identify this forward.
- Under "Port Range" enter the port(s) needed for this application. To open a range, separate the lowest port and the top port with a ":". For example, to open up ports 80 through 90 you would put "80:90". You can also put non-joining port ranges on the same rule by adding more ports after a comma. For example, to open ports 80 and 90, you would put "80,90".
- On "Local IP" put the IP address of the machine hosting the service you would like to expose to the internet. If you don't know this address and you're (as default) using the DHCP server on the router you can find the address by going to the DHCP management on your router.
- On "Local Port" you generally want to put exactly what you put under "Port Range". The exception to this rule would be if you want to expose an internal port as a different port externally.
- Under "Protocol" select the proper protocol; TCP, UDP, or Both. Again, note that selecting "Both" would result in both sets of ports being opened.
- Click the plus icon "Add/Delete" and then click "Apply" at the bottom. Note that if your IP address changes then you'll need to update the rule.
- (Added 7/20/2013,Critical) A vulnerability has been discovered with the AICloud software. There is an official firmware that has been released that is reported but not confirmed to fix the problem, but that includes a very poor wifi driver so I would not recommend its use unless you have no 5ghz WiFi clients. The Merlin 372_30_2 build does not address this problem because Eric based it on a pre-release 372 version that didn't yet include the fix. (Confusing versioning by Asus..) If you don't run that new stock FW make sure you disable the AICloud! (AICloud->Smart Disk/Cloud Access) Update 7/24/13: There is a Merlin build that addresses this issue now available. See below for links. Update 2/18/14: There have been stories about either this exploit and/or a potentially newly found exploit involving FTP and the AI cloud feature. I think the best advice at this time is from Eric (the author of the firmware). The point: Because it is uncertain if this is entirely based on the old vulnerability, disable these features until the full nature of the exploit is disclosed and confirmed fixed. Update 3/16/14: This should be fixed with the newest build (374.40) but frankly I would still leave them off.
- (Added 11/3/2013) If you notice that your WiFi continues to loose connectivity and you need to reboot the router to fix it, try naming your 2.4Ghz and 5Ghz radios differently. I've noticed that some dual band devices (the iPad specifically) will bounce between frequency spectra and this will cause the Asus to become confused and stop relaying requests to the DHCP server correctly. To do so go to Wireless->General and dropdown between "2.4Ghz" and "5Ghz", ensuring they have different SSIDs so that your devices will target one of the two explicitly.
If I find any other important info I'll add it. Enjoy!
Note 1: If you enable "Tools->Other Settings->Enable advanced (per IP) monitoring
" it will disable hardware acceleration. While you most likely won't notice this unless you've got an internet connection approaching 100Mbit, be aware that you may loose some performance for that functionality.
Note 2: Check out "USB Application-> 3G/4G
"... very interesting stuff.
Note 3: I'm investigating an issue that results in WiFi being unable to communicate with the LAN ports. It manifests itself in the log as: Jan 11 17:05:23 kernel: eth1: received packet with own address as source address
. I'll post updates on this later.
Update 2/2/2013: Merlin posted a new beta build. Discussion
Update 2/23/2013: More new builds & bugs fixed! Release Thread
Update 3/16/2013: Another new build! Release Thread
Update 3/29/2013: Eric just uploaded a new beta build based on a beta release from Asus. A couple exciting changes here including new wireless driver and tools. Note that you'll need to re-add you WoL clients (if you had any) because Asus added a new WoL tool. Also, note this warning from Eric:
"New wireless driver. This new driver brings quite a few improvements
over the older one. Note that if you experience any issue with this new
driver, it is strongly recommended to revert back to factory defaults,
and re-configuring your router. There are a few low-level changes, and
some new default values that you won't pick up until you revert back to
" Release Thread
Update 4/4/2013: It looks like some folks are having issues on the new build with the 5Ghz radio. There is quite a lively discussion
going on and Eric has answered quite a few questions.
Update 7/6/2013: A new build has been released that introduces support for the RT-AC56U! Release Thread
Update 7/24/2013: Another new build, (18.104.22.168.372.31) this time fixing the AI Cloud security issue and introducing the Yandex
DNS filtering service. Be wary though that Yandex is in Russia, so if you use this feature (off by default) it may noticeably slow internet browsing since it redirects all your DNS queries. Release Thread
Update 10/3/2013: Eric has been hard at work on a new
build(22.214.171.124.374.33) based on a new source that includes fixes to
general performance, parental controls, and more. Note this warning from
Due to the SDK change on the RT-N66U, you *MUST* revert back to factory
default and manually reconfigure your router if coming from an older
firmware! The only exception is if you were previously running either
the Pixie Dust release (126.96.36.199.374.32-sdk6), or a previous beta of
188.8.131.52.374.33 (except for the -sdk5 Beta, of course).
Asus also recommends doing the same for the other models, however feel
free to try without doing so. It might work fine for most people, but
be prepared to do a factory default reset + reconfiguration if you run
into any odd issues.
And by "manually reconfigure", I really mean it. Reloading saved
settings would totally nullify the action of resetting to factory
defaults, since you will just end back to where you started, with all
the same (possibly invalid) settings.
Update 12/14/2013: New build! (184.108.40.206.374.35_4) GPL 374.339 (Time machine support for some models), Asus' OpenVPN implementation. (Note this is a total overhaul), Namecheap DDNS, and more. Release Thread
(With Changelog), Download
Update 1/22/2014: New build! (220.127.116.11.374.38) GPL 374.2078, major driver/SDK changes. RT-N16 is not supported by this build. This is SDK6 only. In short, if you have issues with this build, particularily with wi-fi performance, fall back to an earlier build. That said, the feedback in the forum regarding this build has been great thus far. Note:
in most situations, Eric does recommend resetting to factory defaults & manually re-configuring. Release Thread With Changelog
Update 2/16/2014: New build, out for a bit. (18.104.22.168.374.39) Dumps SDK5 and adds a new parental control option to use DNS services to block category based URLs as well as bug fixes. Release Thread
Update 3/16/2014: New build: 374.40. Not stable for the RT-AC68U but fixes the RT-N16. DNSFilter enhanced along with IPv6 fixes. This build should also address the highly publicized security issues from last month, but I would still recommend highly against enabling FTP, "Cloud AI", or any other outward facing services on principal. Release Thread
Update 6/6/2014: New build: 374.43. Another new release from Eric today, mostly bugfixes. One feature added; the ability to force a DDNS refresh after a configurable number of days. Release Thread
. Also, SmallNetBuilder forum member "000111" (7?) had the great idea to start a donation thread for Eric. If you appreciate his efforts it's worth considering heading over to this thread
and throwing him a few bucks for the effort.
Update 11/7/2014: New build: 376.48_1. Merge with Asus code 22.214.171.124.376_2769, Samba upgraded to 3.6.24, Miniupnpd to 1.9, Dropbear to 2014.66, OpenSSL 1.0.0o, SNMP enhanced, RT-AC68P support. Release Thread
. Also, Eric (Merlin)
warns of a but that causes wifi issues. Quoting him: "Note: Previous firmwares (both Asuswrt-Merlin and stock Asus) suffered from a bug where some nvram settings might end up being corrupted, which can lead to the loss of the 2.4 or 5 GHz settings on the webui with newer firmwares. To fix the issue, either do a factory default reset, or run the following commands over SSH:
nvram set wl0_band=2
nvram set wl1_band=1
The actual bug was fixed both on my end and by Asus a few releases ago, however the corrupted setting will cause issues starting with newer firmware versions if not corrected.
Update 8/292015: There have been several new builds, the last of which was great, but this update is to address how to perform source based routing with Merlin/Busybox:
In my case I've got two different internet connections and I want to selectively route different machines through different internet gateways. To accomplish routing traffic based on the source, we'll use the ip rule
and ip route
commands. First, make the rule:
ip rule add from [IP]/[CIDR] table [NAME]
where [IP] is the from addr or range, [CIDR] is the applicable CIDR
bitmask, and [NAME] is a unique integer to call the route, i.e.
ip rule add from 10.0.0.1.22/32 table 10
then the custom route:
ip route add default via [Gateway IP] table [NAME] dev [ADAPTER]
where [Gateway IP] is the IP of the desired gateway, [NAME] is the same integer as referenced above, and [ADAPTER] is the NIC to which the rule applies, i.e.
ip route add default via 10.0.0.254 table 10 dev eth0
You can re-use the route for multiple rules if desired. To make these rules persistent you'll need to use user scripts
.I use services-start with a 10 second sleep in the beginning. Have fun!