Asus RT-AC86U - Questions about Merlin Firmware, Selective routing and Guest networks

[Vampiry_Yazo]

Hi All,

I'm new to this forum so I hope I'm creating this thread in the right section.
So I want to buy Asus RT-AC86U to achieve decent speeds using OpenVPN. However, I have a couple of questions before I buy this expensive router. They are:

1) Does all revisions of the said router are compatible with Merlin firmware ?

2) What is the official website for Merlin Firmware ? I'm asking because when I google for it, I have strange canadian domain called "https://asuswrt.lostrealm.ca" claiming to be the official website.

3) How many Guest Wi-Fi's I can create and do they use VLAN's under the hood ?

4) Does Merlin Firmware allows selective routing ? If so, how difficult is it to set it up and does it work for all interfaces like LAN/WLAN and Guest Wi-Fi's etc ? ALso, is it possible to use selective routing either per device or whole selected network so whoever connects to it a selective routing is automatically applied ?

5) Is it possible to completely remove/disable WPS ?

I hope someone can lend me their hand and help me out here
Vampiry_Yazo

 

[dave14305]

What is the official website for Merlin Firmware ? I'm asking because when I google for it, I have strange canadian domain called "https://asuswrt.lostrealm.ca" claiming to be the official website.

Yes, that’s his official home page. Support questions are in the dedicated forum:
https://www.snbforums.com/forums/asuswrt-merlin.42/

 

[ColinTaylor]

1) I don't remember seeing anybody report that there's more than one revision.

3) 3 for 2.4GHz and 3 for 5GHz. No they don't use VLANs.

4) If by "selective routing" you're referring to VPN then Merlin has policy based routing. But it works by IP address, not interfaces. So you couldn't for example route only traffic originating from a guest WiFi.

5) Well you can turn it off if that's what you mean.

 

[Vampiry_Yazo]

3) 3 for 2.4GHz and 3 for 5GHz. No they don't use VLANs.

So, how is it a Guest Network if it's not separated from the main network ?

 

[ColinTaylor]

So, how is it a Guest Network if it's not separated from the main network ?

I'm assuming the 86U works the same way as all the earlier models. So it uses ebtables (netfilter) to block/allow traffic between interfaces.

 

[Vampiry_Yazo]

I'm assuming the 86U works the same way as all the earlier models. So it uses ebtables (netfilter) to block/allow traffic between interfaces.

This sounds like there are some firewall rules in place. How secure is this compared to VLANs ? For example, can a client from Guest Network infect someone from main network ? I'm worried about security with those "Guest Wi-Fi's" as I don't know how they work. I think some use VLAN's but not sure about Asus routers.

 

[ColinTaylor]

As I said, Asus doesn't use VLANs, it uses netfilter to drop packets as they traverse the internal bridge. That means traffic from the guest network can't get to the LAN. If you don't trust netfilter then you don't trust Linux .

 

[Vampiry_Yazo]

4) If by "selective routing" you're referring to VPN then Merlin has policy based routing. But it works by IP address, not interfaces. So you couldn't for example route only traffic originating from a guest WiFi.

Ok, I see. I would need to setup the policy based routing for each individual device. So, when my VPN is active I can also set policy based routing so that selected device can actualy use my WAN IP from my ISP ? Also, does Guest Wi-Fi have its own IP Range or is it the same as the main network ? Since it's to do with routing and data flow, I assume that netfilter is taking care of it ?

That means traffic from the guest network can't get to the LAN.

and my "normal" Wi-Fi ?

5) Well you can turn it off if that's what you mean.

Yeah, WPS have a lot of vulnerabilities but unfortunately even if it's turned off on some routers the said device can still be vulnerable. I have also heard that the routers which have a "WPS Button" are less vulnerable because the attacker needs to physically press the button instead of just making a request for it when cracking the PIN code.

 

[ColinTaylor]

So, when my VPN is active I can also set policy based routing so that selected device can actualy use my WAN IP from my ISP ?

Correct.

Also, does Guest Wi-Fi have its own IP Range or is it the same as the main network ?

No, it's the same address range.

and my "normal" Wi-Fi ?

Is unaffected.

Yeah, WPS have a lot of vulnerabilities but unfortunately even if it's turned off on some routers the said device can still be vulnerable. I have also heard that the routers which have a "WPS Button" are less vulnerable because the attacker needs to physically press the button instead of just making a request for it when cracking the PIN code.

There was some discussion about that on here a while back. IIRC the router isn't vulnerable, but you'd have to check the old posts for confirmation.

 

[RMerlin]

2) What is the official website for Merlin Firmware ? I'm asking because when I google for it, I have strange canadian domain called "https://asuswrt.lostrealm.ca" claiming to be the official website.

What's strange about it? It's my personal domain, which I've owned for close to 20 years. It's a Canadian TLD simply because I'm Canadian.

I didn't want to register a new domain because I suspected using the word "asuswrt" might be problematic for legal reasons. So I decided to make it a sub-domain of my personal domain.