New user here; GNU/Linux desktop user since 1993, some experience with iptables (and its predecessor ipchains) and setting up routers, firewalls or VPN on commodity PC hardware in the late 1990s. For the past 20 years, I have used closed-source routers, nothing fancier than setting up some NAT rules for making some TCP/IP ports on the LAN accessible from the Internet.
Yesterday I bought a second-hand RT-AC86U. I immediately upgraded it to AsusWRT-Merlin 386.7 and installed Entware, mainly for rsync and prosody (XMPP), which I migrated from a Raspberry Pi 2.
Everything works well so far, except:
- I did not figure out how to create persistent Linux user accounts for running services, so I reused the pre-existing user and group "nat" for Prosody. The paths were a bit different from what I had on Raspbian or Debian, but it was not hard to adjust the files.
- Enabling the firewall in the web UI affects the output of iptables -L, but the inbound rule for TCP port 5222 (XMPP client-to-server connections) does not. That is, if I enable the firewall, Prosody can only receive connections from the LAN, not from the WAN. How do I do this properly in the web UI, or via the command line? I did not find anything relevant in the wiki.
- It would be nice to maintain a LetsEncrypt certificate when not using any DDNS provider, and have it available to all SSL-based software that runs on the router (such as Prosody). I get the public IPv4 address via DHCP, but it is basically static as long as I do not shut down the router for a longer time. Thus, I would prefer to do the DDNS part "manually" and just specify the name to LetsEncrypt.
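The second point (the port 5222 rule vanishing once the firewall is enabled) is the usual symptom of AsusWRT-Merlin rebuilding its entire iptables ruleset on every firewall (re)start, which discards anything inserted by hand from the shell. The supported place for custom rules is the user script /jffs/scripts/firewall-start, which Merlin runs after each rebuild. The script below is an added example, not the poster's script or anything shipped with Merlin; the rule spec, the "present"/"added" output, and the IPT override (kept so the logic can be exercised without a router) are assumptions of this example, while wan0_ifname, firewall-start and the JFFS custom scripts switch are Merlin's own.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start  -- added example, not the poster's own script.
# AsusWRT-Merlin rebuilds the whole iptables ruleset whenever the firewall is
# (re)started: toggling it in the web UI, a WAN reconnect, a reboot. Anything
# inserted by hand from the shell is lost at that point. Merlin runs this
# script after each rebuild, so rules inserted here come back every time.
# Needs "Enable JFFS custom scripts and configs" (Administration > System)
# turned on and the file made executable (chmod a+rx).

PORT="${XMPP_C2S_PORT:-5222}"   # XMPP client-to-server; 5269 would be server-to-server
IPT="${IPT:-iptables}"          # assumption of this example: overridable for off-router testing

# One place defines the match, so the existence check (-C) and the insert (-I)
# compare exactly the same rule. Prosody runs on the router itself, so the
# traffic terminates locally and belongs in INPUT, not FORWARD (FORWARD is
# what the web UI's port-forwarding page manipulates, for hosts behind NAT).
rule_spec() {
    # $1 = TCP port, $2 = WAN interface name
    printf 'INPUT -i %s -p tcp --dport %s -m state --state NEW -j ACCEPT' "$2" "$1"
}

# Idempotent insert: firewall-start can run several times per boot, and
# duplicate ACCEPT rules make the ruleset hard to audit.
ensure_rule() {
    spec=$(rule_spec "$1" "$2")
    if $IPT -C $spec 2>/dev/null; then     # word-splitting of $spec is intended
        echo "present"
    else
        $IPT -I $spec && echo "added"
    fi
}

# Apply only on the router: nvram is absent elsewhere, so WAN_IF stays empty
# and nothing is touched.
WAN_IF=$(nvram get wan0_ifname 2>/dev/null)
if [ -n "$WAN_IF" ]; then
    ensure_rule "$PORT" "$WAN_IF"
fi
```

After saving it, `service restart_firewall` rebuilds the ruleset and runs the script; `iptables -L INPUT -n --line-numbers` should then show the ACCEPT for dpt:5222 near the top of INPUT, and it should survive toggling the firewall in the web UI. The rule only covers IPv4; if Prosody is also reachable over IPv6, the same spec has to be added with ip6tables in the same script.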