What's new

Looking to install merlin firmware (coming from stock)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

zero7404

Regular Contributor
Hello,

i'm interested in trying out merlin firmware.
primarily because i think it is likely much more up-to-date than the regular Asus release channel I am on for my RT-AC87R (or U).

reason is basically i want to know that i have the latest Trend security features for the firewall, and also want to make sure that major issues/bugs since my firmware version (3.0.0.4.382_51939) were likely resolved in the newer merlin firmware versions.

how would i go about installing a merlin firmware (uploading to router via wifi, using a restore method, etc.) is there an ordered or specific procedure to do it right ?

from what i was told, restoring a configuration file to the new firmware is not a good idea .... so that means i likely will have to manually configure everything from scratch. in order to do that, i'd have to prep and document the settings/mac addresses, ip addresses and wifi settings for everything. it's laborious and would rather avoid doing it manually. but willing to do it if the benefits of having the new firmware are worth it in terms of security and performance.
 
Hello,

i'm interested in trying out merlin firmware.
primarily because i think it is likely much more up-to-date than the regular Asus release channel I am on for my RT-AC87R (or U).

reason is basically i want to know that i have the latest Trend security features for the firewall, and also want to make sure that major issues/bugs since my firmware version (3.0.0.4.382_51939) were likely resolved in the newer merlin firmware versions.

how would i go about installing a merlin firmware (uploading to router via wifi, using a restore method, etc.) is there an ordered or specific procedure to do it right ?

from what i was told, restoring a configuration file to the new firmware is not a good idea .... so that means i likely will have to manually configure everything from scratch. in order to do that, i'd have to prep and document the settings/mac addresses, ip addresses and wifi settings for everything. it's laborious and would rather avoid doing it manually. but willing to do it if the benefits of having the new firmware are worth it in terms of security and performance.

Merlin relies Asus publishing their source code so he’s at their mercy as far as being able to incorporate any features they develop. My understanding is that trend is closed source so Merlin isn’t able to change any of that code. The Merlin specific security features i use are dns filtering and dns over Tls. I also use Skynet. Installing Merlin firmware is as easy as uploading the corresponding file for your device on the update firmware page of the webui.
 
thanks for this information. i'll read these articles and maybe perform some routine items like resetting the NVRAM.

concerning merlin firmware .... i still think it's a step up and improvement from the stock firmware. even if i may not use the added functionality.

i can't find which article refers to actually flashing the router with the merlin firmware ....
 
Installing Asus stock firmware or Merlin firmware is simply a matter of downloading the correct file, then (after unzipping of course) selecting the file in the GUI. Done. No fancy steps required. A reset and manual configuration is usually the next preferred step if switching between the 2 versions, but may or may not be necessary if simply updating within that stream in the future.
 
Installing Asus stock firmware or Merlin firmware is simply a matter of downloading the correct file, then (after unzipping of course) selecting the file in the GUI. Done. No fancy steps required. A reset and manual configuration is usually the next preferred step if switching between the 2 versions, but may or may not be necessary if simply updating within that stream in the future.

thanks ....

should I consider doing an NVRAM reset before or after installing the merlin firmware ?

another question .... does merlin firmware have a connection to the server that stores the latest firmware updates ? in case it is possible to simply go into the firmware upgrade tab and check for the latest merlin firmware ?

not sure if that's possible or whether I would manually check the web site (either one is ok with me). so long as I don't need to do a full-up manual configuration of the router each time i update the firmware version.
 
The firmware you want to try/test or use should be flashed first. Then, do a full M&M Config and possibly a Nuclear Reset (please look for the link in my signature below for those and other guides and information).

No automatic update possible for RMerlin firmware (as it should be).

https://www.asuswrt-merlin.net/download

The above URL is all you need to check to see if you have the latest version installed or not. :)

After initially flashing RMerlin firmware and a full and proper M&M/Nuclear setup, you will be able to go for many versions with a 'dirty' upgrade (by just flashing the latest firmware available). No need to do another full/proper reset unless your router/network becomes unstable or unreliable in any way.

However, do read the changelog files as they will specifically point out routers and firmware versions that necessitate a reset. Possibly because of new wireless drivers or some such major change. Even then though, your specific router/network may continue to work as you desire. Consider yourself lucky and enjoy it will you can. With the first signs of 'weird' behavior, which a fast google/forum search doesn't find you a quick solution, then be prepared to do the full M&M Config reset then.

HTH. :)
 
The firmware you want to try/test or use should be flashed first. Then, do a full M&M Config and possibly a Nuclear Reset (please look for the link in my signature below for those and other guides and information).

No automatic update possible for RMerlin firmware (as it should be).

https://www.asuswrt-merlin.net/download

The above URL is all you need to check to see if you have the latest version installed or not. :)

After initially flashing RMerlin firmware and a full and proper M&M/Nuclear setup, you will be able to go for many versions with a 'dirty' upgrade (by just flashing the latest firmware available). No need to do another full/proper reset unless your router/network becomes unstable or unreliable in any way.

However, do read the changelog files as they will specifically point out routers and firmware versions that necessitate a reset. Possibly because of new wireless drivers or some such major change. Even then though, your specific router/network may continue to work as you desire. Consider yourself lucky and enjoy it will you can. With the first signs of 'weird' behavior, which a fast google/forum search doesn't find you a quick solution, then be prepared to do the full M&M Config reset then.

HTH. :)

understood, thanks.

just to remind at how little i know here about the topic .... how would i go about 'flashing' RMerlin the first time ?

just in case the procedure is not as simple as post # 5 states ....
 
some other notes I wanted to mention related to this ....

how does RMerlin compare to stock firmwares as far as : router firewall security ?

the stock firmware many times reverts back to the uncleared state in the tabs 'Malicious Sites Blocking' and 'Two-Way IPS', after i specifically hit the trash can in those tabs to clear out the logged attacks ....

more important to me, is to protect my home network and my NAS, so i am somewhat unsure whether the AC87 is fully blocking all attacks and sometimes I wonder whether i need an additional hardware firewall between the modem and router. if anyone has some suggestions that I can look into (additional hardware, firmware tweaks, NAS tweaks, etc.) I'd appreciate that too.

my NAS has outside world access via the manufacturer's provided features, which is an account I created with the manufacturer and linked the device to it. I do not use port forwarding or uPnP on the router .... even though some of those features affect some functionality on the Xbox One that's also connected.
 
@zero7404 I would not use the NAS provided access. That is just one more attack vector you're open to.

OpenVPN is what I would use instead.

RMerlin is sometimes more secure than stock and sometimes stock is more secure than RMerlin firmware, depending on which one 'jumps' first to issue a fix (as noted by RMerlin himself in another thread). :)

The AiProtection behavior you are referring to is a closed source blob from TrendMicro. Nothing possible for RMerlin to 'fix' on his own.

With RMerlin firmware, here are some improvements.

vhttps://www.snbforums.com/threads/open-wrt-security-hole.63024/#post-565448

In addition, you can install/enable DoT, Skynet, Diversion and other scripts that will 'harden' your router against outsiders with RMerlin firmware installed. Something that is not possible with stock at all.
 
@zero7404 I would not use the NAS provided access. That is just one more attack vector you're open to.

OpenVPN is what I would use instead.

RMerlin is sometimes more secure than stock and sometimes stock is more secure than RMerlin firmware, depending on which one 'jumps' first to issue a fix (as noted by RMerlin himself in another thread). :)

The AiProtection behavior you are referring to is a closed source blob from TrendMicro. Nothing possible for RMerlin to 'fix' on his own.

With RMerlin firmware, here are some improvements.

vhttps://www.snbforums.com/threads/open-wrt-security-hole.63024/#post-565448

In addition, you can install/enable DoT, Skynet, Diversion and other scripts that will 'harden' your router against outsiders with RMerlin firmware installed. Something that is not possible with stock at all.


Thanks for this info, it's interesting that I can add additional security scripts with RMerlin ... can you give some references to the scripts so I can read up on them ?
Sounds like RMerlin is definitely worth installing, if I can do that.

For OpenVPN, how would you suggest using VPN with a NAS ? I am thinking that I could setup a VPN server on the NAS but I'm not sure that my particular NAS would be capable of hosting a VPN server.
 
With RMerlin 384.15_0 release final or later, amtm is installed by default. The amtm step-by-step guide below is a good place to start (you just don't need to install amtm, of course).

amtm Step-by-Step https://www.snbforums.com/threads/amtm-step-by-step-install-guide-l-ld.56237/#post-483421

To see if your router is supported see the link below.

https://www.asuswrt-merlin.net/about

To see a list of amtm supported scripts see the following link.

https://diversion.ch/amtm.html

If you have a supported router, you will want to follow the M&M Config and possibly the Nuclear Reset guides to give the firmware the best chance of giving you a stable and reliable experience as possible.

M&M Config https://www.snbforums.com/threads/n...l-and-manual-configuration.27115/#post-205573

Nuclear Reset https://www.snbforums.com/threads/major-issues-w-rt-ac86u.56342/page-4#post-495710

As for connecting to your NAS over VPN, I would recommend an OpenVPN server (built right into the firmware) which will allow you to connect to your entire network securely. I would not set up a VPN on the NAS itself (the router is much more secure).

There is more information for you to read/learn about in the link in my signature below too (including many of the above links already posted here for your convenience). :)

HTH. :)
 
would it be safe to restore my saved configuration file from the stock 382 to the new merlin 384.13 ?

if not, then the next best thing would be to export the mac and ip assignments i have made to all my connected devices. wondering if there's a way to get a text file or csv or something out of the stock firmware that i can use to expedite setting up again.

i use mac address filtering for all wireless connections to the router except for the guest broadcasts.
 
Last edited:
No. It would effectively negate any reset you would be doing.

Too many changes from 382.xx to the latest 384.16_0.

What router are we talking about here, btw? :)
 
No. It would effectively negate any reset you would be doing.

Too many changes from 382.xx to the latest 384.16_0.

What router are we talking about here, btw? :)

RT-AC87R (U) is router in question.
 
@zero7404 note that the router model you have is on 'limited support' going forward and it will depend on if Asus can bring the code up to current and comparable standards (compared to the other RMerlin supported models) and thus allow RMerlin to continue supporting it with minimal extra work (and workarounds).

The current firmware for it is RT-AC87U: 384.13_6 as per the link below, but note it should have all the important 'modern' features the other supported routers enjoy with the 384.16_0 release too (at least for now).

https://www.asuswrt-merlin.net/download

As mentioned above already, simply download the proper zipped file for your router. Unzip and then compare the hash to the included readme to ensure the download was not corrupted (a free utility such as HashTab is highly recommended) and then simply go to the router GUI, click on the version of the firmware (near the top) which will take you to the Firmware Update tab and then click the 'update' link and point to the unzipped file you just downloaded and verified.

After it has rebooted and you have verified that the version matches the version you flashed, proceed with the M&M Config to get the benefits of the RMerlin defaults properly enabled.

HTH.
 
@zero7404 note that the router model you have is on 'limited support' going forward and it will depend on if Asus can bring the code up to current and comparable standards (compared to the other RMerlin supported models) and thus allow RMerlin to continue supporting it with minimal extra work (and workarounds).

The current firmware for it is RT-AC87U: 384.13_6 as per the link below, but note it should have all the important 'modern' features the other supported routers enjoy with the 384.16_0 release too (at least for now).

https://www.asuswrt-merlin.net/download

As mentioned above already, simply download the proper zipped file for your router. Unzip and then compare the hash to the included readme to ensure the download was not corrupted (a free utility such as HashTab is highly recommended) and then simply go to the router GUI, click on the version of the firmware (near the top) which will take you to the Firmware Update tab and then click the 'update' link and point to the unzipped file you just downloaded and verified.

After it has rebooted and you have verified that the version matches the version you flashed, proceed with the M&M Config to get the benefits of the RMerlin defaults properly enabled.

HTH.

thanks ....

I did read about my router's support winding down, and believed that updating with RMerlin firmware would breathe a few more years into it (I've had it for about 4-5 years now, that's not bad). Hopefully I'm right on this point. Main concern is making sure that the trend micro security updates in the near term will keep the firewall polished enough to fend off attacks on my home network from the outside.

concerning the m&m config steps in post #3 of the thread you mentioned .... that's from back in 2015, still valid ?

what parts of the nuclear reset instructions is the most important or necessary ? I'd rather just do only the essential steps if any of them are necessary following the flash to RMerlin. If anything I should do before flashing, could you kindly remind what specifically I should do ?

Lastly, after flashing, and following the m&m procedure .... can i expect to have any issues with my devices accessing the internet ? basically, i'm asking after i flash and do the m&m steps, would that cause problems with any of my networked devices ?

Here are the devices I use (all connected to the router), all of them are set to static IP in the router's interface:

wired - Roku Ultra
wired - Xbox One S
wired - NAS
wired - LTE extender

wireless - 3 tablets
wireless - 5 phones
wireless - printer
wireless - 5 computers

not ready yet to explore openvpn, i need to learn more about how that would work.
i would appreciate some tips if any tweaks that i can make .... for example: if having an xbox one connected to the router could lead to some venerability of other devices that are also behind the router firewall.

uPnP is off
i have port forwarding enabled in order to allow the LTE extender to work (manually added the ports)

I documented as much as I could concerning my existing configuration, in order to set them up again the same way.
 
Wired devices should experience no issues. If you use the same SSID and password, then the wireless devices should not have any issues either. It will all be transparent. However, in some cases, it is better to use a new SSID and add the wireless devices one at a time. Personally, I've not had to do this, but some devices can be finicky. Also, sometimes simply deleting the SSID configuration on those devices, then re-adding it solves it too.
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top