New user questions

[Qwinn]

Hullo everyone. Finally installed merlin and really liking it so far. Transition was amazingly smooth - didn't even lose my public IP address during the firmware update, which used to get reset if I sneezed too hard near the stock firmware.

So I have some questions regarding configuration and which addons it makes sense to use specific to my setup. (Yes, I searched forums and read what I could for hours, it helped me I think to ask the right questions but that's it.)

Running on a GTE-AXE16000. My inclination is that as it has 2G of RAM, a swap file should be entirely unnecessary, since I don't think I'll be installing much in the way that *needs* a swap anyway (read on for that) and 2G should be more than enough.

Currently I have redundant pihole-unbound servers running on two other machines within my LAN. These work beautifully and trouble-free, so I'm not really tempted to use Diversion in any way. Skynet is still under consideration, although at this point I'm not sure I'll get any use out of it other than maybe better logging on intrusion attempts? I'd normally like the idea of filtering out traffic by country, but unfortunately, determined that's a no go for work related reasons. So I don't know if *just* logging would be adequate reason to install skynet. I'd assume there'd be another more lightweight script that could give me that? I can't think of what else I could really use Skynet for that the stock firewall doesn't give me. Some details on any good use cases for Skynet's enhanced features aside from per-country blocking would be appreciated. (Note that I do forward some ports for Plex server and some crypto mining, but that's it - no web servers or ssh wan access or anything like that. Also no VPN configured yet aside from just enabling InstantGuard, which I'm not finding much use for yet).

So far I've just installed (via AMTM) scmerlin and yazfi (so that I can assign quad9 as dns for guest network, since it can't reach my piholes). When I tried to install ntpmerlin, it's demanding entware and thus an external drive. I've currently got a 28GB usb stick plugged in to the 2.0 port (because my reading indicates speed isn't an issue) and ready for me to format it when I get a chance to reboot the router. I do not currently have an external SSD to hook up to this (I know that's the general recommendation), but I'm hoping that a USB stick that isn't using swap or heavy Diversion/Unbound usage should be okay? Please advise yes/no/probably on that.

Regarding ntpmerlin, once I have that set up: I'm inclined to choose chrony with redirect, while leaving my clients running systemd-timesyncd. My theory is that if the router NTP chrony server were to fail, then the redirects would also fail, so the client NTP requests would just get passed on to pool.ntp.org or whatever. Is that how it would work? And most importantly, will I lose some/any of the benefits of chrony over ntp unless I also change the clients to use chrony?

Finally - does merlin have a definitive best practice method of getting rid of the annoying every-minute dns query to dns.msftncsi.com? Search results on this topic are all over the place. I'd far prefer the connectivity check to just ping 9.9.9.9 or something, but as far as I can tell trying to get stock or merlin to disable the DNS check and just use the ping method is completely non-functional, despite the apparent option to do it that way in the GUIs.

Any plugs for other must-have addons would be appreciated.

Thanks for any help!

 

[Tech9]

There is no must-have addons. All addons are optional based on personal needs or preferences. Once this router moves to Asuswrt 5.0 base firmware (Asuswrt first followed by Asuswrt-Merlin) you have to redo your configuration because YazFi won't be compatible with the new Guest Network Pro. Basically what you are doing right now is a temporary setup. Not sure why you need scMerlin and ntpMerlin. If you want Skynet for some reason - it requires swap file of 2GB size. If you continue using USB stick your setup will be as reliable as the USB stick. Keep it simple and you'll be happier.

 

[Qwinn]

There is no must-have addons. All addons are optional based on personal needs or preferences. Once this router moves to Asuswrt 5.0 base firmware (Asuswrt first followed by Asuswrt-Merlin) you have to redo your configuration because YazFi won't be compatible with the new Guest Network Pro. Basically what you are doing right now is a temporary setup. Not sure why you need scMerlin and ntpMerlin. If you want Skynet for some reason - it requires swap file of 2GB size. If you continue using USB stick your setup will be as reliable as the USB stick. Keep it simple and you'll be happier.

I see! I was wondering why in all my searching I was seeing Asus documentation referring to a "VLAN" tab under the LAN section, as well as references to Guest Network Pro that I couldn't find anywhere under either stock or merlin. And it specifically said that AXE16000 should have those features, so it was very confusing. Thanks for clearing that up. Guess it's slated for, but hasn't actually been released for my router yet then.

Why do I need scMerlin? Cause the restart services functionality seems a very nice thing to have in the GUI. Why do I need ntpMerlin? Because previously I have every individual machine doing it's own wan ntp lookups, which is wasteful and more likely to cause desync issues between my machines (I have them doing cooperative crypto mining, making consistent timing important), and as chrony is supposed to be more accurate than ntp this seemed a good way to resolve both issues in one shot.

Oh, and thanks for clearing up that Skynet will demand that swap. That leads to me deciding not to use Skynet, barring someone advising of some awesome feature I'm unaware of and haven't found in my searching yet.

 

[Tech9]

If you need to restart services - this is not a good thing, something must be wrong. scMerlin for this convenience hijacks your entire GUI in case you haven't noticed already. Asuswrt-Merlin has built-in NTP server with NTP requests interception, right there in the GUI. It's your router and you can do whatever you want with it, but the more excited you get with tinkering right off the bat the closer you get to the next factory reset.

 

[ColinTaylor]

Why do I need ntpMerlin? Because previously I have every individual machine doing it's own wan ntp lookups, which is wasteful and more likely to cause desync issues between my machines (I have them doing cooperative crypto mining, making consistent timing important), and as chrony is supposed to be more accurate than ntp this seemed a good way to resolve both issues in one shot.

You don't need to install ntpMerlin, it's just another point of failure. Merlin already has a built-in NTP server option (Administration - System > Enable local NTP server) that is more than good enough.

 

[Qwinn]

Yes, I had already enabled the merlin version of NTP with redirect, and it does appear to be working fine. The inclination to use ntpmerlin was to switch to chrony, which from my understanding is significantly more accurate and deals much better with any interruption to services than ntp. Is this not the case?

As for scmerlin hijacking my GUI - aside from it adding those hover-submenus, no, I hadn't really noticed a hijacking. What am I missing?

I'm surprised to hear these opinions. From all my reading of prior threads, these addons seemed to be considered among the top installed and most beneficial addons. Given I wasn't even going with Diversion or Unbound and probably not even Skynet, I thought the few meager addons I was thinking of adding were already very lightweight compared to what most people were using. Never thought the main reaction I'd get would be that I was being heavyhanded. Oh well.

 

[Tech9]

I personally won't run any addons on the router. What is available in Asuswrt-Merlin is plenty and it works best with no USB sticks and unnecessary complications. As mentioned above - just additional points of failure requiring extra attention and maintenance. Diversion has alternatives as simple as upstream filtering DNS service (with typical DNS-blocking limitations), Skynet is an IP-blocker tool not every user needs (slow community blocklists, built-in firewall already blocks unsolicited inbound connections by default), Unbound has pros and cons to evaluate before installing it (slow start until cache is built, no encryption as resolver, etc). I wouldn't purchase this router to begin with because it's lagging behind on software support (no Asuswrt 5.0 yet) and Asus focus already shifted to Wi-Fi 7 models. You asked for an opinion, here is mine.

 

[ColinTaylor]

Yes, I had already enabled the merlin version of NTP with redirect, and it does appear to be working fine. The inclination to use ntpmerlin was to switch to chrony, which from my understanding is significantly more accurate and deals much better with any interruption to services than ntp. Is this not the case?

It sounds like you're trying to fix a problem that doesn't exist. YMMV of course, but if your clients require constantly updating their system clock to sub-millisecond accuracy I'd say that's either badly written software or faulty hardware.

I'm surprised to hear these opinions. From all my reading of prior threads, these addons seemed to be considered among the top installed and most beneficial addons.

You have to bear in mind that most of the posters on this forum are either Asus geeks that want to experiment with addons "just because you can", or they're not very knowledgeable and just install everything that sounds like it might be useful. If you have a genuine need for an addon then by all means use it, but don't install stuff just because other people do.

 

[Tech9]

Also don't report issues in Asuswrt-Merlin release threads when your system is loaded with 3rd party scripts, please. If something is not working as expected start fresh and try again with clean Asuswrt-Merlin. RMerlin doesn't support 3rd party scripts. Complex custom setup - you're on your own.

 

[Qwinn]

I personally won't run any addons on the router. What is available in Asuswrt-Merlin is plenty and it works best with no USB sticks and unnecessary complications. As mentioned above - just additional points of failure requiring extra attention and maintenance. Diversion has alternatives as simple as upstream filtering DNS service (with typical DNS-blocking limitations), Skynet is an IP-blocker tool not every user needs (slow community blocklists, built-in firewall already blocks unsolicited inbound connections by default), Unbound has pros and cons to evaluate before installing it (slow start until cache is built, no encryption as resolver, etc). I wouldn't purchase this router to begin with because it's lagging behind on software support (no Asuswrt 5.0 yet) and Asus focus already shifted to Wi-Fi 7 models. You asked for an opinion, here is mine.

I see, so the main thing Skynet gives you is IP based rules as opposed to port rules. That clears that up. And yeah, I've no current use for IP based rules (that wouldn't interfere with work, anyway) so that settles that.

As I mentioned in my OP, I already have the alternatives to Diversion set up (redundant pihole/unbound servers elsewhere in my LAN). RE unbound having "no encryption as resolver", my understanding was that NO resolver can have encryption, because nameservers don't and probably never will support encryption.

Shame that the AXE16000 isn't getting the quicker software support. But at least it is eventually supposed to get the VLAN functionality. The only models that are supposed to support it eventually per the Asus docs are:

• GT-AX11000 Pro, GT-AX6000, GT-AXE16000, RT-AX86U Pro, RT-AX88U Pro
• ZenWiFi Pro ET12, ZenWIFI Pro XT12(only provide beta firmware)

At any rate, already bought it, and it's a terrific router in most respects, so too late now.

 

[Tech9]

Asuswrt 5.0 firmware will come to your router at some point, perhaps Asuswrt-Merlin based on it as well, but you'll have to rethink your configuration and perhaps start from scratch again. Hopefully the base is better because folks on Asuswrt 5.0 find it rough on the edges.

 

[Qwinn]

It sounds like you're trying to fix a problem that doesn't exist. YMMV of course, but if your clients require constantly updating their system clock to sub-millisecond accuracy I'd say that's either badly written software or faulty hardware.

I'm running coordinated CPU crypto mining across 5 servers all of which have to maintain a synchronized vdf heartbeat pulse every single second. And if they are not synchronized, it can cause me to lose blocks. This is not a typical use case, and if improved time sync accuracy is available, not to mention cleaner recovery in the case of internet service interruption, I'd be an idiot not to consider it.

 

[Qwinn]

Asuswrt 5.0 firmware will come to your router at some point, perhaps Asuswrt-Merlin based on it as well, but you'll have to rethink your configuration and perhaps start from scratch again. Hopefully the base is better because folks on Asuswrt 5.0 find it rough on the edges.

As far as "rethinking my configuration", are you only referring to YazFi here? I only installed it yesterday because I didn't know about any other upcoming options (I mean, Guest Network Pro was mentioned but I didn't actually have it). I have no problem at all uninstalling it before doing my next firmware update. If there's something else about my configuration I need to rethink in light of coming changes, please let me know.

 

[bennor]

Currently I have redundant pihole-unbound servers running on two other machines within my LAN.

So far I've just installed (via AMTM) scmerlin and yazfi (so that I can assign quad9 as dns for guest network, since it can't reach my piholes).

Why cannot your YazFi clients reach your Pi-Holes? (Assuming you are not using AiMesh or AP nodes, YazFi doesn't work with those.)

No issues here assigning my two local network Pi-Holes + Unbound to YazFi clients. I don't use AiMesh or AP nodes at the moment. I just put the Pi-Hole IP addresses in the YazFi DNS fields and save the changes.

As to all the rest. Use the add-on scripts or don't. Some go and create more problems when they tinker and install addons thinking they need them (for what ever reason). Review each of the add-ons and decide which you think you need for your use case. Then install each one, one at at a time, testing after install to ensure it works as you expected before you go installing another add-on.

 

[ColinTaylor]

I'm running coordinated CPU crypto mining across 5 servers all of which have to maintain a synchronized vdf heartbeat pulse every single second. And if they are not synchronized, it can cause me to lose blocks. This is not a typical use case, and if improved time sync accuracy is available, not to mention cleaner recovery in the case of internet service interruption, I'd be an idiot not to consider it.

Yes consider it, but I'd suggest you try it with the built-in option first and only install additional software if you need to.

I don't know exactly what you mean by "cleaner recovery in the case of internet service interruption" but I doubt ntpMerlin would be any different than what's built-in. Even without an internet connection the router's time of day clock will still be running. And you said all your clients will be syncing to the router so that shouldn't be a problem as they'd still all be in sync with each other.

 

[Qwinn]

Why cannot your YazFi clients reach your Pi-Holes? (Assuming you are not using AiMesh or AP nodes, YazFi doesn't work with those.)

No issues here assigning my two local network Pi-Holes + Unbound to YazFi clients. I don't use AiMesh or AP nodes at the moment. I just put the Pi-Hole IP addresses in the YazFi DNS fields and save the changes.

As to all the rest. Use the add-on scripts or don't. Some go and create more problems when they tinker and install addons thinking they need them (for what ever reason). Review each of the add-ons and decide which you think you need for your use case. Then install each one, one at at a time, testing after install to ensure it works as you expected before you go installing another add-on.

I installed YazFi in the first place because my guest network, being a different subnet, could not access my DNS servers on my main intranet subnet.

If I can tell YazFi to cross the subnet boundary and access my dns servers on the different subnet, by using the different subnet 192.168.x.x, that's cool, didn't know it could do that as well (I mean, the whole point of guest network is isolation from the main network, so being able to easily hop over and access that intranet for DNS isn't exactly intuitive). Or do you have to leave intranet access from the guest network on to accomplish that? Again, that would seem to me to obviate the point.

 

[Tech9]

If there's something else about my configuration I need to rethink in light of coming changes, please let me know.

When the firmware moves to Asuswrt 5.0 base you may have to reset your router anyway and start fresh. Based on available options you'll decide what is best for you to run on it as compatible addons. Keep in mind Jack Yaz (the J scripts) is not an active SNB Forums member anymore since he moved to a different platform. Some of the scripts he created are supported by others, but you have to check the current state when the time comes.

 

[Qwinn]

Yes consider it, but I'd suggest you try it with the built-in option first and only install additional software if you need to.

I don't know exactly what you mean by "cleaner recovery in the case of internet service interruption" but I doubt ntpMerlin would be any different than what's built-in. Even without an internet connection the router's time of day clock will still be running. And you said all your clients will be syncing to the router so that shouldn't be a problem as they'd still all be in sync with each other.

Here is a breakdown of how chrony compares to ntp, from the official Redhat documentation. Redhat (the enterprise solution) uses chrony by default, whereas debian uses systemd-timesyncd that is just ntp or ntpsec based.

Reading the great number of advantages that the far newer chrony implementation has, and in light of my use case, it kinda seems a no brainer to go with chrony.

Chapter 18. Configuring NTP Using the chrony Suite | Red Hat Product Documentation

Chapter 18. Configuring NTP Using the chrony Suite | Red Hat Documentation

docs.redhat.com

 

[Tech9]

Reading about advantages and actually getting advantages in your use case are two different things. If everything works well with the built-in Asuswrt-Merlin tools - simplicity is the best advantage.

 

[Qwinn]

Reading about advantages and actually getting advantages in your use case are two different things. If everything works well with the built-in Asuswrt-Merlin tools - simplicity is the best advantage.

Yes, I was actually typing as I received that that, all that said, I'm happy to see if just going to the server-based ntp setup that merlin provides is enough to solve my issue of occasionally losing a block due to unsynced vdf. Possible that just going to the client server model alone for ntp lookups will fix it. So, sure, I'll hold off on the ntpmerlin/chrony solution until it happens again.

(Only happens once a week or so, mind you, so probably won't know for quite a while.)