Router Setup Questions, Merlin FW 384.14_2 on RT-AC68U

TotalRouterNoob

I've been reading this forum for a while, trying to learn from the good folks here but still have lots of questions on my router settings. I searched but can’t find answers that I can understand for the questions below. My router has remote access from WAN, telnet, ssh, dmz, upnp, port forwarding, IPv6, servers all turned off/disabled. There are no custom scripts or any NAS attached. Please remember, I’m a noob when answering and trying to get my router setup as securely as possible. Thank you so much for any help.
  1. Under "System Log/Routing Table" it shows the following info and I don't remember anything being there previously. What does the below text mean, is this a security issue?:
IPv4 Routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.xxx.xx * 255.255.xxx.x U 0 0 0 LAN

1) Under Tools/Advanced Tweaks & Hacks
a) Firewall: Drop IPv6 neighbour solicitation broadcast? What is the purpose/meaning of this setting, I don’t use IPv6 at this time.
b) Disable asusnat tunnel Y/N? Can’t find a definitive answer on what the asusnat tunnel is. Please explain.
c) Dhcpd: send empty WPAD w/carriage return. Can someone explain what this is?
d) WAN: Use local caching DNS server as system resolver. Can someone explain what this is?

2) Under LAN/DNS Filter, do I need to add all my devices’ MAC addresses in order for the DNS-based filtering to work?

3) WAN/Internet Connection:
a) Forward local domain queries to upstream DNS. What does this mean?
b) Enable DNS Rebind protection. What does this mean?

4) Under System/Remote Access Configuration:
a) Remote Access Restrictions: What is the purpose of this setting? Remote access from WAN is disabled.

5) LAN and WAN/DNS Server Settings: I guess I never realized there were DNS server settings under both the LAN and WAN pages. Could someone explain how I should set those up, both under LAN and WAN? Right now my LAN DNS server setting is blank and WAN DNS server setting is OpenDNS. I'm guessing I don't want OpenDNS resolving stuff on my LAN?

TIAA!!!!!
 
  1. Under "System Log/Routing Table" it shows the following info and I don't remember anything being there previously. What does the below text mean, is this a security issue?:
IPv4 Routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.xxx.xx * 255.255.xxx.x U 0 0 0 LAN
This is normal for LAN traffic.
1) Under Tools/Advanced Tweaks & Hacks
a) Firewall: Drop IPv6 neighbour solicitation broadcast? What is the purpose/meaning of this setting, I don’t use IPv6 at this time.
b) Disable asusnat tunnel Y/N? Can’t find a definitive answer on what the asusnat tunnel is. Please explain.
c) Dhcpd: send empty WPAD w/carriage return. Can someone explain what this is?
d) WAN: Use local caching DNS server as system resolver. Can someone explain what this is?
There are tool tips if you hover over the descriptions of most of those options, except asusnat tunnel. In general, the most secure option is to leave it at Merlin's defaults.
2) Under LAN/DNS Filter, do I need to add all my devices’ MAC addresses in order for the DNS-based filtering to work?
No. Only add specific devices if you want them to be filtered differently from the Global mode at the top (e.g. exceptions to the Global setting).
3) WAN/Internet Connection:
a) Forward local domain queries to upstream DNS. What does this mean?
b) Enable DNS Rebind protection. What does this mean?
a) means local hostnames from your network (e.g. mylaptop.home.lan). These should not be sent out to the WAN DNS servers because they would have no knowledge of your private addresses. Leave it No.
b) see tool-tip. It's more secure to enable it, but safer to leave it disabled in case it causes issues and you aren't technical enough to customize the underlying configuration.
5) LAN and WAN/DNS Server Settings: I guess I never realized there were DNS server settings under both the LAN and WAN pages. Could someone explain how I should set those up, both under LAN and WAN? Right now my LAN DNS server setting is blank and WAN DNS server setting is OpenDNS. I'm guessing I don't want OpenDNS resolving stuff on my LAN?
Generally, LAN DHCP DNS servers are left blank so that machines on your LAN receive only the router IP as their DNS server. Then the router forwards queries out to your WAN DNS servers. And because of question 3) a) they will not receive hostnames from your LAN. If you want all your network to be filtered with OpenDNS, leave LAN DNS blank, set WAN DNS to OpenDNS, and set DNSFilter Global mode to Router.
 
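What the "Enable DNS Rebind protection" option from question 3) b) checks for, as an added example that is not part of the thread or of the firmware's code: a simplified Python model of the filter, modelled on dnsmasq's `stop-dns-rebind` and `rebind-domain-ok` options. The private-range list, the function names and the sample replies are assumptions constructed for illustration.

```python
import ipaddress

# Ranges that should never arrive in a reply from an upstream (WAN) resolver.
# Assumption: RFC 1918 private space, loopback and link-local; this mirrors
# the idea behind stop-dns-rebind, not dnsmasq's exact internal list.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in PRIVATE_NETS)

def domain_allowed(name, allowlist):
    """True if name equals, or is a subdomain of, an allowlisted domain."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in allowlist)

def filter_answer(name, addresses, allowlist=()):
    """Return (verdict, addresses handed to the LAN client) for one reply."""
    if domain_allowed(name, allowlist):
        return "pass (allowlisted)", list(addresses)
    bad = [a for a in addresses if is_private(a)]
    if bad:
        # One private address taints the whole reply: the client gets nothing.
        return "drop (possible rebind: %s)" % ", ".join(bad), []
    return "pass", list(addresses)

# Constructed upstream replies (documentation addresses, made-up hostnames).
SAMPLE_REPLIES = [
    ("www.example.com", ["203.0.113.10"]),
    ("rebind.example.net", ["192.168.1.1"]),
    ("mixed.example.net", ["198.51.100.7", "10.0.0.5"]),
    ("nas.corp.example.org", ["10.20.30.40"]),  # legitimate, but private
]

if __name__ == "__main__":
    for name, addrs in SAMPLE_REPLIES:
        print(name, filter_answer(name, addrs, allowlist=[]))
```

The last sample shows the kind of breakage the answer warns about: a legitimate name that resolves to a private address is dropped unless its domain is passed in `allowlist`.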
Thanks Dave14305!

Should I Leave "Remote Access Restrictions" at "No"? Like I said above I have remote access from WAN disabled.
It’s usable on the LAN as well, but you could end up locking yourself out of your router. Leave it off.
 
So are you saying that "Remote Access Restrictions" could keep devices on my LAN from getting into the router settings? There are a couple devices on my LAN that I don't want to have access to my Router config but I do have a specific computer on the LAN that I do want to be able to get into the router settings via the browser gui, would that setting help me in that instance?... keeping certain devices out of the router settings but allowing other devices into the router settings? Hope that makes sense.
 
Yes, but it restricts based on LAN IP address, so you would want to assign a fixed IP on the DHCP server page so that you don’t have to worry about your “allowed” device IP changing and then being locked out of the router.

IMO, you’re better off with a strong password and not restricting access.
 
For "Disable Asusnat tunnel", I clicked yes. I always read if you don't use something to disable it for security purposes. The only thing I could find on it was a post on SNB from 2015, and they thought it had something to do with the Asus Router App for phones and I don't want to access my router through my phone. Especially since I read the phone app turns on access from WAN. If disabling the Asusnat tunnel is an insecure setting, please let me know.
 
