RT-AC5300 Performance & Security Guide

[daviworld]

I don't know if this will be helpful to anyone. But, thought I would share my set-up and hopefully help some people in their quest for performance and security.
Check page 2, post #34 for 2019 updated/added info
--------------------------------------------------------------
Let's start with Guest Network
Typically in my own network

• I set access time of 12hrs
• Prevent intranet access(LAN)
• Assign WPA2 as authentication method and a easy password for guest(NOT YOUR MAIN PASSWORD)
• I only set up guest on my 2.4GHz Radio, more on that below
• No MAC filtering unless you use this network for special purposes

Next AiProtection
Click Network Protection
I highly and strongly recommend turning on all the protection feature's, as this is essentially your UTM(Unified Threat Management)

• Router Security Assessment - (Scan, click on thing's to change and secure or disable thing's you don't need or use. Shoot for a score of 15)
• Malicious Site Blocking - (using Trend Micro engine, will block bad site's)
• Two-Way IPS - (can detect and shape traffic, actively monitoring and blocking threat's)
• Infected Device Prevention and Blocking - (This will isolate a infected device from the rest of your device's, to prevent an infection from spreading across your network. If you're familiar with VLAN's, think of that one device being put in its own VLAN with no contact with the rest of the device's)
• Parental Control - (control internet access for device's, by setting a time schedule, also include a web filter for blocking content)
• DNS Filtering - Force your client's to use specified DNS, I have mines set to router for quicker DNS lookup's

*an important note, when you see hit's, this mean's it was an attack/exploit your router was successfully able to prevent. Anytime you see a hit in your two-way IPS, a good measure is to add the IP to your firewall block list or firewall block script(Skynet)

Next Adaptive QoS
In Bandwidth Monitor, turning it on you will take a small performance hit. Up to you if you decide to use it, I typically leave mine's off unless troubleshooting networking issue's. Lastly, since I use FreshJR QoS script, I have left the priority at default for all device's(gray). However, you are more than welcome to use the priority label's. Click on the Tab QoS..... Also, in the Web History Tab, I turn it on, as it is useful to see what site's my client device's are connecting to and how often.

In QoS

• Enabled
• Adaptive QoS
• Manual Setting [(Not Automatic) add your speedtest or ISP bandwidth, for instance I have 1GBps down and 20Mbps up. So, I'll add 950 down and 19 up]
• Wan Overhead DOCISIS 3.0 = 18 ( choose a preset for your modem)
• For Network Mode I usually choose Customize

*The reason you don't add your full bandwidth is due to bufferbloat, it is generally recommended to choose 85-95% of your total bandwidth, hence 95% of 1000 is 950 and 95% of 20 is 19. Also note when measuring ISP speed we use Megabit's not Megabyte's. a culmination of byte's will = that file on your PC... 8 bit's = 1 byte
I recommend using FreshJR Adaptive QoS script for the customization and dslreports speedtest

*Second important notice as I run OpenVPN client's 24/7, your OpenVPN traffic is seen as upload traffic, so in my above example you would input 950 in both the download AND upload

Next Traffic Analyzer

• Honestly I leave the statistics in here off, since if I turn this on. It lock's up my GUI VPN page, and I can only turn only my client's via NVRAM command's, although if you have different need's feel free to use this.

Next Game Boost

• I don't use this feature so I have no comment on its functionality

Next USB Application
I only use Media Services and Server's in this section, click on it

• In Media Server - (if you enjoy streaming content from your router, to your LAN device's, enable UPnP [ONLY ON THIS PAGE, NOT THE WAN PAGE] , name your media server, use a manual path
• In Network Place (Samba) Share Tab -

1. Enable Share
2. DON'T enable allow guest login's(will let anyone in)
3. Add SMB v2 preferably/SMB v1 + v2
4. Add workgroup name and device name
5. Yes, Force as Master Browser
6. No, WINS Server
7. Click Apply
8. Add a different account from your root to use for your share access
9. set permission's for folder's you want this new account to access
10. Save Permission's
11. Check access, make sure port's 139 & 445 is open on machine and SMB & NETBIOS enabled

• FTP Tab - I would leave this disabled, since it isn't using SFTP or FTPS (secure versions), however merlin's version use's FTPS(enable TLS option)
• *Note When Samba enabled, port's 139, and 445 will be open on your router. Make sure these port's and/or services NETBIOS & SMB are running and open. When not using share's I recommend turning this off until you need this, unless you do frequent network transfer 's

Next AiCloud 2.0

Disable, Disable, Disable, Disable, Disable, if you don't want hole's exposed in your network, please do not enable any AiCloud service's at all!

Next Wireless

• Smart Connect Enabled - Actually Pretty Good With Some Minor Tweak's
• I usually only use my 5GHz network for band as all my client's are AC client's and my apartment is covered with a signal throughout. So, I disable my 2.4GHz band, using it only for AP Isolation and older device's or security cam's
• Hide SSID, up to you, will stop a casual user, but your SSID is broadcasted in plain text in your wireless packet's, so if someone used a sniffer, Hiding your SSID wouldn't stop them.
• Authentication Method - WPA2 Personal
• set a strong Wireless password
• The other setting's can be set to auto
• Protected Management Frames - Capable (protects against dissociation attacks) *note however that required broke IoT devices, only smartphone, Console, and PC responded; on capable the smart TV and IP cam finally connected
• In Wireless MAC Filter, will be up to you to use it or not, spoofing MAC's are trivial today
• In the Professional Tab - We will change a couple of the default's the rest are ok

1. For the 2.4GHz professional setting's
2. enable radio, my personal say is no if you don't have old client's or don't need the distance
3. enable wireless scheduler, again depends on you. But, if your radio's aren't broadcasting, then their is no WI-FI to hack
4. Multicast Rate - choose OFDM 6 (good low settings for VoIP, adjust higher if experiencing issues)
5. Preamble Type - choose Short... choose long slower and older devices)
6. Beacon Interval - set to 1000 - decreases the amount of times a client receives the wireless beacon
7. DTIM Interval - 3 or below, set higher for better performance if you have a strong router, otherwise it may crash.
8. TX Burst - if higher than 4 device's disable, can cause network lag
9. WMM APSD - disable if your mobile devices experience disconnect or crashes, otherwise leave enabled
10. Optimize AMPDU Aggregation - Enable: High error environment or multiple devices. Slower performance.
    Disable: Low error environment with less devices. Faster performance.
11. Airtime Fairness - disable, enable only for older devices
12. MU-MIMO - disable if your client's don't support this feature, otherwise keep enabled
13. Universal Beamforming - disable was made before explicit beamforming. use this instead
14. Explicit Beamforming - all AC enabled devices support this feature, disable if you don't have AC client's
15. Modulation Scheme is set to their highest MCS 11
16. TX Power Adjustment - Slide to Performance
17. IGMP Snooping - Disabled
18. AP Isloation - Yes or no depending on your need's

1. For the 5GHz professional setting's
2. Everything the same as above
3. Note Explict Beamforming will be 802.11ac beamforming in the 5GHz setting's
4. leave other default's alone

• In the WPS Tab - disable this on all radio band's, I only needed this once due to having a 64 character password, and my smart TV wouldn't connect until I added it via WPS, which I immediately turned off after the Smart TV connected

 

[daviworld]

Next LAN

• subnet mask can only be a 24 bit mask or 255.255.255.0
• so your network would look like this 192.168.1.x or 192.168.1.0/24 for reference which can IP 254 host
• DHCP - create domain name if you want, set your range in-between 2-254 or lower,
• enable manual assignment for static reserved IP's for client's
• DNS Server & Gateway will be your router IP if left blank
• Lease time - default is 86400 which = 1 day, *note however that DHCP will renew a lease at it's half time mark which is 43200 or half a day
• Switch Control - Enable Jumbo frame only if you plan on using it in a intranet or local network setup where each network end point will support jumbo frame's, otherwise you can disable it. STP - disable for performance boost, it prevents network loops, however I would recommend leaving it enabled, if you have a router behind your mind one. Nat Acceleration/ CTF - I have mine's set to auto, it recommended to disabled this if using QoS or you are trying to improve performance, I say go with your own personal network need's
• Bonding/Link Aggregation - Depend's on you and your network need's
• DNS REBIND Protection - Yes
• DNSSEC Signed Validation - Yes (will break with DNS server's that don't fully support DNSSEC)

Next WAN

• WAN TYPE- Automatic, unless you have a dedicated IP in which case choose static
• Enable WAN- Yes - (Internet yes)
• Enable NAT - Yes - (no if using for a performance boost, allows many client's behind a router to use a single public IP address.
• Enable UPnP - No (please don't open this up to the WAN)
• Connect To DNS Server Automatically - No (set your own DNS server's, set to yes to use ISP DNS server's for possibly faster DNS responses. I recommend choosing a provider who use's DNSSEC & DoH(DNS Over TLS)/DNSCrypt so your queries are authenticated and confidential )
• Tab over to Dual Wan - Will maximize performance and throughput, up to you
• I don't use DMZ, Port Trigger, Port Forwarding, or DDNS - too much exposure to the WAN
• Tab Over to Nat Passthrough - I disable PPTP Passthrough and L2TP Passthrough, no sense letting through insecure protocols

Next Alexa & IFTTT

• No, just no, a security nightmare

Next IPv6

• Disabled - until this becomes more mainstream or you have an inherent need for this, I would leave this disabled for now.

Next VPN

• I don't have any OpenVPN server's set up, as I don't want my router to have any remoting capabilities other than SSH on LAN only
• Set up Profile as usual
• For DNS - set Exclusive to use only VPN Provider DNS server's or disabled to ignore VPN Provider DNS Server's and use WAN provided DNS Server's
• Redirect Internet Traffic - set to Policy Rule's/Policy Rule's Strict and check yes for "block routed client's connection's" which is useful for IP leak's. Be careful as this kill switch is powerful. If you use more than 1 client at a time such as I do, keep note if you have a client that utilize different VPN's. For example if host1 is blocked on vpnclient 1 and you switch to vpnclient 2 where host1 is also connected to. You need to remove the rule from vpnclient 1 and add it to vpnclient 2
• *If you have the opportunity, disable compression for better performance
• some extra custom config rule's I add to all my VPN custom section

1. auth-nocache - won't cache credential's in memory
   disable-occ - suppresses a harmless OpenVPN warning
   mute-replay-warnings - I use timestamp's, so not worried about replay warning's
   pull-filter ignore "ifconfig-ipv6" ignore ipv6 configs
   pull-filter ignore "route-ipv6" ignore ipv6 route's

Next Firewall

• Enable Firewall - Yes, I would disable only if you have a different edge router, since this is your first line of defense.
• Enable DoS Protection - Yes, it will stop various kind's of DoS attack's. Disable if you want a extra bit of performance.. disabled by default
• Respond to ICMP Ping Request from WAN - No (this essentially lets attacker's know this is a live network, while setting it to no would require further probing if they were really interested
• *Note in the URL Filter & Network Services Filter tab's, you can block domain's, or services(HTTP, ftp, etc). URL Filter has a 1000 byte char limit, can also use Diversion script to block any random domain via HOST file

Next Administration

• Operation Mode: Wireless Router
• Tab over to "System"
• Change Router Login Name from admin
• Change Router Password to something strong
• Enable custom script's and jffs - Yes if you plan on using your own or other user's script's
• Set your time zone in GMT
• NTP Server - I used the IP address of the pool closes to me, to avoid DNS issues, if your time is out of sync your OpenVPN client's will not connect. Using the name is also fine, such as us.pool.ntp.org, etc. Also, your signature will fail to update with out of sync time
• Auto Logout - I set it to a value lower than the default
• Enable WAN down browser redirect - No
  
• Redirect webui to router.asus.com - Yes or No your choice
• Enable reboot scheduler - Your choice, I used it in the past, but it always corrupted my USB drive after some point, so now I do manual reboots
• Enable SSH - LAN Only, only use WAN + LAN if you need to remote, but I highly recommend against this method
  
• Allow Port Forwarding - No
• SSH Port - change to something else or leave it as the default 22
  
• Enable SSH Brute Force Protection - Yes, will prevent dictionary attacks
  
• Add your SSH key I used ED25519, much more better than the aging RSA
• Idle Timeout - set to a lower value or leave the default
  
• Authentication Method - HTTPS, I personally use this option. But, you're more than welcome to keep HTTP or use BOTH. Just change default port from 80
  
• HTTPS LAN Port - default is 8443, or you can choose your own
• Enable Web Access From WAN - No!
• Allow only from specified IP address - No, unless you want to add the security benefit's, otherwise it may just create a convenience issue
• Tab over to Firmware Upgrade
• Use the latest stable firmware and make sure your signature is up to date
• *Note when your signature is not up to date, certain security & network function's will fail, a common way to tell your signature is out of date. Check your syslog and look for QoS_registration _failed entries. You can also force a update by rebooting your router.

*Instead of using the save and restore function, I would recommend using John's Save & Restore NVRAM script, since the entire router is saved in NVRAM. you can use this when backing up and restoring 384 -> 384. If going from 380 -> 384 save your important stuff to a good ol fashion .txt file and restore manually (don't be lazy lol)

Next Network Tools

• Tab over to Smart Connect Rule
• If following my guide you should only be using 5GHz-1 & 5GHz-2, if so proceed below.
• Enable Load balancing - Yes, on both 5GHz-1 and 5GHz-2
• RSSI - Less -0 dBm. The reason for not specifying a distance is because we are assuming your 5GHz network can reach all of your active area's.
  
• PHY Rate Less - Disable on 5GHz-1
  
• PHY Rate Less - on 5GHz-2 set to <650, since I have a 1Gbps link, I am using 650; adjust for your own bandwidth accordingly
• PHY Rate Greater - >500 set on the 5GHz-1
• PHY Rate Greater - Disabled on the 5GHz-2
  
• VHT - on 5GHz-1 set to All
• VHT - on the 5GHz-2 set to AC only
  
• Target Band - Each other
• Bandwidth utilization - 60% on both the 5GHz-1 and 5GHz-2
• Window Time - Default, 180sec
• Count's - Default, 2 ( how many time's the client can switch band's back and forth in-between the dwell time
• Dwell Time- default, 3600sec

*This set-up is geared towards balancing the load, but also placing the faster client's on 5GHz-2 and the slower AC client's on the 5GHz-1 band, been using this set-up for a couple week's and haven't had any complaint's.

Next Tools

• Tab over to Other Settings
• Memory Management - No, passes to kernel I believe, but help's with performance
• Disable Asus Nat Tunnel - Yes, may have to re-enable after a reboot

If you have been following this guide, then your only open port's during test should be 53 DNS, or 53, 139, and 445 with Samba share's enabled. Lastly, if you use the ASUS mobile app, it will enable DDNS & Remoting via WAN.
-----------------------------------------------------------------------------------------
Sources:
https://routerguide.net/generic-optimization-guides/
https://www.smallnetbuilder.com/wir...us-rt-ac3200-smart-connect-the-missing-manual
https://www.routersecurity.org/testrouter.php
https://github.com/RMerl/asuswrt-merlin/wiki
https://www.snbforums.com/threads/s...mic-malware-country-manual-ip-blocking.16798/
https://www.snbforums.com/threads/diversion-the-router-ad-blocker.48538/
https://www.snbforums.com/threads/pixelserv-a-better-one-pixel-webserver-for-adblock.26114/
https://www.snbforums.com/threads/amtm-the-snbforum-asuswrt-merlin-terminal-menu-v1-1.42415/
https://www.snbforums.com/threads/user-nvram-save-restore-utility-r26-2.19521/
https://www.snbforums.com/threads/r...ements-custom-rules-and-inner-workings.36836/
https://www.grc.com/x/ne.dll?bh0bkyd2

 

[jack ryan]

Thanks daviworld. I give it a try later.


Sent from my iPhone using Tapatalk

 

[AZDNice]

Thanks David for your time in this. I was just going through a total reconfig with New FW and came across this and will definitely incorporate it in the setup. However, I did set mine to "Authenticate using HTTPS" selection(not Both) under the Administration Authentication Tab but didn't "Enable web access from WAN" or create certificate as I read that I should have. Now when I try to log onto the router via web browser i get an error. Is there any way to get back in to fix this or do I have to do a factory reset and reconfigure everything all over? Any Help I can get prior to doing this WHOLE task over would be greatly appreciated!

 

[wiz]

nice Guide!

 

[username0475]

Ditto Nice Guide.
Good place starter for non-enthusiast or non-professionals.

 

[daviworld]

Thanks David for your time in this. I was just going through a total reconfig with New FW and came across this and will definitely incorporate it in the setup. However, I did set mine to "Authenticate using HTTPS" selection(not Both) under the Administration Authentication Tab but didn't "Enable web access from WAN" or create certificate as I read that I should have. Now when I try to log onto the router via web browser i get an error. Is there any way to get back in to fix this or do I have to do a factory reset and reconfigure everything all over? Any Help I can get prior to doing this WHOLE task over would be greatly appreciated!

I have mines set to HTTPS only as well. After that change you will have to navigate to https://192.168.1.1:8443 (or whatever you set your router IP to) to login to your router from now on. You will get a security warning from Chrome & Firefox about a self-signed certificate, but you can bypass it, since you know it is from your router. In Firefox click to add an exception and in chrome choose advanced and choose to proceed.

Ditto Nice Guide.
Good place starter for non-enthusiast or non-professionals.

Thank you everyone lol

 

[AZDNice]

I have mines set to HTTPS only as well. After that change you will have to navigate to https://192.168.1.1:8443 (or whatever you set your router IP to) to login to your router from now on. You will get a security warning from Chrome & Firefox about a self-signed certificate, but you can bypass it, since you know it is from your router. In Firefox click to add an exception and in chrome choose advanced and choose to proceed.



Thank you everyone lol

Daviworld!!!! That was it: In Firefox click to add an exception and in chrome choose advanced and choose to proceed.
thanks for your help. I would love to add SkyNet and the Malicious IP Blocking now...but I'm a little gun shy now...lol. If you can point me in the direction of tuts for them that also would be greatly appreciated!

 

[daviworld]

Daviworld!!!! That was it: In Firefox click to add an exception and in chrome choose advanced and choose to proceed.
thanks for your help. I would love to add SkyNet and the Malicious IP Blocking now...but I'm a little gun shy now...lol. If you can point me in the direction of tuts for them that also would be greatly appreciated!

Awesome! Hey, happens to all of us every now and then.

for Skynet here's Adamm's thread the maintainer of Skynet and he is very active and responsive

https://www.snbforums.com/threads/s...mic-malware-country-manual-ip-blocking.16798/

Installing and stuff is on the first page, but if you need help or have any trouble with Skynet Adamm usually respond's pretty quickly

the Aiprotection Malicious IP blocking is more automatic in that is uses signatures to flag and block malicious IP's, and just requires enabling and accepting the EULA from Trend Micro since they will read any packet's they deem suspicious

While Skynet uses a reputation list at https://iplists.firehol.org/ to block malicious IP's

 

[AZDNice]

Awesome! Hey, happens to all of us every now and then.

for Skynet here's Adamm's thread the maintainer of Skynet and he is very active and responsive

https://www.snbforums.com/threads/s...mic-malware-country-manual-ip-blocking.16798/

Installing and stuff is on the first page, but if you need help or have any trouble with Skynet Adamm usually respond's pretty quickly

the Aiprotection Malicious IP blocking is more automatic in that is uses signatures to flag and block malicious IP's, and just requires enabling and accepting the EULA from Trend Micro since they will read any packet's they deem suspicious

While Skynet uses a reputation list at https://iplists.firehol.org/ to block malicious IP's

Will do sir. And the portion of AI Protection is exactly now confirmed by you. I will look into them both. SkyNet :https://www.snbforums.com/threads/s...mic-malware-country-manual-ip-blocking.16798/

 

[best.binoculars]

• subnet mask can only be a 24 bit mask or 255.255.255.0

I don't understand, is that the firmware limitation? So you can't use other size of subnet mask?

 

[daviworld]

Yes, I haven't tried smaller subnet's, but you definitely can't go over a 24 bit mask

I don't understand, is that the firmware limitation? So you can't use other size of subnet mask?

Sent from my LG-H830 using Tapatalk

 

[HuskyHerder]

you definitely can't go over a 24 bit mask

I have used a /21 and a /20 before on the 5300. I decided, I hated it as no devices above the /24 show up in the network map.

I pulled mine back to a /24 in just a few days.
I thought I would be super geek and assign an address range for each user area of the house / user. I don't know why, kinda bored one weekend. lol


10.0.0.x network devices, 10.0.1.x me, 2.x wife, 3.x kid 1, 4.x kid 2, 5.x kid 3, 6.x kid 4, 7.x guest, etc etc -- 10.0.15.x


I went back the old standby /24 and using 10.0.1.x - 10 me and all my devices, 11-20 wife, etc etc, I always leave room for expansion and separation. Most of the time I only need a max of 4 for each user. So that /21,/20 experiment ended quickly.

Cross reference to prove I am not crazy someone else did it too. https://www.snbforums.com/threads/client-status-hard-coded-for-24-bit-subnets.20668/

 

[Geraner]

Great guide!
I have recently written a Blog article about "How to setup a home network with extra security for free".
I'm also using a Asus router, but adding extra protection to all connected devices by using a Raspberry Pi, Pi-Hole, extra block lists, and Quad9 DNS.

 

[kfp]

I'm also using a Asus router, but adding extra protection to all connected devices by using a Raspberry Pi, Pi-Hole, extra block lists, and Quad9 DNS.

You can do all of that directly on the Asus router already, why use a RPi?

 

[daviworld]

I have used a /21 and a /20 before on the 5300. I decided, I hated it as no devices above the /24 show up in the network map.

I pulled mine back to a /24 in just a few days.
I thought I would be super geek and assign an address range for each user area of the house / user. I don't know why, kinda bored one weekend. lol


10.0.0.x network devices, 10.0.1.x me, 2.x wife, 3.x kid 1, 4.x kid 2, 5.x kid 3, 6.x kid 4, 7.x guest, etc etc -- 10.0.15.x


I went back the old standby /24 and using 10.0.1.x - 10 me and all my devices, 11-20 wife, etc etc, I always leave room for expansion and separation. Most of the time I only need a max of 4 for each user. So that /21,/20 experiment ended quickly.

Cross reference to prove I am not crazy someone else did it too. https://www.snbforums.com/threads/client-status-hard-coded-for-24-bit-subnets.20668/

hahaha, I was doing extreme subnetting when I originally tested it. Such as 10.x.x.x/4 and 10.x.x.x/8 which it wouldn't let me do. I didn't know about the /21 and /20 CIDR's but it's good thing to know it's possible if one really wanted to deviate from a /24 bit mask, learn something new everyday

Great guide!
I have recently written a Blog article about "How to setup a home network with extra security for free".
I'm also using a Asus router, but adding extra protection to all connected devices by using a Raspberry Pi, Pi-Hole, extra block lists, and Quad9 DNS.

Thanks for the article it was a good read, as kfp said all this is achievable currently with your router on Merlin's firmware. But, if you wanted a fun project to do on the weekend, I could see how experimenting with different security control's could be enticing

 

[Marin]

What initially started as a Smart Connect guide, snowballed into a full-blown performance & security guide for the RT-AC5300, I don't know if this will be helpful to anyone. But, thought I would share my set-up and hopefully help some people in their quest for performance and security.

--------------------------------------------------------------
Let's start with Guest Network
Typically in my own network

• I set access time of 12hrs
• Prevent intranet access(LAN)
• Assign WPA2 as authentication method and a easy password for guest(NOT YOUR MAIN PASSWORD)
• I only set up guest on my 2.4GHz Radio, more on that below
• No MAC filtering unless you use this network for special purposes

Next AiProtection
Click Network Protection
I highly and strongly recommend turning on all the protection feature's, as this is essentially your UTM(Unified Threat Management)

• Router Security Assessment - (Scan, click on thing's to change and secure or disable thing's you don't need or use. Shoot for a score of 15)
• Malicious Site Blocking - (using Trend Micro engine, will block bad site's)
• Two-Way IPS - (can detect and shape traffic, actively monitoring and blocking threat's)
• Infected Device Prevention and Blocking - (This will isolate a infected device from the rest of your device's, to prevent an infection from spreading across your network. If you're familiar with VLAN's, think of that one device being put in its own VLAN with no contact with the rest of the device's)
• Parental Control - (control internet access for device's, by setting a time schedule, also include a web filter for blocking content)
• DNS Filtering - Force your client's to use specified DNS, I have mines set to router for quicker DNS lookup's

*an important note, when you see hit's, this mean's it was an attack/exploit your router was successfully able to prevent. Anytime you see a hit in your two-way IPS, a good measure is to add the IP to your firewall block list or firewall block script(Skynet)

Next Adaptive QoS
In Bandwidth Monitor, turning it on you will take a small performance hit. Up to you if you decide to use it, I typically leave mine's off unless troubleshooting networking issue's. Lastly, since I use FreshJR QoS script, I have left the priority at default for all device's(gray). However, you are more than welcome to use the priority label's. Click on the Tab QoS..... Also, in the Web History Tab, I turn it on, as it is useful to see what site's my client device's are connecting to and how often.

In QoS

• Enabled
• Adaptive QoS
• Manual Setting [(Not Automatic) add your speedtest or ISP bandwidth, for instance I have 1GBps down and 20Mbps up. So, I'll add 950 down and 19 up]
• Wan Overhead DOCISIS 3.0 = 18 ( choose a preset for your modem)
• For Network Mode I usually choose Customize

*The reason you don't add your full bandwidth is due to bufferbloat, it is generally recommended to choose 85-95% of your total bandwidth, hence 95% of 1000 is 950 and 95% of 20 is 19. Also note when measuring ISP speed we use Megabit's not Megabyte's. a culmination of byte's will = that file on your PC... 8 bit's = 1 byte
I recommend using FreshJR Adaptive QoS script for the customization and dslreports speedtest

*Second important notice as I run OpenVPN client's 24/7, your OpenVPN traffic is seen as upload traffic, so in my above example you would input 950 in both the download AND upload

Next Traffic Analyzer

• Honestly I leave the statistics in here off, since if I turn this on. It lock's up my GUI VPN page, and I can only turn only my client's via NVRAM command's, although if you have different need's feel free to use this.

Next Game Boost

• I don't use this feature so I have no comment on its functionality

Next USB Application
I only use Media Services and Server's in this section, click on it

• In Media Server - (if you enjoy streaming content from your router, to your LAN device's, enable UPnP [ONLY ON THIS PAGE, NOT THE WAN PAGE] , name your media server, use a manual path
• In Network Place (Samba) Share Tab -

1. Enable Share
2. DON'T enable allow guest login's(will let anyone in)
3. Add SMB v2 preferably/SMB v1 + v2
4. Add workgroup name and device name
5. Yes, Force as Master Browser
6. No, WINS Server
7. Click Apply
8. Add a different account from your root to use for your share access
9. set permission's for folder's you want this new account to access
10. Save Permission's
11. Check access, make sure port's 139 & 445 is open on machine and SMB & NETBIOS enabled

• FTP Tab - I would leave this disabled, since it isn't using SFTP or FTPS (secure versions), however merlin's version use's FTPS(enable TLS option)
• *Note When Samba enabled, port's 139, and 445 will be open on your router. Make sure these port's and/or services NETBIOS & SMB are running and open. When not using share's I recommend turning this off until you need this, unless you do frequent network transfer 's

Next AiCloud 2.0

Disable, Disable, Disable, Disable, Disable, if you don't want hole's exposed in your network, please do not enable any AiCloud service's at all!

Next Wireless

• Smart Connect Enabled - Actually Pretty Good With Some Minor Tweak's
• I usually only use my 5GHz network for band as all my client's are AC client's and my apartment is covered with a signal throughout. So, I disable my 2.4GHz band, using it only for AP Isolation and older device's or security cam's
• Hide SSID, up to you, will stop a casual user, but your SSID is broadcasted in plain text in your wireless packet's, so if someone used a sniffer, Hiding your SSID wouldn't stop them.
• Authentication Method - WPA2 Personal
• set a strong Wireless password
• The other setting's can be set to auto
• Protected Management Frames - Capable (protects against dissociation attacks) *note however that required broke IoT devices, only smartphone, Console, and PC responded; on capable the smart TV and IP cam finally connected
• In Wireless MAC Filter, will be up to you to use it or not, spoofing MAC's are trivial today
• In the Professional Tab - We will change a couple of the default's the rest are ok

1. For the 2.4GHz professional setting's
2. enable radio, my personal say is no if you don't have old client's or don't need the distance
3. enable wireless scheduler, again depends on you. But, if your radio's aren't broadcasting, then their is no WI-FI to hack
4. Multicast Rate - choose OFDM 6 (good low settings for VoIP, adjust higher if experiencing issues)
5. Preamble Type - choose Short... choose long slower and older devices)
6. Beacon Interval - set to 1000 - decreases the amount of times a client receives the wireless beacon
7. DTIM Interval - 3 or below, set higher for better performance if you have a strong router, otherwise it may crash.
8. TX Burst - if higher than 4 device's disable, can cause network lag
9. WMM APSD - disable if your mobile devices experience disconnect or crashes, otherwise leave enabled
10. Optimize AMPDU Aggregation - Enable: High error environment or multiple devices. Slower performance.
    Disable: Low error environment with less devices. Faster performance.
11. Airtime Fairness - disable, enable only for older devices
12. MU-MIMO - disable if your client's don't support this feature, otherwise keep enabled
13. Universal Beamforming - disable was made before explicit beamforming. use this instead
14. Explicit Beamforming - all AC enabled devices support this feature, disable if you don't have AC client's
15. Modulation Scheme is set to their highest MCS 11
16. TX Power Adjustment - Slide to Performance
17. IGMP Snooping - Disabled
18. AP Isloation - Yes or no depending on your need's

1. For the 5GHz professional setting's
2. Everything the same as above
3. Note Explict Beamforming will be 802.11ac beamforming in the 5GHz setting's
4. leave other default's alone

• In the WPS Tab - disable this on all radio band's, I only needed this once due to having a 64 character password, and my smart TV wouldn't connect until I added it via WPS, which I immediately turned off after the Smart TV connected

Thank you for putting together such a great guide! A majority of these recommendations obviously apply to other Asus routers.

Would there be anything specific or different to recommend for the Asus RT-AC86U?

Marin

 

[daviworld]

If I recall that's the one with the crypto chip that's good for VPN's. But, naw I tried to make it general enough so people on other models could apply, tweak, or adjust to their specific need's

Thank you for putting together such a great guide! A majority of these recommendations obviously apply to other Asus routers.

Would there be anything specific or different to recommend for the Asus RT-AC86U?

Marin

Sent from my LG-H830 using Tapatalk

 

[Geraner]

You can do all of that directly on the Asus router already, why use a RPi?

Never thought about it. What is the best guide to run Pi-Hole directly on the RT-AC86U for example, with Merlin firmware?

 

[kfp]

Never thought about it. What is the best guide to run Pi-Hole directly on the RT-AC86U for example, with Merlin firmware?

AB-solution is the equivalent in Asuswrt-verse.