Settings question for RT-AC87U

[John35]

I've just gone from the factory firmware to 11.2 and have a couple of questions on the settings I was hoping people could help me with, note I did a reset to factory defaults...

Is there any way to load in an exported Client list, as I only see an Export button (do I have to type all the names in again)?

In Professional settings 2.4GHz it defaults to several things I had the other way around, are they good ideas with this firmware?:
Enable IGMP Snooping - now = Disable (I had Enable)
Optimize AMPDU aggregation - now = Disable (I had Enable)
Explicit Beamforming - now = Enable (I had Disble)
Universal Beamforming - now = Enable (I had Disble)
(I thought Beamforming had assorted issues, is it all good now, or just with caveats, I have some recollection on something about Apple devices?)

In Wireless Professional settings 5GHz it defaults to several things I had the other way around, are they good ideas with this firmware?:
Enable IGMP Snooping - now = Disable (I had Enable)
Explicit Beamforming - now = Enable (I had Disble)
Universal Beamforming - now = Enable (I had Disble)

In WAN-> Internet Connection I had uPNP disabled, we now seem to have a Secure uPNP option - is it safe to leave uPNP enabled with the secure option selected (whatever that does)?

Is this a sensible set of options at get started with secure DNS?
Connect to DNS Server automatically - Yes
Forward local domain queries to upstream DNS - Yes
Enable DNS Rebind protection - No
Enable DNSSEC support - Yes
Validate unsigned DNSSEC replies - Yes
DNS Privacy Protocol - None DNS-over-TLS (DoT)
DNS-over-TLS Profile - Strict
DNS-over-TLS Server List (Max Limit : 8)
8.8.8.8 dns.google
8.8.4.4 dns.google

I changed the default USB mode from 3.0 to 2.0 as I thought 3.0 caused issues, unless that has been sorted on the RT-AC87U?

I didn't enable the local time server, but did notice there doesn't seem to be an option for "Last" Sunday as the start/end time, is there a number you can pick that will do that as UK people might care? Also are those times just for the local NTP server?

I did the LetsEncrypt certificate thing, but get a certificate error when trying to securely access it via its IP address, using the link provided in the firmware - is that okay anyway as the cert has the DDNS address? The DDNS address also doesn't work, but http://iplookup.asus.com/nslookup.php finds an IP address, so it's made it some way out into the World.

Also a catch-all question to finish - are there any changes people usually make to the Merlin defaults that I might care about? (I made a number of changes I'm happy with in addition to the above, but they are mostly obvious things.)

 

[Grisu]

USB3.0 can interfere with 2.4G on all devices, it mostly depends on shielding of USB client and cable! On the other side some devices have problems how Asus implemented 2.0 limitation, you have to find best for your individual case.
5th sunday works as last sunday!

 

[John35]

Oh and one other thing, I have an entry in the Clients list of ASUS with a 169.254 address - I don't remember that from before and wanted to check what feature it was for? (I assume it's a feature and not an external device?)

 

[Zastoff]

Oh and one other thing, I have an entry in the Clients list of ASUS with a 169.254 address - I don't remember that from before and wanted to check what feature it was for? (I assume it's a feature and not an external device?)

It`s your 5Ghz (Quantenna) internal adress (should not show in clients but i does on the 87u..a bug)

 

[John35]

It`s your 5Ghz (Quantenna) internal adress (should not show in clients but i does on the 87u..a bug)

Thanks - BTW how's the Alpha2 of 12 on an 87u?

Oh and do you use Beam-forming on yours?

 

[Zastoff]

Thanks - BTW how's the Alpha2 of 12 on an 87u?

Oh and do you use Beam-forming on yours?

https://www.snbforums.com/threads/384-12_alpha-builds-testing-all-variants.56639/page-21#post-495043
Apart from those issues with Network map and Disable leds and these(Jun 4 17:20:58 kernel: [truncated] t 2TQ Undefined op out 2TQ Undefined op out 2TQ Undefined op out 2TQ) in syslog it feels stable
Uptime 1 days 8 hours 32 minute(s) 13 seconds on alpha2

Universal Beamforming disabled on both 2,4 & 5Ghz

 

[John35]

https://www.snbforums.com/threads/384-12_alpha-builds-testing-all-variants.56639/page-21#post-495043
Apart from those issues with Network map and Disable leds and these(Jun 4 17:20:58 kernel: [truncated] t 2TQ Undefined op out 2TQ Undefined op out 2TQ Undefined op out 2TQ) in syslog it feels stable
Uptime 1 days 8 hours 32 minute(s) 13 seconds on alpha2

Universal Beamforming disabled on both 2,4 & 5Ghz

Thanks - so do I assume you have the other Beamforming options enabled?
(i.e. "802.11ac Beamforming" on 5G and "Explicit Beamforming" on 2.4G.)

 

[Zastoff]

Thanks - so do I assume you have the other Beamforming options enabled?
(i.e. "802.11ac Beamforming" on 5G and "Explicit Beamforming" on 2.4G.)

Yes 802.11ac Beamforming on 5G and Explicit Beamforming on 2.4G is Enabled

 

[John35]

Yes 802.11ac Beamforming on 5G and Explicit Beamforming on 2.4G is Enabled

Is there some logic behind this, or it has just seemed to work well?

 

[Zastoff]

Is there some logic behind this, or it has just seemed to work well?

Read about recommended settings here on this forum several times
Universal Beamforming, Airtime Fairness, Multi-User MIMO "can" cause trouble
Best is to test how things work out in your environment Control Channels, Channel bandwidth and so on
Some info:
https://www.snbforums.com/threads/guide-troubleshooting-wifi-issues.12825/

 

[John35]

So does anyone have a view of whether I have a sensible set of values for DNS?
Thanks!

 

[dave14305]

Is this a sensible set of options at get started with secure DNS?
Connect to DNS Server automatically - Yes
Forward local domain queries to upstream DNS - Yes
Enable DNS Rebind protection - No
Enable DNSSEC support - Yes
Validate unsigned DNSSEC replies - Yes
DNS Privacy Protocol - None DNS-over-TLS (DoT)
DNS-over-TLS Profile - Strict
DNS-over-TLS Server List (Max Limit : 8)
8.8.8.8 dns.google
8.8.4.4 dns.google

Disable “Forward local domain queries to upstream DNS”. Google dns won’t be aware of your local hostnames.

Does your ISP DNS support DNSSEC? If not, you may want to override “Connect to DNS servers automatically” and add a DNSSEC-capable set of servers in case of troubles with DoT startup.

It probably wouldn’t hurt to enable DNS rebind protection as a security measure.

 

[John35]

Disable “Forward local domain queries to upstream DNS”. Google dns won’t be aware of your local hostnames.

Does your ISP DNS support DNSSEC? If not, you may want to override “Connect to DNS servers automatically” and add a DNSSEC-capable set of servers in case of troubles with DoT startup.

It probably wouldn’t hurt to enable DNS rebind protection as a security measure.

Thank you, although I'm a little confused - if I turn off "Connect to DNS servers automatically” it wants some DNS server names, but if I really want to use DNS -over-TLS why doesn't it just use those? I also turned DNSSEC off.

Oh and any opinion on a solid choice of servers for TLS access, the Google ones were just place-holders in my example? I've historically used OpenDNS but wasn't sure of their TLS support, so went with Quad9 (for malicious domain filtering) then Google.

So I have:
Connect to DNS Server automatically - No
208.67.220.220
8.8.8.8
Forward local domain queries to upstream DNS - No
Enable DNS Rebind protection - Yes
Enable DNSSEC support - No
DNS Privacy Protocol - None DNS-over-TLS (DoT)
DNS-over-TLS Profile - Strict
DNS-over-TLS Server List (Max Limit : 8)
9.9.9.9 dns.Quad9.net
8.8.8.8 dns.google

But what makes it use DNS Privacy?

Also I'm considering turning uPNP off so any info on whether the secure option makes it okay to have enabled would be most appreciated?

 

[dave14305]

Thank you, although I'm a little confused - if I turn off "Connect to DNS servers automatically” it wants some DNS server names, but if I really want to use DNS -over-TLS why doesn't it just use those? I also turned DNSSEC off.

Oh and any opinion on a solid choice of servers for TLS access, the Google ones were just place-holders in my example? I've historically used OpenDNS but wasn't sure of their TLS support, so went with Quad9 (for malicious domain filtering) then Google.

So I have:
Connect to DNS Server automatically - No
208.67.220.220
8.8.8.8
Forward local domain queries to upstream DNS - No
Enable DNS Rebind protection - Yes
Enable DNSSEC support - No
DNS Privacy Protocol - None DNS-over-TLS (DoT)
DNS-over-TLS Profile - Strict
DNS-over-TLS Server List (Max Limit : 8)
9.9.9.9 dns.Quad9.net
8.8.8.8 dns.google

But what makes it use DNS Privacy?

Also I'm considering turning uPNP off so any info on whether the secure option makes it okay to have enabled would be most appreciated?

It will use DNS Privacy by default, the “normal” DNS servers are a safety net during boot up (they become more important in 384.12, but save that concern for another day).

The popular choice for DoT servers has been Cloudflare. I find it hard personally to think of Google and Privacy in the same sentence. If you’re used to OpenDNS, perhaps for some filtering, you might prefer Quad9 for malware protection.

Using two different companies in DNS Privacy list gives you diversity in the unlikely event of an outage of either one, but it will alternate between each server in round robin fashion, and not as a primary/secondary way like traditional DNS. So one request will go to Quad9, but the next will go to Google where there is no filtering.

You can leave DNSSEC on if you abandon OpenDNS in your config and go with Quad9 primary and secondary in both DNS areas. If you need family level filtering for youngsters, Cleanbrowsing is an option, but not thought to be as resilient as the big 3 (cloudflare, Quad9, Google).

 

[John35]

It will use DNS Privacy by default, the “normal” DNS servers are a safety net during boot up (they become more important in 384.12, but save that concern for another day).

The popular choice for DoT servers has been Cloudflare. I find it hard personally to think of Google and Privacy in the same sentence. If you’re used to OpenDNS, perhaps for some filtering, you might prefer Quad9 for malware protection.

Using two different companies in DNS Privacy list gives you diversity in the unlikely event of an outage of either one, but it will alternate between each server in round robin fashion, and not as a primary/secondary way like traditional DNS. So one request will go to Quad9, but the next will go to Google where there is no filtering.

You can leave DNSSEC on if you abandon OpenDNS in your config and go with Quad9 primary and secondary in both DNS areas. If you need family level filtering for youngsters, Cleanbrowsing is an option, but not thought to be as resilient as the big 3 (cloudflare, Quad9, Google).

That's really useful, thank you.

So if I abandon Google in the TLS list and just have Quad9 I assume it'll just use standard DNS if that goes down?

Also any thoughts on Strict vs Opportunistic?

 

[dave14305]

That's really useful, thank you.

So if I abandon Google in the TLS list and just have Quad9 I assume it'll just use standard DNS if that goes down?

Also any thoughts on Strict vs Opportunistic?

No, it won’t fallback on standard DNS if DoT/stubby dies. But at that point you have other problems most likely. Use both 9.9.9.9 and the secondary 149.112.112.112 (Triple-112 doesn’t roll off the tongue).

Strict is the way to go if your goal is Privacy. Opportunistic can end up unencrypted if there are TLS negotiation issues.

 

[John35]

No, it won’t fallback on standard DNS if DoT/stubby dies. But at that point you have other problems most likely. Use both 9.9.9.9 and the secondary 149.112.112.112 (Triple-112 doesn’t roll off the tongue).

Strict is the way to go if your goal is Privacy. Opportunistic can end up unencrypted if there are TLS negotiation issues.

Okay, didn't see that coming, thanks.

 

[John35]

I'm mostly there now, thanks to all for the help... especially the stuff on secure DNS.

What I have left is firstly why are the defaults for the following "disabled"?
Enable IGMP Snooping
Optimize AMPDU aggregation

Secondly is LetsEncrypt only useful if I wanted to access the router from the WAN, as it doesn't seem to play nice with Chrome or IE internally?

 

[martinr]

....,
Secondly is LetsEncrypt only useful if I wanted to access the router from the WAN, as it doesn't seem to play nice with Chrome or IE internally?

The only acceptable way you should access the router remotely is over a vpn eg using OpenVPN Server on your router:

Merlin says:

“Personally however, I do not recommend opening even HTTPS to the WAN. Asuswrt's web server is poorly secured, and has had numerous security issues over the years. Best to limit it to LAN only, and use a VPN to remotely access it.”

https://www.snbforums.com/threads/e...wan-but-keep-http-from-lan.42521/#post-361843

 

[RMerlin]

Merlin says:

I swear, some of you must be keeping a library of things I've said over the years LOL

Soon available at Amazon: The Book of Merlin

The first 500 copies will come with a bookmark, with "Have you done a factory default reset recently?" written on it, and signed by L&LD.