Simple way to make full use of an ASUS router while it is an AP

System Error Message

Part of the Furniture
A lot of us have ASUS Wi-Fi routers used only for Wi-Fi rather than for routing. This is for the case where your ASUS router is only an AP and your main router is something else like pfSense, MikroTik or Ubiquiti; any router that has a PPPoE server and can do port forwarding will do.

1) Install RMerlin's firmware or a variation of it. Although not entirely needed, I have not tested this with stock firmware, and his firmware has some additional features too.

ASUS routers come with a lot of features not related to being a router, such as VPN server and client, and USB applications like file sharing, media server, AiCloud, printer sharing and Download Master. A lot of these don't work when the router is in AP mode or working as an AP.

2) Make sure the DHCP server is set to disabled on the AP itself and make sure it is in wireless router mode.

3) Set up the PPPoE server on your main router and make sure it can only be accessed from the LAN. Give it a different subnet (the local address is your LAN address, the remote address will be on another subnet). Make sure it is bridged to your LAN and has a username and password (you need both, it cannot be without either). You can also disable compression and encryption for this as well.

4) Connect your ASUS AP on both the LAN and WAN port to your network. Don't use the LAN port as the WAN port, as this could cause issues in terms of switching. Enable your WAN and set it to PPPoE, enter the username and password for the user your PPPoE server is set to, and set it to use dynamic IP and DNS from it. Make sure to disable NAT and UPnP.

Once that's done and it connects, go to network tools and try something simple like pinging google.com. If it doesn't work, check your PPPoE server settings on the main router. With this and the use of port forwarding you can use your ASUS router behind the main router as a VPN server and use all the extra features that ASUS routers come with that require direct internet to the device, only this time it will not be exposed to the internet, and that idle CPU can be put to good use as well and free up some CPU from your main router in the case of VPN.

If you like RMerlin's firmware, don't forget to donate to him if you have extra cash.

Edit: another way is to use layer 3 segmentation with static IP, but you shouldn't forget to set the rules on your router to NAT the new subnet and any relevant firewall/QoS rules or such, hence why I suggested PPPoE, as you won't have to change your firewall/QoS on your main router. If you are an advanced user, layer 3 segmentation will have better performance.
 
I am illiterate when it comes to networking; however, just one comment and question: could you not achieve the same thing by connecting the second router to the LAN of the first router? Leave the second router in router mode and enable DHCP. Would this work OK, or are we talking apples and oranges here?

Have a good day,
unclebuk
 
Not if you want to avoid double NAT and have all clients on the same network.
 
While being in a double NAT setup works fine, it makes your network more complicated, so unless you have a better reason than just wanting to use the feature set of the second router, keep things simple and continue using it as an AP.
 
The point is so that everything in your LAN can see each other, so that all the features on the ASUS router will work and can be used whether on Wi-Fi or wire. If you're gonna do double NAT, what's the point of having the first router? Might as well just use your ASUS router as your main router.
 
BINGO! That is one of the big advantages of a double NAT setup, so not everything can see/connect to everything else. I run a double NAT with my IoT and guest network on the first router and my private home LAN on the router behind the first router. If my IoT were hacked, it would be much more difficult for the intruder to access my primary network.

Could the same thing be accomplished with VLANs? Probably yes, but with two routers double NATed it is quick and simple.
 
It's worse than that. Devices behind the 2nd NAT can see devices behind the 1st NAT but not the other way round.
 
That is why I sandbox all the IoT and guest networks on the first NAT. Then, by not allowing any administrative access from the WAN on the second NAT, devices on the first NAT can't in any straightforward way get into the second WAN. Also, all the devices on the first NAT that connect using Wi-Fi connect using one of the six guest networks on which intranet access is banned, making it difficult for devices on the first NAT to communicate with each other (which they have no legitimate reason for doing). Depending on the IoT device, I also have them using a different VPN client than the VPN client and server I use on my second NAT.

The VPN has a NAT firewall, which, for devices that are connected using the VPN, blocks outside hosts from establishing unsolicited connections. It also includes a packet filter which helps prevent corrupted packets from exploiting router vulnerabilities.

Having the double NATed network enables a level of security that using VLANs alone may not be able to provide, and is just one reason that having a double NAT might be right for them. The downside, of course, is the complexity and the slight increase in latency and power consumption that comes from adding extra network hardware to any network.

http://www.speedtest.net/my-result/6117428996

As you can see download speeds are fine even connecting to a VPN server 1,000 miles from my physical location.
 
So how would a double NAT work for me?

I have a NAS connected to my router, set up as an AP, which requires remote access and also provides Time Machine backup for my Macs on the LAN. Behind the AP is a FiOS router with wireless disabled. I would like to replace the AP with a 3-pack mesh (Asus Hive when it's available) running in router mode so I can utilize guest networking.

Before when I tried doing a double NAT subnet I could not access Time Machine with the NAS on the 192.168.1.x network from 192.168.2.x - and when I moved the NAS to the subnet network even port forwarding would not allow remote access to the NAS.
 
This is why I suggest not to use double NAT if you need both networks to see each other. It's likely the feature on the NAS requires layer 2 for it to work.
 
If I interpret this correctly, the internet comes to the FiOS router, which is doing all the routing. Connected to the FiOS router is an AP...however, it sounds like the AP is doing DHCP, hence the second subnet. I think you are making this too complex.

My setup is very similar to yours...NAS that needs access from outside your network...Mac computers that back up to the NAS with Time Machine. Here is a response I wrote yesterday in another thread:

<<I have almost the same setup as you because I have to use the ISP modem/router as it controls internet and TV. The ISP router is set as 192.168.0.1. I set the DHCP range on the ISP modem as 192.168.0.100 to 192.168.0.200. Then on my Asus RT-AC68U I assigned a static WAN address of 192.168.0.2, and the gateway of 192.168.0.1. Since I do access my NAS from outside the network I did one more thing to the ISP modem...I assigned the DMZ port to 192.168.0.2 once the Asus router was registered with the ISP router. Yes, I have double NAT...on the Asus (router is 192.168.1.1 and it has a DHCP range of 192.168.1.2 to 192.168.1.210), configure it normally...NAT ON, Firewall ON. This works great...I have gigabit WAN and I routinely get ~920 down in this configuration.

The Asus router does all the network Wi-Fi and network transfers...the ISP router just acts as a gateway to the internet. I have full NAS access from external to my network>>

So all of my network (wired and wireless) is handled by the Asus wireless router. I forward a few ports in the Asus router to allow access to the NAS from external. Mac computers are on the same subnet as the NAS. If I want isolation for IoT devices, I will turn on the 2.4 GHz Wi-Fi in the ISP router (subnet 192.168.0.x) to allow total isolation from the main subnet (192.168.1.x). Additionally, I can view any device on the 192.168.0.x subnet from the 192.168.1.x subnet, making it easy to set up and maintain the IoT devices.
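
Added example (not part of any post in this thread): a small Python model of who can open a new connection to whom in the double-NAT layout described above, covering the one-way visibility between the two subnets and the effect of the DMZ plus a port forward. The subnets and the 192.168.0.2 WAN address come from the post; the public address, the NAS address and the forwarded port are assumptions made up for illustration.

```python
import ipaddress

# Constructed model of the layout in the post above: ISP router LAN
# 192.168.0.0/24, ASUS WAN 192.168.0.2 (also the ISP router's DMZ host),
# ASUS LAN 192.168.1.0/24 with NAT and firewall on. Hairpin NAT is not modelled.
OUTER_LAN = ipaddress.ip_network("192.168.0.0/24")
INNER_LAN = ipaddress.ip_network("192.168.1.0/24")
INNER_WAN = ipaddress.ip_address("192.168.0.2")
PUBLIC_IP = ipaddress.ip_address("203.0.113.10")   # placeholder public address
NAS = ipaddress.ip_address("192.168.1.50")         # hypothetical NAS address
INNER_FORWARDS = {443: NAS}                        # hypothetical ASUS port forward


def zone(ip):
    if ip in INNER_LAN:
        return "inner"
    return "outer" if ip in OUTER_LAN else "internet"


def asus_wan_inbound(port):
    """Unsolicited traffic hitting the ASUS WAN address: only forwards pass."""
    return INNER_FORWARDS.get(port)


def deliver(src, dst, port):
    """Host that receives a NEW connection from src to dst:port, else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    s, d = zone(src), zone(dst)
    if s == "inner":
        # Same LAN, or outbound through the ASUS NAT: upstream is reachable.
        return dst
    if (s == "outer" and dst == INNER_WAN) or (s == "internet" and dst == PUBLIC_IP):
        # Outer-LAN hosts hit the ASUS WAN directly; internet hosts arrive there
        # because the ISP router's DMZ passes every unsolicited port to it.
        return asus_wan_inbound(port)
    if s == "outer" and d != "inner":
        return dst                  # same subnet, or out to the internet
    return None                     # no path to private addresses behind a NAT


if __name__ == "__main__":
    for case in [("192.168.1.20", "192.168.0.150", 80),    # inner -> outer
                 ("192.168.0.150", "192.168.1.20", 80),    # outer -> inner
                 ("192.168.0.150", "192.168.0.2", 443),    # outer -> forward
                 ("198.51.100.7", "203.0.113.10", 443),    # internet -> forward
                 ("198.51.100.7", "203.0.113.10", 22)]:    # internet, no forward
        print(case, "->", deliver(*case))
```

The third case is the one to check on a real network: a port forwarded on the inner router is open to every device on the 192.168.0.x side, not only to hosts on the internet.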
 
I will be re-reading this thread in more detail (which I landed on via a Google Search) in the next few weeks.

I had a similar question/situation. I am happy to make a new thread with more details, but the main question is as follows:

I currently see AiCloud 2.0 options in my RT-AC56R acting as the Wi-Fi Access Point that is running Merlin firmware version 380.63_2. Has this inability to use AiCloud/other router features in Access Point Mode been addressed by Asus/RMerlin through subsequent firmware updates since this thread was started?

Thanks!

-------------------------------------------------------

More details:

I am currently using a Verizon G1100 as the main router in the utility closet connected to Ethernet WAN, with 3 additional LAN cables plugged in that go to various LAN jacks (wall plates) throughout my home. Wi-Fi is disabled on the G1100, as I currently have an RT-AC56R acting as the Wi-Fi Access Point in one of the rooms with a LAN jack. It is running Merlin firmware version 380.63_2.

This works well enough, but I am looking to dabble with AiCloud. I would like to set up an extremely basic "personal cloud" that is remotely accessible, taking advantage of the USB ports on the RT-AC56R to connect a hard drive. From what I am reading, this thread was originally started since this wasn't initially possible.

I would like to do this with keeping the G1100 where it is, since the utility closet (and specifically the metal wiring box) will likely significantly weaken the Wi-Fi signal of any router.

Since there are no additional firmware updates for the RT-AC56R, I am in talks to buy an RT-AC68U locally. I don't think it's strictly necessary as the RT-AC56R has been working well for years, but acquiring an RT-AC68U will give me a little better peace of mind as well as a throughput and range boost. However, if I use it as the main router in the utility closet, it will negate most of the Wi-Fi advantages.
 