3 Router Config Advice

John Adams

Hi all,

Long time lurker and fan. Merlin if you are reading this I've used your firmware for a while now, love it and thank you.

That said ... the recent DNS over TLS support that has been added looks so promising I'm willing to rethink my network configuration to get it. I've always meant to tighten up security in our home network, and this looks like a good next step. I'm not sure how to get it though with what I have and I'm looking for any suggestions on how to do better.

Hardware config...
- Canadian, have a Bell modem issued HomeHub2000. Currently the wifi is off, it's acting as my DHCP server and I've configured the DNS to Cloudflare. It's statically configured as 192.168.2.1. I can't put it into bridge mode myself, but I could call tech support to do it. I *hate* their tech support, so I've avoided that because I have been working fine without it, but I'm not above it. The modem does not support DNS over TLS or IPv6.
- Two Asus routers running Merlin firmware, respectively 192.168.2 & 3. Wifi is on for both, configured for the same SSIDs, non-overlapping channels. Routers are 87U & 86U respectively, I have a fairly large house but the two routers seem to cover it well.
- All are hardwired together with Cat5. LAN ports are plugged into 2 & 3. modems.
- Bell has PPPoE connections, I have the password for those connections. I used to have PPPoE configured for all the routers in the past, but I couldn't see a benefit so I'm just using the Bell modem to get the WAN IPs to keep it simple.
- I have some services accessible over wireless that I want to have working through the house ... NAS, Sonos, Plex media server etc.
- No real good reason for the .2.1 subnet, other than it feels a little more secure to be non-standard.

So with all that ... any suggestions on a good way to migrate to getting to a good DNS over TLS configuration for all the wireless clients ? I know not everyone will have it, so I would set it optimistic, but it would be really nice to beef up privacy where I can.

A few other wish list items ...
- I'd like to turn on IPv6 for the network and use it. Only a nice to have.
- It would be nice to have the option to run a VPN on the 86U (look US-based).

Thanks in advance for any suggestions,

John

PS: Yes, I know I can set up my browsers to be better, run a VPN client etc. I want the network to protect not only my PCs' privacy, but the kids, their phones, my wife's phone by default. I know enough about security to know this is a small step, but it feels like an important one.
 
If you can configure the DNS statically, then you can configure it to point at a local box on your network that runs something like the “PiHole” software, which will answer your local clients over port 53 UDP, but you can configure it to do DNS-over-HTTPS to Cloudflare for the upstream connections.

That would also allow you to install your own network-level adblockers that run for everything on your local network, etc....

There are more options here, which you might want to explore for safety and for fallback when Cloudflare goes down.

But that is at least the basic concept — run your own local DNS server as a “proxy”, and have it configured to do all the security, etc... stuff that you want


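As an added example (not from this thread, and not Pi-hole's or Asuswrt-Merlin's own code), the Python below builds the same DNS query a LAN client sends the local resolver over plain UDP/53 and shows how a forwarder re-frames that identical message for a DNS-over-TLS (RFC 7858) or DNS-over-HTTPS (RFC 8484) upstream. The query bytes are constructed and the Cloudflare DoH endpoint is an assumption; the point it makes is that the DoT/DoH setting protects only the resolver-to-upstream hop, while the client-to-resolver hop on the LAN stays plaintext.

```python
import base64
import struct

# Constructed sample query (not captured from anyone's network): a LAN client
# asking the local resolver for the A record of example.com, plain UDP/53 wire format.
def build_query(name, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags 0x0100 = RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)             # QTYPE=A, QCLASS=IN

def to_dot_frame(msg):
    """RFC 7858 (DoT, TCP/853 inside TLS): same message, with a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def from_dot_frame(frame):
    """Unframe one DoT message, rejecting a length prefix that does not match the payload."""
    (n,) = struct.unpack("!H", frame[:2])
    if len(frame) != 2 + n:
        raise ValueError("truncated or over-long DoT frame")
    return frame[2:]

# Assumed upstream: Cloudflare's public DoH endpoint (the thread names Cloudflare as upstream).
def to_doh_get_url(msg, resolver="https://cloudflare-dns.com/dns-query"):
    """RFC 8484 GET form: same message, base64url without '=' padding, in the dns= parameter."""
    return resolver + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")

def from_doh_get_url(url):
    """Reverse of to_doh_get_url: restore base64 padding and decode the dns= parameter."""
    b64 = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))

def parse_question(msg):
    """Read the header and first question back out; identical for all three framings."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    labels, pos = [], 12
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return {"txid": txid, "rd": bool(flags & 0x0100), "qdcount": qdcount,
            "name": ".".join(labels), "qtype": qtype, "qclass": qclass}

if __name__ == "__main__":
    q = build_query("example.com")
    print("UDP/53 to local resolver:", q.hex())          # what every LAN device still sends
    print("DoT frame to upstream   :", to_dot_frame(q).hex())
    print("DoH GET to upstream     :", to_doh_get_url(q))
    print(parse_question(from_dot_frame(to_dot_frame(q))))
```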
 
Thank you! I hadn't even thought of that as an option, although I've read about the PiHole and have been 'waiting' for the right problem to solve to introduce it to the network.

After browsing the pihole site I have a bit of reading and planning to do, and some computer parts that may need to appear in my router closet :) If I get it all working I'll repost here as an update.
 
bell modem issued HomeHub2000... Routers are 87U & 86U respectively,

It may require some extra wires, but I would do it this way:

1. HomeHub2000 (LAN port) -> (WAN port) RT-AC86U Main Router (LAN port) -> (LAN port) RT-AC87U Access Point
2. Set RT-AC86U in DMZ on HomeHub2000 to avoid double NAT complications

This way you can use all the Asuswrt-Merlin potential on your main router and forget about Bell's HomeHub2000.
 
Usually you will use the WAN port on the AP to connect to the parent router.

You don't tell me what I usually use, OK? :D

In this case, when the router has AP Mode, you can use WAN or LAN. But this is why I don't usually use WAN for APs:

- Some routers don't have dedicated AP Mode, so Static IP, DHCP Off and LAN port turns them into an AP.
- Many routers work faster when dedicated AP Mode is not used. WAN-LAN traffic is often slower than LAN-LAN switching.
- Using LAN port allows visual identification of Routers and APs. Little trick saves some time, if no issues with NTP.
 
Another possibility is to flash the latest beta of Merlin to both RT-AC units and AiMesh them, and use the scripts for firewall, adblocking, pixelserv, QoS...it seems to me that all of the elements are in place. OP may even be able to lose the non-asus AP and maintain coverage.
 
Another possibility is to flash the latest beta of Merlin to both RT-AC units and AiMesh them

RT-AC87U doesn't support AiMesh as per ASUS. Is AiMesh working on it with Merlin?
And why to transfer data between routers over WiFi if there is already a LAN cable to the AP?
 
RT-AC87U doesn't support AiMesh as per ASUS. Is AiMesh working on it with Merlin?
Merlin won't/can't add AiMesh support if it is not supported by Asus; this router still has 382 firmware (pre-AiMesh) and Asus won't add it.
 
RT-AC87U doesn't support AiMesh as per ASUS. Is AiMesh working on it with Merlin?
And why to transfer data between routers over WiFi if there is already a LAN cable to the AP?

I was mistaken then. Apologies.
The cabled connection between hub and node under AiMesh makes for better stability of that function...more ubiquitous and reliable wifi.

 
The cabled connection between hub and node under AiMesh makes for better stability of that function

Not necessarily better. The technology is not perfect. I have tested AiMesh and I'm not impressed. It's OK only for convenience, when cable connection is not an option, click -> click -> done user friendly solution. In reality AiMesh will auto-select the connection it will use, wired or wireless. If it sees 1300Mbps wireless link, for example, it will use wireless. But you can actually have better throughput on Gigabit cable due to no interference from other routers using the same wireless channels.
 
Well thank you for all the discussion and advice!

So while I didn't mention it, I have both a Cat5 cable and a telephone jack done with Cat5 going to both routers ... whoever originally built the house wired up both options to where the routers are currently sitting. That means the two-wire solution to either router is a possibility, and I think VAL D. has convinced me to give that a try as the simplest networking solution to start. I'll try and convert the phone cable (they were done with Cat5 as well as far as I can tell, so Gigabit I think is possible) and use the DMZ'd router. I'm not using a phone at either location, so I won't be putting out anyone if I do.

I've never done the telephone / ethernet conversion before though, and prolonged internet outages at my house are hard to convince my family to take. I'll only be able to do it in a couple of weeks when I'm off and have the house & internet to myself for a day or two, I'll post back when I do.

A couple of comments ... AiMesh sounds like it would be nice ... my interest in it would be good wifi handoff through the house and maybe better wifi channel selection / co-ordination. Selecting the backhaul correctly would be nice, but I don't think a dealbreaker for me. I would hope that AiMesh continues to get better by then and maybe the problem goes away (along with a solid 811.x standard). I was very disappointed it is not available for the 87 which has been a pretty solid router for me. I'm thinking in a year maybe I'll replace it with the AX-88u, either if the 87 stops working or if firmware updates for the 87 stop. I just replaced a 66u with the 86u, the power button on it stopped working which forced me into an upgrade. I am guessing in a year there might be 811.x devices in my house, and I'd want to try hosting a wireless VPN secured network with it.

I do want to do PiHole as suggested, but as the next step. If Merlin can handle the DNSSEC, then I think the remaining reason to do so is DNS stats (pihole does that well), ad blocking and maybe a bit more network protection. Tech geek guy inside of me is kind of burning to give one of the new Pi's a whirl :)

Thanks again for taking the time to read this, I very much appreciate the advice and I'll post back to the thread when / if I get it working.
 
Just take the Node off Auto Select and ‘force’ it down Ethernet.
 
Tech geek guy inside of me is kind of burning to give one of the new Pi's a whirl :)
Does elmwood have stock, or are you sourcing elsewhere??
 
No, wired will be preferred over wireless if both are available and set to auto!

I really hope so - https://www.asus.com/us/support/FAQ/1035140/
"AiMesh analyzes the wireless signal strength for each frequency band available, and then determines automatically whether a wireless or wired connection is best to serve as the inter-router connection backbone."

I do want to do PiHole as suggested, but as the next step.

Run Diversion script first and see if you like the results. Pi-Hole works the same way - domain based ad filtering. I personally don't use network ad-blocking due to complications with some websites and services. Whoever wants to block something may use per-device solutions, adjusted to specific needs.
 
Signal strength should always be better over copper, so it should always use the ethernet connection.

I've been using Merlin's firmware for some time now - on an N66U that lasted quite some time, now an 86U - and it has come quite far, always becoming more stable and transparent and easier to configure with each update. To me, there is no reason to go outside the family for solutions, as they're more often than not in development here before I know I need them, so I'll concur with the suggestion of Diversion, especially if installed using the amtm script: amtm lets you add a swap file for the router to the USB drive, and then easily install and update some of the scripts that are discussed on this forum. If you haven't tried the QoS, FreshJR changed the internet for me; for those concerned with monitoring what happens on their home network and what device does what (I'm thinking those with kids who have their own portals to the Matrix), you can quietly and discreetly monitor/filter as necessary.
 
for those concerned with monitoring what happens on their home network and what device does what

You have to be more concerned about third-party companies monitoring you during that monitoring process. It was possible before without sending data out as part of a “free service”.
 