Clean Installation Guide for wannabe techies :)

RebornVampie

Occasional Visitor
There is much (outdated) information and I didn't find a step-by-step manual, so I am trying to create one while fixing the network myself. I am trying to summarize it in one topic. I have used OTHER people's information. I am an ICU nurse with an interest in technology and usually am able to fix things with comprehensive reading. I appreciate feedback and recommendations.

Situation:
- Current setup: ONT -> ISP router - AC68U (merlin, wired) as access point, AX58U (merlin, wired) as second access point.
- New setup: ONT -> AX88U pro (merlin) as main router - AX88u (asus, wired) as node - AX58u (asus, wired) as node.
House is three stories, classical European stone house from 1980s. We laid preproduced high quality CAT6A cables to every floor.

Reason:
My girlfriend and I are moving in together and this is a good moment to have a system overhaul.

Goals:
Get an easily manageable network running at maximum capacity both on WiFi and LAN by using AiMesh. Have a safe, protected WiFi.
Devices: 2 Synology (DS218+ (externally accessible (VPN, Plex etc)), DS416), Hue lights, Google audio x4, Google Home speaker x2, Somfy Connexoon (Sunshade + Shutters), Honeywell Round WiFi, Toshiba AC, Imou cameras x5, solar panels. Phones, laptops, computers. (Getting them managed in HomeKit as soon as we are living together :). Everything works individually now.)

Basic setup:
1. download and extract current firmware of every router to PC (ozarkedge, jan 6th). Merlin on main and original Asus on nodes. Advantage: easy update, turn auto update OFF
2. wire the PC to router LAN (ozarkedge, jan 6th)
3. browse to the router's default LAN IP address (ozarkedge, jan 6th)
4. perform the quick internet setup routine, skipping WAN (ozarkedge, jan 6th)
5. upload the current firmware (ozarkedge, jan 6th)
6. Hard Reset that firmware to its default settings (ozarkedge, jan 6th) How To: https://www.asus.com/us/support/faq/1039074/
7. perform the quick internet setup routine for real. (ozarkedge, jan 6th)

AiMesh setup (wired backhaul (main LAN to node WAN) is best performance):
8. login to main router
9. press search (1-2 minutes)
10. click add (2-5 minutes).
Do it one by one.

11. settings

Sources: https://www.snbforums.com/threads/asus-rt-axu88-pro-install-and-setup-questions.93475/
 
New setup: ONT -> AX88U pro (merlin) as main router - AX88u (asus, wired) as node - AX58u (asus, wired) as node.

Firmware 3006/3004 mix, not all main router features will be available to the nodes.
 
The new VLAN related features come with 3006 firmware. Your nodes are locked to 3004 firmware. All routers on 3006 firmware is the only guaranteed compatibility combination. This means something like RT-AX88U Pro main with 2x RT-AX86U Pro nodes… in case you want to invest in AX-class devices and AiMesh. With Ethernet infrastructure available your hardware options extend beyond consumer products.
 
Ah crap, I thought I read well into it. Bought two new routers to be able to have AiMesh with AX6000 😅. I'll try if VLAN will work by directly connecting the TV to the AX88U Pro. Thank you.
 

Not your fault. Asus marketing is all about AiMesh Compatible without explaining what exactly. What we know is based on user experience and feedback. With 3006 main router and 3004.388 nodes you may have Guest Network propagation to nodes (with some limitations), but not VLAN to node LAN ports. Your main router will have VLAN to LAN port available. Perhaps no big deal for your use case, but disappointing when you start with limitations on new equipment. For this reason I often suggest identical units on the same firmware (Asus) or lower cost SMB gear (Omada/UniFi) for new installations with Ethernet infrastructure available.
 
Bought two new routers

If the new routers are the above mentioned RT-AX88U and RT-AX58U - they perhaps have 1-2 years before landing on the End-of-Life list. Not the best models to purchase in mid 2025. RT-AX86U Pro is the cheapest option running 3006 firmware and with VLAN support.

Regular forum members @visortgw and @jksmurf have experimented a lot with mixed firmware AiMesh and shared valuable details. You may want to read the previous (quite long) discussions here on SNB Forums for additional information and realistic expectations.
 
Thank you for your input. I'll try and sell the RT-AX88U and buy a GT-AX6000.
Saw one second hand and it also has AX6000 and 3006 firmware.

I'll keep the AX58U for the attic and maybe disconnect it if it's a bottleneck.

That would be ok, right?
 
For a new network I would prefer new equipment. Saved money may turn into a huge waste of time dealing with hard to diagnose intermittent issues.
 
Hi,
I have a question about VLANs and how to set them up. I really searched in the forum and internet. I need some step-by-step advice.

After configuring everything, I now have a super stable network—thank you! I had to replace some cables, but now the speed is superb.

Sorry for the newbie question, but I have many IoT devices and security cameras (solar panels, Google Chromecast Audio, Somfy shutters, etc.). I’d like to put them on a separate network, segmented from my Synology and other devices, but still be able to access them from the main network.

I noticed the IoT setup in Asus Merlin firmware mentions wired connections, but I can’t choose which devices to assign. I have assigned all devices manual DHCP IP addresses.

I’m using a TP-Link TL-SG108E Light Managed 1Gb switch to add more ports and connect my IoT devices. I also have Asus routers: AX88U Pro, GT-AX6000, and AX58U.

Could you recommend some up-to-date reading material or guides on how to set this up with the latest Merlin 380.06? Most resources I find are outdated or inaccurate—for example, this video doesn’t represent how my router setup looks. I do not have that advanced screen :/.

Thanks in advance for your help!
 

Thank you Tech9. That AX58U is in my attic and doesn't do much. I switch it off when I don't need it.

I am struggling with inter-VLAN communication. As you've seen, it's been over a month; I have honestly tried fixing it for a while.
I would like VLAN 1 to be able to communicate with ALL of my network. But VLAN 52 and 53 need to be isolated from the rest. Just so my Synology on 192.168.2.10 can read out my solar panels with Home Assistant AND my Synology Security center can watch the RTSP or even ONVIF of my Imou cameras. I noticed that I communicate over the internet with my IoT devices, not through LAN. When I am on the same VLAN, I can access all streams and devices.

I discovered SSH commands and used ChatGPT to help make a firewall-start script for firewall rules. I tried masquerades etc.

My network is set up by using Guest Network Pro.
VLAN 1 br0 is my main network where most of my devices are, my Synologys but also, because of mDNS, Apple HomePod, Google Home, Hue, IKEA Dirigera, printer
VLAN 52 br52 is my IoT network which has most IoT devices. My cameras, oven, AC, etc.
VLAN 53 br53 is my guest network, for people who come to visit
VLAN 300 is my ISP's media channel

This is the set of rules I have running at the moment but I can't even ping my VLAN 52 device from VLAN 1.

Firewall-start
Code:
#!/bin/sh

# NAS can access solar panels
iptables -I FORWARD -i br0 -o br52 -s 192.168.2.10 -d 192.168.52.5 -p tcp --dport 80 -j ACCEPT

# br0 access to br52 and br53
iptables -I FORWARD -i br0 -o br52 -s 192.168.2.0/24 -d 192.168.52.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o br53 -s 192.168.2.0/24 -d 192.168.53.0/24 -j ACCEPT

# DROP traffic from br52 to br0 and br53
iptables -I FORWARD -i br52 -o br0  -s 192.168.52.0/24 -d 192.168.2.0/24  -j DROP
iptables -I FORWARD -i br52 -o br53 -s 192.168.52.0/24 -d 192.168.53.0/24 -j DROP

# DROP traffic from br53 to br0 and br52
iptables -I FORWARD -i br53 -o br0  -s 192.168.53.0/24 -d 192.168.2.0/24  -j DROP
iptables -I FORWARD -i br53 -o br52 -s 192.168.53.0/24 -d 192.168.52.0/24 -j DROP

What am I doing wrong or missing? I hope I can fix it by making the right firewall-start file.
Alternatively I am thinking of getting a WiFi dongle to connect to VLAN 52 over WiFi, but it defeats the purpose of separating everything in the first place.
 
@RebornVampie, if you haven't done so already, see some iptables firewall-start script examples at the following links. ChatGPT sometimes gets things wrong when it comes to scripting.
And this one specifically for communicating between Guest Network Pro profiles (two of them, br52 and br53, in the example script):
Code:
iptables -I FORWARD -i br52 -s 192.168.52.0/24 -d 192.168.53.0/24 -j ACCEPT
iptables -I FORWARD -i br53 -s 192.168.53.0/24 -d 192.168.52.0/24 -j ACCEPT
Edit to add: There are several other iptables scripting discussions for the 3006.102.x Asus-Merlin firmware that may be relevant, including these:
 
Thank you. I have read the topics. What I did is open all traffic between my Synology (192.168.2.10) and br52 (IoT) and br53. To be honest, I wanted my Synology not to be visible to guests and my IoT but I don't know how to get it working otherwise. My Synology has only HTTPS and 2FA but still I would have preferred to have it as closed off as possible.

Steps I did (for future readers): enable SSH in the Asus GUI (LAN only)
open PuTTY -> login
create script file: vi /jffs/scripts/firewall-start
add this in the file (right click):
Code:
#!/bin/sh
iptables -I FORWARD -i br52 -s 192.168.52.0/24 -d 192.168.2.10 -j ACCEPT
iptables -I FORWARD -i br53 -s 192.168.53.0/24 -d 192.168.2.10 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.2.10 -d 192.168.52.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.2.10 -d 192.168.53.0/24 -j ACCEPT
save it: escape -> :wq
give rights to access the file: chmod a+rx /jffs/scripts/firewall-start
restart firewall: service restart_firewall
check if the rules are implemented: iptables -L -v -n --line-numbers

Thank you for your help!
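
A stateful variant of the rules discussed in this thread, as an added example that is not code from any poster or from the firmware: `iptables -I` without a rule number inserts at the head of the chain, so a `DROP` for br52 to br0 sitting above any reply rule also discards ping replies, while a conntrack `ESTABLISHED,RELATED` accept lets the main LAN reach the IoT and guest VLANs without opening the NAS to them. Bridge names and subnets are the ones posted above; that the router's iptables has the conntrack match and that every cross-VLAN session is opened from br0 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: stateful inter-VLAN rules.
# Assumed: bridges/subnets as posted (br0, br52, br53), the conntrack match
# is available on the router, and every cross-VLAN session starts on br0.
IPT="${IPT:-iptables}"
LAN=192.168.2.0/24

# "-I FORWARD" without a rule number inserts at the head of the chain, so
# the chain ends up in the REVERSE of the order written here:
# DROPs go in first (evaluated last), reply ACCEPTs last (evaluated first).
apply_rules() {
    for src in br52 br53; do
        for dst in br0 br52 br53; do
            # Isolated VLANs may not open connections to any other bridge.
            [ "$src" = "$dst" ] || $IPT -I FORWARD -i "$src" -o "$dst" -j DROP
        done
    done
    for dst in br52 br53; do
        # Main LAN may open connections into the IoT and guest VLANs.
        $IPT -I FORWARD -i br0 -o "$dst" -s "$LAN" -j ACCEPT
    done
    for src in br52 br53; do
        # Replies to those connections only. Without this rule above the
        # DROPs, ping replies and TCP answers to br0 are discarded too.
        $IPT -I FORWARD -i "$src" -o br0 -d "$LAN" \
            -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done
}

# Dry run: print the rules in the order the kernel will evaluate them
# (the sed expression reverses the lines, mirroring head insertion).
resulting_order() {
    ( IPT="echo iptables"; apply_rules ) | sed '1!G;h;$!d'
}

# Apply only when installed as the firmware hook; otherwise just preview.
case "$0" in
    */firewall-start) apply_rules ;;
    *) resulting_order ;;
esac
```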
 
