
Harden Asus GT-AX11000 on Merlin


ali.

Hello all,

I have taken the following steps to harden the router running on Merlin:
  1. Installed Diversion
  2. Installed Skynet
  3. Using existing Trend Micro AIProtection
  4. Using AdGuard Home for DNS lookup (Quad9, Cloudflare, OpenDNS)
What additional steps can I take to further harden the router to secure my LAN?

Would switching to pfSense as main router and firewall be any better than what I have above?

Thanks in advance
 
I have taken following steps to harden

You don't need two DNS-blockers (Diversion/AGH) and perhaps don't need an IP-blocker (Skynet). This doesn't "harden" anything. It just adds more work for the router and makes it less reliable - as reliable as the USB stick you used in the process. If you have IPv6 enabled on top - it may be even worse.

Would switching to PfSense

You have to know pfSense first. It does what you tell it to do. Not as user friendly as a home router. Above average networking knowledge required.
 
Fair comment, so what steps do you suggest then? Should I pare down all these excessive add-ons and do what exactly? And yes, IPv6 is enabled.
 
With IPv6 enabled you have to duplicate your IPv4 protection for IPv6. Otherwise whatever you "harden" on IPv4 simply doesn't matter. Skynet is IPv4 only. Diversion has double blocklists with extra workload. I have no good experience with AGH and IPv6 - managed to go around it. I don't like USB stick use in terms of reliability. Better use a small SSD in an external USB enclosure if you insist on custom scripts requiring USB storage. I don't think the scripts are really needed to "harden" the router. Whatever is built-in is hard enough for home use. If you have a public IPv4 address available and don't need IPv6 - keep it default Disabled. I constantly discover something not working properly in Asuswrt with IPv6 enabled, including in the latest 388_22525 firmware. I would wait for Asuswrt-Merlin 388.2 and skip the initial 388.1 release. Reasons why are in the release thread. On your router you can do whatever you want though.
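
The point above about duplicating IPv4 protection for IPv6 can be checked mechanically. The following is an added example, not part of the original post or of any script named in the thread: it compares two rule dumps in iptables-save format and lists the chains where IPv4 blocks and IPv6 does not. The sample dumps and the ipset name `blocklist-v4` are constructed for illustration.

```shell
#!/bin/sh
# parity_gaps V4_DUMP V6_DUMP
# Prints one line per chain where the IPv4 ruleset blocks and IPv6 does not.
parity_gaps() {
    awk '
        FNR == 1 { fam++ }                      # 1 = IPv4 dump, 2 = IPv6 dump
        /^\*/ { table = substr($0, 2); next }   # "*filter" starts a table
        /^:/  {                                 # ":INPUT DROP [0:0]" declares a chain
            c = table "/" substr($1, 2); pol[fam "|" c] = $2
            if (fam == 1) order[++k] = c
            next
        }
        $1 == "-A" && / -j (DROP|REJECT)/ { blk[fam "|" table "/" $2]++ }
        END {
            for (i = 1; i <= k; i++) {
                c = order[i]
                p6 = (("2|" c) in pol) ? pol["2|" c] : "absent"
                if (pol["1|" c] == "DROP" && p6 != "DROP")
                    print c ": policy DROP on IPv4, " p6 " on IPv6"
                if (blk["1|" c] + 0 > blk["2|" c] + 0)
                    print c ": " blk["1|" c] " blocking rule(s) on IPv4, " (blk["2|" c] + 0) " on IPv6"
            }
        }' "$1" "$2"
}

# Constructed sample dumps (not captured from a real router). "blocklist-v4"
# is a hypothetical ipset name standing in for an IPv4-only IP blocker.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/v4" <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -m set --match-set blocklist-v4 src -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i br0 -j ACCEPT
COMMIT
EOF
    cat > "$d/v6" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -i br0 -j ACCEPT
COMMIT
EOF
    parity_gaps "$d/v4" "$d/v6"; rm -rf "$d"
}
```

On a router, save the output of `iptables-save` and `ip6tables-save` to two files and pass them to `parity_gaps`. The comparison is a heuristic: a chain that uses an ACCEPT policy followed by a final catch-all DROP rule is counted under blocking rules, not under policy.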
 
Read this thread, some useful information:


Don't install scripts just because someone else is using some. Install only what you need and try to understand what scripts do and how.
 
I'm running a similar setup to yours: Diversion (Lite), Skynet with AIProtect and CAKE enabled on a USB stick (32GB) with no issues. Try it out and let us know how everything is going. I used FlexQoS in the past but I wanted to try CAKE. Best of luck.
 
Yes, that's true. My speeds are way under 300 so it works well for me. Flex would be their best option for a faster ISP.
 
Hello, you could further harden by blocking malicious actors. (Get a list from greynoise.io, export to Skynet.) Geoblocks, ASNs with bad actors. TM AI Protection isn't a bad source for threat intel. Most of the big security vendors use each other's threat intel. You're filtering your DNS, which is great; it also blocks sites with bad history. I do security hygiene for a living :) While pfSense gives good protection, especially with plugins, OPNsense (fork of pfSense) is pretty straightforward as well. Also patch software as needed, and stay on top of CVEs by checking Merlin's site for fixes or security patches. If you've got servers, see if you can disable SSLv2/3. Disable remote connection to the router if you don't need it. Use a really strong router password. Review DNS logs. Export syslog from your router as well to something like https://demo.gravwell.cloud/playbooks/8435227e-8f74-4523-b317-572e95802cb4; they have a free community version. I hope this helps. Thanks for taking security seriously :)
 
with bad actors

Yes!

 
I only commented on bad actors. Had to delete some movies after the reminder. Applying the security hygiene suggested. ;)
 