
How can I do this using AsusWRT?

GT-AX11000... 2.0Ghz/4 core

You must have ordered GT-AX11000 Pro (2022) and not GT-AX11000 (2018).

I am not sure what wifi 6 is or if I even have a device that can use it.

The same Wi-Fi Gen like your GS-AX3000 router - AX-class device or Wi-Fi 6.
 
Thanks. It is Pro. Didn't know it was so old. Unwise? Any better choice? Asus AI suggested it.
 
Asus AI suggested it

Stick to your trusted source of information. I'm sure ASUS AI can answer all your questions.
 
Well, I am not always so sure. But I think that "wifi router for 50+ devices" should be simple enough for it to understand/answer. Thanks
 
@NoLight thanks for pointing to @jacklul 's collection of scripts for Asus routers running stock firmware!

I played around with the scripts, managed to install the framework and some scripts, especially force-dns, but I did not seem to manage to have it work. The iptables rules would not be implemented due to the chains not existing or something...
Troubleshooting seemed overcomplicated and inaccessible to me, as the scripts looked complex and very hard to understand for me, when the goal is just to implement a few iptables rules.

After some thinking, and as I am already using a Raspberry Pi to host Pi-hole with Unbound as my LAN DNS, and seeing that the LAN DHCP options in AsusWRT allow specifying a gateway for the LAN, I thought it might be possible to use the Pi as the LAN gateway, with the Pi itself having the Asus router as its gateway.

Guess what? It works! The Pi does not even need to have several ETH ports, nor to be placed between the ONT and the router or between the router and the clients on the LAN, it just connects to one of the router's LAN ports as any other LAN client would.

On the Pi, you are free to implement all the iptables NAT rules that you need to redirect all DNS requests to the Pi-hole, block DoT, etc. I used Claude AI to check the feasibility and guide me through the implementation steps (all from the CLI over SSH).

At the router level, it only took specifying the Pi's IP as the LAN gateway.
The router still acts as the DHCP server, as I have a dozen static DHCP devices already configured in there.
Actually, you could replace the Pi with any other device, like a physical firewall, or OPNsense or pfSense in a VM or a container running on your NAS, etc.

This helped me understand the CLI network tools quite a bit better. I guess the next step would be to migrate from AsusWRT to OpenWRT. This is tempting in order to unlock all the potential of the hardware and remove all restrictions, and have the firewall rules implemented onto the actual gateway directly.
The router could also run AdGuard (no PiHole package for OpenWRT), and I could get rid of the Pi altogether, but I love its ease of use running Debian-based distros.

The only thing remaining would be to use iptables and ipset in order to implement rules blocking all traffic to a public list of DNS servers, only allowing outbound requests from Unbound to the root hints server list, which should block DoH. Tutorials are available.

Thanks again for pointing to the scripts; they are still quite interesting and certainly useful to extend the feature set and usability of an Asus router on stock firmware!

Regards!

[Edit] DoH blocking was achieved (can never be 100%) by following this article and adapting it (intended for pfsense): Your Smart TV is probably ignoring your PiHole - LabZilla
Claude AI suggested adding 2 more sources of DoH-specific DNS lists on top of the public DNS list mentioned in the article.
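The single-NIC Pi gateway described in this post, as an added example that is not the poster's own configuration (which is not shown on the page): it forces forwarded DNS to the Pi-hole, resets DoT and rejects DoH destinations held in an ipset, in the spirit of the LabZilla approach. The interface name, the 192.168.1.x addresses and the list file path are assumptions.

```shell
#!/bin/sh
# Constructed example (not the forum poster's script): a Raspberry Pi with one NIC
# acting as the LAN default gateway, forcing DNS to the local Pi-hole and blocking DoT/DoH.
# Assumed addresses: Pi/Pi-hole 192.168.1.2 on eth0, ASUS router 192.168.1.1 (IPv4 only).
LAN_IF="${LAN_IF:-eth0}"
PI_IP="${PI_IP:-192.168.1.2}"
DOH_LIST="${DOH_LIST:-/etc/doh-servers.txt}"   # one resolver IPv4 per line, '#' comments allowed

# Emit the commands instead of running them, so the rule set can be reviewed (or tested) first.
dns_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Forwarding back out of the interface a packet arrived on makes Linux send ICMP redirects,
# which would tell clients to reach the router directly and bypass everything below.
sysctl -w net.ipv4.conf.$LAN_IF.send_redirects=0
# Own chains: creating (if missing) and flushing them makes reruns idempotent.
iptables -t nat -N PI_DNS 2>/dev/null || true
iptables -t nat -F PI_DNS
iptables -t nat -C PREROUTING -i $LAN_IF -j PI_DNS 2>/dev/null || iptables -t nat -A PREROUTING -i $LAN_IF -j PI_DNS
iptables -t nat -A PI_DNS -p udp --dport 53 -j DNAT --to-destination $PI_IP:53
iptables -t nat -A PI_DNS -p tcp --dport 53 -j DNAT --to-destination $PI_IP:53
iptables -N PI_FWD 2>/dev/null || true
iptables -F PI_FWD
iptables -C FORWARD -i $LAN_IF -j PI_FWD 2>/dev/null || iptables -I FORWARD -i $LAN_IF -j PI_FWD
# DoT (853/tcp) and DoQ (853/udp): reset TCP so clients fail over quickly instead of hanging.
iptables -A PI_FWD -p tcp --dport 853 -j REJECT --reject-with tcp-reset
iptables -A PI_FWD -p udp --dport 853 -j DROP
# DoH: block 443 to known resolver IPs kept in an ipset (UDP covers HTTP/3).
ipset create doh_servers hash:ip -exist
ipset flush doh_servers
EOF
    if [ -r "$DOH_LIST" ]; then
        sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$DOH_LIST" | while read -r ip; do
            echo "ipset add doh_servers $ip -exist"
        done
    fi
    cat <<EOF
iptables -A PI_FWD -p tcp --dport 443 -m set --match-set doh_servers dst -j REJECT --reject-with tcp-reset
iptables -A PI_FWD -p udp --dport 443 -m set --match-set doh_servers dst -j DROP
EOF
}
# Unbound's own queries to the root servers leave through the OUTPUT chain, not FORWARD,
# so they are unaffected by the rules above.

case "${1:-}" in
    --show)  dns_rules ;;            # print the rule set for review
    --apply) dns_rules | sh -e ;;    # run as root on the Pi
esac
```

Populate the list file from the public DNS and DoH lists the post refers to and rerun with `--apply` whenever it changes; the chains are flushed and rebuilt each time.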
 
For some time now, I have been feeling like my GS-AX3000 (bought in 2022) has been really struggling with the number of connected devices - even if they are not pushing lots of data. Just turning on one or two more devices (even if connected through an access point with a different SSID) for temporary testing purposes seems to cause significant problems. It has been a frustrating balancing act for a while now.

Given that routers in the USA are going to be banned (don't get me started), I decided I ought to just upgrade. So I just placed an order for a GT-AX11000, which I hope will be a significant upgrade. As well as having more antennae than Carters has little blue pills, this model increases RAM from 512M to 1G, uses faster RAM (DDR4), increases the CPU from 1.5 GHz/3 core to 2.0 GHz/4 core, and is 64-bit vs 32-bit. On top of all that, it is supported by Merlin - so this kind of thing might become much easier!

I am not sure what wifi 6 is or if I even have a device that can use it.

I dislike having to migrate all my settings and face a new learning curve. But the time has come.
I don't think you will gain much other than a new router. The AX3000 is a Wi-Fi 6 router. More antennas do not mean much. Faster processor with more RAM - maybe. Copy the settings from the old router manually and do not use a settings file from the old router! The good thing is you can use the AX3000 as an AiMesh node to extend range!
As for the US router ban? Stay tuned. I doubt it will ever be implemented.
 
@UltrashRicco Seems like your router doesn't load xt_comment automatically in your case (or you don't have the module at all).
Does running "modprobe xt_comment" allow you to run the script?
I think I'll just add that command to relevant scripts...
My bad, they are there! So definitely missing a module!

Note that setting the Pi as your LAN gateway will severely limit your internet performance, unless you already have a slow ISP.
 
Hi @jacklul, thanks for your help!

The USB drive mounts fine and the scripts seem to be running all right.
I had no idea "xt-comment" was needed. I do not know what it is nor what it does, nor can I find any information about it! It does not seem to be installed/present anyway:


My setup is running fine!
I did expect a significant drop in performance using the Raspberry Pi as the gateway indeed, but not at all. I have a symmetrical 500Mbps FTTH connection, that I use over a WireGuard VPN tunnel.

Performance is equivalent to what it was with the Asus router as the gateway. The Raspberry Pi CPU load and memory usage remain extremely low (but I am not heavily using the network either; let's say it is idle with a couple of clients browsing and playing YouTube videos). The Pi is a Raspberry Pi 4 with 4GB of RAM. Both the Pi and the router use ARM processors. I do not know how they compare to one another, but the Pi might even actually have more processing power than the router? Having it run as the gateway (all LAN traffic going through it) does not seem to impact it much at all.

With no VPN activated, upload/download speeds are pretty close to what is advertised (the Pi is still the gateway here):
With the VPN activated, upload/download speeds logically go down a bit and ping increases (the ping is usually a little higher. Pi is the gateway here too), but I am totally fine with these figures!


No communication with a DNS server is possible, and yet it is still correctly resolved by Unbound:

I just came up with the setup yesterday. I am happy with it so far, as I experienced no issue/downside yet.
 
It allows me to put comments on the iptables rules so they can be more easily identified when troubleshooting.
I will take a look if I actually need to use them and can make them optional/dev only.

Edit: I've pushed changes to the repository - xt_comment module is no longer required.
 
@jacklul I tried to test it. I think I updated the framework correctly? (jas.sh update)
Still getting the same xt_comment issue, but at least the force-dns script seems to launch this time:

Shall I prepare the USB drive from scratch again? I do not mind, as I have absolutely nothing useful on it so far.
Thanks!

[Edit] it broke DNS resolution, so I guess the script is doing something. :)
I will not be using force-dns as I found my external gateway solution to deal with firewall rules instead, but I will definitely check the other scripts!
That is, before I move on to OpenWRT. :)
 
It didn't update; you would see 'updated' instead of a checkmark if it did.
The install worked though, it should be working now.
 
Hi, I found this program "WRT settings" that can decrypt, read and write Asus routers' configuration files! You can modify nvram settings directly; use with caution!
I have not tested modifying a file yet, but it reads config files with no problem (Asus TUF-AX6000 router).
Would the changes made to the config file/nvram settings be permanent and survive reboots, etc?
Link to the tool: https://medo64.com/wrtsettings/
GitHub repo: https://github.com/medo64/WrtSettings
 
WRT Settings is a very useful utility, especially its ability to save settings as a text file. But personally I don't trust it to write nvram variables. It hasn't been updated for 7 years (AC56U, AC66U, AC68U) and as it says on its homepage in large letters, "No longer supported. It might or might not work for your use case.".
 
Worth testing! Do you know whether the nvram settings set by the config file would be persistent?
It is still overly complicated compared to a less restricted FW.

I did manage to come up with a basic working WAN (PPPoE + VLAN), LAN and WLAN configuration for OpenWRT on the TUF-AX6000, but it definitely is not very user-friendly, although it is perfectly fine for Linux enthusiasts and control freaks. It really unleashes all the potential of the HW.
I want to come up with the same configuration with OpenWRT that I currently have with AsusWRT (static DHCP leases, VPNs) and test OpenWRT as a daily driver for a while, like how easy/hard it is to switch from one VPN to another, to route a LAN client through one tunnel or another, etc.
Asus' VPN Fusion does quite a decent job at that, but eventually relies on the basic linux networking tools available on any linux machine.

Flashing back and forth between AsusWRT and OpenWRT is easy enough to make testing possible (keep your settings files in order to restore them after flashing!).

OpenWRT has quite a steep learning curve and the fragmented documentation definitely does not help in that regard!
 
Also, some nvram values such as the webui password are now encrypted - unsure how such an application might handle that.
 
I don't see much use in that utility for writing because you'd have to write the entire contents of nvram. Given the question mark over its current and future compatibility, that's not something I'd risk when there are better, "supported" methods using the nvram command. But in the right circumstances it might be worth the risk. I suppose the worst that could happen is the router doesn't boot, in which case you'd just need to do a factory reset to recover.
 
I checked: my webGUI password is not showing, so I guess the utility just cannot decrypt nor output it.
Just make sure the app does not try to overwrite it. If someone tried to edit the password in his config file (for instance if he lost his password), the written password would probably lack encryption, and therefore not work.
 
Since they are saying the USB mount script works for them, a script like this could do the trick:
Bash:
#!/bin/sh
# /jffs/scripts/firewall-setup.sh
# Re-applies custom firewall and hosts changes that the stock firmware may revert.

# Redirect DNS queries addressed to 114.114.114.114 back to the router's own resolver.
# Each rule is added only if it is not already present (-C checks for an existing rule).
if ! iptables -t nat -C PREROUTING -d 114.114.114.114 -p udp --dport 53 -j REDIRECT > /dev/null 2>&1; then
    iptables -t nat -A PREROUTING -d 114.114.114.114 -p udp --dport 53 -j REDIRECT
fi

if ! iptables -t nat -C PREROUTING -d 114.114.114.114 -p tcp --dport 53 -j REDIRECT > /dev/null 2>&1; then
    iptables -t nat -A PREROUTING -d 114.114.114.114 -p tcp --dport 53 -j REDIRECT
fi

# Append the custom host entries once, mark the file so it is not appended twice,
# and make dnsmasq re-read it. (The original post wrote "/cte" because the forum
# filtered the path; it is written as /etc here.)
if [ -f /jffs/hosts ] && ! grep -Fq "# modified" /etc/hosts; then
    cat /jffs/hosts >> /etc/hosts
    echo "# modified" >> /etc/hosts
    killall -SIGHUP dnsmasq
fi

# Schedule this script to run every minute through the firmware's cron helper (cru).
cru a firewall-setup "*/1 * * * * $(readlink -f "$0")"
Replace "/cte" with "/etc"; I had to replace it, otherwise the forum prevents me from sending this post.

/jffs/hosts is where you would put your hosts additions.
Once this script runs it schedules itself to run every minute - if the firmware reverted the changes it will reapply them.
I cannot thank you enough for this. It seems to work great!
 
