I am loving asuswrt-merlin - just two questions

[vw-kombi]

I have been using a RT-AC68U as an access point with its default shipped firmware for over a year. My primary router (Dlink DIR-890L) running DD-WRT had major issues getting a utility YAMON to work properly on all releases I tried (Shortcut forwarding issues with many releases, then tried kong releases, then gave up). I was getting little/no support from a dd-wrt forum post.

I finally bit the bullet, swapped the routers around and put the latest asus-wrt merlin on there. The dlink is the access point for one end of the house now.

That was yesterday morning and I was impressed with the additional features the Asus-Merlin router mode has (it was an AP since it was bought). So I worked though my required config :

1 - added about 40 reserved IP's, there is another 40 or so dhcp on top of that.
2 - added 6 roku smart dns re-routes, thanks to this forum for instructions on those
3 - activated the traffic monitoring (added a USB) - wow, amazing - no need for YAMON, does all I need
4 - installed the iphone app - really wow, amazing
5 - added my wifi's - no issues there, roaming between all the access points and back (non asus AP's) is fine
6 - installed ddns - asuscomm.com, and the letsencrypt certs (really wow). Duckdns is no more now.
7 - piggy backed the letsencypt certs into my emby media solution with http port forward (really really wow)
8 - activated the sysloggin to my main pc
9 - the client renaming for the dhcp randoms - fantastic.
9 - tried to break it with torrents and stuff - cant seem to.

I am literally blown away with all this, the ease of setting it up, the 'sexyness' of the look and feel - that interface - miindblowing. - I just wish I tried this years ago instead of DD-WRT.

So, enough with the asus/merlin appreciation thread, I just have two questions :

1 - It defaulted to allowing the GUI to be accessed remotely on the ddns, with the letsencypt certs - so that amazing iphone app works from anywhere, that is one thing I was a bit hesitant to leave turned on. Anybody have any comments on that from a remote security perspective ? I guess I could set up a VPN for it but what are the risks of leaving it?

2 - My nvram is just over 59 - is that too big ?

Thanks to all in advance.

 

[jrmwvu04]

4 - installed the iphone app - really wow, amazing

1 - It defaulted to allowing the GUI to be accessed remotely on the ddns, with the letsencypt certs - so that amazing iphone app works from anywhere, that is one thing I was a bit hesitant to leave turned on. Anybody have any comments on that from a remote security perspective ? I guess I could set up a VPN for it but what are the risks of leaving it?

The iPhone app enables ddns and the GUI wan access silently per many user reports. Definitely do not leave this enabled and I would go so far as to say get rid of that app until such time as they fix that behavior. It’s no good. The httpd daemon seems to constantly have new vulnerabilities discovered. Several posts on this board about hostile takeovers of users’ routers with this as the suspected attack vector.

Otherwise, welcome to asuswrt-Merlin.

 

[vw-kombi]

@jrmwvu04 Thanks for that. I have disabled it from the wan. Still a nice app for LAN only use however if I don't feel like logging on to the router to find out the kid thats doing the download hogging.

 

[jrmwvu04]

@jrmwvu04 Thanks for that. I have disabled it from the wan. Still a nice app for LAN only use however if I don't feel like logging on to the router to find out the kid thats doing the download hogging.

Just be mindful that it will (as far as I know, if I’m wrong hopefully someone will correct me) flip that wan access back on every time you use it.

 

[OMNI619]

Don't forget to make some donations to developers

Sent from my SAMSUNG-SM-G920AZ using Tapatalk

 

[FreshJR]

@jrmwvu04 Thanks for that. I have disabled it from the wan.

I think the app silently reenables that feature each time you use it.

It's a major security hole. I would stop using the app until they fix it.

 

[ColinTaylor]

2 - My nvram is just over 59 - is that too big ?

59 what? Per cent, kB, bananas?

I have a pretty minimal setup and mine is: 49920 / 65536 bytes (76% utilized)

Less than 60,000 bytes used is more than enough.

 

[heysoundude]

I am literally blown away with all this, the ease of setting it up, the 'sexyness' of the look and feel - that interface - miindblowing. - I just wish I tried this years ago instead of DD-WRT.

Have you tried any of the scripts yet? amtm, ab-solution, pixelserv, skynet? you'll be re-blown... uh, blown again? yeah, best to stop before I get in trouble...Welcome to the club/cult/family

 

[vw-kombi]

Thanks again for all the replies/comments. I got nothing constructive from DD-WRT posts, and no fixes.

Re NVRAM, 59870b (bytes not bananas, hehe). Only reason I ask is on dd-wrt I was at 48. I have spot checked it and it does not seem to grow.

Re remote gui - I have used it a few times and it is still disabled for remote access, maybe a diff firmware silently re-activated it, or maybe it is time based ? I will keep an eye on it and re-check every time I run the app and report back if that changes.

amtm, ab-solution, pixelserv, skynet? I will look into them, but with only a bit of nvram left, I am worried about breaking it. Just going to enjoy it for a while.

and finally, I def will be contributing to the project for sure!!!!!!

 

[Emmanuel_m41]

Have you tried any of the scripts yet? amtm, ab-solution, pixelserv, skynet? you'll be re-blown... uh, blown again? yeah, best to stop before I get in trouble...Welcome to the club/cult/family

I am new here too, but i can say it feels so good to be part of this club/cult/family

 

[heysoundude]

Thanks again for all the replies/comments. I got nothing constructive from DD-WRT posts, and no fixes.

Re NVRAM, 59870b (bytes not bananas, hehe). Only reason I ask is on dd-wrt I was at 48. I have spot checked it and it does not seem to grow.

Re remote gui - I have used it a few times and it is still disabled for remote access, maybe a diff firmware silently re-activated it, or maybe it is time based ? I will keep an eye on it and re-check every time I run the app and report back if that changes.

amtm, ab-solution, pixelserv, skynet? I will look into them, but with only a bit of nvram left, I am worried about breaking it. Just going to enjoy it for a while.

and finally, I def will be contributing to the project for sure!!!!!!

amtm will allow you to set up a swap file, so you shouldn’t worry too much about over-taxing your RAM with the additional scripts. Even a 4gb USB drive is plenty for entware etc unless you get bigtime into logging. Be safe, have fun.

 

[vw-kombi]

I have a 16GB USB connected which is writing the traffic monitoring stuff. I assume I can use the same one ? Does it have to be formatted in a specific way (as in a linux friendly way), or is fat32 ok ? I will investigate.

Investigated, installed it, created a 512Mg swap file. Not quite sure what it does (i.e does it need a router reboot etc), but I will read up.

Nice1. Fantastic forum.

One question - before I embark on adding more stuff that may use the USB., should I buy a better USB3 device and plug into the USB3 instead ? Then reset everything up there (before I lose too much traffic history if I do this much later).

 

[heysoundude]

“Better?” If the USB drive you’re using is usb3, that’s where it should be plugged in, otherwise it’s slowing itself down and working harder, as I understand things.
If you were thinking about upgrading, you could buy an SSD and partition it for storage and system purposes (a network drive can come in handy...)
I seem to recall that a linux-friendly format of the storage medium is required for full script functionality - ext2 or ext3 - and you have to enable something in the router's firmware...aicloud perhaps?

 

[HuskyHerder]

ext2 or ext3 - and you have to enable something in the router's firmware.

I think you mean :

Administration > System > Enable JFFS custom scripts and configs > YES

And not AICloud

AB-Solution recommends ext2 format but will use ext3 or ext4

I personally went with ext2 as highly recommended.
http://www.ab-solution.info/install/requirements.html

I am using USB3 in USB2 port with no issues. Its what I had lying around. From my reading the scripts don't necessarily need the faster speed of the USB3.

 

[vw-kombi]

I will buy a USB3 one for the usb3 slot today. Ta.

 

[ColinTaylor]

I will buy a USB3 one for the usb3 slot today. Ta.

Just don't expect it to make a noticeable difference. USB flash drives on the router are fine for things that aren't I/O intensive, like storing traffic stats or loading ad-block lists. Once you start doing things that require a lot of I/O like media streaming or moving large files around you come up against the router's other limitations, like its weak CPU and lack of RAM. In other words keep it simple and don't expect your router to perform like a NAS.

 

[vw-kombi]

Maybe I mistakenly assumed that the swap file should be on the fastest drive possible ?

 

[ColinTaylor]

Maybe I mistakenly assumed that the swap file should be on the fastest drive possible ?

Yes, that's true. But I was talking about general disk read/write operations like copying files, not the swap file particularly.

Note that @heysoundude 's reply in post #11 could be misleading. You said in post #9 "but with only a bit of nvram left, I am worried about breaking it". @heysoundude then said "amtm will allow you to set up a swap file, so you shouldn’t worry too much about over-taxing your RAM with the additional scripts". NVRAM and RAM are entirely different things and are unrelated to each other. The amount (and use) of NVRAM is unaffected by RAM or swap.

 

[heysoundude]

It's quite possible (read: highly likely) I'm unclear/confused on the architecture/makeup of the electronics as well...
thanks for enlightening/clarifying @ColinTaylor