amtm LONG time Asus/Merlin, first time amtm -- reassurance please

David Cavalli

Regular Contributor
I've used Asus routers for over 15 years and Merlin firmware for at least 7. I've dug under the hood and manually managed a bunch of things at their lower level. I can't say why I've avoided amtm for so long other than I like to be "hands-on". My self-managed Linux server had a hacker attack the other day, but my self-programmed firewall held. Talked to a friend about it (who bought Asus and uses Merlin at my suggestion) and mused if my new Asus RT-AX88U Pro would have been able to handle it. "Well, Skynet and forget it, right?" *NO* idea what he meant last week. Some minor research later and I'm *stunned* how much our "community scripts" can do. Over the past week, I bought a Samsung Bar Plus 128GB, loaded Entware and took the Skynet plunge. (I also downloaded most of the "utility" scripts that look like they don't take up many resources.) When I had the RT-AC68U, I had to keep that thing *SO* fine tuned, because there just wasn't enough NVRAM. I optimized everything. Bought the new router as the old one outlived its era, but really haven't looked into what it can do. Today, I have the opposite problem. While Skynet + "utilities" aren't doing much to eat into the power of my Asus, I'm concerned that I don't want to bloatware my perfectly-running router. In looking at the scripts available, I think Unbound and Diversion are probably the next "must haves" I want to install. YazFI looks like it's a good way to manage Guest WiFi (which I am manually right now). But this is where I'm concerned. How do I know what is "too much" for this rig? I want to go with what I "need" then "want", but would rather have stability.

I'm guessing that I probably could load *ALL* of this and more, but didn't want to push my luck with the newfound stability of the 3006.102.6 and now .7 releases. Then I remembered that Skynet blocked 22k IPs the first night! For all I know, I have a Ferrari and I'm still scared to drive 25 MPH on the freeway.

Any reassurance that my list of planned scripts is "smart" would be appreciated. Any guidance of things I've missed would be awesome. Other suggestions appreciated. After avoiding amtm forever, I don't want to go the opposite direction without understanding.

Thanks in advance! :)
 
Your router is the gateway between the untrusted internet and your home network. Every additional service or feature is another potential point of failure. That's true whether it's part of the base firmware or a user created addon. Case in point, AiCloud.

So don't install/enable things "just because you can". For example, you said Skynet blocked 22k IPs. But those IPs almost certainly would have been blocked by the router's own firewall (or AiProtection) without Skynet. So you may have added complexity and a dependency on a working USB drive, for no particular gain.

That's not to say you shouldn't install/enable any additional features. Just make sure they're worthwhile to you and not just what someone else uses.
 
Diversion is a very safe bet. Unbound, not so much. YazFi is not compatible with your firmware. Don't duplicate features the firmware already provides (ntp, syslogging, speedtests, DNS servers) or doesn't need (connection monitoring).

If it doesn't make the router safer or faster, why do you want it?

Then, if you still want them after considering those points, go ahead. But take backups first.
 
I can't say why I've avoided amtm for so long other than I like to be "hands-on"
Lol, yeah, very much picked that up when I suggested you run YazDHCP back in this thread. You're all over it.

I know you like to know what is honking along under the hood, but if you're installing other stuff under amtm, I'd still recommend you try YazDHCP and let that replace your dnsmasq.conf.add, dnsmasq-X.conf in your sig. Eventually it just gets easier (IMO) doing it that way. I modified/updated those .add and .confs in the past too but for ease of maintenance, I prefer the addon.

Pretty much agree with what the two posters above have to say though, I have looked at and uninstalled a number of scripts as they don't add anything for me.
This is my lot. I am vacillating on whether Skynet is helping or even hindering but I do enjoy Diversion and Tailmon has been great for me.

Mine.jpg
 
After avoiding amtm forever, I don't want to go the opposite direction without understanding.

About your list of installed scripts:

Skynet is best for limiting yourself. It will claim blocked IPs just because they are found in blocklists. Many folks believe Skynet is a Firewall because of a somewhat tricky description. The built-in firewall blocks all unsolicited connections by default. Community blocklists, slow updates, false positives, visible to whoever is interested. For security adds little value. USB stick requirement makes your setup as reliable as the USB stick. Depending on use case it may have more drawbacks than benefits. Skynet is best for freaking out people who don't know how it works, this is for sure.

Disk Check you installed because you added a disk. It wasn't needed before. You have created swap file as well. It's there mostly for compatibility reasons, don't look at it as RAM extension. If your router gets to active swapping on 0.1% of RAM speed drive - it's dead, reboot.

ntpMerlin duplicates built-in feature working well enough. I see nothing to optimize there with custom scripts, needless complication. scMerlin is one of the scripts RMerlin himself recommends to avoid. Not sure about current state, but it used to break GUI and cause issues frequently. Most of the shortcuts it offers you perhaps already know how to do in SSH without custom script.

ui/scribe and connmon are going to steal your time. Because you know there is something ordering logs and monitoring the connection you'll be looking at the GUI more often than before. If you have nothing much to monitor and your router is working just fine they are not needed.

Your previous no scripts configuration was better for reliability.
 
... my new Asus RT-AX88U Pro ..... YazFI looks like it's a good way to manage Guest WiFi (which I am manually right now).
Like others said, YazFi is not supported under 3006.102.x firmware. The 3006.102.x firmware's Guest Network Pro feature already has a number of YazFi features included with it. And for those few YazFi features like one-way and two-way to guest that Guest Network Pro does not have, one can use custom firewall scripting (ex: /jffs/scripts/firewall-start) to allow such traffic. Use the forum search feature, plenty of prior discussion (some with examples) of using custom scripting with Guest Network Pro.
 
Wow. Really glad I posted. Really concerned about my current setup.
If it doesn't make the router safer or faster, why do you want it?
I think this was the exact point. After talking to my friend, then reading about Skynet, the thought was, "Why is it there if it *doesn't* make things better on the router...?"

Every additional service or feature is another potential point of failure.
For example, you said Skynet blocked 22k IPs. But those IPs almost certainly would have been blocked by the router's own firewall (or AiProtection) without Skynet.
This is exactly the heart of my current issue. I *thought* (last week) that my router was great and doing well. I was concerned that it *wasn't* because of the mere existence of this script and that many use it. I don't use a blocklist on my cloud server, and thought this fronting the router made it better. If I understand right, it's adding a dead-bolt to my current dead-bolt. :) Skynet, out!

Your previous no scripts configuration was better for reliability.
Who knew how smart I was last week and how dumb I am today??? :D

I'd still recommend you try YazDHCP and let that replace your dnsmasq.conf.add, dnsmasq-X.conf in your sig. Eventually it just gets easier (IMO) doing it that way. I modified/updated those .add and .confs in the past too but for ease of maintenance, I prefer the addon.

I do enjoy Diversion
Which brings me back to "last week me". Why install a script when I have something functional? I *am* good under the hood, and there I think I'll stay. :)

After reviewing *all* this, I now think *none* of the scripts I had installed are good for me... The "KISS" method has almost always worked for every technical project for me. Disk check is the only one to keep because of the USB already in there. At this point, it's a matter of choosing between Diversion and pi-hole (or equivalent). Since I spent the $20 on the USB, I'm leaning towards Diversion.

Like others said, YazFi is not supported under 3006.102.x firmware.
And *this* is why I left DD-WRT and bought Asus routers with Merlin support for the past 7 years... While I'm impressed with the amtm roster of supporting functionality, it's the Merlin *community* (and base firmware) that keeps me coming back and recommending it whole-heartedly.

Thanks for the feedback, everyone!
 
I was concerned that it *wasn't* because of the mere existence of this script and that many use it. I don't use a blocklist on my cloud server, and thought this fronting the router made it better. If I understand right, it's adding a dead-bolt to my current dead-bolt. :) Skynet, out!
If you have open ports on the WAN (e.g. port forwards, VPN servers, etc.), Skynet will help to prevent known malicious IPs from attacking the exposed ports. But if you don't have that, the normal firewall will suffice.

The other use for Skynet is to block any outgoing traffic to known malicious IPs, if you are afraid someone on the network might be susceptible to malware/phishing/etc. The default firewall won't do this, but AiProtection might catch some but maybe not all of that traffic.
Since I spent the $20 on the USB, I'm leaning towards Diversion.
I would suggest disabling the Diversion logging after an initial break-in period to tune your allowlist. It will reduce reliance on the USB drive during normal dnsmasq operation.
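
The distinction drawn in the post above, as an added example that is not part of the thread: blocklist hits only add protection when they land on a WAN-exposed port or come from a LAN host going outbound, so this script sorts log lines into those cases. The log prefix, the sample lines and the `EXPOSED` set are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in netfilter LOG layout. The "[BLOCKED - ...]" prefix is an
# assumed label for blocklist hits; addresses are documentation ranges.
SAMPLE_LOG = """\
kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=23
kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.10 PROTO=TCP SPT=51001 DPT=443
kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=UDP SPT=5000 DPT=51820
kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.50.23 DST=198.51.100.66 PROTO=TCP SPT=40000 DPT=80
kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51002 DPT=8080
kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.5 DST=203.0.113.10 PROTO=ICMP TYPE=8 CODE=0
kernel: DROP IN=eth0 OUT= SRC=198.51.100.4 DST=203.0.113.10 PROTO=TCP SPT=51003 DPT=22
"""

# Hypothetical exposure: (protocol, port) pairs forwarded or served on the WAN.
EXPOSED = {("TCP", 443), ("UDP", 51820)}

DIRECTION = re.compile(r"\[BLOCKED - (INBOUND|OUTBOUND)\]")
FIELD = re.compile(r"(\w+)=(\S*)")

def classify(line, exposed):
    """Label one log line; None means it is not a blocklist hit."""
    hit = DIRECTION.search(line)
    if not hit:
        return None
    fields = dict(FIELD.findall(line))
    if hit.group(1) == "OUTBOUND":
        # A LAN host tried to reach a listed address; the default firewall allows this.
        return "outbound_to_listed"
    try:
        target = (fields["PROTO"], int(fields["DPT"]))
    except (KeyError, ValueError):
        return "unparsed"  # e.g. ICMP carries no destination port
    # Inbound to a closed port is dropped by the stock firewall regardless.
    return "inbound_exposed" if target in exposed else "inbound_redundant"

def summarize(log_text, exposed):
    """Count labels, and count outbound hits per LAN source address."""
    labels, lan_sources = Counter(), Counter()
    for line in log_text.splitlines():
        label = classify(line, exposed)
        if label:
            labels[label] += 1
        if label == "outbound_to_listed":
            lan_sources[dict(FIELD.findall(line)).get("SRC", "?")] += 1
    return dict(labels), dict(lan_sources)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, EXPOSED))
```

A large "blocked" total made up mostly of `inbound_redundant` hits changes nothing about exposure; the `inbound_exposed` count and the per-host outbound counts are the figures worth watching.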
 
If you have open ports on the WAN (e.g. port forwards, VPN servers, etc.), Skynet will help to prevent known malicious IPs from attacking the exposed ports. But if you don't have that, the normal firewall will suffice.

The other use for Skynet is to block any outgoing traffic to known malicious IPs, if you are afraid someone on the network might be susceptible to malware/phishing/etc. The default firewall won't do this, but AiProtection might catch some but maybe not all of that traffic.

I would suggest disabling the Diversion logging after an initial break-in period to tune your allowlist. It will reduce reliance on the USB drive during normal dnsmasq operation.
So you're saying it's a *smart* deadbolt on top of my deadbolt. I *do* have some port forwards and a ton of IoT devices that might have outbound traffic... I guess if I'm keeping the USB for Diversion, keeping Skynet might be a good long-term duo for the router. Thanks! :)
 
So you're saying it's a *smart* deadbolt on top of my deadbolt. I *do* have some port forwards and a ton of IoT devices that might have outbound traffic... I guess if I'm keeping the USB for Diversion, keeping Skynet might be a good long-term duo for the router. Thanks! :)
Couldn't Pihole (or similar) perform the same function?
 
Couldn't Pihole (or similar) perform the same function?
At this point, it's a matter of choosing between Diversion and pi-hole (or equivalent). Since I spent the $20 on the USB, I'm leaning towards Diversion.
Well, yes! :D I manage a couple of home/cloud servers, and I think I'm still leaning towards Diversion. The "pro" case for Diversion, for me, is that I spent the $20 already and it's built-in. Running it on one of my external servers would make *two* central points of failure for my family internet uptime. The only "pro" case I see for pi-hole (or equivalent) is that it looks like it has a better UI graphically, more visual data and possibly better control.
Today, Diversion as the simple built-in test is easier than firing up another Docker container.
 
Who knew how smart I was last week and how dumb I am today???

The more things you start installing, uninstalling, replacing, adjusting, blocking, filtering, logging, monitoring, etc. the lower the quality of your life will be. Write that down. Your setup was perfect before because you know what you need and how to do it. After you're done exploring go back to your cleaner better setup.
 
looks like it has a better UI graphically

Since you are getting closer to factory reset anyway... take a look at AdGuard Home. The installer is in AMTM, the best UI for ad-blocker in my opinion and with better built-in features. Relatively light weight too.

 
