Noob wanna get Pro

seke1111

Occasional Visitor
Hey, as the title states, I'm pretty new when it comes to networking.
I've been using Asuswrt-Merlin for a while now with my RT-AC68U but never had the time to study it the way I'd like to, so now I'm taking some time to do that.

What I have done so far on a clean firmware install:
- Enabled DoT
- Enabled QoS, unfortunately with Device Priority. Did tests with and without it multiple times; result gives me less Bufferbloat and no particular loss in speed even with my 500/500 fiber. From what I've read it should be better not to use it in my case, but apparently not; might be due to a lot of devices connected?
(I want to use FlexQoS to be able to use fq_codel, if I remember right, but I haven't been smart enough to understand how to properly set it up or even begin. I have Dyscalculia (opposite of Dyslexia), which makes me suffer particularly in the math/calculating area, so no matter how many times I try to re-read guides I have a hard time organizing it in my head. I am also unsure how to start and continue the setup with scripts even after reading.)
- Enabled AiProtection; nothing tells me not to use it and I haven't been impacted by it
- Disabled UPnP
- Disabled WPS
- Disabled services I don't use, such as AiDisk etc. (rule of thumb: don't use it? disable it)
- USB Mode 3.0 (default; was unsure if I should change it to 2.0 with regard to EMI?)

That's about it.
I would love to know what the commonly recommended settings to change for security, performance and bufferbloat actually are.
Got to start somewhere, and where better than asking you guys for advice and recommendations for a newcomer? :D
Once I learn the basics, I'll learn more and more advanced things.

EDIT: Decided to settle on these settings on the RT-AC68U
- Enabled DoT
- Disabled QoS (500/500 fiber; works better according to various tests with multiple devices)
(wanted to use FlexQoS to be able to use fq_codel, but it's not worth using for me)
- Disabled AiProtection (protected through other means, and this did indeed reduce hardware load when testing) - shout-out to Tech9 for pointing that out
- Disabled UPnP
- Disabled WPS
- Disabled services I don't use, such as AiDisk etc. (rule of thumb: don't use it? disable it)
- USB Mode 3.0 (still struggling to find an accurate answer from trusted sources, so I'm leaving it at the default)
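Added example, not from the thread or from the Asuswrt-Merlin project: a small audit script for the checklist above, meant to be run over SSH on the router. The nvram key names used here (wan0_upnp_enable, wps_enable, dnspriv_enable, ctf_disable, ipv6_service, qos_enable) are assumptions based on common Asuswrt conventions, so confirm each with `nvram show | grep <key>` on your firmware before trusting the output.

```shell
#!/bin/sh
# Added example, not from the thread: audit the settings checklist above on an
# Asuswrt-Merlin router (run over SSH). The nvram key names are assumptions based
# on common Asuswrt conventions; confirm each one with `nvram show | grep <key>`.

# Read one nvram variable. Wrapped so the audit can be exercised with a stub nvram.
get_nv() { nvram get "$1" 2>/dev/null; }

# check LABEL KEY EXPECTED REASON: print OK or WARN, return 1 on a mismatch.
check() {
  label=$1; key=$2; want=$3; why=$4
  have=$(get_nv "$key")
  if [ "$have" = "$want" ]; then
    printf 'OK   %-6s %s=%s\n' "$label" "$key" "$have"
    return 0
  fi
  printf 'WARN %-6s %s=%s (want %s): %s\n' "$label" "$key" "${have:-<unset>}" "$want" "$why"
  return 1
}

# Run every check from the checklist; the return value is the number of findings.
audit_settings() {
  findings=0
  check "UPnP" wan0_upnp_enable 0 "lets LAN devices open WAN ports on demand" || findings=$((findings + 1))
  check "WPS"  wps_enable       0 "weak pairing method, disable when not in use" || findings=$((findings + 1))
  check "DoT"  dnspriv_enable   1 "DNS-over-TLS off, upstream queries in cleartext" || findings=$((findings + 1))
  check "CTF"  ctf_disable      0 "NAT acceleration off caps WAN-LAN near 200 Mbps" || findings=$((findings + 1))
  check "IPv6" ipv6_service     disabled "clients may resolve over IPv6 and bypass DNS filtering" || findings=$((findings + 1))
  check "QoS"  qos_enable       0 "device priority in Traditional QoS needs CTF off" || findings=$((findings + 1))
  return "$findings"
}

# Run the audit when executed as a script; set AUDIT_NO_MAIN=1 to only load the functions.
[ -n "$AUDIT_NO_MAIN" ] || audit_settings || :
```

The exit status of audit_settings is the number of WARN lines, so it can gate a cron job or a post-reboot check.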
 

Tech9

Part of the Furniture
result gives me less Bufferbloat

What you have set looks right, with the exception of QoS. You perhaps don't need QoS on 500/500 fiber. Online bufferbloat tests are not accurate. Your router has relatively slow hardware by modern standards, and with QoS disabled you may find your network more responsive. Monitor AiProtection blocks - too many false positives. It sometimes restricts access to legit websites for no reason. Don't use the router for NAS - it may become unstable.
 

seke1111

Occasional Visitor
Alright, thanks for the heads-up on QoS. I'll disable QoS and Game Accelerator (it auto-enables when enabling QoS) completely. That should make the last piece if I understand correctly? :D
 

Tech9

Part of the Furniture
That should make the last piece if I understand correctly?

I don't know the details of your settings, but from experience this router works best with no TrendMicro involvement and Wi-Fi set on the higher 149-161 channels. The simpler the setup on this hardware - the better. It has a common traffic spikes bug in Traffic Monitor on the 386 code base. Make sure NAT acceleration is always enabled, otherwise your WAN-LAN traffic will be limited to about 200Mbps. This means no device prioritization in Traditional QoS, no per-IP traffic monitoring. Your Parental Controls and Time Scheduling may not work reliably with NAT acceleration enabled though, in case you use those options. In general, this is an old-model router, and for the best network experience you have to think about a possible upgrade. Newer routers not only have faster hardware, but AC Wave 2 support will boost both speed and range for your existing AC clients, plus you'll get support for future AX clients.
 

seke1111

Occasional Visitor
NAT should be enabled by default, since I get around my speed on every speedtesting site, if I'm not misunderstanding the 200Mbps limitation. I'm not using Parental Controls etc., so that is off the table.
Is it a big difference with TrendMicro off vs on? I hate the gut feeling of feeling insecure, bad characteristic of mine :(
 

Tech9

Part of the Furniture
Is it a big difference with TrendMicro off vs on?

I'm not sure if AiProtection is more about your security or about gathering usage data for TrendMicro. You pay with your data for this service. All modern browsers have Safe Browsing engines. You can use a filtering DNS service like Quad9, OpenDNS, CleanBrowsing, etc. Disabling TrendMicro on this hardware reduces the load significantly. Test it and see how it goes. You may actually get a more responsive network with lower latency.
 

seke1111

Occasional Visitor
Okay, I see. I'm using CF as DoT with 1.1.1.1; is that enough? I like using CF so I will most likely stick to that. Or is 1.1.1.1 not filtered? Disabling AiProtection sounds like a good idea, if it means I can stick with the CF setup in the router.
 

Tech9

Part of the Furniture
CleanBrowsing is very effective and widely used in schools and non-profits. Quad9 has become popular and shows good results with few false positives. OpenDNS is a popular Cisco Umbrella-based service. Cloudflare got into the filtered DNS game later; not sure how effective the service is.
 

seke1111

Occasional Visitor
Alright! I'll test out the malware-filtered CF and see how it works out. I'll change if it results in a mess! :D
 

Tech9

Part of the Furniture
If you have IPv6 enabled on your router, your DNS filtering efforts may not work.
 

heysoundude

Part of the Furniture
IPv6 is disabled, not using that xD
I can understand why, with the earlier disclosure of your Dyscalc... condition, but in other ways you're doing yourself a disservice. <flame suit on because Tech9 and I disagree on this>

I'd also reconsider the DoT config, if an IPv6 re-ponder is happening - unbound is actually very well-implemented in the Merlin scripts; my devices ping my network DNS in under 1 microsecond (usec). If the privacy of your queries to Auth servers is the impetus behind having it set up, isn't it more likely those will be lost in the noise of all the Google, Amazon etc. little tracker apps calling home at every web page load? Also - you're tunnelled to a 3rd party; what are THEY doing with your query data?

(You haven't mentioned adblocking at the router - you haven't set up Diversion or the other one yet?)
 

seke1111

Occasional Visitor
I did read through a lot of things since I want to get a good understanding of what I want, and how I want it. But I ended up taking a breather to focus on the basics first instead of going full-force craycray mode, which would most likely result in me making a lot of mistakes, unnecessary mistakes, because I'm hasty. I've accepted that I clearly can't multitask, rip. So what I did is, since I'm not very sure about how to set up the script and use it (outside of just enabling scripting), I was alright with having the blocks on the web so I'm not without. I'm all ears for learning, gotta get good! :D
 

Tech9

Part of the Furniture
but in other ways you're doing yourself a disservice

If he has no issues with IPv6 disabled, he is saving himself unnecessary trouble.

my devices ping my network DNS in under 1 microsecond

Your DNS server is much slower on the first query than public DNS servers, and it can reveal your external WAN IP.

you haven't set up Diversion or the other one yet?

Why does he need Diversion on the router when uBlock Origin is much more effective and can be enabled/disabled in one click?

flame suit on because Tech9 and I disagree on this

It won't save you. :)
 

Tech9

Part of the Furniture
I'm all ears for learning

There is a lot of smoke around. Make sure you don't catch fire and burn.

Keep it simple and use your free time for more enjoyable activities than playing with your router's settings. ;)
 

kernol

Very Senior Member
...
Why does he need Diversion on the router when uBlock Origin is much more effective and can be enabled/disabled in one click?
...
@Tech9 - "+1" and I fully agree that uBlock Origin is the way to go for blocking adverts within browsers - but it is only a browser extension ... so it does nothing for blocking adverts on devices or within apps ... nor for blocking the telemetry initiated by so many apps these days that constantly "phone home".

Curious to know what your solution to those would be ... for a non-coder seeking as simple a solution as possible?
I turned to Diversion with uiDivStats - is there a better way?
 

Tech9

Part of the Furniture
Curious to know what your solution to those would be ...

I'm past the blocking obsession. On my home network my family members are free to choose what they want to see. No one here has issues with tracking cookies and telemetry. I run a pfSense firewall with the pfBlockerNG package. For IP blocking I have FireHOL only; for DNS blocking I have the standard malware, phishing, crypto, etc. lists. The reason is Unbound as resolver. I had it as a forwarder to OpenDNS before. A light Suricata setup for what uses HTTP, no proxy. Guest Network with a bit more content filtering, since some friends have younger kids. All the phones are iPhones, all the PCs run Windows 11 - secure enough. I have no Internet-connected "smart" things. I do have a lot of home automation, but everything is locally controlled. No microphones to Google or Amazon. I guess everyone has to find their own best solution. My solution is education, not enforcement.
 
