My ASUSWRT RT-AX86U_388.22068 + RT-AC86U_386.48260 AiMesh
cable ISP ~300/10Mbps
router covers 3x1650sf
node at 77ft covers detached 1750sf
wired backhaul, MoCA 2.5/1GbE
wireless backhauls disabled, 2.4acx3/5.0acx4, -66/-74dBm RSSI, 216/877Mbps
Smart Connect disabled, 2.4/5.0 same SSIDs OE/OE or different SSIDs OE-24/OE, plus OE Guest/OE Guest
WiFi6/ax enabled*, 2.4 fixed/5.0 1,3-fixed
Roaming Assistant disabled
CloudFlare encrypted DNS with security filtering*
AiProtection Pro enabled*
AiMesh extends coverage, improves roaming, centralizes admin, maintains backhauls and backup router, and can be incrementally built/upgraded. No account/app/subscription/fee required.
Install Notes
* Security-related
o AiMesh = best spec router/AP/root node + nodes
Mixing models, topologies, backhauls is permitted
AP Mode root node is wired to non-AiMesh LAN
o ASUSWRT fw: AX86U/S, AC86U, EOL
Reset FAQ
Reset button/webUI Restore/node removal - clears settings in NVRAM; reboot restores fw defaults from CFE (fw defaults)
Hard Reset via WPS button/webUI Restore+Initialize - also clears data logged in /jffs partition (fw defaults+clear data)
Rescue Mode
Router KB
o Confirm ISP cable shield is grounded to Earth at demarc*
o Use a UPS to protect data/hardware*
o Use a WiFi analyzer to monitor WiFi
o Power OFF router, modem, wait (cycle power)
o Wire router WAN to modem, router LAN to PC
o Power ON router, wait
Monitor LEDs; Power LED flashes 3 times when ready
o Hold Reset button until Power LED flashing, wait
o Power ON modem
o Browse to router LAN IP (default IP 192.168.50.1) or URL router.ASUS.com to login to webUI
o Perform Quick Internet Setup (QIS) to check/upload fw, wait
See new fw link to review release notes
o Browse to router.asus.com/ajax_coretmp.asp to confirm CPU temp <86C (85% Tj max)
o Perform Restore+Initialize, wait
o Power OFF router/open WiFi*, modem
o Repeat for node
o Disconnect node WAN, LAN; place in range of router 5.0 WLAN
o Wire router WAN to modem, router LAN to PC
o Power ON router, wait; then modem
o Perform QIS and minimal configuration
- disable Smart Connect; set same SSIDs (client band steers) or different SSIDs (user band steers/segregates clients)
Or enable SC (not for AC1900/AC68/AC66); set same SSIDs (client+router band steers)
- set 2.4/5.0 WLANs ssids (Aa-Zz 0-9 space,.'&()_-); Hide SSID No; Wireless Mode Auto, enable 802.11ax/WiFi6 mode*
- enable WiFi Agile Multiband, Target Wake Time
- set Authentication Method to WPA2/WPA3-Personal, same WPA Key (Aa-Zz 0-9), Protected Management Frames to Capable*
Beware compatibility
- set max Channel Bandwidth, Control Channel
2.4 fixed: 20MHz bw; ch 1-11 (1,6,11)
See US-FCC Rules
5.0 1,2a-fixed: 160MHz bw; ch 36-48, 52-64 (omit DFS/2a)
5.0 2c-fixed: 160MHz bw; ch 100-128 (omit DFS/2c)
5.0 3,4-fixed: 160MHz bw; ch 149-161,165-177 (omit 4)
5.0 1,2a,2c,3-unfixed: 20/40/80/160MHz bw; ch Auto, exclude DFS/2a,2c (36-48, 52-64,100-144,149-165)
5.0 1,3-fixed: 80MHz bw, disable 160MHz; ch 36-48,149-161
5.0 1,3-unfixed: 20/40/80MHz bw, disable 160MHz; ch Auto, exclude DFS/2a,2c (36-48, 52-64,100-144,149-165)
Wireless Log lists noise, DFS status, client/node connection details
Start with U-NII bands 1,2a-fixed; if all clients/nodes support bands 2a,2c, include respective DFS control channels, and 2c-fixed. If RADAR/DFS prohibits bands 2a,2c, switch to 1,3-fixed (no DFS; max Tx power; no LTE noise on ch 36-48).
Set fixed control channel with least noise <-84dBm and best connections. If WiFi interference persists, switch to -unfixed settings to let router vary max bw/ch to coexist
Clients connect with their best mode, bandwidth, authentication permitted
6.0 WLANs require WiFi6e (more radio spectrum; no DFS; less range)
- disable WPS*
- disable Roaming Assistant (client node steers)
Or enable RA (router node steers); deploy node; increment 2.4 RSSI threshold until stationary 2.4 clients boot to near node
802.11k,v is supported
- confirm 2.4/5.0 Airtime Fairness disabled (compatibility)
- disable 2.4/5.0 Universal Beamforming (proprietary)
- set router LAN static IP (192.168.1.1), DHCP server IP Pool of dynamic and manually-assigned/reserved IPs (192.168.1.10-254 leaves static IPs .1-9 for client use)
- disable unused WAN UPnP, QoS GeForce NOW QoS UPnP control*
- set WAN DNS Server1,2, DNS-over-TLS (DoT), Strict, DoT Server1,2 (1.1.1.2 1.0.0.2 security.cloudflare-dns.com)*; other DNSPs
Disable DoT for Wyze IoT setup
- confirm Dual WAN\Primary WAN set to 1G WAN (2.5G LAN/WAN defaults to 2.5G LAN5 after QIS)
Or set Primary WAN to 2.5G WAN; wire 2.5G LAN/WAN to modem (default WAN becomes LAN5 after reboot)
- disable SIP Passthrough (SIP ALG)
- confirm both firewalls enabled*
- confirm Login Captcha enabled*
- set USB Mode to USB 2.0 (shield 2.4 WLANs from USB 3.x EMI)
- set Time Zone, DST (3, 2nd Sun; 11, 1st Sun; 5th = last)
- confirm Telnet, SSH, Web Access from WAN disabled*
- confirm Auto Firmware Upgrade disabled*
o Power OFF-pause-ON router, wait
o Browse to Shields UP! to confirm port security*
o Power ON node, wait
o Confirm all WLANs are broadcasting/stable
- if all nodes are wired backhaul, enable Ethernet Backhaul Mode to disable all wireless backhauls (all WiFi for client use only; no failover)
- if wireless backhaul only, confirm WPS enabled before and disabled after adding node*
- search/add reset node, wait
- confirm node Backhaul Connection Priority WAN only, or Auto
- set 2.4/5.0 guest1 WLANs ssids (use guest2 WLANs instead for standalone router), WPA2-Personal, same WPA Key, Access intranet disabled*, all nodes
Guest1 IPs will be .101,2.x (not reservable; VLANs 501,2)
Guest2,3 WLANs are on root node only
AP Mode guest WLANs are NOT isolated from intranet*
- enable AiProtection*
Administration\Privacy\Withdraw disables all Trend Micro features
- disable unused USB\media servers, Network Place Share on all nodes
SMB 2.0 is supported
o Deploy nodes high, in the clear, in range of router 5.0 WLAN; not too near ~40ft/far ~80ft/many; not one-over-the-other
Do not co-locate with other 2.4/5/6GHz EMI; disable unused WiFi Direct APs in printers, etc.
o Tilt \ | / antennas (2-3 dBi gain) for multi-level; straighten | | | for level
o Adjust wireless backhaul distance/path for 5.0 connection RSSI >-66dBm
o Ideally, wire backhaul from router LAN to node WAN/multi-gigabit LAN/WAN; other scenarios
Beware managed switch settings
o Vary node location/orientation to adjust 5.0 signal coverage/overlap to affect roaming/node steering (a small change can matter)
o Adjust Smart Connect rules to affect band steering
o Reboot AiMesh\System, wait; then client to effect change/clear conditions before troubleshooting
o Confirm integrity of cables/connectors (RG-59/Cat5e min); respect coax/fiber/UTP min bend radius; wire stationary clients
o Upgrade client adapter OEM driver
o Configure WLAN client adapter properties to affect band steering; forget connections to clear conditions and only make connection needed
o Avoid app/voice admin*
o Use new network before adding to it, one change at a time; take notes
FW Upgrade
o Save settings to .cfg file for recovery (unique to fw)
o Download fw to wired PC
Run WinMD5 to verify ASUSWRT file MD5 checksum value
Review release notes
o Eject/disconnect USB storage (free RAM; secure data)*
o Reboot AiMesh\System, wait
o Upload fw to nodes, wait; then root node, wait
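The MD5 check in the FW Upgrade steps above, as a script for a wired PC without WinMD5. This is an added example, not part of the original notes; the file name and the "published" value in demo() are constructed placeholders.

```python
import hashlib
import hmac
import os
import re
import tempfile


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file so a large firmware image is never fully loaded in RAM."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def normalize_published(value):
    """Accept the value as copied from a download page: any case, stray spaces."""
    cleaned = re.sub(r"\s+", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{32}", cleaned):
        raise ValueError("published value is not a 32-hex-digit MD5")
    return cleaned


def firmware_matches(path, published):
    """True only if the downloaded file hashes to the published MD5."""
    return hmac.compare_digest(md5_of_file(path), normalize_published(published))


def demo():
    """Constructed stand-in for a firmware file; returns (intact, truncated)."""
    payload = b"constructed firmware image bytes" * 4096
    published = "  " + hashlib.md5(payload).hexdigest().upper() + "\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "firmware_placeholder.w")  # hypothetical name
        with open(path, "wb") as fh:
            fh.write(payload)
        intact = firmware_matches(path, published)
        with open(path, "wb") as fh:  # simulate an interrupted download
            fh.write(payload[:-1])
        truncated = firmware_matches(path, published)
    return intact, truncated


if __name__ == "__main__":
    print(demo())
```

A match confirms the download is complete and uncorrupted before upload. Because the MD5 value comes from the same site as the file, it does not vouch for the source itself.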
FW Reinstall
o Remove nodes from AiMesh to Reset, wait
o Restore+Initialize root node to Hard Reset, wait
o Configure root node from scratch; do not Restore from .cfg file
OE