Questions about stock firmware on new RT-AX89X

AMRoberts

Gigabit fiber finally arrived at my home, and that upgrade demonstrated immediately that my venerable RT-N66U was no longer up to the task. The replacement RT-AX89X went into operation without any serious issues, but I'd appreciate any advice about:
  • AiProtection - Not enabled out-of-the-box; any consensus with respect to whether this is worth the (assumed) increase in load on the router?

  • Wireless MAC Filter - Is there any value in locking down my wireless to only my known devices? I live on a busy corner with lots of walkers passing by with their devices, would an accept list of only wireless devices within my house cut down on load from any of these devices trying to associate with my network, or does it just add load for checking every packet from a station for a valid MAC address?

  • IPv6 Firewall - Given that IPv6 is disabled, should the IPv6 Firewall also be disabled, or does it need to be enabled?

  • Any other recommendations?
Thanks,
Alan
 
  • AiProtection - Not enabled out-of-the-box; any consensus with respect to whether this is worth the (assumed) increase in load on the router?

Search for existing discussions here.

  • Wireless MAC Filter - Is there any value in locking down my wireless to only my known devices? I live on a busy corner with lots of walkers passing by with their devices, would an accept list of only wireless devices within my house cut down on load from any of these devices trying to associate with my network, or does it just add load for checking every packet from a station for a valid MAC address?

I would not bother... some devices these days are using randomized MAC addresses. Secure your WiFi with WPA2 or better.

  • IPv6 Firewall - Given that IPv6 is disabled, should the IPv6 Firewall also be disabled, or does it need to be enabled?

Leave the defaults until you study up and learn otherwise. I would not disable any firewalls.

OE
 
@OzarkEdge comments are good.

In my use case, I do prefer activating AiProtect. I have observed a few malicious websites blocked by AiProtect. I chose to use it from a perspective of "layers of protection".

Disable Wireless > WPS (considered a security risk)

Disable WAN > Internet Connection > UPnP (the security risk is still debated)

Since I live in an area that has close neighbors and can see more than 20 SSIDs within range, I use MAC filtering for all my WiFi devices. But as @OzarkEdge notes, you can't have randomized MAC addresses activated on your devices. And this condition means your devices may be more vulnerable in WiFi locations outside your home.

I also use Guest WiFi (list #2 or 3 - not #1) for all my IOT WiFi devices and isolate them from the rest of my LAN. In this way, each IOT device can access the internet, but they can't talk to any of my private LAN devices. But be mindful of which devices you might need access to (e.g. security camera).

I suggest you consider changing your DNS provider. I have tried a few and have chosen "Safe" Quad9 9.9.9.9 for now. Allegedly, it helps avoid/block malicious websites and may overlap with AiProtect's purpose.

If you have a network printer, I suggest you use a static IP for it. This means you will need to assign your DHCP range and choose a static IP outside that range. This step will help avoid "printer not found" issues that happen if your printer goes to sleep and wakes up with a different DHCP IP address.

LAST, and perhaps most important, DOCUMENT your changes to your router so you don't have to remember what you have done.
 
Search for existing discussions here.
Will give it another try.

... some devices these days are using randomized MAC addresses.
For the devices I have that do this you can select randomized MAC versus device MAC on each wireless connection profile, so I already have them set to use device MAC when they are connecting "at home."

Secure your WiFi with WPA2 or better.
Everything went to WPA2 when I set up the new 89X. I was worried about some of the older devices, but everything had enough hardware/driver brains to get there. Does WPA3 have a performance penalty compared to WPA2? The settings include a WPA2/WPA3-Personal option; if it isn't going to cost me in terms of performance or router load, I could set that and allow capable clients to use WPA3.

Leave the defaults until you study up and learn otherwise. I would not disable any firewalls.

OE
Getting my brain wrapped around IPv6 is low on my priority list right now, so defaults it is.

Thanks,
Alan
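
As an added example (not part of any post in this thread): a randomized (private) Wi-Fi MAC address sets the locally administered bit of its first octet, so a MAC filter accept list can be audited for entries that will stop matching once the device rotates its address. The sample list and the function names are constructed for illustration.

```python
import re

# Constructed sample accept list (label, MAC); none of these come from the thread.
SAMPLE_ALLOW_LIST = [
    ("laptop", "3C:22:FB:10:20:30"),
    ("phone", "da:a1:19:4b:7c:01"),
    ("tablet", "F2-5E-0C-11-22-33"),
    ("printer", "0018.0a12.3456"),
    ("typo", "3C:22:FB:10:20"),
]

def parse_mac(text):
    """Return the 6 address bytes, or None if text is not a 48-bit MAC."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    return bytes.fromhex(digits)

def classify(text):
    """Classify a MAC by the two low-order bits of its first octet."""
    mac = parse_mac(text)
    if mac is None:
        return "invalid"
    if mac[0] & 0x01:
        return "multicast"             # group address, never a station's own address
    if mac[0] & 0x02:
        return "locally-administered"  # U/L bit set: typical of a randomized address
    return "burned-in"                 # vendor-assigned (OUI) address

def audit(allow_list):
    """Return the entries to re-check before relying on the filter."""
    return [(label, mac, kind) for label, mac in allow_list
            if (kind := classify(mac)) != "burned-in"]

if __name__ == "__main__":
    for label, mac, kind in audit(SAMPLE_ALLOW_LIST):
        print(f"{label:8} {mac:20} {kind}")
```

An entry flagged as locally-administered usually means the device joined with a private address, so the per-network "device MAC" setting needs checking on that client before the entry is trusted.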
 
Disable Wireless > WPS (considered a security risk)

Disable WAN > Internet Connection > UPnP (the security risk is still debated)
Already done

Since I live in an area that has close neighbors and can see more than 20 SSIDs within range, I use MAC filtering for all my WiFi devices.
Wow, thought my corner with a dozen in view was bad enough.

I also use Guest WiFi (list #2 or 3 - not #1) for all my IOT WiFi devices and isolate them from the rest of my LAN. In this way, each IOT device can access the internet, but they can't talk to any of my private LAN devices.
Thanks, hadn't thought about that. At the moment everything I consider to be in that category is on a wired connection, but I'll make myself a note to consider that if I add WiFi IOT nodes.

I suggest you consider changing your DNS provider.
I already use an internal DHCP/DNS provider, a Raspberry Pi running Pi-Hole for ad-blocking with unbound as the Pi-Hole's upstream resolver. The 89X has a (disabled) DHCP scope defined for emergency purposes just in case the Pi fails and I need to get back on the air before I can replace the Pi. I'll look into Quad9 for the router's DNS settings.

If you have a network printer, I suggest you use a static IP for it. This means you will need to assign your DHCP range and choose a static IP outside that range.
I believe I'm getting the same result using static IP assignments for my printer (and other served resources on the LAN) in my DHCP setup.

LAST, and perhaps most important, DOCUMENT your changes to your router
My network documentation document has been open in another window since I started to configure the 89X. :)

Thanks,
Alan
 
Hi, to continue a bit with the config on the AX89X, I'm wondering if anybody can help with LAN / IPTV settings. I'm in the UK looking to run the BT TV box with the 89X instead of the ISP-provided one. I understand that the TV box needs IGMP Snooping. This option is not available in the IPTV section, but it is in the wireless section. It's not the same, correct? Anybody know why this option is not enabled in the 89X? I do have multicast routing enabled, and some channels work sometimes, for a couple of minutes, before freezing.

Any ideas?

Thanks,
Pete
 
I haven't tried re-enabling it lately, but AiProtection would cause my RT-AX89X to reboot randomly at least every couple of weeks. No issues until I got up to around 40 devices. It might have been something with my specific setup, so try it, but if you see reboots, disabling it will solve it.

All I do is enable IPv6, for my Nest Protects, and assign 4 or 5 static addresses. Then I'll add a RP-AX56 as an AiMesh node and that's it. I really haven't found any good reason to mess with anything else. I figure unless I have specific reasons for changing something, keeping it as stock as I can is probably best.
 
