Router Setup Questions, Merlin FW 384.14_2 on RT-AC68U

Discussion in 'Asuswrt-Merlin' started by TotalRouterNoob, Jan 27, 2020.

  1. TotalRouterNoob

    TotalRouterNoob New Around Here

    Joined:
    Jan 27, 2020
    Messages:
    7
    I've been reading this forum for a while, trying to learn from the good folks here but still have lots of questions on my router settings. I searched but can’t find answers that I can understand for the questions below. My router has remote access from WAN, telnet, ssh, dmz, upnp, port forwarding, IPv6, servers all turned off/disabled. There are no custom scripts or any NAS attached. Please remember, I’m a noob when answering and trying to get my router setup as securely as possible. Thank you so much for any help.
    1. Under "System Log/Routing Table" it shows the following info and I don't remember anything being there previously. What does the below text mean, is this a security issue?:
    IPv4 Routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.168.xxx.xx * 255.255.xxx.x U 0 0 0 LAN

    1) Under Tools/Advanced Tweaks & Hacks
    a) Firewall: Drop IPv6 neighbour solicitation broadcast? What is the purpose/meaning of this setting, I don’t use IPv6 at this time.
    b) Disable asusnat tunnel Y/N? Can’t find a definitive answer on what the asusnat tunnel is. Please explain.
    c) Dhcpd: send empty WPAD w/carriage return. Can someone explain what this is?
    d) WAN: Use local caching DNS server as system resolver. Can someone explain what this is?

    2) Under LAN/DNS Filter, do I need to add all my devices’ MAC addresses in order for the DNS-based filtering to work?

    3) WAN/Internet Connection:
    a) Forward local domain queries to upstream DNS. What does this mean?
    b) Enable DNS Rebind protection. What does this mean?

    4) Under System/Remote Access Configuration:
    a) Remote Access Restrictions: What is the purpose of this setting? Remote access from WAN is disabled.

    5) LAN and WAN/DNS Server Settings: I guess I never realized there were DNS server settings under both the LAN and WAN pages. Could someone explain how I should set those up, both under LAN and WAN? Right now my LAN DNS server setting is blank and WAN DNS server setting is OpenDNS. I'm guessing I don't want OpenDNS resolving stuff on my LAN?

    TIAA!!!!!
     
  2. dave14305

    dave14305 Part of the Furniture

    Joined:
    May 19, 2018
    Messages:
    2,168
    Location:
    USA
    This is normal for LAN traffic.
    There are tool tips if you hover over the descriptions of most of those options, except asusnat tunnel. In general, the most secure option is to leave it at Merlin's defaults.
    No. Only add specific devices if you want them to be filtered differently from the Global mode at the top (e.g. exceptions to the Global setting).
    a) means local hostnames from your network (e.g. mylaptop.home.lan). These should not be sent out to the WAN DNS servers because they would have no knowledge of your private addresses. Leave it No.
    b) see tool-tip. It's more secure to enable it, but safer to leave it disabled in case it causes issues and you aren't technical enough to customize the underlying configuration.
    Generally, LAN DHCP DNS servers are left blank so that machines on your LAN receive only the router IP as their DNS server. Then the router forwards queries out to your WAN DNS servers. And because of question 3) a) they will not receive hostnames from your LAN. If you want all your network to be filtered with OpenDNS, leave LAN DNS blank, set WAN DNS to OpenDNS, and set DNSFilter Global mode to Router.
     
    a5m likes this.
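Added example, not part of the original thread and not Asuswrt-Merlin's own code: a small Python model of a forwarding resolver that shows what the two settings from question 3 do, namely keeping local names off the WAN DNS servers and dropping upstream answers that point into private address space. The function names, the `rebind_ok` exemption list, the `home.lan` domain and all sample records are assumptions constructed for illustration.

```python
import ipaddress

# Ranges a public DNS answer should never point into (private, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def is_local_name(name, local_domain):
    # Single-label names and names under the local domain stay on the LAN.
    return "." not in name or name == local_domain or name.endswith("." + local_domain)

def resolve(qname, upstream, local_hosts, local_domain="home.lan",
            forward_local=False, rebind_protection=True, rebind_ok=()):
    """Return (source, answers); source is 'local', 'upstream' or 'blocked'."""
    name = qname.rstrip(".").lower()
    if is_local_name(name, local_domain) and not forward_local:
        return "local", local_hosts.get(name, [])    # never sent to the WAN DNS
    answers = upstream(name)
    exempt = any(name == d or name.endswith("." + d) for d in rebind_ok)
    if rebind_protection and not exempt and any(is_internal(a) for a in answers):
        return "blocked", []                         # public name -> private address
    return "upstream", answers

# Constructed sample data (hypothetical hosts and records).
LOCAL_HOSTS = {"mylaptop.home.lan": ["192.168.1.20"]}
UPSTREAM_ZONE = {
    "www.example.com": ["203.0.113.10"],
    "rebind.example.net": ["192.168.1.1"],    # outside name answering with the router's LAN IP
    "nas.vendor.example": ["192.168.1.50"],   # legitimate service that breaks under protection
}

def demo():
    forwarded = []                            # every name that left the LAN
    def upstream(name):
        forwarded.append(name)
        return UPSTREAM_ZONE.get(name, [])
    r = lambda q, **kw: resolve(q, upstream, LOCAL_HOSTS, **kw)
    results = {
        "local": r("mylaptop.home.lan"),
        "public": r("www.example.com"),
        "rebind": r("rebind.example.net"),
        "unprotected": r("rebind.example.net", rebind_protection=False),
        "vendor": r("nas.vendor.example"),
        "vendor_ok": r("nas.vendor.example", rebind_ok=("vendor.example",)),
    }
    return results, forwarded

if __name__ == "__main__":
    print(demo())
```

The `vendor` case is the kind of breakage the reply warns about when enabling rebind protection, and `vendor_ok` shows the per-domain exemption that fixes it.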
  3. TotalRouterNoob

    TotalRouterNoob New Around Here

    Joined:
    Jan 27, 2020
    Messages:
    7
    Thanks Dave14305!

    Should I Leave "Remote Access Restrictions" at "No"? Like I said above I have remote access from WAN disabled.
     
  4. dave14305

    dave14305 Part of the Furniture

    Joined:
    May 19, 2018
    Messages:
    2,168
    Location:
    USA
    It’s usable on the LAN as well, but you could end up locking yourself out of your router. Leave it off.
     
  5. TotalRouterNoob

    TotalRouterNoob New Around Here

    Joined:
    Jan 27, 2020
    Messages:
    7
    So are you saying that "Remote Access Restrictions" could keep devices on my LAN from getting into the router settings? There are a couple devices on my LAN that I don't want to have access to my Router config but I do have a specific computer on the LAN that I do want to be able to get into the router settings via the browser gui, would that setting help me in that instance?... keeping certain devices out of the router settings but allowing other devices into the router settings? Hope that makes sense.
     
  6. dave14305

    dave14305 Part of the Furniture

    Joined:
    May 19, 2018
    Messages:
    2,168
    Location:
    USA
    Yes, but it restricts based on LAN IP address, so you would want to assign a fixed IP on the DHCP server page so that you don’t have to worry about your “allowed” device IP changing and then being locked out of the router.

    IMO, you’re better off with a strong password and not restricting access.
     
  7. TotalRouterNoob

    TotalRouterNoob New Around Here

    Joined:
    Jan 27, 2020
    Messages:
    7
    For "Disable Asusnat tunnel", I clicked yes. I always read if you don't use something to disable it for security purposes. The only thing I could find on it was a post on SNB from 2015, and they thought it had something to do with the Asus Router App for phones and I don't want to access my router through my phone. Especially since I read the phone app turns on access from WAN. If disabling the Asusnat tunnel is an insecure setting, please let me know.
     
    dave14305 likes this.