RT-AC66U users in 2021, which firmware do you recommend others using?


domic

Occasional Visitor
I got back my good old RT-AC66U again after a relative got to use it for a few years and I want to hear which firmware the rest of you use today.
I am aware of the dropped support for Asuswrt-Merlin, which ended on 380.70 I believe, but it's feature rich despite being a security risk.
There's also the stock Asuswrt firmware that's been updated for security patches. (I'm on 3.0.0.4.382, latest stable version at time of writing.)
Then there's John's fork on 374.something, you lose some features, but it's updated.

I don't know what other forks/firmwares for this device exist today in mid-late 2021, but if you know any, please share them with me.

Is it still 'safe' to run Merlin 380.70, the last firmware release, today (if, say, AMTM/Entware etc. maybe has update patches for those who still use that Merlin version)?
 

ColinTaylor

Part of the Furniture
I'd guess that 380.70 would be safe if you aren't exposing any of the router's services to the internet and your internal LAN is secure. Once you start opening up ports for things like AiCloud or VPN that's a different matter.

Apart from stock, Merlin and John's firmware the only other one I would consider for that particular model is Fresh Tomato.
 

domic

Occasional Visitor
> I'd guess that 380.70 would be safe if you aren't exposing any of the router's services to the internet and your internal LAN is secure. Once you start opening up ports for things like AiCloud or VPN that's a different matter.
>
> Apart from stock, Merlin and John's firmware the only other one I would consider for that particular model is Fresh Tomato.

Care to elaborate on Fresh Tomato for a newcomer to that firmware family? I've used OpenWRT in the past but have fallen in love with the streamlined experience of Asuswrt-Merlin. It's a lot easier to recover from any disastrous misconfiguration and a lot simpler to understand than dealing with package managers and a pure Linux environment like OpenWRT was.
 

L&LD

Part of the Furniture
@john9527 (based on current RMerlin firmware as possible) is the only real option for you.
 

Tech9

Very Senior Member
> Care to elaborate on Fresh Tomato

I would keep this router on stock Asus firmware. This is the newest Asuswrt base available for it. The last firmware update is from Feb 2021 and includes many security fixes. FreshTomato is an excellent, feature-rich firmware, but for this specific RT-AC66U router it doesn't have a working hardware acceleration module. Your router will be limited to about 150Mbps WAN-LAN speeds. You can "upgrade" the router a little - find AC1900P/AC86U antennas on eBay. They work better than the originally supplied ones, extending the 5GHz range to almost equal to RT-AC68U variants.


 

ColinTaylor

Part of the Furniture
@domic If you tell us what your requirements are we would be better placed to offer specific recommendations.
 

Tech9

Very Senior Member
@domic, RT-AC66U is a single core MIPS router. If you plan to run scripts on it, think twice. This hardware is good for basic Internet access or Access Point.
 

L&LD

Part of the Furniture
> Do you mean I should choose John's fork?

Yes.

It's everything you asked for, but the hardware may be a little limited depending on your ISP speeds and the scripts you think you can use on it.
 

domic

Occasional Visitor
Thank you all for your time and energy. I will stick with Merlin's last build for now until I've done enough research on the John fork.
I've disabled any ports/services to the WAN interface that could be a risk, or changed ports for the critical services I'd like to use, like VPN and remote access to web gui.
 

Tech9

Very Senior Member
> or changed ports for the critical services I'd like to use, like VPN and remote access to web gui.

Did you leave WEB Access from WAN enabled? If you did, disable it and use the VPN to access your GUI instead.
 

domic

Occasional Visitor
> Did you leave WEB Access from WAN enabled? If you did, disable it and use the VPN to access your GUI instead.

HTTPS only, I generated a new certificate, and I use good password measures, different passwords and usernames for each service like VPN, SSH etc.
But I'll ask you naively like this then, for argument's sake: "What's the harm?"
 

Tech9

Very Senior Member
> "What's the harm?"

The web server is known to be not very secure. You’re running >2 years old firmware now - even worse. Someone will get access to your router’s settings first, reconfigure your VPN and make your entire internal network part of his own. No big deal. Scanners already know the port.
 

domic

Occasional Visitor
> The web server is known to be not very secure. You’re running >2 years old firmware now - even worse. Someone will get access to your router’s settings first, reconfigure your VPN and make your entire internal network part of his own. No big deal. Scanners already know the port.

Thank you. That's more than enough reason to disable the web GUI on WAN. Fixing that now.
 

Tech9

Very Senior Member
Leave the OpenVPN port only open, use a non standard port. Monitor the logs from time to time for suspicious activity. OpenVPN in this firmware is also >2 years old version. Use DNS-over-TLS to trusted DNS servers, it will help minimize recently discovered Dnsmasq issues. Should be secure enough.
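
An added example, not part of the original post: one way to do the periodic log review suggested above, as a POSIX shell function that counts OpenVPN TLS/auth failures per source IP and lists every source that completed a connection. The function names, the `ovpn-server1` syslog tag and all sample lines are constructed for illustration; on the router you would pipe the real system log into `ovpn_review`.

```shell
#!/bin/sh
# Constructed sample syslog lines (documentation IP ranges, made-up PIDs
# and client name). The message texts are standard OpenVPN server messages.
sample_log() {
cat <<'EOF'
Aug 12 03:14:01 ovpn-server1[2345]: 198.51.100.23:40122 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Aug 12 03:14:01 ovpn-server1[2345]: 198.51.100.23:40122 TLS Error: TLS handshake failed
Aug 12 03:15:09 ovpn-server1[2345]: 198.51.100.23:40987 TLS Error: TLS handshake failed
Aug 12 07:30:44 ovpn-server1[2345]: 203.0.113.7:51820 [client1] Peer Connection Initiated with [AF_INET]203.0.113.7:51820
Aug 12 09:02:10 ovpn-server1[2345]: 192.0.2.55:33001 TLS Auth Error: Auth Username/Password verification failed for peer
Aug 12 09:05:00 dnsmasq[411]: query[A] example.com from 192.168.1.20
EOF
}

# Usage: ovpn_review [min_failures] < syslog
# Prints "FAIL <ip> <count>" for sources at or above the failure threshold
# and "CONNECT <ip> <count>" for every source that completed a connection,
# so unfamiliar addresses on either list stand out.
ovpn_review() {
    min_fails=${1:-3}
    awk -v min="$min_fails" '
        # Return the first "a.b.c.d:port" token on the line, without the port.
        function src_ip(   i, parts) {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/) {
                    split($i, parts, ":")
                    return parts[1]
                }
            return ""
        }
        /TLS Error|TLS Auth Error/  { ip = src_ip(); if (ip != "") fails[ip]++ }
        /Peer Connection Initiated/ { ip = src_ip(); if (ip != "") ok[ip]++ }
        END {
            for (ip in fails) if (fails[ip] >= min) print "FAIL", ip, fails[ip]
            for (ip in ok) print "CONNECT", ip, ok[ip]
        }
    ' | LC_ALL=C sort
}

sample_log | ovpn_review 3
```

A burst of failures from one address is usually background scanning; a `CONNECT` line from an address you do not recognise is the one to investigate first.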
 

Adooni

Senior Member
You should move to John's RMerlin fork or FreshTomato.
From a security point of view it is not a good idea to use "soft" that is 2y old.
 

Adooni

Senior Member
You're right, most of the time people write negative info about FreshTomato on this forum, and I missed that you proposed it.
The RT-AC66U is one of the few routers for which FT does not support bcm_nat (it is supported only by the RT-N branch, and the AC66U is K26RT‑AC), and this is the reason speed will be limited to about 150Mbit.
 

Tech9

Very Senior Member
> people write on this forum negative info about FreshTomato

FreshTomato has perhaps more configuration options and more modern GUI + VLANs support, but Asuswrt-Merlin has overall better performance and better Custom Scripts ecosystem + TrendMicro, if someone wants it. I would run Asuswrt-Merlin on all supported Asus hardware routers and FreshTomato on supported non-Asus hardware. Asuswrt-Merlin is guaranteed to work on supported Asus hardware. FreshTomato is subject to test. It may or may not work as expected on all listed as supported routers. Negative info? No - my own experience.
 