VPN traffic redirect and kill switch problem

[usmerit]

Hello,
im using Merlin 380.68_4 on RT-N66U and I noticed two problems with VPN. Need some advice or help. Im using OpenVPN client with "Redirect Internet traffic Policy Rules (strict)" and "Block routed clients if tunnel goes down" in rules I have clients added with Iface VPN, and it works fine clients connect with VPN... but when I restart router:
1. OpenVPN don't reconnect auto (is there any way to make him do it auto?) there is set connection retry to 5 seconds, but it look like it apply only when connection drop and not after router is restarted but wasen't able to check it.
2. And what's most important when VPN wasen't connected all clients have access to internet by normal IP not VPN, kill switch in "Block routed clients if tunnel goes down" do not work...
in log I see:
rc_service: httpd 1194:notify_rc start_vpnclient1 but after that nothing happen, vpn do not reconnect

Then I decided to restore router to factory defaults and config it again, and kill switch works till first router restart, after that no more kill switch again real IP and no kill switch

And OpenVPN on this firmware faild dns leak test... it leak oryginal DNS from ISP

any ideas?

 

[st3v3n]

usmerit, In theAdvanced/WAN settings section (see pic), have you un-ticked the 'connect to DNS server automatically' removed all ISP DNS servers listings (nothing in either field), then saved? In your Lan>DHCP server, if you set the range (pic) and then chose or allow the router to auto/assign a manual IP for each device (pic), saving after each step, the devices will always stay in that range and will handle in OpvenVPN. Most of this is covered throughout RMerlin's fine wiki, and can take a while to absorb.

The N66 is a good router, but it's getting long in the tooth, with one core; depending how many devices you're routing, if they stay in that range above and as explained in the fine wiki, the DNS 'Exclusive' and 'Policy/Strict/Block, if tunnel goes down' this should work to keep them from 'seeing/talking to' your ISP and vice versa, if you save after each step, before setting the VPN to turn on automatically/start with WAN.

If for some reason the OpenVPN client isn't starting automatically, the devices still shouldn't be connecting to WAN/ISP,, as long as the settings are set and sticking. You might try a reboot, unplug power for 30 seconds, plug back in, then restart the router cleanly (not a reset). Allow it to take a few minutes to settle down before rechecking all of the settings. Read the wiki and the site on everything related to your model and vpn issues, as much as you can; almost every issues is covered (somewhere) in the forum and in the wiki See if that helps. Cheers

 

[usmerit]

I think there is some problem/bug with this firmware...

1. yes I set WAN and unticked 'connect to DNS server automatically' but when I leave then DNS Server1 empty, Internet stop working, WAN icon is green VPN connect but no way to open any website (dns error), windows network incon show that internet is working but no webiste works. Then even VPN connection stop working and button was set to OFF, when I try set it to ON "Updating to 100%" and again back to off.
2. when I put google DNS then router get crazy, VPN have all the time status connecting, and it's not connecting, bad handshakeand retry all over. After fifth router restart (by power button) he finaly connect to VPN, but before he connected all network device had access to internet with real IP. When he connected to VPN all devices have VPN IP.
3. Factory restore option is not working (updating to 100%) and no factory settings, had to do it hard way.

Reasuming: if 'connect to DNS server automatically' is set to NO and it have no dns IP, then intrnet is not working, VPN sometimes connect but no internet, or button always get back to OFF
Autoreconnect is not working, VPN is set to start with WAN but it dosen't
Factory restore option not working have to do it hard way
After setting back DNS manualy and 5 restart of router he start working, but before VPN connect killswitch is not working and devices have real IP (connection made manualy by on/off button)

I read tons of manuals in last week, I do all correct, but there is something wrong in soft
Start to miss my ddwrt router


Any ideas?

 

[st3v3n]

Usmerit; Keep at this for a while and eventually you'll be successful, if you follow Merlin's wiki and the manual; many VPNs have Asus or Merlin setup guides, so study them. If your ISP doesn't require you to use a unique ID name and doesn't require you to use their DNS servers, there's no reason you can't use any DNS service you wish in conjunction with your VPN. ISPs like if you use their DNS and servers so they can harvest and sell your information. No current regulation or law requires you to use a particular DNS if it's not in your TOS; if you're in a different country, check your regs. Your router's WAN always connects to the modem and and the ISP's servers.

The ISP can see you're running OpenVPN traffic to an IP range, and they probably who all of the VPNs are. The ISP aren't really able to tell what's in your tunnel (though certain entities can); it's a standoff so far. You can't bypass the ISP, only route through it's service. If you select a UDP 443 VPN server; almost all normal internet traffic uses port 80 and 443, so it's the fastest and best solution to date, and most ISPs haven't begun wholesale block of OpenVPN traffic. If you're concerned with net neutrality on December 14th, offer your best wishes to your favorite congress-critter; this will affects everyone, a side note.

Your router should always be able to see the IP address the ISP assigns your service. You can enter any DNS service you want in the WAN DNS field, but if you aren't going to use the ISP's DNS or servers, doing so is an empty gesture. We have no trouble accessing any tunnel without a DNS server address in the WAN tab.

As long as you aren't doing anything the men-in-black care about, just keep an eye for tunnel drops. If your tunnel drops and you're not doing anything too untoward, the ISP will either warn you, or disconnect your service. Since you don't want to use the ISP's DNS, un-tick the auto-connect box and don't list any DNS in the WAN fields.

Instead of listing DNS in WAN, list any DNS servers you wish in the LAN-DHCP-DNS fields. You can use the VPN provider's internal DNS server in the first field, followed by google, Level3, OpenNIC, etc. Be sure the DNS servers have the security/speed/location you want. Your VPN provider's DNS network may or may not use what you enter in the DNS fields. You can try, it will either append or ignore those DNS listings. VPNs usually have their own DNS solutions, which is what I've found. If your PC or devices are dropped to WAN instead of the VPN, then the PC or device will attempt to connect to the ISP, even if you've disabled the auto connect and don't have a DNS listed, so be vigilant.

If your PC isn't finding your VPN tunnel's DNS, you can try this; in your Windows Network/Sharing Center/LAC, right-click on LAC; look at TCP/IPv4 properties/General tab. If those settings are on automatic, your PC should be routing to the VPN automatically. If you forget you've tried this, it will cause you a headache; you can try placing your VPN provider's internal DNS in the "use the following DNS" field; click OK/Close/Close. The PC will then -only- see the VPN's DNS address and won't try to use the ISPs DNS, even if you drop the PC's route to WAN. Test it only after you've got the VPN up and running or it will confuse you and there's no sense in muddying the issue.

If the PC's static IP is in the correct range as above, and routed to the VPN on the OpenVPN client page, it should work if your config is written properly by your provider. Not sure why you've reset-restored the router so many times; don't let the process frazzle you, sometimes it takes longer than you want or expect. It's doubtful the router is harmed, but it may be a bit confused, or a setting isn't displaying correctly which may require one final factory default on your current firmware. If that fails, you could try reverting to a pre-v380.68 build just to check.

If you keep a log of the steps you take as you go, you'll be able to retrace all moves when things go wrong. Only one error such as forgetting a save can make the router act erratically with a config, if it can connect at all. All routers have one main purpose, to route your traffic over the networks you set. The more complex tasks older routers have to work will make them struggle to the point of pain. It may sound old-school, but a checklist will help. Don't carry your previous settings forward from the last try.

First, download a fresh OpenVPN config from your provider. Scan the config file after you've downloaded it.

After you've reset the router to factory default, let it run and look it over before setting it up again prior to loading the new config into your client. Be sure your cert/keys/username/PW are entered, save the page then, STOP. Don't change the basic config settings just yet, take a screen grab, then turn it on. If the config works, let it run while you look at the logs run and perform run tests on the router and PC. If the tunnel/client doesn't run, try turning it on again. If it doesn't connect, run something is either missing, conflicting or incomplete. Search for this specific topic on the forum, then go through the router and recheck your settings.

If the client settings are OK or you've made a correction, try restarting the tunnel and it should run; do more testing and let it run some more. If the tunnel starts and runs, and the router is responsive, you can begin to try changes, one at a time. If the router acts strangely or the tunnel drops, Stop. Roll back the change that broke the config before trying a different setting. Good luck!

 

[usmerit]

st3v3n Thank you for so long description and your time. But we are going in different direction.

Like I told before unticked 'connect to DNS server automatically' and epty dns fields then PC have problem, your description to config DNS on PC is a solution. But still none of it solve problem of not working killswitch, it only work after tunel start, then is connection drop yes traffic is blocked. But when router restart or is power off and on first seconds (if autoconnect kick in) or till I manualy connect to VPN then all devices in network have real IP, kill switch have no effect. I upgraded to 380.69 same situation (router web interface become extra slow when I try to enter VPN config page). Still autoconnect sometimes works fine and sometimes it's just not connecting.

If we users have to treat router with merlin software like egg, be gentle wait and wait and wait, and hope that setting will kick in (or not) thats clear signal that firmware is not what it should be. I my case I use VPN to connect to my servers network and manage them. but many people use VPN for security reason and they just cant rely on Merlin firmware to mch, I had big hopes for this firmware...

And yes I did read manuals and follow wiki but it's just not working as should be, kill switch is not working before router connect to VPN, autoconnect sometimes work sometimes not...

 

[john9527]

Thank you for so long description and your time. But we are going in different direction.

Just a couple of items to consider...I don't know if they apply to your situation or not.
- If you are using a browser to test access, remember that it has it's own cache. It can appear that there is internet access, but the browser is really refreshing from it's cache.
- If you are running in a dual-stack environment with IPv6, the kill switch does not apply to IPv6 (the current VPN client does not support IPv6). In fact, you will have VPN leaks to WAN IPv6 even when the VPN is up. If you are running a VPN, make sure IPv6 is disabled.

 

[usmerit]

Hi john9527
- I'm aware of cache in browser, each time to check IP I use private mode and check TTL in ping
- IPv6 is disabled

 

[st3v3n]

There's something definitely wrong and/or missing from OP's description in this process; perhaps it's the order in how he's attempted to lay it out (or lack thereof ) in the description, from his perceptive of kill-switches,'waiting, waiting' then sometimes the router is semi-working, sometimes not. It's all a bit vague to formulate any working hypothesis.

When added to the statement 'users treating Merlin FW like eggs' that's a bit much for me to try to spend more quality time puzzling further. With the language-translation barrier from OP's point of view, it makes this situation more difficult than it should be unless we're in a non-serious situation. If the tunnel works and the router is configured properly, the tunnel shouldn't be dropping, unless there's a conflict.

The description seems all over the map. Without a process being followed it's going to be difficult to help OP as he's too frustrated and blaming the FW. Perhaps the router was dropped on it's head as a child? (defective?). Constant restores, reboots etc, suggests OP might be better off bringing in a second set of eyes. A new perspective at the physical level is needed, or to simply substitute a known good router instead of blaming what he's not familiar with. Doubtful the router is at fault, but OP doesn't state if it's new or an eBay / rummage sale unit. Bumping the N66 to the newly firmware isn't going to stabilize anything and only adds uncertainty, since there's clear, good starting point where the router may have been stable.

When there's no stable beginning point, it's always best to take the unit back to the very start and work logically. I can't ascertain that there was ever a beginning, only continual problems. Reverting to a lower firmware version and establishing a baseline makes more sense than upgrading, if OP knows such a state existed and if he has enough patience to test. This is beginning to resembles a non-sequitur paradox, if eggs are to be believed. Good luck.

 

[Martineau]

....when router restart or is power off and on first seconds (if autoconnect kick in) or till I manualy connect to VPN then all devices in network have real IP, kill switch have no effect.

I understand your frustration and YES, it is possible to break the firmware's VPN KILL switch during the boot process, but most users would not know what they need to do to explicity break it.

So I suggest you try inserting two firewall rules using the following code in init-start

# Old-skool method of ensuring LAN device that must ONLY use the VPN Client is BLOCKED from using the WAN until the VPN Client is correctly established.
#
#    iptables -I FORWARD -i br0 -s <ip-address to be blocked> -o $(nvram get wan0_interface) -j DROP
#
# However, if you want to ensure that ALL LAN clients (except the router) are explicitly BLOCKED from the WAN during the BOOT then use:
#
LAN_IPADDR=$(nvram get lan_ipaddr)
LAN_SUBNET_PREFIX=${LAN_IPADDR%.*}
WAN=$(nvram get wan0_interface)
iptables -I FORWARD -i br0 -s $LAN_SUBNET_PREFIX.0/24 -o $WAN -j DROP
iptables -I FORWARD -i br0 -s $LAN_IPADDR             -o $WAN -j ACCEPT
#
# but setting the 'Prohibit' directive in the VPN routing 11x table saves having to identify the individual I/P addresses that MUST be blocked!
#
#      see /usr/bin/vpnrouting.sh

Ensure VPN Client is configured 'Start with WAN=NO' then reboot.

Hopefully no LAN devices (except the router) should have access via the WAN.

You should now check the status of the KILL switch that is normally implemented by '/usr/sbin/vpnrouting.sh' and also the additional manual old-skool method

e.g. assuming you are using VPN Client 1

ip route show table ovpnc1

iptables -nvL FORWARD --line -t filter

If you can provide the output of the diagnostic commands, we may be able to identify why in your setup the VPN KILL switch during the BOOT is ineffective.

NOTE: To prevent DNS leaks then the VPN Client should be configured with 'Accept DNS configuration=Exclusive'

 

[st3v3n]

Bravo Martieau, succinct and well put.

 

[usmerit]

st3v3n : all this irony and comedy approach to the topic is not needed. Already in your previous statements, you started to go away from the topics and presented the lack of understanding of the problem and maybe the lack of knowledge and you start to explain obvious solutions. Thank you for all the help, but maybe stop trying to help, nothing good comes out from it. And I think we are not stepping in any language barier, maybe you but not me.

Martineau : thank you for your solution, old fashion way but probably the best. I will try it and get back with feedback. I'm afraid that there is some error in soft. I just try on my RT-AC66U and the problem stay same. Before VPN kick in and connect all network clients use VAN even when there is "kill switch", after VPN connect all network clients are routed thru VPN without broblem, try to simulate VPN drop and then "kill switch" works fine (all network clients are cut off from internet). Kill switch is not working only from cold start to first VPN connection (both manual and auto). And to be clear both routers are new. I ordered now RT-AC68U just for test then I will see if the problem stay on this model to.


to remove all doubt, steps I took to config both routers:
1. Upgrade from stock firmware to merlin
2. WLAN config
3. WAN config "Connect to DNS Server automatically" set to NO, both DNS empty
4. LAN config, DHCP server config range 2-100, Enable Manual Assignment and IP assign to network clients.
5. VPN config, import of ovpn file, all setting base on VPN providers requirements, Redirect Internet traffic - Policy Rules (strict), Block routed clients if tunnel goes down - YES, Rules for routing client... - 192.168.1.0/24 iface VPN, Start with WAN - YES, Poll Interval - 1, Connection Retry - 5
6. Reboot

And now they are different scenarios.
1. If Connect to DNS Server automatically (set to no) dns are empty, VPN connect but DNS on all network clients is unable to resolve address, ping works fine.
2. If I now add DNS in Connect to DNS Server automatically (set to no) and save it, then Reboot router get crazy, got this error in log: WAN_Connection: ISP's DHCP did not function properly. VPN is not connecting, same error Network unreachable, restarting, when I try use ON/OFF switch in VPN client, it ubgrade to 100% then get back to OFF state. Power off router, power back same, wait 10-15 minutes, bower off, wait 5 minutes bower back (now sometimes 1 someties 3 cycles router start working, WAN DHCP ok, all network clients have access to internet with real IP, now sometimes autoconnect kick in and connect VPN, sometimes I have to do in manualy.

One more thing I noticed on N66U with 380.69 5G radio drop connection to wireles clients from time to time, no regular time intervals. GUI in VPN section become wery slow.

 

[Martineau]

1. If Connect to DNS Server automatically (set to no) dns are empty, VPN connect but DNS on all network clients is unable to resolve address, ping works fine.

2. If I now add DNS in Connect to DNS Server automatically (set to no) and save it, then Reboot router get crazy, got this error in log: WAN_Connection: ISP's DHCP did not function properly.

My diagnosis is that you have no idea how to configure DNS correctly on the router.

You can choose from two options to correctly configure the router's DNS:

1. 'Connect to DNS Server automatically=YES' means you will configure the router to use your ISP DNS.
or
2. 'Connect to DNS Server automatically=NO' means you MUST specifiy Public DNS Servers such as Google/OpenDNS/TorGuard etc.

The DNS Server fields should not be blank.

   e.g.Google
       DNS Server1=8.8.8.8
       DNS Server2=8.8.4.4
   or OpenDNS
       DNS Server1=208.67.222.222
       DNS Server2=208.67.220.220
   or TorGuard
       DNS Server1=104.223.91.194
       DNS Server2=104.223.91.210
   etc.

If you attempt to define your VPN ISP DNS servers, your WAN IP will usually be BLOCKED from using the VPN ISP's private DNS servers.

However, once the VPN Client connection is established, then provided the VPN Client 'Accept DNS Configuration=Exclusive' is set, this will force any LAN device in the table with 'Iface=VPN' to use the VPN ISP private DNS server. (No DNS leak)
e.g. Policy table entries

LAN      192.168.1.0/24   0.0.0.0   VPN
ROUTER   192.168.1.1   0.0.0.0   WAN

NOTE: If you set 'Accept DNS Configuration=Relaxed' then you can enter the GUI panel

AiProtection->DNSFILTER

to further specify which LAN devices use a specific DNS server from the drop-down list list or manually specify Custom DNS servers.

 

[usmerit]

Martineau thx, I know how to configure DNS, but evryware where I ask geniuses told to leave it empty, even saw like 10 tutorials on VPN in Asuswrt Merlin to leave it blank. Yes I know it's stupid and I have to have DNS to resolve domain names... but I saw stranger things in network configuraton, and it's my first time with Merlin firmware. But yes we have solved dns leak problem. Kill switch left and autoconnect I will try your sugestion with firewall later when I get back home.

 

[RMerlin]

geniuses told to leave it empty, even saw like 10 tutorials on VPN in Asuswrt Merlin to leave it blank. Yes I know it's stupid and I have to have DNS to resolve domain names...

Leaving the WAN DNS fields empty means the router will use those provided by your ISP.

Leaving the LAN DNS field empty means the DHCP server will push the router's own IP to your clients - this is usually what you want, to ensure that the router handles all name resolutions, both LAN and WAN.

The second one should only be changed if you run an actual nameserver within your LAN and you wish all clients to use it. This is usually the case for people with a Windows Server on their LAN (tho normally they should also leave DHCP duties on the server).

 

[st3v3n]

usmerit, How any OP describes their problem and all the steps taken, makes it easier for anyone who time to reply directly to a handle to understand what you need re your request for; ideas. You didn't request specific steps, so the reply offered you information you didn't like/want/need. VPN drops covers a lot of territory' you stated you had many resets-restores and many manuals, which implies almost anything. If you'd like a specific reply, be specific instead of being critical when someone tries to help. "Language barriers" wasn't directed at you nor as insult but that's how you read it; my mistake. The reply to you was meant as encouragement, since there were no steps listed in the request for ideas, and you received good ideas. Written language is a barrier, when only 'ideas' are solicited. The reply directed solely to your handle was meant as help, not amusement, and didn't imply you could've been a troll; Many trolls appear on forums everywhere asking for help. Ignoring any reply to your handle instead of dissing any member with social tags, missing DDWRT/treating Merlin's FW like eggs/ironic/comedic/stop helping/comparing genius, etc, will assure you won't get further replies. The second half of post #11 was more comprehensive than #1, #3, or #5. The members who specifically responded are as good as they come. Good day.

 

[GK59]

Hi, apologies ahead for reviving a months old thread but I just stumbled across this thread today via a search on issues with VPN kill switch and really learned some things here. I'm attaching my settings on my Asus RT-N66U router with Merlin 380.70 FW installed the other day, any input would be hugely appreciated as to if things look good, btw my VPN service is with ExpressVPN and I'm using Comodo Secure DNS servers atm.

 

[st3v3n]

GK59, are you having any specific problems or issues with the way the router is connecting to your ISP/VPN. Can't offer you any guidance on Comodo Seucre DNS, but usually your VPN's built-in DNS servers are fairly secure, or as much as as you can get. If you're using Comodo DNS for your redirected traffic, that traffic which isn't running over your VPN, it may or may not be better than what your ISP offers, depending on your physical location. That doesn't imply Comodo isn't appropriate for your use or that it isn't any good, to each his own, and It's difficult to guess only from checking the four pics. If you have sufficient bandwidth for your needs, then you're getting good mileage out of what's rapidly becoming an older router. Hope this helps, cheers.

 

[GK59]

GK59, are you having any specific problems or issues with the way the router is connecting to your ISP/VPN. Can't offer you any guidance on Comodo Seucre DNS, but usually your VPN's built-in DNS servers are fairly secure, or as much as as you can get. If you're using Comodo DNS for your redirected traffic, that traffic which isn't running over your VPN, it may or may not be better than what your ISP offers, depending on your physical location. That doesn't imply Comodo isn't appropriate for your use or that it isn't any good, to each his own, and It's difficult to guess only from checking the four pics. If you have sufficient bandwidth for your needs, then you're getting good mileage out of what's rapidly becoming an older router. Hope this helps, cheers.

Hi st3v3n, I have a 77mbs up/down fibre optic connection which is rock solid. I've been shopping out routers and may make a move pretty soon I think given posts I've read on this one's age and limited capabilities. I was having an issue with "service state" switch staying off at random times for whatever reason which was annoying me so I changed a few settings to hopefully remedy this and is why I posted pics. I just inserted the Comodo DNS addresses to get away from prying Google which were suggested by EVPN and also looking at OpenNIC for their settings. In the end I want to harden this router as much as humanly possible at the source. Thanks again for your response here, really appreciate it.

 

[st3v3n]

GK, 77 Mb isn't shabby for this model; we have no fiber locally to compare but the last time 66 was in active service (it's in standy, mode; always good to have one just in case) we were pleased to get 25 Mb down. Many will continue to use this until there's no longer any support, but John's build is very popular for it, if you've looked at his fork.

Not sure what's going on with your service state issue, but I'll bet if you keep searching, you'll find it on the forum. Usually everything that can be asked, has been, and also answered; several times over.

Depending how your ISP has your service set up or provisioned for, to get the full speed, you'll want a newer model that can handle the new generation of Merlin; preferably a model with on board CPU encryption and plenty of RAM/NVRANm especially if you're streaming video.

As for nosy Google, considering the billions of searches run daily times millions of people running them, they have sworn that they don't keep the data. Maybe, maybe not but unless you're into things that will get you automatic problems not mentioned here, your searches will likely be lost in the noise, if that's any consolation. Unless there's a reason not to use only OpenVPN for all of your traffic, if you have traffic you really must drop to WAN/ISP and Comodo's servers, you'll be more secure if you don't use anything except your OpenVPN connections with Express. If you feel you're comfortable with their handling of your OpenVPN traffic, that's what would probably keep your searches secure as you can hope for these days.

We don't drop any traffic to WAN/ISP;; ever;we have an entry only to append to google for Apple devices, on the rare off chance they have issues, but it's not something that's happened often;. If you use only OpenVPN and entre another DNS server or servers, usally the VPN will append extra DNS entries or will ignore them, unless it's set for only non-VPN traffic. Nothing is ever powered up or connected unless the VPN is already up and running on the router. Do read about the other issues if you upgrade and use the server on the router, to access your service from elsewhere, avoid it if at all possible. Also, the Asus mobile app has serious problems and should not be trusted at present.

Take care if you go with OpenNIC, it's not what it used to be. You may learn that your pick of what the site offers you may have you bouncing off somewhere else; say Antarctica or some other remote place you hadn't considered; that is probably not the kind of exposure you want. What's om Antarctica isn't meant for public use. There are still many choices for DNS so keep looking. No idea what options Express provides for your OpenVPN DNS solution, but they must be decent or it wouldn't cost as much; they generally don't offer discounts. Those who have stayed with them over the years till rave about them. Hope this helps, Cheers.

 

[GK59]

First off, thanks st3v3n for such phenomenal reply, complete and to the point. My main focus is financial, health related and general personal privacy. Thus far I am pretty satisfied with ExpressVPN but exploring other options before i decide to renew for an entire year with them. My "service state" issue seems to have resolved itself, having been on now straight for the past few days on the current 380.70 fw.

...to get the full speed, you'll want a newer model that can handle the new generation of Merlin; preferably a model with on board CPU encryption and plenty of RAM/NVRANm especially if you're streaming video.

I have been combing thru the guides, rankings and various user threads here and have narrowed my search to a pair of models, well actually I considered the AC1900 but frankly I should've bought that a year ago. Anyhow the RT-AC86U and the RT-AC5300, 5th and 4th respectively on the rankings. The GT-AC5300 is nice, very nice but would be overkill in our modest townhouse so I trust the other two would fit that bill you mention in the above quote, I'm leaning towards the RT-AC86U for the extra mem.

I never access the router from outside my network, ever only within. Thanks for the info on OpenNIC, good advice. I hadn't tried them yet and will stay for now with Comodo and see how that goes. Your post has been enormously helpful in my learning, thank you once again.