What's new

what is the best wireless consumer router for security?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

cooloutac

Very Senior Member
I'm starting to think asus and merlin is not the way to go. I liked asus cause they update their firmware with security updates quite frequently. But I feel most of its advocates are against using vpns and secure operating systems. Even Merlin himself doesn't seem to be much into security. I got the ac86u but the ap isolation and the guest network on it is a total joke, and it seems ai trend micro is extremely buggy on it when using a vpn which I also find suspcious.

Is there any other options? I mean even if I build a pfsense router I still need some wireless access point that is trustworthy. are there any suggestions?
 
Asus is still the best consumer router regarding security, particularly with RMerlin firmware. If you are using any router as a simple AP, then security is not an issue for the WiFi access point, but rather everything that comes before it.
 
I'm starting to think asus and merlin is not the way to go. I liked asus cause they update their firmware with security updates quite frequently. But I feel most of its advocates are against using vpns and secure operating systems. Even Merlin himself doesn't seem to be much into security. I got the ac86u but the ap isolation and the guest network on it is a total joke, and it seems ai trend micro is extremely buggy on it when using a vpn which I also find suspcious.

Is there any other options? I mean even if I build a pfsense router I still need some wireless access point that is trustworthy. are there any suggestions?

Google it. You'll reach a broader audience.

OE
 
Asus is still the best consumer router regarding security, particularly with RMerlin firmware. If you are using any router as a simple AP, then security is not an issue for the WiFi access point, but rather everything that comes before it.

Merlin does have some security features missing in stock. I have the dnssec and dns rebind options on for example. but the ap isolation and guest network options don't really isolate the devices. I find that very disconcerting. If this is the best security the average consumer can hope for, we as a society are in for some rough times ahead. Security still seems to be a far off after thought even in this era. Some people even convince themselves it something to be avoided.
 
that routeros firewall software sure looks powerful tempting not sure about the hardware on that microtik for my needs though.
 
An Asus, RMerlin powered router with judicious use of amtm and other available scripts is as secure as possible.

The biggest source of security issues is with the user at that point.
 
I'm usint this device in two small offices. One have about 30 devices and vpn connection, second maybe less. With some of firewall/vlan rules, can handle 500/250 internet connection without any problem. They have also some more expensive models or check something from Ubiquiti company.
 
I have a side experiment going where I'm testing OpenWRT on an idle Raspberry Pi 4 with an extra Ethernet dongle, using an old Asus N66U with John's fork as an AP. Very different world from ASUSWRT-Merlin, but a way to see if the grass is any greener on the other side. Plus I can experiment with CAKE on OpenWRT.
 
  • Like
Reactions: KW.
thanks!
I'm usint this device in two small offices. One have about 30 devices and vpn connection, second maybe less. With some of firewall/vlan rules, can handle 500/250 internet connection without any problem. They have also some more expensive models or check something from Ubiquiti company.

thanks!
 
I have a side experiment going where I'm testing OpenWRT on an idle Raspberry Pi 4 with an extra Ethernet dongle, using an old Asus N66U with John's fork as an AP. Very different world from ASUSWRT-Merlin, but a way to see if the grass is any greener on the other side. Plus I can experiment with CAKE on OpenWRT.

Sounds like fun. I use to use tomato years ago on a wrt54g and I loved it. would of loved to put some opensource firmware on the ac86u but it seems only the 68u and ac3200 is supported. When I first got my ac66u_1 I ididn't see tha tlisted either, but learned later possibly the 68u firmware would of worked. I basically used stock on the ac66u_b1 for 2 and half years no issues. i figured i would get security updates the fastest that way since it would be more maintained. Merlin seemed to trail a month or sometimes longer behind but I think he has gotten better in that regard. but now i've recently added tons of iot devices and wanted more wireless range i upgraded to the ac86u. now that i'm trying to use more advanced features like vpn and guest networks, its been a nightmare.

Someone on these forums pointed out to me about pihole that looks interesting. Wanted to see how well it worked to block ads. Right now i got a raspberry pi running as a print server, To make an old usb printer into a wireless printer. That has now since been retired and I think I will start playing around with my pi too.
 
Last edited:
An Asus, RMerlin powered router with judicious use of amtm and other available scripts is as secure as possible.

The biggest source of security issues is with the user at that point.

so you have no explanation as to why ap isolation and guest network options don't really isolate those devices properly? did you look at mikrotiks routeros sofware? thats professional status man it makes the asus firmware look like a toy.
 
Make up your mind what you want to discuss. Consumer or 'professional'. Being right at any cost is not a threads' intent.

I can't waste any more time on you today.
 
. I got the ac86u but the ap isolation and the guest network on it is a total joke, and it seems ai trend micro is extremely buggy on it when using a vpn which I also find suspcious.

I run two or three VPN clients on my AC86 and also a VPN server and have no problems with stability.

That being said VPN clients connecting to commercial VPN servers and providing security is as much hype as actual security. VPNs are only really secure if you control both ends of the connection.

I suggest you read up on VPNs before deciding you want to use them for real security.

If you want isolation for both WiFi and Ethernet connected devices consider adding a smart switch to your network so you can use VLANs.

Before switching to Tomato be sure you find a branch that is still being updated and maintained.
 
I run two or three VPN clients on my AC86 and also a VPN server and have no problems with stability.

That being said VPN clients connecting to commercial VPN servers and providing security is as much hype as actual security. VPNs are only really secure if you control both ends of the connection.

I suggest you read up on VPNs before deciding you want to use them for real security.

If you want isolation for both WiFi and Ethernet connected devices consider adding a smart switch to your network so you can use VLANs.

Before switching to Tomato be sure you find a branch that is still being updated and maintained.

do you also run ai trend micro and adaptive qos ? Because thats where the problem lies and hence the title of my thread. https://www.snbforums.com/threads/ai-trend-micro-protection-vs-vpn.67229/page-2#post-628346

You are parroting what the other two people said and I'm kind of tired of hearing it. What you are saying is meaningless cause as I keep saying, those endpoints are insecure and backdoored out of the box. Why even mention a VPN when you say you need to control both end points. You might as well try to convince the world at that point there is no security under any circumstances. Just use the words "security" and "privacy" in place of "VPN". Maybe you need to define security. I think you are under the impression everyone using a VPN is a criminal hiding from the gov't or something. Thats ridiculous and shameful. Or trying to hide from the corporations they use online credentials with. lmao maybe you are trying to say that you trust your isp more then these commercial vpn providers. I find that ridiculous as well.

Also don't ignore everything in between those two endpoints, which is most of the random world, and what people using a VPN are obviously trying to protect from. When people tell me they use a vpn for travel but not on their home network. My first thought is their home network might be even more public lmao..

I can add a better router like that mikrotik ap that another poster linked. the routeros firmware on that looks great. I wouldn't need an extra switch to create a proper vlan with that thing. It can act alone as a router, and only 70 dollars? Why even trust the asus router at all at that point if thats the case? The thing holding me back on the mikrotik right now is I need strong wifi to reach my shed and I'm not sure that mikrotik has better wifi then the ac66u_b1 I have that struggled with it. Anyone able to compare how far the range on that hap ac2 is to an ac68u or ac86u? i looked at the hap ac3 but not sure there either. Mikrotik defines their range in their specheets, but of course Asus does not. Already according to most of you there is no point in me owning the ac86u which I got solely for vpn use, as i'm sure most people do. I don't understand why anyone would buy the ac86u now if not for vpn use.

The reason I never switched to tomato on the older router I have is for that very reason. Which I stated in my post, already saying the router is not supported. not sure why you think i'm going to use it. Lots of things are no longer maintained its the direction society has been headed. We call security defined as hackers that destroy things, and we shun the hackers that build things as the criminals. The gov't and society put pressure against them. And its extremely ironic to me. . Everyone goes offensive cause its easier and less pressured, more exciting and it pays better. They want people vulnerable, its in their nature and its good for business whether civilian sector or gov't. Everything is victimless to them. But Eventually we are going to be left with rubble. And we will have people who encouraged it and preached against defensive security as useless being the reason why.
 
Last edited:
Make up your mind what you want to discuss. Consumer or 'professional'. Being right at any cost is not a threads' intent.

I can't waste any more time on you today.

I accept your concession. The asus stock, nor merlin firmware, properly isolate devices when using guest network or ap isolation feature. I think you must know this. A look at this mikrotik firmware seems to have the ability to do it properly. I consider anything selling for 70 dollars on amazon as consumer. Do you work for Asus or something, get kickbacks when you install their routers for clients? I'm not understanding the apprehension.
 
I have a side experiment going where I'm testing OpenWRT on an idle Raspberry Pi 4 with an extra Ethernet dongle, using an old Asus N66U with John's fork as an AP. Very different world from ASUSWRT-Merlin, but a way to see if the grass is any greener on the other side. Plus I can experiment with CAKE on OpenWRT.
Interesting. BTW, I've found CAKE to be the best option for me in the past. Unfortunately I no longer have anything that runs it...
 
Even Merlin himself doesn't seem to be much into security.

Eh?

- I'm the one who first implemented OpenVPN support in Asuswrt and Asuswrt-Merlin, to replace PPTP
- My firmware got DoT support a year ago, something that very few routers offer yet
- I upgraded to OpenSSL 1.1 long before any home router manufacturer did, adding TLS 1.3 and GCM cipher support among other things
- I added TLS support to the firmware's FTP server to make FTP still usable security-wise
- I added https support to the firmware before Asus did
- I added SSH support to the firmware before Asus did (and I also removed telnet)

So, I don't know where you are coming from with these claims. I've always been far more proactive at security than the vast majority of home router manufacturers are.

but the ap isolation and guest network options don't really isolate the devices. I find that very disconcerting. I

Anything related to wifi is closed source and outside of my control.
 
sorry m
Eh?

- I'm the one who first implemented OpenVPN support in Asuswrt and Asuswrt-Merlin, to replace PPTP
- My firmware got DoT support a year ago, something that very few routers offer yet
- I upgraded to OpenSSL 1.1 long before any home router manufacturer did, adding TLS 1.3 and GCM cipher support among other things
- I added TLS support to the firmware's FTP server to make FTP still usable security-wise
- I added https support to the firmware before Asus did
- I added SSH support to the firmware before Asus did (and I also removed telnet)

So, I don't know where you are coming from with these claims. I've always been far more proactive at security than the vast majority of home router manufacturers are.



Anything related to wifi is closed source and outside of my control.
Eh?

- I'm the one who first implemented OpenVPN support in Asuswrt and Asuswrt-Merlin, to replace PPTP
- My firmware got DoT support a year ago, something that very few routers offer yet
- I upgraded to OpenSSL 1.1 long before any home router manufacturer did, adding TLS 1.3 and GCM cipher support among other things
- I added TLS support to the firmware's FTP server to make FTP still usable security-wise
- I added https support to the firmware before Asus did
- I added SSH support to the firmware before Asus did (and I also removed telnet)

So, I don't know where you are coming from with these claims. I've always been far more proactive at security than the vast majority of home router manufacturers are.



Anything related to wifi is closed source and outside of my control.


i meant no offense. was really just referring to the fact I used the stock on my ac66u over your firmware for 2 years cause you always lagged over a month behind with the security patches. hopefully thats changed now. And you parrot the same thing these guys say about vpns and ai protection. I've already had that discussion with you. I did mention you also have dnsec and rebind protection in my post if you read it. And i keep talking about how vpn only works properly with your firmware, which is the reason i'm using it. when I use the stock firmware i get easily flagged and blocked by my isp and other networks. So in order for all my devices to work properly with vpn i have to use the merlin firmware for sure. Otherwise I'd be on stock.

And i'm not blaming you for the wifi, i'm stating its a problem with stock as well. wifi has always been problem and still is. closed source drivers, ridiculous wireless charges. I've never understood it. Basically the same laws do not apply to wireless that apply to wired. We dont' get the same consumer protections and I think that plays a part in its lack of transparency and security.

And let me just say as I talked about in my previous post, we need more people like you Merlin cause you are one of the rare "builders" i talk about. What you do is harder and less rewarding and less exciting, then what most people call hacking or security. Your one of the few defensive guys out there, when everyone goes offense. We need more balance in society. So you what you do is very commendable and don't take my criticism too hard.
 
Last edited:

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top