Wifi network setup - RT-AC86U w or w/t RPi 3B - advice request

some.jimmy

Occasional Visitor
Hi,
need a consultancy and advice, if I may.

For my flat 110 sqm / 1100 sqf I have RT-AC5300 running currently (with the most recent Merlin soft) and RT-AC86U waiting to be a replacement for the above one. Have around 10 mobile and smart home devices connected via wifi. No device is wired to the router.
Recently bought RPi 3B thinking about having Pi-hole, Unbound and personal cloud settled on attached usb drive (fast 128 Gb m.2 ssd hard drive).
My current router RT-AC5300 is with Merlin software, Skynet, Diversion, pixelserv-tls.

Following past recommendations here I will change my router to RT-AC86U. My dream is to have effective firewall installed on router level (Skynet), highly effective adblocker (Pi-hole or Diversion or AdGuard Home) on router level and last, but not least personal cloud with local connection as well as from outside the local network. The last one for files and maybe hosting services like password manager files, bookmarks, news feed, search engine, etc. Therefore it must be secure. Main factors are: effectiveness, wifi speed (close to max provided by my ISP) and stability.

1. Is it worth, as of today, to use Pi-hole rather than Diversion?
My concern for Diversion is that it is possible to use only two blocklists. With Pi-hole I can use different local blocklists. I know that I can prepare my own list from different ones, but I am afraid to mix-up something. As we know the human factor (me - in that case) is always the weakest. :)
2. If not Diversion or Pi-hole, maybe AdGuard Home? I have not tried this one yet, but I think it gives the possibility to use more than two custom blocklists.
3. The cloud - I thought for installing OpenMediaVault on RPi and connect usb hard drive to RPi. However I am not sure if it is a good idea, because RPi 3B has only USB 2.0 ports, which will decrease the speed possible to obtain from ssd hard drive. Maybe it is better (more effective) to connect disc directly to the AC86U router (USB 3.0) and create personal cloud that way. At this point the human factor comes up - how to make a personal cloud, accessible locally and non-locally, using router's soft?
4. By connecting RPi to the AC86U router I hope to have stable, low cpu and memory usage, while main always online apps, are on RPi (Pi-hole/ADH, OMV, etc). But, again, I may be mistaken thinking that way. Any advice/correction?
5. As for the further configuration of wifi network I am thinking about main wifi network for the main devices and two guest networks (Yaz's soft) one for smart home devices and one for guests. The latter on 2,4 GHz. Am I thinking correctly? Will it be efficient enough?

I would appreciate any answer, feedback, tutorial or link, which may help me.

SJ
 

bbunge

Part of the Furniture
1. Diversion with Merlin firmware. Pi-Hole with Asus firmware with the Pi IP in LAN/DHCP Server/DNS Server
2. Diversion Standard and Pi-Hole both use the same default blocklist
3. Pi 3B+ makes a good NAS in spite of the USB2. Better than using the router for storage. My Pi 3B+ is currently running BOINC and processing data for World Community Grid. Has been used as a Pi-Hole with Stubby. Didn't like using Unbound.
4. Connect the Pi to the router with Ethernet cable and disable WIFI and Bluetooth. Put the router and Pi on a small UPS
5. Works for me...

Opinion - If you really do not need all the Merlin features, use the Asus stock firmware on the router. It will be much happier. You can really block too much. I have been a Merlin fan for years and have recently, just a few minutes ago in fact, gone back to Asus firmware. I had run 386.4 with Diversion since it was released but realized I really did not need all that stuff. :)
 

some.jimmy

Occasional Visitor
Many thanks @bbunge for your reply. May I ask some additional questions? :)

1. Understood - Diversion with Merlin or Pi-hole with Asus' stock firmware. But, there are no Skynet and other scripts in the second case, right? What is your opinion on stock's firmware firewall then? Or there is anything alternative?
2. Diversion and Pi-hole use the same blocklist - but Pi-hole gives the possibility to add other lists. Not only one, but more. For example country localized. AdGuard Home has the same possibility as Pi-hole, if I am not mistaken.
3. Cloud - May I ask what software do you use? :) What area should I explore? Is it OpenMediaVault, or just file sharing server?

Appreciate your feedback.

SJ
 

Tech9

Part of the Furniture
need a consultancy and advice

1) Pi-hole - more configurable and with better UI
2) Pi-hole again
3) Don't use the router with attached storage
4) Correct
5) Careful with GN1 quirks

My dream is to have effective firewall installed on router level (Skynet)

Your dream may turn into your nightmare. I wouldn't use Skynet at all with its default blocklists. You don't need Skynet in general.
 

some.jimmy

Occasional Visitor
Hi @Tech9,
thank you for your reply and recommendations. And sorry for late reaction from my side.
Your dream may turn into your nightmare. I wouldn't use Skynet at all with its default blocklists. You don't need Skynet in general.
Frankly, that changes the whole perspective I have from reading the SNB forums. :) Many suggest using Merlin's software, because it gives the possibility for customisation by scripts. I have Skynet and Diversion scripts installed on my RT-AC5300. So far I have no issue with Skynet, or I have not noticed any. I have raised once a topic of "zero" incoming blocks by the firewall. It was strange to me, that not even one piece of internet dust tried to break my router's firewall. There was a long topic, where you @Tech9 replied and commented, where one of SNB members found thousands incoming blocks from one or two IPs. Mine was/is the opposite situation. Nobody wants to hack me. :) But seriously, it was strange to me and I started to think if my Skynet's configuration is messed up.
As I mentioned in the first post I am just before changing the router to RT-AC86U and will try it with stock software. I understand that it is good option to rely on router's firewall settings? If not Skynet, then it must be stock firewall, right?

Both DNS-based, not very effective today. I wouldn't run network-wide adblock, but browser uBlock Origin. The best adblock solution.
Well.... Pi-hole or Diversion or AdGuard Home are the adblocking solutions for my local wifi network, with my wife's and kids' devices mostly. I have uBlock Origin installed on my devices - laptops and smartphone and this addon is absolutely the best. However my family does not have it on their devices. They do not follow my personal fight against ads :) , therefore I have to make crucial decisions for them. :)
As for choosing between Pi-hole and Diversion and AdGuard Home, the answer depends on whether I will install Merlin or not on my new router. If not Diversion will not be an option. Only Pi-hole or AdGuard Home on RPi3B.

SJ
 

some.jimmy

Occasional Visitor
Your dream may turn into your nightmare. I wouldn't use Skynet at all with its default blocklists. You don't need Skynet in general.
Actually my first dream is to have the fastest possible and stable wifi connection at home. For the moment (RT-AC5300 router) I have three four different networks created, one for each band and one, additional, guest network combined from 2,4GHz and 5Ghz (one of the bands). The maximum download speed I have is 750 mb/s. My current wifi speeds are:
for 2,4GHz - around 60.70 mb/s
for first 5GHZ - around 350 mb/s
for second 5GHz -around 300 mb/s
the guest network (2,4GHz+5GHz) - around 300 mb/s
They are not used at once all the time.
Is this normal, that the router spreads the speed to each network/band and does not relocates "the pipe" according the actual network needs? I doubt, but I am afraid I might be wrong.
SJ
 

some.jimmy

Occasional Visitor
3) Don't use the router with attached storage
One last thing I would like to raise.
Why do not use the router with attached storage? If I want to build private cloud, then I should connect the storage to RPi, right? Should I use OpenMediaVault or just regular soft or settings on Pi-hole? This is a complete terra nova for me, so I may ask dumb questions. Sorry about that. :)
RPi3B has only two USB2.0 slots, therefore it will not read and write data on m2 ssd drive with maximum possible speeds for the hard drive, but only limited by USB2.0. Am I right?
SJ
 

Tech9

Part of the Furniture
where one of SNB members found thousands incoming blocks from one or two IPs

They are blocked anyway by the router's firewall. Skynet is only displaying what was recognized as matching IP's in blocklists. This is one of my problems with Skynet - it makes you think it works hard to protect you. In fact, most of the time it just shows you what's in the blocklists. Enable in Firewall, Logged packets type - Dropped and watch what your default firewall does. Looks like Skynet "working hard", doesn't it?

I understand that it is good option to rely on router's firewall settings? If not Skynet, then it must be stock firewall, right?

The router's firewall is enabled by default. It blocks all unsolicited inbound connections. Skynet in default configuration "blocks" what is blocked already. If you run Skynet with outbound blocking, you may eventually have some benefits - it prevents you from accessing blacklisted IP's. Don't forget your router has AiProtection, your computer has Antivirus software and modern browsers use Safe Browsing filters. You already have 3x layers of protection.

Is this normal, that the router spreads the speed to each network/band

The router doesn't spread anything. Your maximum speed is limited by the clients' capabilities. Common 2-stream AC client can do about 500Mbps in ideal conditions, 300Mbps average is about right. On 2.4GHz 60Mbps is excellent. Folks in dense residential areas may never see above 30Mbps. Your 4-stream AC router can do Gigabit on Wi-Fi using single 5GHz radio to single 4-stream AC client, in case you're lucky to find/own one.

Why do not use the router with attached storage?

Because it doesn't work well. The tiny router hardware with limited RAM can't do much. Think slower than Raspberry Pi hardware with 1/4 RAM available at best. USB attached storage is usable for light file sharing only. If you expect NAS performance - not happening. Your router will become unstable with high volume transfers - not enough resources. Use the router as a router if you want stable and dependable network.
 

Tech9

Part of the Furniture
As for choosing between Pi-hole and Diversion and AdGuard Home, the answer depends on whether I will install Merlin or not on my new router. If not Diversion will not be an option. Only Pi-hole or AdGuard Home on RPi3B.

Or AdGuard free DNS. Very similar results without using any scripts.
 

some.jimmy

Occasional Visitor
Enable in Firewall, Logged packets type - Dropped and watch what your default firewall does. Looks like Skynet "working hard", doesn't it?
Well.... I have checked "System logs" and I have "skynet-0.log" name and it shows around 20 entries, counting from May last year. Nothing more, which is weird because I use Skynet much longer.

Don't forget your router has AiProtection
Hmmm... Another confusing issue. Shall we switch AiProtection on, or keep it off? Is this setting good or bad? There are different opinions about Trend Micro's part of the Asus routers.
 

Tech9

Part of the Furniture
Recently I have started to use NextDNS on my mobile

NextDNS perhaps does the better job, but it's a paid service. AdGuard has a free DNS service. You have options.

Well.... I have checked "System logs" and I have "skynet-0.log" name and it shows around 20 entries

Disable Skynet and enable dropped packets logging in GUI, Firewall. You'll see in syslog what the default firewall does.

Shall we switch AiProtection on, or keep it off?

Your call. Read the links provided when EULA pops up, make a decision. Usually we pay with our data for "free" services.
 

some.jimmy

Occasional Visitor
Hi,
again, thank you for taking time and reply.
NextDNS perhaps does the better job, but it's a paid service. AdGuard has a free DNS service. You have options.
It is paid, but I am using the free version so far and it is more effective in blocking ads, than free AdGuard DNS. Both checked on two websites: adblock-tester and d3ward.github.io, and both servers on mobile and pc devices. On mobile Mull results are 100% blocked, but Bromite has 95% blocked. Which is strange, because of Bromite adblock features, even strengthened with wider blocklist. With AdGuard free DNS the results, especially on adblock-tester are even lower on Bromite.

Disable Skynet and enable dropped packets logging in GUI, Firewall. You'll see in syslog what the default firewall does.
Hmmm.... I have disabled Skynet and have dropped packages logging switched on in GUI, but.... I cannot find any syslog showing any change or, should I mention, I do not know where to find the information you wrote about. In GUI -> Advanced settings -> System logs I have one System messages box and lower skynet-0.log and syslog-ng.log boxes in logs.
Where should I see the router's reaction for switching Skynet on to off?

SJ
 

Tech9

Part of the Furniture
Where should I see the router's reaction for switching Skynet on to off?

What reaction do you expect to see? Dropped packets logging is off by default. If you want to see what the router's firewall is doing, enable it. It will start flooding your syslog faster than Skynet. The setting is in Firewall section:

Untitled_fw.png


Change None to Dropped, hit Apply at the bottom. Watch the syslog messages. Switch back to None when you are satisfied.
 

some.jimmy

Occasional Visitor
Hi,
What reaction do you expect to see? Dropped packets logging is off by default. If you want to see what the router's firewall is doing, enable it. It will start flooding your syslog faster than Skynet.
Well... I was expecting to see logs. :)
But first, yes I had scribe installed. Sorry for not mentioning that earlier. I have uninstalled it minutes ago. Now I have one system log window in GUI.
As for "Logged packets type" I had and have it on "dropped", not on "none" (default setting).
I have temporarily stopped Skynet and in system logs window there are entries (some, not a flood) from "kernel:". Default message log level had on "notice", now I have changed to "info" (to see what will happen). "Log only messages more urgent than" is on "debug". I do not recall to change it at all from when I started to use this router.
SJ
 

some.jimmy

Occasional Visitor
No.
Just found one entry in system log: kernel: DROP... .
When the Skynet has been switched on again this entry disappeared from the syslog.
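
Added example, not part of the original thread or any poster's code: a small Python script that summarizes "kernel: DROP" syslog entries like the ones discussed above, showing which sources, ports and directions the stock firewall is already dropping. The sample lines are constructed, the KEY=VALUE field layout is assumed to be the standard netfilter LOG format, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample syslog (documentation IP ranges). Assumption: the router's
# "kernel: DROP" entries use the standard netfilter LOG KEY=VALUE layout.
SAMPLE_SYSLOG = """\
May  5 10:01:12 kernel: DROP IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TTL=244 PROTO=TCP SPT=44321 DPT=23 SYN
May  5 10:01:15 kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=44322 DPT=23 SYN
May  5 10:02:40 kernel: DROP IN=eth0 OUT= SRC=192.0.2.55 DST=203.0.113.10 LEN=60 PROTO=UDP SPT=5353 DPT=1900
May  5 10:03:02 kernel: DROP IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
May  5 10:03:30 dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.20 aa:bb:cc:dd:ee:ff phone
May  5 10:04:10 kernel: DROP IN=br0 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.200 LEN=52 PROTO=TCP SPT=50000 DPT=443
"""

DROP_RE = re.compile(r"kernel: DROP\s+(?P<fields>.*)$")


def parse_drop(line):
    """Return the KEY=VALUE fields of one dropped-packet line, else None."""
    match = DROP_RE.search(line)
    if not match:
        return None
    fields = {}
    for token in match.group("fields").split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else True  # bare flags such as SYN
    return fields


def summarize(text):
    """Count drops per source IP, per (protocol, dest port) and per direction."""
    sources, targets, direction = Counter(), Counter(), Counter()
    for line in text.splitlines():
        fields = parse_drop(line)
        if fields is None:
            continue  # not a firewall drop entry (DHCP, other daemons, ...)
        # An empty OUT= means the packet was addressed to the router itself.
        inbound = fields.get("OUT", "") == ""
        direction["inbound" if inbound else "forwarded"] += 1
        sources[fields.get("SRC", "?")] += 1
        targets[(fields.get("PROTO", "?"), fields.get("DPT", "-"))] += 1
    return sources, targets, direction


if __name__ == "__main__":
    sources, targets, direction = summarize(SAMPLE_SYSLOG)
    print("direction:", dict(direction))
    for ip, n in sources.most_common(3):
        print(f"{n:3d} drops from {ip}")
```

To use it on real data, save the entries from the router's System Log page to a file and pass the file's contents to summarize() in place of the sample.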
 
