Sunday, November 18, 2018

Configuring IPv6 settings in Asuswrt-Merlin for TM UniFi

All the IPv4 blocks have already fully allocated, and IPv4 should be exhausted any time from now. Although the Internet transition from IPv4 to IPv6 has been prolonged, it is advisable to make use of IPv6 now in parallel with IPv4.

In fact, many websites are found to be faster when accessed using IPv6.

Below are my settings on IPv6 for TM UniFi for your reference:

  • Connection type: Native
  • Interface: PPP
  • DHCP-PD: Enable
  • Release prefix on exit: Enable
  • Auto Configuration Setting: Stateless
  • Connect to DNS Server automatically: Disable (you can choose Enable to use the DNS servers of TM UniFi)
  • IPv6 DNS Server: you can choose to use any of the public DNS servers below:
    • Google: 2001:4860:4860::8888, 2001:4860:4860::8844
    • OpenDNS: 2620:0:ccc::2, 2620:0:ccd::2
    • CloudFlare: 2606:4700:4700:0:0:0:0:1111, 2606:4700:4700:0:0:0:0:1001
    • UncensoredDNS: 2001:67c:28a4::, 2a01:3a0:53:53::
  • Enable Router Advertisement: Enable
If your IPv6 is working, you will be able to see your LAN IPv6 Address, LAN Prefix Length and LAN IPv6 Prefix shown on the screen. More information can be found in the System Log > IPv6 screen.

Saturday, November 17, 2018

Configuring WAN settings in Asuswrt-Merlin for TM UniFi

Below is my Internet Connection setting for TM UniFi:

  • WAN Connection Type: PPPoE
  • Enable WAN: Yes
  • Enable NAT: Yes
  • NAT Type: Symmetric
  • Enable UPnP: No (for better security control)
  • Get the WAN IP automatically: Yes
  • Connect to DNS Server automatically: No (set as Yes to use the DNS servers of your ISP)
  • DNS Server: you can use the DNS servers of your ISP, or any of the public DNS servers below:
    • Cloudflare: 1.1.1.1, 1.0.0.1
    • FreeDNS: 45.33.97.5, 37.235.1.177
    • Google: 8.8.8.8, 8.8.4.4
    • Level3: 209.244.0.3, 209.244.0.4
    • OpenDNS: 208.67.222.222, 208.67.220.220
    • Quad9: 9.9.9.9, 149.112.112.112
    • UncensoredDNS: 91.239.100.100, 89.233.43.71
    • Verisign: 64.6.64.6, 64.6.65.6
  • PPP Username: your username given by the ISP
  • Password: your password given by the ISP
  • Disconnect after time of inactivity: 0 second (never disconnect)
  • MTU: 1480
  • MRU: 1480 (same value as MTU)
  • Internet Detection: PPP Echo
  • PPP Echo Interval: 30 seconds
  • PPP Echo Max Failures: 5 times
  • Enable VPN+DHCP Connection: Yes
  • Spoof LAN TTL value: No
You can use the ping command to find out the maximum possible MTU value for your WAN connection. Just ping to any external server that accepts ICMP echo, with the parameters "-f -l xxxx" where xxxx is a number you try to get as large as possible, while the ping result will remain to have 0% packet loss without packet fragmentation. Any number greater than it will cause packet fragmentation.

Your MTU will be this xxxx number added by 28.


In the ping results shown above, the maximum number is 1452. Therefore, the MTU is 1452+28=1480.

Dual WAN: if you only have single Internet connection, set this to Off. If you have two Internet connections, set this to On. Your secondary WAN connection can be configured as fail over backup link which only active when the primary WAN is down, or as load balancing link which active together with the primary WAN and share the Internet traffic.


Port Trigger: Disabled. You can enable it if required.

Virtual Server / Port Forwarding: Disabled. You can enable it if required. Note that if you have enabled Parental Control function of the router, there will be some Port Forwarding rules automatically set here for the Parental Control function.

DMZ: Disabled.

Enable DDNS Client: Yes.

Method to retrieve WAN IP: Internal.

Server: just pick one of your favourite. Use Asus if you have no preference.

Host Name: pick a name for your router to be accessible from the Internet. As long as the name is not in used by other user in the DDNS server, it can be used.

HTTPS/SSL Certificate: Let's Encrypt (this is the easiest to use)

NAT Passthrough:
  • PPTP Passthrough: Enable
  • L2TP Passthrough: Enable
  • IPSec Passthrough: Enable
  • RTSP Passthrough: Enable + NAT helper
  • H.323 Passthrough: Enable + NAT helper
  • SIP Passthrough: Enable + NAT helper
  • Enable PPPoE Relay: Disable
If you don't use any VPN client and VoIP in your LAN, you can configure the NAT passthrough to be Disabled.

Thursday, November 15, 2018

Configuring LAN settings in Asuswrt-Merlin

For LAN IP Address and the corresponding subnet mask, pick one from the following private IP address ranges:

  • 192.168.0.1 to 192.168.255.254 (subnet mask 255.255.0.0 for fixed first 2 numbers 192.168 in the available LAN IP addresses; subnet mask 255.255.255.0 for fixed first 3 numbers in the available LAN IP addresses)
  • 172.16.0.1 to 172.31.255.254 (subnet mask 255.240.0.0, or 255.255.0.0, or 255.255.255.0)
  • 10.0.0.1 to 10.255.255.254 (subnet mask 255.0.0.0 or 255.255.0.0 or 255.255.255.0)
For home network, using a subnet mask of 255.255.255.0 with 254 allocable IP addresses is sufficient.

If you want to allocate less usable IP addresses, you can refer to the subnet masks below:
  • 255.255.255.128 (126 allocable IP addresses)
  • 255.255.255.192 (62 allocable IP addresses)
  • 255.255.255.224 (30 allocable IP addresses)
  • 255.255.255.240 (14 allocable IP addresses)
Below is my LAN configuration for your reference:
  • Enable the DHCP Server: Yes
  • Hide DHCP/RA queries: No
  • IP Pool Starting and Ending Address: for easier management, it is advisable to allocate this dynamic IP range to be different from the IP range used in manual assignment. Make sure this IP range is within the allocable IP addresses as defined by the subnet mask.
  • Lease time: 86400 seconds
  • Default gateway: the internal IP address of the router
  • DNS Server: you can use the DNS servers of your ISP, or any of the public DNS servers below:
    • Cloudflare: 1.1.1.1, 1.0.0.1
    • FreeDNS: 45.33.97.5, 37.235.1.177
    • Google: 8.8.8.8, 8.8.4.4
    • Level3: 209.244.0.3, 209.244.0.4
    • OpenDNS: 208.67.222.222, 208.67.220.220
    • Quad9: 9.9.9.9, 149.112.112.112
    • UncensoredDNS: 91.239.100.100, 89.233.43.71
    • Verisign: 64.6.64.6, 64.6.65.6
  • Advertise router's IP in addition to user-specified DNS: Yes
  • Forward local domain queries to upstream DNS: No
  • Enable DNSSEC support: No (unless you are sure your ISP and your DNS servers support this feature)
  • Enable DNS Rebind protection: No (unless you are sure your ISP and your DNS servers support this feature)
  • WINS Server: the internal IP address of the router
  • Enable Manual Assignment: Yes
Note: For the hosts configured in the manual IP assignment table, you can edit their name and change their icon by clicking on their icon.

  • Enable static routes: No (normally you don't need this, unless you have a complex network with several routers)
  • IPTV: select the correct ISP Profile to auto-configure the IPTV settings for the corresponding ISP
  • Switch Control:
    • Enable Jumbo Frame: Disable
    • Spanning-Tree Protocol: Enable

Tuesday, November 13, 2018

Configuring WiFi settings in Asuswrt-Merlin

Smart Connect is a feature in Asus wireless routers to automatically steer the WiFi clients to the most appropriate band of 2.4GHz and 5GHz. If you make use of Smart Connect feature, you will need to have the same SSID and Pre-Shared Key (WiFi password) for all the bands available.

If you prefer to have more control on which band your WiFi clients should connect to, you can disable Smart Connect.

For 2.4GHz band:

  • There are 3 wireless modes available. "Auto" allows 802.11b/g/n devices to connect to the WiFi network. In this mode, 802.11n devices can connect with optimum speed (up to 250Mbps per stream). "Legacy" mode also allows 802.11b/g/n devices to connect to the WiFi network, and the 802.11n devices can only connect with a maximum speed of 54Mbps (same as 802.11g). If all your wireless devices support 802.11n, you can select "N only" wireless mode for optimal performance. This mode does not allow 802.11b/g to connect.
  • Tick the "optimized for Xbox" if your WiFi network has Xbox 360 connected, otherwise just leave it unticked.
  • If your WiFi network has old 802.11b and/or 802.11g devices, tick the "b/g Protection". This will protect those devices from interferences which will also affecting the 802.11n devices.
  • Set channel bandwidth to 20/40 MHz to allow 802.11n connections to combine 2 channels for faster transmission speed, provided there is minimal channel interference with your neighbours. The router will device whether to use 20 MHz (one channel) or 40 MHz (dual channel) based on actual situation.
  • Try to use control channel 1, 6 or 11 if none of your neighbours is using it. These 3 channels are non-overlapping.

For 5GHz band:
  • Try to use a different SSID from 2.4GHz to have more control on which band you want your device to connect to.
  • There are 4 wireless modes available. "Auto" allows 802.11ac/n/a devices to connect to the WiFi network. "Legacy" only allows 802.11n/a devices to connect, and the 802.11n devices can only connect with a maximum speed of 54Mbps. "N only" will exclude all the 802.11 ac/a devices. For most of the users, you should choose "N/AC mixed" because only very old device will use the 802.11a connection on 5GHz band, you probably don't have such device at home.
  • Tick the "optimized for Xbox" if your WiFi network has Xbox 360 connected, otherwise just leave it unticked.
  • Set channel bandwidth to 20/40/80 MHz to allow the router to make use of either single channel, 2 channels or 3 channels, based on the actual situation.
  • The best control channel for most Asus routers is channel 48. Channels 36/40/44/48 belong to the UNII-1 low band channels, with channel 48 having the best transmission power. Other channels above are belonging to the UNII-2 or UNII-3 channels, which availability for use is depending on the country's regulation. Those higher band channels are in the Dynamic Frequency Selection (DFS) spectrum, and the router will simply disable using them if any radar systems is detected using the same spectrum.

For both 2.4GHz and 5GHz bands:
  • Extension channel is the second channel for 40 MHz bandwidth (and third channel for 80 MHz in 5GHz band), which you can specify it to be either above the control channel or below the control channel.
  • For most home users, set your authentication method to "WPA2-Personal" and WPA encryption to AES. If you have a RADIUS server in your local network, you can use "WPA2-Enterprise" for better security.
  • WPA pre-shared key is a passphrase, which you can use a short sentence of words instead of a single word.
  • For most of the users, you can leave protected management frames to be disabled. You can enable it for better security, but wireless clients that don't support this feature might not be able to connect to your WiFi network.
  • In WPA WiFi connections, the group key is a shared encryption keys among all the connected devices to secure multicast/broadcast traffic. It is more secured to change this group key at certain time interval, although for most home user, there is usually no harm for not to change it. For group key rotation interval, the figure is in seconds. You can set it to 0 to use the same key without any periodic change required. The interval can be from 1 second to 2,592,000 seconds. 3,600 seconds should be good enough for most users.

WPS (WiFi Protected Setup) provides an easy way to connect new device to the WiFi network. For most home user, you can just disable this function, as your wireless devices at home is pretty fixed.

WDS (Wireless Distribution System) is a kind of wireless bridging function to extend your WiFi coverage with additional access points (AP). If your home network only has one wireless router, you can ignore the settings here. Besides, Asus routers has a better way of interconnection called AiMesh.

If you discovered your neighbour is stealing your WiFi network, you can block their device with Wireless MAC Filter. It is very straightforward to configure.

RADIUS Setting is for WPA2-Enterprise network. Most home users can just leave it as it is.

Below is my configuration for Professional Wireless settings, for your reference.

For 2.4GHz:
  • Enable Radio: Yes
  • Enable wireless scheduler: No
  • Set AP Isolated: No
  • Roaming assistant: Disable (enable if you use Smart Connect function)
  • Bluetooth Coexistence: Pre-emptive (if you use Bluetooth keyboard/mouse/speaker nearby your router)
  • Enable IGMP Snooping: Disable
  • Multicast Rate(Mbps): Auto
  • Preamble Type: Long
  • AMPDU RTS: Enable
  • RTS Threshold: 2346
  • DTIM Interval: 3
  • Beacon Interval: 100
  • Enable TX Bursting: Enable
  • Enable WMM: Enable
  • Enable WMM No-Acknowledgement: Disable
  • Enable WMM APSD: Enable
  • Optimize AMPDU aggregation: Disable
  • Modulation Scheme: Up to MCS 11 (NitroQAM/1024-QAM)
  • Airtime Fairness: Enable
  • Multi-User MIMO: Enable
  • Explicit Beamforming: Enable
  • Universal Beamforming: Enable
  • Region: make sure you select correctly

For 5GHz:
  • Enable Radio: Yes
  • Enable wireless scheduler: No
  • Set AP Isolated: No
  • Roaming assistant: Disable (enable if you use Smart Connect function)
  • Enable IGMP Snooping: Disable
  • Multicast Rate(Mbps): Auto
  • AMPDU RTS: Enable
  • RTS Threshold: 2346
  • DTIM Interval: 3
  • Beacon Interval: 100
  • Enable TX Bursting: Enable
  • Enable WMM: Enable
  • Enable WMM No-Acknowledgement: Disable
  • Enable WMM APSD: Enable
  • Optimize AMPDU aggregation: Disable
  • Modulation Scheme: Up to MCS 11 (NitroQAM/1024-QAM)
  • Airtime Fairness: Enable
  • Multi-User MIMO: Enable
  • 802.11ac Beamforming: Enable
  • Universal Beamforming: Enable
  • Region: make sure you select correctly

WiFi Radar enables you to check for the WiFi channels usage and congestion state around your area, so that you can set your control channel to the least congested option. Before using it, you need to go to the Configure tap and click on the Start Data Collection button, wait for a few seconds, then click on the Stop Data Collection button.

Friday, November 9, 2018

Tweaking network settings in Asuswrt-Merlin

The Tools > Other Settings in Asuswrt-Merlin firmware is a menu not found in the stock Asuswrt firmware. It enables us to tweak some network settings to the router, which most of the time we can just keep them at default value.


Traffic history is a small database storing information required by the Traffic Analyzer. By default it is stored in RAM, which will be lost after the router is restarted.

You can set the traffic history location to NVRAM to preserve the data after router restart, and set the frequency whereby the database will be copied from RAM to NVRAM. Note that the NVRAM in the router has a finite times of read/write cycle. It is advisable to set the save frequency not to be too frequent to prolong the wear-and-tear of the NVRAM.

A better way is to save it to custom location, which can be a mounted USB storage device.

If your ISP billing cycle is not on the first day of the month, you can change the default starting day of monthly cycle from the default 1 to the first day of your billing cycle. This will enable you to have better view of your monthly traffic based on your billing cycle.

Asus routers such as the RT-AC86U have a physical button for you to turn off all its LED lights. This is a feature for you to conceal the router, particularly at night or in dark condition. Asuswrt-Merlin provides you the software option to turn off the LED lights by enabling Stealth Mode in miscellaneous options. In fact, you can further tweak your router to automatically turn off the LED lights during certain time, and make them function as normal during other period of time. You can click here to learn more about scheduled LED control.

New firmware version check will alert you when you login to the router and there is new Asuswrt-Merlin firmware available. You will still need to manually download the firmware after getting the alert, and perform the update accordingly. You are given the option not to check for beta firmware releases.

For TCP/IP settings, just keep the default values unless you have certain network application, such as VoIP, that need the tweaking. TCP connections limit is in quantity. All the timeout values on the screen are in number of seconds.

In IPv4, Address Resolution Protocol (ARP) is used to find out and associate the Media Access Control (MAC) address of a network interface with its IP address. It was done by a broadcast in the Layer 2. In IPv6, ARP is replaced by Neighbour Solicitation. By default, IPv6 neighbour solicitation broadcast is allowed by the internal firewall of the router, and Asuswrt-Merlin allows you to instruct the internal firewall to drop such broadcast, if it bothered you.

The Asuswrt firmware has a program called WANduck, which handles tasks related to your Internet (WAN) connections. WANduck is "inherited" in Asuswrt-Merlin firmware.

By default, WANduck will keep on sending DNS queries every few seconds to check if your WAN link is connected or not. You can disable this in the advanced tweaks and hacks settings. It is advisable not to change the default setting, unless you are clear about your reason to disable it.

Asusnat tunnel is a special NAT tunnel built-in to enable access to the router from the WAN side, even under NAT network. It is used by certain features, and the Asus Router mobile app. If you are paranoid about this kind of tunnel, you are given the option to disable it.

The Web Proxy Auto-Discovery (WPAD) protocol is a technology which aids a web browser in automatically detecting the location of a Proxy Auto Config (PAC) file using DNS or DHCP. The PAC file contains information of web proxy server.
By default, the DHCP server in the router will send empty WPAD with a carriage return to the requester. If this behavior causes problem, you can disable the sending of carriage return in empty WPAD.

Tuesday, November 6, 2018

Configuring AiCloud 2.0 in Asuswrt-Merlin

Asus AiCloud 2.0 is a "personal cloud" feature available in Asus wireless routers, enabling you to have easy access to your shared files either inside your home network or externally from the Internet.

External access to AiCloud is still unaffected even if you have disabled web access from WAN, i.e. remote access to your router's configuration web interface is disabled from the Internet (configured the Administration > System > Remote Access Config > Enable Web Access from WAN to "No", which is a good security measure to prevent unauthorized remote access to your router).

AiCloud is best to be used with a Cloud Disk USB storage device plugged in to your router's USB 3.0 port. It can be a USB thumb drive or a USB external harddisk. You can either format it with NTFS or EXT4 file system.

In my experience, AiCloud for Asus RT-AC86U router can work properly with the following combination of file systems:

  • NTFS only, single partition
  • EXT4 only, single partition
  • NTFS + EXT4. The EXT4 is to be used by Entware or Optware
  • NTFS + EXT4 + SWAP
Inside AiCloud 2.0 menu option, there are 3 settings. You need to turn on Cloud Disk in order to share the attached USB storage device to both your Intranet and the Internet.

I recommend to disable Smart Access, unless you want all your shared resources in your internal network to be remotely accessible from the Internet via AiCloud.

Smart Sync is said to be able to sync your attached USB storage to Asus Webstorage in the cloud, or AiCloud of another router in the Internet. In order to use Smart Sync, you need to enable both Cloud Disk and Smart Access. I found this function to be still buggy, and haven't found the way to make it work properly with Asus Storage yet. Therefore, I just keep it off.



In order to access your AiCloud from the Internet, particularly when you don't have a fixed IP address allocated by your ISP, you will need to have your DDNS service up and running. It is configured inside WAN > DDNS, and you have quite a wide variety of DDNS servers that you can choose to use.


You can access to your AiCloud using:
  • Web browser connecting to your router's AiCloud Web Access Port, configured in AiCloud 2.0 > Settings > AiCloud Web Access Port. It is advisable for you to change this port number from the default to your own.

Asus Download Master is a utility in the router that enable you to download Internet files using torrents to your attached USB storage device. It is not installed by default, and when you install it, the router will setup optware in your USB storage device and install the Download Master utility there. It can then be accessible using its web interface by browsing to its port in your router.

I think Internet files downloading is much better to be handled by proper software in your computer, rather than using the utility in your router. It will consume your router's CPU and memory resources, reduce its stability and reduce its security level.

Inside USB Application > Media Services and Servers, you can make use of the built-in media server functionality in your router (miniDLNA) to stream media stored in the attached USB storage device to computers, tablets, smartphones, smart TV, media player, etc. Supported media content includes video, music and pictures.


If you enable iTunes Server, you can stream the media content to iTunes app and Apple TV in your intranet. Disable this if you don't need it.

By using Manual Media Server Path, you can specific only media files resided in certain folders in the attached USB storage device be accessible with the media server. For each of the folders, you can further specify whether to share the audio, image or video in it.

For Samba network file sharing, the following settings are recommended:
  • Allow guest login: Off
  • Maximum number of concurrent connects: 5
  • Samba protocol version: SMBv2
  • Simpler share naming: Yes
  • Force as Master Browser: Yes
  • Set as WINS server: Yes, unless you already have a WINS server in your local network
SMBv2 is more secured against Windows malware attack. However, you might see the following log entries in your router, which is caused by one or more clients trying to access using the old SMBv1 (CIFS) protocol.

 
To eliminate these log entries, you can either set the Samba protocol version to "SMBv1 + SMBv2", which is not recommended due to malware security issue with SMBv1, or to turn off SMBv1 clients.

In Windows, you can turn off its SMBv1 client by going to Control Panel > Programs > Programs and Features > Turn Windows features on or off > SMB 1.0/CIFS File Sharing Support and uncheck the SMB 1.0/CIFS Client.


The settings for NFS exports and FTP Share is pretty straightforward. You can just disable them if not in used.

Hint: Click on the "Older Posts" link to continue reading, or click here for a listing of all my past 3 months articles.