Saturday, November 17, 2018

Configuring WAN settings in Asuswrt-Merlin for TM UniFi

Below are my Internet Connection settings for TM UniFi:

  • WAN Connection Type: PPPoE
  • Enable WAN: Yes
  • Enable NAT: Yes
  • NAT Type: Symmetric
  • Enable UPnP: No (for better security control)
  • Get the WAN IP automatically: Yes
  • Connect to DNS Server automatically: No (set to Yes to use the DNS servers of your ISP)
  • DNS Server: you can use the DNS servers of your ISP, or any of the public DNS servers below:
    • Cloudflare:,
    • FreeDNS:,
    • Google:,
    • Level3:,
    • OpenDNS:,
    • Quad9:,
    • UncensoredDNS:,
    • Verisign:,
  • PPP Username: your username given by the ISP
  • Password: your password given by the ISP
  • Disconnect after time of inactivity: 0 seconds (never disconnect)
  • MTU: 1480
  • MRU: 1480 (same value as MTU)
  • Internet Detection: PPP Echo
  • PPP Echo Interval: 30 seconds
  • PPP Echo Max Failures: 5 times
  • Enable VPN+DHCP Connection: Yes
  • Spoof LAN TTL value: No
You can use the ping command to find the maximum possible MTU value for your WAN connection. Ping any external server that accepts ICMP echo with the parameters "-f -l xxxx" (Windows ping: -f sets the Don't Fragment flag, -l sets the payload size in bytes), and make xxxx as large as possible while the ping result still shows 0% packet loss without packet fragmentation. Any larger number will cause packet fragmentation.

Your MTU is this xxxx number plus 28 (20 bytes for the IP header and 8 bytes for the ICMP header).

In the ping results shown above, the maximum number is 1452. Therefore, the MTU is 1452+28=1480.
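
The manual trial-and-error search above can be automated with a binary search. This is an added example, not part of the original post; the function names `ping_df` and `find_mtu`, the 1200 to 1472 search range, and the Linux iputils flags (`-M do -s`) are assumptions made for illustration.

```python
import platform
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header


def ping_df(host, payload, tries=2):
    """Return True if an echo of `payload` bytes with Don't Fragment set is answered."""
    if platform.system() == "Windows":
        # Same "-f -l xxxx" parameters as in the post, one echo, 2 s timeout.
        cmd = ["ping", "-n", "1", "-w", "2000", "-f", "-l", str(payload), host]
    else:
        # Assumption: Linux iputils ping; macOS/BSD use different flags.
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
    for _ in range(tries):  # retry so one lost packet is not read as "too big"
        done = subprocess.run(cmd, capture_output=True, text=True)
        # Do not trust the exit code alone: also require a reply line,
        # which always carries a TTL field.
        if done.returncode == 0 and "ttl=" in done.stdout.lower():
            return True
    return False


def find_mtu(probe, low=1200, high=1472):
    """Binary-search the largest payload for which probe(payload) is True.

    Returns (payload, mtu), or None if even `low` fails (host unreachable,
    ICMP filtered, or an unusually small path MTU).
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2  # round up so the loop always terminates
        if probe(mid):
            low = mid        # mid fits unfragmented: search larger sizes
        else:
            high = mid - 1   # mid needs fragmentation: search smaller sizes
    return low, low + IP_ICMP_OVERHEAD


if __name__ == "__main__":
    host = sys.argv[1]  # an external server that answers ICMP echo
    print(find_mtu(lambda size: ping_df(host, size)))
```

The upper bound of 1472 corresponds to a 1500-byte Ethernet MTU; a PPPoE link will normally top out lower, as in the result above.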

Dual WAN: if you have only a single Internet connection, set this to Off. If you have two Internet connections, set this to On. Your secondary WAN connection can be configured as a failover backup link, which is active only when the primary WAN is down, or as a load-balancing link, which is active together with the primary WAN and shares the Internet traffic.

Port Trigger: Disabled. You can enable it if required.

Virtual Server / Port Forwarding: Disabled. You can enable it if required. Note that if you have enabled the Parental Control function of the router, some Port Forwarding rules will be set here automatically for the Parental Control function.

DMZ: Disabled.

Enable DDNS Client: Yes.

Method to retrieve WAN IP: Internal.

Server: pick whichever one you prefer. Use Asus if you have no preference.

Host Name: pick a name by which your router will be accessible from the Internet. Any name can be used as long as it is not already in use by another user of the DDNS server.

HTTPS/SSL Certificate: Let's Encrypt (this is the easiest to use)

NAT Passthrough:
  • PPTP Passthrough: Enable
  • L2TP Passthrough: Enable
  • IPSec Passthrough: Enable
  • RTSP Passthrough: Enable + NAT helper
  • H.323 Passthrough: Enable + NAT helper
  • SIP Passthrough: Enable + NAT helper
  • Enable PPPoE Relay: Disable
If you don't use any VPN client or VoIP in your LAN, you can set the NAT passthrough options to Disabled.

