ASUS Router Operations
Facts verified as of 2026-07.
Authoritative guidance for configuring and hardening ASUS routers — stock Asuswrt and Asuswrt-Merlin firmware — via the web UI and SSH/nvram. Covers security hardening, encrypted DNS, VPN, network segmentation, AiMesh, AiProtection, and JFFS scripting.
Safety first. Changes here can lock you out or drop the network. Test during low-usage windows, document the before value, and know how to undo. Cite official docs, not folklore.
Stock Asuswrt vs Asuswrt-Merlin
| | Stock Asuswrt | Asuswrt-Merlin |
|---|---|---|
| Base | ASUS official | Community fork of ASUS source (same core, more control) |
| Scripting | Limited | JFFS custom scripts, cron, services-start, firewall-start, nat-start |
| DNS control | Basic | DNS Director (per-client/global DNS redirection, DoT) |
| VPN | OpenVPN/WireGuard server+client | + VPN Director (policy/split-tunnel routing) |
| Best for | Most users | Power users wanting scripts, fine-grained DNS/VPN routing |
Never mix stock and Merlin nodes in the same AiMesh network. Keep the firmware family consistent across mesh nodes.
Security hardening checklist
Do these on every new router, in order:
- Change defaults immediately — both the admin/login password and the WiFi password.
- Disable WPS — it's a brute-force surface.
- Disable UPnP unless an app genuinely needs it (it creates unpredictable port forwards).
- Use explicit port forwarding, never DMZ — DMZ exposes the entire device.
- Disable remote WAN admin access — use a VPN to manage remotely instead.
- Enable AiProtection (two-way IPS + malicious-site blocking) where available.
- Set up a guest network with intranet access disabled (proper isolation).
- Enable firewall logging for security monitoring; forward to syslog if you have a collector.
- Apply ingress filtering (BCP38/84 anti-spoofing) where supported.
- Keep firmware current — security fixes land in point releases.
See references/hardening-and-network.md for the full hardening rationale, VLAN/IoT
segmentation, AiMesh backhaul tuning, QoS, and dual-WAN.
DNS privacy stack
| Layer | What | Notes | |-------|------|-------| | Transport | DoT (DNS over TLS) or DoH (DNS over HTTPS) | Stops plaintext port-53 hijacking. Merlin DNS Director can enforce DoT | | Provider | Cloudflare (1.1.1.1), NextDNS, ControlD, AdGuard | Choose for filtering/analytics needs | | Validation | DNSSEC | Validates record authenticity | | Per-client policy | DNS Director (Merlin) | Different DNS per device/profile; split-horizon | | Rebinding protection | On by default | Can break local services (Plex, smart home) — whitelist specific domains rather than disabling wholesale |
Avoid plain DNS (port 53) — unencrypted and hijackable. Move to DoT/DoH.
VPN decision table
| Need | Use | |------|-----| | Fast modern tunnel, low overhead | WireGuard server/client (preferred where supported) | | Maximum compatibility / legacy clients | OpenVPN server/client | | Route only some clients/traffic through VPN | VPN Director (Merlin) — policy-based split tunnel | | Remote admin of the router | VPN in, then manage on LAN (never expose WAN admin) |
Common clients: NordVPN, Surfshark, Mullvad via OpenVPN/WireGuard config import.
Network segmentation
| Goal | Approach | |------|----------| | Visitor isolation | Guest network with "Access Intranet" off | | IoT containment | Dedicated guest/VLAN SSID; block lateral movement to main LAN | | Consistent guest across mesh | Enable guest on AiMesh deliberately; mind "Access Intranet" per node | | Smart-home discovery | mDNS/Bonjour may need controlled cross-VLAN allowances — scope narrowly | | Segmented routing | VLAN segmentation + routing policies (capability varies by model) |
Patterns to avoid
| Anti-pattern | Why | Instead | |--------------|-----|---------| | DMZ mode | Exposes the whole device to the internet | Explicit per-port forwarding | | UPnP globally on | Unpredictable auto port forwards | Enable only when required, understand the risk | | Plain DNS (port 53) | Plaintext, hijackable | DoT/DoH | | Mixing stock + Merlin in AiMesh | Inconsistent behavior | Keep firmware family uniform | | Disabling DNS rebind protection wholesale | Reopens rebinding attacks | Whitelist the specific local domains that break | | Wireless mesh backhaul on congested channels | Throughput collapse | Wired backhaul or dedicated DFS 5GHz channel | | Default admin/WiFi credentials | Trivial compromise | Change both immediately | | Remote WAN admin enabled | Major attack surface | Manage via VPN |
Operating principles
- Reversibility — record the current value before changing; know the undo path.
- Testability — change during low-usage windows; verify before walking away.
- Trade-offs — note privacy-vs-functionality costs (rebind protection vs local services).
- Verification — confirm via system log, client-side test (e.g. DNS leak test), or
nvram get. - Cite official docs — avoid unverified tweaks.
SSH / JFFS scripting (Merlin)
Merlin runs user scripts from JFFS at lifecycle points. Enable JFFS custom scripts and configs (Administration → System) first.
| Script | Runs at | Use for |
|--------|---------|---------|
| services-start | After services start | Start custom daemons |
| firewall-start | After firewall (re)builds | Add custom iptables rules (survives firewall restarts) |
| nat-start | After NAT rules load | Custom NAT/port rules |
| dnsmasq.postconf | Before dnsmasq starts | Inject dnsmasq config |
Inspect/set persistent config with nvram get <key> / nvram set <key>=<val> + nvram commit
(commit sparingly — it writes flash).
The assets/firewall-start.sh template shows the canonical safe shape for custom firewall
rules. See references/hardening-and-network.md for placement and gotchas.
Assets
| File | Use |
|------|-----|
| assets/firewall-start.sh | Annotated Merlin /jffs/scripts/firewall-start template — idempotent custom iptables rules with safe-by-default examples |
See also
net-ops— general networking: subnets, DNS, TLS, firewalls, packet inspection