Last Updated on March 7, 2018 by Dave Farquhar
Consumer routers drive security professionals like me crazy. I’m happy to say I finally found a router that doesn’t drive me nuts. I want you to buy an Asus RT-AC66U. I’m going to tell you why, and I’m going to tell you how to configure it. Here’s how to set up an Asus RT-AC66U and how to optimize an Asus RT-AC66U.
First things first. I’m a security professional. You know, the guy who says no for a living. I’m the guy who goes on a model train forum and answers an off-topic computer question and the other IT guys tell me I’m one of those people who makes their careers and lives impossible. I’m that guy, and I’m excited about a router.
The Asus RT-AC66U isn’t quite the router I would build myself if I were going to build one. But it doesn’t take much to make it really close. Close enough that I have no reason to bother. Of all the 802.11ac routers I’ve seen, the RT-AC66U is my favorite.
Upgrade the firmware
There’s a wonderful aftermarket firmware for Asus wireless routers called Asus WRT-Merlin. Asus does right by the GPL and publishes its source code and build files, so a kind developer named Eric Sauvageau downloads it, updates it, adds a small number of enhancements, and provides it for free. Asus WRT-Merlin is the only router firmware I’ve seen that fixes the infamous Linux dirty cow vulnerability.
While Asus WRT-Merlin isn’t as full featured as DD-WRT, it leaves out a lot of the settings that can get you in trouble and it retains the nice Asus user interface. Plus it fixes security vulnerabilities a lot faster, so in most ways, it’s more secure.
Upgrading is dead simple. Download the latest build and unzip it. Log in to your router. Click Administration, then click Restore/Save/Upload Setting. Save your settings if you wish. Then reset the factory defaults by clicking Restore.
Log back in, click Administration, then click Firmware Upgrade. Click Choose File, select the file you just unzipped, click Open, then click Upload. Wait about three minutes for the router to flash the new firmware and reboot. Log back in with the default credentials of admin/admin and set a new password. Now you have the most secure router on the block, from a software perspective.
It’s a good idea to check for updates and upgrade the firmware occasionally. I know you won’t do it once a month, but could you think about doing it once a year? Sometimes the new firmware has new features, so there may be something in it for you other than just security.
Secure your wireless network
When you click through the automatic configuration wizard, the results you get are pretty good. You need to choose a fairly long password, and I have some advice for making a secure one that’s not too obnoxious.
Other than that, this firmware omits a lot of the insecure settings, which is fantastic. It makes it really hard to make a fatal mistake. The one thing I really recommend is navigating to Wireless, then to WPS, and under Enable WPS, set it to OFF. WPS is pretty easy to crack.
Now, since you have a WPS button that serves no function, navigate to Administration, then to System. Scroll down to WPS Button behavior and select Toggle Radio. Now that button turns your wifi on and off.
Universal Plug and Play is another convenience feature that tends to be too insecure to be worth it. Unless you have a device that really needs UPnP to work, navigate to WAN, then to Internet Connection, scroll down to Enable UPnP and select No.
Change your network settings
Most router malware assumes your router lives at 192.168.0.1 or 192.168.1.1 because about 90 percent of them do. So you can gain a surprising amount of security by navigating to LAN, then to LAN IP, and changing your router’s IP address to something else. The default is 192.168.1.1. You can change it to 192.168.1.2. Click Apply, and just put a piece of tape on your router saying what the IP address is so you’ll be able to log into it again.
If you’ve assigned any static IP addresses to your home network, be sure to change your gateway. If you don’t know what I’m talking about, you probably don’t have any.
Router malware lives in RAM, so rebooting clears it. Of course a vulnerable device stands a chance of reinfection, but some defense in between upgrades is better than none. I have my router reboot every day at 2 AM.
To set this up, navigate to Administration, then to System. Scroll down to Enable Reboot Scheduler and click Yes. Choose the weekday(s) to reboot, type in the time of day, and choose your time zone so you don’t reboot at 2 AM Zulu time instead of your local time zone.
Create a guest network for your guests
Chances are when you have visitors, you want them to have Internet access. I’m sure you’ve seen the meme that says something like “I’m having people over to stare at their phones later if you want to come by.” Anyway, you don’t want random computers connecting to the same network as the computer you use for banking.
Click on Guest Network and create a 2.4 GHz network for your guests. I know some people recommend creating 2.4 GHz and 5 GHz networks of the same name so dual-band devices can jump between them, but that occasionally causes problems. Make it easier on yourself and just give your guests 2.4 GHz.
Give the network a boring-sounding name, select WPA2-Personal with AES encryption, and create a strong password that isn’t too obnoxious to type. But do put a password on it; that protects you and your guests. It keeps people you don’t know from breaking the law on your network, and it keeps people from snooping on your guests’ traffic. Be sure to leave the Access Intranet option set to Disabled. The intranet is your home network.
Do not include “guest” in your network name. That suggests you know what you’re doing. The network with a guest network attached is the one a bad guy will want to attack, but it’s the regular network that’s going to have the good stuff.
Put your IoT stuff on a guest network
As you can imagine, I’m not a big IoT guy. I like my light bulbs energy efficient but dumb. That said, some devices, like the Ring Wi-Fi Enabled Video Doorbell, greatly enhance your home’s physical security. So I understand you wanting one of those.
So, create an isolated guest network to put those devices on, if you have them. Click on Guest Network and create one. You can create up to three guest networks on each band. Chances are a lot of your IoT stuff is only 2.4 GHz capable.
Give the network a boring-sounding name, select WPA2-Personal, AES encryption, and create a strong password that isn’t too obnoxious to type. Be sure to leave the Access Intranet option set to Disabled. The intranet is your home network.
Again, don’t include “guest” in that network name.
Here’s more on guest networks if you’re interested.
Other things to not do
SNMP is in a tab under Administration. It’s disabled by default. If you need SNMP, do not choose the Allow access over WAN option.
Do not enable your router’s Web Access from WAN. That’s in Administration under System. If you’ve set one of these up for a remote family member, enable SSH and use SSH to connect to it if you need to do something. SSH access allows you to temporarily enable web access from the WAN. Enter these commands from SSH:
nvram set misc_http_x=1
nvram set http_enable=2
Disable WAN access from the web interface after you’re done changing things.
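The WPS and UPnP settings from the wireless section and the WAN-facing services in this section all live in the router's nvram, so once SSH is on you can check them in one pass instead of clicking through every tab. The script below is an added example, not code from this article or from Asus WRT-Merlin. It audits an `nvram show`-style dump (name=value, one per line) against the recommendations in this post and also flags a router still sitting on 192.168.0.1 or 192.168.1.1. Only misc_http_x is taken from the article; wps_enable, wan_upnp_enable, snmpd_enable and lan_ipaddr are assumed Asuswrt variable names that can differ between firmware builds, so confirm them with `nvram show | grep` on your own router before trusting a result. The two sample dumps are constructed, not captured from a real device.

```shell
#!/bin/sh
# Added audit example, not code from the article or from Asus WRT-Merlin.
# Reads an `nvram show`-style dump (name=value, one per line) and reports whether
# the settings the article says to turn off are actually off.
# misc_http_x comes from the article; wps_enable, wan_upnp_enable, snmpd_enable
# and lan_ipaddr are ASSUMED Asuswrt variable names and may differ per build.

# Print the value of variable $2 from the dump in $1 (empty if it is absent).
nvram_get() {
    printf '%s\n' "$1" | grep "^$2=" | head -n 1 | cut -d= -f2-
}

# Print one line per check: "OK   name=value" or "WARN name=value (reason)".
audit_dump() {
    dump="$1"
    # Services that should be exactly 0 (off) on a home router.
    for spec in \
        "wps_enable:WPS is easy to crack; set Enable WPS to OFF" \
        "wan_upnp_enable:UPnP should be off unless a device really needs it" \
        "misc_http_x:web access from WAN should stay disabled" \
        "snmpd_enable:SNMP is off by default; leave it off unless needed"
    do
        name=${spec%%:*}
        reason=${spec#*:}
        value=$(nvram_get "$dump" "$name")
        if [ "$value" = "0" ]; then
            echo "OK   $name=$value"
        else
            echo "WARN $name=${value:-unset} ($reason)"
        fi
    done
    # The router should not sit on one of the two addresses router malware assumes.
    ip=$(nvram_get "$dump" lan_ipaddr)
    case "$ip" in
        192.168.0.1|192.168.1.1) echo "WARN lan_ipaddr=$ip (move the router off the common default address)" ;;
        "")                      echo "WARN lan_ipaddr=unset (could not read the LAN address)" ;;
        *)                       echo "OK   lan_ipaddr=$ip" ;;
    esac
}

# Number of WARN lines for a dump, so a wrapper script can fail on a non-zero count.
# grep -c exits 1 when the count is 0, hence the "|| true".
warning_count() {
    audit_dump "$1" | grep -c '^WARN' || true
}

# Constructed sample dumps (not captured from a real router).
FACTORY_DEFAULTS='lan_ipaddr=192.168.1.1
wps_enable=1
wan_upnp_enable=1
misc_http_x=0
http_enable=0
snmpd_enable=0
sshd_enable=0'

HARDENED='lan_ipaddr=192.168.1.2
wps_enable=0
wan_upnp_enable=0
misc_http_x=0
http_enable=0
snmpd_enable=0
sshd_enable=1'

# On the router itself you would run:  audit_dump "$(nvram show)"
# Here, audit the constructed samples instead.
echo "== factory defaults =="; audit_dump "$FACTORY_DEFAULTS"
echo "== hardened =="; audit_dump "$HARDENED"
```

Over SSH on the router, `audit_dump "$(nvram show)"` gives the report for the live configuration; a non-zero `warning_count` is a quick way to notice that settings drifted back toward the defaults, for example after the factory reset that precedes a firmware upgrade.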
Disabling other stuff
Toby Meyer has a thorough guide talking about disabling other features you aren’t using. I won’t replicate it here. It’s a good practice to disable stuff you don’t use.
Here’s why. If there’s a bug in the printer sharing feature, it may be possible to do something bad with it, even if you aren’t using it. But if you disable that feature, the bug doesn’t matter.
I actually plan to plug a printer into one USB port and a big flash drive into the other USB port and use my router to share them out. But if you don’t, disabling that and other features you don’t use will improve your security. The USB 2.0 ports are the one thing I don’t like about this router. I’d prefer USB 3.0 but that’s likely reserved for the pricier models.
Positioning your external antennas
If you can handle how it looks, you’ll get better reception if you turn one antenna horizontal instead of leaving all three vertical. Some people hate how this looks and won’t do it, but it will give you better wireless reception.
Use the LAN ports when you can
What do the router’s LAN ports have to do with wireless? Plugging computers straight into the LAN ports reduces the amount of wireless traffic, which can make it easier for devices like phones and tablets to connect. I ran Ethernet ports to most rooms of my house for this purpose. If you have streaming devices like those from Roku, they’re sometimes happier running off a LAN port instead of wireless.
Thank you for reading this far. Sincerely. Old routers are really making the Internet a much more hostile place than it needs to be. If everyone threw out their old routers, bought an Asus RT-AC66U or one of its brethren and set it up like this, the Internet would be a safer place. So thank you for buying one and considering configuring yours like this. It helps you, but it also helps me.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.
12 thoughts on “How to set up and optimize an Asus RT-AC66U”
Yay! My router gets the Dave seal of approval. Of course, I’m not running Asus Merlin WRT (DD-WRT for bandwidth tracking options) but I’ve loved my AC-66U.
Not so in love with the Netgear Charter put in for my second line.
What, if anything, would you edit about this piece if you were using a slightly newer RT-AC68U? Which would you use as the border/primary router and which would you use internally (access point/subnet router)?
No difference other than making sure you load the appropriate firmware. I would use the AC68U at the border, and use the lighter-weight router internally. With other models, I’d use the bigger, better one at the border and smaller, cheaper ones inside.
The major difference is faster network speeds and more CPU power in the bigger models. The firmware’s capabilities stay the same but the bigger, faster CPUs will be more responsive.
I have learned a lot from your articles and thank you for them. I am thinking of installing a VPN in my AC68U and was wondering if Merlin would allow me to do this or would I have to go the DD-WRT route?
Thanks Rob. To answer your question, yes, Merlin has VPN capability built in, so it’s definitely an option for you.
Also the latest version update samba:
Updated Samba version (3.6, with SMB 2.0 support) from Samba 3.0.33 (no SMB2 support).
Just an FYI, but the last legacy release of Asus Merlin (380.70), released on 2018-April-08, is the last version to support the RT-AC66U, per the release notes. Only the new generation branch is being developed now, and the AC66U was dropped. There is a user who has forked the old code branch to continue support for the AC66U, though, I haven’t looked into it yet.
Thanks for that. I’ve pulled down the forked version but haven’t done anything with it yet.
Hi Dave! We recently got our speed out of the modem up to 950 Mbps, our ac66u (Asus RT-AC1750) supposedly supports gigabit, but we are being throttled to 130 Mbps on our LAN ports. We’ve eliminated every variable except for the router, yet still, we’re seeing 130 Mbps on our LAN ports.
So, my question for you is, are you aware of any way to get around this using MerlinWRT or DD-WRT?
We love this router, but we’re going to have to get rid of it if this can’t be resolved, and I’m about 18hrs deep in forum posts with no answer… Thanks a ton for your time, hope to hear back soon!
That is odd. I can tell you on my AC66U running Merlin, I got gigabit-ish speeds out of my LAN ports. Throughput was maybe 10 megabits lower than I’d see on a commercial-quality Dell managed switch, but I always measured 900-something when I’d check my throughput. Worlds better than 130 meg.
I will tell you the first thing I did with my AC66U was to flash Merlin onto it, so I didn’t really pay any attention to the speeds with the factory firmware.
I had a similar issue where I was only getting about 100-120 Mbps on my 300 Mbps net connection with my AC66U. I knew something was odd because when I got the router initially I always got about 270-290 Mbps on my net connection. Turns out it was because I had turned on QoS and device logging. Once I turned off QoS my speeds shot up to 170-200 Mbps. I then turned off device logging, which disables hardware switching and has to use the single core CPU, and my speeds are back to normal.
I wrote that comment too quickly as I was trying to run out the door. When device monitoring, aka IP Traffic Monitoring (under Tools > Other Settings > Enable Traffic Monitoring), is enabled, it disables NAT Acceleration.
As a test, I set IP Traffic Monitoring to on just now, and it automatically set NAT Acceleration under LAN > Switch Control to Disable. My Internet throughput decreased from an average of about 270 Mbps to 160 Mbps. Once I turned IP Traffic Monitoring off and went to NAT Acceleration and set it to Auto, my speeds jumped back up to 270 Mbps on my Net connection.
I should also state that this is using Asus Merlin on an AC66U router.