Consumer routers drive security professionals like me crazy. I’m happy to say I finally found a router that doesn’t drive me nuts. I want you to buy an Asus RT-AC66U. I’m going to tell you why, and I’m going to tell you how to configure it. Here’s how to set up an Asus RT-AC66U and how to optimize an Asus RT-AC66U.

First things first. I’m a security professional. You know, the guy who says no for a living. I’m the guy who goes on a model train forum and answers an off-topic computer question and the other IT guys tell me I’m one of those people who makes their careers and lives impossible. I’m that guy, and I’m excited about a router.

The Asus RT-AC66U isn’t quite the router I would build myself if I were going to build one. But it doesn’t take much to make it really close. Close enough that I have no reason to bother. Of all the 802.11ac routers I’ve seen, the RT-AC66U is my favorite.

Upgrade the firmware

There’s a wonderful aftermarket firmware for Asus wireless routers called Asus WRT-Merlin. Asus does right by the GPL and publishes its source code and build files, so a kind developer named Eric Sauvageau downloads it, updates it, adds a small number of enhancements, and provides it for free. Asus WRT-Merlin is the only router firmware I’ve seen that fixes the infamous Linux dirty cow vulnerability.

While Asus WRT-Merlin isn’t as full featured as DD-WRT, it leaves out a lot of the settings that can get you in trouble and it retains the nice Asus user interface. Plus it fixes security vulnerabilities a lot faster, so in most ways, it’s more secure.

Upgrading is dead simple. Download the latest build and unzip it. Log in to your router. Click Administration, then click Restore/Save/Upload Setting. Save your settings if you wish. Then reset the factory defaults by clicking Restore.

Log back in, click Administration, then click Firmware Upgrade. Click Choose File, then select the file you just unzipped, then click Open, then click Upload. Wait about three minutes and you’re done. Log back in with the default credentials of admin/admin, reset the password, and you’re done. Now you have the most secure router on the block, from a software perspective.

It’s a good idea to check for updates and upgrade the firmware occasionally. I know you won’t do it once a month, but could you think about doing it once a year? Sometimes the new firmware has new features, so there may be something in it for you other than just security.

Secure your wireless network

When you click through the automatic configuration wizard, the results you get are pretty good. You need to choose a fairly long password, and I have some advice for making a secure one that’s not too obnoxious.

Other than that, this firmware omits a lot of the insecure settings, which is fantastic. It makes it really hard to make a fatal mistake. The one thing I really recommend is navigating to Wireless, then to WPS, and under Enable WPS, set it to OFF. WPS is pretty easy to crack.

Now, since you have a WPS button that serves no function, scroll navigate to Administration, then to System. Scroll down to WPS Button behavior. Click the option that says Toggle Radio. Now that button turns your wifi on and off.

Disable UPnP

Universal Plug and Play is another convenience feature that tends to be too insecure to be worth it. Unless you have a device that really needs UPnP to work, navigate to WAN, then to Internet Connection, scroll down to Enable UPnP and select No.

Change your network settings

Most router malware assumes your router lives at or because about 90 percent of them do. So you can gain a surprising amount of security by navigating to LAN, then to LAN IP,  and changing your router’s IP address to something else. The default is You can change it to Click Apply, and just put a piece of tape on your router saying what the IP address is so you’ll be able to log into it again.

If you’ve assigned any static IP addresses to your home network, be sure to change your gateway. If you don’t know what I’m talking about, you probably don’t have any.

Automatic reboots

Router malware lives in RAM, so rebooting clears it. Of course a vulnerable device stands a chance of reinfection, but some defense in between upgrades is better than none. I have my router reboot every day at 2 AM.

To set this up, navigate to Administration, then to System. Scroll down to Enable Reboot Scheduler and click Yes. Choose the weekday(s) to reboot, type in the time of day, and choose your time zone so you don’t reboot at 2 AM Zulu time instead of your local time zone.

Create a guest network for your guests

Chances are when you have visitors, you want them to have Internet access. I’m sure you’ve seen the meme that says something like “I’m having people over to stare at their phones later if you want to come by.” Anyway, you don’t want random computers connecting to the same network as the computer you use for banking.

Click on Guest Network and create a 2.4 GHz network for your guests. I know some people recommend creating 2.4ghz and 5ghz networks of the same name so dual-band devices can jump between them, but that occasionally causes problems. Make it easier on yourself and just give your guests 2.4 GHz.

Give the network a boring-sounding name, select WPA2-Personal, AES encryption, and create a strong password that isn’t too obnoxious to type. But do put a password on it–that protects you and your guests. It keeps people you don’t know from breaking the law on your network, and it keeps people from snooping on your guests’ traffic. Be sure to leave the Access Intranet option set to Disabled. The intranet is your home network.

Do not include “guest” in your network name. That suggests you know what you’re doing. The network with a guest network attached is the one a bad guy will want to attack, but it’s the regular network that’s going to have the good stuff.

Put your IoT stuff on a guest network

As you can imagine, I’m not a big IoT guy. I like my light bulbs energy efficient but dumb. That said, some devices, like the Ring Wi-Fi Enabled Video Doorbell, greatly enhance your home’s physical security. So I understand you wanting one of those.

So, create an isolated guest network to put those devices on, if you have them. Click on Guest Network and create one. You can create up to three guest networks on each band. Chances are a lot of your IoT stuff is only 2.4 GHz capable.

Give the network a boring-sounding name, select WPA2-Personal, AES encryption, and create a strong password that isn’t too obnoxious to type. Be sure to leave the Access Intranet option set to Disabled. The intranet is your home network.

Again, don’t include “guest” in that network name.

Here’s more on guest networks if you’re interested.

Other things to not do

SNMP is in a tab under Administration.  It’s disabled by default. If you need SNMP, do not choose the Allow access over WAN option.

Do not enable your router’s Web Access from WAN. That’s in Administration under System. If you’ve set one of these up for a remote family member, enable SSH and use SSH to connect to it if you need to do something. SSH access allows you to temporarily enable web access from the WAN. Enter these commands from SSH:

nvram set misc_http_x=1
nvram set http_enable=2

Disable WAN access from the web interface after you’re done changing things.

Disabling other stuff

Toby Meyer has a thorough guide talking about disabling other features you aren’t using. I won’t replicate it here. It’s a good practice to disable stuff you don’t use.

Here’s why. If there’s a bug in the printer sharing feature, it may be possible to do something bad with it, even if you aren’t using it. But if you disable that feature, the bug doesn’t matter.

I actually plan to plug a printer into one USB port and a big flash drive into the other USB port and use my router to share them out. But if you don’t, disabling that and other features you don’t use will improve your security. The USB 2.0 ports are the one thing I don’t like about this router. I’d prefer USB 3.0 but that’s likely reserved for the pricier models.

Positioning your external antennas

If you can handle how it looks, you’ll get better reception if you turn one antenna horizontal instead of leaving all three vertical. Some people hate how this looks and won’t do it, but it will give you better wireless reception.

Use the LAN ports when you can

What do the router’s LAN ports have to do with wireless? Plugging computers straight into the LAN ports reduces the amount of wireless traffic, which can make it easier for devices like phones and tablets to connect. I ran Ethernet ports to most rooms of my house for this purpose. If you have streaming devices like those from Roku, they’re sometimes happier running off a LAN port instead of wireless.

Thank you

Thank you for reading this far. Sincerely. Old routers are really making the Internet a much more hostile place than it needs to be. If everyone threw out their old routers, bought an Asus RT-AC66U or one of its brethren and set it up like this, the Internet would be a safer place. So thank you for buying one and considering configuring yours like this. It helps you, but it also helps me.