From claude-mods
ASUS router and Asuswrt-Merlin firmware configuration and hardening. Covers security, encrypted DNS (DoT/DoH), VPN (WireGuard/OpenVPN), guest network/VLAN isolation, AiMesh, AiProtection, JFFS scripts, and QoS.
Install: `npx claudepluginhub 0xdarkmatter/claude-mods --plugin claude-mods`
Slash command: `/claude-mods:asus-router-ops`
Authoritative guidance for configuring and hardening ASUS routers — stock **Asuswrt** and **Asuswrt-Merlin** firmware — via the web UI and SSH/nvram. Covers security hardening, encrypted DNS, VPN, network segmentation, AiMesh, AiProtection, and JFFS scripting.
Safety first. Changes here can lock you out or drop the network. Test during low-usage windows, document the before value, and know how to undo. Cite official docs, not folklore.
| Stock Asuswrt | Asuswrt-Merlin | |
|---|---|---|
| Base | ASUS official | Community fork of ASUS source (same core, more control) |
| Scripting | Limited | JFFS custom scripts, cron, services-start, firewall-start, nat-start |
| DNS control | Basic (DoT via DNS Privacy on the WAN page, DNSFilter) | DNS Director (redirect clients' plain-DNS queries to a resolver of your choice, globally or per client) plus the same DoT option on the WAN page |
| VPN | OpenVPN/WireGuard server+client | + VPN Director (policy/split-tunnel routing) |
| Best for | Most users | Power users wanting scripts, fine-grained DNS/VPN routing |
Never mix stock and Merlin nodes in the same AiMesh network. Keep the firmware family consistent across mesh nodes.
Do these on every new router, in order:
See references/hardening-and-network.md for the full hardening rationale, VLAN/IoT segmentation, AiMesh backhaul tuning, QoS, and dual-WAN.
| Layer | What | Notes |
|---|---|---|
| Transport | DoT (DNS over TLS) or DoH (DNS over HTTPS) | Stops plaintext port-53 interception and hijacking. DoT is built into both firmwares (WAN page, DNS Privacy Protocol); DoH is not, and needs an add-on resolver (for example one installed through Entware) |
| Provider | Cloudflare (1.1.1.1), NextDNS, ControlD, AdGuard | Choose for filtering/analytics needs |
| Validation | DNSSEC | Validates record authenticity (signature chain up to the root). When the router forwards over DoT the upstream resolver may be the one validating; test with a deliberately broken domain such as dnssec-failed.org, which must NOT resolve |
| Per-client policy | DNS Director (Merlin) | Redirects clients' plain-DNS queries to the resolver you choose, globally or per device, which also catches devices with hard-coded public DNS. Local-name overrides (split-horizon) are a dnsmasq custom-config matter, not a DNS Director feature |
| Rebinding protection | Enable and keep on (WAN DNS settings) | Rejects upstream answers that point at private addresses. That breaks local services which legitimately do this (Plex, some smart-home hubs): whitelist those specific domains rather than disabling it wholesale |
Avoid plain DNS (port 53): it is unencrypted and hijackable. Move the router's upstream to DoT/DoH and, on Merlin, use DNS Director to pull bypassing clients back to the router; an encrypted upstream protects nothing for a device that talks to 8.8.8.8 directly.
| Need | Use |
|---|---|
| Fast modern tunnel, low overhead | WireGuard server/client (preferred where supported) |
| Maximum compatibility / legacy clients | OpenVPN server/client |
| Route only some clients/traffic through VPN | VPN Director (Merlin), policy-based split tunnel. Turn on the client's kill switch ("Block routed clients if tunnel goes down") so a dropped tunnel fails closed instead of leaking those clients to the WAN |
| Remote admin of the router | VPN in, then manage on LAN (never expose WAN admin) |
Common clients: NordVPN, Surfshark, Mullvad via OpenVPN/WireGuard config import.
| Goal | Approach |
|---|---|
| Visitor isolation | Guest network with "Access Intranet" off |
| IoT containment | Dedicated guest/VLAN SSID; block lateral movement to main LAN |
| Consistent guest across mesh | Enable guest on AiMesh deliberately; mind "Access Intranet" per node |
| Smart-home discovery | mDNS/Bonjour may need controlled cross-VLAN allowances — scope narrowly |
| Segmented routing | VLAN segmentation + routing policies (capability varies by model) |
| Anti-pattern | Why | Instead |
|---|---|---|
| DMZ mode | Exposes the whole device to the internet | Explicit per-port forwarding |
| UPnP globally on | Any LAN device can open inbound WAN ports without you noticing | Keep it off; enable only while a specific application needs it, and review the forwarded ports listed under System Log → Port Forwarding |
| Plain DNS (port 53) | Plaintext, hijackable | DoT/DoH |
| Mixing stock + Merlin in AiMesh | Inconsistent behavior | Keep firmware family uniform |
| Disabling DNS rebind protection wholesale | Reopens rebinding attacks | Whitelist the specific local domains that break |
| Wireless mesh backhaul on congested channels | Throughput collapse | Wired backhaul or dedicated DFS 5GHz channel |
| Default admin/WiFi credentials | Trivial compromise | Change both immediately |
| Remote WAN admin enabled | Major attack surface | Manage via VPN |
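The "document the before value" rule and the anti-pattern table above can be turned into a repeatable check. The script below is an added example, not the skill's own code and not anything shipped by ASUS or Merlin: it reads the relevant settings with `nvram get` (never `nvram set`), prints PASS/FAIL for each anti-pattern, and can dump a before-snapshot to a file. The nvram keys are the ones current Asuswrt/Asuswrt-Merlin builds use for these settings; the file name, the `NVRAM` override variable and the snapshot path are this example's own choices.

```shell
#!/bin/sh
# /jffs/scripts/router-audit.sh -- hardening audit for Asuswrt / Asuswrt-Merlin,
# run over SSH. Added example, not code from the skill or the firmware.
# Against nvram it is read-only (only `nvram get`), so it is safe at any time.
# The keys are the ones current firmwares use; confirm on your unit with
#   nvram show 2>/dev/null | grep -E '^(misc_http_x|sshd_enable|dnspriv_enable|dnssec_enable|dns_norebind|wan0_upnp_enable|dmz_ip)='
NVRAM="${NVRAM:-nvram}"   # overridable so the functions can be exercised off-router
KEYS="misc_http_x sshd_enable dnspriv_enable dnssec_enable dns_norebind wan0_upnp_enable dmz_ip"

nv() { "$NVRAM" get "$1" 2>/dev/null; }

# snapshot: print key=value for every audited key. Redirect it to a file before
# changing anything; that file is the "before" record and the undo list.
snapshot() {
    for k in $KEYS; do
        echo "$k=$(nv "$k")"
    done
}

# check <key> <space-separated acceptable values> <what it means>
# Prints PASS or FAIL and returns 1 on FAIL so the caller can count findings.
check() {
    key="$1"; ok="$2"; msg="$3"
    have=$(nv "$key")
    for v in $ok; do
        if [ "$have" = "$v" ]; then
            echo "PASS  $key=$have  $msg"
            return 0
        fi
    done
    echo "FAIL  $key='$have' (want one of: $ok)  $msg"
    return 1
}

# audit: run every check and leave the number of failures in FINDINGS.
audit() {
    FINDINGS=0
    check misc_http_x 0 "web admin from WAN is off (manage over VPN instead)" \
        || FINDINGS=$((FINDINGS+1))
    check sshd_enable "0 2" "SSH is off (0) or LAN-only (2); 1 means LAN+WAN" \
        || FINDINGS=$((FINDINGS+1))
    check dnspriv_enable 1 "DNS Privacy (DNS-over-TLS) to the upstream is on" \
        || FINDINGS=$((FINDINGS+1))
    check dnssec_enable 1 "DNSSEC validation is on" \
        || FINDINGS=$((FINDINGS+1))
    check dns_norebind 1 "DNS rebind protection is on" \
        || FINDINGS=$((FINDINGS+1))
    check wan0_upnp_enable 0 "UPnP on the WAN is off" \
        || FINDINGS=$((FINDINGS+1))
    # dmz_ip holds a host address while DMZ is active and is empty otherwise.
    dmz=$(nv dmz_ip)
    if [ -z "$dmz" ]; then
        echo "PASS  dmz_ip unset  no DMZ host"
    else
        echo "FAIL  dmz_ip=$dmz  DMZ exposes a whole host; use explicit port forwards"
        FINDINGS=$((FINDINGS+1))
    fi
    echo "findings: $FINDINGS"
}

# Run only when executed as the script itself; sourcing the file with
# `. /jffs/scripts/router-audit.sh` just loads snapshot/audit for manual use.
case "$0" in
    *router-audit*)
        snapshot > "/jffs/audit-before-$(date +%Y%m%d-%H%M%S).txt"
        audit
        exit "$FINDINGS"
        ;;
esac
```

Copy it to the router, `chmod a+rx` it and run it once before and once after each change; the exit status equals the number of findings, so it drops straight into a cron job. The rebind check only passes while protection stays on; when a local service breaks because of it, add its domain to dnsmasq's rebind whitelist in `/jffs/configs/dnsmasq.conf.add` (Merlin) instead of switching the protection off.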
Merlin runs user scripts from JFFS at lifecycle points. Enable JFFS custom scripts and configs (Administration → System) first; each script lives in /jffs/scripts/, must be executable, and starts with a sh shebang line.
| Script | Runs at | Use for |
|---|---|---|
services-start | After services start | Start custom daemons |
firewall-start | After firewall (re)builds | Add custom iptables rules (survives firewall restarts) |
nat-start | After NAT rules load | Custom NAT/port rules |
dnsmasq.postconf | After dnsmasq.conf is generated, before dnsmasq starts | Edit the generated config; plain additions are simpler via /jffs/configs/dnsmasq.conf.add
Inspect/set persistent config with nvram get <key> / nvram set <key>=<val> followed by nvram commit (commit sparingly: it writes flash, and a set without a commit is lost at reboot).
The assets/firewall-start.sh template shows the canonical safe shape for custom firewall
rules. See references/hardening-and-network.md for placement and gotchas.
| File | Use |
|---|---|
assets/firewall-start.sh | Annotated Merlin /jffs/scripts/firewall-start template — idempotent custom iptables rules with safe-by-default examples |
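As an added example of the idempotent shape such a template needs (this is not the skill's assets/firewall-start.sh and not firmware code), the script below isolates an IoT SSID from the main LAN. The interface names, the LAN subnet, the chain name and the `IPT` override variable are assumptions for illustration; the hook semantics (Merlin runs firewall-start after every firewall rebuild and passes the WAN interface as `$1`) and the `iptables -C` check are real.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start -- Asuswrt-Merlin runs this after every firewall
# (re)build and passes the WAN interface name as $1. Rules added here do not
# survive the next rebuild, so the script must be safe to run again and again.
# Added example, not the skill's own template. Assumed layout (adjust to your
# model and firmware; check with `brctl show` and `ip addr`):
#   IOT_IF  - bridge carrying the isolated IoT/guest SSID (br1 here, as when a
#             guest network gets its own VLAN/bridge). If the guest SSID is a
#             port of br0 instead, IoT<->LAN traffic is switched inside the
#             bridge, never reaches FORWARD, and needs ebtables / "Access
#             Intranet" off rather than these rules.
#   LAN_IF  - main LAN bridge      LAN_NET - main LAN subnet
IPT="${IPT:-iptables}"
IOT_IF="${IOT_IF:-br1}"
LAN_IF="${LAN_IF:-br0}"
LAN_NET="${LAN_NET:-192.168.50.0/24}"
CHAIN="IOT_ISOLATE"

# rule_once <-A|-I> <chain> <rule...>: add the rule only if an identical one
# is not already present (-C checks). Returns 1 when it was already there.
rule_once() {
    op="$1"; shift
    if "$IPT" -C "$@" 2>/dev/null; then
        return 1
    fi
    "$IPT" "$op" "$@"
}

# apply_rules: build the isolation chain and hook it in. Prints the number of
# rules inserted; a second run prints 0, which is the idempotency check.
apply_rules() {
    added=0
    "$IPT" -N "$CHAIN" 2>/dev/null || true     # already exists on a rerun
    # Appended (-A) so they stay in this order: return, log, drop.
    rule_once -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j RETURN \
        && added=$((added+1))
    rule_once -A "$CHAIN" -m limit --limit 5/min -j LOG --log-prefix "IOT>LAN " \
        && added=$((added+1))
    rule_once -A "$CHAIN" -j DROP \
        && added=$((added+1))
    # Inserted (-I) so they run before the firmware's own ACCEPT rules.
    # IoT -> LAN goes through the chain; IoT -> WAN is untouched.
    rule_once -I FORWARD -i "$IOT_IF" -o "$LAN_IF" -d "$LAN_NET" -j "$CHAIN" \
        && added=$((added+1))
    # IoT may still use the router for DNS/DHCP, but not its admin services.
    rule_once -I INPUT -i "$IOT_IF" -p tcp -m multiport --dports 22,80,443,8443 -j DROP \
        && added=$((added+1))
    echo "$added"
}

# Run only when invoked as the hook itself; sourcing the file in an SSH
# session just loads the functions so apply_rules can be called by hand.
case "$0" in
    *firewall-start)
        n=$(apply_rules)
        logger -t firewall-start "IoT isolation: $n new rule(s), wan=$1"
        ;;
esac
```

Install it as /jffs/scripts/firewall-start, `chmod a+rx` it, then run `service restart_firewall` and confirm with `iptables -L IOT_ISOLATE -nv` and `iptables -L FORWARD -nv | head`; the syslog line from logger shows how many rules each rebuild added. Because every rule goes through the `-C` check, running the file twice in a row, or having the firmware rebuild the firewall mid-session, never stacks duplicate rules.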
net-ops — general networking: subnets, DNS, TLS, firewalls, packet inspection