forked from RMerl/asuswrt-merlin
-
Notifications
You must be signed in to change notification settings - Fork 37
/
Merlin_Fork_Options.txt
578 lines (474 loc) · 31 KB
/
Merlin_Fork_Options.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
Merlin Fork Custom Options
----------------------------------------------------------------------------------------------------------------
Stop copy of syslog files to JFFS
Can be set in gui: Yes (as of Update-11, Administration/System/Save syslog to JFFS)
Enable via NVRAM: nvram set jffs2_log=1
nvram commit && reboot
Routers Supported: AC66,AC56,AC68
Released: Update-02
Reboot Required: Yes
Notes: Existing logs must be manually deleted from /jffs (syslog.log and syslog.log-1)
----------------------------------------------------------------------------------------------------------------
Enable Comcast DSCP fix
Can be set in gui: Yes (Firewall/General/Enable DSCP override)
Enable via NVRAM: nvram set DSCP_fix_enable=1
nvram commit && reboot
Routers Supported: All
Released: Update-07
Reboot Required: Yes
Notes: For SOME Comcast service areas it has been seen that the
Differentiated Services Code Point (DSCP) value is incorrectly set to a low
priority, resulting in decreased internet throughput for wireless IPv4 transfers.
This fix overrides that incorrect value.
----------------------------------------------------------------------------------------------------------------
Display Traffic Monitor graphs in
Mb/s (default is KB/s)
Can be set in gui: Yes (Tools/Other Settings/Traffic Monitor graph units)
Enable via NVRAM: nvram set rstats_units=1
nvram commit
Routers Supported: All
Released: Update-07
Reboot Required: No
Notes: Refresh or open the TM page in the browser
----------------------------------------------------------------------------------------------------------------
Multiple listening addresses and
ports for SSH access
Can be set in gui: No
Enable via NVRAM: nvram set sshd_addr=[address:]port,[address:]port,[address:]port,[address:]port
nvram commit && reboot
Routers Supported: All
Released: Update-07
Reboot Required: Yes
Notes: Up to 4 address:port or port values may be specified separated by commas
This will override the port setting specified in the gui
This modifies a previous commit in Update-05 (was a single address only and now
need to specify a port when specifying an address)
----------------------------------------------------------------------------------------------------------------
Enable full syslog records for
remote monitoring
Can be set in gui: Yes (Update-15)
Enable via NVRAM: nvram set log_small=0
nvram commit && reboot
Routers Supported: All
Released: Update-08 (NVRAM) Update-15 (GUI)
Reboot Required: Yes
Notes: This will include the full header (including hostname and priority level) in the
syslogd output to enable remote monitoring
----------------------------------------------------------------------------------------------------------------
Save HTTPS certificate
Can be set in gui: Yes (Administration/System/Save HTTPS certificate)
Enable via NVRAM: nvram set https_crt_save=1
nvram commit && reboot
Routers Supported: All
Released: Update-11
Reboot Required: Yes
Notes: If you are using HTTPS validation, the security certificate is regenerated at every
boot, requiring you to install a new certificate in your browser. This
option saves the certificate across reboots negating the need to reinstall
in your browser.
----------------------------------------------------------------------------------------------------------------
Filter IPv6 Neighbor Solicitation
Can be set in gui: Yes (Firewall/General/Filter IPv6 Neighbor Solicitation)
Enable via NVRAM: ipv6_neighsol_drop=1 (1=Yes, 0=No)
nvram commit
service restart_firewall
Routers Supported: All
Released: Update-11
Reboot Required: No
Notes: Control iptables rule dropping IPv6 neighbor solicitation requests
----------------------------------------------------------------------------------------------------------------
CROND logging options
Can be set in gui: No
Enable via NVRAM: nvram set cron_loglevel=N (default is 8)
nvram commit && reboot
Routers Supported: All
Released: Update-11
Reboot Required: Yes
Notes: Setting cron_loglevel=N sets the logging level to N
----------------------------------------------------------------------------------------------------------------
Scan media files at every boot
Can be set in gui: Yes (USB Applications/Servers Center/Media Server/Scan media files at every boot)
Enable via NVRAM: nvram set dms_scan=1
nvram commit
Routers Supported: All
Released: Update-12
Reboot Required: No
Notes: Setting to No will only scan media files when a change is detected
----------------------------------------------------------------------------------------------------------------
Enable IPv6 MTU Advertisement
Can be set in gui: Yes (IPv6/Enable IPv6 MTU Advertisement)
Enable via NVRAM: nvram set ipv6_radvd_mtu=1 (0 to disable)
nvram commit
Routers Supported: All
Released: Update-13
Reboot Required: No
Notes: Default is to enable advertisement for IPv6 on all connection types
----------------------------------------------------------------------------------------------------------------
Advertise Router as IPv6 DNS Server
Can be set in gui: Yes (IPv6/Advertise router as DNS server)
Enable via NVRAM: nvram set ipv6_dns_router=1
nvram commit
Routers Supported: All
Released: Update-14
Reboot Required: Yes
Notes: Enable IPv6 DNS lookups to be cached by dnsmasq
----------------------------------------------------------------------------------------------------------------
Stealth Mode - Show power status only
Can be set in gui: Yes (Tools/Other Settings/Stealth Mode/Show power status only)
Enable via NVRAM: nvram set led_disable=2
nvram commit
service restart_leds
Routers Supported: All
Released: Update-14
Reboot Required: No
Notes: Show only the power status led
----------------------------------------------------------------------------------------------------------------
HTTP Lan Port
Can be set in gui: Yes (Administration/System/HTTP Lan Port)
Enable via NVRAM: No, nvram variable http_lanport must be set thru gui
Routers Supported: All
Released: Update-14
Reboot Required: Yes
Notes: Changes HTTP port for gui access from default port 80
Reset to default of 80 before loading firmware which does not support
changing of the port
----------------------------------------------------------------------------------------------------------------
QOS SFQ limit
Can be set in gui: No
Enable via NVRAM: nvram set qos_sfql=[0,off-default 1,auto 2-127,value]
nvram commit
Routers Supported: All
Released: Update-14
Reboot Required: Yes
Notes: Changes SFQ qdisc packet limit
A value of 1 automatically selects a value based on upload speed (recommended)
A value of 2-127 sets this value as the packet limit
----------------------------------------------------------------------------------------------------------------
SNTP Server
Can be set in gui: Yes (Administration/System/Enable router as local SNTP server)
Enable via NVRAM: nvram set ntpd_server=1
nvram commit
service restart_time
Routers Supported: All
Released: Update-15
Reboot Required: No
Notes: Enables the router to act as an SNTP time server
User 'router.asus.com' as your SNTP server
----------------------------------------------------------------------------------------------------------------
Networkmap UNIX/Linux Clients as PC
Can be set in gui: No setting required
Enable via NVRAM: No setting required
Routers Supported: All
Released: Update-15
Reboot Required: No
Notes: You must install SAMBA and winbind on the client for the client to be
recognized as a PC
----------------------------------------------------------------------------------------------------------------
Disable Avahi (mDNS) Reflector
Can be set in gui: No
Enable via NVRAM: nvram set mdns_reflector=0
nvram commit
service restart_mdns
Routers Supported: All
Released: Update-15
Reboot Required: No
Notes: Changes the default state of the Avahi reflector to disabled
----------------------------------------------------------------------------------------------------------------
Enable logging of successful NTP updates
Can be set in gui: No
Enable via NVRAM: nvram set ntp_log=0
nvram commit
Routers Supported: All
Released: Update-15
Reboot Required: No
Notes: Successful NTP updates are not logged by default, fails are always logged
This option enables logging of successful updates
----------------------------------------------------------------------------------------------------------------
Set NTP update interval
Can be set in gui: Yes (Administration/System/Router NTP update interval (hours))
Enable via NVRAM: nvram set ntp_update=[interval in hours]
nvram commit
Routers Supported: All
Released: Update-15 w/o gui support, Update-16 w/ gui support
Reboot Required: No
Notes: Default is that the router will update with its NTP server every hour
This option changes the number of hours between updates. The value is not currently error
checked and should be an integer between 1 and 24 (hours)
A value of '0' disables NTP updates and the time must be set manually (Update-16)
----------------------------------------------------------------------------------------------------------------
Set NTP alternate time server
Can be set in gui: Yes (Administration/System/NTP Server (Alternate))
Enable via NVRAM: nvram set ntp_update=[interval in hours]
nvram commit
Routers Supported: All
Released: Update-15 w/o gui support, Update-16 w/ gui support
Reboot Required: No
Notes: Default is that the router will update with its NTP server every hour
This option changes the number of hours between updates. The value is not currently error
checked and should be an integer between 1 and 24 (hours)
A value of '0' disables NTP updates and the time must be set manually (Update-16)
----------------------------------------------------------------------------------------------------------------
Set number of threads for NVS server
Can be set in gui: No
Enable via NVRAM: nvram set nfsd_threads=x (where x is the number of threads)
nvram commit & service restart_nfs
Routers Supported: All
Released: Update-17
Reboot Required: No
Notes: The default number of threads has now been raised to two (instead of a single thread)
---------------------------------------------------------------------------------------------------------------
Set preferred interface for bandwidth limiter
Can be set in gui: No
Enable via NVRAM: nvram set qos_iface=[iface]
nvram commit && reboot
Routers Supported: All
Released: Update-17
Reboot Required: No
Notes: The default interface is eth0 (standard WAN interface). This may be useful if running
an OpenVPN client and wish to limit that bandwidth (set to tun11 for example for
vpnclient1.
---------------------------------------------------------------------------------------------------------------
Use alternate NAT Loopback implementation (ASUS)
Can be set in gui: No
Enable via NVRAM: nvram set fw_nat_loopback=1
nvram commit && reboot
Routers Supported: All
Released: Update-17
Reboot Required: No
Notes: The default NAT Loopback is that developed by Merlin and has been used in all fork
firmware levels which have been released. Merlin's implementation employs
iptables marks in it's implementation. This alternate method does not use
marks and may be helpful if the user is employing custom marks. Note also
that in V17 the standard Merlin implementation has been changed to only use
a single bit, to aid users who what to perform custom packet marking.
---------------------------------------------------------------------------------------------------------------
Ability to disable DNSSEC permissive mode
Can be set in gui: No
Enable via NVRAM: nvram set dnssec_check_unsigned=1
nvram commit && reboot
Routers Supported: All
Released: Update-17
Reboot Required: No
Notes: By default, DNSSEC will also accept unsigned responses. This option forces DNSSEC
to only accept signed responses. USE WITH CAUTION: This can disable dns lookups
if no DNSSEC enabled servers are available.
---------------------------------------------------------------------------------------------------------------
Ability to enable DFS channels for N66U/AC66U-MIPS EU routers
Can be set in gui: No
Enable via NVRAM: nvram set wl_dfs_enable=1
nvram commit && reboot
Routers Supported: N66U/R/W, AC66U_B0
Released: Update-18
Reboot Required: Yes
Notes: The base 374.43 firmware only supports the lower channels on the 5GHz band in
EU configured routers.
This setting enables support for the DFS and upper 5GHz channels with full regulatory
support.
Note: There are two versions of the MIPS based AC66U, rev A2 and rev B0. The DFS
DFS channels are only available on the later rev B0 hardware.
---------------------------------------------------------------------------------------------------------------
Ability to set the Site Level Aggregation identifier (sla-id)
Can be set in gui: No
Enable via NVRAM: nvram set ipv6_slaid=[number]
nvram commit && reboot
Routers Supported: All
Released: Update-19
Reboot Required: Yes
Notes: Sets which prefix out of the delegation to use. This is 2^sla-id. If you have a /48,
valid values would be 2^16 or 0-65535.
If you had a /56, it would be 2^8 or 0-255. A /60 is 0-15.
---------------------------------------------------------------------------------------------------------------
Control release of IPv6 Addresses on exit
Can be set in gui: Yes
Enable via NVRAM: nvram set ipv6_dhcp6c_release=[1 release, 0 no release]
nvram commit && reboot
Routers Supported: All
Released: Update-19
Reboot Required: Yes
Notes: Release addresses on exit. Not releases addresses allows some ISPs to continue to assign the
same IPv6 addresses.
---------------------------------------------------------------------------------------------------------------
Ability force a DHCPv6 request during IPv6 prefix delegation
Can be set in gui: Yes
Enable via NVRAM: nvram set ipv6_dhcp6c_force=1
nvram commit && reboot
Routers Supported: All
Released: Update-19
Reboot Required: Yes
Notes: Some ISPs will not send an IPv6 prefix without an address REQUEST.
Sky UK is known to require this option.
---------------------------------------------------------------------------------------------------------------
Special IPv6 options
Can be set in gui: No
Enable via NVRAM: nvram set ipv6_isp_opt=xx
nvram commit && reboot
Routers Supported: All
Released: Update-20
Reboot Required: Yes
Notes: ipv6_isp_opt is a mask with the following options
ipv6_isp_opt=16 : Disable rapid-commit for dhcp6 server
ipv6_isp_opt=8 : Disable rapid-commit for dhcp6c client
ipv6_isp_opt=4 : Send generic ia-na=0 (default is calculated value based on MAC)
ipv6_isp_opt=2 : Don't send prefix length, preferred lifetime hint (this may be invalid)
ipv6_isp_opt=1 : Force default ipv6 route if not set by ISP
The default value is ipv6_isp_opt=0. Add the values to select multiple options.
---------------------------------------------------------------------------------------------------------------
OpenVPN Client Reverse Strict DNS
Can be set in gui: No
Enable via NVRAM: nvram set vpn_reverse_strict=1
nvram commit && reboot
Routers Supported: All
Released: Update-23
Reboot Required: No - alternatively can restart the VPN Client
Notes: The OpenVPN DNS strict option causes dnsmasq to access the DNS servers in order, first to last,
with the DNS servers provided by the VPN added BEFORE the defined WAN servers.
Setting this option causes the VPN DNS servers to be appended to the list of servers AFTER the WAN
defined servers, so they will be accessed only if the WAN defined servers are unavailable.
This may be useful if you are running a DNS server on your local LAN.
---------------------------------------------------------------------------------------------------------------
IPv6 Local Name Resolution
Can be set in gui: Yes
Enable via NVRAM: No
Enable by adding the following lines to /jffs/configs/dnsmasq.conf.add
dhcp-script=/usr/sbin/v6hosts.sh
addn-hosts=/_etc/hosts.autov6
Routers Supported: All
Released: Update-23
Reboot Required: No - if manually configuring restart dnsmasq
Notes: Add script for IPv6 hosts auto update for native/stateless IPv6
(adds local ipv6 name resolution to public address)
---------------------------------------------------------------------------------------------------------------
Move certs from NVRAM to JFFS
Can be set in gui: No
Enable via NVRAM: No
This function is provided via command line using telnet/ssh
To move the SSH (dropbear certs), enter
sshd2jffs or
sshd2nvram
When moving the SSH keys to jffs (sshd2jffs), the data is normally copied from the default nvram variables.
Using 'sshd2jffs copyall' will initialize jffs reading the data from the internal system directory and force
a replacement of the keys during the next boot.
To move the OpenVPN certs, enter
ovpn2jffs [server1|server2|client1|client2] or
ovpn2nvram [server1|server2|client1|client2]
At the end of the command execution, you will be prompted to reboot the router
Routers Supported: All
Released: Update-24
Reboot Required: Yes
Notes: These commands can free NVRAM space by moving certificates/keys from NVRAM to JFFS (and back if required).
They may be used if you are receiving a low NVRAM warning from the router gui.
IMPORTANT: If you wish to revert to a firmware prior to Update-24 and have moved the certs to JFFS,
you MUST move them back to NVRAM prior to loading the earlier firmware.
---------------------------------------------------------------------------------------------------------------
Disable ASUS Protection Server
Can be set in gui: Yes (Firewall)
Enable via NVRAM: nvram set ptcsrv_enable=0
nvram commit && service restart_firewall
Routers Supported: All
Released: Update-27
Reboot Required: No
Notes: The ASUS protection server monitors attempts to access the telnet and SSH ports. If excessive attempts
are detected, the source IP address of those attempts will automatically be blocked.
It is NOT recommended to disable this service unless you are running a third-party router addon which
provides the same functionality.
---------------------------------------------------------------------------------------------------------------
Assign Bandwidth Limiter rules in Kb/s instead of Mb/s
Can be set in gui: Yes (User-defined Bandwidth Limiting)
Enable via NVRAM: nvram set qos_bw_units=0
nvram commit
Routers Supported: All
Released: Update-27
Reboot Required: No
Notes: Set the value to '0' for Kb/s or to '1' for Mb/s
followed by a refresh of the webui for Bandwidth Limiter
---------------------------------------------------------------------------------------------------------------
Allow blocking IPv6 when OpenVPN client is active
Can be set in gui: Yes (OpenVPN Client)
Enable via NVRAM: nvram set vpn_block_ipv6=1
nvram commit
Routers Supported: All
Released: Update-27E7
Reboot Required: No
Notes: When running in a dual stack environment, set the value to '1' to block IPv6, or '0' to allow
Setting this option may create delays in opening some IPv6 enabled sites depending on the browser bein used.
IPv6 only sites will not be accessible.
---------------------------------------------------------------------------------------------------------------
Do not send empty WPAD response
Can be set in gui: No
Enable via NVRAM: nvram set dhcpd_send_wpad=0
nvram commit
Routers Supported: All
Released: Update-32E6
Reboot Required: Yes (to refresh wireless leases, ethernet leases must be manually renewed)
Notes: DNSMASQ by default sends a single linefeed as a WPAD url. This can prevent the setting of a WPAD proxy in
certain configurations. Setting this option to zero prevents sending the empty linfeed WPAD response.
---------------------------------------------------------------------------------------------------------------
Stubby (DoT) operational parameters
Can be set in gui: No
Enable via NVRAM: nvram set stubby_idletimeout=x
nvram set stubby_timeout=x
nvram set stubby_retires=x
nvram commit
service restart_stubby
(where x = value in msec)
Routers Supported: All
Released: Update-36E6
Reboot Required: No (must restart stubby to activate changes)
Notes: Allows changing stubby parameters
idle_timeout:
timeout:
tls_connection_retries:
to customize stubby for your location/hardware. See the stubby man page for further information.
---------------------------------------------------------------------------------------------------------------
Stubby (DoT) DNSSEC validation
Can be set in gui: Yes (WAN/Internet Connection)
Enable via NVRAM: nvram set stubby_dnssec=x
nvram commit
service restart_stubby
(where x = 0, use getdns DNSSEC validation, x = 1, use dnsmasq DNSSEC validation)
Routers Supported: All
Released: Update-37B5
Reboot Required: No (must restart stubby to activate changes)
Notes: Allows changing the DNSSEC validator used for DoT. By default, DoT will use its own DNSSEC validation.
This setting allows the user to force dnsmasq DNSSEC validation for DoT servers.
---------------------------------------------------------------------------------------------------------------
WSD Discovery enable
Can be set in gui: No
Enable via NVRAM: nvram set wsdd_enable=x
nvram commit
service restart_samba
(where x = 0, disable wsdd, x = 1, enable wsdd - default)
Routers Supported: All
Released: Update-40E3
Reboot Required: No (must restart samba to activate changes)
Notes: Allows Windows WSD to find samba shares on the router if Windows SMB1 is disabled.
---------------------------------------------------------------------------------------------------------------
NextDNS support
Can be set in gui: No
Enable via NVRAM: nvram set nextdns_id=[your_id]
nvram set nextdns_analytics=x
nvram commit
service restart_stubby
(where x = 0, disable analytics - default, x = 1, enable analytics)
Routers Supported: All
Released: Update-42E9
Reboot Required: No (must restart stubby or select DoT servers to activate changes)
Notes: Allows sending of the NextDNS id and other info to NextDNS for personalization/analytics.
A NextDNS id must be provided in order to enable analytics.
If a provider other than NextDNS is selected/also selected/ analytics are automatically disabled.
---------------------------------------------------------------------------------------------------------------
NTP sync without internet access
Can be set in gui: No
Enable via NVRAM: nvram set ntp_force=x
(where x = 0, require internet - default, x = 1, force attempted sync)
Routers Supported: All
Released: Update-45ED
Reboot Required: No
Notes: Allows syncing to local NTP server when WAN/internet is not connected
---------------------------------------------------------------------------------------------------------------
Disabling the special options:
For options set with 'nvram set variable=1', setting 'nvram set variable=0' will disable
(nvram commit and reboot if required)
For options set with 'nvram set variable=some_string', setting the with no data 'nvram set variable=',
will disable (nvram commit and reboot if required)
Alternatively you can erase the variable with 'nvram unset variable' (nvram commit and reboot if required)