skills/asus-router-ops/SKILL.md
ASUS router configuration and hardening - Asuswrt-Merlin firmware, security hardening, encrypted DNS (DoT/DoH), VPN (WireGuard/OpenVPN), guest networks, VLAN/IoT isolation, AiMesh, AiProtection, JFFS scripts, QoS. Use for: asus router, asuswrt, merlin, asuswrt-merlin, router hardening, DNS Director, AiProtection, AiMesh, guest network, VPN Director, wireguard router, openvpn router, nvram, jffs, DoT, DoH, port forwarding, IoT isolation.
Authoritative guidance for configuring and hardening ASUS routers — stock Asuswrt and Asuswrt-Merlin firmware — via the web UI and SSH/nvram. Covers security hardening, encrypted DNS, VPN, network segmentation, AiMesh, AiProtection, and JFFS scripting.
Safety first. Changes here can lock you out or drop the network. Test during low-usage windows, document the before value, and know how to undo. Cite official docs, not folklore.
| | Stock Asuswrt | Asuswrt-Merlin |
|---|---|---|
| Base | ASUS official | Community fork of ASUS source (same core, more control) |
| Scripting | Limited | JFFS custom scripts, cron, services-start, firewall-start, nat-start |
| DNS control | Basic | DNS Director (per-client/global DNS redirection, DoT) |
| VPN | OpenVPN/WireGuard server+client | + VPN Director (policy/split-tunnel routing) |
| Best for | Most users | Power users wanting scripts, fine-grained DNS/VPN routing |
Never mix stock and Merlin nodes in the same AiMesh network. Keep the firmware family consistent across mesh nodes.
Do these on every new router, in order:
See references/hardening-and-network.md for the full hardening rationale, VLAN/IoT
segmentation, AiMesh backhaul tuning, QoS, and dual-WAN.
| Layer | What | Notes |
|-------|------|-------|
| Transport | DoT (DNS over TLS) or DoH (DNS over HTTPS) | Stops plaintext port-53 hijacking. Merlin DNS Director can enforce DoT |
| Provider | Cloudflare (1.1.1.1), NextDNS, ControlD, AdGuard | Choose for filtering/analytics needs |
| Validation | DNSSEC | Validates record authenticity |
| Per-client policy | DNS Director (Merlin) | Different DNS per device/profile; split-horizon |
| Rebinding protection | On by default | Can break local services (Plex, smart home) — whitelist specific domains rather than disabling wholesale |
Avoid plain DNS (port 53) — unencrypted and hijackable. Move to DoT/DoH.
| Need | Use |
|------|-----|
| Fast modern tunnel, low overhead | WireGuard server/client (preferred where supported) |
| Maximum compatibility / legacy clients | OpenVPN server/client |
| Route only some clients/traffic through VPN | VPN Director (Merlin) — policy-based split tunnel |
| Remote admin of the router | VPN in, then manage on LAN (never expose WAN admin) |
Common clients: NordVPN, Surfshark, Mullvad via OpenVPN/WireGuard config import.
| Goal | Approach |
|------|----------|
| Visitor isolation | Guest network with "Access Intranet" off |
| IoT containment | Dedicated guest/VLAN SSID; block lateral movement to main LAN |
| Consistent guest across mesh | Enable guest on AiMesh deliberately; mind "Access Intranet" per node |
| Smart-home discovery | mDNS/Bonjour may need controlled cross-VLAN allowances — scope narrowly |
| Segmented routing | VLAN segmentation + routing policies (capability varies by model) |
| Anti-pattern | Why | Instead |
|--------------|-----|---------|
| DMZ mode | Exposes the whole device to the internet | Explicit per-port forwarding |
| UPnP globally on | Unpredictable auto port forwards | Enable only when required, understand the risk |
| Plain DNS (port 53) | Plaintext, hijackable | DoT/DoH |
| Mixing stock + Merlin in AiMesh | Inconsistent behavior | Keep firmware family uniform |
| Disabling DNS rebind protection wholesale | Reopens rebinding attacks | Whitelist the specific local domains that break |
| Wireless mesh backhaul on congested channels | Throughput collapse | Wired backhaul or dedicated DFS 5GHz channel |
| Default admin/WiFi credentials | Trivial compromise | Change both immediately |
| Remote WAN admin enabled | Major attack surface | Manage via VPN |
Merlin runs user scripts from JFFS at lifecycle points. Enable JFFS custom scripts and configs (Administration → System) first.
| Script | Runs at | Use for |
|--------|---------|---------|
| services-start | After services start | Start custom daemons |
| firewall-start | After firewall (re)builds | Add custom iptables rules (survives firewall restarts) |
| nat-start | After NAT rules load | Custom NAT/port rules |
| dnsmasq.postconf | Before dnsmasq starts | Inject dnsmasq config |
Inspect/set persistent config with `nvram get <key>` / `nvram set <key>=<val>` + `nvram commit` (commit sparingly — it writes flash).
The assets/firewall-start.sh template shows the canonical safe shape for custom firewall
rules. See references/hardening-and-network.md for placement and gotchas.
| File | Use |
|------|-----|
| assets/firewall-start.sh | Annotated Merlin /jffs/scripts/firewall-start template — idempotent custom iptables rules with safe-by-default examples |
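An added illustration of the "idempotent custom iptables rules" shape described above, written for this page and not the skill's own assets/firewall-start.sh. It assumes the WAN interface name and the LAN/IoT subnets shown (constructed values; confirm yours with `nvram get wan0_ifname` and `nvram get lan_ipaddr`), and that `/jffs/scripts/firewall-start` is executable with JFFS scripts enabled.

```shell
#!/bin/sh
# Added example of an idempotent Merlin /jffs/scripts/firewall-start.
# Not the skill's own assets/firewall-start.sh. Interface names and
# subnets are assumptions: confirm with `nvram get wan0_ifname` and
# `nvram get lan_ipaddr` on your router.
IPT="${IPT:-iptables}"                   # overridable so the logic can be dry-run
WAN_IF="${WAN_IF:-eth0}"                 # WAN interface (assumed; varies by model)
LAN_NET="${LAN_NET:-192.168.50.0/24}"    # main LAN (constructed example value)
IOT_NET="${IOT_NET:-192.168.102.0/24}"   # guest/IoT segment (constructed example value)

# Insert a rule at the top of a chain only if an identical rule is absent.
# firewall-start re-runs on every firewall rebuild; without the -C check
# each run would add a duplicate rule, which is the classic footgun here.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    if $IPT -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0                          # already present, nothing to do
    fi
    $IPT -t "$table" -I "$chain" 1 "$@"
}

# Rules go in at position 1, so the general DROP is inserted first and the
# exception afterwards, which lands the exception above the DROP.
apply_rules() {
    # IoT containment: nothing initiated from the IoT segment reaches the
    # main LAN, but replies to LAN-initiated connections still flow back.
    ensure_rule filter FORWARD -s "$IOT_NET" -d "$LAN_NET" -j DROP
    ensure_rule filter FORWARD -s "$IOT_NET" -d "$LAN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Admin surfaces (SSH, HTTP, HTTPS on the default 8443) are never
    # reachable from the WAN side; manage the router over the VPN instead.
    ensure_rule filter INPUT -i "$WAN_IF" -p tcp -m multiport \
        --dports 22,80,8443 -j DROP
}

# Apply for real only when Merlin invokes this file as firewall-start;
# sourcing it elsewhere (dry runs, tests) just defines the functions.
case "$0" in
    *firewall-start) apply_rules ;;
esac
```

Run it twice by hand (`sh /jffs/scripts/firewall-start`) and `iptables -S FORWARD` should show each rule exactly once.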