ASUS RT-AX59U as an Advanced AP & VLAN Router

My Home Network Setup: ASUS RT-AX59U as an Advanced AP & VLAN Router

Hello everyone,

I'd like to share the architecture of my home network. I've been running OpenWrt on this ASUS RT-AX59U for about a year now, starting with version 24.10.1 and upgrading along the way up to 24.10.6. My setup uses the router in a specific configuration: it acts as a powerful Access Point and an internal router for multiple VLANs, while my ISP box remains the main internet gateway.


1. Core Architecture & Hardware

The core principle is to use the ISP box (French ISP) for its basic internet and firewall capabilities, while offloading all advanced networking tasks to the OpenWrt router.

| Role | Device | Notes |
| --- | --- | --- |
| Main Gateway / Firewall | Freebox Revolution | This is the primary edge device connected to the internet. |
| VLAN Router & AP | ASUS RT-AX59U | This device has no WAN interface. It is connected as a client on the main LAN. Its role is to handle all advanced tasks. |
| DNS & Services | Synology NAS | A NAS on the main LAN, hosting a Docker container for AdGuard Home. |

2. DHCP Architecture

A key aspect of this setup is the split in DHCP responsibilities:

  • Freebox Revolution: Manages the DHCP server for the primary 192.168.0.0/24 LAN. This is the network that the OpenWrt router and the Synology NAS are connected to.
  • OpenWrt Router: Runs its own dnsmasq instance to provide DHCP services for all the custom VLANs (main, iot, guest, and boost), ensuring clients on these networks get the correct IP addresses and network settings.

3. Performance & Optimizations

To get the most out of the hardware, several performance-enhancing features are enabled on the ASUS RT-AX59U:

  • SQM QoS: Using cake and piece_of_cake.qos to manage bufferbloat.
  • Flow Offloading: Both software and hardware flow offloading are intentionally disabled to ensure proper operation of SQM QoS.
  • CPU Optimization: irqbalance is enabled to distribute hardware interrupts across CPU cores.
  • Packet Steering: Enabled globally to improve internal routing performance.

4. DNS Architecture

The DNS setup is designed for filtering and privacy, following this specific flow:

  1. Clients: Devices on any VLAN receive the NAS IP as their DNS server via DHCP.
  2. Filtering (NAS): AdGuard Home on the NAS filters all requests.
  3. Privacy (Router): AdGuard is configured to use the ASUS router as its upstream resolver. The router runs Stubby on port 5453 to forward all queries securely using DNS-over-TLS (DoT).

5. Network Segmentation & VLANs (on OpenWrt)

The ASUS router creates and manages multiple isolated subnets. The OpenWrt firewall is configured to route traffic between these VLANs and to "masquerade" all outbound traffic through its LAN interface to the Freebox network.

| Interface | Subnet | Purpose / Note |
| --- | --- | --- |
| main | 192.168.20.0/24 | Main network for trusted personal devices. |
| iot | 192.168.30.0/24 | Isolated network for IoT devices. |
| guest | 192.168.40.0/24 | Isolated guest network with client isolation. |
| boost | 192.168.10.0/24 | High-priority devices (e.g., work, gaming). |
| wg0 | 192.168.27.0/24 | Subnet for WireGuard VPN clients. |

6. Wi-Fi Configuration

The wireless setup is managed entirely by the OpenWrt router. A key security feature is the use of Client Isolation on the IoT and Guest networks, preventing devices on the same Wi-Fi from seeing or communicating with each other.

| SSID | Band | Security | Interface | Notes |
| --- | --- | --- | --- | --- |
| (5GHz SSID) | 5 GHz (80 MHz) | WPA3-SAE | boost | - |
| (Main SSID) | 2.4 GHz | WPA2-PSK | main | - |
| (IoT SSID) | 2.4 GHz | WPA2-PSK | iot | Client Isolation enabled |
| (Guest SSID) | 2.4 GHz | WPA2-PSK | guest | Client Isolation enabled |

7. WireGuard VPN Server

The ASUS router runs a WireGuard server to provide secure remote access to the home network, including the main LAN and the NAS. Connected clients use the internal AdGuard DNS for filtering on the go.


8. Monitoring & Utility Packages

  • nlbwmon: For detailed, per-client network bandwidth accounting.
  • filebrowser: For web-based file management on the router.
  • collectd: For comprehensive, historical performance monitoring (cpu, memory, network, rrdtool, etc.).

Conclusion

After a year of running this configuration, I can confidently say that the performance and stability of the Mediatek/Filogic hardware have been outstanding. This architecture, powered by the flexibility of OpenWrt, has truly transformed our home network.

For our family, it provides the best of all worlds: rock-solid, lag-free connectivity for work-from-home, streaming, and gaming, thanks to SQM and the various optimizations. At the same time, the robust segmentation and DNS-level filtering offer incredible peace of mind, ensuring that IoT devices remain contained and the entire network is protected from unwanted ads and trackers. The ability to extend this secure environment to mobile devices via WireGuard is the final touch, delivering a seamless and safe experience everywhere.

This setup is a testament to what is possible with OpenWrt, turning a consumer-grade router into a prosumer powerhouse that delivers enterprise-level features with the comfort and reliability needed for a modern connected family.

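As an added example (not part of the original post, and not the author's configuration): a small Python audit for the segmentation described in section 5, which parses an OpenWrt firewall file in UCI syntax and reports any forwarding that lets an isolated zone reach something other than its upstream. The zone name `lan`, the assumption that zones are named after the post's interfaces, and every forwarding in the sample are constructed for illustration.

```python
import re

# Constructed /etc/config/firewall excerpt. Zone names mirror the post's
# interfaces; the 'lan' zone name and every forwarding are assumptions.
SAMPLE = """
config forwarding
    option src 'main'
    option dest 'lan'
config forwarding
    option src 'main'
    option dest 'iot'
config forwarding
    option src 'iot'
    option dest 'lan'
config forwarding
    option src 'guest'
    option dest 'main'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {option: value})."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\S+)", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"\s*option\s+(\S+)\s+'?([^']*)'?\s*$", line)
        if m and sections:
            sections[-1][1][m.group(1)] = m.group(2).strip()
    return sections

def isolation_violations(text, isolated=("iot", "guest"), upstream="lan"):
    """Return (src, dest) forwardings that let an isolated zone reach
    any zone other than the upstream one it needs for internet and DNS."""
    return [(opts.get("src"), opts.get("dest"))
            for kind, opts in parse_uci(text)
            if kind == "forwarding"
            and opts.get("src") in isolated
            and opts.get("dest") != upstream]

if __name__ == "__main__":
    for src, dest in isolation_violations(SAMPLE):
        print(f"isolated zone '{src}' may forward to '{dest}'")
```

Because this router has no WAN interface, a forwarding to `lan` also opens the rest of 192.168.0.0/24 to that zone unless `config rule` entries narrow it, so a clean result from this check does not cover that path.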