I bought the ASUS ROG Rapture GT-AXE16000. WiFi 6E, quad-band, AiMesh support. On paper it's a monster. Out of the box, though, it was running stock ASUS firmware with ISP default DNS, no ad blocking, and transmit power settings that left performance on the table. I spent an afternoon tearing through every setting and came out the other side with a very different router.
Here's what I changed, why, and what the actual measured results look like.
Starting Point
The router sits on the second floor balcony edge, in the loft. Four bands: 2.4 GHz, two 5 GHz radios, and 6 GHz. All running WoW-themed SSIDs because I am who I am. Dalaran for 2.4 GHz, Dalaran_5G-1 and Dalaran_5G-2 for the two 5 GHz bands, and Dalaran_6G for 6 GHz.
Stock firmware was fine. It worked. But "fine" doesn't tell you what you're missing. The first thing I did was flash Asuswrt-Merlin.
Firmware: Stock to Merlin
Merlin 3006.102.7 replaced the stock ASUS 3.0.0.4.388_24329. The stock firmware is locked down. No SSH. No JFFS scripts. No Entware. Merlin opens all of that up while keeping the same ASUS web UI. It's the same interface, just with the gates removed.
After flashing, I enabled SSH (LAN only, port 22), turned on JFFS scripts for boot persistence, and installed Entware on a 64 GB USB 3.0 drive. That USB drive is the foundation for everything else.
SSH access, persistent JFFS scripts that survive reboots, Entware package manager, custom DNS config via dnsmasq.postconf, and the ability to run services like AdGuard Home directly on the router hardware.
The Channel Situation
Before changing anything else, I did a neighbor scan. This matters more than most settings tweaks.
2.4 GHz: A Mess
Channel 6 was a disaster. Five networks, the strongest at -32 dBm. That's extremely close. Channel 1 had a couple neighbors at -57 dBm. Channel 11 had weak signals, the strongest at -71 dBm.
| Channel | Networks | Strongest Signal |
|---|---|---|
| 1 | N&T2, SETUP-3B60 | -57 dBm (moderate) |
| 6 | SETUP-16F6 + 4 others | -32 dBm (very strong) |
| 11 | 2 hidden, B41F | -71 dBm (weak) |
I moved from channel 1 to channel 11. The cleanest option by far. I also dropped bandwidth from 40 MHz to 20 MHz. On 2.4 GHz in a crowded environment, 40 MHz just creates more overlap with neighbors. And with 25 IoT devices on this band, compatibility matters more than speed.
5 GHz: Workable
Channels 36-40 were crowded. A HongMi router screaming at -39 dBm. My 5 GHz-1 sits on channel 44, which is acceptable. The second 5 GHz radio (dedicated AiMesh backhaul) runs on channel 157, which is clean.
6 GHz: Empty
Zero neighbors. The entire band to myself. This is where the real speed lives.
Boosting Transmit Power
This is the spicy one. The GT-AXE16000 ships with a US region code. US regulatory limits cap transmit power around 30 dBm (1000 mW). Australia allows 31.75 dBm (1496 mW). That's roughly 50% more power, which translates directly to better range and wall penetration.
I changed the country code from US to AU. The catch: it resets on reboot. So I wrote a boot script to reapply it.
#!/bin/sh # Start Entware (AdGuard Home comes up on :5335) /opt/etc/init.d/rc.unslung start # Wait for wireless radios to initialize sleep 30 # Set AU country code on all 4 bands (higher Tx power limits) wl -i eth6 country AU wl -i eth7 country AU wl -i eth8 country AU wl -i eth9 country AU # Force 2.4 GHz to channel 11 (cleanest in scan) wl -i eth6 channel 11
Changing your country code may violate local regulations. The AU code allows higher power on all four bands. Whether you should do this depends on your own comfort level. The performance difference is real.
Wireless Tuning
Beyond channels and power, a few settings in the Professional tab made a difference:
- OFDMA: Was disabled on 2.4 GHz. Enabled it on all four bands. This lets the router talk to multiple devices simultaneously instead of one at a time. With 25 IoT devices, this is not optional.
- Preamble Type: Changed from Long to Short on all bands. Reduces per-frame overhead. Small gain, but free.
- PMF (Protected Management Frames): Set to "Capable" on 2.4 GHz and 5 GHz. This adds deauth attack protection while staying backward-compatible with older devices.
Things I left alone: Smart Connect (off, I prefer separate SSIDs), QoS (off, correct for gigabit), UPnP, beamforming, MU-MIMO, AMPDU RTS. All already optimal.
DNS: From ISP Defaults to Encrypted
Stock firmware was using ISP-provided DNS. Slow, unencrypted, and logging who knows what. I rebuilt the entire DNS chain.
Step 1: Cloudflare DNS with DNSSEC
Primary: 1.1.1.1. Secondary: 1.0.0.1. DNSSEC enabled to validate responses. "Validate unsigned" turned on to reject anything tampered with.
Step 2: DNS-over-TLS
Set DNS Privacy Protocol to Strict mode with DoT servers pointing to 1.1.1.1 and 1.0.0.1 using the hostname cloudflare-dns.com for TLS verification. Every DNS query leaving the router is now encrypted.
Step 3: AdGuard Home
This is the big one. AdGuard Home runs directly on the router, installed via Entware on the USB drive. It listens on port 5335, and dnsmasq (the router's built-in DNS) forwards all queries to it.
Device | v dnsmasq (:53) # Router's built-in DNS | v AdGuard Home (:5335) # Blocks ads/trackers | v Cloudflare DoH # Encrypted upstream | v Answer returned (or blocked)
AdGuard Home runs the AdGuard DNS filter and AdAway Default Blocklist. Every device on the network gets ad blocking without installing anything. No client configuration needed. Phones, tablets, smart TVs, IoT devices. They all just use the router for DNS and get filtered automatically.
The admin panel lives at http://192.168.50.1:3000. Same credentials as the router.
Other Housekeeping
- Weekly reboot: Scheduled for Sunday 3:00 AM. Memory cleanup, fresh state.
- Asusnat Tunnel: Disabled. This is ASUS's remote access tunnel. I don't want ASUS maintaining a persistent connection into my router.
- WPA3 on 6 GHz: Already set (required by spec). WPA2-Personal on 2.4/5 GHz for IoT compatibility.
Coverage Results
After all the changes, I walked around the house with my MacBook Air M3 connected to the 6 GHz band (Dalaran_6G, 160 MHz channel width, WPA3). Here's what I measured:
| Location | Signal (RSSI) | Link Speed | MCS | Verdict |
|---|---|---|---|---|
| Living Room (below router) | -40 dBm | 1814 Mbps | 8 | Excellent |
| Bedroom | -53 dBm | 816 Mbps | 4 | Great |
| Bathroom | -59 dBm | 544 Mbps | 3 | Good |
| Kitchen (worst spot) | -63 dBm | 432 Mbps | 1 | Solid |
No dead spots. The worst location in the house still pulls 432 Mbps on 6 GHz. The living room, directly below the router, hits 1814 Mbps. That's on WiFi. Through a floor.
Zero neighbor interference, 160 MHz channel width, WPA3. The entire band is empty. 1814 Mbps link speed in the best spot. Even the kitchen, furthest from the router with the most walls in the way, sustains 432 Mbps.
The Full Boot Sequence
Everything is automated. On every reboot, this is what happens:
1. Router boots with Merlin firmware 2. /jffs/scripts/services-start runs: a. Entware starts (AdGuard Home comes up on :5335) b. 30-second wait for wireless initialization c. All 4 bands set to AU country code d. 2.4 GHz forced to channel 11 3. dnsmasq starts with postconf forwarding to AdGuard Home 4. All devices reconnect automatically
No manual intervention needed after a power outage or scheduled reboot. The USB drive with Entware mounts, AdGuard Home starts, the region code gets set, and everything comes back exactly as configured.
Network Architecture
[ISP Modem] | v [GT-AXE16000] Loft, 2nd floor balcony edge | +-- USB 3.0: 64GB PNY (Entware + AdGuard Home) | +-- 6 GHz ch53 Dalaran_6G High-speed devices +-- 5 GHz ch44 Dalaran_5G-1 Medium-speed devices +-- 5 GHz ch157 Dalaran_5G-2 AiMesh backhaul +-- 2.4 GHz ch11 Dalaran 25 IoT devices | +-- [AiMesh Node(s)] Extended coverage
What I'd Do Differently
Honestly, not much. The one thing I'd change is doing the neighbor scan first, before even thinking about other settings. I wasted time tweaking wireless parameters while sitting on a noisy channel. The channel move to 11 on 2.4 GHz made a bigger difference for IoT reliability than any Professional tab toggle.
If you have this router and you're on stock firmware, flash Merlin. The DNS chain alone (encrypted, ad-blocked, DNSSEC-validated) is worth the 10 minutes. The transmit power boost from the AU region code is a cherry on top.
Key Files
| File | Purpose |
|---|---|
/jffs/scripts/services-start |
Boot script: Entware, AU region, channel fix |
/jffs/configs/dnsmasq.postconf |
Forwards DNS to AdGuard Home |
/opt/etc/AdGuardHome/AdGuardHome.yaml |
AdGuard Home configuration |
/opt/etc/init.d/S99adguardhome |
AdGuard Home service script |
Recovery
Things go wrong. Here's the quick reference:
- DNS stops working: SSH in, restart AdGuard Home with
/opt/etc/init.d/S99adguardhome restart. If that doesn't work, remove/jffs/configs/dnsmasq.postconfand restart dnsmasq to bypass AdGuard entirely. - WiFi issues after reboot: SSH in, edit
/jffs/scripts/services-startto remove the AU country override. Reboot. - Router won't boot: Hold reset 10 seconds for factory reset, then flash stock firmware via recovery mode.
- Want to go back to stock: Download from ASUS support, flash via Administration > Firmware Upgrade.
I kept a backup of pre-Merlin settings (Settings_GT-AXE16000_backup.CFG). If everything truly goes sideways, restore that after flashing stock and you're back to day one. But after a week of running this config, I haven't needed it.