RMerlin

Member
  • Posts

    22
Profile Information

  • Gender
    Male
  • Location
    Montreal
  • Biography
    Asuswrt-Merlin Lead Developer
  • Occupation
    IT Consultant

System

  • CPU
    i7 7700K
  • Motherboard
    Asus Prime Z270-A
  • RAM
    32 GB
  • GPU
    GeForce 1660 TI
  • Case
    Old Antec
  • Storage
    Samsung 960 Pro 512 GB + Samsung 970 EVO 1 TB
  • PSU
    Enermax
  • Display(s)
    Asus PA248Q
  • Cooling
    BeQuiet!
  • Mouse
    Logitech G700S
  • Sound
    Soundblaster Z
  • Operating System
    Windows 10
  • Laptop
    Lenovo Ideapad 5 AMD

RMerlin's Achievements

  1. I dropped RT-AC87 support a few years ago, so that's not an option if you want DNS over TLS support. That router has also been EOL by Asus for quite some time now. https://www.asus.com/event/network/EOL-product/ With Asuswrt-Merlin, the DNS over TLS queries are done by the router, and in a typical setup, your LAN clients will use the router as their DNS server (which will in turn use DoT). Some clients have hardcoded DNS servers (like the Netflix Android app for instance). The workaround with Asuswrt-Merlin is to enable DNSFilter, and force all clients to use the Router as their DNS server when they use regular DNS queries. You can also have the router disable the automatic DoH promotion that is supported by newer Windows and Firefox clients, however anything that arbitrarily decides to use DoH will not be intercepted by the router. All of this however will require a newer supported router.
  2. The RT-AX86S is a new lower cost variant of the RT-AX86U. Dual core CPU versus quad-core, no 2.5 Gbps interface, and only 512 MB of RAM versus 1 GB for the RT-AX86U. They both run the same firmware.
  3. The bug in newer firmware is just in the unnecessary logging, not in ports not working. If your port isn't working, try to do a complete electrical reset of the router, i.e. unplug the power for about five seconds while the power switch is still on, then plug it back in.
  4. It depends how his system is set up. It might make more sense to just disable the Wifi on the main router and use the mesh system to cover the area near to that router for example, to ensure centralized client management. You generally wouldn't want to mix up mesh and non-mesh APs, as it might prevent roaming from working properly. We'll need more info as to how everything is set up first.
  5. How is your Mesh system connected to your main router? If the main router (Wifi 5) is connected with the Mesh system (Wifi 6) over Wifi, then the speed of that main link will be limited to Wifi 5 performance - the slowest of the two ends of the link.
  6. Some are easier to block (like IPSEC) others are harder (like Shadowsocks), and others will depend on how you set them up (OpenVPN). I'm not sure how easy it is to detect Wireguard. Right now it's very new, so I assume very few networks would be secured to specifically block that particular protocol at this time (outside of blocking ASNs owned by the VPN provider).
  7. In general, it will depend on which AP your client connects to. They will use the standard supported by the node they connect to. Your backhaul however (if wireless) will be limited to Wifi 5.
  8. DPI can detect various types of VPNs. Just look at what China is doing on their end to prevent VPN usage. It's not 100% foolproof (as one using technologies like Shadowsocks, or OpenVPN + the obfuscate patch + TLS encryption of both data and control channels can be very difficult to identify), but detection rate can be pretty high without having to know all the popular ASNs from VPN providers (which can be worked around anyway by running your own VPN in a VPS or even at home). That ease of detection means you are quite likely to get caught, and then be summoned into the HR's office...
  9. If you already have Wifi 6 devices (that is devices with 802.11ax support), then it's definitely worth it, especially as Wifi 6 improvements start bringing actual benefits when you have two or more of them connected at the same time (more efficient bandwidth allocation). It might then be a matter of budget. Mid-range AX routers have started to appear on the market now, like the Asus RT-AX58U/RT-AX3000, so these would be good candidates. I'm having a hard time recommending to overpay for a high-end Wifi 6 router however (like the Asus RT-AX88U), as the improvements over Wifi 5 rarely justify the current price premium these routers carry.
  10. Try a traceroute to get a better view of what is going on. Within a command prompt in Windows: tracert 8.8.8.8 (or traceroute 8.8.8.8 under Linux). See if it can at least reach the default gateway/router on your network.
  11. And note that 6 GHz wifi is actually branded "Wifi 6E". Not every future Wifi 6 router will be Wifi 6E, as this generally involves adding a third radio dedicated to the 6 GHz band (that is at least the path that most manufacturers are going with at this point). Because of this, I expect Wifi 6E to be a niche platform, and the majority of mid-range wifi routers will still be only 2.4 and 5 GHz. BTW, by your use of the labels "Wifi 2 and Wifi 5", I believe you are mixing up bands and classes.
      Wifi 5 = 802.11ac, which supports both 2.4 GHz and 5 GHz bands
      Wifi 6 = 802.11ax, which also supports both 2.4 and 5 GHz bands, but also has a few extra optional features such as OFDMA, supports more streams, etc...
      Wifi 6E = 802.11ax, which again supports both 2.4 and 5 GHz bands, but also adds support for the 6 GHz band
      Yes, you should definitely use the 5 GHz band whenever possible, as it will be much faster and less congested than the 2.4 GHz band. Ideally, 2.4 GHz should only be used for devices that require less bandwidth, like an IoT device.
  12. The kernel is SDK-specific. So, newer models like the RT-AX88U which are based on Broadcom's newer HND SDK are running kernel 4.1.27 (4.1.51 for the RT-AX56U and RT-AX58U). The 2.6.36 models are old SDK 6.37 and 7.14 devices, like the RT-AC68U or RT-AC88U. Only Broadcom can upgrade the kernel used by their SDKs (and in turn ODMs then have to switch to the newer SDK).
  13. Also try with a different DNS on your network configuration, in case the DNS you use is pointing you at the wrong CDN server (or the server you are pointed at is problematic).
  14. Try monitoring traffic on the Proxmox server by using tcpdump on its LAN interface, just to confirm that at least the traffic is reaching its interface.
  15. Check the firewall configuration on the Proxmox, it probably drops traffic coming from your tunnel's IP address.