[384.12_Alpha - builds] Testing all variants.

[Swistheater]

@themiron , you did an awesome job with implementation and execution of DoT with Rmerlin setup..
Thank you for your hard work.

 

[Swistheater]

Just self compiled a version of 384.12_alpha with the binary blobs from the most recent GPL 45717 that Rmerlin just merged. I think I will wait to install it to see if merlin has to make any changes first.

 

[Gar]

It's easier to just set the option to Yes.

Would yes or no effect basic functionality? Could there be buffering or other minor differences that would be worsened by either? All I do is basic routing, DoT and DNSfiltering set to Router, no scripts added.

Edit: using Quad9, it's been slower than CF for me but like the filtering.

 

[Swistheater]

Would yes or no effect basic functionality? Could there be buffering or other minor differences that would be worsened by either? All I do is basic routing, DoT and DNSfiltering set to Router, no scripts added.

Some say Yes is faster and some say No is faster.. it really depends on servers you are using if you select No. it really doesn't matter though because this has nothing to do with what your clients deal with. It has to do with what is done router side.

 

[Dabombber]

If you're using DoT you will probably want it off. The clients always go through the router/dnsmasq/stubby, but if set to 'no' the router will skip dnsmasq/stubby. This could be important since stubby needs the system time to be correct, and to get the correct time you need to go through stubby.

            local DNS as resolver
                    v
client -> router --yes--> dnsmasq -> stubby -> DNS server
            |                                     ^
            +------no-----------------------------+

I think it would be better to configure dnsmasq to skip stubby for ntp, at least until the time is set, which could be done by adding:

server=/ntp_server0/ntp_server1/wan_dns
server=/ntp_server0/ntp_server1/ipv6_dns

to /tmp/resolv.dnsmasq. But for now the yes/no toggle can fix anything that breaks.

 

[Swistheater]

If you're using DoT you will probably want it off. The clients always go through the router/dnsmasq/stubby, but if set to 'no' the router will skip dnsmasq/stubby. This could be important since stubby needs the system time to be correct, and to get the correct time you need to go through stubby.

            local DNS as resolver
                    v
client -> router --yes--> dnsmasq -> stubby -> DNS server
            |                                     ^
            +------no-----------------------------+

I think it would be better to configure dnsmasq to skip stubby for ntp, at least until the time is set, which could be done by adding:

server=/ntp_server0/ntp_server1/wan_dns
server=/ntp_server0/ntp_server1/ipv6_dns

to /tmp/resolv.dnsmasq. But for now the yes/no toggle can fix anything that breaks.

is the system intelligent to understand the ntp_server0 notation or is that a fill in yourself type of fill in? also wouldn't wan_dns need to be defined as a fall back name server for this to properly implement?

 

[Dabombber]

Those are just the nvram names for them, wan_dns actually has space separated entries and ipv6 entries are in the form ipv6_dns1 - ipv6_dns3. They're automatic from your ISP I think.

 

[Swistheater]

Those are just the nvram names for them, wan_dns actually has space separated entries and ipv6 entries are in the form ipv6_dns1 - ipv6_dns3. They're automatic from your ISP I think.

so hypothetically you could assign any ntp server and any dns address just for the sake of getting ntp.

 

[Swistheater]

Finally got my hands on GPL 45717. The piece of code that was worrying me should not be a problem, it should be fairly easy to disable.

Also, very little code changes since 45713, so I suspect that the security issues reported in their changelog are mostly tied to AiCloud.

would it be safe to self compile and flash with what you have done already in the mainline as far as the new GPL goes or would you say there is still more work that needs to be done to make it work with your code?

 

[isr25]

I'm still getting the dcd crashes. Diversion, scknet, jrfresh scripts running. No VPN.

Try setting up an OpenVPN server. I’m not sure why, but right after I set mine up, the crashes went away. Other than that, I didn’t do anything else that was new. Or maybe I just had a lucky break

 

[Gar]

If you're using DoT you will probably want it off. The clients always go through the router/dnsmasq/stubby, but if set to 'no' the router will skip dnsmasq/stubby. This could be important since stubby needs the system time to be correct, and to get the correct time you need to go through stubby.

            local DNS as resolver
                    v
client -> router --yes--> dnsmasq -> stubby -> DNS server
            |                                     ^
            +------no-----------------------------+

I think it would be better to configure dnsmasq to skip stubby for ntp, at least until the time is set, which could be done by adding:

server=/ntp_server0/ntp_server1/wan_dns
server=/ntp_server0/ntp_server1/ipv6_dns

to /tmp/resolv.dnsmasq. But for now the yes/no toggle can fix anything that breaks.

Sounds like it's all on the server then. If I have slow-downs when it's off I could use CF instead of Q9. Q9 has measured slower here on grc.com tests. Thanks.

 

[RMerlin]

would it be safe to self compile and flash with what you have done already in the mainline as far as the new GPL goes or would you say there is still more work that needs to be done to make it work with your code?

It's alpha code that barely got any testing done. The only test I did was to flash it on an RT-AC88U to confirm that it booted correctly.

 

[Swistheater]

It's alpha code that barely got any testing done. The only test I did was to flash it on an RT-AC88U to confirm that it booted correctly.

Yea I flashed it and had to do a firmware recovery. Fortunately the firmware recovery worked I am in the process of reflashing everything and resetting it up.

 

[kernol]

Returning to Samba issue ...

From Change Log

384.12 (xx-xxx-2019)
  - NEW: Added WSD discovery support.  This allows Windows clients
         to detect the router's shared USB drive even if SMB1
         is disabled.

MS have made many security issue changes in Windows 10 subsequent to early releases - beginning with dumping the "HomeGroup" and then dropping SMB1 protocol as a default install.

In the early releases of Win10 - setting the AC5300's Samba settings to "Simpler share naming" - Yes; "Master Browser" - Yes; and "WINS server" - Yes; worked a treat and facilitated quick access to all local PC shares from every WIN10 box and from MAC's with High Sierra or Mojave. It even showed an icon for the AC5300 under "Devices".

However the latest releases of Windows 10 [winver 1803 and 1809] have broken that functionality - and without invoking SMB1 Client protocol the router is simply not seen at all.

@RMerlin I can confirm after extensive testing that, despite change log quote above, without SMB1 invoked on the workstations - the router is still not discovered by Win10 PC's. Further - if you change router SMB settings to SMB2 only [instead of both] - errors appear in syslog: -

May 22 08:04:51 smbd[14481]: [2019/05/22 08:04:51.407265,  0] smbd/negprot.c:706(reply_negprot)
May 22 08:04:51 smbd[14481]:   No protocol supported !
May 22 08:04:52 smbd[14484]: [2019/05/22 08:04:52.253534,  0] smbd/negprot.c:706(reply_negprot)
May 22 08:04:52 smbd[14484]:   No protocol supported !
May 22 08:04:53 smbd[14485]: [2019/05/22 08:04:53.096780,  0] smbd/negprot.c:706(reply_negprot)
May 22 08:04:53 smbd[14485]:   No protocol supported !
May 22 08:04:53 smbd[14490]: [2019/05/22 08:04:53.940747,  0] smbd/negprot.c:706(reply_negprot)
May 22 08:04:53 smbd[14490]:   No protocol supported !

[Errors may be irrelevant?] - but router cannot be seen by any Win10 PC's - with or without SMB1 invoked on the Win10 workstations.

Returning router setting to SMB1+SMB2 and invoking SMB1 Client on Win10 PC's brings back access to the shared USB drive - although it remains slow and is the last discovered network device in "Network Neighbourhood".

I checked all Win10 firewall settings and services - problem is not there.

 

[Swistheater]

rc: fix parameter order when launching wsdd2

Returning to Samba issue ...

From Change Log

384.12 (xx-xxx-2019)
  - NEW: Added WSD discovery support.  This allows Windows clients
         to detect the router's shared USB drive even if SMB1
         is disabled.

MS have made many security issue changes in Windows 10 subsequent to early releases - beginning with dumping the "HomeGroup" and then dropping SMB1 protocol as a default install.

In the early releases of Win10 - setting the AC5300's Samba settings to "Simpler share naming" - Yes; "Master Browser" - Yes; and "WINS server" - Yes; worked a treat and facilitated quick access to all local PC shares from every WIN10 box and from MAC's with High Sierra or Mojave. It even showed an icon for the AC5300 under "Devices".

However the latest releases of Windows 10 [winver 1803 and 1809] have broken that functionality - and without invoking SMB1 Client protocol the router is simply not seen at all.

@RMerlin I can confirm after extensive testing that, despite change log quote above, without SMB1 invoked on the workstations - the router is still not discovered by Win10 PC's. Further - if you change router SMB settings to SMB2 only [instead of both] - errors appear in syslog: -

May 22 08:04:51 smbd[14481]: [2019/05/22 08:04:51.407265,  0] smbd/negprot.c:706(reply_negprot)
May 22 08:04:51 smbd[14481]:   No protocol supported !
May 22 08:04:52 smbd[14484]: [2019/05/22 08:04:52.253534,  0] smbd/negprot.c:706(reply_negprot)
May 22 08:04:52 smbd[14484]:   No protocol supported !
May 22 08:04:53 smbd[14485]: [2019/05/22 08:04:53.096780,  0] smbd/negprot.c:706(reply_negprot)
May 22 08:04:53 smbd[14485]:   No protocol supported !
May 22 08:04:53 smbd[14490]: [2019/05/22 08:04:53.940747,  0] smbd/negprot.c:706(reply_negprot)
May 22 08:04:53 smbd[14490]:   No protocol supported !

[Errors may be irrelevant?] - but router cannot be seen by any Win10 PC's - with or without SMB1 invoked on the Win10 workstations.

Returning router setting to SMB1+SMB2 and invoking SMB1 Client on Win10 PC's brings back access to the shared USB drive - although it remains slow and is the last discovered network device in "Network Neighbourhood".

I checked all Win10 firewall settings and services - problem is not there.

He has recently put up a fix for the protocol that he hasn't compiled globally yet. I can confirm the fix has worked for me.

 

[Swistheater]

It's alpha code that barely got any testing done. The only test I did was to flash it on an RT-AC88U to confirm that it booted correctly.

After my dirty flash went bad.. I used firmware recovery to fix everything. then I flashed to the compile with new binary blobs and every thing appears to be in working order.

 

[kernol]

rc: fix parameter order when launching wsdd2

He has recently put up a fix for the protocol that he hasn't compiled globally yet. I can confirm the fix has worked for me.

Thanks - "non-coder" here ... so presume this relates to this post - which was way over me head ...
https://www.snbforums.com/threads/384-12_alpha-builds-testing-all-variants.56639/page-2#post-491722

I will wait for next alpha release and test again.
Dirty Flash from 384.11_2 to 384.12-alpha was faultless on my AC5300 - with no issues on OpenVPN server or the rest of my scripts per signature.

Only 1 issue remains for me [true for earlier firmware as well] - ntp time is not synchronised before /jffs/scripts [add-ons] start galloping away, tripping over themselves to some degree in the fairly fast environment of the AC5300! For e.g. timestamp on amtm "disk check" is always Sat May 5 etc. when performing a disk check at boot time [not much help in its log file!]

The cause is no doubt that my ISP WAN connection is slow to come up - fails initially - then connects 5 seconds later: -

May  5 07:05:10 WAN_Connection: Fail to connect with some issues.
.... [lots in-between] ...
May  5 07:05:15 WAN_Connection: WAN was restored.

Would be good to hold off until WAN up and Time synced .

 

[FTC]

Would be good to hold off until WAN up and Time synced .

Well, this problem is related to the https://www.snbforums.com/threads/the-network-cable-is-unplugged-on-rt-ax88u-11.56524/ problem, and the solution you propose would effectively sort out the problem, BUT I think that the wait for ntp syncronization should be done with a timeout (maybe 2-3 minutes?). After all, we do not want routers that do not complete initialization when the WAN is really down (not available).

 

[kernol]

Well, this problem is related to the https://www.snbforums.com/threads/the-network-cable-is-unplugged-on-rt-ax88u-11.56524/ problem, and the solution you propose would effectively sort out the problem, BUT I think that the wait for ntp syncronization should be done with a timeout (maybe 2-3 minutes?). After all, we do not want routers that do not complete initialization when the WAN is really down (not available).

Agreed - and 20 seconds should be more than enough [in my case just 5 seconds would do the trick] - after which the router must continue to initialise whether WAN up or not.

 

[Sonyrolfy]

All is working great on the latest Alpha. I like DoT with filter global router dns caching and NTP client requests, i have CF to wan dns 853 with vpn clients tcp 443 strict (with the extra CF dns servers ) Diversion and skynet works great with this setting. Mission accomplished! Now waiting on merge latest GPL but no hurry