After 384.9 update internet shows disconnected....

I've updated to 384.10. Done a complete clear of all data, and manually re-entered everything.

Internet still shows "Disconnected".

This is on an RT-AC86U. I also set up my older RT-AC68U, manually entered in exactly the same settings. That works fine. So it is related to the RT-AC86U.

I have a VPN connection redirecting two PCs to a VPN, so it uses policy based routing. When I turn this off, the Internet correctly shows connected. Turn it on, and it goes back to disconnected (even though it remains connected).

Anybody have any idea why the VPN would affect the status?

Not that it really matters - I know it is connected so it really is just a display issue.
 
I have the same issue on an Asus RT-AC5300 but it only started when I installed 384.10.

For now, I turned on the PING in Administration > Network Monitoring and pointed it to CloudFlare (1.1.1.1).

Here's to hoping that will fix it.

It's a really odd and peculiar issue. Everything was flawless for weeks while using Merlin 384.9 while having my OpenVPN Client connected at all times. Not sure if 384.10 changed something in the OpenVPN code but now, every x period of time, my Asus would report being "Disconnected" and the way I fix it is by turning my OpenVPN Client OFF and then ON again.

In any case, I'll report back on whether the ping option helped.
 
I updated to the 384.10. I experienced the same issue. If the OpenVPN is on, the status page shows the internet disconnected. If I stop/start the OpenVPN, it works as normal for a bit. It also appears some of the clients are not getting internet access. I am not sure what is causing this but if I turn the OpenVPN off, they can access the internet again. I am using OpenVPN Policy Rules with the Block Internet access if the internet goes down set but the blocked client is not on the list to use the VPN.

Any ideas?
 
Welcome to the club. I've been trying to pinpoint the cause of this for the past couple of days :(
 
Can this be related to the new WAN DNS option in Tools Settings to use internal or external DNS resolver?
Internal: use the IP configured on your router's WAN. External: query a remote service to use your public IP. The latter will work through double NAT, but might not work properly when using a VPN tunnel or with some DDNS providers.
 
I think I have found a workaround.

In my VPN client settings, I changed "Accept DNS Configuration" from "Strict" to "Relaxed". My VPN continues to operate correctly (without DNS leaks) and Internet status shows "Connected" at all times (well, has for the last 30 minutes). I did this for all my VPN clients.

Interested to hear if this fixes the problem for the others who also are experiencing the issue.
 
Mine is still set to "Disabled" since I use Stubby and that's what the recommendation is. My OpenVPN client is still connected since I turned it on yesterday (fingers crossed). The only thing I changed was disabling the Triband Smart connect for my WiFi and tweaking some settings in their respective Professional tabs. I'm not even certain if this is linked in any way to OpenVPN but that's what I did.

I also updated AMTM and Diversion to their latest versions (released yesterday).

I will continue to report back on my situation on this thread.
 
Can this be related to the new WAN DNS option in Tools Settings to use internal or external DNS resolver?
These are my settings. (from Tools -> Other Settings)
 

[Attachment: Screen Shot 2019-04-01 at 9.19.37 AM.png]
 
Setting "Network Monitoring" (Administration>System) to DNS Query fixed this for me on RT-AC86U 384.10. I have one single client routed through an OpenVPN client (AirVPN), with the router exposed directly to the internet. I verified VPN routing as intended with "curl ifconfig.co" on the router and other devices. Both "Accept DNS Configuration" and "Redirect Internet traffic" are set to Strict.
 
Well I think I've gotten to the bottom of my issue, and perhaps found a bug in the process.

TLDR: DNSSEC + Strict Order + Open VPN Client (with DNS Servers that don't support DNSSEC) = "Disconnected" message.

Explanation:

Normally, my DNS Servers are 1.0.0.1 and 1.1.1.1. I have DNSSEC set. The DNS Servers can be seen in /tmp/resolv.dnsmasq.

When I start the VPN, the VPN provider adds two DNS Servers. I use Surfshark, and now resolv.dnsmasq looks like:
server=1.0.0.1
server=1.1.1.1
server=162.252.172.57
server=149.154.159.92

What I've found is setting strict order against the VPN actually sets strict order against DNSMasq. This can be seen in /etc/dnsmasq.conf, where there is a new parameter "strict-order". So strict order is being set for the whole router, not just the VPN connection.

The two additional DNS servers (162.252.172.57 and 149.154.159.92) do not work from the router (in other words, the router cannot resolve hosts using these DNS servers). This is because I have DNSSEC enabled. However, these DNS servers don't support DNSSEC, so any DNSMasq lookup fails.

When I have strict order set for the VPN "Accept DNS Configuration", I cannot resolve any hostnames on the router (I tried pinging various hostnames after logging into the router using ssh - all failed). This is because they try to resolve against the VPN servers first, but fail.

Switching the VPN "Accept DNS Configuration" to relaxed (which also switches DNSMasq to relaxed) allows the router to resolve hostnames again. I guess it then uses CloudFlare to resolve.

Also turning off DNSSEC fixes the problem.

A side effect of all this is that "Disconnected" shows against the status, as the DNS resolving doesn't work (and switching it to "Ping" doesn't work either, even just pinging an IP address).

@RMerlin does this sound feasible?
 
I get the same issue as above on Merlin 384.10. If WAN ever hits a disconnected status ("br0 modem hangup" or similar, I'm on Bell Fibe), DNS stops working. I can still ping things by IP, however, and if I change my clients to public DNS manually, it works. A router reboot fixes it for a bit, but only for a while. This is a fairly new issue and it's not the ISP, in this case.
 
If not all of your DNS servers support DNSSEC, then you should keep that disabled. I have no way of knowing the state of the support from servers pushed by OpenVPN servers.
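
The combination reported in the posts above (DNSSEC enabled, strict-order set, and VPN-pushed servers present in resolv.dnsmasq) can be checked from the two files the post names. This is an added example, not code from any poster or from the firmware; the function name check_dnsmasq, its trusted-server argument and the sample dnsmasq.conf contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Sample files below are constructed.

# check_dnsmasq CONF RESOLV "TRUSTED IPS"
#   TRUSTED = resolvers you configured yourself and know to support DNSSEC;
#   any other server= entry is assumed to have been pushed by the VPN.
# Returns 2 for dnssec + strict-order + unverified servers (the failing
# combination in the thread), 1 for dnssec + unverified servers, else 0.
check_dnsmasq() {
    conf=$1; resolv=$2; trusted=$3
    dnssec=no; strict=no; unverified=""

    # dnsmasq.conf options are bare keywords, one per line.
    grep -Eq '^[[:space:]]*dnssec[[:space:]]*$' "$conf" && dnssec=yes
    grep -Eq '^[[:space:]]*strict-order[[:space:]]*$' "$conf" && strict=yes

    # Upstream servers listed in resolv.dnsmasq that are not in TRUSTED.
    for ip in $(sed -n 's/^[[:space:]]*server=\([^#[:space:]]*\).*/\1/p' "$resolv"); do
        case " $trusted " in
            *" $ip "*) ;;
            *) unverified="$unverified $ip" ;;
        esac
    done
    unverified=${unverified# }

    echo "dnssec=$dnssec strict-order=$strict unverified=${unverified:-none}"
    [ "$dnssec" = yes ] && [ -n "$unverified" ] || return 0
    [ "$strict" = yes ] && return 2
    return 1
}

# Constructed sample: the resolv.dnsmasq from the post plus minimal dnsmasq.conf files.
demo=$(mktemp -d)
printf 'server=1.0.0.1\nserver=1.1.1.1\nserver=162.252.172.57\nserver=149.154.159.92\n' \
    > "$demo/resolv.dnsmasq"
printf 'dnssec\nstrict-order\n' > "$demo/strict.conf"   # Accept DNS Configuration: Strict
printf 'dnssec\n' > "$demo/relaxed.conf"                # Accept DNS Configuration: Relaxed

for c in strict relaxed; do
    rc=0
    check_dnsmasq "$demo/$c.conf" "$demo/resolv.dnsmasq" "1.0.0.1 1.1.1.1" || rc=$?
    echo "$c.conf -> status $rc"
done
```

On a router the call would be check_dnsmasq /etc/dnsmasq.conf /tmp/resolv.dnsmasq "1.0.0.1 1.1.1.1", with the last argument replaced by your own resolvers. The script only reads the two files; it does not test whether a server actually answers DNSSEC queries.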
 
Will be interesting to see if others have DNSSEC support enabled.
 
It's been 3 days now since my clean install and happy to report that I have not experienced any Internet Disconnected messages yet. 3 days ago, I followed the instructions to do a clean factory reset, then a M&M install and then, the installation of the scripts I want. I also disabled TriBand WiFi Smart Connect.

Today, I pushed the router into doing some heavy downloading just to see if anything would break. The only thing that was off in my logs was a ton of these messages:

Apr 2 18:46:09 ovpn-client1[1030]: AEAD Decrypt error: bad packet ID (may be a replay): [ #10527268 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

I've already asked for some explanation/help regarding the above error but besides that, everything is running optimally as it should.

I'm running the latest versions of Merlin 384.10, AMTM, Diversion, Entware, and Stubby.

I will wait a few more days and if things continue to be stable, will proceed to installing Skynet.
 
Ok so I've now made my ASUS the main router and bridged my ISP's router. Everything seems to be working fine but I'd like an expert confirmation if possible as this is the first time I venture this far with my router.

My ExpressVPN is set to automatically start on boot and it does.
I've set redirect internet traffic to ALL.
I've checked that I'm connected to the VPN and all is well on that front.
I've confirmed that all my scripts (Diversion, Stubby, etc) are working perfectly as well.

Questions:
• In Network Map, it still shows my ISP IP (instead of my ExpressVPN one). Is this normal?

• My DNS-O-Matic service also updates with my ISP IP (instead of my ExpressVPN one). Is this normal? In the DDNS settings, I've set Method to retrieve WAN IP to INTERNAL (rather than External).

• If I wanted to SSH remotely into my Asus router, I'm assuming I need to do some sort of port forwarding somewhere? I know that I shouldn't open port 22 but rather pick some other external port that forwards to port 22 internally. I'm just not sure where/how to set all this up.

I appreciate all help in advance and I apologize if this isn't the right forum to ask such a question. Kindly redirect me to the proper place.

Thank you to all.
 
In Network Map, it still shows my ISP IP (instead of my ExpressVPN one). Is this normal?

Yes. A VPN does not replace your WAN interface, a VPN is a tunnel that goes through that. So, your WAN traffic still goes to your ISP, just that it's encapsulated into VPN packets.

Think of VPN packets as being items you put into boxes before sending them to someone - regardless of whether it's in a box or not, it still has to go through UPS/Fedex/etc... It's just that UPS/Fedex won't see what's in the box.

• My DNS-O-Matic service also updates with my ISP IP (instead of my ExpressVPN one). Is this normal? In the DDNS settings, I've set Method to retrieve WAN IP to INTERNAL (rather than External).

Normal, since Internal will use the IP allocated to your WAN interface.

If I wanted to SSH remotely into my Asus router, I'm assuming I need to do some sort of port forwarding somewhere?

That depends on your VPN provider. Some allow port forwarding, others don't.
 
Thank you so much for taking the time to respond and clarifying. It makes sense now.

My VPN provider is ExpressVPN. I'll check to see if they allow port forwarding.

Otherwise, would configuring an OpenVPN Server on my router be an option (or would it conflict somehow with my ExpressVPN client connection)?
 
You can configure a server, however it might require making sure that the routing rules don't conflict with those from the tunnel. I have never tested such a scenario, so I can't provide any more details, but I know there are a few posts on the forums discussing this particular scenario.

Forwarding the port through your VPN tunnel isn't any safer than forwarding it directly on the WAN tho, so you might as well just do that. Switch to a different port than the default 22 to reduce the amount of port knocking from bots, and use key-based authentication instead of a password.
 
Ok cool. I'll do that. You wouldn't happen to have a link on these forums that explains how to do that properly? :) Thank you so much once again.
 
I don't, sorry. It might have been in the VPN sub-forum and not the Asus one however.
 
