Release Asuswrt-Merlin 3004.388.6 is now available

[Kees17760]

As I mentioned, auto logoff has always been set to zero and it still is. I toggled it to another number and back to zero and the problem continues. I never had this problem in all the years before 388.6. The only other recent change I noticed is that Firefox auto-upgraded around the same time. I am stumped if no one else sees this problem.

Read somewhere (longtime ago) that some pages like "Network map" (first screen) and "System Log" (first screen) never log you off, despite logout setting while others do. Which page exactly doesn't follow logout setting? I never touched it, but will try it over here.

 

[bennor]

Read somewhere (longtime ago) that some pages like "Network map" (first screen) and "System Log" (first screen) never log you off, despite logout setting while others do.

It's in the change log:

388.2 (12-Apr-2023)
- CHANGED: Disabled auto logout on System Log and Wireless Log pages.

 

[nlurker]

Read somewhere (longtime ago) that some pages like "Network map" (first screen) and "System Log" (first screen) never log you off, despite logout setting while others do. Which page exactly doesn't follow logout setting? I never touched it, but will try it over here.

The page that I have always kept a tab open on is Main_TrafficMonitor_last24.asp
Now suddenly it logs me off many times a day.

I looked in the Firefox 122.0 security settings and found something called "Enhanced Tracking Protection." I added an exception for the router to see if this makes a difference.

 

[wumbly]

I have no idea why it wouldn't apply it then, sorry. Keep in mind that the router's httpd daemon is way more basic than that of a real web server, so it can have more limitations as to what certificate it would support. I also know that Asus's new validations will now check what hostnames are supported by a certificate, so it's possible that they don't recognize a wildcard certificate.

That is unfortunate

I think I'll see if I can reissue a cert with GlobalSign at 2048 vs 4096 and see if that straights things out. Otherwise like you mention the SANs are only *.mydomain.com and mydomain.com ... I will report back.

 

[XIII]

it's possible that they don't recognize a wildcard certificate.

I’m successfully using a (Let’s Encrypt) wildcard certificate (generated by Certbot) with 3004.388.6, so they at least accept some.

PS: Elliptic Curve 256 bits

 

[wumbly]

I’m successfully using a (Let’s Encrypt) wildcard certificate (generated by Certbot) with 3004.388.6, so they at least accept some.

PS: Elliptic Curve 256 bits

Thank you for this insight. I assume the SAN fields are *.yourdomain.com and yourdomain.com. I just tried with a 2048 key with no luck. SHA256-RSA (key is still unencrypted, and headers do not mention RSA format, OpenSSL reporting PKCS8). Can you tell me what your cert CN is? Mine has the wildcard in it, where I've seen other CAs use the normal FQDN followed by putting the wildcard in SANs.

@RMerlin would it be possible for you to tell me where these certificates are stored now? I could SSH to my box and push / modify the cert and key files manually, unless you'd think that would break something?

 

[XIII]

Can you tell me what your cert CN is?

*.domain.tld

 

[Kees17760]

The page that I have always kept a tab open on is Main_TrafficMonitor_last24.asp
Now suddenly it logs me off many times a day.

I looked in the Firefox 122.0 security settings and found something called "Enhanced Tracking Protection." I added an exception for the router to see if this makes a difference.

It does log me out after some time, or stays put but doesn't refresh. When i press F5 to refresh it turns out i was logged out. Using Firefox 122.0 with logout timer set to 0.

 

[spykos]

@RMerlin

Have you removed the below option from OpenVPN ?

pull-filter ignore "dhcp-option DNS"

I am asking as in the new version of Android OpenVPN client (v3.4.0) I get an error message and can't connect anymore unless I remove this line.

 

[RMerlin]

I’m successfully using a (Let’s Encrypt) wildcard certificate (generated by Certbot) with 3004.388.6, so they at least accept some.

The Let's Encrypt certificates probably don't go through the same validation procedure that Asus added for user-provided certificates, these only apply to user-uploaded certs.

Asus' validation required that any user-uploaded certificates contained various SAN entries, such as www.asusrouter.com. While this works fine for a user-generated certificates, it means you cannot use any certificate generated by a commercial CA. So I have disabled that extra validation for 3004.388.6.

If a user-uploaded certificate fails validation, then the reason should be visible in the system log. For instance if the certificate lacks a SAN, which is now mandatory.

I haven't fully analyzed the extent of Asus' changes in 24353 because there was simply too much code that was changed. I disabled the extended SAN validation because I actually encountered the issue on my own test router.

@RMerlin would it be possible for you to tell me where these certificates are stored now?

#define UPLOAD_CERT_FOLDER    "/jffs/.cert"
/* Uploaded cert is root/intermediate. */
#define UPLOAD_CACERT        "/jffs/.cert/cacert.pem"
#define UPLOAD_CAKEY        "/jffs/.cert/cakey.pem"
/* End-entity certificate that is signed by uploaded root/intermediate certificate. */
#define UPLOAD_GEN_CERT        "/jffs/.cert/cert_gen.pem"
#define UPLOAD_GEN_KEY        "/jffs/.cert/key_gen.pem"
/* Uploaded end-entity cert or signed by uploaded root/intermediate certificate. */
#define UPLOAD_CERT        "/jffs/.cert/cert.pem"
#define UPLOAD_KEY        "/jffs/.cert/key.pem"

 

[RMerlin]

@RMerlin

Have you removed the below option from OpenVPN ?

pull-filter ignore "dhcp-option DNS"

I am asking as in the new version of Android OpenVPN client (v3.4.0) I get an error message and can't connect anymore unless I remove this line.

I don't understand your question. What you are quoting is not an option, it's a custom config entry that tells the client to ignore any dhcp-option DNS that gets pushed to the client. That has nothing to do with the server configuration, if it causes an error then the issue is with your client.

You will need to look at your client error log to determine what's the problem.

 

[swejuggalo]

As a quick fix, changing the "log messages more urgent" field to "All" on the system_log/general_log page may work.

My syslog server says this all of a sudden. It's running on 2.4 GHz though. But from the normal "User.Warning" to dropping everything and reset of run time.
Maybe a wired server gets a few more rows I guess. But then I need to figure out how to do that on Linux. Tried setting up rsyslog, but there is something I'm not doing right here.

"
2024-01-28 16:26:09 User.Warning 192.168.50.1 Jan 28 16:26:06 RT-AX88U-C8A0-EF953B1-C kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=0c:9d:92:01:c8:a0:ac:5f:ea:fb:96:16:08:00 SRC=192.168.50.187 DST=185.56.83.83 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=50627 DF PROTO=TCP SPT=49192 DPT=9001 SEQ=2677871871 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405500402080A13B944810000000001030309)
2024-01-28 16:26:50 User.Debug 192.168.50.1 May 5 07:05:14 RT-AX88U-C8A0-EF953B1-C ntpd: Started ntpd
2024-01-28 16:26:50 User.Debug 192.168.50.1 May 5 07:05:14 RT-AX88U-C8A0-EF953B1-C acsd: eth7: selected channel spec: 0xe03a (52/80)
2024-01-28 16:26:50 User.Debug 192.168.50.1 May 5 07:05:14 RT-AX88U-C8A0-EF953B1-C acsd: eth7: Adjusted channel spec: 0xe03a (52/80)
2024-01-28 16:26:50 User.Debug 192.168.50.1 May 5 07:05:14 RT-AX88U-C8A0-EF953B1-C acsd: eth7: selected channel spec: 0xe03a (52/80)
2024-01-28 16:26:50 User.Debug 192.168.50.1 May 5 07:05:14 RT-AX88U-C8A0-EF953B1-C acsd: acs_set_chspec: 0xe03a (52/80) for reason APCS_INIT
2024-01-28 16:26:51 User.Notice 192.168.50.1 May 5 07:05:15 RT-AX88U-C8A0-EF953B1-C kernel: random: nonblocking pool is initialized
2024-01-28 16:26:51 User.Debug 192.168.50.1 May 5 07:05:15 RT-AX88U-C8A0-EF953B1-C httpd: Succeed to init SSL certificate...8443
2024-01-28 16:26:51 User.Debug 192.168.50.1 May 5 07:05:15 RT-AX88U-C8A0-EF953B1-C BONDING: option disabled
2024-01-28 16:26:51 User.Info 192.168.50.1 May 5 07:05:15 RT-AX88U-C8A0-EF953B1-C kernel: cfg80211: Calling CRDA to update world regulatory domain
2024-01-28 16:26:51 Daemon.Info 192.168.50.1 May 5 07:05:15 RT-AX88U-C8A0-EF953B1-C lldpd[1256]: removal request for address of 10.6.0.1%25, but no knowledge of it
2024-01-28 16:26:51 User.Debug 192.168.50.1 May 5 07:05:15 RT-AX88U-C8A0-EF953B1-C WireGuard: Stopping server.
2024-01-28 16:26:51 User.Debug 192.168.50.1 May 5 07:05:15 RT-AX88U-C8A0-EF953B1-C rc_service: udhcpc_wan 1542:notify_rc stop_samba
2024-01-28 16:26:51 User.Debug 192.168.50.1 May 5 07:05:15 RT-AX88U-C8A0-EF953B1-C custom_script: Running /jffs/scripts/service-event (args: stop samba)
2024-01-28 16:26:51 User.Debug 192.168.50.1 May 5 07:05:15 RT-AX88U-C8A0-EF953B1-C Samba_Server: smb daemon is stopped"

 

[nlurker]

It does log me out after some time, or stays put but doesn't refresh. When i press F5 to refresh it turns out i was logged out. Using Firefox 122.0 with logout timer set to 0.

Thank you! That is the exact behavior I am seeing. Previous releases did not do this, it would stay active all day.

 

[colossus]

Entering fiddling mode - looking good!
amtm | Diversion | Skynet | Entware | Patriot 120gb SSD | Orico 2139U3 | USB 3.0

Thank you @RMerlin | thelonelycoder | Adamm

 

[XIII]

The Let's Encrypt certificates probably don't go through the same validation procedure that Asus added for user-provided certificates, these only apply to user-uploaded certs.

I might not have been clear about this, but I generated them using certbot on a Raspberry Pi, so they are user-uploaded certs.

If they succeed because you disabled checks: thank you!

 

[RMerlin]

I might not have been clear about this, but I generated them using certbot on a Raspberry Pi, so they are user-uploaded certs.

If they succeed because you disabled checks: thank you!

In that case the other user's issue isn't the use of a wildcard hostname.

 

[M75]

Encounter strange response from OpenVPN setting, use VPN director for tablet to use openvpn client in router:

This happens even after I reload the ovpn file from surfshark. By the way, it appears only when accessing Netflix using the tablet but never happened in 388.5

 

[nlurker]

The page that I have always kept a tab open on is Main_TrafficMonitor_last24.asp
Now suddenly it logs me off many times a day.

I looked in the Firefox 122.0 security settings and found something called "Enhanced Tracking Protection." I added an exception for the router to see if this makes a difference.

The Firefox setting had no discernible effect, it still logs me off many times a day. Next I will try changing auto logoff from zero to 999 minutes (the maximum allowed).

 

[spykos]

I don't understand your question. What you are quoting is not an option, it's a custom config entry that tells the client to ignore any dhcp-option DNS that gets pushed to the client. That has nothing to do with the server configuration, if it causes an error then the issue is with your client.

You will need to look at your client error log to determine what's the problem.

Understood. I thought that maybe there was a change in the compilation options for the server part in the latest version.

 

[zer0bitz]

8 days of uptime and running rock solid.