Release Asuswrt-Merlin 3004.388.6 is now available

[SANdood]

I'm not sure what I could do to fix this. I'd be happy to try reinstall 388.6 if there is anything anyone can suggest for me to get it working or just to have a second look at logs.

After downgrade to 388.5 DLNA works again.

I had a similar problem during the beta, and again this morning when I tried to upgrade from 3004.388.5 to .6 - nothing seemed to be working, and (the clue was) nothing seemed to be able to resolve DNS addresses. Once I realized that hint, I went to the system log and found that DNSMASQ startup was failing with a bad line in the /etc/dnsmasq.conf file.

For me, the bad line was dns-forward-max=500 which I had added via /jffs/configs/dnsmasq.conf.add. It turns out that this latest release has added the dns-forward-max=1500 directive - dnsmasq won't accept duplicate entries (you have to edit these with /jffs/scripts/dnsmasq.postconf if you want to change an existing directive). Once I commented out my (newly duplicated) entry, I was able to upgrade to 3004.388.6 without problem.

Important note - it is surprising how many things in the router code depend on DNS running properly. Some are obvious: anything that needs to resolve an external name to work, e.g., DDNS, VPN connections, etc. Some less obvious - for example, ALL of my AIMesh nodes failed to reconnect when dnsmasq wasn't running properly. Also, I was unable to SSH into the router while DNSMASQ wasn't running (I had to downgrade to .5 so that I could comment out the offending entry in /jffs/configs/dnsmasq.conf)

So...check your system logs for a failed dnsmasq startup (or any other errors that aren't there when you boot up the 3004.388.5 release).

 

[visortgw]

I had a similar problem during the beta, and again this morning when I tried to upgrade from 3004.388.5 to .6 - nothing seemed to be working, and (the clue was) nothing seemed to be able to resolve DNS addresses. Once I realized that hint, I went to the system log and found that DNSMASQ startup was failing with a bad line in the /etc/dnsmasq.conf file.

For me, the bad line was dns-forward-max=500 which I had added via /jffs/configs/dnsmasq.conf.add. It turns out that this latest release has added the dns-forward-max=1500 directive - dnsmasq won't accept duplicate entries (you have to edit these with /jffs/scripts/dnsmasq.postconf if you want to change an existing directive). Once I commented out my (newly duplicated) entry, I was able to upgrade to 3004.388.6 without problem.

Important note - it is surprising how many things in the router code depend on DNS running properly. Some are obvious: anything that needs to resolve an external name to work, e.g., DDNS, VPN connections, etc. Some less obvious - for example, ALL of my AIMesh nodes failed to reconnect when dnsmasq wasn't running properly.

So...check your system logs for a failed dnsmasq startup (or any other errors that aren't there when you boot up the 3004.388.5 release).

Also, keep a log of the manual changes or additions that you make to dnsmasq.conf (however they are made) and other config files for use during troubleshooting.

 

[sirzur]

I upgraded my GT-AX6000 to GT-AX6000_3004_388.6_0 (non rog) from 388.5 just now and promptly lost access to my router - all the while internet connection is available. I dont have a complicated system - just the single router with VPN, some static IP addresses defined

Typing https://192.168.x.x:8443 and https://www.asusrouter.com:8443 both could not connect to the router GUI. This is from a PC connected to the ethernet port. I downloaded the ASUS app to my phone and while the app could see my GT-A6000 router, it would not connect. I have tried issuing "service restart_httpd" from terminal (obviously successful connection via putty), but also with the same no connection result. Is there any suggestions that I can try to access the GUI.

On the off chance that the router could have reverted to previous IP address, I looked at my wifi connected phone and can see that the gateway for the IP 4 address is that of the router which I previously set

I also tried to access the logs at /var/log/ but there were no boot up logs there.

I guess the last alternative is to reset, but I would really like to get the config file via terminal (as I dont have the latest config file) to make sure that I enter all the configuration anew after reset (obviously not just reload config file from backup)

Another question I have is whether this could be a cert issue. And if so is there any way to load a cert manually into the router?

Also my signature shows my previous router. I have corrected but it has not shown up yet

 

[snapieee]

Sorry I amended my post right as you replied.

Have you accepted the Trend Micro EULA?

nvram show | grep ^TM

I did accepted it when i initially enabled it

On the other hand, I tried something different. I completely turned off QoS and reboot router. Waited a few min, logged back in, turned QoS back on and bam everything back to normal I can now see dn/up statistics under Classification tab. I reinstalled FlexQoS, restarted QoS and i am able to see dn/up statistics under FlexQoS as well.

Thanks @RMerlin and @dave14305 for your assistance.

Everything is working as it should be under the new firmware. The only minor thing i have noticed is that devices takes a bit longer to connect to 5ghz network.

 

[Morpheus2020]

Merlin firmware performs an additional check for AX clients.

httpd: report MU-MIMO and STBC support for AX clients · RMerl/asuswrt-merlin.ng@e365a66

Third party firmware for Asus routers (newer codebase) - httpd: report MU-MIMO and STBC support for AX clients · RMerl/asuswrt-merlin.ng@e365a66

github.com

Thank you very much.

 

[Morpheus2020]

If I remember correctly, Asus only checks for Wifi 5 MU-MIMO, while I check for explicit Wifi 6 MU-MIMO (HE). My report is more accurate here.

Thank you very much.

 

[MushroomSoup]

I upgraded my GT-AX6000 to GT-AX6000_3004_388.6_0 (non rog) from 388.5 just now and promptly lost access to my router - all the while internet connection is available. I dont have a complicated system - just the single router with VPN, some static IP addresses defined

Typing https://192.168.x.x:8443 and https://www.asusrouter.com:8443 both could not connect to the router GUI. This is from a PC connected to the ethernet port. I downloaded the ASUS app to my phone and while the app could see my GT-A6000 router, it would not connect. I have tried issuing "service restart_httpd" from terminal (obviously successful connection via putty), but also with the same no connection result. Is there any suggestions that I can try to access the GUI.

On the off chance that the router could have reverted to previous IP address, I looked at my wifi connected phone and can see that the gateway for the IP 4 address is that of the router which I previously set

I also tried to access the logs at /var/log/ but there were no boot up logs there.

I guess the last alternative is to reset, but I would really like to get the config file via terminal (as I dont have the latest config file) to make sure that I enter all the configuration anew after reset (obviously not just reload config file from backup)

Another question I have is whether this could be a cert issue. And if so is there any way to load a cert manually into the router?

Also my signature shows my previous router. I have corrected but it has not shown up yet

I had the exact issue, Merlin gave a potential workaround here: https://www.snbforums.com/threads/asuswrt-merlin-3004-388-6-is-now-available.88559/post-887416

In my case, I had to do a reset. I didn't have SSH enabled prior, only HTTPS, and restarting my router wouldn't work in generating a new cert. You should be able to get it working again since it sounds like you have SSH enabled.

The issue we're seeing seems to be expected due to the changelog:

- NOTE: Asus reworked the way SSL certificates are handled in 24353. The automatic conversion code does not always work properly, you might need to force your router to re-generate its SSL certificates by toggling the SSL mode on the DDNS page.

My only recommendation might be to make the wording here stronger and just generally advise all who are upgrading to either have HTTP temporarily enabled for reconfiguration after the upgrade.

Either way, starting fresh wasn't a bad idea too!

 

[RMerlin]

No locale error in /jffs/minidlna.log?

It's a warning, not an error.

and log entries are not dated 1969?

Even my 1.2.1 log entries were using an epoch datestamp rather than the current date, so it's nothing new.

 

[gk802]

It's a warning, not an error.


Even my 1.2.1 log entries were using an epoch datestamp rather than the current date, so it's nothing new.

Odd. Have not had datestamp errors in any previous version:
[2024/01/22 14:36:59] minidlna.c:167: warn: received signal 15, good-bye
[2024/01/22 14:36:59] minidlna.c:1352: warn: Starting MiniDLNA version 1.2.1.
[2024/01/22 14:36:59] minidlna.c:377: warn: Creating new database at /tmp/mnt/M_db/.minidlna/files.db
[2024/01/22 14:37:00] minidlna.c:1393: warn: HTTP listening on port 8200

 

[Martinski]

...
Typing https://192.168.x.x:8443 and https://www.asusrouter.com:8443 both could not connect to the router GUI. This is from a PC connected to the ethernet port. I downloaded the ASUS app to my phone and while the app could see my GT-A6000 router, it would not connect. I have tried issuing "service restart_httpd" from terminal (obviously successful connection via putty), but also with the same no connection result. Is there any suggestions that I can try to access the GUI.

In cases where you have enabled HTTPS-Only access to the webGUI and no longer are able to connect for some reason, you can re-enable HTTP access with the following commands on an SSH terminal window:

nvram set http_enable=0     ## HTTP-Only access ##
      ## OR ##
nvram set http_enable=2     ## *Both* HTTP & HTTPS access ##

nvram commit
service restart_httpd

Now you can try accessing the webGUI via HTTP, port 80 (assuming you have not changed the port number):

http://www.asusrouter.com

If the HTTP port number has been changed, you can also reset it & try again:

nvram set http_lanport=80
nvram commit
service restart_httpd

 

[sirzur]

In cases where you have enabled HTTPS-Only access to the webGUI and no longer are able to connect for some reason, you can re-enable HTTP access with the following commands on an SSH terminal window:

nvram set http_enable=0     ## HTTP-Only access ##
      ## OR ##
nvram set http_enable=2     ## *Both* HTTP & HTTPS access ##

nvram commit
service restart_httpd

Now you can try accessing the webGUI via HTTP, port 80 (assuming you have not changed the port number):

http://www.asusrouter.com

If the HTTP port number has been changed, you can also reset it & try again:

nvram set http_lanport=80
nvram commit
service restart_httpd

Thank you for this. I ran command "nvram set http+enable=0" followed by service restart_httpd. Did not need the "nvram commit" but probably good practise to run that command. Able to access via http. Sorted my certs and then set back to https access. More importantly, I backed up my configuration and jffs partition partition.

 

[learning_curve]

A dirty upgrade on my RT-AX86U from 3004.388.5 to 3004.388.6, then a 15 mins run and a further re-boot.
No problems at all, with anything: The upgrade, the re-boots or the full router operation itself, for over 18 hours now.
Thanks again @RMerlin Your hard work and effort is very much appreciated!

 

[SomeWhereOverTheRainBow]

Asuswrt-Merlin 3004.388.6 is now available for all supported Wifi 6 models. This release focuses on merging new GPL code from Asus.

Exceptionally, this release also includes the RT-AX56U. While this device still remains "end of life", Asus provided GPL code for it, so I decided to release a firmware for that model as well.

3004.388.6 (20-Jan-2024)
  - NOTE: Since Asus provided GPL code for the RT-AX56U, this model
          will exceptionally be included with this release, despite
          still being considered being end-of-life.

  - NOTE: Asus reworked the way SSL certificates are handled in
          24353.  The automatic conversion code does not always
          work properly, you might need to force your router
          to re-generate its SSL certificates by toggling the
          SSL mode on the DDNS page.

  - NEW: Added ethtool to the firmware.
  - UPDATED: Merged GPL 388_24353.
  - UPDATED: nano to 7.2.
  - UPDATED: ncurses to 6.3.
  - UPDATED: OUI database used by networkmap and the webui.
  - FIXED: CVE-2023-48795 in dropbear.
  - FIXED: e-Learning category not always properly identified
           on the Classification/Stats page.
  - FIXED: Incorrectly report 2.4 GHz as being disabled when
           disabling 6 GHz on the GT-AXE16000.
  - FIXED: UPNP leases without a description would not appear
           on the Forwarded Ports page.

Please keep discussions on this specific release. This thread will eventually be locked once release feedback has died down.

Downloads are here.
Changelog is here.

When you say toggling the SSL mode on the DDNS page what do you mean?

 

[elgreco29]

After several problems with vnstat (could not detect ppp0) and skynet (locked process) i'm back to 388.5 and all is running fine.

 

[RMerlin]

When you say toggling the SSL mode on the DDNS page what do you mean?

If you are having https issues then switch Auto, let it generate a new certificate, then switch back to "Import" and re-upload your key+certificate.

 

[AlbumMan]

Skipped the short-lived Alpha & Betas and did a dirty update from 388.5 release to 388.6 release.
Power cycled after 30 minutes and 18 hours later still smooth sailing.
Thanks @RMerlin !

 

[SomeWhereOverTheRainBow]

If you are having https issues then switch Auto, let it generate a new certificate, then switch back to "Import" and re-upload your key+certificate.

Now I get this:

Jan 23 12:10:07 inadyn[3690948]: Certificate verification error:num=20:unable to get local issuer certificate:depth=1:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
Jan 23 12:10:07 inadyn[3690948]: OpenSSL error: 4152988816:error:1416F086:lib(20):func(367):reason(134):NA:0:
Jan 23 12:10:07 inadyn[3690948]: Will retry again ...
Jan 23 12:10:07 inadyn[3690948]: Certificate verification error:num=19:self signed certificate in certificate chain:depth=2:/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1
Jan 23 12:10:07 inadyn[3690948]: OpenSSL error: 4152988816:error:1416F086:lib(20):func(367):reason(134):NA:0:
Jan 23 12:10:07 inadyn[3690948]: Will retry again ...
Jan 23 12:10:08 inadyn[3690948]: Certificate verification error:num=20:unable to get local issuer certificate:depth=1:/C=US/O=Let's Encrypt/CN=R3
Jan 23 12:10:08 inadyn[3690948]: OpenSSL error: 4152988816:error:1416F086:lib(20):func(367):reason(134):NA:0:
Jan 23 12:10:08 inadyn[3690948]: Will retry again ...
Jan 23 12:10:08 inadyn[3690948]: Certificate verification error:num=20:unable to get local issuer certificate:depth=1:/C=US/O=Let's Encrypt/CN=R3
Jan 23 12:10:08 inadyn[3690948]: OpenSSL error: 4152988816:error:1416F086:lib(20):func(367):reason(134):NA:0:
Jan 23 12:10:08 inadyn[3690948]: Will retry again ...
Jan 23 12:10:08 inadyn[3690948]: Will retry again, rc=33
Jan 23 12:10:08 inadyn[3690948]: Error code 33: Failed connecting to DDNS server (HTTPS)

in logs.

 

[John Fitzgerald]

Now I get this:

Jan 23 12:10:07 inadyn[3690948]: Certificate verification error:num=20:unable to get local issuer certificate:depth=1:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
Jan 23 12:10:07 inadyn[3690948]: OpenSSL error: 4152988816:error:1416F086:lib(20):func(367):reason(134):NA:0:
Jan 23 12:10:07 inadyn[3690948]: Will retry again ...
Jan 23 12:10:07 inadyn[3690948]: Certificate verification error:num=19:self signed certificate in certificate chain:depth=2:/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1
Jan 23 12:10:07 inadyn[3690948]: OpenSSL error: 4152988816:error:1416F086:lib(20):func(367):reason(134):NA:0:
Jan 23 12:10:07 inadyn[3690948]: Will retry again ...
Jan 23 12:10:08 inadyn[3690948]: Certificate verification error:num=20:unable to get local issuer certificate:depth=1:/C=US/O=Let's Encrypt/CN=R3
Jan 23 12:10:08 inadyn[3690948]: OpenSSL error: 4152988816:error:1416F086:lib(20):func(367):reason(134):NA:0:
Jan 23 12:10:08 inadyn[3690948]: Will retry again ...
Jan 23 12:10:08 inadyn[3690948]: Certificate verification error:num=20:unable to get local issuer certificate:depth=1:/C=US/O=Let's Encrypt/CN=R3
Jan 23 12:10:08 inadyn[3690948]: OpenSSL error: 4152988816:error:1416F086:lib(20):func(367):reason(134):NA:0:
Jan 23 12:10:08 inadyn[3690948]: Will retry again ...
Jan 23 12:10:08 inadyn[3690948]: Will retry again, rc=33
Jan 23 12:10:08 inadyn[3690948]: Error code 33: Failed connecting to DDNS server (HTTPS)

in logs.

Can you reboot when it's set to AUTO,
or
Reflash when it's set to AUTO ?

I know you want to do it via command line...

 

[askan7]

@RMerlin is there any chance for Asus to update their tx power tables and ch per region?
In Europe you only have 36-64 and 100-140. Yet it's UNII-3 is allowed and available with other brands in EU.

I have no ideia why my router is limited to 14dbm only in both 2.4ghz and 5ghz 36-64. It goes up to 21dbm max using ch100-140.
China is limited to 18dbm?! Yet both EU and china have 20dbm eirp in 2.4ghz and 5ghz 36-64. Asus tx power tables make 0 sense.
US is limited to 23dbm on 2.4ghz. 5ghz it varies from 18dbm to 24dbm depending on the ch.
Asus TX power tables don't make any sense whatsoever. And this is not wrong reading from the app(Wifiman), i can clearly see the difference in download throughout and SNR.

The router my ISP provided has higher TX power by default on both 2.4 and 5ghz... (23dbm for both ch36 and 100, don't remember how much for 2.4ghz)

 

[SomeWhereOverTheRainBow]

Can you reboot when it's set to AUTO,
or
Reflash when it's set to AUTO ?

I know you want to do it via command line...

Here is it set to "AUTO" after a reboot.

Jan 23 12:43:43 inadyn[33637]: Certificate verification error:num=20:unable to get local issuer certificate:depth=1:/C=US/O=Let's Encrypt/CN=R3
Jan 23 12:43:43 inadyn[33637]: OpenSSL error: 4156245136:error:1416F086:lib(20):func(367):reason(134):NA:0:
Jan 23 12:43:43 inadyn[33637]: Will retry again ...
Jan 23 12:43:48 inadyn[33637]: Will retry again ...
Jan 23 12:43:48 inadyn[33637]: Certificate verification error:num=19:self signed certificate in certificate chain:depth=2:/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1
Jan 23 12:43:48 inadyn[33637]: OpenSSL error: 4156245136:error:1416F086:lib(20):func(367):reason(134):NA:0:
Jan 23 12:43:48 inadyn[33637]: Will retry again ...
Jan 23 12:43:49 inadyn[33637]: Certificate verification error:num=20:unable to get local issuer certificate:depth=1:/C=US/O=Let's Encrypt/CN=R3
Jan 23 12:43:49 inadyn[33637]: OpenSSL error: 4156245136:error:1416F086:lib(20):func(367):reason(134):NA:0:
Jan 23 12:43:49 inadyn[33637]: Will retry again ...
Jan 23 12:43:49 inadyn[33637]: Certificate verification error:num=20:unable to get local issuer certificate:depth=1:/C=US/O=Let's Encrypt/CN=R3
Jan 23 12:43:49 inadyn[33637]: OpenSSL error: 4156245136:error:1416F086:lib(20):func(367):reason(134):NA:0:
Jan 23 12:43:49 inadyn[33637]: Will retry again ...
Jan 23 12:43:49 inadyn[33637]: Will retry again, rc=33
Jan 23 12:43:49 inadyn[33637]: Error code 33: Failed connecting to DDNS server (HTTPS)

The Auto certificates are generated, but here is the DDNS status