What's new

Release Asuswrt-Merlin 3004.388.8_2 is now available

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Status
Not open for further replies.
Zero changes related to DNS in this release. It's almost entirely related to VPN.

Code:
merlin@ubuntu-dev:~/dev/amng$ git log --oneline 3004.388.8..3004.388.8_2
d85c64f682 (HEAD -> 3004.388, tag: 3004.388.8_2, origin/3004.388) Bumped revision to 3004.388.8_2
69bcb235af Updated documentation
d63ddde8ca Merge branch 'master' into 3004.388
b6ba0d87f1 (origin/master, origin/HEAD, master) shared: skip \r while importing a DOS-formatted Wireguard config file
4b1ec7e937 shared: support importing multiple AllowedIPs, DNS or Address instances from wireguard config file
d7cf720260 httpd: use correct FQDN for certificate SAN when using Namecheap DDNS
2ba89afe70 openvpn: updated to 2.6.12
8b49d97756 Updated documentation
beb86adc0e rc: add missing FW update support flag for RT-AX58U
908dbf3334 libovpn: don't specify the interface when creating a rule for All or None routing policies (like c16e25979a085d71627baeb1971096fc75a4733d from the 3006 branch)
f5d511aa7e Bumped revision to 3004.388.8_1

Troubleshoot your setup by starting with the syslog.
No DNS issues for me!
 
Can someone explain to me the logic of DNS operation when using WireGuard in this firmware? If I specify the same DNS server (for example, 1.1.1.1) in the WAN settings (DNS over TLS) and specify 1.1.1.1 in the WireGuard Client settings, then DNS requests go through the tunnel. DNS over TLS are ignored. Is this how it should be?
 
Can someone explain to me the logic of DNS operation when using WireGuard in this firmware? If I specify the same DNS server (for example, 1.1.1.1) in the WAN settings (DNS over TLS) and specify 1.1.1.1 in the WireGuard Client settings, then DNS requests go through the tunnel. DNS over TLS are ignored. Is this how it should be?

I don't have access to WG on my own router, but logically, I would assume if you left it blank, it would default to DNS over TLS (i.e. the WAN). It's the equivalent of specifying Disabled for Accept DNS configuration on the OpenVPN client. Besides, once you've secured DNS over the WAN, who cares if DNS is still over the WAN, even w/ an active VPN? Not unless you have some other reason to do so.
 
Besides, once you've secured DNS over the WAN, who cares if DNS is still over the WAN, even w/ an active VPN? Not unless you have some other reason to do so.
I was confused by the fact that by default (without any rules) all DNS requests go through WireGuard. That is, I receive DNS from the VPN provider although the client is running in the router without setting any rules. But if you use different DNS servers (DNS over TLS and WireGuard), this does not happen.
 
This is by design, AFAIK. So error pages like Parental Blocking, Internet Down error page and so on can be displayed. It`s always been like that.

EDIT: also probably used by Let's Encrypt for validation purposes if you're not using Asus DDNS (which can do DNS-based validation).

So that I am understanding this behaviour correctly, if I wanted to host my own website (using the router as reverse proxy), then I am not able to setup NGINX to listen on both port 80 and 443 as the firmware is refusing to release port 80? It is usually pretty standard to put a redirect in NGINX to redirect incoming connections on port 80 to 443. Or are we taking about port 80 being tied down on LAN (br0) while the WAN port is still ok to use port 80 and 443?
 
THANKS FOR 388-2 working on my ax1100pro axe 110 will stay on 388-0
 
So that I am understanding this behaviour correctly, if I wanted to host my own website (using the router as reverse proxy), then I am not able to setup NGINX to listen on both port 80 and 443 as the firmware is refusing to release port 80? It is usually pretty standard to put a redirect in NGINX to redirect incoming connections on port 80 to 443. Or are we taking about port 80 being tied down on LAN (br0) while the WAN port is still ok to use port 80 and 443?

Both @thatdoodle and you need to be more precise about how you've configured NGINX, and where it's running. Don't assume we should just know. It could be on the router, or internally on the LAN. It could be a proxy, or reverse proxy. It could be bound to the WAN, the LAN, or BOTH. Without such details, it's difficult to provide accurate answers or address your concerns.

My assumption w/ @thatdoodle was that he was running NGINX on the router and wanted it bound to the LAN (port 80), which is in conflict w/ the GUI. So he changed the GUI's LAN port to something else (e.g., 8080). And while that solved the problem, it came at the unexpected expense of having the GUI now running on the new port w/ HTTP, when he had specifically requested only HTTPS for the LAN authentication!

That's why I consider it a bug. Had he never needed port 80 for NGINX and simply wanted to limit LAN authentication to HTTPS, the router would NOT have bound the GUI to HTTP/80.

Now when it comes to the WAN side, the GUI is never bound to the WAN. If you enable remote access, then HTTPS is required and a port is opened (8443 by default, although you can change it), where the inbound traffic is redirected (via DNAT) to the GUI on the LAN side (port 80 by default, for http, or 8443, for https, unless you changed these for some reason).

In short, unless you're replicating @thatdoodle's configuration, there shouldn't be any issues w/ port forwarding or opening ports 80/443 on the WAN. At least NOT as far as the GUI is concerned (I can't speak to other services that might also find those same ports appealing, e.g., AiCloud).
 
Last edited:
Why don't Merlin just put it back the way everyone is use to ? Is it a security issue ? I don't use VPN so just curious why all the issues ?

This has nothing to do w/ VPNs.

Only the developer can explain his reasoning for taking or NOT taking action. All I can do is explain the problem. For all I know, there may be some rationale behind it all that remains elusive. Even if it is a bug, Merlin is not free to change just anything he wants. He has constraints. Some things fall under the umbrella of the ASUS developers.

Is it a security concern? Depends.

On the one hand, the OP has requested only HTTPS on the LAN side, yet HTTP has been made available over the new port. Then again, the LAN side is usually a trusted network. Then again, if the OP is trying to force the LAN clients through the NGINX proxy, it undermines his efforts.

So technically, I suppose it's a failure of security, but just how much of a failure it represents depends on the OP's intentions and security requirements.
 
Thanks @eibgrad. I love reading your detailed responses.

For my use case, yes I have (and soon plan on again) run NGINX on the router as a reverse proxy to two web services (family Nextoud server and a website for our local Catholic church group) inside my LAN. As such, my interest is to ensure I can bind NGINX to port 80 and 443 on the WAN.

From the description above, it sounded like the issue was on the LAN side. I was just wanting to confirm my suspicions.
 
I just did the entire house without electricity and restarted everything. Unfortunately that didn't help
Are you sure it wasn’t running on battery?
 
Hi thanks for including ROG version in 3004.388.8_2 release!
My router is GT-AXE16000 and currently is running on 388.7 ROG. I tried to apply 388.8_2 ROG version, but it keeps failing. Any suggestions?

fw.jpg
 
Last edited:
Hi thanks for including ROG version in 3004.388.8_2 release!
My router is GT-AXE16000 and currently is running on 388.7 ROG. I tried to apply 388.8_2 ROG version, but it keeps failing. Any suggestions?

View attachment 60693
Did you remove all attached USB drives before flashing the firmware? Otherwise, I think you should do the upgrade via an Ethernet cable, rather via Wifi.
 
Dirty upgrade from 388.8. Zero problems, no DNS nor Timemachine issues, Thanks to M!
 
Updated AX86U and PRO, everything seems to be working perfectly.
 
That's what the log file you posted showed.

Do you have 802.11ax / WiFi 6 mode enabled for the 2.4GHz band? If so disable that (assuming none of your 2.4GHz clients use ax) and see if the messages disappear.

EDIT: If you have WPA3 enabled for that band try changing it to WPA2-Personal only.


Post the new log file that shows that.
So now that was the problem again. As seen in the log file.

I've now given a different 5ghz password again for testing so that whatever I try, she can't dial in
 

Attachments

  • syslog.txt
    967.8 KB · Views: 21
Status
Not open for further replies.

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top