Release Asuswrt-Merlin 3004.388.8_2 is now available

[RMerlin]

Asuswrt-Merlin 3004.388.8 is now available for supported Wifi 6 models. This release implements a new VPN killswitch method, and fixes a number of issues.

July 31st: 3004.388.8_2 is now available. Changes since 3004.388.8:

3004.388.8_2 (31-July-2024)
  - UPDATED: OpenVPN to 2.6.12.
  - CHANGED: Support importing WiregUard config files that
             contain multiple AllowedIPs, Address or DNS
              declarations.
  - FIXED: OpenVPN client routing not working properly when
           configuring Internet redirection to "All" or "None".
  - FIXED: New firmware check button missing for the RT-AX58U.
  - FIXED: Generated web certificate wasn't using the FQDN
           for Namecheap DDNS users.

Changes since 3004.388.7:

3004.388.8 (21-July-2024)
  - NOTE: RT-AX56U is exceptionally included in this release.
  - NEW: Rewrote VPN killswitch implementation.  The new method
         uses an always present routing rule to prohibit access to
         the main routing table, so it will be active even if the
         user manually stops a client.  Removing the prohibit rule
         requires disabling the killswitch on the webui.
         The rules are also created before WAN goes up, to reduce
         the risks of leaks between WAN going up and VPN connecting.

         *** Make sure to double check that you don't have any
         unwanted killswitch enabled if you have connectivity issues
         following the upgrade to this firmware.

  - NEW: Added killswitch support for WireGuard clients.
  - NEW: Added mDNS support to the router's local name resolution
         (nss).
  - UPDATED: Chart.js was upgraded from 2.x to 3.9, to share the
             same version used by Asus.  Any third party addon
             that used it will need to upgrade their charts to
             the new version.
  - UPDATED: wget to 1.24.5.
  - CHANGED: Removed stop/start and "Start with WAN" buttons from
             OpenVPN clients.  There is now just a single
             "Enable" option, which will immediately start the
             client when applying changes, and will also start it
             automatically when WAN comes up.  This is to reduce
             confusion, better integrate into SDN, and match how
             WireGuard clients already worked.
  - CHANGED: Allow text selection on the Wireguard Server settings
             page.
  - FIXED: JS error on Wifi 6e/7 models when toggling DDNS.
  - FIXED: Couldn't mount CIFS shares on the router for BCM4912
           devices.
  - FIXED: Wrong band shown when selecting the 5 GHz band on the
           WPS page for the GT-AXE11000.
  - FIXED: WPS page wouldn't properly detect if 6 GHz radio is
           disabled when selecting it for the GT-AXE11000
  - FIXED: Disabling IGDv2/pinhole support wasn't fully disabling
           IPv6 support.
  - FIXED: CVE-2024-3080 issue
  - REMOVED: Wifi Radar was removed (unsupported by Wifi 7 devices,
             and security issues cited by Asus in their own recent
             releases).

Please keep discussions on this specific release. The thread will be locked once feedback dies down.

Downloads are here.
Changelog is here.

 

[RMerlin]

Known issues:

• No ROG versions of the release (was accidentally left disabled in the build process, should be re-included in the next release)
• VPN routing issues, particularly in site2site setups (Incorrect rule configured for All and None redirection, fixed locally)
• New firmware check button missing on RT-AX58U/RT-AX3000 (missing rc_support flag, fixed locally)

 

[lgkahn]

why no rog versions? they were in the beta? thanks

 

[RMerlin]

why no rog versions? they were in the beta? thanks

It was accidentally left disabled in my build script when I generated this release, so these images didn't get generated.

I don't really feel like going through the full rebuild + release process just to recreate all release archives with the missing images, so this release won't have ROG versions for the time being. Keep in mind that I initially mentionned that ROG releases were experimental and not fully supported, so they were never guaranteed to be alaways present or fully working. I am in fact dropping their support for the 3006 releases due to the amount of extra work involved in properly maintaining them.

If there is need for a 3004.388.8_2 point release at some point I will re-include them at that time.

 

[MDM]

Was already discussed earlier, and if I remember a discussion consensus was that the ROG version is not really needed or wanted by most; and also that it adds unnecessary work for RMerlin.
So...
Might be gone forever for all I am concerned

P.S.
Also, all works for me in the final for now!

 

[DrTurk]

Thanks RMerlin. Dirty upgrade of an RT-AX86U from 388.7 to 388.8. No issues observed so far.

 

[geobernd]

Dirty upgrade RT-AX86U from 388.7 to 388.8 a few minutes after it was released. All stable so far.
Thank you!!

 

[octopus]

Just updated my GT-AX6000 and it's working fine. Uptime: 0 days 0 hour(s) 15 minute(s) 19 seconds

My SSD not mounting when upgrade.
Module "md4" *NOT* found.

Thanks for new build.

 

[Makaveli]

Just upgraded now thank you.

 

[ColDen]

Dirty upgrade on my GT-AX6000 more than an hour ago from 3004-388-7 to 3004-388-8. No issues observed so far.

Thanks Éric.

 

[Igor]

Help me please.
There are 4 routers:
RT-AC68U -> OpenVPN -> RT-AX88U_PRO
RT-AX68U mesh -> RT-AX68U -> OpenVPN -> RT-AX88U_PRO
Updated everything: RT-AX88U_PRO_3004_388.8, RT-AX68U_3004_388.8, RT-AC68U_386.14.

After the update, I see a VPN connection on RT-AX88U_PRO, but I can’t open Web RT-AX68U (timeout). I can connect via SSH to RT-AX68U. How to restore Web access?

 

[RMerlin]

Module "md4" *NOT* found.

MD4 is compiled built-in, not as a module. This is normal.

admin@RT-AX86U_Pro-E930:/tmp/home/root# zcat /proc/config.gz | grep MD4
CONFIG_CRYPTO_MD4=y

 

[fka]

Bit of a knee jerk post so apologies if covered in the beta thread.
Not sure if this is how it's intended to work but from reading the changelog I'm guessing not.
I have an OpenVPN client setup with killswitch. Post update the killswitch is blocking both LAN and WAN traffic i.e I was unable to access the webui. ping returned host down.
Factory reset and uploaded my config and I could access the webui and everything was fine, allbeit the VPN Director rule list empty, hence being able to access the webui again.
I re-entered the VPN Director rules without the OpenVPN client running and again was unable to access the webui.
Surely the killswitch should only be blocking WAN access if the VPN is down?

Edit - For clarity. Director rules send the (only) machine I have entered in the access restriction list through the VPN

 

[Howard_inGA]

Installed as a dirty upgrade from the beta, but lost the Airmesh. In any case, I rebooted both the primary and the airmesh. After reboot, airmesh was restored as before.
I've been using the rog on the 16000, but don't note anything that I can't live without. The absence of bling is a non-starter for me!
So, after a bit of dinking around, I've found that I can't start NORD VPN on the VPN Client page because there is no Service Slide to turn on the VPN!?? All config data is correct, as usual. I even reinstalled the VPN client, just to be sure. Still NO OFF/ON SWITCH for the VPN??
There is a STATUS that shows disconnected, but that is because there is no switch?

 

[octopus]

MD4 is compiled built-in, not as a module. This is normal.

admin@RT-AX86U_Pro-E930:/tmp/home/root# zcat /proc/config.gz | grep MD4
CONFIG_CRYPTO_MD4=y

Got it, thanks.

 

[predatorz]

Dirty upgrade from 3004.388.7_2 to 3004.388.8 smoothly
Thanks for new firmware..!!

 

[ugandy]

dirty upgrade from 388.7 to 388.8
no issues

 

[RMerlin]

Still NO OFF/ON SWITCH for the VPN??

...read the changelog...

 

[jerry6]

thanks will not bore some here with further comments

 

[Howard_inGA]

...read the changelog...

Found it. Thanks for the hint...
The VPN Director page is one I've never used, so it caught me flat unaware.