Release Asuswrt-Merlin 3004.388.8_2 is now available

[Makaveli]

Zero changes related to DNS in this release. It's almost entirely related to VPN.

merlin@ubuntu-dev:~/dev/amng$ git log --oneline 3004.388.8..3004.388.8_2
d85c64f682 (HEAD -> 3004.388, tag: 3004.388.8_2, origin/3004.388) Bumped revision to 3004.388.8_2
69bcb235af Updated documentation
d63ddde8ca Merge branch 'master' into 3004.388
b6ba0d87f1 (origin/master, origin/HEAD, master) shared: skip \r while importing a DOS-formatted Wireguard config file
4b1ec7e937 shared: support importing multiple AllowedIPs, DNS or Address instances from wireguard config file
d7cf720260 httpd: use correct FQDN for certificate SAN when using Namecheap DDNS
2ba89afe70 openvpn: updated to 2.6.12
8b49d97756 Updated documentation
beb86adc0e rc: add missing FW update support flag for RT-AX58U
908dbf3334 libovpn: don't specify the interface when creating a rule for All or None routing policies (like c16e25979a085d71627baeb1971096fc75a4733d from the 3006 branch)
f5d511aa7e Bumped revision to 3004.388.8_1

Troubleshoot your setup by starting with the syslog.

No DNS issues for me!

 

[netmik3]

ROG is back for those that complained

 

[postoronnim-v]

Can someone explain to me the logic of DNS operation when using WireGuard in this firmware? If I specify the same DNS server (for example, 1.1.1.1) in the WAN settings (DNS over TLS) and specify 1.1.1.1 in the WireGuard Client settings, then DNS requests go through the tunnel. DNS over TLS are ignored. Is this how it should be?

 

[eibgrad]

Can someone explain to me the logic of DNS operation when using WireGuard in this firmware? If I specify the same DNS server (for example, 1.1.1.1) in the WAN settings (DNS over TLS) and specify 1.1.1.1 in the WireGuard Client settings, then DNS requests go through the tunnel. DNS over TLS are ignored. Is this how it should be?

I don't have access to WG on my own router, but logically, I would assume if you left it blank, it would default to DNS over TLS (i.e. the WAN). It's the equivalent of specifying Disabled for Accept DNS configuration on the OpenVPN client. Besides, once you've secured DNS over the WAN, who cares if DNS is still over the WAN, even w/ an active VPN? Not unless you have some other reason to do so.

 

[postoronnim-v]

Besides, once you've secured DNS over the WAN, who cares if DNS is still over the WAN, even w/ an active VPN? Not unless you have some other reason to do so.

I was confused by the fact that by default (without any rules) all DNS requests go through WireGuard. That is, I receive DNS from the VPN provider although the client is running in the router without setting any rules. But if you use different DNS servers (DNS over TLS and WireGuard), this does not happen.

 

[Jeffrey Young]

This is by design, AFAIK. So error pages like Parental Blocking, Internet Down error page and so on can be displayed. It`s always been like that.

EDIT: also probably used by Let's Encrypt for validation purposes if you're not using Asus DDNS (which can do DNS-based validation).

So that I am understanding this behaviour correctly, if I wanted to host my own website (using the router as reverse proxy), then I am not able to setup NGINX to listen on both port 80 and 443 as the firmware is refusing to release port 80? It is usually pretty standard to put a redirect in NGINX to redirect incoming connections on port 80 to 443. Or are we taking about port 80 being tied down on LAN (br0) while the WAN port is still ok to use port 80 and 443?

 

[jerry6]

THANKS FOR 388-2 working on my ax1100pro axe 110 will stay on 388-0

 

[eibgrad]

So that I am understanding this behaviour correctly, if I wanted to host my own website (using the router as reverse proxy), then I am not able to setup NGINX to listen on both port 80 and 443 as the firmware is refusing to release port 80? It is usually pretty standard to put a redirect in NGINX to redirect incoming connections on port 80 to 443. Or are we taking about port 80 being tied down on LAN (br0) while the WAN port is still ok to use port 80 and 443?

Both @thatdoodle and you need to be more precise about how you've configured NGINX, and where it's running. Don't assume we should just know. It could be on the router, or internally on the LAN. It could be a proxy, or reverse proxy. It could be bound to the WAN, the LAN, or BOTH. Without such details, it's difficult to provide accurate answers or address your concerns.

My assumption w/ @thatdoodle was that he was running NGINX on the router and wanted it bound to the LAN (port 80), which is in conflict w/ the GUI. So he changed the GUI's LAN port to something else (e.g., 8080). And while that solved the problem, it came at the unexpected expense of having the GUI now running on the new port w/ HTTP, when he had specifically requested only HTTPS for the LAN authentication!

That's why I consider it a bug. Had he never needed port 80 for NGINX and simply wanted to limit LAN authentication to HTTPS, the router would NOT have bound the GUI to HTTP/80.

Now when it comes to the WAN side, the GUI is never bound to the WAN. If you enable remote access, then HTTPS is required and a port is opened (8443 by default, although you can change it), where the inbound traffic is redirected (via DNAT) to the GUI on the LAN side (port 80 by default, for http, or 8443, for https, unless you changed these for some reason).

In short, unless you're replicating @thatdoodle's configuration, there shouldn't be any issues w/ port forwarding or opening ports 80/443 on the WAN. At least NOT as far as the GUI is concerned (I can't speak to other services that might also find those same ports appealing, e.g., AiCloud).

 

[Analog-1]

That's why I consider it a bug.

Why don't Merlin just put it back the way everyone is use to ? Is it a security issue ? I don't use VPN so just curious why all the issues ?

 

[eibgrad]

Why don't Merlin just put it back the way everyone is use to ? Is it a security issue ? I don't use VPN so just curious why all the issues ?

This has nothing to do w/ VPNs.

Only the developer can explain his reasoning for taking or NOT taking action. All I can do is explain the problem. For all I know, there may be some rationale behind it all that remains elusive. Even if it is a bug, Merlin is not free to change just anything he wants. He has constraints. Some things fall under the umbrella of the ASUS developers.

Is it a security concern? Depends.

On the one hand, the OP has requested only HTTPS on the LAN side, yet HTTP has been made available over the new port. Then again, the LAN side is usually a trusted network. Then again, if the OP is trying to force the LAN clients through the NGINX proxy, it undermines his efforts.

So technically, I suppose it's a failure of security, but just how much of a failure it represents depends on the OP's intentions and security requirements.

 

[Jeffrey Young]

Thanks @eibgrad. I love reading your detailed responses.

For my use case, yes I have (and soon plan on again) run NGINX on the router as a reverse proxy to two web services (family Nextoud server and a website for our local Catholic church group) inside my LAN. As such, my interest is to ensure I can bind NGINX to port 80 and 443 on the WAN.

From the description above, it sounded like the issue was on the LAN side. I was just wanting to confirm my suspicions.

 

[vlord]

I just did the entire house without electricity and restarted everything. Unfortunately that didn't help

Are you sure it wasn’t running on battery?

 

[cabodog168]

Hi thanks for including ROG version in 3004.388.8_2 release!
My router is GT-AXE16000 and currently is running on 388.7 ROG. I tried to apply 388.8_2 ROG version, but it keeps failing. Any suggestions?

 

[netmik3]

Hi thanks for including ROG version in 3004.388.8_2 release!
My router is GT-AXE16000 and currently is running on 388.7 ROG. I tried to apply 388.8_2 ROG version, but it keeps failing. Any suggestions?

View attachment 60693

Did you reboot

 

[Quoc Huynh]

Hi thanks for including ROG version in 3004.388.8_2 release!
My router is GT-AXE16000 and currently is running on 388.7 ROG. I tried to apply 388.8_2 ROG version, but it keeps failing. Any suggestions?

View attachment 60693

Did you remove all attached USB drives before flashing the firmware? Otherwise, I think you should do the upgrade via an Ethernet cable, rather via Wifi.

 

[prosperot]

Dirty upgrade from 388.8. Zero problems, no DNS nor Timemachine issues, Thanks to M!

 

[cowboy]

Updated AX86U and PRO, everything seems to be working perfectly.

 

[Funnyland123]

Possibly a smartwatch switching between 2.4 & 5Ghz due to weak signal...

I don't have any

 

[Funnyland123]

That's what the log file you posted showed.

Do you have 802.11ax / WiFi 6 mode enabled for the 2.4GHz band? If so disable that (assuming none of your 2.4GHz clients use ax) and see if the messages disappear.

EDIT: If you have WPA3 enabled for that band try changing it to WPA2-Personal only.


Post the new log file that shows that.

So now that was the problem again. As seen in the log file.

I've now given a different 5ghz password again for testing so that whatever I try, she can't dial in

 

[Funnyland123]

Are you sure it wasn’t running on battery?

yes