Release Asuswrt-Merlin 3004.388.8_4 is now available

Have there been any changes to Wireguard implementation?

I used to get over 80 megabytes p/s with the same VPN provider before, but now it hovers around 20 - and I suspect it's because core 1 is being used to the max, i.e. the CPU is throttling?


I do not have screenshots from 'before', but from what I remember the usage split between cores was much more even than now.

Running 3004.388.8_4 on XT12.
 
Have there been any changes to Wireguard implementation?

I used to get over 80 megabytes p/s with the same VPN provider before, but now it hovers around 20 - and I suspect it's because core 1 is being used to the max, i.e. the CPU is throttling?

I do not have screenshots from 'before', but from what I remember the usage split between cores was much more even than now.

Running 3004.388.8_4 on XT12.
I’m getting 300/250 Mbps with ProtonVPN WireGuard. It maxes out my Core 1 at that speed and the other cores stay below 50%. I have an AX11000 and 500/500 fiber.
 
Have there been any changes to Wireguard implementation?

I used to get over 80 megabytes p/s with the same VPN provider before, but now it hovers around 20 - and I suspect it's because core 1 is being used to the max, i.e. the CPU is throttling?

I do not have screenshots from 'before', but from what I remember the usage split between cores was much more even than now.

Running 3004.388.8_4 on XT12.
Running a WG client on my AX88Pro I often get 500+/22 through the router when a PC is connected using Ethernet. I use StrongVPN and connect to a server less than 200 miles distant. The heaviest load is on core 1 (99%) but the other three cores do show some activity.

The AX88Pro is a beast as spMerlin often logs results over 940 Mbps when running automatic speed tests. My ISP plan is 800/20. In testing with OpenVPN clients the router usually shows 160/240 Mbps connected to OpenVPN servers within 500 miles.
 
3004.388.8_4 (17-Nov-2024)
- CHANGED: VPN killswitch will now only be active if the
VPN client itself is enabled. If you stop/start
the client yourself over SSH, you need to also
update the enabled/disabled nvram setting.
- FIXED: Security issues in AiCloud (backports from Asus)
- FIXED: CVE-2024-2511, CVE-2024-4741, CVE-2024-5535 &
Implicit rejection for RSA PKCS#1 in openssl
(backport from Ubuntu by RSDNTWK)
Does this Merlin update include all of the security fixes from the official ASUS RT-AX86 Series(RT-AX86U/RT-AX86S) Firmware version 3.0.0.4.388_24323? It seems like it wouldn’t, since Asus released it on 11/28/2024 and Merlin released this firmware on 11/17/2024.

I am still running the old Merlin 3004.388.4 on my RT-AX86U and it’s time to update. I checked and the WAN access & cloud features are turned off. Additionally, there is a long username and password combo to login.
 
Does this Merlin update include all of the security fixes from the official ASUS RT-AX86 Series(RT-AX86U/RT-AX86S) Firmware version 3.0.0.4.388_24323?
It doesn't contain every fix in 388_24323, and 388_24323 doesn't contain every fix that is in 388.4_4 either. You can't compare them.

388.8_4 contains the most important fixes from 388_24323.
 
Just for additional clarification: there are some "security" changes done by Asus which will absolutely not be implemented in Asuswrt-Merlin. For instance, among these recent security changes, Asus now prevents using mount with certain paths. This is something that I will not implement, because it prevents very legitimate uses that I personally do occasionally while developing, for instance.

Likewise, a few months ago one of their security changes was to remove scp from the firmware, something I will not apply to Asuswrt-Merlin, because it's very useful for advanced users.

People should not try to compare Asus security changelogs with Asuswrt-Merlin. Not every change that they do applies to Asuswrt-Merlin. Some of their changes would be directly incompatible with Asuswrt-Merlin's support for user customizations and addons.
 
Likewise, a few months ago one of their security changes was to remove scp from the firmware, something I will not apply to Asuswrt-Merlin, because it's very useful for advanced users.
Thank you, very good call 🙏.
 
Just for additional clarification: there are some "security" changes done by Asus which will absolutely not be implemented in Asuswrt-Merlin. For instance, among these recent security changes, Asus now prevents using mount with certain paths. This is something that I will not implement, because it prevents very legitimate uses that I personally do occasionally while developing, for instance.

Likewise, a few months ago one of their security changes was to remove scp from the firmware, something I will not apply to Asuswrt-Merlin, because it's very useful for advanced users.

People should not try to compare Asus security changelogs with Asuswrt-Merlin. Not every change that they do applies to Asuswrt-Merlin. Some of their changes would be directly incompatible with Asuswrt-Merlin's support for user customizations and addons.

Exactly. SCP is a life saver. Using WinSCP on a PC will get things done so much quicker on the router. Without it I am lost.

Thanks @RMerlin
 
Running a WG client on my AX88Pro I often get 500+/22 through the router when a PC is connected using Ethernet. I use StrongVPN and connect to a server less than 200 miles distant. The heaviest load is on core 1 (99%) but the other three cores do show some activity.

The AX88Pro is a beast as spMerlin often logs results over 940 Mbps when running automatic speed tests. My ISP plan is 800/20. In testing with OpenVPN clients the router usually shows 160/240 Mbps connected to OpenVPN servers within 500 miles.
XT12s are as powerful. As per above, I used to get 80 megabytes p/s over VPN before, i.e. often over 700 Mbps.

So having core 1 maxed out, with others at a vastly lower usage, seems to be common behaviour, right?
 
XT12s are as powerful. As per above, I used to get 80 megabytes p/s over VPN before, i.e. often over 700 Mbps.

So having core 1 maxed out, with others at a vastly lower usage, seems to be common behaviour, right?
Yes, it seems so currently. Previously with OpenVPN and multiple VPN clients using Client 1,3,5 put the VPN load on Core 2 leaving Core 1 available for other router functions. I don't know how it works with 4 Core routers and WG. Perhaps Merlin or someone else can enlighten us on what cores are running the VPNs both Open & WG and if there is a setup that will shift the load from core 1.
 
Yes, it seems so currently. Previously with OpenVPN and multiple VPN clients using Client 1,3,5 put the VPN load on Core 2 leaving Core 1 available for other router functions. I don't know how it works with 4 Core routers and WG. Perhaps Merlin or someone else can enlighten us on what cores are running the VPNs both Open & WG and if there is a setup that will shift the load from core 1.
OpenVPN is unchanged - it will always use the next core, skipping the first one (unless running client 4 on a quad-core, in which case it will end up on core 0).

Wireguard is in kernel-space, so there's no CPU affinity that can be adjusted. It should be multicore.
 
OpenVPN is unchanged - it will always use the next core, skipping the first one (unless running client 4 on a quad-core, in which case it will end up on core 0).

Wireguard is in kernel-space, so there's no CPU affinity that can be adjusted. It should be multicore.

Thanks for the information:

Running Speed tests on a PC connected by Ethernet to the router using servers in the same city. ISP service 800/20 Mbps.

Open VPN - VPN Client 1 Download speed obtained 175 - 240 Mbps (several tests)

Utilization by core: OpenVPN

1 = 17%
2 = 100%
3 = 7%
4 = 4%

WG - Client 1 475 - 535 Mbps Download (several tests)

1 = 97%
2 = 62%
3 = 55%
4 = 32%

It is unfortunate that, because WG is in the kernel, one can't reverse the order of the cores used to minimize load on core 1 or at least skip core 1 like OpenVPN.
 
It is unfortunate that, because WG is in the kernel, one can't reverse the order of the cores used to minimize load on core 1 or at least skip core 1 like OpenVPN.
WG is multithreaded. It's not tied to a single core, as you can see in your test results.
 
WG is multithreaded. It's not tied to a single core, as you can see in your test results.
Yes, I see that; however, it still heavily utilizes core 1 (97-100%), which probably slows down other activities on the router if core 1 is in fact the core used for many/most other functions. Probably it isn't that critical, as most online activities don't attempt to fully utilize the download bandwidth.
 
Yes, I see that; however, it still heavily utilizes core 1 (97-100%), which probably slows down other activities on the router if core 1 is in fact the core used for many/most other functions. Probably it isn't that critical, as most online activities don't attempt to fully utilize the download bandwidth.
That 97% is probably a combination of regular router activity + Wireguard. Based on the other cores, I suspect that only half of that 97% is actually from WG. It's quite possible that if that first core is already busy with other activities, then WG may rely more heavily on the other available cores. I'm not familiar enough with Linux's scheduler to know how it will balance the load in such a scenario.
 
I suspect that only half of that 97% is actually from WG. It's quite possible that if that first core is already busy with other activities
In my screenshot above, Core 1 use is 99% with just 19 MB/s going through the router, of that 95% being through VPN at that moment. No other 'user initiated' activities on the router save for AiProtect, no add-ons etc.

This is how it looks with 140-150 MB/s going through without VPN. I.e. it almost looks to me that core 1 is throttling the performance on the earlier screenshot - and while I do not have screenshots to support it, I remember the load being spread much more evenly across cores before, something like ~70% on core 1, 40-50% on other cores, when I used to get 90 MB/s through VPN (=essentially maxing out my ISP speed) using the same router (XT12), the same protocol and the same VPN provider.
 

That 97% is probably a combination of regular router activity + Wireguard. Based on the other cores, I suspect that only half of that 97% is actually from WG. It's quite possible that if that first core is already busy with other activities, then WG may rely more heavily on the other available cores. I'm not familiar enough with Linux's scheduler to know how it will balance the load in such a scenario.
I turned off WG for my PC and ran a speed test.

Download 954 Mbps - No VPN

Core 1 45%
Core 2 9%
Core 3 2%
Core 4 11%

This is in line with your supposition that half the 97%-100% usage on Core 1 is data throughput irrespective of WG VPN client data encryption. The fact that I get twice the download speed when not using the WG client tunnel does impact the percentage of use of core 1 and pushes it up. I also know that my VPN client host can provide download speeds of at least 850 Mbps when running on a VPN appliance with an I7 processor so the VPN provider is not a significant limiting factor.

Again, back to my original thought, it is unfortunate that there isn't currently any way to utilize some other core besides core 1 for the WG client encryption. If there were it probably would allow increased WG throughput.
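
One way to check how much of a busy core is kernel packet work rather than ordinary router processes, the question raised in the posts above; this is an added example, not part of the thread or of Asuswrt-Merlin. It relies on the standard Linux `/proc/stat` per-CPU counters, where in-kernel packet handling (WireGuard included) is counted under system and irq/softirq time and user-space daemons such as OpenVPN under user time; `core_breakdown` is a hypothetical helper name and the sample captures are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). core_breakdown is a hypothetical helper.
# Arguments: two captures of /proc/stat text, taken a few seconds apart.
# Output: one line per core, numbered from 1 as in the figures quoted above.
core_breakdown() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---" { second = 1; next }
        /^cpu[0-9]+ / {
            id = substr($1, 4) + 1
            # Columns: user nice system idle iowait irq softirq steal
            total = 0
            for (i = 2; i <= 9; i++) total += $i
            if (!second) {
                t0[id] = total; u0[id] = $2 + $3; s0[id] = $4
                i0[id] = $5 + $6; q0[id] = $7 + $8
                next
            }
            if (!(id in t0)) next        # core missing from the first capture
            dt = total - t0[id]
            if (dt <= 0) next            # no ticks elapsed between captures
            idle = ($5 + $6) - i0[id]
            printf "core%d busy=%d%% user=%d%% system=%d%% irq+softirq=%d%%\n", id,
                100 * (dt - idle) / dt,
                100 * ($2 + $3 - u0[id]) / dt,
                100 * ($4 - s0[id]) / dt,
                100 * ($7 + $8 - q0[id]) / dt
        }'
}

# Constructed sample captures (two cores), standing in for live data.
SAMPLE_BEFORE='cpu  150 0 150 1550 0 0 150 0 0 0
cpu0 100 0 100 700 0 0 100 0 0 0
cpu1 50 0 50 850 0 0 50 0 0 0'
SAMPLE_AFTER='cpu  165 0 215 1592 0 0 228 0 0 0
cpu0 110 0 140 702 0 0 148 0 0 0
cpu1 55 0 75 890 0 0 80 0 0 0'

core_breakdown "$SAMPLE_BEFORE" "$SAMPLE_AFTER"

# On a live system, during a speed test:
#   a=$(cat /proc/stat); sleep 5; b=$(cat /proc/stat); core_breakdown "$a" "$b"
```

Running it once with the tunnel up and once without, at the same throughput, shows which columns on core 1 actually change.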
 
Asuswrt-Merlin 3004.388.8_4 is now available for all Wifi 6 models.

Code:
3004.388.8_4 (17-Nov-2024)
  - CHANGED: VPN killswitch will now only be active if the
             VPN client itself is enabled.  If you stop/start
             the client yourself over SSH, you need to also
             update the enabled/disabled nvram setting.
  - FIXED: Security issues in AiCloud (backports from Asus)
  - FIXED: CVE-2024-2511, CVE-2024-4741, CVE-2024-5535 &
           Implicit rejection for RSA PKCS#1 in openssl
           (backport from Ubuntu by RSDNTWK)

Please keep discussions on this specific release. The thread will be locked once feedback dies down.

Downloads are here.
Changelog is here.
Upgraded AX88Pro several weeks ago and it is running perfectly. One thing I have noticed when connected to the router by Ethernet and if I run a site survey for some reason it does not see the SSID for guest network 3 on the 2.4 GHz band. I don't have a guest network 3 running on the 5 GHz band so I don't know if it has the same issue. My guest network 3 is active and I have nine devices connected.

Guest network 1 on both bands is active and is seen in the site survey.
 
@RMerlin
I own a GT-AXE16000. There’s no information about an update to 3006. Could you share your plans regarding when we can expect a GPL update? It’s been a year already :( This will be the next priority, right? The 2023 flagship model is being seriously neglected :(
 
