Asuswrt-Merlin 384.8 is now available

[D_Day]

anyone else getting a closed port on the ssh port over the wan
even though ssh is only enabled on the lan?

View attachment 15550

What’s that tool called?

 

[Shonk]

https://www.grc.com/shieldsup

click proceed then all service ports

 

[dave14305]

Trust buy verify. What is the output of these commands?

netstat -anp | grep :22 | grep LISTEN

iptables -L INPUT -v

From the first command, you're looking for something like this with just your router LAN IP listed:

netstat -anp | grep :22 | grep LISTEN
tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN      24074/dropbear

From the second command, just looking for any unusual lines and to make sure there are no extra rules to ACCEPT ssh. I ran ShieldsUp! and watched the last line (DROP) increase as it worked its way through the ports.

 

[Martin_D]

No problem for me on that port

GRC Port Authority Report created on UTC: 2018-12-19 at 22:08:43

Results from scan of ports: 0-1055

0 Ports Open
4 Ports Closed
1052 Ports Stealth
---------------------
1056 Ports Tested

NO PORTS were found to be OPEN.

Ports found to be CLOSED were: 135, 137, 138, 445

Other than what is listed above, all ports are STEALTH.


Our ISP blocks some ports

Blocked ports by Virgin media
TCP & UDP ports 135, 137, 138, 139
TCP & UDP port 445

 

[D_Day]

T

https://www.grc.com/shieldsup

click proceed then all service ports

Thanks for that!

 

[scjr]

T

Thanks for that!

He has a nice little DNS Benchmark tool as well.

https://www.grc.com/dns/benchmark.htm

 

[D_Day]

He has a nice little DNS Benchmark tool as well.

https://www.grc.com/dns/benchmark.htm

I need to get on my laptop for that one but that will be tomorrow now.
Thanks for the link
I’ve got an open port and now have to work out how to connect to my router through my VPN

 

[Shonk]

Trust buy verify. What is the output of these commands?

netstat -anp | grep :22 | grep LISTEN

iptables -L INPUT -v

From the first command, you're looking for something like this with just your router LAN IP listed:

netstat -anp | grep :22 | grep LISTEN
tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN      24074/dropbear

From the second command, just looking for any unusual lines and to make sure there are no extra rules to ACCEPT ssh. I ran ShieldsUp! and watched the last line (DROP) increase as it worked its way through the ports.

admin@odyssey:/tmp/home/root# netstat -anp | grep :22 | grep LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN                                  319/dropbear
tcp        0      0 :::22                   :::*                    LISTEN

 

[dave14305]

admin@odyssey:/tmp/home/root# netstat -anp | grep :22 | grep LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN                                  319/dropbear
tcp        0      0 :::22                   :::*                    LISTEN

Double check the SSH setting for LAN. It shouldn’t be listening on 0.0.0.0 if it’s truly LAN only. Or restart sshd in case the router didn’t do it.

service restart_sshd

And do you use IPv6?

 

[Shonk]

Double check the SSH setting for LAN. It shouldn’t be listening on 0.0.0.0 if it’s truly LAN only. Or restart sshd in case the router didn’t do it.

service restart_sshd

And do you use IPv6?

yes i do use ipv6


admin@aurora:/tmp/home/root# service restart_sshd

Done.

still a closed port

 

[dave14305]

yes i do use ipv6


admin@aurora:/tmp/home/root# service restart_sshd

Done.

still a closed port

Just have to ask: in your earlier post your router was called “odyssey” at the terminal prompt. In this post it’s named “aurora”. Did you rename it between posts or are you dealing with multiple devices?

 

[Shonk]

doesnt matter forgot i compiled the master branch on the 17th
just compiled the latest and its all stealth now

 

[Shonk]

Just have to ask: in your earlier post your router was called “odyssey” at the terminal prompt. In this post it’s named “aurora”. Did you rename it between posts or are you dealing with multiple devices?

odyssey is an rt-ac88u in ap mode
aurora is an rt-ac88u in router mode

and yes your right i checked the wrong router earlier

 

[consorts]

so damn annoyed today - i had to use a different linksys router off my fios ont to run a test
(i've done this back and forth before when i was using 384.7_2 and 384.8 without issue)
and when i switched back to the asus 384.8_2 router the internet would not clamp on back
nothing i tried worked - i left the linksys running and will revert back to 384.8 and uninstall
diversion and stubby to see if i can at least get the asus router clamping onto internet again.
nothing is more aggravating than having something you thought you could count on - fail
thank my cynical stars i keep a decent spare router up on a shelf just for such eventualities.
i'll update tomorrow with what worked - i got a house full of wifi users to contend with.

one weird thing i noticed while 384.8_2 was on my fios ont unable to clamp is;
both cores of the cpu would fluctuate between 10% and 90% every 30 seconds
even though i only had one wired pc on doing nothing and wifi turned off, so
i have no idea what the router was stuck thinking about.

UPDATE: i honestly don't know what's wrong. maybe it's because i did dirty firmware updates instead of factory resetting and inputting all my setting manually, i donno, but regardless a factory reset was the only way i could clamp back my fios internet. this is really frustrating because it takes me an hour of data entry work to get all my setting back in (lots of static lan ip and lan qos), and what's worse is restoring .CFG files with older settings has NEVER worked correctly for me, so this just means the next time merlin has a firmware update, i may ignore the blinking "!" from now on. I just can't have to factory reset and then update firmware every time there's an update, sorry. this mis-alignment between firmware versions and .CFG files such that dirty updates and save/restore of .CFG files not working - is extremely annoying and unreliable, so once i get everything working again, i'm not going to change a thing - life's too short to dick around with this every month with a house full of people crying why is the wifi down again... sorry guys, just venting - i'm of course grateful for all your hard work here.

 

[D_Day]

I’m a bit stuck with my OpenVPN server, I can’t get it going.
I just keep getting the same error ‘Failed to import profile’
Would anyone have any suggestions?

 

[Stevens243]

https://www.grc.com/shieldsup

click proceed then all service ports

Oh man, I haven't been to Steve Gibson's site in well over a decade! I've completely forgotten about it. Thanks for the reminder.

 

[neiremaove]

Hello there,
I was facing a problem since many merlin updates on my RT-AC68U (more than 1 year).
I was unable to connect to Battlenet or on my email web portal (TLS handshake forever), I think it's a problem on DNS.
To solve my problems I'd setup a vpn and I can connect on Battlenet or read my mails by web portal.
This mode of operation did not suit me, so today I flashed the router with the ASUS official firmware and everything is back in order, I do not have to go through a vpn to connect to different services.
This is my setup fiber ONT and RT-AC68U directly connected on. RT-AC68U as Wireless Router and Firmware Version:3.0.0.4.384_45149

 

[e_lasman]

Any plans to support CloudFlare dynamic DNS updates via their API?

For now I'm using custom `/jffs/scripts/wan-start` but having this function in web UI may be just better.

 

[TonyK132]

Here are my results. When not using the PIA VPN, all my ports are Green meaning completely Stealthy!! But when I enable the VPN, I get this.

[FONT=Verdana,Arial,Helvetica,Sans-Serif,MS Sans Serif][FONT=courier new,courier]GRC Port Authority Report created on UTC: 2018-12-20 at 16:10:41

Results from scan of ports: 0-1055

23 Ports Open
1033 Ports Closed
0 Ports Stealth
---------------------
1056 Ports Tested

NO PORTS were found to be STEALTH.

Ports found to be OPEN were: 22, 53, 80, 110, 443, 500, 501,
502, 600, 601, 602, 603, 604, 605,
606, 607, 608, 609, 610, 611, 612,
613, 614

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.[/FONT][/FONT]


Should the ports while on VPN be just as stealthy as when not on the VPN? If yes, what do I do about it? I'm using OpenVPN to connect to PIA.

 

[Lotta Cox]

The Steve Gibson Shields up is off topic. Start a new thread.