Release Asuswrt-Merlin 386.1 is now available

[Deleted member 22229]

Your preference. The WAN DNS servers will be used until Stubby starts up, and the router will continue to use these servers when it resolves names for itself. Clients will get forwarded through dnsmasq and Stubby.

So when i select dns/tls it don't matter if connect to dns server auto is selected or not. In other words dns/tls over rides it ?

 

[joe scian]

So when i select dns/tls it don't matter if connect to dns server auto is selected or not. In other words dns/tls over rides it ?

yes dns/tls overrides for clients

 

[dave14305]

So when i select dns/tls it don't matter if connect to dns server auto is selected or not. In other words dns/tls over rides it ?

Some incidental queries will still go to the regular WAN DNS servers, so just be sure you trust what’s configured there. It would make sense that you pick the same provider you’re trusting for DoT.

 

[joe scian]

Finally I was able to update from 384.19 to 386.1 after a complete reset, on an RT-AC66U B1.
After about 20 mins the UI worked fine, so I spent some time to see what's changed.

Then I tried connecting to my VPN server running on router.

There are some warning never seen before, but connection to VPN server is fine.

2021-02-05 19:43:22 Note: Treating option '--ncp-ciphers' as  '--data-ciphers' (renamed in OpenVPN 2.5).
2021-02-05 19:43:22 OpenVPN 2.5.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 28 2020
2021-02-05 19:43:22 Windows version 10.0 (Windows 10 or greater) 64bit
2021-02-05 19:43:22 library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
Enter Management Password:
2021-02-05 19:43:25 ******* WARNING *******: '--auth none' was specified. This means no authentication will be performed on received packets, meaning you CANNOT trust that the data received by the remote side have NOT been manipulated. PLEASE DO RECONSIDER THIS SETTING!
2021-02-05 19:43:25 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:9999
2021-02-05 19:43:25 UDP link local: (not bound)
2021-02-05 19:43:25 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:9999
2021-02-05 19:43:25 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-02-05 19:43:26 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1537', remote='link-mtu 1521'
2021-02-05 19:43:26 [RT-AC68U] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:9999
2021-02-05 19:43:26 open_tun
2021-02-05 19:43:26 tap-windows6 device [Connessione alla rete locale (LAN)] opened
2021-02-05 19:43:26 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.2/255.255.255.0 [SUCCEEDED]
2021-02-05 19:43:26 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.0 on interface {5567ACE7-D52C-4F8A-B5B2-DFC040B207A7} [DHCP-serv: 10.8.0.254, lease-time: 31536000]
2021-02-05 19:43:26 Successful ARP Flush on interface [9] {5567ACE7-D52C-4F8A-B5B2-DFC040B207A7}
2021-02-05 19:43:26 IPv4 MTU set to 1500 on interface 9 using service
2021-02-05 19:43:31 Initialization Sequence Completed

This is the old client1.ovpn file generated by 384.19:

client
dev tun
proto udp
remote myddnshostname 9999
float
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
cipher AES-128-CBC
auth none
keepalive 15 60
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
LINES REMOVED
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
LINES REMOVED
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
LINES REMOVED
-----END PRIVATE KEY-----
</key>
resolv-retry infinite
nobind

Then I decided to generate a new client.ovpn with updated firmware release.
Edited the remote address and replaced conf file in Windows 10 OpenVPN client:

# Config generated by Asuswrt-Merlin 386.1, requires OpenVPN 2.4.0 or newer.

client
dev tun
proto udp
remote myddnshostname 9999
resolv-retry infinite
nobind
float
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
auth none
keepalive 15 60
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
LINES REMOVED
-----END CERTIFICATE-----

</ca>
<cert>
-----BEGIN CERTIFICATE-----
LINES REMOVED
-----END CERTIFICATE-----

</cert>
<key>
-----BEGIN PRIVATE KEY-----
LINES REMOVED
-----END PRIVATE KEY-----

</key>

With this configuration file I'm not able to connect to VPN server, this is Windows OpenVPN client log:

2021-02-05 20:19:47 Note: Treating option '--ncp-ciphers' as  '--data-ciphers' (renamed in OpenVPN 2.5).
2021-02-05 20:19:47 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2021-02-05 20:19:47 OpenVPN 2.5.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 28 2020
2021-02-05 20:19:47 Windows version 10.0 (Windows 10 or greater) 64bit
2021-02-05 20:19:47 library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
Enter Management Password:
2021-02-05 20:19:50 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.0.2:9999
2021-02-05 20:19:50 UDP link local: (not bound)
2021-02-05 20:19:50 UDP link remote: [AF_INET]192.168.0.2:9999
2021-02-05 20:20:50 [UNDEF] Inactivity timeout (--ping-restart), restarting
2021-02-05 20:20:50 SIGUSR1[soft,ping-restart] received, process restarting
2021-02-05 20:20:55 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.0.2:9999
2021-02-05 20:20:55 UDP link local: (not bound)
2021-02-05 20:20:55 UDP link remote: [AF_INET]192.168.0.2:9999
2021-02-05 20:21:46 SIGTERM[hard,] received, process exiting

And a spinning wheel appear on router VPN server page, near the export CFG file, that will spin until I reboot the router:

View attachment 30349

As I can see the only missing cfg line in the new client1 is cipher AES-128-CBC, but adding this line to the newly generated conf file doesn't help.

Am I the only one?

My actual workaround is to restart router to stop the spinning wheel and use the old client1.ovpn file from 384.19.


Thanks to Merlin for the great job and to all users who can help me to fix this small problem.

Max


EDIT: Post modified, my apologies for posting an invented domain resulting in a live domain.
I'm sorry.

Your screenshot shows LAN Only and 1024Bit. Is that by design or should you have Internet or both selected and maybe 2048bit for extra security? Also says that your router is using a private WAN IP address. in range 192.168.x.x , 10.x.x.x, 172.16.x.x. That cant be right ? Or maybe you are using CGNAT whereas your WAN IP address is private. I was never able to host services like cameras or OVPN when using CGNAT. Had to get a static IP from ISP. Well known problem with CGNAT.

Carrier-grade NAT usually prevents the ISP customers from using port forwarding, because
the network address translation (NAT) is usually implemented by mapping ports of the NAT
devices in the network to other ports in the external interface. This is done so the router
will be able to map the responses to the correct device; in carrier-grade NAT networks,
even though the router at the consumer end might be configured for port forwarding, the
"master router" of the ISP, which runs the CGN, will block this port forwarding because
the actual port would not be the port configured by the consumer.[

You should be using OpenVPN Client Version 11.20.0.0 for windows (OpenVPN-2.5.0-I601-amd64.msi) or OPENVPN Connect V3 64bit. Make sure you are on latest version. If not update your client.
Then you could try SHA1 for Authentication instead of NONE. Regenerate OVPN and try connecting. You can also include "auth-nocache" in your OVPN file to stop one of the messages. Make sure you religiously copy the OVPN file to the correct folder \program files\OpenVPN\Config if using 11.20.00 or import profile when using OVPN Connect. Make sure you dont have extraneous OVPN files from older configs lying around your directory structure or import the correct profile when using Openvpn Connect.

To Get rid of other warning messages use following in custom configuration ( server advanced settings )

auth-nocache
verb 3
mute 10
persist-key
persist-tun
cipher AES-256-GCM
keepalive 30 120
tun-mtu 1500

AND edit your OVPN File to following

client
dev tun
proto udp
remote <your ddns adress>  <port number>
resolv-retry infinite
nobind
float
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
auth SHA1
keepalive 15 60
auth-user-pass
remote-cert-tls server
cipher AES-256-GCM
tun-mtu 1500
auth-nocache

 

[Deleted member 22229]

Some incidental queries will still go to the regular WAN DNS servers, so just be sure you trust what’s configured there. It would make sense that you pick the same provider you’re trusting for DoT.

Thanks !!!

 

[calzor suzay]

Hit my first odd bug today.
Was poking around Network map, went to rename a device so it made more sense, have done this already a few times.
Went to go to a different view and router web page timed out and died. Wi-Fi, internet etc. all still working, tried a different browser but no response.
Middle of the day and didn't want to restart router so googled about and found 'service restart_httpd', web page back, logged on all good.

Went back to network map to rename device but it didn't take so thought I'll do it via AiMesh view, same thing hit apply but didn't stick.
Just now I rebooted it (everyone's in bed) and it came back all good and the devices are renamed now with the ability to rename others.

Nothing major but certainly odd.

 

[jmrdv]

RT-Ac68u report
I was on Merlin 384.19 and all was fine. Yesterday i upgraded to the 386.1 and major problems. Most of my wireless clients reported offline in their respective apps but still showed in the router client list. I tried all day to resolve and finally did a full factory restore to default and loaded 384.19. The problem persists. Switching to another router altogether and everything works fine. My clients include a bunch or amazon Alexa echo and dots, Leviton wall switches, ring products. roomba vacuum and more. My phones, tablets and one tv all connect fine to wireless and the ethernet wired stuff remains fine.

If anyone has a suggestion on how i might resolve this =- i would be very thankful. My alternative now is likely a RT-AX86U which i will likely order in the next day or two if i cannot resolve this.

 

[L&LD]

@jmrdv welcome to the forums.

You may find the following suggestions helpful to get your router/network back to a good/known state by allowing the firmware to use its expected defaults.

Best Practice Update/Setup Router/AiMesh Node(s) 2021

 

[RMerlin]

That's exactly what I did, both bands have static channel... that's the strange thing... but if it's closed source, there's not too much you can do then. Thanks anyway!

I can't reproduce the problem on my own RT-AC88U, acsd is running normally.

 

[sentinelvdx]

I can't reproduce the problem on my own RT-AC88U, acsd is running normally.

I reboot it and didn't do it again hope not seeing again

 

[RMerlin]

@RMerlin IPv6 with 6in4 throws out an error for LAN IPv6 Prefix. It used to be fine with xxxx:xxx:xxxx:: but 386.1 says it's an invalid ip. Add a 1 at the end works for now.
Thanks for the 386.1 update.

That's a bug that's been there for quite some time. A better workaround would be to enter "0" rather than "1" (since :: means :0 basically).

Fixed on my end.

 

[bbunge]

RT-Ac68u report
I was on Merlin 384.19 and all was fine. Yesterday i upgraded to the 386.1 and major problems. Most of my wireless clients reported offline in their respective apps but still showed in the router client list. I tried all day to resolve and finally did a full factory restore to default and loaded 384.19. The problem persists. Switching to another router altogether and everything works fine. My clients include a bunch or amazon Alexa echo and dots, Leviton wall switches, ring products. roomba vacuum and more. My phones, tablets and one tv all connect fine to wireless and the ethernet wired stuff remains fine.

If anyone has a suggestion on how i might resolve this =- i would be very thankful. My alternative now is likely a RT-AX86U which i will likely order in the next day or two if i cannot resolve this.

Were the offline clients using Guest network 1?

 

[Citius]

Since the upgrade to this version in my RT-AX86U i some times see strange settings when changing page. I will show you. Unfortunately some is in Swedish Because i was helping a Swedish person with som screenshots when it hapened. This doesn't happen all the time. Very random. The most confusing thing is the Ai Mesh backhaul or, no i think the Facebook Guest network is stranger. Notice the 5Ghz-2 in one picture.

 

[jerrytouille]

RT-AC68U ui is dog slow after switching to Traditional QoS. Browsers spin forever to load after login. Basic settings only: dhcp/no static ip, google dns/ntp, no usb, no custom jffs, no ssh, no loop switch, no stp, only qos, fact. reset yes. Clicking qos Apply again after boot does not fix the Classification page, which it did for Adaptive QoS.

 

[capncybo]

What's so special about Instant Guard?

It's basically an easier to setup, free vpn, I was going to get my iphone family members to try & use it while using free wifi hot spots. But our family router won't be getting it.

 

[Matthew Patrick]

Cheers, yeah will let you know how it is.

Yeah it's been 14 hours or so and nothing has dropped on my 2.4ghz . Seems like it is 386 issue. Idk what tho. So weird...

 

[ecantona9]

Yeah it's been 14 hours or so and nothing has dropped on my 2.4ghz . Seems like it is 386 issue. Idk what tho. So weird...

Did you downgrade to 384.19?

 

[Matthew Patrick]

Did you downgrade to 384.19?

Yeah. And then I restored my 384.19 config... On 386 i already tried wps resetting twice now. And still the same, downgraded to 384.19 and it works fine again now. And the logs when it was on 386 doesn't really tell anything too. It just shows it disconnecting and reconnecting. Spamming it until it's apparently working again . Seems random in terms of when it starts and stops. It's not like always every few hours or so. Just random.

 

[criminala]

Noticed this morning that the router was unresponsive , internet slow/not loading . so checked the logs . snap :

..........
Feb 6 08:55:16 kernel: CONSOLE: 282356.838 wl1: wlc_ampdu_dotxstatus_aqm_complete: tx phy error (0x9200)
Feb 6 08:55:16 kernel: CONSOLE: 282356.838 wl1.0: wlc_send_bar: for 78:2b:46:4a:8d:f5 seq 0x59c tid 0
Feb 6 08:55:17 kernel: CONSOLE: 282356.986 wl1: wlc_ampdu_dotxstatus_aqm_complete: tx phy error (0x9200)
Feb 6 08:55:17 kernel: CONSOLE: 282356.986 wl1.0: wlc_send_bar: for 78:2b:46:4a:8d:f5 seq 0x59d tid 0
Feb 6 08:55:17 kernel: CONSOLE: 282357.208 wl1: wlc_ampdu_dotxstatus_aqm_complete: tx phy error (0x9200)
Feb 6 08:55:17 kernel: CONSOLE: 282357.208 wl1.0: wlc_send_bar: for 78:2b:46:4a:8d:f5 seq 0x59e tid 0
Feb 6 08:55:17 kernel: CONSOLE: 282357.235 wl1: wlc_ampdu_dotxstatus_aqm_complete: tx phy error (0x9200)
Feb 6 08:55:17 kernel: CONSOLE: 282357.235 wl1: wlc_ampdu_dotxstatus_aqm_complete: tx phy error (0x9200)
Feb 6 08:55:17 kernel: CONSOLE: 282357.236 wl1: wlc_ampdu_dotxstatus_aqm_complete: tx phy error (0x9200)
Feb 6 08:55:17 kernel: CONSOLE: 282357.236 wl1: wlc_ampdu_dotxstatus_aqm_complete: tx phy error (0x9200)
Feb 6 08:55:17 kernel: CONSOLE: 282357.237 wl1: wlc_ampdu_dotxstatus_aqm_complete: tx phy error (0x9200)
Feb 6 08:55:17 kernel: CONSOLE: 282357.237 wl1: wlc_ampdu_dotxstatus_aqm_complete: tx phy error (0x9200)
Feb 6 08:55:17 kernel: CONSOLE: 282357.238 wl1: wlc_ampdu_dotxstatus_aqm_complete: tx phy error (0x9200)
Feb 6 08:55:17 kernel: CONSOLE: 282357.239 wl1: wlc_ampdu_dotxstatus_aqm_complete: tx phy error (0x9200)
Feb 6 08:55:17 kernel: CONSOLE: 282357.240 wl1: wlc_ampdu_dotxstatus_aqm_complete: tx phy error (0x9200)
Feb 6 08:55:17 kernel: CONSOLE: 282357.240 wl1: wlc_ampdu_dotxstatus_aqm_complete: tx phy error (0x9200)
Feb 6 08:55:17 kernel: CONSOLE: 282357.241 wl1: wlc_ampdu_dotxstatus_aqm_complete: tx phy error (0x9200)
Feb 6 08:56:20 kernel: CONSOLE: 282420.183 wl1: wlc_ampdu_dotxstatus_aqm_complete: tx phy error (0x9200)
Feb 6 08:56:20 kernel: CONSOLE: 282420.184 wl1: wlc_ampdu_dotxstatus_aqm_complete: tx phy error (0x9200)
Feb 6 08:56:20 kernel: CONSOLE: 282420.184 wl1: wlc_ampdu_dotxstatus_aqm_complete: tx phy error (0x9200)
Feb 6 08:56:20 kernel: CONSOLE: 282420.185 wl1: wlc_ampdu_dotxstatus_aqm_complete: tx phy error (0x9200)
Feb 6 08:56:20 kernel: CONSOLE: 282420.185 wl1: wlc_ampdu_dotxstatus_aqm_complete: tx phy error (0x9200)
May 5 07:05:07 syslogd started: BusyBox v1.25.1
May 5 07:05:07 kernel: klogd started: BusyBox v1.25.1 (2021-01-30 15:23:16 EST)
May 5 07:05:07 kernel: npe_max_entries<32768>
May 5 07:05:07 kernel: Bind blog_notify_evt_enqueue_fn[<ffffffbffc469888>]
May 5 07:05:07 kernel: fc_evt task created successfully
May 5 07:05:07 kernel: max_ent = 16384 intvl_msec = 10000 num_slices = 2000 num_ent = 9 period_msec = 5
May 5 07:05:07 kernel: NBUFF v1.0 Initialized
May 5 07:05:07 kernel: ^[[0;36;44mTotal # of labels = 68^[[0m
May 5 07:05:07 kernel: ^[[0;36;44mInitialized fcache state^[[0m
May 5 07:05:07 kernel: Pkt HW acceleration is disabled/unavailable.
May 5 07:05:07 kernel: ^[[0;36;44mBroadcom Packet Flow Cache Char Driver v4.0 Registered<302>^[[0m
May 5 07:05:07 kernel: fc_timer_task created successfully
May 5 07:05:07 kernel: Pkt HW acceleration is disabled/unavailable.
May 5 07:05:07 kernel: Created Proc FS /procfs/fcache
........

seems something strange has been going on and the rooter rebooted or something (notice it jumps date to 5th of May suddenly) .
AX86U , merlin 386.1 . clean install configured this router from scratch . Not using any mods/addons .
I am using link aggregation on ports 1&2 , which is the only non default probably .

 

[Geraner]

My ChormeCast devices suddenly stopped working, when I was upgrading from 386.1_beta5 to 386.1 release. (RT-AX86U).
Anyone else having the same problems?
Looks like the ChromeCast devices can't anounce their "roomname".