Release Asuswrt-Merlin 386.7 is now available for all models

[ColinTaylor]

Off topic, what IPv6 should I use for VM 6to4, native etc ?

Yes it's off-topic. I suggest you open a separate thread with more detailed information as "for VM" doesn't tell us anything useful.

 

[BuTTuS]

The internet speed test page no longer displays packet loss?
That's a bummer for me that is fighting with my ISP over a bad quality connection atm...

 

[Safemode]

Thanks again Rmerlin for a great build on my rt-ax88u. Just a quick observation under WAN / Dns server under Privacy respecting for quad9 you have 9.9.9.9 and 149.112.112.11, shouldn't this be 9.9.9.11 and 149.112.112.11 which is for Secured w/ECS: Malware blocking, DNSSEC Validation, ECS enabled. Just wondering if it was a typo or good reasoning behind this. Thanks again.

 

[ZebMcKayhan]

It didn’t help, unfortunately. There’s so little written about issues DNATting IPv6 UDP packets, that I’m starting to believe it’s another Broadcom “gift”. Disabling DNS Filter will avoid it.

Maybee a long shot and no viable solution but what if you install Entware iptables? If the problem persists then atleast its not merlins backport of DNAT the cause of it.

I've been running Entware iptables on my ac86u for acouple of month (just to get ipv6 DNAT on previous firmwares) without noticeable problems, but just to be safe, install, test then remove it.

 

[RMerlin]

Thanks again Rmerlin for a great build on my rt-ax88u. Just a quick observation under WAN / Dns server under Privacy respecting for quad9 you have 9.9.9.9 and 149.112.112.11, shouldn't this be 9.9.9.11 and 149.112.112.11 which is for Secured w/ECS: Malware blocking, DNSSEC Validation, ECS enabled. Just wondering if it was a typo or good reasoning behind this. Thanks again.

9.9.9.11 enables EDNS, which can reduce your privacy as you need to share part of your subnet info with your query. So having 9.9.9.9 listed under Privacy is correct.

 

[Makaveli]

The internet speed test page no longer displays packet loss?
That's a bummer for me that is fighting with my ISP over a bad quality connection atm...

Can't you just get the same info from a command prompt with ping? or running the speedtest.net app? or its CLI version?

 

[Treadler]

IPv6 is still an overengineered solution to a problem that also tries to address 10 other problems that sometimes weren't even problems.

But then, this is a recurring issue with other Internet novelties as well. The Internet was initially designed to be simple yet very robust in its design. Most protocols were even text-based, making it easy to debug and troubleshoot. What has been done to simple protocols such as HTTP, SMTP or DNS these past 5 years has been mind boggling. Developing any application that can handle sending email notifications has become quite complicated now that providers like Google expect you to use OAUTH2 for authentication. DNS has forked into four or five different protocols over the past three years.

Sometimes it does improve things or address a specific problem. But they also go out of their way to find other problems to solve at the same time. This added complexity only makes things harder to debug, and less robust and reliable.

Over many years, in all aspects of life, I’ve become a fan of Occam’s Razor.
The least complex solution is generally the best.

 

[Akore]

Can't you just get the same info from a command prompt with ping? or running the speedtest.net app? or its CLI version?

Most like to run it on the router itself as you then eliminate other variables like WiFi interference, etc... For those that are hardwired from the PC to router with a verified good patch cable though can go that route.

 

[dave14305]

Maybee a long shot and no viable solution but what if you install Entware iptables? If the problem persists then atleast its not merlins backport of DNAT the cause of it.

I've been running Entware iptables on my ac86u for acouple of month (just to get ipv6 DNAT on previous firmwares) without noticeable problems, but just to be safe, install, test then remove it.

I don’t think it’s a matter of the userspace iptables tool, but something deeper in the kernel netfilter code or the darn Broadcom driver.

 

[SomeWhereOverTheRainBow]

how many pihole instances are you running? I want to run two but I am thinking more and more that its not possible

I run three on one setup. It is easily possible.

 

[SomeWhereOverTheRainBow]

I think this is related to the new IPv6 DNAT for DNS Filter.

rc: implement DNAT support for dnsfilter over IPV6 on HND models · RMerl/asuswrt-merlin.ng@c454668

Third party firmware for Asus routers (newer codebase) - rc: implement DNAT support for dnsfilter over IPV6 on HND models · RMerl/asuswrt-merlin.ng@c454668

github.com

I can recreate this by manually setting DNS on my iPad to Cloudflare IPv6 (2606:4700:4700::1112), having DNS Filter in Router mode, and then running the test at https://cmdns.dev.dns-oarc.net/

I imagine the rewrite of the udp ipv6 headers probably triggers this problem.

That is completely odd. I just ran the same test, on the RT-AX88U and same firmware. Same method but I changed the DNS on a desktop computer and not an IPAD. Here are my results.

I have No logs like that in my syslog.

 

[Tech9]

IPv4 exhaustion is really coming in quick and fast in Australia.

I don't think so. 47,573,248 IPs on ~26mln population. About the same ratio in Canada. And we don't worry here.

 

[anonimo]

9.9.9.11 enables EDNS, which can reduce your privacy as you need to share part of your subnet info with your query. So having 9.9.9.9 listed under Privacy is correct.

I reread the QUAD9 site and it notes the same as above, but looking at WAN -> Internet Connection -> DNS Server the drop down is different (below).

 

[shabbs]

how many pihole instances are you running? I want to run two but I am thinking more and more that its not possible

It sure is. My DHCP handout gives out the two IP addresses for my two main Pi-holes. I have a third Pi-hole instance on an older RPi that I stood up to goof around with PiVPN on.

 

[RMerlin]

I don't think so. 47,573,248 IPs on ~26mln population. About the same ratio in Canada. And we don't worry here.

One thing to note is that a lot of devices are moving to mobile. These can more easily be on IPv6 as the most common use for them is accessing remote email or web services. Less legacy equipment there as well. So CGNAT + IPv6 is fine for mobiles, which frees up IPs for cable/FTTN/FTTH connections. So the doomsday clock has slowed down quite a bit over the past few years.

 

[dave14305]

9.9.9.11 enables EDNS, which can reduce your privacy as you need to share part of your subnet info with your query. So having 9.9.9.9 listed under Privacy is correct.

So is your repo copy of DNS_List.json for Privacy Quad9 (item 21) deliberately out of sync with ASUS’ online version? You use .9 and they use .11.

https://raw.githubusercontent.com/RMerl/asuswrt-merlin.ng/master/release/src/router/www/ajax/DNS_List.json:

    "21":{
            "FilterMode": "Privacy-respecting",
            "DNSService": "Quad9",
            "ServiceIP1": "9.9.9.9",
            "ServiceIP2": "149.112.112.11",
            "Description": "Collects no information about users, and is governed by Swiss privacy law.",
            "url": "https://quad9.net/asus/private",
            "confirmed": "Yes",
            "ping_target": "No"
        },

https://nw-dlcdnet.asus.com/plugin/js/DNS_List.json:

    "21":{
            "FilterMode": "Privacy-respecting",
            "DNSService": "Quad9",
            "ServiceIP1": "9.9.9.11",
            "ServiceIP2": "149.112.112.11",
            "Description": "Collects no information about users, and is governed by Swiss privacy law.",
            "url": "https://quad9.net/asus/private",
            "confirmed": "Yes",
            "ping_target": "No"
        },

 

[RMerlin]

So is your repo copy of DNS_List.json for Privacy Quad9 (item 21) deliberately out of sync with ASUS’ online version? You use .9 and they use .11.

Then it means they changed it since last time I synced it.

I typically only resync those json files every few releases. And I don't want to directly use their online version, for multiple reasons.

Tho in this case, it looks to me as their updated version is wrong. 9.9.9.11 sends EDNS info.

 

[RMerlin]

That is completely odd. I just ran the same test, on the RT-AX88U and same firmware. Same method but I changed the DNS on a desktop computer and not an IPAD. Here are my results.

Test with the query posted by Dave. I was able to reproduce the issue on an RT-AX86U with just that single query.

 

[dave14305]

Tho in this case, it looks to me as their updated version is wrong. 9.9.9.11 sends EDNS info.

So does 149.112.112.11, so if you want to be consistent replace that with 149.112.112.112 (No ECS) in your copy.

 

[Tech9]

So the doomsday clock has slowed down quite a bit over the past few years.

I understand it's country specific, but my mobile phone has public IPv4 address (IPv6 not supported) and my ISP is providing 2x public IPv4 addresses (IPv6 supported). I keep IPv6 disabled (disabled by Default settings) on all my networks for multiple reasons and everything is working properly.