Release Asuswrt-Merlin 386.7 is now available for all models

[Muyfa666]

@RMerlin: Elden Ring eh? I feel your pain! When I got into it for real I put in 120 game hours in two weeks while still working full time on the days. Who needs sleep anyway? Haha.

 

[Damit1]

Dear @RMerlin
Any idea when 386 7 2 is out?

TY

 

[BreakingDad]

- Notification on new unknown devices connecting

love this

such as "rewarding" a kid

cheese, while I agree with safe browsing, time restrictions should be controlled by parents saying "switch it off" and teaching self control.

 

[MyPal]

Having problems saving VPN client certificates since 386.5_2 via the GUI. Anyone else? JFFS partition issues perhaps?

Issue on both GT-AX6000 and RT-AX88U.

 

[zd59]

AC86U upgrade 386.3.2 --> 386.7

Unintentionally I fired upgrade from 386.3.2 to 386.7 without following "dirty upgrade" recommendations - USB disk inserted, Entware running (SAMBA, torrent client..).
Upgrade finished, new version show up on a main GUI window and all worked. Then I release USB drive, swith off router, wait 5 minutes, pull out USB cable and boot for 15'.
Then switch off, pull in USB drive with Entware and boot for an hour, then rebooted.
All work excellent now for five days.

Congratulate @RMerlin

 

[torstein]

I won`t get access to 388 code until September, and Asus won't be migrating all other devices at once, they intend to do it gradually over the course of multiple months.

How does Asus usually roll out? The most popular models first? The most expensive ones first? Cheapest ones? Or is there no logic to it?

 

[L&LD]

No logic from a user's perspective. They push out what they deem is fixed/ready at any given time.

 

[ColinTaylor]

Unintentionally I fired upgrade from 386.3.2 to 386.7 without following "dirty upgrade" recommendations - USB disk inserted, Entware running (SAMBA, torrent client..).
Upgrade finished, new version show up on a main GUI window and all worked.

Then I release USB drive, swith off router, wait 5 minutes, pull out USB cable and boot for 15'.
Then switch off, pull in USB drive with Entware and boot for an hour, then rebooted.

There was no need to do any of that as your router had successfully been updated to 386.7. You just wasted a lot of time for no reason.

 

[RMerlin]

Dear @RMerlin
Any idea when 386 7 2 is out?

TY

When I feel it's ready and there are no more issues that need fixing for that release. I don't have any timetable at this time.

How does Asus usually roll out? The most popular models first? The most expensive ones first? Cheapest ones? Or is there no logic to it?

There's no real pre-established method. Previous major upgrades were typically rolled out in a shorter time frame.

 

[Damit1]

When I feel it's ready and there are no more issues that need fixing for that release. I don't have any timetable at this time.


There's no real pre-established method. Previous major upgrades were typically rolled out in a shorter time frame.

TY again!
Much appreciated

 

[Clark Griswald]

Elden Ring? I don't see that listed in amtm gaming list.
VPN Fusion and new parental control features seem a waste imho.

My network is working well on latest RMerlin fw!

 

[Yota]

thanks again for the great firmware

I found two possible issues in the latest available stable (386.7_0) release:


Issue 1: RT-AC86U reports incorrect Ethernet link speed in network map.
To reproduce: Forced the computer's Ethernet adapter speed to 10 Mbps, but the router's network map still reported 100 Mbps.
Tested routers: RT-AC86U and RT-AC68U.
Actually the tools page will report the correct speed, this kind of issue only exists in the network map, if this is introduced by Asus, please ignore it.

Issue 2: Potential security holes of the http server.
To reproduce:
1: Set "Authentication Method" to "HTTPS only".
2: Change the HTTP port to any port other than 80.
3: You can access HTTP through the port you set regardless of the Authentication method setting, and you can see that the httpd service is running through netstat -nlp | grep httpd in the SSH.
Tested routers: RT-AC86U and RT-AC68U.


To verify these issues, all routers were reset to factory.

 

[RMerlin]

Actually the tools page will report the correct speed, this kind of issue only exists in the network map

It's quite possible that the page does not support reporting 10 Mbps, probably because it's 2022.

BTW, don't force a specific rate. For it to work, both ends need to be set on a specific rate. If one of the two ends is still on auto negotiate, then the end result is unpredictable. Some ports will end up defaulting to half-duplex for example.

You can access HTTP through the port you set regardless of the Authentication method setting, and you can see that the httpd service is running through netstat -nlp | grep httpd in the SSH.

If I recall, this is because it's required to display the block page when you use AiProtection and you try to access a blocked site. The router needs to be able to handle port 80 traffic to serve the error page.

 

[zd59]

There was no need to do any of that as your router had successfully been updated to 386.7. You just wasted a lot of time for no reason.

I know that. But it was a safety measure as my job depend on a reliable internet connection.

Off topic: Yesterday we had a power drop. I started to work on a business over VPN and vital application shut-off at logon attempt, all other apps worked.
After searching for a reason I discovered that router did not synchronise time at boot - log show 5th may 2018 (default time at boot).
Reboot solved the issue.

 

[zd59]

Issue 2: Potential security holes of the http server.
To reproduce:
1: Set "Authentication Method" to "HTTPS only".
2: Change the HTTP port to any port other than 80.
3: You can access HTTP through the port you set regardless of the Authentication method setting, and you can see that the httpd service is running through netstat -nlp | grep httpd in the SSH.
Tested routers: RT-AC86U and RT-AC68U.


To verify these issues, all routers were reset to factory.

Advice regarding routers safety from network specialists:
Never expose routers http(s) server to the world, only for a local network. It is intended only for a router administration. Use VPN to access local network and a http server.
As so, only ssh port hole is in firewall, which minimise security risks.

 

[Yota]

It's quite possible that the page does not support reporting 10 Mbps, probably because it's 2022.

BTW, don't force a specific rate. For it to work, both ends need to be set on a specific rate. If one of the two ends is still on auto negotiate, then the end result is unpredictable. Some ports will end up defaulting to half-duplex for example.

Good morning and thanks for your explanations and clarifications.

Yes, I think the link rates in the network map are from Asus' code, they probably forgot about the 10 Mbps possibility when they wrote that page, I first found out because of my low quality ethernet cable causing IoT 10 Mbps speed negotiated (this IoT NIC only supports up to 100 Mbps), but when I checked from the router I saw 100 Mbps, which is really misleading, I thought IoT was running at the right speed so many times that I didn't realize there was a problem with my network cable until after multiple checks I found out that the router's network map was reporting the wrong link speed.

If I recall, this is because it's required to display the block page when you use AiProtection and you try to access a blocked site. The router needs to be able to handle port 80 traffic to serve the error page.

No, I didn't enable AiProtection, maybe I didn't make it clear, the behavior of the http server is different from the 386.5_2, in 386.5_2, even if AiProtection is enabled, if it is set to HTTPS only, the http port will not be opened.

In version 386.7_0, when the http port remains the default port 80, and HTTPS only is enabled, as in previous firmware, the http port will not be opened and the httpd service will not run, But after changing http port to any other port, it seems that the setting of the Authentication Method will be ignored, the httpd service will run, and the http port will be open.

So I guess it might be a problem because when people set HTTPS only, obviously they don't want http still enabled, although most people don't change http to a port other than 80, the problem doesn't happen with the default 80 port, but if they set other http ports, the HTTPS only setting is ignored, which is unexpected.

Advice regarding routers safety from network specialists:
Never expose routers http(s) server to the world, only for a local network. It is intended only for a router administration. Use VPN to access local network and a http server.
As so, only ssh port hole is in firewall, which minimise security risks.

Thanks, I think this is only happening on the LAN, so the impact seems to be limited.

 

[RMerlin]

No, I didn't enable AiProtection

AiProtection was just one example, there are other reasons why httpd keeps listening on port 80. Parental Control is another one, to display the block page.

I didn't make any recent change to that code, so any change in behaviour would come from upstream.

 

[capncybo]

I know that. But it was a safety measure as my job depend on a reliable internet connection.

Off topic: Yesterday we had a power drop. I started to work on a business over VPN and vital application shut-off at logon attempt, all other apps worked.
After searching for a reason I discovered that router did not synchronise time at boot - log show 5th may 2018 (default time at boot).
Reboot solved the issue.

Ah-hem... These routers are lacking an internal clock & they require a "successful" NTP Synchronization to establish a correct Date & Time ???
You almost answered your own query ;-)
LOL

 

[Yota]

AiProtection was just one example, there are other reasons why httpd keeps listening on port 80. Parental Control is another one, to display the block page.

I didn't make any recent change to that code, so any change in behaviour would come from upstream.

Well, but I must stress that when set to port 80, the httpd server respects the setting of https only, so the problem is not port 80, but when changing to any port other than 80, https only loses its effect.

I also think this is an issue introduced by Asus, thank you for your attention.

 

[archiel]

I have just run a dirty install from 386.5_2 to 386.7 and then 386.7_1

All the IPv6 connectivity seems to be fine and thanks to the addition of IPv6 to DNSFilter I have been able to remove entware iptables (I was using this as a proxy for IPv6 DNSFilter to get WireGuard to behave as wanted).

2 Observations

Although I have CAKE enabled in QOS, flow control is also enabled - should this be happening?
I know I can disable through setting

nvram set fc_disable=0
nvram commit
reboot

but in all earlier versions enabling CAKE would disable both Runner and Flow Control. Before I go through a full reset and manual rebuild (last done when installing 386.0) is anyone else seeing this?

IPv6 seems to be working fine in both 386.7 and 386.7_1. The only change being that the LAN prefix length has changed from 56 to 64, the WAN Prefix is unchanged at 56. The setup is native, DHCP-PD and Stateless.