Beta Asuswrt-Merlin 388.1 Beta is available for select models

[SomeWhereOverTheRainBow]

Hmm, that is disappointing. So I have to choose between a 2.5Gbps downlink to my switch (10Gbps if I go with the GT-AX11000 Pro) or Full-Cone NAT on my RT-AX88U. When stuck with Symmetrical NAT solutions like building a small form factor X86-64 system and running OPNsense becomes a possibility as well.

Yea I definitely find stuffs like this disappointing as well, but it is one of the downside of the Broadcomm-Asus relationship. The sad part is we will probably see more things like this happen in the future.

 

[RamGuy]

Luckily the use of Symmetrical NAT is becoming less and less of an issue with gaming. Most AA and AAA games are hosting most things "in the cloud" resulting in you having less need for P2P connections to your own console/PC to happen. IPv6 is going to remove this issue entirely as there won't be any need for NAT to happen at all. Sadly the support for IPv6 in gaming is abysmal. I've had native IPv6 going for several years now, I think the only game that I've been playing that fully supports IPv6 is World of WarCraft of all things.

 

[Mogsy]

I had the same situation last night. Since upgraded my family says internet not stable, their phones getting no internet from time to time while other things still working. It happened to me last night also, I turned off WiFi on my phone and turned it back on. Once reconnected internet worked.

See attached log. Has anything looks strange?

iPhone iOS16.1? Known wifi bug I think. 16.1.1 fixed it

 

[Igor]

Case.
1. Upgrade RT-AX68U from 386.7_2 to 388.1-beta 3.
2. Saving settings.
3. Factory reset.
4. Restore settings.
Lost as a result:
- all static IP on DHCP,
- all trusted MAC addresses,
- encryption keys on OpenVPN,
- access to the router via SSH.

 

[Tech9]

4. Restore settings.

Seems like you didn't restore jffs partition contents.

 

[Igor]

Seems like you didn't restore jffs partition contents.

No. jffs was also saved, then restored.

 

[Tech9]

You first upgraded 386 -> 388 and then saved your settings. You had to save your settings first and then upgrade. Restoring the settings from another firmware is not guaranteed and not recommended. I wouldn't do it between 386 and 388 firmware. Your saved settings on 386 would serve a go back to 386 purpose only. Start fresh with 388. Also - 388 is beta, not intended for production. Testing only.

 

[L&LD]

@Igor, restoring your settings after doing a reset to factory defaults is the same as not doing the factory default reset in the first place.

Fully Reset / Best Practice Setup / More

 

[RMerlin]

Hmm, that is disappointing. So I have to choose between a 2.5Gbps downlink to my switch (10Gbps if I go with the GT-AX11000 Pro) or Full-Cone NAT on my RT-AX88U. When stuck with Symmetrical NAT solutions like building a small form factor X86-64 system and running OPNsense becomes a possibility as well.

Full Cone NAT is overhyped by gamers, quite honestly. Very few routers actually support it, it reduces your network's security, and when discussing it with an engineer, his question was: "Can you give me one precise scenario where it is necessary", which I couldn't answer (and apparently nobody can at a technical level, all you will find online are "My console complains about NAT mode").

Since so few routers support it, I refuse to believe that so many online games would be broken for such a large amount of people.

The fact that you had a non-working Fullcone switch for so long without realizing it should tell you something.

But still can’t work out what this is, only appear in Beta 3 i think.

Related to AiMesh, beyond that I don't know what this specific service does.

There is an implementation around which might be able to be merged into either ASUS or Merlin firmware and yet we are left with "gaming routers" that can't do full cone NAT so anyone with two or more Xbox consoles will have problems ...

I've reviewed two of them. One only works with UDP and does not support TCP. The other one requires completely replacing the kernel's masquerade implementation, which means it has a high chance of breaking a lot of other things - assuming that implementation is even compatible with 4.19's Netfilter.

Lost as a result:
- all static IP on DHCP,
- all trusted MAC addresses,
- encryption keys on OpenVPN,
- access to the router via SSH.

All of these are stored in the JFFS partition. This tells me you didn't properly save or restore the JFFS partition content if they are still missing.

 

[RMerlin]

There's also a problem with Firewall. If I enable IPv4 firewall with IPv6 firewall all of my IPv6 client are naked on the internet (I can access my IPv6 client port all over the internet)

For some reason enabling IPv4 firewall rules adds a rule to the IPv6 FORWARD chain that allows all WAN traffic to the LAN. I will have to track down where this rule is created, might be a rule that's written to the wrong script during generation of firewall entries (so it ends up in the IPv6 firewall rather than the IPv4 firewall).

 

[Tech9]

If this issue is present in Asuswrt base as well - it needs immediate fix.

 

[Deleted member 22229]

For some reason enabling IPv4 firewall rules adds a rule to the IPv6 FORWARD chain that allows all WAN traffic to the LAN. I will have to track down where this rule is created, might be a rule that's written to the wrong script during generation of firewall entries (so it ends up in the IPv6 firewall rather than the IPv4 firewall).

So does this cause a security issue ? And if so is there a work around till it's fixed ? I would think Asus would want this fixed like NOW.

 

[RMerlin]

So does this cause a security issue ? And if so is there a work around till it's fixed

Don't enable the IPv4 Inbound Firewall Rules option, this is what triggers it.

Note that this is NOT the same thing as the IPv4 firewall. IPv4 Firewall Rules is what allows you to add user-defined firewall rules, and this is new in 388.

 

[Igor]

This tells me you didn't properly save or restore the JFFS partition content if they are still missing.

On the "Administration - Restore/Save/Upload Setting" page
Router settings -> Save setting
JFFS Partition -> Backup JFFS partition
Factory default.
Then Restore setting and Restore JFFS partition.

It is not right?

 

[Deleted member 22229]

Don't enable the IPv4 Firewall Rules option, this is what triggers it.

Note that this is NOT the same thing as the IPv4 firewall. IPv4 Firewall Rules is what allows you to add user-defined firewall rules, and this is new in 388.

Thanks for the quick reply. This still needs a fix asap it's amazing Asus would release a firmware with this type of issue.

 

[Tech9]

It is not right?

What is not right you did it after updating 386 -> 388. You had to do it before.

 

[RMerlin]

Thanks for the quick reply. This still needs a fix asap it's amazing Asus would release a firmware with this type of issue.

All we know is the issue exists in 21224. It's possible they might have already fixed it in newer versions.

 

[Deleted member 22229]

All we know is the issue exists in 21224. It's possible they might have already fixed it in newer versions.

Is Asus even aware of the problem ? Do you think you will be able to fix this on your end or will it require you to wait for a upstream fix. I can live with bugs but i hate security issues.

 

[Damit1]

@RMerlin

It was spoke a lot here but without any reasonable answer, this port forward rule- what makes it?
I have no fetaure available for Parental Control, or Trend Micro...
Something you are aware of?

Taken from AX88U

Thank you

 

[RamGuy]

Full Cone NAT is overhyped by gamers, quite honestly. Very few routers actually support it, it reduces your network's security, and when discussing it with an engineer, his question was: "Can you give me one precise scenario where it is necessary", which I couldn't answer (and apparently nobody can at a technical level, all you will find online are "My console complains about NAT mode").

Since so few routers support it, I refuse to believe that so many online games would be broken for such a large amount of people.

The fact that you had a non-working Fullcone switch for so long without realizing it should tell you something.

I configured my GT-AX6000 yesterday, I've been using the RT-AX88U for the past few years and when testing it still works with Full-Cone NAT. It's only the GT-AX6000 that seems not to so I've had about 28 hours so far with Symmetrical NAT instead of Full-Cone NAT.

NAT =! Security. I don't really understand why some people pretend otherwise. The added security is simply a side effect of NAT. I work as a senior cyber security consultant, and I work mostly with Check Point and Palo Alto deployments. As all government services in my country are being enforced to have native IPv6 supported by Q1 2023 I get into these discussions all the time where people are so afraid of deploying IPv6 because they don't want to have public routable IP addresses within their network. They utilise NAT as some kind of security barrier and have forgotten all about how to manage proper firewalls to safeguard their networks. There is zero need for NAT from a security perspective as long as you have proper firewalling in place.

For home networks it becomes different and most home networks need to rely on UPnP, and as a result of UPnP running on your router it will not only provide you with NAT port mappings, but it will also automatically allow for traffic through the router SPI firewall so you lose all control. For enterprise this is obviously not going to be the case, when doing NAT on an enterprise firewall you will still have to manage your firewall policy accordingly to allow for traffic to traverse NAT.


The reason why I prefer Full-Cone NAT over Symmetrical NAT is that it's pretty much the only way to get around the limitation of having just a single public IPv4 address. If you have a home network that features multiples of the same gaming console, multiple gaming PC's using the same gaming services etc. You run into several frustrating scenarios. Regular UPnP through Symmetrical NAT is not always going to work. There are still a lot of games where P2P is required. You can't really do proper P2P through Symmetrical NAT unless the P2P connection is going to just between you and the game server.

Take a game like Call of Duty: Blackout (I'm not sure if this has changed with more recent Call of Duty games). When doing a private lobby within this game your system (Xbox, PlayStation or gaming PC) is going to host your private lobby locally from your system. UPnP ensures that it is working by telling the router that your local system running 192.168.1.50 is establishing a connection to 193.130.123.40 using local port 34923, and remote port 27031. With Symmetrical NAT return traffic will work, but only when it comes from 193.130.123.40. But your friend A is 193.130.123.40, your friend B is 82.342.23.140. Friend B is not able to connect to your lobby as Symmetrical NAT will not allow for 82.342.23.140 to use the existing port 27031 in order to reach your local system on 192.168.1.50 on local port 34923.

A lot of services do work with Symmetrical NAT as the game is just going to keep utilising UPnP to have additional sessions going. Allowing friend B to reach the lobby via the game utilising UPnP to tell the router that your local system running 192.168.1.50 is establishing a connection to 82.342.23.140 using local port 34924 and remote port 27032.


Things get worse when you start tossing multiple gaming systems into the mix as you are running out of ports. Gaming consoles and games tend to have a limited range of ports they use, so if you exhaust the number of ports you are out of luck.


Full-Cone NAT makes this so much better, as it allows for your gaming session to simply do a 1:1 NAT for whatever ports it needs. Your local system running 192.168.1.50 can simply tell your router that anything you receive on the remote port 27031, just send it to me. Thus friends A and B can utilise the same inbound connection to reach you. From a security perspective, this is less secure, so for people that have no control over their network in any meaningful way, this might not be the way you would like it to be. But for someone who has control, this is vastly superior and is causing a lot fewer headaches.

Port Forwarding will do the same, the problem with manual port forwarding is that you can't forward the same port to multiple IP addresses so you run into a huge mess when you have multiple systems wanting the same ports. Manual port forwarding will be even less secure as it will have the port openings running 24/7, even when they are not needed.


UPnP + Full-Cone NAT is by far the best way for this to work. Then you can have multiple gaming systems battling for the same ports all working. The only scenario where it won't work is if you have too many gaming systems going on all at once and you still run out of ports available for your specific game because even with Full-Cone NAT you can't use the same port twice, but you will most likely never exhaust the number of ports available for whatever game as Full-Cone NAT at least ensures that each gaming device can have multiple incoming connections to the same UPnP opening without having to get a new one going for each remote connection.



With all that being said it's not like you won't survive. If you are on a network that is incapable of doing P2P when gaming, you are still able to connect to others that are capable.