Asuswrt-Merlin 388.1 Beta is now available for all Wifi 6 (AX) models. This release marks the merge with the new 388 code base from Asus. I don't want to list every 388-specific change made by Asus, so I recommend checking Asus' own changelogs for more details. I will highlight the most important ones below.
Nov 29th:
Beta 4 is now available. Changes since beta 3:
Code:
0a4887aca6 Bumped version to beta 4
2896db0d70 Updated documentation
e484f7eb95 dropbear: disable DSS key support
865d4f39d5 rc: Fix the issue that option Enabling IPv4 Firewall Rules causes the entire LAN to be open over IPv6 (patch from Asus)
Nov 21st:
Beta 3 is now available. Changes since beta 2:
Code:
a8d8f1d89c Updated documentation
cbf95d8d2c httpd: switch self-signed certificate from RSA to ECC
0343bed2b8 Merge branch 'master' of github.com:RMerl/asuswrt-merlin.ng
eed92b06e1 Merge pull request #824 from ikruglov/mssl_cert_key_match_with_ec
f8b7eefdee httpd: add support of elliptic curves in mssl_cert_key_match
79b4562413 rc: add wgserver-stop, wgserver-start, wgclient-stop and wgclient-start scripts
b5794650d8 rc: leverage already existing is_wg_enabled() function in hnd_nat_ac_init()
b2cc3b6d54 webui: ensure we show the main QoS page rather than the User Rules page when enabling Cake
1b334cdc92 rc: make hnd_nat_ac_init() aware of WireGuard state
933f4d74e6 Bumped revision to beta 3
Nov 11th:
Beta 2 is now available. Changes since beta 1:
Code:
d38e529fda Update documentation
d5d74b7843 bwdpi: new cache bypass logic for BCM4912 which is now compatible with that platform (fix provided by Asus)
811f8da0d5 webui: hide WPA passphrase by default on wireless settings for the GT-AXE11000
b044136f42 webui: hide WPA passphrase by default on Wireless Settings for the GT-AXE16000
927c8513c6 webui: replace hardcoded Chinese labels with localized labels on Wireless router status pane
046227166f rc: implement inbound firewall for WireGuard clients (defaults to Block)
ec94039240 bwdpi: disable flow cache bypass by AiProtection on BCM4912 (fix provided by Asus)
cf74ee5066 lltd: fix dangling symlinks for RT-AX88U and GT-AX11000 icons
7e7ff61ceb lltd: resync with upstream
478f0b9712 libovpn: update amvpn_update_exclusive_dns_rules() so OVPNC rules are before WGC rules
595d22d6ed rc: re-apply OpenVPN exclusive DNS rules after WGC rules, so they get inserted before them
961b9f2336 rc: re-apply WG clients exclusive DNS rules on firewall restarts
3627943427 rc: webui: remove NAT type setting from HND 5.04 models
5ac92c10a7 build: enable ASD on RT-AX68U (fixes missing libasc.so needed by networkmap)
f72f313807 webui: update reference to DNSFilter on WAN page
a253718ffc webui: fix VPNDirector's edit panel location
6710f7c803 webui: remove stray <tr> fromm VPNDirector's WGC client state
cff5673d3d Bumped version to beta 2
388.1 Release notes
This code base is only available for AX models, AC models will stay on the 386.x code base. Asus hasn't added any of these to their End-of-Life list as of now, so that means they will still get updates, just not as frequently. Most of these models being 5-7 years old now, having reduced support isn't unreasonable (as opposed to competitors typically completely dropping ALL support within 2-4 years). On my end, I currently don't plan to drop support for these AC models for the time being, but as with upstream updates, these older models will get less frequent updates from me as well.
388.1 is based on 388_21224, except for the RT-AX88U and GT-AX11000 which are based on a slightly older 388_20566 release.
New model supported
388.1 introduces support for the new RT-AX86U_Pro.
Feature changes
388 introduces a number of feature changes. Some of them were already available in Asuswrt-Merlin (like DNSSEC or DNS rebind protection support). Some of the new features are only available through the mobile application, which may or may not work with Asuswrt-Merlin - it is not officially supported by me. Anything related to OpenVPN for instance will not work properly, as Asuswrt-Merlin's OpenVPN implementation is completely different from the stock firmware. I have no control over the mobile application, so it is what it is in terms of compatibility.
WireGuard
The biggest user-facing change is the introduction of WireGuard support as an alternative VPN protocol. This implementation is developed by Asus, the only changes made were to integrate it with VPN Director (which is Asuswrt-Merlin's alternative to VPN Fusion), and to integrate it into the web interface (as we don't use Asus' VPN Fusion management interface). Note that while supported, I don't intend to make any major changes to the WireGuard implementation, as my development focus will remain with OpenVPN. One important limitation to note is that WireGuard requires NAT acceleration to be disabled, which greatly reduces its usefulness on a router, as if you have a fast enough WAN connection to truly benefit from WireGuard performance, that performance ceiling will most likely cap at around 300-350 Mbps due to the lack of NAT acceleration for your router's traffic.
WireGuard was fully integrated into VPN Director. WireGuard rules will have the lowest priority, which means they will be applied after the OpenVPN rules (which will be applied after any WAN rule, these having the highest priority). DNS handling will be identical to OpenVPN clients set to Exclusive mode, which means DNS servers configured for WireGuard clients will use firewall rules to force routed clients to use that DNS server. Also, by default, no traffic is routed through WireGuard, you need to configure rules in VPNDirector. This is identical to the stock firmware which requires you to create VPN Fusion rules to handle WireGuard client traffic.
Other 388 changes
388 also revamped the Parental Control settings a bit. The networkmap uses a new port status display (note that this seems to still be a bit quirky on some models, but that code is closed source so outside of my control). This new display will tie in with Asus' new cable diagnostic feature, available on some models. There are also a few low-level changes made by Asus to improve reliability in general. Also, on newer HND 5.04 models (like the GT-AXE16000), they upgraded the amount of available nvram to 192 KB.
Other Asuswrt-Merlin specific changes
I tried to keep the other changes to a minimum for this first 388 release, to focus testing/debugging on the 388 code base itself. There were still a few internal changes made, for instance improvements around VPN Director, and a redesign of that page. Please see the changelog for details.
One thing worth mentioning is that I have decided to rebrand DNSFilter as DNS Director. There was no change in functionality. The name change was to avoid confusion with the company that bears the same name, and also to better describe what this feature does.
Also as an experiment, the ROG model archives (GT-xxxxx) contain a second firmware image with the _rog prefix added to the version. This is the same firmware compiled with the original ROG user interface enabled. Note that these images are provided as-is. I have fixed the most important display issues, however there may still be a few issues that remain, like the lack of any icon for the Tools menu (I don't have the artistic skills to create that icon). While I will monitor feedback, note that while I may fix issues, I don't plan on extending this interface any further. I may also decide to drop the experiment in the future, it will depend on the user feedback, and how much development time is required for future maintenance of this separate interface.
Note that after switching to a _rog version (or back to the regular version), you will need to either shift-reload the webui page, or clear your browser cache for the UI to load properly.
(new in beta 3): the self-signed certificate generated by the router will now use EC instead of RSA, which will make it less CPU-intensive, but will no longer work with prehistoric platforms such as Windows XP or Internet Explorer 6.0.
Upgrade procedure
You can directly upgrade from a previous Asuswrt-Merlin release. If coming from the original Asus firmware, note that while supported, you will need to reconfigure any existing VPN configuration after the upgrade. I implemented some upgrade code that will at least fix/prevent the most problematic issues, but if you notice any odd behaviour following the upgrade, be ready to do a factory default reset, and to manually reconfigure your router.
Things to test:
- RT-AX86U_Pro support in general, LED behaviour, etc...
- WireGuard client and server
- VPN Director in general (both with OpenVPN and WireGuard), including the new UI changes to directly edit a VPN client settings
Downloads are here.
Changelog is here.
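The VPN Director precedence described in the WireGuard section (WAN rules first, then OpenVPN, then WireGuard) can be modelled to see which interface a client ends up on and to spot WireGuard rules that can never apply. This is an added example, not code from the firmware or from the post's author; the interface labels, the `Rule` structure, the sample rules, and the assumptions that unmatched traffic goes out the WAN and that rules of one class keep their listed order are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Precedence classes as described in the post: WAN, then OpenVPN, then WireGuard.
PRIORITY = {"WAN": 0, "OVPN": 1, "WGC": 2}

@dataclass(frozen=True)
class Rule:
    iface: str               # "WAN", "OVPN2", "WGC1": labels assumed for this model
    src: str                 # LAN source in CIDR form
    dst: str = "0.0.0.0/0"   # destination in CIDR form, default is any

    @property
    def rank(self):
        # Strip the client number to get the precedence class.
        return PRIORITY[self.iface.rstrip("0123456789")]

    def covers(self, src, dst):
        # True when the given src/dst networks fall entirely inside this rule.
        net = ipaddress.ip_network
        return net(src).subnet_of(net(self.src)) and net(dst).subnet_of(net(self.dst))

def resolve(rules, src_ip, dst_ip):
    """Return the interface of the first matching rule in precedence order."""
    # sorted() is stable, so rules of one class keep their listed order (assumption).
    for rule in sorted(rules, key=lambda r: r.rank):
        if rule.covers(src_ip + "/32", dst_ip + "/32"):
            return rule.iface
    return "WAN"  # assumption: unmatched traffic follows the default route

def shadowed(rules):
    """Return (rule, hiding_rule) pairs where a higher-precedence rule covers the rule."""
    pairs = []
    for rule in rules:
        for other in rules:
            if other.rank < rule.rank and other.covers(rule.src, rule.dst):
                pairs.append((rule, other))
                break
    return pairs

# Constructed sample rule set (not taken from any real router).
RULES = [
    Rule("WGC1", "192.168.1.0/24"),
    Rule("OVPN2", "192.168.1.50/32"),
    Rule("WAN", "192.168.1.50/32", "203.0.113.0/24"),
    Rule("WGC2", "192.168.1.50/32"),
]

if __name__ == "__main__":
    print(resolve(RULES, "192.168.1.50", "8.8.8.8"))
    for rule, other in shadowed(RULES):
        print(f"{rule.iface} rule for {rule.src} is hidden by {other.iface}")
```

A shadowed WireGuard rule is worth catching because the client it names silently uses the higher-precedence interface instead of the tunnel the rule suggests.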