Asuswrt-Merlin - custom build of the Asus RT-N66U firmware

[alternety]

From a post somewhere else, it is my understanding that there is no NAT specified for IPV6. My own feeling is that that is not a good idea since it eliminates what appears to be a useful level of address hiding.

Any further insight into this from you guys?

 

[RMerlin]

IPv6 does not need NAT for privacy. While the IPv6 designers eventually caved in and did create a NATv6 RFC, they still do not recommend using it. The real answer to privacy lies in the Privacy Extensions, as defined by this RFC. It gives privacy on machines within a network, without the technical issues caused by NAT.

 

[RMerlin]

Original post updated - build 3.0.0.3.108.6 is now available

This new build mostly focuses on fixing some of the issues related to traffic history saving (introduced in build 5), and backporting some of the improvements Asus did in 3.0.0.3.112 (namely HTTP client access list and better PPTP VPN encryption options).

3.0.0.3.108.6:
- NEW: HTTP access list (backported from build 112)
- NEW: PPTP VPN encryption options (backported from build 112)
- FIXED: Traffic history location was't properly saved
when changed in webui.
- FIXED: Disabled traffic history saving to nvram for now,
to avoid people accidentally filling their limited nvram space.
- FIXED: Missing bottom pixels from the bottom of General menu
- FIXED: Removed invalid CSS attribute
- FIXED: typo in VPN iptables entries (bug in Asus's code)

Hope you enjoy it

 

[alternety]

RMerlin - I guess my question comes down to this. Are the current crop of router implementations and local LAN attached devices equipped (if necessary) to use the protection written into the IPV6 standards in lieu of the NAT? Whatever the details are, I don't want to replace my current router with this Asus, or any other device with a lack of a robust and fully functioning implementation of all the IPV6 functions necessary to maintain at least the previous level of isolation, and therefore have less overall protection. Are the new routers able to deal properly with devices that will never use IPV6? I presume there is still a normal IPV4 NAT included in the routers.

I am not arguing; just wanting to understand. I really appreciate, along with many others I am sure, your work on enhancing and fixing the firmware. The open source community is an incredibly valuable resource for many things.

 

[RMerlin]

RMerlin - I guess my question comes down to this. Are the current crop of router implementations and local LAN attached devices equipped (if necessary) to use the protection written into the IPV6 standards in lieu of the NAT? Whatever the details are, I don't want to replace my current router with this Asus, or any other device with a lack of a robust and fully functioning implementation of all the IPV6 functions necessary to maintain at least the previous level of isolation, and therefore have less overall protection. Are the new routers able to deal properly with devices that will never use IPV6? I presume there is still a normal IPV4 NAT included in the routers.

I am not arguing; just wanting to understand. I really appreciate, along with many others I am sure, your work on enhancing and fixing the firmware. The open source community is an incredibly valuable resource for many things.

Privacy Extensions are a feature of the client, unrelated to the router. Windows 7, for example, fully support these. They manifest as your computer reporting both a regular, semi-static IP (derived from the MAC address), and a second temporary IP address (which is randomly taken from within your /64 block), which will change over time. Outbound connections to services such as websites you visit will use that temporary address, while the more permanent address is used for inbound services that require a static target.

Current routers (such as the RT-N66U) also fully support IPv4+NAT. The router uses a dual stack structure, it can manage simultaneously IPv4 and IPv6 connections. The only issue (IMHO) is that the IPv6 part is still a bit incomplete, as it has no firewall configuration interface for the IPv6 firewall (which uses rules completely separate from the IPv4 rules). In fact, by default your whole /64 gets routed with no firewall rules in place - you have to manually manage the IPv6 firewall rules through telnet.

 

[alternety]

Thank you.

 

[drinkingbird]

I've gotten VLANs and trunking working using the scripts, but haven't been able to get bridging between guest wireless and the new VLAN working. Mostly due to my very limited knowledge of this stuff on linux. Now if only this router would run Cisco IOS Seems because I am using it in AP Only mode, the "LAN1_" nvram variables don't do anything so having to set it up using brctl, which seems to work but not pass traffic. We'll see.

I'm going to get it all set up and working with toastman just so I can look around and see what is configured etc then go back and try again.

Anyone know how to view port VLAN membership/status, and/or set ports into VLANs without setting the NVRAM variable and rebooting the router? Either would save me some time. I can't seem to find any commands that let you manipulate/view the switch ports directly.

 

[RMerlin]

As a fan of the stock Asus firmware I would be interested in seeing additional NAT opttions added. Having no NAT loopback is my biggest gripe about the Asus firmware so far.

I finally took the time to look into NAT loopback, and looks like it's already implemented by Asus. After forwarding a port to a local server, I was able to connect to that port by using my WAN IP while inside my network.

 

[shantanugoel]

Yeah, NAT loopback works as I've also tried this out sometime back, but there is one confusion I have over how it works. Does it bypass other NAT restrictions?
Asking because I host an ftp server (proftpd) on my n66u and when I use my external IP (dyndns hostname actually) to access it from a machine inside the network, it worked well without forwarding any data ports (passive ftp config) but didn't work when I tried to access it from an actual external machine (i.e. I was able to connect to it since port 21 was forwarded but no data could be tfred because the other ports used by passive ftp were blocked).

 

[RMerlin]

Yeah, NAT loopback works as I've also tried this out sometime back, but there is one confusion I have over how it works. Does it bypass other NAT restrictions?
Asking because I host an ftp server (proftpd) on my n66u and when I use my external IP (dyndns hostname actually) to access it from a machine inside the network, it worked well without forwarding any data ports (passive ftp config) but didn't work when I tried to access it from an actual external machine (i.e. I was able to connect to it since port 21 was forwarded but no data could be tfred because the other ports used by passive ftp were blocked).

From what I gathered, Tomato implements two different types of loopback: one that only loops forwarded ports, and another that loops everything. I suspect Asus implemented the former, as I saw a blanket rule in the pre/postrouting tables.

 

[RMerlin]

Updated OP, and released build 3.0.0.3.108.7. I originally intended to wait for a new release from Asus, but from the looks of it we won't be seeing one until the nvram-fixed release they intend to release sometime in June. Since I had a few nice features in the pipeline I decided to go ahead and make one more release based on 108.

3.0.0.3.108.7:
- NEW: Added no-ip.com support to DDNS (patch submitted by Igor Pavlov)
- NEW: Added webui page under System Log to display active/tracked network connections.
- NEW: Added netstat-nat command.
- NEW: Added pre-mount and post-mount user scripts (patch submitted by Shantanu Goel)
- NEW: Allows tweaking TCP/UDP connection tracking timeouts
- FIXED: Removed check in Asus's code that would reject txpower > 80 unless you clicked three times on Apply (?!). NOTE: Still not sure power setting even works, as I get -80db from the other end of the house no matter if I use 40 or 500 mW.

As usual, you can download it from my website.

 

[AnthonyArmato]

Not to be off topic but I sure hope we haven't seen a new firmware lately because they're waiting to fix the nvram issue in the next one.

 

[RMerlin]

Not to be off topic but I sure hope we haven't seen a new firmware lately because they're waiting to fix the nvram issue in the next one.

They already said that a version with fixed nvram would be out sometime in June.

The latest non-public beta partly addressed the issue, but the fix was incomplete, so I expect them to wait for this fix to be finalized, unless they decided to make an official release based on 116b, which wasn't a bad version.

 

[thexile]

Thank you very much for the custom build firmware!

 

[claykin]

NOTE: Still not sure power setting even works, as I get -80db from the other end of the house no matter if I use 40 or 500 mW.

Same experience here.

 

[thE_29]

Is there anywhere a FAQ/Howto about which script/files are executed on start/mount/whatever?

 

[RMerlin]

Is there anywhere a FAQ/Howto about which script/files are executed on start/mount/whatever?

They are listed in the included README.

 

[Gingernut]

RMerlin,

Is there a way to flash your version onto the RT-N16? Maybe hacking the the firmwares checksum or something.

If not, have you thought about giving it support in your firmware or even building a different version?

It would be great.

Thanks for all your hard work.

 

[MFighter]

great stuff!

Do you have additional steps required before trying to build your sources?

getting an error when trying to build with the instructions from README.txt

/opt/asus-rt-n66u-merlin/release/src-rt$ make rt-n16
make[1]: Entering directory `/opt/asus-rt-n66u-merlin/release/src-rt'
# prepare config_base
# prepare prebuilt sysdep kernel module
cp: cannot stat `/opt/asus-rt-n66u-merlin/release/src-rt/wl/sysdeps/default/linux': No such file or directory
make[1]: *** [bin] Error 1
make[1]: Leaving directory `/opt/asus-rt-n66u-merlin/release/src-rt'
make: *** [rt-n16] Error 2

Thanks in advance

 

[RMerlin]

great stuff!

Do you have additional steps required before trying to build your sources?

getting an error when trying to build with the instructions from README.txt

Check the howto on my website, the error you are encountered is fixed by following the steps I documented there: http://www.lostrealm.ca/tower/node/84