[Beta 384/NG] Asuswrt-Merlin 384.5 Beta is now available

Status
Not open for further replies.

RMerlin

Asuswrt-Merlin dev
Staff member
Asuswrt-Merlin 384.5 beta is now available for all supported models. In addition to new GPL merges, this release focuses on various things that had been waiting on the Todo list for a while. With this release, a lot of work has been done around the OpenVPN implementation in an attempt to simplify it a bit, removing rarely used or flat out broken settings.

Updated May 7th: Beta 2 is now available. Changes since beta 1:

Code:
4833b80 Updated documentation
cffe78d webui: autofill DST start/end time on timezone select; update a few outdated DST times
d4b23de miniupnpd: updated to 20180503 snapshot
d645ee8 iptables: add missing ip6tables-save applet (closes #142)
020df8d Updated documentation
5598770 kernel: tweak input class modules, removing mouse/joystick support
fc5eb7d build: include HID modules in firmware images
caaa83a kernel41: Add USB HID support
84b68d0 webui: look up for firmware_path nvram rather than the checkbox that's no longer on that page
7d05e84 webui: display remaining time left on UPNP leases, now stored as remaining time instead of a timestamp
91f505b httpd: signal miniupnpd to dump an up-to-date lease list
9ac7d0f miniupnpd: updated to 20180502 (includes monotonic clock fixes)
1e54594 strongswan: patch for CVE-2017-9022, CVE-2017-9023, CVE-2017-11185
3fdd7ff build: copy-prebuilt: added libletsencrypt
71141ea libletsencrypt: updated with builds from 384_20648
60538a9 webui: explicitely set textarea_ssh_table font size to 13px
72210f1 webui: firmware_path can be either "0" or "" when set to the stable channel - check both
785c216 Bumped revision to beta 2
e126557 Merge branch 'master' of github.com:RMerl/asuswrt-merlin.ng
b1d3858 rc: keep persistent dlna uuid & serial format, follow e9219373af4c688532f66de9a6c6d887d50b948a
e921937 rc: make upnp uuid persistent
f487476 miniupnpd: fix SSDP socket binding to wrong interfaces
058a835 shared: fix empty wan/lan/2g hwaddr on gmac3-enabled models


The highlight of this release:

  • Merged with GPL 384_20648.
  • Merged binary blobs from 384_20648 for RT-AC86U, RT-AC68U and RT-AC5300.
  • Updated components: OpenVPN (2.4.6), Dropbear (2018.76), OpenSSL (1.0.2o), miniupnpd (20180412), nano (2.9.5).
  • Upgraded the RT-AC86U to the same Busybox release (1.25.1) as used by all other models.
  • Revised Traditional QoS implementation. Will require extensive testing to validate that it does fix previous issues, and that it doesn't introduce any new one.
  • Added a new service-event script, executed before any service call (for example, restart_wireless). Note that this script will block the execution of the event until it returns, so be careful with it.
  • Revised OpenVPN server and client options. Please see below for more details on these changes.
  • Revised the System Log -> Connections page due to changes made by Asus to httpd. The new implementation removes the ability to resolve hostnames, and info is shown in a sortable table (click on a header to sort by that field).
  • Added ability to resolve hostnames to the Network Tools -> Netstat page.
  • Changed Samba behaviour. From now on, enabling master browser and WINS support requires explicitly enabling SMB sharing.
  • Changes to the Firmware Upgrade page layout. Beta Firmware channel selector moved to Tools -> Other Settings, where it will now behave more predictably like a standard setting that can be saved to nvram.
  • DHCP server no longer broadcasts an empty option 252 value (for WPAD).
  • Blocking custom scripts (like pre-mount) will now wait a maximum of 120 seconds before returning control, to prevent permanent lockouts.
  • Security fixes for dnsmasq (like CVE-2017-15107) were backported from upstream.


This is a summary of the changes made to OpenVPN:

Server changes:
  • Removed "TLS Reneg time" (rarely used, can manually be set as a custom option)
  • Removed "Server Poll" (which didn't work properly), and reimplemented watchdog service as a cron job, hardcoded to 2 mins frequency.
  • Removed "Push LAN" and "Redirect Gateway", replaced with new Client Access setting
  • Removed Firewall setting (firewall rules are now always created, and the broken External mode was fixed and integrated into the new Client Access setting). You can now use the postconf script to override it.
  • Removed option to respond to DNS queries - enabling the option to Push DNS will also handle it
  • Added new Client Access setting to select between three types of access: LAN only, WAN only (will block access to the LAN, including the router itself) and LAN + WAN.
  • Keys and certificates can now be up to 7999 characters long.

Client changes:
  • Reorganized settings into groups
  • Removed "Poll Interval" (which didn't work properly), and reimplemented watchdog service as a cron job, with a hardcoded frequency of 2 mins.
  • Removed Firewall setting (firewall rules are now always created). You can now use the postconf script to override it.
  • Modified behaviour of Connection Retry. Instead of taking a value in seconds that only affected resolution failure, it now takes a number of attempts, and affects connection failures. Resolution failures will now retry for an infinite period of time (the default OpenVPN value).
  • Added "refresh" link which can be clicked to re-query the public IP endpoint of the tunnel
  • Keys and certificates can now be up to 7999 characters long.


Things that will require particular testing/feedback:

  • Traditional QoS. Please confirm whether Cédric's fixes resolved the non-working Traditional QoS.
  • OpenVPN: Make sure nothing was broken by the changes, and provide feedback on those changes.
  • miniupnpd: confirm that the new version doesn't break things (one thing is known broken at this time - the ability to report the remaining forward time. Issue logged upstream, the remaining time is temporarily hardcoded to always report N/A for now).

Please keep discussions to this specific beta release. Off-topic posts may be moved or deleted, depending on my mood at the time.

Downloads are here.
Changelog is here.
 
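A sketch of a service-event script that respects the blocking behaviour noted in the release highlights above. This is an added example, not part of the original post or the Asuswrt-Merlin source. It assumes the firmware passes the event as the first argument and the target as the second; `LOG_FILE`, `HOOK_DELAY` and `on_wireless_restart` are hypothetical names.

```shell
#!/bin/sh
# Added example, not Asuswrt-Merlin code. Assumptions (not stated in the post):
# the firmware passes the event as $1 (start/stop/restart) and the target as
# $2 (e.g. wireless); LOG_FILE and on_wireless_restart are hypothetical.

LOG_FILE="${LOG_FILE:-/tmp/service-event.log}"
HOOK_DELAY="${HOOK_DELAY:-5}"   # stands in for slow work (constructed value)

log_line() {
    echo "$(date '+%F %T') service-event: $*" >> "$LOG_FILE"
}

# Hypothetical slow task, e.g. re-applying settings after the radios restart.
on_wireless_restart() {
    sleep "$HOOK_DELAY"
    log_line "finished hook for restart_wireless"
}

handle_event() {
    event="$1"
    target="$2"
    # Ignore anything that is not a plain token before using it in a log line.
    case "${event}${target}" in
        ''|*[!A-Za-z0-9_-]*) return 0 ;;
    esac
    log_line "seen ${event}_${target}"
    case "${event}_${target}" in
        restart_wireless)
            # Detach: the firmware blocks the event until this script returns,
            # so slow work must not run in the foreground.
            on_wireless_restart </dev/null >/dev/null 2>&1 &
            ;;
    esac
    return 0
}

# Run only when called with arguments, as the firmware would call it.
if [ "$#" -gt 0 ]; then
    handle_event "$@"
fi
```

Events that match no case fall through and return immediately, so unrelated service calls are only logged.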
Known issues:

  • Can no longer display remaining time on UPnP port forwards. Temporarily displayed as NA (fixed in beta 2)
  • Cannot display beta changelog (fixed in beta 2)
  • Cannot disable the beta channel (fixed in beta 2)
  • Cannot change TCP timeout values on Tools -> Other settings (fixed in beta 3)
 
Bad news: The beta 1 firmware crashed 5G WLAN on my two AC87Us.
After restart 5G WLAN is disabled and the wireless config page is broken (cannot use it at all).

I did a dirty upgrade over 384.4 and a downgrade to it enabled 5G WLAN again and the config page is also working again!

Looks like a build error due to the specific AC87U Quantenna Firmware - as also the Quantenna version information is missing on the Tools page...
 
Bad news: The beta 1 firmware crashed 5G WLAN on my two AC87Us.
After restart 5G WLAN is disabled and the wireless config page is broken (cannot use it at all).

I did a dirty upgrade over 384.4 and a downgrade to it enabled 5G WLAN again and the config page is also working again!

Looks like a build error due to the specific AC87U Quantenna Firmware - as also the Quantenna version information is missing on the Tools page...

Try a power cycle to reset the Quantenna CPU. I haven't made any change related to Quantenna in many months, and I didn't get any similar report during the alpha stage.
 
Removed "Push LAN" and "Redirect Gateway", replaced with new Client Access setting

Not sure how to use this. I'm using advanced and there are no users listed. Should I turn off manage users? How do I set the settings?
 
This release fixed my issue where soft resets after changing radio settings would stop responding and need a hard reset. Thanks.
 
Upgraded successfully AC86U (with USB key installed for AB-Solution) & AC87U (AP) from Alpha 3 to Beta 1. AC87U required a reboot at completion, as per firmware message. Great work, Eric. Thks.
 
  • Traditional QoS. Please confirm whether Cédric's fixes resolved the non-working Traditional QoS.
@RMerlin or anyone

Forgive me for not wanting to read more into that, than I should. The way I read it, it's about QOS from with merlin/asus and it's a potential fix.

That's the way I read it, but would like to make sure, I am not chasing my tail. ;)
 
  • Changed Samba behaviour. From now on, enabling master browser and WINS support requires explicitly enabling SMB sharing.
Um... what? I do not want anything shared off my router. This is a really bad change.

Guess I am going to have to firewall it.
 
Not sure how to use this. I'm using advanced and there are no users listed. Should I turn off manage users? How do I set the settings?

General and Advanced are just page selectors to select which settings to display. You have to configure settings on both pages.

Um... what? I do not want anything shared off my router. This is a really bad change.

This is exactly why I did that change. Enabling WINS and master browser support requires Samba to run, which in turn would share any plugged disk. So if you were using these two settings, you were already sharing your USB disk. This change simply requires you to explicitly enable sharing first, to ensure that you understand that these two features require Samba to be running, and therefore sharing any plugged disk.
 
Beta up and running on one AC3200, all working well, no troubles updating, so far.
Thanks
 
@RMerlin

Pick up the security patches of strongswan. https://download.strongswan.org/security/
These patches were only applied to BRT-AC828.
I don't know the reason :O. Maybe different development team?
https://github.com/odkrys/asuswrt-merlin.ng/commit/dc18ac6224f563cf91a550ce04663548ad0ec8a7

And please add libletsencrypt.so file to tracking list, when you merge with newer RT-AC86U GPL.
https://github.com/odkrys/asuswrt-merlin.ng/commit/e16daea0f8807edcfdf1a6cf521325524efb1ef0

Thanks.

Question :D

Entware openvpn has better benchmark time.
What do you think about this?
I haven't done a real-world test yet.

Entware (openvpn-openssl)
Code:
@RT-AC86U-3F10:/tmp/home/root# time /opt/sbin/openvpn --test-crypto --secret /tmp/test --verb 0 --tun-mtu 20000 --cipher aes-256-gcm
Sun Apr 29 14:35:58 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
real    0m 12.57s
user    0m 12.43s
sys     0m 0.02s
@RT-AC86U-3F10:/tmp/home/root# time /opt/sbin/openvpn --test-crypto --secret /tmp/test --verb 0 --tun-mtu 20000 --cipher aes-256-cbc
Sun Apr 29 14:36:14 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
real    0m 12.94s
user    0m 12.79s
sys     0m 0.02s
Firmware
Code:
@RT-AC86U-3F10:/tmp/home/root# time /usr/sbin/openvpn --test-crypto --secret /tmp/test --verb 0 --tun-mtu 20000 --cipher aes-256-gcm
Sun Apr 29 14:36:35 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
real    0m 13.95s
user    0m 13.85s
sys     0m 0.01s
@RT-AC86U-3F10:/tmp/home/root# time /usr/sbin/openvpn --test-crypto --secret /tmp/test --verb 0 --tun-mtu 20000 --cipher aes-256-cbc
Sun Apr 29 14:36:53 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
real    0m 14.29s
user    0m 14.10s
sys     0m 0.04s
 