GrinningShark
Regular Contributor
Well, my router RT-AC5300 has been online for 13 days with not a single issue, I agree, maybe we are close to the final release.
16 days here with no issues (beta 1). Solid as a rock. Bring on the final.
Strict mode with policy based routing appears to work just as I would expect on my fork. If I dump the dnsmasq stats, I can see it starting at the top of the list and rolling down as necessary. And yes, it does show that occasionally I leak from the VPN servers to my first ISP server.
Code:
Jun 25 11:08:29 dnsmasq[2702]: time 5983
Jun 25 11:08:29 dnsmasq[2702]: cache size 1500, 0/1145 cache insertions re-used unexpired cache entries.
Jun 25 11:08:29 dnsmasq[2702]: queries forwarded 662, queries answered locally 35
Jun 25 11:08:29 dnsmasq[2702]: DNSSEC memory in use 2904, max 4840, allocated 149996
Jun 25 11:08:29 dnsmasq[2702]: server 209.222.18.222#53: queries sent 555, retried or failed 96
Jun 25 11:08:29 dnsmasq[2702]: server 209.222.18.218#53: queries sent 96, retried or failed 20
Jun 25 11:08:29 dnsmasq[2702]: server 68.105.28.11#53: queries sent 20, retried or failed 0
Jun 25 11:08:29 dnsmasq[2702]: server 68.105.29.11#53: queries sent 0, retried or failed 0
Jun 25 11:08:29 dnsmasq[2702]: server 68.105.28.12#53: queries sent 0, retried or failed 0
Jun 25 11:08:29 dnsmasq[2702]: server 2001:578:3f::30#53: queries sent 0, retried or failed 0
Jun 25 11:08:29 dnsmasq[2702]: server 2001:578:3f:1::30#53: queries sent 0, retried or failed 0
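An added example, not part of the original post or of the firmware: a small parser that reads the per-server lines of a dnsmasq statistics dump like the one above and reports how many queries went to upstreams outside the VPN. It assumes the first two servers in the dump are the VPN provider's, as the post implies; the function names are illustrative.

```python
import re

# Per-upstream lines copied from the statistics dump in the post above.
SAMPLE = """\
Jun 25 11:08:29 dnsmasq[2702]: server 209.222.18.222#53: queries sent 555, retried or failed 96
Jun 25 11:08:29 dnsmasq[2702]: server 209.222.18.218#53: queries sent 96, retried or failed 20
Jun 25 11:08:29 dnsmasq[2702]: server 68.105.28.11#53: queries sent 20, retried or failed 0
Jun 25 11:08:29 dnsmasq[2702]: server 68.105.29.11#53: queries sent 0, retried or failed 0
Jun 25 11:08:29 dnsmasq[2702]: server 68.105.28.12#53: queries sent 0, retried or failed 0
Jun 25 11:08:29 dnsmasq[2702]: server 2001:578:3f::30#53: queries sent 0, retried or failed 0
Jun 25 11:08:29 dnsmasq[2702]: server 2001:578:3f:1::30#53: queries sent 0, retried or failed 0
"""

# Assumption: these two upstreams are the VPN provider's resolvers.
VPN_SERVERS = {"209.222.18.222", "209.222.18.218"}

# Handles IPv4 and IPv6 upstream addresses followed by "#port".
SERVER_RE = re.compile(
    r"server (?P<addr>[0-9A-Fa-f:.]+)#(?P<port>\d+): "
    r"queries sent (?P<sent>\d+), retried or failed (?P<failed>\d+)"
)


def parse_upstreams(log_text):
    """Return [(address, sent, failed), ...] in the order dnsmasq listed them."""
    return [(m["addr"], int(m["sent"]), int(m["failed"]))
            for m in SERVER_RE.finditer(log_text)]


def leaked_queries(log_text, vpn_servers):
    """Map every non-VPN upstream that received at least one query to its count."""
    return {addr: sent for addr, sent, _ in parse_upstreams(log_text)
            if addr not in vpn_servers and sent > 0}


def rolls_down(upstreams):
    """True if each server's 'sent' equals the previous server's 'retried or
    failed', the top-to-bottom pattern visible in this dump (an observation
    about this output, not a documented dnsmasq guarantee)."""
    return all(nxt[1] == prev[2] for prev, nxt in zip(upstreams, upstreams[1:]))


if __name__ == "__main__":
    print("roll-down pattern:", rolls_down(parse_upstreams(SAMPLE)))
    for addr, sent in leaked_queries(SAMPLE, VPN_SERVERS).items():
        print(f"{sent} queries went outside the VPN to {addr}")
```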
For 389.60, the no-downgrade path is just in the GUI, right? But we can still downgrade/upgrade via CFE mode.
Yes, I am seeing the same problem with Policy rules (see my post). When using the rules regardless of configuration, I leak DNS servers. When I remove the policy rules, no leaks at all.
The only reason I am using policy rules is because if you click redirect internet traffic you get another box to kill the internet if the VPN is broken. By the way, when I used the policy rules my ISP sent me a warning message in my browser saying I had malware or bots controlling my internet. When I remove the redirect internet traffic box (and no policy rules)...no problems.
My only suggestion is: can I have the internet kill switch as a separate box, regardless of whether I redirect internet traffic (policy rules)?
Accept DNS Configuration must be set to Exclusive if you want to ensure that VPN clients use only the VPN DNS servers.
Once I use policy rules, I get 5-6 different DNS addresses.
I really don't need the redirect internet traffic... the only reason I use it is that another box opens up so I can have the internet traffic killed when the VPN goes down.
It's legit... For IPv4, dnsmasq will send the client a single (or multiple, but won't deal with that) IP address for DNS via IPv4 that is only a dnsmasq forwarder. However, dnsmasq itself will have a list of multiple DNS Servers that it uses to resolve. So, resolving an IP address may send queries to multiple servers. Add in IPv6, and it can be a long list.
That alone doesn't even make any sense, since most clients only use a maximum of two servers, and they generally only use the first one unless it has problems. Personally, I would doubt that the test itself is working properly (or, you are misunderstanding what it's meant to test).
I know that Comcast returns FOUR... two for IPv4 and two for IPv6. DNSMasq will try all four if it doesn't get the answer it wants. (My term "negative" meant that the server is returning "failure", not "does not exist." Sorry for using a misleading term.)
Running GRC Shields Up I got this report on the AC5300.
----------------------------------------------------------------------
GRC Port Authority Report created on UTC: 2016-07-09 at 01:08:51
Results from scan of ports: 0-1055
0 Ports Open
2 Ports Closed
1054 Ports Stealth
---------------------
1056 Ports Tested
NO PORTS were found to be OPEN.
Ports found to be CLOSED were: 135, 445
Other than what is listed above, all ports are STEALTH.
TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.
----------------------------------------------------------------------
Any idea why ports 135 (epmap) and 445 (microsoft-ds) are not reporting as stealth? This was not an issue with my AC3200 before I upgraded. Not sure if it was in 380.59 or not. I upgraded directly to this beta before testing.
I have yet to see an ISP that provided more than two DNS servers, and Asus's webui also only allows you to enter two. So at most, you should only be "seeing" two nameservers (or four if you have two more provided by the tunnel provider, and you aren't using Exclusive mode).
Do you merge with the new 3831_GPL?
I have also noticed that sometimes the browser seems to cache the DNS servers