[Beta] Asuswrt-Merlin 384.11 Beta is now available


Just installed beta2. My AC86U configured as an AP has the option to "Intercept NTP client requests" when the local NTP server is enabled. If I enable that, does it actually perform that function? I thought this function would only be handled by the router with the WAN connection.
 
Hello everyone. Please tell me how to use Merlin software without OPENDNS settings in OPENVPN, because my VPN does not leak and I would not trust Cisco. In the original firmware version, everything is great and I see the DNS vendor's VPN, but with Merlin I can only see CISCO. The original version moves very poorly compared to Merlin. I use an ASUS AC87U. Thanks a lot and congratulations to those who contribute to this forum.
 
Just installed beta2. My AC86U configured as an AP has the option to "Intercept NTP client requests" when the local NTP server is enabled. If I enable that, does it actually perform that function? I thought this function would only be handled by the router with the WAN connection.

That is what I would assume too. In AP mode, that option may need to be invisible.
 
Where there is security, just add more security. It wasn't too long ago that someone changed the time on government agencies' computers just to show they could do it. So if there is more security, bring it on.
I don't understand that this is a security feature, your router itself is still vulnerable to man in the middle attacks. The only security I get from this is that I can block internet completely for specific clients but still can let them use ntp from the router.
 
I don't understand that this is a security feature, your router itself is still vulnerable to man in the middle attacks. The only security I get from this is that I can block internet completely for specific clients but still can let them use ntp from the router.
The reply wasn't implying that there is more security now.
 
Flashed RT-AC86U from 384.11_beta1 to beta2
Format JFFS partition on next boot, factory reset & reconfigured settings

Settings used

DHCP Server
VPN Client with ExpressVPN
DoT
Traffic Analyzer
Adaptive QoS
AIProtection
Various Scripts

Been up and running fine for 24 hours



 
Good Morning,

Does anyone know if I can enable using DNSSEC with CleanBrowsing using DOT?

Thank you and so much to everyone who can help me.

https://cleanbrowsing.org/guides/dnsovertls

Quote from that site: (See last sentence).

As security professionals, we built privacy and security into our network. We are the only provider to support DNSCrypt(port 8443), DNS over TLS (port 853) and DNS over HTTPS (port 443) by default on our Anycast DNS network. DNSSEC is also enforced and validated.
 
How to get DNSSEC enabled with OpenVPN client outside to OpenVPN server installed in router?

When you use an OpenVPN client and that server's DNS, DNSSEC support will be up to them, you can't control it.

I won't be using Stubby anymore, since @RMerlin's latest firmware already has a DoT implementation. For that, I'd only have to select a resolver that supports both DoT and EDNS and that's it?

I use Stubby too. Your options are to force that client to use a different DNS through DNSFilter, or re-enable EDNS Client Subnet support through postconf as someone else suggested (in which case there's little point in running DoT, unless you ONLY want to hide that traffic from your ISP).

Will the .11 firmware update require a fresh install or will we be able to simply update?

Depends on what firmware you are coming from. If updating from 384.10, then there's no need to reset your settings.
 
There is another issue, a few posts back, someone mentioned Google DOT may not be supporting edns as it is in experimental stage. Not sure if it ended the stage.

I know their regular DNS supports EDNS Client Subnet (they hardcode it to a /24 before sending it upstream to improve privacy). No idea if the DoT support is any different.

Hello everyone. Please tell me how to use Merlin software without OPENDNS settings in OPENVPN, because my VPN does not leak and I would not trust Cisco. In the original firmware version, everything is great and I see the DNS vendor's VPN, but with Merlin I can only see CISCO. The original version moves very poorly compared to Merlin. I use an ASUS AC87U. Thanks a lot and congratulations to those who contribute to this forum.

Please start a separate thread, as this thread is specifically for beta testing the 384.11 release.
 
In order to get a public IP, by DHCP from my ISP, I have to use IPTV settings. I set to manual and use vlan 1000 and prio 1 and the connection comes up. @RMerlin can you shed some light on why the IPTV settings take so long to apply during the boot up? My connection comes up mere seconds before the log ends for the boot up.

EDIT: I should add that once the connection comes up, everything works like a charm, very stable so far and no unusual things happening. ;):)
 
Wrong, Merlin is still using Stubby, just that it is integrated into the firmware. And by default EDNS is still disabled.
You may need to use /jffs/scripts/stubby.postconf to amend the stubby.yml

There is another issue, a few posts back, someone mentioned Google DOT may not be supporting edns as it is in experimental stage. Not sure if it ended the stage.
And how would you enable this in stubby.yml?
 
You wouldn't want to.
I get that, skeal. I was just asking for clarification on the method, just to be more knowledgeable.
 
edns_client_subnet_private: 1 ---- would be set to zero right?
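
A way to inspect or amend that setting from a postconf-style script, as an added example that is not part of the thread or the firmware's own code. It assumes the config path arrives as the first argument and that the key sits on its own top-level line as quoted above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: read, change and describe edns_client_subnet_private
# in a stubby.yml. Function names are hypothetical, not firmware helpers.

# Print the current value (0 or 1), or "unset" when the key is missing.
ecs_private_get() {
    val=$(sed -n 's/^edns_client_subnet_private:[[:space:]]*\([01]\).*$/\1/p' "$1" | tail -n 1)
    echo "${val:-unset}"
}

# Set the key to $2 (0 or 1) in file $1; append the line when it is missing.
ecs_private_set() {
    case "$2" in
        0|1) ;;
        *) echo "value must be 0 or 1" >&2; return 2 ;;
    esac
    if grep -q '^edns_client_subnet_private:' "$1"; then
        # Rewrite through a temp file so this works with any sed.
        sed "s/^edns_client_subnet_private:.*/edns_client_subnet_private: $2/" "$1" > "$1.tmp" &&
            mv "$1.tmp" "$1"
    else
        printf 'edns_client_subnet_private: %s\n' "$2" >> "$1"
    fi
}

# Describe what the current value means for client-subnet privacy.
ecs_private_audit() {
    case "$(ecs_private_get "$1")" in
        1) echo "private: resolver is asked not to forward the client subnet" ;;
        0) echo "exposed: resolver may forward the client subnet upstream" ;;
        *) echo "unset: the resolver library default applies" ;;
    esac
}

# Assumption: when run as a postconf script, $1 is the generated config path.
if [ -n "$1" ] && [ -f "$1" ]; then
    ecs_private_audit "$1"
fi
```
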
 
Wrong, Merlin is still using Stubby, just that it is integrated into the firmware. And by default EDNS is still disabled.
You may need to use /jffs/scripts/stubby.postconf to amend the stubby.yml

There is another issue, a few posts back, someone mentioned Google DOT may not be supporting edns as it is in experimental stage. Not sure if it ended the stage.

I use Stubby too. Your options are to force that client to use a different DNS through DNSFilter, or re-enable EDNS Client Subnet support through postconf as someone else suggested (in which case there's little point in running DoT, unless you ONLY want to hide that traffic from your ISP).

Got it. The problem with forcing the client to use a different DNS is that the PC running Steam is also the main one that I use on a daily basis, so I don't see much point in running DoT on everything else but this machine. Then again, a resolver too far away from my location would probably make the browsing experience slower. I'm kind of in a pickle here.

@RMerlin, I mentioned the router login issue before, and found this thread about it, where a user said it's a "known issue" and firmware-related. I'd never had this issue in years using the AC87U with your firmware and in the few weeks since switching to the AC86U, on version 384.10_2.

It started, coincidentally, after I disabled one of the router's radios (5G). Could it be related to that, or does the issue lie somewhere else?
 
Is DNS-over-HTTPS possible with 384.11? I’m not sure which one (DoH or DoT) is “faster” for general usage. Thank you.
 
In short, Beta 2 is running great on my RT-AC86U with no additional scripts for a day now. I do see DoT is running on port 853. I see that 1 VPN client with DNS and DNSSEC disabled on WAN is getting applause from 1.1.1.1, and when DNSSEC is enabled on WAN, then without the applause ;) (as you mentioned before). The 2nd VPN is isolated with Exclusive and no leaks whatsoever. The local NTP is intercepting the clients in the router on port 123, visible on the connections page. I had a small struggle to get it working but succeeded in the end. The Netstat page is great, with tick boxes to see what’s going on. (I often checked that page before the update.) Don’t know what else you have in mind in light of features and privacy, but I’m gladly waiting for the next round.

Thanks Eric!
 