
[Beta] Asuswrt-Merlin 384.11 Beta is now available

I can confirm that the latest beta and traceroute works as intended on my AX88U
 
Same issue on a 86U (newer router?):

traceroute to www.ebay.com (104.77.221.103), 30 hops max, 60 byte packets
1 10.11.16.17 (10.11.16.17) 4.328 ms 12.800 ms *
2 10.178.206.164 (10.178.206.164) 3.056 ms 3.098 ms 3.045 ms
3 10.178.206.165 (10.178.206.165) 2.880 ms 2.837 ms 2.873 ms
4 tcore3x-quebec14_0-4-0-2.net.bell.ca (64.230.87.104) 12.337 ms tcore4x-quebec14_0-4-0-2.net.bell.ca (64.230.87.106) 12.285 ms 12.222 ms
5 tcore3-montreal02_hundredgige2-12-0-1.net.bell.ca (64.230.40.172) 12.142 ms 12.092 ms tcore4-montreal02_hundredgige2-12-0-1.net.bell.ca (64.230.40.170) 12.011 ms
6 bx1-montreal02_hundredgige0-1-0-0.net.bell.ca (64.230.91.123) 11.989 ms bx1-montreal02_hundredgige0-2-0-0.net.bell.ca (64.230.91.125) 9.349 ms bx1-montreal02_hundredgige0-1-0-0.net.bell.ca (64.230.91.123) 9.256 ms
7 ix-ae-10-0.tcore1.w6c-montreal.as6453.net (66.198.96.9) 9.189 ms 9.125 ms 9.075 ms
8 if-ae-12-2.tcore1.mtt-montreal.as6453.net (64.86.31.26) 13.933 ms 13.460 ms 14.927 ms
9 if-ae-0-2.tcore2.mtt-montreal.as6453.net (216.6.115.90) 14.782 ms 14.840 ms 14.619 ms
10 if-ae-5-2.tcore2.n0v-new-york.as6453.net (64.86.226.58) 14.405 ms 14.353 ms 14.280 ms
11 if-ae-2-2.tcore1.n0v-new-york.as6453.net (216.6.90.21) 14.741 ms 14.357 ms 14.420 ms
12 if-ae-7-5.tcore1.nto-new-york.as6453.net (63.243.128.141) 14.077 ms if-ae-7-2.tcore1.nto-new-york.as6453.net (63.243.128.25) 14.533 ms 15.210 ms
13 if-ae-9-2.tcore1.n75-new-york.as6453.net (63.243.128.122) 14.192 ms 14.354 ms 14.031 ms
14 66.110.96.89 (66.110.96.89) 17.708 ms 17.559 ms 17.488 ms
15 ae2.coresite-ewr3.netarch.akamai.com (23.203.156.177) 34.734 ms 34.675 ms 34.630 ms
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
I stopped it there.

I don't believe that is the same problem (very large negative times). In fact, it looks normal.

Running traceroute via the CLI on an AC88U (non-HND), AX88U (HND) and a Raspberry Pi running Raspbian - all show the same for www.ebay.com - at some point the ICMP packets time out and traceroute prints a "*".
Doing another test run using www.google.com, all 3 show one hop as taking too long.
I also did all 3 using www.facebook.com and www.twitter.com - all ran fine, no hops timing out.

I also did the 4 targets using the Beta2 WebUI. Both the AC88U and the AX88U responded "correctly". No large negative numbers.

From what I can tell, all 3 CLI based traceroutes are working as expected.

Of course I need to qualify that this is at 8:14AM Friday morning from Rochester NY.
The beauty of Internet/Routers is that paths will (and do) change at any moment ;-)

Eric - at least on my non-HND AC88U, both the CLI and Web traceroutes for the 4 targets seem fine... As a data point, the AC88U was factory reset after the update to Beta 2 and all I have installed is Entware. Very vanilla. It is running in Media Bridge mode.

Happy to try some different combinations/features.
 
After doing some more research, I found out that Cloudflare recently announced servers in my country, so the issue may, in fact, be related solely to EDNS support.

Do you know which ones support both EDNS and DoT, so I can look up the locations of their datacenters, @RMerlin?

I don't know. Check Wikipedia, I remember it has a page with a list of public DNS resolvers and their features, I don't remember however if they also specified EDNS support.

Same issue on a 86U (newer router?):

I see no issue in that traceroute you posted, it's a perfectly normal one.
 
Hello to all
I have installed latest beta 2 on my AC68U. I also enabled DNSSEC and DoT as instructed on the forums. I'm using 1.1.1.1 servers.

I'm aware that that Cloudflare test page isn't working right, but still I wanted to confirm if the router is working as intended. The test page says I'm not even connected to 1.1.1.1. Am I missing something, or is everything working as it should be?

thanks!
 

Hello to all
I have installed latest beta 2 on my AC68U. I also enabled DNSSEC and DoT as instructed on the forums. I'm using 1.1.1.1 servers.

I'm aware that that Cloudflare test page isn't working right, but still I wanted to confirm if the router is working as intended. The test page says I'm not even connected to 1.1.1.1. Am I missing something, or is everything working as it should be?

thanks!

The special URL it creates to determine if you are connected to their DoT server is what gets rejected by DNSSEC validation. So, your results are "normal", until Cloudflare addresses the issue.
 
Hello to all
I have installed latest beta 2 on my AC68U. I also enabled DNSSEC and DoT as instructed on the forums. I'm using 1.1.1.1 servers.

I'm aware that that Cloudflare test page isn't working right, but still I wanted to confirm if the router is working as intended. The test page says I'm not even connected to 1.1.1.1. Am I missing something, or is everything working as it should be?

thanks!

Yea, turn off DNSSEC and do the test. Then quickly turn DNSSEC back on.
 
Dirty upgrade from (get ready) .... 384.8_2 to 384.11 beta 2 (!)

12 hours and working fine :)

Thanks Merlin and team!
 
In this beta, in my AC86u, udpxy is not autostarting.

I have Movistar iptv profile but I had to add udpxy call at services-start script.

I have a theory as to what is going on (seems to be specific to Movistar).

Please post the output of these commands:

Code:
nvram get udpxy_enable_x
nvram get switch_stb_x
nvram get iptv_ifname
 
And the same number of products supported.

I support 8 models. Asus supports close to 30 of them, across different SDK and SoC platforms, plus development of the new incoming models...
 
Every time I try to enable the local ntp, regardless of how I have the intercept flag set, I get an ntpd stopped in the logs. In rebooting the router I do see the below log, which is then filled by a stop shortly after.

May 2 22:31:56 ntp: Initial clock set
May 2 22:31:56 rc_service: ntpd_synced 8052:notify_rc restart_stubby
May 2 22:31:56 rc_service: waitting "stop_ntpd" via wanduck ..

Those log lines are unrelated to webui changes. They occur at the moment the clock gets its first sync following WAN coming up.
 
I support 8 models. Asus supports close to 30 of them, across different SDK and SoC platforms, plus development of the new incoming models...

I stand corrected.
Still, it seems there is more progress here. Mayhaps that means my perspective is somewhat narrow and could use broadening, but I think you and the rest of the folks making things better for the rest of us are doing so better, faster and rather more prolifically than those at corporate...because you don’t have to worry about, well, corporate.



 
Smooth update from beta1b to beta2 all looking good ;)
 
beta2 just installed on my AC68U. Working fine in the first hour with DNSSEC+DoT enabled and set to Quad9. DNSFilter enabled and set globally to "Router" mode. Local NTP server enabled and set to handle all NTP requests on the network. As others have seen, Traceroute is giving unreal results in some cases, but it sounds like the cause of this is already understood. Nothing strange in my syslog file that is receiving all info, including debug.
 
I've flashed beta2 over 384.10 on my RT-AC87U, removed ntpMerlin and tested the NTP server with an Android app called ClockSync, which shows details about any configured NTP server.

I've configured the router to use a pair of IP addresses of NTP servers local to my country but the app is always showing ool-43544400.dyn.optonline.net as the server it's synced with. It would seem the router is not using the servers configured by the user? With ntpMerlin the app would show the correct servers.

EDIT: or do I have to edit an ntp.conf file? I just configured those servers on the GUI.
 
After doing some more research, I found out that Cloudflare recently announced servers in my country, so the issue may, in fact, be related solely to EDNS support.

Do you know which ones support both EDNS and DoT, so I can look up the locations of their datacenters, @RMerlin?
I spent over an hour researching this last night with only two results about public DNS resolvers using DNS over TLS and supporting EDNS. This Wikipedia link has good info, but nothing on EDNS.
https://en.wikipedia.org/wiki/Public_recursive_name_server

I searched each public DNS provider site for EDNS info; no provider offered EDNS info. The only EDNS result I found was this from Google. I found nothing about the duration of the "experiment" start / end dates, nothing more.
https://developers.google.com/speed/public-dns/docs/dns-over-tls
Privacy
Our privacy policy applies to the DNS-over-TLS service.

As an experiment during the initial launch of the service we have disabled EDNS client subnet (ECS) for queries received over DNS-over-TLS. We plan to enable ECS for the DNS-over-TLS service at the end of the experiment.
 
I am, however I'm still on 384.10_2

384.10_2 does not use the new traceroute command, only 384.11 beta 2 does.

I've configured the router to use a pair of IP addresses of NTP servers local to my country but the app is always showing ool-43544400.dyn.optonline.net as the server it's synced with. It would seem the router is not using the servers configured by the user? With ntpMerlin the app would show the correct servers.

The redirection is done at the firewall level, so there's a good chance your application does not properly detect this. Only way to be sure is to test using tcpdump on the router - the only outbound 123 traffic should be coming from the router itself, to the servers configured on the System page.

I spent over an hour researching this last night with only two results about public DNS resolvers using DNS over TLS and supporting EDNS.

One reason is that people wanting to use DoT/DoH usually do so for privacy reasons. Using the EDNS Client Subnet extension pretty much violates this, by sending your IP's subnet (typically as a /24, but some ISP resolvers might change that scope) to the resolving DNS.

As someone pointed out, the stubby implementation is also done to disable sending such info by default, so just switching resolver might not be enough. You would have to either disable it in stubby through a postconf, or stop using DNS Privacy.

Thanks @RMerlin, this is the output commands:

Thanks, seems to confirm what I suspect. For some reason, Asus will skip the part where it starts udpxy when using movistar. Can you confirm udpxy works properly once started manually? Not sure if there was any technical reason to do so, or if it's a bug. I will try to revert that behaviour for the final 384.11 release, we'll see how it goes.
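
The tcpdump check described in the post above, as an added example (not code from the thread or the firmware): it audits lines captured on the router's WAN interface with `tcpdump -n -i <wan_if> udp port 123`. The line format, the interface placeholder and all addresses are assumptions, and the sample capture is constructed.

```python
import re

# Assumed line shape of `tcpdump -n -i <wan_if> udp port 123` (no -v).
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): NTPv\d, (?P<mode>\w+)"
)

def audit_ntp(lines, router_wan_ip, configured_servers):
    """Return (reason, line) pairs for NTP requests that break the expectation."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["dport"] != "123" or m["mode"] != "Client":
            continue  # replies and unparsed lines are not requests
        if m["src"] != router_wan_ip:
            findings.append(("source is not the router", line))
        elif m["dst"] not in configured_servers:
            # After source NAT, a LAN client that escaped the redirect also
            # shows the router's WAN address, so the destination gives it away.
            findings.append(("destination is not a configured server", line))
    return findings

# Constructed sample capture using documentation address ranges.
ROUTER_WAN_IP = "198.51.100.7"
CONFIGURED = {"192.0.2.10", "192.0.2.11"}
SAMPLE = [
    "08:14:01.000101 IP 198.51.100.7.123 > 192.0.2.10.123: NTPv4, Client, length 48",
    "08:14:01.020334 IP 192.0.2.10.123 > 198.51.100.7.123: NTPv4, Server, length 48",
    "08:14:09.511200 IP 198.51.100.7.40211 > 203.0.113.50.123: NTPv4, Client, length 48",
    "08:14:09.540020 IP 203.0.113.50.123 > 198.51.100.7.40211: NTPv4, Server, length 48",
    "08:14:17.100000 IP 198.51.100.7.123 > 192.0.2.11.123: NTPv4, Client, length 48",
]

if __name__ == "__main__":
    for reason, line in audit_ntp(SAMPLE, ROUTER_WAN_IP, CONFIGURED):
        print(f"{reason}: {line}")
```

An empty result over a capture taken while LAN clients are syncing means every request leaving the WAN went to a configured server.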
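
What the EDNS Client Subnet option discussed in the post above looks like on the wire, as an added example (not from the thread, the firmware or stubby): `find_ecs` reports the client network a DNS message discloses, and `build_query` constructs sample input. Function names, the query name and the addresses are assumptions for illustration.

```python
import ipaddress
import struct

def build_query(name, client_ip=None, prefix=24):
    """Constructed sample: an A query, optionally carrying an IPv4 ECS option."""
    msg = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1)  # id, RD, 1 question, 1 additional
    msg += b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    msg += struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    opts = b""
    if client_ip is not None:
        net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
        addr = net.network_address.packed[:(prefix + 7) // 8]  # only prefix bytes are sent
        opts = struct.pack("!HHHBB", 8, 4 + len(addr), 1, prefix, 0) + addr
    # OPT pseudo-record: root name, TYPE=41, CLASS=UDP size, TTL=0, RDATA=options
    return msg + b"\0" + struct.pack("!HHIH", 41, 4096, 0, len(opts)) + opts

def skip_name(msg, off):
    """Advance past a DNS name (label sequence or compression pointer)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def find_ecs(msg):
    """Return the client network a DNS message discloses through ECS, else None."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off, end = off + 10, off + 10 + rdlen
        while rtype == 41 and off + 4 <= end:  # walk the OPT record's options
            code, olen = struct.unpack_from("!HH", msg, off)
            if code == 8:  # edns-client-subnet
                family, src_len, _scope = struct.unpack_from("!HBB", msg, off + 4)
                cls = ipaddress.IPv4Network if family == 1 else ipaddress.IPv6Network
                addr = msg[off + 8:off + 4 + olen].ljust(4 if family == 1 else 16, b"\0")
                return cls((addr, src_len), strict=False)
            off += 4 + olen
        off = end
    return None
```

A source prefix length of 0 is the RFC 7871 way for a client to ask that no subnet be forwarded; the parser reports that case as 0.0.0.0/0.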
 
Hi @RMerlin

I have installed 384.11_beta2 on my RT-AX88U

I also use ProtonVPN. The server I use I can watch US Netflix from Australia.

I have also enabled DoT

On ipleak.net there shows 2 DNS addresses (1 is ProtonVPN and the other the DoT from the router's selection) and I can watch US Netflix on my Apple TV 4K from Australia perfectly ok.

https://i.imgur.com/NNhjw50.png

However, for the DoT I've selected "CleanBrowsing (1) Security" and since I have 2 DNS addresses will the security feature of the DoT server I've selected work, or are the DNS queries passed through the VPN's DNS?

I hope that makes sense.
 