[Beta] Asuswrt-Merlin 384.13 Beta is now available

@RMerlin If I add this to Stubby I can get more cyphers for DNSSEC (taken from Unbound guide):
nano /jffs/scripts/stubby.postconf
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_insert "  - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG
chmod 755 /jffs/scripts/stubby.postconf

This unlocks more cyphers and I get the result like yours on the first page, but does it mean that stubby is doing the DNSSEC validation instead of dnsmasq? Is it fine to add this to Stubby, or can it cause conflicts with dnsmasq, or maybe it doesn't do validation correctly but only shows more supported cyphers?

 
I installed the beta on my AC86U. I run two simultaneous VPNs, one on Client 1 and one on Client 2. As soon as the second VPN comes up the entire web admin interface stops responding until I power cycle the router (Edit: I should point out that after a reboot, as soon as the second VPN client fires up the interface locks up again, so you only have access to the web interface for a short period of time after a reboot). This occurred both on dirty and clean upgrades. Reverting the firmware resolves the problem. My wife works from home so my ability to do more thorough testing of this is dependent on her not needing connectivity so it may be held up until this weekend, but I'm curious if anyone else runs more than 1 concurrent VPN client on the router and has seen anything like this.
 
There is no AC686U, please tell us your correct type for others to help.

Hey, sorry about the typing error. AC86U and I've updated the post.
 
You just meshed them, so you could easily see on your own that you can use the ports like they were on the main router.
And you could disable Wifi on the node with proper SSH commands. But really, what's the benefit of AiMesh then? Run it in AP mode and disable Wifi.
Trying to decode this message, but first, you do realize there is a difference between an AP device and a Mesh device. If compatible, an AP might be used in a mesh configuration, but they are NOT the same. I had an AP, I now have a Mesh, and using ethernet for a backhaul is just better if possible (many times it's not).
 
You should read this .... may shine a little light on what may have happened.
https://bani.com.br/2015/06/linux-getting-rid-of-net_ratelimit-n-callbacks-suppressed-messages/
basically everything went spazztastic all at once, who knows what caused it (DoS attack maybe or DHCP service failure with ISP "internet connection loss"), but the kernel net_ratelimit is packets that are being suppressed probably in regards to all the crashes with the dhcp service.

Did occur to me but not seeing any strange traffic beyond the norm.
You should read this .... may shine a little light on what may have happened.
https://bani.com.br/2015/06/linux-getting-rid-of-net_ratelimit-n-callbacks-suppressed-messages/
basically everything went spazztastic all at once, who knows what caused it (DoS attack maybe or DHCP service failure with ISP "internet connection loss"), but the kernel net_ratelimit is packets that are being suppressed probably in regards to all the crashes with the dhcp service.


It would seem on further investigation that I am indeed being attacked.

Got logon attempts from China, Germany, United Kingdom and Vietnam.

Seems to have started since an IP change over from our provider which rang a dinner bell.
 
I can’t even upload .13, the router keeps reverting to the sign in page. Really ever since .12 I’ve had problems even opening web pages including my browser which is Microsoft Edge


 
I can’t even upload .13, the router keeps reverting to the sign in page. Really ever since .12 I’ve had problems even opening web pages including my browser which is Microsoft Edge


What model are you using?
 
I can’t even upload .13, the router keeps reverting to the sign in page. Really ever since .12 I’ve had problems even opening web pages including my browser which is Microsoft Edge
good time for factory reset and manual configuration.
 
@RMerlin If I add this to Stubby I can get more cyphers for DNSSEC (taken from Unbound guide):
nano /jffs/scripts/stubby.postconf
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_insert "  - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG
chmod 755 /jffs/scripts/stubby.postconf
You can also append the entry.
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_append "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG
However, with either method when you reboot the router you likely will not have a connection because Stubby did not auto retrieve the root keys. A workaround is to create a wan-start:
/jffs/scripts/wan-start
with the following content:
Code:
#!/bin/sh
sleep 15
service restart_stubby
chmod 755 /jffs/scripts/wan-start
This reloads Stubby 15 seconds after the WAN starts. You may need to increase the time for your router.
 
Upgrade RT-AX88U from V384.12_0 Final to V384.13_beta1-gbde70e184d, via firmware upgrade (first GUI rebooted the router as it had been up for 35+ days, working great with 30+ devices). All appears to be working.
 
There must be a fair number of users that use it, since there have been frequent complaints from RT-AC68U users who wanted that feature added to their router.

Some people prefer to have a fire-and-forget type of setup rather than manually allocating clients to specific bands. And with tri-band routers, it allows to split clients between the two 5 GHz radios without having to manually allocate them.
FWIW, I used it on my AC3200 and never had problems. I didn't actively disable it on my AC86U, so if it's on by default, it's still on.
 
does it mean that stubby is doing the DNSSEC validation instead of dnsmasq?

Not "instead", but "in addition to".

DNSSEC validation can be quite consuming in terms of round-trips, so you'd have to ask yourself whether it's worth the extra overhead of having the same validations done twice by your router.

Also, don't put too much faith in that web-based test. I'm starting to think it's about as unreliable as Cloudflare's DoT/DNSSEC/1.1.1.1 test. The only way to accurately test anything is to do a DNS query using dig, and looking for the presence of the "ad" flag.

FWIW, I used it on my AC3200 and never had problems. I didn't actively disable it on my AC86U, so if it's on by default, it's still on.

IMHO, Smart Connect makes more sense on tri-band devices than on dual-band. You typically want everything connected to the 5 GHz band, unless your device lacks 5 GHz support. In a tri-band case, you might want to split clients between the two 5 GHz radios.
 
Upgrade RT-AX88U from V384.12_0 Final to V384.13_beta1-gbde70e184d, via firmware upgrade (first GUI rebooted the router as it had been up for 35+ days, working great with 30+ devices). All appears to be working.

From your signature, you have a bunch of asus routers that I can only assume are functioning as APs.
Now that you've flashed the master router with the ability to be a hub for AiMesh, will you be migrating those meshable APs over to the Merlin beta to mesh them or are you leaving it be?
 
From your signature, you have a bunch of asus routers that I can only assume are functioning as APs.
Now that you've flashed the master router with the ability to be a hub for AiMesh, will you be migrating those meshable APs over to the Merlin beta to mesh them or are you leaving it be?

Unfortunately my ASUS AP's are all RT-AC66U A1 (only B1's are officially supported), so unless A1's ever get official AiMesh support (not holding breath), Roaming Assistant turned on for me for my AP's continues to provide me the requirements to change AP's when Wifi signal becomes too low for devices.
 
384.13 beta1 working well on my AC53-00 no problems with 5 days uptime , I do not use mesh .
Thanks
 
You can also append the entry.
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_append "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG
However, with either method when you reboot the router you likely will not have a connection because Stubby did not auto retrieve the root keys. A workaround is to create a wan-start:
/jffs/scripts/wan-start
with the following content:
Code:
#!/bin/sh
sleep 15
service restart_stubby
chmod 755 /jffs/scripts/wan-start
This reloads Stubby 15 seconds after the WAN starts. You may need to increase the time for your router.
I have mine inside stubby.yml.add and I am not having any issues with it retrieving root keys. It seems to do it just fine (tested) with my setup.
 
Did occur to me but not seeing any strange traffic beyond the norm.



It would seem on further investigation that I am indeed being attacked.

Got logon attempts from China, Germany, United Kingdom and Vietnam.

Seems to have started since an IP change over from our provider which rang a dinner bell.
If you have a service like Comcast try disabling ipv6 neighbor solicitation under the tools-- others settings tab. It may help if that is where the traffic is coming from.
 
Unfortunately my ASUS AP's are all RT-AC66U A1 (only B1's are officially supported), so unless A1's ever get official AiMesh support (not holding breath), Roaming Assistant turned on for me for my AP's continues to provide me the requirements to change AP's when Wifi signal becomes too low for devices.

I thought I saw a 3100 in the list on your sig. my bad...


 