What's new

[Beta] Asuswrt-Merlin 384.13 Beta is now available

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Status
Not open for further replies.
@RMerlin If add this to Stubby I can get more cyphers for DNSSEC (taken from Unbound guide):
nano /jffs/scripts/stubby.postconf
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_insert "  - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG
chmod 755 /jffs/scripts/stubby.postconf

This unlocks more cyphers and I get the result like yours on the first page, but does it mean that stubby doing the DNSSEC validation instead of dnsmasq? is it fine to add this to Stubby or it can cause conflicts with dnsmasq or maybe it doesn't do validation correctly but only shows more supported cyphers?

FCGm2SB.png
 
Last edited:
I installed the beta on my AC86U. I run two simultaneous VPNs, one on Client 1 and one on Client 2. As soon as the second VPN comes up the entire web admin interface stops responding until I power cycle the router (Edit: I should point out that after a reboot, as soon as the second VPN client fires up the interface locks up again, so you only have access to the web interface for a short period of time after a reboot). This occurred both on dirty and clean upgrades. Reverting the firmware resolves the problem. My wife works from home so my ability to do more thorough testing of this is dependent on her not needing connectivity so it may be held up until this weekend, but I'm curious if anyone else runs more than 1 concurrent VPN client on the router and has seen anything like this.
 
Last edited:
There is no AC686U, please tell us your correct type for others to help.

Hey, sorry about the typing error. AC86U and I've updated the post.
 
You just meshed them, so you could easily see on you own that you can use the ports like they where on main router.
And you could disable Wifi on node with poper SSH commands. But really, whats the benefit of Aimesh then, run it in AP mode and disable Wifi.
Trying to decode this message, but first, you do realize there is a difference between and AP device and a Mesh device. If compatible, and AP might be used in a mesh configuration, but they are NOT the same. I had an AP, I now have a Mesh, and using ethernet for a backhaul is just better if possible (many times it's not).
 
you should read this .... may shine alittle light on what may have happen.
https://bani.com.br/2015/06/linux-getting-rid-of-net_ratelimit-n-callbacks-suppressed-messages/
basically everything went spazztastic all at once, who knows what caused it (DoS attack maybe or DHCP service failure with ISP "internet connection loss"), but the kernel net_ratelimit is packets that are being suppressed probably in regards to all the crashes with the dhcp service.

Did occur to me but not seeing any strange traffic beyond the norm.
you should read this .... may shine alittle light on what may have happen.
https://bani.com.br/2015/06/linux-getting-rid-of-net_ratelimit-n-callbacks-suppressed-messages/
basically everything went spazztastic all at once, who knows what caused it (DoS attack maybe or DHCP service failure with ISP "internet connection loss"), but the kernel net_ratelimit is packets that are being suppressed probably in regards to all the crashes with the dhcp service.


It would seem on further investigation that i am indeed being attacked.

Got logon attempts from China, Germany, United Kingdom and Vietnam .

Seems to have started since a ip change over from our provider which rang a dinner bell.
 
I can’t even upload .13 the router keep reverting to the sign in page. Really ever since .12 I’ve had problems even opening web pages including my browser which is Microsoft edge


Sent from my iPhone using Tapatalk
 
I can’t even upload .13 the router keep reverting to the sign in page. Really ever since .12 I’ve had problems even opening web pages including my browser which is Microsoft edge


Sent from my iPhone using Tapatalk
What model are you using?
 
I can’t even upload .13 the router keep reverting to the sign in page. Really ever since .12 I’ve had problems even opening web pages including my browser which is Microsoft edge
good time for factory reset and manual configuration.
 
@RMerlin If add this to Stubby I can get more cyphers for DNSSEC (taken from Unbound guide):
nano /jffs/scripts/stubby.postconf
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_insert "  - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG
chmod 755 /jffs/scripts/stubby.postconf
You can also append the entry.
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_append "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG
However, with either method when you reboot the router you likely will not have a connection because Stubby did not auto retrieve the root keys. A workaround is to create a wan-start:
/jffs/scripts/wan-start
with the following content:
Code:
#!/bin/sh
sleep 15
service restart_stubby
chmod 755 /jffs/scripts/wan-start
This reloads Stubby 15 seconds after the WAN starts. You may need to increase the time for your router.
 
Upgrade RT-AX88U from V384.12_0 Final to V384.13_beta1-gbde70e184d, via firmware upgrade (first GUI rebooted the router as it had been up for 35+ days, working great with 30+ devices). All appears to be working.
 
There must be a fair number of users that use it, since there's been frequent complains from RT-AC68U users who wanted that feature added to their router.

Some people prefer to have a fire-and-forget type of setup rather than manually allocating clients to specific bands. And with tri-band routers, it allows to split clients between the two 5 GHz radios without having to manually allocate them.
FWIW, I used it on my AC3200 and never had problems. I didn't actively disable it on my AC86U, so if it's on by default, it's still on.
 
es it mean that stubby doing the DNSSEC validation instead of dnsmasq?

Not "instead", but "in addition to".

DNSSEC validation can be quite consuming in terms of round-trips, so you'd have to ask yourself whether it's worth the extra overhead of having the same validations done twice by your router.

Also, don't put too much fait in that web-based. I'm starting to think it's about as unreliable as Cloudflare's DoT/DNSSEC/1.1.1.1 test. The only way to accurately test anything is to do a DNS query using dig, and looking for the presence of the "ad" flag.

FWIW, I used it on my AC3200 and never had problems. I didn't actively disable it on my AC86U, so if it's on by default, it's still on.

IMHO, Smart Connect makes more sense on tri-band devices than on dual-band. You typically want everything connected to the 5 GHz band, unless your device lacks 5 GHz support. In a tri-band case, you might want to split clients between the two 5 GHz radios.
 
Upgrade RT-AX88U from V384.12_0 Final to V384.13_beta1-gbde70e184d, via firmware upgrade (first GUI rebooted the router as it had been up for 35+ days, working great with 30+ devices). All appears to be working.

From your signature, you have a bunch of asus routers that I can only assume are functioning as APs.
now that you've flashed the master router with the ability to be a hub for AiMesh, will you be migrating those meshable APs over to the merlin beta to mesh them or are you leaving it be?
 
From your signature, you have a bunch of asus routers that I can only assume are functioning as APs.
now that you've flashed the master router with the ability to be a hub for AiMesh, will you be migrating those meshable APs over to the merlin beta to mesh them or are you leaving it be?

Unfortunately my ASUS AP's are all RT-AC66U A1 (only B1's are officially supported), so unless A1's ever get official Aimesh support (not holding breath) , Roaming Assistant turned on for me for my AP's continues to provide me the requirements to change AP's when Wifi signal becomes to low for devices.
 
384.13 beta1 working well on my AC53-00 no problems with 5 days uptime , I do not use mesh .
Thanks
 
You can also append the entry.
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_append "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG
However, with either method when you reboot the router you likely will not have a connection because Stubby did not auto retrieve the root keys. A workaround is to create a wan-start:
/jffs/scripts/wan-start
with the following content:
Code:
#!/bin/sh
sleep 15
service restart_stubby
chmod 755 /jffs/scripts/wan-start
This reloads Stubby 15 seconds after the WAN starts. You may need to increase the time for your router.
I have mine inside stubby.yml.add and I am not having any issues with it retrieving root keys. It seems to do it just fine(tested) with my setup.
 
Did occur to me but not seeing any strange traffic beyond the norm.



It would seem on further investigation that i am indeed being attacked.

Got logon attempts from China, Germany, United Kingdom and Vietnam .

Seems to have started since a ip change over from our provider which rang a dinner bell.
If you have a service like comcast try disabling ipv6 neighbor solicitation under the tools-- others settings tab. It may help if that is where the traffic is coming from.
 
Last edited:
Unfortunately my ASUS AP's are all RT-AC66U A1 (only B1's are officially supported), so unless A1's ever get official Aimesh support (not holding breath) , Roaming Assistant turned on for me for my AP's continues to provide me the requirements to change AP's when Wifi signal becomes to low for devices.

I thought I saw a 3100 in the list on your sig. my bad...


Sent from my iPhone using Tapatalk
 
Status
Not open for further replies.

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top