[Beta] Asuswrt-Merlin 384.7 Beta is now available

[crapinon]

My RT-AC86U with Beta3 says:

HW acceleration: Runner: Enabled - Flow Cache: Enabled

 

[truglodite]

It's weird, I have an AC86u too, with just a basic config, no qos, and i've never seen the "runner" enable

Mine was like that at first. You have to ssh in and type "runner_disabled=0" then reboot. From then on, as long as no incompatible features are enabled, runner will stay on.

Fwiw, from my readings the way runner works exactly is a mystery (closed source). However with the latest diversion+pixelserv beta, runner makes a HUGE difference in pixelserv latency... tav with runner on is <10ms, versus >20ms with runner disabled.

 

[john9527]

The cache fix however might possibly resolve some random resolution failures in his opinion. He's been testing it for a while, and will merge to my repo in the coming days, so I can also test it on my end.

Just an FYI....I'm liking the cache change so far. Seems to have improved the dnsmasq failure stats for me.
A bit early to tell, but may have also helped DoT stability.

 

[Hawk]

I discovered what looks like a bug in 384.7_beta3 on my 86u (also existed in previous versions I think, but didn't pin it down until after installing beta3). I normally keep hw acceleration 'runner' enabled, and the webui tools menu shows it as enabled. However if just click on the webui 'adaptive qos' tab on the left (not actually changing any settings there), runner becomes disabled. I am aware that enabling adaptive qos is incompatible with runner, however I think simply reading the qos page(s) and not changing any settings should not trigger a runner disable. Runner should not be disabled until an incompatible setting is actually applied. When this happens to me, rebooting the router re-enables runner.

Is anyone else having this problem? Not sure if it's something that can be fixed, or if it's locked inside a closed source blob.

In case it matters, I'm also running the latest diversion+skynet+pixelserv_beta, some other scripts to add a local ntpd and block webcam wan access via iptables, and an openvpn server... and aiprotection, qos, traffic stats, and ipv6 stuff is all disabled.

I experience the same thing, just opening adaptive QOS tab and runner is disabled, rebooting router fix it.

 

[Sanna1967]

just opening adaptive QOS tab and runner is disabled, rebooting router fix it.

Not for me .
But anyway I have no problem reaching 300/100 with my ips (ping around 10ms) and the CPU load never exceeds 15% , just with the Flow Cache: Enabled.
There is nothing in the GUI that says why it's disabled and if I remember correctly, with my ac68 and 1900p, HW acceleration under the tool tab told us why.
I will check the logs at the next flash or reboot if I see something that disable it.

* Sorry , a bit off topic

 

[Sh0cker54]

Hello
Thank you for your great firmware
I'm using IPSEC VPN on my RT-AC86U and it is great.
But I have some questions:
Some ports are not redirected using shrew soft vpn access manager
I can't use, Microsoft Store, Courrier applications or xboxlive with the IPSEC vpn.
It is working with openvpn, but I can't use openvpn because someone is trying to hack my router through this port an kills my router memory (I don't know how to protect my 1194 port so I disabled it).
Do you think you could use this script to implement IKEv2 on the RT-AC86U in this thread with all ports available.
https://www.snbforums.com/threads/asus-ipsec-vpn-server.44973/

Do you think we could use windows 10 native client with it?

Anyway thanks for your time, have a great day
Best Regards
Alex

 

[Alfsu]

It is working with openvpn, but I can't use openvpn because someone is trying to hack my router through this port an kills my router memory (I don't know how to protect my 1194 port so I disabled it).

This is not the answer you're looking for... but if openvpn server is working for you, changing the default port on the server might be your best solution at the moment.

 

[Zonkd]

What are

This is not the answer you're looking for... but if openvpn server is working for you, changing the default port on the server might be your best solution at the moment.

Does anyone know of good alternative ports to use instead of 443 or 1194? Ports that get scanned less.

 

[skeal]

What are


Does anyone know of good alternative ports to use instead of 443 or 1194? Ports that get scanned less.

There are 65000 ports to choose from just make sure you up above 2000 to be safe.

 

[skeal]

I should include that if you experience any conflicts with other software and it's port needs you will have to alter the port again to get something that is more free to use.

 

[RMerlin]

I just built new test releases with the latest dnsmasq changes. I don't want to go through a full beta cycle just for these, but I'd appreciate it if people could give them a test run. They should appear in https://asuswrt.lostrealm.ca/test-builds in the next couple of minutes.

Does anyone know of good alternative ports to use instead of 443 or 1194? Ports that get scanned less.

Keep it simple, try something like 1195, or 11194. As long it's not another well known port.

 

[skeal]

Loaded and testing 384.7_beta3-gc44f112e3 and all seems to work well. All my pages load without delay and no problems with vpn or add blocking, what would you like specifically tested?

EDIT: DNSSEC is working as expected as well.

 

[DonnyJohnny]

Loaded and testing 384.7_beta3-gc44f112e3 and all seems to work well. All my pages load without delay and no problems with vpn or add blocking, what would you like specifically tested?

EDIT: DNSSEC is working as expected as well.

Changelog of dnsmasq 2.8test7 as per Merlin update.
https://github.com/RMerl/asuswrt-merlin.ng/commit/c44f112e32f44ce1627dd71c19a9909e27efda88

Interesting is the “dig +trace” command working.
Example of command

dig 202.59.245.173.in-addr.arpa +trace

Example took from
https://blog.cloudflare.com/additional-record-types-available-with-cloudflare-dns/

 

[skeal]

dig 202.59.245.173.in-addr.arpa +trace

I'm unable to run this command from my router. Do I need to install Dig?

Spoiler: Results of command

-sh: dig: not found

 

[M@rco]

Do I need to install Dig?

Yes.

opkg update
opkg install bind-dig

 

[DonnyJohnny]

I'm unable to run this command from my router. Do I need to install Dig?

Spoiler: Results of command

-sh: dig: not found

Need install from entware
opkg update ; opkg install bind-dig

 

[skeal]

Yes.

opkg update
opkg install bind-dig

Need install from entware
opkg update ; opkg install bind-dig

Yup that worked. Does this verify that dnssec is working or am I looking for a different command?

 

[M@rco]

Does this verify that dnssec is working

No, +trace is used to spit out the servers which were used to perform the lookup. From the dig man page:

+[no]trace
Toggle tracing of the delegation path from the root name servers for the name
being looked up. Tracing is disabled by default. When tracing is enabled, dig
makes iterative queries to resolve the name being looked up. It will follow
referrals from the root servers, showing the answer from each server that was
used to resolve the lookup.

If you want to verify DNSSEC is working, just visit https://dnssec.vs.uni-due.de/ for example, and press 'Start test'.

 

[skeal]

If you want to verify DNSSEC is working, just visit https://dnssec.vs.uni-due.de/ for example, and press 'Start test'.

I believe this test just observes if your DNS server of choice can handle DNSSEC. It doesn't check the function. As an example: disable DNSSEC on LAN page and then go back to the above mentioned site. You will see that when the test is run it still gives you thumbs up. Further if you leave DNSSEC disabled and enter your ISP DNS (if it is like mine it doesn't support DNSSEC yet) and run the test again...now it fails as the DNS server of choice no longer supports DNSSEC. That the way it seems to me IMHO.

 

[RMerlin]

Loaded and testing 384.7_beta3-gc44f112e3 and all seems to work well. All my pages load without delay and no problems with vpn or add blocking, what would you like specifically tested?

Mostly just general lookups. I'm not expecting any trouble (hence this very short test run for it), but it might resolve some occasional random resolution failures.

Interesting is the “dig +trace” command working.
Example of command

That's indeed one scenario highlighted by the dnsmasq author with that cache fix.