Comcast email - RT-AX86U Pro - ASUS 3.0.0.6.102_34314 works, Merlin 3004_388.8_2 doesn't

[DFlood]

Hello Everyone,

Last Weekend I upgraded to a RT-AX86U-Pro and, of course, the first thing I did was install Merlin's port.
As soon as I did that, I was unable to access any form of Comcast email - POP3 or Web.
Once I flashed it back to the ASUS firmware, I could get to my email again.

Its only the POP3 and Web when on Comcast. I could get there from work and such and every other Comcast link works.

The error was "The page took too long to respond".

Anyone got any ideas about what to disable or "tune" in the Merlin firmware to let it work?

Thanks,

 

[Analog-1]

I would just run the stock firmware. It's newer code plus it's very stable. Merlin's 388.8.2 is based on GPL code that's 9 months old. It is rumored Merlin will move the Pro models over to 3.0.0.6 code but so far there has been no releases and he has said nothing about when this will ever happen.

 

[bbunge]

Hello Everyone,

Last Weekend I upgraded to a RT-AX86U-Pro and, of course, the first thing I did was install Merlin's port.
As soon as I did that, I was unable to access any form of Comcast email - POP3 or Web.
Once I flashed it back to the ASUS firmware, I could get to my email again.

Its only the POP3 and Web when on Comcast. I could get there from work and such and every other Comcast link works.

The error was "The page took too long to respond".

Anyone got any ideas about what to disable or "tune" in the Merlin firmware to let it work?

Thanks,

Did you do a Factory Reset with Initialize after flashing Merlin then manually configure? I've tested the Merlin firmware, a couple of times, with no issues. I've gone back to Asus, however, as I need a network someone else can manage if my health issues get worse.

 

[bennor]

Anyone got any ideas about what to disable or "tune" in the Merlin firmware to let it work?

After flashing from stock Asus firmware to the Asus-Merlin firmware; did you do a hard factory reset and manual configuration (do not import a saved router.cfg file)?
What configuration changes did you make after flashing the Asus-Merlin firmware? What DNS servers, etc. did you select when setting up Asus-Merlin?
Did you enable any sort of VPN or AiProtection or install any addon scripts (or USB drive)?

 

[DFlood]

After flashing from stock Asus firmware to the Asus-Merlin firmware; did you do a hard factory reset and manual configuration (do not import a saved router.cfg file)?
What configuration changes did you make after flashing the Asus-Merlin firmware? What DNS servers, etc. did you select when setting up Asus-Merlin?
Did you enable any sort of VPN or AiProtection or install any addon scripts (or USB drive)?

I didn't do any resets but the configuration was 100% manual including a print-out of the former DHCP reservations. I just loaded the appropriate firmware and rebooted. No add-ons or VPNs or anything fancy like that.

I don't think the DNS is an issue since a ping and tracert returned the exact same IP and eventual destination. So it's something NAT related I think.

 

[bbunge]

I didn't do any resets but the configuration was 100% manual including a print-out of the former DHCP reservations. I just loaded the appropriate firmware and rebooted. No add-ons or VPNs or anything fancy like that.

I don't think the DNS is an issue since a ping and tracert returned the exact same IP and eventual destination. So it's something NAT related I think.

Well, you need to reset and reconfigure after a switch in firmware. It is just the facts!

 

[bennor]

I didn't do any resets but the configuration was 100% manual including a print-out of the former DHCP reservations. I just loaded the appropriate firmware and rebooted. No add-ons or VPNs or anything fancy like that.

I don't think the DNS is an issue since a ping and tracert returned the exact same IP and eventual destination. So it's something NAT related I think.

Some (many?) will recommend doing a hard factory reset any time one switches between stock Asus firmware (Asuswrt) and Asus-Merlin firmware. It is possible certain variables or settings are either different or new when flashing from stock to Asus-Merlin. Doing a hard factory reset is a basic troubleshooting step when one has weird issues crop up after flashing firmware.

Personally, on my RT-AX86U Pro, I do a hard factory reset any time I swap between stock Asus firmware and Asus-Merlin. There are ways, including addon scripts for Asus-Merlin like YazDHCP, to backup the manual DHCP reservations and restore them after performing a hard factory reset. One can find various discussions on ways to do so using the forum search feature.

Another troubleshooting step is to change the DNS server being used to a different public DNS server. It is possible, when using a DNS that filters for ad-blocking and malware blocking that it may block access to a otherwise normal service or website. As a troubleshooting step change the DNS servers to a public DNS server like Googles (8.8.8.8 and 8.8.4.4) as a test (rebooting the LAN devices so they pull the new DNS if using DHCP manual DNS entries).

 

[maxbraketorque]

Its probably something with the DNS settings.

 

[GoldWing]

Hello,

Merlin's 388.8.2 is based on GPL code that's 9 months old. It is rumored Merlin will move the Pro models over to 3.0.0.6 code but so far there has been no releases and he has said nothing about when this will ever happen.

So in order to protect my home network using the Asus RT-AX86U Pro router from the injection vulnerability that Asus fixed in Version 3.0.0.6.102_34314 that was released on 8/9/2024 I'd have to wait until Merlin releases firmware based upon the 3.0.0.6 code?

See https://www.asus.com/networking-iot...86u-pro/helpdesk_bios?model2Name=RT-AX86U-Pro for Asus's documentation.

Unless I'm missing something I did not see any vulnerabity tracking number provided by Asus in their notes for the release of Version 3.0.0.6.102_34314. In prior releases Asus did provide tracking numbers under "Security Updates" which IMHO does appear a little odd.

Regards,

GoldWing

 

[GoldWing]

Unless I'm missing something I did not see any vulnerabity tracking number provided by Asus in their notes for the release of Version 3.0.0.6.102_34314. In prior releases Asus did provide tracking numbers under "Security Updates" which IMHO does appear a little odd.

Although I have no ideal what the "injection vulnerability" is in Asus firmware that was mentioned Version 3.0.0.6.102_34314 release I did find this posting by the NVD which indicates the ASUS RT-AC86U router. I do NOT know if this vulnerability applies to the "Pro" model, but I do find it a little "odd" that Asus did NOT provide any specifics.

Regards,

GoldWing

 

[hancox]

Hello,



So in order to protect my home network using the Asus RT-AX86U Pro router from the injection vulnerability that Asus fixed in Version 3.0.0.6.102_34314 that was released on 8/9/2024 I'd have to wait until Merlin releases firmware based upon the 3.0.0.6 code?

See https://www.asus.com/networking-iot...86u-pro/helpdesk_bios?model2Name=RT-AX86U-Pro for Asus's documentation.

Unless I'm missing something I did not see any vulnerabity tracking number provided by Asus in their notes for the release of Version 3.0.0.6.102_34314. In prior releases Asus did provide tracking numbers under "Security Updates" which IMHO does appear a little odd.

Regards,

GoldWing

I wouldn't worry yet - overwhelming majority of similar vulnerability fixes, in the past, have been circumvented by Merlin being more up to date on non-firmware components. Just because Asus releases firmware, doesn't mean that the code they're fixing actually sits in the GPL

 

[bennor]

... I did find this posting by the NVD which indicates the ASUS RT-AC86U router.

Following the link it indicates that particular OpenVPN vulnerability affects a number of Asus routers (before certain firmware versions).
https://vulncheck.com/advisories/asus-ovpn-rce
Affecting

• ASUS ExpertWiFi before 3.0.0.6.102_44544
• ASUS RT-AX55 before 3.0.0.4.386_52303
• ASUS RT-AX58U before 3.0.0.4.388_24762
• ASUS RT-AC67U before 3.0.0.4.386_51685
• ASUS RT-AC68R before 3.0.0.4.386_51685
• ASUS RT-AC68U before 3.0.0.4.386_51685
• ASUS RT-AX86 Series before 3.0.0.4.388_24243
• ASUS RT-AC86U before 3.0.0.4.386_51925
• ASUS RT-AX88U before 3.0.0.4.388_24209
• ASUS RT-AX3000 before 3.0.0.4.388_24762
• ASUS RT-AC68P before 3.0.0.4.386_51685
• ASUS RT-AC86U before 3.0.0.4.386_51925
• ASUS RT-AC1900 before 3.0.0.4.386_51685
• ASUS RT-AC1900U before 3.0.0.4.386_51685
• ASUS RT-AC2900 before 3.0.0.4.386_51925
• ASUS ZenWIFI XT8 before 3.0.0.4.388_24621

 

[GoldWing]

I wouldn't worry yet - overwhelming majority of similar vulnerability fixes, in the past, have been circumvented by Merlin being more up to date on non-firmware components. Just because Asus releases firmware, doesn't mean that the code they're fixing actually sits in the GPL

I do worry because I use my home for financial and medical purposes. IMHO these are 2 significant purposes to desire the highest security possible with KNOWN CVEs.


So what I've done is try to trace the CVEs applicable to the RT-AX86U Pro router which I utilize, and from the results of a DuckDuckGo.com search indicating CVE numbers to either Asus's firmware notes, or to Merlin's change log. Some were noted as fixed in the release's change log, and some were not.


Rather than get into all of the detail I'll just comment on my review which is from a user perspective, and not an expert perspective. It appears that not all CVE numbers are indicated in the change logs. From a user's perspective this is NOT very reassuring. After doing a fair amount of reading I believe my observation is probably due to the market that my router targets.


Regards,


GoldWing

 

[hancox]

I do worry because I use my home for financial and medical purposes. IMHO these are 2 significant purposes to desire the highest security possible with KNOWN CVEs.


So what I've done is try to trace the CVEs applicable to the RT-AX86U Pro router which I utilize, and from the results of a DuckDuckGo.com search indicating CVE numbers to either Asus's firmware notes, or to Merlin's change log. Some were noted as fixed in the release's change log, and some were not.


Rather than get into all of the detail I'll just comment on my review which is from a user perspective, and not an expert perspective. It appears that not all CVE numbers are indicated in the change logs. From a user's perspective this is NOT very reassuring. After doing a fair amount of reading I believe my observation is probably due to the market that my router targets.


Regards,


GoldWing

Not unreasonable. I get it.

Just to set your mind at ease - unless @RMerlin has an explicit fix for a CVE (which isn't that common), his changelogs will only list a (usually somewhat aged) version upgrade to an underlying component, with no reference to any CVE. History and my gut this usually is what happens at least 80% of the time.

 

[laracroftonline]

Not unreasonable. I get it.

Just to set your mind at ease - unless @RMerlin has an explicit fix for a CVE (which isn't that common), his changelogs will only list a (usually somewhat aged) version upgrade to an underlying component, with no reference to any CVE. History and my gut this usually is what happens at least 80% of the time.

Everything that’s not closed source is usually on the latest version with merlin sometimes he even uses a dev version if it’s so critical it can’t wait.

 

[hancox]

Everything that’s not closed source is usually on the latest version with merlin sometimes he even uses a dev version if it’s so critical it can’t wait.

Yep - saying same thing.

As to this CVE - it appears to be related to Asus use of OpenVPN ( https://nvd.nist.gov/vuln/detail/CVE-2024-0401 ). Straight from the Merlin release notes for the latest version:

3004.388.8_2 (31-July-2024)
[HEADING=1]  - UPDATED: OpenVPN to 2.6.12.[/HEADING]
  - CHANGED: Support importing WiregUard config files that
             contain multiple AllowedIPs, Address or DNS
              declarations.
  - FIXED: OpenVPN client routing not working properly when
           configuring Internet redirection to "All" or "None".
  - FIXED: New firmware check button missing for the RT-AX58U.
  - FIXED: Generated web certificate wasn't using the FQDN
           for Namecheap DDNS users.

 

[RMerlin]

Asuswrt-Merlin`s OpenVPN implementation is completely different from the stock firmware. So any security issue related to OpenVPN in the stock firmware is unlikely to apply to Asuswrt-Merlin.