[Dev] Asuswrt-Merlin 388.1 development

[commodoro]

What DDNS provider are you using?

Hi @RMerlin,

I use the FREEDNS.AFRAID.ORG

Thanks
Commodoro

 

[DiGz_Au]

Waiting for ax86u to be uploaded... Maybe it's behind due to the pro model taking the front seat?

 

[DJones]

@RMerlin

Noticed an interesting bug, not sure if I can reproduce it however. I found that the Bandwidth monitor had stopped displaying any information regarding speeds, I usually disable AIprotection and withdraw from it in privacy. However for some reason the only way short of a reboot to get it working was to enable and consent to Trend micros policy. After that it worked fine, until you withdraw from trend micro, then it doesn’t no speeds displayed.

I thought well that’s odd I used it prior. Rebooted the router and yep it worked fine without trend micro.

 

[skeal]

I'm trying to login to my AiMesh-node, when I login it asks for user ID and password, after entering that on the AiMesh-node's login, it instantly redirects me to my main router's network map page. Is this the intended outcome? I used to be able to login to the mesh node and see a limited GUI, now that seems impossible to achieve. Am I missing something? Is this new with this firmware?

From this the most recent changelog:

CHANGED: Setting an OpenVPN client to redirect all traffic while
in "Exclusive" DNS mode will now force redirect ALL
DNS traffic just like in VPN Director mode.
While this will allow redirecting clients with
hardcoded DNS servers, it also means that your whole
LAN will lose the ability of doing local name
resolution. It might be best to use VPN Director
in that case to control which client should
be involved in the DNS redirection, or use
DNSFilter instead of Exclusive DNS mode.

Does this have anything to do with my above problem? I do not use a redirect "All" instruction, I only use VPN Director selectively for directing a few individual devices.

UPDATE: I have reset the node and readded it, still can't open the nodes GUI. Is this new?

 

[skeal]

View attachment 45007

@RMerlin

Noticed an interesting bug, not sure if I can reproduce it however. I found that the Bandwidth monitor had stopped displaying any information regarding speeds, I usually disable AIprotection and withdraw from it in privacy. However for some reason the only way short of a reboot to get it working was to enable and consent to Trend micros policy. After that it worked fine, until you withdraw from trend micro, then it doesn’t no speeds displayed.

I thought well that’s odd I used it prior. Rebooted the router and yep it worked fine without trend micro.

QOS is a component covered under the AI-Protect license agreement group. Proper function is to not work if you withdraw.

 

[DJones]

QOS is a component covered under the AI-Protect license agreement group. Proper function is to not work if you withdraw.

App analysis perhaps. But just the graph showing device speeds I can definitely say it does work withdrawn from Trend Micro. So either what you say in regards to bandwidth monitor (QoS) is not true or the Bandwidth Monitor working without consent is a bug.

Aiprotection is still greyed out so I know I’m withdrawn.

 

[skeal]

App analysis perhaps. But just the graph showing device speeds I can definitely say it does work withdrawn from Trend Micro. So either what you say in regards to bandwidth monitor (QoS) is not true or the Bandwidth Monitor working without consent is a bug.

Aiprotection is still greyed out so I know I’m withdrawn.

I just know it's one of the packages covered in the license agreement. Whether there is a bug or not. The QOS disciplines other than Cake are the key things to think about. The graph you speak of is under the QOS section of the router. It stands to reason that it would be unavailable if not activated. The withdrawal process has always been with consequence. Regardless of what used to work, sorry.

 

[DJones]

I just know it's one of the packages covered in the license agreement. Whether there is a bug or not.

I don’t disagree that it’s covered under the agreement as it uses parts of Trend Micro for certain functions. Traffic analyzer - Traffic Monitor should also stop working when withdrawn and it doesn’t it works. Just saying it’s odd behaviour.

From a privacy standpoint some people would be concerned. I’m not I really don’t care; I just don’t use trend micro because skynet is more than sufficient.

Would it be nice if it worked without trend micro having anything to do with it because yep it’s a very handy tool. I know Rmerlin doesn’t have anything to do with Trend Micro so he likely can’t look into it, but wanted to point it out.

 

[jakey]

Well chaps, got it working now, there were 2 issues, it turns out the imported config was ok.

1- I totally missed the 'Redirect Internet traffic through tunnel' setting (is that new?)

2- I had the 'Prevent client auto DoH' set on the wan page which seems to be the cause.

Thanks to all who helped, much appreciated.

@RMerlin, with new firmware RT-AX58U_388.1_alpha1-g5fb71044da I was able to re-enable 'Prevent client auto DoH'

Cheers

 

[svk]

RT-AX58U is working fine here on the latest alpha, all devices got connected, but Device list is empty...

 

[DJones]

Just noticed their was an update.

GT-AX11000

Dirty update to 388.1_alpha1_rog-g0ca7941c3e from 388.1_alpha1-g8ea471fa9e

Going to give the rog theme another shot.

Everything seems okay.

One thing about the rog theme being that the dashboard is different as it has game radar on it; well game radar is a nice feature just being on the dashboard does unfortunately create unnecessary logs in skynet firewall if you block a country like Korea or Russia, as it pings those ip addresses without being able to turn them off.

Network map is the default dashboard for the other theme which is basically the same thing just less flashy and has functions for usb and device list.

Since the last page you’re on is the landing page you’ll be on when you login the next time Network Map will probably be my go to. Only quality of life change would be make the status page tab first as it’s much more useful. Each time you login you need to click that tab.

Also the convenient reboot button from the other theme would be a nice addition to the rog theme.

As you said you’re on the fence of officially supporting the theme, so it’s understandable and the option for now is at least nice. Would be nice to see the little Merlin logo if you do. Maybe a red hat will make it go faster ;p

 

[jakey]

RT-AX58U is working fine here on the latest alpha, all devices got connected, but Device list is empty...

Device list ok on my AX58U.

 

[svk]

Device list ok on my AX58U

Hmm... Very strange...

 

[Nodens]

I appreciate your technical points; however, for a test of your recommendation to have true weight , we would have to have a non-fiber comparison of equal asuswrt equipment. Not every connection is going to be as impervious as fiber. A similar asymmetric cable connection would easily buckle to the bottleneck produced by the routers insufficient arm processors having to respond without the aid of hardware acceleration.

Do you mean due to retransmissions and NAT acceleration? I'm not sure on the impact there so I can't comment. If you mean due to retransmissions and AES acceleration wireguard should still be faster.

Might be, I don't know for sure. All I know is if it's a kernel module, and not a userland implementation.

If it's not userland implementation then yeah it's wireguard-linux-compat for sure. Asus may be applying their own patches though. Try building the module yourself with debug on if it'll help with development.

The problem is the Wireguard protocol is not compatible with Broadcom Flow Cache (part of their NAT acceleration). That requires you to disable NAT acceleration to be able to use Wireguard, which will cap NAT throughput at around 300-350 Mbps max on an RT-AX88U (and that's without any VPN overhead). Whatever speed gain Wireguard might get, you end up being capped at around 300 Mbps, which isn't much faster than OpenVPN which can reach 220-250 Mbps on the same router. OpenVPN can run with Flow Cache still enabled, so that means anyone with an Internet connection faster than 300 Mbps cannot use Wireguard without seriously capping their whole Internet connection speed.

So in your case, you'd have to chose between 220 Mbps OpenVPN and 1 Gbps non-VPN throughput, or 300 Mbps Wireguard and 350 Mbps non-VPN throughput.

This is very interesting and a very valid concern. I assume this applies to "server" functionality as well? Because that's what I need..I wanted to uncouple wireguard from this particular linux server in order to simplify my networking setup and move the point of failure from the server to the router (since if that fails there's no access from the internet anyhow apart from 4G failover which puts my entire network in a barely functional state) but NAT acceleration off is a deal breaker.

I know Broadcom SDK is not freely available but do you perhaps have a white paper on Flow Cache? Or a description of implementation somewhere? I'm willing to see if I can provide wg patches that make it compatible with FC (and even try to submit them upstream as well). I could reverse engineer but things would be *much* faster if I had a white paper.

 

[Nodens]

Subscribing to static IP may be your only solution then. I did for years. You could also try the IPTV settings to accomplish your need for a public IP. This requires your ISP's basic VLAN information, they use for their internet network. I used IPTV settings for a few years but it has a few problems and isn't fully supported by @RMerlin

This is what I actually use with my ONT and it works great. The VID is usually 835 for ISPs in Europe and since he said Vodafone IT, I assume it's Italy so that should work. Here, in Greece, Vodafone uses 835 as well.

EDIT: Do notice that usually static package offerings usually require the same setup when an ONT that can't be put into bridge mode is utilized. This is exactly my setup for example. I have a /28 subnet and I use the IPTV method and 1:1 SNAT/DNAT with custom scripts on the router.

 

[skeal]

This is what I actually use with my ONT and it works great. The VID is usually 835 for ISPs in Europe and since he said Vodafone IT, I assume it's Italy so that should work. Here, in Greece, Vodafone uses 835 as well.

EDIT: Do notice that usually static package offerings usually require the same setup when an ONT that can't be put into bridge mode is utilized. This is exactly my setup for example. I have a /28 subnet and I use the IPTV method and 1:1 SNAT/DNAT with custom scripts on the router.

To improve the boot timing using IPTV settings was a hassle, so I configured a smart switch with VLAN capability with the information you mention and turned IPTV settings off. The dynamic IP was passed to my router through the switch from my ONT. This is however a little off topic though.

 

[Kingp1n]

Just noticed their was an update.

GT-AX11000

Dirty update to 388.1_alpha1_rog-g0ca7941c3e from 388.1_alpha1-g8ea471fa9e

Going to give the rog theme another shot.

View attachment 45011
Everything seems okay.

One thing about the rog theme being that the dashboard is different as it has game radar on it; well game radar is a nice feature just being on the dashboard does unfortunately create unnecessary logs in skynet firewall if you block a country like Korea or Russia, as it pings those ip addresses without being able to turn them off.

Network map is the default dashboard for the other theme which is basically the same thing just less flashy and has functions for usb and device list.

Since the last page you’re on is the landing page you’ll be on when you login the next time Network Map will probably be my go to. Only quality of life change would be make the status page tab first as it’s much more useful. Each time you login you need to click that tab.View attachment 45010View attachment 45013
Also the convenient reboot button from the other theme would be a nice addition to the rog theme.

As you said you’re on the fence of officially supporting the theme, so it’s understandable and the option for now is at least nice. Would be nice to see the little Merlin logo if you do. Maybe a red hat will make it go faster ;p
View attachment 45014

+1 on the red hat idea and Merlin logo on the rog theme!!!

 

[RMerlin]

I have reset the node and readded it, still can't open the nodes GUI. Is this new?

Node UIs was never directly accessible, because they are centrally managed by the main router. That's the main point of AiMesh.

Also the convenient reboot button from the other theme would be a nice addition to the rog theme.

It's there, on the gear icon on the top right.

I have no plans to make any change to the ROG UI. If I end up offering it as an option, it will be totally as-is, as in the past the main reason for me not to support the ROG UI is I don't want to have to maintain two separate UIs, one being already a lot of (annoying) work.

This is very interesting and a very valid concern. I assume this applies to "server" functionality as well?

Yes.

I know Broadcom SDK is not freely available but do you perhaps have a white paper on Flow Cache? Or a description of implementation somewhere?

I have no documentation at all about it. It can be manipulated through the "fc" userspace tool. At least one improvement over CTF is you can enable/disable it without the need to reboot. There are also more finer grained options, but there's no public documentation beyond the description labels shown by the fc tool.

I know that Broadcom does "special" support for IPSEC based on references I've seen in the past within the SDK. I also know that they recently did some CPU interrupt/timing tweaks in a recent SDK update to improve OpenVPN performance. So anyone's best chance is probably for them to eventually decide to support the WG protocol within fc, assuming this is even technically possible.

This is the same problem with Cake. Cake cannot work with fc enabled because it needs direct control over flows, which flow cache, well, caches.

 

[SomeWhereOverTheRainBow]

Do you mean due to retransmissions and NAT acceleration? I'm not sure on the impact there so I can't comment. If you mean due to retransmissions and AES acceleration wireguard should still be faster.

No I mean exactly what the reply says. Maybe you should reread it for better understanding because your response to the post is genuinely out of step with what the original message was.

 

[underdose]

Went straight from 386.7_2 to 388.1_alpha1-g5fb71044da, no unusual errors in the log so far and Wireguard Client works as expected.

Thanks for your effort, RMerlin.