[Experimental] Asuswrt-Merlin 384.13 test - AiMesh/DNSSEC through OpenSSL

Status
Not open for further replies.
Can someone tell me if aimesh extends guest networks as well?
 
Can someone tell me if aimesh extends guest networks as well?
It does not, because of the nature of how the router guest network behaves vs. how an AP guest network behaves.
 
Thanks a lot to point me in the right direction. I will check on GitHub next time ;) Sorry I'm just a newbie with Asuswrt-Merlin.

The used GPL is always documented in the Changelog file.
 
Can someone tell me if aimesh extends guest networks as well?
You could add guest WiFi on AiMesh nodes via SSH, but clients connected to it on nodes will have full access, same as on the main SSID; the master won't see the difference!
Same behavior as running AP-mode on nodes.
 
Regarding https://rootcanary.org/test.html test behavior.
Browser tries to resolve secure.dNaNnN.rootcanary.net & bogus.dNaNnN.rootcanary.net domains.
After that, the following happens:
1. If bogus.* was resolved - test concludes resolver doesn't validate answers (yellow)
2. If bogus.* was not resolved but secure.* was - test concludes resolver performs validation. (green)
3. If bogus.* was not resolved and secure.* was not too - test concludes resolver doesn't support algo in general. (red)

So, if upstream DNS performs validation on its own (i.e cloudflare) - bogus.* requests will not be validated upstream and therefore will not be replied to dnsmasq, and in turn - to client too.
Therefore test will be unable to test dnsmasq against 1st case at all (dnsmasq / client have no bogus.* reply), instead it actually will be test of upstream DNS server.
Inasmuch as it's so confusing how DNSSEC works for me, do you recommend enabling DNSSEC in the case 1 scenario or not? In case 1 it seems dnsmasq validation is non-functional, is that the case?
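
The three outcomes listed in the post above, modelled as an added example (not part of the original thread and not code from rootcanary.org or Asuswrt-Merlin). The function names and the two-hop path (upstream resolver, then dnsmasq, then browser) are assumptions made for illustration; the model shows that when the upstream resolver already validates, the page's verdict is the same whether dnsmasq validation is on or off.

```python
from itertools import product


def verdict(secure_resolved: bool, bogus_resolved: bool) -> str:
    """Map the two lookups to the colour the test page reports."""
    if bogus_resolved:
        return "yellow"  # case 1: nothing on the path validates
    if secure_resolved:
        return "green"   # case 2: something on the path validates
    return "red"         # case 3: algorithm not supported at all


def run_test(upstream_validates: bool, dnsmasq_validates: bool):
    """Simulate the browser test through upstream -> dnsmasq -> client.

    Returns (verdict, hop that rejected the bogus answer, or None).
    Assumption: the algorithm under test is supported, so secure.* resolves.
    """
    if upstream_validates:
        rejected_by = "upstream"  # bogus.* never reaches dnsmasq
    elif dnsmasq_validates:
        rejected_by = "dnsmasq"
    else:
        rejected_by = None
    return verdict(True, rejected_by is None), rejected_by


def verdict_reveals_dnsmasq(upstream_validates: bool) -> bool:
    """True if toggling dnsmasq validation changes what the page shows."""
    with_validation, _ = run_test(upstream_validates, True)
    without_validation, _ = run_test(upstream_validates, False)
    return with_validation != without_validation


if __name__ == "__main__":
    for up, dm in product([True, False], repeat=2):
        colour, hop = run_test(up, dm)
        print(f"upstream={up!s:5} dnsmasq={dm!s:5} -> {colour:6} "
              f"(bogus rejected by: {hop})")
```
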
 
Set up AIMesh between my RT-AC86U & RT-AC68U (node), seemed to work fine; however, I then realized there is no way to turn guest networks on or add disks to be servers on the node. So I reverted back to standard AP mode because I need both of these operational from my AP.

Should I turn AIMesh software off on my RT-AC86U? If so, how do I do this?
 
It does not, because of the nature of how the router guest network behaves vs. how an AP guest network behaves.
Can I accomplish the same thing by flipping the guest networks for the main networks and setting the "AP to Isolated" and allowing access to LAN on the newly named guest networks? Follow me?
 
Set up AIMesh between my RT-AC86U & RT-AC68U (node), seemed to work fine; however, I then realized there is no way to turn guest networks on or add disks to be servers on the node. So I reverted back to standard AP mode because I need both of these operational from my AP.

Should I turn AIMesh software off on my RT-AC86U? If so, how do I do this?
Read Merlin's post on the first page: https://www.snbforums.com/threads/e...esh-dnssec-through-openssl.57489/#post-503479
And there is a way, if you would read this, if it fits your needs: https://www.snbforums.com/threads/e...ssec-through-openssl.57489/page-5#post-503679
With AP-mode your guests have full access to main router too (by default)!
 
upload_2019-7-10_14-38-8.png

I suppose you could restrict access to the AP using this, maybe, IDK though; maybe a method can be replicated to do something similar to this.

Also, if you know how to use iptables it should be easy enough to implement rules to drop traffic coming from specific IPs to the destination IP and port of the webui.

And also, setting AP isolated keeps the devices from communicating with each other.

I mean, that is mostly a lot of what the YazFi script does: iptables and ebtables rules.
 
I think this is due to a problem with the DNSSEC at their end. The domain sa.gov.au looks OK, but that site redirects you to www.sa.gov.au which according to Verisign is not so OK.

Good catch!
This site is the only one I have bother with, & disabling DNSSEC makes everything happy.
I’ve tested it extensively, disabling scripts, AiProtect, dns rebind etc etc, but DNSSEC is the gold medallist ;-)
 
I may have missed something, think I read the whole thread. After flashing do I just disable DoT and let it do its thing? Won't need mesh but prefer the DoT bypass. Maybe I missed the point of this Alpha.
 
I may have missed something, think I read the whole thread. After flashing do I just disable DoT and let it do its thing? Won't need mesh but prefer the DoT bypass. Maybe I missed the point of this Alpha.

DoT status not the issue here, enable or disable to suit your own requirements.
This alpha's main point is the experimental enhancement of both the DNSSEC function, & the addition of AiMesh.
 
I may have missed something, think I read the whole thread. After flashing do I just disable DoT and let it do its thing? Won't need mesh but prefer the DoT bypass. Maybe I missed the point of this Alpha.
The changes offered up in this alpha have nothing to do with whether you should or shouldn't use DoT.
 
DoT status not the issue here, enable or disable to suit your own requirements.
This alpha's main point is the experimental enhancement of both the DNSSEC function, & the addition of AiMesh.
DNSSEC's effectiveness is enhanced so part of the benefit of DoT is unnecessary, is that a better interpretation of it?
 
DNSSEC's effectiveness is enhanced so part of the benefit of DoT is unnecessary, is that a better interpretation of it?

As others have said, DoT has nothing to do with DNSSEC; they offer two completely different, complementary security layers.
 
As others have said, DoT has nothing to do with DNSSEC; they offer two completely different, complementary security layers.
You mentioned not using DoT personally, so I thought this version might be a substitute in some way. Referring to post #19.
 
Well, I give up. Cannot get AX88U and AC68U to mesh wirelessly. Even with stock firmware. Works with Ethernet connection but not without it. Thought I had it working after adding the node with a cable, took it out to my shop and it connected, but any clients trying to connect on the 2.4 would not get any internet. 5 GHz and LAN connections worked.
Think I'll try an AC86U and see if that works.
 
Works fine with the alpha :) thank you, @RMerlin

@Gitsum,

Set both to factory reset. Then Merlin alpha on the main router and on the node the stock firmware. Then make an Aimesh connection over WiFi (you want that anyway?). Both routers must then stand side by side for the connection. Does it work afterwards?

Is the roaming option on? that the connection is lost because the node is farther away than is set there?
 