[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

[john9527]

One last question. My Obi VIOP still works when connected to PIA now.
It didn't used to work with the old PIA setup last year.
Something they changed or something? Just glad it still works.
Can I still use a standard speed test? Or is there a special test?

EDIT: Speed test on Comcast and PIA were the same 27Mbps

Glad you got it working.....and am happy to help out, no need to apologize (I'm sure it will also help others as well).

I can't think of a reason this change and am not aware of any other PIA change that would affect your VOIP adapter. Maybe something changed on the VOIP end?

You can use any speedtest. If you use speedtest.net, it should show your address as one belonging to one of PIAs partners, not your own ISP. A good double check that everything is working on the OpenVPN end.

 

[Lotta Cox]

I can pass the https://dnsleaktest.com/ with IPv4. Not sure if IPv6 still fails?

 

[john9527]

I can pass the https://dnsleaktest.com/ with IPv4. Not sure if IPv6 still fails?

Right now the ASUS OpenVPN only supports IPv4.....if you have IPv6 enabled it will bypass the VPN. Enabling OpenVPN IPv6 is one of the next things on my 'todo' list

 

[ColinTaylor]

Hi John,

I raised this once before but got no response, but someone mentioned it again in another thread which reminded me....

In the Firewall > Network Services Filter section, if you create a blacklist rule using "TCP ALL" it creates a rule like so in /tmp/filter_rules:

-A FORWARD -i br0 -o eth0 -p tcp --tcp-flags ALL ALL -s 192.168.1.9 -j DROP

and if you display it with iptables-save:

-A FORWARD -s 192.168.1.9 -i br0 -o eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP

This is all well and good but...

This rule makes no sense. The rule says examine ALL TCP flags (FIN,SYN,RST,PSH,ACK,URG) and drop packets that have ALL the flags set. AFAIK that will never happen.

This has come up in this forum where people have wanted to block traffic and used "TCP ALL" but found that it doesn't work. Changing to "TCP" works as expected.

I don't think this issue is specific to your fork but I haven't tried any of the other versions besides yours .

Your thoughts would be most welcome.

See "TCP Extensions" and "An Explanation of TCP Flags" : http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html#ss7.3

 

[john9527]

I don't think this issue is specific to your fork but I haven't tried any of the other versions besides yours .

Thanks for the heads up....haven't touched anything there, so it's the way it's always been. Do you know if the any of the failures you mentioned were on the later/latest Merlin levels? I'll also take a look at what it's doing there.

EDIT: So if I read things right, you would need to generate a separate rule for each flag....agree?

 

[slobodan]

About 16BG on RT-N16:

Good news: dnsmasq starting before /opt/tftproot gets mounted does no longer breaks dnsmasq functioning.

Bad news: I had this in /jffs/scripts/post-mount:

#!/bin/sh

if [ "$1" = "/tmp/mnt/Optware" ] ; then
  ln -nsf $1/entware /tmp/opt
fi

kilall -9 dnsmasq
sleep 1
dnsmasq --log-async

If I leave dnsmasq lines stay therein, dnsmasq is broken, since /etc/dnsmasq.conf cannot be found (it does not exist).

 

[john9527]

About 16BG on RT-N16:

Good news: dnsmasq starting before /opt/tftproot gets mounted does no longer breaks dnsmasq functioning.

Bad news: I had this in /jffs/scripts/post-mount:

#!/bin/sh
 
if [ "$1" = "/tmp/mnt/Optware" ] ; then
  ln -nsf $1/entware /tmp/opt
fi
 
kilall -9 dnsmasq
sleep 1
dnsmasq --log-async

If I leave dnsmasq lines stay therein, dnsmasq is broken, since /etc/dnsmasq.conf cannot be found (it does not exist).

Sorry, but I'm a bit confused.....if dnsmasq was running dnsmasq.conf must exist. Can you post a copy of your syslog?

EDIT: If the conf file is really missing, the only thing I can think of is that you are hitting a timing window where dnsmasq is being restarted by the router, which would cause the conf to be regenerated. You may need to add a delay or add a check that dnsmasq is actually running before you kill it and restart it.

 

[slobodan]

Sorry, but I'm a bit confused.....if dnsmasq was running dnsmasq.conf must exist. Can you post a copy of your syslog?

EDIT: If the conf file is really missing, the only thing I can think of is that you are hitting a timing window where dnsmasq is being restarted by the router, which would cause the conf to be regenerated. You may need to add a delay or add a check that dnsmasq is actually running before you kill it and restart it.

# grep -i dns syslog.log*
syslog.log:Jan 9 00:58:43 rc_service: ntp 578:notify_rc restart_rdnssd
syslog.log:Jan 9 00:58:43 rc_service: waiting "restart_rdnssd" via ntp ...
syslog.log:Jan 9 00:58:43 rdnssd[443]: Child process hung up unexpectedly, aborting
syslog.log:Jan 9 00:58:47 dnscrypt-proxy[441]: Refetching server certificates
syslog.log:Jan 9 00:58:47 dnscrypt-proxy[441]: Server certificate #1435874751 received
syslog.log:Jan 9 00:58:47 dnscrypt-proxy[441]: This certificate looks valid
syslog.log:Jan 9 00:58:47 dnscrypt-proxy[441]: Chosen certificate #1435874751 is valid from [2015-07-03] to [2016-07-02]
syslog.log:Jan 9 00:58:47 dnscrypt-proxy[441]: Server key fingerprint is ED19:BFBA:FAFC:9257FDC:68C7:69BF:AC24:94CD:743F:3C1D:4966:134D:FE2C:4BDC:F315
syslog.log:Jan 9 00:58:47 dnscrypt-proxy[441]: Proxying from 192.168.2.1:40 to 208.67.220.220:443
syslog.log-1:Jan 1 00:00:36 dnscrypt-proxy[441]: Refetching server certificates
syslog.log-1:Jan 1 00:00:36 dnscrypt-proxy[441]: Server certificate #1435874751 received
syslog.log-1:Jan 1 00:00:36 dnscrypt-proxy[441]: This certificate has not been activated yet
syslog.log-1:Jan 1 00:00:36 dnscrypt-proxy[441]: No useable certificates found

The point is: dnsmasq is running, but there is no /etc/dnsmasq.conf if I leave those lines in post-mount (I have since then corrected kilall to killall, same result).

 

[ColinTaylor]

Thanks for the heads up....haven't touched anything there, so it's the way it's always been. Do you know if the any of the failures you mentioned were on the later/latest Merlin levels? I'll also take a look at what it's doing there.

EDIT: So if I read things right, you would need to generate a separate rule for each flag....agree?

I checked with the guy here (http://www.snbforums.com/threads/how-to-add-remove-rules-in-filter_rules.29649/#post-229838) and he's using your fork as well. The other post I remembered from way back didn't specify which firmware he was using.

I think I see the thought processes behind that option:

If you specify an individual option, say RST, you get "--tcp-flags RST RST". This works because you're only testing 1 bit against the bitmask. The same goes for any of the other bits. Now you can also specify "ALL" or "NONE" as options. I'm guessing the person that wrote that piece of code assumed that specifying "--tcp-flags ALL ALL" would be true if one or more bits matched, whereas I believe it would only be true if all the bits matched. A simple mistake - if my understanding is correct.

If the intention is to match any of the flags then I think you are correct in that there would have to be a rule for each flag.

My main concern is that the option is confusing people. They see "TCP" and "TCP ALL" and think "I want to block all TCP so I'll choose TCP ALL" and it doesn't do what they think it does. Personally I would prefer it if that option was removed altogether as I can see no practical use for it.

* Interestingly "--tcp-flags ALL ALL" would be used to block a "Christmas tree packet" attack.

 

[john9527]

@ColinTaylor - Based on the doc link you sent I've come to the same conclusion....they assumed it was an OR comparison, not an AND comparison. I like your idea of just removing the option as the best solution.

My first thought is that I hate to add another rule by default, so if someone is concerned about the 'Christmas Tree Attack', they could just add that via a script. But I'm open to other opinions....it wouldn't be hard to add the ALL ALL rule as a default.

 

[john9527]

The point is: dnsmasq is running, but there is no /etc/dnsmasq.conf if I leave those lines in post-mount (I have since then corrected kilall to killall, same result).

There has to be something else going on....I just did the killall dnsmasq from the command line and it doesn't affect the presence of /etc/dnsmasq.conf (it was still there).

The problem I think is that your system time was reset (from Jan 9 to Jan 1). What happened in between?
Can you PM me with a link to your full syslog?

 

[ColinTaylor]

@ColinTaylor My first thought is that I hate to add another rule by default, so if someone is concerned about the 'Christmas Tree Attack', they could just add that via a script.

Agreed.

I don't think there was ever any intention for TCP ALL to be used to block Christmas Tree attacks. If there were it would have been called that and placed on Firewall > General next to Enable DoS protection. In fact, why stop there? There are half a dozen other attacks based on different flag combinations.

No, I believe that TCP ALL was included "just because you could" without any thought as to its usefulness (even if it worked as they thought).

If someone is such an advanced user that they know about such attacks they wouldn't be using such a limited option in the GUI, they'd be writing their own iptables rules.

I'm becoming more convinced that the sensible action is to remove that option. As it stands, I'm sure there are users out there that think they are blocking TCP traffic, having chosen "TCP ALL", but aren't at all!

I'd be interested to hear if anybody has ever used any of the flag options and if so, what for.

 

[rbird2]

Installed 16BD from 15E5 on a RT-66R two days ago and so far it works great with no concerns.
I have tried other firmware (ASUS updates, Merlin updates) and keep coming back to john9527's Merlin fork.
Thank you for keeping our ASUS routers running smoothly and at peak performance.

 

[Rango]

John thanks for update and implementing new features such as open vpn. Questions if i may ask.
I'm planning to get this vpn service as it has tested 87Mbps speeds which is what i have 90/12 service.
They support open vpn but would your firmware features support the router config. At first glance when i take a look it seems it does but there may be one feature that may be missing or not available so wanted to check first. Also will my ip address change with router and open vpn config or stays static?

They also have openvpn config files and certs so in theory should work but wanted to run it by you

https://vpn.ac/ovpn/

https://vpn.ac/knowledgebase/47/OpenVPN-on-TomatoUSB-Router.html

https://vpn.ac/knowledgebase/43/OpenVPN-on-DD-WRT-Router.html

This is configuration tutorial for vpn.ac vpn service threw router config. They support RT-66u but with tomato firmware.

This OpenVPN tutorial was created using TomatoUSB v. 1.28 by shibby. If you have a different release and require our help, let us know.

1. Login to TomatoUSB router's web GUI
2. Go to VPN Tunneling > OpenVPN Client
3. Under Client 1 > Basic tab, use the following settings:
Start with WAN: Check if you want the VPN to connect automatically on router restart
Interface Type: TUN
Protocol: UDP
Server Address: nl1.vpn.ac (or other, get the hostname from vpn.ac/status), port 1194 or 53, 6112
or use a server's IP address instead of hostname - recommended in case you experience problems when reconnecting, client not being able to resolve hostname.

Firewall: Automatic
Authorization mode: TLS
Username/Password Authentication: checked
insert your VPN user and pass
Username Authen. Only: checked
Create NAT on tunnel: checked
Screenshot of Basic tab with correct settings
Open the Advanced tab:
Poll Interval: 0
Redirect Internet traffic: checked
Accept DNS configuration: Exclusive
Encryption cipher: BF-CBC
Compression: Disabled
TLS Renegotiation Time: -1
Connection retry: 30
Verify server certificate (tls-remote): unchecked
Custom configuration:
persist-key
persist-tun
tls-client
remote-cert-tls server
Screenshot of Advanced tab with correct settings
Open keys tab:
Add the CA:

-----BEGIN CERTIFICATE-----
MIIDljCCAv+gAwIBAgIJANMiwLWxktowMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYD
VQQGEwJSTzEMMAoGA1UECBMDQlVDMRIwEAYDVQQHEwlCdWNoYXJlc3QxDzANBgNV
BAoTBlZQTi5BQzEPMA0GA1UECxMGVlBOLkFDMQ8wDQYDVQQDEwZWUE4uQUMxDzAN
BgNVBCkTBlZQTi5BQzEaMBgGCSqGSIb3DQEJARYLaW5mb0B2cG4uYWMwHhcNMTIx
MTI2MTI0NDMzWhcNMjIxMTI0MTI0NDMzWjCBjzELMAkGA1UEBhMCUk8xDDAKBgNV
BAgTA0JVQzESMBAGA1UEBxMJQnVjaGFyZXN0MQ8wDQYDVQQKEwZWUE4uQUMxDzAN
BgNVBAsTBlZQTi5BQzEPMA0GA1UEAxMGVlBOLkFDMQ8wDQYDVQQpEwZWUE4uQUMx
GjAYBgkqhkiG9w0BCQEWC2luZm9AdnBuLmFjMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDZ6bE44ampTNnDBqsB/J5tS41UHTkxk8sswATe7R32+mn87hwLzfhz
uRP4sRPLKTcM+7zGgfgyMU2wvF2N1+4Vyr+BxTRNKZIuGvoUwqFvOU7kGMrSW4Hx
R2Z1dr+IVhtDGYg3C3zHZcRDOMZZzufG1rxl0rWBF8atkkvwhWwIRQIDAQABo4H3
MIH0MB0GA1UdDgQWBBQE14ZZ8yiLb6jsy9j8168FwkhNEzCBxAYDVR0jBIG8MIG5
gBQE14ZZ8yiLb6jsy9j8168FwkhNE6GBlaSBkjCBjzELMAkGA1UEBhMCUk8xDDAK
BgNVBAgTA0JVQzESMBAGA1UEBxMJQnVjaGFyZXN0MQ8wDQYDVQQKEwZWUE4uQUMx
DzANBgNVBAsTBlZQTi5BQzEPMA0GA1UEAxMGVlBOLkFDMQ8wDQYDVQQpEwZWUE4u
QUMxGjAYBgkqhkiG9w0BCQEWC2luZm9AdnBuLmFjggkA0yLAtbGS2jAwDAYDVR0T
BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA3jbSdw0ShUj3yV9LlW//MutZpQc67
bXexaRrLvbDgFywOE5jdIeYMQzn3T4/Uj17B6qHZjFwWIkiE7Q2a1ShmHwFFq4pS
NfDo/CDdcNRbQU7r8T4XorwVYGPmdxRVoZtejOb510lY5AP6P0pSBshC3zjTLpPi
qRI4JvSeZc4/ww==
-----END CERTIFICATE-----

 

[Rango]

Also is BF-CBC blowfish secure enough or is that cipher considered insecure already since i see a lot of people use AES ?

Is 128 strenght enough?

Sorry if i'm asking obvious to some question but I'm novice in encryption and vpn. If anyone has suggestion on fast vpn service as alternative to what i found that can do 90/12 Mbps please suggest. Thank you in advance.

 

[Nullity]

I'd be interested to hear if anybody has ever used any of the flag options and if so, what for.

A popular use of traffic-shaping is to prioritize TCP ACKs. The OpenBSD pf even has the feature integrated. With Linux though, I think you need to explicitly configure it.

I am not involved enough with firewalling to understand why the flags would be used. I just let the stateful firewall worry about that.

(I hope I understood your question.)

 

[ColinTaylor]

Thanks @Nullity

I was really asking about the specific options that are available in the routers GUI. Namely, dropping or allowing a packet based on 1 individual bit being set. (Sorry I didn't make that clear)

 

[cobrax3]

hey guys, please help me a bit
ive setup openvpn for my phone, it works fine, but i can't access the lan from it. tried all options on/off, nothing. i also tried with tomato, it didnt work with it either. is there some parameters/routes i have to add manually?
thank you

 

[shooter40sw]

Hi guys, I´ve been on merlins code from day one with my RT66U, Im on the latest build 380.57, but wireless is working terrible the range is very weak, and I remeber the router did have better signal a long time ago, so does this fork support DNSSEC?, entware?, I already read the firts post so I know I will lose some GUI updates. But is there anything else I should know before jumping and testing this?, I also use lonelycoders ad blocking, dnscrypt, openvpn, remote ssh tunnels , dnsmasq logging, bandwith limiter
Any information that can be supplied other than the first post thanks

 

[john9527]

Any information that can be supplied other than the first post thanks

Everything on your list should work except for....
* DNSSEC - just released with 380.57, and to be honest I really haven't looked at what it would take to add it or had any requests for it
* bandwidth limiter - this from ASUS, and is on my list to try and backport for a future release
* openvpn server and client instances still limited to 2 each instead of 5, and not likely to change (the client supports Merlin's policy based routing)