
[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

Update-17E8
  • Rewrite VPN exclusive mode 'Only VPN clients use VPN DNS' option
    There are some differences between the main Merlin branch now and this fork, and I didn't like how this was behaving. Changed the implementation somewhat and I think it's much better now.
    Note that this option and any Parental Controls/DNS Filter options will bypass some custom addons, like AB-Solution, for some clients. This is true for the main Merlin releases as well.
All my VPN Profiles no longer work. After spending hours getting the DNS option figured out with the last firmware update (just learning how all the various DNS worked), I have no DNS with the settings I was previously using in 17E5. However, in reading your change logs, I don't understand what changes you've made. Could you elaborate on how you rewrote the 'Exclusive Mode'? I'd really rather not have to go through and relearn everything with the trial and error method I used last time.

BTW, my VPN provider is IPVanish and everything had been working perfectly in 17E5. I'm sure once I understand what you changed in 17E8, I'll be able to get my VPN working again.
 
Release V17E8 is now available... There were a couple of fixes I wanted to get out prior to the next major release.
Unless a significant issue is found, I expect this to be the last update in the V17 series. V18 will be next... in about 8 weeks.

LATEST RELEASE: Update-17E8
9-April-2016
Merlin fork 374.43_2-17E8j9527
Download http://1drv.ms/1uChm3J
============================

Update-17E8
  • Dropbear: validates xauth input (security fix from upstream) - was only exposed to people you have already given SSH access to
  • Dropbear: disable X11 forwarding support (security fix) - was only exposed to people you have already given SSH access to
  • No longer flush the mangle table on QOS start, just delete any existing QOS rules
    This will help cure some 'mysterious' loss of iptables mangle rules, both firmware and user added
  • Rewrite VPN exclusive mode 'Only VPN clients use VPN DNS' option
    There are some differences between the main Merlin branch now and this fork, and I didn't like how this was behaving. Changed the implementation somewhat and I think it's much better now.
    Note that this option and any Parental Controls/DNS Filter options will bypass some custom addons, like AB-Solution, for some clients. This is true for the main Merlin releases as well.
  • Source address field added to Port Forwarding system log page
  • Fix for enhanced httpd status watchdog incorrectly shutting down on the first failure/recovery
  • Fix for Native DHCP addresses sometimes failing to renew successfully - @LiFePO4
  • Fix for Traditional QOS gui issues in modifying or deleting user rules - @Grump
  • Fix for client names not showing in Parental Controls selection pulldown

Enjoy!


Thanks, I upgraded from 17E5 to this but it broke my VPN client on the router (AC68U). Downgrading back to 17E5 fixed the issue, VPN works again.

Darrin.
 
All my VPN Profiles no longer work. After spending hours getting the DNS option figured out with the last firmware update (just learning how all the various DNS worked), I have no DNS with the settings I was previously using in 17E5. However, in reading your change logs, I don't understand what changes you've made. Could you elaborate on how you rewrote the 'Exclusive Mode'? I'd really rather not have to go through and relearn everything with the trial and error method I used last time.

BTW, my VPN provider is IPVanish and everything had been working perfectly in 17E5. I'm sure once I understand what you changed in 17E8, I'll be able to get my VPN working again.
The change is actually harder to explain than it was to implement....

- First, the change is only when you select VPN DNS 'Exclusive' mode AND check the 'Only VPN clients use VPN DNS' checkbox. Without checking the box, everything is the same as it's been in every prior release (including 17E5)

Now for the change at a high level with the checkbox checked...

V17E5 - dnsmasq (the router) acted as the DNS server for NON-VPN clients, and VPN Clients were routed directly to the VPN DNS server bypassing the router dnsmasq

V17E8 - it's reversed. dnsmasq (the router) is acting as the DNS server for the VPN clients. NON-VPN clients are routed around the router directly to your ISP's DNS servers (or whatever DNS server you specified in normal gui DNS setup).

The only place I can think of where this may affect things, is if you are also using Parental Controls/DNS Filter to also do DNS routing, in which case the definition of router would change. But with the new implementation, the definition of 'router' would be consistent with when a VPN was active and Exclusive mode set on for all the fork releases prior to V17.
 
Thanks, I upgraded from 17E5 to this but it broke my VPN client on the router (AC68U). Downgrading back to 17E5 fixed the issue, VPN works again.

Darrin.
I'm running a VPN client and tested multiple setups also without problems. Please post your VPN setup and syslog when the VPN server is starting (including the dnsmasq entries).
 
The change is actually harder to explain than it was to implement....

The only place I can think of where this may affect things, is if you are also using Parental Controls/DNS Filter to also do DNS routing, in which case the definition of router would change. But with the new implementation, the definition of 'router' would be consistent with when a VPN was active and Exclusive mode set on for all the fork releases prior to V17.
Great minds think alike...

Your revised implementation is EXACTLY the way I thought things were supposed to work. The reason I had to invest so much time with the prior implementation was to try and figure out how things were working and, then, how to make them work the way I wanted. As you surmised, I had the "Only VPN clients use VPN DNS**" box checked and was using Parental Controls/DNS Filters to make things work the way I needed. After your detailed explanation (thanks for taking the time to do so!), I can now remove DNS Filtering and simplify my setup, somewhat.

Thanks, again, to you and Merlin for sharing your valuable work with us mere mortals!
 
Now for the change at a high level with the checkbox checked...

V17E5 - dnsmasq (the router) acted as the DNS server for NON-VPN clients, and VPN Clients were routed directly to the VPN DNS server bypassing the router dnsmasq

V17E8 - it's reversed. dnsmasq (the router) is acting as the DNS server for the VPN clients. NON-VPN clients are routed around the router directly to your ISP's DNS servers (or whatever DNS server you specified in normal gui DNS setup).

The only place I can think of where this may affect things, is if you are also using Parental Controls/DNS Filter to also do DNS routing, in which case the definition of router would change. But with the new implementation, the definition of 'router' would be consistent with when a VPN was active and Exclusive mode set on for all the fork releases prior to V17.
I guess I didn't understand things as well as I first thought. I can't get my DNS settings to operate the way I'd like. Perhaps you can guide me. What I'm looking for is the following:
  • I'm redirecting only specific clients on the network to route through the VPN using policy rules. Only clients specified in the list are being routed through the VPN.
  • I have it set to block routed clients if the tunnel goes down.
  • I want ALL clients in the VPN tunnel to use the DNS provided by the VPN
  • I want all other clients (outside the VPN tunnel) to use my specified 3rd party DNS service (Level 3, OpenDNS, Google, etc.)
Can you recommend settings to achieve what I'm looking for? And, where is the best place to place my 3rd party DNS Server IP addresses? (Policy Rules, LAN, or WAN?)

Also, since "Only VPN clients use VPN DNS**" doesn't really function as it's described, is there a better way to label it?
 
I guess I didn't understand things as well as I first thought. I can't get my DNS settings to operate the way I'd like. Perhaps you can guide me. What I'm looking for is the following:
  • I'm redirecting only specific clients on the network to route through the VPN using policy rules. Only clients specified in the list are being routed through the VPN.
  • I have it set to block routed clients if the tunnel goes down.
  • I want ALL clients in the VPN tunnel to use the DNS provided by the VPN
  • I want all other clients (outside the VPN tunnel) to use my specified 3rd party DNS service (Level 3, OpenDNS, Google, etc.)
Can you recommend settings to achieve what I'm looking for? And, where is the best place to place my 3rd party DNS Server IP addresses? (Policy Rules, LAN, or WAN?)

Also, since "Only VPN clients use VPN DNS**" doesn't really function as it's described, is there a better way to label it?

The problem with options....they can sometimes fight with one another if you aren't careful :)

Let's try through example....

First, don't enter any servers under LAN > DHCP Servers. This causes those server addresses to be sent directly to the clients and overrides everything else. Leave the 'Advertise router's IP in addition to user-specified DNS' set to the default of Yes.

Case 1
- Client1 uses VPN (and VPN DNS servers)
- All other clients bypass the VPN (but also use the VPN DNS Servers)
- Settings:
  • Add Client1 to the policy based routing with Iface set to VPN
  • Accept DNS set to Exclusive
  • 'Only VPN clients use VPN DNS' NOT checked
  • Parental Controls/DNS Filter is off

Case 2
- Client1 uses VPN (and VPN DNS servers)
- All other clients bypass the VPN (but you want them all to use your ISP or other specified DNS Servers)
- Settings:
  • Add Client1 to the policy based routing with Iface set to VPN
  • Accept DNS set to Exclusive
  • 'Only VPN clients use VPN DNS' IS checked
  • Parental Controls/DNS Filter is off
  • The clients not using the VPN will use the server under the WAN DNS settings (either the ISP's if 'Connect to DNS Server automatically' is Yes, or the manually entered one if it is set to No). If you want everyone besides the VPN to use OpenDNS for example, here's where you would enter those servers.

Case 3
- Client1 uses VPN (and VPN DNS servers)
- Client2 bypasses the VPN but uses OpenVPN DNS server
- All other clients bypass the VPN (but you want them all to use your ISP or other default DNS Servers)
- Settings:
  • Add Client1 to the policy based routing with Iface set to VPN
  • Accept DNS set to Exclusive
  • 'Only VPN clients use VPN DNS' IS checked
  • Parental Controls/DNS Filter is On, 'Global Filter Mode' is set to 'No Filtering' (Checking the box on the VPN page essentially sets the Global Filter mode - I'll probably force this option in the next release if the 'Only VPN clients....' box is checked)
  • Select the client2 info and desired DNS in the DNS Filter settings
  • The rest of the clients not using the VPN will use the server under the WAN DNS settings (either the ISP's if 'Connect to DNS Server automatically' is Yes, or the manually entered one if it is set to No). This is where to enter your default DNS servers.
Also, since "Only VPN clients use VPN DNS**" doesn't really function as it's described, is there a better way to label it?
I think it will work as advertised unless it gets 'short-circuited' somehow.

Hope this helps.....
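To make the three cases above checkable, here is an added model of the 17E8 decision logic as the thread describes it (this is constructed example code, not the fork's firmware). It assumes a 'client' is just a name, that the VPN pushes one DNS server, and it covers only Accept DNS = Exclusive, since that is the only mode the post explains.

```python
from dataclasses import dataclass, field


@dataclass
class RouterDnsConfig:
    """Constructed model of the GUI settings named in the thread."""
    lan_dhcp_dns: list = field(default_factory=list)     # LAN > DHCP Server DNS entries
    wan_dns: list = field(default_factory=list)          # WAN DNS entries; [] = ISP-assigned
    vpn_dns: list = field(default_factory=list)          # servers pushed by the VPN provider
    vpn_clients: set = field(default_factory=set)        # policy-routed clients, Iface = VPN
    accept_dns_exclusive: bool = True                    # Accept DNS = Exclusive
    only_vpn_clients_use_vpn_dns: bool = False           # the checkbox the thread is about
    dns_filter_on: bool = False                          # Parental Controls / DNS Filter
    dns_filter_clients: dict = field(default_factory=dict)  # client -> DNS Filter server


def resolver_for(client: str, cfg: RouterDnsConfig) -> str:
    """Return the upstream DNS server a client's queries end up at (17E8 rules)."""
    # LAN > DHCP Server entries are handed straight to clients and override everything.
    if cfg.lan_dhcp_dns:
        return cfg.lan_dhcp_dns[0]
    if not cfg.accept_dns_exclusive:
        raise ValueError("only Accept DNS = Exclusive is described in the thread")
    # Case 1: checkbox unchecked -> every client, VPN or not, uses the VPN DNS.
    if not cfg.only_vpn_clients_use_vpn_dns:
        return cfg.vpn_dns[0]
    # Checkbox checked: dnsmasq on the router now serves only the VPN clients.
    if client in cfg.vpn_clients:
        return cfg.vpn_dns[0]
    # Case 3: a per-client DNS Filter entry overrides WAN DNS for that client.
    if cfg.dns_filter_on and client in cfg.dns_filter_clients:
        return cfg.dns_filter_clients[client]
    # Case 2: everyone else goes around the router to the WAN DNS; only the
    # first WAN entry is really used, as noted later in the thread.
    return cfg.wan_dns[0] if cfg.wan_dns else "ISP-assigned"


def case_table(cfg: RouterDnsConfig, clients: list) -> dict:
    """Map each client name to its resolver, for eyeballing a whole LAN at once."""
    return {c: resolver_for(c, cfg) for c in clients}


if __name__ == "__main__":
    # Constructed sample: Level3 (4.2.2.2, as used in the thread) as WAN DNS,
    # a placeholder VPN DNS, Client1 policy-routed through the VPN.
    cfg = RouterDnsConfig(wan_dns=["4.2.2.2"], vpn_dns=["vpn-dns.example"],
                          vpn_clients={"Client1"}, only_vpn_clients_use_vpn_dns=True)
    print(case_table(cfg, ["Client1", "Client2", "Client3"]))
```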
 
I have 2 rt-ac68u's. One is a router, the other is set up as a bridge. Updating this firmware before has not been a problem. Today I updated it on the router (V17E8) - went OK. When I updated it on the bridge (using the same computer) it said reboot router manually. I unplugged the bridge and then reconnected it and could not access the GUI. I tried resetting the bridge by using the power and reset button, and power and WPS button. It got the fast blink but did nothing. I still can't access it and there is no internet connection through it now. Is there some way to fix this? Thanks.
 
Is there some way to fix this? Thanks.
It's very tough to brick an AC68U (I only remember 1 confirmed case, on an overclocked router).

If after holding WPS+Power > fast blink > wait 5 sec > release WPS > it should reboot
(remember this will set things back to defaults, router mode, DHCP server active and default 192.168.1.1 address, so make sure it's disconnected from the network so as not to conflict with your main router). Also, if you have anything plugged into the USB ports, unplug them first.

If that doesn't bring it back, I would connect it directly to a computer via Ethernet and try the ASUS Firmware restoration utility (from the ASUS support site, here under Utilities).
https://www.asus.com/us/Networking/RTAC68U/HelpDesk_Download/
 
The problem with options....they can sometimes fight with one another if you aren't careful :)

Let's try through example....

First, don't enter any servers under LAN > DHCP Servers. This causes those server addresses to be sent directly to the clients and overrides everything else. Leave the 'Advertise router's IP in addition to user-specified DNS' set to the default of Yes.

Case 2
- Client1 uses VPN (and VPN DNS servers)
- All other clients bypass the VPN (but you want them all to use your ISP or other specified DNS Servers)
- Settings:
  • Add Client1 to the policy based routing with Iface set to VPN
  • Accept DNS set to Exclusive
  • 'Only VPN clients use VPN DNS' IS checked
  • Parental Controls/DNS Filter is off
  • The clients not using the VPN will use the server under the WAN DNS settings (either the ISP's if 'Connect to DNS Server automatically' is Yes, or the manually entered one if it is set to No). If you want everyone besides the VPN to use OpenDNS for example, here's where you would enter those servers.

Hope this helps.....
First of all... WOW! The instructions you gave were simple, explicit, and easy to follow. Thanks for taking so much time on this!

That said, I'm still not getting DNS to work with my setup. I'm trying to achieve scenario #2 (as quoted above). Perhaps there's something I've missed or overlooked. The spoiler below contains my current settings that are not working. As a reminder, I was successfully doing what I wanted in 17E5, but I was using DNS Filtering. It'd be nice to not have to use it, but I'll do what I need to get things working again.

EDIT: I forgot to mention I'm using an AC68U Router.

DNS Filtering (OFF)
ALL DNS Filtering is OFF. The board wouldn't let me upload the picture because a message can't contain more than 3 images.

[Screenshot: LAN DNS Settings]

[Screenshot: WAN DNS Settings]

[Screenshot: VPN Settings]
 
That said, I'm still not getting DNS to work with my setup. I'm trying to achieve scenario #2 (as quoted above).
Everything looks right. For the sake of completeness, it bears mention that the non-VPN clients will only really use the first DNS that you enter (we're not trying to write a new type of dnsmasq here, just like DNS Filter is only one DNS server per entry - same with Merlin).

How are you testing what DNS server you are using? I use dnsleaktest.com. Using 4.2.2.2 (Level3) as the address in the first slot of the WAN DNS settings, I get this on my non-VPN clients. (The big DNS providers will automatically redirect to multiple servers for load balancing).

[Screenshot: dnsleaktest.com result for a non-VPN client]

Also, as you change settings, you need to completely close and restart your browser (or it will cache the last DNS server address and not see the changes).
 
No new modem, just changed the IP address it connects to (so they said) to point to new servers. Dunno, because as I said I was already getting 500/600 before they did anything. And I can get those speeds (even 850/900) direct connected to the modem. Maybe I will downgrade to 16 and see what happens (after your recommendation :)). Thanks John!
So downgraded to v17e5, then 16e1, then 14 and no change. Cleared NVRAM a few times, no help. Just 200mb was the max I could get in speedtest while on LAN via router, 650-900 direct to modem. Finally flashed ASUS latest stock version 378.9533 and it's fixed; 650-660 were the last tests I ran connected to the router (wired). So who knows what happened, but no version of this fork would make it go more than 195-200 over LAN, and my 5GHz AC was around 170-240 max, now getting 310 at last test. Almost afraid to re-flash back to the fork now :( Maybe I will test the stock for a few days. Been forever since I was on ASUS stock firmware. Anyone have any thoughts?
 
Anyone have any thoughts?
Puzzling indeed....it almost sounds like CTF was disabled (MIPS router will usually top out in the 150's with it off). Per IP monitoring, either of the QoS options (traditional or bandwidth limiter) or attaching a USB modem will automatically turn it off. If you try again, double check the status on the Tools page.

Second thing is to look at your WAN IP addresses. For me, I used to have the same address 'forever'. For the past several months, as my ISP has been upgrading its network, I'd say I pull a different address over 1/2 the time when I reboot. And I do notice that some addresses perform better than others.
 
Puzzling indeed....it almost sounds like CTF was disabled (MIPS router will usually top out in the 150's with it off). Per IP monitoring, either of the QoS options (traditional or bandwidth limiter) or attaching a USB modem will automatically turn it off. If you try again, double check the status on the Tools page.

Second thing is to look at your WAN IP addresses. For me, I used to have the same address 'forever'. For the past several months, as my ISP has been upgrading its network, I'd say I pull a different address over 1/2 the time when I reboot. And I do notice that some addresses perform better than others.
Interestingly enough, during the testing I did toggle NAT acceleration off then back on, and the 1st test I ran over AC wifi increased. I was going to post that it seems CTF wasn't working and toggling CTF seems to have solved it. But it stopped again, so I figured it was just coincidence. But you may be onto something. That did seem to change it at least temporarily. I am running a basic router, no QoS or VPN, etc. Just a basic wifi router with mostly wireless devices (phones, tablets, laptops). Straightforward, not a lot of deviation from default. So apparently something went haywire during flashing that re-flashing the same fork wouldn't resolve. Anyway thanks for the input (and this fork). I will update when I decide to reflash it again.
 
@john9527 - Does this update have the nvram set fw_nat_loopback=1 fix in it, or do I have to wait for the V18 update?
 
Hi John - happy to report 17E8 is going strong and IPV6 (Comcast) is working great (so far; fingers crossed o_O). Thank you very much!!! I have been using your fork from day one (and Merlin prior).

P.S. I have searched high and low on IPV6 MTU and there is no one answer for the best setting (outside of the MIN 1280). I found one mention somewhere about Comcast IPV6 MTU being the same as their IPV4 of 1500, although elsewhere people say the IPV6 MTU has to be less than IPV4 for overhead. I have found 1432, 1360, lots of 1280, etc.

I have set my MTU at 1500 and run some tests and it seems fine. I would like to know what others are doing or what is the right answer.
 