[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

[john9527]

@jrmwvu04 Your File Transfer value should be 2048~, because the 0~2048 on Web Surf is translated as 0 to 2097151 bytes (2048k -1 byte).

Good catch

As Colin points out, the firmware automatically subtracts 1 byte from the upper limit so you can use the same value for the next rule lower limit in the case of cascading rules.

 

[jrmwvu04]

@jrmwvu04 Your File Transfer value should be 2048~, because the 0~2048 on Web Surf is translated as 0 to 2097151 bytes (2048k -1 byte).

Good catch

As Colin points out, the firmware automatically subtracts 1 byte from the upper limit so you can use the same value for the next rule lower limit in the case of cascading rules.

And here I thought I was being crafty. Many thanks.

 

[fink.nottle]

What are your 'base' upload/download speeds? Also, check in the detail from the bufferbloat test to see if one or the other is having problems. If you have a relatively low ISP bandwidth, sometimes their 'throttling' algorithms can wreak havoc with bufferbloat that can't be managed.

Base values are 120/12 (comcast). This is the baseline run without any QoS (on wifi). Wifi subtracts about 10 Mbps for my tests. I get full 120 in ethernet tests.

http://www.dslreports.com/speedtest/8715410

There are the results after enabling QoS, and setting limits as 100/10

http://www.dslreports.com/speedtest/8715806

Limiting to 90/9

http://www.dslreports.com/speedtest/8715990

Limiting to 80/8
http://www.dslreports.com/speedtest/8716089

As you can see, the caps seem to reduce the speeds, but not bufferbloat.

@jrmwvu04 , did you have bufferbloat in the speedtest before QoS ?

 

[jrmwvu04]

@jrmwvu04 , did you have bufferbloat in the speedtest before QoS ?

I also have 120/12 Comcast.

Result with no qos:

Result with my aforementioned (and now fixed) qos settings:

 

[john9527]

@fink.nottle
Just have to double check based on your results....but you did change the units from Kb/s to Mb/s when specifying the limits?

 

[john9527]

But I just noticed that by hitting Apply on the Administration > System page you also loose the current syslog history file.

Going to give you the award for the best bug finder

Found it....another one of those 'been like that forever' (and still like that in Merlin) problems. Will pick up the fix for the next update.

 

[john9527]

That reminds me. During the initial setup, you can't copy paste the admin password in the fork. Kinda annoying if you use a password manager. Can this be changed ?

The problem is that allowing paste bypasses at least some of the checks on the password, including its length. But reviewing how to make sure an overly long password isn't entered in on my todo list, and I'll look for a way to support paste.

 

[Trebuin]

John,
Thanks for your help & advice. I might have identified the cause of the random resets & it likely is what affected Merlin's build when I tried to go up to that.

I recently moved my DirecTV box LAN connection from the second wifi transmitter to the AC66U...which happens to be around the same time I experienced the constant reboots. I read a bit into my code that identified something external causing the router to reboot.

I also recalled my Apple Airport TC producing a lot of faults related to the DirecTV box & that also clued me in. I pulled the LAN cable completely off & will run a network logger on it for about a day to verify my theory before I elevate this to be looked at & fixed.

I read in some posts that the newer boxes use STP due to their MOCA configuration. Have you tracked anything related to these boxes in the past? If I do verify the box is the cause of the problem, I'll create a new thread & get Merlin involved, time permitting for all of us. I'll have to spin up my Apple Router again to pull the logs for you guys, but that is if I am correct. Until then, let me know if you have any ideas/things to try/things to look at until then, & have a good night!

 

[punchsuckr]

Hey John, I was trying out dnscrypt and enabled it in the settings, with resolver1 and 2 to adguard but the adguard website still says I am not using it. Also filled in the dns entries for adguard, rebooted (router and pc) but still their website says I am not using their service. Drawing a blank here...

EDIT: Tested with family protection and website gets blocked by adguard. It's probably their dns detection which isn't working.

 

[john9527]

the adguard website still says I am not using it.

I tried it and got the same answer from their check website.....but it was obviously working. They might also be doing something that checks for the their app.

 

[fink.nottle]

@fink.nottle
Just have to double check based on your results....but you did change the units from Kb/s to Mb/s when specifying the limits?

Yes, I changed the units to Mbps. I also know that tomato works much better for bufferbloat for my case. Does tomato have some sort of default settings that can be transferred over to the QoS here (assuming the fq_codel implementations are similar enough) ?

 

[ColinTaylor]

@fink.nottle If you post the output of the following command we might be able to spot something.

nvram show | grep qos | sort

I'd also suggest that you change the default settings on DSLReports. Try testing from a single server that is closest to you, No. download streams = 3, No. upload streams = 1, enable Don't Geo-locate and Port 80 only.

I found that quite often the default settings will choose bad servers with poor response times, this gives variable and inaccurate results.

 

[Trebuin]

John,
8 hours up & still running perfectly. Read below if you didn't get a chance.

John,
Thanks for your help & advice. I might have identified the cause of the random resets & it likely is what affected Merlin's build when I tried to go up to that.

I recently moved my DirecTV box LAN connection from the second wifi transmitter to the AC66U...which happens to be around the same time I experienced the constant reboots. I read a bit into my code that identified something external causing the router to reboot.

I also recalled my Apple Airport TC producing a lot of faults related to the DirecTV box & that also clued me in. I pulled the LAN cable completely off & will run a network logger on it for about a day to verify my theory before I elevate this to be looked at & fixed.

I read in some posts that the newer boxes use STP due to their MOCA configuration. Have you tracked anything related to these boxes in the past? If I do verify the box is the cause of the problem, I'll create a new thread & get Merlin involved, time permitting for all of us. I'll have to spin up my Apple Router again to pull the logs for you guys, but that is if I am correct. Until then, let me know if you have any ideas/things to try/things to look at until then, & have a good night!

 

[czekker]

just upgraded my RT-N16 to v374.43_2-22E3j9527 - so far so good..

the only thing that bugs me is NVRAM usage: 29612 / 32768 bytes (90% utilized)
i use MAC filter list, DHCP list and DNS Filtering.
top 20 is below - any ideas what could i do about it?

size: 29612 bytes (3156 left)
1089 sshd_hostkey
774 dhcp_staticlist
624 sshd_dsskey
359 wl0_maclist_x
358 wl_maclist_x
338 sshd_ecdsakey
311 dnsfilter_rulelist
233 rc_support
227 wl0_maclist
226 wl_maclist
222 filter_lwlist
120 qos_rulelist
85 asus_device_list
69 url_rulelist
68 http_clientlist
66 apps_ipkg_server
61 qos_orates
53 buildinfo
51 acc_list
47 ct_tcp_timeout

 

[Mr_Andy]

Hi
updated my Asus RT-N66u tonight from 20e9 to 22e2 this evening. flashed and rebooted ok but had a few issues with dnscrypt:

thought I'd have a try at enabling dnscrypt. I enabled it and selected various different dnscrypt resolvers but each time my DNS was still resolving from OpenDNS (208.67.220.220 / 208.67.200.200) which is configured on the WAN page. so even though dnscrypt was enabled it wasn't being used ? did some further digging, I had to disable "Enable DNS based Filtering" on the Parental control section. Usually I have this 'On' and pointing at 'Router' to ensure all DNS traffic goes via the router and people can't bypass filtering by putting their own custom DNS on their devices. When disabling the DNS based filtering the DNSCrypt appears to work fine with OpenDNS. is there a way to use DNSCrypt in conjuction with DNS Based Filtering if it's pointing at the router?

second issue is that the update script dnscrypt-update-resolvers.sh script doesn't work for me. It throws an error that https is not supported in curl :

ASUS:/tmp/home/root# dnscrypt-update-resolvers.sh
Updating the list of public DNSCrypt resolvers...
curl: (1) Protocol https not supported or disabled in libcurl
Download failed
mv: can't rename '/jffs/etc/dnscrypt-resolvers.csv.tmp': No such file or directory
Done

as a workaround I've manually downloaded the csv file and transferred it across to /jffs/etc using winscp.

thirdly, would be good if possible to manually specify DNSCrypt resolvers by custom IP address. for example, only one Cisco OpenDNS server is available to select in the dnscrypt settings which points to 208.67.220.220, but the other OpenDNS server 208.67.222.222 also supports DNSCrypt and would be good to have as a Secondary.

 

[john9527]

Hi
updated my Asus RT-N66u tonight from 20e9 to 22e2 this evening. flashed and rebooted ok but had a few issues with dnscrypt:

thought I'd have a try at enabling dnscrypt. I enabled it and selected various different dnscrypt resolvers but each time my DNS was still resolving from OpenDNS (208.67.220.220 / 208.67.200.200) which is configured on the WAN page. so even though dnscrypt was enabled it wasn't being used ? did some further digging, I had to disable "Enable DNS based Filtering" on the Parental control section. Usually I have this 'On' and pointing at 'Router' to ensure all DNS traffic goes via the router and people can't bypass filtering by putting their own custom DNS on their devices. When disabling the DNS based filtering the DNSCrypt appears to work fine with OpenDNS. is there a way to use DNSCrypt in conjuction with DNS Based Filtering if it's pointing at the router?

Sorry, but I can't recreate this. Once you enable DNSCrypt, the WAN DNS servers are replaced with the DNSCrypt servers in dnsmasq (127.0.0.1:65053). dnsleaktest.com then showed the DNSCrypt server whether or not the DNSFilter global router setting was enabled.

To see what may be going on, I need to see
killall -s USR1 dnsmasq (this will dump the dnsmasq stats to the syslog so we can verify the DNSCrypt servers are correctly set)
iptables -t nat -nvL (both with and without DNSFilter)

Also, if you are using a VPN Client, that can affect things as well.

second issue is that the update script dnscrypt-update-resolvers.sh script doesn't work for me. It throws an error that https is not supported in curl :

ASUS:/tmp/home/root# dnscrypt-update-resolvers.sh
Updating the list of public DNSCrypt resolvers...
curl: (1) Protocol https not supported or disabled in libcurl
Download failed
mv: can't rename '/jffs/etc/dnscrypt-resolvers.csv.tmp': No such file or directory
Done

as a workaround I've manually downloaded the csv file and transferred it across to /jffs/etc using winscp.

Sorry, but again I can't recreate.
ASUSWRT-Merlin RT-AC68U_3.0.0.4 Wed Jan 11 18:22:20 UTC 2017
admin@AC68P-06650:/tmp/home/root# dnscrypt-update-resolvers.sh
Updating the list of public DNSCrypt resolvers...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 31960 100 31960 0 0 18413 0 0:00:01 0:00:01 --:--:-- 37292
Done

Are you sure you don't have another curl installed, maybe via entware? What's the result of entering
which curl

thirdly, would be good if possible to manually specify DNSCrypt resolvers by custom IP address. for example, only one Cisco OpenDNS server is available to select in the dnscrypt settings which points to 208.67.220.220, but the other OpenDNS server 208.67.222.222 also supports DNSCrypt and would be good to have as a Secondary.

I'm torn on this one.....it's not just the ip, it's also a port and a key that would need to be entered. Currently one way around it would be to edit the resolvers file in /jffs and add your server info. But I'm not sure this will remain possible in the future once I add signature verification to that file.

 

[john9527]

just upgraded my RT-N16 to v374.43_2-22E3j9527 - so far so good..

the only thing that bugs me is NVRAM usage: 29612 / 32768 bytes (90% utilized)
i use MAC filter list, DHCP list and DNS Filtering.
top 20 is below - any ideas what could i do about it?

Unfortunately, nothing shows up that is really out of place....just suffering from feature creep. The good news, is that you are still probably OK since you don't have to worry about the OpenVPN keys (which need at least about 3.5K free to manipulate).

The big hitter for you is the ssh keys.....let me think on that one a bit.

 

[john9527]

John,
8 hours up & still running perfectly. Read below if you didn't get a chance.

Haven't been ignoring you....just thinking about your posts. Haven't seen anything specific to the Direct TV LAN connect.

You did mention STP....I'm not sure if it's active in AP mode, but there is a Spanning-Tree Protocol setting under LAN > Switch Control (if it's not there, maybe we can try manipulating the nvram var).

 

[Trebuin]

Haven't been ignoring you....just thinking about your posts. Haven't seen anything specific to the Direct TV LAN connect.

You did mention STP....I'm not sure if it's active in AP mode, but there is a Spanning-Tree Protocol setting under LAN > Switch Control (if it's not there, maybe we can try manipulating the nvram var).

I'm back to the drawing board on it...the router has crashed several times so something else is the cause.

I also just disabled the stp using the direct link to that LAN page...maybe it will work. I pulled all the LAN devices so it has to be a wifi device running on my AP off the 66u, a dlink dir-895L. There are about 20 devices connecting through the 66u through either LAN or wifi.

 

[Mr_Andy]

Sorry, but I can't recreate this. Once you enable DNSCrypt, the WAN DNS servers are replaced with the DNSCrypt servers in dnsmasq (127.0.0.1:65053). dnsleaktest.com then showed the DNSCrypt server whether or not the DNSFilter global router setting was enabled.

To see what may be going on, I need to see
killall -s USR1 dnsmasq (this will dump the dnsmasq stats to the syslog so we can verify the DNSCrypt servers are correctly set)
iptables -t nat -nvL (both with and without DNSFilter)

Also, if you are using a VPN Client, that can affect things as well.



Sorry, but again I can't recreate.
ASUSWRT-Merlin RT-AC68U_3.0.0.4 Wed Jan 11 18:22:20 UTC 2017
admin@AC68P-06650:/tmp/home/root# dnscrypt-update-resolvers.sh
Updating the list of public DNSCrypt resolvers...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 31960 100 31960 0 0 18413 0 0:00:01 0:00:01 --:--:-- 37292
Done

Are you sure you don't have another curl installed, maybe via entware? What's the result of entering
which curl

I'm torn on this one.....it's not just the ip, it's also a port and a key that would need to be entered. Currently one way around it would be to edit the resolvers file in /jffs and add your server info. But I'm not sure this will remain possible in the future once I add signature verification to that file.

Hi John
results of entering which curl. no other curl is installed as far as I know.

/usr/sbin/curl

curl version:

asus-config@ASUS:/tmp/home/root# curl -V
curl 7.21.7 (mipsel-unknown-linux-gnu) libcurl/7.21.7
Protocols: file ftp http imap pop3 rtsp smtp tftp

Features: IPv6 Largefile



I'll check out the other bits you mention about dnscrypt.

I don't use the vpnclient