[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

Oh well...I'll just make it a habit to reboot from software every time I switch it off which is already very rare. I already have UPS backup for the whole system which further ensures no unknown power losses so it will do just fine I guess and I will have to control my ocd with unclean fs warnings :p (switched back to ext2 and leaving it as that). Thanks for your help. :)
One last thing to try.....if you are setting permissions on the drives, try changing to allowing guest access (I'm assuming you are sharing them?)
 
One last thing to try.....if you are setting permissions on the drives, try changing to allowing guest access (I'm assuming you are sharing them?)
Nah already using guest access, tried with the permissions method as well.
 
@john9527

Have you noticed that when using your latest, and using a policy based VPN routing there seems to be a chicken or the egg scenario when using "Start with WAN".

Seems vpn scripts are kicking off too early in the boot process, and may not have proper auths yet (at least my Google searches lead me to believe the openvpn process may not be "root" yet during the boot process, thus failing). Later in the boot process it fires again and is successful:
[Attachment: vpn-chicken-or-the-egg.png]
 
@john9527

Have you noticed that when using your latest, and using a policy based VPN routing there seems to be a chicken or the egg scenario when using "Start with WAN".

Seems vpn scripts are kicking off too early in the boot process, and may not have proper auths yet (at least my Google searches lead me to believe the openvpn process may not be "root" yet during the boot process, thus failing). Later in the boot process it fires again and is successful:
Always been that way and is expected. That's actually the VPN being shut down (see the del dev tun11 as the next line). The policy based code actually removes the routes as part of its cleanup, so that when the OpenVPN code tries to remove them again it can't find them and posts that error. Not a problem.
 
Always been that way and is expected. That's actually the VPN being shut down (see the del dev tun11 as the next line). The policy based code actually removes the routes as part of its cleanup, so that when the OpenVPN code tries to remove them again it can't find them and posts that error. Not a problem.
Awesome! Just wanted to make sure it was expected.

Watching it, it does eventually fire up without issues (not that it seems to be struggling to get there or anything..), just wanted to make sure there just wasn't an extra unnecessary execution during boot.

:cool: Thank you much


I guess on the topic (somewhat) of VPN policy based routing. This comes up with the beaten to death topic of DNS option in openvpn client page. I have no direct question to those in general, as since I am only routing a few clients over the tunnel, I have "Accept DNS configuration" set to Disabled, as I want my WAN devices to use my pi-hole DNS server which forwards upstream to OpenDNS.

However, I do want my devices ON the tunnel to use the VPN provider's DNS servers. So, for this, I found a post by Merlin suggesting a user a few years ago to use the DNSfilter in the parental controls options. I got that set up with no issues, my only question is:

If my VPN provider provides a primary and a fallback DNS server (2 x IPs), is it acceptable for me to define each one of those IPs in "Custom 1" and "Custom 2" in the DNSfilter section, and then define a particular device's MAC address twice, assigning it to one of those 2 x "Custom" entries? So I would end up with a MAC address defined twice, but with a different DNS IP behind it, giving that device the ability to use BOTH DNS servers?

Like so:
[Attachment: dnsfilter.png]
 
However, I do want my devices ON the tunnel to use the VPN provider's DNS servers. So, for this, I found a post by Merlin suggesting a user a few years ago to use the DNSfilter in the parental controls options. I got that set up with no issues, my only question is:
My implementation of the handling of DNS servers under a VPN is different than Merlin's. So, for your use case it's actually easy to implement (I'm assuming you have your pi-hole DNS server set on the WAN page).
On the VPN page, change 'Accept DNS configuration' to Exclusive, then check the box that will appear 'WAN clients use WAN DNS Server'. Done :)
 
@john9527 John, I was trying again with the permissions method, disk2 again stopped but when I changed permission for a folder on the disk, which restarted the samba server, the disk showed up. Is there any way the samba server can be restarted after the router has finished booting up? That should solve the problem for good!
 
@john9527 John, I was trying again with the permissions method, disk2 again stopped but when I changed permission for a folder on the disk, which restarted the samba server, the disk showed up. Is there any way the samba server can be restarted after the router has finished booting up? That should solve the problem for good!
Starting/stopping/restarting services is actually a fairly tuned 'dance'....it's easy to get into multiple restarts or failure to start scenarios. Can you upload a syslog to a file sharing site from boot for both when it comes up working and when it doesn't, and send me a PM?
 
Gents, quick question. I'm using fork 374.43_2-17E8j9527. I've had "zero" issues using it for some time now. I do not use VPNs, or have a hard drive attached to the router. I simply use it as both a wired and wireless access point for gaming and general web browsing. Also the wireless coverage is excellent. Any advantage you can see upgrading to the latest fork? Thanks.

Whooops, mine is an RT-N66U

-Brian
 
Starting/stopping/restarting services is actually a fairly tuned 'dance'....it's easy to get into multiple restarts or failure to start scenarios. Can you upload a syslog to a file sharing site from boot for both when it comes up working and when it doesn't, and send me a PM?

I tried again and service restart_ftpsamba does the trick.

Yep I remember this dance from the failure to start the media server because of download master :)

Sent u a pm.
 
Gents, quick question. I'm using fork 374.43_2-17E8j9527. I've had "zero" issues using it for some time now. I do not use VPNs, or have a hard drive attached to the router. I simply use it as both a wired and wireless access point for gaming and general web browsing. Also the wireless coverage is excellent. Any advantage you can see upgrading to the latest fork? Thanks.

Whooops, mine is an RT-N66U

-Brian

Well off the top of my head, security is one. Contains many fixes since v17, doesn't break anything else... why wouldn't one upgrade?
 
My implementation of the handling of DNS servers under a VPN is different than Merlin's. So, for your use case it's actually easy to implement (I'm assuming you have your pi-hole DNS server set on the WAN page).
On the VPN page, change 'Accept DNS configuration' to Exclusive, then check the box that will appear 'WAN clients use WAN DNS Server'. Done :)
This has gone a little sideways on me (1 x reset later)

If I use this option, it "appears" as though I need to define any device (IP) that I want to go over WAN DNS in the Policy rules as well, then set target iface as "WAN"?

What I was expecting was that I could set "Exclusive" (Check WAN devices use WAN DNS), then only have to define my 3 x IP's for VPN iface in the policy rule set. Something like:
Exclusive (All devices not set to iface "VPN" default to WAN DNS)

That way I only need to define my VPN targets, instead of every IP on my network in the policy based rules.

Because what happened, was as soon as I enabled that (Exclusive with WAN to WAN DNS), all my DHCP clients lost the DNS resolution abilities. (Of course I have not defined ALL my IP's within the VPN Policy based rules, only the ones I want over VPN).

Hm...... Maybe I should stick with the DNSfilter instead?

And yes, my Pi-Hole is set on my WAN page as 192.168.1.2, and the IPv6 Address is set on the IPv6 tab as well.
 
Hm...... Maybe I should stick with the DNSfilter instead?
Quite some time ago (right after John made the changes to VPN DNS that he referenced above), I tried to eliminate the use of DNS filter and was unsuccessful in getting my VPN clients to use the VPN provider DNS. I tried every combination of settings I could think of and was never able to get it to work properly with my VPN provider (IPVanish). However, everything works fine if I use DNS filter and the "Exclusively" setting. I attributed it to an idiosyncrasy of my provider. Perhaps you're in the same situation.
 
I am doing the same, only I am in reverse of you at the moment.

I am using "Disabled" within the DNS settings of OpenVPN (so everything at that moment uses my WAN DNS settings), and am then setting DNSfilters for my VPN clients to then point to the VPN provider's 2 x DNS IPs (so I then carve off my VPN devices to only use the VPN DNS servers, while all else still uses WAN DNS).

Knock on wood, seems to be working fine. (Assuming it's working properly, and also back to my original question of whether having the MAC identified to 2 x different Custom IPs in DNSfilter works properly.)

Yes, I think we are in the same boat. I want to use custom DNS for my normal WAN, while still being able to set my VPN devices to use the VPN provider's DNS servers. Of course, without having to do TOO much work on my end.
 
What I was expecting was that I could set "Exclusive" (Check WAN devices use WAN DNS), then only have to define my 3 x IP's for VPN iface in the policy rule set. Something like:
Exclusive (All devices not set to iface "VPN" default to WAN DNS)

That way I only need to define my VPN targets, instead of every IP on my network in the policy based rules.
This is how it should work (and I just verified it on my system). Not to be funny, but you did hit 'Apply' after making the changes, correct?
 
This is how it should work (and I just verified it on my system). Not to be funny, but you did hit 'Apply' after making the changes, correct?
Sure did, that's when it all went downhill...... o_O (I know you are not being funny)

The moment I hit apply, and the counter clock finished its spin cycle, my devices that are not set to go over the VPN tunnel (for example, the desktop I was using to make the changes) could no longer resolve anything. It was as if I needed to define my desktop's IP in the Policy based rules and set it to "WAN".
 
@cybrnook
Make sure dnsfilter is disabled, then append the output of

iptables-save -t nat

with the settings as we discussed.
Would you be generous enough to let me take a small rain check on this? I already tested the limits with the wife today by swapping the RT-AC3100 out and putting the RT-AC68P (and your build) in its place. Then the reboots and re-configs to get it up and running. She has work she has to do today, and I would be in the dog house if I ask her to step off again to test.

Maybe tonight, EST, if that's okay?
 
Would you be generous enough to let me take a small rain check on this? I already tested the limits with the wife today by swapping the RT-AC3100 out and putting the RT-AC68P (and your build) in its place. Then the reboots and re-configs to get it up and running. She has work she has to do today, and I would be in the dog house if I ask her to step off again to test.

Maybe tonight, EST, if that's okay?
Can't stress out the wife! :eek: No problem:)
 