[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

[Builder71]

It's a change in Chrome 56 and is fixed in the V23 beta.


Interesting question.....my first thought is that you are correct and IPTV is not affected by QoS since it's running on a different VLAN interface.

Yep, V23 beta fixes that one!

I played a bit more with "Traditional QoS" and it does give me a much better rating on the BufferBloat issue.
From a C rating to A rating using http://www.dslreports.com/speedtest

I want to stay as close as possible to the default values, so I added only a few rules.
- VoIP phone
- PlayStation network and GTA Online Server

The GTA Online Server needs one port and a range.
I added it like 6672,61455:61458 which is accepted by the GUI.
Is it really allowed or should I make two lines? (One for port 6672 and another for the range.)

 

[john9527]

The GTA Online Server needs one port and a range.
I added it like 6672,61455:61458 which is accepted by the GUI.
Is it really allowed or should I make two lines? (One for port 6672 and another for the range.)

It's allowed....the limit is 15 ports or ranges or a mix thereof separated by commas in a single entry

 

[Builder71]

It's allowed....the limit is 15 ports or ranges or a mix thereof separated by commas in a single entry

Great, thx.

Thinking about it, not sure why not add the MAC address of the PlayStation3, just like I did with my VoIP phone.
Only one rule to get the job done.

Now we wait and see if the kids keep complaining about "lag" while I download.

 

[john9527]

Now we wait and see if the kids keep complaining about "lag" while I download.

The true test.....the 'family' complaints (or lack thereof)

 

[cybrnook]

Now we wait and see if the kids keep complaining about "lag" while I download.

Tell them they can always buy their own internet line if Dad's funded line does not meet their standards. Muwahahahahaha

 

[jrmwvu04]

Thinking about it, not sure why not add the MAC address of the PlayStation3, just like I did with my VoIP phone.
Only one rule to get the job done.

That is for sure the way to go, in my experience. Particularly because the ports that end up being used can vary based on game/application.

 

[XSXS]

Is the top speed when you run the test actually being limited to around 43 and 4.3? Have you tried a factory reset? It's true that you shouldn't have to, but a factory reset and config from scratch clears things up sometimes.

Yes the speeds are being limited correctly per my Qos settings.
Well.... I did a factory reset using the wps button method and now it is totally jacked! Internet pages take for ever to load, xfinity speed test getting hung up, could not access my modem gui and i can't even run the dsl buffer bloat test. Gets hung up for being too slow. I reset the router and modem s few times and finally was able to access my modem but still seeing interenet issues!

 

[XSXS]

I'm going to flash it back to the previous FW version and see what happens.

 

[cybrnook]

Okay @john9527 , I took the time this evening to test the WAN over WAN DNS in OpenVPN client, and successfully, it broke again same as before

So with the settings as we discussed:

WAN DNS set to 192.168.1.2 (Pi-Hole)
DNSFilter rules deleted/disabled
OpenVPN client set to "Exclusive" with "WAN devices use WAN DNS"
3 x clients set to policy based routing over openvpn client with block internet if tunnel is down

This is the output after a reboot of the router:

ASUSWRT-Merlin RT-AC68U_3.0.0.4 Mon Jan 30 16:23:34 UTC 2017
myusername@RT-AC68P-3DFX:/tmp/home/root# iptables-save -t nat
# Generated by iptables-save v1.4.14 on Wed Feb 22 19:33:48 2017
*nat
: PREROUTING ACCEPT [630:47794]
: INPUT ACCEPT [224:19636]
: OUTPUT ACCEPT [89:13028]
: POSTROUTING ACCEPT [18:3443]
: DNSFILTER - [0:0]
: DNSVPN1 - [0:0]
: LOCALSRV - [0:0]
: VSERVER - [0:0]
: VUPNP - [0:0]
-A PREROUTING -d XXX.5XX.5XX.2XX/32 -j VSERVER
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNSVPN1
-A PREROUTING -i br0 -p tcp -m tcp --dport 53 -j DNSVPN1
-A POSTROUTING -s 192.168.1.0/24 -o tun11 -j MASQUERADE
-A POSTROUTING ! -s XXX.5XX.5XX.2XX/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MASQUERADE
-A DNSVPN1 -s 192.168.1.20/32 -j DNAT --to-destination 192.168.1.1
-A DNSVPN1 -s 192.168.1.21/32 -j DNAT --to-destination 192.168.1.1
-A DNSVPN1 -s 192.168.1.22/32 -j DNAT --to-destination 192.168.1.1
-A DNSVPN1 -j DNAT --to-destination 192.168.1.2
-A VSERVER -j VUPNP
-A VUPNP -p udp -m udp --dport 49574 -j DNAT --to-destination 192.168.1.181:49574
COMMIT
# Completed on Wed Feb 22 19:33:48 2017
myusername@RT-AC68P-3DFX:/tmp/home/root#


As well, a couple screenshots of the after affects to non - vpn devices (so WAN devices), after a reboot of the router and computer:

and of course

 

[john9527]

@cybrnook
Everything looks right.....are you sure there isn't a firewall on the pi that's blocking requests from other than the router address?

 

[cybrnook]

No firewall on it, it's just a DNS devices that forwards requests. It acts as a stand alone DNS server, so I do have the ability to point devices directly to it.

But yeah.... Not sure what to look at. DNSfilter seems to work fine coupled with "disabled" for Accept DNS configuration in the open VPN client.

I really would like to find the issue, as you see the need for users to have it, and have taken the time to add that option.

What do you use for your WAN DNS?

 

[john9527]

@cybrnook
A light bulb maybe just went off......by running a local server, we need to be able to route to the local network. Normally, this is not allowed and is considered a 'martian' packet. In order to do the full support for DNSCrypt, I had to backport a kernel patch that would allow this (this is only supported on the ARM routers).

So, for your case, make a /jffs/scripts/init-start with the following contents (or add the 'echo' line to an existing init-start)

#!/bin/sh

echo 1 > /proc/sys/net/ipv4/conf/br0/route_localnet

Then reboot and try it again.

 

[jrmwvu04]

Yes the speeds are being limited correctly per my Qos settings.
Well.... I did a factory reset using the wps button method and now it is totally jacked! Internet pages take for ever to load, xfinity speed test getting hung up, could not access my modem gui and i can't even run the dsl buffer bloat test. Gets hung up for being too slow. I reset the router and modem s few times and finally was able to access my modem but still seeing interenet issues!

I'm going to flash it back to the previous FW version and see what happens.

Yikes. You have something going on outside of my usual experiences. I'm rather curious now to know what the problem is so keep us posted.

 

[cybrnook]

@cybrnook
A light bulb maybe just went off......by running a local server, we need to be able to route to the local network. Normally, this is not allowed and is considered a 'martian' packet. In order to do the full support for DNSCrypt, I had to backport a kernel patch that would allow this (this is only supported on the ARM routers).

So, for your case, make a /jffs/scripts/init-start with the following contents (or add the 'echo' line to an existing init-start)

#!/bin/sh

echo 1 > /proc/sys/net/ipv4/conf/br0/route_localnet

Then reboot and try it again.

I will give this a go hopefully this weekend. We are back on the clock again

 

[john9527]

Well.... I did a factory reset using the wps button method and now it is totally jacked! Internet pages take for ever to load, xfinity speed test getting hung up, could not access my modem gui and i can't even run the dsl buffer bloat test. Gets hung up for being too slow. I reset the router and modem s few times and finally was able to access my modem but still seeing interenet issues!

Something is severely wrong if a WPS reset caused all this problem. I'd download a fresh copy of the code and apply it with the ASUS Firmware recovery tool, then factory reset again to be safe.

Also, note that some ISPs get upset if you are switching routers behind the modem, or re-adding the modem after taking it out. If you do either of the above, you should power down the modem and router for 15-30 minutes after the change to force the ISP to reset your connection.

 

[Builder71]

Today at the office I connected to home. (OpenVPN Server running on the RT-N66U.)

I wasn't able to do anything useful with the connection. Unworkable slow!
Switching off QoS solved the problem.

If I read the comments on the QoS page it makes me believe VPN is in the bulk class.
WHY??

I hope this can be fixed and make VPN at least one class above bulk by default.

 

[john9527]

If I read the comments on the QoS page it makes me believe VPN is in the bulk class.
WHY??

I hope this can be fixed and make VPN at least one class above bulk by default.

Can't be changed...technical limitation. If you need to use a VPN, you can change the default priority/limits then adjust the priorities/limits of the other rules as necessary.

 

[Builder71]

Do you ever sleep john?
Thx for the quick reply.

I have to think about that, how it would look like.
If I set the "Default Priority Level" to Medium it will help VPN.
But does that at the same time set the bulk class to Medium as well?
If so, I'm still stuck.

 

[cybrnook]

@cybrnook
A light bulb maybe just went off......by running a local server, we need to be able to route to the local network. Normally, this is not allowed and is considered a 'martian' packet. In order to do the full support for DNSCrypt, I had to backport a kernel patch that would allow this (this is only supported on the ARM routers).

So, for your case, make a /jffs/scripts/init-start with the following contents (or add the 'echo' line to an existing init-start)

#!/bin/sh

echo 1 > /proc/sys/net/ipv4/conf/br0/route_localnet

Then reboot and try it again.

@john9527
You sure init-start is the one we want? I have it set, and after boot contents are still "0". So either init-start is firing too early, or something else is happening during boot to overwrite the "1" that we echo in there.

Enable JFFS custom scripts and configs - enabled
/jffs/scripts/init-start - 777

script runs fine on its own after boot.


Since I assume this needs to be set during boot, before firewall and all come up, may need to peek at it. I tried setting this after boot, and of course, same affect. But I am sure that the "1" was not actually taken into account post-boot, when I manually ran the script to validate syntax.

 

[john9527]

@john9527
You sure init-start is the one we want? I have it set, and after boot contents are still "0".

I just double checked and it works fine for me. Are you sure you didn't accidentally create the script in DOS/WIN format instead of linux? run
dos2unix /jffs/scripts/init-start

and I assume you are checking the value with
cat /proc/sys/net/ipv4/conf/br0/route_localnet