[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

Who's at 192.168.1.142? Do you recognize the MAC associated with that address?
Are you using a password manager for your browser?

As I said in my original posting, the IP address in the messages is the desktop PC that I use to admin the router.

Yes, I do use a password manager, and have for a couple of years now. Haven't seen this before in any router logs (and I've used a LOT of different firmware on various routers *smile*). Already checked, and "Autologin" was not checked for the router entry, I don't use autologin much at all. But that's a good thought, could have been a malfunction there, LastPass has been great on the whole (aside from the recent hack), but has had its problems.

Nothing new in the log for about 15 hours now, so I'm hoping for no recurrence.
 
Sorry I missed that you identified it as your desktop. Another thought, is if you had changed your password and the browser was using a cached set of credentials to try and log in. Glad to hear it hasn't returned :)
 
Sorry I missed that you identified it as your desktop. Another thought, is if you had changed your password and the browser was using a cached set of credentials to try and log in. Glad to hear it hasn't returned :)

I bet it's a security suite like Avast trying to be clever, and hitting every single port 80 it can find open on the LAN.
 
I bet it's a security suite like Avast trying to be clever, and hitting every single port 80 it can find open on the LAN.

If it is, it isn't on my desktop *smile*. I read about that when I looked around some...I'm currently using Windows Defender, pretty basic, and I really doubt that it does that. I don't think anyone would accuse Windows Defender of trying to be clever *smile*.
 
Is anyone else having issues with the vpn client on v12? I will try to turn it on and it will either fail (turn on then off) or it will "succeed" (stay on) but my ip address will not change and data will no longer flow due to what seems to be a dns issue according to chrome. I was trying to use vpnbook, I tried pptp and openvpn.
 
Is anyone else having issues with the vpn client on v12? I will try to turn it on and it will either fail (turn on then off) or it will "succeed" (stay on) but my ip address will not change and data will no longer flow due to what seems to be a dns issue according to chrome. I was trying to use vpnbook, I tried pptp and openvpn.
Syslog is pretty good at capturing vpn issues.....anything there?
 
If it is, it isn't on my desktop *smile*. I read about that when I looked around some...I'm currently using Windows Defender, pretty basic, and I really doubt that it does that. I don't think anyone would accuse Windows Defender of trying to be clever *smile*.
Windows Defender? Are you still running XP? :)
 
Syslog is pretty good at capturing vpn issues.....anything there?

Yeah, something about DNS-
openvpn[3650]: RESOLVE: Cannot resolve host address: us2.vpnbook.com: Name or service not known

It seems this problem is caused by my openvpn-event script (I discovered it works fine when I comment everything out and manually insert the password). It goes to the vpnbook page and curls the password, chops off the html and inserts it into nvram. Looks like I have some figuring to do, I think I have an invisible character issue. ;)
 
Last edited by a moderator:
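An added example, not part of the post above and not the poster's script: one way to find and strip an invisible character from a scraped credential before it is stored. The HTML line, the password value and the function names are constructed for illustration; the real page's markup is not shown in this thread.

```shell
#!/bin/sh
# Added example (not the poster's openvpn-event script): detect and strip
# invisible bytes from a scraped credential before it is stored.

# Constructed sample: one CRLF-terminated HTML line. $(...) drops the final
# newline but keeps the carriage return, which is how a stray \r survives.
SAMPLE_HTML=$(printf '<li>Password: <strong>Ex4mplePw</strong></li>\r\n')

# Remove tags, then everything up to the last ": " label (assumed layout).
strip_tags() {
    printf '%s' "$1" | sed -e 's/<[^>]*>//g' -e 's/^.*: //'
}

# Hex of every byte outside printable ASCII 0x21-0x7e; empty output = clean.
suspect_bytes() {
    printf '%s' "$1" | LC_ALL=C tr -d '!-~' | od -An -tx1 | tr -d ' \n'
}

# Keep only printable, non-space ASCII (assumes the secret has no spaces).
clean_secret() {
    printf '%s' "$1" | LC_ALL=C tr -cd '!-~'
}

# Emit the cleaned value; fail on an empty result so a broken scrape never
# replaces a working credential.
safe_secret() {
    cleaned=$(clean_secret "$1")
    [ -n "$cleaned" ] || return 1
    printf '%s' "$cleaned"
}

raw=$(strip_tags "$SAMPLE_HTML")
echo "suspect bytes in raw value: $(suspect_bytes "$raw")"
if pw=$(safe_secret "$raw"); then
    echo "cleaned value: $pw"
else
    echo "scrape produced no usable value; keeping the old credential" >&2
fi
```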
Windows Defender? Are you still running XP? :)

Nope. In Windows 8.1, Windows Security Essentials antivirus and Windows Defender are merged together under the name "Windows Defender". I guess that MS liked the name Windows Defender enough to carry it into the future. It's also called that in Windows 10 (so far). I have a Windows 10 tech preview VM (build 10162), looks pretty familiar. They've improved the "Start" menu a bunch, and have sorted out the tablet stuff from the desktop stuff better, addressing the main complaints about Windows 8. Pretty familiar look and feel, though, if you've used Windows 8. Windows 10 is looking very polished these days, release is at the end of this month.

My only complaint about Windows Defender so far is that I had to create a scheduled task to get the latest updates. Given that it's malware and viruses, I want up-to-the-minute definition updates, and wasn't getting them without the scheduled task. Unusual for an anti-malware app.
 
Last edited:
I have seen those abnormal logins before, I concluded they were malicious websites trying to get into my router. If you change Administration >> System >> Enable access from WAN to NO I think they will stop. If you need to get into your router from away from home you can use vpn (pptp is simplest) to get access as if you were local. I think I also use only https login and changed the port to something other than the default (80)... so I log in with something like (not what I actually use)-

https://192.168.1.1:1234
 
Last edited by a moderator:
I have seen those abnormal logins before, I concluded they were malicious websites trying to get into my router. If you change Administration >> System >> Enable access from WAN to NO I think they will stop. If you need to get into your router from away from home you can use vpn (pptp is simplest) to get access as if you were local. I think I also use only https login and changed the port to something other than the default (80)... so I log in with something like (not what I actually use)-

https://192.168.1.1:1234

Well, that's a good thought, but I never need to get into my LAN from the WAN, so I never enable WAN access. The "abnormal" logins are coming from my desktop PC, not from the WAN. While I suppose it could be malware on my desktop PC, I don't really believe that. And if it was, the router is doing an admirable job of denying the malware access to itself. No recurrence since the initial event, now the day before yesterday, so I doubt that it'll happen again at this point.

Thanks.
 
Well, that's a good thought, but I never need to get into my LAN from the WAN, so I never enable WAN access. The "abnormal" logins are coming from my desktop PC, not from the WAN. While I suppose it could be malware on my desktop PC, I don't really believe that. And if it was, the router is doing an admirable job of denying the malware access to itself. No recurrence since the initial event, now the day before yesterday, so I doubt that it'll happen again at this point.

Thanks.

The fact that it specifically tries to connect with the username "admin" seems to imply that it's a web browser that has your login info saved (but not the correct password). Could you possibly have a crashed browser session running in background (for instance an iexplore.exe process that does not show any window)?

Open the Resource Monitor, and go to the Network tab. Check for anything there that tries to connect to port 80.
 
Well, that's a good thought, but I never need to get into my LAN from the WAN, so I never enable WAN access. The "abnormal" logins are coming from my desktop PC, not from the WAN. While I suppose it could be malware on my desktop PC, I don't really believe that. And if it was, the router is doing an admirable job of denying the malware access to itself. No recurrence since the initial event, now the day before yesterday, so I doubt that it'll happen again at this point.

Thanks.

You are right, the attacks are coming from your web browser on that desktop pc, not from wan. I wasn't clear in my post that you will need to change the port (I wouldn't use 80 or 443) and go to https only as well. Solved the same problem for me. The malicious site is just guessing that you use port 80, username admin, and common default passwords to get access. I guess maybe just switching the port would do it, but YMMV. Oh, and I forgot- changing the router's ip to something other than 192.168.1.1 or other commonly used defaults might be of help as well.
 
Last edited by a moderator:
Hi, guys! I'd like to report two things:

1. I also have problems with IPv6. My ISP is RDS, Romania.
Connection type: Native
Interface: PPP
DHCP-PD: Enable
Auto Configuration: Stateless
Enable Router Advertisement: Enable
Enable DHCPv6 Server: Enable
WAN MTU: 1492
NAT Acceleration: Enable

I want to mention that I had the original Merlin 374.43_2 previously and it worked flawlessly with the above settings.

Today I've installed 374.43_2-12j9527, restored factory defaults and remade all the settings manually.
I haven't used any previous builds from your fork.

Observation #1: I am able to get an IPv6 address if I disable 'Enable Router Advertisement'. If I turn it on, I get only link-local. Same as razvanu: http://www.snbforums.com/threads/fork-update-for-374-43-available-v12.18914/page-95#post-189685
Router tries to get the address for ~1 minute, but in the end fails and reboots.

Observation #2: 'Filter IPv6 Neighbor Solicitation' is 'Off'. On or off, it doesn't have any effect.

Observation #3: Same goes for NAT acceleration.

Code:
Jul  5 22:37:20 rc_service: ipv6-up 1060:notify_rc start_firewall
Jul  5 22:37:20 rc_service: waiting "start_rdnssd" via ipv6-up ...
Jul  5 22:37:21 start_nat_rules: apply the nat_rules (/tmp/nat_rules_ppp0_eth0)!
Jul  5 22:37:21 start_nat_rules: (/tmp/nat_rules_ppp0_eth0) success!
Jul  5 22:38:19 rdnssd[1188]: Get IPv6 address & DNS from DHCPv6
Jul  5 22:38:19 rc_service: rc 1227:notify_rc start_dhcp6c

^ After this it restarts.


2. OpenVPN
This is what it displays each time I click on 'VPN' on the left. Issue is not present on Merlin 374.43_2.
I haven't verified if I can connect with a client.

Code:
Jul  5 22:31:08 openvpn[716]: event_wait : Interrupted system call (code=4)
Jul  5 22:31:08 openvpn[716]: TITLE,OpenVPN 2.3.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 20 2015
Jul  5 22:31:08 openvpn[716]: TIME,Sun Jul  5 22:31:08 2015,1436124668
Jul  5 22:31:08 openvpn[716]: HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username
Jul  5 22:31:08 openvpn[716]: HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
Jul  5 22:31:08 openvpn[716]: GLOBAL_STATS,Max bcast/mcast queue length,0
Jul  5 22:31:08 openvpn[716]: END
 
1. I also have problems with IPv6. My ISP is RDS, Romania.
I've been working with a couple of other folks trying to understand what is going on with RDS, Romania. It's been a long haul, but I think I have it figured out. I'm going to be putting up a V13BETA in the next day or so that I hope will fix things up.

2. OpenVPN
This is what it displays each time I click on 'VPN' on the left. Issue is not present on Merlin 374.43_2.
The stats display wasn't always working correctly on the base 374.43_2. What you are seeing is the system generating an interrupt to gather the VPN stats. Nothing to worry about.
 
Alright, I'll be on the lookout for it. :) Thanks for the answers.
 
The fact that it specifically tries to connect with the username "admin" seems to imply that it's a web browser that has your login info saved (but not the correct password). Could you possibly have a crashed browser session running in background (for instance an iexplore.exe process that does not show any window)?

Open the Resource Monitor, and go to the Network tab. Check for anything there that tries to connect to port 80.

Could have been that...but I shut down my computer every night, and reboot during the day sometimes. So maybe there was an extra chrome zombie at that time, has not repeated in the days since. Guess I've been treating chrome better in the last few days. I did switch between the stable track and the dev track recently to get a fix for the logjam exploit (which is fixed on the dev track), but haven't seen any problems as a result of that. Even the dev track seems pretty stable these days.

Don't use IE for anything except watching the odd tv show. IE seems to be able to run tv shows despite not showing the commercials, while with chrome I have to suffer through the commercials. Much better without those loud ads.

Anyways, I like this idea best of the ones that I've heard.

Thanks!
 
Putting out a beta to verify some fixes (some for problems which have been around a long time and are just now being reported).

BETA RELEASE: Update-13B5
5-July-2015
Merlin fork 374.43_2-13B5j9527
Download http://1drv.ms/1sDtB1V
============================


Update-13B5 Highlights:

  • Merlin Backports
    • None
  • New Fork Updates
    • Fix for incorrect TCP max connections following a factory reset (since V7)
    • Fix for hang in updating to the new, longer OpenSSL DH on MIPS routers when using OpenVPN server
    • Fix for failure establishing IPv6 PPPoE connections (since V7)
      Starting with V7, a fix was introduced to correct a problem with the MTU advertisement for PPPoE connections. This led to some users experiencing problems in establishing an IPv6 PPPoE connection due to both a bug in the fix and some ISPs requiring an MTU other than the normal default value for PPPoE. If you are having trouble obtaining an IPv6 address or have trouble connecting to some sites:
      • Try lowering the WAN MTU/MRU value. Lowering the value from the default of 1492 to 1480 or 1472 has been reported to solve connection problems (the minimum value for IPv6 is 1280)
      • An additional option has been added to the IPv6 configuration page, 'Disable IPv6 MTU Advertisement'. Checking this option reinstates the behavior of pre-V7 firmware and may allow you to connect to determine the correct MTU value for your ISP.
    • Added error checking in setting WAN PPPoE MTU/MRU
    • Fix for QoS limiting IPv6 download speeds

A factory default reset is NOT required if coming from any level of the fork or Merlin 374.42 or 374.43 code. Coming from any other level does require a factory default reset after the code is loaded.

SHA256 hashes:

Code:
d27719a2f3d3129125b9e41cda4414ee2f4274b4fda002151fe6aefc8eea1090 *RT-AC56U_3.0.0.4_374.43_2-13B5j9527.trx
6ce50575ee1fc511806b38a026b2e3c233b1e18cc70b16081323829ce753dccf *RT-AC66U_3.0.0.4_374.43_2-13B5j9527.trx
7e894a4ba19d87a85bb2c6bbef7913134a2520df7581b7b05c69de35ef09c8cd *RT-AC68U_3.0.0.4_374.43_2-13B5j9527.trx
9343e6cb91db857323861c513c9a267e077b8b88dc7d6369a1ac77e6e569fa67 *RT-N16_3.0.0.4_374.43_2-13B5j9527.trx
1bb2448e1fa387b7755b9103df3f18ef15ba5b184124f799ec6f2d0b0a511081 *RT-N66U_3.0.0.4_374.43_2-13B5j9527.trx
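
An added example, not part of the release post or the fork's own tooling: one way to check a downloaded image against a hash list in the `<sha256> *<filename>` form shown above, refusing files that are not in the list. The function name, the stand-in file and its one-line manifest are constructed; with a real download, the list above would be saved to a text file and passed as the second argument.

```shell
#!/bin/sh
# Added example: verify a downloaded image against a published list in
# "<sha256> *<filename>" form. The demo file and its manifest are constructed.

# verify_listed FILE MANIFEST -> 0 match, 1 mismatch, 2 file not in the list
verify_listed() {
    name=$(basename "$1")
    # Exact match on the file field; the leading "*" marks binary mode.
    want=$(awk -v n="$name" '$2 == "*" n || $2 == n { print $1; exit }' "$2")
    [ -n "$want" ] || return 2
    want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
    have=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$have" = "$want" ]
}

# Constructed demo: a 3-byte stand-in "image" and a one-line manifest.
# ba7816bf... is the SHA-256 of the ASCII string "abc".
demo_dir=$(mktemp -d)
printf 'abc' > "$demo_dir/sample_image.trx"
printf '%s *%s\n' \
    ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad \
    sample_image.trx > "$demo_dir/sha256.txt"

if verify_listed "$demo_dir/sample_image.trx" "$demo_dir/sha256.txt"; then
    echo "sample_image.trx: hash matches the list"
else
    echo "sample_image.trx: do not flash (status $?)" >&2
fi
```

A match shows the download arrived intact; it says nothing about who published it, since the list and the download link come from the same post.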
 
RT-AC68U
Connection type: Native
Interface: PPP
DHCP-PD: Enable
Auto Configuration: Stateless
Enable Router Advertisement: Enable
Enable DHCPv6 Server: Enable
WAN MTU: 1492
NAT Acceleration: Enable
Filter IPv6 Neighbor Solicitation: Yes

'Disable IPv6 MTU Advertisement' is checked. Everything seems stable, all clients from LAN received IPv6 addresses.
 
'Disable IPv6 MTU Advertisement' is checked. Everything seems stable, all clients from LAN received IPv6 addresses.
Thanks for the quick feedback...glad to have a working solution for you. But, I just had one of those 'why didn't I think of that before' moments.....

Can you run a test for me setting the WAN MTU to 1452 and unchecking the 'Disable Advertisement' box?
 
