[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

Is fixed now John, I had user and group nobody by accident in my custom openvpn config which was breaking the execution of the updown script.

I will remove my amendments now from firewall-start as they won't be needed now the DNS block rules are correctly removed on vpn shutdown.

For my VPN I use 192.168.0.1 which is pushed by my VPN via a DHCP push command, although I am not sure if that actually works so I have an openvpn-event script set which puts a dnsmasq conf in place that has 192.168.0.1 set as the dns server. All my lan devices still use the router as the DNS server.

The issue was ip6tables block rules which were left in place due to me breaking the updown.sh script on openvpn shutdown :)

Whilst we are on the subject of openvpn, I have noticed that when the openvpn is running, ipv6 traffic still works normally outside of the vpn. I do not mean dns lookups but actual normal ipv6 traffic, so if a dns lookup returns ipv6 addresses like e.g. on youtube, then youtube would not go over the vpn.
 
Is fixed now John, I had user and group nobody by accident in my custom openvpn config which was breaking the execution of the updown script.

I will remove my amendments now from firewall-start as they won't be needed now the DNS block rules are correctly removed on vpn shutdown.

Whew.....glad to hear it. Just as a minor aside.....one of the more obscure changes in V20 is to not set the DNS leak protection if you are running in DNS Exclusive mode. That way, if you use the option to not use the VPN DNS for non-VPN clients, they will still have IPv6 access.
 
I am about to update the firmware now to the latest beta you posted :)

and yes I am running in exclusive mode with the box ticked, so your change will affect me.
 
Hi John! After updating from 19E3 to 20B7, I can no longer see either IP addresses or names of clients under System Log > Wireless Log on my RT-N66 (running under AP mode). Is it normal? Thanks!
 
My N66U has been acting up ever since I flashed 19E3.

Symptoms:
  • A yellow error sign shows up on the wireless icon in the notification area stating that internet is no longer available
  • After running the "Troubleshoot problems" wizard, I'm told that DNS is no longer responding
  • The router's Network Map doesn't show any issues so I restart the router
  • After the restart, the router doesn't get a new IP address automatically, instead it gets 192.168.1.2 as WAN IP
  • I can't get a new IP unless I turn off DDNS, WAN, and restart the ISP modem
Services:
  • Disabled: AiCloud, Guest Network, VPN, Traffic Manager, Parental Controls, IPv6, SSH
Looking at the changes in 19E3, I don't see anything that stands out; however, I do have an IPSET script which blocks specific countries

Here's the script:
Code:
#!/bin/sh

# Loading ipset modules
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_nethash ip_set_iphash ipt_set
do
    insmod $module
done

# Preparing folder to cache downloaded files
IPSET_LISTS_DIR=/jffs/ipset_lists
[ -d "$IPSET_LISTS_DIR" ] || mkdir -p $IPSET_LISTS_DIR

# Different routers got different iptables syntax
case $(uname -m) in
  armv7l)
    MATCH_SET='--match-set'
    ;;
  mips)
    MATCH_SET='--set'
    ;;
esac

# Block traffic from Tor nodes
if [ "$(ipset --swap TorNodes TorNodes 2>&1 | grep 'Unknown set')" != "" ]
then
    ipset -N TorNodes iphash
    [ -e $IPSET_LISTS_DIR/tor.lst ] || wget -q -O $IPSET_LISTS_DIR/tor.lst http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
    for IP in $(cat $IPSET_LISTS_DIR/tor.lst)
    do
        ipset -A TorNodes $IP
    done
fi
[ -z "$(iptables-save | grep TorNodes)" ] && iptables -I INPUT -m set $MATCH_SET TorNodes src -j DROP

# Block incoming traffic from some countries. cn and pk are for China and Pakistan. See other country codes at http://www.ipdeny.com/ipblocks/
if [ "$(ipset --swap BlockedCountries BlockedCountries 2>&1 | grep 'Unknown set')" != "" ]
then
    ipset -N BlockedCountries nethash
    for country in pk cn
    do
        [ -e $IPSET_LISTS_DIR/$country.lst ] || wget -q -O $IPSET_LISTS_DIR/$country.lst http://www.ipdeny.com/ipblocks/data/countries/$country.zone
        for IP in $(cat $IPSET_LISTS_DIR/$country.lst)
        do
            ipset -A BlockedCountries $IP
        done
    done
fi
[ -z "$(iptables-save | grep BlockedCountries)" ] && iptables -I INPUT -m set $MATCH_SET BlockedCountries src -j DROP

# Block Microsoft telemetry spying servers
if [ "$(ipset --swap MicrosoftSpyServers MicrosoftSpyServers 2>&1 | grep 'Unknown set')" != "" ]
then
    ipset -N MicrosoftSpyServers iphash
    for IP in 23.99.10.11 63.85.36.35 63.85.36.50 64.4.6.100 64.4.54.22 64.4.54.32 64.4.54.254 \
              65.52.100.7 65.52.100.9 65.52.100.11 65.52.100.91 65.52.100.92 65.52.100.93 65.52.100.94 \
              65.55.29.238 65.55.39.10 65.55.44.108 65.55.163.222 65.55.252.43 65.55.252.63 65.55.252.71 \
              65.55.252.92 65.55.252.93 66.119.144.157 93.184.215.200 104.76.146.123 111.221.29.177 \
              131.107.113.238 131.253.40.37 134.170.52.151 134.170.58.190 134.170.115.60 134.170.115.62 \
              134.170.188.248 157.55.129.21 157.55.133.204 157.56.91.77 168.62.187.13 191.234.72.183 \
              191.234.72.186 191.234.72.188 191.234.72.190 204.79.197.200 207.46.223.94 207.68.166.254
    do
        ipset -A MicrosoftSpyServers $IP
    done
fi
[ -z "$(iptables-save | grep MicrosoftSpyServers)" ] && iptables -I FORWARD -m set $MATCH_SET MicrosoftSpyServers dst -j DROP

Source: https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset

I've replaced:
Code:
# Loading ipset modules
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_nethash ip_set_iphash ipt_set
do
    insmod $module
done

With:
Code:
# Load ipset modules
# (no whitespace may follow the trailing backslashes, or the line continuation breaks)
ipset -v | grep -i "v4" > /dev/null 2>&1
if [ $? -eq 0 ];
then
   # old ipset
   ipsetv=4
   lsmod | grep "ipt_set" > /dev/null 2>&1 || \
   for module in ip_set ip_set_nethash ip_set_iphash ipt_set
   do
       insmod $module
   done
else
   # new ipset
   ipsetv=6
   lsmod | grep "xt_set" > /dev/null 2>&1 || \
   for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
   do
       insmod $module
   done
fi

Hopefully this fixes the issue.
 
Hi John! After updating from 19E3 to 20B7, I can no longer see either IP addresses or names of clients under System Log > Wireless Log on my RT-N66 (running under AP mode). Is it normal? Thanks!

It depends.....how long did you wait before looking and what state were the wireless clients in? Two things are necessary to fill in the table....
there must be an active entry in the arp table to get the ip address
there must be an active DNS lease to get the client name

If the devices were in sleep mode when you loaded the code (and cleared both items), you can see what you got until they wake up, request a new lease and get an arp entry. (I've seen some clients that don't reliably request a new lease on wakeup, in which case the name will be blank until you force a new lease by disabling/enabling wireless on the client).
 
Hopefully this fixes the issue.
I don't think that will change anything....ipset didn't change for the MIPS routers. It sounds like your modem is more likely dropping your internet connection. Upload a syslog when it happens and provide a link and we may be able to see what is going on.

EDIT: As a separate issue, it's also possible that MS changed the active probing address (for Win 7, it's dns.msftncsi.com (131.107.255.255)...don't know about Win10). Does it still happen if you totally disable the 'spyware' ipsets? Those ip lists are not always the most reliable things. I tried one that disabled my hotmail account.
 
I don't think that will change anything....ipset didn't change for the MIPS routers. It sounds like your modem is more likely dropping your internet connection. Upload a syslog when it happens and provide a link and we may be able to see what is going on.

EDIT: As a separate issue, it's also possible that MS changed the active probing address (for Win 7, it's dns.msftncsi.com (131.107.255.255)...don't know about Win10). Does it still happen if you totally disable the 'spyware' ipsets? Those ip lists are not always the most reliable things. I tried one that disabled my hotmail account.

Yea, I thought it might be the modem but I wanted to check off all other possibilities first.

I just noticed Merlin blocks Microsoft telemetry servers however I took out that part in my script.
 
Yea, I thought it might be the modem but I wanted to check off all other possibilities first.

I just noticed Merlin blocks Microsoft telemetry servers however I took out that part in my script.
The telemetry blocking is added via your added script....not in the base code.

Also, just as an info item.....the latest ASUS/Merlin builds actually use the same address as Windows (dns.msftncsi.com) as the default host to check if dns services are working. If you are using a Windows Tracking blocker....be careful.

I didn't make that change in my fork. I still use a series of the most popular search engine sites to verify dns function.
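
A pre-flight check for the caveat above, as an added example that is not part of the original thread or of the firmware: before entries from a downloaded or hand-made list are fed to `ipset -A`, it rejects malformed lines and flags any entry that would cover an address the router or Windows needs for its connectivity probe. The function names are hypothetical and the sample list is constructed; the probe address is the one quoted in the post above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# ip_to_int A.B.C.D: print the address as a 32-bit integer; return 1 if malformed.
ip_to_int() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# entry_covers ENTRY ADDR: 0 if ENTRY (IP or CIDR) contains ADDR, 1 if not, 2 if malformed.
entry_covers() {
    net=${1%/*}; bits=32
    case "$1" in */*) bits=${1#*/} ;; esac
    case "$bits" in ""|*[!0-9]*|0?*|???*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    n=$(ip_to_int "$net") || return 2
    a=$(ip_to_int "$2") || return 2
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( n & mask )) -eq $(( a & mask )) ]
}

# check_blocklist "ADDR ADDR ..." < list
# Prints "COLLISION entry addr" or "INVALID entry"; returns 0 only for a clean list.
check_blocklist() {
    must_allow=$1
    rc=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=$(printf '%s' "$entry" | tr -d '\r ')
        case "$entry" in ""|"#"*) continue ;; esac
        for addr in $must_allow; do
            st=0
            entry_covers "$entry" "$addr" || st=$?
            case $st in
                0) echo "COLLISION $entry $addr"; rc=1 ;;
                2) echo "INVALID $entry"; rc=1; break ;;
            esac
        done
    done
    return $rc
}

# Constructed sample: two addresses from the script earlier in the thread,
# one constructed CIDR, and one junk line such as a failed download would leave.
sample_list() {
    printf '%s\n' '131.107.113.238' '65.52.100.7' '131.107.0.0/16' '<html>error</html>'
}

# Example run: sample_list | check_blocklist "131.107.255.255"
```

Only lines that pass the check should reach `ipset -A`; a non-zero return is the signal to keep the previous cached list instead.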
 
It depends.....how long did you wait before looking and what state were the wireless clients in? Two things are necessary to fill in the table....
there must be an active entry in the arp table to get the ip address
there must be an active DNS lease to get the client name

If the devices were in sleep mode when you loaded the code (and cleared both items), you can see what you got until they wake up, request a new lease and get an arp entry. (I've seen some clients that don't reliably request a new lease on wakeup, in which case the name will be blank until you force a new lease by disabling/enabling wireless on the client).

Thanks John! Strange thing is that it never happened before with 19E3 or earlier. And all my devices on the RT-N66U are constantly on and streaming videos 24/7

ANwSEh7.png
 
Thanks John! Strange thing is that it never happened before with 19E3 or earlier. And all my devices on the RT-N66U are constantly on and streaming videos 24/7
Hmmmm....didn't make any changes (at least that I know of) that would affect the wireless log output. But at least some of your devices are in powersave mode, which I think can cause some strange results.

Can you append the output of the following commands....
Code:
arp -a | sed -r "s/([[:xdigit:]]{1,2}[:-]){5}([[:xdigit:]]{1,2})/xx:xx:xx:xx:xx:\2/g"

cat /tmp/var/lib/misc/dnsmasq.leases | sed -r "s/([[:xdigit:]]{1,2}[:-]){5}([[:xdigit:]]{1,2})/xx:xx:xx:xx:xx:\2/g"
Note: The long sed command is to automatically obscure your mac addresses :)
 
Hmmmm....didn't make any changes (at least that I know of) that would affect the wireless log output. But at least some of your devices are in powersave mode, which I think can cause some strange results.

Can you append the output of the following commands....
Code:
arp -a | sed -r "s/([[:xdigit:]]{1,2}[:-]){5}([[:xdigit:]]{1,2})/xx:xx:xx:xx:xx:\2/g"

cat /tmp/var/lib/misc/dnsmasq.leases | sed -r "s/([[:xdigit:]]{1,2}[:-]){5}([[:xdigit:]]{1,2})/xx:xx:xx:xx:xx:\2/g"
Note: The long sed command is to automatically obscure your mac addresses :)

Stupid question: how can I run those command lines ? Thanks!

Edit: found out that I need to enable Telnet both in Windows and Router's Administration > System.

Below are the outputs of those command lines from the main router (AC68U) not the AP itself (N66U). I removed all client names because they are quite ridiculous :)

Code:
arp -a | sed -r "s/([[:xdigit:]]{1,2}[:-]){5}([[:xdigit:]]{1,2})/xx:xx:xx:xx:xx:\2/g" | sed 's/^[^(]*(/(/'


Code:
cat /tmp/var/lib/misc/dnsmasq.leases | sed -r "s/([[:xdigit:]]{1,2}[:-]){5}([[:xdigit:]]{1,2})/xx:xx:xx:xx:xx:\2/g" | sed 's/\.[^.]*$//'

 
Stupid question: how can I run those command lines ? Thanks!
Sorry....telnet or ssh to the router. Then you can cut/paste from the forum entry or type them in by hand.

Oh....and one other question. Do the clients show up correctly if you look at the client list under network map?
 
@rtn66uftw - I just was looking again at your output, and you are even missing the column header for 'Name' which is really strange.....what browser are you using?
 
Oops I didn't see your post. Please see my edited post with all the outputs above

Sorry....telnet or ssh to the router. Then you can cut/paste from the forum entry or type them in by hand.

Oh....and one other question. Do the clients show up correctly if you look at the client list under network map?

Yes they all show up correctly under network map

@rtn66uftw - I just was looking again at your output, and you are even missing the column header for 'Name' which is really strange.....what browser are you using?

Firefox and Edge. They both don't have Name column.

It might help if I tell you how I set up my network:

1. AC68U is the main router. I gave all clients a static IP and Name under LAN > DHCP Server. Under System Log > Wireless Log, everything shows up correctly including the Name column
2. N66U is set as AP. Under Wireless log, Name column is always missing but IP Address was there prior to 20B7
 
Oops I didn't see your post. Please see my edited post with all the outputs above



Yes they all show up correctly under network map



Firefox and Edge. They both don't have Name column.

It might help if I tell you how I set up my network:

1. AC68U is the main router. I gave all clients a static IP and Name under LAN > DHCP Server. Under System Log > Wireless Log, everything shows up correctly including the Name column
2. N66U is set as AP. Under Wireless log, Name column is always missing but IP Address was there prior to 20B7
I took a look at the code.....the Name column doesn't show up if you don't have a dnsmasq leases file. Have you done anything to move it or use a different DHCP server?
 
I took a look at the code.....the Name column doesn't show up if you don't have a dnsmasq leases file. Have you done anything to move it or use a different DHCP server?

Thanks John! Indeed when I ran one of the commands on N66U I got this

cat: can't open '/tmp/var/lib/misc/dnsmasq.leases': No such file or directory

I have never run any command line on these routers tbh. How do I re-create dnsmasq leases file then?
 
I have never run any command line on these routers tbh. How do I re-create dnsmasq leases file then?
The leases file should be built automatically after dnsmasq starts as each client requests a lease (especially wireless clients). Next thing will be to take a look at the syslog. Can you do a save after a reboot and upload it to a sharing site and provide a link? If you have trouble with this, send me a PM and I'll give you my email address to send it to me.
 
@rtn66uftw - Read again....the N66 is an AP? Then there won't be a leases file (and why the code doesn't try to include the Name field). Now, I'm not sure about the arp table....did you get output from the N66 running the arp command?
 
