[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)


Is there any way to check CPU usage for this? I tried the 'top' command via PuTTY but it is showing
CPU: 0.0% usr 0.0% sys 0.0% nic 100% idle 0.0% io 0.0% irq 0.0% sirq

Also, what is the normal temperature for 2.4 GHz - 5 GHz - CPU? I am getting 49C 54C 76C respectively. Is that safe in the long run?
Sorry if this has been asked before, I am new here.

Top is accurate as far as I know.....make sure you are actually doing something, like a speedtest, and I'm sure you'll see it change.

You didn't say what model router, so I'll assume an AC68.....those temps are average.
 
Hi John,

I am still in the process of making my second OpenVPN server more secure. You helped me before with success, and now I have successfully enabled specific routing through the firewall to specific internal IPs.

Can you explain more about the "Allowed Clients" section in the OpenVPN details? I am looking for a way to allow only a specific remote IP address to access the OpenVPN server (of course with a valid certificate).

I did some testing but I cannot seem to understand what these options actually do. In combination with the option "allow only specific client" it seems that it does only Common Name verification. When entering a subnet and subnetmask this does nothing for the connecting part. The following options are available from the GUI:

Common Name: [Certificate Common Name]
Subnet: ?
Subnet Mask: ?
Push: Yes/No ?

Is it possible to allow only a specific remote IP with these options, if not, is there a way to do so?
Thanks!
 
Pushed a new refresh to the beta....something to play with over Christmas :)
This is likely to be the final content of the formal release, so if you can test at all it would be appreciated.

BETA RELEASE: Update-22BA
21-December-2016
Merlin fork 374.43_2-22BAj9527
Download http://bit.ly/1UGjcOX
============================

Following are the major changes (full changelog is in the zip files)

Update-22BA Highlights
  • Backport of ASUS XSS/CSRF security fix
  • DNSCrypt Enhancements
    • Now supports two DNSCrypt resolvers for redundancy
    • Supports IPv6 DNSCrypt resolvers
    • DNSCrypt resolvers list is now marked with IPv6/DNSSEC support instead of being filtered
    • New option for ARM processors to allow using VPN servers in Exclusive mode for VPN Clients and DNSCrypt for non-VPN (WAN Clients). Sorry, this is not available for the MIPS based processors as it required a kernel backport and the MIPS kernel is too old.
    • NOTE: If you are currently on 22B6, you will need to reconfigure your DNSCrypt settings after moving to 22BA (I needed to change some of the nvram variable names to support multiple resolvers).
  • Fix for QoS Stats charts rounding the byte transfer counts
  • Optimize QoS rules during entry that specify byte counts of 0 to unlimited (blank)
  • Fix when using explicit-exit-notify in OpenVPN client custom configuration. This should also resolve other problems such as 'orphan' routes when stopping VPN clients and problems in setting custom routes in the custom configuration.
  • Improved the OpenVPN Client/Server start and stop sequences
  • Prevent use of registered domain names for the router domain
  • Merlin Backports
    • Update nano to 2.7.1
    • Add IPv6 support for curl

See the previous release notes for the earlier V22 beta releases here
http://www.snbforums.com/threads/fo...leases-v20e9-v22b6.18914/page-241#post-295739

As always, a reminder to users with MIPS routers to have a backup of /jffs in case the jffs space needs to be reformatted due to increases in firmware size.

SHA256
Code:
73bf40d743d923ef32362afd57cb014954fae16a5cc7b72144c2a43b7b09d557  RT-AC68U_3.0.0.4_374.43_2-22BAj9527.trx
9c79de3e0b332b22d12b9f462af8c6a898505a3fc3700efdc44d72027beff5d6  RT-AC56U_3.0.0.4_374.43_2-22BAj9527.trx
1be53615402e9bf71e81b34099bfbc8e96916aa5e1baada454f46f125bbd973d  RT-N16_3.0.0.4_374.43_2-22BAj9527.trx
638bd3436bb9e9392be8d091972e06b16ed1d4cd8bfb7170d0e960ecad154cf0  RT-AC66U_3.0.0.4_374.43_2-22BAj9527.trx
1231ce6b4edb5d950e24365c8885741d415a5b000fd0500d213b64223d9df650  RT-N66U_3.0.0.4_374.43_2-22BAj9527.trx
 
Hi @john9527. I am trying to test the failover/failback dual WAN functionality in 20E9 (AC68U) because I am guessing it does not work at least as I think it should.
I have set up the following:
Code:
wandog_interval=5
wandog_maxfail=12
wandog_fb_count=4
wandog_delay=0
wandog_target=www.google.com

I know it does work at the link level, if I unplug either the network or coaxial cable from my router, or if I switch it off but I wanted to verify it does ping google and switch but have been unable to do so.

I used a modified host file to resolve www.google.com as 10.9.9.9, confirmed it does not reply to ping requests from the router itself but even after a couple minutes the WAN connection is not switched to the secondary one as I thought it would and it still routes traffic using the main interface.

Would you mind giving me some insights on how I should confirm everything works ok? I had an ISP issue yesterday and was left with no connectivity for the whole day, even though I have a backup line because it never switched.

Thanks in advance!

S
-
 
Would you mind giving me some insights on how I should confirm everything works ok?
The dual-wan code is something Merlin and I tend to stay out of....rather cryptic and not well documented.

Having said that, I took a quick look....and without trying to trace it all through, your test technique may not be what you expect. At least part of the code won't switch or do the ping test until the interface is seen working at least once. So if you boot with your modified hosts file, it may never work. Give this a try....

- Remove your host file change and reboot the router.....make sure the main page shows both wan interfaces as available (or whatever the good status indicator is).
- Now edit your hosts file on the router
- enter
service restart_dnsmasq
- cross your fingers and see what happens :)
 
- Remove your host file change and reboot the router.....make sure the main page shows both wan interfaces as available (or whatever the good status indicator is).
- Now edit your hosts file on the router
- enter
service restart_dnsmasq
- cross your fingers and see what happens :)
Actually, that is kind of what I did, using the blacklist of AB-Solution, but that is what it does in the background. (enters 10.9.9.9 www.google.com in the hosts file and restarts dnsmasq)

I did not have my fingers crossed though...
 
do the ping test until the interface is seen working at least once
Do I have any way to check if it even is pinging? I know wanduck is running but that seems to be obvious or the router itself wouldn't work. From what I could see in the code (quicker look than yours) it touches /tmp/ping_success after pinging, probably as a flag, but I do not see that file created at all..

Edit: I manually touched, and it gets immediately deleted, that should explain why I do not see it in the first place...
 
Actually, that is kind of what I did, using the blacklist of AB-Solution, but that is what it does in the background. (enters 10.9.9.9 www.google.com in the hosts file and restarts dnsmasq)

I did not have my fingers crossed though...
Thinking some more....this may not work since we are killing access to both wan interfaces with the hosts change. By the time it fails the ping watchdog, it may have already also failed the secondary wan, so maybe says I'm done.

Trying to think of another way to test....what are the values of
wan0_ifname
wan1_ifname
wan_ifnames
 
it touches /tmp/ping_success after pinging, probably as a flag, but I do not see that file created at all..
It only touches the file if the ping is successful (&& touch), then checks for the existence of the file. Then deletes it.
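
The flag-file probe described in the reply above, as an added example that is not part of the thread and is not wanduck's code. The names FLAG, probe_once and watchdog are hypothetical, and treating the failure limit as a count of consecutive failed probes is an assumption.

```shell
#!/bin/sh
# Added example: a model of the "ping && touch flag" probe, not wanduck's code.
# FLAG, probe_once and watchdog are hypothetical names; treating maxfail as a
# count of consecutive failures is an assumption.
FLAG="${TMPDIR:-/tmp}/ping_success.$$"   # per-process path so the demo cannot collide

# probe_once CMD...: success is reported only through the flag file.
probe_once() {
    rm -f "$FLAG"                          # a leftover flag must not mask a failed probe
    "$@" >/dev/null 2>&1 && touch "$FLAG"  # flag is created only when the probe succeeds
    if [ -f "$FLAG" ]; then
        rm -f "$FLAG"                      # consumed at once, so it never lingers on disk
        return 0
    fi
    return 1
}

# watchdog MAXFAIL CYCLES CMD...: prints "failover" once MAXFAIL probes fail
# in a row, otherwise "up" after CYCLES probes. A real watchdog would sleep
# for its configured interval between probes; that wait is omitted here.
watchdog() {
    maxfail=$1; cycles=$2; shift 2
    fails=0; i=0
    while [ "$i" -lt "$cycles" ]; do
        if probe_once "$@"; then fails=0; else fails=$((fails + 1)); fi
        if [ "$fails" -ge "$maxfail" ]; then echo failover; return 0; fi
        i=$((i + 1))
    done
    echo up
}

# Constructed probes: `true` stands in for a reachable target, `false` for a blocked one.
watchdog 3 5 true
watchdog 3 5 false
```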
 
Trying to think of another way to test....what are the values of
wan0_ifname
wan2_ifname
wan_ifnames
Code:
wan0_ifname=vlan3
wan1_ifname=vlan150
wan_ifnames=vlan3 vlan150

WAN0 is DHCP
WAN1 is PPPoE (wan1_pppoe_ifname=ppp1 just in case)
 
@Santiago C

Not sure if this will work, but try this iptables rule to test (no hosts files changes) after a clean boot
iptables -I OUTPUT -o vlan3 -j DROP

EDIT: You may also have to clear the dnsmasq cache with the service restart_dnsmasq
 
iptables -I OUTPUT -o vlan3 -j DROP
It didn't work, was left with no internet access whatsoever, but the default route kept pointing to vlan3, @"#$!

Thoughts? I guess merging Merlin's current wanduck is a no-go but I see the do_ping_detect does more than just use the file as a flag in his current code, maybe importing just that function provided that it doesn't have weird dependencies? I am open to test it if you want
 
Hi @john9527 I've been doing some more testing:
  • I have linked /dev/null to an actual file in a hard drive and have an ssh window open watching its contents.
  • I have submitted the iptables statement to block traffic, the resulting "log" in /dev/null changes as expected.
  • I have opened a new ssh window and entered "ping www.google.com && touch /tmp/text.txt" and as expected /tmp/test.txt is not created (ping returns 1, also as expected). This was to confirm the iptables statement creates a comparable scenario
  • I issued a "service restart_firewall" to recover connectivity, but my main ISP was down at that moment and the router still didn't switch to my backup connection, had to unplug the cable modem power cable to get the router to switch (proving once again it does work when down at the link layer which does not rely on ping obviously), plugged it again and it did not switch back (expected, couldn't get a DHCP lease, right?)
  • Eventually my main ISP came up, the router was able to get a DHCP lease and automatically switched back to primary WAN
 
@Santiago C
I was able to turn on some tracing and verified the ping test is working correctly. After that, it gets difficult since I don't have a 'real' dual-wan setup. I have some ideas on things I can look at, but it will need to wait until after the holidays :)
 
Loaded V22BA and could not keep my TM822 Charter on line the TM822 keeps booting, log really displays nothing, tried total reset, clean NVRAM reloaded several times,
Can't tell anything without data.....syslog from the router, and I'd also like to see the TM822 log.
 
The RT-AC68U Log file has nothing NADA ZIP NADA FT
If it's as bad as you say, I'd really expect something to show up in the router syslog. I've heard of modem problems causing a router reboot, but never the other way around.
 
called charter they do or so they say they have an outage, but I got an idiot!!!!

after you look at it delete this message!! Don't like my MAC address on public

I can't delete it ....you need to (Delete button at bottom of msg)
Those are all upstream errors from the modem....it couldn't connect to its headend.
 
