[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)


Can someone confirm that using v20E9 with factory defaults can set up a WAN PPPoE connection?
For an unknown reason my RT-N16 rebooted to factory defaults and I could not set it up to use my PPPoE WAN.
What did work though was restoring an older backup file (25.07.16).
Unfortunately I didn't save logs because I was in a hurry to restore the family's internet connection for Christmas :)

Look at the logs. If your ISP does some sort of MAC whitelisting, you might have to force the WAN MAC to an accepted one. I had to do this recently. Quite uncommon though.
 
Hey John, is there a way to save the SSL certificate that the router generates as a trusted certificate on Linux (Ubuntu MATE)? I've searched around a lot but can't get to a definite solution. Firefox does store an exception but there's no such workaround on Chrome. Trusted certificates work fine on Windows.

And more importantly, is SSL really needed when I am not using it to access the router from the WAN side and I've set only 4 trusted computers on the network to be able to log in to router administration (which are allocated IP addresses that are away from the general IP range allocated by DHCP)? I am a security freak though... can you please advise. :)
 
Hey John,

first of all a very merry Christmas (we have a second Christmas day in The Netherlands).

I noticed something strange which might or might not be related to the firmware.

I have a brand new PlayStation Pro which I hook up to the wired LAN connection.
No matter what I do it refuses to connect at anything other than 100Base-T.
As far as I can tell the PS4 Pro has a gigabit port so this should work.
Tried other ports, cables, everything.

Could this be an incompatibility issue?

I use robocfg show to tell if the port is switched to 1000BT or 100BT:

Port 0: 1000FD enabled stp: none vlan: 2 jumbo: off mac:
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac:
Port 2: 1000FD enabled stp: none vlan: 1 jumbo: off mac:
Port 3: 100FD enabled stp: none vlan: 1 jumbo: off mac:
Port 4: 100FD enabled stp: none vlan: 1 jumbo: off mac:
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac:


What is on Port 0, WAN!!!!
Port 1 is PC
Port 2 is Synology NAS
Port 3 is various stuff on 100BT
Port 4 is PS4 Pro (100FD while it should be 1000FD)
What is port 8?

I am on fork 20E3
 
@Gravityz Try using a different cable. Also try plugging the cable into a different LAN port.

Yes, port 0 is the WAN. Port 8 is the "CPU" port.
 
Edit: Never mind, I found it! http://www.snbforums.com/threads/fo...leases-v20e9-v22ba.18914/page-249#post-297897

After that, it gets difficult since I don't have a 'real' dual-wan setup
Hi @john9527, do you think it could help if I can get a fw version with DEBUG_NOISY defined? That way I would be able to see the output of csprintf() in the console, right?
I don't think I would be able to compile a version myself (never did it, lots could go wrong) but if you would compile one for my AC68U I'd be more than happy to share my findings with you.

I've been spending a lot of time today trying to understand and figure out what is wrong with wanduck but I just can't seem to find were the logic fails:
  1. Line 1866 (wanduck_main, wanduck.c) triggers a chain of functions resulting in the ping and either CONNED or DISCONN when the physical line is connected, which I think it is safe to assume gets processed since both of us confirmed the ping is triggered regularly
  2. The else if block starting in line 1906 sets conn_changed_state to DISCONN on the second loop (didn't figure out what happens in the first one where it is set to C2D) and starts the counter if idle (set_disconn_count(current_wan_unit, S_COUNT))
  3. Line 1942 increases the disconnection count
  4. Line 2208 triggers the WAN line switch if the disconnection count is equal to/higher than the maximum defined
I think being able to see the csprintf output would be helpful, I don't know if there's any other way to debug code running on the router (at least a way that I could both do and understand)

Thanks for your input!
 
[UPDATE]

Solved the problem.

I have 2 outlet ports coming from the wall.
The left connector had a broken wire (everything connected at 100BT).
The right connector had a bent pin (notebook connected at 1000BT but PS4 Pro at 100BT).

Thanks all for helping me out.


Hi Colin,

Tried different cables and ports on the router which I know work at 1000BT (1 and 2).

Nothing works.

This is the first time I ever have to worry about directly attached LAN cables connecting at full speed.
This was an issue 20 years ago.

Strange.

I suspect it must be the PS4 Pro then, since it is brand new and might have some bugs in it.

How can I tell the ports on the router are set to auto?
Is it wise to try to set them at fixed 1000BT?



EDIT: It worked! The script saved the output of "route" before dropping traffic on the primary WAN, after 90 seconds (when the default route was successfully switched to the secondary WAN) and again after removing the firewall entry. I still think it should also work if "Redirect to error page" is set to "Never" though...

OK, I think I might have cracked the Dual WAN ping failover... thing... Either that or I have reached the point where my brain is no longer able to read code:

wanduck.c, detect_internet(), line 452 reads:
Code:
    if(link_internet == DISCONN){
        nvram_set_int("link_internet", 0);
        record_wan_state_nvram(wan_unit, -1, -1, WAN_AUXSTATE_NO_INTERNET_ACTIVITY);

        if(!(nvram_get_int("web_redirect")&WEBREDIRECT_FLAG_NOINTERNET)) {
            nvram_set_int("link_internet", 1);
            link_internet = CONNED;
        }
    }
    else{
        nvram_set_int("link_internet", 1);
        record_wan_state_nvram(wan_unit, -1, -1, WAN_AUXSTATE_NONE);
    }

That piece of code gets executed if link_internet == DISCONN but the highlighted logical expression returns 1 and ends up setting link_internet to CONNED.

web_redirect is 1 in my current config (no clue what that means but it seems to be the default value, seems linked to the redirect on either link or WAN down feature?) and WEBREDIRECT_FLAG_NOINTERNET is defined as 2 in /release/src/router/shared/rtstate.h. If my binary algebra does not fail, 2 is 10 and that means the bitwise AND returns 0, which in turn the NOT operator turns to 1 and fulfills that clause condition.

I have changed the "Redirect to error page" to "When WAN down" which turned web_redirect to 2 and will build a quick script to test if it works (being remotely connected means I will get disconnected when primary wan goes down) and update this post.
 
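The bit test analysed in the post above, as an added C example (not code from wanduck.c or the fork): it models the quoted branch of detect_internet() together with a simplified disconnect counter, and shows why web_redirect=1 keeps the counter from ever reaching the failover threshold while web_redirect=2 lets it. WEBREDIRECT_FLAG_NOINTERNET = 2 is the value the post quotes from rtstate.h; the CONNED/DISCONN values, the maximum count and the counter behaviour are assumptions made for the example.

```c
#include <stdio.h>

/* Constructed values for this example; only WEBREDIRECT_FLAG_NOINTERNET = 2
   comes from the post (quoted from rtstate.h). */
#define DISCONN 0
#define CONNED  1
#define WEBREDIRECT_FLAG_NOINTERNET 2

/* Models the branch quoted from detect_internet(): given the ping result and
   the nvram web_redirect value, returns the value link_internet ends up with. */
int detect_internet_result(int link_internet, int web_redirect)
{
    if (link_internet == DISCONN) {
        /* The "no internet" result survives only when the NOINTERNET bit is
           set in web_redirect; otherwise the state is overridden to CONNED. */
        if (!(web_redirect & WEBREDIRECT_FLAG_NOINTERNET))
            link_internet = CONNED;
    }
    return link_internet;
}

/* Hypothetical simplification of the wanduck counter the post describes:
   every loop the ping fails; DISCONN increments the count and failover
   fires once count >= max_count. Returns the loop number at which failover
   fires, or -1 if it never does within `loops` iterations. */
int loops_until_failover(int web_redirect, int max_count, int loops)
{
    int disconn_count = 0;
    for (int i = 1; i <= loops; i++) {
        if (detect_internet_result(DISCONN, web_redirect) == DISCONN) {
            disconn_count++;
            if (disconn_count >= max_count)
                return i;
        }
        /* A loop reported as CONNED leaves the counter untouched here; the
           real reset behaviour is not shown on the page. */
    }
    return -1;
}

int main(void)
{
    printf("web_redirect=1 (default):       failover at loop %d\n",
           loops_until_failover(1, 3, 10));   /* -1: never switches */
    printf("web_redirect=2 (When WAN down): failover at loop %d\n",
           loops_until_failover(2, 3, 10));   /* 3 */
    return 0;
}
```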
@RMerlin Just thinking about busybox applets.....we should probably try and keep in sync. I'll pick up history and monotonic syscall, but over time I've picked up a couple more (you already found xarg). Additionally, I added time, uniq, getopt/getopt long and mktemp.

Works for me. We still need to be careful however to ensure that we don't enable an applet that Asus might end up overriding with a full-featured package in the future (like they did with wget). That's one of the reasons I prefer to stick to a limited set of applets - fewer things to remember whenever merging new code in, and also it reduces memory usage (keep in mind that when you run any applet, the whole busybox binary gets loaded.)
 
Hi all :)

Can someone explain the setup required to get DNSCrypt working in 22BA on an AC68U? I would like the router to forward all DNS queries to Adguard.

On the WAN -> WAN DNS Setting panel I have the following:
Connect to DNS Server Automatically: No
DNS Server1: 8.8.8.8
DNS Server2: 8.8.4.4
Enable DNSSEC Support: Yes
Enable DNSCRYPT Support: Yes
DNSCRYPT Resolver1: Adguard DNS 1
DNSCRYPT Port1: 65053
DNSCRYPT Resolver2: Adguard DNS 2
DNSCRYPT Port2: 65054
DNSCRYPT log level: Warning

This doesn't seem right to me since Google's DNS servers (8.8.8.8 etc) don't support DNSCrypt? I checked what servers were being used on this setup and it looks like Google's.

But if I set "Connect to DNS Server Automatically" to "No" then my ISP's DNS is used. I can't set it to 'Yes' and leave the DNS Server1/2 entries empty either?

What am I missing?

Thanks :)
 
Can someone explain the setup required to get DNSCrypt working in 22BA on an AC68U? I would like the router to forward all DNS queries to Adguard.
Sometimes the toughest part of a new 'feature' is the user interface :)

When you select to use DNSCrypt, the WAN DNS server settings are ignored (except when you also have an OpenVPN client active and want to use other than the VPN DNS servers). So with your settings, you should be using the Adguard servers. You might try setting the log level from Warning to Info, then you should see the DNSCrypt servers getting the certs and starting in the syslog.

One other thing....not all (actually very few) DNSCrypt servers are DNSSEC enabled (they are labeled in the selection list). Right now, DNSSEC is running in a 'non-strict' mode, in that it will use DNSSEC if available, but not block things if not available. I'm thinking about changing that in the next release to full DNSSEC enforcement if selected.
 
Sometimes the toughest part of a new 'feature' is the user interface

In Asuswrt's case, it's often the toughest part. I hate dealing with the webui, especially since the existing code is a mess.
 
OK, I think I might have cracked the Dual WAN ping failover... thing... Either that or I have reached the point where my brain is no longer able to read code:
Interesting that the redirect on fail seems to be taking precedence over the fail over. I'm currently not able to do a lot of debug work, but will definitely take a look next week.
 
Sometimes the toughest part of a new 'feature' is the user interface :)

When you select to use DNSCrypt, the WAN DNS server settings are ignored (except when you also have an OpenVPN client active and want to use other than the VPN DNS servers). So with your settings, you should be using the Adguard servers. You might try setting the log level from Warning to Info, then you should see the DNSCrypt servers getting the certs and starting in the syslog.

One other thing....not all (actually very few) DNSCrypt servers are DNSSEC enabled (they are labeled in the selection list). Right now, DNSSEC is running in a 'non-strict' mode, in that it will use DNSSEC if available, but not block things if not available. I'm thinking about changing that in the next release to full DNSSEC enforcement if selected.

Thanks John :)

I set the log level as suggested and do indeed see the certs etc. in syslog.

However, I still seem to be using Google's DNS servers?

Here's how I test:
1. Disable ab-solution ;)
2. Settings as above.
3. On my Mac I have the DNS Server set to 192.168.1.1 (AC68U).
4. DNS Leak test indicates Google's DNS servers.
5. Ad block test pages such as http://ads-blocker.com/testing/ and others display adverts which should be blocked by the Adguard DNS servers I believe?

BTW - I am also running a VPN client but it is setup to route only one IP (not the Mac I'm testing on).

Any insights?

Thanks :)
 
BTW - I am also running a VPN client but it is setup to route only one IP (not the Mac I'm testing on).
Maybe the case of too many options :)

Since you are running an AC68 (ARM), when you turn on the VPN you have these options after setting up DNSCrypt on the WAN page...go to the OpenVPN client page....
- If you want everything to use DNSCrypt (both your VPN and non-VPN clients), under 'Accept DNS configuration', select DNSCrypt from the pulldown. The checkbox will then allow you to have the non-VPN clients use the WAN DNS servers (in your case, the Google servers).
- If you want your VPN clients to only use the VPN DNS servers, select Exclusive under 'Accept DNS configuration'. Another checkbox will then appear, allowing you to specify that you want your non-VPN clients to use DNSCrypt instead of the VPN DNS servers.
 
Maybe the case of too many options :)

Since you are running an AC68 (ARM), when you turn on the VPN you have these options after setting up DNSCrypt on the WAN page...go to the OpenVPN client page....
- If you want everything to use DNSCrypt (both your VPN and non-VPN clients), under 'Accept DNS configuration', select DNSCrypt from the pulldown. The checkbox will then allow you to have the non-VPN clients use the WAN DNS servers (in your case, the Google servers).
- If you want your VPN clients to only use the VPN DNS servers, select Exclusive under 'Accept DNS configuration'. Another checkbox will then appear, allowing you to specify that you want your non-VPN clients to use DNSCrypt instead of the VPN DNS servers.

Thanks for your help :)

I choose 'Exclusive' under 'Accept DNS Configuration' and I get a checkbox labelled "WAN clients use WAN DNS Server (DNSCrypt unavailable)" which I check.

I then did a test from my Mac on dnsleaktest.com and got:

173.194.171.13 none Google United States
74.125.41.4 none Google Taiwan
173.194.171.5 none Google United States
173.194.171.3 none Google United States
173.194.171.8 none Google United States
173.194.93.19 none Google United States

Does that look right? Why does the checkbox say "DNSCrypt Unavailable"?

Edit: I checked syslog and dnscrypt is starting without errors.
Edit 2: I did a dnsleaktest.com from the IP routed via the VPN and it correctly reports my VPN provider's DNS.
 
Does that look right? Why does the checkbox say "DNSCrypt Unavailable"?
The option to mix 'Exclusive' mode VPN with DNSCrypt non-VPN is only available for ARM processor routers (otherwise it will be marked DNSCrypt Unavailable and you will use the regular WAN DNS when you check the box). I checked/tested the logic to make that determination, but maybe I missed something. I'll double check it next week.

EDIT: I think I may know why it shows DNSCrypt unavailable. Can you check the following via telnet/ssh

nvram get allow_routelocal

if it comes back as '0' (and it's an AC56 or AC68 router) set it to '1'

nvram set allow_routelocal=1
 
The option to mix 'Exclusive' mode VPN with DNSCrypt non-VPN is only available for ARM processor routers (otherwise it will be marked DNSCrypt Unavailable and you will use the regular WAN DNS when you check the box). I checked/tested the logic to make that determination, but maybe I missed something. I'll double check it next week.

EDIT: I think I may know why it shows DNSCrypt unavailable. Can you check the following via telnet/ssh

nvram get allow_routelocal

if it comes back as '0' (and it's an AC56 or AC68 router) set it to '1'

nvram set allow_routelocal=1

allow_routelocal was indeed set to '0' so I set it to '1' and the 'DNSCrypt Unavailable' message disappeared :) However dnsleaktest.com still reports what looks like Google DNS servers.

But, when I do the following at the shell prompt on the router I get:

# hostip -r 127.0.0.1:65053 resolver.dnscrypt.org
74.125.44.145
# hostip -r 127.0.0.1:65054 resolver.dnscrypt.org
74.125.74.3
# hostip -r 127.0.0.1 resolver.dnscrypt.org
209.222.18.218

The first two look like Google-owned IPs but are probably Adguard DNS servers. The last is my VPN's DNS, which seems strange since it is only supposed to be used for one IP address routed over the VPN.

Complicated stuff but very interesting :)
 
@wedwabbit Sorry....after making the allow-routelocal change, you will need to reboot or restart the VPN (otherwise the correct iptables rules won't be set).

I'm also not sure that using hostip on the router like you are trying to do is really telling you what you want to know. That utility is meant to be used when DNSCrypt can't validate its certs to do DNS resolution. I'd have to go through the source, but I'd guess it's trying to find an alternate DNS server or goes to a built-in default (maybe Google?), since using the DNSCrypt server would mean there would have to be a back door to bypass validation, which wouldn't be good.

Try testing from the clients directly after rebooting the clients or clearing their DNS cache to make sure it's working. (I use dnsleaktest.com in my testing to verify the right servers are being used).
 
I'm sorry if I missed it somewhere in this thread already, but does @RMerlin have any intention of integrating the DNSCrypt options? I would appreciate it but understand supporting each new feature potentially requires additional work. I have it working via JFFS but it's not the most convenient method. Either way, I appreciate the work both @RMerlin and @john9527 have done!
 