[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

I asked a couple of times about those settings but got no answer, didn't want to bother you again :)
Apparently I got my answer sideways eventually :D
Thanks
I apologize if I missed getting back to you. I remember your note and writing a reply (in fact I found where I had written and saved it). Your request came in about the time I had to have a 'double' root canal done, and I must have forgotten to hit send. :oops:

For everyone's benefit, here's the answer :)

The pulldown controls what DNS servers are used by dnsmasq. The checkbox option on the same line controls routing WAN clients' DNS requests to bypass dnsmasq and go directly to a different set of DNS servers in policy rules mode.

Accept DNS Configuration
  • Disabled
    The VPN DNS servers are ignored, and all clients use the current non-VPN servers via dnsmasq.
  • Relaxed
    The VPN DNS servers are added to the list of servers that dnsmasq can use along with your default servers. Any server can be selected for any DNS request (will tend to use the fastest servers), so this can result in DNS leaks. DNSCrypt is not used even if configured.
  • Strict
    The VPN DNS servers are prepended to the list of servers that dnsmasq can use, followed by your default servers. DNS requests are sent to each server in order, starting with the VPN servers. If you have slow or poorly configured VPN servers, you will have DNS leaks. DNSCrypt is not used even if configured.
  • Exclusive
    The VPN DNS servers are the only servers used by dnsmasq. The checkbox option can change the DNS servers used by WAN clients, but then the WAN clients cannot use ABSolution.
  • DNSCrypt
    If you have DNSCrypt configured, only the DNSCrypt servers are configured for use by dnsmasq. The checkbox option can change the DNS servers used by WAN clients, but then the WAN clients cannot use ABSolution.

Note that my implementation of 'Exclusive' is different from Merlin's. In Merlin builds with policy rules, 'Exclusive' uses dnsmasq for your default DNS servers/WAN clients, and VPN clients are automatically routed to bypass dnsmasq and go directly to the VPN DNS server. This is why under Merlin, VPN clients with Exclusive DNS set cannot make use of ABSolution (they don't use dnsmasq).

Alternatively, the downside to my implementation is that applications that hardcode requests to specific DNS servers, like Chromecast and Google DNS, will have a leak to the Google DNS server even if the Chromecast is in the VPN. If this is important to you, you can override the DNS handling with DNSFilter for those clients, but then those clients would lose the ability to use ABSolution.

But honestly, I've given up on trying to use VPNs on clients that are media players (unless you are using a VPN provider that specifically supports geo location hiding). Applications like Netflix, Amazon Prime and other streaming apps now use the hardcoded DNS calls as part of their VPN/proxy checking and fail if you try and force the VPN DNS servers.
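To make the leak behaviour of the Relaxed/Strict/Exclusive modes concrete, here is a small shell check (an added example, not code from the thread or from the firmware) that inspects a dnsmasq config and reports whether non-VPN resolvers can still receive queries. It relies on real dnsmasq directives (`server=`, `strict-order`); the sample configs, the 10.8.0.1 VPN resolver and the 203.0.113.x ISP resolvers are constructed for illustration, and how the firmware actually writes dnsmasq.conf for each mode is an assumption.

```shell
#!/bin/sh
# Added example: classify DNS leak exposure from a dnsmasq config.
# Assumption: dnsmasq uses plain 'server=ADDR' lines in config order and
# 'strict-order' makes it try them in that order (both are real dnsmasq options).

# dns_upstreams CONFIG_FILE -> prints the upstream resolver addresses in config order
dns_upstreams() {
    sed -n 's/^server=\([^#]*\).*/\1/p' "$1"
}

# dns_leak_risk CONFIG_FILE "VPN_ADDR ..." -> prints one of:
#   none    : every configured upstream is a VPN resolver (Exclusive)
#   ordered : non-VPN resolvers exist but are only tried after the VPN ones (Strict)
#   any     : non-VPN resolvers exist and dnsmasq may pick any of them (Relaxed)
dns_leak_risk() {
    cfg=$1
    vpn=$2
    non_vpn=0
    for s in $(dns_upstreams "$cfg"); do
        case " $vpn " in
            *" $s "*) ;;          # address is one of the VPN resolvers
            *) non_vpn=1 ;;       # anything else is a potential leak target
        esac
    done
    if [ "$non_vpn" -eq 0 ]; then
        echo none
    elif grep -q '^strict-order' "$cfg"; then
        echo ordered
    else
        echo any
    fi
}

# make_sample MODE -> writes a constructed dnsmasq config for the mode, prints its path
make_sample() {
    f=$(mktemp)
    case $1 in
        relaxed)   printf 'server=203.0.113.53\nserver=10.8.0.1\nserver=203.0.113.54\n' > "$f" ;;
        strict)    printf 'strict-order\nserver=10.8.0.1\nserver=203.0.113.53\n' > "$f" ;;
        exclusive) printf 'server=10.8.0.1\n' > "$f" ;;
    esac
    echo "$f"
}

# Usage on a router would be:  dns_leak_risk /etc/dnsmasq.conf "10.8.0.1"
for mode in relaxed strict exclusive; do
    echo "$mode: $(dns_leak_risk "$(make_sample "$mode")" "10.8.0.1")"
done
```

Run against the real config instead of the constructed samples, it tells you at a glance whether a slow VPN resolver can cause fallback to ISP servers (ordered) or whether any query may go to them (any).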
 
But due to my double NAT Exclusive makes my WAN devices not have a working DNS.
It seems to work with relaxed, but I am not sure how that works, sounds a bit too relaxed for a VPN :D
It's probably not Exclusive mode that's the problem, but your VPN DNS rejecting requests that don't come through the VPN. In this case, use the WAN devices checkbox and it should work. (at the expense of no ABSolution for your WAN clients if you use it). Compromises.....
 
Can someone tell me if I should change any default router settings or is all default values secure enough.
Double check that on the Administration > System tab none of the services are selected to be open to the WAN (just a double check, it should be that way by default).
 
It's probably not Exclusive mode that's the problem, but your VPN DNS rejecting requests that don't come through the VPN. In this case, use the WAN devices checkbox and it should work. (at the expense of no ABSolution for your WAN clients if you use it). Compromises.....

No need to apologize, you do more than enough! :)

I am not sure the problem is clear.
The fire tv stick being rejected by the streaming services, is not in the vpn list (I actually installed a VPN client there selecting only Kodi to go through it).
However, the stick is going through the router WIFI, and when the VPN client is enabled, it seems to take the VPN DNS, if set in strict mode.
Unfortunately, using exclusive with the WAN DNS makes the stick work again, but my laptop cannot resolve anything (which speaks against the WAN checkbox, unless the WAN DNS are crap coming from my provider router).

Relaxed mode seems to work, but it might be coincidence based on which DNS is faster, plus it allows for DNS leak on the VPN devices.

I don't use ABSolutions, so no compromise there. :)
 
Hi I just switched to this firmware from the Merlin firmware and I have 2 questions. 1 is where is the setting to turn OFF access to the router from the WAN and 2 is when there are updates do you just download it and then go to the update page and upload it and that is it? I guess what I am really asking is do you have to clear and re-enter all your setting with every upgrade?

Thanks, AsusRouterUser
 
1 is where is the setting to turn OFF access to the router from the WAN
Administration > System> Web Access. Only if Authentication Method is set to HTTPS or BOTH will you then see the option Enable Web Access from WAN.
2 is when there are updates do you just download it and then go to the update page and upload it and that is it?
Yes
I guess what I am really asking is do you have to clear and re-enter all your setting with every upgrade?
No
 
I still have this extremely high sirq% on AC66 since upgrading from 23E to 31E, and now to 32L. The router used to be ~75% idle at 100 Mbps wire speed one direction, or 80/80 bidirectional. Now, nearing 100 Mbps, sirq% will be 80-99% and 0% idle; reaching anything above 50/50 bidirectional is hard to impossible.

I've done a factory reset and input settings manually, again for 32L. Yet this persists. There's no VPN configured or active. Very plain vanilla setup with pppoe access to ISP. Turned ddos/ssh protect servers off to save cpu.

Web interface reports that Hardware Acceleration/CTF is on, but is there some way to verify this from the shell? Otherwise i've no idea where to even start troubleshooting this.

Report with interrupts and top screenshot is in msg #7275
 
I still have this extremely high sirq% on AC66 since upgrading from 23E to 31E, and now to 32L. The router used to be ~75% idle at 100 Mbps wire speed one direction, or 80/80 bidirectional. Now, nearing 100 Mbps, sirq% will be 80-99% and 0% idle; reaching anything above 50/50 bidirectional is hard to impossible.
Two possibilities...
- Around V28 I updated the CTF code for the MIPS routers because it wasn't working for PPPoE. This did indeed fix it for that user.
- But in your screen shot, I see that httpd and protect_srv are using over 23% of the CPU. This usually indicates some type of 'attack'. Have you recently updated/changed any security suite software? Many of these will probe the network by trying to log into common local addresses. If so, you want to exclude the router address from these checks.
 
I need to check some version before 28 then, because this is getting really intolerable. Why I'm asking about how to verify that CTF is on, is that the total max throughput seems to be around 140 Mbps, which I've seen mentioned as the max without CTF. And that this would just magically top out at exactly the same figures... Interestingly I never had any problem with pppoe before.

Not sure but I believe that the top output shows relative timings, so if there's only 4% idle cpu available and httpd takes 1% out of 100%, then it'd show 25%. Because at the time of the screenshot I only had the web interface open, nothing else. Basically it's the sirq% eating up all cpu time and the rest have to fight for whatever's left.

I've not made any other system changes recently. It all started pretty immediately after the 23E->31E upgrade, although it took a while before I really started digging in to the cause of the sluggishness.

Edit: IF I was under some kind of prolonged attack, the throughput total should be nearer 200 Mbps, should my upload be maxed, which it often is. But at most, the up+down total is 140 Mbps. And that makes me suspect the router and CTF.
 
Two possibilities...
- Around V28 I updated the CTF code for the MIPS routers because it wasn't working for PPPoE. This did indeed fix it for that user.
AC66U: Changed to 27E5 and sirq utilization problem is completely gone. sirq% goes up ~10% for every 50 Mbps of wire speed, around 20% at 100 Mbps one way. With 32L it would be over 90%.

I'm using pppoe and there doesn't seem to be anything wrong regarding the CTF on 27E5 or earlier builds? But the later ones do make a problem with the excess sirq utilization. If you can make a test fw release of 32L code with the old CTF code I'll be happy to test it.
 
AC66U: Changed to 27E5 and sirq utilization problem is completely gone. sirq% goes up ~10% for every 50 Mbps of wire speed, around 20% at 100 Mbps one way. With 32L it would be over 90%.

I'm using pppoe and there doesn't seem to be anything wrong regarding the CTF on 27E5 or earlier builds? But the later ones do make a problem with the excess sirq utilization. If you can make a test fw release of 32L code with the old CTF code I'll be happy to test it.
So, who do I fix and who do I break? Here's a post near the beginning of the previous input that was having your same symptom of high sirq that was fixed with 28E8 release (read the posts from stalker780)
https://www.snbforums.com/threads/f...lts-releases-v32e4.18914/page-342#post-356474

Please try V28 release (there was a subsequent update to CTF in V29 due to continuing problems being reported on the Merlin code).
 
Been running the build with the Debian OpenSSL patch and nothing exciting to report. Memory usage over several days is negligibly better in some cases but I doubt I would be able to tell the difference. But no problems either.
 
Is it a Lexar USB? I had to relegate one I had to windows only as it would magically disappear when attached to the router.

No. It was a pretty old Transcend 2.0 USB

[attached image: TS2GJFV30-unit.jpg]
 
So, who do I fix and who do I break? Here's a post near the beginning of the previous input that was having your same symptom of high sirq that was fixed with 28E8 release (read the posts from stalker780)
Seems he is using N66U and complaining of "only" getting 220/500 Mbit speed. But the fixes break AC66U so badly it's struggling to reach 100 Mbps one way.

Please try V28 release (there was a subsequent update to CTF in V29 due to continuing problems being reported on the Merlin code).
I'll try both 28 and 29 over the weekend and get back to you with more info.

Meanwhile, AC66U@27E5 now at ~80/80 Mbps, protect services on, 2 ssh shells one of which is running 'top -d1' and the web interface traffic monitor, sirq% is 20-40% and idle% is 33-66%.
 