[Preview] Early Asuswrt-Merlin 384.6 test builds are available

[natzakaria]

Good so far on 5300

 

[kfp]

Tin foil hat much?

I think that’s pretty reasonable. What’s your problem with that setup?

 

[cmkelley]

I think that’s pretty reasonable. What’s your problem with that setup?

It's reasonable, sure, but honestly, dealing with OpenBSD is way too big of a pain for most people. And I say that as someone running OpenBSD on a Lenovo T61p. I used to have an old Pentium machine running pfSense (before they got bought and turned evil) and even that, I had to learn a LOT about networking and such to make it work the way I wanted. It isn't that most people aren't "smart" enough to do it, but most people don't have enough interest in it to spend that much time learning about networking.
Assuming my next router isn't being bought in a panic because the old one crapped out, I will probably go back to rolling my own router with pf either on top of FreeBSD or OpenBSD, because I enjoy that sort of stuff as a hobby. Most people just want to connect to the internet and not deal with the nitty gritty.
I honestly don't know why there are no readily available consumer grade routers built on OpenBSD. OpenBSD is more secure, licensing is far easier than the GPL, and it's really not any harder than doing it on Linux. Probably because it's easier to find coders familiar with Linux than *BSD.

 

[kfp]

It's reasonable, sure, but honestly, dealing with OpenBSD is way too big of a pain for most people.

I’m not advocating it for most people, I just don’t understand why using it automatically equates to wearing a tinfoil hat.

Obviously @azdps is comfortable managing it and using it as his edge device.

 

[DonnyJohnny]

It's reasonable, sure, but honestly, dealing with OpenBSD is way too big of a pain for most people. And I say that as someone running OpenBSD on a Lenovo T61p. I used to have an old Pentium machine running pfSense (before they got bought and turned evil) and even that, I had to learn a LOT about networking and such to make it work the way I wanted. It isn't that most people aren't "smart" enough to do it, but most people don't have enough interest in it to spend that much time learning about networking.
Assuming my next router isn't being bought in a panic because the old one crapped out, I will probably go back to rolling my own router with pf either on top of FreeBSD or OpenBSD, because I enjoy that sort of stuff as a hobby. Most people just want to connect to the internet and not deal with the nitty gritty.
I honestly don't know why there are no readily available consumer grade routers built on OpenBSD. OpenBSD is more secure, licensing is far easier than the GPL, and it's really not any harder than doing it on Linux. Probably because it's easier to find coders familiar with Linux than *BSD.

I think that’s pretty reasonable. What’s your problem with that setup?

Let’s don’t hijack the thread as Eric used for Merlin firmware related issue.

If need to further discuss, may move to here.
https://www.snbforums.com/forums/lan-wan-article-discussions.19/

Thanks.

 

[Temchenko]

Hi. I am interested if that firmware have any changes related L2TP-Wi-Fi instability issue? I was posting that on official AsusWRT forum but nobody haven't answered.
Dear RMerlin would you please take closer look for this issue at AC86U? That'll be great since none of Asus reps paid any attention for that and number of affected people is thousands in CIS as part of our ISP uses L2TP to provide internet.
Huge thanks in advance.

 

[AndreiV]

I consider the RT-AC3200's goose cooked. I got a RT-AC86U because the 3200 uses 2.6 kernel and has tons of holes in it. I doubt it's security after I saw it fail to protect against malware attacks and spammers. I tested several ipset schemes and these proved my point. Don't just throw away the 3200 though. Use it as a wired access point.

Nonsense .

Nothing at all wrong with the AC3200 or Merlin's firmware for that model.

Mine gets a hammering 18+ hours a day with youngsters all over the net , we see no issues at all.

Spam and malware are down to your on line practices.

 

[AndreiV]

RT-AC3200_384.6_alpha2-g5b076fc87 flashed over previous alpha, had fun with the new certificate set up but all working well after a power cycle.

 

[octopus]

I just loaded new alpha2 (25 min up time) (alpha2-g5b076fc87) and seems to working fine so far.
When starting SSH from wan and try to turn on brute protection SSHBFP no chain is created.
That may have changed.

EDIT: seems to be created after awhile. (working)

New tab (privacy) in: Administreation: Administration - ASUS NOTICE( for privacy)

 

[scjr]

I loaded new alpha 2 revision (g5b076fc87) over previous version. RT-AC1900P. Smooth upgrade and no issues.

Just an observation under Tools/Sys Info and this has nothing to do with Merlin. I noticed the driver version date changed from the previous alpha.

Previous alpha 2 build: wl0: May 31 2018 13:48:59 version 6.37.14.126 (r561982)

New alpha 2 build: wl0: May 27 2018 15:12:06 version 6.37.14.126 (r561982)

 

[Flitzjoy]

Just flashed the new build.

Dnsmask stills failing with DNSSec (lot "Insecure DS reply received, do upstream DNS servers support DNSSEC?" log messages) and ntp sync fails. Disabling DNSSec restored ntp sync.

 

[DonnyJohnny]

Just flashed the new build.

Dnsmask stills failing with DNSSec (lot "Insecure DS reply received, do upstream DNS servers support DNSSEC?" log messages) and ntp sync fails. Disabling DNSSec restored ntp sync.

Regards the dnssec error message is common as most sites are not fully dnssec ready. It involves in various stages like dns hosting providers, web host provider, registrars, dns server used. That’s what it mean “if upstream DNs servers support DNSSEC?” You can read more here.
https://www.internetsociety.org/res...e-two-sides-of-dnssec-signing-and-validation/

You can see some example here for fully dnssec ready site.
https://www.internetsociety.org/deploy360/dnssec/tools/

You can test the site domain that if they are fully dnssec ready.
https://dnssec-analyzer.verisignlabs.com/


Regard to sync fail, do you have dnscrypt-proxy installed? Could be due to internet not ready when ntp sync process trying to start?

 

[LilyKim]

Just flashed the new build.

Dnsmask stills failing with DNSSec (lot "Insecure DS reply received, do upstream DNS servers support DNSSEC?" log messages) and ntp sync fails. Disabling DNSSec restored ntp sync.

Ooooh, thank you so much! Was about to factory reset, but decided to check this thread out again.. This was the issue I had myself. Disabled DNSSec and everything works flawlessly again.

 

[Flitzjoy]

Regards the dnssec error message is common as most sites are not fully dnssec ready. It involves in various stages like dns hosting providers, web host provider, registrars, dns server used. That’s what it mean “if upstream DNs servers support DNSSEC?” You can read more here.
https://www.internetsociety.org/res...e-two-sides-of-dnssec-signing-and-validation/

You can see some example here for fully dnssec ready site.
https://www.internetsociety.org/deploy360/dnssec/tools/

You can test the site domain that if they are fully dnssec ready.
https://dnssec-analyzer.verisignlabs.com/


Regard to sync fail, do you have dnscrypt-proxy installed? Could be due to internet not ready when ntp sync process trying to start?

No no, it's not normal.

Any previous stable release I don't have this issue in system logs.

I don't use any custom script, just Google dns with dnssec enabled. I already factory reseted by the way.

 

[john9527]

Just flashed the new build.

Dnsmask stills failing with DNSSec (lot "Insecure DS reply received, do upstream DNS servers support DNSSEC?" log messages) and ntp sync fails. Disabling DNSSec restored ntp sync.

The latest version of dnsmasq turned on 'strict' dnssec checking by default (dnssec_check_unsigned) as well as fixing some bugs in the dnssec check. Previously, if the server was not dnssec compliant, it would go on in most cases...now it fails the lookup with that error msg.

 

[Clark Griswald]

Latest Alpha 2 installed effortlessly over previous alpha. No issues noted in my environment

 

[eddiez]

No no, it's not normal.

Any previous stable release I don't have this issue in system logs.

I don't use any custom script, just Google dns with dnssec enabled. I already factory reseted by the way.

Google public dns does not support dnssec

 

[johnathonm]

Hi Merlin,

I hope you are well. I noticed there are two AC86U alpha2 files on the site. Is there a difference between the two? I can only tell the timestamps are different on one vs. the other.

Thank you,

Johnathon

 

[Sanna1967]

two AC86U alpha2

384.6_alpha2-g5b076fc87 is the last one

 

[DonnyJohnny]

Google public dns does not support dnssec

No.. it does..
https://developers.google.com/speed/public-dns/faq
Thanks @john9527 for the explaination. Note that dnssec is still not commonly used. Expect lots of such errors if the check unsigned dnssec is enable.