[Release 384/NG] Asuswrt-Merlin 384.4 is now available

Status
Not open for further replies.
Parental control (and firewall) worked on 380 -- I have been using it for a long time. I had to turn off parental control on 384 because (as reported by others as well) when enabled, it blocks internet access randomly even during "allow" periods.

Sean

After I updated 384.4_2 everything was fine for 2 to 3 days and then I experienced similar issues with parental controls. I even had an issue with Xbox playing fine but being kicked out of the chat rooms randomly.
I changed NAT acceleration from auto to disable and that appears to have sorted the issues out for now.
I have always been able to leave NAT acceleration on auto without a problem on other firmware updates but not this one.
Parental controls appear to be working ok for now but I will post if this changes.

I’m running an ac68u.
 
This is becoming an Urban legend :eek: .... 30-30-30 don't work with Asuswrt or Rmerlin fw.

With Asuswrt, 30-30-30 = Turn off the router, press the WPS button, then turn on the router. Wait about 15 seconds (Power LED will flash rapidly), then release the WPS button. Wait 3 min and reconfig, don't import saved settings.

He he. I just tried whatever I could find on the interwebz :D

I have also done the WPS button, but did not help.

Gonna return my AC3200 after Easter, and buy a new one, and I'm gonna stick with the 380 firmware and leave it like that. Not gonna sit and wait for this issue to be solved, apparently this WiFi issue (closed code) is out of RMerlin's control.

There is absolutely no chance to downgrade the AC3200?
 
Reverted my AC3200 to 384.3, hopefully will fix the terrible 2.4GHz wifi. Can the AC3200 be reverted to 380.x via the recovery procedure?
 
If there is ANY way to revert the AC3200 fw to 380.x I would be happy to know, even if it means the risk of bricking it.
 
So, I too am having issues with this release on my beloved RT-AC88U. I feel like o_O right now!

I went from release 380.69_2 to 384.4_2. After updating, I initialized and reconfigured the settings with the exception of the nat-start script. I also run a VPN client using AirVPN service but reconfigured that last. Now, both the 2.4 GHz and 5 GHz wireless worked at first; however, once I put in my nat-start script for port forwarding through my VPN, everything broke. My laptop's LAN connection appears fine, as in it shows I'm connected with no issues, and wireless shows to be connected but with no internet, yet I cannot access anything on the web even through just my LAN connection. I discovered that if I rename the nat-start script so it doesn't get loaded and reboot the router, everything works again.

So it's either...

1) The 384.4_2 breaks port forwarding, in which case I will have to revert to 380.69_2 or maybe try a 38x.x

or

2) My nat-start script is broken (though it worked before) in which case can someone here please review it?

This is what I was using that did work.

Code:
#!/bin/sh

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

#Port forwarding for transmission
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 61xxx -j DNAT --to-destination 192.168.1.x
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 61xxx -j DNAT --to-destination 192.168.1.x
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.x --dport 61xxx -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.x --dport 61xxx -j ACCEPT

Does my script need to be modified? Is there another method to forward a single port to a single IP on my network?

I have to this forum and everyone in this community has been invaluable. I would appreciate any assistance and recommendations on any of this.
 
Here's a visual for users affected by the network services filter timed scheduler.

postimage_iptables.png


As I am unsure on the behavior/setup that was implemented in the past.

FYI, for firmware v384.xx, simply enabling the Parental Control Scheduler, the NSFW chain is now also correctly processed before the 'state RELATED,ESTABLISHED' rule:
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination       
1     146K  167M ipttolan   all  --  *      br0     0.0.0.0/0            0.0.0.0/0         
2     108K   15M iptfromlan all  --  br0    *       0.0.0.0/0            0.0.0.0/0         
3        0     0 PControls  all  --  br0    *       0.0.0.0/0            0.0.0.0/0            TIME from 09:00:00 to 12:00:00 on Sun MAC XX:XX:XX:XX:XX:XX
4        0     0 PControls  all  --  br0    *       0.0.0.0/0            0.0.0.0/0            TIME from 09:00:00 to 12:00:00 on Mon MAC XX:XX:XX:XX:XX:XX
5        0     0 PControls  all  --  br0    *       0.0.0.0/0            0.0.0.0/0            TIME from 09:00:00 to 12:00:00 on Tue MAC XX:XX:XX:XX:XX:XX
6        0     0 PControls  all  --  br0    *       0.0.0.0/0            0.0.0.0/0            TIME from 09:00:00 to 12:00:00 on Wed MAC XX:XX:XX:XX:XX:XX
7        0     0 PControls  all  --  br0    *       0.0.0.0/0            0.0.0.0/0            TIME from 09:00:00 to 12:00:00 on Thu MAC XX:XX:XX:XX:XX:XX
8        0     0 PControls  all  --  br0    *       0.0.0.0/0            0.0.0.0/0            TIME from 09:00:00 to 12:00:00 on Fri MAC XX:XX:XX:XX:XX:XX
9        0     0 PControls  all  --  br0    *       0.0.0.0/0            0.0.0.0/0            TIME from 09:00:00 to 12:00:00 on Sat MAC XX:XX:XX:XX:XX:XX
10       0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC XX:XX:XX:XX:XX:XX
11    267K  193M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
12    9747  657K MyVLANs    all  --  *      *       0.0.0.0/0            0.0.0.0/0         
13    8938  601K MyIPCAMs   all  --  br0    *       0.0.0.0/0            0.0.0.0/0         
14    1673 80638 MyAlexa    all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Alexa src,dst
15       4   214 MyLifx     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Lifx src,dst
16       0     0 MyHive     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Hive src,dst
17       0     0 MyTplink   all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Tplink src,dst
18       0     0 MyIot      all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Iot src,dst
19       2    80 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0         
20     645 26460 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
21     196 18440 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0         
22    2354  217K NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0         
23       0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
24    2354  217K OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
25    2354  217K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
Code:
Chain PControls (7 references)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
2        0     0 NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0         
3        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
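
The ordering described in the post above can be checked mechanically rather than by eye. This is an added example, not part of the original post: it reads an `iptables -L FORWARD -n -v --line-numbers` listing and reports whether the jumps to a named chain sit before or after the RELATED,ESTABLISHED accept. The function name `filter_order` and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). On the router the input would be:
#   iptables -L FORWARD -n -v --line-numbers | filter_order PControls

# Print where jumps to chain $1 sit relative to the first
# "ACCEPT ... state RELATED,ESTABLISHED" rule in the listing on stdin:
#   before  - every jump is evaluated first, so packets of open connections still reach it
#   after   - established flows are accepted before the chain is consulted
#   mixed   - jumps on both sides of the accept
#   missing - no such jump, or no RELATED,ESTABLISHED accept, was found
filter_order() {
    awk -v chain="$1" '
        $1 ~ /^[0-9]+$/ {                 # rule rows start with the rule number
            if (!est && $4 == "ACCEPT" && /state RELATED,ESTABLISHED/) est = $1 + 0
            if ($4 == chain) { if (!first) first = $1 + 0; last = $1 + 0 }
        }
        END {
            if (!est || !first)   print "missing"
            else if (last < est)  print "before"
            else if (first > est) print "after"
            else                  print "mixed"
        }'
}

# Constructed listing, abridged to the layout of the FORWARD chain posted above.
sample_384() {
    cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     146K  167M ipttolan   all  --  *      br0     0.0.0.0/0            0.0.0.0/0
2        0     0 PControls  all  --  br0    *       0.0.0.0/0            0.0.0.0/0            TIME from 09:00:00 to 12:00:00 on Mon MAC XX:XX:XX:XX:XX:XX
3        0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC XX:XX:XX:XX:XX:XX
4     267K  193M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5     2354  217K NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Constructed counter-case: the same jump placed after the accept.
sample_late() {
    cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     267K  193M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 PControls  all  --  br0    *       0.0.0.0/0            0.0.0.0/0            TIME from 09:00:00 to 12:00:00 on Mon MAC XX:XX:XX:XX:XX:XX
EOF
}

echo "sample_384 PControls:  $(sample_384 | filter_order PControls)"
echo "sample_384 NSFW:       $(sample_384 | filter_order NSFW)"
echo "sample_late PControls: $(sample_late | filter_order PControls)"
```

An "after" result for a time-scheduled chain means a connection opened during an allowed period keeps flowing once the period ends, because the RELATED,ESTABLISHED accept matches first.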
 
I was having some issue with Tor traffic being blocked on my network due to the built-in firewall rules for OpenVPN server. So I wrote a script to reverse the iptables rules within any other script. And then call it like this, so it won't interfere with my Tor firewall rules. This is only for those individuals and groups running the latest 384.5 alpha, who already have their own OpenVPN custom firewall rules written in /jffs/scripts/openvpn-event.

/jffs/scripts/openvpn-event
Code:
#!/bin/sh
case "$1" in
        "tun11")
                ;;
        "tun12")
                ;;
        "tun13")
                ;;
        "tun14")
                ;;
        "tun15")
                ;;
        "tun21")
                ( sleep 7 ; source /jffs/scripts/iptables-reverse-rules.sh /etc/openvpn/fw/server1-fw.sh ) &
                ;;
        "tun22")
                ( sleep 7 ; source /jffs/scripts/iptables-reverse-rules.sh /etc/openvpn/fw/server2-fw.sh ) &
                ;;
        *)
                ;;
esac


/jffs/scripts/iptables-reverse-rules.sh
Code:
#!/bin/sh
SCRIPT_NAME="$1"
PATH_IPTABLES=$(which iptables)
iptables() {
  local cmdline="$@"
  local deleteline="$(echo $cmdline | sed -r 's/(\s*-)(I|A)(\s+[a-zA-Z]\w*)(\s+[0-9]*\s+|\s+)(.*)/\1D\3 \5/')"
  # if the rule is Insert or Add then cause it to Delete, otherwise run the original rule
  if [ "$deleteline" != "$cmdline" ]; then
    echo -n "FIREWALL: $PATH_IPTABLES $deleteline; # "
    $PATH_IPTABLES $deleteline
    [ $? -eq 0 ] && echo success
  else
    echo -n "FIREWALL: $PATH_IPTABLES $cmdline; # "
    $PATH_IPTABLES $cmdline
    [ $? -eq 0 ] && echo success
  fi
}
source "$SCRIPT_NAME"
unset iptables
 
I asked this in the previous firmware release, but don't think I got a response.

In the network map, wifi devices (mostly, if not all, 5 GHz connected) keep disappearing and then showing again.

They are not losing connectivity.

The network map seems very unstable; if you're trying to look at something, the device suddenly drops from the map and then appears again a few seconds/minutes later.

I can't remember it ever being like this.
I see this every time I try to upgrade to 384.4 (any version) until I revert back to an older release. I do not see this on 384.3
 
After I updated 384.4_2 everything was fine for 2 to 3 days and then I experienced similar issues with parental controls. I even had an issue with Xbox playing fine but being kicked out of the chat rooms randomly.
I changed NAT acceleration from auto to disable and that appears to have sorted the issues out for now.
I have always been able to leave NAT acceleration on auto without a problem on other firmware updates but not this one.
Parental controls appear to be working ok for now but I will post if this changes.

I’m running an ac68u.

Thanks. I'll also try this.

I have also confirmed that the failure of network service filter rules was not due to "established" connections living past the allowed period -- I rebooted the router inside the prohibition period and connections to blocked ports were again established a while later. Since the NSFW rules look fine, this really points to an issue with time checking.

And w.r.t. network service filter -- can I have multiple filters (for different time periods, with different ports)?

Sean
 
So, I too am having issues with this release on my beloved RT-AC88U. I feel like o_O right now!

I went from release 380.69_2 to 384.4_2. After updating, I initialized and reconfigured the settings with the exception of the nat-start script. I also run a VPN client using AirVPN service but reconfigured that last. Now, both the 2.4 GHz and 5 GHz wireless worked at first; however, once I put in my nat-start script for port forwarding through my VPN, everything broke. My laptop's LAN connection appears fine, as in it shows I'm connected with no issues, and wireless shows to be connected but with no internet, yet I cannot access anything on the web even through just my LAN connection. I discovered that if I rename the nat-start script so it doesn't get loaded and reboot the router, everything works again.

So it's either...

1) The 384.4_2 breaks port forwarding, in which case I will have to revert to 380.69_2 or maybe try a 38x.x

or

2) My nat-start script is broken (though it worked before) in which case can someone here please review it?

This is what I was using that did work.

Code:
#!/bin/sh

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

#Port forwarding for transmission
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 61xxx -j DNAT --to-destination 192.168.1.x
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 61xxx -j DNAT --to-destination 192.168.1.x
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.x --dport 61xxx -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.x --dport 61xxx -j ACCEPT

Does my script need to be modified? Is there another method to forward a single port to a single IP on my network?

I have to this forum and everyone in this community has been invaluable. I would appreciate any assistance and recommendations on any of this.

So as it turns out, just having a nat-start script is what's breaking it. I entered in the following commands in order to test the script.

Code:
iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan1 -j DROP
iptables -I INPUT -i tun11 -j REJECT
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

iptables -I FORWARD -i tun11 -p udp -d 192.168.x.x --dport 61xxx -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.x.x --dport 61xxx -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 61xxx -j DNAT --to-destination 192.168.x.x
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 61xxx -j DNAT --to-destination 192.168.x.x

After doing so, the port successfully tested open. This told me the script was fine. So I used the same commands and created the nat-start script. Upon reboot, it broke the router. I verified the commands were in there by SSHing into the router and listing all of the iptables rules. The ones from the script were there.

Any thoughts guys?
 
I updated my ac5300 from the 380 branch to 384.4_2 on the weekend (factory reset - initialize after flashing) and everything looked to be running really well for the next 48hrs or so until yesterday the wifi stopped responding for all clients. I rebooted (more than once) the ac5300 and all wireless interfaces are down (LEDs for 2.4 & 5 GHz off).

Have not had an issue like this in any previous Merlin version. When I get home from work will connect via ethernet to see if I can get the log to post any errors here and/or downgrade to 384.4 which might be more stable.

All wireless interfaces were down. Started them up via the GUI (professional) and all was working again. Downgraded to 384.4.

Errors (there was another error regarding a write error, though I didn't manage to capture it at the time):

kernel: ERROR fwder_init: fwd_cpumap nvram not present, using default
kernel: *** ERROR: [tdts_shell_ioctl_sig_op_load:95] tdts_core_rule_parsing_trf_load() fail!


The only other module I installed on the ac5300 was dnscrypt: https://github.com/thuantran/dnscrypt-asuswrt-installer
 
I just finished installing version 384.4_2 and I just lost my 5GHz again. Even after many complete power cycles.
I even changed the SSID and I don't see it.
 
I tried this
  1. Login to the Asus Router Admin Page
  2. Click on "Wireless" on the menu on the left
  3. Click on "Professional" tab
  4. Select the "5GHz" band
  5. Select "Enable Radio" = "No"
  6. Click Apply
  7. After it has been applied, go and select "Enable Radio" = "Yes"
  8. Click Apply
and I tried a few 30/30/30 resets...

I reinstalled the latest firmware...

and no luck :(
 
I also have this since start of 382 release if I remember correctly. Here are my other observations regarding this,

- Just after reboot, clients can connect to both 2.4 and 5 GHz with no problem.
- After a while connected clients don't have any issue, but after about 1-2 minutes new clients can't connect.
- I'm using FreshJR's QoS script, which runs 3-4 minutes after reboot. Sometimes after this script runs clients become able to connect and sometimes after this script runs, clients become unable to connect. Just a reminder: both of these happen really rarely, probably these are just coincidence.
- Sometimes one reboot solves the issue, sometimes 3-4 reboots solve it, so sometimes it takes 30+ minutes to solve it. That's why I'm afraid to reboot my router :(

Did you reset to factory and re-stage from scratch?
 
Parental control (and firewall) worked on 380 -- I have been using it for a long time. I had to turn off parental control on 384 because (as reported by others as well) when enabled, it blocks internet access randomly even during "allow" periods.

Sean
I'm having the same problem when using 384.4_2 on 1900P router. It is a great feature to control my kids' devices, but since the latest update it blocks internet even when the period is marked as allowed.

I don't think I did test it on 384, but it worked fine on 380.69.

Is there a fix or workaround for this?
 
I'm having the same problem when using 384.4_2 on 1900P router. It is a great feature to control my kids' devices, but since the latest update it blocks internet even when the period is marked as allowed.

I don't think I did test it on 384, but it worked fine on 380.69.

Is there a fix or workaround for this?

Try disabling NAT acceleration, I had mine set to auto and was experiencing all sorts of problems, I then set it to disabled and it has been working fine since. I have an ac68u.
 