[Release] Asuswrt-Merlin 384.10 is now available

Not sure if this is due to the firmware update, but after the update I changed my VPN server and when I started the VPN back up the local address changed from 10.x.x.x to 172.x.x.x. What would make this happen? Is it something I can configure, or something that got configured somewhere with the update, or none of the above? Everything seems to be working; just the local address changed.
Unrelated to the firmware update.

With my provider TorGuard, the local IP address is set by the OpenVPN Server. It is derived using a combination of the Port and Protocol (e.g. UDP, TCP) settings in the OpenVPN Client screen. TorGuard has a spec page on their site (member access required) that lists the subnet based on the Port/Protocol settings. For example:

Code:
Port  Protocol  Subnet    DNS
443   UDP       10.9.x.x  10.9.0.1
443   TCP       10.8.x.x  10.8.0.1
80    UDP       10.22.x.x 10.22.0.1

Check with your provider as they may also have a spec page listing this information.
 
 
Xentrk said:
...With my provider TorGuard, the local IP address is set by the OpenVPN Server. ...

Thanks for the replies. So if i understand correctly then in my case (Local: 172.x.x.x - Public: x.x.x.x) the local 172.x.x.x address is determined by my provider. If this it correct then this makes sense. Thanks...
 
I use those servers for most PCs on my network but stick with google DNS for video devices (ie firetv, appletv, etc...)

Interesting!
I had to Google it but will keep using Google, no reason to change for me.
  • Google 8.8.8.8: Private and unfiltered. Most popular option.
  • CloudFlare 1.1.1.1: Private and unfiltered. New player.
With the Stubby installer, you get the option to override DNS settings of clients and force all LAN clients to use Cloudflare or whatever DNS provider you told Stubby to use. So far, I have had no issues with devices that have Google DNS hard coded.

I do have an issue with the Amazon Echo though. I don't believe it is DNS related as I am still forcing it to use Cloudflare DNS. For some reason, it does not play nice when connected to the VPN tunnel. I have to assign it to the WAN iface for it to work correctly.
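The override mentioned above (forcing LAN clients that hard-code 8.8.8.8 or similar to use the router's resolver) is normally done with NAT rules that redirect port 53. The script below is an added example and is neither the Stubby installer's code nor code from the post; it assumes the Asuswrt LAN bridge br0, a constructed LAN address of 192.168.50.1 (on a real router use `nvram get lan_ipaddr`), and prints the rules instead of applying them unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example; not the Stubby installer's code nor code from the original
# post. It builds the NAT rules that catch plain DNS (port 53, UDP and TCP)
# from LAN clients that ignore the DHCP-supplied resolver and hands those
# queries to the router's own listener instead. br0 is the Asuswrt LAN bridge;
# the LAN address below is a constructed default (on a router use
# "nvram get lan_ipaddr"). Rules are printed unless DRY_RUN=0 is set.

LAN_IP="${LAN_IP:-192.168.50.1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Redirect DNS for everything on br0 that is not already aimed at the router.
# Both protocols are needed: resolvers retry over TCP when a UDP answer is
# truncated, and some clients open TCP first.
dns_redirect_rules() {
    lan="$1"
    for proto in udp tcp; do
        run iptables -t nat -A PREROUTING -i br0 -p "$proto" --dport 53 \
            ! -d "$lan" -j DNAT --to-destination "$lan"
    done
}

# Let one client keep its own resolver. Inserted at the top of PREROUTING so
# it is evaluated before the DNAT rules above.
dns_bypass_rules() {
    client="$1"
    for proto in udp tcp; do
        run iptables -t nat -I PREROUTING -i br0 -s "$client" -p "$proto" \
            --dport 53 -j RETURN
    done
}

# The redirect only sees port 53. A client that speaks DNS over TLS (853)
# to an outside resolver bypasses it entirely, so reject that instead; DNS
# over HTTPS on 443 cannot be told apart from ordinary web traffic this way.
dot_block_rules() {
    run iptables -I FORWARD -i br0 -p tcp --dport 853 -j REJECT --reject-with tcp-reset
}

# Usage on the router:  DRY_RUN=0 sh dns_redirect.sh [client-to-exempt]
if [ "${DRY_RUN:-1}" = 0 ]; then
    [ -n "$1" ] && dns_bypass_rules "$1"
    dns_redirect_rules "$LAN_IP"
    dot_block_rules
    iptables -t nat -nvL PREROUTING --line-numbers
fi
```

Run it once without DRY_RUN=0 to review the generated rules; the `! -d` match keeps queries already addressed to the router from being rewritten a second time, and the port 853 reject is the part that closes the obvious bypass for a device that prefers DNS over TLS.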
 
I'm gonna guess Echo doesn't like VPNs to try to prevent people getting around per-country content restrictions, ala Netflix.
 
I am routing the Echo to my Private IP VPN address that I also use for Amazon Prime, Netflix and Hulu. It worked fine for the first year. A firmware update appears to have dorked it. I found some posts on the Netgate forum where others have reported the issue.

one of the things that it does is a DNS query for www.example.com asking for an AAAA record (an IPv6 address). If it does not get a successful answer back it CANNOT register with Amazon

If anything, the Echo shouldn't work over the WAN connection since my WAN IP is in an out of market area. But it does. :confused:
 
Thanks for the replies. So if i understand correctly then in my case (Local: 172.x.x.x - Public: x.x.x.x) the local 172.x.x.x address is determined by my provider. If this it correct then this makes sense. Thanks...
Correct!

VPN providers use the "Private-use" bogon IP addresses for the Clients connecting to their services. Bogon IP addresses and IP ranges are reserved for special use, like local or private networks, and should not appear on the public internet.
 
DNS question. Is there any known reason not to use DNS 1.1.1.1 or 1.0.0.1 in this f/w? I heard that it causes problems in some brands of routers. Many thanks.
Using Cloudflare DNS for everything has boosted the performance and security of absolutely everything on my network. I use it for iOS, macOS, TV, both OpenVPN Server and client ... everything. No problem whatsoever. I'm also curious about their upcoming Warp VPN service.
 
You can check the status of the existing Dual-WAN RPDB rules inserted when using the GUI.
Code:
ip rule
..then simply match the rule syntax for the websites.

NOTE: URLs/Domains cannot be used directly, so if there are multiple IPs for each website it will require a rule for each IP to ensure that ALL website traffic is routed appropriately.

e.g. If you already know the static IP of the website that needs to be routed via the Primary WAN
Code:
ip rule add to xxx.xxx.xxx.xxx lookup wan0 prio 99
otherwise you will need to use additional scripting to add (without duplicates) ALL of the current IPs associated with the website.

e.g. Send all requests for BBC UK via the Secondary WAN
Code:
#!/bin/sh

for WEBSITE_IP in $(nslookup "www.bbc.co.uk" | grep -woE '([0-9]{1,3}\.){3}[0-9]{1,3}' | awk 'NR>2' | tr '\n' ' ')
    do
       ip rule del to $WEBSITE_IP lookup wan1 prio 99 2>/dev/null
       ip rule add to $WEBSITE_IP lookup wan1 prio 99
 done

If you must redirect only Port 80 traffic to those IPs then you will most likely need to use the Netflix IPSET+dnsmasq technique etc. especially if there are a huge list of multiple IPs for the website as they may change dynamically for each nslookup call.

I suggest you manually test your two sites (initially allowing ANY port) to see if it works, then if required, try and limit the Selective Routing to 'www' traffic if this is vital.

e.g. Untested, but will attempt to exploit the Dual-WAN tagging rules for specific ports, i.e. 80 and 443, for the site
Code:
#!/bin/sh

# Usage:
#    e.g.        p   www.cbs.com
#                2   www.nbc.com

case $1 in
    1|p|primary) WAN_TAGMARK="0x80000000/0xf0000000"            # Primary WAN
        WAN_IF="wan0"
        ;;
    2|s|secondary) WAN_TAGMARK="0x90000000/0xf0000000"          # Secondary WAN
        WAN_IF="wan1"
        ;;
    *)
        echo -e "\a\n\t***ERROR arg must be WAN interface for Dual-WAN Selective Routing i.e 1-Primary WAN, 2-Secondary WAN\n"
        exit 99
        ;;
esac

# A website name is required as the 2nd arg
[ -z "$2" ] && { echo "***ERROR website name required as 2nd arg"; exit 99; }

for WEBSITE_IP in $(nslookup "$2" | grep -woE '([0-9]{1,3}\.){3}[0-9]{1,3}' | awk 'NR>2' | tr '\n' ' ')
    do
        # Delete any existing copy first so re-running the script does not duplicate the rule
        iptables -t mangle -D PREROUTING -i br0 -d "$WEBSITE_IP" -p tcp -m multiport --dport 80,443 -j MARK --set-mark $WAN_TAGMARK 2>/dev/null
        iptables -t mangle -A PREROUTING -i br0 -d "$WEBSITE_IP" -p tcp -m multiport --dport 80,443 -j MARK --set-mark $WAN_TAGMARK
    done

Then verify:
Code:
iptables -nvL PREROUTING -t mangle --line
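The "additional scripting to add (without duplicates) ALL of the current IPs" mentioned above is the fragile part of the procedure: the `grep -w ... | awk 'NR>2'` used in the scripts assumes the resolver's own address appears exactly twice before the answers, and it also matches the dotted-quad prefix of a reverse name such as the `238.235.227.35.bc.googleusercontent.com` that nslookup prints for www.cbs.com later in this thread, which would add a rule for a bogus address. The script below is an added example (not the poster's code) that parses both the older "Address 1:" and newer "Address:" busybox nslookup layouts by taking only the address field after the "Name:" line, validates each octet, de-duplicates, and then emits or applies the `ip rule` commands. It assumes the wan0/wan1 table names and prio 99 from the post; the embedded nslookup outputs are constructed samples, and 2001:db8::1 is a documentation-prefix IPv6 address included only to show it being filtered out.

```shell
#!/bin/sh
# Added example, not code from the original post: resolve a website's IPv4
# addresses from busybox nslookup output and emit de-duplicated RPDB rules
# for the chosen WAN. Table names wan0/wan1 and prio 99 follow the post.

# Constructed sample output in the older busybox "Address N:" layout. The
# reverse name on the last line is deliberately a dotted quad followed by a
# domain, which a bare grep for dotted quads would wrongly pick up as an IP.
SAMPLE_OLD='Server:    127.0.0.1
Address 1: 127.0.0.1 localhost

Name:      www.cbs.com
Address 1: 35.227.235.238 238.235.227.35.bc.googleusercontent.com'

# Constructed sample in the newer busybox layout, with a duplicate answer and
# an IPv6 answer (documentation prefix) that must both be filtered out.
SAMPLE_NEW='Server:    127.0.0.1
Address:   127.0.0.1:53

Non-authoritative answer:
Name:      www.bbc.co.uk
Address: 212.58.249.211
Address: 212.58.244.69
Address: 212.58.249.211
Address: 2001:db8::1'

# Print the unique IPv4 answers in the nslookup text given as $1, one per line.
# Only lines after "Name:" are considered (so the resolver's own address is
# skipped), only the address field of each "Address" line is taken (so reverse
# names are ignored), and each octet is checked to be 0-255 because {1,3}
# alone would accept 999.
extract_ipv4() {
    printf '%s\n' "$1" \
    | awk '/^Name:/ { seen = 1; next }
           seen && /^Address/ {
               for (i = 2; i <= NF; i++) if ($i !~ /:$/) { print $i; break }
           }' \
    | grep -xE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' \
    | sort -u
}

# Map the selector used in the post (1/p/primary, 2/s/secondary) to a table.
wan_table() {
    case "$1" in
        1|p|primary)   echo wan0 ;;
        2|s|secondary) echo wan1 ;;
        *)             return 1 ;;
    esac
}

# Emit the "ip rule" commands for every address in the nslookup text $2,
# routed via the WAN selected by $1. Nothing is applied here, so the rule
# set can be reviewed before it touches the router.
rpdb_rules() {
    table=$(wan_table "$1") || { echo "bad WAN selector: $1" >&2; return 1; }
    for addr in $(extract_ipv4 "$2"); do
        echo "ip rule add to $addr lookup $table prio 99"
    done
}

# Live use on the router: delete any stale copy of each rule first so a
# re-run after the site's addresses change does not leave duplicates, then
# show what is now in the RPDB for that table.
apply_rules() {
    table=$(wan_table "$1") || return 1
    for addr in $(extract_ipv4 "$(nslookup "$2")"); do
        ip rule del to "$addr" lookup "$table" prio 99 2>/dev/null
        ip rule add to "$addr" lookup "$table" prio 99
    done
    ip rule show | grep " lookup $table" || true
}

# Usage on the router:  sh selective_route.sh 2 www.bbc.co.uk
if [ $# -ge 2 ]; then
    apply_rules "$1" "$2"
fi
```

Because the rules are keyed on whatever addresses the resolver returned at that moment, the script still has to be re-run (for example from a cron job) when a site's addresses rotate; for sites with large, changing pools the ipset+dnsmasq approach mentioned above is the better fit.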


Thank you for your answer, there is no simpler directly with the interface?
 
No, not for Selective Port Routing.

However if you just simply want to ensure that all LAN device access to a particular website is via a preferred WAN, then yes the GUI may work.

e.g. Route access to the BBC UK website (2 addresses) via the Secondary WAN, and the CBS US website (1 address) via the Primary WAN
Code:
nslookup www.bbc.co.uk

Name:      www.bbc.co.uk
Address 1: 212.58.249.211 bbc-vip149.lbh.bbc.co.uk
Address 2: 212.58.244.69 bbc-vip114.telhc.bbc.co.uk
Code:
nslookup www.cbs.com

Name:      www.cbs.com
Address 1: 35.227.235.238 238.235.227.35.bc.googleusercontent.com

However, if any target address changes you will need to amend the entries, and unless you can correctly identify/define all of the website's addresses in CIDR format, the GUI limit of 64 entries may quickly be reached.
 
Hello, no, the 2 sites are hosted internally on 2 VMs; it is for outside access on port 80.

Thanks
 
Dirty flash 384.10-0 to 384.10-2 on my AC5300 a few days back - great stability and no problems.
I have a strong feeling this fw will prove as rock steady and stable as 384.8-2 ... with improved security and performance.
Many thanks once again to Maestro @RMerlin :D.
 
I made the jump to 384.10_2 and my RT-AC5300 works great so far. Thank you @RMerlin !

With my IoT madness, I'm at way over 100 smart things and was looking for the workaround to assign static IPs to all of my devices, or at least to have smart bulbs on .100-119, smart plugs on .120-139, etc.

It'd be very handy if the "Manually Assigned IP around the DHCP list FAQ" at /Advanced_DHCP_Content.asp could be updated to point to the forum entry explaining how this is done. It currently points to an Oops 404 page at https://www.asus.com/support/FAQ/1000906

Thanks!
 
Check this post and the one above it (#74 & #75)
https://www.snbforums.com/threads/backup-manual-dhcp-list.12876/page-4#post-469462
 
avahi service has been churning up some CPU usage after every reboot lately. Sometimes taking up 100% of one core. Other times just fluttering about.

service restart_mdns has to be run after a reboot to calm it back down.
 
So I updated from 384.10 to 384.10_2 on my AC88U and within an hour my Sony TV lost its network connection shortly after using the check connection tool after which it complained my router wasn’t responding when I checked the network again. This was the same problem I had with 384.9.

I noticed something odd, which was the IP address reported by both the router and the TV (before it lost it) switched from x.x.x.22 to x.x.x.23. This was after the router was updated. For a brief while it was using both .22 and .23 before switching to .23.

I powered off the router and rebooted the TV. When everything came back up the TV and router both reported the DHCP assigned address was again x.x.x.22.

My guess as to what happened was that the router decided to change the address to x.x.x.23 for some reason (have no idea why since no other devices were using that) and even though the TV used it for a bit, it wasn’t happy with that.

I’m hoping rebooting everything resolved this since everything was working fine on 384.10 for a week. Under 384.9 the problem showed up within 24 hours.

Something apparently changed though between 384.8 and 384.9 with respect to ip assignment since there was no reason for the router to change the IP address of the TV, though the TV shouldn’t have freaked out because of that.
 
