[Release] Asuswrt-Merlin 384.12 is now available

[ppfoong]

We have to bear in mind that this is a 3rd party firmware, not an official firmware from Asus.

When a firmware (or any computer software) updates from one version to another, there are changes between them, and there are migrating attempts during the update process to migrate old configurations and settings to work with the new version. In some cases where migration is not so straightforward, there are even backward-compatibility tweaking so that certain configurations and settings remain in their old form, and workaround measures implemented so that the system can still work with the old form.

In official firmware, we expect the engineer to know inside-out of the differences between the old version and new version, and have every measures to make sure the new version works properly after the update. But for 3rd party firmware, where there are portion of closed-source components, the update might have broken points, such as configuration that suppose to be changed to new format, but not fully changed. These are "landmines" that might cause issues.

If you start over with a fresh firmware with totally new set of configuration and settings, it eliminate these kind of issues.

However, you can still try your luck, and perform the "dirty upgrade" just like many of us. As long as it works well, then it is not necessary to reset and start over all the tedious config. You only need to factory reset if there is something wrong after the update. This is to test that does the same issue still occur even after the factory reset? If it still occur, then it could be a bug in the firmware that needs to be fixed, or it can also be a coincident hardware problem. Then, we wait and see if other people also facing the same problem. If only you facing the problem even after factory reset, then the problem is specific to your router, which could be hardware problem.

After performing a dirty upgrade, I always make a reboot after the system upgrade auto-reboot finished writing to the storage. This is to ensure that the system can survive the next reboot after upgrade without any issue, because after the upgrade auto-reboot, the firmware updating process might still be continued with its migrating and tweaking of config files. So, we need to make sure after all the final change, the system can still work properly without anything broken.

Some people recommended the very extreme way, such as pulling out the power cord, with the intention to 100% ensure that the old firmware and its configs are totally wiped out with no remains, and the new firmware you flash in will be like virgin to the router. Again, if you don't face any issue with dirty upgrade, you don't need to go to that extreme way.

 

[Val D.]

That's why my instructions specifically say you have to turn the router on a few seconds with the power unplugged. That will drain any residual charge.

No need to do that Merlin. The power switch at the back of ASUS routers disconnects mechanically the power plug. Disconnecting the power plug or turning off the switch does exactly the same thing. In both cases all capacitors inside the router get discharged in seconds.

In desktop and laptop computers power-on circuit works differently.

 

[RMerlin]

Minor cosmetic issue on the new page. The "Ping (Continuous)" dropdown shows the text for nslookup. All the other options change the text to match the chosen function. This is on AC68U.

Thanks, fixed. I guess Asus forgot to update hideCNT(), so it was showing the default description (which was the nslookup one).

 

[Dabombber]

Typical LAN setups use RA rather than DHCP. Not sure if there's a RA equivalent.

I don't think so. From RFC8106, it seems that RA is just for basic networking information:

The intention is to enable the full configuration of basic networking information for hosts without requiring DHCPv6. However, for networks that need to distribute additional information, DHCPv6 is likely to be employed. In these networks, RA-based DNS configuration may not be needed.

If it was, or eventually is supported, dnsmasq would most likely copy over the DHCP options like it does already.

If provided, the DHCPv6 options dns-server and domain-search are used for the DNS server (RDNSS) and the domain search list (DNSSL).

 

[RMerlin]

I don't think so. From RFC8106, it seems that RA is just for basic networking information:

A quick Google search turned up this expired draft:

https://tools.ietf.org/id/draft-bcd-6man-ntp-server-ra-opt-00.html

Looks like it never got accepted.

 

[Morac]

Dirty upgraded AC-88U from 384.11_2 to 384.12. So far so good after an hour. Only odd thing I noticed was the following in the logs which indicates that the wsdd2 process is trying to listen on ports already in use.

Jun 24 00:40:49 wsdd2[907]: wsdd-http-v6: open_ep: bind: Address already in use
Jun 24 00:40:49 wsdd2[907]: llmnr-tcp-v6: open_ep: bind: Address already in use

I don’t know what wsdd2 is doing so I don’t know if that’s “normal” or not. I’m not running any scripts or other programs on the router; just what comes in 384.12 so I wouldn’t expect a binding conflict.

 

[L&LD]

Based on questions asked on SNB and issues mentioned I know for a fact that 99% of users on this forum have simple home network setup with one main router and some common devices connected to it wired or wireless. We are not talking about a corporate network of 1000 computers here. No corporate network uses consumer products as main hardware anyway. Router reset procedure is described in the User Manual and it takes 60 seconds to perform. No need to reinvent the wheel.

Merlin is absolutely correct to recommend a fresh start when installing his version of the firmware. This way he can filter out the firmware bugs from inherited issues from previous firmware installations and configurations. I don't see Merlin trying to reinvent the reset procedure though.

I'm not re-inventing the procedure either, these are mostly tips and suggestions I've seen on this forum over the last few years. Let's just say I've used them all at one point or another and have put them in a few posts in a condensed format for others.

Btw, I still haven't seen any better way to help the users here that do need more fleshed out instructions than the 60-second router procedure you recommend from the manual?

When a router/network/client device(s) is borked beyond fixing just one of those possible aspects that may be the trouble, what would you do differently to narrow down the possibilities of fixing it to the range of the average user? And, in the shortest amount of time possible? You seem to be fixated on the router as being the only equipment with the issue. That is rarely the case in my experience.

The main reason for my continuing to do this for my customers and will continue to suggest it to others here as I feel applicable is that the difference between a simple router reset vs. a full Nuclear Reset (as I've termed it) is a matter of mere minutes difference. If/when I determine that such a reset is required (sometimes in as little as 10 minutes of speaking to the network owner), it actually saves time in the end, not wastes it.

In your mind, I clearly don't know what I'm doing when the intention is getting a router/network/client device(s) back into a good/known state (when it obviously isn't).

I will not waste any more time on this. So here; you're right. Happy?

 

[TheOldMan]

How many of you have that AIprotection turned On ?

I have it turned on.

 

[gattaca]

...
The main reason for my continuing to do this for my customers and will continue to suggest it to others here as I feel applicable is that the difference between a simple router reset vs. a full Nuclear Reset (as I've termed it) is a matter of mere minutes difference. If/when I determine that such a reset is required (sometimes in as little as 10 minutes of speaking to the network owner), it actually saves time in the end, not wastes it.

^^^ We've each wrestled with "router/computer dragons" over the years and I have my own procedure similar to what's been posted and discussed for updating our beloved ASUS routers. Call me crazy, but it's worked reliably for the past 1-2 years with every upgrade from RMerlin.

If whatever process we have works 99.999% of the time, then I'll stick with it b/c like L&LD, I've probably spent days (in total) chasing weird a$$ (*@(*@* in firmware bugs both in computers and routers. I know one time I spent 1-2 days screwing around with a much older ASUS a few years ago trying to get it happy before going similar to nuclear. I've also posted that computer manufacturers have struggled for years with firmware flashes and updates to low-level BMC (controllers) to where sometimes you just have to unplug the machine, press the power button for 30-60 seconds to drain-those-cap, wait another few mins, then reconnect the power and hope that works "magic". I swear, and that's the official process on a $50-100K+ server today. I understand both sides of these last couple of pages of posts... so let's just post the excellent advice and procedures and recommend what we think helps the most folks and call it a day. No harm, no foul. After all, we are here trying to help each other use this little bit of cool-tech better. Cheers! Have a good one!

 

[themiron]

what are we looking forward to seeing in future releases with these type of changes as far as dnssec behavior goes?

in short, from end-user point of view, ed448 algo is going to be supported, dsa & dsa-nsec3-sha1 - to be not validated as secure.

Should NTP be advertised on IPv6 over DHCP? I added it via dnsmasq.postconf

echo 'dhcp-option=option6:ntp-server,[::]' >> "$1"

Just curious if it got forgotten or there is a reason not to have it.

not gonna work, dhcpv6's ntp option must be encapsulated and dnsmasq currently doesn't support it. try ti use following:

echo 'dhcp-option=option6:ntp-server,00:01:00:10:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx' >> "$1"

where xx... is lan ipv6 address in 16 hex parts, i.e 2001:db8::1 is 20:01:0d:b8:00:00:00:00:00:00:00:00:00:00:00:01

 

[dave14305]

Thanks, fixed. I guess Asus forgot to update hideCNT(), so it was showing the default description (which was the nslookup one).

Do you want the ping count box visible or hidden for Ping Continuous? It will still be there with the fix.

 

[Delusion]

in short, from end-user point of view, ed448 algo is going to be supported, dsa & dsa-nsec3-sha1 - to be not validated as secure.
View attachment 18378

I built Alpha 384.13 alpha 1 today after I saw the commit ''dnsmasq: add openssl backend for dnssec, default is nettle'' but I still get a yellow lock on ED448 and ED22519 columns . Is there a switch between the default nettle and openssl ?

 

[Pit_g]

RT-AC86U 384.12 Over 384.11-2

reboot, causes the loss of qos parameters (classification) in custom mode.........in my case.

no error message in syslog..........

 

[visortgw]

RT-AC86U 384.12 Over 384.11-2

reboot, causes the loss of qos parameters (classification) in custom mode.........in my case.

no error message in syslog..........

This was also reported for the 384.12 Beta 2. In earlier versions, it only occurred with a new firmware flash.

 

[Pit_g]

This was also reported for the 384.12 Beta 2. In earlier versions, it only occurred with a new firmware flash.

Ok ¡¡

 

[bbunge]

I was reducing idle_timeout to 1500 with Quad9 but eventually gave up.

stubby.postconf:

#!/bin/sh

source /usr/sbin/helper.sh
CONFIG=$1

pc_replace "idle_timeout: 9000" "idle_timeout: 1500" $CONFIG

Here is what I'm using in /jffs/scripts/stubby.postconf

#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_replace "idle_timeout: 9000" "idle_timeout: 2000" $CONFIG
pc_replace "tls_connection_retries: 2" "tls_connection_retries: 5" $CONFIG
pc_replace "timeout: 3000" "timeout: 2000" $CONFIG
pc_replace "round_robin_upstreams: 1" "round_robin_upstreams: 0" $CONFIG
# pc_append "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG

Well, it is part of what I'm using...
Just switched to Quad9 resolvers to see if it works. My ISP routes me to Quad9 resolvers 1,000 miles away bypassing several data centers hosting Quad9 that are closer.
Edit: With the above settings I ran Clean Browsing Secure for half of the morning and then switched to Quad9. Have had no DNS failures or pauses. I should add that I'm running DNSSEC via Stubby and not Dnsmasq (the default Merlin web GUI setting). To run DNSSEC in Stubby un-comment (remove the #) "pc_append "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG" in the above stubby.postconf and restart Stubby.

 

[Ditch]

On my ac86u I run both OVPN server and client. However since 384.11 when the OVPN client is active it does not permits traffic from the VPN Server's clients even in local network. I did the router reset.

 

[themiron]

I built Alpha 384.13 alpha 1 today after I saw the commit ''dnsmasq: add openssl backend for dnssec, default is nettle'' but I still get a yellow lock on ED448 and ED22519 columns . Is there a switch between the default nettle and openssl ?

multiple reasons:
1. that changes are not merged into mainline branch
2. by default nettle still used, need to config_base
3. cloudflare validates dnssec on their end and doesn't support ed448 at least (striping rrsig)

 

[Delusion]

multiple reasons:
1. that changes are not merged into mainline branch
2. by default nettle still used, need to config_base
3. cloudflare validates dnssec on their end and doesn't support ed448 at least (striping rrsig)

If I do ' git merge master ' after 'git checkout mainline' , it doesn't add Master commits which are not yet merged to Mainline on github? because I do get 384.13_alpha1 FW file after compilation and not 384_12 (which gets compiled if I don't use 'git merge master') .

Thanks.

 

[AntonK]

I have it turned on.

I have it turned on.