[Release] Asuswrt-Merlin 384.7 is now available

[AntonK]

Hi everyone,

I'm not at all confident that I understand what's going on here with the various routers.

I own an Asus AC-3200. Is RMerlin's 384.6 (or stock 3.0.0.4.382.50624) likely the end of the line for firmware updates for this router?

Thanks,
Anton

 

[scjr]

Hi everyone,

I'm not at all confident that I understand what's going on here with the various routers.

I own an Asus AC-3200. Is RMerlin's 384.6 (or stock 3.0.0.4.382.50624) likely the end of the line for firmware updates for this router?

Thanks,
Anton

Hi Anton,

It all depends on Asus and whether they update the firmware of the AC-3200. Without new source code, there is nothing Merlin can merge into a future release.

 

[Tekneek]

Hi everyone,

I'm not at all confident that I understand what's going on here with the various routers.

I own an Asus AC-3200. Is RMerlin's 384.6 (or stock 3.0.0.4.382.50624) likely the end of the line for firmware updates for this router?

Thanks,
Anton

Until it lands on their End of Life list at https://www.asus.com/event/network/EOL-product/ , I wouldn't worry about its future.

 

[Tekneek]

I'm not seeing that when I look at that URL.

Even after clearing caches. That's strange.

 

[Tekneek]

I am guessing it has hit EOL in some regions, but not all. It is definitely not on the list for me and I noticed this at the bottom of the page:

'Available and EOL versions and models may varied from regions to regions. Please contact local ASUS representatives for the most recommended versions/models.'

 

[JoeHz]

Hi all,
Just a quick and hopefully simple question from me.
I'm at work and want to upgrade to 384.7 remotely and my question is, will I have to change anything with regards to my DDNS address that I use to access the router after it reboots itself?

In my case, I did, but I expected that. Tunnelbroker.net, if you're not connecting to their ddns update page over https, you had to use your user id (which is a not-human-readable string), rather than your username. And the old firmware *never* used https.

Now that it's using https, you should use your actual tunnelbroker.net username.

 

[demonbane]

Since I upgraded all of my local-facing IPv6 seems to be broken. I'm still getting an IPv6 address from my ISP on the WAN interface, but the local interface (br0) has no IPv6 address and none of the clients on the network are getting valid IPv6 addresses either. I've tried completely disabling/reenabling IPv6 support as well as a reboot but it still doesn't work.

 

[loveleeyoungae]

RMerlin: unless uPnP is considered low priority, I hope you can take a look at the issue or suggest some troubleshooting steps so that we can at least get the idea why uPnP suddenly stopped working since 384.6.

The issue is easily reproducible. As the screenshots show below:
- Connected the uPnP-enabled devices/applications to the 384.5 router and they worked normally. My IP Camera, 2 Plex servers and 1 Emby server all showed up on the "UPNP forwards" page .
- Switched to the 384.7 router and they would stop working immediately. The "UPNP forwards" page is blank. Log showed some failures from miniupnpd.
(For testing, the routers were all factory-reset and run on default settings).

384.5

384.7

 

[RMerlin]

RMerlin: unless uPnP is considered low priority, I hope you can take a look at the issue or suggest some troubleshooting steps so that we can at least get the idea why uPnP suddenly stopped working since 384.6.

Working normally for me. Are you in a dual NAT setup? Any customization done to your firewall configuration?

 

[mad_fish]

ac86u 384.7 and 384.8alpha, factory reset after update. UPnP does not work.
Any software that uses UPnP, for example, a torrent client reports an error in the log:

miniupnpd[2109]: Failed to add NAT-PMP 10287 tcp->10.0.1.6:10287 'NAT-PMP 10287 tcp'
miniupnpd[2109]: Failed to add NAT-PMP 10287 udp->10.0.1.6:10287 'NAT-PMP 10287 udp'

The routers were all factory-reset and run on default settings, no customization.

 

[loveleeyoungae]

Working normally for me. Are you in a dual NAT setup? Any customization done to your firewall configuration?

I should admit that I'm in double-NAT. There's only an Asus router behind the ISP router-modem. ISP modem has uPnP enabled since the beginning (3 years ago), and the Asus router has been usually set as DMZ host.

As I previously mentioned, with the setup above, uPnP has worked flawlessly from old firmwares on N66U until 384.5 on AC68U. Actually, only after upgrading to 384.6 and I couldn't see my camera that I would notice about "uPnP". Without connecting the Asus router to ISP modem (i.e. Asus running in offline mode), I could easily see iptables rules were set on 384.5 while none were created on 384.7. Is that something we should consider before thinking double-NAT is the main cause?

I usually setup OpenVPN servers. As I saw some guy also reporting the same issue in the 384.8 alpha thread, I did some more tests by factory-reseting everything, erasing nvram, power cycling..., setting up some Plex, Emby servers on different computers to have the screenshots above. What else would you think I may test: try disabling the firewalls on (both) ISP modem and/or the Asus router for a while?

 

[skeal]

What else would you think I may test: try disabling the firewalls on (both) ISP modem and/or the Asus router for a while?

Nat behind Nat is ok....firewall behind firewall not so much. I would use the firewall on the Asus router.

 

[skeal]

Nat behind Nat is ok....firewall behind firewall not so much. I would use the firewall on the Asus router.

Ideal setup would be your Asus in the DMZ of your ISP modem, better is to bridge the modem.

 

[RMerlin]

I should admit that I'm in double-NAT. There's only an Asus router behind the ISP router-modem. ISP modem has uPnP enabled since the beginning (3 years ago), and the Asus router has been usually set as DMZ host.

Might be a security measure taken by the miniupnpd author to reject UPNP forwards where the WAN side of thing is a LAN IP. I don't know.

 

[Butterfly Bones]

I keep seeing this in my syslog after updating to 384.7 final.

kernel: nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.

I searched the SNB forums and found the same question asked 10 times and never a reply. Anyone know what and why?

 

[Xenus]

I seem to have this same issue. DOCSIS modem. After rebooting my RT-AC3100 the internet is out. I have to manually reset the entire network to regain connectivity.

Same setup here. AC-87U went from .5 t o .7. Issue arose when connectivity actually failed. Router page reports internet status disconnected although it's actually working just fine (typing this message) after reboot of router.
I get this on Network Analysis: ping: bad address 'www.facebook.com'
Looks like the router itself is not resolving addresses properly whilst connected HW does ?!

Solution
DNSSEC: strict unsigned validation - Changed back to "No" - fixes the issue.

 

[bbunge]

)
Solution
DNSSEC: strict unsigned validation - Changed back to "No" - fixes the issue.

Check that your DNS resolvers can do DNSSEC. If you enable DNSSEC and the DNS servers do not fully support DNSSEC, when you reboot the router the NTP Server URL will not be resolved and the router can't set its time (has no internal clock) and even though the router gets an IP address from the WAN DHCP it will not allow a connection. Quad9 (9.9.9.9 and 149.112.112.112) does work with strict enabled. Clean Browsing should work, too. You might be able to use an IP instead of a URL in the Time Server setting.

 

[Therion87]

Same setup here. AC-87U went from .5 t o .7. Issue arose when connectivity actually failed. Router page reports internet status disconnected although it's actually working just fine (typing this message) after reboot of router.
I get this on Network Analysis: ping: bad address 'www.facebook.com'
Looks like the router itself is not resolving addresses properly whilst connected HW does ?!

Solution
DNSSEC: strict unsigned validation - Changed back to "No" - fixes the issue.

I performed a factory reset, and reconfigured from the ground up manually.

Everything seems to be fine now.

 

[appleseed]

I searched the SNB forums and found the same question asked 10 times and never a reply. Anyone know what and why?

Secure use of Connection Tracking Helpers
https://home.regit.org/netfilter-en/secure-use-of-helpers/

..."Following the preceding remarks, it appears that it is necessary to not blindly use helpers. You must take into account the topology of your network when setting parameters linked to a helper."

it answers the "what" and doesn't really answer the "why" (Asus) ...

and here is one from 5 yrs ago:

https://www.linode.com/community/qu...automatic-helper-assignment-is-deprecated-and

"...However, it is a boolean value and something has to go there on boot, and the kernel has no way to remember what its state was when (and if) it was last booted. So, it picked 1."

Ok. But unless CentOS patches their kernels in this regard, it will eventually get there as well. This is a mainline kernel change, so it should reach everywhere eventually. Some distros might have better defaults, but Ubuntu 12.04 didn't at least.

so essentially, in a nutshell, we have an old kernel

 

[Butterfly Bones]

so essentially, in a nutshell, we have an old kernel

Really, on an AC86U? Here is uname output (Cloudflare thinks I'm trying to spam the forums)

Linux RT-AC86U 4.1.27 #2 SMP PREEMPT
Sun Oct 7 13:37:58 EDT 2018 aarch64 ASUSWRT-Merlin