RT-AS66U: Timeout issues under load

[ThereIsNoName]

Hi!

When there is a lot of traffic passing through the NAT, an ASUS RT-AC66U, the admin GUI and secondary built in services such as DNS stops working. The admin GUI gets timeouts and it seem the same occurs for the DNS cache/proxy server.
And with a lot of traffic I mean in the range of 80 - 100 Mbit.

I am currently using Firmware version: 3.0.0.4.378_9533, which the router downloaded and installed automatically from ASUS site.

I am only interested in the following functionality:
- NAT
- Reverse NAT (port mapping)
- Firewall
- Wireless 5 Ghz Access Point
- DHCP (for clients)
- DNS-proxy server for connected clients
- A working Admin GUI (even with high traffic)


My questions
1. Will your Merlin FirmWare solve these problems?
2. How can I be sure this Merlin FirmWare is secure and that no one introduced backdoors or anything like that?

///H

PS I understand that things will be slower when there is a lot of traffic through the NAT, but it should still work. Especially the admin GUI needs to always work so any issues can be fixed. The admin GUI should run in a process with high enough priority to make sure you always can run it, even if it means that you limit throughput or even start to drop packages. Since it is a web site, even with a very high priority, it will not affect the NAT unless someone is actually using the Admin GUI. And if a request to the admin GUI ever times out, then a very simple page where you can limit, or even pause, traffic for the next few minutes, so you can get in and fix whatever it is you need to do.

 

[RMerlin]

My questions
1. Will your Merlin FirmWare solve these problems?

I don't know what you mean by "a lot of traffic", as this router should be able to handle near gigabit speed without any problem through CTF (NAT acceleration). Make sure it's not a device causing issues by accidentally (or through a hardware fault at the Ethernet level) DoS'ing yourself, and that you aren't disabling NAT acceleration by enabling a non-compatible feature, such as QoS.

2. How can I be sure this Merlin FirmWare is secure and that no one introduced backdoors or anything like that?

I publish all the code on Github, so you can review the code and compile your own version if you don't trust the binaries I put out.

 

[ThereIsNoName]

And with a lot of traffic I mean in the range of 80 - 100 Mbit.

As long as there is none or little load on the NAT I have no problems with either the admin GUI or the built in DNS server.
But as soon as the throughput get up to around 80Mbit, the DNS server stops responding to name queries and the admin GUI times out when navigating to a new page.
I can see the CPU goes up to 100% just before everything stops.
And the same second the load goes away, the NAT starts working as it should again.

I guess I should interpret your result as this is nothing you are aware of in the FirmWare I mentioned, and hench, you have not done anything to solve it?

And to my second question regarding security. Do you have full control of all changes made? And are there any testing and/or security evaluations done when releasing a new version?

 

[RMerlin]

As long as there is none or little load on the NAT I have no problems with either the admin GUI or the built in DNS server.
But as soon as the throughput get up to around 80Mbit, the DNS server stops responding to name queries and the admin GUI times out when navigating to a new page.
I can see the CPU goes up to 100% just before everything stops.
And the same second the load goes away, the NAT starts working as it should again.

I guess I should interpret your result as this is nothing you are aware of in the FirmWare I mentioned, and hench, you have not done anything to solve it?

Check under LAN -> Switch Control and make sure NAT acceleration is set to Auto. Next to it it should confirm whether it was able to enable it or not. Some features such as QoS are not compatible, and will force it to be disabled.

And to my second question regarding security. Do you have full control of all changes made? And are there any testing and/or security evaluations done when releasing a new version?

Everything that is specific to my project is entirely under my control - I am the only person with commit access to the repository. However this is all based on top of Asus's own code, and some of Asus's components are closed source so they are completely outside of my control. But if you trust Asus (I do), then it's fine.

I do no do any special security tests, since anything that was changed on top of Asus's code was changed by me, so I know that nothing could have been slipped in by anyone else. And doing extensive security audits of Asus's own code is totally beyond the scope of this project, which is just a one-man project.

 

[Klaus Eder]

I'm having this issue also with the latest merlinwrt (380.65_4) on a RT-AC66U - downloading at ~80mbit/s second and the DNS Server stops responding, gui doesn't load or loads very slow ...

after the download is done everything works fine again.

- update:

disabling QOS and enabling auto switch control solves the issue.

before cpu usage was at 100%, now at ~20% when downloading @75mbit/s.