Since upgrading to firmware 386.3_2, my Internet will not stay connected for even a day.

[DTS]

FYI - The changes we discussed @eibgrad (removing the non-functional script, cleaning up) did not resolve the issue. The problem happened again, but I needed access, so I had to immediately reboot the router. The interval was approx 10 days this time.

I did save the router syslog as soon as my client lost Internet, but the strange thing is that the router log entries stop after Jan 29 06:58:46. The problem happened today, so the log entries stopped several days ago.

As my next step, I decided to purchase a new Asus RT-AC86U. I plan to install Merlin fw 386.3_2 on it. This will be my third router since upgrading to fw 386.3_2.

@eibgrad - I will give you access to this new router if you want to help / watch / inspect my installation and setup process. You can (if you wish) see if all this is due to some mistake(s) I am making.

I want to eliminate all possible questions about this issue since it has so far persisted across 2 (EDIT: no, actually 3) different routers and many months (since Oct 2021 when I installed fw 386.3_2).


My end goal is as follows:

- run Merlin fw
- have one reliable VPN client tunnel with an Internet kill switch
- have one guest network that does not use the VPN tunnel (guest traffic goes via WAN directly).

That's all I need, so I think it can be a simple and clean setup. There's no reason my router should have a lot of processes running or a lot of complicated scripts.

Do you have alternative suggestions or ideas?

 

[eibgrad]

I understand the need to reboot immediately in some instances. But of course, that's an enormous setback to finding the problem.

Given how many ppl use that same router everyday without issue (or at least whatever issues they may have, I've NOT heard of one like yours), it seems to me the problem may lie outside the router. Or something outside the router may have an issue w/ that particular router. But I don't have a clue what that could be. I can't imagine buying *three* of those same routers under any circumstances. I'd be far more inclined to try something different, if only to regain some stability. And something that supports more than one third party firmware (e.g., DD-WRT or FT (FreshTomato), my own daily driver). Given the modest requirements you have, I don't see Asuswrt-Merlin being "critical".

This is one reason I never choose a router that leaves me w/ only one third-party firmware option. They all have advantages and disadvantages, good and bad points. I use them all at one time or another, either for myself or my customers. And sometimes, given the circumstances, one proves more suitable than the other. But again, if you lock yourself into ONE option, you're now forced to pursue the problem to the bitter end, whereas I would probably have abandoned the situation long ago for a different firmware.

As I stated before, there's little more I can do than what I've already suggested. We can keep trying to investigate the router when it fails via ssh. But given your obvious need to keep things running, it might be like catching lightning in a bottle to have that happen. Might help too to provide access to the GUI so I can see if perhaps it shows anything unusual (w/ ssh access, I can configure a local ssh socks proxy here, I just need the username/password, and its local IP address).

 

[DTS]

I can't imagine buying *three* of those same routers under any circumstances.

I made a mistake in my prior post. This new router is a different model: RT-AX86U -- supposedly one of the best Asus models. I own a few other brands of routers including Netgear. But I like Asus the best (or at least I did until now).

I'd be far more inclined to try something different, if only to regain some stability.

I switched from Comcast to AT&T. This involved a full equipment switch. The AT&T equipment provides multiple IP addresses. (Details earlier in this thread.) I have other devices hooked up to other ports on AT&T equipment and those devices have zero issues. I believe all the steps I have taken rule out anything outside this Asus router. This router is hooked up directly to the AT&T equipment.

And something that supports more than one third party firmware (e.g., DD-WRT or FT (FreshTomato), my own daily driver). Given the modest requirements you have, I don't see Asuswrt-Merlin being "critical".

I used dd-wrt, tomato and sabai firmware in the past (as well as one firmware I can't remember at the moment). I like Merlin best, by far. I specifically decided to use these router models so that I could use Merlin firmware. I've been using it for years so far. Until this present version I have loved it. I'm not ready to go back to dd-wrt or something else. I like Merlin fw.

As I stated before, there's little more I can do than what I've already suggested. We can keep trying to investigate the router when it fails via ssh. But given your obvious need to keep things running, it might be like catching lightning in a bottle to have that happen. Might help too to provide access to the GUI so I can see if perhaps it shows anything unusual (w/ ssh access, I can configure a local ssh socks proxy here, I just need the username/password, and its local IP address).

I am willing to give you GUI access to the router as well. I do appreciate your interest and I want to get to the bottom of this. We can coordinate via private messages again.

I really do not want to give up on Asus routers or Merlin firmware. It took me a few years of experimenting to decide on this combination and I still like it a lot -- again, prior to the current issue.

 

[heywire]

Have you tried the latest official firmware (3.0.0.4.386_45956) to see if that's more stable? Works better for me than any of the official or Merlin releases going several versions back.

The problem seems to stem from Asus long time neglect of the Asus AC86U firmware, which has caused instability problems for tons of users going way back. See a short summary here: https://www.snbforums.com/threads/386-4-ac86u-losing-2-4-ghz-devices.77018/#post-740169

Hence, I don't think there is anything config-wise you can do to overcome these issues. We just have to wait for Asus to get their act together and improve the GPL release that Merlin builds on. I'm as frustrated by this as you, having wasted tons of hours troubleshooting and great annoyance among users, which is reflected in my commenting history.

 

[DTS]

Have you tried the latest official firmware (3.0.0.4.386_45956) to see if that's more stable? Works better for me than any of the official or Merlin releases going several versions back.

I have not tried it yet.

The problem seems to stem from Asus long time neglect of the Asus AC86U firmware, which has caused instability problems for tons of users going way back. See a short summary here: https://www.snbforums.com/threads/386-4-ac86u-losing-2-4-ghz-devices.77018/#post-740169

I had not seen that thread, and I was not aware of this widespread instability.

I also see "constant micro-disconnections" in my logs too. I wondered about those, but had not yet focused on that issue as the complete loss of client Internet connectivity has been the more pressing issue.
https://www.snbforums.com/threads/386-4-ac86u-losing-2-4-ghz-devices.77018/#post-740169

Hence, I don't think there is anything config-wise you can do to overcome these issues. We just have to wait for Asus to get their act together and improve the GPL release that Merlin builds on. I'm as frustrated by this as you, having wasted tons of hours troubleshooting and great annoyance among users, which is reflected in my commenting history.

OK, so you and @eibgrad have given me enough reasons to convince me to try something other than the Merlin firmware that I am such a fan of using. (I hope to come back to Merlin in the future.)

I now have a brand new Asus RT-AX86U. I will try the latest official Asus firmware on it. This router is supposed to support openvpn client tunnels in the stock firmware, but I don't know if an Internet killswitch is also supported. If it is, I will stick with the stock firmware and see how that goes.

If the RT-AX86U doesn't have an Internet killswitch feature, then I can try another firmware (such as dd-wrt). I have the following routers which I think can run dd-wrt:

- Asus RT-AC68 (U or P -- I can't remember which)
- Netgear R7800
- Archer C7

The only other feature I need is for WiFi guests to be directed to the WAN port, not the VPN tunnel. But there's a workaround for that -- use a second router for the guests. I can pick any of my spare routers with any reliable firmware and connect it directly to the ISP's modem and use that for the guest WiFi.

 

[eibgrad]

OK, so you and @eibgrad have given me enough reasons to convince me to try something other than the Merlin firmware that I am such a fan of using. (I hope to come back to Merlin in the future.)

Ok, but remember, that's when I thought you had bought the same router (RT-AC86U) for the third time! You then corrected yourself and stated you now have the RT-AX86U, which is probably the most common and popular router in the forum at this time. Every router has its issue from time to time, even the RT-AX86U, but I've never heard of anything like yours. Ppl successfully and quite happily use the RT-AX86U w/ Merlin all the time. And many w/ vastly more complex setups.

 

[DTS]

Ok, but remember, that's when I thought you had bought the same router (RT-AC86U) for the third time! You then corrected yourself and stated you now have the RT-AX86U, which is probably the most common and popular router in the forum at this time. Every router has its issue from time to time, even the RT-AX86U, but I've never heard of anything like yours. Ppl successfully and quite happily use the RT-AX86U w/ Merlin all the time. And many w/ vastly more complex setups.

I purchased the AX86U because of the positive ratings I saw here. As you know, I like the Merlin firmware, so I'm happy to start with that combination.

I just downloaded Merlin fw 386_4_0 for the AX86U.

I normally do like the instructions say, which is "Simply flash it like any regular update."

It should be simple because this is a brand new router and I will be setting all the settings manually (not uploading any saved settings).

However, I think it might be worthwhile to follow an exact set of steps. Is there any tutorial or guide on this site (or anywhere) that goes into great detail? For example, does it matter if I install YazFi earlier in my setup process or later?

Are there common mistakes people make that you think I need to review? Even though I have installed Merlin fw many times, I'm going to pretend like I have never do it before and try to eliminate any potential errors.

My plan:
I will set up Express VPN and use a single client VPN tunnel
I will use Merlin's built-in Internet killswitch
I will set up a single Guest WiFi network
I'll use the VPN director and YazFi to direct guests to the WAN port

I will also try the latest stock firmware on one of my two AC86U devices, as @heywire suggested.

I could also leave YazFi off the AX86U and use a separate router for my guest network. Thoughts on that?

 

[L&LD]

When flashing from stock to RMerlin firmware, a full reset to factory defaults is always a good suggestion. Even with a brand new router, the settings it may have with the shipped firmware, won't necessarily be the settings required by the variables, new/updated software components, and or the drivers of the forked firmware (and, vice-versa).

After flashing the firmware you want to use, follow the suggested steps below.

[Wireless] ASUS router Hard Factory Reset | Official Support | ASUS Global

Fully Reset / Best Practice Setup / More


Additional links you may find useful when getting your router/network to a good/known state.

Almost all L&LD Links

About L&LD

 

[DTS]

I carefully followed the L&LD recommendations and set up Merllin 386.4 firmware on my AX86U.

My minimal configuration consists of the following changes. Everything else was left at the default settings.

All I am doing is setting up a single VPN client tunnel with killswitch. I am not setting up local DNS resolution, or a guest network. I am not adding any scripts.

Wireless
set SSID & strong WPA2 password
use dual-band smart connect (2.4 and 5 GHz)
Disable WPS

Lan
set hostname
set IP address

WAN
Forward local domain queries to upstream DNS: No
Enable DNS Rebind protection: Yes

VPN
VPN Director Rules
OVPN1: ExpressVPN UDP NJ2 stock Connected VPN Director + killswitch
VPN Director rule -> Local IP: <local devices ip range> -> Remote IP: <blank> -> Iface: OVPN1
VPN Client setup
Automatic start at boot time: yes
Accept DNS Configuration: Exclusive
Redirect Internet traffic through tunnel: VPN Director (policy rules)
Killswitch - Block routed clients if tunnel goes down: yes

Firewall
log dropped packets

Administration
router login name
strong password
Enable JFFS scripts
set Time Zone
Enable LAN only SSH (no password login)
add Authorized Keys
No SSH forwarding
Enable HTTPS only GUI access (only from LAN)

Save settings
Save JFFS (probably empty?)

Test restoring settings: done

Save syslog: done
Save some diagnostics via SSH (free, df, etc.): done

---

I have a couple questions:

1. what else should I set at this stage for good DNS privacy?
2. did I miss any VPN Director rules I should have?
3. did I miss anything obvious?

My Todo List after testing the above simple configuration for several weeks:

1. enable this:
[Use VPN Exclusive DNS and Local DNS | SmallNetBuilder Forums](https://www.snbforums.com/threads/use-vpn-exclusive-dns-and-local-dns.77246/ "Use VPN Exclusive DNS and Local DNS | SmallNetBuilder Forums")

2. enable Guest network and routing of guests to WAN (bypass VPN tunnel) - requires installing YazFi

3. review security settings

I also plan to install the latest stock firmware (or the newer Merlin 386.4) on my AC86U immediately.

 

[eibgrad]

1. what else should I set at this stage for good DNS privacy?

If you're following my suggestions on the following thread ...

Use VPN Exclusive DNS and Local DNS

I have a question related to https://www.snbforums.com/threads/local-dns-and-vpn-issue.55312/#post-468948, but thought I'd post a separate question since my setup is slightly different than what is described there. I have an Asus RC-AC86U router running Merlin v386.4. Its relevant...

www.snbforums.com

... that should do the job.

2. did I miss any VPN Director rules I should have?

You only indicated you had some local IPs being routed over the VPN. But my suggestions on that other thread suggest binding your public DNS to the VPN using routing policy as well (and adding static routes).

3. did I miss anything obvious?

Not that I'm seeing.

 

[DTS]

If you're following my suggestions on the following thread ...

Use VPN Exclusive DNS and Local DNS

I have a question related to https://www.snbforums.com/threads/local-dns-and-vpn-issue.55312/#post-468948, but thought I'd post a separate question since my setup is slightly different than what is described there. I have an Asus RC-AC86U router running Merlin v386.4. Its relevant...

www.snbforums.com

... that should do the job.

I am not following that thread -- yet. I was trying to keep things even simpler for the first two weeks. I was going to make sure local DNS is working only after I make sure the problem that started this thread (client Internet connection) is fully solved.

You only indicated you had some local IPs being routed over the VPN. But my suggestions on that other thread suggest binding your public DNS to the VPN using routing policy as well (and adding static routes).

Without going that far yet, what simple / GUI settings do I need to review regarding DNS privacy while using a VPN. (This is a topic that has always perplexed me, and I want to learn about it in more detail, but I also want to limit the changes I make to this router for a couple weeks.)

Not that I'm seeing.

Thank you. I really appreciate all your help on this issue!

 

[DTS]

FYI - after 7 days, the AX86U with Merlin f/w 386.4 is working well. I'll test it for another week (maybe two) before I make any major configuration changes.

 

[DTS]

I already had plenty of evidence of this, but now I have additional evidence. Today the clients connected to the AC86U with Merlin 386.3_2 lost Internet connectivity, but the clients connected to the AX86U with 386.4 did not. Both routers are connected to the same ISP modem.

When I set up the AX86U I also set the AC86U to reboot once a week. Apparently that's not sufficient to prevent the issue. I have to actually power it off and turn it back on to clear the issue once it happens.

Today's incident encourages me that whatever the issue is with the AC86U with Merlin 386.3_2, the AX86U and 386.4 does not suffer from it. But I'll continue the test for at least another week.

 

[heywire]

There is a new BETA version of 386.5 in case anybody with stability problems (especially the AC86U as it seems hit particularly hard with the disconnection events) is able to take it for a spin and report back whether it resolves anything:

Beta - Asuswrt-Merlin 386.5 Beta is now available

Asuswrt-Merlin 386.5 Beta is now available. This release introduces support for the RT-AC68U_V4 and GT-AXE11000 (both were originally planned for 386.4, but wifi issues with their GPLs forced both, to be delayed). This also merges with Asus's 386_46065 GPL code, and fixes a few issues. The...

www.snbforums.com

 

[eibgrad]

Hmm, looks like we're getting close to a month now w/o problems. No news is good news?!

 

[Kanji-San]

I already had plenty of evidence of this, but now I have additional evidence. Today the clients connected to the AC86U with Merlin 386.3_2 lost Internet connectivity, but the clients connected to the AX86U with 386.4 did not. Both routers are connected to the same ISP modem.

When I set up the AX86U I also set the AC86U to reboot once a week. Apparently that's not sufficient to prevent the issue. I have to actually power it off and turn it back on to clear the issue once it happens.

Today's incident encourages me that whatever the issue is with the AC86U with Merlin 386.3_2, the AX86U and 386.4 does not suffer from it. But I'll continue the test for at least another week.

@DTS I encountered similar WAN drops last year after an ISP equipment change. I am convinced that certain Asus router models, such as the AX88U in my case, have incompatibility issues with certain ISP equipment which results in hard-to-debug random WAN disconnects. Like you, I replaced my router with the AX86U and since then it has been rock-stable.
Thanks for your datapoint. I wish Asus would look into these random WAN drops.

 

[DTS]

I flashed 386.5 firmware to this router today. If that doesn't resolve the issue, I'll replace this router with an AX86U, which has been rock solid for me with the Merlin fw.

I appreciate all the help and the learning experience. I want to thank everyone who helped me, especially @eibgrad.

 

[DTS]

Hmm, looks like we're getting close to a month now w/o problems. No news is good news?!

Correct. No problems with the AX86U and 386.4 fw. (Upgraded to 386.5 today.)
The AC86U with 386.3_2 continues to have problems, so I updated it to 386.5 today too. And we'll see if that solves the issue that started this thread.

 

[DTS]

Update. The AC86U with 386.5 fw appears to still have the issue that started this thread.

Weirdly, the AX86U with 386.5 fw has a GUI problem. I cannot access the GUI (even after a reboot), although the device continues to function in AP mode.

 

[drinkingbird]

Update. The AC86U with 386.5 fw appears to still have the issue that started this thread.

Weirdly, the AX86U with 386.5 fw has a GUI problem. I cannot access the GUI (even after a reboot), although the device continues to function in AP mode.

I think I mentioned this previously, but do you have FIOS and guest wireless 1 enabled? If so, move it to guest wireless 2. There is a known issue with GW1 forwarding DHCP packets to the WAN and confusing FIOS.