[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

Did you make use of IFB? I see the screenshots show both ingress and egress stats.
No, I was going to, but ended up trying something else. As it turns out, I do it the same as Adaptive QoS, using br0 for ingress (saw that when I was adding the charts).
 
I always wondered if there was some blackbox magic inside Trend Micro's kernel modules to explain why they were able to do it that way, and everyone else seemed to imply that, out of the box, it wouldn't work unless using IMQ or IFB to mirror the inbound traffic. Interesting.

I hope that somebody (Asus or Broadcom) will eventually fix all the recent breakage that happened with traffic processing, which prevents Traditional QoS from working properly (or even traffic accounting - I had to disable Asus' switch-level accounting for it to work again. Packet counts at the netdev level are no longer accurate.)

Next thing you need is to implement nDPI, and come up with your own, 100% open-source Adaptive QoS :p

(if I didn't have Adaptive QoS already, that would probably be my next personal project).
 
Did you test all those firmware on the same architecture (MIPS or ARM)? I can't think of anything that could make a difference between our forks, aside from when comparing different architectures.
Same router, fresh install, factory reset and manual minimal settings. Both wireless channels down.
I'll test again day after tomorrow, seems fishy to me now too.
 
I always wondered if there was some blackbox magic inside Trend Micro's kernel modules to explain why they were able to do it that way, and everyone else seemed to imply that, out of the box, it wouldn't work unless using IMQ or IFB to mirror the inbound traffic. Interesting.
I actually got the idea originally from when I backported the Bandwidth Limiter QoS and saw that's how they did it there. I think the black magic comes in allowing CTF to be active, which I can't do.

BTW....I also enabled and debugged the dead code they had for differentiating between rules with transfer size limits and those without.
 
Does it work with HW acceleration now? Or will this new QoS still disable HW acceleration? I am asking because I have a fairly quick fiber connection which didn't work too well when HW acceleration is disabled. With HW acceleration, I get approximately 850 Mbps down and 480 Mbps up. Without HW acceleration I am getting at most 300 Mbps.

I am on an AC68U if that helps.
 
I think the black magic comes in allowing CTF to be active, which I can't do.

This is probably because the packet marking is done by the Trend Micro module, rather than at the Netfilter level, where chains are being bypassed by CTF.
 
The primary reason I looked into QoS in the first place a couple of years ago is having network issues that I learned were due to my phone doing cloud backups. To this point, QoS simply didn't help, but bandwidth limiting did. With 22B4, traditional QoS is handling that as well as using bandwidth limiter does.
 
Do we enter 100% of upload/download bw values or the traditional around 80% or so for both?
Secondly, I don't see the option for queuing discipline in my QoS setting page? And yes, I performed a factory reset after flashing your latest beta fw on my N66 :-(
 
Do we enter 100% of upload/download bw values or the traditional around 80% or so for both?
The traditional 80-90% of full bandwidth
Secondly, I don't see the option for queuing discipline in my QoS setting page? And yes, I performed a factory reset after flashing your latest beta fw on my N66 :-(
The kernel on the N66 is too old to support the new queuing disciplines...sorry
 
Is there an easy way of disabling the duplicate-cn option for the OpenVPN server? The config.ovpn is automatically generated during boot, and there does not seem to be an option in the GUI to disable the duplicate-cn.
 
Make a file
/jffs/scripts/openvpnserver1.postconf (or openvpnserver2)
with the following contents
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_delete "duplicate-cn" $CONFIG

exit

Make the file executable with
chmod a+rx /jffs/scripts/openvpnserver1.postconf

and make sure the option to execute scripts is enabled.
 
Hi John,
Thanks, that worked like a charm!
I would like to extend my question. I have enabled the second openvpn server (openvpnserver2) that is used for remote backup jobs. I only want to allow port 445 (samba traffic) and icmp. I now manually reconfigure the firewall after the router is booted with the following rules:

Code:
#!/bin/sh
#allow tcp445 inbound
iptables -I FORWARD -i tun22 -o br0 -m conntrack --ctstate NEW -p tcp --syn --dport 445 -d 192.168.0.200 -j ACCEPT

#allow any icmp
iptables -I FORWARD -i tun22 -o br0 -m state --state NEW,RELATED -p icmp  -d 192.168.0.200 -j ACCEPT

#delete default allow any from tun22 created by server2-fw.sh
iptables -D FORWARD -i tun22 -s 0/0 -d 0/0 -j ACCEPT

I am looking for a way to do this automatically after each reboot. What I have tried:
- user scripts
- post configuration scripts like you mentioned in your post.
- Putting this in the custom configuration in the GUI which runs the below code:

script-security 2
up "/jffs/scripts/CustomFirewallRules.sh up"
down "/jffs/scripts/CustomFirewallRules.sh down"

Code:
#!/bin/sh
# $1 = "up" or "down" (set in the custom configuration above)
# $2 = tunnel device name, passed by OpenVPN to up/down scripts

if [ -z "$1" ]; then
   exit 0

elif [ "$1" = "up" ]; then

   logger "setting firewall rules"

   # allow tcp/445 and icmp to the backup host, then drop the default allow-any
   /usr/sbin/iptables -I FORWARD -i "$2" -o br0 -m conntrack --ctstate NEW -p tcp --syn --dport 445 -d 192.168.0.200 -j ACCEPT
   /usr/sbin/iptables -I FORWARD -i "$2" -o br0 -m state --state NEW,RELATED -p icmp  -d 192.168.0.200 -j ACCEPT
   /usr/sbin/iptables -D FORWARD -i "$2" -s 0/0 -d 0/0 -j ACCEPT

elif [ "$1" = "down" ]; then

   logger "deleting firewall rules"

   /usr/sbin/iptables -D FORWARD -i "$2" -o br0 -m conntrack --ctstate NEW -p tcp --syn --dport 445 -d 192.168.0.200 -j ACCEPT
   /usr/sbin/iptables -D FORWARD -i "$2" -o br0 -m state --state NEW,RELATED -p icmp  -d 192.168.0.200 -j ACCEPT

else
   exit 0
fi

With every scenario, the rule "Allow any" below is not deleted (because it does not exist at execution time). This specific rule is created by the /etc/openvpn/fw/server2-fw.sh script, and it seems that this script always runs last. So the rule is always imported.

ACCEPT all -- tun22 * 0.0.0.0/0 0.0.0.0/0

So, manually the script runs fine, but I need a way to run my script after the server2-fw.sh script is finished OR modify server2-fw.sh with my custom iptables rules before it runs.
Do you know a way of doing that?
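
A check for the leftover rule described in the post above, added here as an example (it is not part of the original thread or of the firmware). It reads `iptables -S FORWARD` style output and reports any ACCEPT rule for the tunnel interface that has no protocol or address restriction. The function and sample names are hypothetical, the sample rule listings are constructed, and it assumes the router's iptables supports `-S`.

```shell
#!/bin/sh
# Added example: audit FORWARD rules for a VPN tunnel interface.
# stdin: lines in `iptables -S FORWARD` format; $1: interface name.
# Exit status 0 = no blanket ACCEPT found, 1 = at least one found.
audit_tunnel_rules() {
    awk -v iface="$1" '
        $1 != "-A" || $2 != "FORWARD" { next }
        {
            in_if = ""; target = ""; restricted = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
                else if ($i == "-p") restricted = 1
                else if (($i == "-s" || $i == "-d") && $(i + 1) != "0.0.0.0/0")
                    restricted = 1
            }
            if (in_if == iface && target == "ACCEPT" && !restricted) {
                print "UNRESTRICTED: " $0
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample: custom rules present, blanket rule re-added afterwards.
sample_with_allow_any() {
    cat <<'EOF'
-P FORWARD DROP
-A FORWARD -i tun22 -j ACCEPT
-A FORWARD -d 192.168.0.200/32 -i tun22 -o br0 -p icmp -m state --state NEW,RELATED -j ACCEPT
-A FORWARD -d 192.168.0.200/32 -i tun22 -o br0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 445 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
EOF
}

# Constructed sample: the intended state, with the blanket rule gone.
sample_restricted() {
    sample_with_allow_any | grep -vxF -e '-A FORWARD -i tun22 -j ACCEPT'
}

# Demo on the constructed samples.
sample_with_allow_any | audit_tunnel_rules tun22 || echo "tun22 still has a blanket ACCEPT"
sample_restricted | audit_tunnel_rules tun22 && echo "tun22 limited to specific rules"
```

On a router this would be run as `iptables -S FORWARD | audit_tunnel_rules tun22` once the VPN server has finished starting, so the result reflects the final rule order.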
 
I couldn't resist a Newegg refurb sale, so now have an N66 :)
Just tested there as well, 10X successful (it's not connected to the WAN though)
Code:
admin@RT-N66R-2628:/jffs/tmp# ./test.sh
+ echo -e  checking your system\n
 checking your system

+ brup_ping
+ echo -e  testing if 'ifconfig br0 up' works on your system
 testing if 'ifconfig br0 up' works on your system
+ echo -e  (might take a few seconds to complete)
 (might take a few seconds to complete)
+ ping -c 1 172.31.255.254
ping: sendto: Network is unreachable
+ brup_test 172.31.255.254
+ ifconfig br0:absolution 172.31.255.254 up
+ ping -c 2 172.31.255.254
+ echo -e  this appears to be working, continuing\n
 this appears to be working, continuing

+ ifconfig br0:absolution 172.31.255.254 down
+ exit
Just FYI:
I reboot mine, run test, need the sleep, reboot again, does not need sleep.
The two sec sleep stays, but the comment goes.
 
The Best build/version for my Asus B66U ?


Sent from my iPhone using Tapatalk
No such thing as a B66U.....it's either an 'N66U' or 'AC66U' or 'AC66U B (the latest rev just released)'

For the first two, load the latest stable release.
For the last, it's not officially supported (see many threads on the AC66U rev B). Some have had luck loading the latest Merlin AC68U code, but AFAIK nobody has tried this with this fork and I suspect the fork code will not work.
 
