[Release] Asuswrt-Merlin 384.12 is now available

[David Arnstein]

I upgraded from ll.2 to 12.0 and I experience a regression. I am having a problem with web access to my router, when using https.

My router is an RT-AC68U, which I dirty-upgraded from 11.2 to 12.0 without incident. In the router's Administration|System page, I have set Local Access Config to Authentication method both, addresses http://192.168.1.1 and https://192.168.1.1:8443 .

Remote access via WAN is disabled. Enable access restrictions is disabled.

I only access the router from a wired ethernet port, LAN.

I can log in to the router OK as http://192.168.1.1.

If I log in via https://192.168.1.1:8443, Google Chrome indicates "Not secure." In the browser address bar, I see https: in red strikethrough typeface. Then ://192.168.1.1:8443.

If I log in via http://192.168.1.1:8443 using Mozilla Firefox, results are much worse. Firefox indicates it is VERY SLOWLY executing TLS handshakes again and again. Eventually, Firefox simply times out.

My router config is rather simple. No VPNs, nothing besides default routing and maybe 25 static host names in the DHCP config. 2.4 GHz and 5 GHZ WiFi are working, but I don't have any guest network. No cloud services or media servers.

I can access the router via ssh and run top. When the TLS handshaking problem happens, the CPU idle time is about 97%.

Any suggestions?

 

[Poseidon]

Is the check firmware update feature broken? I've noticed that in the last 2 releases, it doesn't tell you if you have the latest RMerlin firmware when u click on the check update tab - instead it opens up a stock Asus page.

What happened with this feature?

 

[Sanna1967]

when u click on the check update tab - instead it opens up a stock Asus page.

What happened with this feature?

Same,it goes on the Asus site

 

[InstantAli3n]

[BUG] Some uploads misdetected as downloads.
[BUG] Incorrect transfer classes assigned to some connections.

QoS ineffective -> Bufferbloat -> High/inconsistent ping -> VoIP and video chat quality degradation. Under certain conditions it becomes unusable.
​

A picture is worth a thousand words so I made a "visual bug report" to show what is going on.
I didn't know what other details to show so let me know. I'd like to give better detail or make some logs while it's misbehaving for troubleshooting.

NOTE: My upload and download are manually configured with dslreports speed test to ensure consistency and minimum possible bufferbloat. Charter Spectrum 100/10 (Over Provisioned to: 120/12 | Actual w/ QoS off: 116/11.6 | QoS set to 110/10.7 WAN overhead 18 | Speed test: 107/10.7 A+ A A+ A+, Wifi and ISP connection all good.

 

[Vexira]

[BUG] Some uploads misdetected as downloads.
[BUG] Incorrect transfer classes assigned to some connections.

QoS ineffective -> Bufferbloat -> High/inconsistent ping -> VoIP and video chat quality degradation. Under certain conditions it becomes unusable.
​

A picture is worth a thousand words so I made a "visual bug report" to show what is going on.
I didn't know what other details to show so let me know. I'd like to give better detail or make some logs while it's misbehaving for troubleshooting.

NOTE: My upload and download are manually configured with dslreports speed test to ensure consistency and minimum possible bufferbloat. Charter Spectrum 100/10 (Over Provisioned to: 120/12 | Actual w/ QoS off: 116/11.6 | QoS set to 110/10.7 WAN overhead 18 | Speed test: 107/10.7 A+ A A+ A+, Wifi and ISP connection all good.

Are you running the freshjr script?

And agree that UI element needs a visual upgrade.

 

[Sonyrolfy]

I have set connect Intercept NTP local requests and the local NTP to accomplice the same time for each device in my network, unfortunately port 123 has un-replied states for my devices. Do I need to forward port 123 to my VPN provider to get this to work?

 

[Martineau]

10102:    from 10.8.0.2 lookup ovpnc1

Chain OVPN (2 references)

num   pkts bytes target     prot opt in     out     source               destination       

1       27  1754 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0         

2        0     0 DROP       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)

num   pkts bytes target     prot opt in     out     source               destination       

1        0     0 ACCEPT     udp  --  br0    ppp0    0.0.0.0/0            0.0.0.0/0            match-set Skynet-IOT src udp dpt:123

2        0     0 LOG        all  --  br0    !tun2+  0.0.0.0/0            0.0.0.0/0            match-set Skynet-IOT src LOG flags 7 level 4 prefix "[BLOCKED -

3        0     0 DROP       all  --  br0    !tun2+  0.0.0.0/0            0.0.0.0/0            match-set Skynet-IOT src

4        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.0/4       

5      655 39652 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 TCPMSS clamp to PMTU

6    20735   10M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

7        0     0 other2wan  all  --  !br0   ppp0    0.0.0.0/0            0.0.0.0/0         

8        0     0 logdrop    all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0         

9       29  1856 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0         

10     150  7010 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID

11     489 41621 NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0         

12     456 39491 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0         

13       6   376 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT

14      27  1754 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW

15       0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0

The OVPN chain indicates that VPN Server traffic is being allowed inbound, but you would need to change the 'ACCEPT' target to 'logaccept' to show in Syslog what is actually being allowed.
(This may indicate that the traffic to the LAN resource is allowed, but perhaps there is a firewall on the actual target LAN device that may be blocking the access?)

In the FORWARD chain, the only block seems to be the expected 'INVALID' packets, but none of the other 'DROP/logdrop' rules seem to be the culprit.

Perhaps you could try temporarily disabling Skynet, otherwise you will either need to temporarily change ALL 'DROP' targets with 'logdrop' in order to find which rule is the culprit, or install tcpdump to assist in tracking down the issue.

 

[Delusion]

multiple reasons:
1. that changes are not merged into mainline branch
2. by default nettle still used, need to config_base
3. cloudflare validates dnssec on their end and doesn't support ed448 at least (striping rrsig)

Working great. Apparently, https://rootcanary.org/test.html saves data on PC and shows you old stats but after a period of time, it runs fresh test .... This is what I get (works much faster and better then on 384.12 which had 'servfail' and took longer to finish the test) :

 

[RMerlin]

Is the check firmware update feature broken? I've noticed that in the last 2 releases, it doesn't tell you if you have the latest RMerlin firmware when u click on the check update tab - instead it opens up a stock Asus page.

What happened with this feature?

Works for me.

What model? What firmware version?

 

[Stevens243]

The problem disappeared before I start checking what is happening. VPN is working properly now with Inbond Firewall Block. Temporary VPN server overload perhaps between my reboots, who knows.

I was seeing the exact same thing this morning. After checking logs and making sure the config was correct, no change. A reboot of both devices cleared it up. Same VPN also.

 

[Gerry Smith]

How did I not know about this firmware! solved a years worth of issues with Overheating, (the router not me) 5ghz WiFi not routing , smart home not working in one simple upgrade. Sorry this sounds like an advert but as helpful as ASUS support have been they never fixed any of the issues I had. I can Chromecast and use my smart lights again without having to reboot my entire house. I will send a donation it's probably sad but this has made me very happy today!

 

[JohnSmith]

Upgrade RT-AC3100 from V384.11_2 Final to V384.12_0 Final, via firmware upgrade (first GUI rebooted the router as it had been up for 34+ days). Everything is working great!

 

[Sanna1967]

What model? What firmware version?

Tried with Firefox,Edge and Chrome and this is all the same , it open the Asus website download .
https://www.asus.com/fr/Networking/RT-AC86U/HelpDesk_Download/

It worked with the Beta 2(or beta 1 ), we arrived on your site


AC86 , 384.12

 

[Diamond67]

Is the check firmware update feature broken? I've noticed that in the last 2 releases, it doesn't tell you if you have the latest RMerlin firmware when u click on the check update tab - instead it opens up a stock Asus page.

What happened with this feature?

I haven't used that feature for ages because I use Diversion and have Firmware update notification enabled from Communication settings of Diversion. So, when a new Merlin fw update is released my router sends me a notification email. Very handy.

 

[Poseidon]

Works for me.

What model? What firmware version?

86U and

Tried with Firefox,Edge and Chrome and this is all the same , it open the Asus website download .
https://www.asus.com/fr/Networking/RT-AC86U/HelpDesk_Download/

It worked with the Beta 2, we arrived on your site

AC86 , 384.12

Same router and f/w here as well. No luck using any browser. Always redirecting to Asus website

 

[Val D.]

I was seeing the exact same thing this morning. After checking logs and making sure the config was correct, no change. A reboot of both devices cleared it up. Same VPN also.

I have noticed the server configuration files offered for download by NordVPN contain different settings in Custom Configuration than the ones mentioned in Asuswrt-Merlin instructions here https://nordvpn.com/tutorials/asustwrt-merlin/openvpn/. I manually copy/paste the default settings in instructions, change Accept DNS Configuration to Disabled* and Compression to None**. The rest is all Default settings as per configuration file. The tunnel stays up for months, with some very small exceptions.

* - NordVPN DNS server in Singapore was not responding about a month ago and is slow in my location. Who can we trust more? One company claiming no logs or another company claiming no logs? I just use a much faster DNS as global setting. I don't sell drugs, nor weapons.

** - No local server I connected to supports compression anyway. Even if leave it enabled (as per some server configuration files), the system log shows it is disabled after connection is established. LZO Compression has some security issues, as far as I understand.

Anyway, none of this is related to Merlin's 384.12 firmware. OpenVPN is working properly, no fix needed.

 

[themiron]

Working great. Apparently, https://rootcanary.org/test.html saves data on PC and shows you old stats but after a period of time, it runs fresh test .... This is what I get (works much faster and better then on 384.12 which had 'servfail' and took longer to finish the test)

good. fyi, that test saves nothing on PC, but resolved domains (incl. status) get cached for 1 minute by dnsmasq, that's why.

 

[JIPG]

Tried with Firefox,Edge and Chrome and this is all the same , it open the Asus website download .
https://www.asus.com/fr/Networking/RT-AC86U/HelpDesk_Download/

It worked with the Beta 2(or beta 1 ), we arrived on your site


AC86 , 384.12

It happens the same for me with an RT AC87U and FW 384.12.
The "check updates" button open the following page: https://www.asus.com/es/Networking/RTAC87U/HelpDesk_Download.

On the other hand, it works flawlesly, so thanks again RMerlin to keep us on the wave!.
Some bugs are now solved: The network map now detects correctly the 5 GHz band users, other router used as AP is also detected now, and in Aiprotection, the detected attacks are shown again, so thank you also to Asus.

 

[pfonseca]

Hi,

I've upgraded my AC86U from 384.10_2 to 384.12. It seems that everything works OK, but my dnsmasq.con.add doesn't apply the configuration that I've added.

Meanwhile, this messages starts to appear in log:

Jun 25 20:19:26 kernel: pgd = ffffffc017138000
Jun 25 20:19:26 kernel: [00735000] *pgd=0000000013c74003, *pud=0000000013c74003, *pmd=0000000016453003, *pte=0000000000000000
Jun 25 20:19:26 kernel: CPU: 0 PID: 2526 Comm: cfg_server Tainted: P O 4.1.27 #2
Jun 25 20:19:26 kernel: Hardware name: Broadcom-v8A (DT)
Jun 25 20:19:26 kernel: task: ffffffc01701eb40 ti: ffffffc01579c000 task.ti: ffffffc01579c000
Jun 25 20:19:26 kernel: PC is at 0x14bc0
Jun 25 20:19:26 kernel: LR is at 0x14bc0
Jun 25 20:19:26 kernel: pc : [<0000000000014bc0>] lr : [<0000000000014bc0>] pstate: a0000010
Jun 25 20:19:26 kernel: sp : 00000000ffad2a70
Jun 25 20:19:26 kernel: x12: 00000000ffffffff
Jun 25 20:19:26 kernel: x11: 0000000000734ffe x10: 0000000000000002
Jun 25 20:19:26 kernel: x9 : 00000000007143ff x8 : 0000000000000000
Jun 25 20:19:26 kernel: x7 : 0000000000734ffe x6 : 00000000f74f5ce0
Jun 25 20:19:26 kernel: x5 : 000000000008a415 x4 : 000000000008a42a
Jun 25 20:19:26 kernel: x3 : 00000000ffffffff x2 : 0000000000000010
Jun 25 20:19:26 kernel: x1 : 000000000008a428 x0 : 0000000000000008

This repeats for ever and ever.

I've done a Factory Reset, a new reflash of the Firmware and reapplied the config settings and JFFS backup tha I've done befor the upgrade, but the situation mantains.

Any idea?

Regards,

 

[Butterfly Bones]

nevermind, my mistake, I read the error wrong