Asuswrt-Merlin 3.0.0.4.354.28 Beta 1

[RMerlin]

The new SSH brute force protection option uses the netfilter recent module, so it is now compiled as part of the kernel versus as a kernel module.

I knew the name sounded familiar LOL Yeah, it's no longer compiled as a module since it makes things simpler to have it built-in than having to modprobe it in the kernel (especially considering its small size).

 

[FireWire76]

@RMerlin
Hi.
First of all, thanks for your nice firmware.
I recently switched from Tomato to your firmware due to speedproblems with Tomato(250Mbit/100Mbit from ISP).
One function that I was a bit confused about is the parental control. I have a couple of devices that need to be blocked from Internet and a couple of other devices that needs to have time restrictions to Internet. I used Parental control to add the devices and time schedule. But I was surprised that the Parental control blocks ALL network connectivity not only Internet. And thats not what I wanted. Is this intentional or is this a bug? If not a bug, is it possible to add the option to choose what to block(e.g BLOCK LAN CONNECTIONS/BLOCK INTERNET CONNECTION) in upcoming version. Would be really nice, because I really need this feature.
Or is it some other way to achieve this?

Best regards,
FireWire76

 

[FireWire76]

Want to bump this too: Suggestion.
Don´t know if you saw my comment on that, but would be a nice change if possible.

//FireWire76

 

[RMerlin]

@RMerlin
Hi.
First of all, thanks for your nice firmware.
I recently switched from Tomato to your firmware due to speedproblems with Tomato(250Mbit/100Mbit from ISP).
One function that I was a bit confused about is the parental control. I have a couple of devices that need to be blocked from Internet and a couple of other devices that needs to have time restrictions to Internet. I used Parental control to add the devices and time schedule. But I was surprised that the Parental control blocks ALL network connectivity not only Internet. And thats not what I wanted. Is this intentional or is this a bug? If not a bug, is it possible to add the option to choose what to block(e.g BLOCK LAN CONNECTIONS/BLOCK INTERNET CONNECTION) in upcoming version. Would be really nice, because I really need this feature.
Or is it some other way to achieve this?

Best regards,
FireWire76

The parental control code is entirely Asus's, and since they regularly make changes to it I'd rather not do any customization at this point, otherwise it will become very difficult to merge in any future changes from Asus. Maybe once their code stabilizes I might start taking a look at how it works and see if it can be improved.

For the scheduler: no plan to change it. I don't want to make it overly complicated and burden the webui with confusing options - too many options will drive away the novice user that this firmware targets in addition to the slightly above average user.

 

[FireWire76]

Do you have a suggestion on how to block a network device/computer to access Internet? And I mean completely not only certain ports etc. I thought the parental control was aimed at this, but I was obviously mistaken. In Tomato, this was easily achieved by using Access restriction. I am a bit disappointed that there is no such function in a router firmware as of today. This should be a standard feature in any router firmware.

 

[RussellInCincinnati]

Why wouldn't you simply limit internet access by adjusting things about the particular device? If you don't want some device to access the Internet, why wouldn't you do something to the device so that it can't do so?

Hmm, you could also consider setting up a guest network for the device, and changing a quality of service parameter for it, so that the guest network has practically no internet bandwidth allocated to it.

One could also point out that it's not a good sign for the importance of the feature that "there is no such function in a router firmware today". Something to do with the fact that routers are usually installed in order to give people access to the Internet, rather than preventing it.

 

[FireWire76]

I guess you misunderstood me. What I meant was that it´s somewhat odd, that a firmware(ASUS in this case) of today doesn´t have that function, when ALL other firmwares has it. The parental control in Asus firmware should block Internet access, not access to whole network.
ALL other router firmwares have this function(to block Internet access), either as parental control or as access restriction. Asus is the exception, and I tried lots of different routers and firmwares for many years.

If you don't want some device to access the Internet, why wouldn't you do something to the device so that it can't do so?

Thats why I have a Router! To control the traffic to and from Internet. You may not be aware of this, but many devices that use the network(media players, TV etc) doesn´t have the ability to turn of Internet access. Thats why I have Router! And if some devices/computers was able to be configured to not use the Internet, It would be stupid to do that, because the use of internet or not can change. Thats why I have a Router!

And to be honest, your comment is the most unuseful comment I seen in a long time. You must be either stupid or just mean, to answer a question so badly. Why even bother?
A routers purpose is to both give and restrict access to Internet and the network, not only to give!
I think you should really take a minute or two, before you post a comment next time. Is this the way you would like to be treated, when you want to have help to solve a problem? If yes, you can stop answering my questions!

Sad I went down to your level, but I have recently become a member here to get help and maybe give suggestions on features/bugs in the firmware. And I got upset over your ludicrous comment.

 

[FireWire76]

@RMerlin
Do you have any contact at Asus, maybe you could check with them if this is a bug. Because I never seen a Parental control/Access restriction work like this. In all firmwares/routers I tested, the main function is to either block Internet access and second to block access to specific IP´s/MAC-addresses, not to block all network connectivity.
And please, If you have any suggestion on how to solve this during the meantime, I would appreciate it very much.

Best regards,
FireWire76

 

[Pericynthion]

So just to be clear;

-You want the router to function as a wireless / wired hub
-with a local LAN functionality between the local devices
-but, you only want to allow specific devices internet access

I think you can do this with the existing firewall controls under - Under firewall using the network services filter.

"The Network Services filter blocks the LAN to WAN packet exchanges and restricts devices from using specific network services.
For example, if you do not want the device to use the Internet service, key in 80 in the destination port. The traffic that uses port 80 will be blocked.
Leave the source IP field blank to apply this rule to all LAN devices."

So on the assumption you know what IP addresses are in use (or specify a static DHCP lease for those), you can create a black-list for those source addresses and black-list ports 80 / 443 etc.

Also - I disagree with your statement - the purpose of a router is to exchange all packets between a LAN and WAN, not to control it. Controlling the packet exchange the purpose of a firewall.

 

[FireWire76]

So just to be clear;

-You want the router to function as a wireless / wired hub
-with a local LAN functionality between the local devices
-but, you only want to allow specific devices internet access

I think you can do this with the existing firewall controls under - Under firewall using the network services filter.

"The Network Services filter blocks the LAN to WAN packet exchanges and restricts devices from using specific network services.
For example, if you do not want the device to use the Internet service, key in 80 in the destination port. The traffic that uses port 80 will be blocked.
Leave the source IP field blank to apply this rule to all LAN devices."

So on the assumption you know what IP addresses are in use (or specify a static DHCP lease for those), you can create a black-list for those source addresses and black-list ports 80 / 443 etc.

Also - I disagree with your statement - the purpose of a router is to exchange all packets between a LAN and WAN, not to control it. Controlling the packet exchange the purpose of a firewall.

Ok, thank you for the suggestion will try this. I have a NAS that I don´t want to access the Internet for obvious reasons. And I have several media players that tries to autoupdate their firmware when connected to Internet. So those are the main reasons I want to be able to block devices from Internet. And beyond that, I want to block my children's iPods etc on weekdays, so they don´t stay up to long using internet =).

 

[DaveMishSr]

@RMerlin
Hi.
First of all, thanks for your nice firmware.
I recently switched from Tomato to your firmware due to speedproblems with Tomato(250Mbit/100Mbit from ISP).
One function that I was a bit confused about is the parental control. I have a couple of devices that need to be blocked from Internet and a couple of other devices that needs to have time restrictions to Internet. I used Parental control to add the devices and time schedule. But I was surprised that the Parental control blocks ALL network connectivity not only Internet. And thats not what I wanted. Is this intentional or is this a bug? If not a bug, is it possible to add the option to choose what to block(e.g BLOCK LAN CONNECTIONS/BLOCK INTERNET CONNECTION) in upcoming version. Would be really nice, because I really need this feature.
Or is it some other way to achieve this?

Best regards,
FireWire76

Yea unfortunately that is why TomatoUSB and DD-WRT are around. Buffalo AirStation offers factory DD-WRT versions for some of their high power access points/range extenders. You would probably be best served by something like that. However, both the RT-N66U and the RT-AC66U are supported by DD-WRT. The RT-AC66U version is still a beta though.

 

[RMerlin]

I can see one reason why one might argue that total LAN blocking might be desirable: to prevent bypassing the block through a proxy, RDesktop, using a forgotten iPod as an access point for the computer, etc...

Ideally, I think the router's administrator would be allowed to chose if they want only WAN block or complete LAN block.

Parental Control is one area where I still see code changes from Asus between releases, so I prefer to let them keep improving on it before I start doing any radical changes to it that might end up making my job a lot more complicated for merging in their newer changes. Once that part of the code stabilizes, I might take a closer look at it and see if it can be improved upon.

 

[RussellInCincinnati]

Firewire76 original question: Do you have a suggestion on how to block a network device/computer to access Internet?

RussellInCincinnati: Why wouldn't you simply limit internet access by adjusting things about the particular device? If you don't want some device to access the Internet, why wouldn't you do something to the device so that it can't do so?

FireWire76: I guess you misunderstood me. What I meant was...The parental control in Asus firmware should block Internet access, not access to whole network...And to be honest, your comment is the most unuseful comment I seen in a long time.
**********
Well I seem to have usefully encouraged you to explain yourself a bit more. You could perhaps see your own contribution to not getting the most useful comments immediately, before you have more thoroughly described your problem.

FireWire76: You must be either stupid or just mean...
**********
Is this the way you talk to your colleagues in person?

FireWire76: Is this the way you would like to be treated, when you want to have help to solve a problem?
****************
Apparently asking for clarification strikes you as terrible behavior.

FireWire76: "Sad I went down to your level...your ludicrous comment."
*******
This is oddly strong condemnation.

Firewire76: And I have several media players that tries to autoupdate their firmware when connected to Internet...So those are the main reasons I want to be able to block devices from Internet. And beyond that, I want to block my children's iPods etc on weekdays, so they don´t stay up to long using internet =).
**********
Firewire76, you suddenly seem to understand the point in clarifying your goals, when asking for help in reaching those goals. It would have been logical for you to have clarified your goals when I asked (in a way that I would have asked someone in person) for clarification, rather than your leaping to harsh words in a way that you would never have said to someone in person. This is a pretty nice forum, let's you and I both work a little harder to avoid the harshness that anonymity can lead to.

 

[Flannel]

Firstly, thanks merlin great work.

I have an issue with WAN access to the router web page.
I enabled this setting and configured a couple of IP's. Then decided against using this feature and disabled it again.
Now i cant get to the router page at all from internal IP's.

Any suggestions?

 

[RMerlin]

Firstly, thanks merlin great work.

I have an issue with WAN access to the router web page.
I enabled this setting and configured a couple of IP's. Then decided against using this feature and disabled it again.
Now i cant get to the router page at all from internal IP's.

Any suggestions?

You possibly removed the IPs without first disabling the restriction feature, which means no IP is currently allowed to connect to the webui.

Do you have either telnet or ssh enabled, so you can log into the router to change the nvram settings? If you do, you can disable IP-based access control with these:

nvram set http_client=0
nvram commit
service restart_httpd

If not, then you probably lost any method of accessing your router's configuration and will have to reset it back to factory defaults I'm afraid.

 

[Flannel]

Cheers.

Yep no telnet or ssh on, so a reset and settings restore got it all back.

I figure I must've changed to https by accident and had not updated my url to get back to the login page. We live, we learn.

 

[dhajduch]

DDNS behind multiple NAT routers

Hi,

is it possible to use DDNS client in multiple NAT environment? My internet provider use such an environment and even if I have fixed external IP address my router wan address is different from then external one. So it looks like this:

My external IP -> Provider NAT router -> My ISP wan address -> My router WAN port

With stock Asus RT-N66U firmware DDNS client registers My ISP wan address instead of My external IP address.

Does anybody know how to resolve this problem... or there is no go for such a scenario???

Thanks for any response.

 

[vdemarco]

Well the slowdown of the 5GHz band has started up for me again. After resetting the nvram it now takes about 7 days or so for it to come back. Rebooting it clears it up.

I realize that this is all beta software, so...

I am guessing that the radios go into low power mode after some period of time, is there some way of shutting this off?

(I could be completely wrong with the guess, but its just weird that it takes a week or so for the problem to show up)

 

[rlcronin]

Well the slowdown of the 5GHz band has started up for me again. After resetting the nvram it now takes about 7 days or so for it to come back. Rebooting it clears it up.

I realize that this is all beta software, so...

I am guessing that the radios go into low power mode after some period of time, is there some way of shutting this off?

(I could be completely wrong with the guess, but its just weird that it takes a week or so for the problem to show up)

What I would like to know is whether ASUS is pursuing a fix for the recently introduced wireless driver issues with any sense of urgency? While I understand Merlin's recent release is beta, were the new wireless drivers advertised as such as well?
--
bc

 

[RMerlin]

What I would like to know is whether ASUS is pursuing a fix for the recently introduced wireless driver issues with any sense of urgency? While I understand Merlin's recent release is beta, were the new wireless drivers advertised as such as well?
--
bc

Yes, Asus's 354 release which introduced the new drivers was also marked as beta by them.

No ETA as to when they might release a new version with fixed driver.