

3.80 to 3.84 dirty remote upgrade worth it?

Discussion in 'Asuswrt-Merlin' started by David Kremer, Apr 5, 2020.

  1. David Kremer

    David Kremer New Around Here

    Joined:
    Apr 5, 2020
    Messages:
    8
    My remote router is running OK on Merlin 3.80, but I wish some bugs were fixed. For example, automatic reboot hangs and doesn't work. Also, adjusting the bandwidth limiter causes a crash requiring manual reset.

    Problem is this is a remote router approximately 3,000 miles away. And now during Corona lockdown, I won't be able to go there soon.

    The only way I could upgrade is with a dirty upgrade (I can't do a factory reset after flashing the new firmware). It just has to work, carrying over the old settings.

    Is it worth the risk? I could just try it and cross my fingers, but I'm nervous.
     
  2. JDB

    JDB Very Senior Member

    Joined:
    Aug 28, 2016
    Messages:
    1,100
    That's a big jump, I'd leave it.


    Sent from my iPhone using Tapatalk
     
  3. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    33,014
    Location:
    Canada
    Don't. You even admitted it sometimes crashed during reboots, so it's even more likely to fail to reboot properly after an update. OpenVPN code also changed a lot since 380.xx, and may fail to restart after the upgrade.
     
  4. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    12,617
    For the sake of connectivity, as others have said, don't.

    But, what is this network used/useful for? If nothing really important, then it is a great opportunity/learning experience to flash it to john9527's latest 42.E7 firmware. :)

    Which model are we talking about here, btw?
     
  5. David Kremer

    David Kremer New Around Here

    Joined:
    Apr 5, 2020
    Messages:
    8
    I'm on the RT-AC88U. I wasn't aware of anything called 42.E7 but it looks like it's for earlier than 380. This is not a mission critical router but it would still really suck to have it go down. To get to it physically, I have to fly 3000 miles and then drive 2 hours one way ;) Nothing worse than this thing going down. There is someone onsite that could help me fix it, but they're non technical. I dread having to walk them through configuring a router from scratch that I can't access myself.
     
  6. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    12,617
    Yes, the firmware I suggested isn't even available for your router. Still, a little shocked it's running 380.xxx today. :eek:
     
  7. netware5

    netware5 Very Senior Member

    Joined:
    Mar 9, 2013
    Messages:
    513
    Location:
    Bulgaria
    That is a challenge :) But you are lucky, as you have somebody on-site to switch power, so there is a chance :) My proposal is to prepare a detailed guide for the person on-site to do a factory reset and a minimal initial configuration from scratch. Then you flash the new FW remotely using the existing OpenVPN server. Then the person on-site performs a power cycle, factory reset and initial configuration. Then the riskiest part from a security point of view comes. The person on-site should enable WAN access (the administrator account name shall be changed in advance to something non-default). This part is very risky, so you should co-ordinate the time to perform it. Then, as fast as possible, you should log in remotely and complete the OpenVPN server configuration. Then disable the WAN access and check if everything is OK. Then, in order to stay on the safe side, you may re-flash the FW again. The whole operation needs careful preparation and having all necessary configuration elements ready in advance on paper and in files. At the end you should carefully inspect all running processes and jffs scripts to verify that no malware was introduced during the short period when WAN access had been enabled.

    *** Addition***

    If the service is not critical you may also switch off the router for 1-2 days before the upgrade in order for scanning bots to forget it.
     
    Last edited: Apr 6, 2020
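The last step of netware5's plan, checking that nothing was added to the jffs scripts during the window when WAN access was on, is easiest if you hash the scripts before and after. The following is an added example, not code from the thread or from Asuswrt-Merlin: it uses only busybox-style find, sort, sha256sum and awk, and a temporary directory with constructed sample scripts stands in for /jffs/scripts so it runs anywhere.

```shell
#!/bin/sh
# Baseline-and-compare for the router's user scripts around the window in which
# WAN access is enabled. Added example, not code from the thread. On the router
# you would point it at /jffs/scripts; here a temporary directory stands in so it
# runs anywhere with busybox-style find/sort/sha256sum/awk.

# make_manifest DIR -> "sha256  ./relative/path" for every regular file, sorted.
# (Paths containing whitespace would break the awk field split below.)
make_manifest() {
    ( cd "$1" && find . -type f | sort | while read -r f; do sha256sum "$f"; done )
}

# compare_manifests BASELINE CURRENT -> ADDED / MODIFIED / REMOVED lines, sorted.
# FILENAME==ARGV[1] rather than NR==FNR so an empty baseline is handled correctly.
compare_manifests() {
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         {
             if (!($2 in base))        print "ADDED", $2
             else if (base[$2] != $1)  print "MODIFIED", $2
             seen[$2] = 1
         }
         END { for (p in base) if (!(p in seen)) print "REMOVED", p }' "$1" "$2" | sort
}

# --- constructed demo data (not from any real router) ---
WORK=$(mktemp -d)
SCRIPTS="$WORK/scripts"          # stand-in for /jffs/scripts
mkdir -p "$SCRIPTS"
printf '#!/bin/sh\niptables -I INPUT -p udp --dport 1194 -j ACCEPT\n' > "$SCRIPTS/firewall-start"
printf '#!/bin/sh\n# placeholder\n' > "$SCRIPTS/services-start"

# 1. Take the baseline BEFORE the on-site helper enables WAN access.
make_manifest "$SCRIPTS" > "$WORK/baseline.txt"

# 2. Simulate what a compromise during the window could look like: one existing
#    script edited, one new script dropped into a hook that runs at boot.
printf '# constructed: simulated tampering\n' >> "$SCRIPTS/firewall-start"
printf '#!/bin/sh\n# constructed: simulated dropped script\n' > "$SCRIPTS/post-mount"

# 3. Once WAN access is off again, re-hash and diff against the baseline.
make_manifest "$SCRIPTS" > "$WORK/current.txt"
compare_manifests "$WORK/baseline.txt" "$WORK/current.txt"
# Expected here:
# ADDED ./post-mount
# MODIFIED ./firewall-start
```

Take the baseline over the VPN before the helper touches anything, keep a copy of it off the router, and run the comparison only after WAN access has been switched off again. A `ps w` snapshot before and after can be compared the same way, but process lists are noisier; the script directory is the part worth automating, since anything dropped there runs again on every boot.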
  8. David Kremer

    David Kremer New Around Here

    Joined:
    Apr 5, 2020
    Messages:
    8
    It sounds like you think having WAN access enabled is pretty risky. Is that true? I always have WAN access as well as SSH enabled. I also have VPN as well, but I don't need VPN for all tasks, usually WAN or SSH does it. Are there really exploits on 380 to hack through the WAN or SSH?
     
  9. JDB

    JDB Very Senior Member

    Joined:
    Aug 28, 2016
    Messages:
    1,100
    WAN access for web interface is the worst thing you can possibly do!! Turn it off now!! I at least hope it is set to HTTPS only, if it is HTTP then frankly, just wow!

    WAN SSH is also a pretty terrible idea, if you must do it, disable password access and use SSH keys only though. Ideally, turn it off now!!

    VPN should be the only way ANY router is accessed remotely. Have a search for the many reasons why!


    Sent from my iPhone using Tapatalk
     
  10. grifo

    grifo Regular Contributor

    Joined:
    Jun 9, 2017
    Messages:
    111
    In that situation and especially if this is for a business use, I'd buy a new router, configure it at my place then courier it to the remote site, letting someone else do the flying and the driving for a small fee (I'm assuming courier services are still running in your country during the lockdown and they will pick the parcel up at your place).

    Overall it's bound to cost you a lot less than doing it yourself plus you'd have a backup router onsite (the RT-AC88U) to use if the main one fails, possibly saving you downtime and a long journey in future. Once the new router is in place you can factory reset and update the RT-AC88U remotely.

    For remote access only use the VPN, Internet side HTTP/S and SSH are a vulnerability and best kept turned off.
     
  11. netware5

    netware5 Very Senior Member

    Joined:
    Mar 9, 2013
    Messages:
    513
    Location:
    Bulgaria
    As @JDB says above, the ONLY port open to the external world shall be the port the OpenVPN server listens on. That is a golden security standard!
     
  12. David Kremer

    David Kremer New Around Here

    Joined:
    Apr 5, 2020
    Messages:
    8
    I am pretty careful. WAN is https only of course, I would never use plain http. And ssh is using keys only, I never use passwords. I do think that unless there is a crazy exploit, these methods should be pretty secure. Is there any evidence of exploits for these?
     
  13. David Kremer

    David Kremer New Around Here

    Joined:
    Apr 5, 2020
    Messages:
    8
    This is a really good idea actually. Routers are cheap after all. Thanks for the tip!
     
  14. JDB

    JDB Very Senior Member

    Joined:
    Aug 28, 2016
    Messages:
    1,100
    Just google for AsusWRT vulnerability
    There’s a constant trickle of hacks and fixes (by both Asus and Merlin).
    I don’t think there are any current ones that need patching, but the point is, a couple times a year they pop up and have to be patched, so why take the risk on the next unknown exploit affecting you?
    You already have it set up, VPN takes only 3-4 seconds to click connect, so why would you need WAN HTTPS/SSH?


    Sent from my iPhone using Tapatalk
     
  15. grifo

    grifo Regular Contributor

    Joined:
    Jun 9, 2017
    Messages:
    111
    You are welcome, happy to help.
     
  16. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    33,014
    Location:
    Canada
    Asus has been fixing plenty of security exploits bypassing the web server authentication over the years, and considering the state of the httpd code, I'm pretty sure more will be found in the future. Just don't open the web server to the WAN. Use a VPN, or an SSH tunnel if you really must (the ssh daemon should be quite secure; just move it to another port than 22 to prevent it from being hammered all the time by connection attempts).

    HTTPS gives you zero protection there; all it does is ensure everything is transmitted encrypted.
     
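A quick check of the settings JDB and RMerlin are talking about, written as an added example (not code from the thread or from Asuswrt-Merlin): it reads an `nvram show` dump and flags a WAN-reachable web UI, a non-HTTPS web UI, WAN-reachable SSH, password SSH and SSH on port 22. The nvram variable names and the meaning of their values are my assumptions about what Asuswrt uses, so confirm them against your own unit before acting on a result. The two dumps inside are constructed to mirror the setup David describes (HTTPS-only, key-only SSH, both on the WAN) against the VPN-only setup the thread recommends.

```shell
#!/bin/sh
# Audit of the remote-management settings discussed above, read from an nvram
# dump. Added example, not code from the thread. On the router, make the dump with:
#     nvram show 2>/dev/null > /tmp/nv.txt
# ASSUMPTION: the variable names (misc_http_x, http_enable, sshd_enable, sshd_pass,
# sshd_port) and their meanings are what I believe Asuswrt/Asuswrt-Merlin use;
# confirm them against `nvram show` on your own unit before acting on a result.

# nvram_get FILE KEY -> value of KEY in the dump (empty if the key is absent)
nvram_get() {
    sed -n "s/^$2=//p" "$1"
}

# audit_dump FILE -> one "FINDING: ..." line per exposure; always exits 0
audit_dump() {
    dump=$1
    if [ "$(nvram_get "$dump" misc_http_x)" = "1" ]; then
        echo "FINDING: web UI reachable from WAN (misc_http_x=1); set it to 0 and reach the UI over VPN or an SSH tunnel"
    fi
    if [ "$(nvram_get "$dump" http_enable)" != "1" ]; then
        echo "FINDING: web UI not HTTPS-only (http_enable=$(nvram_get "$dump" http_enable); 0 is HTTP, 2 is both)"
    fi
    if [ "$(nvram_get "$dump" sshd_enable)" = "1" ]; then
        echo "FINDING: SSH accepts connections from WAN (sshd_enable=1); 2 is LAN-only"
    fi
    if [ "$(nvram_get "$dump" sshd_pass)" = "1" ]; then
        echo "FINDING: SSH password login allowed (sshd_pass=1); keys only"
    fi
    if [ "$(nvram_get "$dump" sshd_port)" = "22" ]; then
        echo "FINDING: SSH on port 22; move it off 22 to stop the constant login hammering"
    fi
    return 0
}

# finding_count FILE -> number of findings, printed as a string
finding_count() {
    audit_dump "$1" | grep -c '^FINDING:' || true
}

# --- constructed dumps (not captured from any real router) ---
WORK=$(mktemp -d)
# The setup the poster describes: HTTPS-only web UI and key-only SSH, both open on the WAN.
cat > "$WORK/as_described.txt" <<'EOF'
http_enable=1
misc_http_x=1
sshd_enable=1
sshd_pass=0
sshd_port=22
EOF
# The setup recommended in the thread: nothing on the WAN except the VPN.
cat > "$WORK/recommended.txt" <<'EOF'
http_enable=1
misc_http_x=0
sshd_enable=2
sshd_pass=0
sshd_port=2222
EOF

audit_dump "$WORK/as_described.txt"    # 3 findings: WAN web UI, WAN SSH, port 22
audit_dump "$WORK/recommended.txt"     # no output
```

On the router, run `nvram show 2>/dev/null > /tmp/nv.txt` and then `audit_dump /tmp/nv.txt`. The output makes the thread's point: the "as described" dump still produces three findings with HTTPS-only and key-only SSH, because the advice is about the exposure itself (an authentication bypass in httpd does not care about TLS), not about the strength of the credentials behind it.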
  17. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    12,617
    If a new router is being shipped to the remote location and there is a person ready to switch them, I would do the following. For the sake of the scientific 'router' community here. :)

    • Have them switch to the new router and verify that all operations are possible, including remote connection and full access to remote clients as needed/required.
    • After the above is done and verified (reboot the router remotely and via power off a couple of times too, while testing), then the fun can start.
    • Put in the original RT-AC88U and flash it to RMerlin 384.16_0 and see if you can get it to work from the 380.xx firmware it is currently running. :eek:
    • Don't expect it to go smoothly, but you may learn something and be able to pass it on to the rest of us too. :)
    Of course, it won't be a 'backup' router anymore if you attempt this. But it could easily be shipped back to you to do it properly too. :)

    Just a wild suggestion from one sleepy guy. Please let us know the progress of this, however may you decide to proceed. :)
     
  18. grifo

    grifo Regular Contributor

    Joined:
    Jun 9, 2017
    Messages:
    111
    He can connect the RT-AC88U's LAN to the new router's LAN after changing the new router's LAN IP, then VNC to a local machine, and he should be able to reconfigure the RT-AC88U from scratch after a factory reset. It wouldn't work directly from the VPN, as the RT-AC88U wouldn't know the VPN's IP subnet nor have a default gateway towards the LAN.