3.80 to 3.84 dirty remote upgrade worth it?

David Kremer

My remote router is running OK on Merlin 3.80, but I wish some bugs were fixed. For example, automatic reboot hangs and doesn't work. Also, adjusting the bandwidth limiter causes a crash requiring manual reset.

Problem is this is a remote router approximately 3,000 miles away. And now during Corona lockdown, I won't be able to go there soon.

The only way I could upgrade is with a dirty upgrade (I can't do a factory reset after flashing the new firmware). It just has to work, carrying over the old settings.

Is it worth the risk? I could just try it and cross my fingers, but I'm nervous.
 
That’s a big jump, I'd leave it.


 
Don't. You even admitted it sometimes crashed during reboots, so it's even more likely to fail to reboot properly after an update. OpenVPN code also changed a lot since 380.xx, and may fail to restart after the upgrade.
 
For the sake of connectivity, as others have said, don't.

But, what is this network used/useful for? If nothing really important, then it is a great opportunity/learning experience to flash it to john9527's latest 42.E7 firmware. :)

Which model are we talking about here, btw?
 
I'm on the RT-AC88U. I wasn't aware of anything called 42.E7 but it looks like it's for earlier than 380. This is not a mission critical router but it would still really suck to have it go down. To get to it physically, I have to fly 3000 miles and then drive 2 hours one way ;) Nothing worse than this thing going down. There is someone onsite that could help me fix it, but they're non technical. I dread having to walk them through configuring a router from scratch that I can't access myself.
 
Yes, the firmware I suggested isn't even available for your router. Still, a little shocked it's running 380.xxx today. :eek:
 
That is a challenge :) But you are lucky as you have somebody on-site to switch power, so there is a chance :) My proposal is to prepare a detailed guide for the person on-site to do a factory reset and to do a minimal initial configuration from scratch. Then you flash the new FW remotely using the existing OpenVPN server. Then the person on-site performs a power cycle, factory reset and initial configuration. Then comes the part that is most risky from a security point of view. The person on-site should enable WAN access (the administrator account name shall be changed in advance to non-default). This part is very risky, so you should co-ordinate the time to perform it. Then, as fast as possible, you should log in remotely and complete the OpenVPN server configuration. Then disable the WAN access and check if everything is OK. Then, in order to stay on the safe side, you may re-flash the FW again. The whole operation needs careful preparation and having all necessary configuration elements ready in advance on paper and in files. At the end you should carefully inspect all running processes and jffs scripts to verify that no malware was introduced during the short period when WAN access had been enabled.

*** Addition ***

If the service is not critical you may also switch off the router for 1-2 days before the upgrade in order for scanning bots to forget it.
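
The final step of the procedure above (checking the jffs scripts after WAN access was briefly enabled) can be done against a hash baseline instead of by eye. This is an added example, not part of the original post: it assumes user scripts live in /jffs/scripts and that the router's shell provides sha256sum, find, sort and awk; the function names and the baseline path are hypothetical.

```shell
#!/bin/sh
# Added example: hash baseline for the router's user-script directory.
# Assumed defaults: scripts in /jffs/scripts, baseline kept in /tmp.
SCRIPT_DIR="${SCRIPT_DIR:-/jffs/scripts}"
BASELINE="${BASELINE:-/tmp/jffs-baseline.sha256}"

# manifest DIR: print "sha256  ./relative/path" for every regular file.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} \; | sort -k2 )
}

# compare BASELINE_FILE: read the current manifest on stdin and report
# files that were added, changed or removed relative to the baseline.
# sha256sum prints 64 hex digits and two spaces, so the path starts at
# column 67; slicing by column keeps paths that contain spaces intact.
compare() {
    awk -v base="$1" '
        BEGIN {
            while ((getline line < base) > 0)
                old[substr(line, 67)] = substr(line, 1, 64)
        }
        {
            path = substr($0, 67); seen[path] = 1
            if (!(path in old))                       print "ADDED   " path
            else if (old[path] != substr($0, 1, 64)) print "CHANGED " path
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    '
}

# audit BASELINE_FILE DIR: return 0 if DIR matches the baseline,
# otherwise print the sorted findings and return 1.
audit() {
    findings=$(manifest "$2" | compare "$1" | sort)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# "baseline" before WAN access is enabled, "check" after it is disabled.
case "${1:-}" in
    baseline) manifest "$SCRIPT_DIR" > "$BASELINE" ;;
    check)    audit "$BASELINE" "$SCRIPT_DIR" ;;
esac
```

Keep a copy of the baseline off the router, since a file stored on the device being checked is not a trustworthy reference.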
 
It sounds like you think having WAN access enabled is pretty risky. Is that true? I always have WAN access as well as SSH enabled. I also have VPN as well, but I don't need VPN for all tasks, usually WAN or SSH does it. Are there really exploits on 380 to hack through the WAN or SSH?
 
WAN access for web interface is the worst thing you can possibly do!! Turn it off now!! I at least hope it is set to HTTPS only, if it is HTTP then frankly, just wow!

WAN SSH is also a pretty terrible idea, if you must do it, disable password access and use SSH keys only though. Ideally, turn it off now!!

VPN should be the only way ANY router is accessed remotely. Have a search for the many reasons why!


 
In that situation and especially if this is for a business use, I'd buy a new router, configure it at my place then courier it to the remote site, letting someone else do the flying and the driving for a small fee (I'm assuming courier services are still running in your country during the lockdown and they will pick the parcel up at your place).

Overall it's bound to cost you a lot less than doing it yourself plus you'd have a backup router onsite (the RT-AC88U) to use if the main one fails, possibly saving you downtime and a long journey in future. Once the new router is in place you can factory reset and update the RT-AC88U remotely.

For remote access only use the VPN, Internet side HTTP/S and SSH are a vulnerability and best kept turned off.
 
As @JDB says above, the ONLY port open to the external world shall be the port the OpenVPN server listens on. That is a golden security standard!
 
I am pretty careful. WAN is https only of course, I would never use plain http. And ssh is using keys only, I never use passwords. I do think that unless there is a crazy exploit, these methods should be pretty secure. Is there any evidence of exploits for these?
 
This is a really good idea actually. Routers are cheap after all. Thanks for the tip!
 
Just google for AsusWRT vulnerability
There’s a constant trickle of hacks and fixes (by both Asus and Merlin).
I don’t think there are any current ones that need patching, but the point is, a couple times a year they pop up and have to be patched, so why take the risk on the next unknown exploit affecting you?
You already have it set up, VPN takes only 3-4 seconds to click connect, so why would you need WAN HTTPS/SSH?


 
Asus has been fixing plenty of security exploits bypassing the web server authentication over the years, and considering the state of the httpd code, I'm pretty sure more will be found in the future. Just don't open the web server to the WAN. Use a VPN, or an SSH tunnel if you really must (the ssh daemon should be quite secure, just move it to another port than 22 to prevent it from being hammered all the time by connection attempts).

Https gives you zero protection there, all it does is ensure everything is transmitted encrypted.
 
If a new router is being shipped to the remote location and there is a person ready to switch them, I would do the following. For the sake of the scientific 'router' community here. :)

  • Have them switch to the new router and verify that all operations are possible, including remote connection and full access to remote clients as needed/required.
  • After the above is done and verified (reboot the router remotely and via power off a couple of times too, while testing), then the fun can start.
  • Put in the original RT-AC88U and flash it to RMerlin 384.16_0 and see if you can get it to work from the 380.xx firmware it is currently running. :eek:
  • Don't expect it to go smoothly, but you may learn something and be able to pass it on to the rest of us too. :)
Of course, it won't be a 'backup' router anymore if you attempt this. But it could easily be shipped back to you to do it properly too. :)

Just a wild suggestion from one sleepy guy. Please let us know the progress of this, however you may decide to proceed. :)
 
He can connect the RT-AC88U's LAN to the new router's LAN after changing the new router's LAN IP then VNC to a local machine and he should be able to reconfigure the RT-AC88U from scratch after a factory reset. It wouldn't work directly from the VPN as the RT-AC88U wouldn't know the VPN's IP subnet nor have a default gateway towards the LAN.
 
