[384.16_Alpha Builds] Testing all variants

[Torson]

Hi,

Here is my brief experience and empirical observations with a brand new RT-AX56U:
- ran an @L&LD factory defaults reset followed by the installation of 384.16 Alpha 2 which just came out at that time
- did two reboots spaced at about 10-15 minutes
- ran it a day with a very basic configuration only - all good. I'm on a 100/10 Mbps cable connection - speed was just a bit higher than the providers specs. All 2.4GHz and 5GHz devices connected well and the ones running AX200 reached 1201 Mbps as specified up to around 9 feet from the router.
- amtm was already there so I installed Diversion ran it for half a day and then Skynet for half day. No (or negligible) difference in speed connectivity etc. I use a 16GB USB3 drive for Entware and apps. That one is connected to the USB3 port. I added to the USB2 port another stick with some additional scripts of mine. NOTE - the second USB drive did not auto mount. After reboot it still did not show up in the GUI. However, I manually mounted it and transferred some files between the 2 drives. So it's functional if manually mounted but eve so did not show up in the GUI.
- enabled then AiProtection - dcd Tainted messages started to show up quite frequently in the log - no impact on performance (just like the old RT-AC86U)
- I then configured 1 OpenVPN server and the IPSec VPN server - connectivity alright, good performance
- added a RT-AC66U_B1 as an AiMesh node. I have an IP phone, Raspberry PI3+, a TV and so on that connected to the node. Nothing of concern in the logs. All working well.
- installed then @Xentrk's selective routing - I use 4 OpenVPN clients with IP shell scripts. After installing the first client pointing to a server in the same geography as the WAN IP the download speed dropped to 52Mbps. It worked well for the apps I tested . The other clients then show a speed in the 32-45Mbps.
- enabling Adaptive QoS with automatic setting added a 20% overhead...
- nothing unusual (or not previously mentioned) in the log
- during the 5 days use the 4th CPU core showed very little - if any - "joie de vivre". It was quite lethargic in other words even when the other 3 cores had high usage.

Looks like a very good entry level router. Merlin &Co thank you for adding this one to the supported list and all the work around that....

 

[Deleted member 22229]

Possible issue AX58U. Using DNS over TLS but using the cloud flare testing site it says i failed and my DNS can be seen. Any ideas why ?

 

[dave14305]

Possible issue AX58U. Using DNS over TLS but using the cloud flare testing site it says i failed and my DNS can be seen. Any ideas why ?

Cloudflare tests have been unreliable when DNSSEC is also enabled. Which specific test site? What other DNS settings do you have enabled?

Try this DNS checkup tool (Check My DNS): https://cmdns.dev.dns-oarc.net/

EDIT: it doesn't validate DoT, but a good checkup anyway.

 

[Deleted member 22229]

Cloudflare tests have been unreliable when DNSSEC is also enabled.

Using TLS with DNSSec enabled and strict. Cloud flare for both v4 & V6. That link you posted gave me a C what ever that means.

 

[dave14305]

Using TLS with DNSSec enabled and strict. Cloud flare for both v4 & V6. That link you posted gave me a C what ever that means.

So you're probably fine. The best test is to run tcpdump (from Entware) on the router and observe the encrypted traffic out the WAN interface on port 853:

tcpdump -i $(nvram get wan0_ifname) -n port 853

Then confirm little or no old-school port 53 traffic (except for router's own queries):

tcpdump -i $(nvram get wan0_ifname) -n port 53

 

[Deleted member 22229]

So you're probably fine. The best test is to run tcpdump (from Entware) on the router and observe the encrypted traffic out the WAN interface on port 853:

Thanks. Can't do any of that tonight as the internet will be in constant use. I thank you for your reply's.

 

[bbunge]

I never had any problems mixing DNS providers and in theory it shouldn't really matter, or does it? So could you please explain why that is your feeling?

I'll be switching to Unbound in the near future anyway, as I've said, as it was developed by some of my former colleagues, but I'm interested in hearing your reasons.

Using one DNS provider may be more a matter of preference than performance. I have no hard testing data to back up my claim. I was one of the initial Stubby on Asus testers and have banged away on many of the settings and their variations. While I, still, do not feel comfortable with the way the Merlin adaption handles the loop back to stubby, it works. I also do not feel the round robin upstream, which rotates through the cited DNS servers, enhances performance. In your case you are rotating through DNS providers that filter queries (Quad9) and those that don't (Cloudflare). My choice of Quad9 is to try to filter out the malicious sites. Yes, I could use another filtering DNS provider but Quad9 has kept my home network and the couple not for profits I manage safe. I also use AIProtection. I do not use an add blocker as I feel this small annoyance does no harm and provides a small revenue source to the web sites I visit. This is my choice and is not wrong although I bet I will be flamed for it.
I am on my third Asus router. Sometime in the future I will likely go to an AX or whatever comes up in the future. For now I will stick with the AC86U that provides wonderful coverage for my small home!

 

[JWoo]

Possible issue AX58U. Using DNS over TLS but using the cloud flare testing site it says i failed and my DNS can be seen. Any ideas why ?

Many possible reasons, some ideas for you:
1) You have multiple DNS over TLS providers selected in WAN settings in addition to Cloudfare
2) The Cloudfare site does periodically report incorrect results
3) Use https://www.dnsleaktest.com/ to verify which DNS servers are being used by your router
4) Make sure your browser is not also selecting a DNS server as a number of browsers support this directly (including DNS over HTTPS)
5) Is DNSSEC on in WAN settings as it is reported that the Cloudfare site https://cloudflare-dns.com/help/ does not work if DNSSEC is on
6) Check the stubby log file for clues

 

[Deleted member 22229]

The site you posted indeed confirms Cloud Flare as my DNS server. No i do not have multiple servers selected just cloud flare. Browser is the latest Edge but Chrome has the same results. I am not sure there is a issue other then Cloud flare site said DNS/TLS failed.

 

[Frankflash]

I got a C on that site as well it failed DNS features Qname Minimisation and EDNS etc

 

[JWoo]

I am using Cloudfare and Quad9. I am getting a pass result with https://cloudflare-dns.com/help/ But, I have had times where I have had fail results for a period of time on that site. Cloudfare has a ton of servers so it could be related to your server location. I am not sure where the Stubby logs are on Asus Merlin but it is also worthwhile to check the Stubby logs. My setup is Strict mode, with Cloudfare and Quad9 selected. DNSSEC is NO.

 

[Gar]

Cloudflare tests have been unreliable when DNSSEC is also enabled. Which specific test site? What other DNS settings do you have enabled?

Try this DNS checkup tool (Check My DNS): https://cmdns.dev.dns-oarc.net/

EDIT: it doesn't validate DoT, but a good checkup anyway.

With 9.9.9.9 I get a B, with 9.9.9.11 C, CIRA (all 3 IPv4) C, 1.1.1.1 C. Ran each 3 times.

EDIT: No DoT if it matters

 

[Deleted member 22229]

With 9.9.9.9 I get a B, with 9.9.9.11 C, CIRA (all 3 IPv4) C. Ran each 3 times.

Interesting thanks for posting.

 

[digits n bits]

I’m using NextDNS and I just got an A on the test

 

[Frankflash]

because Next DNS has not left any thing out it looks like some things have been left out and need to be added in to firmware !!!

 

[digits n bits]

I can’t figure out what you’re referring to.

 

[Frankflash]

because next DNS has not left any thing out like Qname Minimization and EDNS

 

[RMerlin]

because next DNS has not left any thing out like Qname Minimization and EDNS

Those are server features, they have nothing to do with the firmware.

And those have also nothing to do with this alpha build thread...

 

[Rik Stigter]

Using one DNS provider may be more a matter of preference than performance. I have no hard testing data to back up my claim. I was one of the initial Stubby on Asus testers and have banged away on many of the settings and their variations. While I, still, do not feel comfortable with the way the Merlin adaption handles the loop back to stubby, it works. I also do not feel the round robin upstream, which rotates through the cited DNS servers, enhances performance. In your case you are rotating through DNS providers that filter queries (Quad9) and those that don't (Cloudflare). My choice of Quad9 is to try to filter out the malicious sites. Yes, I could use another filtering DNS provider but Quad9 has kept my home network and the couple not for profits I manage safe. I also use AIProtection. I do not use an add blocker as I feel this small annoyance does no harm and provides a small revenue source to the web sites I visit. This is my choice and is not wrong although I bet I will be flamed for it.
I am on my third Asus router. Sometime in the future I will likely go to an AX or whatever comes up in the future. For now I will stick with the AC86U that provides wonderful coverage for my small home!

Ah, OK!
Spurned by your words I reconfigured. First using Cloudflare, but that somehow (a problem I already described in https://www.snbforums.com/threads/weird-google-problem.61756/ but fortunately this 'what DoT servers do you use' gives us more information on that subject as well) interfered with reading news.google.nl. I now use Quad9 (times two for (more) redundancy) and that turns out to be OK.

One more question: since you are using Quad9 do you implement Skynet or do you feel that Quad9's filtering is sufficient (perhaps in combination with AIProtection)? Just curious!

But I'm digressing a bit now. I'm pretty happy with the current setup. Next (perhaps tomorrow) I'm going to do the same all over again on my AX88. Maybe I'll start that one with UnBound (perhaps with ad-blocking enabled) in stead of Diversion/DoT, just for testing purposes (or the fun of testing anyway; it tends to be addicting).


PS. Kudos to Coolblue (a Dutch webshop). They gave me back my money for my RMA'd AC86, with (quite a lot of) change too spare! For a > 2 years old router that is very good service, if you ask me.

 

[Treadler]

because next DNS has not left any thing out like Qname Minimization and EDNS

Unbound.