Release Asuswrt-Merlin 3006.102.4 is now available

[dssboss]

If it were a problem, then Asuswrt-Merlin would simply be rejected by the flash procedure, and you would be back to the original firmware after the router is done rebooting. If you do see the Asuswrt-Merlin logo and the correct version at the top of the webui then all is fine.

I setup my old router RT-AX86u router as a media bridge running latest merlin firmware and it seems to be losing connection every day and needs to be reset. I re-flashed it back to stock Asus latest firmware to see how it behaves in media bridge mode. What firmware is best to use on media bridge devices?? stock or merlin. Please explain. Thx

 

[Ripshod]

I setup my old router RT-AX86u router as a media bridge running latest merlin firmware and it seems to be losing connection every day and needs to be reset. I re-flashed it back to stock Asus latest firmware to see how it behaves in media bridge mode. What firmware is best to use on media bridge devices?? stock or merlin. Please explain. Thx

If you do have the non-pro router you're posting in the wrong thread. This thread is about the 3006 firmware that's not compatible with your router.

 

[fotingo]

I was able to connect all my wireless security cameras and IoTs, but If I disable internet access I can no longer control the IOTs from my iPhone. I have tried using firewall scripts to allow communication between the IoT network and my iPhone but it’s not working. I have to allow Internet access…is there anything else I can try?

 

[Seth Harman]

I was able to connect all my wireless security cameras and IoTs, but If I disable internet access I can no longer control the IOTs from my iPhone. I have tried using firewall scripts to allow communication between the IoT network and my iPhone but it’s not working. I have to allow Internet access…is there anything else I can try?

It's because security camera mobile apps (and IoT device apps in many cases) almost universally use cloud connectivity to allow you to remotely connect to the associated devices, if you turn off Internet connectivity for the VLAN they're a part of there's no way for the mobile app to talk to them.

 

[bennor]

I was able to connect all my wireless security cameras and IoTs, but If I disable internet access I can no longer control the IOTs from my iPhone. I have tried using firewall scripts to allow communication between the IoT network and my iPhone but it’s not working. I have to allow Internet access…is there anything else I can try?

As indicated in reply to one of your prior posts...
"Some IoT devices require internet access in order to work."
Quite often the mobile apps that control the IoT device do so through the internet. Every single one of my IoT devices (cameras, plugs, bulbs) requires internet access, its how they are controlled from the mobile app or by Alexa devices.

 

[fotingo]

@bennor Thanks for that. At least I know that's normal. Last thing is, I know now that the Asus app does not work with Merlin, but how come it was working fine on the previous version?
I have 3 Asus routers and had Merlin all these years and all of them worked fine with the Asus app. This is why I had not idea the app was no compatible with Merlin.. I realized this after I updated to v3006.

 

[inakaya]

If by Synology you mean a Synology NAS you may need to double check the NAS settings to ensure it allows access from different IP address subnets. For example with Synology NAS DSM, check that Enable Multiple Gateways is enabled under DSM Control Panel > Network > General > Advanced Settings. One may also need to configure the NAS firewall to allow alternate IP address subnets if one has locked down the NAS firewall. PS: If using Synology Surveillance Station, not sure if anything needs to be adjusted or set there to deal with devices in different IP address subnets (or VLAN's).

@bennor - thank-you! You are a superstar! Enabled Multple Gateways on my Synology NAS and it's worked (haven't used the NAS firewall yet....).

Synology NAS Surveillance Station client now allowed to connect to my frondoor camera and it looks like the NAS is also recording the footage as am able to scroll back and its bookmarking points of note.

 

[Zaka7]

Use Terminal.app on your Mac. It's in the Utilities folder.

Thanks. Have used that before. Just didn’t realise I could use it for my router too. Will look into how to set it all up and use it but think I have all the answers here. Cheers all. Great stuff.

 

[Greg2053]

A suggestion. Provide information about how you have configure your router including the DNS Director settings if you have enabled that feature, and any addon scripts you may be using. Without any information on how you have configured your router one generally cannot provide any suggestions to your question or issue with the firmware.

Basically - a very simple system, with a few security settings tweaked for improved security. And with an Ethernet VLAN added to ring fence my Amazon Fire-Stick from my Main Network.
As I stated above I have set DNS Director to OFF.

3 Clients:-
Desktop on Ethernet on Main Network.
Mobile Phone on Wi Fi on Main Network.
Amazon Fire Stick on Ethernet with separate VLAN.
There is also a separate WiFi IoT Network, which I have set to have no connection to the Main Network.
I'm not currently using that IoT Network, but found that to set up the Wired VLAN it was also added...

I'm NOT using any of the following:-
AI Protection - since I don't want Trend Micro on my system.
Parental Controls - since I have no kids
Adaptive QoS - since my system is so simple it would be overkill
Game Features
Open NAT
Any of the USB applications
AI Cloud
And I'm most certainly NOT using Amazon Alexa!!

In LAN:-
I'm using the DHCP server
DNS is set to both Cloudflare servers 1.1.1.1 and 1.0.0.1
DNS Director is set to OFF, since I found that it did not work with the Quad9 or Cloudflare DNS settings I was using.
(I had tried Quad9, but found that for some reason it was SLOW, while Cloudflare is very snappy.)

In WAN:-
Automatic IP - set
UPnP - DISABLED
Once again DNS servers set here to both Cloudflare servers.
DNS Privacy Protocol - DNS over TLS (DoT)
With Strict DoT profile
My ISP uses VLANs for WAN connection, so those ISP settings are made here.

IPV6:- Currently not using

VPN:- I have a VPN, which I can use on all my clients, so I'm not using the hard coded VPN on the Router. Some sites I require do not work with VPNs, so having the Router VPN doesn't make sense.

Firewall:-
Enabled.
DoS Protection - Enabled
ICMP Echo - Disabled
No rules currently set

Administration:-
Authentication - HTTPS
Remote Access - DENIED

Basically - a very simple system, with a few security settings tweaked for improved security. And with an Ethernet VLAN added to ring fence my Amazon Fire-Stick from my Main Network.

- - -
The system is simple, and was fully working on the previous firmware, which is why I find it puzzling that SOME sites I need to visit regularly do not work on the new RT-BE86U_3006_102.4_0 firmware, which is supposed to sort out problems with DNS Director. Meanwhile other sites worked fine.
The message I got after waiting for the sites to load, was that a secure connection could not be established on those sites...

Clearly I can't upgrade to the new firmware till I can sort out the connection issue here.
Any help gratefully received Greg

 

[dave14305]

@RMerlin I encountered an issue with DNS Director IPv6 today after rebooting the router after a factory reset and reconfigure. The DNSFILTER chain for ip6tables did not include the default DNAT statement, and I assume it was due to a race condition with the population of the router's IPv6 address on startup. This was the state of the generated rules:

# cat nat_rules_ipv6.dnsfilter
*nat
:DNSFILTER - [0:0]
-A PREROUTING -i br+ -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -i br+ -p tcp -m tcp --dport 53 -j DNSFILTER
-A DNSFILTER -m mac --mac-source 4C:03:xx:xx:xx:xx -j RETURN
COMMIT

I restarted dnsfilter and it came back as expected:

# service restart_dnsfilter
# cat nat_rules_ipv6.dnsfilter
*nat
:DNSFILTER - [0:0]
-A PREROUTING -i br+ -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -i br+ -p tcp -m tcp --dport 53 -j DNSFILTER
-A DNSFILTER -m mac --mac-source 4C:03:xx:xx:xx:xx -j RETURN
-A DNSFILTER -j DNAT --to-destination [2601:dead:beef:cafe::1]
COMMIT

And I assume this is because nvram variable ipv6_rtr_addr was still empty when dnsfilter last "started". So this could be an argument to use the REDIRECT target for IPv6 as well, or include another restart of dnsfilter when IPv6 is bound.

 

[bennor]

Last thing is, I know now that the Asus app does not work with Merlin, but how come it was working fine on the previous version?

No one (I think) has said the Asus app wouldn't work, just that RMerlin (the developer of Asus-Merlin) has indicated his firmware doesn't officially support the Asus mobile app. There are certain features and options in the Asus-Merlin firmware not found in the stock Asus firmware. As such the Asus mobile app cannot control/access certain Asus-Merlin specific features. Some past RMerlin commentary on the Asus app:

There are a number of features that aren't compatible. Anything related to VPN for starter.

Also the app's Ad Blocking feature might possibly have issues, as I don't know if Asus kept the DNSDirector implementation intact, or if they changed its behaviour.

Configure it through the webui. The mobile app is not supported.

 

[Natty]

I noticed that router's roaming assitant didn't disconnect my phone when moving out of signal range. Enabled (by default, unchanged) to disconnect when 2.4GHz RSSI falls below -70dBm, but the phone is still connected at -83dBm. Meanwhile, much better 5GHz and 2.4GHz networks are available from my AP but phone won't connect to the AP until I open its Wi-Fi menu. Shouldn't the roaming assistant automatically kick the phone off at -70dBm?

 

[bennor]

@bennor - thank-you! You are a superstar! Enabled Multple Gateways on my Synology NAS and it's worked (haven't used the NAS firewall yet....).

Synology NAS Surveillance Station client now allowed to connect to my frondoor camera and it looks like the NAS is also recording the footage as am able to scroll back and its bookmarking points of note.

You're welcome. The NAS firewall and other NAS settings are often overlooked and the default assumption is the problem lies with the router and it's configuration.

 

[Analog-1]

I noticed that router's roaming assitant didn't disconnect my phone when moving out of signal range.

Roaming is 99% controlled by the client not the router.

 

[Natty]

Roaming is 99% controlled by the client not the router.

Then the router isn't doing its 1% - roaming assistant not assisting

 

[bennor]

In WAN:-
DNS Privacy Protocol - DNS over TLS (DoT)
With Strict DoT profile

You have enabled DNS Privacy Protocol. As a troubleshooting step (if you haven't tried it already), what happens if you set it back to the default setting of None?

 

[Analog-1]

Then the router isn't doing its 1% - roaming assistant not assisting

Maybe it's trying but your client will not listen.

 

[Natty]

Hmm... reading here https://www.snbforums.com/threads/is-roaming-assistant-a-myth.60660/ it sounds like never worked well, and @RMerlin says it is outside of his control. But I do not understand why Android 15 would hold on to a crappy Wi-Fi signal from the router miles away when it has the credentials to connect to a much better faster signal from an AP 4m away. The router is AX but the AP is AC. Could that be the reason? Badly programmed client firmware?

EDIT: after further research (other threads on this forum) I believe the feature is working correctly. I had misunderstood how roaming assistant works. It is up to the client if it takes the advice from the router to disconnect and look for a better connection. My choices at this point are either ignore/accept and live with it as-is, or turn the roaming assistant off.

 

[fotingo]

@bennor This router (AX88u-Pro) won't even come up as an option to login in the Asus app anymore. I can only see the older Asus Router AC68P I am using as an AP that also has Merlin on it.

 

[bennor]

@bennor This router (AX88u-Pro) won't even come up as an option to login in the Asus app anymore. I can only see the older Asus Router AC68P I am using as an AP that also has Merlin on it.

Make sure you are on the main LAN of the router (not on a Guest Network Pro network). App, on an Android device connected to the main LAN of a RT-AX86U Pro running 3006.102.4, see's the RT-AX86U Pro as indicated in the attached images. PS: I don't have AiMesh nodes nor any AP's active at the moment.