Release Asuswrt-Merlin 3006.102.4 is now available

[bennor]

Stupid question.. but seeing somethings from previous changelogs still being relevant. Do I need to run the command to downgrade before installing this version?

I’ve just got a BE-86u I’m setting up shortly and want to run this version of Merlin?

From the Change Log:
3006.102.3 (11-Jan-2025)
- NOTE: If flashing on top of Asus stock firmware 3006.102_37000
or greater, then you first need to enable downgrade
capabilities before flashing Asuswrt-Merlin on top
of it. Connect Over SSH, and run the following command:

nvram set DOWNGRADE_CHECK_PASS=1

After that, you can upload Asuswrt-Merlin through
the webui like any regular firmware upgrade.

This is only required when flashing Asuswrt-Merlin
for the first time.

 

[Zaka7]

From the Change Log:
3006.102.3 (11-Jan-2025)
- NOTE: If flashing on top of Asus stock firmware 3006.102_37000
or greater, then you first need to enable downgrade
capabilities before flashing Asuswrt-Merlin on top
of it. Connect Over SSH, and run the following command:

nvram set DOWNGRADE_CHECK_PASS=1

After that, you can upload Asuswrt-Merlin through
the webui like any regular firmware upgrade.

This is only required when flashing Asuswrt-Merlin
for the first time.

From the Change Log:
3006.102.3 (11-Jan-2025)
- NOTE: If flashing on top of Asus stock firmware 3006.102_37000
or greater, then you first need to enable downgrade
capabilities before flashing Asuswrt-Merlin on top
of it. Connect Over SSH, and run the following command:

nvram set DOWNGRADE_CHECK_PASS=1

After that, you can upload Asuswrt-Merlin through
the webui like any regular firmware upgrade.

This is only required when flashing Asuswrt-Merlin
for the first time.

I have seen that. The reason I asked is that’s the version before. It’s not mentioned in this changelog. If I loaded a release in say 2-3 more versions, I wouldn’t read back that far.

 

[fotingo]

If you don't provide detailed information about your setup and settings, no one can help you.

EDIT:
If the Bue NVR software is running on a machine in the main network and the cameras are running on the IoT network, which is separated from the main network, the software cannot find the cameras. That's logical, and that's exactly how it should be.

That would make sense. I just didn't have this issue before with YazFi. None of them had access to the Main Network and Blue Iris had no issues.

 

[Seth Harman]

I had to do a factory reset on the router. I use Blue Iris NVR and if I do not provide access to Intranet to the wireless cameras, Blue Iris will not see them. As soon as I give access to Main Network, they immediately pop up in Blue Iris.

I'd suggest giving the Blue Iris machine/appliance a fixed IP on the main LAN and then add a rule to the firewall-start script giving that fixed IP access to the IoT VLAN. Then give each camera a fixed IP in the IoT VLAN and add them to Blue Iris manually by IP. If you give the IoT VLAN access to the main LAN it defeats the purpose of having Guest Network VLANs in the first place, which is security.

 

[bennor]

The reason I asked is that’s the version before. It’s not mentioned in this changelog.

It's part of the entire full change log. It apparently applies to any stock Asus firmware version that is 3006.102_37000 and newer. So if you are on the latest stock 3.0.0.6.102_37841 firmware for the RT-BE86U, then you would issue the indicated command via SSH if you want to flash the Asus-Merlin 3006.102.4 firmware.

 

[Donga120]

Not sure why, but I've had slow internet, pages not responding and airplay lag since updating from beta 3, rebooted twice now, thinking of downgrading as never had these issues just to see...

 

[leonftw]

I don’t see that it ever showed anything besides “Disabled” when in Passthrough mode. I suppose there is nothing to show in that mode.

asuswrt-merlin.ng/release/src/router/httpd/data_arrays.c at 0c35adea7e346e27c9921cf0ae54c87460a625be · RMerl/asuswrt-merlin.ng

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

You're right on this -- sorry for the confusion. Just tested on official Asus firmware. IPv6 passthrough enabled. It too says "Disabled" under "IPv6 System Log." Not sure if this is a bug or by design. Again, IPv6 working as expected.

 

[Analog-1]

Asus firmware. IPv6 passthrough enabled.

Be advised using IPv6 Passthrough mode you will have no Ipv6 firewall it simply passes it through.

 

[leonftw]

Be advised using IPv6 Passthrough mode you will have no Ipv6 firewall it simply passes it through.

Thanks for the reply. This thread has some discussion on this with no clear answer. What would be a good scanner I can use to test?

https://www.snbforums.com/threads/ipv6-passthrough-disadvantages.81668/

 

[fotingo]

I'd suggest giving the Blue Iris machine/appliance a fixed IP on the main LAN and then add a rule to the firewall-start script giving that fixed IP access to the IoT VLAN. Then give each camera a fixed IP in the IoT VLAN and add them to Blue Iris manually by IP. If you give the IoT VLAN access to the main LAN it defeats the purpose of having Guest Network VLANs in the first place, which is security.

The Blue Iris machine has a fixed IP as well as all the wireless cameras. Where can I find the necessary script to accomplish your suggestion?
I'm kind of new at this. I guess I was pampered with the previous version where everything just worked with minimal effort on my end haha.

The main LAN is 192.168.1.1 - sec Cams are on 192.168.53.1.
I really appreciate the help.

Thank you.

 

[bennor]

Where can I find the necessary script to accomplish your suggestion?

A link to a post explaining in general terms how to setup a firewall-start script file to pass traffic from Guest Network Pro to a specific IP address on the main LAN was posted in reply to one of your earlier posts one page back (post #162). Here is that link again:
https://www.snbforums.com/threads/t...st-network-pro-limitations.94438/#post-952345

#!/bin/sh
iptables -I FORWARD -i br53 -s 192.168.53.0/24 -d 192.168.1.10 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.10 -d 192.168.53.0/24 -j ACCEPT

Replace the IP address 192.168.1.10 with the IP address of the Blue Iris device on your main LAN. This example script when adjusted for your use should allow the Guest Network Pro (br53) clients to access the specific IP address you input in place of 192.168.1.10 in the code example, and allow that specific IP address to access the Guest Network Pro (br53) clients. Make sure the Blue Iris device has a fixed (manually reserved or static) IP address.

Follow the basic steps in the provided link to create the firewall-start file, add the scripting, set its permissions, and trigger a firewall restart so what ever script you create loads. Then try it out.

 

[fotingo]

Thank you Bennor. I had tried disabling internet access altogether to those in the meantime, but I see they stop working altogether. Why would they won't work inside the LAN when internet is disabled? Shouldn't they be still accessible within the LAN as long as they are connected to wifi?

 

[Aiadi]

Not sure why, but I've had slow internet, pages not responding and airplay lag since updating from beta 3, rebooted twice now, thinking of downgrading as never had these issues just to see...

I have experienced the exact same issue with the final stable release on my RT-BE88U. Had to perform a hard reset for things to start working again and not sure whether it is a dent in my confidence but things just don't feel as smooth as they were on last beta. I have also removed USB drive and all third party scripts and turned dual wan fail over off and will monitor. Something doesn't feel right but difficult to put my finger on it.

 

[bennor]

Thank you Bennor. I had tried disabling internet access altogether to those in the meantime, but I see they stop working altogether. Why would they won't work inside the LAN when internet is disabled? Shouldn't they be still accessible within the LAN as long as they are connected to wifi?

I'm not sure which devices you are referring to, nor have I seen you explained specifically how you are disabling internet access to what ever the devices are you are referring to.

Some IoT devices require internet access in order to work. Some IoT devices only require internet access for the initial setup. Some IoT devices are actually accessed (even from your local LAN) entirely through the internet. It all depends on the IoT device and it's needs. Some devices will fail to operate properly if they cannot "phone home".

 

[fotingo]

So far, it's the TAPO C-110 & TAPO C-120. Reolink Doorbell 5MP. If there is no Internet access, they don't work at all.
I disable internet access via Parental Controls.

So all this means that YazFi wasn't really working as it should?
I ask because none of the issues I am encountering with this version were in the previous one. All devices had no internet access and no intranet access either, yet they worked perfectly fine with Blue Iris.

 

[madre]

A link to a post explaining in general terms how to setup a firewall-start script file to pass traffic from Guest Network Pro to a specific IP address on the main LAN was posted in reply to one of your earlier posts one page back (post #162). Here is that link again:
https://www.snbforums.com/threads/t...st-network-pro-limitations.94438/#post-952345

#!/bin/sh
iptables -I FORWARD -i br53 -s 192.168.53.0/24 -d 192.168.1.10 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.10 -d 192.168.53.0/24 -j ACCEPT

Replace the IP address 192.168.1.10 with the IP address of the Blue Iris device on your main LAN. This example script when adjusted for your use should allow the Guest Network Pro (br53) clients to access the specific IP address you input in place of 192.168.1.10 in the code example, and allow that specific IP address to access the Guest Network Pro (br53) clients. Make sure the Blue Iris device has a fixed (manually reserved or static) IP address.

Follow the basic steps in the provided link to create the firewall-start file, add the scripting, set its permissions, and trigger a firewall restart so what ever script you create loads. Then try it out.

I have tried to do that same thing on a GT-AXE16000 with Merlin firmware 3006.102.4 with no results.
The strange thing is that when I run the iptables -nL | grep command it shows the correct entries in the firewall's IPTables list but I can't connect a VLAN from the guest network to the main network VLAN.
I don't know if this is a firmware bug or a issue with this model of router.

 

[jebnz]

I might have found a bug, could be wrong but using DNS Director and unticking an entry seems to work but the GUI still shows the entry as enabled.

Sorry if someone else has mentioned this in the thread already.

EDIT: VPN Director not DNS Director.

 

[dave14305]

I might have found a bug, could be wrong but using DNS Director and unticking an entry seems to work but the GUI still shows the entry as enabled.

Can you post a screenshot? To me, “unticking” suggests a checkbox, but there aren’t any checkboxes in DNS Director.

 

[jebnz]

Can you post a screenshot? To me, “unticking” suggests a checkbox, but there aren’t any checkboxes in DNS Director.

Sorry, I meant VPN Director.

 

[dom2114]

Chiming in on several recent posts here.
I too have been experiencing slowness in loading web pages. I have performed a complete factory reset and am able to replicate the issue. In my case, I think it is related to the VPN director.

I have a Client VPN connection to Private Internet Access, with a single IP address being directed through it. (I have had this setup working flawlessly for years on my old RT-AC86u, and upgraded to the BE-86u a week ago). When the VPN is enabled, loading web pages on all devices is noticeably slower (sometimes 5 seconds before anything happens) - note: 'Accept DNS Configuration' is set to Strict. As soon as I disable the VPN connection, web page load times on the same devices immediately return to normal. If I also set Accept DNS Configuration to Disabled, the slowness also disappears.

I have confirmed that devices not being routed via the VPN correctly show my home WAN IP address. However, it feels like perhaps all DNS traffic might be being routed through the VPN (I am not skilled enough to say definitively). Appreciate any suggestions anyone may have to get 'Strict' DNS working while not causing a reduction in page load times for all devices.