Release Asuswrt-Merlin 3006.102.4 is now available

Your reply reminded me to check this since I had just swapped routers yesterday, and sure enough, the DNSFILTER chain was incomplete, as originally reported. This was on a cold boot while also waiting for the cable modem to initialize (on Comcast/Xfinity).

I’ve seen other router platforms recommend using loopback IPs for the redirect, but that doesn’t seem to work on our Linux in some quick tests.
I was able to backport the REDIRECT target from iptables 1.4.19. Testing seemed to work properly for me - when setting the router to Cleanbrowsing, resolving an adult site returned the IP for Cleanbrowsing's block page even when having nslookup set to use an open resolver like Cloudflare.
 
Finally got my update to 3006.102.4 done. I did several resets, but something was always sluggish. I decided to wipe both disks and hard reset 3 times in a row. Left all the settings defaulted unless one of the AMTM scripts needed something set. Great throughput with low memory and CPU usage. I tried to leave all the devices on the IOT network without DHCP reservations, but my OCD got the best of me. THAT ended up being the only place I had issues. While the applet says there is a max of 32 entries, I could not get it to accept more than 23! I wonder if where it says 32 it's a typo. lol.

One other strange occurrence - I played around with ssh-copy-id when the system was blank and got a confirmation the pub key was accepted, but it never showed in the GUI. I don't know if it's supposed to because I had never gotten confirmation from other revisions. It would lose the pub key for the client on reboot. I went ahead and finished setting up the router. Later, when I was gathering pub keys from the various devices I use to access the router, I tried to connect from this particular laptop again before I generated a new pub key and it connected! Still, its pub key is not listed in the GUI. One of these days I will search out where that dhcp client file is for that IOT VLAN.

Great work on this revision Merlin!
 
One other strange occurrence - I played around with ssh-copy-id when the system was blank and got a confirmation the pub key was accepted, but it never showed in the GUI. I don't know if it's supposed to because I had never gotten confirmation from other revisions.
You are using a tool designed for a Linux system, not for an embedded device like a router. That tool has no understanding of how settings are stored on your router.
 
The Windows Subsystem for Linux Ubuntu
 
The Windows Subsystem for Linux Ubuntu
ssh-copy-id is a tool designed to deposit the key on a Linux system that keeps public keys in a persistent home directory. That's not the case for a router: keys are stored in nvram, not in ~/.ssh/authorized_keys. There is no persistent home directory.
 
Finally found time to upgrade my router.

GT-AX6000 from 388.8_4 to 3006.102.4, no hard reset after upgrade (no time and willpower to config from scratch...)

So far, so good...
 
So...

After casually browsing through (our) forum, I found this.


Leave the model aside, read the red colored text near the newest firmware description.

"We recommend updating to this firmware version and performing a factory reset to ensure all the latest security enhancements are properly applied."


So it IS advisable to perform a hard reset after the (major) upgrades!
 
So...

After casually browsing through (our) forum, I found this.


Leave the model aside, read the red colored text near the newest firmware description.

"We recommend updating to this firmware version and performing a factory reset to ensure all the latest security enhancements are properly applied."

So it IS advisable to perform a hard reset after the (major) upgrades!
Whilst the recommendation from this forum (and the Merlin wiki) has always been to do a factory reset (not necessarily a hard factory reset) when performing a major update (unless noted otherwise in the release notes), that is not the reason for that Asus statement. Asus issued that statement in response to the most recently disclosed firmware security vulnerability. In that specific case a factory reset is required to remove the vulnerability from an already compromised router. As your average Joe probably lacks the knowledge to determine whether their router has been compromised, suggesting a factory reset is a safe course of action.
 
So it IS advisable to perform a hard reset after the (major) upgrades!
For that specific router, and that specific firmware, yes Asus is recommending one perform a factory reset to ensure all the latest security enhancements are properly applied.
 
I tried to leave all the devices on the IOT network without DHCP reservations, but my OCD got the best of me. THAT ended up being the only place I had issues. While the applet says there is a max of 32 entries, I could not get it to accept more than 23! I wonder if where it says 32 it's a typo. lol.

Great work on this revision Merlin!
I had to back out of the IOT DHCP reservations by a full restore - the GUI would hang and when I rebooted the router it would take 5 minutes for it to come back to my laptop connected by cable and another 5 for the networks to allow network connections, which were way slower. Seems those entries overwrote something, somewhere. It's back to normal thanks to a timely backup using backupmon.
 
I tried to leave all the devices on the IOT network without DHCP reservations, but my OCD got the best of me. THAT ended up being the only place I had issues. While the applet says there is a max of 32 entries, I could not get it to accept more than 23! I wonder if where it says 32 it's a typo. lol.
Not a typo. Rather a likely issue with NVRAM. Per RMerlin in the beta 3006.102.4 thread where the issue came up:
Your entries are probably too large and there's not enough space in nvram to store them all. Nothing I can do about it.
The solution/workaround is not to use the GUI Guest Network Pro's Manually assign IP's around the DHCP list option. Instead use either the dnsmasq-INDEX.conf.add or dnsmasq-sdn.postconf file option mentioned in the 3006 change log to set up manual IP reservations and Host Names for Guest Network Pro Profile clients. One example of how to do so is explained at this link:
https://www.snbforums.com/threads/a...-4-is-now-available.94651/page-26#post-958305
There are other posts discussing this specific issue (GNP IP reservations) that can be found using the forum search feature.
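
One way to generate the reservation lines for the dnsmasq-INDEX.conf.add option mentioned in the post above, rejecting malformed or duplicate entries before dnsmasq reads them (an added example, not code from the thread or from the firmware project). The subnet prefix 192.168.52, the sample records and the function names are constructed; the script relies only on dnsmasq's standard dhcp-host=MAC,IP,hostname syntax, and the INDEX value for a given profile is not shown on this page.

```shell
#!/bin/sh
# Added example: turn "MAC IP HOSTNAME" records into dnsmasq dhcp-host lines.
# All addresses and names below are constructed sample data.

reject() { echo "reject: $1" >&2; rc=1; }

# gen_dhcp_hosts PREFIX : records on stdin, dhcp-host lines on stdout,
# complaints on stderr. Returns 1 if any record was rejected.
gen_dhcp_hosts() {
    prefix=$1 rc=0 seen=" "
    while read -r mac ip name extra; do
        case $mac in ''|'#'*) continue ;; esac          # blank line or comment
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
        printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' ||
            { reject "bad MAC '$mac'"; continue; }
        host=${ip#"$prefix".}                           # last octet if in subnet
        case $host in
            "$ip"|''|*[!0-9]*|????*) reject "$ip not in $prefix.0/24"; continue ;;
        esac
        { [ "$host" -ge 2 ] && [ "$host" -le 254 ]; } ||
            { reject "$ip outside usable range"; continue; }
        printf '%s\n' "$name" |
            grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$' ||
            { reject "bad hostname '$name'"; continue; }
        [ -z "$extra" ] || { reject "trailing text after '$name'"; continue; }
        case $seen in
            *" $mac "*|*" $ip "*) reject "duplicate MAC or IP: $mac $ip"; continue ;;
        esac
        seen="$seen$mac $ip "
        printf 'dhcp-host=%s,%s,%s\n' "$mac" "$ip" "$name"
    done
    return $rc
}

# Constructed records: two valid, three that must be rejected.
sample_records() {
    cat <<'EOF'
# mac               ip             hostname
AA:BB:CC:00:00:01 192.168.52.10 iot-plug
aa:bb:cc:00:00:02 192.168.52.11 iot-cam
aa:bb:cc:00:00:03 192.168.1.50  wrong-subnet
aa:bb:cc:00:00:01 192.168.52.12 dup-mac
aa:bb:cc:00:00:04 192.168.52.13 bad_name
EOF
}

sample_records | gen_dhcp_hosts 192.168.52 ||
    echo "some records were rejected; review before installing" >&2
```

Redirect standard output to a scratch file and review it before copying the lines into the add-on file.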
 
@mmjlmjl - Why are we given the option to connect the iot network to the main network then, see below? Or am I missing your point?

View attachment 65631

Like I said this worked previously so not sure why this would now be subject to needing stricter 'advanced' firewall rules.

n.b. - The use of "vlan_guest" to name my guest network is purely coincidental 😲
Just test it connecting a PC to the IOT wifi and one to the main lan, check if it behaves as you expected.
 
I tried to leave all the devices on the IOT network without DHCP reservations, but my OCD got the best of me. THAT ended up being the only place I had issues. While the applet says there is a max of 32 entries, I could not get it to accept more than 23! I wonder if where it says 32 it's a typo. lol.
Per @bennor's post, that was me and yes, I hit a memory-governed limit well before the stated 32, no typo.

@bennor pointed out his posts on how to do this, my trials (for IPTables-beginners like me) of his and others' excellent suggestions are documented here.
 
Not a typo. Rather a likely issue with NVRAM. Per RMerlin in the beta 3006.102.4 thread where the issue came up:

The solution/workaround is not to use the GUI Guest Network Pro's Manually assign IP's around the DHCP list option. Instead use either the dnsmasq-INDEX.conf.add or dnsmasq-sdn.postconf file option mentioned in the 3006 change log to set up manual IP reservations and Host Names for Guest Network Pro Profile clients. One example of how to do so is explained at this link:
https://www.snbforums.com/threads/a...-4-is-now-available.94651/page-26#post-958305
There are other posts discussing this specific issue (GNP IP reservations) that can be found using the forum search feature.
Worked on first try! Thanks...I can rest easy tonight knowing my isolated network devices have hostnames.
 
Has anyone tried iPhone tether with this revision? I'm in a bit of a quandary. Bad weather in my area has knocked out power somewhere that killed my ISP. I cannot add an AMTM script due to no NTP sync and when I just post the environment variable as true, then it fails because it can't reach GitHub. I tried the embedded dual WAN and the phone PINGS connected but no traffic passes. Any and all ideas would be appreciated.
 
No because I had no idea of the inputs. Let me search the forum and see what's being used.
 
After some hits and misses, I pushed the easy button and rolled back to the last revision I knew supported the iPhone tether. After all, I do have backupmon ;) I'm shocked that after the storm early yesterday afternoon, I just got a text that the company has started to route around the power impacted facilities!

Thanks for the input, Dave14305
 
@RMerlin while not specific only to this release, I noticed that rendering the second half of the System Info page (starting from Memory, Swap, etc.) takes around 20 seconds when there are many connections (22466 / 300000 with 4342 active, specifically).

Would it be possible to optimize this? Perhaps by separating the logic that counts connections from the rest of the rendering, so the main page loads instantly and the connection count updates asynchronously?
 
@RMerlin while not specific only to this release, I noticed that rendering the second half of the System Info page (starting from Memory, Swap, etc.) takes around 20 seconds when there are many connections (22466 / 300000 with 4342 active, specifically).

Would it be possible to optimize this? Perhaps by separating the logic that counts connections from the rest of the rendering, so the main page loads instantly and the connection count updates asynchronously?
Not for me on Waterfox (Firefox based), even with more connections... Takes cca 2-3 sec.
Have you tried on a different browser?
 
