Asuswrt-Merlin 374.39 is out

[dancemonkey]

Of course I clicked on the links Google came up with.
Everything shows up when "Norton Children" is active.
Including the website above.

When I set "Yandex Family" I get the funny Russian site, when I click on the Google porn links.

When I change filter settings on the router, I do a ipconfig /flushdns on my test client. (Windows 7 laptop.)
I also close and open my browser again to make sure I don't see my browser caching.

To me it seems only Yandex is working properly.
Using "Norton Children" gives a false sense of security.

I agree. But Open DNS is very good. Get yourself a free account then use dnsomatic to update it. Very configurable.

 

[Builder71]

I agree. But Open DNS is very good. Get yourself a free account then use dnsomatic to update it. Very configurable.

I'll take a look into that, thx.
I want my router default to use my ISP DNS. For fastest name resolving.
I'll try OpenDNS filter mode for my kids devices.

 

[wsarahan]

it's better to flash merlin's fw then do a factory reset . settings are easy to configure

So i should update to merlin's one and after is complete just make a hadware reset in the router's back button right? This is the right think to do?

The bad thing is that i'll miss all my configs and port fowards...

Thanks again guys

 

[Builder71]

I have an interesting DNS issue after upgrading to .39 from .35.4. My ddns hostname no longer resolves inside my network

I'll use myk.net in place of my actual domain for the examples below:

my DDNS is home.myk.net
my DHCP domain is home.myk.net, so internal network machines show up as laptop.home.myk.net, etc

I access my webcam with http://home.myk.net which previously worked inside and outside the network, but no longer does inside (still works fine outside)

any way to get this to start resolving again without either changing my dhcp domain or losing the ability to resolve internal hostnames (by forwarding ALL local domain names)

thanks

Not sure if related but if you use Parental control, you should leave the "Global Filter Mode" setting on "No filtering".

 

[jsmiddleton4]

"The only thing I can suggest is go to your iPhone settings:

Setting>general>reset>reset network settings

Then on your router, test it by changing to a plain jane password like.....abc1234defg"

Thanks, done all that.

Have an E3000 with Toastman's firmware on it as a slave AP. Have tried turning it completely off and getting anything it might be impacting out of the picture.

All with no positive impact.

While I'm not using WPA with 732.31, WPA2 only, it as a choice is not in my choices with this .39, nor with any version starting with 734.

My family, ie clients, won't let me mess with the firmware too much because 732.31 works so well. They get annoyed when I break things by playing. I'll hear a scream from the back of the house, "Hey, are messing with the router because my iPhone just lost connection and I do not want to use my data plan...." if I mess with it too much.

 

[bmn1]

I'll take a look into that, thx.
I want my router default to use my ISP DNS. For fastest name resolving.
I'll try OpenDNS filter mode for my kids devices.

Be careful before you assume that your ISP has the fastest name resolution. In my case it is not. You may have to go through several hops before you get to your ISP's DNS server or their server may just be slow in comparison to OpenDNS or even my favorite Google DNS. Google DNS is actually ten times faster than my ISP. Check this out and you can benchmark not only your ISP's but many other DNS servers to see which is the fastest.

https://www.grc.com/dns/Benchmark.htm

 

[Briant73]

Just wondering what is the best way to update to a new firmware and do a factory reset to make sure the device took new firmware and any drivers?

I just want to make sure I am doing it the best way.

 

[jim769]

Is jffs enabled by default in this new build? Just asking because the first time I flashed it it was enabled by default the second time I flashed it due to issues it was not enabled by default. Not a big concern just curious.

 

[RMerlin]

It is the case the newer versions including this .39 one have fewer choices for security as compared to 732.31 so something is different in the code. Here's my choices in 732.31.

The only option I see missing in this list is WEP, and that's because WEP is not compatible with 802.11n. You need to set wireless mode to "Legacy" for WEP to become available now. This is simply something Asus clarified with the GUI to avoid people setting their router to WEP and then complaining at their router not going over 54 Mbps.

 

[Myk]

Not sure if related but if you use Parental control, you should leave the "Global Filter Mode" setting on "No filtering".

No parental control enabled

 

[RMerlin]

Another great firmware - thanks Merlin.

I'm interested in setting up the DNS filtering under parental controls per device. Are you required to sign up at all to any of the three services offered or are they good to go as soon as you turn them on via the router?

No need to register for any of the three supported services. Just be aware that the Norton service has a disclaimer about their service only being available for home usage.

 

[RMerlin]

Well, Norton does *not* block "redtube.com" while Yandex family does.
So the term "properly" is somewhat in the eye of the beholder.

It works. Now, if the particular site you want blocked isn't blocked, then it's just that this specific site isn't in Norton's blacklist. The implementation in the router is working correctly.

FWiW, as it seems, any change to a client specific setting in the DNS Filter will only apply *after* the clients reconnects (will be (re-)issued the IP).
Does this actually mean this does just change the DNS entry/config submitted
via the DHCP request/grant to the client?

No. The filtering is done by the router's firewall, so your client definitely cannot work around it unless they were to change their MAC address. You could even have your client set to a static DNS, and the router would still intercept that request, and redirect it to the filtering server.

The only reason why a setting wouldn't "apply" is because your device already had the original IP in its own local cache. DHCP is not involved in any way with this implementation.

Also, I do not see any port-forwarding rules for this client in the router.
IMHO, a 12-year old will simply work around that kind of client-side-only "restriction" in sub-second

Port forwards are only for inbound connections - a DNS query is an outbound connection. I'm not using a port forward, I'm redirecting the destination IP in iptables's PREROUTING chain.

 

[HawkInOz]

Important: DNSFilter forces select clients to bypass dnsmasq, and connect directly to the specified DNS server. While this means it will be impossible for clients to manually bypass this (the redirection is done at the firewall level), it also means that clients going through one of these special nameservers will NOT be able to resolve local hostnames, since they will be bypassing the router's own internal DNS. This is the price to pay for filtering to be enforced.

I'm currently using Mobile Net Switch to customize, among many other things, entries in my local HOSTS file based on my location (like the IP addresses I specify for *all* my known devices on my local home network). Given that name resolution of all these local networked devices can be resolved via the HOSTS file (which is referenced *before* DNS), utilizing DNSFilter with this computer should have no adverse affects as described in the first post in this thread - correct?

 

[RMerlin]

Of course I clicked on the links Google came up with.
Everything shows up when "Norton Children" is active.
Including the website above.

I don't know how your computer is managing to display it, because it's definitely blocked here:

 

[RMerlin]

Well, Norton does *not* block "redtube.com" while Yandex family does.

No idea what's going on then. This is also working fine for me.

All I can think is that perhaps Norton's service might not work in certain countries. The implementation in the router is definitely working as intended, as you can see in this screenshot.

 

[RMerlin]

Be careful before you assume that your ISP has the fastest name resolution. In my case it is not. You may have to go through several hops before you get to your ISP's DNS server or their server may just be slow in comparison to OpenDNS or even my favorite Google DNS. Google DNS is actually ten times faster than my ISP. Check this out and you can benchmark not only your ISP's but many other DNS servers to see which is the fastest.

https://www.grc.com/dns/Benchmark.htm

I wish that infamous benchmark page would die already. Sigh.

The time to resolve a lookup is meaningless when we're talking about milliseconds. What matters is that the DNS must return the IP of the cloest server when requesting for an hostname that uses a Contend Distribution Network (CDN). If you use your ISP's DNS, connecting to Youtube will connect you to a server that is close to you, for optimal streaming performance. Using OpenDNS, you might get the reply 10ms faster, and connect to a Youtube server on the other end of the continent, causing buffering issues while streaming.

So you can either connect 10ms faster to Youtube and suffer from frequent buffering issues, or spend 10ms more on the very first DNS lookup (which will get cached locally afterward anyway), and get perfect streaming.

THAT, is what really matters with the choice of a DNS. And GRC's benchmark completely ignores this.

 

[RMerlin]

Is jffs enabled by default in this new build? Just asking because the first time I flashed it it was enabled by default the second time I flashed it due to issues it was not enabled by default. Not a big concern just curious.

Yes, it should be enabled by default now. Note that this will only show up if you do a factory default reset - if you had it disabled, then flashing a new firmware won't enable it automatically.

 

[RMerlin]

I'm currently using Mobile Net Switch to customize, among many other things, entries in my local HOSTS file based on my location (like the IP addresses I specify for *all* my known devices on my local home network). Given that name resolution of all these local networked devices can be resolved via the HOSTS file (which is referenced *before* DNS), utilizing DNSFilter with this computer should have no adverse affects as described in the first post in this thread - correct?

The host file is accessed by dnsmasq for those local resolutions. DNSFiltering totally bypasses dnsmasq, so entries located in hosts won't resolve either.

 

[jim769]

Yes, it should be enabled by default now. Note that this will only show up if you do a factory default reset - if you had it disabled, then flashing a new firmware won't enable it automatically.

Thank you Merlin that is indeed the case.

 

[LoneWolf]

Hopefully I'm not asking a question that's been beat to death (new job, been living under a rock), but was the .39 release pulled for the RT-AC66?

I see it for download for the RT-AC68, and the RT-N56, but the AC66 listed build is still on 38.2.