Asuswrt-Merlin 376.48 Beta 2 is out

[RMerlin]

Howdy folks,

Asuswrt-merlin 376.48 Beta 3 is now available for download. Thanks to Asus slowing down on the frequency of releases, it gave me some time to tinker with some new improvements of my own.

Highlight of changes:

• Merged with Asus GPL 3.0.0.4.376.2769 (from AC87U). Some bits were also updated for MIPS routers from 2678.
• Upgraded main Samba from 3.0.xx to 3.6.24. This upgrade might cause a slight performance drop in Windows file sharing, however the increased interoperability and security is probably well worth the minor tradeoff. Anyone anxious for top SMB performance would probably be better served by a real NAS anyway.
• Much more complete SNMP support. Numerous standard modules were added, which should allow you to fully monitor/manage your router over SNMP now.
• OpenSSL was also updated to 1.0.0-o, resolving a few new security issues
• While on that topic, the SSLv2 (long deprecated) and SSLv3 (recently found to be highly vulnerable to the so-called POODLE attack) have now been disabled. That means to access the webui over HTTPS, you will need a web browser that supports the TLS 1.0 standard. To my knowledge, the only browser that doesn't support this is Internet Explorer 6, which should have been put to pasture years ago anyway...
• The NAT loopback was reverted to Asus' own implementation, as due to the way the DPI engine works, it would randomly disable my NAT loopback code. Asus' own still has a few issues, but it should generally work better for the time being.
• Various fixes here and left to the webui (DNSFilter, MAC filtering) and to a few other features

Beta 3 changes:

376.48 Beta 3 (02-Nov-2014)
   - CHANGED: Updated miniupnpd to release 1.9 (plus upstream PCP fix)
   - FIXED: Couldn't edit share permissions for Samba if your disk
            contained an unmounted/hidden partition (Asus bug in 2769)
   - FIXED: Couldn't edit share permissions for Samba for the RT-N66U
            internal SDcard reader (Asus bug in 2769)
   - FIXED: Missing Max User field to Samba page (Asus bug)

Beta 2 changes:

   - NEW: Added logo to the webui header
   - CHANGED: Samba 3.6 will now use libiconv to handle
              charset conversion (will resolve CP850
              warnings amongst other things)
  - CHANGED: Updated miniupnpd to 20141023 code from Github.
  - CHANGED: Updated dropbear to 2014.66.
  - CHANGED: Reverted NTP update code to GPL 2678 in hopes of
             resolving the few cases where it didn't work anymore.
  - FIXED: minidlna is once again able to use inotify for updates.
           A temporary workaround has been implemented where
           minidlna will be staticly linked with a threadsafe
           build of sqlite3, while BWDPI will continue to use
           the shared non-threadsafe library. (Asus bug)

What will mostly need tested in this beta release:

• The new Samba version. Please report both regressions and improvements you are seeing when trying to access a disk share.
• Test for any regression in AiCloud caused by the Samba upgrade (although AiCloud still uses its own Samba 3.5.8 code - I was unable to merge Asus's customisations into the 3.6.24 codebase)
• Any unexpected side effect when accessing the webui over https
• Feedback would be appreciated on the current SNMP support

No factory default reset is required if coming from a recent Asuswrt-Merlin release. If in doubt, just go ahead and do a factory default reset - it's always the safe bet if unsure.

Downloads are here.
Changelog is here.

MD5 checksums:

Beta 1:
01f0c403743d384e2c7b9964aa477407  RT-AC56U_3.0.0.4_376.48_beta1.trx
2c1520a00695d4c96f885460b355f3dc  RT-AC66U_3.0.0.4_376.48_beta1.trx
b4f571b12806b954ef2a795969d7cf67  RT-AC68U_3.0.0.4_376.48_beta1.trx
ee9cba51d4cb067544ee6b90f99459de  RT-AC87U_3.0.0.4_376.48_beta1.trx
fc4b098280e107dd44e3e047fee25f5a  RT-N16_3.0.0.4_376.48_beta1.trx
61eb6b83c39dd308adc2748bca1fe91d  RT-N66U_3.0.0.4_376.48_beta1.trx

Beta 2:
d790651d1ca0f52df8897abb63dfb55d  RT-AC56U_3.0.0.4_376.48_beta2.trx
df1e997f0a4b517f59a6a175e39bcd18  RT-AC66U_3.0.0.4_376.48_beta2.trx
eb48ea805da2c9894a9748b2613902fb  RT-AC68U_3.0.0.4_376.48_beta2.trx
6d602b18967df01cee33a8ff7498d3fa  RT-AC87U_3.0.0.4_376.48_beta2.trx
cbab2f1ae3b371d012d36e41774955dc  RT-N16_3.0.0.4_376.48_beta2.trx
8dabb7e71421d03caf95c03dab8befa8  RT-N66U_3.0.0.4_376.48_beta2.trx

Beta 3:
c4539515ec5af334083ac6e4a1c4757c  RT-AC56U_3.0.0.4_376.48_beta3.trx
37f5ac4632f827d462c071054bedcc3e  RT-AC66U_3.0.0.4_376.48_beta3.trx
080416f21039a37acf9fbe6601b30fe1  RT-AC68U_3.0.0.4_376.48_beta3.trx
41a748c8dfd5d1ac69a82922417c8f02  RT-AC87U_3.0.0.4_376.48_beta3.trx
0e9011084b66dfd75d1458bde9071030  RT-N16_3.0.0.4_376.48_beta3.trx
d037a2356ed78f7daf0a4c135d0b9380  RT-N66U_3.0.0.4_376.48_beta3.trx

 

[RMerlin]

One more note regarding Samba 3.6.24: while this version supports the SMB2 protocol, enabling it caused a drastic drop in performance since the bottleneck is currently the CPU and the IO subsystem, not the network, and the SMB2 protocol causes an increase in CPU usage, resulting in a drop in performance.

For those who do want to enable it for experimental purposes:

nvram set smbd_enable_smb2=1
nvram commit

Afterward, either reboot your PC (otherwise it will remember which protocol it was previously using and will keep using it), or restart the Workstation service (under Windows).

Setting it back to "0" will disable it, reverting back to the old NT1 protocol as used by previous versions of Samba.

 

[shantanugoel]

Although not mentioned in the changelog, but from the commit history I see that sqlite threadsafe option is enabled in this build (so that minidlna can get inotify updates).
Correct?

 

[john9527]

Although not mentioned in the changelog, but from the commit history I see that sqlite threadsafe option is enabled in this build (so that minidlna can get inotify updates).
Correct?

Check a couple of commits later.....looks like he had to revert it (i.e no threadsafe)....

https://github.com/RMerl/asuswrt-merlin/commit/3e34dd2d4535c9f2865aa80eb423d5c9afe1a8c1

 

[shantanugoel]

oh, thanks for pointing that out.

 

[Maghook]

My unit: RT-AC68u operating in ap mode with cleared NVRAM settings on cfe 1.0.1.8 (EU) on .48b1

Noticed a bug with NVRAM defaults: if I enable IGMP snooping on 5G my 5G auto settings will switch immediately to 20MHz ch. width. Undo will revert back to 80MHz ch. width. Noticed this behaviour also on 376.47 on my 68u. (On 2Ghz I manually switched to 20Mhz cause of interference with other APs around.)

 

[pcss]

Really appreciate the SNMP support on my RT-AC66U after struggling with net-snmpd previously. Some early feedback:


Using both the latest version of Networx on Windows and Peakhour on OSX, it seems slow to report speeds (cable modem in bridge mode on eth0/WAN); more in 2 second bursts than anything. EG: during a speed test I see 0.0 and then a burst of info every approx 2 seconds.

Hope this helps.

 

[White_Knight]

Hello Merlin,

After upgrade to a new Beta FW my samba server can't work property. In log i see this:

Oct 19 13:45:22 smbd[999]: [2014/10/19 13:45:22.386123,  0] auth/auth_util.c:841(make_system_session_info_from_pw)
Oct 19 13:45:22 smbd[999]:   make_server_info_info3 failed with NT code 0xc0000064

I use MIPS N66U router.

 

[octopus]

Thank you RMerlin for new beta build!

I have run this build a couple of hour and get this in log, charset CP850 error:

Oct 19 11:19:38 smbd[1678]: [2014/10/19 11:19:38.203628, 0] ../lib/util/charset/codepoints.c:319(get_conv_handle)
Oct 19 11:19:38 smbd[1678]: dos charset 'CP850' unavailable - using ASCII

Haven't tried new samba yet, it's coming soon.

Octopus

 

[matthew_eli]

I tried beta1 only for few minutes: on my RT-AC68U it seems the nat-loopback was broken. The router was accessible only by its IP. Furthermore, I don't know why, but also the WAN traffic seems blocked.

I checked the log, but I'm not an expert and I can enclose it here for further analisys

 

[AudiTuner]

I apologize if this has been covered already - my AC68U broadcasts a 2.4GHz signal when it is set to Media Bridge Mode and connected to the 5GHz network from my main router (AC87U).

If the AC68U was previously configured as a Wireless Router it will broadcast the last used 2.4GHz SSID (along with whatever encryption was used), even if configured as a Media Bridge that is connected to a 5GHz network.

By default (after a factory reset/clearing NVRAM) the AC68U will broadcast an unsecured 2.4GHz connection with the default SSID ("ASUS") after connecting to my 5GHz network in Media Bridge Mode.

The issue is not present in 376.45 but appeared in 376.47 and again in 376.48 beta 1. Can anyone replicate this?

 

[cmillar6]

I apologize if this has been covered already - my AC68U broadcasts a 2.4GHz signal when it is set to Media Bridge Mode and connected to the 5GHz network from my main router (AC87U).

If the AC68U was previously configured as a Wireless Router it will broadcast the last used 2.4GHz SSID (along with whatever encryption was used), even if configured as a Media Bridge that is connected to a 5GHz network.

By default (after a factory reset/clearing NVRAM) the AC68U will broadcast an unsecured 2.4GHz connection with the default SSID ("ASUS") after connecting to my 5GHz network in Media Bridge Mode.

The issue is not present in 376.45 but appeared in 376.47 and again in 376.48 beta 1. Can anyone replicate this?

I noticed exactly the same thing, this is a huge security risk if you don't catch it. You can fix it by accessing the hidden wireless page when the router is in media bridge mode and disabling the 2.4GHz radio.

http://192.168.1.1/Advanced_WAdvanced_Content.asp

 

[MikePort]

I tried beta1 only for few minutes: on my RT-AC68U it seems the nat-loopback was broken. The router was accessible only by its IP. Furthermore, I don't know why, but also the WAN traffic seems blocked.

Same here. On my RT-AC66U I upgraded from 376.47 to the new beta1 and NAT loopback is not working anymore. I have to revert to the previous version.

Regards.

 

[SVettel]

AC68U:
With this firmware, I can no longer get any response from DNS query run from the router. e.g.: When I ping some host from router, I always get "bad address". But if I first ping this host from my PC--whose dns server is the router--then doing it again on the router I can get the correct address for a short period of time(maybe it's because it's in the cache of dnsmasq for that period of time due to the query from PC). Query from PC is working good.
Because there's no way to get the ip address through DNS query from the router, the consequence is "time can't be synced to NTP server", so bad ddns update, error over auto updating ipv6in4 tunneling from WAN-START and many more.
Went back to 376.47, problem gone immediately.
I notice in the changlog: - FIXED: DNS queries run on the router were forwarded to upstream nameservers instead of dnsmasq.
Maybe some regression from this fixing?

 

[RMerlin]

Thank you RMerlin for new beta build!

I have run this build a couple of hour and get this in log, charset CP850 error:


Haven't tried new samba yet, it's coming soon.

Octopus

Yes, you can simply ignore it. I couldn't find any clear explanation as to the nature of this warning, especially since I have Samba configured to use UTF-8 as its charset, not those older codepages.

 

[RMerlin]

AC68U:
With this firmware, I can no longer get any response from DNS query run from the router. e.g.: When I ping some host from router, I always get "bad address". But if I first ping this host from my PC--whose dns server is the router--then doing it again on the router I can get the correct address for a short period of time(maybe it's because it's in the cache of dnsmasq for that period of time due to the query from PC). Query from PC is working good.
Because there's no way to get the ip address through DNS query from the router, the consequence is "time can't be synced to NTP server", so bad ddns update, error over auto updating ipv6in4 tunneling from WAN-START and many more.
Went back to 376.47, problem gone immediately.
I notice in the changlog: - FIXED: DNS queries run on the router were forwarded to upstream nameservers instead of dnsmasq.
Maybe some regression from this fixing?

Are you using any customized dnsmasq setting? Name resolution from the router is working fine for me, both local and public hostnames.

 

[RMerlin]

I noticed exactly the same thing, this is a huge security risk if you don't catch it. You can fix it by accessing the hidden wireless page when the router is in media bridge mode and disabling the 2.4GHz radio.

http://192.168.1.1/Advanced_WAdvanced_Content.asp

Known issue. I'm letting Asus resolve this one as I don't feel like trying to dive into the (completely uncommented and undocumented) source code related to this. It would take me hours just to begin to understand that part of the code.

 

[RMerlin]

Hello Merlin,

After upgrade to a new Beta FW my samba server can't work property. In log i see this:

Oct 19 13:45:22 smbd[999]: [2014/10/19 13:45:22.386123,  0] auth/auth_util.c:841(make_system_session_info_from_pw)
Oct 19 13:45:22 smbd[999]:   make_server_info_info3 failed with NT code 0xc0000064

I use MIPS N66U router.

Need more info about your connecting clients, how you have security configured on your shares, etc...

 

[Carnagerover]

Hi all,

I am setting a AC87U up for a friend, I received it today from Amazon and it already has the latest stock firmware update applied, I haven't ran into any problems yet but I was wondering if I should be putting Merlin's firmware on it?

Or is it too early in the cycle and I should stick with stock for the moment?

Thanks

 

[Pyropetepete]

Merlin

1st thank you, have been using your FW for a while not a RT-N66U in the UK. Mega leap in speed from stock FW. Wifi is still an issue sadly.

Am risk to do this update, never had a problem with any of your FW's so want to be able to help. AM uber new to all this, don't even know how too Telnet to the router but if some shows me or tells me I'll do it!

I do have a problem. Under 'VPN - Status' I have something showing

'OpenVPN Server 1 - Running Last updated: Sun Oct 19 21:01:24 2014'

I've never ever used VPN on here, I have done a full factory reset, power cycle and it still is showing.....