Release Asuswrt-Merlin 386.3 is now available

Status
Not open for further replies.

kernol

Very Senior Member
Thanks kernol for your kind reply. I did read how to test for kill switch operation in this thread but I don't know how to use the two rules that were shown. I can do a lot with my two routers, using one as a node in AiMesh and running PIA VPN. Learned a lot along the way but I need instructions from someone like you as to how I use these rules to test for kill switch operation. I figured everything else out by searching, reading and trying it out. Just can't find any more info on this task.
Your help will be greatly appreciated.
Thanks

To test the VPNClient killswitch you need to open an SSH session on your router. To do that you need to go to the Administration > System tab after logging in with your browser to the router. Halfway down the page under "Service" - Enable SSH for LAN only - do not allow SSH Port Forwarding and choose a non-default port [say 222] and allow password login.

I use MobaXterm on my Windows 10 workstation as a terminal for SSH and several other useful remote tools. Use that or PuTTY or any other terminal of your choice to log in to your Router under SSH terminal using your admin username and password.

At the command prompt you can issue those commands that I pointed out to you.
So if you have configured OpenVPN Client No 1 to route certain Local IP's through a VPN service provider - then with that OVPN1 enabled you would type this command at the Terminal prompt ...

Code:
killall vpnclient1

[Change the 1 to a 2, 3, 4 or 5 .... depending on which VPNClient you want to test].
Check whether the Local IP's that you had directed through the VPN Tunnel have now lost internet connection - and if so - the killswitch is working as designed. Now to bring the VPN Tunnel back up again issue this command at the terminal prompt ...

Code:
service start_vpnclient1

Now check that the Local IP's that you had directed through the VPN tunnel have had their internet connection restored.

If my explanation above is "overkill" - sorry ... but I have no idea of your skills level ... but do remember all too well when I first joined this forum as a non-coder noob ... first posts are not always easy given the high skill levels of so many members :).

PS - If you are a noob like I was - then if not done already - at that SSH command prompt - type "amtm" and open Pandora's Box to a huge array of awesome add-ons [like those in my signature]. Just follow the prompts and read here if stuck ...
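
The test described in the post above, written down as a repeatable check (an added example, not part of kernol's post). It goes slightly beyond the post by also telling a blocked client apart from one that falls back to the ISP address; `probe_ip`, `ECHO_URL`, the function names and all addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Run on a LAN client that is routed
# through the VPN (not on the router). All addresses are constructed.

# probe_ip: hypothetical helper. ECHO_URL is a placeholder for any service
# that returns the caller's public IP as plain text; empty output = offline.
ECHO_URL="https://ip-echo.example/"
probe_ip() { curl -s --max-time 5 "$ECHO_URL" 2>/dev/null || true; }

# classify_phase PHASE SEEN_IP WAN_IP
#   PHASE   up | down | restored (tunnel state when the probe was taken)
#   SEEN_IP public IP the client observed, empty if the probe failed
#   WAN_IP  the router's ISP-assigned address, which must never be seen
classify_phase() {
    phase=$1; seen=$2; wan=$3
    case "$phase" in
        up|restored)
            if [ -z "$seen" ]; then echo "FAIL:no-connectivity"
            elif [ "$seen" = "$wan" ]; then echo "FAIL:leak"
            else echo "OK:tunnelled"; fi ;;
        down)   # after "killall vpnclient1" the client must be offline
            if [ -z "$seen" ]; then echo "OK:blocked"
            elif [ "$seen" = "$wan" ]; then echo "FAIL:leak"
            else echo "FAIL:still-online"; fi ;;
        *) echo "ERROR:unknown-phase"; return 2 ;;
    esac
}

# killswitch_verdict WAN_IP IP_UP IP_DOWN IP_RESTORED
# Feed it the three probe_ip results taken before "killall vpnclient1",
# after it, and after "service start_vpnclient1".
killswitch_verdict() {
    wan_ip=$1
    r_up=$(classify_phase up "$2" "$wan_ip")
    r_down=$(classify_phase down "$3" "$wan_ip")
    r_back=$(classify_phase restored "$4" "$wan_ip")
    case "$r_up/$r_down/$r_back" in
        "OK:tunnelled/OK:blocked/OK:tunnelled") echo "PASS" ;;
        *) echo "FAIL up=$r_up down=$r_down restored=$r_back" ;;
    esac
}

# Constructed run: VPN exit 198.51.100.20, ISP address 203.0.113.7.
killswitch_verdict 203.0.113.7 198.51.100.20 "" 198.51.100.20
```

In a real run, capture `probe_ip` on the client at each of the three stages and pass the results to `killswitch_verdict` together with the WAN address shown on the router's status page.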
 

SomeWhereOverTheRainBow

Part of the Furniture
**Potential GUI Bug**
@RMerlin

Any time changes are made to the Administrator page, this error pops up.


Even though no attempts were made to change the Router Login Name.
 

kernol

Very Senior Member
**Potential GUI Bug**
@RMerlin

Any time changes are made to the Administrator page, this error pops up.

Even though no attempts were made to change the Router Login Name.

No such problem on my 386.3 - can mod any items on that page without getting the error you refer to.
Make sure your browser cache [or form fill] is not auto filling the Router Login Name over what is/was there. That may cause the error?
 

SomeWhereOverTheRainBow

Part of the Furniture
No such problem on my 386.3 - can mod any items on that page without getting the error you refer to.
Make sure your browser cache [or form fill] is not auto filling the Router Login Name over what is/was there. That may cause the error?
Did all that, issue seems to go away when I unmount the harddrive.
 

RMerlin

Asuswrt-Merlin dev
OpenVPN modifications in 386.3 on Asus AC5300 no longer allow ExpressVPN to hide IP address. Connects, but IP is leaked. Worked fine in previous versions, but had to revert back to 386.1 to work properly.
Your client isn't correctly configured. You need to set Redirect Internet traffic to Yes or to VPN Director and configure rules.
 

RMerlin

Asuswrt-Merlin dev
Did all that, issue seems to go away when I unmount the harddrive.
Old, known issue - the disk sharing user list is invalid. There are a few posts on the forum explaining how to fix it/reset it.
 

SomeWhereOverTheRainBow

Part of the Furniture
Old, known issue - the disk sharing user list is invalid. There are a few posts on the forum explaining how to fix it/reset it.
Fixed it but I had to manually do it. It turns out

Code:
nvram set acc_num="1"
nvram set acc_list="$(nvram get http_username)>$(nvram get http_passwd)"
nvram set acc_webdavproxy="$(nvram get http_username)>1"
nvram commit
reboot

will not work if your http_username has a - in it, such as admin-name or some-name.

It turns out that if it does have a dash in the name, the nvram get value would be as follows:

nvram get acc_list="Some%2DName>encryptedpassword"

so

nvram set acc_list="$(nvram get http_username)>$(nvram get http_passwd)"

cannot be used in this case, because that variable actually holds a dash, whereas the disk sharing user name uses %2D for dashes.

And

nvram set acc_webdavproxy="$(nvram get http_username)>1"

cannot be used either, since %2D is used in the naming and not a dash.
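
The mismatch described in the post above, handled in a small helper (an added example, not part of the post and not firmware code). It assumes, as the post reports, that the only difference between `http_username` and the disk sharing name is that each dash is stored as `%2D`; other characters are not handled, and the function names and sample values are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the acc_list / acc_webdavproxy
# values from the login name, storing "-" as %2D as the post describes.
# Assumption: the dash is the only character that needs this treatment.

# encode_share_name NAME -> NAME with every "-" replaced by %2D
encode_share_name() {
    printf '%s' "$1" | sed 's/-/%2D/g'
}

# acc_list_value USER PASSWD -> value for "nvram set acc_list=..."
acc_list_value() {
    printf '%s>%s' "$(encode_share_name "$1")" "$2"
}

# acc_webdavproxy_value USER -> value for "nvram set acc_webdavproxy=..."
acc_webdavproxy_value() {
    printf '%s>1' "$(encode_share_name "$1")"
}

# acc_list_matches CURRENT_ACC_LIST USER
# Succeeds when the name field (text before the first ">") of the stored
# list equals the encoded login name, i.e. the list is already consistent.
acc_list_matches() {
    [ "${1%%>*}" = "$(encode_share_name "$2")" ]
}

# On the router the inputs would come from nvram, for example:
#   user=$(nvram get http_username); pass=$(nvram get http_passwd)
#   acc_list_matches "$(nvram get acc_list)" "$user" || \
#       nvram set acc_list="$(acc_list_value "$user" "$pass")"
# Constructed values are used here so the example runs anywhere.
user="Some-Name"
pass="encryptedpassword"
echo "acc_list        = $(acc_list_value "$user" "$pass")"
echo "acc_webdavproxy = $(acc_webdavproxy_value "$user")"
```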
 

DJones

Occasional Visitor
Just curious RMerlin will you be implementing the security patches released by Asus in a recent stock fw update? Or do you avoid updating base code until there is a major revision change to keep it more in line with LTS?

Question might have already been asked, apologies if it was.

==============

2021/07/08 66.29 MBytes
ASUS GT-AX11000 Firmware version 3.0.0.4.386.44266
1. Improved connection stability.
2. Modified the DNS setting and router's DNS can be assigned to the LAN side DNS.
3. Fixed DoS vulnerability from spoofed sae authentication frame. Thanks to Efstratios Chatzoglou, University of the Aegean, Georgios Kambourakis, European Commission at the European Joint Research Centre, and Constantinos Kolias, University of Idaho.
4. Fixed envrams exposed issue. Thanks to Quentin Kaiser from IoT Inspector Research Lab contribution.
 

Jakem

New Around Here
To test the VPNClient killswitch you need to open an SSH session on your router. To do that you need to go to the Administration > System tab after logging in with your browser to the router. Halfway down the page under "Service" - Enable SSH for LAN only - do not allow SSH Port Forwarding and choose a non-default port [say 222] and allow password login.

I use MobaXterm on my Windows 10 workstation as a terminal for SSH and several other useful remote tools. Use that or PuTTY or any other terminal of your choice to log in to your Router under SSH terminal using your admin username and password.

At the command prompt you can issue those commands that I pointed out to you.
So if you have configured OpenVPN Client No 1 to route certain Local IP's through a VPN service provider - then with that OVPN1 enabled you would type this command at the Terminal prompt ...

Code:
killall vpnclient1

[Change the 1 to a 2, 3, 4 or 5 .... depending on which VPNClient you want to test].
Check whether the Local IP's that you had directed through the VPN Tunnel have now lost internet connection - and if so - the killswitch is working as designed. Now to bring the VPN Tunnel back up again issue this command at the terminal prompt ...

Code:
service start_vpnclient1

Now check that the Local IP's that you had directed through the VPN tunnel have had their internet connection restored.

If my explanation above is "overkill" - sorry ... but I have no idea of your skills level ... but do remember all too well when I first joined this forum as a non-coder noob ... first posts are not always easy given the high skill levels of so many members :).

PS - If you are a noob like I was - then if not done already - at that SSH command prompt - type "amtm" and open Pandora's Box to a huge array of awesome add-ons [like those in my signature]. Just follow the prompts and read here if stuck ...
kernol you are the best. I am a noob (newbie), such a noob I had to look that up. Followed your very detailed instructions, operated the kill switch thus stopping all access to the internet. Ran your second command and restored internet service. You made it easy. I was certain the kill switch would work because rmerlin turns out only premium firmware. I just had to see it work for myself. You are a good person kernol for helping a stranger.
 

Robert Tickle

Occasional Visitor
Dirty upgrade from 386.2_6 to 386.3 on router and node. All 40 wifi clients reconnected immediately without issue.
 

Hawk

Very Senior Member
Just curious RMerlin will you be implementing the security patches released by Asus in a recent stock fw update? Or do you avoid updating base code until there is a major revision change to keep it more in line with LTS?

Question might have already been asked, apologies if it was.

==============

2021/07/08 66.29 MBytes
ASUS GT-AX11000 Firmware version 3.0.0.4.386.44266
1. Improved connection stability.
2. Modified the DNS setting and router's DNS can be assigned to the LAN side DNS.
3. Fixed DoS vulnerability from spoofed sae authentication frame. Thanks to Efstratios Chatzoglou, University of the Aegean, Georgios Kambourakis, European Commission at the European Joint Research Centre, and Constantinos Kolias, University of Idaho.
4. Fixed envrams exposed issue. Thanks to Quentin Kaiser from IoT Inspector Research Lab contribution.
Merlin gets the GPL directly from Asus, so most likely they will be included in the next GPL Asus sends to Merlin.
 

RMerlin

Asuswrt-Merlin dev

jsbeddow

Senior Member
Merlin gets the GPL directly from Asus, so most likely they will be included in the next GPL Asus sends to Merlin.
This is true, but @RMerlin has mentioned that there is some sort of GPL build problem with recent releases, and this is why we seem to have a relatively large gap (both in time and version number) between official Asus releases and Merlin's versions at the moment. Perhaps he could update us on that situation, please?
 

jeden

Regular Contributor
Define "broken".
If you set up a 6in4 tunnel with RA on (default) and then reboot the router, RA stops working. You have to disable it, apply settings, then enable it again so it works until the next reboot. It's an upstream bug actually.
In IPv6, router advertisements are necessary every x minutes or devices lose their IP address(es). Therefore, after 10 minutes of booting the router, IPv6 connectivity is lost forever.
 

RMerlin

Asuswrt-Merlin dev
Perhaps he could update us on that situation, please?
Latest news I got today was: "No ETA, recently generated a new test GPL for one model, awaiting validation".

So basically, no news for the time being.
 

anotherengineer

Regular Contributor
Flashed
Rebooted
Then formatted jffs and reboot
Then factory defaults/wipe reboot
Then set up and reboot

seems to be ok. Need to give it a few weeks and see if that random disconnect is cured.
 

guho

Regular Contributor
Hi,
Can you please explain in a bit more detail as to which files I need to copy/ create in which folders - some sample content of the file would be very helpful.


All I mainly want to achieve is change the default IPSec ikev2 range from 10.10.10.0/24 to 192.168.2.0/24 as specified in the line rightsourceip=

@guho
What additional file(s) do I create where and what do I modify in the existing /etc/ipsec.conf to achieve this? Many thanks...
Please read https://github.com/RMerl/asuswrt-merlin.ng/wiki/Custom-config-files

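In your case, enable custom scripts and create /jffs/scripts/ipsec.postconf containing:

Code:
#!/bin/sh
# $1 is the path of the generated config file handed to the postconf script
CONFIG=$1
source /usr/sbin/helper.sh
# Replace the default IKEv2 client range with the wanted one
pc_replace "rightsourceip=10.10.10.0/24" "rightsourceip=192.168.2.0/24" "$CONFIG"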
 