Release Asuswrt-Merlin 386.7 is now available for all models

[SomeWhereOverTheRainBow]

Pick a process, almost any process and dump it. They all have the same "Tainted:" information being displayed.

killall -s SEGV dnsmasq
killall -s SEGV vsftpd
killall -s SEGV miniupnpd
killall -s SEGV vnstatd

Jun 29 14:08:14 kernel: CPU: 1 PID: 18692 Comm: dnsmasq Tainted: P           O    4.1.52 #2
Jun 29 14:09:07 kernel: CPU: 3 PID: 3251 Comm: vsftpd Tainted: P           O    4.1.52 #2
Jun 29 14:10:30 kernel: CPU: 0 PID: 3259 Comm: miniupnpd Tainted: P           O    4.1.52 #2
Jun 29 14:12:54 kernel: CPU: 2 PID: 3213 Comm: vnstatd Tainted: P           O    4.1.52 #2

for i in $(seq 18); do echo $(($i-1)) $(($(cat /proc/sys/kernel/tainted)>>($i-1)&1));done

what does this return for you.

 

[ColinTaylor]

for i in $(seq 18); do echo $(($i-1)) $(($(cat /proc/sys/kernel/tainted)>>($i-1)&1));done

what does this return for you.

I don't have seq.

# for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do echo $(($i-1)) $(($(cat /proc/sys/kernel/tainted)>>($i-1)&1));done
0 1
1 0
2 0
3 0
4 0
5 0
6 0
7 0
8 0
9 0
10 0
11 0
12 1
13 0
14 0
15 0
16 0
17 0

 

[EmeraldDeer]

So does 149.112.112.11, so if you want to be consistent replace that with 149.112.112.112 (No ECS) in your copy.

Yes, here are all of the Quad9 options in one webpage
https://support.quad9.net/hc/en-us/articles/360041193212-Quad9-IPs-and-other-settings

I choose to use the Secure w/ECS support settings so that I get closer content delivery servers.

 

[SomeWhereOverTheRainBow]

I don't have seq.

# for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do echo $(($i-1)) $(($(cat /proc/sys/kernel/tainted)>>($i-1)&1));done
0 1
1 0
2 0
3 0
4 0
5 0
6 0
7 0
8 0
9 0
10 0
11 0
12 1
13 0
14 0
15 0
16 0
17 0

Now you see where I was looking at the 12th bit.

 

[SomeWhereOverTheRainBow]

I don't have seq.

Easily rectified with

for i in $(i=0; while [ $i -lt 18 ]; do i="$((i+1))"; printf "%s" " $i"; done); do echo $(($i-1)) $(($(cat /proc/sys/kernel/tainted)>>($i-1)&1));done

 

[donnikhan]

It sure is. My DHCP handout gives out the two IP addresses for my two main Pi-holes. I have a third Pi-hole instance on an older RPi that I stood up to goof around with PiVPN on.

Are you using ipv6 also or just ipv4?

 

[RMerlin]

I think this affects only MIPS routers.

That's correct. It does not affect any of the routers supported by Asuswrt-Merlin.

 

[RMerlin]

In reality, from what I can tell is that it works just fine, and the tainted message is the kernels way of screaming impropriety at the modules being used (or atleast at what it is interpreting).

What is going on is the packet checksum is invalid. You get the csum error in the log, and what follows is just debugging info dumped to the log by the invalid checksum error handler.

The kernel is reported as being tainted because it contains non open source module. It's not an error state, it's just an attribute of every single kernels running on Asus routers. The kernel becomes flagged as tainted the instant it boots and loads proprietary kernel modules from Broadcom, Tuxera and Trend Micro.

 

[Akore]

RMerlin, thx for the hard work. Can you check into this issue with Backhaul Connection Priority that started back in alpha1 on the RT-AC68U firmware, it was good up to 386.5_2:

 

[RMerlin]

RMerlin, thx for the hard work. Can you check into this issue with Backhaul Connection Priority that started back in alpha1 on the RT-AC68U firmware, it was good up to 386.5_2:

Everything related to AiMesh is closed source and outside of my control.

 

[Akore]

Everything related to AiMesh is closed source and outside of my control.

Ok, thx. strange that they got rid of the 1G Wan first selection.

If anyone else has a strange issue with Node not wanting to connect via powerline adapters after dirty flashing from alpha just flash 386.5_2 or earlier back on the Node and set it to 1G Wan first and then update to latest version.

 

[capncybo]

Ok, thx. strange that they got rid of the 1G Wan first selection.

If anyone else has a strange issue with Node not wanting to connect via powerline adapters after dirty flashing from alpha just flash 386.5_2 or earlier back on the Node and set it to 1G Wan first and then update to latest version.

OR, Perhaps not so STRANGE as I seem to recall reading somewhere...
For 1G to even function, It needs to be set to AUTOMATIC Negotiation.
(However I'm just going from my "Muddy" Memory)

EDIT: thinking about it logically (in some instances) a 1G connection might have to Negotiate with a slower link so I suppose "automatic" negotiation...
instead of 1G-Only... makes some sense.

 

[Akore]

(However I'm just going from my "Muddy" Memory)

At pushing 60 I know what you mean. Heck RMerlin even said a few posts back that AiMesh is black boxed and he has nothing to do with it and I had already forgot he posted that.

 

[RMerlin]

OR, Perhaps not so STRANGE as I seem to recall reading somewhere...
For 1G to even function, It needs to be set to AUTOMATIC Negotiation.

And also you shouldn't mix auto-negotiate with preconfigured rate. I've heard reports of networking equipment defaulting to half-duplex if they fail to auto-negotiate with the other end (because that end has auto-negotiate disabled).

 

[ColinTaylor]

OR, Perhaps not so STRANGE as I seem to recall reading somewhere...
For 1G to even function, It needs to be set to AUTOMATIC Negotiation.
(However I'm just going from my "Muddy" Memory)

I think you're confusing gigabit Ethernet auto-negotiation with the AiMesh backhaul network interface priority. Two different things.

 

[rlfromm]

I upgraded 2 RT-AC68U access point units to asuswrt-merlin 386.7. One unit upgraded OK and is working OK. The other unit requested a manual reboot after the upgrade and after the reboot it appears to operate. However, when I try to access its webpage I got the error "192.168.1.3 refused to connect." and therefore I cannot access the administration screens. I can login successfully using SSH and it displays the correct asuswrt-merlin release level. But no access is possible using the webpages.

Does anyone else have this issue? How can I resolve the issue?

 

[BuTTuS]

Most like to run it on the router itself as you then eliminate other variables like WiFi interference, etc... For those that are hardwired from the PC to router with a verified good patch cable though can go that route.

Yes, I don't even have any wired PCs atm, so it has been nice to be able to do speed tests including packet loss from the router up until now. Packet loss is missing from the history as well so I guess some column/value just is not shown? Is this something within @RMerlin ´s control or some closed module?

 

[Wanabo]

I upgraded 2 RT-AC68U access point units to asuswrt-merlin 386.7. One unit upgraded OK and is working OK. The other unit requested a manual reboot after the upgrade and after the reboot it appears to operate. However, when I try to access its webpage I got the error "192.168.1.3 refused to connect." and therefore I cannot access the administration screens. I can login successfully using SSH and it displays the correct asuswrt-merlin release level. But no access is possible using the webpages.

Does anyone else have this issue? How can I resolve the issue?

Try 192.168.1.1

 

[SomeWhereOverTheRainBow]

What is going on is the packet checksum is invalid. You get the csum error in the log, and what follows is just debugging info dumped to the log by the invalid checksum error handler.

The kernel is reported as being tainted because it contains non open source module. It's not an error state, it's just an attribute of every single kernels running on Asus routers. The kernel becomes flagged as tainted the instant it boots and loads proprietary kernel modules from Broadcom, Tuxera and Trend Micro.

While I don't think there is away to actually fix packet checksum issue, would it be possible to prevent the type of packet with the firewall since it seems to result in NXdomain any ways?

similar to how the outbound ipv6 dns is already padded

-A OUTPUT -p udp -m udp --dport 53 -m u32 --u32 "0x30>>0xf&0x1=0x0" -j OUTPUT_DNS
-A OUTPUT -p tcp -m tcp --dport 53 -m u32 --u32 "0x34>>0x1a&0x3c@0x8>>0xf&0x1=0x0" -j OUTPUT_DNS


-A OUTPUT_DNS -m string --hex-string "|10706f697579747975696f706b6a666e6603636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0d72666a656a6e666a6e65666a6503636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|1131306166646d617361787373736171726b03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0f376d667364666173646d6b676d726b03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0d386d617361787373736171726b03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0f3966646d617361787373736171726b03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|1265666274686d6f6975796b6d6b6a6b6a677403636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|086861636b7563647403636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|076c696e77756469056633333232036e657400|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0f6c6b6a68676664736174727975696f03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0b6d6e627663787a7a7a313203636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|077131313133333303746f7000|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|057371353230056633333232036e657400|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|077563746b6f6e6503636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0e7a786376626d6e6e666a6a66777103636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0a65756d6d6167766e627003636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns

-A logdrop_dns -j LOG --log-prefix "DROP_DNS " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop_dns -j DROP

 

[ColinTaylor]

While I don't think there is away to actually fix packet checksum issue, would it be possible to prevent the type of packet with the firewall since it seems to result in NXdomain any ways?

Isn't the end result the same as @dave14305's idea.