Beta Asuswrt-Merlin 388.2 Beta is now available for Wifi 6 models

[aex.perez]

The only thing I can think of with skynet is that it relies on iptables, which can be pretty cpu intensive. Packet processing would experience extra slow downs.

CPU in the single digits except for peaks on occassion, but here are the averages

Doubt it's Skynet but after uninstalling it, and a reboot I did get some relief. Going to unplug the router from the modem for a minute or so, if no change then power off/on of the AX88 next.

 

[SomeWhereOverTheRainBow]

CPU in the single digits except for peaks on occassion, but here are the averages
View attachment 48898

Doubt it's Skynet but after uninstalling it, and a reboot I did get some relief. Going to unplug the router from the modem for a minute or so, if no change then power off/on of the AX88 next.

View attachment 48899

Another factor to consider is , does the speedtest always use the same server? Does that server ever have issues? There are alot of factors to consider, and the only way for you to find resolution on this matter is to process eliminate. Other factors to consider, are there any other scripts performing cpu intensive task during the times these drops occur? You can determine this sometimes by indications made in the syslog that a certain script may be active or there may be indication that a script is performing some sort of maintenance task.

 

[learning_curve]

@RMerlin Did you see the IPv6 DoS Protection bug reported in this thread.

firewall-start generates this line when DoS protection is enabled and Logged packets type = None:

-A ICMP_V6 -p ipv6-icmp --icmpv6-type 128 -m limit --limit 1/s -j RETURN

I think it should really be this:

-A ICMP_V6 -p ipv6-icmp --icmpv6-type 128 -m limit --limit 1/s -j ACCEPT

FWIW I have Dual Stack IPv4 / IPv6 from my ISP and to date, I've had no problems with either protocol, but, by choice / default, I don't enable the 'Enable DoS Protection' option on my router. As per this other thread that you've already posted, enabling / disabling this option, does indeed, change this specific response:

DoS Protection Enabled (extract):

504 RETURN     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 128 limit: avg 1/sec burst 5

DoS Protection Disabled (extract):

112 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 128

 

[RMerlin]

Also in the list for DHCP settings, if scrolling through the page or editing stuff, the most left column starts to show "New device" instead of the name that is previously entered on older items.

Works for me. Try disabling your browser addon, also make sure you don`t have any funky character in a device description.

 

[RMerlin]

There is an issue in the latest beta with OpenVpn when ipv6 is disabled. I found in some discussion that "we now trigger a fatal error if changing the metric for ipv6 interface fails" and "I always get surprised by 'IPv6 might be disabled'...". It should be fixed in 2.6.2.

Source?

 

[cc666]

Merlin can I safely flash the beta 1 firmware over the latest stock firmware for the GT-AXE16000?
No VPN in setup.

CC

 

[RMerlin]

I couldn't change wireless settings for 5GHz-2, it would just say Applying Settings and do nothing.

Bug introduced in Asus's 22525 code, I just fixed it.

The 2nd issue was that I enabled DNS Director and the client list is clearing on a reboot.

Works for me. How many entries do you have? Can you reproduce the issue if you only add one client?

 

[RMerlin]

Merlin can I safely flash the beta 1 firmware over the latest stock firmware for the GT-AXE16000?
No VPN in setup.

Should be fine in theory, VPN settings are the most problematic when migrating from stock to AMNG.

 

[aex.perez]

Another factor to consider is , does the speedtest always use the same server? Does that server ever have issues? There are alot of factors to consider, and the only way for you to find resolution on this matter is to process eliminate. Other factors to consider, are there any other scripts performing cpu intensive task during the times these drops occur? You can determine this sometimes by indications made in the syslog that a certain script may be active or there may be indication that a script is performing some sort of maintenance task.

Been around here long enough to factor all that in. Random or the same Speedtest server the variation is minimal. Right after the router, I run from the PC I get my full speed, from the AT&T modem, full rated speed. CPU is running in the single digits on the router right when the sample is taken. I take 20-25 runs just to get to an average and weed out and high and low to minimize the variables. The log is clean, really noting running of significance. At this point it's process of elimination. Taking out Skynet got me closer to my normal, but can't fathom why as CPU has never been an issue and in the 386 family with the same scripts, never had a drop like this.

A reboot from the GUI, left me with the same results with Skynet removed. So it'll be a power off/on, let it settle down, then run the tests, PC, Modem, Router then average each out. One thing I did see but it's never been an issue is a setting from long ago, cloning the MAC of the PC when I had DSL in the early days. Will turn that off, and re do the passthrough setting at the AT&T device with the actual MAC addr of the Router if the on/off doesn't do it. Trying to be systematic about this since it's not impacting any of the wired clients (the important ones, like the TV's).

First goal is to fix it, second goal is to be able to reproduce on demand to report it if it's something related to 388 family. If it continues to be a mysttery, then it's a HW reset and start from scratch scenario if I can't replicate it. Then monitor for it happening again...

 

[aex.perez]

Been around here long enough to factor all that in. Random or the same Speedtest server the variation is minimal. Right after the router, I run from the PC I get my full speed, from the AT&T modem, full rated speed. CPU is running in the single digits on the router right when the sample is taken. I take 20-25 runs just to get to an average and weed out and high and low to minimize the variables. The log is clean, really noting running of significance. At this point it's process of elimination. Taking out Skynet got me closer to my normal, but can't fathom why as CPU has never been an issue and in the 386 family with the same scripts, never had a drop like this.

A reboot from the GUI, left me with the same results with Skynet removed. So it'll be a power off/on, let it settle down, then run the tests, PC, Modem, Router then average each out. One thing I did see but it's never been an issue is a setting from long ago, cloning the MAC of the PC when I had DSL in the early days. Will turn that off, and re do the passthrough setting at the AT&T device with the actual MAC addr of the Router if the on/off doesn't do it. Trying to be systematic about this since it's not impacting any of the wired clients (the important ones, like the TV's).

First goal is to fix it, second goal is to be able to reproduce on demand to report it if it's something related to 388 family. If it continues to be a mysttery, then it's a HW reset and start from scratch scenario if I can't replicate it. Then monitor for it happening again...

OK, power of/on, modem off/on, getting rid of the MAC Clone and redoing the passthrough, even built-in vs external libraries, in all cases no change. I'd say carrier but the their speedtest at the modem(resedential gateway) is fine;

Also good a the PC and what I would normally see at the router

Going to let it run overnite after all the individual reboots and run through all of the speedtests again. If nothing changes, then HW reset, start from scratch and setup all the scripts (incl Skynet) again, testing along each step of the way...

 

[seabass]

I just tried upgrading my GT-AX11000 to 388.2b1. Unfortunately, my TAP based VPN server crash issue still remains

(dirty update this time)

I find it strange that I see the same crash/reboot (~20-30 seconds after a successful tunnel is established) with all three of the most recent firmware versions, specifically 386_7_2, 388.1, and 388.2.

My AC5300 is still working just fine (same configuration, acting as the VPN server) and is now upgraded to 386.10 (was also working fine on 386_7_2 and 396.9). The client is running on an AX68U on 388.1

I do have two different .opvn files client configs to match each server, which I switch between on the client when experimenting with each server router, but the only differences is the order of the ciphers. I wouldn't have thought this mattered, but maybe it does?
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC vs ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC

That all said, I'm starting to believe the issue is hardware / driver related (because the AC works and the AX doesn't when on the lowest common firmware, i.e. 386_7_2)

The one thing I haven't tried yet is upgrading my client router (AX68U) to 388.2 from 388.1. I may do that soon, but it's risky for me as it's at my remote location that's not so easy to physically manage.

System log doesn't show anything interesting that I can see.

Any ideas?

For more details, if anyone cares, this is the original post:

Internet access inconsistency and a repeatable crash with GT-AX6000 and GT-AX11000 vs my RT-AC class routers

I recently decided to upgrade my primary home router (AC5300) to an AX class router to match my remote location, which is already running an AX68U and is connected to my home via a site-to-site TAP based Open VPN connection. Since the firmware versioning between AC and AX seems to be diverging...

www.snbforums.com

I upgraded my AX client to 388.2b1 and unfortunately TAP VPN between my server and client is still broken. The same client works fine (as always) with my TAP VPN server running on my AC router, just not my AX, unfortunately.

I've tried AX6000 and AX11000 vs my older AC5300 as my servers.

Both AX's are broken

 

[SomeWhereOverTheRainBow]

Been around here long enough to factor all that in. Random or the same Speedtest server the variation is minimal. Right after the router, I run from the PC I get my full speed, from the AT&T modem, full rated speed. CPU is running in the single digits on the router right when the sample is taken. I take 20-25 runs just to get to an average and weed out and high and low to minimize the variables.

Yea the reason why I asked about this is because I wondered if you varied test servers to eliminate that as a possible variable. Also, are the speed test execution times coinciding with any of the speedtests conducted by the router. This could be another factor. Similar to trying to run two speedtest on two computers at the exact same time on the same network. This creates a variation in results during times of execution since both test runs may be competing to hold bandwidth.

Also, if possible investigate the logs in your modem specifically looking at lines that talk about the link connection between your modem and router to ensure at no point is your modem downgrading or adjusting the parameter. This could mean you are dealing with a bad connection from either one of the ethernet ports, possibly a bad ethernet cable, or bad modem firmware provisioning supplied to your modem from the ISP.

 

[Calkulin]

Bug introduced in Asus's 22525 code, I just fixed it.

Works for me. How many entries do you have? Can you reproduce the issue if you only add one client?

Glad you were able to reproduce the issue and fix it. As for the DNS Director issue, I only had 3 entries in there but I just tested with 1 and it still cleared on reboot for me

EDIT: I just noticed on the 388.2 routers, there is 2 NVRAM entries for dnsfilter_rulelist, 1 is empty and the other has the MACs that are added in the list. On the 386.10 routers, the only dnsfilter_rulelist entry in NVRAM is the one with the MAC list. Could that be the issue?

 

[RMerlin]

I just noticed on the 388.2 routers, there is 2 NVRAM entries for dnsfilter_rulelist, 1 is empty and the other has the MACs that are added in the list. On the 386.10 routers, the only entry in NVRAM is the one with the MAC list. Could that be an issue?

On newer HND models, custom nvram variables are limited to 255 chars values, so for these the rulelist is split between 6 separate variables (dnsfilter_rulelist, and dnsfilter_rulelist1 through dnsfilter_rulelist5). That`s why I was asking about the number of entries, to see if the issue might occur when you end up filling one variable and having it split between two.

Do you run any custom script that might be modifying the content of these variables?

 

[Ranger802004]

Bug introduced in Asus's 22525 code, I just fixed it.

Works for me. How many entries do you have? Can you reproduce the issue if you only add one client?

I noticed this too and assuming the fix will come in the final release.

 

[Calkulin]

On newer HND models, custom nvram variables are limited to 255 chars values, so for these the rulelist is split between 6 separate variables (dnsfilter_rulelist, and dnsfilter_rulelist1 through dnsfilter_rulelist5). That`s why I was asking about the number of entries, to see if the issue might occur when you end up filling one variable and having it split between two.

Do you run any custom script that might be modifying the content of these variables?

No scripts that modify NVRAM variables but to clarify, are you saying the duplicate dnsfilter_rulelist I see is ok? I see the 1-5 rulelist but I also see a duplicate dnsfilter_rulelist

 

[RMerlin]

I noticed this too and assuming the fix will come in the final release.

The Wireless settings issue was fixed last night and also sent upstream. However I am unable to reproduce the dnsfilter issue so far.

No scripts that modify NVRAM variables but to clarify, are you saying the 2nd dnsfilter_rulelist I see should have a 1? Because on mine, both variables have the same name with no numbers

No. What I mean is there are 6 separate variables:

dnsfilter_rulelist
dnsfilter_rulelist1
dnsfilter_rulelist2
dnsfilter_rulelist3
dnsfilter_rulelist4
dnsfilter_rulelist5

If your configured rules take less than 256 characters, they will be saved to dnsfilter_rulelist. If you have more entries that require more than 255 characters in total, then it will start using dnsfilter_rulelist1 to save anything past the 255 first characters. Up to a maximum of 6 * 255 characters can be used by rules, which would fill up all 6 variables then.

Maybe your settings are corrupted, one of the numbered rulelist variable contains bogus data. Try clearing them all, then reconfiguring them again from the webui:

nvram unset dnsfilter_rulelist
nvram unset dnsfilter_rulelist1
nvram unset dnsfilter_rulelist2
nvram unset dnsfilter_rulelist3
nvram unset dnsfilter_rulelist4
nvram unset dnsfilter_rulelist5
nvram commit

 

[Calkulin]

The Wireless settings issue was fixed last night and also sent upstream. However I am unable to reproduce the dnsfilter issue so far.


No. What I mean is there are 6 separate variables:

dnsfilter_rulelist
dnsfilter_rulelist1
dnsfilter_rulelist2
dnsfilter_rulelist3
dnsfilter_rulelist4
dnsfilter_rulelist5

If your configured rules take less than 256 characters, they will be saved to dnsfilter_rulelist. If you have more entries that require more than 255 characters in total, then it will start using dnsfilter_rulelist1 to save anything past the 255 first characters. Up to a maximum of 6 * 255 characters can be used by rules, which would fill up all 6 variables then.

Maybe your settings are corrupted, one of the numbered rulelist variable contains bogus data. Try clearing them all, then reconfiguring them again from the webui:

nvram unset dnsfilter_rulelist
nvram unset dnsfilter_rulelist1
nvram unset dnsfilter_rulelist2
nvram unset dnsfilter_rulelist3
nvram unset dnsfilter_rulelist4
nvram unset dnsfilter_rulelist5
nvram commit

Sorry I edited my post after but I have 7 settings, with the 7th being a duplicate dnsfilter_rulelist. If I try to unset everything, I can't seem to remove the duplicate dnsfilter_rulelist, it keeps showing up even after trying multiple times to unset it

 

[ColinTaylor]

Sorry I edited my post after but I have 7 settings, with the 7th being a duplicate dnsfilter_rulelist. If I try to unset everything, I can't seem to remove the duplicate dnsfilter_rulelist, it keeps showing up even after trying multiple time to unset it

View attachment 48928
View attachment 48929

If dnsfilter_rulelist is one of the variables that's been moved to /jffs/nvram then what you're seeing is normal (you're using nvram show aren't you). The first blank entry is the stub that's left in nvram and can be ignored.

 

[RMerlin]

If dnsfilter_rulelist is one of the variables that's been moved to /jffs/nvram

Right, I believe Asus uses dnsfilter_rulelist for their mobile app features, in which case they probably defined it as a "large_nvram" within wlcsm, and stored it to JFFS. Which leads to another possibility: is the JFFS partition full?