[Beta] Asuswrt-Merlin 384.11 Beta is now available

Is DNS-over-HTTPS possible with 384.11? I’m not sure which one (DoH or DoT) is “faster” for general usage. Thank you.
DoT appears to be faster because it has less overhead, but it is debatable depending on the type of DNSSEC you are using.
 
Thanks for taking the time to perform the test and report results. Everything appears to work as expected except for Test Case 4. I would have expected dnsleak.com to not report a leak and for the VPN tunnel to use the DNS of the provider and not Cloudflare DoT. I will run the test once I cut over. I should be able to cut over to the beta after I finish the development project this weekend.

A few weeks ago, I noticed that my provider TorGuard started using Cloudflare DNS!

Hi Xentrk

Absolute pleasure to help out.

I can't say why test 4 didn't give you the expected results, considering my knowledge won't beat most of you ;). Anyway, if you have something ready then I'm happy to test and give feedback.

TorGuard is using Cloudflare... I can't say if that's a good or bad thing; the only thing I would expect from a VPN provider is that they have control over the hardware and own it.
 
Make sure you have native IPv6 enabled.
384.11_beta2 RT-AX88U does not connect to IPv6 no matter what I try.
Turn on custom scripts under the Administration page and turn on SSH.
Download a PuTTY client.
Open the PuTTY client, type in your router's IP, then your admin name and password to log in.
Copy and paste
Code:
cat << 'EOF' > /jffs/scripts/wan-start
#!/bin/sh
# Accept router advertisements and allow forwarding system-wide;
# eth0 (WAN) stays non-forwarding so it keeps accepting RAs
echo "1" > /proc/sys/net/ipv6/conf/all/accept_ra
echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
echo "1" > /proc/sys/net/ipv6/conf/eth0/accept_ra
echo "0" > /proc/sys/net/ipv6/conf/eth0/forwarding
EOF
into PuTTY and press Enter.
Make it executable by copying and pasting
chmod a+rx /jffs/scripts/wan-start
Reboot the router.

If you already have a wan-start script, you can just copy and paste
Code:
echo "1" > /proc/sys/net/ipv6/conf/all/accept_ra
echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
echo "1" > /proc/sys/net/ipv6/conf/eth0/accept_ra
echo "0" > /proc/sys/net/ipv6/conf/eth0/forwarding
to the bottom of the script using nano /jffs/scripts/wan-start
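Once the router has rebooted, it is worth confirming that the wan-start writes above actually took effect. This is an added example, not code from the post: it compares the four sysctl files against the values the script sets, and the SYSCTL_ROOT variable is an assumption so the same check can be exercised offline against a constructed directory.

```shell
# Added example: verify the IPv6 sysctls written by wan-start.
# SYSCTL_ROOT is an assumption; on the router leave the default.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/ipv6/conf}"

# Interface, key and expected value, exactly as written by wan-start.
EXPECTED="all accept_ra 1
all forwarding 1
eth0 accept_ra 1
eth0 forwarding 0"

# check_ipv6_sysctls ROOT
# Prints one line per missing or mismatched setting; returns the mismatch count.
check_ipv6_sysctls() {
    root="$1"
    bad=0
    while read -r iface key want; do
        file="$root/$iface/$key"
        if [ ! -r "$file" ]; then
            echo "MISSING  $file"
            bad=$((bad + 1))
            continue
        fi
        got=$(cat "$file")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $file: got $got, want $want"
            bad=$((bad + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$bad"
}

# make_fake_sysctl_tree DIR ALL_RA ALL_FWD ETH0_RA ETH0_FWD
# Builds a constructed /proc-like tree so the check can run offline.
make_fake_sysctl_tree() {
    mkdir -p "$1/all" "$1/eth0"
    echo "$2" > "$1/all/accept_ra"
    echo "$3" > "$1/all/forwarding"
    echo "$4" > "$1/eth0/accept_ra"
    echo "$5" > "$1/eth0/forwarding"
}

# Run against the live tree when one exists (skipped offline).
if [ -d "$SYSCTL_ROOT" ]; then
    check_ipv6_sysctls "$SYSCTL_ROOT" && echo "IPv6 sysctls match wan-start"
fi
```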
 
Got it. The problem with forcing the client to use a different DNS is that the PC running Steam is also the main one that I use on a daily basis, so I don't see much point in running DoT on everything else but this machine. Then again, a resolver too far away from my location would probably make the browsing experience slower. I'm kind of in a pickle here.

@RMerlin, I mentioned the router login issue before, and found this thread about it, where a user said it's a "known issue" and firmware-related. I'd never had this issue in years using the AC87U with your firmware and in the few weeks since switching to the AC86U, on version 384.10_2.

It started, coincidentally, after I disabled one of the router's radios (5G). Could it be related to that, or does the issue lie somewhere else?


Eek, have you installed any of the Jack Yaz scripts? The one you could use is the scMerlin to restart the Web Interface (httpd).

If you have those scripts installed, are they all up to date (even the ones that don't list in the latest v2.1 amtm)?

Your issue may be something else, but I don't believe it's the disabled radio. It may be from an older Jack Yaz script though. ;)
 
edns_client_subnet_private: 1 ---- would be set to zero right?
Yes
Code:
# cat /jffs/scripts/stubby.postconf
#!/bin/sh
# Path of the generated stubby.yml is passed in as the first argument
CONFIG=$1
source /usr/sbin/helper.sh
#
# Change edns_client_subnet_private from 1 to 0 in the generated config
pc_replace "edns_client_subnet_private: 1" "edns_client_subnet_private: 0" "$CONFIG"
#
 
I figured as much. I wouldn't change this because I have no real reason to. I do like some of the other features (not specific to this, though) that can be added.
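The stubby.postconf approach above is a plain text replacement: if the exact default line is not present in the generated file, nothing changes and nothing complains. This added example (not the post's code) sets the same key but reports whether the line was found or had to be appended, and reads the value back so the result can be checked; the stubby.yml fragment it operates on is constructed.

```shell
# Added example: set a top-level stubby.yml key and detect the "no match" case.
# The sample config is constructed; on the router the file is the $1 that
# stubby.postconf receives.

# set_yaml_key FILE KEY VALUE
# Rewrites "KEY: <anything>" to "KEY: VALUE"; appends the line if KEY is absent.
# Returns 0 when the key was found and replaced, 1 when it had to be appended.
set_yaml_key() {
    file="$1" key="$2" value="$3"
    if grep -q "^$key:" "$file"; then
        # Write to a temp file, then rename, so a failed sed cannot truncate the config.
        sed "s|^$key:.*|$key: $value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
        return 0
    fi
    echo "$key: $value" >> "$file"
    return 1
}

# get_yaml_key FILE KEY
# Prints the current value of a top-level key, or nothing if it is not set.
get_yaml_key() {
    sed -n "s/^$2:[[:space:]]*//p" "$1"
}

# make_sample_config FILE
# Writes a constructed minimal stubby.yml fragment carrying the stock default.
make_sample_config() {
    cat > "$1" <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
edns_client_subnet_private: 1
round_robin_upstreams: 1
EOF
}

# Stand-alone demo on a constructed file: flip the option from 1 to 0 and show it.
DEMO="${TMPDIR:-/tmp}/stubby-demo.yml"
make_sample_config "$DEMO"
set_yaml_key "$DEMO" edns_client_subnet_private 0
echo "edns_client_subnet_private is now: $(get_yaml_key "$DEMO" edns_client_subnet_private)"
rm -f "$DEMO"
```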
 

Hi, L&LD.

No scripts other than Diversion and Skynet installed (via amtm), and they're both updated.

On the two instances that the issue occurred, I used "service restart_httpd" to "fix" it. But, like I said, that had never happened before in almost 5 years of using Asus routers with Merlin's firmware. My new AC86U ran without issues for about two weeks.

I mentioned disabling the 5G radio because it was one of the few settings that I changed manually after that period and almost immediately before I lost access to the router's GUI (which only happened after closing the browser tab). This is what I did:

Under LAN > DHCP Server, the default gateway and both DNS servers fields were blank. And even though everything was working fine (I had already uninstalled Stubby at that point), I decided to type in the relevant information. Hit apply, everything loaded up fine. Following that, I also disabled the 5G radio. Again hit apply and, once more, the GUI loaded correctly.

Closed that tab, continued browsing the web, and minutes later, when trying to access the GUI again, it got stuck in an infinite loading loop, without actually loading the page. I panicked, thinking the same thing that had happened to my AC87U was happening again, but after a reboot through PuTTY, it was back to normal. So I changed back the gateway and DNS servers fields to what they were - blank. I kept the 5G radio disabled, however, thinking it probably had nothing to do with the login issue.

About 24 hours later, I had the same issue. This time, I found the thread I mentioned earlier and used the "service restart_httpd" command to gain access to the GUI via web browser, but only today, so it hasn't been 24 hours yet since the last restart.
 
Is DNS-over-HTTPS possible with 384.11?
DoH is a browser feature, not a router feature, so firmware version is not a factor.
I’m not sure which one (DoH or DoT) is “faster” for general usage. Thank you.
Hard to say which would be faster overall. I would go with DoT even with a latency disadvantage.
DoH
  • Direct from browser to DNS provider
  • Does not benefit from DNS cache on router (lookups from other computers on your LAN as well)
  • Does benefit from browser cache and operating system cache
  • So far only on Firefox
  • You can have any DNS provider you like so long as it is Cloudflare
  • Does not benefit from Diversion
DoT
  • Browser > dnsmasq on router > stubby on router > DNS provider
  • Benefits from DNS cache on router (lookups from other computers on your LAN as well)
  • Does benefit from Diversion
 
DoH can be run via the router with dnscrypt-proxy 2, so to say it isn't supported via the router is false; it has to be done by someone who knows something about that, though, meaning it is not supported at the firmware level.

The choice between the two relies more on how you think DNS should function, and what kind of privacy you want and how you want it. Both use TLS, but one (DoT) carries TLS on a different port, while the other (DoH) hides traffic inside the existing HTTPS protocol.

If you are worried your ISP has blocked the ports DoT uses, DoH is a better option; if you want more choices of DNS servers, DoT is probably the route.

Both of these fall under the function of DNS privacy, along with an older privacy protocol called DNSCrypt.
 
Hey @RMerlin

I don't think this is related to your latest beta build... However, I know you have been using an AX88U, and just tonight I got one online. However, my system log is being spammed with these.

"kernel: net_ratelimit: *** callbacks suppressed"

Any idea what might be the cause of this?

EDIT: I found the cause of this.... I enabled "WAN Aggregation" and have WAN, and LAN port 4 connected to both ports on my SB8200, which I have LAG enabled on.

Now the question is... How do I go about alerting Asus about this? I know it's the cause, because as soon as I disconnect one of the cables to the modem, these errors stop in the system log.
 
Could be a modem issue. Does your modem have the latest firmware from March 2019 installed? LAG was only recently enabled on this modem with the March firmware update.
 
Yes it does, I turned the option on as well. This is what the log looked like after a couple of minutes. You will see when I disconnected LAN port 4 from the modem. It logs the disconnect, and I actually took the screenshot 2-3 minutes after I unplugged one of the cables. No more of those errors. As soon as I have both cables connected, these errors continue to add up very often.
 

Attachment: Router log.png (15.3 KB)
Looks like a conflict. How did you configure your router WAN ports? Can you check what's in the suppressed system log?
 
If you look at that screenshot, I actually ran a speedtest during that period, during which you will notice the higher rate of callbacks being suppressed. This isn't a "user" error either. I actually tested a couple of times before I posted here. I even turned LAG off on the modem and re-enabled it. Each time you change the LAG setting and apply on the modem side, it restarts the modem.

At first I thought it might be a looping issue within my network. However, I removed the one switch I do use and tested more; nothing changed with or without it. I know this is likely something @RMerlin can't test himself, but I can tell you it's an issue with the AX88U currently, with "WAN Aggregation" enabled and being used.
 
When you use an OpenVPN client and that server's DNS, DNSSEC support will be up to them; you can't control it.


I installed 384.11 b2 on my AC86U with OpenVPN, DoT and DNSSEC enabled.

My mobile (OpenVPN client) connects to my AC86U (OpenVPN server); I tested and DNSSEC is not enabled. When I am at home and connected over Wi-Fi, I tested and found DNSSEC is enabled.
I am not connected to another VPN server, only connecting from outside to my AC86U.

Do I need to edit the dnsmasq/openvpn config manually?

Thanks for your reply and great contribution.
 
It started, coincidentally, after I disabled one of the router's radios (5G). Could it be related to that, or does the issue lie somewhere else?

I can't think of any relation between disabling a wifi radio and httpd stopping answering.
 
Is DNS-over-HTTPS possible with 384.11? I’m not sure which one (DoH or DoT) is “faster” for general usage. Thank you.

No, just DNS-over-TLS as you can see in the dropdown.
 
My mobile (OpenVPN client) connects to my AC86U (OpenVPN server); I tested and DNSSEC is not enabled. When I am at home and connected over Wi-Fi, I tested and found DNSSEC is enabled.

Validation might be done by the remote server you are using.
 
Hi Xentrk

Absolute pleasure to help out.

I can't say why test 4 didn't give you the expected results, considering my knowledge won't beat most of you ;). Anyway, if you have something ready then I'm happy to test and give feedback.

TorGuard is using Cloudflare... I can't say if that's a good or bad thing; the only thing I would expect from a VPN provider is that they have control over the hardware and own it.
It could be the DNSFILTER setting that is affecting the behavior. What do you have it set to?
 
