[Beta] Asuswrt-Merlin 384.14 Beta is now available

Status
Not open for further replies.

RMerlin

Asuswrt-Merlin dev
Asuswrt-Merlin 384.14 beta is now available for select models (the RT-AC87U, RT-AC3200 and RT-AC5300 are not available for this release, due to lack of updated components from Asus). This release focuses on merging the latest GPLs (which contained a good amount of code changes).

7-Dec-2019: Beta 3 is now available. Changes since beta 2:

Code:
106c8fdc63 inadyn: re-disable cert validation for AsusDDNS - their server is once again using an expired certificate
e9d5a74edd Bumped revision to beta 3
979171cfeb Updated documentation
0493c9b280 webui: fix malformed Certificate label on DDNS page
935c9e8e29 webui: update popup help for local DNS queries to match the current default behaviour
498663aed4 openvpn: do not run openvpn-event if custom scripts are disabled
6c0ef79e93 kernel: backport 81351 kernel fixes to L2TP to the sdk7.x kernel
b709848521 kernel: backport 81351 kernel fixes to L2TP to the sdk7114 kernel
633622542c rp-l2tp: fix server route can't be added w/o ifname
f5f43d48ac dnsmasq: update to 2.80-95-g1aef66b
672b6b8758 Updated documentation
6ce31ebb13 inadyn: switch Asus DDNS server to ns1.asuscomm.com since their server certificate is missing the nwsrv-ns1.asus.com SAN; re-enable certificate validation when updating an Asus DDNS account
6147885ff9 Restore generic ARM prebuilts from 384_81351, which were accidentally downgraded by the RT-AC5300 81219 component merge in commit 19f730920271bb4c354d4282c3dccd340fbb59d3
6483e2c750 webui: rc: harmonize max ntp server length with upstream, and ensure (legacy) ntp code has a matching buffer size
89ebb9a624 webui: replace broken isPortConflict() with new function; added missing pwrsave code on System page
19f7309202 Merge RT-AC5300 binary blobs from 384_81219

28-Nov-2019: RT-AC5300 384.14 Beta 2 test build added to https://www.asuswrt-merlin.net/test-builds
24-Nov-2019: Beta 2 is now available. Changes since beta 1:
RT-AX88U:
Code:
31efcf7a90 Updated documentation
1589bacedf rc: fix _unlock_erase() return value to match with the rest of the code
5780fb5f8b socat: that is one fat cat, put him on a diet by removing unused features
461cbf34a7 rc: ipv6 ns drop checking wrong nvram for dualwan/multiiptv builds
4b799f4217 rc: silence a few modprobe failures (these either do not exist or are built-in)
94c1890814 Bumped revision to beta 2
35c3d046f7 Updated documentation
ed5fe541ee rc: inadyn: always force AsusDDNS updates on LE-enabled build
fcf39c96c3 inadyn: minor logging changes to Asus DDNS pplugin
1d7eee1063 rc: tell inadyn to accept any SSL cert when using Asus DDNS
a73a8eaed0 letsencrypt: backport new LE support from 384_81351 for AX branch
197ea60300 Revert "dnsmasq: update to 2.80-93-g6ebdc95"
Other models:
Code:
31efcf7a90 Updated documentation
41f01b9346 socat: that is one fat cat, put him on a diet by removing unused features
461cbf34a7 rc: ipv6 ns drop checking wrong nvram for dualwan/multiiptv builds
3c81fa4543 rc: silence a few modprobe failures (these either do not exist or are built-in)
94c1890814 Bumped revision to beta 2
35c3d046f7 Updated documentation
1795fcf34b rc: migrate AP hostname from computer_name to lan_hostname
6c41f71cd2 rc: remove obsolete conn_diag.o blob
fbbc20f31f Merged RT-AC68U binary blobs + SDK from 384_81351
bd000fe9b7 Merge with GPL 384_81351 + binary blobs (RT-AC86U)
ed5fe541ee rc: inadyn: always force AsusDDNS updates on LE-enabled build
fcf39c96c3 inadyn: minor logging changes to Asus DDNS pplugin
1d7eee1063 rc: tell inadyn to accept any SSL cert when using Asus DDNS
197ea60300 Revert "dnsmasq: update to 2.80-93-g6ebdc95"

The original plan was to wait for new releases originally expected from Asus in October, but since these were delayed, I decided to go ahead with what I currently have rather than wait any longer.

The highlights:

  • GPL updates: 384_6436 (RT-AX88U), 384_81351 (other models, with 384_81116 binary blobs used for the RT-AC88U/RT-AC3100)
  • Added option to prevent automatic DoH upgrade by Firefox. By default this option will only prevent automatic upgrade if you use DNSFilter or DNSPrivacy (DNS-over-TLS). You can change it to always prevent the upgrade. Note that this option has no impact if you manually decide to enable DoH in Firefox, only for its automatic option currently only available in the US.
  • Updated components: miniupnpd 20190824, dnsmasq 2.80-95-g1aef66b, OpenSSL (1.0.2t/1.1.1d), curl (7.66), OpenVPN (2.4.8) and nano (4.4).
  • Made self-generated SSL certificate compliant with new iOS 13 and macOS 10.15 requirements (reduced duration to two years, and added missing attribute)
  • Reimplemented the faketc script (which injects fq_codel support into Adaptive QoS) as a binary executable for better performance (reducing the chances of warning messages during QoS initialization if QoS took too long to initialize)
  • Enhancements to the IPv6 firewall webui (now accepts empty fields to denote "Any IP", and improved EUI-64 handling)
  • Re-added low nvram notification (was lost a few years ago in the move to 382)
  • A number of fixes to Let's Encrypt support
  • A number of misc fixes, please see the changelog for the complete list

Things that require particular testing:

  • LED disabling option. That feature was completely re-implemented to make the code simpler and easier to maintain. Please confirm that when LEDs are disabled through the webui, they work as intended (disabling through the physical button was unchanged).
  • Confirm that there are no oddities when using codel/fq_codel with Adaptive QoS. If you previously saw warnings about QoS "missing rules", are these warnings gone now with the new implementation?
  • Beta 2: Let's Encrypt support (both with Asus DDNS, and other DDNS providers, which use a different validation method)
  • Beta 2: DNS/DHCP stability on RT-AX88U - does dnsmasq still randomly stop answering queries?
  • Beta 2: JFFS mounting at boot time for RT-AX88U - does it still fail for those it used to?
  • Beta 2: Look for any new issues following the merge of newer GPL code on AC68U/AC88U/AC3100/AC86U

Please keep posts on topics specific to these beta builds.

Downloads are here.
Changelog is here.
 

RMerlin

Asuswrt-Merlin dev
Known issues:

  • Let's Encrypt doesn't work (ACME client no longer supported, will have to be fixed by Asus in the future due to the closed source portions of this feature). Fixed in beta 2 with GPL 384_81351 merge/backport.
  • JFFS partition fails to mount on RT-AX88U if you had tried to wipe it/reset it (bug in GPL 384_6436, fixed in beta 2)
  • dnsmasq random failure on RT-AX88U (Seems to be a bug in latest dnsmasq code, reverted that code for beta 2)
  • L2TP client fails to connect/setup routes (bug in Asus 384_81351 code, fixed in beta 3)
 

Mutzli

Very Senior Member
Known issues:

  • Made self-generated SSL certificate compliant with new iOS 13 and macOS 10.15 requirements (reduced duration to two years, and added missing attribute)
I thought the 2 year limit was not necessary for self-generated certificates.
 

RMerlin

Asuswrt-Merlin dev
I thought the 2 year limit was not necessary for self-generated certificates.
No idea, the documentation available at the time did not mention that.
 

octopus

Very Senior Member
Just updated to beta1 and working fine so far.
Uptime 0 days 0 hour(s) 25 minute(s) 37 seconds
 

Asad Ali

Very Senior Member
I thought the 2 year limit was not necessary for self-generated certificates.
It's not necessary for Root CA but certificates signed with it still need to be 2 years or less.
 

rgnldo

Very Senior Member
Very good job. I will install it on another device. I will give the return.
 

Mutzli

Very Senior Member
I did a dirty update from 384.13 and it works as expected. I noticed that this update fixed the QoS being lost after updating. All the settings transferred over without any issues.
 

rgnldo

Very Senior Member
@RMerlin I don't know how they do it, the NextDNS service can stop the hole made by using other DNS or VPN.


Something like
Added option to prevent automatic DoH upgrade by Firefox. By default this option will only prevent automatic upgrade if you use DNSFilter or DNSPrivacy (DNS-over-TLS). You can change it to always prevent the upgrade. Note that this option has no impact if you manually decide to enable DoH in Firefox, only for its automatic option currently only available in the US.
 

Mutzli

Very Senior Member
@RMerlin I don't know how they do it, the NextDNS service can stop the hole made by using other DNS or VPN.


Something like
Isn't that a cloud DoH service similar to what Cloudflare and Firefox offer with Firefox Private Network? If so, they control a user generated black list.
 

RMerlin

Asuswrt-Merlin dev
Will that setting propagate to AiMesh nodes?
No, because it's an Asuswrt-Merlin specific setting, and I have no control over which settings are propagated by AiMesh's config_sync service.
 

RMerlin

Asuswrt-Merlin dev
@RMerlin I don't know how they do it, the NextDNS service can stop the hole made by using other DNS or VPN.


Something like
The DoH automatic switch handling is done through a special canary domain defined by Mozilla. If that canary domain fails to resolve, then Firefox will not automatically switch to DoH. Asuswrt-Merlin's implementation is simply a config entry in dnsmasq to reject that canary domain.
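
Added example (not part of the post above or of the Asuswrt-Merlin code): a client-side view of the canary check, parsing a DNS response and applying Mozilla's published rule that any non-NOERROR rcode, or NOERROR with no A/AAAA records, stops the automatic DoH switch. The canary name `use-application-dns.net` is Mozilla's documented domain and is not named in the thread; the response packets are constructed samples.

```python
import struct

CANARY = "use-application-dns.net"  # Mozilla's documented canary (not named in the thread)

def encode_name(name):
    """Encode a hostname as DNS wire-format labels."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_response(rcode, addresses=()):
    """Constructed sample: a resolver's reply to an A query for CANARY."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, plus the response code
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(addresses), 0, 0)
    msg += encode_name(CANARY) + struct.pack("!HH", 1, 1)  # question: type A, class IN
    for addr in addresses:
        # Owner name is a compression pointer to offset 12; type A, class IN, TTL 60
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        msg += bytes(int(octet) for octet in addr.split("."))
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer is always 2 bytes
            return off + 2
        if length == 0:            # root label terminates the name
            return off + 1
        off += 1 + length

def canary_blocks_doh(msg):
    """True if this response signals Firefox not to auto-enable DoH."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    if flags & 0x000F:             # NXDOMAIN, SERVFAIL, REFUSED, ...
        return True
    off = 12
    for _ in range(qdcount):       # skip the question section
        off = skip_name(msg, off) + 4
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype in (1, 28):       # an A or AAAA record means the canary resolved
            return False
        off += 10 + rdlen
    return True                    # NOERROR but no address records
```
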
 

TheOldMan

Senior Member
Color me shocked that 384.14_b1 works better than the alphas I had issues with. Thanks, @RMerlin. All the programmers that work with you deserve kudos for fixing bugs. Will report if I find more bugs. So far everything is working like it should.
 

rgnldo

Very Senior Member
then Firefox will not automatically switch to DoH
Had added in unbound. But it only works if Firefox's DoH "network.trr.mode" option is 2. If you are an advanced user, you will choose 3. I don't find this implementation useful. Best control is by proxy or firewall.
 

CaptainSTX

Part of the Furniture
Dirty update from 14.2 Alpha on my AC86. Everything functioning normally. Hopefully changes will eliminate random spontaneous reboots that were happening every couple of days.
 

Rossco57

Occasional Visitor
Bit off topic, but I’m running ASUS beta with WPA 3 and Wi-Fi 6 on for new iPhone. When will that be included in Merlin?
As I’m having issues with Chromecast appearing multiple times and some IoT stuff (homebridge), I’m having to reboot router every other day.
Thanks
 

skeal

Part of the Furniture
Bit off topic, but I’m running ASUS beta with WPA 3 and Wi-Fi 6 on for new iPhone. When will that be included in Merlin?
As I’m having issues with Chromecast appearing multiple times and some IoT stuff (homebridge), I’m having to reboot router every other day.
Thanks
Asus is still Beta testing WPA 3.
 