[Dev] Asuswrt-Merlin 388.1 development

[RMerlin]

No it is a kernel space implementation that is why the speed is triple that of OpenVPN. I know WireGuard does not work on Kernel 2.6 but these routers are using Kernel 4.4 so they are also using an upgraded CTF.ko module for Kernel 4.4. maybe that is compatible with WireGuard?

Are you sure you are referring to a Broadcom-based model? AFAIK, the newest BCM kernel DD-WRT has is one of the early 3.x versions, as that was the last time brainslayer had access to the BCM SDK. If it's not a Broadcom model, then this isn't using CTF but something else.

 

[DJones]

Are you sure you are referring to a Broadcom-based model? AFAIK, the newest BCM kernel DD-WRT has is one of the early 3.x versions, as that was the last time brainslayer had access to the BCM SDK. If it's not a Broadcom model, then this isn't using CTF but something else.

He’s likely referring to Atheros, Broadcom is basically stagnant on DDWRT last I used it.

 

[DJones]

DD-WRT :: View topic - WireGuard guides and documentation

DD-WRT :: View topic - New Build - 10/19/2022 - r50551

Looks like it does have wireguard least on AC routers. As I ironically link egc’s own post from ddwrt.

 

[PR3MIUM]

Oct 22 02:09:02 kernel: ^[[0;33;41m[ERROR pktrunner] runnerUcast_inet6addr_event,187: Could not rdpa_system_ipv6_host_address_table_find ret=-5^[[0m
Just 1 Error in 5+ Days.

 

[egc]

Are you sure you are referring to a Broadcom-based model? AFAIK, the newest BCM kernel DD-WRT has is one of the early 3.x versions, as that was the last time brainslayer had access to the BCM SDK. If it's not a Broadcom model, then this isn't using CTF but something else.

Yes it looks like it:

root@Asus-AC68:~# uname -r
4.4.302-st25
root@Asus-AC68:~#

root@Asus-AC68:~# lsmod | grep -E 'wireguard|ctf'
wireguard 71536 0
ip6_udp_tunnel 1431 1 wireguard
udp_tunnel 1699 1 wireguard
ipv6 302044 56 ip6table_mangle,nf_conntrack_ipv6,nf_defrag_ipv6,wireguard,ipcomp6,xfrm6_tunnel,xfrm6_mode_tunnel,xfrm6_mode_beet,ip6_tunnel,mip6,ah6,esp6,sit,[permanent]
ctf 51118 0
root@Asus-AC68:~#

 

[asusrunshot]

Yes it looks like it:

root@Asus-AC68:~# uname -r
4.4.302-st25
root@Asus-AC68:~#

root@Asus-AC68:~# lsmod | grep -E 'wireguard|ctf'
wireguard 71536 0
ip6_udp_tunnel 1431 1 wireguard
udp_tunnel 1699 1 wireguard
ipv6 302044 56 ip6table_mangle,nf_conntrack_ipv6,nf_defrag_ipv6,wireguard,ipcomp6,xfrm6_tunnel,xfrm6_mode_tunnel,xfrm6_mode_beet,ip6_tunnel,mip6,ah6,esp6,sit,[permanent]
ctf 51118 0
root@Asus-AC68:~#

I just checked and I think they have kernel 5.10 for Asus AC3100? Am I reading that correctly?

That'd mean it could support Cake QOS on these old dinosaurs?

Do you miss Asus Ai Protection? One of the reasons I have not looked at other firmware is the ease of use in malicious sites and IPS..

Another curiosity is whether these newer kernels can be ported to ASUSWRT/ Merlin?

 

[S.claus]

No trouble with traffic analyzer on my AX88U.

Let me be more specific. It's the Traffic Analyzer-Statistic page that crashes.

 

[DJones]

Another curiosity is whether these newer kernels can be ported to ASUSWRT/ Merlin?

Theoretically, maybe. But no. I’d say because RMerlin has a working relationship with ASUS and touching Broadcom’s closed source driver to get it working with a newer kernel or “hacking/porting” it in probably wouldn’t be permitted and would be outside the scope of this project. ASUS would have to be the one to decide to use a newer kernel and drivers from Broadcom. That said idk what RMerlin could do with permission.. but. Eventually ASUS will use newer kernels on newer devices, but older devices will eventually be EOL unless you decide to move to a different custom firmware like DDWRT.

But there are risks consider every update to be a perpetual beta, and you’re the guinea pig if you’re the first to install or don’t read the forums, because you can brick your router. I’ve done it 3 times using ddwrt on older non-ASUS routers, and needed a serial JTAG to fix.

Sometimes your lucky other times… not.

 

[Jeffrey Young]

One of the exceptions being a pure fiber connection, but i am not even sure if that would make a difference. Also, show of hands, how many of us can say our area provides us with a "pure" fiber connections?

Where I am in Northeastern Ontario, Canada, 80/40 connection is the best we get, and only because a single entrepreneur setup his own microwave link between us and the city. We are way too small for the big ISPs to even look at.

 

[PR3MIUM]

Have made a Hard Reset on my 3 RT-AX88U.

Have added 2 AiMesh Nodes to the Main one, then I noticed after switching from WPA2 -> WPA3 that 1 AiMesh Node was missing.
Switched back to WPA2 and the missing AiMesh Node showed up again (dont know if its a bug).

EDIT:
getting some wired Kernel log now.

Oct 23 11:40:35 kernel: TCP: request_sock_TCP: Possible SYN flooding on port 7788. Sending cookies.  Check SNMP counters.

 

[jakey]

@RMerlin thanks for the AX58U alpha, out of curiosity I've been waiting for it to try wireguard.

Just putting up a few comparison speed tests up.

I have a 500Gb symmetrical fibre connection over PPPoE to my ISP.

I use Astrill VPN as a client to the outside world and all tests are to the same host server.

Win11 PC no VPN

Win11 PC Astrill WG client

AX58U OpenVPN

AX58U WireGuard

So even on this relatively low powered AX58U WireGuard is over 3 times faster than OpenVPN.

 

[Civ]

Upgraded my GT-AX6000 to 388.1_alpha1 yesterday and haven't noticed any issues so far.

I don't currently use its VPN functions so I can't speak on that.

 

[visortgw]

I attempted to upgrade my GT-AX6000 to 388.1_alpha1 from 386.7_2, but I was forced to revert — I also tried the same unsuccessfully a couple of days back. The router was virtually crippled. When I waited long enough for the GUI to launch, all four (4) cores were pegged at 100% CPU usage — none of my four (4) AiMesh nodes would connect. Not sure what the issue is as others appear to have upgraded without issue. As part of reverting, I reset to factory and reconfigured from scratch, including re-adding the AiMesh nodes.

 

[skeal]

I'm trying to login to my AiMesh-node, when I login it asks for user ID and password, after entering that on the AiMesh-node's login, it instantly redirects me to my main router's network map page. Is this the intended outcome? I used to be able to login to the mesh node and see a limited GUI, now that seems impossible to achieve. Am I missing something? Is this new with this firmware?

 

[jakey]

After initial success when first installed on my AX58U connecting to my VPN provider Astrill is now having problems with OVPN.

No rules are set.

If I do set a wan rule in VPN Director it seems to be ignored.

This all I see in the log.

Oct 23 13:27:29 rc_service: httpd 1606:notify_rc restart_logger
Oct 23 13:27:29 custom_script: Running /jffs/scripts/service-event (args: restart logger)
Oct 23 13:27:30 custom_script: Running /jffs/scripts/service-event-end (args: restart logger)
Oct 23 13:28:06 rc_service: httpd 1606:notify_rc stop_vpnclient1
Oct 23 13:28:06 custom_script: Running /jffs/scripts/service-event (args: stop vpnclient1)
Oct 23 13:28:06 ovpn-client1[22594]: event_wait : Interrupted system call (code=4)
Oct 23 13:28:06 openvpn-event[24197]: No scripts found to run for openvpn-event: vpnclient1-route-pre-down
Oct 23 13:28:06 custom_script: Running openvpn-event
Oct 23 13:28:07 openvpn-routing: Clearing routing table for VPN client 1
Oct 23 13:28:07 custom_script: Running /jffs/scripts/service-event-end (args: stop vpnclient1)
Oct 23 13:29:14 rc_service: httpd 1606:notify_rc start_vpnclient1
Oct 23 13:29:14 custom_script: Running /jffs/scripts/service-event (args: start vpnclient1)
Oct 23 13:29:15 ovpn-client1[24690]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Oct 23 13:29:15 ovpn-client1[24690]: DEPRECATED OPTION: --max-routes option ignored.The number of routes is unlimited as of OpenVPN 2.4. This option will be removed in a future version, please remove it from your configuration.
Oct 23 13:29:15 ovpn-client1[24690]: Unrecognized option or missing or extra parameter(s) in config.ovpn:39: block-outside-dns (2.5.7)
Oct 23 13:29:15 custom_script: Running /jffs/scripts/service-event-end (args: start vpnclient1)
Oct 23 13:29:15 ovpn-client1[24691]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Oct 23 13:29:15 ovpn-client1[24691]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 23 13:29:16 openvpn-routing: Routing all traffic through ovpnc1
Oct 23 13:29:18 openvpn-event[24765]: No scripts found to run for openvpn-event: vpnclient1-route-up
Oct 23 13:29:18 custom_script: Running openvpn-event
Oct 23 13:29:18 ovpn-client1[24691]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

 

[skeal]

Let me be more specific. It's the Traffic Analyzer-Statistic page that crashes.
View attachment 44980
View attachment 44981

Mine populates with all the information as usual and doesn't freeze the page or the GUI in any way.

 

[commodoro]

Hello everybody,

this is the first time I write in the forum, but first of all I would like to thank @RMerlin for the fantastic work he does on his custom firmware, without your firmware I could not start up my personal homelab with proxmoxVE, which can be reached safely in a very long time short.

I could just say a word THANK YOU.

I just updated my rt-ax58U to 388.1_alpha1-g89b92e5ff6 but I encountered a problem, from the DDNS page I can't use the "Method to retrieve WAN IP", unfortunately, in spite of myself, I have to use the router provided by my ISP (Vodafone IT ) as ONT, so the good Asus is set up with a static but private wan IP address.

I must revert to 386.7_2 and all ok.

Thanks
Commodoro

 

[skeal]

Hello everybody,

this is the first time I write in the forum, but first of all I would like to thank @RMerlin for the fantastic work he does on his custom firmware, without your firmware I could not start up my personal homelab with proxmoxVE, which can be reached safely in a very long time short.

I could just say a word THANK YOU.

I just updated my rt-ax58U to 388.1_alpha1-g89b92e5ff6 but I encountered a problem, from the DDNS page I can't use the "Method to retrieve WAN IP", unfortunately, in spite of myself, I have to use the router provided by my ISP (Vodafone IT ) as ONT, so the good Asus is set up with a static but private wan IP address.

I must revert to 386.7_2 and all ok.

Thanks
Commodoro


View attachment 44997

Is your ISP modem/router bridged? The ONT probably can't do anything but hand your AX58U a private IP. If the ISP modem/router is bridged it passes the public IP to your AX58U, in effect becoming just a modem.

 

[commodoro]

Hi @skeal,

thanks for the feedback, unfortunately the Vodafone custom firmware does not allow me to set the bridge mode, but only the DMZ or a static NAT, and this forces me to stay in an environment with double NAT, with the version 386.7_2 and the check of the wan ip external la DDNS resolution works smoothly.

Thanks
Commodoro

 

[octopus]

If I do set a wan rule in VPN Director it seems to be ignored.
This all I see in the log.

Oct 23 13:29:15 ovpn-client1[24690]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.Oct 23 13:29:15 ovpn-client1[24690]: DEPRECATED OPTION: --max-routes option ignored.The number of routes is unlimited as of OpenVPN 2.4. This option will be removed in a future version, please remove it from your configuration.
Oct 23 13:29:15 ovpn-client1[24690]: Unrecognized option or missing or extra parameter(s) in config.ovpn:39: block-outside-dns (2.5.7)
Oct 23 13:29:15 ovpn-client1[24691]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.

Try to fix this and test again.