
[Experimental] Asuswrt-Merlin 384.13 test - AiMesh/DNSSEC through OpenSSL

Discussion in 'Asuswrt-Merlin' started by RMerlin, Jul 8, 2019.

Thread Status:
Not open for further replies.
  1. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    33,278
    Location:
    Canada
    First, the teasers:
    upload_2019-7-8_23-24-43.png
    And:

    upload_2019-7-8_23-24-21.png


    dnsmasq OpenSSL support
    Dnsmasq uses nettle to handle the crypto portion of DNSSEC, which limits the supported ciphers. @themiron implemented OpenSSL support in dnsmasq, which opens the door for supporting more ciphers.

    The implementation required a fair amount of changes to dnsmasq itself, and so it will require in-depth testing to ensure it works properly. I have already personally observed some oddities: when using my ISP's DNS, I am able to validate DSA signatures despite it not being enabled in dnsmasq. Seems like somehow dnsmasq accepts the upstream server's validation.


    AiMesh support
    The two main technical obstacles (that I was aware of, so far) to supporting AiMesh were:
    - I use a custom format for dhcp_staticlist to store user-defined hostnames
    - AiMesh manipulates/validates firmware versions between all nodes

    A future change to the dhcp_staticlist layout forced me to investigate ways to deal with that. I ended up moving the hostnames to a separate nvram variable for non-HND models, and reading/writing that new setting directly in /jffs for HND models (where a new variable's max length is 255 characters). Doing so allows me to stay 100% compatible with Asus's current (and future) dhcp_staticlist format. It also allows people to enter more static leases than before (since the 2999 characters of dhcp_staticlist no longer need to also include hostnames). And finally it should make cfg_sync (the daemon that syncs settings between AiMesh nodes) happy, and no longer claim that an Asuswrt-Merlin router is running firmware 3.8.4...

    Since the only remaining obstacle was the firmware version handling, I looked into also making it closer to stock firmware. I've settled with storing a bogus version in the webs_state_info variable, and instead storing the real firmware version announced by the update server into a new variable. This required a fair amount of changes and workarounds to deal with this. Also, the update check code needed to be able to handle both my own update server (for the primary node) and Asus's own servers (for all the child nodes). Therefore, there is one restriction: only your primary AiMesh router can run Asuswrt-Merlin. All the other nodes connected to it must run the stock firmware from Asus. Which shouldn't be a problem, as those nodes wouldn't be able to really benefit from the Asuswrt-Merlin enhancements. Starting with alpha 2, Asuswrt-Merlin nodes are supported, however your primary router must also be running Asuswrt-Merlin.


    This is still experimental
    At this point, both of these features are considered experimental projects, in need of thorough testing. The result of these tests will determine if it will be possible to go ahead with either of these features as part of the standard feature set. So, nothing is guaranteed yet. There is still a chance that something will go wrong, and ultimately these features might have to be put back on the shelves.


    Before you begin
    Make a backup of both your Settings and your JFFS partition before you start playing with these experimental builds.

    To use the new dnsmasq support you don't need to do anything: just enable DNSSEC support, then watch the general behaviour. DNS-over-TLS settings should not have any impact on these tests.

    Note that any node (other than the primary router) that you turn into an AiMesh node will be reset to factory default settings (as part of a standard AiMesh setup). So, make a backup of their configurations first if you intend to revert back to a non-AiMesh state with these.


    How to use AiMesh
    The procedure is identical to if you were running a "pure" stock firmware environment. Do a factory default reset on any node you wish to connect (use the Reset button on it to do that; somehow, trying to use the AiMesh Node option on the System Operation Mode page never worked for me). Once the node is done rebooting, log in to your primary router, click on the AiMesh icon on the front page, then click on the button to search for nodes, on the right side panel.

    Also note that only models that have AiMesh support from Asus will get that support in my firmware. So, RT-AC87U and RT-AC3200 remain unsupported for AiMesh.


    Downloads: https://www.asuswrt-merlin.net/test-builds
     
    Last edited: Jul 12, 2019
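The dhcp_staticlist change described above, as an added example that is not Asuswrt-Merlin's own code: a small Python script that splits a hostname-carrying list into a stock-compatible dhcp_staticlist plus a separate hostname list, validates each entry, and checks the 2999-character limit quoted in the post. The layouts it parses are assumptions, since the post does not spell them out: the stock Asus layout is taken to be `<MAC>IP` entries run together, and the older hostname-carrying layout is taken to append `>hostname` to each entry. The sample input is constructed.

```python
"""Split a hostname-carrying dhcp_staticlist into a stock-compatible list plus a
separate hostname list, and check the 2999-character nvram limit.

Added example, not Asuswrt-Merlin code. Assumed layouts (the post does not
give them):
  stock Asus:          <MAC>IP<MAC>IP...
  older Merlin-style:  <MAC>IP>hostname<MAC>IP>hostname...
"""
import ipaddress
import re

STATICLIST_MAX = 2999  # dhcp_staticlist size quoted in the post

# One entry: '<' MAC '>' IP, optionally followed by '>' hostname (up to the next '<').
ENTRY_RE = re.compile(r"<([0-9A-Fa-f:]{17})>([0-9.]+)(?:>([^<]*))?")
MAC_RE = re.compile(r"^(?:[0-9A-F]{2}:){5}[0-9A-F]{2}$")
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_staticlist(raw):
    """Return a list of (mac, ip, hostname) tuples; hostname is '' when absent.

    Walks the string entry by entry so that stray text between entries is
    reported instead of silently skipped.
    """
    entries = []
    pos = 0
    while pos < len(raw):
        m = ENTRY_RE.match(raw, pos)
        if m is None:
            raise ValueError(f"unparseable data at offset {pos}: {raw[pos:pos + 20]!r}")
        mac, ip, host = m.group(1).upper(), m.group(2), m.group(3) or ""
        if not MAC_RE.match(mac):
            raise ValueError(f"bad MAC address: {mac}")
        ipaddress.IPv4Address(ip)  # raises AddressValueError (a ValueError) on a bad IP
        if host and not HOSTNAME_RE.match(host):
            raise ValueError(f"bad hostname for {mac}: {host!r}")
        entries.append((mac, ip, host))
        pos = m.end()
    return entries


def split_for_stock(entries):
    """Build the stock-format dhcp_staticlist and a separate hostname list."""
    staticlist = "".join(f"<{mac}>{ip}" for mac, ip, _ in entries)
    hostnames = "".join(f"<{mac}>{host}" for mac, _, host in entries if host)
    return staticlist, hostnames


def fits_limit(value, limit=STATICLIST_MAX):
    """True when the nvram value is within the size limit."""
    return len(value) <= limit


# Constructed sample input (not taken from a real router).
SAMPLE = (
    "<aa:bb:cc:dd:ee:01>192.168.1.10>nas"
    "<aa:bb:cc:dd:ee:02>192.168.1.11>printer"
    "<aa:bb:cc:dd:ee:03>192.168.1.12"
)

if __name__ == "__main__":
    entries = parse_staticlist(SAMPLE)
    staticlist, hostnames = split_for_stock(entries)
    print(f"{len(entries)} leases")
    print(f"dhcp_staticlist ({len(staticlist)} chars, fits={fits_limit(staticlist)}): {staticlist}")
    print(f"hostnames       ({len(hostnames)} chars): {hostnames}")
```

The split shows why more leases fit afterwards: the hostnames no longer count against the 2999-character budget of dhcp_staticlist, and a strict walk over the string means a corrupted entry surfaces as an error rather than as a silently dropped reservation.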
  2. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    33,278
    Location:
    Canada
    AiMesh
    Things in need of testing:
    • Adding/removing a node
    • Updating the firmware on one of your nodes. Try flashing a slightly older version, then make sure the Firmware Check option as well as the automatic firmware upgrade work properly, allowing you to be notified of new releases, and also reading the release notes posted by Asus.
    • Validate that clients are able to connect to the separate nodes, and also that the nodes stay properly connected
    For Wifi-specific issues, please take a look at the existing posts in the Official Asuswrt Forum here on SNBForums for troubleshooting steps. You may need to tinker with the Roaming Assistant setting, for instance.


    Dnsmasq with OpenSSL
    Things in need of testing:
    • Look for any random lookup failure.
    • Look for any permanent/persisting lookup failure. Note down the website address that fails to resolve.
    • Please test with different nameservers on your WAN page (or different DoT servers)
    • Test with the existing DNSSec validation sites available, like https://rootcanary.org/test.html
    • Keep an eye on memory usage for dnsmasq, look for any steady increase in memory usage over multiple days in case of a potential memory leak
    • Keep an eye on system log for any dnsmasq error message, about "insecure/missing DS records" or anything else
    General
    • Check that your DHCP static reservations were properly converted to the new format, that the list shows normally on the DHCP page
    • Make sure that editing/adding/removing DHCP static reservations still works properly
    • IPSEC could also use some testing, as @themiron did some cleanup to the code, removing some of Asus's customizations that were no longer needed


    When reporting any issue, please provide information about the router(s) model(s), the firmware versions on your AiMesh nodes, the DNS servers used (with or without DoT).
     
    Last edited: Jul 8, 2019
    8thphloor, DaveMishSr, MDM and 13 others like this.
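The dnsmasq test items above (watching the system log for DNSSEC failures and the process memory for a steady climb) lend themselves to a small triage script. This is an added example, not part of the firmware or the thread: it counts dnsmasq "validation ... is SECURE/INSECURE/BOGUS" outcomes over constructed syslog lines, lists the names that failed as BOGUS, and fits a trend line through constructed RSS readings so a single noisy sample does not trigger or hide a leak warning. The log lines and memory figures are constructed; the threshold is an assumption.

```python
"""Triage dnsmasq DNSSEC log lines and spot a steadily growing dnsmasq footprint.

Added example, not part of Asuswrt-Merlin. The log lines are constructed to
resemble dnsmasq's 'validation <name> is <STATUS>' messages; the memory
samples stand in for periodic RSS readings (e.g. from ps or /proc/<pid>/status)
taken over several days.
"""
import re
from collections import Counter

VALIDATION_RE = re.compile(
    r"dnsmasq(?:\[\d+\])?: validation (?P<name>\S+) is (?P<status>SECURE|INSECURE|BOGUS)\b"
)


def triage_dnssec_log(lines):
    """Count validation outcomes and list the names that validated as BOGUS.

    Returns (counts, bogus): counts maps status -> occurrences, bogus maps a
    domain name -> number of BOGUS results. 'validation result is ...' lines
    carry no name and are only counted.
    """
    counts = Counter()
    bogus = Counter()
    for line in lines:
        m = VALIDATION_RE.search(line)
        if m is None:
            continue
        counts[m.group("status")] += 1
        if m.group("status") == "BOGUS" and m.group("name") != "result":
            bogus[m.group("name")] += 1
    return dict(counts), dict(bogus)


def rss_slope(samples):
    """Least-squares slope of the memory samples, in KiB per sampling interval."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    mean_x = (n - 1) / 2
    mean_y = sum(samples) / n
    num = sum((i - mean_x) * (y - mean_y) for i, y in enumerate(samples))
    den = sum((i - mean_x) ** 2 for i in range(n))
    return num / den


def looks_like_leak(samples, min_growth_kib=64):
    """Flag an upward trend whose fitted growth over the window exceeds min_growth_kib.

    The 64 KiB default is an assumed threshold, not a value from the thread.
    """
    slope = rss_slope(samples)
    fitted_growth = slope * (len(samples) - 1)
    return slope > 0 and fitted_growth >= min_growth_kib


# Constructed syslog excerpt (not captured from a real router).
SAMPLE_LOG = [
    "Jul  9 08:00:01 router dnsmasq[1234]: validation www.example.test is SECURE",
    "Jul  9 08:00:02 router dnsmasq[1234]: validation result is SECURE",
    "Jul  9 08:00:05 router dnsmasq[1234]: validation nosig.example.test is INSECURE",
    "Jul  9 08:00:09 router dnsmasq[1234]: validation broken.example.test is BOGUS",
    "Jul  9 08:01:10 router dnsmasq[1234]: validation broken.example.test is BOGUS",
    "Jul  9 08:01:12 router dnsmasq[1234]: query[A] www.example.test from 192.168.1.50",
]
# Constructed RSS readings in KiB, one per sampling interval.
LEAKY_RSS = [4120, 4130, 4150, 4180, 4220, 4270]
STABLE_RSS = [4120, 4125, 4118, 4122, 4119, 4121]

if __name__ == "__main__":
    counts, bogus = triage_dnssec_log(SAMPLE_LOG)
    print("validation outcomes:", counts)
    for name, hits in bogus.items():
        print(f"BOGUS x{hits}: {name}")
    for label, series in (("leaky", LEAKY_RSS), ("stable", STABLE_RSS)):
        print(f"{label}: slope={rss_slope(series):.1f} KiB/interval leak={looks_like_leak(series)}")
```

A name that keeps coming back as BOGUS is the "permanent/persisting lookup failure" the checklist asks to note down, while INSECURE results alone are expected for unsigned zones and are not failures.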
  3. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    33,278
    Location:
    Canada
    Reserved post.
     
    bitmonster and Vexira like this.
  4. Kingp1n

    Kingp1n Very Senior Member

    Joined:
    Feb 27, 2018
    Messages:
    616
    Thanks a lot, RMerlin. We'll def test this new experimental FW. Question: I've been seeing a lot of posts here on how to manually enable AiMesh on your previous finalized FW, which I know is not supported. For those who have already enabled this feature manually, do you recommend they reset their routers prior to testing this trial FW to minimize any errors?
     
    Last edited: Jul 8, 2019
    HuskyHerder likes this.
  5. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    33,278
    Location:
    Canada
    You shouldn't have to. Just make sure however that all your child nodes are running the stock firmware, only the primary router can run Asuswrt-Merlin.
     
    HuskyHerder, Vexira and Kingp1n like this.
  6. Treadler

    Treadler Very Senior Member

    Joined:
    Nov 9, 2017
    Messages:
    711
    Location:
    South Australia
    I will hold off on the Aimesh for now, but very interested in the DNSSEC updates.

    There is a particular web site that I cannot access with DNSSEC enabled.
    All others appear fine......
    If this update nails it, I’m a happy traveller!
     
    scjr likes this.
  7. penguin22

    penguin22 Regular Contributor

    Joined:
    Jan 22, 2014
    Messages:
    143
    I am currently using an RT-AC86U in router mode and RT-AC68P in repeater mode to stretch the wireless over a long distance; no other devices connect to the primary 2.4GHz SSID of the AC86U and the repeated signal of the AC68P is also not used. An RT-AC3200 in AP mode is connected to the LAN port of the AC68P and broadcasting on a non-conflicting channel, which has been rock stable in 384.12 with the only real limitation being that devices connected to the AC3200 AP do not show individually in the client list on the AC86U router since the MAC addresses are reported as the AC68P repeater (known limitation).

    Q1) Would AiMesh still allow for the AC3200 AP to connect to the AC68P via a LAN port and, if so, does this in effect make it a flat LAN, thus allowing devices to report the correct MAC addresses? This is important when wanting to use various services, e.g. QOS or usage and reporting in Diversion, Parental Controls, etc.

    I would test myself and report back, but am away on travel and won't be back until the weekend, so figured you might know ahead of my return.

    Q2a) Also, assuming no other devices are using the primary SSID of the AC86U router, would AiMesh mitigate any performance penalty since the only communication is that of the primary to secondary router?

    Q2b) Alternatively, does AiMesh make it so it shouldn't matter if more devices are using the primary SSID as the performance penalty typically seen in repeater mode is negated otherwise?
     
  8. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    33,278
    Location:
    Canada
    The test builds will have to wait until tomorrow. Dnsmasq is currently crashing at run time on some of the models.
     
  9. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    33,278
    Location:
    Canada
    Penguin: I suggest you ask the general AiMesh questions in a different thread, as this thread is intended for test purposes. I want to keep the noise to a minimum to help keep test results focused, sorry.
     
    QuikSilver and Vexira like this.
  10. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Very Senior Member

    Joined:
    Jun 4, 2019
    Messages:
    1,225
    Question about the test features: does this also disable AiMesh as well? What does it mainly do?

    Code:
    touch /jffs/.gomesh
    reboot
     
    Vexira likes this.
  11. Jack Yaz

    Jack Yaz Part of the Furniture

    Joined:
    Apr 20, 2017
    Messages:
    3,831
    I'd hazard a guess that you have to remove that file, i.e.
    Code:
    rm /jffs/.gomesh
    reboot
     
    visortgw likes this.
  12. Delusion

    Delusion Senior Member

    Joined:
    May 4, 2019
    Messages:
    223
    How can I reset the https://rootcanary.org/test.html website? It gives the last result; I have to wait an hour or more for it to fully begin the test from the beginning, which makes it hard to test this way.
     
  13. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Very Senior Member

    Joined:
    Jun 4, 2019
    Messages:
    1,225
    You need to run a browser cleaner or manually clean your browser junk using the settings of the browser.
     
  14. Delusion

    Delusion Senior Member

    Joined:
    May 4, 2019
    Messages:
    223
    Running it in an InPrivate window seems to do the trick. DSA seems not to be activated for me using the surfnet (securedns3) DNS server.
     
  15. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    33,278
    Location:
    Canada
    This creates a small file which, when present at boot, will cause the router to set the amas_force=1 nvram value. This basically instructs the webui to not hide the AiMesh content.

    To disable, you will have to remove the file, and unset the nvram:

    Code:
    rm /jffs/.gomesh
    nvram unset amas_force
    nvram commit
    reboot
    

    Also might be best to flush your computer's DNS cache. Under Windows, run this in a command prompt:

    Code:
    ipconfig /flushdns
    
     
    visortgw likes this.
  16. karma

    karma Regular Contributor

    Joined:
    Jan 7, 2019
    Messages:
    67
    I'll give the AI Mesh stuff a try/test once the firmware for the rt-ac5300 is available and in front of my routers.

    this is very exciting stuff, thanks Merlin!
     
    Kingp1n likes this.
  17. bbunge

    bbunge Very Senior Member

    Joined:
    Aug 11, 2014
    Messages:
    1,214
    Location:
    Pennsylvania USA
    Should I be impressed with the Root Canary results in the first post when I get the same results with DNSSEC via Stubby? Still feel there should be a choice of where DNSSEC is processed. rootcanary_test.jpg ?
     
  18. heysoundude

    heysoundude Very Senior Member

    Joined:
    Sep 20, 2016
    Messages:
    1,010
    wowzers...AiMesh on a Merlin router is an unexpected surprise...Lucky 13, I suppose.
    I'm holding off until it's release quality, even with RMerlin's caution to only release stuff that he's confident WORKS mostly well/correctly.
     
  19. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    33,278
    Location:
    Canada
    Not everyone wants to use DoT (for instance I personally don't use DoT). This will allow all the same ciphers to be validated by dnsmasq when using your ISP servers.
     
    MDM, Kingp1n, Gar and 2 others like this.
  20. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    33,278
    Location:
    Canada
    eclp, Sicario, L&LD and 7 others like this.