[Experimental] Asuswrt-Merlin 384.13 test - AiMesh/DNSSEC through OpenSSL

RMerlin

Asuswrt-Merlin dev
First, the teasers:

[screenshot: upload_2019-7-8_23-24-43.png]

And:

[screenshot: upload_2019-7-8_23-24-21.png]


dnsmasq OpenSSL support
Dnsmasq uses nettle to handle the crypto portion of DNSSEC, which limits the supported ciphers. @themiron implemented OpenSSL support in dnsmasq, which opens the door for supporting more ciphers.

The implementation required a fair amount of changes to dnsmasq itself, and so it will require in-depth testing to ensure it works properly. I have already personally observed some oddities: when using my ISP's DNS, I am able to validate DSA signatures despite it not being enabled in dnsmasq. Seems like somehow dnsmasq accepts the upstream server's validation.


AiMesh support
The two main technical obstacles (that I was aware of, so far) to supporting AiMesh were:
- I use a custom format for dhcp_staticlist to store user-defined hostnames
- AiMesh manipulates/validates firmware versions between all nodes

A future change to dhcp_staticlist layout forced me to investigate ways to deal with that. I ended up moving the hostnames to a separate nvram variable for non-HND models, and reading/writing that new setting directly in /jffs for HND models (where a new variable's max length is 255 characters). Doing so allows me to stay 100% compatible with Asus's current (and future) dhcp_staticlist format. It also allows people to enter more static leases than before (since the 2999 characters of dhcp_staticlist no longer need to also include hostnames). And finally it should make cfg_sync (the daemon that syncs settings between AiMesh nodes) happy, and no longer claiming that an Asuswrt-Merlin router is running firmware 3.8.4...

Since the only remaining obstacle was the firmware version handling, I looked into also making it closer to stock firmware. I've settled on storing a bogus version in the webs_state_info variable, and instead storing the real firmware version announced by the update server into a new variable. This required a fair amount of changes and workarounds. Also, the update check code needed to be able to handle both my own update server (for the primary node) and Asus's own servers (for all the child nodes). Therefore, there is one restriction: only your primary AiMesh router can run Asuswrt-Merlin. All the other nodes connected to it must run the stock firmware from Asus. Which shouldn't be a problem, as those nodes wouldn't be able to really benefit from the Asuswrt-Merlin enhancements. Starting with alpha 2, Asuswrt-Merlin nodes are supported, however your primary router must also be running Asuswrt-Merlin.


This is still experimental
At this point, both of these features are considered experimental projects, in need of thorough testing. The result of these tests will determine if it will be possible to go ahead with either of these features as part of the standard feature set. So, nothing is guaranteed yet. There is still a chance that something will go wrong, and ultimately these features might have to be put back on the shelves.


Before you begin
Make a backup of both your Settings and your JFFS partition before you start playing with these experimental builds.

To use the new dnsmasq support you don't need to do anything: just enable DNSSEC support, then watch the general behaviour. DNS-over-TLS settings should not have any impact on these tests.

Note that any node (other than the primary router) that you turn into an AiMesh node will be reset to factory default settings (as part of a standard AiMesh setup). So, make a backup of their configurations first if you intend to revert back to a non-AiMesh state with these.


How to use AiMesh
The procedure is identical to if you were running a "pure" stock firmware environment. Do a factory default reset on any node you wish to connect (use the Reset button on it to do that; somehow trying to use the AiMesh Node option on the System Operation Mode page never worked for me). Once the node is done rebooting, log in to your primary router, click on the AiMesh icon on the front page, then click on the button to search for nodes, on the right side panel.

Also note that only models that have AiMesh support from Asus will get that support in my firmware. So, RT-AC87U and RT-AC3200 remain unsupported for AiMesh.


Downloads: https://www.asuswrt-merlin.net/test-builds
 
AiMesh
Things in need of testing:
  • Adding/removing a node
  • Updating the firmware on one of your nodes. Try flashing a slightly older version, then make sure the Firmware Check option as well as the automatic firmware upgrade work properly, allowing you to be notified of new releases, and also reading the release notes posted by Asus.
  • Validate that clients are able to connect to the separate nodes, and also that the nodes stay properly connected
For Wifi-specific issues, please take a look at the existing posts in the Official Asuswrt Forum here on SNBForums for troubleshooting steps. You may need to tinker with the Roaming Assistant setting, for instance.


Dnsmasq with OpenSSL
Things in need of testing:
  • Look for any random lookup failure.
  • Look for any permanent/persisting lookup failure. Note down the website address that fails to resolve.
  • Please test with different nameservers on your WAN page (or different DoT servers)
  • Test with the existing DNSSEC validation sites available, like https://rootcanary.org/test.html
  • Keep an eye on memory usage for dnsmasq, look for any steady increase in memory usage over multiple days in case of a potential memory leak
  • Keep an eye on system log for any dnsmasq error message, about "insecure/missing DS records" or anything else
General
  • Check that your DHCP static reservations were properly converted to the new format, that the list shows normally on the DHCP page
  • Make sure that editing/adding/removing DHCP static reservations still work properly
  • IPSEC could also use some testing, as @themiron did some cleanup to the code, removing some of Asus's customizations that were no longer needed


When reporting any issue, please provide information about the router(s) model(s), the firmware versions on your AiMesh nodes, the DNS servers used (with or without DoT).
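The test list above asks testers to watch for lookup failures, DNSSEC validation behaviour, dnsmasq log messages and dnsmasq memory growth. The following script is an added example for doing that from a shell; it is not code from the original post or from the Asuswrt-Merlin project. It assumes the router answers DNS on 192.168.1.1, that the syslog is at /tmp/syslog.log, and that dnsmasq's log lines use the "validation result is ..." and "Insecure DS reply received for ..." wording; the test domains named in the usage comment are also assumptions, and the expected outcome for each is what a correctly validating resolver should return at the time of writing.

```shell
#!/bin/sh
# Added example for this test round; not code from the original post or from
# the Asuswrt-Merlin project. Three small checks that map onto the
# "Dnsmasq with OpenSSL" test list: probe DNSSEC validation through the
# router's dnsmasq with dig, count validation outcomes in the syslog, and
# sample dnsmasq's resident memory so growth over days can be spotted.
# Assumptions: the router answers on 192.168.1.1, the syslog lives at
# /tmp/syslog.log, and the log wording below follows dnsmasq's
# "validation result is ..." and "Insecure DS reply received for ..." lines.
# Adjust the patterns to whatever your own log actually shows.

RESOLVER="${RESOLVER:-192.168.1.1}"
SYSLOG="${SYSLOG:-/tmp/syslog.log}"

# classify_dig: read dig output on stdin and print one word:
#   SECURE    status NOERROR and the AD (authenticated data) flag is set
#   INSECURE  status NOERROR without AD (unsigned zone, or the upstream
#             validated but dnsmasq did not, as observed in the first post)
#   BOGUS     status SERVFAIL, which is how a validating resolver reports
#             a failed signature check
#   OTHER     anything else (NXDOMAIN, timeout, dig missing, no header)
classify_dig() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)
            case " $flags " in
                *" ad "*) echo SECURE ;;
                *)        echo INSECURE ;;
            esac ;;
        SERVFAIL) echo BOGUS ;;
        *)        echo OTHER ;;
    esac
}

# check_domain NAME: one query with the DO bit set so dnsmasq validates
check_domain() {
    dig @"$RESOLVER" +dnssec +adflag +time=5 +tries=1 "$1" A 2>/dev/null | classify_dig
}

# summarize_dnssec_log: read syslog text on stdin, print one line of counts.
# "|| true" keeps grep -c's exit status 1 (zero matches) from aborting
# a script run under "set -e".
summarize_dnssec_log() {
    log=$(cat)
    secure=$(printf '%s\n' "$log"   | grep -c 'validation result is SECURE'   || true)
    insecure=$(printf '%s\n' "$log" | grep -c 'validation result is INSECURE' || true)
    bogus=$(printf '%s\n' "$log"    | grep -c 'validation result is BOGUS'    || true)
    ds=$(printf '%s\n' "$log"       | grep -c 'Insecure DS reply received'    || true)
    printf 'secure=%s insecure=%s bogus=%s ds_warnings=%s\n' "$secure" "$insecure" "$bogus" "$ds"
}

# rss_kb_from_status: read a /proc/<pid>/status dump on stdin, print VmRSS in kB
rss_kb_from_status() {
    sed -n 's/^VmRSS:[[:space:]]*\([0-9]*\) kB.*/\1/p' | head -n 1
}

# dnsmasq_rss_kb: live sample on the router; pidof may list several pids,
# so take the first one
dnsmasq_rss_kb() {
    pid=$(pidof dnsmasq | cut -d' ' -f1)
    [ -n "$pid" ] && rss_kb_from_status < "/proc/$pid/status"
}

# Usage (probe from any LAN host with dig; log and mem on the router itself):
#   sh dnssec_check.sh probe internetsociety.org dnssec-failed.org
#       (assumed: the first is signed -> SECURE, the second is deliberately
#        broken -> BOGUS; an INSECURE for a signed zone is worth reporting)
#   sh dnssec_check.sh log
#   sh dnssec_check.sh mem     # append to a file from cron to trend RSS over days
case "${1:-}" in
    probe) shift; for name in "$@"; do
               printf '%-30s %s\n' "$name" "$(check_domain "$name")"
           done ;;
    log)   summarize_dnssec_log < "$SYSLOG" ;;
    mem)   dnsmasq_rss_kb ;;
    *)     : ;;   # no argument: only define the functions (file can be sourced)
esac
```

Running the probe in a loop (for example every few minutes against the same set of names) is a cheap way to catch the random lookup failures the list asks about: any name that flips between SECURE and OTHER across runs is a candidate to note down with the nameserver in use.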
 
Thanks a lot RMerlin. We'll definitely test this new experimental FW.... question.. I've been seeing a lot of posts here on how to manually enable AiMesh on your previous finalized FW, which I know isn't supported. For those who have already enabled this feature manually... do you recommend they reset their routers prior to testing this trial FW to minimize any errors?
 
Thanks a lot RMerlin. We'll definitely test this new experimental FW.... question.. I've been seeing a lot of posts here on how to manually enable AiMesh on your previous finalized FW, which I know isn't supported. For those who have already enabled this feature manually... do you recommend they reset their routers prior to testing this trial FW to minimize any errors?

You shouldn't have to. Just make sure however that all your child nodes are running the stock firmware, only the primary router can run Asuswrt-Merlin.
 
I will hold off on the Aimesh for now, but very interested in the DNSSEC updates.

There is a particular web site that I cannot access with DNSSEC enabled.
All others appear fine......
If this update nails it, I’m a happy traveller!
 
Also note that only models that have AiMesh support from Asus will get that support in my firmware. So, RT-AC87U and RT-AC3200 remain unsupported for AiMesh.
I am currently using an RT-AC86U in router mode and RT-AC68P in repeater mode to stretch the wireless over a long distance; no other devices connect to the primary 2.4GHz SSID of the AC86U and the repeated signal of the AC68P is also not used. An RT-AC3200 in AP mode is connected to the LAN port of the AC68P and broadcasting on a non-conflicting channel, which has been rock stable in 384.12 with the only real limitation being that devices connected to the AC3200 AP do not show individually in the client list on the AC86U router since the MAC addresses are reported as the AC68P repeater (known limitation).

Q1) Would AiMesh still allow for the AC3200 AP to connect to the AC68P via a LAN port and, if so, does this in effect make it a flat LAN, thus allowing devices to report the correct MAC addresses? This is important when wanting to use various services, e.g. QOS or usage and reporting in Diversion, Parental Controls, etc.

I would test myself and report back, but am away on travel and won't be back until the weekend, so figured you might know ahead of my return.

Q2a) Also, assuming no other devices are using the primary SSID of the AC86U router, would AiMesh mitigate any performance penalty since the only communication is that of the primary to secondary router?

Q2b) Alternatively, does AiMesh make it so it shouldn't matter if more devices are using the primary SSID as the performance penalty typically seen in repeater mode is negated otherwise?
 
The test builds will have to wait until tomorrow. Dnsmasq is currently crashing at run time on some of the models.
 
Penguin: I suggest you ask the general AiMesh questions in a different thread, as this thread is intended for test purposes. I want to keep the noise to a minimum to help keeping test results focused, sorry.
 
Penguin: I suggest you ask the general AiMesh questions in a different thread, as this thread is intended for test purposes. I want to keep the noise to a minimum to help keeping test results focused, sorry.

Question about test features: does this also disable AiMesh as well? What does it mainly do?

Code:
touch /jffs/.gomesh
reboot
 
How can I reset the https://rootcanary.org/test.html website? It gives the last result; I have to wait an hour or more for it to fully begin the test from the beginning, which makes it hard to test this way.
 
You need to run a browser cleaner or manually clean your browser junk using the settings of the browser.
Running it in an InPrivate window seems to do the trick. DSA seems not activated for me using the surfnet (securedns3) DNS server.
 
Question about test features: does this also disable AiMesh as well? What does it mainly do?

Code:
touch /jffs/.gomesh
reboot

This creates a small file which, when present at boot, will cause the router to set the amas_force=1 nvram value. This basically instructs the webui to not hide the AiMesh content.

To disable, you will have to remove the file, and unset the nvram:

Code:
rm /jffs/.gomesh
nvram unset amas_force
nvram commit
reboot


You need to run a browser cleaner or manually clean your browser junk using the settings of the browser.

Also might be best to flush your computer's DNS cache. Under Windows, run this in a command prompt:

Code:
ipconfig /flushdns
 
I'll give the AiMesh stuff a try/test once the firmware for the RT-AC5300 is available and in front of my routers.

this is very exciting stuff, thanks Merlin!
 
Should I be impressed with the Root Canary results in the first post when I get the same results with DNSSEC via Stubby? Still feel there should be a choice of where DNSSEC is processed.
[screenshot: rootcanary_test.jpg]
 
wowzers...AiMesh on a Merlin router is an unexpected surprise...Lucky 13, I suppose.
I'm holding off until it's release quality, even with RMerlin's caution to only release stuff that he's confident WORKS mostly well/correctly.
 
Should I be impressed with the Root Canary results in the first post when I get the same results with DNSSEC via Stubby?

Not everyone wants to use DoT (for instance I personally don't use DoT). This will allow all the same ciphers to be validated by dnsmasq when using your ISP servers.
 