[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

[Builder71]

updated my good old n66u today to 19e3, no problems seen so far. Thanks John!

Same here, thx.

19B8 -> 19E3

 

[4M4rU]

hi dears
i have one rt-n66u & have problem about mac filter. after many search i know [fork] merlin dont have problem about this. and now have some question:
1- [fork] merlin better or asuswrt-merlin?
2- how can install [fork] merlin? because my fw now is merlin 380.62-beta & when i want update [fork] merlin fw like normal fw, modem show an error about certificate & dont update!!!
3- after update to [fork] merlin may i back to merlin more??
thank you

 

[nivek1612]

Using the latest version of the firmware on RT-AC68U connected to on Sky Fibre in the UK and I have to say its fantastic and working well with IPv6 giving me a score of 19/20 on the http://ipv6-test.com/ test site

.... BUT

and it may be just may lack of knowledge re IPv6.
I have a server running on my network that listens out on port X.

In my port forwarding rules for IPv4 I forward any traffic that arrives on IPv4 public IP address to port X to the relevant local IPv4 lan address of my server. This works perfectly.

However I'm trying to set up the same for IPv6 but not getting what I expect
I have tried the following in the IPV6 firewall tab.

Turn off the IPV6 firewall - this allows access to the server of course but I don't want the firewall off
Turn on the firewall and forward port X as follows to:
- The IPv6 link Local address of my server - this fails
- The Public IPv6 Address based on the MAC address and Prefix - this also fails
- The Public TEMPORARY IPv6 address - This works but of course as a temporary address there is little point using it

In my limited IPv6 knowledge I would expect to use the Link Local address as that is fixed in that its always going to be based on the MAC. My public IPv6 address is only sticky (not fixed) as the prefix can change

What am I doing wrong ?

 

[john9527]

hi dears
i have one rt-n66u & have problem about mac filter. after many search i know [fork] merlin dont have problem about this. and now have some question:
1- [fork] merlin better or asuswrt-merlin

Some people may get better performance from this fork, but it's really based on each individual environment. You need to try it for yourself.

2- how can install [fork] merlin? because my fw now is merlin 380.62-beta & when i want update [fork] merlin fw like normal fw, modem show an error about certificate & dont update!!!

You need to use the ASUS Firmware Restoration tool to downlevel from the later ASUS and Merlin builds. You can find instructions and the application on the ASUS support website.

3- after update to [fork] merlin may i back to merlin more??
thank you

Yes, you can go forward using the normal router gui.

 

[bbunge]

hi dears
i have one rt-n66u & have problem about mac filter. after many search i know [fork] merlin dont have problem about this. and now have some question:
1- [fork] merlin better or asuswrt-merlin?
2- how can install [fork] merlin? because my fw now is merlin 380.62-beta & when i want update [fork] merlin fw like normal fw, modem show an error about certificate & dont update!!!
3- after update to [fork] merlin may i back to merlin more??
thank you

Use the Asus recovery tool and flash the latest Johns fork. I just did just that to my N66R and did a factory reset afterwards then configured the router. Bill

Sent from my P01M using Tapatalk

 

[john9527]

Turn off the IPV6 firewall - this allows access to the server of course but I don't want the firewall off
Turn on the firewall and forward port X as follows to:

Since your IPv6 address is unique, you really aren't 'forwarding' any ports. You are just opening the firewall for the specific address and port. I double checked, and the correct firewall rules are being generated.

- The IPv6 link Local address of my server - this fails

This is to be expected. Link local address are 'local' and not routeable.

- The Public IPv6 Address based on the MAC address and Prefix - this also fails

I'm guessing your are using Windows clients. Microsoft, in it's infinite wisdom defaults to NOT generating the public address based on the MAC, but using a pseudo-random algorithm based on the MAC (AFAIK, it's a sticky algorithm). Easiest way to see what this address is is to do an 'ipconfig /all' on the Windows machine. Alternatively, I've attached a zip file that contains some useful cmd files for changing the Windows IPv6 options. One of them disables this random address generation and makes windows use the Modified EUI-64 standard.

- The Public TEMPORARY IPv6 address - This works but of course as a temporary address there is little point using it

Also expected.

Attached is my little set of Windows IPv6 configuration scripts. (rename the file to remove the .pdf extension, then unzip) It includes Enable/Disable cmd scripts (run as Administrator) for

• Random Address (This is the base public address mentioned above)
• Temporary Address generation (personal preference)
• Teredo (My recommendation is to disable Teredo if you are using another IPv6 option)
• ISATAP

EDIT: You need to reboot the Windows machine after changing any of these options.

 

[nivek1612]

Thanks for the quick reply

I'm actually using Mac OS and getting the respective ipv6 addresses via the 'ifconfig en0' cmd from the terminal prompt
I was trying the Link Local - I understand now from further reading that this is not routable, trying to ping6 it confirms this

I also tried the other addresses that ifconfig gave me

inet6 2a02:c7f:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx prefixlen 64 autoconf - DID NOT WORK

inet6 2a02:c7f:xxxx:xxxx:yyyy:yyyy:yyyy:yyyy prefixlen 64 autoconf temporary - WORKED

Are you saying Mac OS is behaving like windows in the address is creates is not real ?
The big challenge of course with either of these addresses is they are based on the allocated prefix which is not fixed only sticky

 

[john9527]

You can check the public address generation via the following....
if the MAC is
m1:m2:m3:m4:m5:m6

EUI-64 will give an address
prefix:m1<m2&2>:m3FF:FEm4:m5m6 (the m2 entry is and'ed with 0x02)

If you are still having a problem, the Mac OS firewall may be blocking the access.

The big challenge of course with either of these addresses is they are based on the allocated prefix which is not fixed only sticky

That's why we added the 'No release' option. But ultimately, it's a limitation of the ISP not providing static addresses.

 

[Gravityz]

installed V19E3 (upgraded from V16)

formatted jffs afterwards just to make sure

all fine

 

[nivek1612]

You can check the public address generation via the following....
if the MAC is
m1:m2:m3:m4:m5:m6

EUI-64 will give an address
prefix:m1<m2&2>:m3FF:FEm4:m5m6 (the m2 entry is and'ed with 0x02)

If you are still having a problem, the Mac OS firewall may be blocking the access.


That's why we added the 'No release' option. But ultimately, it's a limitation of the ISP not providing static addresses.

John9527 I feel foolish now.

I'm using Duiadns IPv6 update client, It passes the current TEMPORARY address to my DUIA DDNS to set the HOSTNAME of my Server. The Duiadns client then maintains the IPV6 address as it changes overtime. There lies the problem.

I was thinking of the firewall rules as port forwarding like in IPv4 of course you mentioned above

Since your IPv6 address is unique, you really aren't 'forwarding' any ports. You are just opening the firewall for the specific address and port. I double checked, and the correct firewall rules are being generated.

Hence of course accessing my server using its TEMPORARY address and trying to route to its permanent ADDRESS gives an error
If I set the HOSTNAME of my server to my permanent IPv6 address as a test then of course the firewall rule can be used with that IPV6 address and all is well (until the prefix changes) and will allow the connection.

On the point of sticky IPv6 prefixes is there any plans to allow a MAC address to be specified as the destination so any call to port X will got to a certain MAC address.

 

[john9527]

If I set the HOSTNAME of my server to my permanent IPv6 address as a test then of course the firewall rule can be used with that IPV6 address and all is well (until the prefix changes) and will allow the connection.

Glad to hear the pieces came together and you figured it out.

On the point of sticky IPv6 prefixes is there any plans to allow a MAC address to be specified as the destination so any call to port X will got to a certain MAC address.

Sorry, but AFAIK not possible. MAC addresses can't travel outside of the originating lan. So it is possible to filter on outgoing (source) MACs, but there is no info available to filter on incoming (destination) MACs.

 

[nivek1612]

Thanks for your help John9527

 

[john9527]

On the point of sticky IPv6 prefixes is there any plans to allow a MAC address to be specified as the destination so any call to port X will got to a certain MAC address.

Sorry, but AFAIK not possible. MAC addresses can't travel outside of the originating lan. So it is possible to filter on outgoing (source) MACs, but there is no info available to filter on incoming (destination) MACs.

Hmmm....I did a little more research and there may be a way with EUI-64 (SLAAC) addresses I need to experiment a bit.

 

[nivek1612]

Hmmm....I did a little more research and there may be a way with EUI-64 (SLAAC) addresses I need to experiment a bit.

Sounds interesting

 

[ColinTaylor]

Hmmm....I did a little more research and there may be a way with EUI-64 (SLAAC) addresses I need to experiment a bit.

This sounds like the solution!

http://blog.dupondje.be/?p=17

 

[john9527]

This sounds like the solution!

http://blog.dupondje.be/?p=17

That's the one I found

 

[Nullity]

This sounds like the solution!

http://blog.dupondje.be/?p=17

Let us know if it works in practice.

IPv6's Privacy Extensions are a potential problem.

 

[ColinTaylor]

Let us know if it works in practice.

IPv6's Privacy Extensions are a potential problem.

Interesting. Looks like Windows clients will have to issue the following to disable RFC 4941.

netsh int ipv6 set global randomizeidentifiers=disable store=active

I guess enabling it by default makes sense. After all, the vast majority of users on the internet would want it enabled. A bit of a hassle though (remembering to disable it).

http://computer-outlines.over-blog.com/article-windows-ipv6-privacy-addresses-118018020.html

 

[john9527]

Interesting. Looks like Windows clients will have to issue the following to disable RFC 4941.

That was one of the cmd scripts in the zip I attached a couple of posts back.

 

[ColinTaylor]

That was one of the cmd scripts in the zip I attached a couple of posts back.

Doh! As usual you're way ahead of us John.