
[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

Quick question regarding DNS over TLS: is there any impact on latency over DNSSEC?

DNSSEC and DoT are two separate, complementary features. One does not replace the other; in an ideal world you actually want both. DNSSEC's role is to validate that the DNS query you received wasn't modified in transit, and that it came from the legitimate authoritative zone (provided of course that zone is signed; only a small percentage of domains use signed zones).

DoT on the other hand is used to encrypt your DNS query between you and the DNS servers so it cannot be spied upon. It doesn't ensure that the reply you receive is a legitimate one; you'd still need DNSSEC for that.

I would expect both of these to add some latency. DoT especially, as it requires establishing a TLS session to transfer the DNS query exchange.
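
An added example (not part of the thread or of the firmware) showing why the two features are complementary: DoT only wraps the unchanged DNS message in a length-prefixed stream inside TLS, while DNSSEC appears inside the message itself, as the DO bit on the query and the AD flag or a SERVFAIL on the reply. The name example.com, the transaction ID and the header-only sample responses are constructed for illustration.

```python
import struct

def build_query(name, qtype=1, txid=0x1234, dnssec_ok=True):
    """DNS query in wire format; dnssec_ok adds an EDNS0 OPT record with the DO bit."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # Header: id, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    msg += qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    if dnssec_ok:
        # OPT: root name, TYPE=41, UDP size, ext-rcode, version, flags (DO=0x8000), RDLEN
        msg += b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return msg

def dot_frame(message):
    """DoT sends the unchanged DNS message over TLS with a 2-byte length prefix."""
    return struct.pack("!H", len(message)) + message

def dot_unframe(stream):
    """Split a decrypted DoT byte stream back into individual DNS messages."""
    messages, pos = [], 0
    while pos < len(stream):
        if pos + 2 > len(stream):
            raise ValueError("truncated length prefix")
        (size,) = struct.unpack_from("!H", stream, pos)
        if pos + 2 + size > len(stream):
            raise ValueError("truncated DoT frame")
        messages.append(stream[pos + 2:pos + 2 + size])
        pos += 2 + size
    return messages

def response_status(message):
    """Return (rcode, ad) from a DNS response header."""
    if len(message) < 12:
        raise ValueError("short DNS header")
    (flags,) = struct.unpack_from("!H", message, 2)
    return flags & 0x000F, bool(flags & 0x0020)  # RCODE, AD (authenticated data)

def classify_samples():
    """Constructed header-only responses: validated, unsigned zone, failed validation."""
    samples = {"signed-ok": 0x81A0, "unsigned": 0x8180, "bogus": 0x8182}
    result = {}
    for label, flags in samples.items():
        header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
        # Round-trip through DoT framing: the transport does not touch the flags.
        (unwrapped,) = dot_unframe(dot_frame(header))
        result[label] = response_status(unwrapped)
    return result

if __name__ == "__main__":
    print(classify_samples())
```

The AD flag is only the upstream resolver's claim that it validated the answer; a validating resolver on the router checks the signatures itself, which is why an encrypted transport alone says nothing about whether the reply is legitimate.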
 
Thanks for the quick reply and explanation!

I haven't noticed any latency difference with DNSSEC on or off. I'll test out the DNS over TLS when I get home later and will report back if I notice any difference.

Thanks again!
 
Just to be clear... we're talking about an occasional increase in latency when doing name resolution. This will not affect, for example, the ping times to a game server, which is nothing to do with name resolution.
 
Ping to a URL resolved it is. Ping to an IP resolved it isn't.

 
@abat119
As Merlin said, as the saying goes there's no such thing as a free lunch. :)
I haven't done any detailed measurements, but one thing I can say is that for me, moving from DNSCrypt to DoT yielded better browsing performance.
 
Following up, I have had no problems with the Quad9 insecure server added in the final release. In my experience, I don't notice any degradation with DoT compared to plain old DNS.

Unrelated, I have been toying around with QoS again since I had to get in and make the changes to add DoT, and have been tweaking with good results. No download minimums required.

 
Quad9 insecure does not provide DNSSEC. Should be used for testing only. See the Quad9 FAQ.

 
Is this log entry from when you were having the problem? Your router's DDNS service thinks your WAN IP address is 192.168.100.11, I suspect this is wrong and probably indicates that your cable modem has rebooted itself.

Can you check your WAN IP address to see if it really is 192.168.100.11 please.

Yes, my wan ip is indeed .100.11, but that doesn't affect me so much, as I don't care about the ddns right now. All I need is to see the router stable (not restarting & providing reliable lan & wifi).
So, should I install this fork instead of the current Merlin build (380.70)? Or the factory firmware and try to return the router into warranty hoping it will be fixed/replaced?
 
I suggest that you install the stock Asus firmware (followed by a factory reset and manual configure). If it is still restarting then try to get it replaced under warranty.

Also, try looking at the logs on your cable modem.
 
Hi guys,

Anyone using AC66U (single core) with high speed ISP connections?

Recently I've upgraded my FTTH from 100/50 to 300/150Mbps and noticed the AC66U easily reaching 60~70% of CPU consumption with not so high speeds like it used to be, especially on P2P.

I use the Asus just for routing/gateway with a few NAT rules and PPPoE WAN setup mode (USB, VPN, QOS and WiFi are all disabled/not in use).

Before the "ISP upgrade" the CPU consumption rarely reached 30% and simple files (p2p) sped up almost instantly; now I am noticing some limitation in scenarios with multiple connections. Could I be reaching the limit of the equipment? :(

Today I'm using the last "official" Merlin (380.70) and thinking about testing LTS. Does it have any improvement in that regard?

Sorry about the bad English :)

Best regards!
 
@onetwobr
The AC66U should be able to handle 300/150 as long as HW (NAT) Acceleration is enabled (without HW Acceleration it will only handle about 150Mbps). You can check the status of HW Acceleration on the Tools > Sysinfo page near the bottom.
 
Oh, I forgot to mention that, but HW Acceleration is enabled, as well as IPv6 (native).

I engaged a couple of torrent files to test speed again and here's the router usage:

[Images: asus_load_cpu_load.png, asus_load_hw.png]

During the tests the aggregate speed of the torrents did not exceed 10~12MB/s in each direction simultaneously (even with many seeds and peers). With just one file in the download queue I still have not seen the speed go above 15 or 20MB/s in a sustained way.

[Image: asus_load_traffic.png]


So far I've only been able to achieve higher speeds on "simple" connections (http/ftp download, speedtest, iperf, wget, etc.).

Next weekend I'll do more tests with the Merlin LTS and also with the ONT/HGU that the ISP provided me working in router mode; it has the BCM68380 chipset (2-core @ 600 MHz) and today is running in bridge mode with the AC66U doing all the work.

Thanks a lot for the reply and best regards from Brazil.
Eduardo.
 
I have the AC66U. I had issues with internet on cable 100/10, then switched providers and modem for a better deal and my internet was better, especially if having active torrents; speeds tanked when torrents were running.
W/new provider and modem all is great now, torrents don't mess up speeds and/or lag.
Was the problem because of the old provider or modem? IDK.
YMMV, IMO
 
I recently switched from Asus-Merlin to John's fork for my RT-N66U.
I initially installed 33E7j9527, following a full reset. I was able to successfully run one instance of openvpn-server and one of openvpn-client. I could stop and start each with no issues. Disconnect and reconnect clients from the openvpn-server and stop/start the openvpn-client without issue. 33E7 has been working flawlessly for me.

I upgraded to 34E3. The openvpn-client appears to work fine. However, openvpn-server needs to be restarted after disconnecting a client session in order to have subsequent successful connections. The second connection attempt gets as far as auth and waits (no success or failure) and the 3rd attempt results in nothing at all (according to the router's log). This happens with or without an openvpn client running on the router. service restart_openvpnserver1 solves this. But I need to do this after each client disconnect and of course I can't do it remotely once I'm disconnected from the vpn server. I prefer not to have ssh enabled on the WAN interface.

Reverting to 33E7 (again without a reset) resolves the issue. I can disconnect/reconnect and I can have two clients connected simultaneously. I'm using username/password with custom server ca and server certs plus client certs.
I have jffs enabled and have some custom dnsmasq settings to assign a few devices a pihole DNS. That's the only jffs customisation I have.
dnsmasq is, as I understand it, one of the changes between the two firmwares. Maybe it is relevant, though it seems unlikely.
Code:
#/jffs/config/dnsmasq.conf.add
dhcp-option=tag:pihole_dns,option:dns-server,192.168.0.35
## tablet
dhcp-host=BC:20:A4:AA:AA:AA,set:pihole_dns
## phone
dhcp-host=40:88:05:BB:BB:BB,set:pihole_dns
I am not sure if this is a quirk of my setup or an issue with firmware 34E3.
Does amazon affiliate link work if I switch to amazon.co.uk?
 
I have a slightly different setup (I don't use individual client certs), but I just connected/disconnected several times in a row without a problem. There was no change in the VPN server between 33E7 and 34E3. I doubt that dnsmasq is playing into it.

One thing you might try since you are running an N66: back up your jffs on 33E7. Then when you move to 34E3, reformat your jffs space and restore the backup from 33E7. (The jffs space on the N66 is allocated from space left over after the firmware is loaded, and a change in the firmware size can corrupt jffs.)
 
I will try that next time I get the opportunity and report back.
Many thanks for the help and the firmware.
 
Sorry for the delay in answering.

I think my scenario is a bit different because I just changed/increased the speed on the same provider, all the equipment remained the same.

With high traffic I believe that the CPU load of your AC66U should not exceed 20~30% average, right? It was what I had too, but when I increased from 100/50 to 300/150 the processor load went up in the same proportion (basically 3 times!) and it did not take long for me to realize that this was affecting even browsing the web at certain times.

Anyway, yesterday I turned off the Asus and left only the equipment provided by the ISP routing my network and the results were better, confirming that the hardware of the AC66U should have some limitation around 150~200Mbps in "real world" (with multiple connections opened simultaneously, like torrent).

I still want to test John's firmware but today I found a RB750Gr3 (hEX) for a good deal and I'm going to test it at the weekend; depending on the results I can still sell the AC66U and end up with some money in my pocket :cool:

Thanks for the reply and please forgive my bad English :)
 
Hi John,

I've tried to compile a firmware for my RT-N66U and RT-N16 on Debian 9 and Ubuntu 16.04 and am getting the error:

make[4]: Leaving directory '/home/debian/asuswrt-merlin-374.43_2-update/release/src/router/zlib'
make -C wget
make[4]: Entering directory '/home/debian/asuswrt-merlin-374.43_2-update/release/src/router/wget'
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/bash /home/debian/asuswrt-merlin-374.43_2-update/release/src/router/wget/build-aux/missing aclocal-1.15 -I m4
configure.ac:499: warning: macro 'AM_PATH_GPGME' not found in library
missing file lib/fopen.c
configure.ac:269: error: expected source file, required through AC_LIBSOURCES, not found
m4/gnulib-comp.m4:316: gl_INIT is expanded from...
configure.ac:269: the top level
autom4te: /usr/bin/m4 failed with exit status: 1
aclocal-1.15: error: echo failed with exit status: 1
Makefile:1450: recipe for target 'aclocal.m4' failed
make[4]: *** [aclocal.m4] Error 1
make[4]: Leaving directory '/home/debian/asuswrt-merlin-374.43_2-update/release/src/router/wget'
Makefile:3614: recipe for target 'wget' failed
make[3]: *** [wget] Error 2
make[3]: Leaving directory '/home/debian/asuswrt-merlin-374.43_2-update/release/src/router'
Makefile:185: recipe for target 'all' failed
make[2]: *** [all] Error 2
make[2]: Leaving directory '/home/debian/asuswrt-merlin-374.43_2-update/release/src-rt-6.x'
Makefile:2549: recipe for target 'bin' failed
make[1]: *** [bin] Error 2
make[1]: Leaving directory '/home/debian/asuswrt-merlin-374.43_2-update/release/src-rt-6.x'
Makefile:2619: recipe for target 'rt-n66u' failed
make: *** [rt-n66u] Error 2

any idea how to fix it?

thanks
 
make sure you have automake-1.15 installed

EDIT: I have both automake-1.15 and automake 1.11 installed....some packages are particular in looking for a specific level.
 