[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

I sometimes get similar symptoms on one of the bands at a time (2.4 or 5Ghz), what I usually do to solve it is hide and un-hide the SSID, after that the radio remains stable until a reset occurs.

thanks, will try that if it happens again.
 
If I wanted to downgrade to an older version (from V16 to V13) would that be possible without resetting to defaults?
 
If I wanted to downgrade to an older version (from V16 to V13) would that be possible without resetting to defaults?

John has said a factory reset is not needed when going from one version to the other with this fork.
 
If I wanted to downgrade to an older version (from V16 to V13) would that be possible without resetting to defaults?

Why would you want to downgrade to a much older version, if you don't mind me asking? Is v13 better/more stable than the latest release?
 
Hi

I am hoping one of the masters here can help me and since this is an older merlin build, 374.38_2, and I did not want to start an entire new thread I thought posting it here may help me.

I am trying to get the entries of my /jffs/scripts/firewall-start file to log to the system log (or any log).

These are ip drop entries. When pinged I get general failure but I have tried a number of things to get them to be logged with no joy.

Log and drop, new chain log and drop, logdrop, merlin firewall toggle log dropped and nothing appears in the log. I read that you need to mod a conf file but can not seem to locate that in this build.

Any help would be greatly appreciated

Regards
 
Why would you want to downgrade to a much older version, if you don't mind me asking? Is v13 better/more stable than the latest release?
Both versions are stable, the problem I am having is with the traffic monitor. It isn't showing correct values. The older v13 (which was the previous version I had) had that working properly.
 
I finally upgraded my network to include the RT-AC3200 as my primary router, connecting my drobo to that, and the RT-AC66R wirelessly to it. I put it into Media bridge successfully for the first time and I can say the performance of the AC66R is now very impressive. I do the detailed power settings you have on your firmware with the AC3200. My first thought was "where's John's version for the AC3200." Thank you for all your hard work!
 
@Shayne We'll have to see your firewall-start before we can help you.

Right now I am working on a few :), listed below

#!/bin/sh
iptables -I OUTPUT -d xxx.xxx.xxx.xxx -j DROP

iptables -A OUTPUT -d xxx.xxx.xxx.xxx -j DROP

iptables -I OUTPUT -d xxx.xxx.xxx.xxx -j REJECT

iptables -A OUTPUT -d xxx.xxx.xxx.xxx -j REJECT

I am looking to log the dropped IP and need a point, thanks.

I do not see the log function in help, as I see with online linux examples.

iptables -I OUTPUT -d xxx.xxx.xxx.xxx -j LOG --log-prefix "IP:# "

Regards
 
Err, OK. That looks kind of strange. So you want to block outgoing traffic from the router, not clients on your LAN. Correct?
Code:
#!/bin/sh

iptables -I OUTPUT -d xxx.xxx.xxx.xxx -j logdrop
You can use the existing "logdrop" chain to log DROP messages to syslog.
 
Thank you for your time. I had already tried that chain but have again with no luck. I tried it with the GUI firewall "logged packet types" set to none, dropped, both and still no logging (which one should be set in the GUI, should none still work and it is overridden?). If I ping out, from a local machine, to one of the ip's it should be logged correct?
firewall-start
#!/bin/sh
iptables -I OUTPUT -d xxx.xxx.xxx.xxx -j logdrop
iptables -I OUTPUT -d xxx.xxx.xxx.xxx -j logdrop
iptables -I OUTPUT -d xxx.xxx.xxx.xxx -j logdrop
iptables -I OUTPUT -d xxx.xxx.xxx.xxx -j logdrop
iptables -I OUTPUT -d xxx.xxx.xxx.xxx -j logdrop
iptables -I OUTPUT -d xxx.xxx.xxx.xxx -j logdrop
.
.
.

Output of command

# iptables -L -v
.
.
.
.

Chain OUTPUT (policy ACCEPT 49892 packets, 25M bytes)
pkts bytes target prot opt in out source destination
0 0 logdrop all -- any any anywhere xxx.xxx.xxx.xxx
0 0 logdrop all -- any any anywhere xxx.xxx.xxx.xxx
0 0 logdrop all -- any any anywhere xxx.xxx.xxx.xxx
.
.
.
.
Chain logdrop (52 references)
pkts bytes target prot opt in out source destination
3056 182K LOG all -- any any anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP'
3308 192K DROP all -- any any anywhere anywhere

Ping out from local network

ping xxx.xxx.xxx.xxx

Pinging xxx.xxx.xxx.xxx with 32 bytes of data:
General failure.
General failure.
General failure.
General failure.

Ping statistics for 65.55.252.92:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

I know one ip's is sending but still no joy in getting the log to work. Must be something simple that I am doing wrong. Clear log is working as seen in tmp/syslog.log (and mirrors the gui). Your input is appreciated.

Regards
 
I tried it with the GUI firewall "logged packet types" set to none, dropped, both and still no logging (which one should be set in the GUI, should none still work and it is overridden?).
It makes no difference, so set it to "none".
If I ping out, from a local machine, to one of the ip's it should be logged correct?
No. That is the point I made earlier. The OUTPUT chain is only for traffic originating from the router itself, not the LAN.

If you want to log/block traffic from the LAN you must use the FORWARD chain. Because there are already entries in the FORWARD chain you must make sure you insert your rules in the correct position. This should work:
Code:
iptables -I FORWARD 5 -d xxx.xxx.xxx.xxx -i br0 -j logdrop

The "General failure" message from your ping might suggest that there is already something on your PC that is blocking the outgoing traffic.
 
Thank you;

Pinging xxx.xxx.xxx.xxx with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for xxx.xxx.xxx.xxx
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Feb 19 15:53:55 kernel: DROP <4>DROPIN=br0 OUT=tun11 <1>SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx <1>LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4829 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=51

Said it would be something silly, it is working now as hoped. Is there a way to create a REJECT_log chain? Or get the log command slipped in? I can replace logdrop after I monitor for a bit. It is much appreciated, sorry guys just a wee bit OT :eek:.

Regards
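
An added example, not part of any post in this thread: a shell function that tallies the kernel `DROP`/`REJECT` lines written to syslog by chains such as `logdrop`, and copes with the `<4>`/`<1>` markers and the `DROPIN=` gluing visible in the log line above. The sample log lines and addresses are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Tally blocked packets per (action, LAN interface, source, destination, protocol).
# On the router: summarize_blocked < /tmp/syslog.log

summarize_blocked() {
  awk '
    /kernel:/ && / (DROP|REJECT)/ {
      gsub(/<[0-9]+>/, "")               # strip kernel priority markers such as <4>, <1>
      action = ($0 ~ / REJECT/) ? "REJECT" : "DROP"
      in_if = src = dst = proto = "-"
      for (i = 1; i <= NF; i++) {
        p = index($i, "=")
        if (p == 0) continue
        key = substr($i, 1, p - 1)
        val = substr($i, p + 1)
        sub(/^(DROP|REJECT)/, "", key)   # a prefix with no trailing space glues onto IN=
        if (key == "IN")    in_if = val
        if (key == "SRC")   src   = val
        if (key == "DST")   dst   = val
        if (key == "PROTO") proto = val
      }
      count[action " " in_if " " src " -> " dst " " proto]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2
}

# Constructed sample input: two lines in the garbled format shown in the thread,
# one clean line with a "REJECT " prefix, and one unrelated syslog line.
sample_log() {
  cat <<'EOF'
Feb 19 15:53:55 kernel: DROP <4>DROPIN=br0 OUT=tun11 <1>SRC=192.168.1.20 DST=203.0.113.5 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4829 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=51
Feb 19 15:53:56 kernel: DROP <4>DROPIN=br0 OUT=tun11 <1>SRC=192.168.1.20 DST=203.0.113.5 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4830 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=52
Feb 19 15:54:02 kernel: REJECT IN=br0 OUT=eth0 SRC=192.168.1.21 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=911 PROTO=TCP SPT=50122 DPT=443
Feb 19 15:54:10 dnsmasq-dhcp[312]: DHCPACK(br0) 192.168.1.20
EOF
}

sample_log | summarize_blocked
```

Each output line is a count followed by the action, inbound interface, source, destination and protocol, sorted with the most frequently blocked flow first.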
 
On the first page of this long thread

The following routers were released after the base code used for this fork was available, and are NOT supported.
  • AC87U, AC3200 (and the retail R versions)

Sadly, I was aware that the AC3200 is not supported due to the newer release and other hardware related support issues. I can still hope that another fork of this quality will be developed in the future. I did run into an issue where my drive won't mount correctly with the newer hardware...can't handle some NTFS fault that is not seen on my older hardware.
 
Is there a way to create a REJECT_log chain?
Try something like this:
Code:
#!/bin/sh

iptables -N logreject
iptables -A logreject -j LOG --log-prefix "REJECT "
iptables -A logreject -j REJECT

iptables -I FORWARD 5 -d xxx.xxx.xxx.xxx -i br0 -j logreject
iptables -I FORWARD 5 -d yyy.yyy.yyy.yyy -i br0 -j logreject
iptables -I FORWARD 5 -d zzz.zzz.zzz.zzz -i br0 -j logreject
 
I'm currently using the latest Merlin firmware on my RT-N66U. I've been having increasing problems with the 2.4Ghz radio stopping working so I'm thinking of trying this firmware. Can I just install it as is and use it or should I do a reset after installing it?

Update: Nevermind. I found my answer. I really should read the README first :)
 
