[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

[Ford Prefect]

...thanks John and @Wisiwyg...will have to try my search-fu then.
I already do have a switch and multi-WAN router, both VLAN capable.
I'd actually prefer to transport guest and non-guest over different VLANs and assign different IP nets as well....will see how to do that.
What is strange though is, that the guest WLAN option is available in AP mode...maybe the guest traffic is already in a different VLAN already?
Can't think of a use-case for using it / enabling it otherwise.

...OK, this is what I was able to bring up via the forum search and this thread kind of sums it up for me: https://www.snbforums.com/threads/access-point-mode-guest-network.30532/#post-240536
Looks like I need to fiddle with a lot of scripts with uncertainty of success or move to another FW where these kind of things are standard.
I am unsure if I am willing to give up on this FW, as it is sooooo stable....maybe employing an extra AP for guest WiFi is another solution.

 

[conquer22]

Many thanks for you reply. since It's working with 25B7, I gave another try upgrade direct to 25E1 without a reset and now it working. Really had no idea with what happened when I did the clean reset and start from wizard last time. Thanks again.

 

[john9527]

380.66.2 said completed but after boot and reset still on V25E1

must be some of this huh!
* Security fixes for CVE-2017-5891, CVE-2017-5892
and CVE-2017-6547

Ahh....sorry I was slow and didn't latch on to you using the CFE mini server. Was able to recreate it. Actually, none of the commands on that page (reboot or nvram reset) will work as well. Pretty sure it's CVE-2017-5892 that's doing it. Since 380.66 and my V25 behave the same, at least it seems as if I did the port correctly

But, try this as a workaround.

edit your local client hosts file to include an entry for the router address pointing to router.asus.com
(normally dnsmasq would handle this, but it's not up when using the mini server).
Now connect to the mini server with http://router.asus.com instead of the address

 

[cowst]

Hi @john9527,
regarding what may or may not be related to what you suggested, I found out another misbehavior.

I am losing connectivity when the hourly(?) vpn renegotiation with nordvpn takes place.
This happens of course on vpn devices, like the fire tv stick.
This is to be unfortunately expected for the ongoing connections, however, since then the stick keeps telling that it is connected to my wifi with problems (namely no internet).

I have to reboot the router, or perhaps something softer might work as well, but you understand that probably the right behavior is just automatically reconnect devices subject to the vpn renegotiation.

Does it make sense?

Sorry for the delay....been tied up with a lot of personal 'stuff'......

I did take a look at the log, and there is nothing unusual from the base router view. The address you pinpointed looked perfectly normal, only showing DHCP renew on schedule.

But, your VPN connect is another story....it's bouncing up and down on an hourly basis. You are another NordVPN user, and it appears as if they have migrated their servers to 2.4.x, and V23 is the first release to move to 2.4.0. In this config it looks like they are pushing custom keepalive and inactive timers to your client, along with using the new ciphers.

So, a couple of things to check/try in your custom config

if you have a keepalive statement, remove it (I've seen problems where a mismatch between client and server causes disconnects)

try adding
inactive 0
push "inactive 0"

finally, try disabling the new ciphers
set Cipher Negotiation to disabled in the gui
add
ncp-disable
to the custom config.

 

[john9527]

Hi @john9527,
regarding what may or may not be related to what you suggested, I found out another misbehavior.

I am losing connectivity when the hourly(?) vpn renegotiation with nordvpn takes place.
This happens of course on vpn devices, like the fire tv stick.
This is to be unfortunately expected for the ongoing connections, however, since then the stick keeps telling that it is connected to my wifi with problems (namely no interne
I have to reboot the router, or perhaps something softer might work as well, but you understand that probably the right behavior is just automatically reconnect devices subject to the vpn renegotiation.

Does it make sense?

I've only been able to recreate the 'hourly/periodic' disconnect when using the 'auth-nocache' custom config entry. I went through the OpenVPN code and see what's happening with that, but it's not a straight forward thing to fix.

As far as reconnecting after the renegotiation, there's nothing to do there. The 'connection' is via the router's routing tables, so should be transparent to the clients.

 

[cowst]

I am not sure I understood.

There are 2 issues?

1 - one hour reconnections (isn't it something that can be configured but if client and server don't match, it takes the shorter? And I think it didn't happen on v23 or 24,or at least I didn't notice)

2 - Internet lost at reconnect. Although it should be transparent thanks to routing tables, isn't there a bug in that logic since Internet is lost? If it makes sense I can try to print some info before and after the fact, just tell me what

I've only been able to recreate the 'hourly/periodic' disconnect when using the 'auth-nocache' custom config entry. I went through the OpenVPN code and see what's happening with that, but it's not a straight forward thing to fix.

As far as reconnecting after the renegotiation, there's nothing to do there. The 'connection' is via the router's routing tables, so should be transparent to the clients.

 

[john9527]

I am not sure I understood.

There are 2 issues?

1 - one hour reconnections (isn't it something that can be configured but if client and server don't match, it takes the shorter? And I think it didn't happen on v23 or 24,or at least I didn't notice)

The renegotiation has always been there.....most providers use 3600 secs as the default time. You can try and change this in the gui under TLS Renegotiation time, but I think it may be possible that the provider can ignore it. Here's an example from my syslog (occurs hourly)

May 21 07:19:11 openvpn[3037]: TLS: tls_process: killed expiring key
May 21 07:19:12 openvpn[3037]: TLS: soft reset sec=0 bytes=640479960/-1 pkts=664791/0
May 21 07:19:12 openvpn[3037]: VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
May 21 07:19:12 openvpn[3037]: VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=xxxxxxxxxxxxxxxxxxxxxxxxxxx, name=xxxxxxxxxxxxxxxxxxxxxxxx
May 21 07:19:14 openvpn[3037]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
May 21 07:19:14 openvpn[3037]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 21 07:19:14 openvpn[3037]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
May 21 07:19:14 openvpn[3037]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 21 07:19:14 openvpn[3037]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA

2 - Internet lost at reconnect. Although it should be transparent thanks to routing tables, isn't there a bug in that logic since Internet is lost? If it makes sense I can try to print some info before and after the fact, just tell me what

Shouldn't matter. Are you using the block internet if tunnel goes down option? The only thing I can think of is if there is a bug there.

About the only other suggestion it to let me 'borrow' your NordVPN id via a PM if they allow multiple logins, and I can see if I can recreate the problem (I promise I won't abuse it ) NordVPN is a bit unique in that they are the only provider I know of that has migrated to OpenVPN 2.4 on their servers.

 

[cowst]

PMed

The renegotiation has always been there.....most providers use 3600 secs as the default time. You can try and change this in the gui under TLS Renegotiation time, but I think it may be possible that the provider can ignore it. Here's an example from my syslog (occurs hourly)

May 21 07:19:11 openvpn[3037]: TLS: tls_process: killed expiring key
May 21 07:19:12 openvpn[3037]: TLS: soft reset sec=0 bytes=640479960/-1 pkts=664791/0
May 21 07:19:12 openvpn[3037]: VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
May 21 07:19:12 openvpn[3037]: VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=xxxxxxxxxxxxxxxxxxxxxxxxxxx, name=xxxxxxxxxxxxxxxxxxxxxxxx
May 21 07:19:14 openvpn[3037]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
May 21 07:19:14 openvpn[3037]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 21 07:19:14 openvpn[3037]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
May 21 07:19:14 openvpn[3037]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 21 07:19:14 openvpn[3037]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA

Shouldn't matter. Are you using the block internet if tunnel goes down option? The only thing I can think of is if there is a bug there.

About the only other suggestion it to let me 'borrow' your NordVPN id via a PM if they allow multiple logins, and I can see if I can recreate the problem (I promise I won't abuse it ) NordVPN is a bit unique in that they are the only provider I know of that has migrated to OpenVPN 2.4 on their servers.

 

[majkel]

Hi, today flashed my asus n16 with john's fork (25E1) and can't belive my eyes - iperf from wan to lan shows 925Mb/s ! john how the hell is this possible on such old hw ? yep checked twice nat is enabled , even ftp are showing 115MB/s . john what is this magic ? with tomato shibby's mod i can't get no more than 250Mb/s with bcm_nat enabled .

 

[flinchlock]

didn,t know it was 7am I was working on loading two old VAX780's system 5 unix.....

VAX780, that brings back memories! I think the one I was sysadmin for was a VAX-11/785.

 

[slobodan]

Hi, today flashed my asus n16 with john's fork (25E1) and can't belive my eyes - iperf from wan to lan shows 925Mb/s ! john how the hell is this possible on such old hw ? yep checked twice nat is enabled , even ftp are showing 115MB/s . john what is this magic ? with tomato shibby's mod i can't get no more than 250Mb/s with bcm_nat enabled .

It's called CTF or CTF+FA. Tomato does not have it.

 

[majkel]

yep i know about ctf, and tomato arm have it, workng great. In tomato u can enable it but there is some costs like no qos and some other services. the question is what is the cost of that fast nat translating ?

 

[slobodan]

yep i know about ctf, and tomato arm have it, workng great. In tomato u can enable it but there is some costs like no qos and some other services. the question is what is the cost of that fast nat translating ?

See https://www.snbforums.com/threads/hw-acceleration-on-rt-n66u.9888/

 

[Lotta Cox]

My network went down twice since installing 25E1 on a 68R. Actually it went down Saturday and Today. Like went down as if the router was shut off. No wireless or lan functioned. The wireless was on, but no lan. Nothing in the logs. I have never had that happen with John's FW. I have been using his FW since I PM'd him years ago.
Not looking for support. Just throwing it out there incase anyone has seen something similiar. Could be just a coincedince or my router going bad.

 

[sfx2000]

VAX780, that brings back memories! I think the one I was sysadmin for was a VAX-11/785.

Crazy enough - one still finds old vaxen out there... mostly these days in banking, industrial, and govt services...

My first experience with sysadmin work with 11/785 as well, and then took over a 38 unit MicroVAX II cluster - VMS is weird, but it is secure...

OpenVMS is still out there - running on Intel's 64 bit Itanium processors on HP hardware... one of the more common applications these days is with a certain telecom vendor that does messaging (SMS/MMS) - and they take full advantage of the high-availability of VMS in a cluster environment.

 

[sfx2000]

Been retired since 2001 and been working hit and miss on them since, mainly now seems everyone else is dead! I guess they retired the one at the mountain..

I think the ones over in Mt. Weather are still active, because govt doesn't throw anything away...

You raise a good point though - the pool of experienced vax guys is shrinking fast.... similar to cobol/fortran programmers - bugs still need to be fixed, and systems still need to be sorted - I know of several guys that have a good second income sorting things out on these platforms on a consultant basis...

 

[joegreat]

OpenVMS is still out there - running on Intel's 64 bit Itanium processors on HP hardware...

Both discontinued by HP/HPE:

• OpenVMS Standard Support ends by 2015 to 2021 (depending on version)
• Itanium Hardware Support ends by 2019

RIP VAX & VMS/OpenVMS!

I am currently running a big application migration project from OpenVMS to Linux at a car manufacturer: very important application on OpenVMS as it runs the production lines world wide.

 

[conquer22]

with "set it and forget it", it uses 62% of the memory. is this ok? can I some how disable some service to gain more memory?

Sent from my SM-A710F using Tapatalk

 

[RMerlin]

I found out , don't know if totally true but loading (V25E1 and 380.66) overlay the second time seems to trash the firmware meaning running 380.66.2 updated again to 380.66.2 has problems "HTTPS" related I guess

Considering that I've updated different 380.66 test builds one after another throughout development without any problem, I highly doubt that.

 

[ColinTaylor]

it uses 62% of the memory. is this ok?

That's fine (in fact it's better than most people). So no action is required.