[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

Anyone have any thoughts on using LZ4 compression?

Situational. Personally, a lot of my remote usage is RDesktop (already compressed) and SSH (where interactivity is more important than throughput), so I don't use any compression.
 
Pushed a small refresh to the current stable release.

Enjoy...and thanks again to everyone for their continued support!

LATEST RELEASE: Update-23E3
13-March-2017
Merlin fork 374.43_2-23E3j9527
Download http://bit.ly/1YdgUcP
============================

The key updates:
  • Security update for networkmap CVE-2017-6548 - remote code execution
    Note: This fork is NOT exposed to two other reported networkmap CVEs, CVE-2017-6547 and CVE-2017-6549
  • Provide ASUSWRT-Merlin 'branding' string that can be queried by those developing add-on scripts
  • GUI support to enable IPv6 DNS resolution for Native, Stateless connections
    Note: This replaces the dnsmasq.conf.add requirement of the previous release. You need to remove those lines if enabling through the gui.
  • Possible fix for WAN uptime timer not working in a dualwan environment - @Santiago C

SHA256
Code:
0bc4e07f12a537e5d99fbcb85d33c2ab8b7091607717b00b86315ba1bcf6b54c  RT-AC56U_3.0.0.4_374.43_2-23E3j9527.trx
db67437e6bf3d9da19437d57c4c28fbd27a82a7c90764b4a950ef78af718c3e3  RT-AC66U_3.0.0.4_374.43_2-23E3j9527.trx
24ead2c41dde4124752259494396bd2f0b081c1037d86927951077f4251ba80e  RT-AC68U_3.0.0.4_374.43_2-23E3j9527.trx
e083cdb01e9d912522a5d92f8cd53a8fc1dd5f54f0285b3250a2e64398255f0c  RT-N16_3.0.0.4_374.43_2-23E3j9527.trx
44fae0aa12d3a6a885d883685cfddd490169bf049e259422ade16e0a96c50e3d  RT-N66U_3.0.0.4_374.43_2-23E3j9527.trx
 
Hey, @john9527 Thanks for the new build of course. In the new release after upgrading to openvpn 2.4.0, the global logging level has been removed in the openvpn client page. Is it possible to add this option back?

And I assume these commits haven't been pushed to your branch yet?
 
Hey, @john9527 Thanks for the new build of course. In the new release after upgrading to openvpn 2.4.0, the global logging level has been removed in the openvpn client page. Is it possible to add this option back?

And I assume these commits haven't been pushed to your branch yet?
I had actually never added the OpenVPN logging level to the gui......just add a
verb 1
or whatever logging level you want to the custom config section.

Will be pushing to github in a little while....
 
Ah, thanks. I may have Merlin's current builds on my mind (what I was running before your branch). That may be where I remember it from.
 
I had actually never added the OpenVPN logging level to the gui......just add a
verb 1
or whatever logging level you want to the custom config section.

It's controlled by the "vpn_loglevel" nvram setting. Default is 3, values are from 0 to 11 (looks like OpenVPN devs are Spinal Tap fans).
 
After upgrade I cannot ssh to my remote rt-n16
ovpn and other remote services do work but ssh is KO - I think we already had this issue a few versions ago
 
After upgrade I cannot ssh to my remote rt-n16
ovpn and other remote services do work but ssh is KO - I think we already had this issue a few versions ago
Sorry, but nothing changed in 23E1 to E3 connected with SSH....and I just finished a time when I was connecting regularly with SSH via OpenVPN server.

EDIT: The only thing I can think of is that the N16 is getting nvram challenged with only 32K (E3 added a couple of extra bytes). I may need to remove some features (like DNSCrypt) from the N16 builds.
 
ssh seems ok from lan but not from wan...strange...
I just double checked after setting Allow WAN access....and it worked without any problem (My neighbor is on a different ISP and lets me connect to his ISP for testing).

Are you using a DDNS for access? Maybe double check it's been updated correctly, or if your IP changed after the code upgrade, it may take a bit to propagate to the DNS servers.
 
I'm getting hundreds of these in log, I mean hundreds!! 23E1 firmware??

Code:
Mar 16 05:48:26 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for d1ulmmr4d4i8j4.cloudfront.net
Mar 16 05:48:27 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for da2lh5cs8ikqj.cloudfront.net
Mar 16 05:50:23 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for www.pcmrace.com
Mar 16 05:50:25 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for i.ytimg.com
Mar 16 06:04:58 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for www.pcmrace.com
Mar 16 06:14:41 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for www.nfohump.com
Mar 16 06:17:01 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for cs.rin.ru
Mar 16 06:17:46 dnsmasq[544]: server 81.139.57.100#53: resp: 0x00 query failed for scaramonga.imgur.com
Mar 16 06:20:19 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for avencolony.com
Mar 16 06:21:23 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for www.componentsuk.co.uk
Mar 16 06:21:53 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for www.watercoolinguk.co.uk
Mar 16 06:21:54 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for code.instantcart.com
Mar 16 06:24:55 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for www.chilledpc.co.uk
Mar 16 06:27:14 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for images.nvidia.com
Mar 16 06:27:14 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for api.digitalriver.com
Mar 16 06:27:15 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for gethatch.com
Mar 16 06:27:15 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for i.ytimg.com
Mar 16 06:37:35 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for www.adobe.com
Mar 16 06:38:02 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for cs.rin.ru
Mar 16 07:46:42 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for 1fizorp.oloadcdn.net
Mar 16 07:46:56 dnsmasq[544]: server 81.139.57.100#53: resp: 0x00 query failed for www.googleapis.com
Mar 16 08:04:53 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for cdn2.alphr.com
Mar 16 08:18:59 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for s.youtube.com
Mar 16 08:22:35 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for q.ebaystatic.com
Mar 16 08:23:41 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for promotions.ebay.co.uk
Mar 16 08:25:01 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for www.yalldata.com
Mar 16 08:26:24 dnsmasq[544]: server 81.139.57.100#53: resp: 0x00 query failed for store.akamai.steamstatic.com
Mar 16 08:29:53 dnsmasq[544]: server 81.139.56.100#53: resp: 0x00 query failed for www.smallnetbuilder.com
 
Don't use 'Debug' as the syslog loglevel...

EDIT: Just as a reminder to everyone, you can use the Search box in the upper right hand corner to search within a thread you have open.

Maybe it's time we had a community maintained FAQ...
 
@john9527 , is it normal that after a clean install and nvram erase, during my initial setup I could see from the "tools" page that CTF (only) was enabled, but on the switch config page, NAT acceleration was set to "Disabled" out of the box. I know you have different "levels" in CTF, but I figured if tools showed as enabled, I would have seen it set to level 1 or 2 at least.

Unless CTF is just On all the time as it causes no issues since there is no Trend Micro DPI engine in your builds...?
 
I just double checked after setting Allow WAN access....and it worked without any problem (My neighbor is on a different ISP and lets me connect to his ISP for testing).

Are you using a DDNS for access? Maybe double check it's been updated correctly, or if your IP changed after the code upgrade, it may take a bit to propagate to the DNS servers.
Actually the issue is that dropbear binds on lan address only even if "allow access from wan" is ON
6552 admin 1200 S dropbear -p 192.168.1.1:8000 -a
Currently I run an sslh in front so I can connect to the lan address and I can connect but maybe I can fix this.
From what I found my nvram is empty for:
"sshd_addr="
woh should I enter 0.0.0.0 here?
 
Actually the issue is that dropbear binds on lan address only even if "allow access from wan" is ON

Currently I run an sslh in front so I can connect to the lan address and I can connect but maybe I can fix this.
From what I found my nvram is empty for:
"sshd_addr="
woh should I enter 0.0.0.0 here?
Ahh....the non-standard config using sslh (had to look that one up) :) The binding to only the router was done for security reasons.

As far as sshd_addr goes, it's part of a nvram only (not in gui), fork unique option that I added for another user a long time ago. It may indeed be able to help you out. Check the Merlin_Fork_Options.txt file to see how to use it.
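
Added example (not code from the thread or from the fork): a POSIX shell check that reads a dropbear command line as `ps` prints it and reports each listen address, so the LAN-only binding discussed above can be confirmed after a settings change. It relies on dropbear's `-p [address:]port` option and its default of port 22 on all interfaces; the function names and the LAN IP argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report where dropbear listens, from its `ps` command line.
# dropbear's -p takes [address:]port; with no -p it uses port 22, all interfaces.

# classify ADDRESS LAN_IP -> scope label (helper name is this example's own)
classify() {
    case "$1" in
        ""|0.0.0.0) echo all-interfaces ;;
        127.*)      echo loopback ;;
        "$2")       echo lan-only ;;
        *)          echo other-address ;;
    esac
}

# dropbear_listeners PS_LINE LAN_IP -> one "address port scope" line per listener
dropbear_listeners() {
    lan_ip=$2
    set -f              # no globbing while the ps line is word-split
    set -- $1
    set +f
    found=0             # skip ps columns up to and including the executable
    while [ $# -gt 0 ] && [ "$found" -eq 0 ]; do
        case "$1" in dropbear|*/dropbear) found=1 ;; esac
        shift
    done
    [ "$found" -eq 1 ] || return 1      # not a dropbear command line
    count=0
    while [ $# -gt 0 ]; do
        spec=
        case "$1" in
            -p)   if [ $# -ge 2 ]; then spec=$2; shift; fi ;;
            -p?*) spec=${1#-p} ;;
        esac
        shift
        [ -n "$spec" ] || continue
        case "$spec" in
            *:*) addr=${spec%:*}; port=${spec##*:} ;;
            *)   addr=; port=$spec ;;       # bare port: every interface
        esac
        echo "${addr:-*} $port $(classify "$addr" "$lan_ip")"
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || echo "* 22 all-interfaces"
}

# Constructed input: the ps line quoted in the thread, then a variant with no address.
dropbear_listeners "6552 admin 1200 S dropbear -p 192.168.1.1:8000 -a" 192.168.1.1
dropbear_listeners "6552 admin 1200 S dropbear -p 8000 -a" 192.168.1.1
```

On the router, pass the live `ps` line for dropbear and the router's LAN address; any result other than `lan-only` or `loopback` means the daemon accepts connections on an address beyond the LAN one.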
 
@john9527 , is it normal that after a clean install and nvram erase, during my initial setup I could see from the "tools" page that CTF (only) was enabled, but on the switch config page, NAT acceleration was set to "Disabled" out of the box. I know you have different "levels" in CTF, but I figured if tools showed as enabled, I would have seen it set to level 1 or 2 at least.

Unless CTF is just On all the time as it causes no issues since there is no Trend Micro DPI engine in your builds...?
It all depends on when you looked and what options you set up (i.e. if you set up something that would automatically disable CTF). Sometimes the entry on the tools page requires a reboot to get in sync with the actual state.....the entry on the switch page will generally immediately reflect if you did something to disable CTF. Try and reboot and they should be in sync.
 
Oh, I set it all up in the meantime, so I am way past that :) (Plus I use your QoS, so it normally gets disabled anyways)

But this was a fresh boot off a fresh install, then a subsequent nvram erase && reboot. So no custom config had been performed yet.

Do you set CTF to enabled by default, or disabled? So I know for the future.


Gear switch, you think there are any limitations on why the RT-AC1900P would not run this fork? With its close similarities to the RT-AC68U, would it not be possible? Granted Flash and RAM are larger....
 