Internet access inconsistency and a repeatable crash with GT-AX6000 and GT-AX11000 vs my RT-AC class routers

seabass

New Around Here
I recently decided to upgrade my primary home router (AC5300) to an AX class router to match my remote location, which is already running an AX68U and is connected to my home via a site-to-site TAP-based OpenVPN connection.

Since the firmware versioning between AC and AX seems to be diverging, I figured now is a good time to do this. I like to have matching firmware at both locations. My AX68U is on 388.1, and working well (note, there was a time before the “binary blobs” bundle that was pretty unstable, but that seems fixed for ~6 months now…).

I also have a complex TAP VPN configuration that allows me to have a wide subnet with separate DHCP servers at each location serving discrete parts of my shared subnet. Both routers are within the same subnet, my shared mask is 255.255.252.0. I do this to have independent functional routers at each location, even if the tunnel goes down. I also needed to block DHCP protocol from crossing over the tunnel (remember it’s TAP) so that my devices don’t get confused about what IP range they allocate from at each location. Networking works perfectly without routing or NAT because it’s a TAP tunnel. This means my devices cannot determine their physical separation, it’s like one big happy seamless LAN. I block the DHCP over the tunnel by running a dedicated JFFS script “openvpn-event” to modify my ebtables when my tunnel starts by catching the VPN Event “up” event and running my script just in time.

HOWEVER, I am experiencing significant stability problems when I introduce the new AX router at my primary location.

  • I first tried a new GT-AX6000 on 388.1, fresh upgrade along with factory reset (WPS hold for 10 secs on boot). However, despite my meticulous from scratch configuration, I was experiencing strange inconsistencies across devices regarding their internet connectivity. I say “internet” because for sure my phone connects (S22U) with Wi-Fi 6, but traffic will not route to the internet, but I can connect to the management UI for the router, hmm. I also experienced similar (gateway-less?) connectivity issues with other IoT class devices like Amazon Fire Sticks, my thermostat, and other “things”. I could see the devices were connecting in system log/wireless log, but with no internet access. So, I then tried downgrading to 386.7_2, and even the latest stock ASUS firmware but I experienced the same issues! (As before, all clean from scratch setups). At this point I was just trying to determine if this was a hardware issue before my return window closed. I got tired and returned the router… I then decided to buy the GT-AX11000 instead. (In the meantime, I dropped my AC5300 back into place, and all was perfect, just as it was before…)
  • GT-AX11000 arrived, yay? No (you’ll see…). I started with an upgrade to 388.1. I set up everything from scratch as before (no restore). I was shocked to see the same problem! Some devices were just fine (same as before) such as my wired and wireless Windows 11 PCs. However, I experienced the same issues with most wired and wireless IoT devices. My phone connected as Wi-Fi 6, I could see the router management UI, but still no internet! I tried disabling Wi-Fi 6, limited to 80MHz, and all that stuff but nothing seemed to work… Eventually I decided to enable “Native” IPv6 (it defaults to disabled) and then suddenly everything started working!! I’m not 100% sure this was the fix, but I think it was. If it was anything else it was something related to messing around with WiFi 6 in conjunction with enabling native IPv6. I can say that it’s working now, and WiFi 6 is on, with 160MHz and 80MHz devices, so it must be the native IPv6 right?
  • Even though all devices (wired and wireless) are now working (combo of 6/AX, 5/AC and lots of 2/N for older IoT devices) I still sometimes see a “no internet” message briefly on my phone while waking up and re-negotiating (I suppose that is what it’s doing) but it works. Maybe the connection time for AX protocol isn’t as nimble as AC?
  • THE BIG HOWEVER, and this is something I cannot seem to solve. As soon as I enable the TAP VPN server and the site-to-site connection is made I then have a very short ticking clock before my primary router (acting as the VPN server) will crash and reboot. This happens regardless of data transfer rate, i.e. streaming video (security cameras) or not, the crash time is about the same, about 60 seconds in total. Probably less than 30 seconds after the tunnel is established. I thought, hmm, this must be a bug in 388.1, while noticing that 388.2 has an OpenVPN upgrade coming… So, thought to myself, I suppose I can downgrade to 386.7_2 in the meantime (since I know this firmware works perfectly on my AC5300). I downgraded (in place, why not, it’s only temporary anyway). HOWEVER, the crash still happens ☹ I was shocked to see this. Now I’m wondering how this can happen. Is it possible there are bugs outside of the firmware packages? If so, does that mean I’m doomed?
  • I plan to switch back to my AC5300 later today, as I know that works, and I need the functionality. It’s disappointing to have my new AX11000 doing nothing, still hoping this can be solved so my AX11000 doesn’t become an ugly paperweight. Is this another “binary blobs” moment? (btw are binary blobs synonymous with hardware drivers?)
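
The DHCP block over the TAP bridge described in this post could be written as below. This is an added example, not the poster's script: it assumes the file is saved as /jffs/scripts/openvpn-event, that OpenVPN's `$script_type` and `$dev` variables reach it, and that the tunnel interface is named like `tap21`; the `EBTABLES` override is a hypothetical name introduced here for dry runs.

```shell
#!/bin/sh
# Added example (assumptions: installed as /jffs/scripts/openvpn-event on
# Asuswrt-Merlin; OpenVPN exports $script_type and $dev to this hook).

EBTABLES="${EBTABLES:-ebtables}"   # hypothetical override, allows a dry run

# Print one ebtables rule spec per line for the given TAP interface.
# DHCP uses UDP 67 (server) and 68 (client), so 67:68 covers both directions.
dhcp_block_rules() {
    tap="$1"
    match="-p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP"
    echo "INPUT -i $tap $match"     # tunnel -> this router's DHCP server
    echo "FORWARD -i $tap $match"   # tunnel -> local bridge ports
    echo "FORWARD -o $tap $match"   # local bridge ports -> tunnel
    echo "OUTPUT -o $tap $match"    # this router's DHCP server -> tunnel
}

# apply_rules <-A|-D> <interface>
# -A installs the rules, -D removes them. Every rule is deleted first so a
# tunnel restart never stacks duplicate copies in the chains.
apply_rules() {
    op="$1"; tap="$2"
    case "$tap" in
        tap[0-9]*) ;;        # bridged TAP device: continue
        *) return 0 ;;       # tun or anything else: nothing to filter
    esac
    dhcp_block_rules "$tap" | while read -r rule; do
        # $rule is left unquoted on purpose: it is a list of arguments.
        $EBTABLES -D $rule 2>/dev/null || true
        if [ "$op" = "-A" ]; then
            $EBTABLES -A $rule
        fi
    done
    return 0
}

# Dispatch on the OpenVPN event; does nothing when run outside the hook.
case "${script_type:-}" in
    up)   apply_rules -A "${dev:-}" ;;
    down) apply_rules -D "${dev:-}" ;;
esac
```

Running `ebtables -L --Lc` after the tunnel comes up shows the rules with packet counters, which confirms whether DHCP frames are actually being dropped at the TAP interface.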
 

Spartan

Regular Contributor
Why are you upgrading the routers to Merlin Firmware right away before even testing them how they work out of the box with the factory firmware? This cannot be a coincidence that 2 new high-end routers have the same issue.
 

seabass

New Around Here
Why are you upgrading the routers to Merlin Firmware right away before even testing them how they work out of the box with the factory firmware? This cannot be a coincidence that 2 new high-end routers have the same issue.
It's because I need the sophistication of the VPN configuration that's made possible with Merlin firmware. In particular, I need the custom JFFS script functionality so that I can tweak my ebtables to block DHCP over my TAP tunnel. I am under the impression that the custom scripts feature is only possible with Merlin builds. However, if there's another way to achieve the same with stock firmware, I'd at least try it?

BTW I'm now wondering if I need to install ASUS firmware at least initially in order to have whatever is installed outside of Merlin's packages (i.e. h/w specific drivers for example). Is that something I need to think about? (I've never needed to think or do this before, and I've been using Merlin firmware on new devices for about 7 years)

Also (I'm new) please let me know if this thread should be in a different place...
 

Spartan

Regular Contributor
It's because I need the sophistication of the VPN configuration that's made possible with Merlin firmware. In particular, I need the custom JFFS script functionality so that I can tweak my ebtables to block DHCP over my TAP tunnel. I am under the impression that the custom scripts feature is only possible with Merlin builds. However, if there's another way to achieve the same with stock firmware, I'd at least try it?

BTW I'm now wondering if I need to install ASUS firmware at least initially in order to have whatever is installed outside of Merlin's packages (i.e. h/w specific drivers for example). Is that something I need to think about? (I've never needed to think or do this before, and I've been using Merlin firmware on new devices for about 7 years)

Also (I'm new) please let me know if this thread should be in a different place...
The next time you get a router, please at least test it the way it came first, without touching any firmware. Then, once you're satisfied with it, upgrade to the latest firmware after reading the feedback threads here, or the latest Merlin. It just seems very strange that you have 2 high end routers with the same issue.

For now, I would flash the ASUS stock firmware and reset the router to defaults just to see if it's working or not.
 

seabass

New Around Here
I decided to have another go.

I have determined that my inconsistent wifi connectivity issues were the strange result of trying to pre-configure the router before dropping it into place to replace my existing working router.

Somehow, methodically configuring the router without a WAN connection leads to an unstable result. However, as soon as I configure the router with an active WAN connection (following about the same order of steps) everything works!

There are many parts to my configuration, so unfortunately it would be just too time consuming to determine exactly what step causes the problem. I am 100% sure that order and/or an active WAN connection are the reason though, as my from scratch configuration details are fully documented and verifiable, which I have done every time I have attempted this. Each time I started with a clean factory reset.

The reason I said "about the same order" earlier is that while configuring live, I prioritized getting the WAN interface configured, so that my home was back online as early as possible. I wonder if order of operations matters, or if just the live WAN is what matters, I honestly don't know, unfortunately.

That all said, TAP VPN *server* (not client) is still broken on AX routers, per the original post. As such, I'm currently back on my AC5300 until this changes...
 

Tech9

Part of the Furniture
Not sure why you play with all-in-one home routers and heavily invest in even more when your requirements are site-to-site VPN and more complex LAN segmentation. This project needs some planning, but better hardware is available and built for this purpose. Now you have to wait for typical Asuswrt beta cycle on the new firmware base and for someone else to build on top the functionality you need above stock firmware. See you again around Asuswrt 388_4xxxx and Asuswrt-Merlin 388.4_x or above firmware releases - what you need may start working again.
 

seabass

New Around Here
Not sure why you play with all-in-one home routers and heavily invest in even more when your requirements are site-to-site VPN and more complex LAN segmentation. This project needs some planning, but better hardware is available and built for this purpose. Now you have to wait for typical Asuswrt beta cycle on the new firmware base and for someone else to build on top the functionality you need above stock firmware. See you again around Asuswrt 388_4xxxx and Asuswrt-Merlin 388.4_x or above firmware releases - what you need may start working again.
Indeed, I've had great luck over the past several years. But I think luck is the key word here...

I also tried a WireGuard based alternative, but that's not happening yet either...

I'm a cheapskate and a bit of a hacker at heart :)
 
