Merlin or not on new RT-AX86U and RP-AX56 ?

JonnyH

New Around Here
Hi all, new to this forum.

I've just bought an RT-AX86U Pro and an RP-AX56 to act as an AiMesh node (and will probably get a 2nd when there's another sale). I haven't had a chance to even unpack them yet.

I'm currently using an old AC66U (that doesn't support AiMesh) with Merlin firmware. Merlin was useful as it allowed me to bypass the ISP's router, which handled the login to the broadband account, but I've now changed to full fibre internet and this feature is no longer required.

I know you don't get Merlin firmware for the RP-AX56 but my question is should I put Merlin on the AX86U router or not? Is there any reason not to use Merlin on the router with these Mesh nodes (since they're not running Merlin)?

I don't think I *need* the Merlin firmware for any particular feature now, it's "nice" to have, better GUI etc but is there a good reason to have or not to have it with these Mesh nodes?

And a follow up question, I presume I should just go ahead and install the latest stable Asus firmware on the node (and the router if not using Merlin) before doing anything else with them?

Many thanks!
Jon.
 
Look at the features Asus-Merlin firmware offers, including add-on scripts, and decide for yourself if they are features you want, or need, or want to experiment with for your situation. Everyone's situation and use case is different. Many here will use Asus-Merlin. Some don't. There is no "requirement" that one run one firmware over another unless one has a specific need or desire.

Quite a few recommend leaving AiMesh nodes on stock Asus firmware since many of the features in Asus-Merlin are disabled on the AiMesh node.

Also note that you are mixing the names RT-AX86U and RT-AX86U Pro. They are two different routers with different firmware. When discussing the router(s) you have or are interested in, it helps to be specific and use the correct model name, since issues or features in the firmware may be specific to one router model or the other. For example, one can run the Asus beta 3.0.0.6.x firmware on a RT-AX86U Pro, but the RT-AX86U does not support running the 3.0.0.6.x firmware.

And welcome to the forum.
 
Look at the features Asus-Merlin firmware offers, including add-on scripts, and decide for yourself if they are features you want, or need, or want to experiment with for your situation. Everyone's situation and use case is different. Many here will use Asus-Merlin. Some don't. There is no "requirement" that one run one firmware over another unless one has a specific need or desire.

Quite a few recommend leaving AiMesh nodes on stock Asus firmware since many of the features in Asus-Merlin are disabled on the AiMesh node.

Also note that you are mixing the names RT-AX86U and RT-AX86U Pro. They are two different routers with different firmware. When discussing the router(s) you have or are interested in, it helps to be specific and use the correct model name, since issues or features in the firmware may be specific to one router model or the other. For example, one can run the Asus beta 3.0.0.6.x firmware on a RT-AX68U Pro, but the RT-AX86U does not support running the 3.0.0.6.x firmware.

And welcome to the forum.
There is no AX68U Pro. Another fumble finger?
 
Commission your new network with the latest ASUSWRT firmware (upload, Hard Reset, and configure from scratch). If it goes well, start using it. Later, if you need a feature in ASUSWRT-Merlin firmware, install that firmware according to its website instructions.

If you need an RMA, call ASUS and return to using your old network.

OE
 
Merlin keeps up with security fixes quicker than stock Asus FW; that is the reason I use Merlin. Plus, even if you have to return the router, using Merlin FW does not void the warranty. I know, as I had to return a router that was no good and it was running Merlin.
 
Merlin keeps up with security fixes quicker than Stock Asus FW that is the reason i use Merlin
Can you show security bugs in the stock firmware that were fixed in Asuswrt-Merlin but not fixed in stock firmware?
 
RMerlin firmware is not a mirror of stock firmware. Too much work needed to only accomplish that.

RMerlin firmware exists for over a decade because it has been superior to stock firmware.

For security, reliability, dependability, and performance reasons.

If you want the proof, compare the changelogs from each, over the last 10 years.

And, keep in mind that the most relevant changes are not always reflected in those changelogs.
 
Can you show security bugs in the stock firmware that were fixed in Asuswrt-Merlin but not fixed in stock firmware?

CVE-2023-48795 just to pick the most recent one.

I am almost always more proactive at updating OpenSSL, dropbear, etc...
 
Can you show security bugs in the stock firmware that were fixed in Asuswrt-Merlin but not fixed in stock firmware?
You can check yourself; go through the last 10 years of FW changes.
Can you show security bugs in the stock firmware that were fixed in Asuswrt-Merlin but not fixed in stock firmware?
It is listed in all his updated FW; you have plenty to read if you want to check it out.
 
CVE-2023-48795 just to pick the most recent one.
OK. Can you use this to hack my router? What should I share with you so you can hack my router with stock firmware?

I am almost always more proactive at updating OpenSSL, dropbear, etc...
I know that. I really appreciate and respect what you do for Asuswrt. I hope Asus appreciates it too.
I think Asuswrt-Merlin is great software and has many uses for many people.

However, I do not agree with the statement that they should be installed for security.
There are really many reasons to use Asuswrt-Merlin, but not this one.

If this were true, it would mean that Asus is a really shirtty company and Asus routers are only garbage.

Do you confirm that Asuswrt is not secure? Do you think that Asus stock firmware does not provide security and that if someone uses stock firmware, their router can be hacked?

Because this is how I understand the recommendations of some users, repeated many times on this forum, to install Asuswrt-Merlin for security.

You can check yourself; go through the last 10 years of FW changes.
I checked but didn't find it. Can you help me?
It is listed in all his updated FW; you have plenty to read if you want to check it out.
I read it and didn't find it. Please help me find it.
You can also hack into my router with stock firmware - that's enough proof for me.
 
Security is only one aspect of the benefits of using RMerlin firmware. Some of that is actual security fixes.

Most of that is what can be installed via scripts.

You can make some argument for any side of a debate. Doesn't make your stance correct though.
Hacking into your router isn't important. You're a pawn in the www. If you were a high-premium site, you'd be singing a different tune, no matter what hardware/firmware you're using. Whether you would admit it or not (in a timely manner) is another thing. As demonstrated many times by many companies on that same www.

Download RMerlin firmware. Check the changelogs. Compare this to changelogs from Asus with similar dates/firmware levels. Decide based on the results you see. You need to do the work to see the results you are asking for. Nobody here spoon-feeds anyone.

I've done the above. Asus hardware + RMerlin firmware is obviously superior.
 
You can also hack into my router with stock firmware - that's enough proof for me.
It’s much more likely to hack into your router from the LAN side by first infecting a LAN device through phishing or malware. More router services are exposed on the LAN side.
 
However, I do not agree with the statement that they should be installed for security.

Do you confirm that Asuswrt is not secure? Do you think that Asus stock firmware does not provide security and that if someone uses stock firmware, their router can be hacked?

It's the age-old debate some people are having that one firmware is more secure than the other.

The correct answer is: neither is. Some fixes will happen faster in Asuswrt (as they will fix issues within their own code, and I will get the fixed code only the next time they provide me with updated source code), and other fixes will happen faster in Asuswrt-Merlin (as I am more aggressive in merging third party component updates, and also I can issue a security-focused release faster than their dev + QA + release schedule cycle would allow, being more agile than they can be).

And as in any modern software, both have their share of security issues that will be discovered and resolved over time.

People need to treat them as two pieces of software developed in parallel.
 
And as in any modern software, both have their share of security issues that will be discovered and resolved over time.

People need to treat them as two pieces of software developed in parallel.
This is exactly what I mean all the time.

It’s much more likely to hack into your router from the LAN
If someone is already on my LAN, the rest doesn't matter. ;)

Hacking into your router isn't important.
It is very important.
Download RMerlin firmware. [...] Decide based on the results you see.
The Asus routers I manage are mainly on stock firmware. I also have a few with Asuswrt-Merlin and a few with FreshTomato. I also have many different routers and APs from other manufacturers.
I always select hardware and software to meet the indicated needs, uses and budget.
I don't recommend the same thing to everyone for different uses.
 
OK. Can you use this to hack my router?

Maybe. It's an SSH issue.
And it is a MITM, Man In The Middle Attack, not a web facing weakness.
What should I share with you so you can hack my router with stock firmware?

Username, password, and IP address.

But unless you have Federal Reserve access, Launch Code access, Panama Papers accounts, etc, unlikely that you will be a target.
 
Maybe. It's an SSH issue.

So how practical is the attack?

The Terrapin attack requires an active Man-in-the-Middle attacker, that means some way for an attacker to intercept and modify the data sent from the client or server to the remote peer. This is difficult on the Internet, but can be a plausible attacker model on the local network.

Besides that, we also require the use of a vulnerable encryption mode. Encrypt-then-MAC and ChaCha20-Poly1305 have been introduced by OpenSSH over 10 years ago. Both have become the default for many years and as such spread across the SSH ecosystem. Our scan indicated that at least 77% of SSH servers on the internet supported at least one mode that can be exploited in practice.

Username, password, and IP address.
If I also provide username and password, it will not be a hack.;)

unlikely that you will be a target.
I know... ;)

PS: Who enables SSH or Web Access from the router to the WAN?
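The Terrapin description quoted above names two preconditions: an active man-in-the-middle and a peer that still negotiates ChaCha20-Poly1305 or a CBC cipher with Encrypt-then-MAC. As an added defender-side illustration (not code from this thread, from Asuswrt or from Asuswrt-Merlin), the check below parses an SSH_MSG_KEXINIT payload and reports whether a peer still offers those modes without advertising the strict-kex countermeasure that OpenSSH and dropbear adopted; the two payloads are constructed, not captured from any router, and a real check would feed in the KEXINIT captured from the router's SSH service.

```python
# Terrapin (CVE-2023-48795) exposure check on an SSH_MSG_KEXINIT payload.
# Added example for this thread, not code from Asuswrt or Asuswrt-Merlin;
# the two KEXINIT payloads at the bottom are constructed, not captured.
import struct

STRICT_KEX = {"kex-strict-s-v00@openssh.com", "kex-strict-c-v00@openssh.com"}
NAME_LISTS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def parse_kexinit(payload: bytes) -> dict:
    """Decode the ten RFC 4253 name-lists after the msg id and 16-byte cookie."""
    if payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}
    for name in NAME_LISTS:
        (n,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        out[name] = raw.split(",") if raw else []
        pos += 4 + n
    return out


def terrapin_exposure(payload: bytes) -> dict:
    """Which Terrapin-prone modes the peer offers, and whether strict kex is advertised."""
    k = parse_kexinit(payload)
    ciphers = set(k["enc_c2s"]) | set(k["enc_s2c"])
    macs = set(k["mac_c2s"]) | set(k["mac_s2c"])
    chacha = any(c.startswith("chacha20-poly1305") for c in ciphers)
    cbc_etm = (any(c.endswith("-cbc") for c in ciphers)
               and any(m.endswith("-etm@openssh.com") for m in macs))
    strict = bool(STRICT_KEX & set(k["kex"]))
    return {"chacha20": chacha, "cbc_etm": cbc_etm, "strict_kex": strict,
            "exposed": (chacha or cbc_etm) and not strict}


def build_kexinit(*lists: str) -> bytes:
    """Assemble a KEXINIT payload from ten name-list strings (constructed test data)."""
    body = b"".join(struct.pack(">I", len(s)) + s.encode("ascii") for s in lists)
    return b"\x14" + bytes(16) + body + b"\x00" + bytes(4)  # first_kex_packet_follows, reserved


ENC = "chacha20-poly1305@openssh.com,aes128-ctr"
# Constructed: a server without the fix that still offers ChaCha20-Poly1305.
OLD_SERVER = build_kexinit("curve25519-sha256", "ssh-ed25519", ENC, ENC,
                           "hmac-sha2-256", "hmac-sha2-256", "none", "none", "", "")
# Constructed: the same server after the strict-kex countermeasure is applied.
FIXED_SERVER = build_kexinit("curve25519-sha256,kex-strict-s-v00@openssh.com", "ssh-ed25519",
                             ENC, ENC, "hmac-sha2-256", "hmac-sha2-256", "none", "none", "", "")
```

A peer that mitigates by dropping the affected modes instead of adding strict kex also reports as not exposed, which is the other accepted fix.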
 
If I also provide username and password, it will not be a hack.;)

Hi--

Actually, weak/default usernames and passwords are STILL an issue in lots of places, just like in this 1989 book:


If you like to read, this is a great book.

No spoilers, but, hackers were trying to get all sorts of defense department information including about Reagan's Star Wars missile defense systems.

In one scene, the author is watching the hackers, and sees them log into Los Angeles Air Force Base (it's still there https://www.losangeles.spaceforce.mil ) using ADMIN/PASSWORD as user/PW, since like so many places at that time, they did not change the UNIX defaults.

He called the Duty Officer/Officer of the Day and told them someone from overseas had logged into their mainframe; the Duty Officer told him, "They can't, it has a password!"

He told them their username and password, and told them what directories they were copying over at the time.

As I recall, the Duty Officer saw he was correct, and unplugged the system.

Anyway, multiple incidents like this as he tracked them. And, getting the FBI to believe him at first was hard, then FBI wanted him to do a lot of work for them since they had NO ONE who knew anything about computers/UNIX/Hacking/or what was going on.

One of the scenes in the book is the author and his roommate going over charges for long distance calls from the house phone. You know, the phone on the wall, with the rotary dial.

I think we are at two generations of people who never experienced long distance calling charges?

Highly recommended.

Author Clifford Stoll, an astronomer by training, managed computers at Lawrence Berkeley National Laboratory (LBNL) in California. One day in 1986 his supervisor asked him to resolve an accounting error of 75 cents in the computer usage accounts. Stoll traced the error to an unauthorized user who had apparently used nine seconds of computer time and not paid for it. Stoll eventually realized that the unauthorized user was a hacker who had acquired superuser access to the LBNL system by exploiting a vulnerability in the movemail function of the original GNU Emacs.
 