New kernel version

networkplumber

Is there any plan in place to update to a later kernel version?
The 4.1 kernel reached end of life in 2018 and will not be getting any more security fixes.
Plus don't feel comfortable with having some of the kernel modules Merlin is using.
IMQ was never merged upstream because it was buggy. Is the out of tree tfat really necessary?
Understand that board support wifi is always a mess and ends up dragging in proprietary code.
 
Is there any plan in place to update to a later kernel version?
The 4.1 kernel reached end of life in 2018 and will not be getting any more security fixes.
Plus don't feel comfortable with having some of the kernel modules Merlin is using.
IMQ was never merged upstream because it was buggy. Is the out of tree tfat really necessary?
Understand that board support wifi is always a mess and ends up dragging in proprietary code.

Home oriented routers are not for you then.

Look at more professional stuff that isn't based on very old Linux/Busybox design, which is what all these cheap home routers are running.
Ubiquiti, Mikrotik, Cisco, TP-Link Omada are some ones to look at to start with.

If you don't need more than about 500 megs to 1G of WAN throughput (depending how many features you enable), the Ubiquiti ER-X router with their access points is a tough combo to beat.
 
Without Asus/Broadcom/etc completely starting from scratch anyway.

Since Asus WRT is essentially based on Linksys's original WRT-54G code, it probably is due for a full overhaul. Doubt they have any plans to do that though.
Sad because current Netgear and Linksys routers can run more recent OpenWrt which uses a supported kernel.
Concerned because vulnerabilities arrive all the time, and if not using upstream supported kernel then you are sheep.
 
Home oriented routers are not for you then.

Look at more professional stuff that isn't based on very old Linux/Busybox design, which is what all these cheap home routers are running.
Ubiquiti, Mikrotik, Cisco, TP-Link Omada are some ones to look at to start with.

If you don't need more than about 500 megs to 1G of WAN throughput (depending how many features you enable), the Ubiquiti ER-X router with their access points is a tough combo to beat.
Ubiquiti has its own business / trust issues.
Mikrotik uses same design and has violated GPL in past.
Cisco is overpriced, vulnerable.
TP-Link is ok as long as you update firmware.
The issue is that low end devices rarely get firmware updates.
 
Ubiquiti has its own business / trust issues.
Mikrotik uses same design and has violated GPL in past.
Cisco is overpriced, vulnerable.
TP-Link is ok as long as you update firmware.
The issue is that low end devices rarely get firmware updates.

Every single networking company out there has had a vulnerability or issue. The important part is how quickly they address it and how severe the issue was. Ubiquiti has been solid for me, there is some uproar over them trying to push people over to dream machine and trying to sunset Unifi, but it looks like they've backpedaled on that.

You really think OpenWRT is immune? Just because they use a newer Kernel (which may or may not work on Asus routers, not sure, would have to check their supported device list) does not make them immune to vulnerabilities and attacks.

Out of the whole list you really think TP Link is the most secure? I have bad news for you on that front.....
 
"How do we get a release out the door without pissing off our customers too much?"
  • It has to be "good enough" that customers will come back for a newer model some day.
  • It costs money to update firmware and remove bugs. If you can't charge more for that, you lose money.
  • It takes time to update firmware and remove bugs. A later release of, say, a WiFi 6 router means lost sales to competitors who weren't as concerned about up-to-date and stable.
  • Broadcom already has their license $$ for a given chip. If you want newer kernel drivers, buy a product with their new chip.
  • This community is a small minority of Asus' router business. If they pissed off everybody here, they'd still have enough business with people who aren't as informed or demanding, and who think the first release of firmware is "good enough".
Something that costs 5 cents (like good heatsink pads on the AC86) can be debated and left out if it's "good enough".

You're in the wrong product space to get up-to-date kernel, drivers, packages, etc.

Been there. My 2 cents.
 
Concerned because vulnerabilities arrive all the time,
A router barely uses a fraction of the kernel's features. A security vulnerability in the audio stack for instance will have no impact on a router. And Broadcom does backport fixes from upstream if they are relevant.

In the embedded space, kernels almost never get upgraded. Check your smartphone for instance, it will keep the same kernel version through its entire lifespan. Because migrating drivers to a new kernel version isn't just a simple recompile, it requires major development and investment, that make no business sense. So companies backport fixes rather than upgrading the entire stack, possibly introducing new issues.

The vast majority of exploitable security issues target userland, not kernel space. The kernel should be the last piece of software you should worry about on the router's entire software stack.
 
A router barely uses a fraction of the kernel's features. A security vulnerability in the audio stack for instance will have no impact on a router. And Broadcom does backport fixes from upstream if they are relevant.

Yes, concur...

there are dozens of subsystems that are not built in the kernel for routers, and most SDK's turn off unnecessary drivers and features to save space...

Backports for security are a given, some from the chipset OEM's, others from the device vendors themselves.

Most of the security issues are not the kernel directly, but in other parts of the SW - from Busybox to OpenSSL to Zlib and points in-between...
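The point made in the two posts above, that a flaw in a subsystem the router's kernel was not built with cannot be reached, can be checked against a kernel config. This is an added example, not part of the thread or of any firmware's code; the sample config is constructed, and `/proc/config.gz` only exists when the kernel was built with `CONFIG_IKCONFIG_PROC`.

```shell
#!/bin/sh
# Constructed sample of a router kernel .config (not taken from real firmware).
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=y
CONFIG_IPV6=y
CONFIG_USB_STORAGE=m
# CONFIG_SOUND is not set
# CONFIG_BT is not set'

# Print "builtin", "module" or "absent" for one tristate CONFIG_ symbol.
# $1 = symbol name, $2 = full config text
config_state() {
    line=$(printf '%s\n' "$2" | grep -E "^$1=" | head -n 1)
    case "$line" in
        "$1=y") echo builtin ;;
        "$1=m") echo module ;;
        *)      echo absent ;;   # "# ... is not set" or symbol missing entirely
    esac
}

# Print one "SYMBOL state" line per symbol.
# $1 = config text, remaining args = symbols that guard the code named in an
# advisory (assumption: one symbol per subsystem; advisories may name several).
triage() {
    cfg=$1; shift
    for sym in "$@"; do
        printf '%s %s\n' "$sym" "$(config_state "$sym" "$cfg")"
    done
}

# Count the symbols that are compiled in or loadable, i.e. the subsystems
# whose fixes still have to be tracked for this kernel.
exposed_count() {
    triage "$@" | grep -c -v ' absent$' || true
}

# Use the running kernel's config when it is exposed, else the sample above.
if [ -r /proc/config.gz ]; then
    CFG=$(zcat /proc/config.gz)
else
    CFG=$SAMPLE_CONFIG
fi
triage "$CFG" CONFIG_SOUND CONFIG_BT CONFIG_NETFILTER CONFIG_USB_STORAGE
```

A symbol reported as `module` is only reachable once the module is loaded, so it still belongs on the list of fixes to track.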
 
Since Asus WRT is essentially based on Linksys's original WRT-54G code, it probably is due for a full overhaul. Doubt they have any plans to do that though.

Based on my review of AsusWRT - there's a bit of Tomato in there, but most of it has been refactored over time to support the Vendor SDK's (remember, AsusWRT isn't just Broadcom) and their WebUI and applications suite.

To that end, there's a fair amount of patches, some upstream from sources, many from Asus directly - and if you were to sync up to RMerlin's Github Repo, you get the full monte, and a deeper appreciation for what the Asus SW team has to deal with...
 
Maybe you should investigate OpenWRT. There are several Asus AX routers based upon MediaTek SOCs that show up on the supported devices page (here's a link to their AX router search). OpenWRT is currently at kernel 5.15 (longterm) but moving to the next longterm kernel, 6.1. Some Qualcomm AX SOCs are also supported, with the snapshot (as opposed to a specific release) already at 6.1.38.
 
Maybe you should investigate OpenWRT. There are several Asus AX routers based upon MediaTek SOCs that show up on the supported devices page (here's a link to their AX router search). OpenWRT is currently at kernel 5.15 (longterm) but moving to the next longterm kernel, 6.1. Some Qualcomm AX SOCs are also supported, with the snapshot (as opposed to a specific release) already at 6.1.38.

But on the other hand, openwrt has had issues with security that may not be addressed as quickly as Asus. Not that Asus has not had issues but they are not relying on volunteers to manage the many, many customizations. Which is more important, the kernel that has limited exposure in this environment, or the user level stuff that is the primary attack surface?

Not saying any firmware is better or worse than any other, just don't go picking one based on a perceived (not actual) security issue.
 
Maybe you should investigate OpenWRT. There are several Asus AX routers based upon MediaTek SOCs that show up on the supported devices page (here's a link to their AX router search). OpenWRT is currently at kernel 5.15 (longterm) but moving to the next longterm kernel, 6.1. Some Qualcomm AX SOCs are also supported, with the snapshot (as opposed to a specific release) already at 6.1.38.

they're supported - just barely - and the WiFi driver support there has lots of room for improvement for the WiFi6 cards...

Similar goes with ath11k support for QCA as well as mt76...

Not making excuses here - the chipset vendors are not as open as it would appear...
 
But on the other hand, openwrt has had issues with security that may not be addressed as quickly as Asus.

Just want to say - on Master, OpenWRT is one of the most pro-active distro's out there to address security issues, not just in the kernel, but across the software packages...

They're well ahead of Asus on security...
 
they're supported - just barely - and the WiFi driver support there has lots of room for improvement for the WiFi6 cards...
Mediatek soc are well supported by openwrt. There's only a problem with 160mhz mode, which is possible for the chip but deprecated by mediatek. Somehow the openwrt team decided to leave the 160mhz mode available for those who live in a green field situation (0,5% of the world). The other 99,5% of the users need to compile the firmware with a patch to remove 160mhz, otherwise the upload speed drops to abysmal even if you use a 80mhz or 20mhz channel.
 
Just want to say - on Master, OpenWRT is one of the most pro-active distro's out there to address security issues, not just in the kernel, but across the software packages...

They're well ahead of Asus on security...
I just thought that I should add that maybe OpenWRT got the poor reputation during the period when they lost many developers to a fork named LEDE (dispute over rules and priorities, IIRC), which 18 months or so later re-merged with OpenWRT. However, this was when KRACK was discovered. LEDE had a fix out within a month, but OpenWRT lagged behind, basically until the re-merge a few months later. The OpenWRT/LEDE combo has been on point since then.
 
I just thought that I should add that maybe OpenWRT got the poor reputation during the period when they lost many developers to a fork named LEDE (dispute over rules and priorities, IIRC), which 18 months or so later re-merged with OpenWRT.

You realize that the split/fork of OpenWRT to LEDE was back in 2016...

Jan 2018 they sorted their differences and merged...


There is no "poor reputation" with OpenWRT - never has been...
 
There's only a problem with 160mhz mode, which is possible for the chip but deprecated by mediatek.

There is actually a problem with certain Mediatek chips there - so the driver default is 80 - you can go under the hood and play with things...
 
