[Release] Asuswrt-Merlin 384.6 is now available

Grisu

Part of the Furniture
I'm not trying to sound overly demanding, and so now I understand its not Merlin's fault. But unpatched vulnerabilities for a month seem like too large a window for those concerned with security. Which, back in my day was the whole reason to use open source firmware on a router. Because the vendor never actually patched anything. Now I guess open source firmware is just to sound cool, but in reality its becoming obsolete. It seems routers have more vendor support, and once that support ends so does the open source community support.

Although, I guess it is more comforting to know the source code for the updated firmware was only released two weeks ago, but still disconcerting because there is always groups of people in the know before the firmware is released let alone the source code. Too bad Merlin is not one of them, though I thought he was? Maybe he should not be so generous to them since the feeling is not mutual?

This is partly why Microsoft has changed its update policy, even though its somewhat in vain, because too many people always know the patches are coming before they are released. This goes for dark circles too.
I think you're completely wrong with your assumptions!
Nobody said that, Merlin even put in more security before Asus will do, for things he can do on his own.
Asus will only permanently fix their bugs weekly with new beta-soft they introduced in the last year and its ongoing.
Wifi and Aimesh issues mostly when Merlin not even supports Aimesh ...
 
I'm really getting sick and tired of these kind of posts...

I'll try not to make it overly personal (seriously) but I really have to get this off my chest. It'll probably be deleted as it's off-topic, but that's fine by me.

First of all:
I'm not trying to sound overly demanding
Sorry to say so, but to me you're not doing a great job at it.
But unpatched vulnerabilities for a month seem like too large a window for those concerned with security.
I agree (in general), but I'm confident every new security related issue gets assessed by @RMerlin. If you read through the various release threads, you'll find many occasions where Eric comments on questions regarding security issues and whether they're actually a real threat for most users. Actually, when it comes to the non-closed source components of AsusWRT, I wonder who's actually better at keeping AsusWRT safe.
there is always groups of people in the know before the firmware is released let alone the source code.
So is RMerlin, but keep in mind, it's a one man show, running volutarily in his free time and according to his own development cycle. Pushing doesn't help. I think we should be grateful for what he has done for the community, by unleashing our routers to their full potential. Who are we to 'demand' anything? Have you ever realised that Eric is releasing excellent firmware frequently, despite the fact that more and more components are getting closed source, while in the meantime ASUS has a complete development team working on it?
Maybe he should not be so generous to them since the feeling is not mutual?
As if you just read my mind* ! I wonder often how he keeps up with the sh*t some people are posting here, trying to not sound overly demanding, complaining, nagging and whining for updates. I personally have a tremendous amount of respect for him continuing his efforts to make Asuswrt-Merlin available to all of us. I would have probably given up long time ago.
*) Yes, I know that wasn't what you meant, but this intepretation of your comment seems even be more applicable in this case.
This is partly why Microsoft has changed its update policy
The comparison actually made me laugh. I think Microsoft's changes were mostly some sort of reputation management (no native tongue, so I don't know how else to describe this). Not saying it's bad thing, though. But you just can't compare a dedicated, voluntary developer spending lots of free time to a project like this to a trillion dollar tech company with unlimited resources.
This goes for dark circles too.
If you feel unsafe, please do feel free to return to stock firmware. If these security patches are reason for you to sacrifice all the additional functionality Asuswrt-Merlin has to offer, I'm actually wondering why you posted here in the first place.
 
Last edited by a moderator:

cooloutac

Very Senior Member
Hes a one man show, he doesn't think they are a threat. Got it.

As for the additional functionality, the only thing I liked to have was the temperature readings. Merlin doesn't have much else to offer me, so yes I went back to the stock firmware. I think its more stable and safer. I'm posting here because open source software always meant better security to me, and I'm still in shock how much times have changed.
 

dave14305

Part of the Furniture
To me, this is like everyone nagging Mom, "When is dinner going to be ready?" but no one willing to help prepare the meal or set the table.

I think individuals only look at the ASUSWRT-Merlin firmware from the perspective of their individual router model, and forget the need for ALL supported models' source code to be released by ASUS before RMerlin can really begin his next development cycle in earnest.

This place feels a little weird lately with some newer outspoken members, and the influx of new TM-AC1900 owners due to the recent deals posted on slickdeals. I've gone so far as to "ignore" a few members who I just don't want to give my attention to, which is unfortunate, but I still want to believe this is still a respectable forum, where we can treat each other intelligently.
 

ppfoong

Regular Contributor
Open source is never meant for selfish person.

The spirit of open source is that everyone can contribute something to make the thing great. There are so many ways to make contribution. You can contribute your codes, your technical logics, your business logics, your ideas, your designs, your optimization, your test results, your bug reports which should be specific for troubleshooting, your donation, your words of encouragement, ...

In this situation, you are going after the wrong party. In fact, you can make your contribution by chasing after Asus technical team, pushing them to release their source code faster, demanding them to reveal in detail documentation what they have technically changed in each release, etc.

Please, go after Asus, and bring back your result here. Looking forward for your contribution.
 

RMerlin

Asuswrt-Merlin dev
Open source means that anyone can spot flaws, and provide fixes. It does not mean that flaws and fixes happen faster than closed source products.

I'm devoting almost all of my spare time lately working on a far more glaring security flaw - the fact that DDNS updates were sent in the clear, without encryption. If that's not good enough for you and you also expect me to spot every other security issues in those hundred of thousands of lines of code on my own and also fix all of them on my own, and out of my spare time, then you simply have unreasonable expectations out of this project.

So once again, open source means that anyone can chip in, it does not mean that everything magically happens on its own and faster. The fact that a firmware contains hundreds of thousands of lines of code (versus a few thousands for your typical application) means it's impossible for one single developer to fully grasp it. Some of these issues (like a recent xss blacklist bug) are actually in closed source portions, meaning we can't even spot them nor fix them. Even Linus recently said that there are large portions of Linux's code that he's no longer familiar with, and he relies on module owners to take care of it. Combine that with the complexity of the code, and you have a very high learning curve ahead of anyone considering contributing to the code, spotting bugs and providing fixes. According to Github's stats, over the past 10 months, there's been a total of 8 persons who contributed code to the project. Only three of these provided more than one single commit, and a fourth one didn't directly contribute, it was code merged by one of us from another repo (dnsmasq code, to be precise).

Some of these reported security issues take months to be fixed by Asus (or other manufacturers for that matter). If for you the fact I can't do the same amount of fixing as a whole team of 20+ programmers within days isn't good enough, then go ahead, switch to the stock firmware. Better not use DDNS then, because I have no idea how long it will take before Asus resolves that one glaring security issue that's been there for years...

My point is, some issues are addressed faster by Asus, and other issues are addressed faster by me. It depends on who finds the issue first. Quite often I have addressed security issues weeks before Asus did. In some cases within a few days of the issue being reported to me. So I think it's totally unfair to claim that, suddenly, the proprietary stock firmware is more secure than mine, and that "open source has failed you". Because that's completely ignoring every single instance where the complete opposite happened.

And to comment on other people's posts about this, yes, it does get highly annoying to get these kind of public complains. And yes at times I do wonder whether it is worth all the trouble to go through all of this when I could be spending my spare time doing other, less demanding things. I know for a fact that many former Tomato devs quit because of these kind of things.
 

RMerlin

Asuswrt-Merlin dev
The fact that Asuswrt is open-sourced is also the reason why you can now use OpenVPN instead of the highly insecure PPTP that was supported by Asuswrt until I spent the time and efforts in implementing OpenVPN support to my firmware (which was afterward merged into the stock firmware). My firmware was also the first to support HTTPS (stock was still HTTP only). I was also the one that removed SSLv2 and SSLv3 support, got OpenSSL updated from an EOL to an actively supported version, and added support for ECDH ciphers to the webui. I'm also the one that added SSH support.

DNSSEC, DNSCrypt, DNS-over-TLS, FTP over TLS, all currently only available in open sourced variants of Asuswrt.

All of these security enhancements happened first in either my firmware or a fork of it. Because it's open-sourced.

I could also mention half a dozen buffer overruns I have personally fixed in networkmap over the years (before it became closed source). I fixed the infosrv backdoor within a few days.

Asuswrt as a whole has grown far more secure thanks to open sourced development.
 
Last edited:

peraburek

Senior Member
@RMelin - I can speak for myself, and I respect your work, stock ASUS firmware is nowhere near your work! If we would have completely open-source firmware provided from ASUS we could do even more, but ASUS finds it easier going closed source (hiding) rather than fixing bugs & security issues

what is necessary to be able to use curl --dns-interface option and --dns-ipv4-addr option ?

Code:
 curl --interface ppp0 http://www.ovh.net/files/md5sum.txt --dns-ipv4-addr 1.1.1.1  --dns-interface ppp0

curl: (4) A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.

this works without --dns options
curl --interface ppp0 http://www.ovh.net/files/md5sum.txt
curl --interface vlan2 http://www.ovh.net/files/md5sum.txt

I would like to use this in order to test if interface is up and running (Intenet HTTP TCP 80 connection check)
 

crapinon

Occasional Visitor
Any idea if/when RFC 4638 (baby jumbo frames, MTU1508) will be enabled on the new RT-AC86U?

I read that it is working correctly for ac66u/ac68u/rt-n16u/rt-n66u

TIA
 

RMerlin

Asuswrt-Merlin dev
what is necessary to be able to use curl --dns-interface option and --dns-ipv4-addr option ?

I'll have to check to determine what is required for this option to be enabled. I tried to limit the build time options to save on size and external requirements.

Any idea if/when RFC 4638 (baby jumbo frames, MTU1508) will be enabled on the new RT-AC86U?

I read that it is working correctly for ac66u/ac68u/rt-n16u/rt-n66u

TIA

Will probably be up to Asus. The RT-AC86U uses a different switch with a different API, so I have no idea how to configure/control that new switch.
 

RMerlin

Asuswrt-Merlin dev
@RMelin - I can speak for myself, and I respect your work, stock ASUS firmware is nowhere near your work! If we would have completely open-source firmware provided from ASUS we could do even more, but ASUS finds it easier going closed source (hiding) rather than fixing bugs & security issues

what is necessary to be able to use curl --dns-interface option and --dns-ipv4-addr option ?

Code:
 curl --interface ppp0 http://www.ovh.net/files/md5sum.txt --dns-ipv4-addr 1.1.1.1  --dns-interface ppp0

curl: (4) A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.

this works without --dns options
curl --interface ppp0 http://www.ovh.net/files/md5sum.txt
curl --interface vlan2 http://www.ovh.net/files/md5sum.txt

I would like to use this in order to test if interface is up and running (Intenet HTTP TCP 80 connection check)

The various DNS features require an additional library (c-ares). Since that would only be used by curl and for that esoteric feature, I currently have no plan to add it, sorry.
 

Henk59

Regular Contributor
(Minor) Router crash with this fw. on AC86, OpenVPN couldn't connect to ISP VPN Sever, it works for some month's just fine.
Nothing has changed on the server side and nothing has changed in the router.
BUT it wouldn't connect to the outside server after this morning.

After trial and error, I decide to upload the latest Settings_RT-AC86U.CFG
And after that OpenVPN works again.
Restore backup_jffs.tar resulting in an file error, thats strange to me.
Anyone some hints.
Thanks in advance.
 

lev

New Around Here
@RMelin, please keep the faith. Many of us do appreciate all you have done. Don't let those who don't take the time to inform themselves sway you. Those of us who have followed your work for years know that you are very focused on security, that you have actually led the way in this area and understand that you have limited resources to devote to the project and must prioritize. Allow me again to say thanks to you for everything you do related to this project!
 
Last edited:

AntonK

Very Senior Member
@RMelin, please keep the faith. Many of us do appreciate all you have done. Don't let those who don't take the time to inform themselves sway you. Those of us who have followed your work for years know that you are very focused on security, that you have actually led the way in this area and understand that you have limited resources to devote to the project and must prioritize. Allow me again to say thanks to you for everything you do related to this project!
Hear, hear!
 

bmn1

Senior Member
My WiFi oven has stopped connecting to the cloud even though it responds to ping. If I check connections it says SYN_SENT on a bunch of TCP connections from the oven.

This is s problem since I cannot adjust temperature now.

Coincidence or could there be something in this release causing it? I think I updated to this firmware around the time when it stopped working.
 

Asad Ali

Very Senior Member
@RMerlin My load averages on AC86U is constantly above 3, is it normal for that router?

Load average: 3.50 3.34 3.42
 

muffintastic

Senior Member
@RMerlin Will the UI get a remake for mobile phones, instead of the desktop mode, is this a closed source thing or is it possible to do? So, the router can switch between mobile and desktop mode automatically.
 

ppfoong

Regular Contributor
@RMerlin Will the UI get a remake for mobile phones, instead of the desktop mode, is this a closed source thing or is it possible to do? So, the router can switch between mobile and desktop mode automatically.

For mobile you should make use of Asus Router app. Can download from app store.
 

RMerlin

Asuswrt-Merlin dev
My load averages on AC86U is constantly above 3, is it normal for that router?

Yes.

Will the UI get a remake for mobile phones, instead of the desktop mode, is this a closed source thing or is it possible to do? So, the router can switch between mobile and desktop mode automatically.

Such major changes are beyond the scope of this project, and would make it impossible to keep things in sync with Asus.
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top