RT-AC68U problem with DHCP?

jarip

Occasional Visitor
I have a problem with ASUS RT-AC68U:

1. After installing ASUS firmware 3.0.0.4.386.49703 I could not access web GUI anymore. Did reset factory defaults and configured, everything seemed to be ok.

2. Sometime later noticed, that web GUI was again unreachable, so repeated #1.

3. Sometime later Web GUI became unreachable again.

4. Did reset factory defaults, but did not configure more than just get the GUI up.

5. Loaded Asuswrt RT-AC68U_386.7_2.trx and configured, all seemed to be ok.

6. Next day opened the GUI and rebooted from there just to be sure, that all is still ok. GUI indicated applying settings for quite some time, which was weird, because I had not made any changes with GUI.

7. After reboot GUI was again unreachable, so I tested with nmap TCP SYN scanning ports 1-65535. Nmap found these TCP ports open: 53, 7788 and 18017.

What is going on?

TCP port 7788 seems to be used by some trojans, so do I have malware somewhere in LAN? Capable of hacking the router?

Edit: Router is in AP mode and behind pfSense firewall.
 

ColinTaylor

Part of the Furniture
TBH it's unlikely that you've been hacked. There are numerous reports of the web interface becoming unresponsive/unreachable. It's not something I've personally suffered from so I haven't been following the detail of those posts.

I'm assuming that you haven't enabled remote access to the web interface. If you have then disable it immediately.

As for ports 53, 7788 and 18017, they're all normal.

I suggest that you enable SSH access from the LAN only. Then when the problem occurs you can log in and see what processes are running (or not).

Also examine the router's System Log for error messages.
 

bennor

Very Senior Member
Just to clarify. Do you have an Asus branded RT-AC68U or a T-Mobile branded RT-AC68U?
Some common troubleshooting questions/steps:
Have you disconnected the router from broadband when performing the firmware update?
Do you have a USB hard drive attached to the router? (If so remove it when doing a firmware update.)
Have you tried a different web browser, or disabled all browser extensions? Or use a different computer, one that is connected direct by Ethernet to the RT-AC68U?
Have you, or are you, doing a hard factory reset using the WPS button?
Have you downloaded the Asus firmware or the Asus Merlin firmware from the source sites (not from third party sites) and checked their MD5/SHA256 signature values?
 

jarip

Occasional Visitor
> TBH it's unlikely that you've been hacked. There are numerous reports of the web interface becoming unresponsive/unreachable. It's not something I've personally suffered from so I haven't been following the detail of those posts.
>
> I'm assuming that you haven't enabled remote access to the web interface. If you have then disable it immediately.
>
> As for ports 53, 7788 and 18017, they're all normal.
>
> I suggest that you enable SSH access from the LAN only. Then when the problem occurs you can log in and see what processes are running (or not).
>
> Also examine the router's System Log for error messages.

Up to and including ASUS firmware 3.0.0.4.386.48262 I have never experienced this kind of behaviour, although I must say, that because RT-AC68U has been so stable, there has been no reason to reboot it except for when updating firmware.

Router is behind firewall, so no remote access. It is possible to get to web GUI via wifi connection (if one knows wifi password, or can somehow bypass it), but GUI is password protected.

According to speedguide.net, 7788 is used by trojans.

I don't have access to the GUI now, so is it possible to restrict SSH to the LAN only?
 

jarip

Occasional Visitor
> Just to clarify. Do you have an Asus branded RT-AC68U or a T-Mobile branded RT-AC68U?
> Some common troubleshooting questions/steps:
> Have you disconnected the router from broadband when performing the firmware update?
> Do you have a USB hard drive attached to the router? (If so remove it when doing a firmware update.)
> Have you tried a different web browser, or disabled all browser extensions? Or use a different computer, one that is connected direct by Ethernet to the RT-AC68U?
> Have you, or are you, doing a hard factory reset using the WPS button?
> Have you downloaded the Asus firmware or the Asus Merlin firmware from the source sites (not from third party sites) and checked their MD5/SHA256 signature values?

This is ASUS branded RT-AC68U.

Usually I have not disconnected it from internet (that is from pfSense firewall) and there is no USB disk connected.

Different browser is of no help in this situation, because the router has no TCP port open to connect to for the GUI.

I have done hard factory reset and also formatted the jffs partition. Both firmware packages were downloaded from source.
 

ColinTaylor

Part of the Furniture
> TCP port 7788 seems to be used by some trojans, so do I have malware somewhere in LAN? Capable of hacking the router?

It's not a trojan. Port 7788 is used by Asus for their cfg_server process which is part of the AiMesh support.

> Edit: Router is in AP mode and behind pfSense firewall.

Even less likely you've been hacked then.

> I don't have access to the GUI now, so is it possible to restrict SSH to the LAN only?

You said that GUI access returns after you reboot so I suggest that you enable SSH access straight after the reboot (Administration - System).
 

jarip

Occasional Visitor
> It's not a trojan. Port 7788 is used by Asus for their cfg_server process which is part of the AiMesh support.
>
> You said that GUI access returns after you reboot so I suggest that you enable SSH access straight after the reboot (Administration - System).

Re port 7788: OK, that is good to know.

Re GUI access:

> 7. After reboot GUI was again unreachable, so I tested with nmap TCP SYN scanning ports 1-65535. Nmap found these TCP ports open: 53, 7788 and 18017.

Rebooting does not bring back access to GUI.
 

ColinTaylor

Part of the Furniture
> Up to and including ASUS firmware 3.0.0.4.386.48262 I have never experienced this kind of behaviour, although I must say, that because RT-AC68U has been so stable, there has been no reason to reboot it except for when updating firmware.

It's quite possible that it's simply a bug in the latest firmware. As you're using it in AP mode there's probably no great need to be on the latest firmware. You could just go back to the previous firmware and wait for the next firmware update from Asus.
 

ColinTaylor

Part of the Furniture
Another random thought... Try setting the GUI "Authentication Method" to "Both" rather than just "HTTP". That way if the httpd process dies there's a chance that httpds will still be running allowing you access on port 8443.
 

jarip

Occasional Visitor
> Another random thought... Try setting the GUI "Authentication Method" to "Both" rather than just "HTTP". That way if the httpd process dies there's a chance that httpds will still be running allowing you access on port 8443.

"Both" was configured with both used firmwares.

I think I'll revert back to 3.0.0.4.386.48262 (or Asuswrt RT-AC68U_386.5_0) and stick with it, if GUI stays available across reboots. If not, then I guess it's time to get a new router.
 

jarip

Occasional Visitor
I was getting ready to revert the firmware and connected the router directly to a laptop, which is normally connected via wifi. I disconnected the router from LAN, power cycled it and fired up Asus Discovery, which found the router at 192.168.1.1. I thought that maybe that was at least related to the reason, why I couldn't access web GUI earlier (router's LAN segment is 192.168.3.*). Because the router had no connection to the firewall/DHCP-server, it chose the default IP, I guess.

I changed "Get LAN IP Automatically?" from "Yes" to "No" and filled the rest of the fields with relevant information. Then I connected the router to LAN and rebooted it. GUI was accessible to a PC in another LAN segment, even after a couple of more reboots initiated from GUI. Will keep an eye on it.

Seems like there might be an issue with DHCP, in lease renewal, perhaps.
 

Tech9

Part of the Furniture
> Router is in AP mode and behind pfSense firewall.

What IP address are you using to access the GUI? It changes to what your firewall’s DHCP is assigning to it. Sometimes simple things are missed in the process.
 

jarip

Occasional Visitor
> What IP address are you using to access the GUI? It changes to what your firewall’s DHCP is assigning to it. Sometimes simple things are missed in the process.

PfSense has static mappings based on MAC addresses that live in the LAN segment, so it would always give the same IP address for the router. The one, that is now configured to be used as router's LAN IP. After that I have not had any trouble accessing web GUI.

I don't have any recollection of how the router's LAN IP was configured up to and including ASUS firmware 3.0.0.4.386.48262, it probably was static. It would be somewhat interesting to find out the root cause for the trouble with DHCP, but I've always considered the router as an appliance, not something I would like to tinker with. Now that it works, why bother.
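
The situation this thread ends on, an access point answering at 192.168.1.1 instead of its expected address in 192.168.3.*, can be checked from a LAN host by looking up the device's MAC address in the neighbour table before suspecting a compromise. The shell code below is an added example, not part of the thread; the MAC addresses, the expected address 192.168.3.2 and the function names are constructed for illustration, and it assumes the host has an address in both subnets (for instance a temporary secondary address) so that both entries can appear in `ip neigh show`.

```shell
#!/bin/sh
# Constructed sample of `ip neigh show` output (not captured from the thread's
# network). 02:00:00:00:00:aa stands in for the access point's MAC address.
SAMPLE_NEIGH='192.168.3.1 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
192.168.1.1 dev eth0 lladdr 02:00:00:00:00:aa STALE
192.168.3.20 dev eth0 lladdr 02:00:00:00:00:14 REACHABLE
192.168.3.7 dev eth0  FAILED'

# find_ip_by_mac NEIGH_TEXT MAC
# Prints every address the neighbour table maps to MAC (case-insensitive match).
find_ip_by_mac() {
    printf '%s\n' "$1" | awk -v mac="$2" '
        BEGIN { mac = tolower(mac) }
        {
            # Entries without a resolved MAC (FAILED/INCOMPLETE) have no lladdr field.
            for (i = 1; i < NF; i++)
                if ($i == "lladdr" && tolower($(i + 1)) == mac) print $1
        }'
}

# check_ap_address NEIGH_TEXT MAC EXPECTED_IP
# Prints "OK <ip>" (exit 0), "MOVED <ip...>" (exit 1) or "ABSENT" (exit 2).
check_ap_address() {
    found=$(find_ip_by_mac "$1" "$2")
    if [ -z "$found" ]; then
        echo "ABSENT"
        return 2
    fi
    for ip in $found; do
        if [ "$ip" = "$3" ]; then
            echo "OK $ip"
            return 0
        fi
    done
    # The device is on the wire, but not at the address the static mapping implies.
    echo "MOVED $(echo $found)"
    return 1
}

# Demo on the constructed sample; on a live host pass "$(ip neigh show)" instead.
check_ap_address "$SAMPLE_NEIGH" "02:00:00:00:00:AA" "192.168.3.2" || true
```

A "MOVED" result means the device is alive but sitting at a fallback or otherwise unexpected address, which matches the symptom of a GUI that appears to have vanished.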
 
