Asus RT-AC68U

Everyone is welcome to come and chat happily together
RCHK
Posts: 773
Joined: Thu Oct 30, 2014 12:34 pm

Re: Asus RT-AC68U

Post by RCHK »

384.8 (2-Dec-2018)

- NOTE: Asus has put the RT-AC56U on their End of Life
list, meaning no further firmware releases from
them. Since it's impossible for me to support
models without matching GPL releases from Asus,
I also have to retire the RT-AC56U. 384.6 is
the final release for that model.

- NOTE: The RT-AC3200 and RT-AC87U are not supported by this
release, Asus hasn't released any updated code yet for
these models.

  - NEW: Added RT-AX88U support (based on GPL 384_4736).
  - NEW: Merged with GPL + binary blobs from 384_32799 (all
         supported models except RT-AX88U)
  - NEW: Add LZ4 V2 option to OpenVPN compression
         (more effective at handling already compressed
         data)
  - NEW: Added "extend" support to SNMP.
  - NEW: Added CleanBrowsing to DNSFilter supported services.
  - NEW: Webui HTTP LAN port can now be changed from the default 80.
  - NEW: Added support for the Netfilter TEE target.
  - CHANGED: Removed watchdog from OpenVPN clients, to avoid
             conflicting with more advanced configurations.
  - CHANGED: Vsftpd TLS mode will now reuse the web server
             certificate (including any Let's Encrypt generated
             one).
  - CHANGED: SSL crypto/cipher hardening for httpd (themiron)
  - CHANGED: Syslog will now ignore bwdpi debug output (themiron)
  - CHANGED: Reworked Wireless Log page, adding a new button to
             view low-level details (what stock firmware shows
             on its Wireless Log page), and removed redundant
             option to display DFS channel details.
  - CHANGED: Update dnsmasq to 2.80-11-g59e4703 (themiron)
  - CHANGED: Updated nettle to 3.4
  - CHANGED: Updated net-snmp to 5.8
  - CHANGED: Updated openssl to 1.0.2q
  - CHANGED: Migrated /jffs/ssl/* content to /jffs/.cert (to
             share the same folder used by Asus stock)
  - CHANGED: Re-enabled WTFast on non-HND models (curl-related
             crash has been fixed).  This is still untested.
  - CHANGED: Updated CA bundle to October 17th 2018 version.
  - CHANGED: Support search domains pushed by a remote OpenVPN
             server
  - FIXED: UPNP port forwarding not working in CGNAT/double NAT
           scenario even if proper ports were forwarded upstream.
  - FIXED: Pages based on table.js (like the port trigger one)
           would fail to work properly under Firefox
           (Michael Ziminsky)
  - FIXED: Dnsmasq issues when running in non-router mode
           (John Bacho)
  - FIXED: Routing issues when in non-router mode (John Bacho)
  - FIXED: Bug in curl that could cause some applications to
           crash on non-HND models
  - FIXED: IFTTT failing to start on non-HND models (caused by
           curl issue).
  - FIXED: Webui could complain about port 8080 being reserved for
           http WAN port (which is no longer supported)
  - FIXED: Cannot change image for device with a vendor name
           containing an apostrophe (like Micro-Star int'l)
           (Asus bug)
  - FIXED: OpenVPN client download was capped by Adaptive QOS
           upload limit (fix devised by FreshJR)
  - FIXED: OpenVPN custom config might be lost after a reboot
           on the RT-AC86U.
RCHK
Posts: 773
Joined: Thu Oct 30, 2014 12:34 pm

Re: Asus RT-AC68U

Post by RCHK »

384.9 (xx-xxx-xxxx)

  - NEW: Temporarily reorganized code in separate branches, to handle
         Asus's currently scattered firmware source code releases.
         The GPL situation for this release is as follows:
     o RT-AX88U: Merged GPL 384_5329
     o Other models: Merged GPL 384_45149.
     o Special binary blobs provided by Asus for the RT-AC87U
       and RT-AC3200 (compatible with 384_45149).

  - NEW: Added NFS client support (V2 and V3) to the
         RT-AC86U and RT-AX88U (already present in older models)
  - NEW: Report the number of spatial streams and the PHY type
         used by wireless clients for models supporting it
  - NEW: Display tracked connections on the QoS Stats page (now
         relabeled "Classification").
         Fields can be sorted by clicking on the column headers.
         Thanks to FreshJr for his help in deciphering the packet
         mark values.

  - NEW: Implemented ipsec.postconf and strongswan.postconf scripts.
  - KNOWN ISSUE: dcd process crashing on RT-AC86U (bug in Trend
                 Micro's code, outside of my control).
  - KNOWN ISSUE: IPv6s on Tracked Connections have their last
                 two bytes set to 00 (bug in Trend Micro's
                 code truncating the last two bytes).
  - KNOWN ISSUE: No IPS events logged (bug in Asus's code,
                 IPS should work, just fails to log hits)
  - KNOWN ISSUE: Networkmap listing may be unreliable.
                 (Bug in Asus's code)
  - KNOWN ISSUE: Users failing to read changelogs will
                 probably complain about the above issues.
                 (Outside of my control).
  - CHANGED: Updated wget to 1.20.
  - CHANGED: Updated nano to 3.2.
  - CHANGED: Updated curl to 7.62.0.
  - CHANGED: Updated Chart.js to 2.7.3.
  - CHANGED: Updated dnsmasq to 2.80-32-g28cfe36 (themiron)
  - CHANGED: Optimized some JS files to reduce their size
  - CHANGED: OpenVPN clients can now accept CNs up to 255 chars
             when using it to validate the certificate.
  - CHANGED: No longer reset the OpenVPN client's description,
             policy mode and existing rules when uploading an
             .ovpn config file.
  - CHANGED: No longer accept any server-provided route
             when OpenVPN client set to Policy (Strict).
  - CHANGED: Clients bound to DNSFilter rules will no longer
             bypass it by using DoT.  DNSFilter servers that
             support DoT (like Quad9) will only allow filtered
             clients to use that server
  - FIXED: Firmware update checks would not run at boot time
           on the RT-AX88U.
  - FIXED: Name resolution issues for /etc/hosts entries on
           HND models (themiron)
  - FIXED: Syslog not properly copied to JFFS on reboot
           (John Bacho)
  - FIXED: Volumes not properly unmounted on HND platform
           (John Bacho)
  - FIXED: Added missing TEE Netfilter target on the RT-AC86U
  - FIXED: SSH brute force protection didn't work in Dual WAN
           load balancing mode.
  - FIXED: httpd crashes on RT-AC86U (themiron)
  - FIXED: DNSFilter clients could use a different nameserver
           when using an IPv6 connection
  - FIXED: USB disk idle config changes not applying without a
           reboot.
  - FIXED: "Strict" DNS mode wasn't working properly with OpenVPN
           clients
  - FIXED: Cannot upload JFFS backup on HND models
RCHK
Posts: 773
Joined: Thu Oct 30, 2014 12:34 pm

Re: Asus RT-AC68U

Post by RCHK »

384.10 (xx-xxx-2019)

  - NEW: Added OpenSSL 1.1.1a in parallel to 1.0.2.  Some services
         are still linked against 1.0.2 because only Asus can
         recompile these (like AiCloud).

         Services that currently use OpenSSL 1.1.1:
         httpd (webui), OpenVPN, wget, net-snmp,
         Tor, Strongswan (IPSEC server), inadyn, vsftpd.

         Note that 1.1.x is slightly slower than 1.0.2, however
         some services can benefit from the TLS 1.3 support (faster
         connection establishing).

         Models that lack AES acceleration will prioritize the use
         of CHACHA20 over AES-256-GCM, for a small performance
         improvement (for instance with the webui).

         Note that OpenVPN 2.4.7's support is still limited.
         TLS 1.3 should be supported, but CHACHA20 support is
         only expected with OpenVPN 2.5.0.

         The 1.0.2 userspace tool is still named "openssl", while
         the 1.1.x version is named "openssl11".

  - CHANGED: Some firmware cleanups to regain flash space (for
             use with the parallel OpenSSL 1.1.x install)
             (RMerlin, Themiron)
  - CHANGED: Updated curl to 7.64.0.
  - CHANGED: Updated OpenVPN to 2.4.7.
  - CHANGED: Updated Tor to 0.3.5.8.
  - CHANGED: Updated strongswan to 5.7.2.
  - CHANGED: Updated OpenSSL 1.0.x to 1.0.2r.
  - CHANGED: Updated dnsmasq to 2.81-g6799320.
  - CHANGED: Removed CFB and OFB ciphers from OpenVPN client
  - CHANGED: Limit Classification entries to 300 max, to prevent
             major performance issues with many connections.
  - CHANGED: Strongswan is no longer compiled 64-bit
             on HND, allowing it to use a shared openssl library
             instead of a static one.  This should significantly
             reduce the memory usage of Strongswan as well as
             flash usage.  (Themiron)
  - FIXED: IPSEC log display wasn't properly formatted (showed
           entirely on a single line)
  - FIXED: Compatibility issues between recent Tuxera NTFS driver
           and Samba
  - FIXED: NFSv2 support
  - REMOVED: Beceem Wimax driver.  This is deprecated, and was
             already removed from the HND models.  This allows
             to reclaim close to 2 MB of flash space.
RCHK
Posts: 773
Joined: Thu Oct 30, 2014 12:34 pm

Re: Asus RT-AC68U

Post by RCHK »

384.10_2 (3-Apr-2019)

  - CHANGED: Increased OpenVPN interface queue length from 100
             to 1000 bytes, to reduce the amount of dropped
             packets if router can't keep up.
  - CHANGED: Updated CA bundle to January 23rd version
  - FIXED: Movistar VLAN routes weren't properly configured
           (broken quagga configuration)
  - FIXED: Layout issues on the Wireless Log page for some
           models
  - FIXED: Missing tooltip content for the new local DNS
           resolution setting on the Tweak page
  - FIXED: FAQ URL on Bandwidth Monitor points to a non-existing
           page on Asus's servers (point to old page for now)
  - FIXED: OpenVPN CA would be overwritten if there was no
           server key or cert present - only generate them
           if all three are missing.
  - FIXED: Bandwidth Limiter not working properly in some
           cases, as it failed to disable hardware acceleration
RCHK
Posts: 773
Joined: Thu Oct 30, 2014 12:34 pm

Re: Asus RT-AC68U

Post by RCHK »

384.11 (xx-xxx-2019)

  - NEW: DNS-Over-TLS (also known as DoT) is now supported.
         You can configure it on the WAN -> Internet Connection
         page.  You can manually add your own servers, or choose
         one (or a few) from the preset list.  (themiron)
  - NEW: NTP daemon on the router, to allow your LAN clients to
         synchronize their clocks with it.
  - NEW: Added service-event-end custom script, executed at the
         end of an rc service call.  Receives the same arguments
         as service-event, but is a non-blocking script.
  - UPDATED: RT-AX88U to 384_5951 GPL.
  - UPDATED: Other models to 384_45713 GPL (RT-AC87U, RT-AC3200 and
             RT-AC5300 still using 384_45149 binary blobs)
  - UPDATED: Nano 4.0.
  - UPDATED: Curl 7.64.1.
  - UPDATED: Dropbear 2019.78.
  - CHANGED: Replaced the custom ntpclient with a proper ntpd
             implementation, for reduced memory footprint and
             increased accuracy.
  - CHANGED: Made the secondary NTP server configurable through the
             webui.  Note that ntpd will use BOTH servers, so clear
             the second server if there is one and you don't want
             to use it.
  - CHANGED: Re-designed firmware upgrade page, moving the schedule
             option to that page, and removed support for the Beta
             channel.
  - CHANGED: Removed popup messages showing on the DDNS page when
             a service state change was detected.  Report it within
             the page instead.
  - CHANGED: Report available firmware version within the new firmware
             notification popup.
  - CHANGED: Moved LED control (formerly known as Stealth Mode) to
             the System page.
  - CHANGED: Do not restart whole network whenever changing an IP
             reservation on the Networkmap card.
  - CHANGED: Allow URLs up to 64 chars long on the URL filter.
  - CHANGED: pre-mount user script now receives the filesystem
             as second argument.
  - CHANGED: Moved various DNS-related settings from the DHCP page
             to a more appropriate location on the WAN page.
  - CHANGED: OpenSSL default dir moved to /etc/ssl/.  Allows
             programs to automatically locate the CA bundle
             without requiring explicit configuration.
  - FIXED: Reboot scheduler would sometimes get stuck or corrupt
           plugged USB drives.  Now doing a more thorough
           shutdown of services, should hopefully make it
           more reliable.
  - FIXED: CVE-2019-1543 issue with Chacha20-poly1305 in
           OpenSSL 1.1 (themiron)
  - FIXED: Client count on the Sysinfo page was missing
           Guest clients
  - FIXED: Miniupnpd sometimes sending ssdp notifies to
           the wrong interface (themiron)
RCHK
Posts: 773
Joined: Thu Oct 30, 2014 12:34 pm

Re: Asus RT-AC68U

Post by RCHK »

384.11 (8-May-2019)

  - NEW: Added DNS Privacy feature, with support for
         DNS-over-TLS (also known as DoT).
         You can configure it on the WAN -> Internet Connection
         page.  You can manually add your own servers, or choose
         one (or a few) from the preset list.  (themiron)
  - NEW: NTP daemon on the router, to allow your LAN clients to
         synchronize their clocks with it.
  - NEW: Option to intercept NTP requests from clients, and
         redirect them to the router's own NTP daemon.
  - NEW: Added service-event-end custom script, executed at the
         end of an rc service call.  Receives the same arguments
         as service-event, but is a non-blocking script.
  - NEW: Added sqlite3 CLI command, to allow script authors to
         create/manage their own sqlite3 database
  - UPDATED: RT-AX88U to 384_5951 GPL.
  - UPDATED: Other models to 384_45713 GPL (RT-AC87U, RT-AC3200
             and RT-AC5300 still using 384_45149 binary blobs)
  - UPDATED: Nano 4.0.
  - UPDATED: Curl 7.64.1.
  - UPDATED: Dropbear 2019.78.
  - CHANGED: Replaced the custom ntpclient with a proper ntpd
             implementation, for reduced memory usage and
             increased accuracy.
  - CHANGED: Made the secondary NTP server configurable through the
             webui.  Note that ntpd will use both servers, so clear
             the second server if there is one and you don't want
             to use it.
  - CHANGED: Re-designed firmware upgrade page, moving the schedule
             option to that page, and removed support for the Beta
             channel.
  - CHANGED: Removed popup messages showing on the DDNS page when
             a service state change was detected.  Report it within
             the page instead.
  - CHANGED: Report firmware version within the new firmware
             notification popup that appears at the top of the webui.
  - CHANGED: Moved LED control (formerly known as Stealth Mode) to
             the System page.
  - CHANGED: Do not restart whole network whenever changing an IP
             reservation on the Networkmap card.
  - CHANGED: Allow URLs up to 64 chars long on the URL filter.
  - CHANGED: pre-mount user script now receives the filesystem
             as second argument.
  - CHANGED: Moved various DNS-related settings from the DHCP page
             to a more appropriate location on the WAN page.
  - CHANGED: OpenSSL default dir moved to /etc/ssl/.  Allows
             programs to automatically locate the CA bundle
             without requiring explicit configuration.
  - CHANGED: Optimized service restarts generated by the
             System page.
  - CHANGED: Replaced Network Analysis and Netstat pages (under
             Network Tools) with new versions based on Asus's
             Netool daemon (RT-AC86U, RT-AX88U)
  - FIXED: Reboot scheduler would sometimes get stuck, or corrupt
           plugged USB drives.  Now doing a more thorough
           shutdown of services, should hopefully make it
           more reliable.
  - FIXED: CVE-2019-1543 issue with Chacha20-poly1305 in
           OpenSSL 1.1 (themiron)
  - FIXED: Client count on the Sysinfo page was missing
           Guest clients
  - FIXED: Miniupnpd sometimes sending ssdp notifies to
           the wrong interface (themiron)
  - FIXED: udpxy not working when using the Movistar
           IPTV profile on RT-AC86U and RT-AX88U.
RCHK
Posts: 773
Joined: Thu Oct 30, 2014 12:34 pm

Re: Asus RT-AC68U

Post by RCHK »

384.12 Beta 1 (xx-xxx-2019)

  - NEW: Added WS-Discovery support.  This allows Windows clients
         to detect the router's shared USB drives even if SMBv1
         support is disabled.
  - NEW: Re-added option to extend the WAN's TTL (from stock
         firmware, was previously disabled as it used to
         be broken)
  - UPDATED: RT-AC3200 and RT-AC87U to 382_51634/51636 binary blobs
             (with a few exceptions for 384_xxxx compatibility)
  - UPDATED: Merged GPL 384_45717 (except for RT-AX88U)
  - UPDATED: Nano 4.2.
  - UPDATED: OpenSSL-11x to 1.1.1c.
  - UPDATED: OpenSSL-10x to 1.0.2s.
  - UPDATED: curl 7.65.0.
  - UPDATED: miniupnpd 20190604.
  - CHANGED: Local clients will be shown by their hostname
             on the Classification page.
  - CHANGED: Reworked handling of up/down events in OpenVPN.
             Server instance will now also use its own
             updown script, which will handle firing up
             openvpn-event (if present).
  - CHANGED: Inbound traffic sent to you through an OpenVPN client
             will now be dropped by default.  This can be changed
             through the new "Inbound Firewall" parameter found
             on the OpenVPN client page.  You should only change
             this to "Allow" if running a site2site tunnel with
             a trusted remote server, or if you do expect
             traffic to be forwarded to you through the tunnel.
  - CHANGED: The router will now use ISP-provided resolvers
             instead of local dnsmasq when attempting to
             resolve addresses, for improved reliability.
             This reproduces how stock firmware behaves.
             This only affects name resolution done
             by the router itself, not by the LAN clients.
             The behaviour can still be changed on the
             Tools -> Other Settings page.
  - CHANGED: Randomize the serial number of certificates
             generated by the router for its httpd.  If
             using a router-generated certificate, then
             it's recommended to generate a new one.
  - CHANGED: Allow USB idle values up to 9999.
  - CHANGED: Replaced Network Analysis and Netstat pages (under
             Network Tools) with new versions based on Asus's
             Netool daemon for non-HND models, but based
             around the more limited traceroute busybox applet.
             RT-AC86U and RT-AX88U still use the newer
             traceroute executable.
  - FIXED: openvpn-event script not launching if the
           client was configured in Secret Key auth
           mode.
  - FIXED: IPv6 on RT-AX88U - backported accept_ra fix
           from 45717 (themiron)
  - FIXED: Memory leak in erp_monitor process.
RCHK
Posts: 773
Joined: Thu Oct 30, 2014 12:34 pm

Re: Asus RT-AC68U

Post by RCHK »

384.13 (xx-xxx-xxxx)

  - NEW: AiMesh Router and node support.  Note that automatic live
         update of Merlin-based nodes is not supported, you will have
         to manually update any Merlin-based nodes when a new firmware
         is available.  Asus-based nodes (which is recommended) will be
         able to make use of the automatic live update.
  - NEW: ChaCha20-Poly1305 support in Strongswan (themiron)
  - UPDATED: RT-AX88U to GPL 384_6210.
  - UPDATED: Curl 7.65.3.
  - CHANGED: dhcp_staticlist no longer contains hostnames, these
             have been moved to dhcp_hostnames for better
             compatibility with upstream and closed source
             components, also allows more static leases to be
             defined before reaching the size limit.
  - CHANGED: Replace Nettle with OpenSSL for dnsmasq's DNSSEC
             validation, which opens the door to supporting
             more ciphers.  (themiron)
  - FIXED: Firmware Update check button would redirect to Asus
           support site if scheduled checks are disabled.
  - FIXED: Firefox was showing a no-op Uninstall button on the
           AiCloud page
  - FIXED: 5 GHz radio showing as disabled on the Sysinfo page for
           the RT-AC87U
  - FIXED: FTP would be accessible from the WAN even while disabled
           if you had DualWAN load balancing enabled, or IPTV
           configured.
  - FIXED: IGMP Snooper daemon crashing when more than 32 hosts
           are present (themiron)
  - FIXED: External DDNS IP checker would fail for Chinese users,
           as checkip.dyndns.org is blocked - switched to .com TLD.
  - FIXED: Devices without a networkmap-defined alias wouldn't fall back
           to their hostname on some webui pages like the IPTraffic
           and QoS Classification pages.
  - FIXED: Remote IP field filtering on Classification page wasn't
           working.
RCHK
Posts: 773
Joined: Thu Oct 30, 2014 12:34 pm

Re: Asus RT-AC68U

Post by RCHK »

384.14 (xx-xxx-xxxx)

  - NEW: Implement option to prevent Firefox's automatic usage of DoH.
         By default, this will only apply if you have DNSPrivacy
         enabled, or if you have DNSFilter enabled with a global
         filter, to ensure that Firefox will not bypass either of
         these.  You can also have this override applied all the
         time, or completely disable it.
  - NEW: Added "split" busybox applet.
  - NEW: Added IPv6 support to Network Analysis webui
  - UPDATED: RT-AX88U to GPL 384_6436.
  - UPDATED: RT-AC68U, RT-AC88U, RT-AC3100 to GPL 384_81116.
  - UPDATED: RT-AC86U to GPL 384_81116 + binary blobs from 384_81049

  - NOTE: There are currently no builds available for the RT-AC87U,
          RT-AC3200 or RT-AC5300 due to lack of updated compatible
          components from Asus for this release.

  - UPDATED: miniupnpd 20190824
  - UPDATED: dnsmasq 2.80-93-g6ebdc95 (themiron)
  - UPDATED: OpenSSL 1.0.2 to 1.0.2t (themiron)
  - UPDATED: OpenSSL 1.1.1 to 1.1.1d (themiron)
  - UPDATED: Curl 7.66.0
  - UPDATED: nano 4.4
  - UPDATED: OpenVPN 2.4.8
  - UPDATED: OUI database to 2018-08-17 version
  - UPDATED: CA root certificates to October 9th 2019
  - CHANGED: Made webui SSL certificate generation compliant with
             IOS 13 and MacOS 10.15 new requirements.
  - CHANGED: Rewrote the faketc script used to inject Codel into
             Adaptive QoS as a C program for improved performance.
  - CHANGED: Moved /usr/bin/ip to /usr/sbin/ip on the RT-AC86U and
             RT-AX88U to match other models.
  - CHANGED: IPv6 firewall now accepts empty values for local IP
             (which means any local IP).
  - FIXED: Webui wouldn't notify when running dangerously low on
           free nvram (feature was lost at some point in the past)
  - FIXED: Non-working link to YandexDNS on the webui for
           Russian models.
  - FIXED: Backported various httpd fixes to RT-AX88 from other
           models.
  - FIXED: Custom clientlist would be wiped if stopping an
           OpenVPN server instance.
  - FIXED: Incorrect detection of EUI64 addresses on the IPv6
           firewall (would prevent using ::/0 for instance).
  - FIXED: EUI64 support missing while in Load Balancing or
           using Multicast IPTV.
fire
Posts: 27
Joined: Wed Nov 12, 2014 3:16 pm

Re: Asus RT-AC68U

Post by fire »

^:)^ ^:)^ ^:)^ ^:)^