Re: Asus RT-AC68U
Posted: Tue Dec 04, 2018 2:13 pm
by RCHK
384.8 (2-Dec-2018)
- NOTE: Asus has put the RT-AC56U on their End of Life
list, meaning no further firmware releases from
them. Since it's impossible for me to support
models without matching GPL releases from Asus,
I also have to retire the RT-AC56U. 384.6 is
the final release for that model.
- NOTE: The RT-AC3200 and RT-AC87U are not supported by this
release, Asus hasn't released any updated code yet for
these models.
- NEW: Added RT-AX88U support (based on GPL 384_4736).
- NEW: Merged with GPL + binary blobs from 384_32799 (all
supported models except RT-AX88U)
- NEW: Add LZ4 V2 option to OpenVPN compression
(more effective at handling already compressed
data)
- NEW: Added "extend" support to SNMP.
- NEW: Added CleanBrowsing to DNSFilter supported services.
- NEW: Webui HTTP LAN port can now be changed from the default 80.
- NEW: Added support for the Netfilter TEE target.
- CHANGED: Removed watchdog from OpenVPN clients, to avoid
conflicting with more advanced configurations.
- CHANGED: Vsftpd TLS mode will now reuse the web server
certificate (including any Let's Encrypt generated
one).
- CHANGED: SSL crypto/cipher hardening for httpd (themiron)
- CHANGED: Syslog will now ignore bwdpi debug output (themiron)
- CHANGED: Reworked Wireless Log page, adding a new button to
view low-level details (what stock firmware shows
on its Wireless Log page), and removed redundant
option to display DFS channel details.
- CHANGED: Update dnsmasq to 2.80-11-g59e4703 (themiron)
- CHANGED: Updated nettle to 3.4
- CHANGED: Updated net-snmp to 5.8
- CHANGED: Updated openssl to 1.0.2q
- CHANGED: Migrated /jffs/ssl/* content to /jffs/.cert (to
share the same folder used by Asus stock)
- CHANGED: Re-enabled WTFast on non-HND models (curl-related
crash has been fixed). This is still untested.
- CHANGED: Updated CA bundle to October 17th 2018 version.
- CHANGED: Support search domains pushed by a remote OpenVPN
server
- FIXED: UPNP port forwarding not working in CGNAT/double NAT
scenario even if proper ports were forwarded upstream.
- FIXED: Pages based on table.js (like the port trigger one)
would fail to work properly under Firefox
(Michael Ziminsky)
- FIXED: Dnsmasq issues when running in non-router mode
(John Bacho)
- FIXED: Routing issues when in non-router mode (John Bacho)
- FIXED: Bug in curl that could cause some applications to
crash on non-HND models
- FIXED: IFTTT failing to start on non-HND models (caused by
curl issue).
- FIXED: Webui could complain about port 8080 being reserved for
http WAN port (which is no longer supported)
- FIXED: Cannot change image for device with a vendor name
containing an apostrophe (like Micro-Star int'l)
(Asus bug)
- FIXED: OpenVPN client download was capped by Adaptive QOS
upload limit (fix devised by FreshJR)
- FIXED: OpenVPN custom config might be lost after a reboot
on the RT-AC86U.
Re: Asus RT-AC68U
Posted: Tue Jan 29, 2019 8:29 am
by RCHK
384.9 (xx-xxx-xxxx)
- NEW: Temporarily reorganized code in separate branches, to handle
Asus's currently scattered firmware source code releases.
The GPL situation for this release is as follows:
o RT-AX88U: Merged GPL 384_5329
o Other models: Merged GPL 384_45149.
o Special binary blobs provided by Asus for the RT-AC87U
and RT-AC3200 (compatible with 384_45149).
- NEW: Added NFS client support (V2 and V3) to the
RT-AC86U and RT-AX88U (already present in older models)
- NEW: Report the number of spatial streams and the PHY type
used by wireless clients for models supporting it
- NEW: Display tracked connections on the QoS Stats page (now
relabeled "Classification").
Fields can be sorted by clicking on the column headers.
Thanks to FreshJr for his help in deciphering the packet
mark values.
- NEW: Implemented ipsec.postconf and strongswan.postconf scripts.
- KNOWN ISSUE: dcd process crashing on RT-AC86U (bug in Trend
Micro's code, outside of my control).
- KNOWN ISSUE: IPv6s on Tracked Connections have their last
two bytes set to 00 (bug in Trend Micro's
code truncating the last two bytes).
- KNOWN ISSUE: No IPS events logged (bug in Asus's code,
IPS should work, just fails to log hits)
- KNOWN ISSUE: Networkmap listing may be unreliable.
(Bug in Asus's code)
- KNOWN ISSUE: Users failing to read changelogs will
probably complain about the above issues.
(Outside of my control).
- CHANGED: Updated wget to 1.20.
- CHANGED: Updated nano to 3.2.
- CHANGED: Updated curl to 7.62.0.
- CHANGED: Updated Chart.js to 2.7.3.
- CHANGED: Updated dnsmasq to 2.80-32-g28cfe36 (themiron)
- CHANGED: Optimized some JS files to reduce their size
- CHANGED: OpenVPN clients can now accept CNs up to 255 chars
when using it to validate the certificate.
- CHANGED: No longer reset the OpenVPN client's description,
policy mode and existing rules when uploading an
.ovpn config file.
- CHANGED: No longer accept any server-provided route
when OpenVPN client set to Policy (Strict).
- CHANGED: Clients bound to DNSFilter rules will no longer
bypass it by using DoT. DNSFilter servers that
support DoT (like Quad9) will only allow filtered
clients to use that server
- FIXED: Firmware update checks would not run at boot time
on the RT-AX88U.
- FIXED: Name resolution issues for /etc/hosts entries on
HND models (themiron)
- FIXED: Syslog not properly copied to JFFS on reboot
(John Bacho)
- FIXED: Volumes not properly unmounted on HND platform
(John Bacho)
- FIXED: Added missing TEE Netfilter target on the RT-AC86U
- FIXED: SSH brute force protection didn't work in Dual WAN
load balancing mode.
- FIXED: httpd crashes on RT-AC86U (themiron)
- FIXED: DNSFilter clients could use a different nameserver
when using an IPv6 connection
- FIXED: USB disk idle config changes not applying without a
reboot.
- FIXED: "Strict" DNS mode wasn't working properly with OpenVPN
clients
- FIXED: Cannot upload JFFS backup on HND models
Re: Asus RT-AC68U
Posted: Wed Mar 13, 2019 4:24 pm
by RCHK
384.10 (xx-xxx-2019)
- NEW: Added OpenSSL 1.1.1a in parallel to 1.0.2. Some services
are still linked against 1.0.2 because only Asus can
recompile these (like AiCloud).
Services that currently use OpenSSL 1.1.1:
httpd (webui), OpenVPN, wget, net-snmp,
Tor, Strongswan (IPSEC server), inadyn, vsftpd.
Note that 1.1.x is slightly slower than 1.0.2, however
some services can benefit from the TLS 1.3 support (faster
connection establishing).
Models that lack AES acceleration will prioritize the use
of CHACHA20 over AES-256-GCM, for a small performance
improvement (for instance with the webui).
Note that OpenVPN 2.4.7's support is still limited.
TLS 1.3 should be supported, but CHACHA20 support is
only expected with OpenVPN 2.5.0.
The 1.0.2 userspace tool is still named "openssl", while
the 1.1.x version is named "openssl11".
- CHANGED: Some firmware cleanups to regain flash space (for
use with the parallel OpenSSL 1.1.x install)
(RMerlin, Themiron)
- CHANGED: Updated curl to 7.64.0.
- CHANGED: Updated OpenVPN to 2.4.7.
- CHANGED: Updated Tor to 0.3.5.8.
- CHANGED: Updated strongswan to 5.7.2.
- CHANGED: Updated OpenSSL 1.0.x to 1.0.2r.
- CHANGED: Updated dnsmasq to 2.81-g6799320.
- CHANGED: Removed CFB and OFB ciphers from OpenVPN client
- CHANGED: Limit Classification entries to 300 max, to prevent
major performance issues with many connections.
- CHANGED: Strongswan is no longer compiled 64-bit
on HND, allowing it to use a shared openssl library
instead of a static one. This should significantly
reduce the memory usage of Strongswan as well as
flash usage. (Themiron)
- FIXED: IPSEC log display wasn't properly formatted (showed
entirely on a single line)
- FIXED: Compatibility issues between recent Tuxera NTFS driver
and Samba
- FIXED: NFSv2 support
- REMOVED: Beceem Wimax driver. This is deprecated, and was
already removed from the HND models. This allows
to reclaim close to 2 MB of flash space.
Re: Asus RT-AC68U
Posted: Tue Apr 16, 2019 9:24 am
by RCHK
384.10_2 (3-Apr-2019)
- CHANGED: Increased OpenVPN interface queue length from 100
to 1000 bytes, to reduce the amount of dropped
packets if router can't keep up.
- CHANGED: Updated CA bundle to January 23rd version
- FIXED: Movistar VLAN routes weren't properly configured
(broken quagga configuration)
- FIXED: Layout issues on the Wireless Log page for some
models
- FIXED: Missing tooltip content for the new local DNS
resolution setting on the Tweak page
- FIXED: FAQ URL on Bandwidth Monitor points to a non-existing
page on Asus's servers (point to old page for now)
- FIXED: OpenVPN CA would be overwritten if there was no
server key or cert present - only generate them
if all three are missing.
- FIXED: Bandwidth Limiter not working properly in some
cases, as it failed to disable hardware acceleration
Re: Asus RT-AC68U
Posted: Sat Apr 27, 2019 10:02 am
by RCHK
384.11 (xx-xxx-2019)
- NEW: DNS-Over-TLS (also known as DoT) is now supported.
You can configure it on the WAN -> Internet Connection
page. You can manually add your own servers, or choose
one (or a few) from the preset list. (themiron)
- NEW: NTP daemon on the router, to allow your LAN clients to
synchronize their clocks with it.
- NEW: Added service-event-end custom script, executed at the
end of an rc service call. Receives the same arguments
as service-event, but is a non-blocking script.
- UPDATED: RT-AX88U to 384_5951 GPL.
- UPDATED: Other models to 384_45713 GPL (RT-AC87U, RT-AC3200 and
RT-AC5300 still using 384_45149 binary blobs)
- UPDATED: Nano 4.0.
- UPDATED: Curl 7.64.1.
- UPDATED: Dropbear 2019.78.
- CHANGED: Replaced the custom ntpclient with a proper ntpd
implementation, for reduced memory footprint and
increased accuracy.
- CHANGED: Made the secondary NTP server configurable through the
webui. Note that ntpd will use BOTH servers, so clear
the second server if there is one and you don't want
to use it.
- CHANGED: Re-designed firmware upgrade page, moving the schedule
option to that page, and removed support for the Beta
channel.
- CHANGED: Removed popup messages showing on the DDNS page when
a service state change was detected. Report it within
the page instead.
- CHANGED: Report available firmware version within the new firmware
notification popup.
- CHANGED: Moved LED control (formerly known as Stealth Mode) to
the System page.
- CHANGED: Do not restart whole network whenever changing an IP
reservation on the Networkmap card.
- CHANGED: Allow URLs up to 64 chars long on the URL filter.
- CHANGED: pre-mount user script now receives the filesystem
as second argument.
- CHANGED: Moved various DNS-related settings from the DHCP page
to a more appropriate location on the WAN page.
- CHANGED: OpenSSL default dir moved to /etc/ssl/. Allows
programs to automatically locate the CA bundle
without requiring explicit configuration.
- FIXED: Reboot scheduler would sometimes get stuck or corrupt
plugged USB drives. Now doing a more thorough
shutdown of services, should hopefully make it
more reliable.
- FIXED: CVE-2019-1543 issue with Chacha20-poly1305 in
OpenSSL 1.1 (themiron)
- FIXED: Client count on the Sysinfo page was missing
Guest clients
- FIXED: Miniupnpd sometimes sending ssdp notifies to
the wrong interface (themiron)
Re: Asus RT-AC68U
Posted: Thu May 09, 2019 8:14 am
by RCHK
384.11 (8-May-2019)
- NEW: Added DNS Privacy feature, with support for
DNS-over-TLS (also known as DoT).
You can configure it on the WAN -> Internet Connection
page. You can manually add your own servers, or choose
one (or a few) from the preset list. (themiron)
- NEW: NTP daemon on the router, to allow your LAN clients to
synchronize their clocks with it.
- NEW: Option to intercept NTP requests from clients, and
redirect them to the router's own NTP daemon.
- NEW: Added service-event-end custom script, executed at the
end of an rc service call. Receives the same arguments
as service-event, but is a non-blocking script.
- NEW: Added sqlite3 CLI command, to allow script authors to
create/manage their own sqlite3 database
- UPDATED: RT-AX88U to 384_5951 GPL.
- UPDATED: Other models to 384_45713 GPL (RT-AC87U, RT-AC3200
and RT-AC5300 still using 384_45149 binary blobs)
- UPDATED: Nano 4.0.
- UPDATED: Curl 7.64.1.
- UPDATED: Dropbear 2019.78.
- CHANGED: Replaced the custom ntpclient with a proper ntpd
implementation, for reduced memory usage and
increased accuracy.
- CHANGED: Made the secondary NTP server configurable through the
webui. Note that ntpd will use both servers, so clear
the second server if there is one and you don't want
to use it.
- CHANGED: Re-designed firmware upgrade page, moving the schedule
option to that page, and removed support for the Beta
channel.
- CHANGED: Removed popup messages showing on the DDNS page when
a service state change was detected. Report it within
the page instead.
- CHANGED: Report firmware version within the new firmware
notification popup that appears at the top of the webui.
- CHANGED: Moved LED control (formerly known as Stealth Mode) to
the System page.
- CHANGED: Do not restart whole network whenever changing an IP
reservation on the Networkmap card.
- CHANGED: Allow URLs up to 64 chars long on the URL filter.
- CHANGED: pre-mount user script now receives the filesystem
as second argument.
- CHANGED: Moved various DNS-related settings from the DHCP page
to a more appropriate location on the WAN page.
- CHANGED: OpenSSL default dir moved to /etc/ssl/. Allows
programs to automatically locate the CA bundle
without requiring explicit configuration.
- CHANGED: Optimized service restarts generated by the
System page.
- CHANGED: Replaced Network Analysis and Netstat pages (under
Network Tools) with new versions based on Asus's
Netool daemon (RT-AC86U, RT-AX88U)
- FIXED: Reboot scheduler would sometimes get stuck, or corrupt
plugged USB drives. Now doing a more thorough
shutdown of services, should hopefully make it
more reliable.
- FIXED: CVE-2019-1543 issue with Chacha20-poly1305 in
OpenSSL 1.1 (themiron)
- FIXED: Client count on the Sysinfo page was missing
Guest clients
- FIXED: Miniupnpd sometimes sending ssdp notifies to
the wrong interface (themiron)
- FIXED: udpxy not working when using the Movistar
IPTV profile on RT-AC86U and RT-AX88U.
Re: Asus RT-AC68U
Posted: Sat Jun 08, 2019 10:07 pm
by RCHK
384.12 Beta 1 (xx-xxx-2019)
- NEW: Added WS-Discovery support. This allows Windows clients
to detect the router's shared USB drives even if SMBv1
support is disabled.
- NEW: Re-added option to extend the WAN's TTL (from stock
firmware, was previously disabled as it used to
be broken)
- UPDATED: RT-AC3200 and RT-AC87U to 382_51634/51636 binary blobs
(with a few exceptions for 384_xxxx compatibility)
- UPDATED: Merged GPL 384_45717 (except for RT-AX88U)
- UPDATED: Nano 4.2.
- UPDATED: OpenSSL-11x to 1.1.1c.
- UPDATED: OpenSSL-10x to 1.0.2s.
- UPDATED: curl 7.65.0.
- UPDATED: miniupnpd 20190604.
- CHANGED: Local clients will be shown by their hostname
on the Classification page.
- CHANGED: Reworked handling of up/down events in OpenVPN.
Server instance will now also use its own
updown script, which will handle firing up
openvpn-event (if present).
- CHANGED: Inbound traffic sent to you through an OpenVPN client
will now be dropped by default. This can be changed
through the new "Inbound Firewall" parameter found
on the OpenVPN client page. You should only change
this to "Allow" if running a site2site tunnel with
a trusted remote server, or if you do expect
traffic to be forwarded to you through the tunnel.
- CHANGED: The router will now use ISP-provided resolvers
instead of local dnsmasq when attempting to
resolve addresses, for improved reliability.
This reproduces how stock firmware behaves.
This only affects name resolution done
by the router itself, not by the LAN clients.
The behaviour can still be changed on the
Tools -> Other Settings page.
- CHANGED: Randomize the serial number of certificates
generated by the router for its httpd. If
using a router-generated certificate, then
it's recommended to generate a new one.
- CHANGED: Allow USB idle values up to 9999.
- CHANGED: Replaced Network Analysis and Netstat pages (under
Network Tools) with new versions based on Asus's
Netool daemon for non-HND models, but based
around the more limited traceroute busybox applet.
RT-AC86U and RT-AX88U still use the newer
traceroute executable.
- FIXED: openvpn-event script not launching if the
client was configured in Secret Key auth
mode.
- FIXED: IPv6 on RT-AX88U - backported accept_ra fix
from 45717 (themiron)
- FIXED: Memory leak in erp_monitor process.
Re: Asus RT-AC68U
Posted: Sun Jul 28, 2019 2:39 pm
by RCHK
384.13 (xx-xxx-xxxx)
- NEW: AiMesh Router and node support. Note that automatic live
update of Merlin-based nodes is not supported, you will have
to manually update any Merlin-based nodes when a new firmware
is available. Asus-based nodes (which is recommended) will be
able to make use of the automatic live update.
- NEW: ChaCha20-Poly1305 support in Strongswan (themiron)
- UPDATED: RT-AX88U to GPL 384_6210.
- UPDATED: Curl 7.65.3.
- CHANGED: dhcp_staticlist no longer contains hostnames, these
have been moved to dhcp_hostnames for better
compatibility with upstream and closed source
components, also allows more static leases to be
defined before reaching the size limit.
- CHANGED: Replace Nettle with OpenSSL for dnsmasq's DNSSEC
validation, which opens the door to supporting
more ciphers. (themiron)
- FIXED: Firmware Update check button would redirect to Asus
support site if scheduled checks are disabled.
- FIXED: Firefox was showing a no-op Uninstall button on the
AiCloud page
- FIXED: 5 GHz radio showing as disabled on the Sysinfo page for
the RT-AC87U
- FIXED: FTP would be accessible from the WAN even while disabled
if you had DualWAN load balancing enabled, or IPTV
configured.
- FIXED: IGMP Snooper daemon crashing when more than 32 hosts
are present (themiron)
- FIXED: External DDNS IP checker would fail for Chinese users,
as checkip.dyndns.org is blocked - switched to .com TLD.
- FIXED: Devices without a networkmap-defined alias wouldn't fall back
to their hostname on some webui pages like the IPTraffic
and QoS Classification pages.
- FIXED: Remote IP field filtering on Classification page wasn't
working.
Re: Asus RT-AC68U
Posted: Wed Nov 13, 2019 9:03 pm
by RCHK
384.14 (xx-xxx-xxxx)
- NEW: Implement option to prevent Firefox's automatic usage of DoH.
By default, this will only apply if you have DNSPrivacy
enabled, or if you have DNSFilter enabled with a global
filter, to ensure that Firefox will not bypass either of
these. You can also have this override applied all the
time, or completely disable it.
- NEW: Added "split" busybox applet.
- NEW: Added IPv6 support to Network Analysis webui
- UPDATED: RT-AX88U to GPL 384_6436.
- UPDATED: RT-AC68U, RT-AC88U, RT-AC3100 to GPL 384_81116.
- UPDATED: RT-AC86U to GPL 384_81116 + binary blobs from 384_81049
- NOTE: There are currently no builds available for the RT-AC87U,
RT-AC3200 or RT-AC5300 due to lack of updated compatible
components from Asus for this release.
- UPDATED: miniupnpd 20190824
- UPDATED: dnsmasq 2.80-93-g6ebdc95 (themiron)
- UPDATED: OpenSSL 1.0.2 to 1.0.2t (themiron)
- UPDATED: OpenSSL 1.1.1 to 1.1.1d (themiron)
- UPDATED: Curl 7.66.0
- UPDATED: nano 4.4
- UPDATED: OpenVPN 2.4.8
- UPDATED: OUI database to 2018-08-17 version
- UPDATED: CA root certificates to October 9th 2019
- CHANGED: Made webui SSL certificate generation compliant with
iOS 13 and macOS 10.15 new requirements.
- CHANGED: Rewrote the faketc script used to inject Codel into
Adaptive QoS as a C program for improved performance.
- CHANGED: Moved /usr/bin/ip to /usr/sbin/ip on the RT-AC86U and
RT-AX88U to match other models.
- CHANGED: IPv6 firewall now accepts empty values for local IP
(which means any local IP).
- FIXED: Webui wouldn't notify when running dangerously low on
free nvram (feature was lost at some point in the past)
- FIXED: Non-working link to YandexDNS on the webui for
Russian models.
- FIXED: Backported various httpd fixes to RT-AX88 from other
models.
- FIXED: Custom clientlist would be wiped if stopping an
OpenVPN server instance.
- FIXED: Incorrect detection of EUI64 addresses on the IPv6
firewall (would prevent using ::/0 for instance).
- FIXED: EUI64 support missing while in Load Balancing or
using Multicast IPTV.
Re: Asus RT-AC68U
Posted: Fri Nov 15, 2019 8:20 pm
by fire