Asus RT-AC68U

Everyone is welcome to come and chat happily
RCHK
Posts: 773
Joined: Thu Oct 30, 2014 12:34 pm

Re: Asus RT-AC68U

Post by RCHK »

384.4_2 (24-Mar-2018)

   - CHANGED: Added visual warning when manually enabling webui
              access on WAN.  Doing so carries serious potential
              security risks, as Asuswrt's web server code should
              not be considered hardened enough for this.
   - FIXED: Security issue in httpd (CVE-2018-8879).
   - FIXED: Potential security issue in httpd related to QiS.
   - FIXED: Minor webui issue in the QoS overhead menu.
RCHK
Posts: 773
Joined: Thu Oct 30, 2014 12:34 pm

Re: Asus RT-AC68U

Post by RCHK »

380.70 Beta1

The RT-N66U and RT-AC66U support will be dropped, and all other models have been migrated to the new gen branch, as of release 384.4.

  - NOTE: This will be the final 380.xx release for
          all models. The RT-N66U and RT-AC66U
          support will be dropped, and all other
          models have been migrated to the new gen
          branch, as of release 384.4.

          People who wish to keep getting updates for
          these two older models should look at the
          john9527 fork: https://bit.ly/2EV5Oat

  - CHANGED: Tightened security around some config files.
  - CHANGED: Samba protocol support can now be set to
             SMBv1, SMBv2, or SMBv1 + SMBv2 (the new default).
             This will result in a performance drop on all
             models, but will be more secure.
             Ideally, people should change it to SMBv2 only,
             and then reboot all their client devices to start
             using only the new protocol.
             If performance is more important than security to
             you, then you can switch it back to SMBv1, which is
             the old default behaviour.
  - CHANGED: Switched to the new Entware repo for armv7 models.
             To upgrade, run the following commands TWICE:

             opkg update; opkg upgrade

  - FIXED: Apply button not working on the OpenVPN
           Client page.
  - FIXED: Potential racing condition that could lead to two
           instances of miniupnpd running at boot time.
  - FIXED: Broken FAQ links (backport from 380_8120)
  - FIXED: Security issue in httpd (CVE-2018-8879).
  - FIXED: Security issues in httpd (backports from 380_8228)
RCHK
Posts: 773
Joined: Thu Oct 30, 2014 12:34 pm

Re: Asus RT-AC68U

Post by RCHK »

384.5 (13-May-2018)

   - NEW: Merged with GPL 384_20648
   - NEW: Merged RT-AC68U, RT-AC5300 binary blobs from 384_20648
   - NEW: Merged RT-AC86U SDK and binary blobs from 384_20648
   - NEW: service-event script, executed before any service
           call is made.  First argument is the event (typically
           stop, start or restart), second argument is the target
           (wireless, httpd, etc...).
           Note that this script will block the execution of
           the event until it returns.
   - NEW: Added USB HID modules (for use with devices such
          as UPS)
   - NEW: Added ip6tables-save command.
   - CHANGED: Updated OpenVPN to 2.4.6.
   - CHANGED: Updated Dropbear to 2018.76.
   - CHANGED: Updated Openssl to 1.0.2o.
   - CHANGED: Updated miniupnpd to version 2.1 (20180508).
   - CHANGED: Updated nano to 2.9.5.
   - CHANGED: Moved RT-AC86U to the same Busybox version (1.25.1)
              as other models.
   - CHANGED: Revised OpenVPN server options:
              o Removed "TLS Reneg time" (rarely used, can manually
                be set as a custom option)
              o Removed "Server Poll" (which didn't work
                properly), and reimplemented watchdog service,
                hardcoded to 2 mins frequency.
              o Removed "Push LAN" and "Redirect Gateway",
                replaced with new Client Access setting
              o Removed Firewall setting (firewall rules are now
                always created, and the broken External mode
                was fixed and integrated into the new Client
                Access setting).  You can now use the postconf
                script to override it.
              o Removed option to respond to DNS queries - enabling
                the option to Push DNS will also handle it
              o Added new Client Access setting to select between
                three types of access: LAN only, WAN only (will
                block access to the LAN, including the router
                itself) and LAN + WAN.
              o Keys and certificates can now be up to 7999
                characters long.

   - CHANGED: Revised OpenVPN client options:
              o Reorganized settings into groups
              o Removed "Poll Interval" (which didn't work
                properly), and reimplemented watchdog service,
                with a hardcoded frequency of 2 mins.
              o Removed Firewall setting (firewall rules are now
                always created).  You can now use the postconf
                script to override it.
              o Modified behaviour of Connection Retry.  Instead
                of taking a value in seconds that only affected
                resolution failure, it now takes a number of
                attempts, and affects connection failures.
                Resolution failures will now retry for an infinite
                period of time (the default OpenVPN value).
              o Added "refresh" link which can be clicked to
                re-query the public IP endpoint of the tunnel
              o Keys and certificates can now be up to 7999
                characters long.

   - CHANGED: Removed option to resolve names on the
              Log -> Connections page.
              That functionality was added to the
              Network Tools -> Netstat page instead.
   - CHANGED: Re-designed Log -> Connections page into a table
              with sortable fields - click on a column header to
              sort on that field.
   - CHANGED: From now on, setting the router to act as a master
              browser or a WINS server will also require you to
              enable sharing.  This will ensure that users understand
              that enabling either of these settings requires disk
              sharing to also be enabled (which it was already
              silently doing before).
   - CHANGED: Moved "Beta firmware" option to the Tools -> Other
              Settings page
   - CHANGED: Improved layout of the Firmware Update page
   - CHANGED: WPAD behaviour (sending a carriage return on
              DHCP option 252) can now be controlled in the
              Tweaks section.
   - CHANGED: Blocking custom scripts such as service-event
              and pre-mount will now wait a maximum of 120
              seconds before resuming normal operations, to
              prevent accidental lockouts.
   - CHANGED: Autofill start/end time for DST when selecting
              a timezone (LostFreq)
   - FIXED: Some dnsmasq issues related to DNSSEC were fixed,
            including CVE-2017-15107. (backported from
            dnsmasq 2.79 by John Bacho)
   - FIXED: Restoring an OpenVPN instance to default values
            would fail to disable its Start with WAN setting.
   - FIXED: Hardware authentication failure for the RT-AC3100
            and RT-AC5300.
   - FIXED: Minidlna web status page could no longer be enabled.
   - FIXED: CVE-2017-9022, CVE-2017-9023 and CVE-2017-11185 in
            Strongswan (odkrys)
   - FIXED: Various issues with download traffic in Traditional
            QoS (Cédric Dufour)
   - FIXED: TCP timeout values couldn't be changed on the
            Tools -> Other Settings page.
   - FIXED: Security issue related to webui logging in (Asus bug)
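The service-event hook described in the 384.5 notes above, sketched as an audit handler. This is an added example, not part of the original post or the firmware; the watched-target list and the log format are assumptions, and only the two-argument interface (event, then target) comes from the changelog.

```shell
#!/bin/sh
# Added example (not from the firmware): audit handler for the service-event hook.
# Per the changelog, $1 is the event (stop/start/restart) and $2 is the target.
# The hook blocks the service call until it returns, so this only validates,
# formats and logs; anything slow should be started in the background instead.

# Targets to flag; an illustrative list using the two named in the changelog.
WATCHED_TARGETS="httpd wireless"

# Accept only short tokens made of safe characters, so a crafted argument
# cannot inject extra fields or line breaks into the log.
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

is_watched() {
    for t in $WATCHED_TARGETS; do
        if [ "$t" = "$1" ]; then return 0; fi
    done
    return 1
}

# Print "<priority> <message>" for an event/target pair; non-zero on bad input.
format_event() {
    if ! valid_token "$1" || ! valid_token "$2"; then
        echo "warning service-event rejected malformed arguments"
        return 1
    fi
    if is_watched "$2"; then prio=notice; else prio=info; fi
    echo "$prio service-event event=$1 target=$2"
}

# Entry point when the script is invoked with its two arguments.
if [ "$#" -ge 2 ]; then
    line=$(format_event "$1" "$2") || true
    # First word is the syslog priority, the rest is the message.
    logger -t service-event -p "user.${line%% *}" "${line#* }"
fi
```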
RCHK
Posts: 773
Joined: Thu Oct 30, 2014 12:34 pm

Re: Asus RT-AC68U

Post by RCHK »

384.6 (xx-xxx-xxxx)

   - NOTE: The RT-AC87U is not supported in this release, as
           Asus hasn't released any updated code for that model.
   - NEW: Merged with GPL 384_21045/382_50624.
   - NEW: Added support for the "-p" option to netstat.
   - NEW: Added setting to enable DNS rebind protection, on the
          DHCP page.  This works by rejecting upstream server
          responses that would point at a private IP.
   - CHANGED: Updated nano to 2.9.8
   - CHANGED: Updated curl to 7.60.0 (contains security fixes)
   - CHANGED: Allow selecting text (for copy/paste operations)
              on AiProtection pages.
   - CHANGED: Added AES-*-GCM ciphers to the OpenVPN legacy
              ciphers (so they can be explicitly used without
              using NCP).
   - CHANGED: Updated dnsmasq to 2.80test2-17-g51e4eee (themiron)
   - CHANGED: Since dnsmasq 2.80, dnsmasq now ensures that unsigned
              DNS replies received with DNSSEC enabled are legitimate.
              If your upstream DNS doesn't support DNSSEC, this means
              all replies from signed zones will be considered
              invalid.  Make sure you only enable DNSSEC if your
              upstream DNS servers do support it.  This behaviour is
              a bit slower, but far more secure than the old default.
   - CHANGED: Network Tools -> Netstat output also report program/PID
   - CHANGED: Updated CA bundle to June 20th version.
   - FIXED: IPv6-related issues on non-HND platform (themiron)
   - FIXED: Couldn't log on WTFast if accessing the router
            webui over https.
   - FIXED: USB modem support code failing to properly pass
            parameters to the kernel module (themiron)
   - REMOVED: WTFast support for RT-AC88U/RT-AC3100/RT-AC5300,
              as it's incompatible with recent versions of
              curl (and has been broken for quite some time).
              Not gonna revert back to a 7 years old curl
              version just for wtfast.
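The DNS rebind protection entry in the 384.6 notes above says upstream responses pointing at a private IP are rejected. The check below approximates that rule for IPv4 answers; it is an added example, not dnsmasq's or the firmware's code, and the address ranges chosen and the sample answers are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not dnsmasq code): approximate the rebind filter for IPv4.
# Input: one "name address" pair per line, as if returned by an upstream server.
# Output: REJECT for private, loopback or link-local addresses, ACCEPT for
# other valid IPv4 addresses, SKIP for anything that is not valid IPv4.

filter_rebind() {
    awk '
    # Returns 1 for a private address, 0 for a public one, -1 if not IPv4.
    function classify(ip,    o, n, i, a, b) {
        n = split(ip, o, ".")
        if (n != 4) return -1
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return -1
        a = o[1] + 0; b = o[2] + 0
        if (a == 0 || a == 10 || a == 127) return 1   # this-net, RFC 1918, loopback
        if (a == 172 && b >= 16 && b <= 31) return 1  # 172.16.0.0/12
        if (a == 192 && b == 168) return 1            # 192.168.0.0/16
        if (a == 169 && b == 254) return 1            # link-local
        return 0
    }
    NF >= 2 {
        v = classify($2)
        if (v == 1) print "REJECT", $1, $2
        else if (v == 0) print "ACCEPT", $1, $2
        else print "SKIP", $1, $2
    }'
}

# Constructed sample answers (documentation names and addresses).
sample_answers() {
    cat <<'EOF'
www.example.com 203.0.113.10
router.example.net 192.168.1.1
edge.example.net 172.32.0.1
nas.example.net 172.20.5.9
lo.example.net 127.0.0.1
v6.example.net 2001:db8::1
EOF
}

sample_answers | filter_rebind
```

IPv6 answers are only marked SKIP here; a complete filter would also have to classify those.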
RCHK
Posts: 773
Joined: Thu Oct 30, 2014 12:34 pm

Re: Asus RT-AC68U

Post by RCHK »

384.7 (xx-xxx-xxxx)

  - NOTE: The RT-AC3200 and RT-AC56U are not supported by this
          release, Asus hasn't released any updated code for these
          models.
  - NEW: Merged with GPL 384_21152.
  - NEW: Merged RT-AC87U binary blobs + SDK from 382_50702.
  - NEW: Replaced old ez-ipupdate DDNS client with inadyn.
         A plugin was developed to fully support Asus's DDNS
         service.
         Custom services can now be configured through ddns-start,
         inadyn.conf, inadyn.conf.add or inadyn.postconf.  See the
         inadyn documentation as many custom services can be defined
         for it.
  - NEW: Added support for freedns.afraid.org DDNS service to webui.
  - NEW: Added option to retrieve WAN IP from either the local
         interface (like before) or through a remote server
         (which works through double NAT) for DDNS.
  - NEW: Display DFS channel info on Wireless Log page.
  - NEW: Added option to disable checks on unsigned DNSSEC replies.
         Disabling these will speed up lookups, but it will also
         remove part of the security benefits of DNSSEC, so it
         should not be used unless you have a very specific reason
         to do so.
  - CHANGED: Updated curl to 7.61.1.
  - CHANGED: Updated wget to 1.19.5.
  - CHANGED: Updated openssl to 1.0.2p.
  - CHANGED: Updated dnsmasq to v2.80test4 (themiron).
  - CHANGED: Updated nano to 3.1
  - CHANGED: All DDNS services now use HTTPS.
  - CHANGED: Replaced Google Domains DDNS script with inadyn's own
             plugin.
  - CHANGED: Moved DNSFilter to the LAN section, to make it clear
             that it's unrelated to Trend Micro's engine.
  - CHANGED: Report hostname and IP on Wireless Log page if the
             info is missing from dnsmasq but available from
             networkmap.
  - FIXED: Invalid dnsmasq config when setting DNSFilter to Router
           mode and having IPv6 enabled (themiron).
  - FIXED: dnsmasq crashing on RT-AC86U with IPv6 Stateful mode
           (themiron).
  - FIXED: client table would be shown twice on the VPN Status
           page if the only connections to an OVPN server
           were invalid clients (like a port scanner)
  - FIXED: DDNS forced updates after "x" days wouldn't be
           fired.
  - REMOVED: Ez-ipupdate DDNS client (replaced with inadyn).
             Update your scripts if you were relying on it.
RCHK
Posts: 773
Joined: Thu Oct 30, 2014 12:34 pm

Re: Asus RT-AC68U

Post by RCHK »

384.7 (7-Oct-2018)

- NOTE: The RT-AC3200 and RT-AC56U are not supported by this
release, Asus hasn't released any updated code yet for
these models.

- NOTE: Important changes to DDNS, please read below.

- NOTE: Important changes to DNSFilter, please read below.

  - NEW: Merged with GPL 384_21152.
  - NEW: Merged RT-AC87U binary blobs + SDK from 382_50702.
  - NEW: Replaced old ez-ipupdate DDNS client with In-a-Dyn.
         A plugin was developed to fully support Asus's DDNS
         service.
         Custom services can now be configured through ddns-start,
         inadyn.conf, inadyn.conf.add or inadyn.postconf.  See the
         In-a-Dyn documentation as many custom services can be
         defined for it.
  - NEW: Added support for freedns.afraid.org DDNS service to webui.
  - NEW: Added option to retrieve WAN IP from either the local
         interface (like before) or through a remote server
         (which works through double NAT) for DDNS.
  - NEW: Display DFS channel info on Wireless Log page.
  - NEW: Added option to disable checks on unsigned DNSSEC replies.
         Disabling these will speed up lookups, but it will also
         remove part of the security benefits of DNSSEC, so it
         should not be used unless you have a very specific reason
         to do so.
  - NEW: Added Quad9 to DNSFilter supported services.
  - CHANGED: Updated curl to 7.61.1.
  - CHANGED: Updated wget to 1.19.5.
  - CHANGED: Updated openssl to 1.0.2p.
  - CHANGED: Updated dnsmasq to v2.80test8 (themiron).
  - CHANGED: Updated nano to 3.1.
  - CHANGED: All DDNS services now use HTTPS.
  - CHANGED: Replaced Google Domains DDNS script with In-a-Dyn's own
             plugin.
  - CHANGED: Moved DNSFilter to the LAN section, to make it clear
             that it's unrelated to Trend Micro's engine.
  - CHANGED: Report hostname and IP on Wireless Log page if the
             info is missing from dnsmasq but available from
             networkmap.
  - FIXED: Invalid dnsmasq config when setting DNSFilter to Router
           mode and having IPv6 enabled (themiron).
  - FIXED: dnsmasq crashing on RT-AC86U with IPv6 Stateful mode
           (themiron).
  - FIXED: client table would be shown twice on the VPN Status
           page if the only connections to an OVPN server
           were invalid clients (like a port scanner)
  - FIXED: DDNS forced updates after "x" days wouldn't be
           initiated.
  - FIXED: CERT VU#598349 vulnerability (DHCP client could
           claim the special "wpad" hostname)
  - REMOVED: Ez-ipupdate DDNS client (replaced with In-a-Dyn).
             Update your scripts if you were relying on it.
  - REMOVED: Norton Safe DNSFilter services (being discontinued
             by Symantec in November).  Configured clients will
             be automatically migrated to OpenDNS Family - make
             sure to edit your DNSFilter settings if you desire
             to use a different service.
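A defender-side check for the VU#598349 condition listed in the 384.7 notes above (a DHCP client claiming the "wpad" hostname), as an added example that is not part of the original post or the firmware. It scans a dnsmasq lease file, whose column order is expiry, MAC, IP, hostname, client-id; the sample leases are constructed, and the lease file path is left as an argument because the page does not give one.

```shell
#!/bin/sh
# Added example: flag DHCP leases whose client-supplied hostname is "wpad".
# Lease lines are expected as: expiry MAC IP hostname client-id.

# Print "MAC IP hostname" for every matching lease.
# Exit status is 0 when at least one match is found, 1 otherwise.
find_wpad_leases() {
    awk '
    NF >= 4 {
        host = tolower($4)
        # Match the bare name and any qualified form such as wpad.lan
        if (host == "wpad" || index(host, "wpad.") == 1) {
            print $2, $3, $4
            found = 1
        }
    }
    END { exit !found }' "$1"
}

# Constructed sample lease file for trying the check offline.
write_sample_leases() {
    cat > "$1" <<'EOF'
1539129600 aa:bb:cc:00:00:01 192.168.1.20 laptop 01:aa:bb:cc:00:00:01
1539129700 aa:bb:cc:00:00:02 192.168.1.21 WPAD 01:aa:bb:cc:00:00:02
1539129800 aa:bb:cc:00:00:03 192.168.1.22 * *
1539129900 aa:bb:cc:00:00:04 192.168.1.23 wpad-printer *
EOF
}

# When a lease file path is given, scan it and report.
if [ "$#" -ge 1 ]; then
    if find_wpad_leases "$1"; then
        echo "lease(s) above registered the wpad hostname" >&2
    fi
fi
```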
RCHK
Posts: 773
Joined: Thu Oct 30, 2014 12:34 pm

Re: Asus RT-AC68U

Post by RCHK »

384.7_2 (21-Oct-2018)

  - FIXED: Namecheap DDNS service not working
  - FIXED: CVE-2018-15599 security issue in Dropbear
  - FIXED: Potential buffer overrun in httpd
Gundam
Posts: 1096
Joined: Mon Oct 27, 2014 8:46 pm

Re: Asus RT-AC68U

Post by Gundam »

Still using 56U....
RCHK
Posts: 773
Joined: Thu Oct 30, 2014 12:34 pm

Re: Asus RT-AC68U

Post by RCHK »

384.8 (xx-xxx-xxxx)

- NOTE: Asus has put the RT-AC56U on their End of Life
list, meaning no further firmware releases from
them. Since it's impossible for me to support
models without matching GPL releases from Asus,
I also have to retire the RT-AC56U. 384.6 is
the final release for that model.

- NOTE: The RT-AC3200 and RT-AC87U are not supported by this
release, Asus hasn't released any updated code yet for
these models.

  - NEW: Added RT-AX88U support (based on GPL 384_4730).
  - NEW: Merged with GPL + binary blobs from 384_32799 (all
         supported models except RT-AX88U)
  - NEW: Add LZ4 V2 option to OpenVPN compression
         (more effective at handling already compressed
         data)
  - NEW: Added "extend" support to SNMP.
  - NEW: Added CleanBrowsing to DNSFilter supported services.
  - NEW: Webui HTTP LAN port can now be changed from the default 80.
  - CHANGED: Updated dnsmasq to 2.80-7-g24b8760 (themiron)
  - CHANGED: Removed watchdog from OpenVPN clients, to avoid
             conflicting with more advanced configurations.
  - CHANGED: Vsftpd TLS mode will now reuse the web server
             certificate (including any Let's Encrypt generated
             one).
  - CHANGED: SSL crypto/cipher hardening for httpd (themiron)
  - CHANGED: Syslog will now ignore bwdpi debug output (themiron)
  - CHANGED: Reworked Wireless Log page, adding a new button to
             view low-level details (what stock firmware shows
             on its Wireless Log page), and removed redundant
             option to display DFS channel details.
  - CHANGED: Updated nettle to 3.4
  - CHANGED: Updated net-snmp to 5.8
  - CHANGED: Migrated /jffs/ssl/* content to /jffs/.cert (to
             share the same folder used by Asus stock)
  - CHANGED: Re-enabled WTFast on non-HND models (curl-related
             crash has been fixed).  This is still untested.
  - CHANGED: Updated CA bundle to October 17th 2018 version.
  - FIXED: UPNP port forwarding not working in CGNAT/double NAT
           scenario even if proper ports were forwarded upstream.
  - FIXED: Pages based on table.js (like the port trigger one)
           would fail to work properly under Firefox
           (Michael Ziminsky)
  - FIXED: Dnsmasq issues when running in non-router mode
           (John Bacho)
  - FIXED: Routing issues when in non-router mode (John Bacho)
  - FIXED: Bug in curl that could cause some applications to
           crash on non-HND models
  - FIXED: IFTTT failing to start on non-HND models (caused by
           curl issue).
  - FIXED: Webui could complain about port 8080 being reserved for
           http WAN port (which is no longer supported)
  - FIXED: Cannot change image for device with a vendor name
           containing an apostrophe (like Micro-Star int'l)
           (Asus bug)
  - FIXED: OpenVPN client download was capped by Adaptive QOS
           upload limit (fix devised by FreshJR)
Gundam
Posts: 1096
Joined: Mon Oct 27, 2014 8:46 pm

Re: Asus RT-AC68U

Post by Gundam »

Mine is RT-N56U.... :onion116: