Asuswrt-Merlin - build 376.50 (xx-xxx-2015)
===========================================
About
-----
Asuswrt is the name of the common firmware Asus has developed
for their various router models. Originally forked from
Tomato, it has since grown into a very different product, removing
some more technical features that were part of Tomato, but
also adding new original features such as support for dual WANs.
Asuswrt-merlin is a customized version of Asus's firmware. The goal is
to provide bugfixes and minor enhancements to Asus's firmware, along with
a few occasional feature additions. This is done while retaining
the look and feel of the original firmware, and also ensuring that
the two codebases remain close enough so it will remain
possible to keep up with any new features brought by Asus in the
original firmware.
This project's goal is NOT to develop yet another firmware filled with
many features that are rarely used by home users - that is already covered
by other excellent projects such as Tomato or DD-WRT.
This more conservative approach will also help ensure the highest
level of stability possible. Priority is given to stability over
performance, and performance over features.
Supported Devices
-----------------
Supported devices are:
* RT-N16
* RT-N66U
* RT-AC66U
* RT-AC56U
* RT-AC68U
* RT-AC68P
* RT-AC87U
NOTE: all the "R" versions (for example RT-N66R) are the same as their
"U" counterparts, they are just different packages aimed at large
retailers. The firmware is 100% compatible with both U and R versions
of the routers. Same with the "W" variants that are simply white.
Features
--------
Here is a list of features that Asuswrt-merlin brings over the original
firmware:
System:
- Based on 3.0.0.4.376_3677 source code from Asus
- Various bugfixes and optimizations
- Some components were updated to newer versions, for improved
stability and security
- User scripts that run on specific events
- Cron jobs
- Ability to customize the config files used by the router services
- LED control - put your router in "Stealth Mode" by turning off
all LEDs
- Entware easy setup script (alternative to Optware - the two are
mutually exclusive) (not available on RT-AC56/RT-AC68/RT-AC87)
- Full SNMP support (based on experimental code from Asus)
Disk sharing:
- Enable/disable the use of shorter share names
- Disk spindown after user-configurable inactivity timeout
- NFS sharing (through webui)
- Improved compatibility with 3TB+ and Advanced Format HDDs
- Allow or disable WAN access to the FTP server
- Updated Samba version (3.6.x)
Networking:
- Force acting as a Master Browser
- Act as a WINS server
- SSHD
- Allows tweaking TCP/UDP connection tracking timeouts
- CIFS client support (for mounting remote SMB share on the router)
- Layer7 iptables matching (N16/N66/AC66 only)
- User-defined options for WAN DHCP queries (required by some ISPs)
- Advanced OpenVPN client and server support (all models except
RT-N16)
- Netfilter ipset module, for efficient blacklist implementation
- Configurable min/max UPNP ports
- IPSec kernel support (N16/N66/AC66 only)
- DNS-based Filtering, can be applied globally or per client
Web interface:
- Optionally save traffic stats to disk (USB or JFFS partition)
- Enhanced traffic monitoring: added monthly, as well as per IP
monitoring
- Name field on the DHCP reservation list and Wireless ACL list
- System info summary page
- Wireless client IP and hostname on the Wireless Log page
- Wifi icon reports the state of both radios
- Display the Ethernet port states
- Wireless site survey
A few features that first appeared in Asuswrt-Merlin have since been
integrated/enabled/re-implemented in the official firmware:
- 64K NVRAM for the RT-N66U
- HTTPS webui
- Turning WPS button into a radio on/off toggle
- Use shorter share names (folder name only)
- WakeOnLan web interface (with user-entered preset targets)
- clickable MACs on the client list for lookup in the OUI database
- Display active/tracked network connections
- VPN client connection state report
- DualWAN and Repeater mode (while it was still under development
by Asus)
- OpenVPN client and server
- Configurable IPv6 firewall
- Persistent JFFS partition
- The various MAC/IP selection pulldowns will also display hostnames
when possible instead of just NetBIOS names
Installation
------------
Simply flash it like any regular update. You should not need to
reset to factory defaults (see note below for exceptions).
You can revert back to an original Asus firmware at any time just
by flashing a firmware downloaded from Asus's website.
NOTE: resetting to factory default after flashing is
strongly recommended for the following cases:
- Updating from a firmware version that is more than 3 releases older
- Switching from a Tomato/DD-WRT/OpenWRT firmware
If upgrading from anything older and you experience issues, then
consider doing a factory default reset then as well.
In all of these cases, do NOT load a saved copy of your settings!
This would be the same thing as NOT resetting at all, as you will
simply re-enter any invalid setting you wanted to get rid of. Make
sure to create a new backup of your settings after reconfiguring.
Usage
-----
** JFFS **
JFFS is a writeable section of the flash memory which will allow you to
store small files (such as scripts) inside the router without needing
to have a USB disk plugged in. This space will survive reboots (but it
*MIGHT NOT survive firmware flashing*, so back it up first before
flashing!). It will also be available fairly early at boot (before
USB disks).
To enable this option, go to the Administration page, under the System
tab.
The first time you enable JFFS, it must be formatted. This can be done
through the web page, on the same page where you enable it.
Enabling/Disabling/Formatting JFFS requires a reboot to take effect.
I do not recommend doing frequent writes to this area, as it will
prematurely wear out the flash storage. This is a good place to put
files that are written once like scripts or kernel modules, or that
rarely get written to (like once a day). Storing files that constantly
get written to (like very busy logfiles) is NOT recommended - use a
USB disk for that.
** User scripts **
These are shell scripts that you can create, and which will be run when
certain events occur. Those scripts must be saved in /jffs/scripts/
(so, JFFS must be enabled and formatted). Available scripts:
* dhcpc-event: Called whenever a DHCP event occurs on the WAN
interface. The type of event (bound, release, etc...)
is passed as an argument.
* firewall-start: Firewall is started (filter rules have been applied)
The WAN interface will be passed as argument (for
example, "eth0")
* init-start: Right after jffs is mounted, before any of the services
get started
* nat-start: nat rules (i.e. port forwards and such) have been applied
(nat table)
* post-mount: Just after a partition is mounted
* pre-mount: Just before a partition is mounted. Be careful with
this script. This is run in a blocking call and will
block the mounting of the partition for which it is
invoked till its execution is complete. This is done so
that it can be used for things like running e2fsck on the
partition before mounting. This script is also passed the
device path being mounted as an argument which can be
used in the script using $1.
* qos-start: Called after both the iptables rules and tc configuration
are completed for QoS.
* openvpn-event: Called whenever an OpenVPN server gets
started/stopped, or an OpenVPN client connects to a
remote server. Uses the same syntax/parameters as
the "up" and "down" scripts in OpenVPN.
* services-start: Initial service start at boot
* services-stop: Services are stopped at shutdown/reboot
* unmount: Just before unmounting a partition. This is a blocking
script, so be careful with it. The mount point is passed
as an argument to the script.
* wan-start: WAN interface just came up (includes if it went down and
back up). The WAN unit number will be passed as argument
(0 = primary WAN)
Don't forget to set them as executable:
chmod a+rx /jffs/scripts/*
And like any Linux script, they need to start with a shebang:
#!/bin/sh
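The two requirements above (executable bit, shebang) and the fixed event names can be checked before a reboot with a small lint script. This is an added example, not part of the firmware; the function name check_user_scripts is an assumption, and the event list is copied from this README.

```shell
#!/bin/sh
# Added example (not firmware code): lint a user-scripts directory.
# Event names are the ones listed in this README. Files ending in
# .postconf are accepted too, since postconf scripts share the directory.
EVENTS="dhcpc-event firewall-start init-start nat-start post-mount
pre-mount qos-start openvpn-event services-start services-stop
unmount wan-start"

# check_user_scripts DIR
# Prints one "name: problem" line per finding, returns 1 if any was found.
check_user_scripts() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}

        # A file whose name matches no event is never called.
        known=no
        case "$name" in
            *.postconf) known=yes ;;
        esac
        for e in $EVENTS; do
            if [ "$name" = "$e" ]; then known=yes; fi
        done
        if [ "$known" = no ]; then
            echo "$name: not a known event or postconf name"
            rc=1
        fi

        # The script must carry the executable bit.
        if [ ! -x "$f" ]; then
            echo "$name: not executable"
            rc=1
        fi

        # The first line must be a shebang such as #!/bin/sh.
        first=
        IFS= read -r first < "$f" || true
        case "$first" in
            '#!'*) ;;
            *) echo "$name: first line is not a shebang"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Stand-alone use: sh this-file /jffs/scripts
if [ "$#" -gt 0 ]; then
    check_user_scripts "$1"
fi
```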
** SSHD **
SSH support (through Dropbear) was re-enabled. Password-based login
will use the same username and password as telnet/web access. You can
also optionally insert an RSA or ECDSA public key there for
keypair-based authentication. There is also an option to make ssh
access available over WAN.
** Crond **
Crond will automatically start at boot time. You can put your cron
tasks in /var/spool/cron/crontabs/ . The file must be named "admin" as
this is the name of the system user. Note that this location resides in
RAM, so you would have to put your cron script somewhere such as in the
jffs partition, and at boot time copy it to /var/spool/cron/crontabs/
using an init-start user script.
A simple way to manage your cron jobs is through the included "cru"
command. Just run "cru" to see the usage information. You can then
put your "cru" commands inside a user script to re-generate your cron
jobs at boot time.
** Enhanced Traffic monitoring **
Under Tools -> Other Settings are options that will allow you to save
your traffic history to disk, preserving it between router reboots (by
default it is currently kept in RAM, so it will disappear when you
reboot).
You can save it to a custom location (for example, "/jffs/" if you have
jffs enabled), or /mnt/sda1/ if you have a USB disk plugged in.
Save frequency is also configurable - it is recommended to keep that
frequency lower (for example, once a day) if you are saving to jffs, to
reduce wearing out your flash memory. Make sure not to forget the
trailing slash at the end of the path.
Note that the first time you use that option, you must tell the router
to create the data file. Make sure you set "Create or reset data
files" to "Yes".
Also, Asuswrt-Merlin can track the traffic generated by each individual
IP on your network. This option is called IPTraffic. To enable this,
you must first set a custom location to store your traffic database
(see above). Once again, you must also tell it to create the new data
file, by enabling "Create or reset IPTraffic data files". Once done,
enable the IPTraffic Monitoring option. This will add three new
entries to the Traffic Monitor page selector (on the Traffic Monitoring
page).
You can optionally specify which IP to monitor, or exclude some IPs
from monitoring. Each IP must be separated by a comma.
It's strongly recommended that you assign a static IP to devices you
wish to monitor to ensure they don't get a different IP over time,
which would make the collected data somewhat unreliable. The
monitoring is done per IP, NOT per MAC.
** Adjustable TCP/IP connection tracking settings **
Under Tools -> Other Settings there are various parameters that let
you tweak the timeout values related to connection tracking for TCP and
UDP connections. You should be careful with those settings. Most
commonly, people will tweak the UDP timeout values to make them more
VoIP-friendly, by using smaller timeouts. Timeout values are in
seconds.
** Mounting remote CIFS shares on the router **
You can mount remote SMB shares on your router. The syntax will
be something like this:
    mount \\\\192.168.1.100\\ShareName /cifs1 -t cifs -o "username=User,password=Pass"

(backslashes must be doubled.)
** Disk Spindown when idle **
Jeff Gibbons's sd-idle-2.6 has been added to the firmware, allowing you
to configure a timeout value (in seconds) on the Tools -> Other Settings
page. Plugged hard drives will stop spinning after being inactive
for that specified period of time. Note that services like Download
Master might be generating background disk activity, preventing it from
idling.
** OpenVPN (client and server) **
OpenVPN is an SSL-based VPN technology that is provided as a secure
alternative to the PPTP VPN. OpenVPN is far more secure and more
flexible, however it is not as easy to configure, and requires the
installation of client software on your computer. The client
can be obtained through this download page:
http://openvpn.net/index.php/open-source/downloads.html
Explaining the details of OpenVPN is beyond the scope of this
documentation, and I am in no way an expert on OpenVPN.
Fortunately, there is a lot of available documentation and Howto guides
out there. I tried to stick to the same option descriptions as used by
Tomato, so about any guide written for Tomato can easily be used to
guide you on Asuswrt-Merlin. For pointers, check the Wiki on the
Asuswrt-Merlin Github repository.
You can provide your own custom client config files for the two server
instances. Store them in the /jffs/configs/openvpn/ccd1/ (and ccd2/)
directory based on which server instance they belong to, with the
filenames matching the client common names. See the OpenVPN
documentation for more details on the ccd directory.
** Customized config files **
The services executed by the router such as minidlna or dnsmasq rely
on dynamically-generated config files. There are various methods
through which you can interact with these config scripts to customize
them.
The first method is through custom configs. You can append content to
various configuration files that are created by the firmware, or even
completely replace them with custom config files you have created.
Those config override files must be stored in /jffs/configs/. To have
a config file appended to the one created by the firmware, simply add
".add" at the end of the file listed below. For example,
/jffs/configs/dnsmasq.conf.add will be added at the end of the dnsmasq
configuration file that is created by the firmware, while
/jffs/configs/dnsmasq.conf would completely replace it.
Note that replacing a config file with your own implies that you
properly fill in all the fields usually dynamically created by the
firmware. Since some of these entries require dynamic parameters, you
might be better off using the postconf scripts added in 374.36 (see the
postconf scripts section below).
The list of available config overrides:
* dhcp6s.conf
* dnsmasq.conf
* exports (only exports.add supported)
* fstab (only fstab supported, remember to create mount point
through init-start first if it doesn't exist!)
* group, gshadow, passwd, shadow (only .add versions supported)
* hosts (for /etc/hosts)
* minidlna.conf
* pptpd.conf
* profile (shell profile, only profile.add supported)
* radvd.conf
* smb.conf
* snmpd.conf
* vsftpd.conf
* upnp (for miniupnpd)
Also, you can put OpenVPN ccd files in the following directories:
/jffs/configs/openvpn/ccd1/
/jffs/configs/openvpn/ccd2/
The content of these will be copied to their respective
server instance's ccd directory when the server is started.
** Postconf scripts **
A lot of the configuration scripts used by the router services
(such as dnsmasq) are dynamically generated by the firmware. This
makes it hard for advanced users to apply modifications to these, short
of entirely replacing the config file.
Postconf scripts are the solution to that. Those scripts are
executed after the router has generated a configuration script, but
before the related service gets started. This means you can use those
scripts to manipulate the configuration script, using tools such as
"sed" for example.
Postconf scripts must be stored in /jffs/scripts/ .
The path/filename of the target config file is passed as argument to
the postconf script.
The list of available postconf scripts is:
* dhcp6s.postconf
* dnsmasq.postconf
* exports.postconf
* fstab.postconf
* group.postconf
* gshadow.postconf
* hosts.postconf
* minidlna.postconf
* openvpnclient1.postconf (and openvpnclient2.postconf)
* openvpnserver1.postconf (and openvpnserver2.postconf)
* passwd.postconf
* pptpd.postconf
* radvd.postconf
* shadow.postconf
* smb.postconf
* snmpd.postconf
* upnp.postconf
* vsftpd.postconf
To make things easier for novice users who don't want to
learn the arcane details of using "sed", a script providing
support functions is available. The following dnsmasq.postconf
script demonstrates how to modify the maximum number of leases
in the dnsmasq configuration:
-----
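#!/bin/sh
# The path of the generated config file is passed as the first argument
CONFIG=$1
# Load the pc_replace/pc_insert/pc_append support functions
source /usr/sbin/helper.sh
# Lower the maximum number of DHCP leases from 253 to 100
pc_replace "dhcp-lease-max=253" "dhcp-lease-max=100" "$CONFIG"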
-----
Three functions are currently available through helper.sh:
pc_replace "original string" "new string" "config filename"
pc_insert "string to locate" "string to insert after" "config filename"
pc_append "string to append" "config filename"
Note that postconf scripts block the firmware while they run, to
ensure the service only gets started once the script is done. Make
sure those scripts do exit properly, or the router will be stuck
during boot, requiring a factory default reset to recover it.
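As an added example (not the firmware's code and not helper.sh), here is a dnsmasq.postconf that makes the same dhcp-lease-max change with plain sed, validates its input, and only overwrites the generated file when the edit succeeded, so the script always returns to the firmware. The function name set_lease_max and the temporary file name are assumptions.

```shell
#!/bin/sh
# Added example: a dnsmasq.postconf that does not depend on helper.sh.
# The firmware waits for this script to finish, so nothing in it prompts,
# loops or waits on the network, and every path returns.

# set_lease_max CONFIG VALUE
# Rewrites the dhcp-lease-max line of CONFIG. On any error the generated
# file is left exactly as the firmware wrote it.
set_lease_max() {
    config=$1
    value=$2

    # Only digits are accepted. This also keeps the value safe to paste
    # into the sed expression below.
    case "$value" in
        ''|*[!0-9]*)
            echo "postconf: lease value must be a number" >&2
            return 1 ;;
    esac

    if [ ! -f "$config" ]; then
        echo "postconf: $config not found" >&2
        return 1
    fi

    # Nothing to do if the firmware did not emit the option.
    grep -q '^dhcp-lease-max=' "$config" || return 0

    # Edit a copy first, and only touch the real file if sed succeeded
    # and produced a non-empty result.
    tmp="$config.$$.tmp"
    if sed "s/^dhcp-lease-max=.*/dhcp-lease-max=$value/" "$config" > "$tmp" \
            && [ -s "$tmp" ]; then
        # cat into the original (instead of mv) so the file keeps the
        # owner and mode the firmware gave it.
        cat "$tmp" > "$config"
    fi
    rm -f "$tmp"
    return 0
}

# When run by the firmware, $1 is the path of the generated config file.
if [ "$#" -gt 0 ]; then
    set_lease_max "$1" 100 || true
fi
```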
** NFS Exports **
IMPORTANT: NFS sharing is still a bit unstable.
In addition to SMB and FTP, you can now also share any plugged
hard disk through NFS. The NFS Exports interface can be accessed
from the USB Applications section, under Servers Center. Click on the
NFS Exports tab.
Select the folder you wish to export by clicking on the Path field.
Under Access List you can enter IPs/Networks to which you wish to give
access. A few examples:
192.168.1.0/24 - will give access to the whole local network
192.168.1.10 192.168.1.11 - will give access to the two IPs (separate with spaces)
Entering nothing will allow anyone to access the export.
Under options you can enter the export options, separated by a comma.
For example:
rw,sync
For more info, search the web for documentation on the format of the
/etc/exports file. The same syntax for the access list and the options
is used by the webui.
You can also manually generate an exports file by creating a file named
/jffs/configs/exports.add , and entering your standard exports there.
They will be added to any exports configured on the webui.
Note that by default, only NFSv3 is supported. You can also enable
NFSv2 support from that page, but this is not recommended, unless you
are using an old NFS client that doesn't support V3. NFSv2 has various
filesystem-level limitations.
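Since an empty access list opens an export to anyone, it is worth auditing exports.add before relying on it. The following added example (not part of the firmware) flags entries in standard /etc/exports syntax that apply to any host; the function names and the sample file are constructed for illustration, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: report exports that are reachable by any host.

# Constructed sample in /etc/exports syntax (not taken from a real router).
sample_exports() {
    cat <<'EOF'
# constructed sample
/mnt/sda1/backup 192.168.1.0/24(rw,sync)
/mnt/sda1/media  192.168.1.10(ro) 192.168.1.11(ro)
/mnt/sda1/public
/mnt/sda1/share  *(rw,sync)
/mnt/sda1/docs   192.168.1.10 (rw,sync)
EOF
}

# audit_exports [FILE]
# Reads FILE (or stdin) and prints one line per entry that is open to
# every host. Returns 1 if anything was reported, 0 otherwise.
audit_exports() {
    awk '
        # Skip comments and blank lines.
        /^[ \t]*(#|$)/ { next }

        # A path with no access list at all.
        NF == 1 {
            printf "%s: no access list, any host may mount it\n", $1
            bad = 1
            next
        }

        {
            for (i = 2; i <= NF; i++) {
                host = $i
                sub(/\(.*/, "", host)      # drop the "(options)" part
                # An empty host happens when a space separates the client
                # from its options: the options then apply to everyone.
                if (host == "" || host == "*" || host == "0.0.0.0/0") {
                    printf "%s: \"%s\" applies to any host\n", $1, $i
                    bad = 1
                }
            }
        }

        END { exit bad + 0 }
    ' "$@"
}

# Stand-alone use: sh this-file /jffs/configs/exports.add
if [ "$#" -gt 0 ]; then
    audit_exports "$1"
fi
```

Running `sample_exports | audit_exports` reports the public, share and docs entries; the docs line shows how a single stray space turns a one-host rule into a rule for everyone.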
** Easy Entware setup **
Entware is an alternative to Optware. They are both online software
repositories that let you easily install additional software to your
router (such as an Apache web server, or an Asterisk PBX). The main
benefit of Entware over Optware (which is used by Asus for their own
Download Master) is that it is very actively maintained, with recent
software versions.
Entware and Optware cannot be used at the same time however, so you
can't use Download Master while using Entware.
There is now a script to make setting up Entware easier.
Access your router through SSH/Telnet, and run
"entware-setup.sh".
Note that Entware requires the JFFS partition to be enabled, and an
ext2/ext3 formatted USB disk (NTFS, HFS+ and FAT32 are not supported).
Also note that Entware is not available for the RT-AC56U, RT-AC68U
or RT-AC87 due to the different CPU architecture.
** DNSFilter **
Under Parental Control there is a tab called DNSFilter. On this
page you can force the use of a DNS service that provides
security/parental filtering. This can be done globally, or on a
per device basis. Each of them can have a different type of filtering
applied. For example, you can have your LAN use OpenDNS's server to
provide basic filtering, but force your children's devices to use
Yandex's family DNS server that filters out malicious and adult
content.
If using a global filter, then specific devices can be told to
bypass the global filter, by creating a client rule for these,
and setting it to "No Filtering".
DNSFilter also lets you define up to three custom nameservers, for
use in filtering rules. This will let you use any unsupported
filtering nameserver.
You can configure a filter rule to force your clients to
use whichever DNS is provided by the router's DHCP server (if
you changed it from the default value, otherwise it will be
the router's IP). Set the filtering rule to "Router" for this.
Note that DNSFilter will interfere with resolution of local
hostnames. This is a side effect of having devices forced to use
a specific external nameserver. If this is an issue for you, then set
the default filter to "None", and only filter out specific devices.
** Layer7-based Netfilter module **
Support for layer7 rules in iptables has been enabled on MIPS-based
routers (RT-N16/N66/AC66). You will need to manually configure the
iptables rules to make use of it - there is no web interface exposing
this. The defined protocols can be found in /etc/l7-protocols.
To use it, you must first load the module:
modprobe xt_layer7
An example iptables rule that would mark all SSH-related packets
with the value "22", for processing later on in another chain:
iptables -I FORWARD -m layer7 --l7proto ssh -j MARK --set-mark 22
These could be inserted in a firewall-start script, for example.
For more details on how to use layer7 filters, see the documentation on
the project's website:
http://l7-filter.clearfoundation.com/
Source code
-----------
The source code with all my modifications can be found on Github, at:
https://github.com/RMerl/asuswrt-merlin
History
-------
376.50 (xx-xxx-2015)
- FIXED: OpenVPN server page would report an initializing
state when it was already running under certain
conditions
376.49_4 (27-Dec-2014)
- FIXED: WAN page error when entering a hostname, and broken
UPNP FAQ link
- FIXED: OpenVPN Server wasn't showing the Advertize DNS to
Client option (regression from 3677 merge)
- FIXED: bootloop when enabling Traditional QoS (or any other
feature that forces CTF to be disabled) due to
FA being left enabled (Asus bug) (AC87)
376.49_2 (23-Dec-2014)
- FIXED: Asus DDNS couldn't be configured on the webui
- FIXED: OpenVPN server wouldn't let you edit user accounts
- FIXED: Missing DLNA icon on clients (Asus bug) (N66, AC66)
376.49 (21-Dec-2014)
- NEW: Merged with Asus GPL 376_3677. This new code
includes a lot of changes related to USB modem
support.
- NEW: IPv6 handling based on dnsmasq + odhcp6c. This new
code which has been developed by Asus these past few
months but kept disabled so far has been enabled.
Initial tests show much better reliability with
different ISPs.
- NEW: Added IPv6 support to DNSFilter (currently only
Yandex has IPv6 servers). Note that unlike IPv4
filtering, we cannot automatically NAT queries
to the desired server, so the current implementation
works like Asus's YandexDNS service, where IPv6 servers
are simply returned to DHCPv6/RA client queries,
and ip6tables ensures that you cannot override
them, by rejecting connection to other DNS servers.
- CHANGED: Merged newer DPI engine from 378_3123 beta
(AC87)
- CHANGED: Removed SSLv2 and v3 support from OpenSSL
(we had already stopped using these in
376.48, so this removes unused code)
- CHANGED: The VPN webui is now a bit closer to Asus's code.
This will mostly make it easier to keep in
sync with future changes to that UI by
Asus (they rearranged the layout a bit in
376_36xx).
- CHANGED: Updated OpenVPN to 2.3.6
- CHANGED: Reverted to Asus's max-lease number calculation
for dnsmasq
- CHANGED: Hide wireless key on settings page unless field
has focus (patch by John9527)
- CHANGED: Ported USB 3.0 (XHCI) kernel driver from
Netgear GPL (which seems to have in turn
backported it from upstream kernel 3.x)
- CHANGED: Updated Quantenna to v36.7.3.23 (AC87)
- FIXED: vsftpd wasn't properly compiled with SSL
support.
- FIXED: MAC filtering couldn't be disabled on Guest
networks (Asus bug) (Patch by John9527)
- FIXED: Various fixes and tweaks to the new IPv6
code from Pinwing and saintdev
- FIXED: Editing a client on the networkmap would
cause any matching DHCP reservation entry to
lose its hostname
- REMOVED: The web redirection control setting was
removed, as it is being replaced by the
(simpler) redirection setting Asus added
to the System page.
376.48_3 (20-Nov-2014)
- FIXED: NAT loopback was broken on MIPS devices
(backported Asus fix from 376_3626)
376.48_2 (8-Nov-2014)
- FIXED: Samba would fail to start on the RT-N16 due to a
missing library.
376.48_1 (7-Nov-2014)
- FIXED: Max-lease calculation Asus introduced in 376_2769 is
broken - re-hardcode it to 253 like they used to do in
previous release. Will be properly fixed once they
release a newer GPL with this issue resolved.
(Asus bug)
376.48 (7-Nov-2014)
- NEW: Added the RT-AC68P to the list of supported devices
- CHANGED: Use sha256 checksums instead of MD5 for improved
security when validating your downloads.
(note: checksums are also posted on the support
forum at SmallNetBuilder)
- CHANGED: Switched my fix for unmounted/hidden partition
support with Asus's own fix from GPL 3561.
- FIXED: Samba would fail to start if the router admin username contained
upper case characters. Samba was modified to have it try to
locate the UNIX user as provided (it was previously only
trying upper and lower case versions) (Samba 3.6 bug)
376.48 Beta 3 (02-Nov-2014)
- CHANGED: Updated miniupnpd to release 1.9 (plus upstream PCP fix)
- FIXED: Couldn't edit share permissions for Samba if your disk
contained an unmounted/hidden partition (Asus bug in 2769)
- FIXED: Couldn't edit share permissions for Samba for the RT-N66U
internal SDcard reader (Asus bug in 2769)
- FIXED: Missing Max User field to Samba page (Asus bug)
376.48 Beta 2 (26-Oct-2014)
- NEW: Added logo to the webui header
- CHANGED: Samba 3.6 will now use libiconv to handle
charset conversion (will resolve CP850
warnings amongst other things)
- CHANGED: Updated miniupnpd to 20141023 code from Github.
- CHANGED: Updated dropbear to 2014.66.
- CHANGED: Reverted NTP update code to GPL 2678 in hopes of
resolving the few cases where it didn't work anymore.
- FIXED: minidlna is once again able to use inotify for updates.
A temporary workaround has been implemented where
minidlna will be staticly linked with a threadsafe
build of sqlite3, while BWDPI will continue to use
the shared non-threadsafe library. (Asus bug)
376.48 Beta 1 (18-Oct-2014)
- NEW: Merged with Asus 376_2769 AC87 GPL
- NEW: Enabled numerous modules in net-snmp (based on the list
used by OpenWRT)
- NEW: Added postconf and custom config support for snmpd.conf
- NEW: Added HID support to ARM kernel (AC56,AC68,AC87)
- CHANGED: Reverted NAT loopback code to Asus's, since our own
code is currently broken by recent FW code changes.
- CHANGED: Updated openssl to 1.0.0o, resolving a few security issues.
- CHANGED: Disabled SSLv2 and SSLv3 support for https access to the
router webui. IE6 users, your time is up - upgrade.
TLS 1.0 is now the only supported protocol.
- CHANGED: upgraded main Samba server from 3.0.x to 3.6.24. This might
cause a slight drop in performance, but should improve
both reliability and security.
- FIXED: DNSFilter client list dropdown would sometime be empty.
- FIXED: DNS queries run on the router were forwarded to upstream
nameservers instead of the local dnsmasq
- FIXED: Re-added the USB HID kernel module needed for UPS monitoring
(patch by ryzhov_al)
- FIXED: Incorrect top margin on some pages such as AiCloud, and
stretched font on the progress splash (Asus bug)
- FIXED: URL and keyword filtering wasn't working under certain
situations when CTF was enabled
- FIXED: Mac Filtering wasn't working with Guest networks
(Asus bug) (Patch by saintdev)
- FIXED: Choosing a client on the MAC Filter page wasn't properly
filling the Name field. Also reorganized layout a bit.
376.47 (20-Sept-2014)
- NEW: Added sha256 and sha512 HMAC support to dropbear (SSH)
- CHANGED: Moved OpenVPN postconf scripts right before server/client
gets started, so you can also use them to modify the other
generated files such as the exported ovpn config file.
- FIXED: SSHD options visibility (patch by pinwing)
- FIXED: EMF/IGMP settings were reverting to the select profile
default (Asus bug introduced in GPL 2678)
- FIXED: PPTP account list failed to display (regression in Beta 1)
- FIXED: VPN server page was switching back to PPTP when changing
OpenVPN unit and you were initially on the PPTP page
- FIXED: Activity indicator wasn't shown during a networkmap
scan
376.47 Beta 1 (14-Sept-2014)
- NEW: Merged with Asus GPL 2678 (AC87)
- NEW: Report Quantenna FW version on Sysinfo page
- NEW: Enabled experimental FTP and Samba Cloud Sync support in AiCloud.
This feature is still in development by Asus, so it might not be
fully functional yet.
- NEW: Enabled experimental SNMPD support, under Administration -> SNMP.
This feature is still in development by Asus, so it might not be
fully functional yet. (not available on the RT-N16)
- NEW: Added option to enable WAN access to SNMPD, defaults to disabled.
(Asus's implementation has it open to the WAN by default)
- CHANGED: Re-increased max allowed FTP user limit to 10 (was reverted
to 5 in the GPL merge when the setting was moved to the
FTP page)
- FIXED: PPTPD was getting enabled every time you clicked Apply while on
the PPTPD VPN Server page
376.46 (26-Aug-2014)
- NEW: Merged with Asus GPL 2061. This is essentially
the new QTN driver for the AC87.
- FIXED: Various webui issues with IE10/IE11 (patch by pinwing)
- FIXED: OpenVPN Client page was visible on the RT-N16
- FIXED: DHCP pool validation error on VPN Server advanced page.
- FIXED: Couldn't edit the first VPN Client entry due to broken
duplicate check (Asus bug)
376.45 (17-Aug-2014)
- NEW: Compiled vsftpd with SSL support (must be manually
configured if you intend to use it)
- NEW: Report FA state (Level 2 CTF) on Sysinfo page.
- CHANGED: Updated dropbear to 2014.65.
- CHANGED: Updated openssl to 1.0.0n (numerous
security fixes)
- CHANGED: Updated lzo to 2.08
- CHANGED: Reworked VPN Server pages to be more intuitive
- FIXED: Garbled client dropdown selector on DNSFilter page
- FIXED: The Comcast neighbour solicitation block wasn't
enabled anymore (regression in 376.44) (Patch by
Sinshiva)
- FIXED: 5 GHz N+AC mode was incorrectly setting router to
N-only mode (Asus bug, fix backported from 2381,
additional fix by me for AC66)
- FIXED: PControl page failing to display on French and
Italian locales (Asus bug)
- FIXED: IPv6 can occasionally fail to work properly when
using a PPPoE WAN interface (patch by pinwing)
376.44 (3-Aug-2014)
IMPORTANT: Make a backup of your JFFS partition if upgrading
an RT-AC56U or RT-AC68U and you have stored files
on that partition! The partition layout has been
changed.
- NEW: Merged with Asus's 376_2044 GPL.
Summary of changes:
* New networkmap, lets users edit device names,
assign icons to devices, etc...
* Reworked IPv6 support
* New filesystem driver provider for NTFS/HFS+/FAT
* Webui visual update
* Updated components (minidlna, radvd, dnsmasq)
- NEW: Added support for RT-AC87U.
- CHANGED: Updated N66U wireless driver to Asus's 1071 build
- CHANGED: Updated miniupnpd to Git head (as of 20140731)
- CHANGED: The JFFS partition on ARM devices now uses
Asus's code, which means the whole unused space
is now used for the JFFS partition.
(AC56, AC68)
- CHANGED: Made all ARM models use the new filesystem drivers from Tuxera,
resulting in general improved USB disk performance (and
hopefully improved reliability as well) (AC56, AC68)
- CHANGED: The wifi notification icon will now report
channel and channel width for the 5 GHz band,
as the extension channel wasn't always accurately
reported.
- CHANGED: Reworked layout of SSH settings on System page (based
on Asus's own WIP)
- CHANGED: Allow FQDN (hostname + domain) rather than just
hostnames on the WAN page (some ISPs require that)
- FIXED: Missing mDNSResponder daemon preventing mt-daapd
from working on MIPS devices (N16,N66,AC66)
- FIXED: System Log wouldn't properly be positioned
at the bottom (Patch by John9527)
- FIXED: DNSFilter clients configured to bypass DNSFilter
would still be prevented from using an IPv6 DNS.
- FIXED: Incorrect IPv6 prefix if not a multiple of 8
(patch by NickZ)
- FIXED: OpenVPN firewall cleanup was missing rules
(patch by sinshiva)
- FIXED: Minidlna issues with Philips smart TVs
- FIXED: SSHD brute force protection wasn't working if
Dual WAN was enabled and set to LB mode.
- FIXED: Miniupnpd error flood in Syslog when using a
Plex server on your LAN (fix from upstream)
- REMOVED: Reverted various IPv6-related patches as they
conflicted with Asus's own changes. These might
make it back at a later time if deemed
necessary.
- REMOVED: Removed layer7 filtering support in Netfilter from
ARM devices due to compatibility issues (AC56,AC68)
- REMOVED: Removed IPsec support from ARM devices due to
compatibility issues (AC56, AC68)
374.43_2 (7-June-2014)
- FIXED: NTFS disks couldn't be mounted (Paragon driver not
loading due to a kernel change) (AC56, AC68)
374.43 (6-June-2014)
- NEW: User-configurable refresh period to trigger a DDNS
update after a certain number of days.
- CHANGED: dnsmasq option 252 now defaults to an empty string,
to silence broken clients such as Win7.
Important: if you were previously using a customized
252 reply (to use with a valid wpad/pac file), you
will need to use a postconf script to change the
default config instead of appending your own
config.
If you use DNS-based WPAD setting, you will need
to remove the 252 option using postconf, as IE will
not query for the DNS entry if there is a 252
option through DHCP, even if it fails to connect to it.
- CHANGED: Updated miniupnpd to 1.8.20140523.
- CHANGED: Updated openssl to 1.0.0m.
- CHANGED: More backports from OpenSSL 1.0.2, improving SHA
performance on ARM routers.
- CHANGED: The JFFS2 partition is now disabled by default after
a factory default reset.
- FIXED: Media server page wouldn't let you enable the iTunes
server unless you also enabled DLNA (Asus bug)
- FIXED: Restricted guests still had access to the router (Asus
bug introduced in GPL 4887)
- FIXED: 6in4 traffic wasn't bypassing CTF if dualwan mode was
either disabled or set to failover mode (AC56/AC68)
- FIXED: Single character workgroups were rejected as invalid
(Asus bug)
- FIXED: Networks with SSIDs containing single quotes
would break the client list (Asus bug)
- FIXED: Traffic Monitor results are wrong on PPPoE connections
(Asus bug) (Patch by pinwing, additional debugging
by fantom1)
- FIXED: Crash if entering close to 64 MACs plus their names on
the MAC filter page.
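The option 252 change noted under 374.43 above, as an added example of a dnsmasq postconf script (not code from the firmware). It assumes the script is installed as /jffs/scripts/dnsmasq.postconf, that it receives the generated config path as $1, and that the default line looks like dhcp-option=lan,252,"\n"; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not firmware code.
# Assumption: the firmware writes the option 252 default as a line such as
#   dhcp-option=lan,252,"\n"
# and calls this script with the generated dnsmasq config path as $1.

# Matches option 252 lines only: optional non-numeric tag fields, then 252.
# A value such as 192.168.1.252 inside another option does not match.
OPT252_RE='^dhcp-option(-force)?=([^0-9,][^,]*,)*252,'

# fix_option_252 FILE [PAC_URL]
#   no PAC_URL: delete option 252, so clients fall back to DNS-based WPAD
#   PAC_URL:    replace the default with a single reply pointing at PAC_URL
fix_option_252() {
    conf="$1"; url="${2:-}"
    [ -f "$conf" ] || return 1
    tmp="$conf.tmp.$$"
    # grep exits 1 when nothing is left to print; only >1 is a real error
    grep -Ev "$OPT252_RE" "$conf" > "$tmp" || [ $? -eq 1 ] \
        || { rm -f "$tmp"; return 1; }
    if [ -n "$url" ]; then
        printf 'dhcp-option=lan,252,"%s"\n' "$url" >> "$tmp"
    fi
    # Rewrite in place so the file keeps its owner and mode
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# count_option_252 FILE: print how many option 252 lines the config contains
count_option_252() {
    grep -Ec "$OPT252_RE" "$1" || true
}

# When run as the postconf script: remove the option (DNS-based WPAD case).
# Pass a PAC URL as the second argument to fix_option_252 to replace instead.
if [ -n "${1:-}" ]; then
    fix_option_252 "$1"
fi
```

Appending a second 252 line from a custom config file would leave the firmware default in place as well, which is why the replacement has to happen in the generated file.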
374.42_2 (16-May-2014)
- FIXED: Time Machine support (AC56, AC68)
374.42 (9-May-2014)
- NEW: Merged with Asus's 374_5656 GPL.
- NEW: Added Comodo Secure DNS to supported DNSFilter services
- FIXED: Download2 folder wasn't selectable anymore on the
Media Server page.
- FIXED: Pass correct valid and preferred lifetime to radvd when
using DHCPv6-PD (Patch by pinwing)
- FIXED: IPv6 connectivity could be lost after 1-2 hours due
to the time shift caused by NTP at boot time
(Patch by pinwing)
- FIXED: Various IPv6 connectivity issues related to services
being (re)started at the wrong time, or twice.
(Patch by pinwing)
- FIXED: Build system would sometimes try to use the local system's
header/libs - use a pkg-config wrapper to avoid this
issue (Patch by ppuryear)
- FIXED: Erratic 5G led blinking behaviour as the watchdog's software-
based blinking was constantly writing to the wireless chip's
registers for led control. (AC68)
- FIXED: LEDs weren't all turning back on when coming out of
Stealth Mode (AC56)
- CHANGED: Make the router use dnsmasq for internal name
resolution rather than directly using the WAN DNS.
- CHANGED: Upgraded OpenVPN to 2.3.4.
- CHANGED: Upgraded miniupnpd to 1.8.20140422 (PCP-related fixes)
374.41 (18-Apr-2014)
- NEW: Merged with Asus's 374_5047 GPL. Notable changes:
* Fixed RT-AC68U random reboots
* Additional security fixes
* Improved Media server, SMB and FTP webui
* minidlna and radvd updates
- NEW: PCP support (Port Control Protocol)
- NEW: Option to allow/deny FTP access from WAN. Default is to
reject WAN connections. The option can be found on the
USB Servers -> FTP Share page.
- NEW: Option to control web redirection while Internet is
down (configurable on the WAN page).
- CHANGED: Upgraded miniupnpd to 1.8.20140401.
- CHANGED: Disk idle exclusion now supports up to 9 disks.
- FIXED: WOL wasn't working (Asus bug in 4887/5047)
- FIXED: Replaced webui glue with permanent concrete. It won't
fall again.
- FIXED: Language dropdown not properly shown with 8-bit
characters.
- FIXED: Comcast's IPv6 network would flood the LAN with
neighbour solicitation packets, which should normally
not cross beyond their modem. There is now an ip6tables
rule to filter out those packets, preventing your log
from being spammed with table overflows. The filter is
enabled by default and can be disabled by setting the
"ipv6_neighsol_drop" nvram setting to "0". (rule suggested
by diplomat7)
- FIXED: EMF wasn't properly configured after wireless was
restarted (patch from Vahur)
- FIXED: Router crashing when more than around 30 static routes
were entered
- FIXED: webui would die for some users when accessing the VPN Server
config page and there were connected OpenVPN clients
- FIXED: Added missing iptables-save on ARM platform (AC56, AC68)
- FIXED: nvram factory default reset would sometimes fail on MIPS
devices (N16, N66, AC66) (Patch by ryzhov_al)
- FIXED: Under a certain situation the router could lose track of
whether an OpenVPN server/client instance was running or not.
This could result in the webui trying to restart it, and
returning an error message because it was already running.
- REMOVED: The Media server database location is no longer
configurable, as we've switched to Asus's new
automatic location selection.
- REMOVED: Removed the Run Cmd page as it was a security
risk. This is also needed to keep in line with
recent security fixes Asus applied to the
httpd backend to limit what external processes
it can run. Otherwise, any malicious page could
run arbitrary commands on your router if you
were currently logged in on a separate tab.
374.40 (6-March-2014)
- KNOWN ISSUE: Some people are experiencing random reboots
with the RT-AC68U running firmwares based on recent Asus GPL.
If you are affected, please revert to 374.40 alpha4 for now.
Asus are looking into the issue, which affects this model since
374_4422.
- FIXED: Asuswrt was calling wl_defaults() every time the
wifi was restarted, causing Regulation Mode to be
overwritten. Now we force it to h mode if the
router model and region requires DFS compliance
(same as Asus's code, except we won't enforce
it to off in other scenarios, and will only do
so if it was previously set to off).
- FIXED: Advanced wireless page broken on Internet Explorer, due
to missing Array.IndexOf() support in IE (Asus bug)
- FIXED: Incorrect model detection prevented CPU temperature