Asuswrt-Merlin Changelog
========================

380.70 (8-Apr-2018)
- NOTE: This will be the final 380.xx release for all models. The RT-N66U and RT-AC66U support will be dropped, and all other models have been migrated to the new gen branch, as of release 384.4. People who wish to keep getting updates for these two older models should look at the john9527 fork: https://bit.ly/2EV5Oat
- CHANGED: Tightened security around some config files.
- CHANGED: Samba protocol support can now be set to SMBv1, SMBv2, or SMBv1 + SMBv2 (the new default). This will result in a performance drop on all models, but will be more secure. Ideally, people should change it to SMBv2 only, and then reboot all their client devices to start using only the new protocol. If performance is more important than security to you, then you can switch it back to SMBv1, which is the old default behaviour.
- CHANGED: Switched to the new Entware repo for armv7 models. To upgrade, run the following commands TWICE: opkg update; opkg upgrade
- FIXED: Apply button not working on the OpenVPN Client page.
- FIXED: Potential race condition that could lead to two instances of miniupnpd running at boot time.
- FIXED: Broken FAQ links (backport from 380_8120)
- FIXED: Security issue in httpd (CVE-2018-8879).
- FIXED: Security issues in httpd (backports from 380_8228)

380.69_2 (28-Jan-2018)
- NOTE: The official IRC channel has moved to Freenode (#asuswrt).
- CHANGED: Quantenna watchdog is less likely now to incorrectly assume the QTN CPU has crashed (which can lead to router reboots). (RT-AC87U)
- FIXED: IE11 field validation issues on OpenVPN and DHCP pages.
- FIXED: Router crash when importing an OpenVPN certificate longer than 3499 characters (the supported limit)
- FIXED: Users were allowed to enter invalid characters on some of the OpenVPN client page fields.
- FIXED: CVE-2018-5999 in httpd (backport from 384_10007)
- FIXED: CVE-2018-5721 in httpd (Merlin & theMIROn)

380.69 (11-Dec-2017)
- NEW: Added option to disable the Asus NAT tunnel service under Other Settings -> Tweak. Not quite sure what this partly closed source service is for, but it eats a fair amount of CPU and RAM (backport from 382)
- CHANGED: Updated odhcp6c to be in sync with upstream (patch by theMIRon)
- CHANGED: Updated libogg to 1.3.3 and libvorbis to 1.3.5.
- CHANGED: Updated wget to 1.19.2 (fixing connectivity to some TLS 1.2 servers)
- CHANGED: Updated RT-N66U and RT-AC66U SDK to GPL 380_8120's (fixing KRACK in repeater/bridge mode)
- CHANGED: Updated openssl to 1.0.2n.
- CHANGED: Updated tor to 0.2.9.14.
- FIXED: allow IA_NA mode downgrade with forced IA_PD (for ISPs with broken IPv6 support) (patch by theMIRon)
- FIXED: Trend Micro signature check might randomly fail the RSA validation.
- FIXED: Security issues CVE-2017-15275, CVE-2017-12163 and CVE-2017-12150 (backported to Samba 3.6 and 3.5)
- FIXED: Httpd crash when accessing certain webui pages with no connected Ethernet clients
- FIXED: DNSFILTER rules would have priority over OPENVPN Client rules (when client has DNS set to Exclusive mode).
- FIXED: traffic routing from the router itself would fail when restarting the firewall while using an ovpn client with policy rules in effect.

380.68_4 (4-Oct-2017)
- CHANGED: Updated dnsmasq to 2.78 (contains a number of security fixes).
- FIXED: rstats could crash at start time in some situations.
- FIXED: QOS Scheduler would revert back to sfq after you had re-enabled QOS while (fq_)codel was already selected.
- FIXED: Missing tabs on the Parental Control page.
- FIXED: Realtek port status wouldn't auto-refresh on the Sysinfo page.
- FIXED: Incorrect sort by remaining time on the DHCP Lease page.
- FIXED: Some LAN clients couldn't be added to the TOR redirected client list.

380.68_2 (12-Sept-2017)
- FIXED: Some models would show the wrong menu options while in Repeater mode.
- FIXED: USB modem page not displayed if WAN type was set to USB.
- FIXED: CVE-2017-12754 security issue.
- FIXED: Incorrect LAN ports order on Networkmap (RT-AC3200) (Asus bug)
- FIXED: Extra OpenVPN CA not properly handled for OpenVPN clients 3, 4 and 5.
- FIXED: Invalid txrate shown on Wireless Client page if client isn't authenticated yet

380.68 (18-Aug-2017)
- IMPORTANT: due to major webui changes, you will need to either flush your browser cache, or force it to reload the page (shift-reload) the first time you access the webui after upgrading to 380.68.
- NEW: Merged GPL 380_7743 binary blobs for the RT-N66U.
- NEW: Backported Ethernet port status report on the Network Map from GPL 382.
- NEW: Description field added to OpenVPN client configuration
- NEW: Added missing hash types to ipset_arm (Patch by john9527)
- NEW: Added hostname Busybox applet, used by some Entware packages
- NEW: Added TPROXY netfilter target module (ARM only)
- CHANGED: Switched webui menu generation code to GPL 382 code. This new code is easier for me to maintain.
- CHANGED: Used webui menu icons from GPL 382.
- CHANGED: Re-organized VPN pages, merging some together.
- CHANGED: Reworked VPNStatus page, will now refresh itself every 5 seconds. It will also report a client's local and public IP addresses.
- CHANGED: Re-designed webui interface for managing SSL certificate. Added Upload button, and revamped certificate info display (includes some backports from GPL 382)
- CHANGED: Removed option to enable/disable persistent webui certificate - they are now always persistent.
- CHANGED: Reworked Tools -> Sysinfo page, dynamic data will refresh itself every 3 seconds, also port ordering will be more consistent, and display based on the new tableAPI from GPL 382.
- CHANGED: Backported system log page from GPL 382: moved logging settings to it, added option to set a remote syslog server's port, and shown log will auto refresh.
- CHANGED: Re-designed DHCP Lease log page to use the new tableAPI, with sortable fields (defaults to IP sort)
- CHANGED: Do not alternate between ntp server from webui and the one hardcoded in nvram - use webui one, unless it's empty - then use the second server set in nvram.
- CHANGED: Moved App icon out of the notification area and into the footer of the page, with other links.
- CHANGED: Updated Curl to 7.54.1
- CHANGED: Updated nano to 2.8.6
- CHANGED: Re-designed the way the Tor database gets backed up, so it won't grow stale by never being updated.
- CHANGED: Define and forward a small range of ports (57535-57565) for use for passive FTP (needed for TLS over WAN).
- CHANGED: Reduce the amount of logging done while configuring policy-based routing for an OpenVPN client when using the default log verbosity level of 3.
- FIXED: Duplicate LAN port 1 shown for the RT-AC87U on the Sysinfo page.
- FIXED: Port forward/UPNP issues with CTF enabled depending on selected NAT loopback mode.
- FIXED: URL filtering wasn't working over IPv4.
- FIXED: OpenVPN instances could potentially start too early at boot time (before clock was set)
- FIXED: When multiple OpenVPN clients are connected to the router, their username wouldn't show as Connected.
- FIXED: Progress report would go to 200% if you changed a setting and started or stopped an OpenVPN client or server.
- FIXED: Security issues CVE-2017-11344, CVE-2017-11345 and CVE-2017-11420 in networkmap (patches by Kilo Foxtrot Papa)
- FIXED: Webui self-generated certificate could sometimes be invalid due to a race condition between the SSL and non-SSL httpd instances starting at the same time.
- FIXED: Tor would fail to start if there was a backed up database in /jffs/.tordb, due to bad permissions.
- FIXED: SMB sharing without user authentication would fail if router's admin username was changed from "admin" (Asus bug)
- FIXED: SMB sharing without user authentication would cause SMB2 to downgrade to SMB1.
- FIXED: 5GHz-2 would show an "undefined" channel on the Wireless-> General and in the wifi popup if 5GHz-1 was disabled (Asus bug).

380.67 (16-July-2017)
- NEW: Merged with GPL 380_7743 code, with binary blobs from 7378 for N66U
- NEW: Custom config support for quagga/ripd.
- NEW: Webui SSL certificate can now be saved so it gets reused instead of a new one being constantly generated. It will be stored under /jffs/ssl/, you can also easily provide your own by storing cert.pem and key.pem in that location. Settings to control this can be found under Administration -> System.
- NEW: TLS support in vsftpd. Key and certs are automatically generated, and can also be replaced by your own, as ftp.key and ftp.crt under /jffs/ssl/
- NEW: fq_codel and configurable overhead support in Adaptive QoS.
- NEW: PEAP/MSCHAPv2 support via 802.1x on WAN interface, in addition to existing MD5 support (patch by Rafi Khardalian)
- CHANGED: Remember chosen sort method on DHCP static reservations page.
- CHANGED: Updated minidlna to 1.2.0.
- CHANGED: Updated nano to 2.8.5.
- CHANGED: Updated openssl to 1.0.2l.
- CHANGED: Updated ipset (ARM) to 6.32.
- CHANGED: Upgraded from vsftpd 2.0.4 to 3.0.3. You might need to revise any custom configuration you have done (if any).
- CHANGED: Moved SMB2 support switch to the main samba page.
- CHANGED: Optimized all webui images for size
- CHANGED: Tor now runs as a limited user instead of as root
- CHANGED: Limited number of supported OpenVPN clients to 2 on the RT-AC3200, to save on nvram.
- CHANGED: Removed tweak that allowed to disable/enable bridge multicast snooping, as Asus now disables it upstream at the kernel level.
- FIXED: OpenVPN client would be shown as having failed to connect if a reconnect attempt initially failed to authenticate, but successfully connected afterward.
- FIXED: Quagga's log could fill up RAM, reduced the amount of logging generated by it.
- FIXED: NFS sometimes failing to start properly (patch by john9527)
- FIXED: Layout issue of the status bar under Chrome when window is larger than 1800px (patch by Cyrus Dargahi)
- FIXED: UPNP and SNMP issues in Dual WAN mode.
- FIXED: NAT Loopback (merlin mode) in Dual WAN mode wasn't supported.
- FIXED: Internal and external port specifications were swapped in miniupnpd's config file (Asus/Tomato bug)
- FIXED: Enabling policy-based routing for a client connecting to a server that doesn't push a redirect-gateway would fail to properly route traffic (for instance with StrongVPN)
- FIXED: Invalid port trigger rules when specifying a port range (patch by John Bacho)
- FIXED: OpenVPN client with a password containing an "&" could get corrupted when re-editing that client's config.
- FIXED: Some remote syslogd would choke on syslog entries sent by the router if there were spaces in the tag parameter. Removed spaces where this was the case.

380.66_6 (22-June-2017)
- CHANGED: Updated OpenVPN to 2.4.3
- FIXED: Corrupted firewall rules if enabling SSHD brute-force protection and Respond to WAN Ping at the same time while in Dual WAN mode.

380.66_4 (26-May-2017)
- CHANGED: Updated dropbear to 2017.75
- FIXED: Security issue CVE-2017-7494 in Samba.

380.66_2 (16-May-2017)
- FIXED: AiCloud would fail to start on RT-N66U and RT-AC66U.
- FIXED: The generated key/cert for httpds and AiCloud could sometimes be invalid due to a timing problem.

380.66 (12-May-2017)
- NEW: Merged with GPL 380_7378
  Notable changes:
    * Port forwards can select a specific source IP
    * Security fixes for CVE-2017-5891, CVE-2017-5892 and CVE-2017-6547
  Note:
    * If you are experiencing new wifi stability issues, try disabling Airtime Fairness on the Wireless -> Professional page (on all bands).
- NEW: Option to disable Wanduck's constant DNS probing for WAN state (Tools -> Other Settings)
- NEW: Allow disabling the use of DH, by entering "none" in the DH field for OpenVPN server config.
- NEW: Added new Internet redirection mode to OpenVPN clients called "Policy Rule (Strict)". The difference from the existing "Policy Rule" mode is that in strict mode, only rules that specifically target the tunnel's interface will be used. This ensures that you don't leak traffic through global or other tunnel routes, however it also means any static route you might have defined at the WAN level will not be copied either.
- CHANGED: Ovpn importer now recognizes the "port" and "reneg-sec" parameters.
- CHANGED: Ovpn importer now supports a third argument for the "remote" parameter, allowing to specify the protocol.
- CHANGED: Updated Tor to 0.2.9.10
- CHANGED: Updated nano to 2.8.1
- CHANGED: Updated OpenVPN to 2.4.2
- CHANGED: Updated LZ4 to 1.7.5 (used by OpenVPN)
- CHANGED: SSL certificate generated for httpds will now contain SANs for hostname, router.asus.com, IP and DDNS hostname.
- CHANGED: Make minidlna always use the same uuid, based on the LAN MAC (original patch by john9527)
- CHANGED: Better feedback provided when an ovpn file upload generates a problem due to a key/cert that's not provided inline. Inform the user which of these he will need to manually provide.
- CHANGED: Disable bridge multicast_snooping, as this should be unnecessary, and it could interfere with EMF, UPNP and other multicast applications. Can be re-enabled from the Tools -> Other Settings page.
- REMOVED: The Virtual Server page no longer allows users to edit existing port forwards (our existing code is incompatible with Asus's newer webui code and will need to be re-implemented.)
- FIXED: WOL page fails to load if adding a client with a quote in its name.
- FIXED: Couldn't add a DHCP reservation client if its name contained a quote.
- FIXED: New outbound connections weren't logged if firewall logging was enabled.
- FIXED: OpenVPN server didn't always work properly in udp mode when in a dual stack IPv4/IPv6 environment (backport from GPL 382_9736)
- FIXED: When disabling NCP support in OpenVPN, the router could still be trying to use it if the remote end had it enabled.
- FIXED: Potential CVE-2016-10229 security issue in kernel (unsure whether our kernel was vulnerable or not)
- FIXED: ovpn file import would fail to import auth hash or cipher if they weren't uppercase.
- FIXED: Couldn't edit SMB permissions if the disk had multiple partitions (Asus bug) (patch by Jeremy Goss)
- FIXED: Exporting a client.ovpn file with no existing CA could generate garbled output in the generated file.

380.65_4 (28-Mar-2017)
- FIXED: Various LAN/WAN issues with the RT-AC3200 due to incorrect GMAC state checks (Asus bug) (patch by john9527)
- FIXED: Some models would sometimes randomly fail to start one of their wifi radios, possibly due to a hardware design issue. Partly revert the 380.65 changes that removed the automatic reboot if one radio was disabled at boot time, but reduced the maximum number of reboots to 1.

380.65_2 (10-Mar-2017)
- FIXED: CVE-2017-6549 (implemented temporary workaround, until a proper fix from Asus)
- FIXED: CVE-2017-6548 (backport from GPL 7266)
- FIXED: WOL page fails to load if adding a client with a quote in its name.
- FIXED: Couldn't add a DHCP reservation client if its name contained a quote.

380.65 (3-Feb-2017)
- NEW: Merged with parts of Asus GPL 380_4180, left out most of it because of too many bugs in it.
- NEW: Upgraded to OpenVPN 2.4.0, and implemented support for many of its new features:
    * GCM ciphers
    * LZ4 compression
    * tls-crypt (uses the Static Key field)
    * Cipher negotiation (NCP), with (optional) fallback to legacy "cipher" parameter when an OpenVPN 2.3 client connects to the router's 2.4 server.
  Please refer to the OpenVPN 2.4 documentation for more info on these new features. You will be warned if any server setting would generate an exportable ovpn file that would be incompatible with older clients. Existing client config shouldn't need to be changed, unless you modify the router's server configuration.
- NEW: Upgraded Busybox to 1.25.1 (patch by theMIROn)
- NEW: Added the following Busybox applets: ntpd, time, uniq, xargs and getopt, for feature parity with John's fork.
- NEW: Option on Media Server page to enable minidlna's built-in status web page. Default URL is http://router.asus.com:8200 .
- NEW: Support for Vodafone R226 USB LTE (patch by Gernot Pansy)
- NEW: New "update-notification" user script, that gets run when a scheduled firmware check detects a new version is available.
- CHANGED: Removed support for all RC ciphers on OpenVPN. DES is staying for now, but should still be avoided whenever possible.
- CHANGED: Updated openssl to 1.0.2k
- CHANGED: Updated tor to 0.2.9.9 (0.2.9.x patch by blackfuel)
- CHANGED: Updated nano to 2.7.4.
- CHANGED: hosts file will now give a higher priority to the user-configured hostname for the router ahead of hardcoded ones (like router.asus.com).
- CHANGED: Create a system log entry if a new firmware version is available.
- CHANGED: Display name and icon for clients configured on the Tor page.
- CHANGED: Streamlined miniupnpd stop/start events during boot, so there are fewer of them now.
- FIXED: Invalid DUID used when requesting an IPv6 prefix for some of the newer router models, which would prevent them from getting working IPv6 (Asus bug)
- FIXED: Network Service Firewall rules not applied under certain configurations
- FIXED: Port triggering wasn't working if traffic had been whitelisted by Network Service Firewall
- FIXED: Avahi wasn't rejecting connections from secondary WAN interface
- FIXED: Sorting clients by connection time would incorrectly treat 10 hours as shorter than 9 hours, as it was handling it as a string (Asus bug)
- FIXED: Exported ovpn client file wouldn't use the user-configured hostname when using DDNS custom mode.
- FIXED: Exported OpenVPN client config didn't work when using static key authentication.
- FIXED: Exported OpenVPN client config wasn't editable with Notepad, the default editor used by Windows's OpenVPN GUI.
- FIXED: OpenVPN was killed too quickly on disconnection, causing issues when using explicit-exit-notify (patch by john9527)
- FIXED: OpenVPN client/server instances weren't properly restarted on a WAN restart (patch by john9527)
- FIXED: Some models (N66/AC66/AC5300) would reboot 3 times if one of the radios was found disabled by the user while booting (Asus bug).
- FIXED: Webui layout was broken under Chrome 56.

380.64_2 (8-Jan-2017)
- FIXED: IPv6 client list failing to properly show hostnames (regression in 64_1)
- FIXED: A few potential buffer overruns in httpd

380.64_1 (6-Jan-2017)
- FIXED: Security issues in httpd (backport from GPL 4180 + additional fixes of my own)

380.64 (16-Dec-2016)
- NEW: New firmware availability notification. The router will notify you if a new firmware is available, and will also let you view the changelog before sending you to the download page (the update process remains manual). Note that the automated check will only report new final releases.
  The Check button on the Firmware Upgrade will immediately check for final releases or beta (if you select that option), but not both at the same time.
- NEW: Added iptables MASK support on MIPS kernel (patch by john9527)
- NEW: Webui warning shown in the notification area if running low on free nvram.
- CHANGED: Updated nano to 2.7.1.
- CHANGED: Updated OpenVPN to 2.3.14.
- CHANGED: Updated curl to 7.51.0, resolving numerous security and stability issues.
- CHANGED: Tor clients will now route other TCP ports than just 80/443, and drop UDP and ICMP traffic (patch by blackfuel)
- CHANGED: QoS Stats info will automatically refresh every 3 seconds (user-configurable)
- CHANGED: IPTraffic charts now show sorted slices, so the clients with the least traffic will get grouped under "Others" if truncating the list of shown clients.
- CHANGED: Enabled IPv6 support in curl.
- CHANGED: Improved webui performance, by caching large static Javascript files such as jquery, and increased cache life from 5 mins to 1 hour.
- CHANGED: No longer include Download Master packages in the firmware for those models that still included them, reducing firmware size by a few megabytes. Those were always outdated, the router will download the latest versions from Asus's servers at install time.
- CHANGED: Improved webui protection against CSS/XSS attacks (backport from GPL 4164)
- FIXED: Web server crash if importing an ovpn file with an invalid key or certificate (Asus bug)
- FIXED: App icon at the top wouldn't work on Firefox, generating a Javascript error (Asus bug)
- FIXED: Firefox would sometimes fail to display the client list, reporting a JSON parsing error in the console.
- FIXED: HMAC setting not properly set when importing an ovpn file for a config based on TLS authentication mode. (backport from GPL 4164)

380.63_2 (12-Nov-2016)
- CHANGED: Added detection for iPhone 7 models in networkmap (patch by Andrei Coman).
- CHANGED: Enabled --dns-loop-detect support in dnsmasq
- CHANGED: Move Dual WAN static routes to a lower priority, so VPN policy rules will have priority over them
- FIXED: Traditional QoS labels were off by one on the Stats page.
- FIXED: Adaptive QoS upload stats couldn't be retrieved because qosd seems to be hardcoded to always set up classes on eth0 rather than on the real WAN interface.
- FIXED: USB driver was removed too early at shutdown time on the RT-AC56U and RT-AC87U (fix by john9527)

380.63 (6-Nov-2016)
- NEW: QoS Statistics page, showing the amount of traffic assigned to each available class, as well as the current throughput.
- NEW: Charts added to various Traffic Monitor pages. Note that you can click on legend items to reveal/hide the DL/UL data. Hovering over a bar or a pie slice will display the exact value for that item.
- NEW: Added pc_delete() to the helper script (patch by john9527)
- NEW: IPv6 firewall now supports fixed interface ID (EUI64) ipv6 destination addresses (Patch by john9527)
- CHANGED: Updated Tor to 0.2.8.9
- CHANGED: Updated OUI database.
- CHANGED: ipset was updated to version 6.29 on ARM models.
  IMPORTANT: this means you will probably need to update your script to the new syntax. You need to load the xt_set.ko module at the start of your script. There has been no change to MIPS models, due to their older kernel. (original code by Shibby and Victek, Asuswrt port by john9527) (ARM only)
- CHANGED: OpenVPN policy rules now start at prio 10000 instead of 1000
- CHANGED: Added help popups to various settings that are unique to Asuswrt-Merlin.
- FIXED: Custom group/shadow/passwd weren't applied at boot time.
- FIXED: CVE-2016-5195 (Dirty COW) vulnerability in kernel (patches by blackfuel and Joseph A. Yasi)
- FIXED: Network Service Filter rules would only apply to clients under Parental Control if that was enabled (original debugging by john9527) (Asus bug)
- FIXED: A few memory leaks in httpd and rc services.

380.62_1 (29-Sept-2016)
- CHANGED: Updated OpenSSL to 1.0.2j

380.62 (23-Sept-2016)
- NEW: Added nano 2.7.0 (user-friendly text editor)
  Documentation: https://www.nano-editor.org/dist/v2.6/nano.html
  Note that for space reasons, some of its features are disabled for the RT-N66U and RT-AC66U. Entware users might want to uninstall the Entware version if they had it installed and want to use the built-in version instead.
- NEW: Option to toggle the display of passwords on the PPTPD and OpenVPN server pages.
- NEW: Allow providing a vendor class on the WAN page (DHCP option 60)
- NEW: Add option to disable sending a RELEASE request when odhcp6c exits, allowing you to retain your received prefix with some ISPs.
- CHANGED: Updated nettle to 3.2 (used for dnssec) and increased optimization level.
- CHANGED: Updated minidlna to 1.1.6
- CHANGED: Updated OpenVPN to 2.3.12
- CHANGED: Updated OpenSSL to 1.0.2i
- CHANGED: Revamped the Wireless Log page:
    - Merged some columns to gain more horizontal space
    - Longer hostname shown (truncated names are now shown in a tooltip)
    - Display clients' IPv6 if they have one
- CHANGED: Accept up to 250 characters for OpenVPN client's username and password (one provider needs 64).
- CHANGED: Hide the WPA key on the Wireless config page, and only reveal it when you click on the field to edit it.
- FIXED: OpenVPN client shouldn't display policy routing settings when using a TAP interface.
- FIXED: DSL/ATM overhead setting was visible on MIPS models, which don't support it.
- FIXED: Editing OpenVPN or PPTP users with any value longer than 32 chars could lead to corruption of the user list.
- FIXED: Custom config file for igmpproxy wasn't working.
- FIXED: After turning off a Guest network, the next visit to the Wireless Settings page would show that guest network's settings instead of the parent band settings (Asus bug)
- FIXED: Smart Connect rules didn't apply on the RT-AC88U (backported fix from 380_3941).
- FIXED: Numerous memory leaks in the networkmap service. (Asus bug)
- FIXED: Potential buffer overrun in the networkmap service. (Asus bug)
- FIXED: Broken IPv6 connectivity if enabling SSH brute force protection (only MIPS models were affected)
- FIXED: 5G LED would fail to turn back on when exiting stealth mode.
- FIXED: Only hostname was used as remote server in an exported OpenVPN client config when using Namecheap DDNS.
- FIXED: Security vulnerability (XSS/CSR) in httpd (backported fix from 380_4005).
- FIXED: Chrome would try to autofill some fields (such as on the DDNS configuration page), which could be problematic.
- FIXED: IPTraffic database was no longer properly named after the router's MAC address on the AC88/AC3100/AC5300. If you recently enabled it, you will need to either re-create a new database, or rename the existing database from tomato_cstats_000000000000.gz to tomato_cstats_XXXXXXXXXXXX.gz, where "XXXXXXXXXXXX" is your MAC as found with "nvram get et2macaddr", in lowercase (AC88/AC3100/AC5300 only). Regular traffic monitoring (stored in tomato_rstats_XXXXXXXXXXXX.gz) is fine.

380.61 (4-Aug-2016)
- FIXED: Connected OpenVPN clients reporting as disconnected on the status page following any wireless config change (Asus bug)
- FIXED: OpenVPN server would report being "Initializing" while it already was ready, following any wireless config change (Asus bug)
- FIXED: Various stability issues with minidlna (reverted some of Asus's customizations)

380.61 Beta 1 (31-July-2016)
- NEW: Merged with GPL 3831.
- CHANGED: updated dropbear to 2016.74.
- FIXED: Do not enforce b/g mode as "auto" if wireless mode is also set to Auto.

380.60
There was no non-beta release, due to limited model support and unsolved WAN stability issues.

380.60 Beta 2 (5-July-2016)
IMPORTANT: The firmware image file format was changed by Asus. Starting with 380.60, you will no longer be able to flash versions older than 380.60, or Asus versions older than 3.0.0.4.380_3000.
You can currently downgrade by using Firmware Recovery mode, but there's no guarantee that this will keep working in the future.
- NEW: Merged with GPL 3479. This includes the new file format required for certification purposes.
- NEW: Option to enable overhead calculation on Traditional QoS for DSL users (ARM-only)
- NEW: Option on System page to disable the new forced redirection to router.asus.com (defaults to disabled)
- CHANGED: Updated OpenVPN to 2.3.11
- CHANGED: Allow to specify IPv6 prefixes up to 126 on the IPv6 config
- CHANGED: Networkmap will now announce itself as "Asuswrt/networkmap" when connecting to LAN's web services.
- FIXED: OpenVPN server instances weren't properly reporting if an error occurred at start time.
- FIXED: wget was unable to access https site due to not having a CA bundle to verify certificates
- FIXED: odhcp6c was sending bogus preferred prefixes, so anything larger than 64 could result in an invalid prefix
- FIXED: Language selector is missing on router set for the JP region (reverted Asus change)
- FIXED: Client names with single quotes couldn't be edited in the networkmap client popup (Asus bug)
- FIXED: Router wouldn't run SMB to provide browser master or Wins services if no USB disk was plugged
- FIXED: Router would sometimes fail to renew a WAN DHCP lease. (fix by theMIROn)

380.59 (10-May-2016)
- NEW: Merged with 380_2697 GPL. This includes beta MU-MIMO support for the RT-AC87U/AC88U/AC3100/AC5300, and IPTV fixes.
- NEW: Option on OpenVPN client/server page to reset them back to the factory default settings.
- EXPERIMENTAL: Added support for codel and fq_codel to ARM models (RT-AC56U and newer). When enabling Traditional QoS or Bandwidth Limiter, you can now change from the default sfq queue discipline to codel or fq_codel. (based on Kyle Sanderson's Tomato backport)
  NOTE: Traditional QoS is currently broken on the newer models (RT-AC88U and up). This is a known issue in recent Asus releases.
- CHANGED: WAN -> NAT Passthrough now allows you to determine whether or not to load the NAT helper module for h323, rtsp and sip. Asus's old behaviour is "Enabled + NAT Helper".
- CHANGED: DNSFilter client dropdown now uses Asus's new one integrated with networkmap.
- CHANGED: minidlna now supports refreshing an existing database, so the Tweak setting was updated accordingly
- CHANGED: Enable SPNEGO support in Samba
- CHANGED: Integrated Asus's networkmap into the DHCP reservations page
- CHANGED: Updated Tor to 0.2.7.6
- CHANGED: SSH WAN access will also work over IPv6
- CHANGED: Updated miniupnpd to 2.0
- CHANGED: Fields on the DHCP static lease page are now sortable (original patch by Allan Jensen)
- CHANGED: Updated openssl to 1.0.2h
- FIXED: Daily/Monthly traffic monitoring shows invalid values on the RT-AC88U/3100/5300, even with CTF disabled. Implemented a temporary workaround.
- FIXED: WPS wasn't working on the RT-AC3200
- FIXED: Backported security fixes from OpenWRT to Samba 3.6.25, addressing the following: CVE-2015-5252, CVE-2015-5370, CVE-2015-5296, CVE-2015-5299, CVE-2015-7560, CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2115, CVE-2016-2118.
- FIXED: OpenVPN clients set to policy-based routing and Exclusive DNS mode were still adding the tunnel nameservers to dnsmasq, causing both routed and non-routed clients to use them.

380.58 (20-Mar-2016)
- NEW: Merged with 380_1354 GPL
- NEW: Added Tweaks and Hacks settings to Tools -> Other Settings. These are UNSUPPORTED tweaks, intended mostly for experimentation, or very specific situations. If unsure how to apply these, manually reboot after changing them. One of the new settings there lets you disable hourly network rescans, to resolve issues with NAS/printers coming out of sleep every hour.
- NEW: Added setting to configure OpenVPN's auth digest algo.
- NEW: Added setting to configure OpenVPN's logging verbosity. Note that this setting is global to all clients/servers.
- CHANGED: Updated OpenVPN to 2.3.10
- CHANGED: Updated openssl to 1.0.2g
- CHANGED: Updated miniupnpd to 1.9.20160222
- CHANGED: Updated udpxy to 1.0-build 23-10 (backport from GPL 380_2345)
- CHANGED: if you set an OpenVPN client DNS mode to "Exclusive" and you enable policy-based routing, then those policies will also determine which DNS to use (the tunnel's or the ISP's). This is based on DNSFilter's technology. You no longer need to use DNSFilter to control the DNS used by your OpenVPN clients.
- CHANGED: Made OpenVPN traffic bypass CTF, which resolves some throughput issues with it
- CHANGED: Disabled X11 Forwarding support in Dropbear, for security reasons.
- FIXED: PPTP static route handling script was broken
- FIXED: minidlna would check for the wrong database filename at start time
- FIXED: Wrong status shown for VPN Client 3
- FIXED: OpenVPN clients were run on the wrong CPU cores. Now, odd instances correctly run on the second core.
- FIXED: Using DNSFilter with default mode set to "router" would prevent using the router for IPv6 lookups.
- FIXED: Account limit wasn't properly allowing up to 10 clients for SMB/FTP (patch by vit9696)
- FIXED: Having multiple OpenVPN clients configured with multiple "Accept DNS configuration" modes would only apply the last client's setting. Now, we apply the most restrictive setting of all configured clients.
- FIXED: RT-AC68U 2.4 GHz was broken if CTF was disabled (downgraded wifi driver to 6.37.14.105)
- FIXED: Disabling the SIP NAT helper would also drop all port 5060 traffic. Some users need to keep the SIP helper disabled with their SIP client. Reverted that GPL 858 change.

380.57 (24-Dec-2015)
- NEW: Merged with 380_1031 GPL
- NEW: Added RT-AC3100 and RT-AC5300 support
- NEW: Added RT-AC68U HW Revision C1 support
- NEW: Backup/Restore of the content of the JFFS partition (under Administration Restore/Save Settings)
- NEW: Added DNSSEC support. Can be enabled under LAN -> DHCP.
- NEW: Added custom/postconf support for igmpproxy.conf.
- CHANGED: Increased user account limit from 16 to 32 on the VPN server pages.
- CHANGED: Updated e2fsprogs to 1.42.13
- CHANGED: Increased maximum entries in Parental Control (time scheduler) to 32.
- CHANGED: Updated miniupnpd to 1.9.20151119.
- CHANGED: Updated Openssl to 1.0.2e.
- CHANGED: Downgraded Dropbear to 2014.66, too many issues in the newer releases.
- CHANGED: Improvements to VPN Status page
- FIXED: CTF not automatically disabled when enabling IPTraffic.
- FIXED: Openvpn clients 3 through 5 were all run on the first CPU core. They are now properly alternated like the first two (odd on CPU1, even on CPU0)
- FIXED: smb.log generated by networkmap could fill up RAM
- FIXED: upnpc_xml.log generated by miniupnpc could fill up RAM
- FIXED: Inconsistent names used on IPTraffic and Sysinfo page. Now, we give priority to any description manually entered on the networkmap, followed by static hostname, then any current (lease) hostname.
- FIXED: MAC queries sent to the OUI database were broken due to changes on the IEEE website
- FIXED: Applying changes to OpenVPN client page would start the client even if it was disabled/stopped.

378.56_2 (2-Nov-2015)
- CHANGED: Reverted the memory buffering optimization for ARM devices, as people keep panicking over the lower amount of free RAM. You can manually re-enable the optimization by setting "drop_caches=0" in nvram.
- CHANGED: Allow using a port < 1024 for http(s) webui interface.
- FIXED: EMF wasn't working on AC56/AC68/AC87.
- FIXED: Couldn't connect to ISPs using VLANs (RT-AC87U)
- FIXED: Editing Port Forward entry with ellipsis in the description or the port range would still edit the shortened version instead of the full content.
- FIXED: Debug log from mDNSNetMonitor could gradually fill up RAM - disabled it.
- FIXED: Router crash if pasting SSH key > 2047 characters.
- FIXED: Editing an entry on the networkmap would clear the hostname if entry existed in the DHCP static list.
- FIXED: OpenVPN server in secret key mode would fail to start.
- FIXED: Couldn't add entries to the MAC Filter list of Guest Networks (reverted our previous implementation which conflicted with Asus's new one).
- FIXED: NTP failing to refresh for some cases. Implemented temporary workaround.
- FIXED: Some services not properly starting at boot time (like Parental Control or Tor)

378.56 (25-Oct-2015)
NOTE: There is no 378.56 build for the RT-N66U at this time, as Asus hasn't released updated source code for this model yet, and there are new closed source binary components that are necessary for this new release. Make sure to read the changelog of the two previous betas for the complete list of changes since 378.55.
- CHANGED: Nameserver handling is more resilient to scenarios where dnsmasq fails to start due to a broken configuration
- FIXED: PPTP/L2TP client page broken on French locale
- FIXED: Entries on the Virtual Server page with ellipsis in their name or port range weren't properly copied to the Add fields when edited.
- FIXED: Additional fixes to truncated hostnames related to networkmap

378.56 Beta 2 (18-Oct-2015)
- CHANGED: Increased Guest MAC filter entries limit to 64.
- CHANGED: DHCP query logging no longer overrides the configured syslog level, and the option was renamed to "Hide queries" to be more intuitive with regard to the configured logging level.
- CHANGED: Enabling Hide DHCP queries also silences any RA routine event.
- CHANGED: Reverted networkmap's printer detection change as it didn't resolve the printer wakeups.
- CHANGED: Reorganized settings on the System page
- FIXED: QoS page layout in Firefox
- FIXED: curl wasn't using the firmware's CA list (regression)
- FIXED: Models with 128 KB support were only reporting 64 KB in the nvram userspace tool
- FIXED: Traditional QoS not working when IPv6 is enabled (patch by charlie2alpha)
- FIXED: Smart Connect page fails to save interface policies
- FIXED: VPNStatus page was broken on French locale

378.56 Beta 1 (12-Oct-2015)
- NEW: Merged with GPL 9177.
- NEW: Added support for the RT-AC88U.
- NEW: Support for Russian ISP Telenet (code by theMIROn)
- NEW: ipset support in dnsmasq (patch by ryzhov_al)
- NEW: default loglevel is now configurable and defaults to 5 (notice) instead of 0 (emergency)
- NEW: local syslogd loglevel is now configurable through the webui.
- NEW: Support for extra-certs in OpenVPN
- NEW: Editable DHCP static leases list, virtual servers, port triggers.
- NEW: IP addresses on the Network Service Filter page can now be subnets in CIDR format (i.e. 10.0.0.0/24)
- CHANGED: Updated miniupnpd to 20150723 snapshot
- CHANGED: Updated openvpn to 2.3.8
- CHANGED: Updated dropbear to 2015.68 + upstream patches
- CHANGED: Updated minidlna to 1.1.5.
- CHANGED: Support up to 5 different OpenVPN clients (to match Asus)
- CHANGED: Maximum openvpn policy rules reduced from 128 to 100, fewer priority slots wasted in the RPDB tables (could have been a problem with the increase in the number of supported clients)
- CHANGED: Improvements to VPN Status page
- CHANGED: Connection failure reason shown on the OpenVPN client configuration page.
- FIXED: Router crash when an invalid or corrupted DH parameter is used on an OpenVPN server configuration.
- FIXED: 2.4 GHz temperature would be missing on the Sysinfo page when disabling the 5 GHz radio on the RT-AC3200.
- FIXED: Max tracked connection limit wasn't user-editable
- FIXED: Resource leaks in ez-ipupdate if an update failed
- FIXED: Networked printers coming out of sleep every time networkmap queried their LPR service
- FIXED: Resource leak in networkmap when scanning for printer servers
- REMOVED: Regulation mode setting on Wireless -> Professional. This can't be adjusted anymore, as it was moved to a closed source component.

378.55 (17-July-2015)
- FIXED: DHCP lease page could get confused by IPv6 clients on the LAN.

378.55 Beta 2 (11-July-2015)
- CHANGED: Updated dnsmasq to 2.73 RC9 (backport from GPL 6975)
- CHANGED: Updated odhcp6c to newer version (backport from GPL 6975)
- CHANGED: Updated openssl to 1.0.2d (fixes CVE-2015-1793, only present in Beta 1 - 54_2 was not affected)
- CHANGED: Display existing key/certs on the OpenVPN pages once they've been migrated to JFFS.
- FIXED: Time scheduler-related features (Parental Control & Wifi scheduler) were broken (backported fix from Asus's GPL 6975) (beta 1 regression)
- FIXED: QTN firmware was still being copied to RAM rather than rely on the symlink to flash added in Beta 1, to save 4 MB of RAM. (AC87U)
- FIXED: Dropbox cloud sync would fail on some setups (backport from GPL 6975)
- FIXED: Entware-setup script would generate an invalid services-start script
- FIXED: Duplicate zoneedit entry on the DDNS service list.

378.55 Beta 1 (3-July-2015)
- NEW: Merged with GPL 6117. Notable changes from Asus:
  o New token-based webui authentication (more secure)
  o OpenVPN certificates moved to JFFS2, saving nvram. key/cert fields will show up empty on the webui, any new key/cert you paste will be written back to /jffs/openvpn/ . This means that if you revert back to a previous version, your key/certs will no longer be in nvram, so OpenVPN instances will fail to start.
  o New network client list on the network map
  o CTF support for PPTP/L2TP WAN (Russian ISPs) (ARM)
- NEW: Reformatted DHCP lease list under System Log.
- NEW: Reformatted Port Forward page under System Log.
- NEW: Reformatted Route Table page under System Log.
- NEW: Reformatted IPv6 Status page under System Log.
- NEW: Display more details about UPNP/NAT-PMP/PCP redirections on the Port Forward page.
- CHANGED: The JFFS2 partition is now always enabled, as it is required by various firmware functions. The options to format it or to enable/disable user config/scripts remain configurable.
- CHANGED: Updated OpenVPN to 2.3.7.
- CHANGED: Updated OpenSSL to 1.0.2c.
- CHANGED: Use a pre-generated 2048-bit DH from RFC 3526 instead of generating our own when doing the first time setup for OpenVPN servers. This is necessary as openssl 1.0.2b and up now reject 512-bit DHs, and generating a 1024-bit one would take far too long on a router. The end-user still has the possibility of providing his own - as long as it's 1024-bit or stronger.
- CHANGED: Updated minidlna to upstream Git snapshot from 2015-06-26, and switched to the newer build system.
- CHANGED: Upgraded ffmpeg from 0.6.0 to 0.7.17.
- CHANGED: Accept DHCP lease duration of up to 31 days on the DHCP page
- CHANGED: No longer regularly flush caches from memory on ARM router. This will mean a lower amount of free memory is shown, however that memory gets freed whenever something actually needs it, so this is normal. (ARM)
- CHANGED: Display the size of cache memory on the Tools -> Sysinfo page
- CHANGED: Improvements to the Networkmap (ability to remove an entry, removed the alert() from modifying an existing entry)
- CHANGED: Save over 4 MB of RAM on the RT-AC87U by not copying the QTN firmware to RAM (RT-AC87)
- FIXED: Wireless Log page would fail to load if the SSID contained certain characters
- FIXED: Wireless Log page would fail to load when in Media Bridge mode on the RT-AC87U
- FIXED: DDNS page would complain about an empty account field when setting it to CUSTOM with no prior value in that field.
- FIXED: Automatically generated DH was too weak (512-bit) and preventing clients based on newer OpenSSL releases from connecting. We automatically replace any weak PEM with our 2048-bit one.
- FIXED: minidlna could get stuck building its database (reverted Asus's recent memory optimizations)

378.54_2 (10-June-2015)
- FIXED: The exported ovpn config for clients had the incorrect port value.
- FIXED: Busybox's zcip was missing a patch from 378_4950, preventing it from working (and in turn preventing igmpproxy from working for people with PPPoE connections where their modem does not provide any DHCP lease to the physical WAN interface)

378.54_1 (8-June-2015)
- Some of the builds were unstable, did a complete recompile of all releases. There was no code change.

378.54 (7-June-2015)
IMPORTANT: if you were previously using the AiProtection ad blocker, you will need to manually disable it over SSH after flashing this release, by running the following commands:

    nvram set wrs_adblock_popup=0
    nvram set wrs_adblock_stream=0
    nvram commit

- NEW: Merged with Asus GPL 378_5134.
- NEW: OpenVPN policy rules can now be set to route matching traffic through either the tunnel, or to your ISP (allowing you to create exceptions to your tunnelling rules)
- NEW: Added OpenVPN server setting to let the OS manage socket buffers (by inserting rcvbuf 0 and sndbuf 0 in the server configuration)
- CHANGED: Upgraded OpenSSL to 1.0.2a, adding new tls ciphers to OpenVPN and the https webui
- CHANGED: Updated miniupnpd to 1.9.20150430
- CHANGED: Reverted kernel backport of the parallel printer support, and reintroduced fix in lprng. This should hopefully fix the recent printing breakage issues.
- CHANGED: Removed AiProtection's ad blocker, as it's too buggy to be usable, breaking numerous mobile applications, and not being configurable in any way.
- CHANGED: OpenVPN policy routing rules are now applied at boot time (when WAN comes up), so clients who are blocked while a tunnel is down will immediately be blocked until the tunnel comes up.
- CHANGED: Upgraded Quantenna firmware to 378_6065 release (AC87)
- FIXED: Router DNS weren't reverted to their original values when shutting down an OpenVPN client with "explicit-exit-notify" enabled. Now we manually clean it up after the user manually terminates the client - it might still not be cleaned up after an unexpected shutdown however. Ideally, users should try avoiding using this setting when possible.
- FIXED: Some legitimate VPN packets could get dropped due to their conntrack state. Now, only INVALID packets coming from the WAN interface are dropped.
- FIXED: OpenVPN client would sometimes try to connect before the clock had been set by NTP at boot time, preventing it from connecting.
- FIXED: AiProtection security check would fail to load when Dual WAN is enabled
- FIXED: Various fields would allow you to enter a single quote character, which could break the webui. Now these fields re-validate the content after you deactivate the text field.
- FIXED: Switching between All Traffic and Policy Mode OpenVPN routing while the option to block traffic when the tunnel goes down was enabled wasn't properly removing those rules, so a tunnel going down in All Traffic would still block policed clients.
- FIXED: EMF wasn't working on ARM models (missing userspace tool)

378.53 (26-Apr-2015)
- NEW: Merged with Asus GPL 378_4980 (with pieces from 378_4850 for AC56/AC68 and 378_5183 beta for AC87)
- NEW: OpenVPN policy routing. You can select client IPs or destination IPs which you want to route through your VPN tunnel. You can enter a single IP (192.168.0.1) or a whole subnet in CIDR format (for example 74.125.226.112/30). You can optionally block WAN access to these as well when the tunnel goes down.
- NEW: Ad blocker based on Trend Micro's Web Reputation System (WRS).
  This is an EXPERIMENTAL feature implemented by Asus but that isn't enabled in the stock firmware.
- CHANGED: Updated Tor to 0.2.5.12
- CHANGED: Those providing a signed SSL certificate for httpd can now provide a chain certificate. The three PEMs must be in that order: client, intermediate, CA. (Patch by sasoiliev)
- CHANGED: The setting to enable the neighbour solicitation filter rule for Comcast's request flooding was changed to "ipv6_ns_drop", and now defaults to "0" as this hack causes issues with other ISPs.
- CHANGED: Backported dnsmasq patch that reverts a fix for Windows 8 clients as it could cause issues with other clients.
- FIXED: DNSFilter would fail if you had it set to "Router", and didn't have a DNS IP entered on the WAN page.
- FIXED: MSS clamping wasn't applied to traffic in both directions, moved it to the mangle table.
- FIXED: OpenVPN client firewall "external" mode does not exist - removed from the webui.
- FIXED: PPTP account list could become corrupted after removing an entry on the PPTP server page.

378.52_2 (5-Apr-2015)
- CHANGED: Updated AiCloud prebuilt binaries for MIPS models
- CHANGED: Applied kernel patch for MIPS kernel ported from 376_3861, related to CTF support
- FIXED: AiCloud would fail to start unless you had HTTPS enabled for the webui (causing the key/cert to be missing)
- FIXED: DDNS hostname would become corrupted after backing up your router configuration (Asus bug)

378.52 (3-Apr-2015)
- NEW: Merged with Asus GPL 378_4608
- NEW: Added ECDHE support to the webui (when accessed over HTTPS)
- NEW: The DHCP server can now provide a second DNS to its clients
- NEW: You can tell the router not to advertise itself as a DNS
- NEW: Experimental Tor support (feature originally developed by Asus, but not available yet on stock firmware). You can enable it in the VPN section of the webui.
- CHANGED: Updated miniupnpd to 1.9.20150309
- CHANGED: You can no longer disable the JFFS2 partition if Traffic Analyzer is enabled.
  Likewise, you can no longer enable Traffic Analyzer if the JFFS2 partition is disabled.
- CHANGED: The selected refresh rate of the Wireless Clients page will be saved to a cookie
- CHANGED: Removed obsolete (non-safe) ciphers such as RC4 from the router's https webui
- CHANGED: Updated OpenSSL to 1.0.0r
- CHANGED: Removed Turbo button support from webui, as that feature doesn't work with the current bootloader everyone is using now (RT-AC68)
- CHANGED: Performance optimization to the httpd, dropbear and rc services
- FIXED: 2.4 GHz and 5 GHz-1 clients were swapped on the Sysinfo page (RT-AC3200 only)
- FIXED: Wifi PSK wasn't blurred until activated (regression from 378.51)
- FIXED: Samba's custom config/postconf were ignoring the state of the global option to enable them (they would always be used)
- FIXED: Samba's custom config/postconf usage wasn't logged
- FIXED: Some services would fail on their first attempt to start at boot time due to the QTN subsystem taking too long. Implemented patch from Asus which eliminates the long QTN stall at boot time. This resolves the issue where some users had trouble connecting their WAN at boot time (RT-AC87U)
- FIXED: NAT rules could occasionally fail to be applied (patch by john9527)
- FIXED: The Apply button on the Adaptive Bandwidth page had a clickable area so wide that it even covered part of the left side menu. (Asus bug)
- FIXED: USB menu was removed instead of Parental Control on DPI-enabled models
- FIXED: QoS page was still available on the AP/RP modes on DPI-enabled models
- FIXED: Error on OpenVPN Server page if using a DHCP pool for connected clients.
- FIXED: UPNP would be reported as enabled on the security report if it was enabled on the secondary WAN even if Dual WAN itself wasn't enabled. Now we check that Dual WAN itself is also enabled before reporting so.
  (Asus bug)
- FIXED: mtd-erase was unable to erase the brcmnand partition, which is used as the JFFS2 partition starting with the RT-AC66U (patch by benoitm974)
- FIXED: JFFS2 partition couldn't be formatted for all routers but the RT-N66U (wrong partition name). Also resolved the case where a second reboot was required to mount it.
- FIXED: RT-AC3200 port numbering was reversed on the Sysinfo page.

378.51 (6-Mar-2015)
- CHANGED: Updated OpenSSL to 1.0.0q (no real code change)
- CHANGED: Split the changelog into a separate file
- CHANGED: Added logging on custom config/script execution. An error message will also be logged if those are disabled while such a file is found.
- CHANGED: Allow pasting the password in some fields that would disable it (patch by gfairchild)
- FIXED: RSSI not reported for guest clients (beta 1 regression)
- FIXED: DM failing to install on RT-AC66U (beta 1 regression)

378.51 Beta 1 (28-Feb-2015)
- IMPORTANT: The RT-N16 is no longer officially supported. The increased number of separate router platforms is becoming too much of a burden for one single developer, as some features must be implemented 2-3 separate times for different architectures. The RT-N16 support will remain in the source code, so other developers can still compile their own builds, and possibly take over for supporting this older platform. However, no new features will be implemented, and it will no longer get tested. I still welcome external contributions if someone else wants to take care of testing and providing fixes to new issues.
- NEW: Added support for the RT-AC3200.
- NEW: ARM support for Entware, using Zyxmon's Qnapware repository.
- NEW: Re-designed Wireless Log page displaying connected wireless clients. The new page uses Ajax to automatically update itself at a user-selected frequency, for near realtime monitoring of your connected wifi clients.
- NEW: NAT loopback can now be chosen between Disable, Asus's original, and Merlin's own (based on Phuzi0n's original DD-WRT design). The option can be found on the Firewall page.
- CHANGED: Reverted RT-AC66U driver to previous version as some users were experiencing stability issues with the 3754 version.
- CHANGED: Updated p910nd to 0.97 to resolve incomplete print jobs (patch by stsichler)
- CHANGED: Updated Samba to 3.6.25
- CHANGED: The Entware setup scripts will now backup any existing installation rather than remove it (patch by TeHashX)
- CHANGED: Re-implemented our original NAT loopback code, with attempts at reconfiguring it whenever the DPI engine is restarted. This is still experimental, as most of the DPI engine is closed source, so unsure if the loopback gets re-enabled in every regular DPI restart scenario.
- CHANGED: Disabled the offline default error page. Clear your offline content in your browser to fully get rid of it.
- CHANGED: Removed security warnings if FTP/Samba are configured to allow unauthenticated users.
- FIXED: Issues when connecting with Russian ISPs relying on DHCP+VPN (such as Beeline)
- FIXED: When enabling WAN access to webui, the router would always forward both http and https ports regardless of if either of these were disabled.
- FIXED: Shared printers over LPRng would sometimes fail to completely print the last page (patch by stsichler)
- FIXED: CVE-2015-0240 security issue in Samba 3.5.8 (used by AiCloud). The main Samba daemon was patched by the update to 3.6.25.

378.50 (7-Feb-2015)
- IMPORTANT: You must do a factory default reset, and manually reconfigure your settings if coming from a version older than 378.50. Failure to do so can lead to various issues with wifi, OpenVPN, and the new AC68U bootloader.
- IMPORTANT: Please read this changelog, especially the changes related to jffs, user scripts/config and OpenVPN in the previous 378.50 betas.
- NEW: Merged with Asus GPL 378_4129 code.
- CHANGED: Reverted back to vsftpd 2.x, as 3.0.2 doesn't work properly on MIPS architectures (and possibly other particular scenarios as well).
- CHANGED: Added warning to the DDNS page if you set the type to Custom and either JFFS or custom script support isn't enabled
- FIXED: A few unescaped quotes in the French dict breaking VPN pages
- FIXED: MAC list would get corrupted when removing and re-adding entries on the MAC filter list
- FIXED: AC68U CFE update wasn't written to flash due to permission issues
- FIXED: Static Key field wasn't visible when using HMAC authentication
- FIXED: syslogd was always enforcing the -S switch
- FIXED: When setting a static DHCP from the networkmap, the user-entered name wouldn't be used. Now it gets used, and we rely on the rc daemon to properly handle it if it's not a valid hostname (it will simply not provide it to dnsmasq's static name list).

378.50 Beta 2 (31-Jan-2015)
- NEW: Added custom config and postconf support for avahi, netatalk and mt-daapd (iTunes server).
- CHANGED: Moved the AC68U CFE update process to the same location as in GPL 3626 to see if it works more consistently.
- FIXED: Non-DPI build of AC56U had incompatible Tuxera modules
- FIXED: vsftpd wouldn't start if you had IPv6 enabled.
- FIXED: Asus had disabled the NAT loopback fix on MIPS's iptables in GPL 3762. Re-enabled.
- FIXED: Wireless clients that hadn't communicated in a while wouldn't be properly shown on the Wireless log (patch by pinwing)
- FIXED: QoS rules weren't applied properly when IPv6 was enabled (was changed in recent GPL - reverted it)
- FIXED: Can't apply a Custom DDNS if you don't have something entered in the username/password fields (shown in other DDNS services)
- FIXED: NFS page wasn't properly loading

378.50 Beta 1 (25-Jan-2015)
- IMPORTANT: You must do a factory default reset, and manually reconfigure your settings. Failure to do so can lead to various issues with wifi, OpenVPN, and the new AC68U bootloader.
- IMPORTANT: Please read this changelog, especially the changes related to jffs, user scripts/config and OpenVPN.
- NEW: Merged with Asus 378_3913 GPL code. Most notable changes:
  * Trend Micro DPI engine for RT-AC68U
  * Updated Trend Micro engine for RT-AC87U
  * Updated Quantenna firmware/driver
  * Various updates to 3G/4G support and Dual WAN
- NEW: ddns-start user script, executed after the DDNS update was launched (can be used to update additional services)
- NEW: Custom DDNS (handled through ddns-start script). See the documentation for how to create such a script.
- NEW: Option to enable support for custom scripts and config files. This option is disabled by default, so if you have a broken script that prevents the router from booting, doing a factory default reset will ensure that the broken script won't be executed, and recover access to the router. This is necessary since the JFFS2 partition is now enabled by default.
- CHANGED: Added logo to DNSFilter on the AiProtection homepage (contributed by Piterel)
- CHANGED: Updated Openssl to 1.0.0p
- CHANGED: Merged Asus's newer NTP update code, with a fix to prevent hourly log spam from the update process when in a DST enabled timezone.
- CHANGED: Updated vsftpd to 3.0.2 (newer version used by Asus on their Qualcomm-based routers)
- CHANGED: the qos-start script will be passed an argument that will contain "init" (when setting up tc) or "rules" (when setting up iptables).
- CHANGED: JFFS2 partition is now enabled by default, to be in sync with Asus, who are starting to make use of this partition.
- CHANGED: The Local IP in an IPv6 firewall rule can now be left empty.
- CHANGED: Download Master will now be downloaded at install time rather than included in the firmware, to increase the amount of space available to JFFS - this matches the AC56/AC68. (N16, N66)
- FIXED: Under certain conditions, the OpenVPN server page would report an initializing state when it was already running.
- FIXED: First OpenVPN client/server instance wasn't properly run on the second CPU core, resulting in lower performance (AC56/AC68/AC87)
- FIXED: Router IP wasn't advertised through DHCP as WINS server if WINS was enabled
- FIXED: OpenVPN would crash if specifying "None" as the cipher (regression in OpenVPN 2.3.6)
- FIXED: The "empty" category was removed by Asus a few months ago, preventing you from removing an assigned priority on the Adaptive QoS page. Re-added it.
- FIXED: Port triggers weren't written to the correct iptables chain (Asus bug)
- FIXED: When moving from stock to this firmware, the OpenVPN Server 1 instance gets automatically enabled because Asus hardcodes "1" into the nvram setting that handles start at wan. Changed to a different nvram to resolve this conflict. This means everyone must re-enable their OpenVPN server instance after upgrading from any version before 376.50.
- FIXED: dnsmasq would run out of available leases if you had a very small DHCP pool combined with many out-of-pool reservations. Now the limit will be either 253 or the pool size, whichever is the largest (Asus issue)
- FIXED: SSHD port forwarding couldn't be enabled/disabled
- FIXED: DHCP log spam when using IPv6 with a Windows 8 client (patch by pinwing)
- FIXED: snmp exposes a lot of sensitive information such as login credentials, therefore all the custom Asus MIBs have been disabled.
- FIXED: Very long SSIDs with special characters/spaces in them would be shown as "undefined" in the banner.
- FIXED: Curl would fail to access SSL sites due to lack of a CA bundle.

376.49_5 (9-Jan-2015)
- FIXED: Vulnerability in infosvr (CVE-2014-9583) (Asus bug)
- FIXED: Additional security issue in infosvr (incorrect memcpy() call) (Asus bug)

376.49_4 (27-Dec-2014)
- FIXED: WAN page error when entering a hostname, and broken UPNP FAQ link
- FIXED: OpenVPN Server wasn't showing the Advertize DNS to Client option (regression from 3677 merge)
- FIXED: bootloop when enabling Traditional QoS (or any other feature that forces CTF to be disabled) due to FA being left enabled (Asus bug) (AC87)

376.49_2 (23-Dec-2014)
- FIXED: Asus DDNS couldn't be configured on the webui
- FIXED: OpenVPN server wouldn't let you edit user accounts
- FIXED: Missing DLNA icon on clients (Asus bug) (N66, AC66)

376.49 (21-Dec-2014)
- NEW: Merged with Asus GPL 376_3677. This new code includes a lot of changes related to USB modem support.
- NEW: IPv6 handling based on dnsmasq + odhcp6c. This new code which has been developed by Asus these past few months but kept disabled so far has been enabled. Initial tests show much better reliability with different ISPs.
- NEW: Added IPv6 support to DNSFilter (currently only Yandex has IPv6 servers). Note that unlike IPv4 filtering, we cannot automatically NAT queries to the desired server, so the current implementation works like Asus's YandexDNS service, where IPv6 servers are simply returned to DHCPv6/RA client queries, and ip6tables ensures that you cannot override them, by rejecting connection to other DNS servers.
- CHANGED: Merged newer DPI engine from 378_3123 beta (AC87)
- CHANGED: Removed SSLv2 and v3 support from OpenSSL (we had already stopped using these in 376.48, so this removes unused code)
- CHANGED: The VPN webui is now a bit closer to Asus's code. This will mostly make it easier to keep in sync with future changes to that UI by Asus (they rearranged the layout a bit in 376_36xx).
- CHANGED: Updated OpenVPN to 2.3.6
- CHANGED: Reverted to Asus's max-lease number calculation for dnsmasq
- CHANGED: Hide wireless key on settings page unless field has focus (patch by John9527)
- CHANGED: Ported USB 3.0 (XHCI) kernel driver from Netgear GPL (which seems to have in turn backported it from upstream kernel 3.x)
- CHANGED: Updated Quantenna to v36.7.3.23 (AC87)
- FIXED: vsftpd wasn't properly compiled with SSL support.
- FIXED: MAC filtering couldn't be disabled on Guest networks (Asus bug) (Patch by John9527)
- FIXED: Various fixes and tweaks to the new IPv6 code from Pinwing and saintdev
- FIXED: Editing a client on the networkmap would cause any matching DHCP reservation entry to lose its hostname
- REMOVED: The web redirection control setting was removed, as it is being replaced by the (simpler) redirection setting Asus added to the System page.

376.48_3 (20-Nov-2014)
- FIXED: NAT loopback was broken on MIPS devices (backported Asus fix from 376_3626)

376.48_2 (8-Nov-2014)
- FIXED: Samba would fail to start on the RT-N16 due to a missing library.

376.48_1 (7-Nov-2014)
- FIXED: Max-lease calculation Asus introduced in 376_2769 is broken - re-hardcode it to 253 like they used to do in previous release. Will be properly fixed once they release a newer GPL with this issue resolved. (Asus bug)

376.48 (7-Nov-2014)
- NEW: Added the RT-AC68P to the list of supported devices
- CHANGED: Use sha256 checksums instead of MD5 for improved security when validating your downloads. (note: checksums are also posted on the support forum at SmallNetBuilder)
- CHANGED: Switched my fix for unmounted/hidden partition support with Asus's own fix from GPL 3561.
- FIXED: Samba would fail to start if the router admin username contained upper case characters.
  Samba was modified to have it try to locate the UNIX user as provided (it was previously only trying upper and lower case versions) (Samba 3.6 bug)

376.48 Beta 3 (02-Nov-2014)
- CHANGED: Updated miniupnpd to release 1.9 (plus upstream PCP fix)
- FIXED: Couldn't edit share permissions for Samba if your disk contained an unmounted/hidden partition (Asus bug in 2769)
- FIXED: Couldn't edit share permissions for Samba for the RT-N66U internal SDcard reader (Asus bug in 2769)
- FIXED: Missing Max User field to Samba page (Asus bug)

376.48 Beta 2 (26-Oct-2014)
- NEW: Added logo to the webui header
- CHANGED: Samba 3.6 will now use libiconv to handle charset conversion (will resolve CP850 warnings amongst other things)
- CHANGED: Updated miniupnpd to 20141023 code from Github.
- CHANGED: Updated dropbear to 2014.66.
- CHANGED: Reverted NTP update code to GPL 2678 in hopes of resolving the few cases where it didn't work anymore.
- FIXED: minidlna is once again able to use inotify for updates. A temporary workaround has been implemented where minidlna will be statically linked with a threadsafe build of sqlite3, while BWDPI will continue to use the shared non-threadsafe library. (Asus bug)

376.48 Beta 1 (18-Oct-2014)
- NEW: Merged with Asus 376_2769 AC87 GPL
- NEW: Enabled numerous modules in net-snmp (based on the list used by OpenWRT)
- NEW: Added postconf and custom config support for snmpd.conf
- NEW: Added HID support to ARM kernel (AC56,AC68,AC87)
- CHANGED: Reverted NAT loopback code to Asus's, since our own code is currently broken by recent FW code changes.
- CHANGED: Updated openssl to 1.0.0o, resolving a few security issues.
- CHANGED: Disabled SSLv2 and SSLv3 support for https access to the router webui. IE6 users, your time is up - upgrade. TLS 1.0 is now the only supported protocol.
- CHANGED: upgraded main Samba server from 3.0.x to 3.6.24. This might cause a slight drop in performance, but should improve both reliability and security.
- FIXED: DNSFilter client list dropdown would sometimes be empty.
- FIXED: DNS queries run on the router were forwarded to upstream nameservers instead of the local dnsmasq
- FIXED: Re-added the USB HID kernel module needed for UPS monitoring (patch by ryzhov_al)
- FIXED: Incorrect top margin on some pages such as AiCloud, and stretched font on the progress splash (Asus bug)
- FIXED: URL and keyword filtering wasn't working under certain situations when CTF was enabled
- FIXED: Mac Filtering wasn't working with Guest networks (Asus bug) (Patch by saintdev)
- FIXED: Choosing a client on the MAC Filter page wasn't properly filling the Name field. Also reorganized layout a bit.

376.47 (20-Sept-2014)
- NEW: Added sha256 and sha512 HMAC support to dropbear (SSH)
- CHANGED: Moved OpenVPN postconf scripts right before server/client gets started, so you can also use them to modify the other generated files such as the exported ovpn config file.
- FIXED: SSHD options visibility (patch by pinwing)
- FIXED: EMF/IGMP settings were reverting to the selected profile default (Asus bug introduced in GPL 2678)
- FIXED: PPTP account list failed to display (regression in Beta 1)
- FIXED: VPN server page was switching back to PPTP when changing OpenVPN unit and you were initially on the PPTP page
- FIXED: Activity indicator wasn't shown during a networkmap scan

376.47 Beta 1 (14-Sept-2014)
- NEW: Merged with Asus GPL 2678 (AC87)
- NEW: Report Quantenna FW version on Sysinfo page
- NEW: Enabled experimental FTP and Samba Cloud Sync support in AiCloud. This feature is still in development by Asus, so it might not be fully functional yet.
- NEW: Enabled experimental SNMPD support, under Administration -> SNMP. This feature is still in development by Asus, so it might not be fully functional yet. (not available on the RT-N16)
- NEW: Added option to enable WAN access to SNMPD, defaults to disabled.
  (Asus's implementation has it open to the WAN by default)
- CHANGED: Re-increased max allowed FTP user limit to 10 (was reverted to 5 in the GPL merge when the setting was moved to the FTP page)
- FIXED: PPTPD was getting enabled every time you clicked Apply while on the PPTPD VPN Server page

376.46 (26-Aug-2014)
- NEW: Merged with Asus GPL 2061. This is essentially the new QTN driver for the AC87.
- FIXED: Various webui issues with IE10/IE11 (patch by pinwing)
- FIXED: OpenVPN Client page was visible on the RT-N16
- FIXED: DHCP pool validation error on VPN Server advanced page.
- FIXED: Couldn't edit the first VPN Client entry due to broken duplicate check (Asus bug)

376.45 (17-Aug-2014)
- NEW: Compiled vsftpd with SSL support (must be manually configured if you intend to use it)
- NEW: Report FA state (Level 2 CTF) on Sysinfo page.
- CHANGED: Updated dropbear to 2014.65.
- CHANGED: Updated openssl to 1.0.0n (numerous security fixes)
- CHANGED: Updated lzo to 2.08
- CHANGED: Reworked VPN Server pages to be more intuitive
- FIXED: Garbled client dropdown selector on DNSFilter page
- FIXED: The Comcast neighbour solicitation block wasn't enabled anymore (regression in 376.44) (Patch by Sinshiva)
- FIXED: 5 GHz N+AC mode was incorrectly setting router to N-only mode (Asus bug, fix backported from 2381, additional fix by me for AC66)
- FIXED: PControl page failing to display on French and Italian locales (Asus bug)
- FIXED: IPv6 can occasionally fail to work properly when using a PPPoE WAN interface (patch by pinwing)

376.44 (3-Aug-2014)
IMPORTANT: Make a backup of your JFFS partition if upgrading an RT-AC56U or RT-AC68U and you have stored files on that partition! The partition layout has been changed.
- NEW: Merged with Asus's 376_2044 GPL. Summary of changes:
  * New networkmap, lets users edit device names, assign icons to devices, etc...
  * Reworked IPv6 support
  * New filesystem driver provider for NTFS/HFS+/FAT
  * Webui visual update
  * Updated components (minidlna, radvd, dnsmasq)
- NEW: Added support for RT-AC87U.
- CHANGED: Updated N66U wireless driver to Asus's 1071 build
- CHANGED: Updated miniupnpd to Git head (as of 20140731)
- CHANGED: The JFFS partition on ARM devices now uses Asus's code, which means the whole unused space is now used for the JFFS partition. (AC56, AC68)
- CHANGED: Made all ARM models use the new filesystem drivers from Tuxera, resulting in general improved USB disk performance (and hopefully improved reliability as well) (AC56, AC68)
- CHANGED: The wifi notification icon will now report channel and channel width for the 5 GHz band, as the extension channel wasn't always accurately reported.
- CHANGED: Reworked layout of SSH settings on System page (based on Asus's own WIP)
- CHANGED: Allow FQDN (hostname + domain) rather than just hostnames on the WAN page (some ISPs require that)
- FIXED: Missing mDNSResponder daemon preventing mt-daapd from working on MIPS devices (N16,N66,AC66)
- FIXED: System Log wouldn't properly be positioned at the bottom (Patch by John9527)
- FIXED: DNSFilter clients configured to bypass DNSFilter would still be prevented from using an IPv6 DNS.
- FIXED: Incorrect IPv6 prefix if not a multiple of 8 (patch by NickZ)
- FIXED: OpenVPN firewall cleanup was missing rules (patch by sinshiva)
- FIXED: Minidlna issues with Philips smart TVs
- FIXED: SSHD brute force protection wasn't working if Dual WAN was enabled and set to LB mode.
- FIXED: Miniupnpd error flood in Syslog when using a Plex server on your LAN (fix from upstream)
- REMOVED: Reverted various IPv6-related patches as they conflicted with Asus's own changes. These might make it back at a later time if deemed necessary.
- REMOVED: Removed layer7 filtering support in Netfilter from ARM devices due to compatibility issues (AC56,AC68)
- REMOVED: Removed IPsec support from ARM devices due to compatibility issues (AC56, AC68)

374.43_2 (7-June-2014)
- FIXED: NTFS disks couldn't be mounted (Paragon driver not loading due to a kernel change) (AC56, AC68)

374.43 (6-June-2014)
- NEW: User-configurable refresh period to trigger a DDNS update after a certain number of days.
- CHANGED: dnsmasq option 252 now defaults to an empty string, to silence broken clients such as Win7. Important: if you were previously using a customized 252 reply (to use with a valid wpad/pac file), you will need to use a postconf script to change the default config instead of appending your own config. If you use DNS-based WPAD setting, you will need to remove the 252 option using postconf, as IE will not query for the DNS entry if there is a 252 option through DHCP, even if it fails to connect to it.
- CHANGED: Updated miniupnpd to 1.8.20140523.
- CHANGED: Updated openssl to 1.0.0m.
- CHANGED: More backports from OpenSSL 1.0.2, improving SHA performance on ARM routers.
- CHANGED: The JFFS2 partition is now disabled by default after a factory default reset.
- FIXED: Media server page wouldn't let you enable the iTunes server unless you also enabled DLNA (Asus bug)
- FIXED: Restricted guests still had access to the router (Asus bug introduced in GPL 4887)
- FIXED: 6in4 traffic wasn't bypassing CTF if dualwan mode was either disabled or set to failover mode (AC56/AC68)
- FIXED: Single character workgroups were rejected as invalid (Asus bug)
- FIXED: Networks with SSIDs containing single quotes would break the client list (Asus bug)
- FIXED: Traffic Monitor results are wrong on PPPoE connections (Asus bug) (Patch by pinwing, additional debugging by fantom1)
- FIXED: Crash if entering close to 64 MACs plus their names on the MAC filter page.
374.42_2 (16-May-2014)
- FIXED: Time Machine support (AC56, AC68)

374.42 (9-May-2014)
- NEW: Merged with Asus's 374_5656 GPL.
- NEW: Added Comodo Secure DNS to supported DNSFilter services
- FIXED: Download2 folder wasn't selectable anymore on the Media Server page.
- FIXED: Pass correct valid and preferred lifetime to radvd when using DHCPv6-PD (Patch by pinwing)
- FIXED: IPv6 connectivity could be lost after 1-2 hours due to the time shift caused by NTP at boot time (Patch by pinwing)
- FIXED: Various IPv6 connectivity issues related to services being (re)started at the wrong time, or twice. (Patch by pinwing)
- FIXED: Build system would sometimes try to use the local system's header/libs - use a pkg-config wrapper to avoid this issue (Patch by ppuryear)
- FIXED: Erratic 5G led blinking behaviour as the watchdog's software-based blinking was constantly writing to the wireless chip's registers for led control. (AC68)
- FIXED: LEDs weren't all turning back on when coming out of Stealth Mode (AC56)
- CHANGED: Make the router use dnsmasq for internal name resolution rather than directly using the WAN DNS.
- CHANGED: Upgraded OpenVPN to 2.3.4.
- CHANGED: Upgraded miniupnpd to 1.8.20140422 (PCP-related fixes)

374.41 (18-Apr-2014)
- NEW: Merged with Asus's 374_5047 GPL. Notable changes:
  * Fixed RT-AC68U random reboots
  * Additional security fixes
  * Improved Media server, SMB and FTP webui
  * minidlna and radvd updates
- NEW: PCP support (Port Control Protocol)
- NEW: Option to allow/deny FTP access from WAN. Default is to reject WAN connections. The option can be found on the USB Servers -> FTP Share
- NEW: Option to control web redirection while Internet is down (configurable on the WAN page).
- CHANGED: Upgraded miniupnpd to 1.8.20140401.
- CHANGED: Disk idle exclusion now supports up to 9 disks.
- FIXED: WOL wasn't working (Asus bug in 4887/5047)
- FIXED: Replaced webui glue with permanent concrete. It won't fall again.
- FIXED: Language dropdown not properly shown with 8-bit characters.
- FIXED: Comcast's IPv6 network would flood the LAN with neighbour solicitation packets, which should normally not cross beyond their modem. There is now an ip6tables rule to filter out those packets, preventing your log from being spammed with table overflows. The filter is enabled by default and can be disabled by setting the "ipv6_neighsol_drop" nvram setting to "0". (rule suggested by diplomat7)
- FIXED: EMF wasn't properly configured after wireless was restarted (patch from Vahur)
- FIXED: Router crashing when more than around 30 static routes were entered
- FIXED: webui would die for some users when accessing the VPN Server config page and there were connected OpenVPN clients
- FIXED: Added missing iptables-save on ARM platform (AC56, AC68)
- FIXED: nvram factory default reset would sometimes fail on MIPS devices (N16, N66, AC66) (Patch by ryzhov_al)
- FIXED: Under a certain situation the router could lose track of whether an OpenVPN server/client instance was running or not. This could result in the webui trying to restart it, and returning an error message because it was already running.
- REMOVED: The Media server database location is no longer configurable, as we've switched to Asus's new automatic location selection.
- REMOVED: Removed the Run Cmd page as it was a security risk. This is also needed to keep in line with recent security fixes Asus applied to the httpd backend to limit what external processes it can run, otherwise any malicious page could run arbitrary commands on your router if you were currently logged on a separate tab.

374.40 (6-March-2014)
- KNOWN ISSUE: Some people are experiencing random reboots with the RT-AC68U running firmwares based on recent Asus GPL. If you are affected, please revert to 374.40 alpha4 for now. Asus are looking into the issue, which affects this model since 374_4422.
- FIXED: Asuswrt was calling wl_defaults() every time the wifi was restarted, causing Regulation Mode to be overwritten. Now we force it to h mode if the router model and region requires DFS compliance (same as Asus's code, except we won't enforce it to off in other scenarios, and will only do so if it was previously set to off).
- FIXED: Advanced wireless page broken on Internet Explorer, due to missing Array.IndexOf() support in IE (Asus bug)
- FIXED: Incorrect model detection prevented CPU temperature from being shown on the Sysinfo page on the "R" SKUs.

374.40 Beta 2 (5-March-2014)
- FIXED: Numerous buffer overruns in networkmap that would result in crashes or empty/incomplete device list. Was often visible on networks hosting a Windows Home Server machine. (Asus bug)
- FIXED: Site survey was reporting 5G as being disabled on RT-N16.
- FIXED: Various issues related to the helper.sh script for postconf
- FIXED: The OpenVPN instance wasn't restarted if it was currently stopped due to a syntax error in its config and you had just corrected it.
- FIXED: Restarting the wireless service would stop emf/igs snooping until they were manually restarted/reconfigured. (Asus bug)
- FIXED: Channels above 153 were missing on 5 GHz band if width is set to 40 MHz (Asus bug)
- FIXED: reg_mode was being enforced to "h" (EU region) or "off" (others) since GPL 4422. We now stick again to what's set in the webui by the end user.
- FIXED: Allow LAN traffic while dualwan mode is set to lb (issue caused by the default policy fix in beta 1)

374.40 Beta 1 (1-March-2014)
- NEW: Merged with Asus's 374_4561 GPL.
  Notable changes:
  * Various security-related fixes
  * Redesigned Parental Control webui
  * Notification in case of insecure configuration
- NEW: Added OpenDNS Family Shield support to DNSFilter
- NEW: Added support for up to three user-defined servers to DNSFilter
- NEW: Added option to force DNSfilter clients to always use the DNS provided to them by the router's DHCP server (which will be the router itself if you didn't change it on the DHCP webui page)
- NEW: Option to disable the DHCP6 Server (code contributed by kdarbyshirebryant)
- CHANGED: The RT-N66U is now compiled with EM enabled by default. That means there will no longer be a separate experimental build for this.
- CHANGED: Updated dropbear to 2014.63
- CHANGED: New type of glue for the webui header
- CHANGED: Switched to a shorter version numbering scheme
- FIXED: RT-N16 firmware (missing files were obtained from the new GPL release Asus made for this model)
- FIXED: Last24 page wasn't properly displaying the Avg value (regression in 374.39)
- FIXED: Clients with a configured IPv6 DNS would bypass DNSFilter. DNSFilter-enabled clients will now be prevented from using IPv6 nameservers, forcing them through the (IPv4-only) filtering nameserver
- FIXED: DNSFilter clients set to "None" would still be forced through your WAN-configured nameservers, preventing nameservers configured on the clients from working. Now they will fully ignore the DNSFilter settings.
- FIXED: The global DNSFilter would sometimes not get properly configured in the firewall.
- FIXED: When the firewall was disabled, the FORWARD chain policy was still left to "DROP" - changed to "ACCEPT".
- FIXED: typo in SMB config ("use spne go") (Asus bug)
- FIXED: PPPoE with an MTU of 1500 requires the WAN interface to have its MTU set at 1508 (patch by pinwing)
- FIXED: IPv6 Prefix Delegation issues (patch by pinwing)
- FIXED: MTU setting on IPv6 connections (patch by pinwing)

3.0.0.4.374.39 (31-Jan-2014)
This version isn't available for the RT-N16 as support for the SDK5 platform is currently broken in the latest GPL sources.
- NEW: Merged with Asus 374_583 GPL. Notable changes:
  * USB hub support
- NEW: DNS-based filtering. Under Parental Control there is now a new tab called DNS Filter where you can enable a DNS-based filtering service, and apply a specific filter both globally and on a per-client basis. Supported are: OpenDNS, Norton Connect Safe and YandexDNS.
- NEW: helper.sh script, to simplify creation of postconf scripts. See the postconf section for details.
- CHANGED: Discontinued SDK5 builds for the RT-N66U. The new EM builds resolved wifi range issues by running the SDK6 driver set in Engineering Mode (driver provided by Asus). Look in the Experimental folder for the EM build - it will eventually become the standard build for the N66U once it gets sufficiently tested. You might need to do a factory default reset after switching to an EM build, for best results.
- CHANGED: Re-switched back to rp-pppoe 3.11 since nobody confirmed that 3.10 worked better for them.
- CHANGED: Allow PPPoE MTU up to 1500, for ISPs that support RFC 4638.
- CHANGED: Additional webui performance improvement by caching CSS.
- FIXED: DHCPv6 client failing to start if the router username was changed from "admin" (Asus bug) (patch from Saintdev)
- FIXED: DHCPv6 client failing to request an IP with some ISPs such as Comcast (Asus bug) (patch from Saintdev)
- FIXED: SMB shares were accessible over WAN, bypassing Netfilter (Asus bug) (AC56/AC68)
- FIXED: USB read speed would be limited by the QoS upstream configuration (Asus bug) (AC56/AC68)
- FIXED: Resolution of local machines with domain appended would fail when using a nameserver that does not return nxdomain errors (such as OpenDNS) (Asus bug) The new behaviour is configurable on the LAN -> DHCP page, in case you run your own nameserver which is expected to handle both local and remote domains. Default is to not forward these (to allow OpenDNS to work properly).
- FIXED: OpenVPN Client page - changing the local IP wouldn't always be properly saved.
- FIXED: Well-known services not properly applying settings on the Network Services Filtering page (Asus bug)
- FIXED: Webui crash when importing an ovpn with invalid cert/keys
- FIXED: resolv.conf not reverted to its original content after an OpenVPN client that gets DNS pushed to it would disconnect.
- FIXED: The average rates on the realtime traffic page would be calculated based on the max number of samples (300) instead of the currently collected number of samples (Asus bug)
- REMOVED: YandexDNS has been removed, since its functionality is now provided by the new DNSFilter.

3.0.0.4.374.38_2 (17-Jan-2014):
- CHANGED: Improved webui responsiveness by instructing the browser to cache images.
- CHANGED: Reverted minidlna to 374.37 code. While the latest code brings some fixes, it seems to also break functionality for a small number of users. Too many low-level changes from the minidlna author to make it easy to debug.
- FIXED: Syntax error in DHCPv6 client config (Asus bug)
- FIXED: Domain field wasn't clearly identified on the webui when DDNS set to Namecheap (Saintdev)
- FIXED: Missing carriage return in dnsmasq.conf when PPTP VPN is enabled, causing LAN name resolution issues. (Asus bug)
- FIXED: A few unescaped quotes in the French dict would break some webui pages (such as the Wireless page). (Asus bug)
- FIXED: OpenVPN server export would always export the first server instance configuration.
- FIXED: Bogus "Config file is missing" error logged by pptpd when it was starting (Asus bug)
- FIXED: "Advertise DNS" wasn't visible if the page was loaded and "Respond to DNS" was already enabled.

3.0.0.4.374.38_1 (12-Jan-2014):
- FIXED: Tools -> Run Cmd page wasn't working (regression in 374.38)
- FIXED: Router getting stuck on various webui changes due to a broken precompiled emf module (AC56/AC68)

3.0.0.4.374.38 (11-Jan-2014):
This version isn't available for the RT-N16 or the SDK5 build of the RT-N66U as support for the SDK5 platform is currently broken. Please stick to 374.36 Beta 1 for the time being on these two platforms. Note that the RT-N66U did get a newer wifi driver, so give it a try, as it might have resolved or at least improved on the wifi range issues. Remember to do a factory default reset if switching from SDK5 to SDK6 builds! Keep a backup of your existing settings in case you decide to revert back to an SDK5 build.
- NEW: Merged with 374_2078 GPL provided by Asus (From RT-N66U). Notable changes:
  * Updated SDK for MIPS devices - 6.30.163.2002 (r382208)
  * PPPoE HW acceleration should be fixed by the new SDK
  * Updated AiCloud closed source components (MIPS)
- CHANGED: Reverted Parental Control code to our fixed code, as I see Asus is still making fixes to their own code past version 2078.
- CHANGED: Updated AC56 and AC68U wifi driver and CTF to January 3rd builds (provided by Asus)
- FIXED: emf/igs userspace tools were missing on ARM devices
- FIXED: USB devices missing on MIPS devices (regression in 374.37)
- FIXED: Wifi stability on ARM devices (regression in 374.37)

3.0.0.4.374.37 (31-Dec-2013):
* This build was pulled due to numerous issues *
- NEW: Merged with Asus 374_501 GPL (from RT-AC68U). Notable changes in this version:
  * New SDK (wireless driver and CTF) for AC56/AC68
  * dnsmasq updated to 2.68
  * radvd updated to 1.9.5
  * Improved IPv6 support
  * Fixed Parental Control (A-M's own fix was replaced with this new one for consistency)
  * More details shown on Wireless Log page (their changes were merged with our own changes)
- CHANGED: Dropbear default path will now include the locations inside /opt
- CHANGED: Don't include a cert/key section in exported .ovpn if the router has "User authentication only" enabled
- CHANGED: Display in which chain a given port forward rule is, on the Port Forwarding page. Allows distinguishing manual forwards from upnp forwards.
- CHANGED: The state of PPTP/L2TP client connections will be reported on the VPN Status page.
- CHANGED: Removed the display of global OpenVPN statistics on the VPN Status page.
- CHANGED: Upgraded AiCloud binary components on MIPS routers to 374_1631 build (N16/N66/AC66)
- FIXED: OpenVPN clients with DNS set to "Strict" weren't properly setting dnsmasq to use "strict-order"
- FIXED: Garbled resolv.conf generated when adding an OpenVPN client DNS to it
- FIXED: OpenVPN Client static key was incorrectly processed when shown on the webui.

3.0.0.4.374.36 Beta 1 (23-Dec-2013):
- NEW: Added ECDSA key support for SSH
- NEW: postconf scripts. This allows you to modify a generated config file (for example, smb.conf) before the service using it gets started.
- NEW: layer7 Netfilter module on ARM devices (AC56, AC68).
  Note: traffic accounting must be manually enabled on these devices (see the Layer7 section in the FW's README)
- CHANGED: Updated dropbear to 2013.62
- CHANGED: Improved rendering of the VPN Status page
- CHANGED: Extended retry period for WAN DHCP queries to 160 secs in Normal DHCP mode to give time to Charter to unblacklist customers being accidentally blocked by them.
- CHANGED: Downgraded rp-pppoe from 3.11 to 3.10 to see if it's more stable for some PPPoE users
- FIXED: Some VPN client username/passwords were incorrectly handled
- FIXED: When disabling Dual WAN, WAN unit wasn't being reset to unit 0, preventing users from editing the correct unit (Asus bug)
- FIXED: If you replaced the Asus generated CA with your own, the exported ovpn file would contain your CA with the Asus-signed client cert/key. Now, we only insert the client cert/key if it was signed by the current CA.
- FIXED: MSS clamping for clients connecting to the PPTPD server (Asus bug)
- FIXED: networkmap's DLNA detection was broken with some devices, and could result in very long delays during scan (Asus bug)
- FIXED: Adjusted various timings in networkmap which should help with device lists being incomplete especially after a reboot.

3.0.0.4.374.35_4 (30-Nov-2013):
- CHANGED: Added a VPN mode selector on the VPN Server Details page.
- FIXED: JS error on the VPN Server Details page related to PPTP
- FIXED: Clicking on "Apply" on VPN Details page would fail to apply your new settings to a running OpenVPN server.
- FIXED: Some port forward rules were incorrectly generated when in load-balancing mode (Asus bug)
- FIXED: After adding/removing a user to OpenVPN Server, the password file was not immediately updated. Note that this fix will break backward compatibility with Asus as the nvram value storing the list of OpenVPN user/pass had to be renamed (so as not to be instanced).
- FIXED: VPN client not working on MIPS devices (N66/AC66).
- FIXED: Various formatting issues with generated client.ovpn file

3.0.0.4.374.35_2 (24-Nov-2013):
- FIXED: updown.sh script location was changed in 339, causing issues with OpenVPN clients

3.0.0.4.374.35 (24-Nov-2013):
- NEW: Merged with Asus 374_339 GPL (from RT-AC68U). Asus added some new features in this release:
  * Support for HFS+ and Time Machine (AC56/AC68U only)
  * OpenVPN support. Their implementation uses the backend code from Asuswrt-Merlin but with a more simplistic, novice-friendly webui. This required adapting the current webui to be able to retain some of their improvements without sacrificing the flexibility of being able to have two separate server and client configurations.
- NEW: Support for Namecheap DDNS (Patch provided by saintdev)
- NEW: Added qos-start user script
- FIXED: Incorrect range validation for UPnP ports on WAN page.
- FIXED: Accidental lockout of webui due to software hammering the router's webui without valid login credentials
- FIXED: NAT Loopback broken with CTF enabled (AC56/AC68) (Asus bug)
- FIXED: Backing up your settings would return an empty CFG file.
- FIXED: Kernel panic when inserting ebtables rule (AC56/AC68, fix backported from kernel 2.6.37)
- FIXED: If an IP/CIDR on the IPv6 firewall page was long enough to be shortened with "..." it would be incorrectly saved.
- CHANGED: IPTraffic will now account for traffic going through an OpenVPN tunnel
- CHANGED: VPN webui is now a hybrid of our original webui, along with Asus's own. This allows the addition of these features developed by Asus:
  * Ability to export an ovpn config file to give to your clients
  * Support for username/password authentication on the built-in server
  * Ability to import a tunnel provider's .ovpn config file to configure a client connection on the router

3.0.0.4.374.34_2 (01-Nov-2013):
- FIXED: DNS resolution not working for VPN clients (bug in Asus 374_979)
- FIXED: USB disk detection on AC56/AC68.
- FIXED: Turbo mode option couldn't be saved (RT-AC68)

3.0.0.4.374.34 (30-Oct-2013):
- NEW: Merged with Asus 374_979 (from RT-N66U). AC56/AC68 AiCloud components taken from 374_217.
- NEW: Added RT-AC68U support.
- NEW: Added IPSec support to the kernel. Userspace tools such as strongSwan must be installed from Optware/Entware, and manually configured. (Patch provided by saintdev)
- NEW: Adjustable MTU for DHCP/static IP WAN users
- NEW: WAN interface name passed as argument to firewall-start
- NEW: Configurable min/max ports allowed to be redirected by UPNP. This allows WHS users to change the min allowed port from the default value of 1024 to allow UPNP forwarding of HTTP/HTTPS.
- NEW: Display CPU temperature on Sysinfo page (AC56 and AC68)
- NEW: Display CPU chart on Performance page (AC56 and AC68)
- CHANGED: UPnP rules will now be processed after manual forwards and port trigger rules.
- CHANGED: Site Survey now reports supported protocol.
- CHANGED: Updated Dropbear to 2013.60.
- CHANGED: Updated dnsmasq to 2.67 final.
- FIXED: Some Traffic Monitor pages were missing the page tabs.
- FIXED: The webui would allow you to enable SSHD while not setting an authkey or enabling password-based authentication.
- FIXED: 802.11h options should only be available on the 5 GHz band.
- FIXED: Wifi icon hover would report 5G channel as undefined if 2.4GHz radio was disabled.
- FIXED: IPv6 clients list failed to properly merge IPs from similar MACs (Asus bug)
- FIXED: Minor layout issues with the Clients list
- FIXED: Samba wasn't started at boot time if browser master or WINS was enabled and we had no USB disk plugged in.
- FIXED: Router/minidlna crashes when processing very large image collections - various memory leaks plugged. (patches provided by Paulo Capani)
- FIXED: Buffer overrun when entering more than 35 MACs on the filter list. We now support up to 64 MACs.
3.0.0.4.374.33 (3-Oct-2013):
* IMPORTANT *: RT-N66U users must revert back to factory defaults and manually reconfigure their settings if coming from a FW older than 3.0.0.4.374.xxx (applies to both Asus or Asuswrt-Merlin).
- NEW: Merged with Asus 374_726 code from RT-AC66U GPL. Notable changes:
  * RT-N66U now based on the SDK6 driver. This resolved the numerous connectivity issues, at the expense of a shorter range (a separate SDK5 build based on driver 5.100 is available in the Experimental folder as an alternative).
  * AiCloud 2.0
- NEW: Added bonding.ko kernel module.
- NEW: Repeater mode moved into regular builds.
- NEW: Dual WAN moved into regular builds. Note that there are still a few issues left, such as recovery from failover mode when the primary WAN comes back up.
- NEW: YandexDNS support moved into regular builds. This is a DNS-based filter list, which can be configured under Parental Control.
- NEW: Added support for last seen devices on Ethernet port status (Tools -> Sysinfo) for RT-AC56U.
- NEW: Option to control 802.11 extensions that deal with regulations. On the Wireless Professional page you can now enable 802.11d and 802.11h support.
- CHANGED: robocfg now (almost) completely supports the Northstar platform (RT-AC56U)
- CHANGED: Enabled Syn Cookies for ARM devices (RT-AC56U)
- CHANGED: Allow selecting the Download2 folder for media server location.
- CHANGED: MIPS builds optimized for mips32r2 code generation, which should improve general performance. (N16/N66/AC66)
- CHANGED: More openssl backports from 1.0.2, adding mips32r2 support, improving performance especially for sha1 (RT-N16/N66/AC66)
- CHANGED: Increased OpenVPN crt/key fields to allow up to 3499 characters - enough to accommodate even a 4096-bit key.
- CHANGED: Removed the firewall rules for acsd since it no longer listens on a TCP socket.
- FIXED: Samba binding to WAN interface would cause warnings about WINS/master browser (regression in 374)
- FIXED: The ARM kernel was missing the Advanced IP Routing option, preventing some of the "ip" command functions from working (was breaking Astrill's plugin) (RT-AC56U)
- FIXED: With FW 374 Asus changed the Samba priority from too high to too low (-19), resulting in poor sharing performance. I changed it to a priority of 0, providing more balanced performance. (N16/N66/AC66)
- FIXED: Some fields would allow invalid characters (such as single quotes) which might break the webui JS. There might still be a few unprotected fields.
- FIXED: Memory leak in httpd service (Asus bug)
- FIXED: Parental Control not working with certain schedules (patch provided by Makkie2002)
- FIXED: Potential key truncation in httpd if one was to use very large OpenVPN keys and certs in all fields of all four instances.
- FIXED: Samba would start sharing local disks even if all you wanted was its WINS/Browser services.
- FIXED: The JFFS formatting code could encounter a case where it wouldn't write back its cleared format flag.
- FIXED: Restarting the wireless service would break stealth mode.
- FIXED: The new thumbnail cache code Asus added in build 720's minidlna will prevent scanning from completing on very large collections. Reverted that code for now.
- FIXED: Wireless key field was automatically activated on page load, which could lead to accidental changes (issue introduced in 374_720).
- FIXED: Router believed that NTP wasn't properly working after a LAN or wireless service restart (issue introduced in 374_720).
- FIXED: IPv6 client list was incorrectly displayed if a client didn't have a known hostname (Asus bug)

3.0.0.4.374.32 (24-Aug-2013):
- NEW: Merged with Asus 374_168 GPL code.
- NEW: wan-start script will get passed the WAN unit number as argument
- NEW: Webui option to select the location of the DLNA database (patch by VinceV)
- NEW: IPv6 firewalling.
  Originally, Asuswrt would allow any IPv6 traffic to be forwarded to your LAN devices. This new option (enabled by default) will prevent traffic forwarding to LAN devices. You can also create firewall rules to allow inbound traffic to specific hosts. The firewall configuration can be accessed through the "Firewall -> IPv6 Firewall" page.
- CHANGED: Upgraded OpenVPN to 2.3.2
- CHANGED: Implemented IPTraffic support in DualWAN - Load balanced mode (Experimental builds)
- CHANGED: Updated miniupnpd to 20130730
- CHANGED: Updated some prebuilt binaries (RT-AC56U)
- CHANGED: Updated 2.6.36 kernel to the latest code used in 372_184 (RT-AC56U), includes some changes related to USB3, and PPP/CTF.
- CHANGED: Smarter location selection for the DLNA database location to reduce the chances of having it in RAM if left to default location, filling it up (patch by VinceV)
- CHANGED: Updated e2fsprogs to 1.42.8 to be in sync with Asus
- FIXED: Web server would crash if you entered too much data in OpenVPN key/cert fields.
- FIXED: The ACSD service could be exploited by a LAN user to gain shell access to the router. TCP connections to ACSD are now blocked by the firewall.
- FIXED: You could not define time periods on the Parental Control calendar under IE.
- FIXED: Wireless client list would sometimes return incorrect hostname or be missing IP.
- FIXED: Security issue with Samba and symlinks

3.0.0.4.372.31_2 (28-July-2013):
- FIXED: Samba wouldn't start due to missing symlink (RT-AC56U)

3.0.0.4.372.31 (24-July-2013):
- NEW: Merged with 372_1393 code from Asus. Notes:
  * Beamforming support for RT-AC66U/RT-AC56U
  * RT-N66U driver still downgraded to build 270 (which means no HW acceleration for PPP, but more reliable connectivity on the 5 GHz band)
  * Minidlna was updated to 1.1.0
  * AiCloud security hole fixed
  * Parental Control ui still broken under IE10 (use Fx or Chrome for now)
- NEW: YandexDNS. Asus is currently implementing support in the firmware for this DNS-based filter.
  This can be found under Parental Control. See http://dns.yandex.ru/ for more info (go go Google translate!). (Experimental builds only)
- NEW: User-provided client config files (ccd) for OpenVPN server. See the OpenVPN and Custom Config sections of the firmware's documentation for more info.
- CHANGED: Connections list under System Log will now progressively display the result while the router is still resolving IPs (if that option was enabled).
- CHANGED: OpenVPN client password hidden by default (and added checkbox to display it similar to what Asus added to the System page)
- FIXED: Sysinfo page was reporting IPv6 as reason for CTF to be disabled - since 372 that is only true for ARM devices.
- FIXED: OpenVPN Server in TAP mode + DHCP wasn't routing properly (DHCP was overruling the default GW)

3.0.0.4.372_30_3 (11-July-2013):
- NEW: Added support for newest RT-N66U hardware revision. This router has a new model of flash, you can NOT use any older FW on these. (RT-N66U)

3.0.0.4.372.30_2 (7-July-2013):
(note: since people always thought adding a "b" meant "beta" rather than revision "b", I am switching to Asus's new numbering scheme, hence "30_2" for this revised 372.30.)
- FIXED: NAT loopback (invalid iptable rules were silently accepted by iptables)
- FIXED: Removed empty Yandex tab
- FIXED: Entware setup script missing from all builds
- FIXED: pptpd failing to start (was missing from build)
- FIXED: OpenVPN server not starting if using a static key
- FIXED: Disks plugged to USB 2.0 port weren't getting mounted (RT-AC56U)

3.0.0.4.372.30 (5-July-2013):
- NEW: Merged with preliminary 372 code provided by Asus (initially meant for the ARM environment)
- NEW: RT-AC56U support. Various bugs have been fixed over the original FW that initially shipped with these routers. Thanks to Asus for providing a development sample.
- NEW: Added JFFS support to RT-AC56U.
- CHANGED: Downgraded wireless driver + CTF to build 270 version (RT-N66U, fixes 5 GHz stability issues).
  Note that this means that HW acceleration for PPPoE is no longer available for the RT-N66U, as it was new in the 5.110 SDK.
- CHANGED: Updated iptables-1.4.x to 1.4.14 (RT-AC56U)
- CHANGED: Brought back the Connection page under System Logs
- CHANGED: Updated e2fs