43_2 (7-June-2014)
=============================================
About
-----
Asuswrt is the name of the common
for their various router models.
Tomato, it has since grown into a
some more technical features that
also adding new original features
Supported Devices
-----------------
Supported devices are:
* RT-N16
* RT-N66U
* RT-AC66U
* RT-AC56U
* RT-AC68U
NOTE: all the "R" versions (for example RT-N66R) are the same as their
"U" counterparts, they are just different packages aimed at large
retailers. The firmware is 100% compatible with both U and R versions
of the routers. Same with the "W" variants that are simply white.
Features
--------
Here is a list of features that Asuswrt-Merlin brings over the original
firmware:
System:
- Based on 3.0.0.4.374_5656 sources (from RT-AC68U) from Asus
- Various bugfixes and optimizations
- Some components were updated to newer versions, for improved
stability and security
- Persistent JFFS partition
- User scripts that run on specific events
- Cron jobs
- Ability to customize the config files used by the router services
- LED control - put your Dark Knight in Stealth Mode by turning off
all LEDs
sharing:
- Enable/disable the use of shorter share names
- Disk spindown after user-configurable inactivity timeout
- NFS sharing (through webui)
- Improved compatibility with 3TB+ and Advanced Format HDDs
- Allow or disable WAN access to the FTP server
Networking:
- Force acting as a Master Browser
- Act as a WINS server
- SSHD
- Allows tweaking TCP/UDP connection tracking timeouts
- CIFS client support (for mounting remote SMB share on the router)
- Layer7 iptables matching
- User-defined options for WAN DHCP queries (required by some ISPs)
- Improved NAT loopback (based on code from phuzi0n from the DD-WRT
forums)
- Advanced OpenVPN client and server support (all models except
RT-N16)
- Netfilter ipset module, for efficient blacklist implementation
- Configurable min/max UPNP ports
- IPSec kernel support
- DNS-based Filtering, can be applied globally or per client
Web interface:
- Improved client list, with DHCP hostnames
- Optionally save traffic stats to disk (USB or JFFS partition)
- Enhanced traffic monitoring: added monthly, as well as per IP
monitoring
- Name field on the DHCP reservation list and Wireless ACL list
- System info summary page
- Wireless client IP and hostname on the Wireless Log page
- Wifi icon reports the state of both radios
- Display the Ethernet port states
- The various MAC/IP selection pulldowns will also display hostnames
when possible instead of just NetBIOS names
- Wireless site survey
A few features that first debuted in Asuswrt-Merlin have since been
integrated/enabled in the official firmware:
-
Installation
------------
Simply flash it like any regular update. You should not need to
reset to factory defaults (see note below for exceptions).
You can revert back to an original Asus firmware at any time just
by flashing a firmware downloaded from Asus's website.
NOTE: resetting to factory default after flashing is
strongly recommended for the following cases:
- Updating from a firmware version that is more than 3 releases older
- Switching from a Tomato/DD-WRT/OpenWRT firmware
If upgrading from anything older and you experience issues, then
consider doing a factory default reset then as well.
In all of these cases, do NOT load a saved copy of your settings!
This would be the same thing as NOT resetting at all, as you will
simply re-enter any invalid setting you wanted to get rid of. Make
sure to create a new backup of your settings after reconfiguring.
Usage
-----
** JFFS **
JFFS is a writable section of the flash memory which will allow you to
store small files (such as scripts) inside the router without needing
to have a USB disk plugged in. This space will survive reboots (but it
*MIGHT NOT survive firmware flashing*, so back it up first before
flashing!). It will also be available fairly early at boot (before
USB disks).
To enable this option, go to the Administration page, under the System
tab.
The first time you enable JFFS, it must be formatted. This can be done
through the web page, on the same page where you enable it.
Enabling/Disabling/Formatting JFFS requires a reboot to take effect.
I do not recommend doing frequent writes to this area, as it will
prematurely wear out the flash storage. This is a good place to put
files that are written once like scripts or kernel modules, or that
rarely get written to (like once a day). Storing files that constantly
get written to (like logfiles) is NOT recommended - use a USB disk for
that.
** User scripts **
These are shell scripts that you can create, and which will be run when
certain events occur. Those scripts must be saved in /jffs/scripts/
(so, JFFS must be enabled and formatted). Available scripts:
* dhcpc-event: Called whenever a DHCP event occurs on the WAN
interface. The type of event (bound, release, etc...)
is passed as an argument.
* firewall-start: Firewall is started (filter rules have been applied)
The WAN interface will be passed as argument (for
example, "eth0")
** SSHD **
SSH support (through Dropbear) was re-enabled. Password-based login
will use the same username and password as telnet/web access. You can
also optionally insert an RSA or ECDSA public key there for
keypair-based authentication. There is also an option to make ssh
access available over WAN.
** Crond **
Crond will automatically start at boot time. You can put your cron
tasks in /var/spool/cron/crontabs/ . The file must be named "admin" as
this is the name of the system user. Note that this location resides in
RAM, so you would have to put your cron script somewhere such as in the
jffs partition, and at boot time copy it to /var/spool/cron/crontabs/
using an init-start user script.
A simple way to manage your cron jobs is through the included "cru"
command. Just run "cru" to see the usage information. You can then
put your "cru" commands inside a user script to re-generate your cron
jobs at boot time.
Jeff Gibbons's sd-idle-2.6 has been added to the firmware, allowing you
to configure a timeout value (in seconds) on the Tools -> Other Settings
page. Plugged hard drives will stop spinning after being inactive
for that specified period of time. Note that services like Download
Master might be generating background disk activity, preventing it from
idling.
dhcp6s.postconf
dnsmasq.postconf
exports.postconf
fstab.postconf
group.postconf
gshadow.postconf
hosts.postconf
minidlna.postconf
openvpnclient1.postconf (and openvpnclient2.postconf)
openvpnserver1.postconf (and openvpnserver2.postconf)
passwd.postconf
pptpd.postconf
radvd.postconf
shadow.postconf
smb.postconf
upnp.postconf
vsftpd.postconf
** NFS Exports **
IMPORTANT: NFS sharing is still a bit unstable.
In addition to SMB and FTP, you can now also share any plugged
hard disk through NFS. The NFS Exports interface can be accessed
from the USB Applications section, under Servers Center. Click on the
NFS Exports tab.
Select the folder you wish to export by clicking on the Path field.
Under Access List you can enter IPs/Networks to which you wish to give
access. A few examples:
192.168.1.0/24 - will give access to the whole local network
192.168.1.10 192.168.1.11 - will give access to the two IPs (separate
with spaces)
Entering nothing will allow anyone to access the export.
Under options you can enter the export options, separated by a comma.
For example:
rw,sync
For more info, search the web for documentation on the format of the
/etc/exports file. The same syntax for the access list and the options
is used by the webui.
You can also manually generate an exports file by creating a file named
/jffs/configs/exports.add , and entering your standard exports there.
They will be added to any exports configured on the webui.
Note that by default, only NFSv3 is supported. You can also enable
NFSv2 support from that page, but this is not recommended, unless you
are using an old NFS client that doesn't support V3. NFSv2 has various
filesystem-level limitations.
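Since an empty access list exports a folder to anyone, it is worth checking exports.add (or any file in /etc/exports syntax) for entries without a client restriction. The script below is an added example, not part of the firmware; the function names and the /mnt/sda1 paths in the sample are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the firmware): find NFS exports that any host can
# mount. Input is /etc/exports syntax, as used by /jffs/configs/exports.add.
# Limitation: paths containing spaces (quoted or \040-escaped) are not handled.

# world_open_exports [FILE...]
# Reads exports entries from FILE(s), or stdin when none is given, and prints
# "<path> <rw|ro>" for every export that has at least one unrestricted client.
world_open_exports() {
    awk '
        # Return "rw" if the (options) part of an entry grants write access.
        function mode(entry,    p, opts, n, a, i) {
            p = index(entry, "(")
            if (p == 0) return "ro"             # exports(5) default is ro
            opts = substr(entry, p + 1)
            sub(/\).*$/, "", opts)              # drop the closing parenthesis
            n = split(opts, a, ",")
            for (i = 1; i <= n; i++)
                if (a[i] == "rw") return "rw"
            return "ro"
        }
        NF == 0 || $1 ~ /^#/ { next }           # blank lines and comments
        NF == 1 { print $1, "ro"; next }        # path only: no access list
        {
            for (i = 2; i <= NF; i++) {
                p = index($i, "(")
                client = (p ? substr($i, 1, p - 1) : $i)
                # An empty client, as in "(rw,sync)", and "*" match every host.
                if (client == "" || client == "*") {
                    print $1, mode($i)
                    next
                }
            }
        }
    ' "$@"
}

# Constructed sample input for the demonstration below.
sample_exports() {
    cat <<'EOF'
# constructed sample, not taken from a real router
/mnt/sda1/media   192.168.1.0/24(ro,sync)
/mnt/sda1/backup  192.168.1.10(rw,sync) 192.168.1.11(rw,sync)
/mnt/sda1/public  (rw,sync)
/mnt/sda1/share   *(ro)
/mnt/sda1/scratch
EOF
}

# Demonstration: lists public, share and scratch, but not media or backup.
sample_exports | world_open_exports
```

On the router, pass the file to check as the argument, for example world_open_exports /jffs/configs/exports.add, and add an IP or network to every entry it reports.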
** DNSFilter **
Under Parental Control there is a tab called DNSFilter. On this
page you can force the use of a DNS service that provides
security/parental filtering. This can be done globally, or on a
per device basis. Each of them can have a different type of filtering
applied. For example, you can have your LAN use OpenDNS's server to
provide basic filtering, but force your children's devices to use
Yandex's family DNS server that filters out malicious and adult
content.
If using a global filter, then specific devices can be told to
bypass the global filter, by creating a client rule for these,
and setting it to "No Filtering".
DNSFilter also lets you define up to three custom nameservers, for
use in filtering rules. This will let you use any unsupported
filtering nameserver.
Source code
-----------
The source code with all my modifications can be found on Github, at:
https://github.com/RMerl/asuswrt-merlin
History
-------
374.43_2 (7-June-2014)
- FIXED: NTFS disks couldn't be mounted (Paragon driver not
loading due to a kernel change) (AC56, AC68)
374.43 (6-June-2014)
- NEW: User-configurable refresh period to trigger a DDNS
update after a certain number of days.
- CHANGED: dnsmasq option 252 now defaults to an empty string,
to silence broken clients such as Win7.
Important: if you were previously using a customized
252 reply (to use with a valid wpad/pac file), you
will need to use a postconf script to change the
default config instead of appending your own
config.
If you use DNS-based WPAD setting, you will need
to remove the 252 option using postconf, as IE will
not query for the DNS entry if there is a 252
option through DHCP, even if it fails to connect to it.
- CHANGED: Updated miniupnpd to 1.8.20140523.
- CHANGED: Updated openssl to 1.0.0m.
- CHANGED: More backports from OpenSSL 1.0.2, improving SHA
performance on ARM routers.
- FIXED: If you replaced the Asus generated CA with your own, the
exported ovpn file would contain your CA with the
Asus-signed client cert/key. Now, we only insert the
client cert/key if it was signed by the current CA.
- FIXED: MSS clamping for clients connecting to the PPTPD server
(Asus bug)
- FIXED: networkmap's DLNA detection was broken with some devices,
and could result in very long delays during scan (Asus bug)
- FIXED: Adjusted various timings in networkmap which should help
with device lists being incomplete especially after a
reboot.
3.0.0.4.374.35_4 (30-Nov-2013):
- CHANGED: Added a VPN mode selector on the VPN Server Details page.
- FIXED: JS error on the VPN Server Details page related to PPTP
- FIXED: Clicking on "Apply" on VPN Details page would fail to
apply your new settings to a running OpenVPN server.
- FIXED: Some port forward rules were incorrectly generated when
in load-balancing mode (Asus bug)
- FIXED: After adding/removing a user to OpenVPN Server, the password
file was not immediately updated. Note that this fix will
break backward compatibility with Asus as the nvram value
storing the list of OpenVPN user/pass had to be renamed
(so not to be instanced).
- FIXED: VPN client not working on MIPS devices (N66/AC66).
- FIXED: Various formatting issues with generated client.ovpn file
3.0.0.4.374.35_2 (24-Nov-2013):
- FIXED: updown.sh script location was changed in
339, causing issues with OpenVPN clients
3.0.0.4.374.35 (24-Nov-2013):
- NEW: Merged with Asus 374_339 GPL (from RT-AC68U).
Asus added some new features in this release:
* Support for HFS+ and Time Machine (AC56/AC68U only)
* OpenVPN support. Their implementation uses the backend
code from Asuswrt-Merlin but with a more
simplistic, novice-friendly webui. This required
adapting the current webui to be able to retain some
of their improvements without sacrificing the
flexibility of being able to have two separate server
and client configurations.
-
Asuswrt-Merlin).
- NEW: Merged with Asus 374_726 code from RT-AC66U GPL. Notable changes:
* RT-N66U now based on the SDK6 driver. This resolved the
numerous connectivity issues, at the expense of a shorter
range (a separate SDK5 build based on driver 5.100 is
available in the Experimental folder as an alternative).
* AiCloud 2.0
- NEW: Added bonding.ko kernel module.
- NEW: Repeater mode moved into regular builds.
- NEW: Dual WAN moved into regular builds.
Note that there are still a few issues left, such as recovery
from failover mode when the primary WAN comes back up.
- NEW: YandexDNS support moved into regular builds. This is
a DNS-based filter list, which can be configured under
Parental Control.
- NEW: Added support for last seen devices on Ethernet port status
(Tools-> Sysinfo) for RT-AC56U.
- NEW: Option to control 802.11 extensions that deal with
regulations. On the Wireless Professional page
you can now enable 802.11d and 802.11h support.
- CHANGED: robocfg now (almost) completely supports the
Northstar platform (RT-AC56U)
- CHANGED: Enabled Syn Cookies for ARM devices (RT-AC56U)
- CHANGED: Allow selecting the Download2 folder for media server
location.
- CHANGED: MIPS builds optimized for mips32r2 code generation, which
should improve general performance. (N16/N66/AC66)
- CHANGED: More openssl backports from 1.0.2, adding
mips32r2 support, improving performance
especially for sha1 (RT-N16/N66/AC66)
- CHANGED: Increased OpenVPN crt/key fields to allow up to 3499
characters - enough to accommodate even a 4096-bit key.
- CHANGED: Removed the firewall rules for acsd since it no longer
listens on a TCP socket.
- FIXED: Samba binding to WAN interface would cause warnings
about WINS/master browser (regression in 374)
- FIXED: The ARM kernel was missing the Advanced IP Routing option,
preventing some of the "ip" command functions from
working (was breaking Astrill's plugin) (RT-AC56U)
- FIXED: With FW 374 Asus changed the Samba priority from too high to
too low (-19), resulting in poor sharing performance.
I changed it to a priority of 0, providing more balanced
performance. (N16/N66/AC66)
- FIXED: Some fields would allow invalid characters (such as
single quotes) which might break the webui JS. There might
still be a few unprotected fields.
- FIXED: Memory leak in httpd service (Asus bug)
- FIXED: Parental Control not working with certain schedules
(patch provided by Makkie2002)
- FIXED: Potential key truncation in httpd if one was to use very
large OpenVPN keys and certs in all fields of all four
instances.
- FIXED: Samba would start sharing local disks even if all you
wanted was its WINS/Browser services.
- FIXED: The JFFS formatting code could encounter a case
where it wouldn't write back its cleared
format flag.
- FIXED: Restarting the wireless service would break
stealth mode.
- FIXED: The new thumbnail cache code Asus added in build 720's
minidlna will prevent scanning from completing on very
large collections. Reverted that code for now.
- FIXED: Wireless key field was automatically activated on
page load, which could lead to accidental changes
(issue introduced in 374_720).
- FIXED: Router believed that NTP wasn't properly working after a
LAN or wireless service restart (issue introduced in
374_720).
- FIXED: IPv6 client list was incorrectly displayed if a client
didn't have a known hostname (Asus bug)
3.0.0.4.374.32 (24-Aug-2013):
- NEW: Merged with Asus 374_168 GPL code.
- NEW: wan-start script will get passed the WAN unit number as
argument
- NEW: Webui option to select the location of the DLNA database
(patch by VinceV)
- NEW: IPv6 firewalling. Originally, Asuswrt would allow any IPv6
traffic to be forwarded to your LAN devices. This new option
(enabled by default) will prevent traffic forwarding to LAN
devices. You can also create firewall rules to allow inbound
traffic to specific hosts. The firewall configuration can be
accessed through the "Firewall -> IPv6 Firewall" page.
- CHANGED: Upgraded OpenVPN to 2.3.2
- CHANGED: Implemented IPTraffic support in DualWAN - Load balanced
mode (Experimental builds)
- CHANGED: Updated miniupnpd to 20130730
- CHANGED: Updated some prebuilt binaries (RT-AC56U)
- CHANGED: Updated 2.6.36 kernel to the latest code used
in 372_184 (RT-AC56U), includes some changes
related to USB3, and PPP/CTF.
- CHANGED: Smarter location selection for the DLNA database
location to reduce the chances of having it in
RAM if left to default location, filling it up
(patch by VinceV)
- CHANGED: Updated e2fsprogs to 1.42.8 to be in sync with Asus
- FIXED: Web server would crash if you entered too much data in
OpenVPN key/cert fields.
- FIXED: The ACSD service could be exploited by a LAN user to
gain shell access to the router. TCP connections to
ACSD are now blocked by the firewall.
- FIXED: You could not define time periods on the Parental
Control calendar under IE.
- FIXED: Wireless client list would sometimes return incorrect
hostname or be missing IP.
- FIXED: Security issue with Samba and symlinks
3.0.0.4.372.31_2 (28-July-2013):
- FIXED: Samba wouldn't start due to missing symlink (RT-AC56U)
3.0.0.4.372.31 (24-July-2013):
- NEW: Merged with 372_1393 code from Asus. Notes:
* Beamforming support for RT-AC66U/RT-AC56U
* RT-N66U driver still downgraded to build 270 (which
means no HW acceleration for PPP, but more reliable
connectivity on the 5 GHz band)
3.0.0.4.270.24 (13-Feb-2013):
- NEW: Rebased on 3.0.0.4.270. Notable changes:
o New driver builds (these are NOT the new major versions that
Asus are still working on)
o NTP-related changes
- NEW: Report CTF (HW Acceleration) state on Sysinfo page.
- NEW: Display Ethernet port states on the Sysinfo page.
- NEW: Replaced Busybox fsck/mkfs tools with those from e2fsprogs,
should be more reliable.
- CHANGED: Temperatures on Sysinfo page will now auto-update every 3
seconds.
- CHANGED: Connections page now uses Ajax for slightly better rendering
- CHANGED: Improved name resolution on traffic monitor page, now uses
a device's hostname if it reported one.
- CHANGED: Client List now uses our improved name resolution code,
will overwrite names with those entered on the DHCP static
lease page.
- CHANGED: Updated to OpenVPN 2.3.0 and lzo 2.06.
- CHANGED: Updated Busybox to 1.20.2 (with Oleg/wl500g patches
re-applied). Lots of fixes, including GPT support in
fdisk.
in release 260.21).
- FIXED: Router crash if the list of MAC filters + their names got
too long.
- FIXED: OpenVPN webui: TLS Reneg and Connection Retry wouldn't let
you enter -1 as value.
- FIXED: Layout issues on the DHCP page (one in Asus code, another
in Merlin code)
- FIXED: Beeline Corbina was unable to connect to PPTP/L2TP server
due to DNS issues.
- CHANGED: System log starts at the bottom (backported from GPL 314)
- CHANGED: Dual WAN is no longer enabled in regular builds - too many
issues with it at this point. Regular USB failover
still works.
3.0.0.4.260.21 (5-Dec-2012):
- NEW: Rebased on 3.0.0.4.260. This version should
resolve issues with some Russian ISPs. Note that
the RT-N66U build still uses the wireless driver
from release 220, as this seems to be the most stable
at this time.
- NEW: Option to force the router into becoming the SMB Master Browser.
- NEW: Option to make the router act as a WINS server.
- NEW: Option to control Spanning-Tree Protocol
- NEW: fstab custom config file
- FIXED: Firefox compatibility issues on the DHCP static and
MAC filter name fields.
- FIXED: Wifi status icon wasn't accurately reporting states if they
were changed by a radio schedule.
- FIXED: QIS would report newer firmwares, potentially overwriting
Asuswrt-Merlin with an original Asus firmware.
- FIXED: Wifi LEDs would turn back on if radios were enabled while
in Stealth Mode (now they turn back off after a few seconds)
- FIXED: Webui would break if a network device had an invalid
NetBIOS name (such as the Sonos Dock).
3.0.0.4.246.20 (14-Nov-2012):
- NEW: Wifi status icon will be half colored if only one radio is
enabled.
- NEW: Wifi status icon popup will report the state of each radio.
- NEW: upnp custom config file for miniupnpd
- NEW: unmount user script
- NEW: led_ctrl and makemime (for use in conjunction with sendmail)
applets.
- NEW: Implemented control for network switch LEDs (all four at once)
- NEW: Stealth Mode: option to disable all LEDs
- NEW: Added CONFIG_IP_NF_RAW and CONFIG_NETFILTER_XT_TARGET_NOTRACK
modules.
- FIXED: Radio toggle through WPS button would be overridden by a
scheduled radio. Reverted "switch" to "toggle" code to
prevent this.
- FIXED: You couldn't disable DMZ by clearing the IP field.
- FIXED: You couldn't edit entered text in DHCP/MAC/etc name field
- FIXED: clientid passing for some ISPs requiring it (like Sky UK)
was broken with the DHCP client change of build 220.
- FIXED: No longer reboot the router three times during boot time if
one of the radios is disabled by the user. (RT-N66U)
- FIXED: Changing the router login name to anything other than "admin"
would prevent radvd, ecmh and the cru script from working
3.0.0.4.220.18b (25-Sept-2012):
- NEW: Report both rx and tx rates on wifi connections
- FIXED: Handle cases where the wireless driver returns a speed of -1
- FIXED: Removed rssi retrieval retries, as it would make the first
access to the wireless page take forever if you had multiple
connected clients. You will have to manually refresh the page the
first time you access it if the RSSI is reported as "??".
3.0.0.4.220.18 (23-Sept-2012):
3.0.0.3.108.4 (28-Apr-2012):
- NEW: Clicking on the MAC address of an unidentified client will do a
lookup in the OUI database (ported from DD-WRT).
- NEW: Added HTTPS access to web interface (configurable under
Administration)
- NEW: Option to turn the WPS button into a radio on/off toggle (under
Administration)
- FIXED: sshd would start even if disabled
- CHANGE: Switched back to wol, as people report better compatibility
with it. ether-wake remains available over Telnet.
3.0.0.3.108.3 (18-Apr-2012):
- NEW: JFFS support (mounted under /jffs)
- NEW: services-start, services-stop, wan-start and firewall-start user
scripts, must be located in /jffs/scripts/ .
- NEW: SSHD support
- IMPROVED: Fleshed out this documentation, updated Contact info with
SNB forum URL
- CHANGE: Removed wol binary, and switched to ether-wake (from busybox)
instead.
- CHANGE: Added "Merlin build" next to the firmware version on web interface.
3.0.0.3.108.2 (14-Apr-2012):
- NEW: Added WakeOnLan web page
3.0.0.3.108.1 (5-Apr-2012):
- Initial release.
Contact information
-------------------
SmallNetBuilder forums (preferred method:
http://forums.smallnetbuilder.com/showthread.php?t=7047 as RMerlin)
Website: http://www.lostrealm.ca/
Github: https://github.com/RMerl/asuswrt-merlin
Email: rmerl@lostrealm.ca
Twitter: https://twitter.com/RMerlinDev
IRC: #asuswrt on DALnet
Download: http://www.lostrealm.ca/asuswrt-merlin/download
Development news will be posted on Twitter. You can also keep a closer
eye on development as it happens through the Github site.
For support questions, please use the SmallNetBuilder forums whenever
possible. There's a dedicated Asuswrt-Merlin sub-forum there, under
the Asus Wireless section.
Drop me a note if you are using this firmware and are enjoying it. If
you really like it and want to give more than a simple "Thank you",
there is also a Paypal donation button on my website.
I want to give my special thanks to Asus for showing an interest in
this project, and also providing me with support when needed. Also,
thank you everyone who has donated through Paypal. Much appreciated!
Finally, special thanks to r00t4rd3d for designing the Asuswrt-Merlin
logo.
Disclaimer
----------
This is the part where you usually put a lot of legalese stuff that nobody
reads. I'm not a lawyer, so I'll just make it simple, using my own words
rather than some pre-crafted text that will bore you to death and that
nobody but a highly paid lawyer would even understand anyway:
I take no responsibility for issues caused by this project. I do my best to
ensure that everything works fine. If something goes wrong, my apologies.
Copyrights belong to the appropriate individuals/entities, under the appropriate
licences. GPL code is covered by GPL, proprietary code is (c)Copyright their
respective owners, yadda yadda.
I try my best to honor the licences (as far as I can understand them, as a
normal human being). Anything GPL or otherwise open-sourced that I modify
will see my changes published to Github at some point. A release might get
delayed if I'm working using pre-release code. If it's GPL, it will eventually
be published - no need to send a volley of legal threats at me.
In any other cases not covered, Common Sense prevails, and I shall also make use
of Good Will.
Concerning privacy:
This firmware does not contact me back in any way whatsoever. Not even through
any update checker - the only update code there is Asus's.
--Eric Sauvageau