384.14 (14-Dec-2019)
- NEW: Implement option to prevent Firefox's automatic usage of DoH.
By default, this will only apply if you have DNSPrivacy
enabled, or if you have DNSFilter enabled with a global
filter, to ensure that Firefox will not bypass either of
these. You can also have this override applied all the
time, or completely disable it.
- NEW: Added "split" busybox applet.
- NEW: Added IPv6 support to Network Analysis webui
- NOTE: You might need to reconfigure your device hostname on the
LAN -> LAN IP page due to a GPL-level change (excluding
the RT-AX88U)
- UPDATED: RT-AX88U to GPL 384_6436 (with Let's Encrypt fixes
backported from 384_81351)
- UPDATED: RT-AC68U, RT-AC86U to GPL 384_81351
- UPDATED: RT-AC88U, RT-AC3100 to GPL 384_81351 and binary
blobs from 384_81116
- UPDATED: RT-AC5300 to GPL 384_81351 and binary blobs from
384_81219.
384.13_2 (14-Dec-2019)
This release is only available for the RT-AC87U and RT-AC3200.
384.13_1 (12-Aug-2019)
- FIXED: RT-AC87U failing to boot when configuring in AP mode.
384.13 (31-July-2019)
- NEW: AiMesh Router and node support. Note that automatic live
update of Merlin-based nodes is not supported; you will have
to manually update any Merlin-based nodes when a new firmware
is available. Asus-based nodes (which are recommended) will be
able to make use of the automatic live update.
- NEW: ChaCha20-Poly1305 support in Strongswan (themiron)
- UPDATED: RT-AX88U to GPL 384_6210.
- UPDATED: Curl 7.65.3.
- CHANGED: dhcp_staticlist no longer contains hostnames, these
have been moved to dhcp_hostnames for better
compatibility with upstream and closed source
components, also allows more static leases to be
defined before reaching the size limit.
- CHANGED: Replace Nettle with OpenSSL for dnsmasq's DNSSEC
validation, which opens the door to supporting
more ciphers. (themiron)
- FIXED: Firmware Update check button would redirect to Asus
support site if scheduled checks are disabled.
- FIXED: Firefox was showing a no-op Uninstall button on the
AiCloud page
- FIXED: 5 GHz radio showing as disabled on the Sysinfo page for
the RT-AC87U
- FIXED: FTP would be accessible from the WAN even while disabled
if you had DualWAN load balancing enabled, or IPTV
configured.
- FIXED: IGMP Snooper daemon crashing when more than 32 hosts
are present (themiron)
- FIXED: External DDNS IP checker would fail for Chinese users,
as checkip.dyndns.org is blocked - switched to .com TLD.
- FIXED: Devices without a networkmap-defined alias wouldn't fall back
to their hostname on some webui pages like the IPTraffic
and QoS Classification pages.
- FIXED: Remote IP field filtering on Classification page wasn't
working.
- FIXED: Incorrect user permissions displayed on the FTP page.
- FIXED: Performance issues for some users, following the kernel
security fixes in 384.12. (gzenux)
384.12 (22-June-2019)
- NOTE: The project now has its own domain name. Official website
is now https://www.asuswrt-merlin.net/ and my email address
for anything related to the project is now
merlin@asuswrt-merlin.net.
384.11_2 (18-May-2019)
- NEW: Implemented source/destination IP filtering
for the Netool version of Netstat web page.
- CHANGED: Backported multiple fixes and improvements
for ntpd from upstream, improving handling
of failed server hostname resolution, and better
clock sync discipline.
- FIXED: RT-AC88U/3100/5300 were accidentally compiled
with Netool enabled, which isn't compatible with
these models' kernel.
- FIXED: Movistar stopped working for some users. Re-disabled
udpxy on Movistar profile for now. A more complete
fix will have to come from Asus.
- FIXED: Re-disabled memaccess debugging tool, as it creates
a symlink called "sh" which is a pretty bad
idea from Broadcom. (RT-AC86U, RT-AX88U)
384.11 (8-May-2019)
- NEW: Added DNS Privacy feature, with support for
DNS-over-TLS (also known as DoT).
You can configure it on the WAN -> Internet Connection
page. You can manually add your own servers, or choose
one (or a few) from the preset list. (themiron)
- NEW: NTP daemon on the router, to allow your LAN clients to
synchronize their clocks with it.
- NEW: Option to intercept NTP requests from clients, and
redirect them to the router's own NTP daemon.
- NEW: Added service-event-end custom script, executed at the
end of an rc service call. Receives the same arguments
as service-event, but is a non-blocking script.
- NEW: Added sqlite3 CLI command, to allow script authors to
create/manage their own sqlite3 database
- UPDATED: RT-AX88U to 384_5951 GPL.
- UPDATED: Other models to 384_45713 GPL (RT-AC87U, RT-AC3200
and RT-AC5300 still using 384_45149 binary blobs)
- UPDATED: Nano 4.0.
- UPDATED: Curl 7.64.1.
- UPDATED: Dropbear 2019.78.
- CHANGED: Replaced the custom ntpclient with a proper ntpd
implementation, for reduced memory usage and
increased accuracy.
- CHANGED: Made the secondary NTP server configurable through the
webui. Note that ntpd will use both servers, so clear
the second server if there is one and you don't want
to use it.
- CHANGED: Re-designed firmware upgrade page, moving the schedule
option to that page, and removed support for the Beta
channel.
- CHANGED: Removed popup messages showing on the DDNS page when
a service state change was detected. Report it within
the page instead.
- CHANGED: Report firmware version within the new firmware
notification popup that appears at the top of the webui.
- CHANGED: Moved LED control (formerly known as Stealth Mode) to
the System page.
- CHANGED: Do not restart whole network whenever changing an IP
reservation on the Networkmap card.
- CHANGED: Allow URLs up to 64 chars long on the URL filter.
- CHANGED: pre-mount user script now receives the filesystem
as second argument.
- CHANGED: Moved various DNS-related settings from the DHCP page
to a more appropriate location on the WAN page.
- CHANGED: OpenSSL default dir moved to /etc/ssl/. Allows
programs to automatically locate the CA bundle
without requiring explicit configuration.
- CHANGED: Optimized service restarts generated by the
System page.
- CHANGED: Replaced Network Analysis and Netstat pages (under
Network Tools) with new versions based on Asus's
Netool daemon (RT-AC86U, RT-AX88U)
- FIXED: Reboot scheduler would sometimes get stuck, or corrupt
plugged USB drives. Now doing a more thorough
shutdown of services, should hopefully make it
more reliable.
- FIXED: CVE-2019-1543 issue with ChaCha20-Poly1305 in
OpenSSL 1.1 (themiron)
- FIXED: Client count on the Sysinfo page was missing
Guest clients
- FIXED: Miniupnpd sometimes sending ssdp notifies to
the wrong interface (themiron)
- FIXED: udpxy not working when using the Movistar
IPTV profile on RT-AC86U and RT-AX88U.
384.10_2 (3-Apr-2019)
- CHANGED: Increased OpenVPN interface queue length from 100
to 1000 bytes, to reduce the amount of dropped
packets if router can't keep up.
- CHANGED: Updated CA bundle to January 23rd version
- FIXED: Movistar VLAN routes weren't properly configured
(broken quagga configuration)
- FIXED: Layout issues on the Wireless Log page for some
models
- FIXED: Missing tooltip content for the new local DNS
resolution setting on the Tweak page
- FIXED: FAQ URL on Bandwidth Monitor points to a non-existing
page on Asus's servers (point to old page for now)
- FIXED: OpenVPN CA would be overwritten if there was no
server key or cert present - only generate them
if all three are missing.
- FIXED: Bandwidth Limiter not working properly in some
cases, as it failed to disable hardware acceleration
384.10 (24-March-2019)
- NEW: Added OpenSSL 1.1.1b in parallel to 1.0.2. Some services
like AiCloud are still linked against 1.0.2 because they
would require Asus to recompile them against 1.1.1.
384.9 (2-Feb-2019)
- NEW: Temporarily reorganized code in separate branches, to handle
Asus's currently scattered firmware source code releases.
The GPL situation for this release is as follows:
o RT-AX88U: Merged GPL 384_5329
o Other models: Merged GPL 384_45149.
o Special binary blobs provided by Asus for the RT-AC87U
and RT-AC3200 (compatible with 384_45149).
384.8_2 (8-Dec-2018)
- CHANGED: Updated miniupnpd to 20181205.
- CHANGED: Push LAN domain to OpenVPN clients as DNS suffix
for the connection.
- FIXED: Cannot save custom settings on OpenVPN server page
on non-HND models.
- FIXED: Some webui pages fail to load properly in French
- FIXED: dnsmasq fails to start when certain options are
configured (themiron)
- FIXED: Non-functional Show Password option on OpenVPN/PPTP
server page for RT-AX88U (removed)
- FIXED: Persistent SSL cert was wiped at boot time in
some specific scenarios.
384.8 (2-Dec-2018)
- NOTE: Asus has put the RT-AC56U on their End of Life
list, meaning no further firmware releases from
them. Since it's impossible for me to support
models without matching GPL releases from Asus,
I also have to retire the RT-AC56U. 384.6 is
the final release for that model.
384.7_2 (21-Oct-2018)
- FIXED: Namecheap DDNS service not working
- FIXED: CVE-2018-15599 security issue in Dropbear
- FIXED: Potential buffer overrun in httpd
384.7 (7-Oct-2018)
- NOTE: The RT-AC3200 and RT-AC56U are not supported by this
release, Asus hasn't released any updated code yet for
these models.
384.6 (25-July-2018)
- NOTE: The RT-AC87U is not supported in this release, as
Asus hasn't released any updated code for that model.
- NEW: Merged with GPL 384_21045/382_50624.
- NEW: Added support for the "-p" option to netstat.
- NEW: Added setting to enable DNS rebind protection, on the
DHCP page. This works by rejecting upstream server
responses that would point at a private IP.
- CHANGED: Updated nano to 2.9.8
- CHANGED: Updated curl to 7.60.0 (contains security fixes)
- CHANGED: Allow selecting text (for copy/paste operations)
on AiProtection pages.
- CHANGED: Added AES-*-GCM ciphers to the OpenVPN legacy
ciphers (so they can be explicitly used without
using NCP).
- CHANGED: Updated dnsmasq to 2.80test2-17-g51e4eee (themiron)
- CHANGED: Since dnsmasq 2.80, dnsmasq now ensures that unsigned
DNS replies received with DNSSEC enabled are legitimate.
If your upstream DNS doesn't support DNSSEC, this means
all replies from signed zones will be considered
invalid. Make sure you only enable DNSSEC if your
upstream DNS servers do support it. This behaviour is
a bit slower, but far more secure than the old default.
- CHANGED: Network Tools -> Netstat output also report program/PID
- CHANGED: Updated CA bundle to June 20th version.
- FIXED: IPv6-related issues on non-HND platform (themiron)
- FIXED: Couldn't log on WTFast if accessing the router
webui over https.
- FIXED: USB modem support code failing to properly pass
parameters to the kernel module (themiron)
- REMOVED: WTFast support for RT-AC88U/RT-AC3100/RT-AC5300,
as it's incompatible with recent versions of
curl (and has been broken for quite some time).
Not gonna revert back to a 7 years old curl
version just for wtfast.
384.5 (13-May-2018)
- NEW: Merged with GPL 384_20648
- NEW: Merged RT-AC68U, RT-AC5300 binary blobs from 384_20648
- NEW: Merged RT-AC86U SDK and binary blobs from 384_20648
- NEW: service-event script, executed before any service
call is made. First argument is the event (typically
stop, start or restart), second argument is the target
(wireless, httpd, etc...).
Note that this script will block the execution of
the event until it returns.
- NEW: Added USB HID modules (for use with devices such
as UPS)
- NEW: Added ip6tables-save command.
- CHANGED: Updated OpenVPN to 2.4.6.
- CHANGED: Updated Dropbear to 2018.76.
- CHANGED: Updated OpenSSL to 1.0.2o.
- CHANGED: Updated miniupnpd to version 2.1 (20180508).
- CHANGED: Updated nano to 2.9.5.
- CHANGED: Moved RT-AC86U to the same Busybox version (1.25.1)
as other models.
- CHANGED: Revised OpenVPN server options:
o Removed "TLS Reneg time" (rarely used, can manually
be set as a custom option)
o Removed "Server Poll" (which didn't work
properly), and reimplemented watchdog service,
hardcoded to 2 mins frequency.
o Removed "Push LAN" and "Redirect Gateway",
replaced with new Client Access setting
o Removed Firewall setting (firewall rules are now
always created, and the broken External mode
was fixed and integrated into the new Client
Access setting). You can now use the postconf
script to override it.
o Removed option to respond to DNS queries - enabling
the option to Push DNS will also handle it
o Added new Client Access setting to select between
three types of access: LAN only, WAN only (will
block access to the LAN, including the router
itself) and LAN + WAN.
o Keys and certificates can now be up to 7999
characters long.
384.4_2 (24-Mar-2018)
- CHANGED: Added visual warning when manually enabling webui
access on WAN. Doing so carries serious potential
security risks, as Asuswrt's web server code should
not be considered hardened enough for this.
- FIXED: Security issue in httpd (CVE-2018-8879).
- FIXED: Potential security issue in httpd related to QiS.
- FIXED: Minor webui issue in the QoS overhead menu.
384.4 (16-Mar-2018)
- NEW: Merged with GPL 384_20379 (with some binary components
from 382_50010 and 384_20308 depending on models)
- NEW: Added support for the RT-AC5300.
- NEW: Added support for the RT-AC87U.
- NEW: Added IPSEC support to the RT-AC86U.
- NEW: Support the new Entware 64-bit repo on the RT-AC86U.
To switch to the new repository, re-run the
entware-setup.sh script. You will need to reinstall
your apps (your old config files are backed up on
your USB disk).
- CHANGED: Tightened security around some config files.
- CHANGED: Allow guest networks settings for AP isolation
and SSID broadcast to be set separately from
their parent interface (John Bacho)
- CHANGED: Samba protocol support can now be set to
SMBv1, SMBv2, or SMBv1 + SMBv2 (the new default).
This will result in a performance drop on all
models but the RT-AC86U, but will be more secure.
Ideally, people should change it to SMBv2 only,
and then reboot all their client devices to start
using only the new protocol.
- CHANGED: Re-added some of the logging sd-idle used to do
in 380.xx.
- CHANGED: Switched to the new Entware repo for armv7 models.
To upgrade, run the following commands TWICE:
384.3 (14-Feb-2018)
- NOTE: To reduce confusion following the version
bump to 384, the current Github repository
was renamed from asuswrt-merlin.382 to
asuswrt-merlin.ng (for New Generation).
It's recommended that you update your
local repository if you're a developer,
for example by running:
382.1_2 (2-Dec-2017)
- NEW: Added custom/add/postconf support for mcpd.conf (RT-AC86U)
- CHANGED: Updated odhcp6c to latest upstream version
(patch by theMIRon)
- CHANGED: cifs and xt_set kernel modules will get automatically
loaded as needed.
- CHANGED: Updated OpenSSL to 1.0.2m.
- CHANGED: Updated libogg to 1.3.3 and libvorbis to 1.3.5.
- CHANGED: Merged wireless components from GPL 382_18991 for
RT-AC88U and RT-AC3100 (should in theory fix KRACK
issue on these two models)
- FIXED: allow IA_NA mode downgrade with forced IA_PD
(for ISPs with broken IPv6 support)
(patch by theMIRon)
- FIXED: SSH brute force protection would break WAN
connectivity (RT-AC86U)
- FIXED: Wrong Trend Micro signature updater was used when
compiling with FW update checker enabled.
- FIXED: QoS Upload chart missing on PPPoE connections with
Adaptive QoS enabled.
- FIXED: client and vendor id fields on WAN page would fail
to accept new values longer than 32 characters.
- FIXED: The Desc field in the OpenVPN policy section would
reject ":" if field contained a MAC address.
- FIXED: Security issues CVE-2017-15275, CVE-2017-12163 and
CVE-2017-12150 (backported to Samba 3.6 and 3.5)
- FIXED: DHCP static lease list would refuse any change if
the list of leases+hostnames was longer than 1000
chars due to an HND platform limitation (RT-AC86U)
382.1 (12-Nov-2017)
Asuswrt-Merlin 382 was rebuilt from a clean GPL codebase, as
merging the new 382 GPL on top of the existing code proved too
difficult.