- NOTE: This will be the final 380.xx release for all models.
The EA6900 and WS880 support will be dropped,
and R7000 have been migrated to the new gen branch,
as of release 384.4.
- CHANGED: Tightened security around some config files.
- CHANGED: Samba protocol support can now be set to
SMBv1, SMBv2, or SMBv1 + SMBv2 (the new default).
This will result in a performance drop on all
models, but will be more secure.
Ideally, people should change it to SMBv2 only,
and then reboot all their client devices to start
using only the new protocol.
If performance is more important than security to
you, then you can switch it back to SMBv1, which is
the old default behaviour.
- CHANGED: Switched to the new Entware repo for armv7 models.
To upgrade, run the following commands TWICE:
opkg update; opkg upgrade
- FIXED: Apply button not working on the OpenVPN
- FIXED: Potential racing condition that could lead to two
instances of miniupnpd running at boot time.
- FIXED: Broken FAQ links (backport from 380_8120)
- FIXED: Security issue in httpd (CVE-2018-8879).
- FIXED: Security issues in httpd (backports from 380_8228)
- NOTE: The official IRC channel has moved to
- CHANGED: Quantenna watchdog is less likely now to
incorrectly assume the QTN CPU has crashed
(which can lead to router reboots). (RT-AC87U)
- FIXED: IE11 field validation issues on OpenVPN and
- FIXED: Router crash when importing an OpenVPN certificate
longer than 3499 characters (the supported limit)
- FIXED: Users were allowed to enter invalid characters on
some of the OpenVPN client page fields.
- FIXED: CVE-2018-5999 in httpd (backport from 384_10007)
- FIXED: CVE-2018-5721 in httpd (Merlin & theMIROn)
- NEW: Added option to disable the Asus NAT tunnel service under
Other Settings -> Tweak. Not quite sure what this
partly closed source service is for, but it eats a
fair amount of CPU and RAM (backport from 382)
- CHANGED: Updated odhcp6c to be in sync with upstream
(patch by theMIRon)
- CHANGED: Updated libogg to 1.3.3 and libvorbis to 1.3.5.
- CHANGED: Updated wget to 1.19.2 (fixing connectivity to some
TLS 1.2 servers)
- CHANGED: Updated RT-N66U and RT-AC66U SDK to GPL 380_8120's
(fixing KRACK in repeater/bridge mode)
- CHANGED: Updated openssl to 1.0.2n.
- CHANGED: Updated tor to 0.2.9.14.
- FIXED: allow IA_NA mode downgrade with forced IA_PD
(for ISPs with broken IPv6 support)
(patch by theMIRon)
- FIXED: Trend Micro signature check might randomly fail the
- FIXED: Security issues CVE-2017-15275, CVE-2017-12163
and CVE-2017-12150 (backported to Samba 3.6 and 3.5)
- FIXED: Httpd crash when accessing certain webui pages with
no connected Ethernet clients
- FIXED: DNSFILTER rules would have priority over OPENVPN Client
rules (when client has DNS set to Exclusive mode).
- FIXED: traffic routing from the router itself would fail when
restarting the firewall while using an ovpn client with
policy rules in effect.
- CHANGED: Updated dnsmasq to 2.78 (contains a number of
- FIXED: rstats could crash at start time in some situations.
- FIXED: QOS Scheduler would revert back to sfq after you had
re-enabled QOS while (fq_)codel was already selected.
- FIXED: Missing tabs on the Parental Control page.
- FIXED: Realtek port status wouldn't auto-refresh on the Sysinfo
- FIXED: Incorrect sort by remaining time on the DHCP Lease page.
- FIXED: Some LAN clients couldn't be added to the TOR redirected
- FIXED: Some models would show the wrong menu options while in
- FIXED: USB modem page not displayed if WAN type was set to USB.
- FIXED: CVE-2017-12754 security issue.
- FIXED: Incorrect LAN ports order on Networkmap (RT-AC3200)
- FIXED: Extra OpenVPN CA not properly handled for OpenVPN
clients 3, 4 and 5.
- FIXED: Invalid txrate shown on Wireless Client page if client
isn't authenticated yet
- IMPORTANT: due to major webui changes, you will need to
either flush your browser cache, or force it
to reload the page (shift-reload) the first time
you access the webui after upgrading to 380.68.
- NEW: Merged GPL 380_7743 binary blobs for the RT-N66U.
- NEW: Backported Ethernet port status report on the Network Map
from GPL 382.
- NEW: Description field added to OpenVPN client configuration
- NEW: Added missing hash types to ipset_arm (Patch by john9527)
- NEW: Added hostname Busybox applet, used by some Entware packages
- NEW: Added TPROXY netfilter target module (ARM only)
- CHANGED: Switched webui menu generation code to GPL 382 code.
This new code is easier for me to maintain.
- CHANGED: Used webui menu icons from GPL 382.
- CHANGED: Re-organized VPN pages, merging some together.
- CHANGED: Reworked VPNStatus page, will now refresh itself every
5 seconds. It will also report a client's local
and public IP addresses.
- CHANGED: Re-designed webui interface for managing SSL
certificate. Added Upload button, and revamped
certificate info display (includes some backports
from GPL 382)
- CHANGED: Removed option to enable/disable persistent webui
certificate - they are now always persistent.
- CHANGED: Reworked Tools -> Sysinfo page, dynamic data will
refresh itself every 3 seconds, also port
ordering will be more consistent, and display based
on the new tableAPI from GPL 382.
- CHANGED: Backported system log page from GPL 382: moved logging
settings to it, added option to set a remote syslog
server's port, and shown log will auto refresh.
- CHANGED: Re-designed DHCP Lease log page to use the new
tableAPI, with sortable fields (defaults to IP sort)
- CHANGED: Do not alternate between ntp server from webui and
the one hardcoded in nvram - use webui one, unless
it's empty - then use the second server set in nvram.
- CHANGED: Moved App icon out of the notification area and into
the footer of the page, with other links.
- CHANGED: Updated Curl to 7.54.1
- CHANGED: Updated nano to 2.8.6
- CHANGED: Re-designed the way the Tor database gets backed up,
so it won't grow stale by never being updated.
- CHANGED: Define and forward a small range of ports
(57535-57565) for use for passive FTP (needed for
TLS over WAN).
- CHANGED: Reduce the amount of logging done while configuring
policy-based routing for an OpenVPN client when
using the default log verbosity level of 3.
- FIXED: Duplicate LAN port 1 shown for the RT-AC87U on
the Sysinfo page.
- FIXED: Port forward/UPNP issues with CTF enabled depending on
selected NAT loopback mode.
- FIXED: URL filtering wasn't working over IPv4.
- FIXED: OpenVPN instances could potentially start too early at
boot time (before clock was set)
- FIXED: When multiple OpenVPN clients are connected to the router,
their username wouldn't show as Connected.
- FIXED: Progress report would go to 200% if you changed a setting
and started or stopped an OpenVPN client or server.
- FIXED: Security issues CVE-2017-11344, CVE-2017-11345 and
CVE-2017-11420 in networkmap (patches by
Kilo Foxtrot Papa)
- FIXED: Webui self-generated certificate could sometime be
invalid due to a race condition between the SSL and
non-SSL httpd instances starting at the same time.
- FIXED: Tor would fail to start if there was a backed up
database in /jffs/.tordb, due to bad permissions.
- FIXED: SMB sharing without user authentication would fail if
router's admin username was changed from "admin"
- FIXED: SMB sharing without user authentication would cause
SMB2 to downgrade to SMB1.
- FIXED: 5GHz-2 would show an "undefined" channel on the
Wireless-> General and in the wifi popup if
5GHz-1 was disabled (Asus bug).
- NEW: Merged with GPL 380_7743 code, with binary blobs from
7378 for N66U
- NEW: Custom config support for quagga/ripd.
- NEW: Webui SSL certificate can now be saved so it gets reused
instead of a new one being constantly generated. It will
be stored under /jffs/ssl/, you can also easily provide
your own by storing cert.pem and key.pem in that location.
Settings to control this can be found under
Administration -> System.
- NEW: TLS support in vsftpd. Key and certs are automatically
generated, and can also be replaced by your own, as
ftp.key and ftp.crt under /jffs/ssl/
- NEW: fq_codel and configurable overhead support in Adaptive QoS.
- NEW: PEAP/MSCHAPv2 support via 802.1x on WAN interface, in
addition to existing MD5 support (patch by Rafi Khardalian)
- CHANGED: Remember chosen sort method on DHCP static reservations
- CHANGED: Updated minidlna to 1.2.0.
- CHANGED: Updated nano to 2.8.5.
- CHANGED: Updated openssl to 1.0.2l.
- CHANGED: Updated ipset (ARM) to 6.32.
- CHANGED: Upgraded from vsftpd 2.0.4 to 3.0.3. You might need to
revise any custom configuration you have done (if any).
- CHANGED: Moved SMB2 support switch to the main samba page.
- CHANGED: Optimized all webui images for size
- CHANGED: Tor now runs as a limited user instead of as root
- CHANGED: Limited number of supported OpenVPN clients to 2 on
the RT-AC3200, to save on nvram.
- CHANGED: Removed tweak that allowed to disable/enable bridge
multicast snooping, as Asus now disables it upstream
at the kernel level.
- FIXED: OpenVPN client would be shown as having failed to connect
if a reconnect attempt initially failed to authenticate,
but succesfully connected afterward.
- FIXED: Quagga's log could fill up RAM, reduced the amount of
logging generated by it.
- FIXED: NFS sometimes failing to start properly (patch by john9527)
- FIXED: Layout issue of the status bar under Chrome when window
is larger than 1800px (patch by Cyrus Dargahi)
- FIXED: UPNP and SNMP issues in Dual WAN mode.
- FIXED: NAT Loopback (merlin mode) in Dual WAN mode wasn't supported.
- FIXED: Internal and external port specifications were swapped in
miniupnpd's config file (Asus/Tomato bug)
- FIXED: Enabling policy-based routing for a client connecting to
a server that doesn't push a redirect-gateway would fail
to properly route traffic (for instance with StrongVPN)
- FIXED: Invalid port trigger rules when specifying a port range
(patch by John Bacho)
- FIXED: OpenVPN client with a password containing an "&" could get
corrupted when re-editing that client's config.
- FIXED: Some remote syslogd would choke on syslog entries sent by
the router if there were spaces in the tag parameter.
Removed spaces where this was the case.
- CHANGED: Updated OpenVPN to 2.4.3
- FIXED: Corrupted firewall rules if enabling SSHD brute-force
protection and Respond to WAN Ping at the same time
while in Dual WAN mode.
- CHANGED: Updated dropbear to 2017.75
- FIXED: Security issue CVE-2017-7494 in Samba.
- FIXED: AiCloud fail to start on RT-N66U and RT-AC66U.
- FIXED: The generated key/cert for httpds and AiCloud could
sometimes be invalid due to a timing probblem.
- NEW: Merged with GPL 380_7378
* Port forwards can select a specific source IP
* Security fixes for CVE-2017-5891, CVE-2017-5892
* If you are experiencing new wifi stability
issues, try disabling Airtime Fairness on
the Wireless -> Professional page (on all
- NEW: Option to disable Wanduck's constant DNS probing
for WAN state (Tools -> Other Settings)
- NEW: Allow disabling the use of DH, by entering
"none" in the DH field for OpenVPN server config.
- NEW: Added new Internet redirection mode to OpenVPN clients
called "Policy Rule (Strict)". The difference from the
existing "Policy Rule" mode is that in strict mode,
only rules that specifically target the tunnel's
interface will be used. This ensures that you don't
leak traffic through global or other tunnel routes,
however it also means any static route you might have
defined at the WAN level will not be copied either.
- CHANGED: Ovpn importer now recognizes the "port" and
- CHANGED: Ovpn importer now support a third argument for
the "remote" parameter, allowing to specify the
- CHANGED: Updated Tor to 0.2.9.10
- CHANGED: Updated nano to 2.8.1
- CHANGED: Updated OpenVPN to 2.4.2
- CHANGED: Updated LZ4 to 1.7.5 (used by OpenVPN)
- CHANGED: SSL certificate generated for httpds will now
contain SANs for hostname, router.asus.com, IP
and DDNS hostname.
- CHANGED: Make minidlna always use the same uuid, based on
the LAN MAC (original patch by john9527)
- CHANGED: Better feedback provided when an ovpn file upload
generates a problem due to a key/cert that's
not provided inline. Inform the user which of
these he will need to manually provide.
- CHANGED: Disable bridge multicast_snooping, as this should be
unnecessary, and it could interfere with EMF, UPNP and
other multicast applications. Can be re-enabled from
the Tools -> Other Settings page.
- REMOVED: The Virtual Server page no longer allows users to
edit existing port forwards (our existing code is
incompatible with Asus's newer webui code and will
need to be re-implemented.)
- FIXED: WOL page fails to load if adding a client with a
quote in its name.
- FIXED: Couldn't add a DHCP reservation client if its name
contained a quote.
- FIXED: New outbound connections weren't logged if firewall
logging was enabled.
- FIXED: OpenVPN server didn't always work properly in udp mode
when in a dual stack IPv4/IPv6 environment (backport
from GPL 382_9736)
- FIXED: When disabling NCP support in OpenVPN, the router
could still be trying to use it if the remote end
had it enabled.
- FIXED: Potential CVE-2016-10229 security issue in kernel
(unsure whether our kernel was vulnerable or not)
- FIXED: ovpn file import would fail to import auth hash or
cipher if they weren't uppercase.
- FIXED: Couldn't edit SMB permissions if the disk had
multiple partitions (Asus bug) (patch by
- FIXED: Exporting a client.ovpn file with no existing CA
could generate garbled output in the generated
- FIXED: Various LAN/WAN issues with the RT-AC3200 due to
incorrect GMAC state checks (Asus bug) (patch
- FIXED: Some models would sometime randomly fail to start one
of their wifi radio, possibly due to a hardware design
issue. Partly revert the 380.65 changes that removed
the automatic reboot if one radio was disabled at boot
time, but reduced the maximum number of reboots to 1.
- FIXED: CVE-2017-6549 (implemented temporary workaround,
until a proper fix from Asus)
- FIXED: CVE-2017-6548 (backport from GPL 7266)
- FIXED: WOL page fails to load if adding a client with a
quote in its name.
- FIXED: Couldn't add a DHCP reservation client if its name
contained a quote.
- NEW: Merged with parts of Asus GPL 380_4180, left out
most of it because of too many bugs in it.
- NEW: Upgraded to OpenVPN 2.4.0, and implemented support
for many of its new features:
* GCM ciphers
* LZ4 compression
* tls-crypt (uses the Static Key field)
* Cipher negotiation (NCP), with (optional)
fallback to legacy "cipher" parameter when
an OpenVPN 2.3 client connects to the
router's 2.4 server.
Please refer to the OpenVPN 2.4 documentation for
more info on these new features.
You will be warned if any server setting would
generate an exportable ovpn file that would be
incompatible with older clients.
Existing client config shouldn't need to be changed,
unless you modify the router's server configuration.
- NEW: Upgraded Busybox to 1.25.1 (patch by theMIROn)
- NEW: Added the following Busybox applets: ntpd, time, uniq,
xargs and getopt, for feature parity with John's fork.
- NEW: Option on Media Server page to enable minidlna's
built-in status web page. Default URL is
- NEW: Support for Vodafone R226 USB LTE (patch by
- NEW: New "update-notification" user script, that gets run
when a scheduled firmware check detects a new version
- CHANGED: Removed support for all RC ciphers on OpenVPN.
DES is staying for now, but should still be avoided
- CHANGED: Updated openssl to 1.0.2k
- CHANGED: Updated tor to 0.2.9.9 (0.2.9.x patch by blackfuel)
- CHANGED: Updated nano to 2.7.4.
- CHANGED: hosts file will now give a higher priority to the
user-configured hostname for the router ahead of
hardcoded ones (like router.asus.com).
- CHANGED: Create a system log entry if a new firmware
version is available.
- CHANGED: Display name and icon for clients configured on the
- CHANGED: Streamlined miniupnpd stop/start events during boot,
so there are fewer of them now.
- FIXED: Invalid DUID used when requesting an IPv6 prefix
for some of the newer router models, which would
prevent them from getting working IPv6 (Asus bug)
- FIXED: Network Service Firewall rules not applied
under certain configurations
- FIXED: Port triggering wasn't working if traffic had
been whitelisted by Network Service Firewall
- FIXED: Avahi wasn't rejecting connections from
secondary WAN interface
- FIXED: Sorting clients by connection time would incorrectly
treat 10 hours as shorter than 9 hours, as it was
handling it as a string (Asus bug)
- FIXED: Exported ovpn client file wouldn't use the
user-configured hostname when using DDNS custom mode.
- FIXED: Exported OpenVPN client config didn't work when
using static key authentication.
- FIXED: Exported OpenVPN client config wasn't editable with
Notepad, the default editor used by Windows's
- FIXED: OpenVPN was killed too quickly on disconnection,
causing issues when using explicit-exit-notify
(patch by john9527)
- FIXED: OpenVPN client/server instances weren't properly
restarted on a WAN restart (patch by john9527)
- FIXED: Some models (N66/AC66/AC5300) would reboot 3 times
if one of the radios was found disabled by the user
while booting (Asus bug).
- FIXED: Webui layout was broken under Chrome 56.
- FIXED: IPv6 client list failing to properly show hostnames
(regression in 64_1)
- FIXED: A few potential buffer overruns in httpd
- FIXED: Security issues in httpd (backport from GPL 4180 +
additional fixes of my own)
- NEW: New firmware availability notification. The router will
notify you if a new firmware is available, and will also
let you view the changelog before sending you to the
download page (the update process remains manual).
Note that the automated check will only report new
final releases. The Check button on the Firmware Upgrade
will immediately check for final releases or beta (if you
select that option), but not both at the same time.
- NEW: Added iptables MASK support on MIPS kernel (patch
- NEW: Webui warning shown in the notification area if running
low on free nvram.
- CHANGED: Updated nano to 2.7.1.
- CHANGED: Updated OpenVPN to 2.3.14.
- CHANGED: Updated curl to 7.51.0, resolving numerous security
and stability issues.
- CHANGED: Tor clients will now route other TCP ports than just
80/443, and drop UDP and ICMP traffic (patch by
- CHANGED: QoS Stats info will automatically refresh every
3 seconds (user-configurable)
- CHANGED: IPTraffic charts now show sorted slices, so the
clients with the least traffic will get grouped
under "Others" if truncating the list of shown
- CHANGED: Enabled IPv6 support in curl.
- CHANGED: Improved webui performance, by caching large static
life from 5 mins to 1 hour.
- CHANGED: No longer include Download Master packages in the
firmware for those models that still included them,
reducing firmware size by a few megabytes.
Those were always outdated, the router will download
the latest versions from Asus's servers at install
- CHANGED: Improved webui protection against CSS/XSS attacks
(backport from GPL 4164)
- FIXED: Web server crash if importing an ovpn file with an
invalid key or certificate (Asus bug)
- FIXED: App icon at the top wouldn't work on Firefox,
- FIXED: Firefox would sometime fail to display the client
list, reporting a JSON parsing error in the console.
- FIXED: HMAC setting not properly set when importing an ovpn
file for a config based on TLS authentication mode.
(backport from GPL 4164)
- CHANGED: Added detection for iPhone 7 models in networkmap
(patch by Andrei Coman).
- CHANGED: Enabled --dns-loop-detect support in dnsmasq
- CHANGED: Move Dual WAN static routes to a lower priority, so VPN
policy rules will have priority over them
- FIXED: Traditional QoS labels were off by one on the Stats page.
- FIXED: Adaptive QoS upload stats couldn't be retrieved because
qosd seems to be hardcoded to always set up classes on eth0
rather than on the real WAN interface.
- FIXED: USB driver was removed too early at shutdown time on the
RT-AC56U and RT-AC87U (fix by john9527)
- NEW: QoS Statistics page, showing the amount of traffic assigned to
each available classes, as well as the current throughput.
- NEW: Charts added to various Traffic Monitor pages.
Note that you can click on legend items to reveal/hide the
DL/UL data. Hovering over a bar or a pie slice will
display the exact value for that item.
- NEW: Added pc_delete() to the helper script (patch by john95287)
- NEW: IPv6 firewall now supports fixed interface ID (EUI64) ipv6
destination addresses (Patch by john9527)
- CHANGED: Updated Tor to 0.2.8.9
- CHANGED: Updated OUI database.
- CHANGED: ipset was updated to version 6.29 on ARM models.
IMPORTANT: this means you will probably need to
update your script to the new syntax. You need to
load the xt_set.ko module at the start of your script.
There has been no change to MIPS models, due to their
older kernel. (original code by Shibby and Victek,
Asuswrt port by john9527) (ARM only)
- CHANGED: OpenVPN policy rules now start at prio 10000 instead of 1000
- CHANGED: Added help popups to various settings that are unique to
- FIXED: Custom group/shadow/passwd weren't applied at boot time.
- FIXED: CVE-2016-5195 (Dirty COW) vulnerability in kernel
(patches by blackfuel and Joseph A. Yasi)
- FIXED: Network Service Filter rules would only apply to clients
under Parental Control if that was enabled (original
debugging by john9527) (Asus bug)
- FIXED: A few memory leaks in httpd and rc services.
- CHANGED: Updated OpenSSL to 1.0.2j
- NEW: Added nano 2.7.0 (user-friendly text editor)
Note that for space reasons, some of its features are disabled
for the RT-N66U and RT-AC66U. Entware users might want to
uninstall the Entware version if they had it installed and want
to use the built-in version instead.
- NEW: Option to toggle the display of passwords on the PPTPD and
OpenVPN server pages.
- NEW: Allow providing a vendor class on the WAN page (DHCP option 60)
- NEW: Add option to disable sending a RELEASE request when odhcp6c
exits, allowing you to retain your received prefix with some
- CHANGED: Updated nettle to 3.2 (used for dnssec) and increased
- CHANGED: Updated minidlna to 1.1.6
- CHANGED: Updated OpenVPN to 2.3.12
- CHANGED: Updated OpenSSL to 1.0.2i
- CHANGED: Revamped the Wireless Log page:
- Merged some columns to gain more horizontal space
- Longer hostname shown (truncated names are now
shown in a tooltip)
- Display clients' IPv6 if they have one
- CHANGED: Accept up to 250 characters for OpenVPN client's
username and password (one provider needs 64).
- CHANGED: Hide the WPA key on the Wireless config page, and only
reveal it when you click on the field to edit it.
- FIXED: OpenVPN client shouldn't display policy routing settings
when using a TAP interface.
- FIXED: DSL/ATM overhead setting was visible on MIPS models, which
don't support it.
- FIXED: Editing OpenVPN or PPTP users with any value longer than
32 chars could lead to corruption of the user list.
- FIXED: Custom config file for igmpproxy wasn't working.
- FIXED: After turning off a Guest network, the next visit to the
Wireless Settings page would show that guest network's settings
instead of the parent band settings (Asus bug)
- FIXED: Smart Connect rules didn't apply on the RT-AC88U (backported
fix from 380_3941).
- FIXED: Numerous memory leaks in the networkmap service. (Asus bug)
- FIXED: Potential buffer overrun in the networkmap service. (Asus bug)
- FIXED: Broken IPv6 connectivity if enabling SSH brute force
protection (only MIPS models were affected)
- FIXED: 5G LED would fail to turn back on when exiting stealth mode.
- FIXED: Only hostname was used as remote server in an exported
OpenVPN client config when using Namecheap DDNS.
- FIXED: Security vulnerability (XSS/CSR) in httpd (backported
fix from 380_4005).
- FIXED: Chrome would try to autofill some fields (such as on the
DDNS configuration page), which could be problematic.
- FIXED: IPTraffic database was no longer properly named after
the router's MAC address on the AC88/AC3100/AC5300.
If you recently enabled it, you will need to either
re-create a new database, or rename the existing
database from tomato_cstats_000000000000.gz to
tomato_cstats_XXXXXXXXXXXX.gz, where "XXXXXXXXXXXX" is
your MAC as found with "nvram get et2macaddr", in
lowercase (AC88/AC3100/AC5300 only).
Regular traffic monitoring (stored in
tomato_rstats_XXXXXXXXXXXX.gz) is fine.
- FIXED: Connected OpenVPN clients reporting as disconnected
on the status page following any wireless config change
- FIXED: OpenVPN server would report being "Initializing"
while it already was ready, following any
wireless config change (Asus bug)
- FIXED: Various stability issues with minidlna (reverted some
of Asus's customizations)
380.61 Beta 1 (31-July-2016)
- NEW: Merged with GPL 3831.
- CHANGED: updated dropbear to 2016.74.
- FIXED: Do not enforce b/g mode as "auto" if wireless mode
is also set to Auto.
There was no non-beta release, due to limited model support
and unsolved WAN stability issues.
380.60 Beta 2 (5-July-2016)
IMPORTANT: The firmware image file format was changed by Asus.
Starting with 380.60, you will no longer be able to
flash versions older than 380.60, or Asus versions
older than 220.127.116.11.380_3000.
You can currently downgrade by using Firmware Recovery
mode, but there's not guarantee that this will keep
working in the future.
- NEW: Merged with GPL 3479. This includes the new file format
required for certification purposes.
- NEW: Option to enable overhead calculation on Traditional QoS
for DSL users (ARM-only)
- NEW: Option on System page to disable the new forced
redirection to router.asus.com (defaults to disabled)
- CHANGED: Updated OpenVPN to 2.3.11
- CHANGED: Allow to specify IPv6 prefixes up to 126 on the IPv6 config
- CHANGED: Networkmap will now announce itself as "Asuswrt/networkmap"
when connecting to LAN's web services.
- FIXED: OpenVPN server instances weren't properly reporting
if an error occurred at start time.
- FIXED: wget was unable to access https site due to not
having a CA bundle to verify certificates
- FIXED: odhcp6c was sending bogus preferred prefixes, so
anything larger than 64 could result in an invalid
- FIXED: Language selector is missing on router set for the
JP region (reverted Asus change)
- FIXED: Client names with single quotes couldn't be edited
in the networkmap client popup (Asus bug)
- FIXED: Router wouldn't run SMB to provide browser master
or Wins services if no USB disk was plugged
- FIXED: Router would sometime fail to renew a WAN DHCP lease.
(fix by theMIROn)
- NEW: Merged with 380_2697 GPL. This includes beta MU-MIMO support for
the RT-AC87U/AC88U/AC3100/AC5300, and IPTV fixes.
- NEW: Option on OpenVPN client/server page to reset them back to the
factory default settings.
- EXPERIMENTAL: Added support for codel and fq_codel to ARM models
(RT-AC56U and newer).
When enabling Traditional QoS or Bandwidth Limiter,
you can now change from the default sfq queue
discipline to codel or fq_codel.
(based on Kyle Sanderson's Tomato backport)
NOTE: Traditional QoS is currently broken on the
newer models (RT-AC88U and up). This is a known
issue in recent Asus releases.
- CHANGED: WAN -> NAT Passthrough now allows you to determine whether or
not to load the NAT helper module for h323, rtsp and sip.
Asus's old behaviour is "Enabled + NAT Helper".
- CHANGED: DNSFilter client dropdown now uses Asus's new one integrated
- CHANGED: minidlna now supports refreshing an existing database, so the
Tweak setting was updated accordingly
- CHANGED: Enable SPNEGO support in Samba
- CHANGED: Integrated Asus's networkmap into the DHCP reservations page
- CHANGED: Updated Tor to 0.2.7.6
- CHANGED: SSH WAN access will also work over IPv6
- CHANGED: Updated miniupnpd to 2.0
- CHANGED: Fields on the DHCP static lease page are now sortable
(original patch by Allan Jensen)
- CHANGED: Updated openssl to 1.0.2h
- FIXED: Daily/Monthly traffic monitoring shows invalid values on the
RT-AC88U/3100/5300, even with CTF disabled. Implemented a
- FIXED: WPS wasn't working on the RT-AC3200
- FIXED: Backported security fixes from OpenWRT to Samba 3.6.25,
addressing the following:
CVE-2015-5252, CVE-2015-5370, CVE-2015-5296,
CVE-2015-5299, CVE-2015-7560, CVE-2016-2110,
CVE-2016-2111, CVE-2016-2112, CVE-2016-2115,
- FIXED: OpenVPN clients set to policy-based routing and Exclusive
DNS mode were still adding the tunnel nameservers to
dnsmasq, causing both routed and non-routed clients to use
- NEW: Merged with 380_1354 GPL
- NEW: Added Tweaks and Hacks settings to Tools -> Other Settings.
These are UNSUPPORTED tweaks, intended mostly for
experimentation, or very specific situations. If unsure how
to apply these, manually reboot after changing them.
One of new settings there lets you disable hourly network
rescans, to resolve issues with NAS/printers coming out
of sleep every hour.
- NEW: Added setting to configure OpenVPN's auth digest algo.
- NEW: Added setting to configure OpenVPN's logging verbosity.
Note that this setting is global to all clients/servers.
- CHANGED: Updated OpenVPN to 2.3.10
- CHANGED: Updated openssl to 1.0.2g
- CHANGED: Updated miniupnpd to 1.9.20160222
- CHANGED: Updated udpxy to 1.0-build 23-10 (backport from GPL
- CHANGED: if you set an OpenVPN client DNS mode to "Exclusive"
and you enable policy-based routing, then those policies
will also determine which DNS to use (the tunnel's or
the ISP's). This is based on DNSFilter's technology.
You no longer need to use DNSFilter to control
the DNS used by your OpenVPN clients.
- CHANGED: Made OpenVPN traffic bypass CTF, which resolves
some throughput issues with it
- CHANGED: Disabled X11 Forwarding support in Dropbear,
for security reasons.
- FIXED: PPTP static route handling script was broken
- FIXED: minidlna would check for the wrong database filename
at start time
- FIXED: Wrong status shown for VPN Client 3
- FIXED: OpenVPN clients were run on the wrong CPU cores.
Now, odd instances correctly run on the second core.
- FIXED: Using DNSFilter with default mode set to "router" would
prevent using the router for IPv6 lookups.
- FIXED: Account limit wasn't properly allowing up to 10
clients for SMB/FTP (patch by vit9696)
- FIXED: Having multiple OpenVPN clients configured with
multiple "Accept DNS configuration" modes would
only apply the last client's setting. Now, we
apply the most restrictive setting of all
- FIXED: RT-AC68U 2.4 GHz was broken if CTF was disabled
(downgraded wifi driver to 18.104.22.168)
- FIXED: Diasbling the SIP NAT helper would also drop all port 5060
traffic. Some users need to keep the SIP helper disabled
with their SIP client. Reverted that GPL 858 change.
- NEW: Merged with 380_1031 GPL
- NEW: Added RT-AC3100 and RT-AC5300 support
- NEW: Added RT-AC68U HW Revision C1 support
- NEW: Backup/Restore of the content of the JFFS
partition (under Administration Restore/Save Settings)
- NEW: Added DNSSEC support. Can be enabled under LAN -> DHCP.
- NEW: Added custom/postconf support for igmpproxy.conf.
- CHANGED: Increased user account limit from 16 to 32 on
the VPN server pages.
- CHANGED: Updated e2fsprogs to 1.42.13
- CHANGED: Increased maximum entries in Parental Control
(time scheduler) to 32.
- CHANGED: Updated miniupnpd to 1.9.20151119.
- CHANGED: Updated Openssl to 1.0.2e.
- CHANGED: Downgraded Dropbear to 2014.66, too many issues in
the newer releases.
- CHANGED: Improvements to VPN Status page
- FIXED: CTF not automatically disabled when enabling IPTraffic.
- FIXED: Openvpn clients 3 through 5 were all run on the first
CPU core. They are now properly alternated like the
first two (odd on CPU1, even on CPU0)
- FIXED: smb.log generated by networkmap could fill up RAM
- FIXED: upnpc_xml.log generated by miniupnpc could fill up RAM
- FIXED: Inconsistant names used on IPTraffic and Sysinfo page.
Now, we give priority to any description manually entered
on the networkmap, followed by static hostname, then any
current (lease) hostname.
- FIXED: MAC queries sent to the OUI database were broken due to
changes on the IEEE website
- FIXED: Applying changes to OpenVPN client page would start the
client even if it was disabled/stopped.
- CHANGED: Reverted the memory buffering optimization
for ARM devices, as people keep panicking
over the lower amount of free RAM. You can
manually re-enable the optimization by setting
"drop_caches=0" in nvram.
- CHANGED: Allow using a port < 1024 for http(s) webui
- FIXED: EMF wasn't working on AC56/AC68/AC87.
- FIXED: Couldn't connect to ISPs using VLANs (RT-AC87U)
- FIXED: Editing Port Forward entry with ellipsis in
the description or the port range would
still edit the shortened version instead
of the full content.
- FIXED: Debug log from mDNSNetMonitor could gradually
fill up RAM - disabled it.
- FIXED: Router crash if pasting SSH key > 2047
- FIXED: Editing an entry on the networkmap would
clear the hostname if entry existed in
the DHCP static list.
- FIXED: OpenVPN server in secret key mode
would fail to start.
- FIXED: Couldn't add entries to the MAC Filter list
of Guest Networks (reverted our previous
implementation which conflicted with
Asus's new one).
- FIXED: NTP failing to refresh for some cases.
Implemented temporary workaround.
- FIXED: Some services not properly starting at
boot time (like Parental Control or Tor)
NOTE: There is no 378.56 build for the RT-N66U at
this time, as Asus hasn't released updated
source code for this model yet, and there are
new closed source binary components that are
necessary for this new release.
Make sure to read the changelog of the two
previous betas for the complete list of
changes since 378.55.
- CHANGED: Nameserver handling is more resilient to
scenarios where dnsmasq fails to start due
to a broken configuration
- FIXED: PPTP/L2TP client page broken on French locale
- FIXED: Entries on the Virtual Server page with ellipsis
in their name or port range weren't properly
copied to the Add fields when edited.
- FIXED: Additional fixes to truncated hostnames related
378.56 Beta 2 (18-Oct-2015)
- CHANGED: Increased Guest MAC filter entries limit to 64.
- CHANGED: DHCP query logging no longer override configured
syslog level, and option was renamed to "Hide queries"
to be more intuitive in regard to the level logging
- CHANGED: Enabling Hide DHCP queries also silences any RA
- CHANGED: Reverted networkmap's printer detection change
as it didn't resolve the printer wakeups.
- CHANGED: Reorganized settings on the System page
- FIXED: QoS page layout in Firefox
- FIXED: curl wasn't using the firmware's CA list (regression)
- FIXED: Models with 128 KB support were only reporting 64 KB
in the nvram userspace tool
- FIXED: Traditional QoS not working when IPv6 is enabled
(patch by charlie2alpha)
- FIXED: Smart Connect page fails to save interface policies
- FIXED: VPNStatus page was broken on French locale
378.56 Beta 1 (12-Oct-2015)
- NEW: Merged with GPL 9177.
- NEW: Added support for the RT-AC88U.
- NEW: Support for Russian ISP Telenet (code by theMIROn)
- NEW: ipset support in dnsmasq (patch by ryzhov_al)
- NEW: default loglevel is now configurable and defaults to
5 (notice) instead of 0 (emergency)
- NEW: local syslogd loglevel is now configurable through the webui.
- NEW: Support for extra-certs in OpenVPN
- NEW: Editable DHCP static leases list, virtual servers, port triggers.
- NEW: IP addresses on the Network Service Filter page can now be
subnets in CIDR format (i.e. 10.0.0.0/24)
- CHANGED: Updated miniupnpd to 20150723 snapshot
- CHANGED: Updated openvpn to 2.3.8
- CHANGED: Updated dropbear to 2015.68 + upstream patches
- CHANGED: Updated minidlna to 1.1.5.
- CHANGED: Support up to 5 different OpenVPN clients (to match Asus)
- CHANGED: Maximum openvpn policy rules reduced from 128 to 100, fewer
priority slots wasted in the RPDB tables (could have been a
problem with the increase in the number of supported clients)
- CHANGED: Improvements to VPN Status page
- CHANGED: Connection failure reason shown on the OpenVPN client
- FIXED: Router crash when an invalid or corrupted DH parameter
is used on an OpenVPN server configuration.
- FIXED: 2.4 GHz temperature would be missing on the Sysinfo
page when disabling the 5 GHz radio on the RT-AC3200.
- FIXED: Max tracked connection limit wasn't user-editable
- FIXED: Resource leaks in ez-ipupdate if an update failed
- FIXED: Networked printers coming out of sleep every time
networkmap queried their LPR service
- FIXED: Resource leak in networkmap when scanning for
- REMOVED: Regulation mode setting on Wireless -> Professional.
This can't be adjusted anymore, as it was moved to
a closed source component.
- FIXED: DHCP lease page could get confused by IPv6 clients on
378.55 Beta 2 (11-July-2015)
- CHANGED: Updated dnsmasq to 2.73 RC9 (backport from GPL 6975)
- CHANGED: Updated odhcp6c to newer version (backport from GPL 6975)
- CHANGED: Updated openssl to 1.0.2d (fixes CVE-2015-1793, only present
in Beta 1 - 54_2 was not affected)
- CHANGED: Display existing key/certs on the OpenVPN pages once
they've been migrated to JFFS.
- FIXED: Time scheduler-related features (Parental Control & Wifi
scheduler) were broken (backported fix from Asus's GPL 6975)
(beta 1 regression)
- FIXED: QTN firmware was still being copied to RAM rather than rely
on the symlink to flash added in Beta 1, to save 4 MB of RAM.
- FIXED: Dropbox cloud sync would fail on some setups (backport
from GPL 6975)
- FIXED: Entware-setup script would generate an invalid services-start
- FIXED: Duplicate zoneedit entry on the DDNS service list.
378.55 Beta 1 (3-July-2015)
- NEW: Merged with GPL 6117. Notable changes from Asus:
o New token-based webui authentication (more secure)
o OpenVPN certificates moved to JFFS2, saving nvram.
key/cert fields will show up empty on the webui,
any new key/cert you paste will be written back
to /jffs/openvpn/ . This means that if you revert
back to a previous version, your key/certs will
no longer be in nvram, so OpenVPN instances will
fail to start.
o New network client list on the network map
o CTF support for PPTP/L2TP WAN (Russian ISPs) (ARM)
- NEW: Reformatted DHCP lease list under System Log.
- NEW: Reformatted Port Forward page under System Log.
- NEW: Reformatted Route Table page under System Log.
- NEW: Reformatted IPv6 Status page under System Log.
- NEW: Display more details about UPNP/NAT-PMP/PCP redirections
on the Port Forward page.
- CHANGED: The JFFS2 partition is now always enabled, as it is
required by various firmware functions. The options
to format it or to enable/disable user config/scripts
- CHANGED: Updated OpenVPN to 2.3.7.
- CHANGED: Updated OpenSSL to 1.0.2c.
- CHANGED: Use a pre-generated 2048-bit DH from RFC 3526 instead of
generating our own when doing the first time setup for
OpenVPN servers. This is necessary as openssl 1.0.2b and
up now reject 512-bit DHs, and generating a 1024-bit
would take far too long on a router.
The end-user still has the possibility of providing his
own - as long it's 1024-bit or stronger.
- CHANGED: Updated minidlna to upstream Git snapshot from 2015-06-26,
and switched to the newer build system.
- CHANGED: Upgraded ffmpeg from 0.6.0 to 0.7.17.
- CHANGED: Accept DHCP lease duration of up to 31 days on the DHCP page
- CHANGED: No longer regularly flush caches from memory on ARM
router. This will mean a lower amount of free memory is
shown, however that memory gets freed whenever something
actually needs it, so this is normal. (ARM)
- CHANGED: Display the size of cache memory on the Tools -> Sysinfo page
- CHANGED: Improvements to the Networkmap (ability to remove an entry,
removed the alert() from modifying an existing entry)
- CHANGED: Save over 4 MB of RAM on the RT-AC87U by not copying
the QTN firmware to RAM (RT-AC87)
- FIXED: Wireless Log page would fail to load if the SSID
contained certain characters
- FIXED: Wireless Log page would fail to load when in Media Bridge
mode on the RT-AC87U
- FIXED: DDNS page would complain about an empty account field
when setting it to CUSTOM with no prior value in that field.
- FIXED: Automatically generated DH was too weak (512-bit) and
preventing clients based on newer OpenSSL releases from
connecting. We automatically replace any weak PEM with our
- FIXED: minidlna could get stuck building its database (reverted
Asus's recent memory optimizations)
- FIXED: The exported opvn config for clients had the incorrect port
- FIXED: Busybox's zcip was missing a patch from 378_4950, preventing
it from working (and in turn preventing igmpproxy from working
for people with PPPoE connections where their modem does not
provide any DHCP lease to the physical WAN interface)
- Some of the builds were unstable, did a complete recompile of all
releases. There was no code change.
IMPORTANT: if you were previously using the AiProtection ad blocker, you
will need to manually disable it over SSH after flashing this
release, by running the following commands:
nvram set wrs_adblock_popup=0
nvram set wrs_adblock_stream=0
- NEW: Merged with Asus GPL 378_5134.
- NEW: OpenVPN policy rules can now be set to route matching traffic
through either the tunnel, or to your ISP (allowing you to
create exceptions to your tunnelling rules)
- NEW: Added OpenVPN server setting to let the OS manage
socket buffers (by inserting rcvbuf 0 and sndbuf 0 in
the server configuration)
- CHANGED: Upgraded OpenSSL to 1.0.2a, adding new tls ciphers
to OpenVPN and the https webui
- CHANGED: Updated miniupnpd to 1.9.20150430
- CHANGED: Reverted kernel backport of the parallel printer support,
and reintroduced fix in lprng. This should hopefully fix
the recent printing breakage issues.
- CHANGED: Removed AiProtection's ad blocker, as it's too buggy to
be usable, breaking numerous mobile applications,
and not being configurable in any way.
- CHANGED: OpenVPN policy routing rules are now applied at boot
time (when WAN comes up), so clients who are blocked while
a tunnel is down will immediately be blocked until
the tunnel comes up.
- CHANGED: Upgraded Quantenna firmware to 378_6065 release (AC87)
- FIXED: Router DNS weren't reverted to their original values
when shutting down an OpenVPN client with "explicit-
exit-notify" enabled. Now we manually clean it up
after the user manually terminates the client - it might
still not be cleaned up after an unexpected shutdown however.
Ideally, users should try avoiding using this setting when
- FIXED: Some legitimate VPN packets could get dropped due to their
conntrack state. Now, only INVALID packets coming from the
WAN interface are dropped.
- FIXED: OpenVPN client would sometime try to connect before the clock had
been set by NTP at boot time, preventing it from connecting.
- FIXED: AiProtection security check would fail to load when Dual WAN is
- FIXED: Various fields would allow you to enter a single quote character,
which could break the webui. Now these fields re-validate the
content after you deactivate the text field.
- FIXED: Switching between All Traffic and Policy Mode OpenVPN routing while
the option to block traffic when the tunnel goes down wasn't
properly removing those rules, so a tunnel going down in
All Traffic would still block policed clients.
- FIXED: EMF wasn't working on ARM models (missing userspace tool)
- NEW: Merged with Asus GPL 378_4980 (with pieces from 378_4850 for AC56/AC68
and 378_5183 beta for AC87)
- NEW: OpenVPN policy routing. You can select client IPs or destination
IPs which you want to route through your VPN tunnel. You can enter
a single IP (192.168.0.1) or a whole subnet in CIDR format (for
You can optionally block WAN access to these as well when the
tunnel goes down.
- NEW: Ad blocker based on Trend Micro's Web Reputation System (WRS).
This is an EXPERIMENTAL feature implemented by Asus but that
isn't enabled in the stock firmware.
- CHANGED: Updated Tor to 0.2.5.12
- CHANGED: Those providing a signed SSL certificate for httpd can now
provide chain certificate. The three PEMs must be in
that order: client, intermediate, CA. (Patch by sasoiliev)
- CHANGED: The setting to enable the neighbour solication filter rule
for Comcast's request flooding was changed to "ipv6_ns_drop",
and now defaults to "0" as this hack causes issues with
- CHANGED: Backported dnsmasq patch that reverts a fix for Windows 8
clients as it could cause issues with other clients.
- FIXED: DNSFilter would fail if you had it set to "Router", and didn't
have a DNS IP entered on the WAN page.
- FIXED: MSS clamping wasn't applied to traffic in both direction, moved
it to the mangle table.
- FIXED: OpenVPN client firewall "external" mode does not exist - removed
from the webui.
- FIXED: PPTP account list could become corrupted after removing an entry
on the PPTP server page.
- CHANGED: Updated AiCloud prebuilt binaries for MIPS models
- CHANGED: Applied kernel patch for MIPS kernel ported from 376_3861,
related to CTF support
- FIXED: AiCloud would fail to start unless you had HTTPS enabled for
the webui (causing the key/cert to be missing)
- FIXED: DDNS hostname would become corrupted after backing up
your router configuration (Asus bug)
- NEW: Merged with Asus GPL 378_4608
- NEW: Added ECDHE support to the webui (when accessed over HTTPS)
- NEW: The DHCP server can now provide a second DNS to its clients
- NEW: You can tell the router not to advertise itself as a DNS
- NEW: Experimental Tor support (feature originally developed by
Asus, but not available yet on stock firmware). You can
enable it in the VPN section of the webui.
- CHANGED: Updated miniupnpd to 1.9.20150309
- CHANGED: You can no longer disable the JFFS2 partition if
Traffic Analyzer is enabled. Likewise, you can
no longer enable Traffic Analyzer if the JFFS2
partition is disabled.
- CHANGED: The selected refresh rate of the Wireless Clients
page will be saved to a cookie
- CHANGED: Removed obsolete (non-safe) ciphers such as RC4
from the router's https webui
- CHANGED: Updated OpenSSL to 1.0.0r
- CHANGED: Removed Turbo button support from webui, as that feature
doesn't work with the current bootloader everyone is
using now (RT-AC68)
- CHANGED: Performance optimization to the httpd, dropbear
and rc services
- FIXED: 2.4 GHz and 5 GHz-1 clients were swapped on the
Sysinfo page (RT-AC3200 only)
- FIXED: Wifi PSK wasn't blurred until activated (regression
- FIXED: Samba's custom config/postconf were ignoring the
state of the global option to enable them (they
would always be used)
- FIXED: Samba's custom config/postconf usage wasn't logged
- FIXED: Some services would fail on their first attempt
to start at boot time due to the QTN subsystem
taking too long. Implemented patch from Asus
which eliminates the long QTN stall at boot
time. This resolves the issue where some users
had trouble connecting their WAN at boot time (RT-AC87U)
- FIXED: NAT rules could occasionally fail to be applied
(patch by john9527)
- FIXED: The Apply button on the Adaptive Bandwidth page
had a clickable area so wide that it even covered
part of the left side menu. (Asus bug)
- FIXED: USB menu was removed instead of Parental Control on
- FIXED: QoS page was still available on the AP/RP modes on
- FIXED: Error on OpenVPN Server page if using a DHCP pool for
- FIXED: UPNP would be reported as enabled on the security report
if it was enabled on the secondary WAN even if Dual WAN
itself wasn't enabled. Now we check that Dual WAN itself
is also enabled before reporting so. (Asus bug)
- FIXED: mtd-erase was unable to erase the brcmnand partition, which
is used as the JFFS2 partition starting with the RT-AC66U
(patch by benoitm974)
- FIXED: JFFS2 partition couldn't be formatted for all routers but
the RT-N66U (wrong partition name). Also resolved the case
where a second reboot was required to mount it.
- FIXED: RT-AC3200 port numbering was reversed on the Sysinfo page.
- CHANGED: Updated OpenSSL to 1.0.0q (no real code change)
- CHANGED: Split the changelog into a separate file
- CHANGED: Added logging on custom config/script execution.
An error message will also be logged if those
are disabled while such a file is found.
- CHANGED: Allow pasting the password in some fields that would
disable it (patch by gfairchild)
- FIXED: RSSI not reported for guest clients (beta 1 regression)
- FIXED: DM failing to install on RT-AC66U (beta 1 regression)
378.51 Beta 1 (28-Feb-2015)
- IMPORTANT: The RT-N16 is no longer officially supported. The increased
number of separate router platforms is becoming too much of
a burden for one single developer, as some features must be
implemented 2-3 separate times for different architectures.
The RT-N16 support will remain in the source code, so other
developers can still compile their own builds, and possibly
take over for supporting this older platform. However, no new
features will be implemented, and it will no longer get
tested. I still welcome external contributions if
someone else wants to take care of testing and providing
fixes to new issues.
- NEW: Added support for the RT-AC3200.
- NEW: ARM support for Entware, using Zyxmon's Qnapware repository.
- NEW: Re-designed Wireless Log page displaying connected wireless
clients. The new page uses Ajax to automatically update
itself at a user-selected frequency, for near realtime
monitoring of your connected wifi clients.
- NEW: NAT loopback can now be chosen between Disable, Asus's original,
and Merlin's own (based on Phuzi0n's original DD-WRT design). The
option can be found on the Firewall page.
- CHANGED: Reverted RT-AC66U driver to previous version as some users
were experiencing stability issues with the 3754 version.
- CHANGED: Updated p910nd to 0.97 to resolve incomplete print jobs
(patch by stsichler)
- CHANGED: Updated Samba to 3.6.25
- CHANGED: The Entware setup scripts will now backup any existing
installation rather than remove it (patch by TeHashX)
- CHANGED: Re-implemented our original NAT loopback code, with attempts
at reconfiguring it whenever the DPI engine is restarted.
This is still experimental, as most of the DPI engine is
closed source, so unsure if the loopback gets re-enabled
in every regular DPI restart scenarios.
- CHANGED: Disabled the offline default error page. Clear your offline
content in your browser to fully get rid of it.
- CHANGED: Removed security warnings if FTP/Samba are configured to
allow unauthenticated users.
- FIXED: Issues when connecting with Russian ISPs relying on DHCP+VPN
(such as Beeline)
- FIXED: When enabling WAN access to webui, the router would always
forward both http and https ports regardless of if either of
these were disabled.
- FIXED: Shared printers over LPRng would sometime fail to
completely print the last page (patch by stsichler)
- FIXED: CVE-2015-0240 security issue in Samba 3.5.8 (used by
AiCloud). The main Samba daemon was patched by the
update to 3.6.25.
- IMPORTANT: You must do a factory default reset, and manually
reconfigure your setting if coming from a version
older than 378.50. Failure to do so can
lead to various issues with wifi, OpenVPN,
and the new AC68U bootloader.
- IMPORTANT: Please read this changelog, especially the changes
related to jffs, user scripts/config and OpenVPN in
the previous 378.50 betas.
- NEW: Merged with Asus GPL 378_4129 code.
- CHANGED: Reverted back to vsftpd 2.x, as 3.0.2 doesn't work properly
on MIPS architectures (and possibly other particular
scenarios as well).
- CHANGED: Added warning to the DDNS page if you set the type
to Custom and either JFFS or custom script support isn't
- FIXED: A few unescaped quotes in the French dict breaking VPN pages
- FIXED: MAC list would get corrupted when removing and re-adding
entries on the MAC filter list
- FIXED: AC68U CFE update wasn't written to flash due to permission
- FIXED: Static Key field wasn't visible when using HMAC authentication
- FIXED: syslogd was always enforcing the -S switch
- FIXED: When setting a static DHCP from the networkmap, the user-entered
name wouldn't be used. Now it gets used, and we rely on the rc
daemon to properly handle it if it's not a valid hostname (it will
simply not provide it to dnsmasq's static name list).
378.50 Beta 2 (31-Jan-2015)
- NEW: Added custom config and postconf support for avahi, netatalk
and mt-daapd (iTunes server).
- CHANGED: Moved the AC68U CFE update process to the same location
as in GPL 3626 to see if it works more consistently.
- FIXED: Non-DPI build of AC56U had incompatible Tuxera modules
- FIXED: vsftpd wouldn't start if you had IPv6 enabled.
- FIXED: Asus had disabled the NAT loopback fix on MIPS's iptables
in GPL 3762. Re-enabled.
- FIXED: Wireless clients that hadn't communicated in a while wouldn't
be properly shown on the Wireless log (patch by pinwing)
- FIXED: QoS rules weren't applied properly when IPv6 was enabled
(was changed in recent GPL - reverted it)
- FIXED: Can't apply a Custom DDNS if you don't have something entered
in the username/password fields (shown in other DDNS services)
- FIXED: NFS page wasn't properly loading
378.50 Beta 1 (25-Jan-2015)
- IMPORTANT: You must do a factory default reset, and manually
reconfigure your setting. Failure to do so can
lead to various issues with wifi, OpenVPN,
and the new AC68U bootloader.
- IMPORTANT: Please read this changelog, especially the changes
related to jffs, user scripts/config and OpenVPN.
- NEW: Merged with Asus 378_3913 GPL code. Most notable changes:
* Trend Micro DPI engine for RT-AC68U
* Updated Trend Micro engine for RT-AC87U
* Updated Quantenna firmware/driver
* Various updates to 3G/4G support and Dual WAN
- NEW: ddns-start user script, executed after the DDNS update
was launched (can be used to update additional services)
- NEW: Custom DDNS (handled through ddns-start script)
See the documentation for how to create such
- NEW: Option to enable support for custom scripts and
config files. This option is disabled by default, so
if you have a broken script that prevents the router from
booting, doing a factory default reset will ensure that the
broken script won't be executed, and recover access to the
router. This is necessary since the JFFS2 partition is
now enabled by default.
- CHANGED: Added logo to DNSFilter on the AiProtection
homepage (contributed by Piterel)
- CHANGED: Updated Openssl to 1.0.0p
- CHANGED: Merged Asus's newer NTP update code, with a fix
to prevent hourly log spam from the update process
when in a DST enabled timezone.
- CHANGED: Updated vsftpd to 3.0.2 (newer version used by
Asus on their Qualcomm-based routers)
- CHANGED: the qos-start script will be passed an argument
that will contain "init" (when setting up tc)
or "rules" (when setting up iptables).
- CHANGED: JFFS2 partition is now enabled by default, to be in
sync with Asus, who are starting to make use of this
- CHANGED: The Local IP in an IPv6 firewall rule can now be
- CHANGED: Download Master will now be downloaded at install time
rather than included in the firmware, to increase the
amount of space available to JFFS - this matches
the AC56/AC68. (N16, N66)
- FIXED: Under certain conditions, the OpenVPN server page
would report an initializing state when it was
- FIXED: First OpenVPN client/server instance wasn't properly
run on the second CPU core, resulting in lower
- FIXED: Router IP wasn't advertised through DHCP as WINS
server if WINS was enabled
- FIXED: OpenVPN would crash if specifying "None" as
the cipher (regression in OpenVPN 2.3.6)
- FIXED: The "empty" category was removed by Asus a
few months ago, preventing you from removing
an assigned priority on the Adaptive QoS
page. Re-added it.
- FIXED: Port triggers weren't written to the correct
iptables chain (Asus bug)
- FIXED: When moving from stock to this firmware, the OpenVPN
Server 1 instance gets automatically enabled because
Asus hardcodes "1" into the nvram setting that handles
start at wan. Changed to a different nvram to resolve
this conflict. This means everyone must re-enable their
OpenVPN server instance after upgrading from any version
- FIXED: dnsmasq would run out of available leases if you had a
very small DHCP pool combined with many out-of-pool
reservations. Now the limit will be either 253 or the
pool size, whichever is the largest (Asus issue)
- FIXED: SSHD port forwarding couldn't be enabled/disabled
- FIXED: DHCP log spam when using IPv6 with a Windows 8
client (patch by pinwing)
- FIXED: snmp exposes a lot of sensitive information such as
login credentials, therefore all the custom Asus MIBs
have been disabled.
- FIXED: Very long SSIDs with special characters/spaces in them
would be shown as "undefined" in the banner.
- FIXED: Curl would fail to access SSL sites due to lack of
a CA bundle.
- FIXED: Vulnerability in infosvr (CVE-2014-9583) (Asus bug)
- FIXED: Additional security issue in infosvr (incorrect memcpy()
call) (Asus bug)
- FIXED: WAN page error when entering a hostname, and broken
UPNP FAQ link
- FIXED: OpenVPN Server wasn't showing the Advertize DNS to
Client option (regression from 3677 merge)
- FIXED: bootloop when enabling Traditional QoS (or any other
feature that forces CTF to be disabled) due to
FA being left enabled (Asus bug) (AC87)
- FIXED: Asus DDNS couldn't be configured on the webui
- FIXED: OpenVPN server wouldn't let you edit user accounts
- FIXED: Missing DLNA icon on clients (Asus bug) (N66, AC66)
- NEW: Merged with Asus GPL 376_3677. This new code
includes a lot of changes related to USB modem
- NEW: IPv6 handling based on dnsmasq + odhcp6c. This new
code which has been developped by Asus these past few
months but kept disabled so far has been enabled.
Initial tests show much better reliability with
- NEW: Added IPv6 support to DNSFilter (currently only
Yandex has IPv6 servers). Note that unlike IPv4
filtering, we cannot automatically NAT queries
to the desire server, so the current implementation
works like Asus's YandexDNS service, where IPv6 servers
are simply returned to DHCPv6/RA client queries,
and ip6tables ensures that you cannot override
them, by rejecting connection to other DNS servers.
- CHANGED: Merged newer DPI engine from 378_3123 beta
- CHANGED: Removed SSLv2 and v3 support from OpenSSL
(we had already stopped using these in
376.48, so this removes unused code)
- CHANGED: The VPN webui is now a bit closer to Asus's code.
This will mostly make it easier to keep in
sync with future changes to that UI by
Asus (they rearranged the layout a bit in
- CHANGED: Updated OpenVPN to 2.3.6
- CHANGED: Reverted to Asus's max-lease number calculation
- CHANGED: Hide wireless key on settings page unless field
has focus (patch by John9527)
- CHANGED: Ported USB 3.0 (XHCI) kernel driver from
Netgear GPL (which seems to have in turn
backported it from upstream kernel 3.x)
- CHANGED: Updated Quantenna to v22.214.171.124 (AC87)
- FIXED: vsftpd wasn't properly compiled with SSL
- FIXED: MAC filtering couldn't be disabled on Guest
networks (Asus bug) (Patch by John9527)
- FIXED: Various fixes and tweaks to the new IPv6
code from Pinwing and saintdev
- FIXED: Editing a client on the networkmap would
cause any matching DHCP reservation entry to
lost its hostname
- REMOVED: The web redirection control setting was
removed, as it is being replaced by the
(simpler) redirection setting Asus added
to the System page.
- FIXED: NAT loopback was broken on MIPS devices
(backported Asus fix from 376_3626)
- FIXED: Samba would fail to start on the RT-N16 due to a
- FIXED: Max-lease calculation Asus introduced in 376_2769 is
broken - re-hardcode it to 253 like they used to do in
previous release. Will be properly fixed once they
release a newer GPL with this issue resolved.
- NEW: Added the RT-AC68P to the list of supported devices
- CHANGED: Use sha256 checksums instead of MD5 for improved
security when validating your downloads.
(note: checksums are also posted on the support
forum at SmallNetBuilder)
- CHANGED: Switched my fix for unmounted/hidden partition
support with Asus's own fix from GPL 3561.
- FIXED: Samba would fail to start if the router admin username contained
upper case characters. Samba was modified to have it try to
local the UNIX user as provided (it was previously only
trying upper and lower case versions) (Samba 3.6 bug)
376.48 Beta 3 (02-Nov-2014)
- CHANGED: Updated miniupnpd to release 1.9 (plus upstream PCP fix)
- FIXED: Couldn't edit share permissions for Samba if your disk
contained an unmounted/hidden partition (Asus bug in 2769)
- FIXED: Couldn't edit share permissions for Samba for the RT-N66U
internal SDcard reader (Asus bug in 2769)
- FIXED: Missing Max User field to Samba page (Asus bug)
376.48 Beta 2 (26-Oct-2014)
- NEW: Added logo to the webui header
- CHANGED: Samba 3.6 will now use libiconv to handle
charset conversion (will resolve CP850
warnings amongst other things)
- CHANGED: Updated miniupnpd to 20141023 code from Github.
- CHANGED: Updated dropbear to 2014.66.
- CHANGED: Reverted NTP update code to GPL 2678 in hopes of
resolving the few cases where it didn't work anymore.
- FIXED: minidlna is once again able to use inotify for updates.
A temporary workaround has been implemented where
minidlna will be staticly linked with a threadsafe
build of sqlite3, while BWDPI will continue to use
the shared non-threadsafe library. (Asus bug)
376.48 Beta 1 (18-Oct-2014)
- NEW: Merged with Asus 376_2769 AC87 GPL
- NEW: Enabled numerous modules in net-snmp (based on the list
used by OpenWRT)
- NEW: Added postconf and custom config support for snmpd.conf
- NEW: Added HID support to ARM kernel (AC56,AC68,AC87)
- CHANGED: Reverted NAT loopback code to Asus's, since our own
code is currently broken by recent FW code changes.
- CHANGED: Updated openssl to 1.0.0o, resolving a few security issues.
- CHANGED: Disabled SSLv2 and SSLv3 support for https access to the
router webui. IE6 users, your time is up - upgrade.
TLS 1.0 is now the only supported protocol.
- CHANGED: upgraded main Samba server from 3.0.x to 3.6.24. This might
cause a slight drop in performance, but should improve
both reliability and security.
- FIXED: DNSFilter client list dropdown would sometime be empty.
- FIXED: DNS queries run on the router were forwarded to upstream
nameservers instead of the local dnsmasq
- FIXED: Re-added the USB HID kernel module needed for UPS monitoring
(patch by ryzhov_al)
- FIXED: Incorrect top margin on some pages such as AiCloud, and
stretched font on the progress splash (Asus bug)
- FIXED: URL and keyword filtering wasn't working under certain
situations when CTF was enabled
- FIXED: Mac Filtering wasn't working with Guest networks
(Asus bug) (Patch by saintdev)
- FIXED: Chosing a client on the MAC Filter page wasn't properly
filling the Name field. Also reorganized layout a bit.
- NEW: Added sha256 and sha512 HMAC support to dropbear (SSH)
- CHANGED: Moved OpenVPN postconf scripts right before server/client
gets started, so you can also use them to modify the other
generated files such as the exported ovpn config file.
- FIXED: SSHD options visibility (patch by pinwing)
- FIXED: EMF/IGMP settings were reverting to the select profile
default (Asus bug introduced in GPL 2678)
- FIXED: PPTP account list failed to display (regression in Beta 1)
- FIXED: VPN server page was switching back to PPTP when changing
OpenVPN unit and you were initially on the PPTP page
- FIXED: Activity indicator wasn't shown during a networkmap
376.47 Beta 1 (14-Sept-2014)
- NEW: Merged with Asus GPL 2678 (AC87)
- NEW: Report Quantenna FW version on Sysinfo page
- NEW: Enabled experimental FTP and Samba Cloud Sync support in AiCloud.
This feature is still in development by Asus, so it might not be
fully functional yet.
- NEW: Enabled experimental SNMPD support, under Administration -> SNMP.
This feature is still in development by Asus, so it might not be
fully functional yet. (not available on the RT-N16)
- NEW: Added option to enable WAN access to SNMPD, defaults to disabled.
(Asus's implementation has it open to the WAN by default)
- CHANGED: Re-increased max allowed FTP user limit to 10 (was reverted
to 5 in the GPL merge when the setting was moved to the
- FIXED: PPTPD was getting enabled every time you clicked Apply while on
the PPTPD VPN Server page
- NEW: Merged with Asus GPL 2061. This is essentially
the new QTN driver for the AC87.
- FIXED: Various webui issues with IE10/IE11 (patch by pinwing)
- FIXED: OpenVPN Client page was visible on the RT-N16
- FIXED: DHCP pool validation error on VPN Server advanced page.
- FIXED: Couldn't edit the first VPN Client entry due to broken
duplicate check (Asus bug)
- NEW: Compiled vsftpd with SSL support (must be manually
configured if you intend to use it)
- NEW: Report FA state (Level 2 CTF) on Sysinfo page.
- CHANGED: Updated dropbear to 2014.65.
- CHANGED: Updated openssl to 1.0.0n (numerous
- CHANGED: Updated lzo to 2.08
- CHANGED: Reworked VPN Server pages to be more intuitive
- FIXED: Garbled client dropdown selector on DNSFilter page
- FIXED: The Comcast neighbour solicitation block wasn't
enabled anymore (regression in 376.44) (Patch by
- FIXED: 5 GHz N+AC mode was incorrectly setting router to
N-only mode (Asus bug, fix backported from 2381,
additional fix by me for AC66)
- FIXED: PControl page failing to display on French and
Italian locales (Asus bug)
- FIXED: IPv6 can occasionally fail to work properly when
using a PPPoE WAN interface (patch by pinwing)
IMPORTANT: Make a backup of your JFFS partition if upgrading
an RT-AC56U or RT-AC68U and you have stored files
on that partition! The partition layout has been
- NEW: Merged with Asus's 376_2044 GPL.
Summary of changes:
* New networkmap, lets users edit device names,
assign icons to devices, etc...
* Reworked IPv6 support
* New filesystem driver provider for NTFS/HFS+/FAT
* Webui visual update
* Updated components (minidlna, radvd, dnsmasq)
- NEW: Added support for RT-AC87U.
- CHANGED: Updated N66U wireless driver to Asus's 1071 build
- CHANGED: Updated miniupnpd to Git head (as of 20140731)
- CHANGED: The JFFS partition on ARM devices now uses
Asus's code, which means the whole unused space
is now used for the JFFS partition.
- CHANGED: Made all ARM models use the new filesystem drivers from Tuxera,
resulting in general improved USB disk performance (and
hopefully improved reliability as well) (AC56, AC68)
- CHANGED: The wifi notification icon will now report
channel and channel width for the 5 GHz band,
as the extension channel wasn't always accurately
- CHANGED: Reworked layout of SSH settings on System page (based
on Asus's own WIP)
- CHANGED: Allow FQDN (hostname + domain) rather than just
hostnames on the WAN page (some ISPs require that)
- FIXED: Missing mDNSResponder daemon preventing mt-daapd
from working on MIPS devices (N16,N66,AC66)
- FIXED: System Log wouldn't properly be positioned
at the bottom (Patch by John9527)
- FIXED: DNSFilter clients configured to bypass DNSFilter
would still be prevented from using an IPv6 DNS.
- FIXED: Incorrect IPv6 prefix if not a multiple of 8
(patch by NickZ)
- FIXED: OpenVPN firewall cleanup was missing rules
(patch by sinshiva)
- FIXED: Minidlna issues with Philips smart TVs
- FIXED: SSHD brute force protection wasn't working if
Dual WAN was enabled and set to LB mode.
- FIXED: Miniupnpd error flood in Syslog when using a
Plex server on your LAN (fix from upstream)
- REMOVED: Reverted various IPv6-related patches as they
conflicted with Asus's own changes. These might
make it back at a later time if deemed
- REMOVED: Removed layer7 filtering support in Netfilter from
ARM devices due to compatibility issues (AC56,AC68)
- REMOVED: Removed IPsec support from ARM devices due to
compatibility issues (AC56, AC68)
- FIXED: NTFS disks couldn't be mounted (Paragon driver not
loading due to a kernel change) (AC56, AC68)
- NEW: User-configurable refresh period to trigger a DDNS
update after a certain number of days.
- CHANGED: dnsmasq option 252 now defaults to an empty string,
to silence broken clients such as Win7.
Important: if you were previously using a customized
252 reply (to use with a valid wpad/pac file), you
will need to use a postconf script to change the
default config instead of appending your own
If you use DNS-based WPAD setting, you will need
to remove the 252 option using postconf, as IE will
not query for the DNS entry if there is a 252
option through DHCP, even if it fails to connect to it.
- CHANGED: Updated miniupnpd to 1.8.20140523.
- CHANGED: Updated openssl to 1.0.0m.
- CHANGED: More backports from OpenSSL 1.0.2, improving SHA
performance on ARM routers.
- CHANGED: The JFFS2 partition is now disabled by default after
a factory default reset.
- FIXED: Media server page wouldn't let you enable the iTunes
server unless you also enabled DLNA (Asus bug)
- FIXED: Restricted guests still had access to the router (Asus
bug introduced in GPL 4887)
- FIXED: 6in4 traffic wasn't bypassing CTF if dualwan mode was
either disabled or set to failover mode (AC56/AC68)
- FIXED: Single character workgroups were rejected as invalid
- FIXED: Networks with SSIDs containing single quotes
would break the client list (Asus bug)
- FIXED: Traffic Monitor results are wrong on PPPoE connections
(Asus bug) (Patch by pinwing, additional debugging
- FIXED: Crash if entering close to 64 MACs plus their names on
the MAC filter page.
- FIXED: Time Machine support (AC56, AC68)
- NEW: Merged with Asus's 374_5656 GPL.
- NEW: Added Comodo Secure DNS to supported DNSFilter services
- FIXED: Download2 folder wasn't selectable anymore on the
Media Server page.
- FIXED: Pass correct valid and preferred lifetime to radvd when
using DHCPv6-PD (Patch by pinwing)
- FIXED: IPv6 connectivity could be lost after 1-2 hours due
to the time shift caused by NTP at boot time
(Patch by pinwing)
- FIXED: Various IPv6 connectivity issues related to services
being (re)started at the wrong time, or twice.
(Patch by pinwing)
- FIXED: Build system would sometime try to use the local system's
header/libs - use a pkg-config wrapper to avoid this
issue (Patch by ppuryear)
- FIXED: Erratic 5G led blinking behaviour as the watchdog's software-
based blinking was constantly writing to the wireless chip's
registers for led control. (AC68)
- FIXED: LEDs weren't all turning back on when coming out of
Stealth Mode (AC56)
- CHANGED: Make the router use dnsmasq for internal name
resolution rather than directly using the WAN DNS.
- CHANGED: Upgraded OpenVPN to 2.3.4.
- CHANGED: Upgraded miniupnpd to 1.8.20140422 (PCP-related fixes)
- NEW: Merged with Asus's 374_5047 GPL. Notable changes:
* Fixed RT-AC68U random reboots
* Additionnal security fixes
* Improved Media server, SMB and FTP webui
* minidlna and radvd updates
- NEW: PCP support (Port Control Protocol)
- NEW: Option to allow/deny FTP access from WAN. Default is to
reject WAN connections. The option can be found on the
USB Servers -> FTP Share
- NEW: Option to control web redirection while Internet is
down (configurable on the WAN page).
- CHANGED: Upgraded miniupnpd to 1.8.20140401.
- CHANGED: Disk idle exclusion now supports up to 9 disks.
- FIXED: WOL wasn't working (Asus bug in 4887/5047)
- FIXED: Replaced webui glue with permanent concrete. It won't
- FIXED: Language dropdown not properly shown with 8-bit
- FIXED: Comcast's IPv6 network would flood the LAN with
neighbour solicitation packets, which should normally
not cross beyond their modem. There is now an ip6tables
rule to filter out those packets, preventing your log
from being spammed with table overflows. The filter is
is enabled by default and can be disabled by setting the
"ipv6_neighsol_drop" nvram setting to "0". (rule suggested
- FIXED: EMF wasn't properly configured after wireless was
restarted (patch from Vahur)
- FIXED: Router crashing when more than around 30 static routes
- FIXED: webui would die for some users when accessing the VPN Server
config page and there were connected OpenVPN clients
- FIXED: Added missing iptables-save on ARM platform (AC56, AC68)
- FIXED: nvram factory default reset would sometime fail on MIPS
devices (N16, N66, AC66) (Patch by ryzhov_al)
- FIXED: Under a certain situation the router could lose track of
whether an OpenVPN server/client instance was running or not.
This could result in the webui trying to restart it, and
returning an error message because it was already running.
- REMOVED: The Media server database location is no longer
configurable, as we've switched to Asus's new
automatic location selection.
- REMOVED: Removed the Run Cmd page as it was a security
risk. This is also needed to keep in line with
recent security fixes Asus applied to the
httpd backend to limit what external processes
it can run, otherwise any malicious page could
run arbitrary commands on your router if you
were currently logged on a separate tab.
- KNOWN ISSUE: Some people are experiencing random reboots
with the RT-AC68U running firmwares based on recent Asus GPL.
If you are are affected, please revert to 374.40 alpha4 for now.
Asus are looking into the issue, which affects this model since
- FIXED: Asuswrt was calling wl_defaults() every time the
wifi was restarted, causing Regulation Mode to be
overwritten. Now we force it to h mode if the
router model and region requires DFS compliance
(same as Asus's code, except we won't enforce
it to off in other scenarios, and will only do
so if it was previously set to off).
- FIXED: Advanced wireless page broken on Internet Explorer, due
to missing Array.IndexOf() support in IE (Asus bug)
- FIXED: Incorrect model detection prevented CPU temperature
from being shown on the Sysinfo page on the "R" SKUs.
374.40 Beta 2 (5-March-2014)
- FIXED: Numerous buffer overruns in networkmap that would result
in crashes or empty/incomplete device list. Was often
visible on networks hosting a Windows Home Server machine.
- FIXED: Site survey was reporting 5G as being disabled on RT-N16.
- FIXED: Various issues related to the helper.sh script for postconf
- FIXED: The OpenVPN instance wasn't restarted if it was currently
stopped due to a syntax error in its config and you had
just corrected it.
- FIXED: Restarting the wireless service would stop emf/igs snooping
until they were manually restarted/recconfigured. (Asus bug)
- FIXED: Channels above 153 were missing on 5 GHz band if width
is set to 40 MHz (Asus bug)
- FIXED: reg_mode was being enforced to "h" (EU region) or "off"
(others) since GPL 4422. We now stick again to what's
set in the webui by the end user.
- FIXED: Allow LAN traffic while dualwan mode is set to lb (issue
caused by the default policy fix in beta 1)
374.40 Beta 1 (1-March-2014)
- NEW: Merged with Asus's 374_4561 GPL. Notable changes:
* Various security-related fixes
* Redesigned Parental Control webui
* Notification in case of insecure configuration
- NEW: Added OpenDNS Family Shield support to DNSFilter
- NEW: Added support for up to three user-defined servers to DNSFilter
- NEW: Added option to force DNSfilter clients to always use the DNS
provided to them by the router's DHCP server (which will be
the router itself if you didn't change it on the DHCP
- NEW: Option to disable the DHCP6 Server (code contributed by
- CHANGED: The RT-N66U is now compiled with EM enabled
by default. That means there will no longer be a separate
experimental build for this.
- CHANGED: Updated dropbear to 2014.63
- CHANGED: New type of glue for the webui header
- CHANGED: Switched to a shorter version numbering scheme
- FIXED: RT-N16 firmware (missing files were obtained from
the new GPL release Asus made for this model)
- FIXED: Last24 page wasn't properly displaying the
Avg value (regression in 374.39)
- FIXED: Clients with a configured IPv6 DNS would bypass
DNSFilter. DNSFilter-enabled clients will now
be prevented from using IPv6 nameservers, forcing
them through the (IPv4-only) filtering nameserver
- FIXED: DNSFilter clients set to "None" would still be
forced through your WAN-configured nameservers,
preventing nameservers configured on the clients
from working. Now they will fully ignore the DNSFilter
- FIXED: The global DNSFilter would sometime not get properly
configured in the firewall.
- FIXED: When the firewall was disabled, the FORWARD chain
policy was still left to "DROP" - changed to "ACCEPT".
- FIXED: typo in SMB config ("use spne go") (Asus bug)
- FIXED: PPPoE with an MTU of 1500 requires the WAN interface
to have its MTU set at 1508 (patch by pinwing)
- FIXED: IPv6 Prefix Delegation issues (patch by pinwing)
- FIXED: MTU setting on IPv6 connections (patch by pinwing)
This version isn't available for the RT-N16 as support for the
SDK5 platform is currently broken in the latest GPL sources.
- NEW: Merged with Asus 374_583 GPL. Notable changes:
* USB hub support
- NEW: DNS-based filtering. Under Parental Control there is
now a new tab called DNS Filter where you can enable
a DNS-based filtering service, and apply a specific
filter both globally and on a per-client basis. Supported
are: OpenDNS, Norton Connect Safe and YandexDNS.
- NEW: helper.sh script, to simplify creation of postconf
scripts. See the postconf section for details.
- CHANGED: Discontinued SDK5 builds for the RT-N66U. The new EM
builds resolved wifi range issues by running the SDK6
driver set in Engineering Mode (driver provided by Asus).
Look in the Experimental folder for the EM build - it will
eventually become the standard build for the N66U once
it gets sufficiently tested. You might need to do a
factory default reset after switching to an EM build,
for best results.
- CHANGED: Re-switched back to rp-pppoe 3.11 since nobody confirmed
that 3.10 worked better for them.
- CHANGED: Allow PPPoE MTU up to 1500, for ISPs that support RFC 4638.
- CHANGED: Additional webui performance improvement by caching CSS.
- FIXED: DHCPv6 client failing to start if the router username was
changed from "admin" (Asus bug) (patch from Saintdev)
- FIXED: DHCPv6 client failing to request an IP with some ISPs
such as Comcast (Asus bug) (patch from Saintdev)
- FIXED: SMB shares were accessible over WAN, bypassing Netfilter
(Asus bug) (AC56/AC68)
- FIXED: USB read speed would be limited by the QoS upstream
configuration (Asus bug) (AC56/AC68)
- FIXED: Resolution of local machines with domain appended would fail
when using a nameserver that does not return nxdomain errors
(such as OpenDNS) (Asus bug)
The new behaviour is configurable on the LAN-> DHCP page,
in case you run your own nameserver which is expected to
handle both local and remote domains. Default is to not
forward these (to allow OpenDNS to work properly).
- FIXED: OpenVPN Client page - changing the local IP wouldn't always be
- FIXED: Well-known services not properly applying settings on the
Network Services Filtering page (Asus bug)
- FIXED: Webui crash when importing an ovpn with invalid cert/keys
- FIXED: resolv.conf not reverted to its original content after an
OpenVPN client that gets DNS pushed to it would disconnect.
- FIXED: The average rates on the realtime traffic page would be
calculated based on the max number of samples (300) instead of
the currently collected number of samples (Asus bug)
- REMOVED: YandexDNS has been removed, since its functionality is now
provided by the new DNSFilter.
- CHANGED: Improved webui responsiveness by instructing the browser
to cache images.
- CHANGED: Reverted minidlna to 374.37 code. While the latest code
brings some fixes, it seems to also break functionality
for a small number of users. Too many low-level changes
from the minidlna author to make it easy to debug.
- FIXED: Syntax error in DHCPv6 client config (Asus bug)
- FIXED: Domain field wasn't clearly identified on the webui
when DDNS set to Namecheap (Saintdev)
- FIXED: Missing carriage return in dnsmasq.conf when PPTP VPN
is enabled, causing LAN name resolution issues.
- FIXED: A few unescaped quotes in the French dict would break
some webui pages (such as the Wireless page).
- FIXED: OpenVPN server export would always export the first
server instance configuration.
- FIXED: Bogus "Config file is missing" error logged by pptpd when
it was starting (Asus bug)
- FIXED: "Advertise DNS" wasn't visible if the page was loaded and
"Respond to DNS" was already enabled.
- FIXED: Tools -> Run Cmd page wasn't working (regression
- FIXED: Router getting stuck on various webui changes due
to a broken precompiled emf module (AC56/AC68)
This version isn't available for the RT-N16 or the SDK5 build
of the RT-N66U as support for the SDK5 platform is currently
broken. Please stick to 374.36 Beta 1 for the time being on
these two platforms.
Note that the RT-N66U did get a newer wifi driver, so give it a
try, as it might have resolved or at least improved on the wifi
Remember to do a factory default reset if switching from SDK5 to
SDK6 builds! Keep a backup of your existing settings in case you
decide to revert back to an SDK5 build.
- NEW: Merged with 374_2078 GPL provided by Asus (From RT-N66U).
* Updated SDK for MIPS devices - 126.96.36.1992 (r382208)
* PPPoE HW acceleration should be fixed by the new SDK
* Updated AiCloud closed source components (MIPS)
- CHANGED: Reverted Parental Control code to our fixed code,
as I see Asus is still making fixes to their own
code past version 2078.
- CHANGED: Updated AC56 and AC68U wifi driver and CTF to
January 3rd builds (provided by Asus)
- FIXED: emf/igs userspace tools were missing on ARM devices
- FIXED: USB devices missing on MIPS devices (regression
- FIXED: Wifi stability on ARM devices (regression in
* This build was pulled due to numerous issues *
- NEW: Merged with Asus 374_501 GPL (from RT-AC68U).
Notable changes in this version:
* New SDK (wireless driver and CTF) for AC56/AC68
* dnsmasq updated to 2.68
* radvd updated to 1.9.5
* Improved IPv6 support
* Fixed Parental Control (A-M's own fix was replaced with
this new one for consistency)
* More details shown on Wireless Log page (their changes
were merged with our own changes)
- CHANGED: Dropbear default path will now include the locations
- CHANGED: Don't include a cert/key section in exported .ovpn if the
router has "User authentication only" enabled
- CHANGED: Display in which chain a given port forward rule is, on the
Port Forwarding page. Allows to distinguish manual forwards
from upnp forwards.
- CHANGED: The state of PPTP/L2TP client connections will be reported
on the VPN Status page.
- CHANGED: Removed the display of global OpenVPN statistics on the
VPN Status page.
- CHANGED: Upgraded AiCloud binary components on MIPS routers to
374_1631 build (N16/N66/AC66)
- FIXED: OpenVPN clients with DNS set to "Strict" weren't properly
setting dnsmasq to use "strict-order"
- FIXED: Garbled resolv.conf generated when adding an OpenVPN client DNS
- FIXED: OpenVPN Client static key was incorrectly processed when shown
on the webui.
188.8.131.52.374.36 Beta 1 (23-Dec-2013):
- NEW: Added ECDSA key support for SSH
- NEW: postconf scripts. This allow you to modify a generated
config file (for example, smb.conf) before the service
using it gets started.
- NEW: layer7 Netfilter module on ARM devices (AC56, AC68).
Note: traffic accounting must be manually enabled on
these devices (see the Layer7 section in the FW's README)
- CHANGED: Updated dropbear to 2013.62
- CHANGED: Improved rendering of the VPN Status page
- CHANGED: Extended retry period for WAN DHCP queries to 160 secs
in Normal DHCP mode to give time to Charter to
unblacklist customers being accidentally blocked by them.
- CHANGED: Downgraded rp-pppoe from 3.11 to 3.10 to see if it's
more stable for some PPPoE users
- FIXED: Some VPN client username/passwords were incorrectly handled
- FIXED: When disabling Dual WAN, WAN unit wasn't being reset to
unit 0, preventing users from editing the correct unit
- FIXED: If you replaced the Asus generated CA with your own, the
exported ovpn file would contain your CA with the
Asus-signed client cert/key. Now, we only insert the
client cert/key if it was signed by the current CA.
- FIXED: MSS clamping for clients connecting to the PPTPD server
- FIXED: networkmap's DLNA detection was broken with some devices,
and could result in very long delays during scan (Asus bug)
- FIXED: Adjusted various timings in networkmap which should help
with device lists being incomplete especially after a
- CHANGED: Added a VPN mode selector on the VPN Server Details page.
- FIXED: JS error on the VPN Server Details page related to PPTP
- FIXED: Clicking on "Apply" on VPN Details page would fail to
apply your new settings to a running OpenVPN server.
- FIXED: Some port forward rules were incorrectly generated when
in load-balancing mode (Asus bug)
- FIXED: After adding/removing a user to OpenVPN Server, the password
file was not immediately updated. Note that this fix will
break backward compatibility with Asus as the nvram value
storing the list of OpenVPN user/pass had to be renamed
(so not to be instanced).
- FIXED: VPN client not working on MIPS devices (N66/AC66).
- FIXED: Various formatting issues with generated client.ovpn file
- FIXED: updown.sh script location was changed in
339, causing issues with OpenVPN clients
- NEW: Merged with Asus 374_339 GPL (from RT-AC68U).
Asus added some new features in this release:
* Support for HFS+ and Time Machine (AC56/AC68U only)
* OpenVPN support. Their implementation uses the backend
code from Asuswrt-Merlin but with a more
simplistic, novice-friendly webui. This required
adapting the current webui to be able to retain some
of their improvements without sacrificing the
flexibility of being able to have two separate server
and client configurations.
- NEW: Support for Namecheap DDNS (Patch provided by saintdev)
- NEW: Added qos-start user script
- FIXED: Incorrect range validation for UPnP ports on WAN page.
- FIXED: Accidentaly lock out of webui due to software hammering
the router's webui without valid login credentials
- FIXED: NAT Loopback broken with CTF enabled (AC56/AC68) (Asus bug)
- FIXED: Backing up your settings would return an empty CFG file.
- FIXED: Kernel panic when inserting ebtables rule (AC56/AC68,
fix backported from kernel 2.6.37)
- FIXED: If an IP/CIDR on the IPv6 firewall page was long enough
to be shortened with "..." it would be incorrectly saved.
- CHANGED: IPTraffic will now account for traffic going through
an OpenVPN tunnel
- CHANGED: VPN webui is now an hybrid of our original webui,
along with Asus's own. This allows the addition
of these features developed by Asus:
* Ability to export an ovpn config file to give to
* Support for username/password authentcation on
the built-in server
* Ability to import a tunnel provider's .ovpn
config file to configure a client connection
on the router
- FIXED: DNS resolution not working for VPN clients
(bug in Asus 374_979)
- FIXED: USB disk detection on AC56/AC68.
- FIXED: Turbo mode option couldn't be saved (RT-AC68)
- NEW: Merged with Asus 374_979 (from RT-N66U).
AC56/AC68 AiCloud components taken from 374_217.
- NEW: Added RT-AC68U support.
- NEW: Added IPSec support to the kernel. Userspace tools
such as StrongWAN must be installed from Optware/Entware,
and manually configured. (Patch provided by saintdev)
- NEW: Adjustable MTU for DHCP/static IP WAN users
- NEW: WAN interface name passed as argument to firewall-start
- NEW: Configurable min/max ports allowed to be redirected by UPNP.
This allows WHS users to change the min allowed port from
the default value of 1024 to allow UPNP forwarding of
- NEW: Display CPU temperature on Sysinfo page (AC56 and AC68)
- NEW: Display CPU chart on Performance page (AC56 and AC68)
- CHANGED: UPnP rules will now be processed after manual
forwards and port trigger rules.
- CHANGED: Site Survey now reports supported protocol.
- CHANGED: Updated Dropbear to 2013.60.
- CHANGED: Updated dnsmasq to 2.67 final.
- FIXED: Some Traffic Monitor pages were missing the page tabs.
- FIXED: The webui would allow you to enable SSHD while not
setting an authkey or enabling password-based authentication.
- FIXED: 802.11h options should only be available on the 5 GHz band.
- FIXED: Wifi icon hover would report 5G channel as undefined if
2.4GHz radio was disabled.
- FIXED: IPv6 clients list failed to properly merge IPs from similar
MACs (Asus bug)
- FIXED: Minor layout issues with the Clients list
- FIXED: Samba wasn't started at boot time if browser master or WINS
was enabled and we had no USB disk plugged in.
- FIXED: Router/minidlna crashes when processing very large image
collections - various memory leaks plugged.
(patches provided by Paulo Capani)
- FIXED: Buffer overrun when entering more than 35 MACs on the
filter list. We now support up to 64 MACs.
* IMPORTANT *: RT-N66U users must revert back to factory defaults and
manually reconfigure their settings if coming from a FW
older than 184.108.40.206.374.xxx (applies to both Asus or
- NEW: Merged with Asus 374_726 code from RT-AC66U GPL. Notable changes:
* RT-N66U now based on the SDK6 driver. This resolved the
numerous connectivity issues, at the expense of a shorter
range (a separate SDK5 build based on driver 5.100 is
available in the Experimental folder as an alternative).
* AiCloud 2.0
- NEW: Added bonding.ko kernel module.
- NEW: Repeater mode moved into regular builds.
- NEW: Dual WAN moved into regular builds.
Note that there are still a few issues left, such as recovery
from failover mode when the primary WAN comes back up.
- NEW: YandexDNS support moved into regular builds. This is
a DNS-based filter list, which can be configured under
- NEW: Added support for last seen devices on Ethernet port status
(Tools-> Sysinfo) for RT-AC56U.
- NEW: Option to control 802.11 extensions that deal with
regulations. On the Wireless Professional page
you can now enable 802.11d and 802.11h support.
- CHANGED: robocfg now (almost) completely supports the
Northstar platform (RT-AC56U)
- CHANGED: Enabled Syn Cookies for ARM devices (RT-AC56U)
- CHANGED: Allow selecting the Download2 folder for media server
- CHANGED: MIPS builds optimized for mips32r2 code generation, which
should improve general performance. (N16/N66/AC66)
- CHANGED: More openssl backports from 1.0.2, adding
mips32r2 support, improving performance
especially for sha1 (RT-N16/N66/AC66)
- CHANGED: Increased OpenVPN crt/key fields to allow up to 3499
characters - enough to accomodate even a 4096 bits key.
- CHANGED: Removed the firewall rules for acsd since it no longer
listens on a TCP socket.
- FIXED: Samba binding to WAN interface would cause warnings
about WINS/master browser (regression in 374)
- FIXED: The ARM kernel was missing the Advanced IP Routing option,
preventing some of the "ip" command functions from
working (was breaking Astrill's plugin) (RT-AC56U)
- FIXED: With FW 374 Asus changed the Samba priority from too high to
too low (-19), resulting in poor sharing performance.
I changed it to a priority of 0, providing more balanced
- FIXED: Some fields would allow invalid characters (such as
single quotes) which might break the webui JS. There might
still be a few unprotected fields.
- FIXED: Memory leak in httpd service (Asus bug)
- FIXED: Parental Control not working with certain schedules
(patch provided by Makkie2002)
- FIXED: Potential key truncation in httpd if one was to use very
large OpenVPN keys and certs in all fields of all four
- FIXED: Samba would start sharing local disks even if all you
wanted was its WINS/Browser services.
- FIXED: The JFFS formatting code could encounter a case
where it wouldn't write back its cleared
- FIXED: Restarting the wireless service would break
- FIXED: The new thumbnail cache code Asus added in build 720's
minidlna will prevent scanning from completing on very
large collections. Reverted that code for now.
- FIXED: Wireless key field was automatically activated on
page load, which could lead to accidental changes
(issue introduced in 374_720).
- FIXED: Router believed that NTP wasn't properly working after a
LAN or wireless service restart (issue introduced in
- FIXED: IPv6 client list was incorrectly displayed if a client
didn't have a known hostname (Asus bug)
- NEW: Merged with Asus 374_168 GPL code.
- NEW: wan-start script will get passed the WAN unit number as
- NEW: Webui option to select the location of the DLNA database
(patch by VinceV)
- NEW: IPv6 firewalling. Originally, Asuswrt would allow any IPv6
traffic to be forwarded to your LAN devices. This new option
(enabled by default) will prevent traffic forwarding to LAN
devices. You can also create firewall rules to allow inbound
traffic to specific hosts. The firewall configuration can be
accessed through the "Firewall -> IPv6 Firewall" page.
- CHANGED: Upgraded OpenVPN to 2.3.2
- CHANGED: Implemented IPTraffic support in DualWAN - Load balanced
mode (Experimental builds)
- CHANGED: Updated miniupnpd to 20130730
- CHANGED: Updated some prebuilt binaries (RT-AC56U)
- CHANGED: Updated 2.6.36 kernel to the latest code used
in 372_184 (RT-AC56U), includes some changes
related to USB3, and PPP/CTF.
- CHANGED: Smarter location selection for the DLNA database
location to reduce the chances of having it in
RAM if left to default location, filling it up
(patch by VinceV)
- CHANGED: Updated e2fsprogs to 1.42.8 to be in sync with Asus
- FIXED: Web server would crash if you entered too much data in
OpenVPN key/cert fields.
- FIXED: The ACSD service could be exploited by a LAN user to
gain shell access to the router. TCP connections to
ACSD are now blocked by the firewall.
- FIXED: You could not define time periods on the Parental
Control calendar under IE.
- FIXED: Wireless client list would sometime return incorrect
hostname or be missing IP.
- FIXED: Security issue with Samba and symlinks
- FIXED: Samba wouldn't start due to missing symlink (RT-AC56U)
- NEW: Merged with 372_1393 code from Asus. Notes:
* Beamforming support for RT-AC66U/RT-AC56U
* RT-N66U driver still downgraded to build 270 (which
means no HW acceleration for PPP, but more reliable
connectivity on the 5 GHz band)
* Minidlna was updated to 1.1.0
* AiCloud security hole fixed
* Parental Control ui still broken under IE10 (use Fx or Chrome
- NEW: YandexDNS. Asus is currently implementing support in the
firmware for this DNS-based filter. This can be
found under Parental Control. See http://dns.yandex.ru/
for more info (go go Google translate!).
(Experimental builds only)
- NEW: User-provided client config files (ccd) for OpenVPN server.
See the OpenVPN and Custom Config sections of the firmware's
documentation for more info.
- CHANGED: Connections list under System Log will now progressively
display the result while the router is still
resolving IPs (if that option was enabled).
- CHANGED: OpenVPN client password hidden by default (and added
checkbox to display it similar to what Asus added
to the System page)
- FIXED: Sysinfo page was reporting IPv6 as reason for
CTF to be disabled - since 372 that is only true
for ARM devices.
- FIXED: OpenVPN Server in TAP mode + DHCP wasn't routing
properly (DHCP was overruling the default GW)
- NEW: Added support for newest RT-N66U hardware revision.
This router has a new model of flash, you can NOT
use any older FW on these. (RT-N66U)
(note: since people always thought adding a "b" meant "beta'
rather than revision "b", I am switching to Asus's new
numbering scheme, hence "30_2" for this revised 372.30.)
- FIXED: NAT loopback (invalid iptable rules was silently accepted
- FIXED: Removed empty Yandex tab
- FIXED: Entware setup script missing from all builds
- FIXED: pptpd failing to start (was missing from build)
- FIXED: OpenVPN server not starting if using a static key
- FIXED: Disks plugged to USB 2.0 port weren't getting mounted
- NEW: Merged with preliminary 372 code provided by Asus
(initialy meant for the ARM environment)
- NEW: RT-AC56U support. Various bugs have been fixed
over the original FW that initially shipped with these routers.
Thanks to Asus for providing a development sample.
- NEW: Added JFFS support to RT-AC56U.
- CHANGED: Downgraded wireless driver + CTF to build 270 version
(RT-N66U, fixes 5 GHz stability issues). Note that this
means that HW acceleration for PPPoE is no longer
available for the RT-N66U, as it was new in the 5.110 SDK.
- CHANGED: Updated iptables-1.4.x to 1.4.14 (RT-AC56U)
- CHANGED: Brought back the Connection page under System Logs
- CHANGED: Updated e2fsprogs to 1.42.7. Amongst other things
this new version is more memory-efficient on large
- CHANGED: Renamed Advanced (Per IP) Traffic monitoring for
IPTraffic (to match the Tomato name for that same
- FIXED: GRO kills upload speed if CTF is disabled (patch provided
by Asus, RT-AC56U)
- FIXED: Buffer overrun in NVRAM handling, leading to random crashes
(Asus bug, RT-AC56U)
- FIXED: NVRAM values getting corrupted or disappearing if using more
than 32 KB (Asus bug, RT-AC56U)
- FIXED: Reapply layout fixes to Guest network and DHCP page (were
lost in a recent webui update)
- FIXED: JFFS2 could get reformated again at each subsequent reboots.
- FIXED: Devices with a NetBIOS name of 15 chars long would have
their name merged with the next device's.
- FIXED: Empty Site Survey list if there was only one AP found
- FIXED: Saved settings might fail to restore if they contained
OpenVPN or SSHD keys with CRLF line endings. You should
access the OpenVPN Keys page, click on Apply to re-save
them, then re-create any backup you had of your router
- FIXED: Numerous bugs in ipt_account for Kernel 2.6.36 (RT-AC56U)
220.127.116.11.354.29 Beta 1 (17-May-2013):
- KNOWN ISSUE: 5 GHz 40 MHz is unreliable with some wireless
- NEW: RT-N16 is no longer an experimentally supported device.
Thanks to Mike from Sapphyre Software for providing
me with an RT-N16.
- NEW: Report currently used channels when mousing over
the wifi icon at the top of the webui
- NEW: Sysinfo: Ethernet port state will report each port's VLAN ID.
- CHANGED: Merged with webui content from 18.104.22.168.364
- CHANGED: Increased list height on Site Survey page
- CHANGED: Warn if trying to do a site survey with either
- CHANGED: Updated to miniupnpd 1.8.20130426
- CHANGED: Updated to dropbear 2013.58
- FIXED: Syslogd must be restarted if we had to adjust its log
level for DHCP query logging.
- FIXED: br0 would change MAC address when starting an OpenVPN server
with a tap interface.
- FIXED: Sysinfo: Port numbering order (RT-N16)
- FIXED: Sysinfo: 5G radio infos weren't hidden if the
router did not support that band (RT-N16)
- FIXED: Wifi status icon would remain half-lit if 2.4 GHz was
disabled on a router without 5 GHz support (RT-N16)
- FIXED: Various fixes related to site survey display
- FIXED: Improved compatibility with USB disks > 2 TB
(must use ext2 or ext3)
- FIXED: Unable to clear DMZ IP (fixed in 364 webui files)
- FIXED: PPTP/L2TP Internet connection unable to connect at boot
(bug introduced in 358.28)
- FIXED: PPTP/L2TP Internet connection unable to reconnect after
going down (unsure if Asus bug or 358.28 bug)
- FIXED: Numerous bugs in the Per IP traffic monitoring causing
inaccurate traffic accounting if there was too much
traffic, or if update requests occured in a too short
period of time.
- FIXED: Asking for traffic monitoring (regular and Per IP) database
to be re-created would re-create it again on next reboot if
in the mean time you didn't change any other settings,
causing the flag not to be cleared on the mtd partition.
22.214.171.124.354.28 Beta 1 (19-Apr-2013):
- KNOWN ISSUE: 5 GHz 40 MHz is unreliable with some wireless
- KNOWN ISSUE: Sort order is sometimes wrong on the Site Survey page
- NEW: Wireless site survey (on the Wireless tab)
- NEW: openvpn-event user script that gets run when a tunnel goes
up/down. Read the OpenVPN documentation on the "up" and
"down" events for more on how to use this script, and to use
the passed parameters.
- NEW: Enabled sftp support in Dropbear (the sftp server must be
installed from Entware)
- NEW: Option to prevent SSH port hammering (patch submited by dodava)
- CHANGED: Merged with webui pages extract from the Asus released FW,
as they were more recent than the GPL ones
- CHANGED: Port state on Sysinfo page now uses the new OUI lookup
code from Asus
- CHANGED: Try to report on Sysinfo what is forcing HW acceleration
to be disabled
- FIXED: Build 354 reduced minimum syslog level to WARNING - bumped
back to INFO as in previous versions (resolves DHCP events
not being logged). Also ensured we readjusted it if DHCP
logging is enabled, to handle routers that got upgraded
with the new loglevel already set.
- FIXED: Port numbering on the Sysinfo page for devices that has
them backward (untested) (RT-N16)
- FIXED: Client list wasn't using the new OUI code from Asus (was
missing from the GPL archive)
- FIXED: LAN traffic going through the NAT loopback would be counted
in the Per IP traffic monitoring.
- FIXED: IE rendering of the Other Settings page when toggling Per
- FIXED: Cannot set webui to HTTPS-only (causes port conflict error)
(Asus bug in 354)
- FIXED: Cannot create/modify folders in AiDisk
- FIXED: Couldn't resolve LAN hostnames if WAN was down (the web
redirection would hijack all DNS queries). Now, we let
dnsmasq handle both LAN and redirected queries.
- FIXED: Fixed support for Broadcom Wimax devices
- FIXED: smbpasswd wasn't properly updated when deleting a user
- FIXED: Aicloud: handling of disks with multiple partitions on the
webui (Asus bug) (fix submitted by hshang)
126.96.36.199.354.27 Beta 1 (31-Mar-2013):
- NEW: Merged with 188.8.131.52.354. Notable changes:
* New wireless driver
* New Network Tools
* WOL (Under Network Tools
* HW acceleration support for PPPoE
* DHCP Normal/aggressive behaviour. Similar to the 270.25
implementation, except it can be enabled/disabled
Asus considers build 354 to still be beta, so be advised that
there might still be some issues left (there are known issues
related to 3G/4G dongles for instance).
- CHANGED: Removed WOL webui - Asus added their own WOL support on
the Network Tools page. You will have to re-add your
- CHANGED: Removed System Log -> Connections page, and integrated it
into the new Network Tools -> Netstat page from Asus (as
- CHANGED: Removed wol binary, since Asus's WOL page uses ether-wake.
- CHANGED: Removed option to control SIP helper on Firewall page
(use the new Asus option from WAN - NAT PAssthrough page
- CHANGED: WPS button when set as a radio toggle will now behave the
same way as Asus's firmware: pressing it will fully
enable/disable both radios in the webui, rather than just
toggle the state of the enabled radios. This means the
button will override the webui, and radio states will
- FIXED: Avoid duplicate shares when using simpler share naming
using Asus's code from 354)
- FIXED: Improved fdisk support for 4KB sector size
- FIXED: openvpn: Client-specific entries weren't properly parsed
- FIXED: dnsmasq warning in syslog if DHCP static leases are disabled
- FIXED: Volume labels with spaces were rejected (Asus used the same
code to validate hostnames and volume labels)
- NEW: ipset Netfilter support + userspace tool to create ipset lists.
- CHANGED: Router's hostname is now set all the time, regardless of
telnet/ssh states (and including in AP mode)
- CHANGED: Added device name field on the LAN page, since it's now
relevant to the router's hostname (not just SMB). Left
it on the SMB page as well, for those used to see it there.
- CHANGED: Router will supply its device name when requesting an IP
while in AP mode.
- CHANGED: Various webui lists were increased from 32 to 128 entries
- CHANGED: Improved networkmap:
* Will also use DHCP hostnames and user-defined static
names instead of just NetBIOS names
* Client list will show an animation while networkmap is
still busy scanning and resolving device names
* Dropdown menus that use Networkmap to build a list
of devices will also display names in addition to IP/MAC.
- CHANGED: Don't restart the whole network if you only changed DHCP
reservations (LAN -> DHCP page)
- FIXED: Openvpn: Non-CBC ciphers weren't working (their use is still
- FIXED: Proxy auto-configuration support (Asus bug)
- FIXED: Disabling DHCP logging would cause a syntax error in
dnsmasq's configuration (regression from dnsmasq update)
- FIXED: Outbound VPN client traffic was dropped (regression from
- NEW: NFS folder sharing. Webui can be found on the
USB Applications -> Servers Center page (NFS Exports tab)
- NEW: dhcpc-event and zcip-event scripts (called on WAN events)
- NEW: Ccustom configs: group.add, gshadow.add, passwd.add,
- NEW: New script that will setup Entware for you (written by
ryzhov_al). Run "entware-setup.sh" through SSH/Telnet to
launch the install process.
- CHANGED: Added a folder picker to the Tools Other Settings page to
select a location to store your traffic data files.
- CHANGED: Updated dnsmasq to 2.65 (backported from 184.108.40.206.334)
- CHANGED: Enabled additional optimizations for openssl and openvpn
for a significant performance gain
- CHANGED: Reverted wireless driver to build 220 (RT-AC66U only)
- FIXED: Added missing badblocks program
- FIXED: Timing issues under IE where resolved device names would
not display on certain pages (such as the Sysinfo page)
- FIXED: VPN client "common name" wasn't getting saved
- FIXED: DHCP client will be less aggressive in attempting to obtain
a lease (wait 2 mins instead of 20 secs between attempts),
should help with ISPs like Charter who will blacklist you
if you send too many Discovery packets in a short period of
- FIXED: Made profile.add be run after any Optware profile, so the
user changes will have priority over anything else.
- FIXED: WOL list corruption when removing an entry in some browsers
- FIXED: No longer forward packets with a LAN IP as destination
(Asus bug, fixed CDRouter test firewall_2)
- FIXED: IPv6 WAN would have the wrong prefix length (Asus bug, patch
submitted by PiotrKa)
- NEW: Rebased on 220.127.116.11.270. Notable changes:
o New driver builds (these are NOT the new major versions that
Asus are still working on)
o NTP-related changes
- NEW: Report CTF (HW Acceleration) state on Sysinfo page.
- NEW: Display Ethernet port states on the Sysinfo page.
- NEW: Replaced Busybox fsck/mkfs tools with those from e2fsprogs,
should be more reliable.
- CHANGED: Temperatures on Sysinfo page will now auto-update every 3
- CHANGED: Connections page now uses Ajax for slightly better rendering
- CHANGED: Improved name resolution on traffic monitor page, now uses
a device's hostname if it reported one.
- CHANGED: Client List now uses our improved name resolution code,
will overwrite names with those entered on the DHCP static
- CHANGED: Updated to OpenVPN 2.3.0 and lzo 2.06.
- CHANGED: Updated Busybox to 1.20.2 (with Oleg/wl500g patches
re-applied). Lots of fixes, including GPT support in
- CHANGED: Updated Miniupnpd to version 1.8. NOTE: previous
versions were NOT affected by the recent UPNP exploit
disclosure. This is just as an added security precaution.
- FIXED: Temperature on Performance Tuning page would fail to update
if a radio was disabled.
- FIXED: Various timing issues causing some TrafficMonitoring and the
Sysinfo pages to often fail loading under IE.
- FIXED: JS error on the Per Device pages if FW failed to load the
- FIXED: ebtables were still broken, fixed by a complete rebuild.
- FIXED: Some OpenVPN fields rejected -1 as being valid.
- FIXED: Hide 5G radio info from Sysinfo page if router is \
single band (RT-N16)
- FIXED: Master Browser/WINS would not work if there was no USB disk
- FIXED: Samba would bind to the WAN interface while in router mode
- FIXED: Backported various kernel fixes from Oleg/WL500G, Tomato
and Kernel.org to help improve HDD > 2 TB support (still
not perfect, some USB enclosures are simply not Linux
- FIXED: Display of Connections under IE
- FIXED: Trying to apply settings on the System page with a username
containing a non-alphanum would incorrectly assume you just
tried to change to an account name that already existed
- FIXED: Wouldn't enable wins in Samba if you had a WINS IP entered
on the DHCP configuration page.
- FIXED: The IE fix ended up breaking Firefox (and meanwhile, Chrome
worked fine no matter which method was used to build that
- NEW: Rebased on 18.104.22.168.266 (from the RT-AC66U GPL)
- NEW: Tools icon contributed by Maximilian Czarnecki.
- FIXED: Skip bad blocks while erasing MTD partition (fixes RT-AC66U
failing to format JFFS2 partition due to bad blocks)
- FIXED: Router would have no hostname if you enabled ssh but kept
- FIXED: Couldn't add new ebtables rules (regression in 264.22)
- FIXED: customized minidlna.conf
- FIXED: Traffic monitoring per IP is unreliable if HW acceleration
is enabled. Do not load CTF if booting with cstats enabled.
- FIXED: Per Device traffic monitor pages missing under IE
- NEW: Rebased on 22.214.171.124.264 (from the RT-N53 GPL).
- NEW: Traffic monitoring per IP added to the Traffic Monitor section.
Based on the Tomato IPTraffic implementation by Teaman.
- NEW: Option to disable the Netfilter SIP helper (Firewall page),
allows people to manually forward port 5060 to their own SIP
- NEW: Option to enable/disable logging DHCP client queries
- FIXED: Tabs would disappear while on the Monthly traffic page.
- FIXED: Really fixed Firefox issue (the fix wasn't merged
in release 260.21).
- FIXED: Router crash if the list of MAC filters + their names got
- FIXED: OpenVPN webui: TLS Reneg and Connection Retry wouldn't let
you enter -1 as value.
- FIXED: Layout issues on the DHCP page (one in Asus code, another
in Merlin code)
- FIXED: Beeline Corbina was unable to connect to PPTP/L2TP server
due to DNS issues.
- CHANGED: System log starts at the bottom (backported from GPL 314)
- CHANGED: Dual WAN is no longer enabled in regular builds - too many
issues with it at this point. Regular USB failover
- NEW: Rebased on 126.96.36.199.260. This version should
resolve issues with some Russian ISPs. Note that
the RT-N66U build still uses the wireless driver
from release 220, as this seems to be the most stable
at this time.
- NEW: Option to force the router into becoming the SMB Master Browser.
- NEW: Option to make the router act as a WINS server.
- NEW: Option to control Spanning-Tree Protocol
- NEW: fstab custom config file
- FIXED: Firefox compatibility issues on the DHCP static and
MAC filter name fields.
- FIXED: Wifi status icon wasn't accurately reporting states if they
were changed by a radio schedule.
- FIXED: QIS would report newer firmwares, potentially overwriting
Asuswrt-Merlin with an original Asus firmware.
- FIXED: Wifi LEDs would turn back on if radios were enabled while
in Stealth Mode (now they turn back off after a few seconds)
- FIXED: Webui would break if a network device had an invalid
NetBIOS name (such as the Sonos Dock).
- NEW: Wifi status icon will be half colored if only one radio is
- NEW: Wifi status icon popup will report the state of each radios.
- NEW: upnp custom config file for miniupnpd
- NEW: unmount user script
- NEW: led_ctrl and makemime (for use in conjunction with sendmail)
- NEW: Implemented control for network switch LEDs (all four at once)
- NEW: Stealth Mode: option to disable all LEDs
- NEW: Added CONFIG_IP_NF_RAW and CONFIG_NETFILTER_XT_TARGET_NOTRACK
- FIXED: Radio toggle through WPS button would be overriden by a
scheduled radio. Reverted "switch" to "toggle" code to
- FIXED: You couldn't disable DMZ by clearing the IP field.
- FIXED: You couldn't edit entered text in DHCP/MAC/etc name field
- FIXED: clientid passing for some ISPs requiring it (like Sky UK)
was broken with the DHCP client change of build 220.
- FIXED: No longer reboot the router three times during boot time if
one of the radios is disabled by the user. (RT-N66U)
- FIXED: Changing the router login name to anything other than "admin"
would prevent radvd, ecmh and the cru script from working
properly - they all assumed "admin". Made then use
http_username instead (which is tied to the superuser)
- CHANGED: Improved SMB and vsftpd read performance by up to 30%
- FIXED: Reverted wireless driver to build 220 version as the new
one caused various connection issues for some (RT-N66U).
- NEW: Rebased on 188.8.131.52.246. Some notable changes:
o New "Enhanced interference management" option under
Wireless -> Professional.
o Improved AiCloud webui
o dnsmasq updated to 2.64
- NEW: Option to enable simpler share names. When enabled, the folder
Share will be shared as "Share" instead of "Share (on sda1)".
The option can be found on the Misc tab, under USB Application.
- NEW: User customized config files for various services. Those custom
config entries can either be appended, or completely replace the
config file generated by the firmware.
- NEW: Added Name field to the Wireless ACL page.
- NEW: Added service applet to rc. For example, "service restart_samba" will
restart the Samba service. For advanced usage/debugging only.
- NEW: Backported OpenSSL ASM optimization from 1.0.1, for significant performance
improvements in applications such as OpenVPN or SSH when using AES.
- NEW: Report the current CFE/Bootloader version on the Sysinfo page.
- FIXED: Minor tweaks to the AiCloud pages so they can fit on a 15" laptop screen
(some close buttons at the bottom were unreachable)
- FIXED: Enabling SSH access from WAN didn't work if DualWAN
was set to load-balancing.
- FIXED: Removed MAC Filter page, as it doesn't work (not compatible
with Parental Control).
- FIXED: OpenVPN Client "Username Auth only" option was broken.
- FIXED: Limit valid characters in a DHCP/WOL description to prevent
breaking the webui by using invalid ones such as quotes.
- FIXED: OpenVPN Client wasn't properly applying DNS settings that
the server was pushing to us.
- FIXED: Wireless client list alignment in AP mode.
- CHANGED: Less strict rules when validating user-entered MAC hwaddr.
- NEW: Report both rx and tx rates on wifi connections
- FIXED: Handle cases where the wireless driver returns a speed of -1
- FIXED: Removed rssi retrieval retries, as it would make the first access to
the wireless page take forever if you had multiple connected clients.
You will have to manually refresh the page the first time you access it
if the RSSI is reported as "??".
- NEW: Added OpenVPN logging verbosity setting (vpn_loglevel, must be
manually set to a value between 0 and 15, with 3 being the default).
- FIXED: Buffer overrun in init code that would crash the router when
too many features were enabled at compile time.
- FIXED: Re-enabled DualWAN (RT-N66U, RT-AC66U)
- FIXED: Re-enabled Beceem (Wimax) support in RT-AC66U.
- FIXED: OpenVPN 'Start with WAN' and 'Respond to DNS' settings were
not properly saved.
- FIXED: First time a client's rssi is polled it would return 0.
- FIXED: post-mount user script wasn't executed (regression in 220.17)
- CHANGED: Added some info to the OpenVPN server and client pages.
- CHANGED: Improved load time of the VPN Status page.
- NEW: Rebased on 184.108.40.206.220, which includes:
* Fixes to IPv6 6rd
* Fixes to AC66U Wifi + QoS
* Interference mode once again enabled
- NEW: Display last received rate and rssi for each clients on Wireless Log page.
- FIXED: dnsmasq not listening to DNS requests from OpenVPN clients
if you had just enabled the option on the webui.
- FIXED: PPTP clients not always showing on VPN Status page.
- CHANGED: Disabled DualWAN as it's currently broken in 220.
- CHANGED: Disabled Beceem Wimax support in RT-AC66U as it bricks
- CHANGED: Removed firmware update checker to avoid accidental
revert to original FW.
- NEW: (RT-N66U, RT-AC66U) Implemented OpenVPN, based on code written by
Keith Moyer (from the Tomato project).
- NEW: Added crontab command
- FIXED: (RT-AC66U) Would crash when accessing a LAN device through either
VPN or the NAT Loopback (GRO is now disabled for that device)
- FIXED: dnsmasq was listening to all interfaces by default, allowing
even dhcp requests to be serviced from the wan side if you
had the firewall disabled (Asus bug) (fixed by dev0id)
- FIXED: Default disk idle spindown now set to 0 (disabled).
- FIXED: Corrupted WOL list when using IE.
- CHANGED: Upgraded openssl to 1.0.0j.
- CHANGED: Included fully functional openssl command (will allow you to
create keypairs and certificates from the router).
- CHANGED: Removed power adjustments from the Performance page, as they
are redundant, and not as reliable.
- CHANGED: (RT-N16) Disabled Dual WAN, as it exhibited many issues, and I
am unable to work on them without an actual router.
- NEW: Rebased on 220.127.116.11.178. Notable fixes by Asus:
* Radio turns back on based on schedule
* Reorganized QoS pages
* Turning WAN DHCP connection off will first release current DHCP lease
- NEW: RT-AC66U officialy supported, with all the same features as the RT-N66U.
- NEW: (RT-AC66U) Implemented JFFS support. Limiting partition to 32 MB
max, as using the whole 90+ MB available makes little sense for
JFFS, and was also displaying some issues.
- NEW: Added nat-start user script, as NAT rules get applied separately from
other firewall rules (firewall-start changes to the nat table are
being overwritten when the router starts NAT)
- NEW: Added additional info to Sysinfo page
- NEW: Added chroot applet
- NEW: Option to allow SSH access from WAN
- NEW: Option to exclude specific devices from idle spindown
- FIXED: Performance page now uses the new Sysinfo API, and is now able
to deal with cases where radios are disabled.
- FIXED: Web server would crash for some people when accessing
the Wireless Log page.
- NEW: Spin down disks after (user-configurable) inactivity timeout
(using Jeff Gibbons' sd-idle-2.6)
- NEW: System information page under the Tools menu.
- NEW: Station list on the Wireless Log page will now report associated
IP and hostnames (when possible).
- CHANGED: Upgraded to MiniDLNA 1.0.25 (changelog:
- CHANGED: Better integration of the Run Cmd page.
- FIXED: Incorrect left menu rendering when under the Tools menu.
- NEW: Rebased on 18.104.22.168.162.
- CHANGED: Switched to WPS radio toggle code Asus added,
now on the Administration -> System tab.
This is based on unreleased Asus code, which they have
graciously provided me with.
- NEW: Rebased on 22.214.171.124.157. Notable changes from Asus:
. IPv6 tunnel memory leak fixed
. They fixed many issues, making some of my patches
no longer necessary, such as timezone DST, https auth, etc...
. Upgraded radvd
- NEW: Added link to the command shell page in Tools menu.
- NEW: (RT-N16) Enabled power settings (EXPERIMENTAL)
- NEW: Added "tee" command.
- FIXED: NAT loopback rules would actually NAT every lan to lan
connections instead of only those needing the loopback
(bug in Asus's code). Replaced with new code based on a
suggestion from Phuzi0n on the DD-WRT forums.
- FIXED: Accessing the WOL page would make it resend the last
- FIXED: 'cru' was using 'root' instead of 'admin'
- CHANGED: Re-enabled Dual WAN (EXPERIMENTAL)
- CHANGED: Made tracked connections load async from rest of the page
- CHANGED: Increased hostname width on Connection status page
- CHANGED: Improved WOL page functionality.
126.96.36.199.144.11 Beta (6-July-2012):
- NEW: Name field added to DHCP reservation list
- NEW: Webui option to enable resolving IPs on the Connections tab
- NEW: Store a list of computer MACs to use as WOL targets
- CHANGED: Increased dhcp options from 32 to 128 characters
- FIXED: Brought max PPTPD password lenght back to 32 chars (Asus had reduced
it to 16 in recent versions)
- FIXED: Retrieve dhcpc options for the correct wan interface
- NEW: Rebased on 188.8.131.52.144.
- NEW: Support for 64K NVRAM enabled. ***First flash will
wipe out ALL your settings! And you cannot restore
from saved settings - you must manually reconfigure
everything. Be warned!***
- NEW: Enabled support for Broadcom Wimax devices
- NEW: Added cifs kernel module (for mounting remote SMB shares)
- NEW: Added layer7 iptables matching
- NEW: Added user-options for DHCP on the WAN page
- FIXED: Router crashing when connecting to it over Wifi
and running the newer QoS code (disabled GRO)
- FIXED: Router crashing when connecting to a network
device behind the router from over a VPN
connection (disabled GRO).
- FIXED: Incorrect timezone set unless enabling
- NEW: Enabled new Dual WAN support from Asus
- FIXED: no-ip DDNS entry would revert to Asus DDNS on webui
*** Reverting to factory defaults BEFORE and AFTER flashing
this version is strongly recommended! The newer Asus code base
seems to have changed quite a few settings, so you'll want to
not only start with the new default values, but also get rid
of obsolete settings. Otherwise you will be wasting a
good amount of the limited available nvram. ***
- KNOWN ISSUE: Memory leak when using IPv6 (bug in Asus's code
and/or kernel code)
- KNOWN ISSUE: PPTP VPN can randomly reboot the router if accessing
a LAN device behind the router. Workaround is to
use an IP range outside of the local LAN
(i.e. 10.0.0.0 instead of 192.168.1.0), and either
set your VPN to use the VPN tunnel as default
gateway, or manually add a route to your VPN
- NEW: Rebased patches on 184.108.40.206.130 (RT-N53U sources).
Build 130 brings various code changes to IPv6, not sure
what else (as I have no changelog between 112 and 130).
The QoS code remains from build 108, as build 130 is
- NEW: Added "diff" utility
- NEW: Keyword-based filter (new in 130)
- FIXED: Firmware/settings can now be uploaded over HTTPS
(bug fixed by Asus)
- FIXED: Buffer overflow in networkmap that would cause garbled
device names to appear on the clists list (bug in
- FIXED: Firewall would break when applying a game preset that
had multiple ports separated by a "," (bug in Asus's
- FIXED: WOL through webui wasn't working when IPv6 is enabled
- FIXED: Memory leak in sit.ko (backported from Linux 220.127.116.11)
- IMPROVED: /jffs/scripts/ will be created automatically if it
doesn't exist (you must still make any new script
executable using "chmod a+rx script_filename")
- NEW: Added no-ip.com support to DDNS (patch submitted by Igor Pavlov)
- NEW: Added webui page under System Log to display active/tracked
- NEW: Added netstat-nat command.
- NEW: Added pre-mount and post-mount user scripts (patch submitted by
- NEW: Allows tweaking TCP/UDP connection tracking timeouts
- FIXED: Removed check in Asus's code that would reject txpower > 80
unless you clicked three times on Apply (?!).
NOTE: Still not sure power setting even works, as I get
-80db from the other end of the house no matter if I use
40 or 500 mW.
- NEW: HTTP access list (backported from build 112)
- NEW: PPTP VPN encryption options (backported from build 112)
- FIXED: Traffic history location was't properly saved
when changed in webui.
- FIXED: Disabled traffic history saving to nvram for now,
to avoid people accidentally filling their limited nvram space.
- FIXED: Missing bottom pixels from the bottom of General menu
- FIXED: Removed invalid CSS attribute
- FIXED: typo in VPN iptables entries (bug in Asus's code)
- NEW: Crond starts at boot time.
- NEW: init-start is a new user script that will be run early on
at boot time (right after jffs is mounted, and before any
service gets started)
- NEW: Can save traffic history to a custom location (USB or
JFFS, for instance) to preserve it between reboots.
- NEW: Added Monthly traffic page (ported from Tomato)
- NEW: Added the Performance Tuning page (with temperature).
- FIXED: Webui authentication was bypassed by the web server (bug in
- FIXED: Httpd crash when uploading a FW or settings file over
https - should simply fail now. For now you have to
use http for flashing the FW or restoring your settings
from a saved config file.
- NEW: Clicking on the MAC address of an unidentified client will do a lookup in
the OUI database (ported from DD-WRT).
- NEW: Added HTTPS access to web interface (configurable under Administration)
- NEW: Option to turn the WPS button into a radio on/off toggle (under Administration)
- FIXED: sshd would start even if disabled
- CHANGE: Switched back to wol, as people report better compatibility with it.
ether-wake remains available over Telnet.
- NEW: JFFS support (mounted under /jffs)
- NEW: services-start, services-stop, wan-start and firewall-start user scripts,
must be located in /jffs/scripts/ .
- NEW: SSHD support
- IMPROVED: Fleshed out this documentation, updated Contact info with SNB forum URL
- CHANGE: Removed wol binary, and switched to ether-wake (from busybox) instead.
- CHANGE: Added "Merlin build" next to the firmware version on web interface.
- NEW: Added WakeOnLan web page
- Initial release.