Boy am I glad I replaced stock firmware with OpenWRT the moment my router came out of the box last week. It was also an extremely painless experience, and I'd really recommend that people buy routers with OpenWRT support, even if they cost a little more. A router is something you buy for a decade or more, and it's worth the investment. Our livelihood depends on network availability, and depending on the whims of terrible router firmware is not something to rely on.
The best part about it is Diversion and Skynet, a set of scripts that allow you to adblock inside your router (preventing even in-app ads from loading), and an actually viable outbound firewall.
Seeing weird IP addresses pinging my router from the outside is normal, but when I see something _inside_ my network trying to get _out_, that's when I know it's time to start reformatting.
Seconded. I used Merlin before I switched to ubiquiti. My only issue with Merlin was intermittent problems with ipv6 router advertisements which caused connectivity issues. I’ve never had an issue since switching to an edgerouter.
> Boy am I glad I replaced stock firmware with OpenWRT the moment my router came out of box last week.
I have had an Asus for years and use the vendor firmware, and update it semi-regularly when I remember to, and have never had an issue.
I bought an Asus because they have decent capabilities out-of-box, but also because there is the option of using third-party firmware (which I've never bothered to do).
Even with this event I'll probably stick with the OEM firmware.
I'm like you, Asus router on stock firmware and happy. In my case I set that up after a bad experience with openwrt.
Years ago I bought a $100 gigabit Linksys router, immediately flashed it with OpenWRT, and set it up. I assumed my ISP was the reason my download speeds were struggling to hit 100 Mbps (new house and network all at once), and later when I bought my first NAS I assumed HDDs are just inherently slow.
I had abysmal network performance for over a year before I figured out my gigabit router was the performance bottleneck; my ISP was giving me 3x what the router could handle. The reason for the terrible performance was that OpenWRT doesn't have the closed-source binary blobs to run hardware-accelerated routing; instead everything gets squeezed through the CPU, and my router couldn't do it.
So basically, many routers lose performance (in my case I got a 10x performance drop), and OpenWRT's website is all but useless for telling you which routers to buy.
All I can say is be careful blindly installing OpenWRT unless your router has a CPU that's complete overkill for what you want to do... and none of the mid-range consumer combined routers/access points meet that criterion.
Even if it turns out (once this event has been fully understood) that the vendor-installed firmware "phoned home" to collect an update of sorts that led to this?
Asus, the company that makes routers with paid monthly subscriptions whose trial you cannot opt out of? Go out and buy one of their newer Nightshade-whatever routers and see what I’m talking about. You literally cannot stop that thing from nmap’ing your home network for the first month.
I agree with you, but after a decade of routers and OpenWRT I decided to go with Ubiquiti. It got to a point where the router hardware just wasn’t good enough, no matter the software. So I got myself a Dream Machine, a Pro switch with PoE and an AP, and I have never looked back.
Same here. The brand isn’t necessarily important, but rather the idea that the “router” and “access point” don’t need to be bundled in the same physical box. For most people, their incoming internet line comes into their house at an atrocious point for radio transmission and reception.
By separating the router from the Wi-Fi access point, even if you only use one AP, you’re able to put the AP in the best place for full coverage. I hired an electrician to run the cable for me when I bought a house about 10 years ago- he charged a reasonable price, cut a minimum number of holes in the wall, and I was left with a cable in the center ceiling of the house which gave me excellent service throughout with a ceiling mounted AP.
Since then I’ve added on to the house and run additional wires to more ceiling-mounted APs to get consistent 5 GHz-only access throughout the house. Rock solid and never have to think about it (although it is always tempting to tweak).
I have D-Link mesh satellites, and needed 4 around the house just so I didn't have any blind spots. To show how bad they are, when my laptop is within a metre of the D-Link main satellite, I get the full 150 Mbps of my upstream, but 2 metres away, with line of sight, it drops to ~130 Mbps. Leave the room, and it's about 90 Mbps :(
I was hoping something like Ubiquiti would give something like the full upstream speed without the horrible dropout-per-metre I'm getting right now. Happy to get a few of them in mesh (if that's how they work) if I can get full speed from my office, which is currently 4 hops away.
I actually switched away from a UDM after finding out that I could only hit 500 Mbit/s uplink (out of ~930) due to a PPPoE performance bug as there's no hardware offloading and the old Cortex-A57 cores (in a SoC from a vendor now owned by Amazon, so extremely end-of-life) just couldn't handle that.
Now I'm running a Turris Omnia with the bundled OpenWRT fork for router tasks and that seems to work fine.
It’s pretty stable but frustrations remain. Their Edge series are more powerful but the UI is painful and much must be done via the CLI. The Unifi line doesn’t support such things. For example, on an edge router it was fairly easy to make a rule saying “any port 53 traffic that isn’t coming from the Pihole, redirect back to the Pihole”.
The Dream Machine Pro isn’t 100% stable and occasionally requires the config to be reloaded. Its support for more modern VPN types has been slow to materialise.
The UDMP has been vastly superior to my crappy ISP-supplied routers.
Or, if you're in Germany, get a FRITZ!Box. It's been my favorite product purchase ever[1]. Solid performance, and the software is a bliss. Here are some niceties available out of the box:
- Traffic prioritization (real-time, prioritized, background), and access profiles (per-device data budget, filters, max online time).
- Per device statistics on max data rate, current throughput, Wi-Fi standard, encryption, signal properties (e.g. MU-MIMO or not), etc.
- Special LAN port for guests, without access to the rest of the network (good for that ad filled smart TV).
- Extra LED with customizable function (can light up if there's anybody in the guest network, or a device plugged in the USB, or data cap is exceeded, etc).
- Energy consumption graphs for each major component (CPU, Wi-Fi, USB devices, etc).
- More information about my DSL cable than I know what to do with, including spectrum graphs, line attenuation, latency, and even approximate line length.
- Security diagnostics with provider info, firmware status, login credentials type, open ports, egress filters, Wi-Fi security, etc.
- Also has features for smarthome, telephony, NAS, and media center, but I've never tried those.
Yeah these are great pieces of software and hardware, and AVM is a decent company as well. Although I personally prefer to hang up a Ubiquiti WAP.
I wanted to say there used to be Freetz which was neat but they ensured this wouldn't work anymore. But I learned it is continued in form of Freetz-NG!
My ISP (Freedom Internet) allows me to rent a modem for 2 EUR per month. A steal.
I have a 7530-AX and on the whole it's been good - but for some reason the 5GHz service keeps switching off; wondered if you'd had any similar experience?
I would also recommend OpenWRT - to anyone who's tech-savvy enough to upload a new firmware file and go through a web interface to set up the network. I was used to setting up things like Mikrotik or OpenBSD+pf (which while great, are not exactly intuitive), and was surprised it's really no more difficult (often less difficult) than using whatever stock web UI these SoHo routers usually come with.
The kind of hardware offloading included in consumer router hardware is fundamentally broken by design. Relying on the ethernet switch to handle NAT instead of the CPU makes it impossible to do software-based QoS (eg. the SQM module's cake or fq-codel) or any other packet processing that said ethernet switch isn't equipped for.
The router I have right now is the best one I've ever had, it's an APU4D4 from teklager.se.[1]
> APU router is the most open-source network device you can buy. It comes with open-source BIOS, open-source operating system of your choice and open hardware schematics. It's not locked down in any way.
I bought mine with opnsense pre-installed and it has been absolutely rock solid. For wi-fi, I've just used an old router with wifi in "ap-mode" connected to my APU router -- interestingly it turns out that the throughput bandwidth for wi-fi increased by orders of magnitude as soon as the poor Asus box didn't have to perform any logic on the packets passing through.
I would recommend installing opnsense on any old desktop PCs you have lying around. Get an Intel LAN card with two ports (or more) and you'll be golden.
OpenWRT is fine but I've found that if you're shopping around for devices it's hard to find ones that will do 1gbps with traffic shaping enabled for an affordable price.
I used to run OPNsense but I switched to Debian because of https://news.ycombinator.com/item?id=34839161 . I wouldn't recommend OPNsense any more for anyone who cares about security.
When I went shopping for a router I had a lot of trouble finding one.
I basically don't care about "features," but I wanted the latest WIFI standards because of reception issues in my house, and at least 4 wired ethernet ports. (I don't want to have to buy dongles / extenders for wired ethernet ports.)
It was surprisingly hard to find an OpenWRT router that supports the latest WIFI features, so I just went with a proprietary router.
I recently picked up a Linksys e8450 (twin sibling of the Belkin RT3200) and flashed it with OpenWRT and it's been great; WIFI-6 speeds on a router that is actually configurable.
Something I learned first-hand from empirical testing is that Intel cards are quantifiably better at receiving frames than cards with Realtek/Mediatek/Ralink chipsets, specifically in congested environments.
In the presence of a collision, the Intel cards are able to successfully receive the stronger signal of the two as long as there's enough of a difference in signal strength.
The cards with Realtek chipsets on the other hand, are only able to receive the stronger of the two frames if the stronger frame started being transmitted first.
It's as if Intel's receiver is always looking for frame preambles even when a valid preamble has been heard and the radio is in the middle of receiving a frame. The other receivers stop looking for preambles while in the middle of receiving a frame.
If you live in an urban environment and have wifi problems, you'll likely have an observable improvement if you upgrade.
I don't know how well Qualcomm and Broadcom chipsets perform, but I wouldn't be surprised if at least Qualcomm works as well as Intel.
I've been using a Mikrotik for about 2 years now, switched from an Ubiquiti EdgeRouter X when I upgraded to 1gig at home. It works great and has been rock solid since setting it up. I even have 4-port bonding set up to my main switch because neither has SFP+.
However, it was kind of a bear to get all set up. In terms of setup difficulty it goes Mikrotik -> EdgeRouter -> any consumer-focused router. I've been putting off setting up VLANs for about a year and a half because I just know I'm going to break everything.
I really liked the Tomato firmware for these things a while back... Been using OpnSense currently, with a dedicated AP mounted centrally in my home. It's a shame that the FCC rules have pretty much guaranteed that routers will only allow signed firmware updates, though the companies could do it differently. In the end, I miss the plethora of home hardware that can be consumer maintained and upgraded. I've avoided most "smart home" stuff for that reason.
More of a Tomato fan myself (used multiple ASUS routers), but using a router with stock firmware always seemed not worth the risk when there are so many great alternatives.
1. Reboot the router via pulling and reconnecting the power cord
2. Log in to WWW interface
3. Go to Administration > System. Enable SSH (enable login/password as well, choose a port of your taste)
4. SSH to your router: ssh admin@192.168.50.1 -p 2424 (assuming your user name is admin, the IP is 192.168.50.1 and you chose port 2424 for ssh). Password is the same as for the web UI
5. In SSH session, type: rm /jffs/asd/chknvram20230516
I mean, this might work for me, but how do we deal with the fact that if I were my wife, ASUS has basically turned my very expensive router into a very expensive brick?
Agreed. I had enough issues with my router yesterday I purchased a different brand router and decommissioned my ASUS. I was not aware of this wide-spread issue until today. Much like HP printers, I will think twice about recommending or purchasing an ASUS.
At worst, most troubleshooting guides online (one's phone probably has Internet) and probably even in the manual end with "if all else fails, here's how to factory reset". Someone in the comments of the article said a factory reset fixed it for them.
I understand the frustration, but after some initial anger, people will eventually get there.
The file in “/jffs/asd” can be named differently depending on your SKU, in my case (ASUS ZenWiFi XD4) it was “blockfile<date>”. Just delete the one with the date appended to it.
Do we know if this file is something downloaded from ASUS, rather than a bogus file created on the router itself? If the former, it might be interesting to make a backup copy in case someone can see what it is they did wrong.
I don't have an ASUS router, but three things leap out at me: a string being logged over and over, running out of space on a filesystem, and rotated log files named something.1.
It is trivially easy to blow right past the size capping on systems that use the old "newsyslog" style of external logfile rotation from the 20th century, and something that is logging a short string "[chknvram_action] Invalid string" over and over very fast is exactly how to do this.
For those interested in investigation, therefore, I would suggest looking at logfile sizes, and seeing whether it was logs eating all of the free space on /jffs and /var .
The underlying cause would be whatever is logging "[chknvram_action] Invalid string" thousands of times over, but the mechanism would be log files filling the tmpfs that the article mentions, which would explain why the system had no memory for forking new processes.
My wild speculation about "[chknvram_action] Invalid string" is that something somewhere in whatever "chknvram" is, the name being suggestive of something checking non-volatile RAM, has either bad data or a broken parser, and the recovery semantics are to retry immediately, incessantly, as fast as possible.
So some somewhat more informed speculation is that the new signature file either yesterday or today either broke a parser or was itself corrupt. The error-handling path for this is still poor.
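One way to run the check suggested above (look at log file sizes and at what is flooding them), as an added example that is not code from the thread or from ASUS. It builds a constructed log directory in a temp dir so it runs offline; on a real unit you would point `largest_files` and `top_repeated_message` at /jffs and /var and at the syslog files there. The repeated string is the one quoted in the thread; the other log lines and file names are made up.

```shell
#!/bin/sh
# Added diagnostic example (not from the thread, not ASUS code). Two checks a
# defender runs on the router over SSH when a tmpfs fills up unexpectedly:
#   1. which files under a path are the largest (candidate runaway logs)
#   2. which message repeats most, and what share of the log it occupies
# The sample log directory is constructed here so the script runs offline.

make_sample_logs() {
    LOGDIR=$(mktemp -d)
    i=0
    # constructed: one source logging the same short string 500 times
    while [ "$i" -lt 500 ]; do
        echo "May 17 10:00:00 router asd: [chknvram_action] Invalid string" >> "$LOGDIR/syslog.log"
        i=$((i + 1))
    done
    echo "May 17 10:00:01 router dnsmasq: started" >> "$LOGDIR/syslog.log"
    echo "May 17 10:00:02 router kernel: eth0 link up" >> "$LOGDIR/syslog.log"
    # the rotated copy (the "something.1" file the comment points at)
    cp "$LOGDIR/syslog.log" "$LOGDIR/syslog.log.1"
    echo "$LOGDIR"
}

# Largest regular files under a directory, biggest first, as "bytes path".
# Second argument limits the number of rows (default 5).
largest_files() {
    find "$1" -type f -exec wc -c {} + | grep -v ' total$' | sort -rn | head -n "${2:-5}"
}

# Most frequent message in a syslog-style file, as "count message".
# The first three fields (month, day, time) are dropped so the same message
# logged at different times is counted as one.
top_repeated_message() {
    cut -d' ' -f4- "$1" | sort | uniq -c | sort -rn | head -n 1 | sed 's/^ *//'
}

# Number of lines in a log that contain the given fixed string.
count_message() {
    grep -c -F -- "$2" "$1"
}

# Percentage of a log's lines taken by its single most frequent message;
# a value near 100 means one source is flooding the log.
dominant_message_pct() {
    total=$(wc -l < "$1" | tr -d ' ')
    top=$(top_repeated_message "$1" | cut -d' ' -f1)
    echo $((top * 100 / total))
}

# Stand-alone run: build the sample, then report as you would on the router.
if [ "${1:-}" = "--demo" ]; then
    dir=$(make_sample_logs)
    echo "Largest files under $dir:"
    largest_files "$dir"
    echo "Top message: $(top_repeated_message "$dir/syslog.log")"
    echo "Share of log: $(dominant_message_pct "$dir/syslog.log")%"
    rm -r "$dir"
fi
```

Run it with `--demo` to see the report on the constructed sample. On the constructed data the repeated string accounts for 99% of the lines, which is the pattern the comment describes: a tiny message, repeated fast enough that size-capped rotation never catches up.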
Why does a router need malware signature files? It has no business monitoring my traffic, except in accordance with the firewall rules that I set myself.
From the article:
> not keeping my firmware up to date
I've had this (non-Asus) router for three years. I've never updated the firmware.
A parsing error due to a signature-based malware definition file update is a totally plausible suspect!
It would explain why the router is downloading “updates” but not firmware upgrades.
Also, these signature files contain tons of hex strings and unusual characters used to identify the actual malware (IOCs).
We rollback these updates all the time when a bad malware signature update pegs the AV scan daemon. They are released several times per month depending on the vendor.
Someone more knowledgeable about ASUS asd can probably confirm/deny.
In the comments of the article someone mentions that deleting the file solved the issue without a firmware update. Too bad they didn't save it before, a comparison with the newer working version would be nice.
I guess Asus quickly discovered their mistake and removed the faulty file from their servers, but affected devices never got to the point where they'd look for a newer file but just choked on the local one.
What's your recommended alternative to the newsyslog style of external logfile rotation? I'm not much of a sysadmin but it might be useful to know at some point. Thanks in advance!
The one that people came up with in the 1990s. There are quite a number of implementations to choose from. The shame of this hitting ASUS in 2023 is that this is a long-known problem and a long-since solved one. I have vague memories of grumpy posts on Usenet about this. It's that old a problem; and it has been solved for nigh on a quarter of a century.
This seems to be related to “ASUS Healing System” which I don’t even know if I have enabled or not.
That name already sounds creepy enough, but searching for that string (with the quotes) currently returns only 4 results, of people asking what it is. My guess is some sort of hidden backdoor, disguised as an ostensibly useful feature.
I'm going to take a wild guess that the "ASUS Healing System" periodically checks system health and reboots a Daemon or the whole system if stuff breaks.
That seems to be the way to keep consumer grade routers from requiring the user walk over and reboot them once a week...
A lot of routers have this healing system built in. I had a Netgear that, close to the end of its life (which was two years after I bought it, I think), would reboot every hour. It was OK for the most part until my uncle came from elsewhere and was working remotely on a video call. It drove him bonkers.
I assume that ASUS routers are based on Linux, so shouldn't the source for these routers be readily available? I am able to find custom third party mods (asuswrt-merlin) but I can't actually find a clear copy of the original sources!
This is very common when I look to find source for embedded devices like this. What I expect is the next step is that you will find (or be given) a borderline useless blob of source that doesn't explain any of its build process, which is absurd because the GPL clearly defines the build "glue" as part of the source.
Is ASUS another company that is doing a poor job of GPL compliance in this space?
The power of blogging and HN. Asus or my ISP didn't tell me why my router/internet went out twice today. I honestly thought thieves stole my copper again:
I love when thieves are trying to steal copper, but all they get is a broken fiber optic ;)
My dad works as a network engineer, and he told me a story that one of the banks in Poland lost one of the internet providers. They investigated and found out that thieves stole hundreds of meters of a fiber cable, because they thought that it's copper.
Oddly, I'm also running Merlin but I did have a problem where my laptop thought it was connected to the AP but couldn't get local network traffic routed to it. Easiest solution turned out to be to just reconnect, so I don't actually know the deeper problem.
I don't think it has any relation, but since it's the first time it's happened, it was kind of a freaky coincidence!
That’s a totally reasonable point of view, would be nice. But, the days of fixed-function hardware are almost completely gone. These routers (and lots of electronics) are just Linux computers stuffed in small boxes, and come with a lot of the same kinds of dependencies as your desktop. As such, when a security vulnerability is discovered, for example, it’s kind-of a good idea to be able to accept a software update, and when people are discovering them in every corner of the OS and utilities and daemons they run, it suddenly makes sense from a completely practical perspective to update automatically on a regular basis, which is what most people need for their computers & phones. They all should accept and respect the ability to disable auto-updates though. Maybe this case is an exploit or something.
I'm convinced there are now multiple generations of engineers that have no idea that it is possible to write software that doesn't require over the air updates nor telemetry.
Have we all forgotten how Nest thermostats turned off the heat in the middle of January 2016 because of a botched software update? (Probably. It was hard to get Google to surface a link without a date due to so much SEO bullshit).
Maybe, I guess, but it’d be pretty weird to be an engineer of any kind and not know about local file systems. More likely, both companies and most users want remote updates, and companies certainly love as much telemetry as they can get.
At least in this case, ASUS routers all have local firmware install functionality, so this particular case is certainly not an example of engineers not knowing it’s possible to write offline updates.
Now if you’re really lamenting the lack of computing devices that cannot be updated remotely by design, that’s a different story, and might be on a ship that sailed a while back. The problem there is that local updates are inconvenient enough for most people that they aren’t done, which is problematic from support and security perspectives, even though there are legit problems with remote updates too…
It’s not necessarily the engineers. Product and Leadership needs the telemetry in order to justify the expenses for their department or team or whatever and therefore justify the existence of those engineers.
Security updates are the important part. Particularly when dealing with vulnerable equipment which can be compromised and have botnet malware dropped on it. A 0-day in a popular DVR/NVR or home router can lead to tens of thousands of devices that can throw a lot of heat. ISPs have not been great in this space, so it's left to a small community to chase down the manufacturers to push updates out. The tragic part is for some devices the company has gone out of business.
The scary part of auto-update is when a company does a bad job of it. For example: letting the auto-update site domain expire, or letting it point to an IP at a hosting provider that someone might pick up; if the devices don't do proper endpoint validation, folks can use it to force downloads of compromised images.
"Do all routers these days "phone home" anyway and modify settings on autopilot?"
Depends.
"Homemade" routers running an open source OS that the computer owner can compile themselves need not "phone home" against the owner's intent. "Home" is the computer owner, not some company.
Commercial routers running closed source OS that owner cannot edit and re-compile can be expected to try to phone home for something, IMHO. A disturbing trend certainly not started by ASUS but which seems to be infecting most hardware sold with pre-installed closed source OS.
> A disturbing trend
I think it's inevitable and probably not completely bad that hardware vendors are taking responsibility for vulnerabilities in their products.
I know I would prefer something like that for my non-savvy people. Considering there are smart light bulbs with vulnerabilities which are years away from the landfill. The only question is which botnet will they join the next time they power cycle.
1. A modem that handles ADSL/VDSL/fibre incoming and 10GB ethernet outgoing with passthrough to:
2. A good wifi 6 mesh router + APs (eg Netgear or equivalent).
I don't want them to do anything but:
a) Support both DHCP and fixed assigned IPv4 configuration
b) IPv6 /56 subnet assignment
c) NAT outgoing IPv4, no incoming connections allowed
d) IPv6 ingress/egress
I don't want them scanning the traffic, protecting me from malware, upgrading themselves, doing anything fancy.
I want the bandwidth of my home ISP connection to be supported and I want the bandwidth of my 5G wifi and 10GB internal LAN to be fully supported.
A modem that handles ADSL, and VDSL, and Fibre, with 10GBASE-T? Why would such a thing exist?
All ADSL and VDSL connections known to man will have adequate bandwidth over 1000BASE-T, simple and cheap modems that support RFC 1483 bridging abound. If you've got >1Gb/s fibre, presumably your ISP provides equipment to support such, and why not simply have a router with SFP+?
> If you've got >1Gb/s fibre, presumably your ISP provides equipment to support suc
Why would they do that? If they sell me 10GBit but I can only reasonably use 1, then they can sell the same thing to 10x the people with the same hardware.
Your best bet is still to run your own hardware and software like opnsense [1]. An old PC would do, or if you need more, a newer one. You can easily add cards for 10 or 25 GBit and upgrade later if needed with more memory etc.
I have 1.5gbps internet and the ISP modem has a multi-gig port on it (2.5G) so tplink deco series (X90) come with a 2.5G port on each unit, and the XE200's have 10G ports.
I used to run a full 10gb-t datacenter switch (dell) and put the fiber right into the sfp+ ports to do my own routing, but once the ISP started providing modems that could actually network at 2.5G it was overkill and I moved back to modem -> APs and modem->smaller 10G switch for PCs and Servers.
I’m a big fan of Ruckus for anything wireless, but they’re not cheap. But they’re extremely reliable, high-quality hardware that work especially well in multi-AP setups. You’ll probably want a separate modem+router device, though.
https://www.asuswrt-merlin.net/
So far, no issues, and it has the ability to let me ssh in, and install third-party utilities via an opkg-style interface.
My error was a complaint about a lack of disk space in the logs, fwiw. RT-AX92U.
/edit I might be getting mixed up with netgear!
[1] https://avm.de/produkte/fritzbox/fritzbox-7530-ax/
https://github.com/Freetz-NG/freetz-ng
it kept adjusting the settings I had configured after some period of time
e.g. set up a hole for SSH. I then tested it to ensure that it worked
then a few days later, trying to use it for real... finding out the device had decided to change the DNAT target ip
I replaced it with a mikrotik box that cost 1/6th as much and has functioned perfectly ever since
[1]: https://teklager.se/en/products/routers/apu4d4-open-source-r... -- I have no affiliation with the company, just a happy customer.
OpenWRT is fine but I've found that if you're shopping around for devices it's hard to find ones that will do 1gbps with traffic shaping enabled for an affordable price.
I basically don't care about "features," but I wanted the latest WIFI standards because of reception issues in my house, and at least 4 wired ethernet ports. (I don't want to have to buy dongles / extenders for wired ethernet ports.)
It was surprisingly hard to find an OpenWRT router that supports the latest WIFI features, so I just went with a proprietary router.
In the presence of a collision, the Intel cards are able to successfully receive the stronger signal of the two as long as there's enough of a difference in signal strength.
The cards with Realtek chipsets on the other hand, are only able to receive the stronger of the two frames if the stronger frame started being transmitted first.
It's as if Intel's receiver is always looking for frame preambles even when a valid preamble has been heard and the radio is in the middle of receiving a frame. The other receivers stop looking for preambles while in the middle of receiving a frame.
If you live in an urban environment and have wifi problems, you'll likely have an observable improvement if you upgrade.
I don't know how well Qualcomm and Broadcom chipsets perform, but I wouldn't be surprised if at least Qualcomm works as well as Intel.
However, it was kind of a bear to get all set up. In terms of setup difficulty it goes Mikrotik -> EdgeRouter -> any consumer-focused router. I've been putting off setting up VLANs for about a year and a half because I just know I'm going to break everything.
It is certainly a step up from "plug in and it works" consumer routers/APs but the setup has gotten much easier since the early days.
Recommended. And if you check you can even find some of their hardware can run OpenWRT so you have that as a backup.
We have Ruckus Unleashed (AP) + pfSense at one of my hotels.
But I prefer Aruba Instant On APs. Easiest and simplest.
1. Reboot the router via pulling and reconnecting the power cord
2. Log in to WWW interface
3. Go to Administration > System. Enable SSH (enable login/password as well, choose a port of your taste)
4. SSH to your router: ssh admin@192.168.50.1 -p 2424 (assuming your user name is admin, the IP is 192.168.50.1 and you chose port 2424 for ssh). Password is the same as for the web UI
5. In SSH session, type: rm /jffs/asd/chknvram20230516
6. In SSH session, type: reboot
Seems to have done the trick for me.
I understand the frustration, but after some initial anger, people will eventually get there.
The router is a brick now, the worst that can happen is that it’ll be a brick after.
It is trivially easy to blow right past the size capping on systems that use the old "newsyslog" style of external logfile rotation from the 20th century, and something that is logging a short string "[chknvram_action] Invalid string" over and over very fast is exactly how to do this.
For those interested in investigation, therefore, I would suggest looking at logfile sizes, and seeing whether it was logs eating all of the free space on /jffs and /var .
The underlying cause would be whatever is logging "[chknvram_action] Invalid string" thousands of times over, but the mechanism would be log files filling the tmpfs that the article mentions, which would explain why the system had no memory for forking new processes.
My wild speculation about "[chknvram_action] Invalid string" is that something somewhere in whatever "chknvram" is, the name being suggestive of something checking non-volatile RAM, has either bad data or a broken parser, and the recovery semantics are to retry immediately, incessantly, as fast as possible.
* https://www.snbforums.com/threads/what-is-asd-process.76242/...
So some somewhat more informed speculation is that the new signature file either yesterday or today either broke a parser or was itself corrupt. The error-handling path for this is still poor.
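An added triage helper for the log-storm theory in the comments above (not code from the thread or from ASUS): it counts how often a message such as "[chknvram_action] Invalid string" repeats in a syslog excerpt, lists the most repeated messages, and checks whether a mount like /jffs or /var is nearly full. The log lines are constructed samples; the syslog format and mount names are assumptions.

```shell
#!/bin/sh
# Added example: triage a syslog excerpt for a message storm and for a
# nearly-full filesystem, the two symptoms discussed in the thread.

# Constructed sample in BusyBox syslog style (assumed format; not real router output).
SAMPLE_LOG='May 17 02:11:01 asd: [chknvram_action] Invalid string
May 17 02:11:01 asd: [chknvram_action] Invalid string
May 17 02:11:01 asd: [chknvram_action] Invalid string
May 17 02:11:02 kernel: eth0: link up
May 17 02:11:02 asd: [chknvram_action] Invalid string
May 17 02:11:03 dnsmasq[431]: started'

# storm_count LOGTEXT PATTERN: number of lines containing PATTERN (fixed string).
storm_count() {
    printf '%s\n' "$1" | grep -c -F -- "$2"
}

# top_repeated LOGTEXT [N]: the N most repeated messages with the
# "Mon dd hh:mm:ss " timestamp stripped, printed as "<count> <message>",
# most frequent first. A single message dominating the list is the tell.
top_repeated() {
    printf '%s\n' "$1" \
        | sed 's/^[A-Z][a-z][a-z] [ 0-9][0-9] [0-9:]\{8\} //' \
        | sort | uniq -c | sort -rn | head -n "${2:-3}" \
        | sed 's/^ *//'
}

# mount_nearly_full MOUNTPOINT [THRESHOLD_PCT]: true when the mount's use%
# is at or above the threshold (default 90). df -P gives POSIX columns,
# so this also works with the BusyBox df found on routers.
mount_nearly_full() {
    pct=$(df -P "$1" 2>/dev/null | awk 'NR==2 { sub("%", "", $5); print $5 }')
    [ -n "$pct" ] && [ "$pct" -ge "${2:-90}" ]
}

# Stand-alone run: report on the sample and on the mounts the thread names.
storm_count "$SAMPLE_LOG" "[chknvram_action] Invalid string"
top_repeated "$SAMPLE_LOG" 2
for m in /jffs /var /tmp; do
    mount_nearly_full "$m" 90 && echo "WARNING: $m is 90% full or more"
done
exit 0
```

Point the functions at the real log (e.g. `top_repeated "$(cat /tmp/syslog.log)"`) and at /jffs and /var to test the "logs ate the free space" hypothesis before reflashing.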
They argue that he doesn't understand and he's stupid to want to be part of a botnet and that Asus obviously know what they're doing.
Why does a router need malware signature files? It has no business monitoring my traffic, except in accordance with the firewall rules that I set myself.
From the article:
> not keeping my firmware up to date
I've had this (non-Asus) router for three years. I've never updated the firmware.
It would explain why the router is downloading “updates” but not firmware upgrades.
Also, these signature files contain tons of hex strings and unusual characters used to identify the actual malware (IOCs).
We rollback these updates all the time when a bad malware signature update pegs the AV scan daemon. They are released several times per month depending on the vendor.
Someone more knowledgeable about ASUS asd can probably confirm/deny.
I guess Asus quickly discovered their mistake and removed the faulty file from their servers, but affected devices never got to the point where they'd look for a newer file but just choked on the local one.
See https://jdebp.uk/FGA/do-not-use-logrotate.html for everything from Bryan Cantrill to comments in GNU source code. (-:
That name already sounds creepy enough, but searching for that string (with the quotes) currently returns only 4 results, of people asking what it is. My guess is some sort of hidden backdoor, disguised as an ostensibly useful feature.
That seems to be the way to keep consumer grade routers from requiring the user walk over and reboot them once a week...
This is very common when I look to find source for embedded devices like this. What I expect is the next step is that you will find (or be given) a borderline useless blob of source that doesn't explain any of its build process, which is absurd because the GPL clearly defines the build "glue" as part of the source.
Is ASUS another company that is doing a poor job of GPL compliance in this space?
Is it intentional?
So DSP magic?
https://news.yahoo.com/rise-copper-theft-officials-concerned...
My dad works as a network engineer, and he told me a story that one of the banks in Poland lost one of the internet providers. They investigated and found out that thieves stole hundreds of meters of a fiber cable, because they thought that it's copper.
I don't think it has any relation, but since it's the first time it's happened, it was kind of a freaky coincidence!
Maybe I am old-fashioned, but shouldn't hardware appliances be designed as standalone devices that have minimal external dependencies?
If there was no firmware update or patch applied -- the functionality of the device shouldn't change.
Do all routers these days "phone home" anyway and modify settings on autopilot? Even if user has chosen to turn off updates?
Have we all forgotten how Nest thermostats turned off the heat in the middle of January 2016 because of a botched software update? (Probably. It was hard to get Google to surface a link without a date due to so much SEO bullshit).
https://www.nytimes.com/2016/01/14/fashion/nest-thermostat-g...
Google no longer does search, it does "recommendation" and it sucks hard.
At least in this case, ASUS routers all have local firmware install functionality, so this particular case is certainly not an example of engineers not knowing it’s possible to write offline updates.
Now if you’re really lamenting the lack of computing devices that cannot be updated remotely by design, that’s a different story, and might be on a ship that sailed a while back. The problem there is that local updates are inconvenient enough for most people that they aren’t done, which is problematic from support and security perspectives, even though there are legit problems with remote updates too…
The scary part of auto update is when a company does a bad job of it. For example: letting the auto update site domain expire or point to an IP at a hosting provider that someone might pick up and if the devices don't do proper endpoint validation folks can use it to force downloads of compromised images.
All of these things have happened.
Depends.
"Homemade" routers running open source OS that computer owner can compile themselves need not "phone home" against owner intent. "Home" is the computer owner, not some company.
Commercial routers running closed source OS that owner cannot edit and re-compile can be expected to try to phone home for something, IMHO. A disturbing trend certainly not started by ASUS but which seems to be infecting most hardware sold with pre-installed closed source OS.
I know I would prefer something like that for my non-savvy people. Considering there are smart light bulbs with vulnerabilities which are years away from the landfill. The only question is which botnet will they join the next time they power cycle.
Users won't apply fixes.
Therefore auto-updates became the norm.
You can trust the users implicitly, or you can trust ASUS implicitly.
It seems that the appropriate place to deal with network traffic security issues is with the network bandwidth provider, which would be your ISP.
1. A modem that handles ADSL/VDSL/fibre incoming and 10GB ethernet outgoing with passthrough to:
2. A good wifi 6 mesh router + APs (eg Netgear or equivalent).
I don't want them to do anything but:
a) Support both DHCP and fixed assigned IPv4 configuration
b) IPv6 /56 subnet assignment
c) NAT outgoing IPv4, no incoming connections allowed
d) IPv6 ingress/egress
I don't want them scanning the traffic, protecting me from malware, upgrading themselves, doing anything fancy.
I want the bandwidth of my home ISP connection to be supported and I want the bandwidth of my 5G wifi and 10GB internal LAN to be fully supported.
All ADSL and VDSL connections known to man will have adequate bandwidth over 1000BASE-T, simple and cheap modems that support RFC 1483 bridging abound. If you've got >1Gb/s fibre, presumably your ISP provides equipment to support such, and why not simply have a router with SFP+?
Why would they do that? If they sell me 10GBit but I can only reasonably use 1, then they can sell the same thing to 10x the people with the same hardware.
[1] https://sschueller.github.io/posts/wiring-a-home-with-fiber/...
I used to run a full 10gb-t datacenter switch (dell) and put the fiber right into the sfp+ ports to do my own routing, but once the ISP started providing modems that could actually network at 2.5G it was overkill and I moved back to modem -> APs and modem->smaller 10G switch for PCs and Servers.