380.65 Beta 1 (15-Jan-2017)
- NEW: Merged with Asus GPL 380_4180 (and fixed its broken
Network Tools/Connections/etc... pages)
- NEW: Upgraded to OpenVPN 2.4.0, and implemented support
for many of its new features:
* GCM ciphers
* LZ4 compression
* tls-crypt (uses the Static Key field)
* Cipher negotiation (NCP), with (optional)
fallback to legacy "cipher" parameter when
an OpenVPN 2.3 client connects to the
router's 2.4 server.
Please refer to the OpenVPN 2.4 documentation for
more info on these new features.
You will be warned if any server setting would
generate an exportable ovpn file that would be
incompatible with older clients.
Existing client config shouldn't need to be changed,
unless you modify the router's server configuration.
- NEW: Upgraded Busybox to 1.25.1 (patch by theMIROn)
- NEW: Added the following Busybox applets: ntpd, time, uniq,
xargs and getopt, for feature parity with John's fork.
- NEW: Option on Media Server page to enable minidlna's
built-in status web page. Default URL is
- NEW: Support for Vodafone R226 USB LTE (patch by
- NEW: New "update-notification" user script, that gets run
when a scheduled firmware check detects a new version
- CHANGED: Removed support for all RC ciphers on OpenVPN.
DES is staying for now, but should still be avoided
- CHANGED: Updated Tor to 0.2.9.8 (patch by blackfuel)
- CHANGED: Updated nano to 2.7.4.
- CHANGED: hosts file will now give a higher priority to the
user-configured hostname for the router ahead of
hardcoded ones (like router.asus.com).
- CHANGED: Create a system log entry if new firmware is available.
- FIXED: Invalid DUID used when requesting an IPv6 prefix
for some of the newer router models, which would
prevent them from getting working IPv6 (Asus bug)
- FIXED: Network Service Firewall rules not applied
under certain configurations
- FIXED: Port triggering wasn't working if traffic had
been whitelisted by Network Service Firewall
- FIXED: Avahi wasn't rejecting connections from
secondary WAN interface
- FIXED: Sorting clients by connection time would incorrectly
treat 10 hours as longer than 9 hours, as it was
handling it as a string (Asus bug)
- FIXED: Exported ovpn client file wouldn't use the
user-configured hostname when using DDNS custom mode.
- FIXED: Exported OpenVPN client config didn't work when
using static key authentication.
- FIXED: Exported OpenVPN client config wasn't editable with
Notepad, the default editor used by Windows's
- FIXED: OpenVPN was killed too quickly on disconnection,
causing issues when using explicit-exit-notify
(patch by john9527)
- FIXED: OpenVPN client/server instances weren't properly
restarted on a WAN restart (patch by john9527)
- FIXED: Some models (N66/Ac66/AC5300) would reboot 3 times
if one of the radios was found disabled by the user
while booting (Asus bug).
- FIXED: IPv6 client list failing to properly show hostnames
(regression in 64_1)
- FIXED: A few potential buffer overruns in httpd
- FIXED: Security issues in httpd (backport from GPL 4180 +
additional fixes of my own)
- NEW: New firmware availability notification. The router will
notify you if a new firmware is available, and will also
let you view the changelog before sending you to the
download page (the update process remains manual).
Note that the automated check will only report new
final releases. The Check button on the Firmware Upgrade
will immediately check for final releases or beta (if you
select that option), but not both at the same time.
- NEW: Added iptables MASK support on MIPS kernel (patch
- NEW: Webui warning shown in the notification area if running
low on free nvram.
- CHANGED: Updated nano to 2.7.1.
- CHANGED: Updated OpenVPN to 2.3.14.
- CHANGED: Updated curl to 7.51.0, resolving numerous security
and stability issues.
- CHANGED: Tor clients will now route other TCP ports than just
80/443, and drop UDP and ICMP traffic (patch by
- CHANGED: QoS Stats info will automatically refresh every
3 seconds (user-configurable)
- CHANGED: IPTraffic charts now show sorted slices, so the
clients with the least traffic will get grouped
under "Others" if truncating the list of shown
- CHANGED: Enabled IPv6 support in curl.
- CHANGED: Improved webui performance, by caching large static
life from 5 mins to 1 hour.
- CHANGED: No longer include Download Master packages in the
firmware for those models that still included them,
reducing firmware size by a few megabytes.
Those were always outdated, the router will download
the latest versions from Asus's servers at install
- CHANGED: Improved webui protection against CSS/XSS attacks
(backport from GPL 4164)
- FIXED: Web server crash if importing an ovpn file with an
invalid key or certificate (Asus bug)
- FIXED: App icon at the top wouldn't work on Firefox,
- FIXED: Firefox would sometime fail to display the client
list, reporting a JSON parsing error in the console.
- FIXED: HMAC setting not properly set when importing an ovpn
file for a config based on TLS authentication mode.
(backport from GPL 4164)
- CHANGED: Added detection for iPhone 7 models in networkmap
(patch by Andrei Coman).
- CHANGED: Enabled --dns-loop-detect support in dnsmasq
- CHANGED: Move Dual WAN static routes to a lower priority, so VPN
policy rules will have priority over them
- FIXED: Traditional QoS labels were off by one on the Stats page.
- FIXED: Adaptive QoS upload stats couldn't be retrieved because
qosd seems to be hardcoded to always set up classes on eth0
rather than on the real WAN interface.
- FIXED: USB driver was removed too early at shutdown time on the
RT-AC56U and RT-AC87U (fix by john9527)
- NEW: QoS Statistics page, showing the amount of traffic assigned to
each available classes, as well as the current throughput.
- NEW: Charts added to various Traffic Monitor pages.
Note that you can click on legend items to reveal/hide the
DL/UL data. Hovering over a bar or a pie slice will
display the exact value for that item.
- NEW: Added pc_delete() to the helper script (patch by john95287)
- NEW: IPv6 firewall now supports fixed interface ID (EUI64) ipv6
destination addresses (Patch by john9527)
- CHANGED: Updated Tor to 0.2.8.9
- CHANGED: Updated OUI database.
- CHANGED: ipset was updated to version 6.29 on ARM models.
IMPORTANT: this means you will probably need to
update your script to the new syntax. You need to
load the xt_set.ko module at the start of your script.
There has been no change to MIPS models, due to their
older kernel. (original code by Shibby and Victek,
Asuswrt port by john9527) (ARM only)
- CHANGED: OpenVPN policy rules now start at prio 10000 instead of 1000
- CHANGED: Added help popups to various settings that are unique to
- FIXED: Custom group/shadow/passwd weren't applied at boot time.
- FIXED: CVE-2016-5195 (Dirty COW) vulnerability in kernel
(patches by blackfuel and Joseph A. Yasi)
- FIXED: Network Service Filter rules would only apply to clients
under Parental Control if that was enabled (original
debugging by john9527) (Asus bug)
- FIXED: A few memory leaks in httpd and rc services.
- CHANGED: Updated OpenSSL to 1.0.2j
- NEW: Added nano 2.7.0 (user-friendly text editor)
Note that for space reasons, some of its features are disabled
for the RT-N66U and RT-AC66U. Entware users might want to
uninstall the Entware version if they had it installed and want
to use the built-in version instead.
- NEW: Option to toggle the display of passwords on the PPTPD and
OpenVPN server pages.
- NEW: Allow providing a vendor class on the WAN page (DHCP option 60)
- NEW: Add option to disable sending a RELEASE request when odhcp6c
exits, allowing you to retain your received prefix with some
- CHANGED: Updated nettle to 3.2 (used for dnssec) and increased
- CHANGED: Updated minidlna to 1.1.6
- CHANGED: Updated OpenVPN to 2.3.12
- CHANGED: Updated OpenSSL to 1.0.2i
- CHANGED: Revamped the Wireless Log page:
- Merged some columns to gain more horizontal space
- Longer hostname shown (truncated names are now
shown in a tooltip)
- Display clients' IPv6 if they have one
- CHANGED: Accept up to 250 characters for OpenVPN client's
username and password (one provider needs 64).
- CHANGED: Hide the WPA key on the Wireless config page, and only
reveal it when you click on the field to edit it.
- FIXED: OpenVPN client shouldn't display policy routing settings
when using a TAP interface.
- FIXED: DSL/ATM overhead setting was visible on MIPS models, which
don't support it.
- FIXED: Editing OpenVPN or PPTP users with any value longer than
32 chars could lead to corruption of the user list.
- FIXED: Custom config file for igmpproxy wasn't working.
- FIXED: After turning off a Guest network, the next visit to the
Wireless Settings page would show that guest network's settings
instead of the parent band settings (Asus bug)
- FIXED: Smart Connect rules didn't apply on the RT-AC88U (backported
fix from 380_3941).
- FIXED: Numerous memory leaks in the networkmap service. (Asus bug)
- FIXED: Potential buffer overrun in the networkmap service. (Asus bug)
- FIXED: Broken IPv6 connectivity if enabling SSH brute force
protection (only MIPS models were affected)
- FIXED: 5G LED would fail to turn back on when exiting stealth mode.
- FIXED: Only hostname was used as remote server in an exported
OpenVPN client config when using Namecheap DDNS.
- FIXED: Security vulnerability (XSS/CSR) in httpd (backported
fix from 380_4005).
- FIXED: Chrome would try to autofill some fields (such as on the
DDNS configuration page), which could be problematic.
- FIXED: IPTraffic database was no longer properly named after
the router's MAC address on the AC88/AC3100/AC5300.
If you recently enabled it, you will need to either
re-create a new database, or rename the existing
database from tomato_cstats_000000000000.gz to
tomato_cstats_XXXXXXXXXXXX.gz, where "XXXXXXXXXXXX" is
your MAC as found with "nvram get et2macaddr", in
lowercase (AC88/AC3100/AC5300 only).
Regular traffic monitoring (stored in
tomato_rstats_XXXXXXXXXXXX.gz) is fine.
- FIXED: Connected OpenVPN clients reporting as disconnected
on the status page following any wireless config change
- FIXED: OpenVPN server would report being "Initializing"
while it already was ready, following any
wireless config change (Asus bug)
- FIXED: Various stability issues with minidlna (reverted some
of Asus's customizations)
380.61 Beta 1 (31-July-2016)
- NEW: Merged with GPL 3831.
- CHANGED: updated dropbear to 2016.74.
- FIXED: Do not enforce b/g mode as "auto" if wireless mode
is also set to Auto.
There was no non-beta release, due to limited model support
and unsolved WAN stability issues.
380.60 Beta 2 (5-July-2016)
IMPORTANT: The firmware image file format was changed by Asus.
Starting with 380.60, you will no longer be able to
flash versions older than 380.60, or Asus versions
older than 18.104.22.168.380_3000.
You can currently downgrade by using Firmware Recovery
mode, but there's not guarantee that this will keep
working in the future.
- NEW: Merged with GPL 3479. This includes the new file format
required for certification purposes.
- NEW: Option to enable overhead calculation on Traditional QoS
for DSL users (ARM-only)
- NEW: Option on System page to disable the new forced
redirection to router.asus.com (defaults to disabled)
- CHANGED: Updated OpenVPN to 2.3.11
- CHANGED: Allow to specify IPv6 prefixes up to 126 on the IPv6 config
- CHANGED: Networkmap will now announce itself as "Asuswrt/networkmap"
when connecting to LAN's web services.
- FIXED: OpenVPN server instances weren't properly reporting
if an error occurred at start time.
- FIXED: wget was unable to access https site due to not
having a CA bundle to verify certificates
- FIXED: odhcp6c was sending bogus preferred prefixes, so
anything larger than 64 could result in an invalid
- FIXED: Language selector is missing on router set for the
JP region (reverted Asus change)
- FIXED: Client names with single quotes couldn't be edited
in the networkmap client popup (Asus bug)
- FIXED: Router wouldn't run SMB to provide browser master
or Wins services if no USB disk was plugged
- FIXED: Router would sometime fail to renew a WAN DHCP lease.
(fix by theMIROn)
- NEW: Merged with 380_2697 GPL. This includes beta MU-MIMO support for
the RT-AC87U/AC88U/AC3100/AC5300, and IPTV fixes.
- NEW: Option on OpenVPN client/server page to reset them back to the
factory default settings.
- EXPERIMENTAL: Added support for codel and fq_codel to ARM models
(RT-AC56U and newer).
When enabling Traditional QoS or Bandwidth Limiter,
you can now change from the default sfq queue
discipline to codel or fq_codel.
(based on Kyle Sanderson's Tomato backport)
NOTE: Traditional QoS is currently broken on the
newer models (RT-AC88U and up). This is a known
issue in recent Asus releases.
- CHANGED: WAN -> NAT Passthrough now allows you to determine whether or
not to load the NAT helper module for h323, rtsp and sip.
Asus's old behaviour is "Enabled + NAT Helper".
- CHANGED: DNSFilter client dropdown now uses Asus's new one integrated
- CHANGED: minidlna now supports refreshing an existing database, so the
Tweak setting was updated accordingly
- CHANGED: Enable SPNEGO support in Samba
- CHANGED: Integrated Asus's networkmap into the DHCP reservations page
- CHANGED: Updated Tor to 0.2.7.6
- CHANGED: SSH WAN access will also work over IPv6
- CHANGED: Updated miniupnpd to 2.0
- CHANGED: Fields on the DHCP static lease page are now sortable
(original patch by Allan Jensen)
- CHANGED: Updated openssl to 1.0.2h
- FIXED: Daily/Monthly traffic monitoring shows invalid values on the
RT-AC88U/3100/5300, even with CTF disabled. Implemented a
- FIXED: WPS wasn't working on the RT-AC3200
- FIXED: Backported security fixes from OpenWRT to Samba 3.6.25,
addressing the following:
CVE-2015-5252, CVE-2015-5370, CVE-2015-5296,
CVE-2015-5299, CVE-2015-7560, CVE-2016-2110,
CVE-2016-2111, CVE-2016-2112, CVE-2016-2115,
- FIXED: OpenVPN clients set to policy-based routing and Exclusive
DNS mode were still adding the tunnel nameservers to
dnsmasq, causing both routed and non-routed clients to use
- NEW: Merged with 380_1354 GPL
- NEW: Added Tweaks and Hacks settings to Tools -> Other Settings.
These are UNSUPPORTED tweaks, intended mostly for
experimentation, or very specific situations. If unsure how
to apply these, manually reboot after changing them.
One of new settings there lets you disable hourly network
rescans, to resolve issues with NAS/printers coming out
of sleep every hour.
- NEW: Added setting to configure OpenVPN's auth digest algo.
- NEW: Added setting to configure OpenVPN's logging verbosity.
Note that this setting is global to all clients/servers.
- CHANGED: Updated OpenVPN to 2.3.10
- CHANGED: Updated openssl to 1.0.2g
- CHANGED: Updated miniupnpd to 1.9.20160222
- CHANGED: Updated udpxy to 1.0-build 23-10 (backport from GPL
- CHANGED: if you set an OpenVPN client DNS mode to "Exclusive"
and you enable policy-based routing, then those policies
will also determine which DNS to use (the tunnel's or
the ISP's). This is based on DNSFilter's technology.
You no longer need to use DNSFilter to control
the DNS used by your OpenVPN clients.
- CHANGED: Made OpenVPN traffic bypass CTF, which resolves
some throughput issues with it
- CHANGED: Disabled X11 Forwarding support in Dropbear,
for security reasons.
- FIXED: PPTP static route handling script was broken
- FIXED: minidlna would check for the wrong database filename
at start time
- FIXED: Wrong status shown for VPN Client 3
- FIXED: OpenVPN clients were run on the wrong CPU cores.
Now, odd instances correctly run on the second core.
- FIXED: Using DNSFilter with default mode set to "router" would
prevent using the router for IPv6 lookups.
- FIXED: Account limit wasn't properly allowing up to 10
clients for SMB/FTP (patch by vit9696)
- FIXED: Having multiple OpenVPN clients configured with
multiple "Accept DNS configuration" modes would
only apply the last client's setting. Now, we
apply the most restrictive setting of all
- FIXED: RT-AC68U 2.4 GHz was broken if CTF was disabled
(downgraded wifi driver to 22.214.171.124)
- FIXED: Diasbling the SIP NAT helper would also drop all port 5060
traffic. Some users need to keep the SIP helper disabled
with their SIP client. Reverted that GPL 858 change.
- NEW: Merged with 380_1031 GPL
- NEW: Added RT-AC3100 and RT-AC5300 support
- NEW: Added RT-AC68U HW Revision C1 support
- NEW: Backup/Restore of the content of the JFFS
partition (under Administration Restore/Save Settings)
- NEW: Added DNSSEC support. Can be enabled under LAN -> DHCP.
- NEW: Added custom/postconf support for igmpproxy.conf.
- CHANGED: Increased user account limit from 16 to 32 on
the VPN server pages.
- CHANGED: Updated e2fsprogs to 1.42.13
- CHANGED: Increased maximum entries in Parental Control
(time scheduler) to 32.
- CHANGED: Updated miniupnpd to 1.9.20151119.
- CHANGED: Updated Openssl to 1.0.2e.
- CHANGED: Downgraded Dropbear to 2014.66, too many issues in
the newer releases.
- CHANGED: Improvements to VPN Status page
- FIXED: CTF not automatically disabled when enabling IPTraffic.
- FIXED: Openvpn clients 3 through 5 were all run on the first
CPU core. They are now properly alternated like the
first two (odd on CPU1, even on CPU0)
- FIXED: smb.log generated by networkmap could fill up RAM
- FIXED: upnpc_xml.log generated by miniupnpc could fill up RAM
- FIXED: Inconsistant names used on IPTraffic and Sysinfo page.
Now, we give priority to any description manually entered
on the networkmap, followed by static hostname, then any
current (lease) hostname.
- FIXED: MAC queries sent to the OUI database were broken due to
changes on the IEEE website
- FIXED: Applying changes to OpenVPN client page would start the
client even if it was disabled/stopped.
- CHANGED: Reverted the memory buffering optimization
for ARM devices, as people keep panicking
over the lower amount of free RAM. You can
manually re-enable the optimization by setting
"drop_caches=0" in nvram.
- CHANGED: Allow using a port < 1024 for http(s) webui
- FIXED: EMF wasn't working on AC56/AC68/AC87.
- FIXED: Couldn't connect to ISPs using VLANs (RT-AC87U)
- FIXED: Editing Port Forward entry with ellipsis in
the description or the port range would
still edit the shortened version instead
of the full content.
- FIXED: Debug log from mDNSNetMonitor could gradually
fill up RAM - disabled it.
- FIXED: Router crash if pasting SSH key > 2047
- FIXED: Editing an entry on the networkmap would
clear the hostname if entry existed in
the DHCP static list.
- FIXED: OpenVPN server in secret key mode
would fail to start.
- FIXED: Couldn't add entries to the MAC Filter list
of Guest Networks (reverted our previous
implementation which conflicted with
Asus's new one).
- FIXED: NTP failing to refresh for some cases.
Implemented temporary workaround.
- FIXED: Some services not properly starting at
boot time (like Parental Control or Tor)
NOTE: There is no 378.56 build for the RT-N66U at
this time, as Asus hasn't released updated
source code for this model yet, and there are
new closed source binary components that are
necessary for this new release.
Make sure to read the changelog of the two
previous betas for the complete list of
changes since 378.55.
- CHANGED: Nameserver handling is more resilient to
scenarios where dnsmasq fails to start due
to a broken configuration
- FIXED: PPTP/L2TP client page broken on French locale
- FIXED: Entries on the Virtual Server page with ellipsis
in their name or port range weren't properly
copied to the Add fields when edited.
- FIXED: Additional fixes to truncated hostnames related
378.56 Beta 2 (18-Oct-2015)
- CHANGED: Increased Guest MAC filter entries limit to 64.
- CHANGED: DHCP query logging no longer override configured
syslog level, and option was renamed to "Hide queries"
to be more intuitive in regard to the level logging
- CHANGED: Enabling Hide DHCP queries also silences any RA
- CHANGED: Reverted networkmap's printer detection change
as it didn't resolve the printer wakeups.
- CHANGED: Reorganized settings on the System page
- FIXED: QoS page layout in Firefox
- FIXED: curl wasn't using the firmware's CA list (regression)
- FIXED: Models with 128 KB support were only reporting 64 KB
in the nvram userspace tool
- FIXED: Traditional QoS not working when IPv6 is enabled
(patch by charlie2alpha)
- FIXED: Smart Connect page fails to save interface policies
- FIXED: VPNStatus page was broken on French locale
378.56 Beta 1 (12-Oct-2015)
- NEW: Merged with GPL 9177.
- NEW: Added support for the RT-AC88U.
- NEW: Support for Russian ISP Telenet (code by theMIROn)
- NEW: ipset support in dnsmasq (patch by ryzhov_al)
- NEW: default loglevel is now configurable and defaults to
5 (notice) instead of 0 (emergency)
- NEW: local syslogd loglevel is now configurable through the webui.
- NEW: Support for extra-certs in OpenVPN
- NEW: Editable DHCP static leases list, virtual servers, port triggers.
- NEW: IP addresses on the Network Service Filter page can now be
subnets in CIDR format (i.e. 10.0.0.0/24)
- CHANGED: Updated miniupnpd to 20150723 snapshot
- CHANGED: Updated openvpn to 2.3.8
- CHANGED: Updated dropbear to 2015.68 + upstream patches
- CHANGED: Updated minidlna to 1.1.5.
- CHANGED: Support up to 5 different OpenVPN clients (to match Asus)
- CHANGED: Maximum openvpn policy rules reduced from 128 to 100, fewer
priority slots wasted in the RPDB tables (could have been a
problem with the increase in the number of supported clients)
- CHANGED: Improvements to VPN Status page
- CHANGED: Connection failure reason shown on the OpenVPN client
- FIXED: Router crash when an invalid or corrupted DH parameter
is used on an OpenVPN server configuration.
- FIXED: 2.4 GHz temperature would be missing on the Sysinfo
page when disabling the 5 GHz radio on the RT-AC3200.
- FIXED: Max tracked connection limit wasn't user-editable
- FIXED: Resource leaks in ez-ipupdate if an update failed
- FIXED: Networked printers coming out of sleep every time
networkmap queried their LPR service
- FIXED: Resource leak in networkmap when scanning for
- REMOVED: Regulation mode setting on Wireless -> Professional.
This can't be adjusted anymore, as it was moved to
a closed source component.
- FIXED: DHCP lease page could get confused by IPv6 clients on
378.55 Beta 2 (11-July-2015)
- CHANGED: Updated dnsmasq to 2.73 RC9 (backport from GPL 6975)
- CHANGED: Updated odhcp6c to newer version (backport from GPL 6975)
- CHANGED: Updated openssl to 1.0.2d (fixes CVE-2015-1793, only present
in Beta 1 - 54_2 was not affected)
- CHANGED: Display existing key/certs on the OpenVPN pages once
they've been migrated to JFFS.
- FIXED: Time scheduler-related features (Parental Control & Wifi
scheduler) were broken (backported fix from Asus's GPL 6975)
(beta 1 regression)
- FIXED: QTN firmware was still being copied to RAM rather than rely
on the symlink to flash added in Beta 1, to save 4 MB of RAM.
- FIXED: Dropbox cloud sync would fail on some setups (backport
from GPL 6975)
- FIXED: Entware-setup script would generate an invalid services-start
- FIXED: Duplicate zoneedit entry on the DDNS service list.
378.55 Beta 1 (3-July-2015)
- NEW: Merged with GPL 6117. Notable changes from Asus:
o New token-based webui authentication (more secure)
o OpenVPN certificates moved to JFFS2, saving nvram.
key/cert fields will show up empty on the webui,
any new key/cert you paste will be written back
to /jffs/openvpn/ . This means that if you revert
back to a previous version, your key/certs will
no longer be in nvram, so OpenVPN instances will
fail to start.
o New network client list on the network map
o CTF support for PPTP/L2TP WAN (Russian ISPs) (ARM)
- NEW: Reformatted DHCP lease list under System Log.
- NEW: Reformatted Port Forward page under System Log.
- NEW: Reformatted Route Table page under System Log.
- NEW: Reformatted IPv6 Status page under System Log.
- NEW: Display more details about UPNP/NAT-PMP/PCP redirections
on the Port Forward page.
- CHANGED: The JFFS2 partition is now always enabled, as it is
required by various firmware functions. The options
to format it or to enable/disable user config/scripts
- CHANGED: Updated OpenVPN to 2.3.7.
- CHANGED: Updated OpenSSL to 1.0.2c.
- CHANGED: Use a pre-generated 2048-bit DH from RFC 3526 instead of
generating our own when doing the first time setup for
OpenVPN servers. This is necessary as openssl 1.0.2b and
up now reject 512-bit DHs, and generating a 1024-bit
would take far too long on a router.
The end-user still has the possibility of providing his
own - as long it's 1024-bit or stronger.
- CHANGED: Updated minidlna to upstream Git snapshot from 2015-06-26,
and switched to the newer build system.
- CHANGED: Upgraded ffmpeg from 0.6.0 to 0.7.17.
- CHANGED: Accept DHCP lease duration of up to 31 days on the DHCP page
- CHANGED: No longer regularly flush caches from memory on ARM
router. This will mean a lower amount of free memory is
shown, however that memory gets freed whenever something
actually needs it, so this is normal. (ARM)
- CHANGED: Display the size of cache memory on the Tools -> Sysinfo page
- CHANGED: Improvements to the Networkmap (ability to remove an entry,
removed the alert() from modifying an existing entry)
- CHANGED: Save over 4 MB of RAM on the RT-AC87U by not copying
the QTN firmware to RAM (RT-AC87)
- FIXED: Wireless Log page would fail to load if the SSID
contained certain characters
- FIXED: Wireless Log page would fail to load when in Media Bridge
mode on the RT-AC87U
- FIXED: DDNS page would complain about an empty account field
when setting it to CUSTOM with no prior value in that field.
- FIXED: Automatically generated DH was too weak (512-bit) and
preventing clients based on newer OpenSSL releases from
connecting. We automatically replace any weak PEM with our
- FIXED: minidlna could get stuck building its database (reverted
Asus's recent memory optimizations)
- FIXED: The exported opvn config for clients had the incorrect port
- FIXED: Busybox's zcip was missing a patch from 378_4950, preventing
it from working (and in turn preventing igmpproxy from working
for people with PPPoE connections where their modem does not
provide any DHCP lease to the physical WAN interface)
- Some of the builds were unstable, did a complete recompile of all
releases. There was no code change.
IMPORTANT: if you were previously using the AiProtection ad blocker, you
will need to manually disable it over SSH after flashing this
release, by running the following commands:
nvram set wrs_adblock_popup=0
nvram set wrs_adblock_stream=0
- NEW: Merged with Asus GPL 378_5134.
- NEW: OpenVPN policy rules can now be set to route matching traffic
through either the tunnel, or to your ISP (allowing you to
create exceptions to your tunnelling rules)
- NEW: Added OpenVPN server setting to let the OS manage
socket buffers (by inserting rcvbuf 0 and sndbuf 0 in
the server configuration)
- CHANGED: Upgraded OpenSSL to 1.0.2a, adding new tls ciphers
to OpenVPN and the https webui
- CHANGED: Updated miniupnpd to 1.9.20150430
- CHANGED: Reverted kernel backport of the parallel printer support,
and reintroduced fix in lprng. This should hopefully fix
the recent printing breakage issues.
- CHANGED: Removed AiProtection's ad blocker, as it's too buggy to
be usable, breaking numerous mobile applications,
and not being configurable in any way.
- CHANGED: OpenVPN policy routing rules are now applied at boot
time (when WAN comes up), so clients who are blocked while
a tunnel is down will immediately be blocked until
the tunnel comes up.
- CHANGED: Upgraded Quantenna firmware to 378_6065 release (AC87)
- FIXED: Router DNS weren't reverted to their original values
when shutting down an OpenVPN client with "explicit-
exit-notify" enabled. Now we manually clean it up
after the user manually terminates the client - it might
still not be cleaned up after an unexpected shutdown however.
Ideally, users should try avoiding using this setting when
- FIXED: Some legitimate VPN packets could get dropped due to their
conntrack state. Now, only INVALID packets coming from the
WAN interface are dropped.
- FIXED: OpenVPN client would sometime try to connect before the clock had
been set by NTP at boot time, preventing it from connecting.
- FIXED: AiProtection security check would fail to load when Dual WAN is
- FIXED: Various fields would allow you to enter a single quote character,
which could break the webui. Now these fields re-validate the
content after you deactivate the text field.
- FIXED: Switching between All Traffic and Policy Mode OpenVPN routing while
the option to block traffic when the tunnel goes down wasn't
properly removing those rules, so a tunnel going down in
All Traffic would still block policed clients.
- FIXED: EMF wasn't working on ARM models (missing userspace tool)
- NEW: Merged with Asus GPL 378_4980 (with pieces from 378_4850 for AC56/AC68
and 378_5183 beta for AC87)
- NEW: OpenVPN policy routing. You can select client IPs or destination
IPs which you want to route through your VPN tunnel. You can enter
a single IP (192.168.0.1) or a whole subnet in CIDR format (for
You can optionally block WAN access to these as well when the
tunnel goes down.
- NEW: Ad blocker based on Trend Micro's Web Reputation System (WRS).
This is an EXPERIMENTAL feature implemented by Asus but that
isn't enabled in the stock firmware.
- CHANGED: Updated Tor to 0.2.5.12
- CHANGED: Those providing a signed SSL certificate for httpd can now
provide chain certificate. The three PEMs must be in
that order: client, intermediate, CA. (Patch by sasoiliev)
- CHANGED: The setting to enable the neighbour solication filter rule
for Comcast's request flooding was changed to "ipv6_ns_drop",
and now defaults to "0" as this hack causes issues with
- CHANGED: Backported dnsmasq patch that reverts a fix for Windows 8
clients as it could cause issues with other clients.
- FIXED: DNSFilter would fail if you had it set to "Router", and didn't
have a DNS IP entered on the WAN page.
- FIXED: MSS clamping wasn't applied to traffic in both direction, moved
it to the mangle table.
- FIXED: OpenVPN client firewall "external" mode does not exist - removed
from the webui.
- FIXED: PPTP account list could become corrupted after removing an entry
on the PPTP server page.
- CHANGED: Updated AiCloud prebuilt binaries for MIPS models
- CHANGED: Applied kernel patch for MIPS kernel ported from 376_3861,
related to CTF support
- FIXED: AiCloud would fail to start unless you had HTTPS enabled for
the webui (causing the key/cert to be missing)
- FIXED: DDNS hostname would become corrupted after backing up
your router configuration (Asus bug)
- NEW: Merged with Asus GPL 378_4608
- NEW: Added ECDHE support to the webui (when accessed over HTTPS)
- NEW: The DHCP server can now provide a second DNS to its clients
- NEW: You can tell the router not to advertise itself as a DNS
- NEW: Experimental Tor support (feature originally developed by
Asus, but not available yet on stock firmware). You can
enable it in the VPN section of the webui.
- CHANGED: Updated miniupnpd to 1.9.20150309
- CHANGED: You can no longer disable the JFFS2 partition if
Traffic Analyzer is enabled. Likewise, you can
no longer enable Traffic Analyzer if the JFFS2
partition is disabled.
- CHANGED: The selected refresh rate of the Wireless Clients
page will be saved to a cookie
- CHANGED: Removed obsolete (non-safe) ciphers such as RC4
from the router's https webui
- CHANGED: Updated OpenSSL to 1.0.0r
- CHANGED: Removed Turbo button support from webui, as that feature
doesn't work with the current bootloader everyone is
using now (RT-AC68)
- CHANGED: Performance optimization to the httpd, dropbear
and rc services
- FIXED: 2.4 GHz and 5 GHz-1 clients were swapped on the
Sysinfo page (RT-AC3200 only)
- FIXED: Wifi PSK wasn't blurred until activated (regression
- FIXED: Samba's custom config/postconf were ignoring the
state of the global option to enable them (they
would always be used)
- FIXED: Samba's custom config/postconf usage wasn't logged
- FIXED: Some services would fail on their first attempt
to start at boot time due to the QTN subsystem
taking too long. Implemented patch from Asus
which eliminates the long QTN stall at boot
time. This resolves the issue where some users
had trouble connecting their WAN at boot time (RT-AC87U)
- FIXED: NAT rules could occasionally fail to be applied
(patch by john9527)
- FIXED: The Apply button on the Adaptive Bandwidth page
had a clickable area so wide that it even covered
part of the left side menu. (Asus bug)
- FIXED: USB menu was removed instead of Parental Control on
- FIXED: QoS page was still available on the AP/RP modes on
- FIXED: Error on OpenVPN Server page if using a DHCP pool for
- FIXED: UPNP would be reported as enabled on the security report
if it was enabled on the secondary WAN even if Dual WAN
itself wasn't enabled. Now we check that Dual WAN itself
is also enabled before reporting so. (Asus bug)
- FIXED: mtd-erase was unable to erase the brcmnand partition, which
is used as the JFFS2 partition starting with the RT-AC66U
(patch by benoitm974)
- FIXED: JFFS2 partition couldn't be formatted for all routers but
the RT-N66U (wrong partition name). Also resolved the case
where a second reboot was required to mount it.
- FIXED: RT-AC3200 port numbering was reversed on the Sysinfo page.
- CHANGED: Updated OpenSSL to 1.0.0q (no real code change)
- CHANGED: Split the changelog into a separate file
- CHANGED: Added logging on custom config/script execution.
An error message will also be logged if those
are disabled while such a file is found.
- CHANGED: Allow pasting the password in some fields that would
disable it (patch by gfairchild)
- FIXED: RSSI not reported for guest clients (beta 1 regression)
- FIXED: DM failing to install on RT-AC66U (beta 1 regression)
378.51 Beta 1 (28-Feb-2015)
- IMPORTANT: The RT-N16 is no longer officially supported. The increased
number of separate router platforms is becoming too much of
a burden for one single developer, as some features must be
implemented 2-3 separate times for different architectures.
The RT-N16 support will remain in the source code, so other
developers can still compile their own builds, and possibly
take over for supporting this older platform. However, no new
features will be implemented, and it will no longer get
tested. I still welcome external contributions if
someone else wants to take care of testing and providing
fixes to new issues.
- NEW: Added support for the RT-AC3200.
- NEW: ARM support for Entware, using Zyxmon's Qnapware repository.
- NEW: Re-designed Wireless Log page displaying connected wireless
clients. The new page uses Ajax to automatically update
itself at a user-selected frequency, for near realtime
monitoring of your connected wifi clients.
- NEW: NAT loopback can now be chosen between Disable, Asus's original,
and Merlin's own (based on Phuzi0n's original DD-WRT design). The
option can be found on the Firewall page.
- CHANGED: Reverted RT-AC66U driver to previous version as some users
were experiencing stability issues with the 3754 version.
- CHANGED: Updated p910nd to 0.97 to resolve incomplete print jobs
(patch by stsichler)
- CHANGED: Updated Samba to 3.6.25
- CHANGED: The Entware setup scripts will now backup any existing
installation rather than remove it (patch by TeHashX)
- CHANGED: Re-implemented our original NAT loopback code, with attempts
at reconfiguring it whenever the DPI engine is restarted.
This is still experimental, as most of the DPI engine is
closed source, so unsure if the loopback gets re-enabled
in every regular DPI restart scenarios.
- CHANGED: Disabled the offline default error page. Clear your offline
content in your browser to fully get rid of it.
- CHANGED: Removed security warnings if FTP/Samba are configured to
allow unauthenticated users.
- FIXED: Issues when connecting with Russian ISPs relying on DHCP+VPN
(such as Beeline)
- FIXED: When enabling WAN access to webui, the router would always
forward both http and https ports regardless of if either of
these were disabled.
- FIXED: Shared printers over LPRng would sometime fail to
completely print the last page (patch by stsichler)
- FIXED: CVE-2015-0240 security issue in Samba 3.5.8 (used by
AiCloud). The main Samba daemon was patched by the
update to 3.6.25.
- IMPORTANT: You must do a factory default reset, and manually
reconfigure your setting if coming from a version
older than 378.50. Failure to do so can
lead to various issues with wifi, OpenVPN,
and the new AC68U bootloader.
- IMPORTANT: Please read this changelog, especially the changes
related to jffs, user scripts/config and OpenVPN in
the previous 378.50 betas.
- NEW: Merged with Asus GPL 378_4129 code.
- CHANGED: Reverted back to vsftpd 2.x, as 3.0.2 doesn't work properly
on MIPS architectures (and possibly other particular
scenarios as well).
- CHANGED: Added warning to the DDNS page if you set the type
to Custom and either JFFS or custom script support isn't
- FIXED: A few unescaped quotes in the French dict breaking VPN pages
- FIXED: MAC list would get corrupted when removing and re-adding
entries on the MAC filter list
- FIXED: AC68U CFE update wasn't written to flash due to permission
- FIXED: Static Key field wasn't visible when using HMAC authentication
- FIXED: syslogd was always enforcing the -S switch
- FIXED: When setting a static DHCP from the networkmap, the user-entered
name wouldn't be used. Now it gets used, and we rely on the rc
daemon to properly handle it if it's not a valid hostname (it will
simply not provide it to dnsmasq's static name list).
378.50 Beta 2 (31-Jan-2015)
- NEW: Added custom config and postconf support for avahi, netatalk
and mt-daapd (iTunes server).
- CHANGED: Moved the AC68U CFE update process to the same location
as in GPL 3626 to see if it works more consistently.
- FIXED: Non-DPI build of AC56U had incompatible Tuxera modules
- FIXED: vsftpd wouldn't start if you had IPv6 enabled.
- FIXED: Asus had disabled the NAT loopback fix on MIPS's iptables
in GPL 3762. Re-enabled.
- FIXED: Wireless clients that hadn't communicated in a while wouldn't
be properly shown on the Wireless log (patch by pinwing)
- FIXED: QoS rules weren't applied properly when IPv6 was enabled
(was changed in recent GPL - reverted it)
- FIXED: Can't apply a Custom DDNS if you don't have something entered
in the username/password fields (shown in other DDNS services)
- FIXED: NFS page wasn't properly loading
378.50 Beta 1 (25-Jan-2015)
- IMPORTANT: You must do a factory default reset, and manually
reconfigure your setting. Failure to do so can
lead to various issues with wifi, OpenVPN,
and the new AC68U bootloader.
- IMPORTANT: Please read this changelog, especially the changes
related to jffs, user scripts/config and OpenVPN.
- NEW: Merged with Asus 378_3913 GPL code. Most notable changes:
* Trend Micro DPI engine for RT-AC68U
* Updated Trend Micro engine for RT-AC87U
* Updated Quantenna firmware/driver
* Various updates to 3G/4G support and Dual WAN
- NEW: ddns-start user script, executed after the DDNS update
was launched (can be used to update additional services)
- NEW: Custom DDNS (handled through ddns-start script)
See the documentation for how to create such
- NEW: Option to enable support for custom scripts and
config files. This option is disabled by default, so
if you have a broken script that prevents the router from
booting, doing a factory default reset will ensure that the
broken script won't be executed, and recover access to the
router. This is necessary since the JFFS2 partition is
now enabled by default.
- CHANGED: Added logo to DNSFilter on the AiProtection
homepage (contributed by Piterel)
- CHANGED: Updated Openssl to 1.0.0p
- CHANGED: Merged Asus's newer NTP update code, with a fix
to prevent hourly log spam from the update process
when in a DST enabled timezone.
- CHANGED: Updated vsftpd to 3.0.2 (newer version used by
Asus on their Qualcomm-based routers)
- CHANGED: the qos-start script will be passed an argument
that will contain "init" (when setting up tc)
or "rules" (when setting up iptables).
- CHANGED: JFFS2 partition is now enabled by default, to be in
sync with Asus, who are starting to make use of this
- CHANGED: The Local IP in an IPv6 firewall rule can now be
- CHANGED: Download Master will now be downloaded at install time
rather than included in the firmware, to increase the
amount of space available to JFFS - this matches
the AC56/AC68. (N16, N66)
- FIXED: Under certain conditions, the OpenVPN server page
would report an initializing state when it was
- FIXED: First OpenVPN client/server instance wasn't properly
run on the second CPU core, resulting in lower
- FIXED: Router IP wasn't advertised through DHCP as WINS
server if WINS was enabled
- FIXED: OpenVPN would crash if specifying "None" as
the cipher (regression in OpenVPN 2.3.6)
- FIXED: The "empty" category was removed by Asus a
few months ago, preventing you from removing
an assigned priority on the Adaptive QoS
page. Re-added it.
- FIXED: Port triggers weren't written to the correct
iptables chain (Asus bug)
- FIXED: When moving from stock to this firmware, the OpenVPN
Server 1 instance gets automatically enabled because
Asus hardcodes "1" into the nvram setting that handles
start at wan. Changed to a different nvram to resolve
this conflict. This means everyone must re-enable their
OpenVPN server instance after upgrading from any version
- FIXED: dnsmasq would run out of available leases if you had a
very small DHCP pool combined with many out-of-pool
reservations. Now the limit will be either 253 or the
pool size, whichever is the largest (Asus issue)
- FIXED: SSHD port forwarding couldn't be enabled/disabled
- FIXED: DHCP log spam when using IPv6 with a Windows 8
client (patch by pinwing)
- FIXED: snmp exposes a lot of sensitive information such as
login credentials, therefore all the custom Asus MIBs
have been disabled.
- FIXED: Very long SSIDs with special characters/spaces in them
would be shown as "undefined" in the banner.
- FIXED: Curl would fail to access SSL sites due to lack of
a CA bundle.
- FIXED: Vulnerability in infosvr (CVE-2014-9583) (Asus bug)
- FIXED: Additional security issue in infosvr (incorrect memcpy()
call) (Asus bug)
(older history removed - please consult the Changelog distributed with the firmware for complete history)