Asuswrt-Merlin Changelog
========================

380.65 Beta 1 (15-Jan-2017)
   - NEW: Merged with Asus GPL 380_4180 (and fixed its broken
          Network Tools/Connections/etc... pages)
   - NEW: Upgraded to OpenVPN 2.4.0, and implemented support
          for many of its new features:
            * GCM ciphers
            * LZ4 compression
            * tls-crypt (uses the Static Key field)
            * Cipher negotiation (NCP), with (optional)
              fallback to legacy "cipher" parameter when
              an OpenVPN 2.3 client connects to the
              router's 2.4 server.
          Please refer to the OpenVPN 2.4 documentation for
          more info on these new features.

          You will be warned if any server setting would
          generate an exportable ovpn file that would be
          incompatible with older clients.

          Existing client config shouldn't need to be changed,
          unless you modify the router's server configuration.

   - NEW: Upgraded Busybox to 1.25.1 (patch by theMIROn)
   - NEW: Added the following Busybox applets: ntpd, time, uniq,
          xargs and getopt, for feature parity with John's fork.
   - NEW: Option on Media Server page to enable minidlna's
          built-in status web page.  Default URL is
          http://router.asus.com:8200 .
   - NEW: Support for Vodafone R226 USB LTE (patch by
          Gernot Pansy)
   - NEW: New "update-notification" user script, that gets run
          when a scheduled firmware check detects a new version
          is available.

   - CHANGED: Removed support for all RC ciphers on OpenVPN.
              DES is staying for now, but should still be avoided
              whenever possible.
   - CHANGED: Updated Tor to 0.2.9.8 (patch by blackfuel)
   - CHANGED: Updated nano to 2.7.4.
   - CHANGED: hosts file will now give a higher priority to the
              user-configured hostname for the router ahead of
              hardcoded ones (like router.asus.com).
   - CHANGED: Create a system log entry if new firmware is available.
   - FIXED: Invalid DUID used when requesting an IPv6 prefix
            for some of the newer router models, which would
            prevent them from getting working IPv6 (Asus bug)
   - FIXED: Network Service Firewall rules not applied
            under certain configurations
   - FIXED: Port triggering wasn't working if traffic had
            been whitelisted by Network Service Firewall
   - FIXED: Avahi wasn't rejecting connections from
            secondary WAN interface
   - FIXED: Sorting clients by connection time would incorrectly
            treat 10 hours as longer than 9 hours, as it was
            handling it as a string (Asus bug)
   - FIXED: Exported ovpn client file wouldn't use the
            user-configured hostname when using DDNS custom mode.
   - FIXED: Exported OpenVPN client config didn't work when
            using static key authentication.
   - FIXED: Exported OpenVPN client config wasn't editable with
            Notepad, the default editor used by Windows's
            OpenVPN GUI.
   - FIXED: OpenVPN was killed too quickly on disconnection,
            causing issues when using explicit-exit-notify
            (patch by john9527)
   - FIXED: OpenVPN client/server instances weren't properly
            restarted on a WAN restart (patch by john9527)
   - FIXED: Some models (N66/AC66/AC5300) would reboot 3 times
            if one of the radios was found disabled by the user
            while booting (Asus bug).

380.64_2 (8-Jan-2017)
   - FIXED: IPv6 client list failing to properly show hostnames
            (regression in 64_1)
   - FIXED: A few potential buffer overruns in httpd

380.64_1 (6-Jan-2017)
   - FIXED: Security issues in httpd (backport from GPL 4180 + 
            additional fixes of my own)

380.64 (16-Dec-2016)
   - NEW: New firmware availability notification.  The router will
          notify you if a new firmware is available, and will also
          let you view the changelog before sending you to the
          download page (the update process remains manual).

          Note that the automated check will only report new
          final releases.  The Check button on the Firmware Upgrade
          will immediately check for final releases or beta (if you
          select that option), but not both at the same time.
   - NEW: Added iptables MASK support on MIPS kernel (patch
          by john9527)
   - NEW: Webui warning shown in the notification area if running
          low on free nvram.
   - CHANGED: Updated nano to 2.7.1.
   - CHANGED: Updated OpenVPN to 2.3.14.
   - CHANGED: Updated curl to 7.51.0, resolving numerous security
              and stability issues.
   - CHANGED: Tor clients will now route other TCP ports than just
              80/443, and drop UDP and ICMP traffic (patch by
              blackfuel)
   - CHANGED: QoS Stats info will automatically refresh every
              3 seconds (user-configurable)
   - CHANGED: IPTraffic charts now show sorted slices, so the
              clients with the least traffic will get grouped
              under "Others" if truncating the list of shown
              clients.
   - CHANGED: Enabled IPv6 support in curl.
   - CHANGED: Improved webui performance, by caching large static
              Javascript files such as jquery, and increased cache
              life from 5 mins to 1 hour.
   - CHANGED: No longer include Download Master packages in the
              firmware for those models that still included them,
              reducing firmware size by a few megabytes.
              Those were always outdated, the router will download
              the latest versions from Asus's servers at install
              time.
   - CHANGED: Improved webui protection against CSS/XSS attacks
              (backport from GPL 4164)
   - FIXED: Web server crash if importing an ovpn file with an
            invalid key or certificate (Asus bug)
   - FIXED: App icon at the top wouldn't work on Firefox,
            generating a Javascript error (Asus bug)
   - FIXED: Firefox would sometimes fail to display the client
            list, reporting a JSON parsing error in the console.
   - FIXED: HMAC setting not properly set when importing an ovpn
            file for a config based on TLS authentication mode.
            (backport from GPL 4164)

380.63_2 (12-Nov-2016)
   - CHANGED: Added detection for iPhone 7 models in networkmap
              (patch by Andrei Coman).
   - CHANGED: Enabled --dns-loop-detect support in dnsmasq
   - CHANGED: Move Dual WAN static routes to a lower priority, so VPN
              policy rules will have priority over them
   - FIXED: Traditional QoS labels were off by one on the Stats page.
   - FIXED: Adaptive QoS upload stats couldn't be retrieved because
            qosd seems to be hardcoded to always set up classes on eth0
            rather than on the real WAN interface.
   - FIXED: USB driver was removed too early at shutdown time on the
            RT-AC56U and RT-AC87U (fix by john9527)

380.63 (6-Nov-2016)
   - NEW: QoS Statistics page, showing the amount of traffic assigned to
          each available class, as well as the current throughput.
   - NEW: Charts added to various Traffic Monitor pages.
          Note that you can click on legend items to reveal/hide the
          DL/UL data.  Hovering over a bar or a pie slice will
          display the exact value for that item.
   - NEW: Added pc_delete() to the helper script (patch by john9527)
   - NEW: IPv6 firewall now supports fixed interface ID (EUI64) ipv6
          destination addresses (Patch by john9527)
   - CHANGED: Updated Tor to 0.2.8.9
   - CHANGED: Updated OUI database.
   - CHANGED: ipset was updated to version 6.29 on ARM models.
              IMPORTANT: this means you will probably need to
              update your script to the new syntax.  You need to
              load the xt_set.ko module at the start of your script.
              There has been no change to MIPS models, due to their
              older kernel.  (original code by Shibby and Victek,
              Asuswrt port by john9527) (ARM only)
   - CHANGED: OpenVPN policy rules now start at prio 10000 instead of 1000
   - CHANGED: Added help popups to various settings that are unique to
              Asuswrt-Merlin.
   - FIXED: Custom group/shadow/passwd weren't applied at boot time.
   - FIXED: CVE-2016-5195 (Dirty COW) vulnerability in kernel
            (patches by blackfuel and Joseph A. Yasi)
   - FIXED: Network Service Filter rules would only apply to clients
            under Parental Control if that was enabled (original
            debugging by john9527) (Asus bug)
   - FIXED: A few memory leaks in httpd and rc services.

380.62_1 (29-Sept-2016)
   - CHANGED: Updated OpenSSL to 1.0.2j

380.62 (23-Sept-2016)
   - NEW: Added nano 2.7.0 (user-friendly text editor)
          Documentation: https://www.nano-editor.org/dist/v2.6/nano.html
          Note that for space reasons, some of its features are disabled
          for the RT-N66U and RT-AC66U.  Entware users might want to
          uninstall the Entware version if they had it installed and want
          to use the built-in version instead.
   - NEW: Option to toggle the display of passwords on the PPTPD and
          OpenVPN server pages.
   - NEW: Allow providing a vendor class on the WAN page (DHCP option 60)
   - NEW: Add option to disable sending a RELEASE request when odhcp6c
          exits, allowing you to retain your received prefix with some
          ISPs.
   - CHANGED: Updated nettle to 3.2 (used for dnssec) and increased
              optimization level.
   - CHANGED: Updated minidlna to 1.1.6
   - CHANGED: Updated OpenVPN to 2.3.12
   - CHANGED: Updated OpenSSL to 1.0.2i
   - CHANGED: Revamped the Wireless Log page:
                - Merged some columns to gain more horizontal space
                - Longer hostname shown (truncated names are now
                  shown in a tooltip)
                - Display clients' IPv6 if they have one
   - CHANGED: Accept up to 250 characters for OpenVPN client's
              username and password (one provider needs 64).
   - CHANGED: Hide the WPA key on the Wireless config page, and only
              reveal it when you click on the field to edit it.
   - FIXED: OpenVPN client shouldn't display policy routing settings
            when using a TAP interface.
   - FIXED: DSL/ATM overhead setting was visible on MIPS models, which
            don't support it.
   - FIXED: Editing OpenVPN or PPTP users with any value longer than
            32 chars could lead to corruption of the user list.
   - FIXED: Custom config file for igmpproxy wasn't working.
   - FIXED: After turning off a Guest network, the next visit to the
            Wireless Settings page would show that guest network's settings
            instead of the parent band settings (Asus bug)
   - FIXED: Smart Connect rules didn't apply on the RT-AC88U (backported
            fix from 380_3941).
   - FIXED: Numerous memory leaks in the networkmap service. (Asus bug)
   - FIXED: Potential buffer overrun in the networkmap service. (Asus bug)
   - FIXED: Broken IPv6 connectivity if enabling SSH brute force
            protection (only MIPS models were affected)
   - FIXED: 5G LED would fail to turn back on when exiting stealth mode.
   - FIXED: Only hostname was used as remote server in an exported
            OpenVPN client config when using Namecheap DDNS.
   - FIXED: Security vulnerability (XSS/CSR) in httpd (backported
            fix from 380_4005).
   - FIXED: Chrome would try to autofill some fields (such as on the
            DDNS configuration page), which could be problematic.
   - FIXED: IPTraffic database was no longer properly named after
            the router's MAC address on the AC88/AC3100/AC5300.
            If you recently enabled it, you will need to either
            re-create a new database, or rename the existing
            database from tomato_cstats_000000000000.gz to
            tomato_cstats_XXXXXXXXXXXX.gz, where "XXXXXXXXXXXX" is
            your MAC as found with "nvram get et2macaddr", in
            lowercase (AC88/AC3100/AC5300 only).

            Regular traffic monitoring (stored in
            tomato_rstats_XXXXXXXXXXXX.gz) is fine.

380.61 (4-Aug-2016)
   - FIXED: Connected OpenVPN clients reporting as disconnected
            on the status page following any wireless config change
            (Asus bug)
   - FIXED: OpenVPN server would report being "Initializing"
            while it already was ready, following any
            wireless config change (Asus bug)
   - FIXED: Various stability issues with minidlna (reverted some
            of Asus's customizations)

380.61 Beta 1 (31-July-2016)
   - NEW: Merged with GPL 3831.
   - CHANGED: updated dropbear to 2016.74.
   - FIXED: Do not enforce b/g mode as "auto" if wireless mode
            is also set to Auto.

380.60
    There was no non-beta release, due to limited model support
    and unsolved WAN stability issues.

380.60 Beta 2 (5-July-2016)
    IMPORTANT: The firmware image file format was changed by Asus.
               Starting with 380.60, you will no longer be able to
               flash versions older than 380.60, or Asus versions
               older than 3.0.0.4.380_3000.

               You can currently downgrade by using Firmware Recovery
               mode, but there's no guarantee that this will keep
               working in the future.

    - NEW: Merged with GPL 3479.  This includes the new file format
           required for certification purposes.
    - NEW: Option to enable overhead calculation on Traditional QoS
           for DSL users (ARM-only)
    - NEW: Option on System page to disable the new forced 
           redirection to router.asus.com (defaults to disabled)
    - CHANGED: Updated OpenVPN to 2.3.11
    - CHANGED: Allow specifying IPv6 prefixes up to 126 on the IPv6 config
    - CHANGED: Networkmap will now announce itself as "Asuswrt/networkmap"
               when connecting to LAN's web services.
    - FIXED: OpenVPN server instances weren't properly reporting
             if an error occurred at start time.
    - FIXED: wget was unable to access https site due to not
             having a CA bundle to verify certificates
    - FIXED: odhcp6c was sending bogus preferred prefixes, so
             anything larger than 64 could result in an invalid
             prefix
    - FIXED: Language selector is missing on router set for the
             JP region (reverted Asus change)
    - FIXED: Client names with single quotes couldn't be edited
             in the networkmap client popup (Asus bug)
    - FIXED: Router wouldn't run SMB to provide browser master
             or Wins services if no USB disk was plugged
    - FIXED: Router would sometimes fail to renew a WAN DHCP lease.
             (fix by theMIROn)

380.59 (10-May-2016)
    - NEW: Merged with 380_2697 GPL.  This includes beta MU-MIMO support for 
           the RT-AC87U/AC88U/AC3100/AC5300, and IPTV fixes.
    - NEW: Option on OpenVPN client/server page to reset them back to the 
           factory default settings.
    - EXPERIMENTAL: Added support for codel and fq_codel to ARM models
                    (RT-AC56U and newer).

                    When enabling Traditional QoS or Bandwidth Limiter,
                    you can now change from the default sfq queue 
                    discipline to codel or fq_codel.
                    (based on Kyle Sanderson's Tomato backport)

                    NOTE: Traditional QoS is currently broken on the
                          newer models (RT-AC88U and up).  This is a known
                          issue in recent Asus releases.

    - CHANGED: WAN -> NAT Passthrough now allows you to determine whether or 
               not to load the NAT helper module for h323, rtsp and sip.  
               Asus's old behaviour is "Enabled + NAT Helper".
    - CHANGED: DNSFilter client dropdown now uses Asus's new one integrated 
               with networkmap.
    - CHANGED: minidlna now supports refreshing an existing database, so the 
               Tweak setting was updated accordingly
    - CHANGED: Enable SPNEGO support in Samba
    - CHANGED: Integrated Asus's networkmap into the DHCP reservations page
    - CHANGED: Updated Tor to 0.2.7.6
    - CHANGED: SSH WAN access will also work over IPv6
    - CHANGED: Updated miniupnpd to 2.0
    - CHANGED: Fields on the DHCP static lease page are now sortable
               (original patch by Allan Jensen)
    - CHANGED: Updated openssl to 1.0.2h
    - FIXED: Daily/Monthly traffic monitoring shows invalid values on the 
             RT-AC88U/3100/5300, even with CTF disabled.  Implemented a 
             temporary workaround.
    - FIXED: WPS wasn't working on the RT-AC3200
    - FIXED: Backported security fixes from OpenWRT to Samba 3.6.25, 
             addressing the following: 
             CVE-2015-5252, CVE-2015-5370, CVE-2015-5296, 
             CVE-2015-5299, CVE-2015-7560, CVE-2016-2110, 
             CVE-2016-2111, CVE-2016-2112, CVE-2016-2115, 
             CVE-2016-2118.
    - FIXED: OpenVPN clients set to policy-based routing and Exclusive
             DNS mode were still adding the tunnel nameservers to
             dnsmasq, causing both routed and non-routed clients to use
             them.

380.58 (20-Mar-2016)
    - NEW: Merged with 380_1354 GPL
    - NEW: Added Tweaks and Hacks settings to Tools -> Other Settings.
           These are UNSUPPORTED tweaks, intended mostly for 
           experimentation, or very specific situations.  If unsure how
           to apply these, manually reboot after changing them.
           One of the new settings there lets you disable hourly network
           rescans, to resolve issues with NAS/printers coming out
           of sleep every hour.
    - NEW: Added setting to configure OpenVPN's auth digest algo.
    - NEW: Added setting to configure OpenVPN's logging verbosity.
           Note that this setting is global to all clients/servers.
    - CHANGED: Updated OpenVPN to 2.3.10
    - CHANGED: Updated openssl to 1.0.2g
    - CHANGED: Updated miniupnpd to 1.9.20160222
    - CHANGED: Updated udpxy to 1.0-build 23-10 (backport from GPL 
               380_2345)
    - CHANGED: if you set an OpenVPN client DNS mode to "Exclusive"
               and you enable policy-based routing, then those policies
               will also determine which DNS to use (the tunnel's or
               the ISP's).  This is based on DNSFilter's technology.
               You no longer need to use DNSFilter to control
               the DNS used by your OpenVPN clients.
    - CHANGED: Made OpenVPN traffic bypass CTF, which resolves
               some throughput issues with it
    - CHANGED: Disabled X11 Forwarding support in Dropbear,
               for security reasons.
    - FIXED: PPTP static route handling script was broken
    - FIXED: minidlna would check for the wrong database filename
             at start time
    - FIXED: Wrong status shown for VPN Client 3
    - FIXED: OpenVPN clients were run on the wrong CPU cores.
             Now, odd instances correctly run on the second core.
    - FIXED: Using DNSFilter with default mode set to "router" would
             prevent using the router for IPv6 lookups.
    - FIXED: Account limit wasn't properly allowing up to 10 
             clients for SMB/FTP (patch by vit9696)
    - FIXED: Having multiple OpenVPN clients configured with
             multiple "Accept DNS configuration" modes would
             only apply the last client's setting.  Now, we
             apply the most restrictive setting of all
             configured clients.
    - FIXED: RT-AC68U 2.4 GHz was broken if CTF was disabled
             (downgraded wifi driver to  6.37.14.105)
    - FIXED: Disabling the SIP NAT helper would also drop all port 5060
             traffic.  Some users need to keep the SIP helper disabled 
             with their SIP client.  Reverted that GPL 858 change.

380.57 (24-Dec-2015)
    - NEW: Merged with 380_1031 GPL
    - NEW: Added RT-AC3100 and RT-AC5300 support
    - NEW: Added RT-AC68U HW Revision C1 support
    - NEW: Backup/Restore of the content of the JFFS
           partition (under Administration Restore/Save Settings)
    - NEW: Added DNSSEC support.  Can be enabled under LAN -> DHCP.
    - NEW: Added custom/postconf support for igmpproxy.conf.
    - CHANGED: Increased user account limit from 16 to 32 on
               the VPN server pages.
    - CHANGED: Updated e2fsprogs to 1.42.13
    - CHANGED: Increased maximum entries in Parental Control
               (time scheduler) to 32.
    - CHANGED: Updated miniupnpd to 1.9.20151119.
    - CHANGED: Updated Openssl to 1.0.2e.
    - CHANGED: Downgraded Dropbear to 2014.66, too many issues in
               the newer releases.
    - CHANGED: Improvements to VPN Status page
    - FIXED: CTF not automatically disabled when enabling IPTraffic.
    - FIXED: Openvpn clients 3 through 5 were all run on the first
             CPU core.  They are now properly alternated like the
             first two (odd on CPU1, even on CPU0)
    - FIXED: smb.log generated by networkmap could fill up RAM
    - FIXED: upnpc_xml.log generated by miniupnpc could fill up RAM
    - FIXED: Inconsistent names used on IPTraffic and Sysinfo page.
             Now, we give priority to any description manually entered
             on the networkmap, followed by static hostname, then any
             current (lease) hostname.
    - FIXED: MAC queries sent to the OUI database were broken due to
             changes on the IEEE website
    - FIXED: Applying changes to OpenVPN client page would start the
             client even if it was disabled/stopped.

378.56_2 (2-Nov-2015)
    - CHANGED: Reverted the memory buffering optimization
               for ARM devices, as people keep panicking
               over the lower amount of free RAM.  You can 
               manually re-enable the optimization by setting
               "drop_caches=0" in nvram.
    - CHANGED: Allow using a port < 1024 for http(s) webui
               interface.
    - FIXED: EMF wasn't working on AC56/AC68/AC87.
    - FIXED: Couldn't connect to ISPs using VLANs (RT-AC87U)
    - FIXED: Editing Port Forward entry with ellipsis in
             the description or the port range would
             still edit the shortened version instead 
             of the full content.
    - FIXED: Debug log from mDNSNetMonitor could gradually
             fill up RAM - disabled it.
    - FIXED: Router crash if pasting SSH key > 2047
             characters.
    - FIXED: Editing an entry on the networkmap would
             clear the hostname if entry existed in
             the DHCP static list.
    - FIXED: OpenVPN server in secret key mode 
             would fail to start.
    - FIXED: Couldn't add entries to the MAC Filter list
             of Guest Networks (reverted our previous
             implementation which conflicted with
             Asus's new one).
    - FIXED: NTP failing to refresh for some cases.
             Implemented temporary workaround.
    - FIXED: Some services not properly starting at
             boot time (like Parental Control or Tor)

378.56 (25-Oct-2015)
     NOTE: There is no 378.56 build for the RT-N66U at
           this time, as Asus hasn't released updated 
           source code for this model yet, and there are
           new closed source binary components that are
           necessary for this new release.

           Make sure to read the changelog of the two
           previous betas for the complete list of
           changes since 378.55.

   - CHANGED: Nameserver handling is more resilient to
              scenarios where dnsmasq fails to start due
              to a broken configuration
   - FIXED: PPTP/L2TP client page broken on French locale
   - FIXED: Entries on the Virtual Server page with ellipsis 
            in their name or port range weren't properly 
            copied to the Add fields when edited.
   - FIXED: Additional fixes to truncated hostnames related
            to networkmap

378.56 Beta 2 (18-Oct-2015)
   - CHANGED: Increased Guest MAC filter entries limit to 64.
   - CHANGED: DHCP query logging no longer overrides configured
              syslog level, and option was renamed to "Hide queries"
              to be more intuitive in regard to the level logging
              configured.
   - CHANGED: Enabling Hide DHCP queries also silences any RA 
              routine event.
   - CHANGED: Reverted networkmap's printer detection change
              as it didn't resolve the printer wakeups.
   - CHANGED: Reorganized settings on the System page
   - FIXED: QoS page layout in Firefox
   - FIXED: curl wasn't using the firmware's CA list (regression)
   - FIXED: Models with 128 KB support were only reporting 64 KB
            in the nvram userspace tool
   - FIXED: Traditional QoS not working when IPv6 is enabled
            (patch by charlie2alpha)
   - FIXED: Smart Connect page fails to save interface policies
   - FIXED: VPNStatus page was broken on French locale

378.56 Beta 1 (12-Oct-2015)
   - NEW: Merged with GPL 9177.
   - NEW: Added support for the RT-AC88U.
   - NEW: Support for Russian ISP Telenet (code by theMIROn)
   - NEW: ipset support in dnsmasq (patch by ryzhov_al)
   - NEW: default loglevel is now configurable and defaults to 
          5 (notice) instead of 0 (emergency)
   - NEW: local syslogd loglevel is now configurable through the webui.
   - NEW: Support for extra-certs in OpenVPN
   - NEW: Editable DHCP static leases list, virtual servers, port triggers.
   - NEW: IP addresses on the Network Service Filter page can now be 
          subnets in CIDR format (i.e. 10.0.0.0/24)
   - CHANGED: Updated miniupnpd to 20150723 snapshot
   - CHANGED: Updated openvpn to 2.3.8
   - CHANGED: Updated dropbear to 2015.68 + upstream patches
   - CHANGED: Updated minidlna to 1.1.5.
   - CHANGED: Support up to 5 different OpenVPN clients (to match Asus)
   - CHANGED: Maximum openvpn policy rules reduced from 128 to 100, fewer
              priority slots wasted in the RPDB tables (could have been a
              problem with the increase in the number of supported clients)
   - CHANGED: Improvements to VPN Status page
   - CHANGED: Connection failure reason shown on the OpenVPN client
              configuration page.
   - FIXED: Router crash when an invalid or corrupted DH parameter
            is used on an OpenVPN server configuration.
   - FIXED: 2.4 GHz temperature would be missing on the Sysinfo
            page when disabling the 5 GHz radio on the RT-AC3200.
   - FIXED: Max tracked connection limit wasn't user-editable
   - FIXED: Resource leaks in ez-ipupdate if an update failed
   - FIXED: Networked printers coming out of sleep every time 
            networkmap queried their LPR service
   - FIXED: Resource leak in networkmap when scanning for
            printer servers
   - REMOVED: Regulation mode setting on Wireless -> Professional.
              This can't be adjusted anymore, as it was moved to
              a closed source component.

378.55 (17-July-2015)
   - FIXED: DHCP lease page could get confused by IPv6 clients on
            the LAN.

378.55 Beta 2 (11-July-2015)
   - CHANGED: Updated dnsmasq to 2.73 RC9 (backport from GPL 6975)
   - CHANGED: Updated odhcp6c to newer version (backport from GPL 6975)
   - CHANGED: Updated openssl to 1.0.2d (fixes CVE-2015-1793, only present
              in Beta 1 - 54_2 was not affected)
   - CHANGED: Display existing key/certs on the OpenVPN pages once
              they've been migrated to JFFS.
   - FIXED: Time scheduler-related features (Parental Control & Wifi 
            scheduler) were broken (backported fix from Asus's GPL 6975)
            (beta 1 regression)
   - FIXED: QTN firmware was still being copied to RAM rather than rely
            on the symlink to flash added in Beta 1, to save 4 MB of RAM.
            (AC87U)
   - FIXED: Dropbox cloud sync would fail on some setups (backport
            from GPL 6975)
   - FIXED: Entware-setup script would generate an invalid services-start
            script
   - FIXED: Duplicate zoneedit entry on the DDNS service list.

378.55 Beta 1 (3-July-2015)
   - NEW: Merged with GPL 6117.  Notable changes from Asus:
             o New token-based webui authentication (more secure)
             o OpenVPN certificates moved to JFFS2, saving nvram.
               key/cert fields will show up empty on the webui,
               any new key/cert you paste will be written back
               to /jffs/openvpn/ .  This means that if you revert
               back to a previous version, your key/certs will
               no longer be in nvram, so OpenVPN instances will
               fail to start.
             o New network client list on the network map
             o CTF support for PPTP/L2TP WAN (Russian ISPs) (ARM)

  - NEW: Reformatted DHCP lease list under System Log.
  - NEW: Reformatted Port Forward page under System Log.
  - NEW: Reformatted Route Table page under System Log.
  - NEW: Reformatted IPv6 Status page under System Log.
  - NEW: Display more details about UPNP/NAT-PMP/PCP redirections
         on the Port Forward page.
  - CHANGED: The JFFS2 partition is now always enabled, as it is
             required by various firmware functions.  The options
             to format it or to enable/disable user config/scripts
             remain configurable.
  - CHANGED: Updated OpenVPN to 2.3.7.
  - CHANGED: Updated OpenSSL to 1.0.2c.
  - CHANGED: Use a pre-generated 2048-bit DH from RFC 3526 instead of
             generating our own when doing the first time setup for
             OpenVPN servers.  This is necessary as openssl 1.0.2b and
             up now reject 512-bit DHs, and generating a 1024-bit one
             would take far too long on a router.
             The end-user still has the possibility of providing his
             own - as long as it's 1024-bit or stronger.
  - CHANGED: Updated minidlna to upstream Git snapshot from 2015-06-26,
             and switched to the newer build system.
  - CHANGED: Upgraded ffmpeg from 0.6.0 to 0.7.17.
  - CHANGED: Accept DHCP lease duration of up to 31 days on the DHCP page
  - CHANGED: No longer regularly flush caches from memory on ARM
             router.  This will mean a lower amount of free memory is
             shown, however that memory gets freed whenever something
             actually needs it, so this is normal. (ARM)
  - CHANGED: Display the size of cache memory on the Tools -> Sysinfo page
  - CHANGED: Improvements to the Networkmap (ability to remove an entry,
             removed the alert() from modifying an existing entry)
  - CHANGED: Save over 4 MB of RAM on the RT-AC87U by not copying
             the QTN firmware to RAM (RT-AC87)
  - FIXED: Wireless Log page would fail to load if the SSID
           contained certain characters
  - FIXED: Wireless Log page would fail to load when in Media Bridge
           mode on the RT-AC87U
  - FIXED: DDNS page would complain about an empty account field
           when setting it to CUSTOM with no prior value in that field.
  - FIXED: Automatically generated DH was too weak (512-bit) and 
           preventing clients based on newer OpenSSL releases from 
           connecting.  We automatically replace any weak PEM with our 
           2048-bit one.
  - FIXED: minidlna could get stuck building its database (reverted
           Asus's recent memory optimizations)
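
The DH strength rule from the two DH entries above (512-bit parameters rejected, user-supplied ones accepted from 1024-bit up, weak or unreadable PEMs replaced), as an added example that is not code from the firmware. MIN_DH_BITS, the function names and the sample generator are assumptions for illustration; the sample "primes" are constructed values of the right size, not real DH primes.

```python
import base64

# Threshold taken from the changelog text: anything below 1024-bit is weak.
MIN_DH_BITS = 1024

PEM_BEGIN = "-----BEGIN DH PARAMETERS-----"
PEM_END = "-----END DH PARAMETERS-----"


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(pem_text):
    """Return the bit length of the prime p in a PKCS#3 DH PARAMETERS PEM."""
    start = pem_text.find(PEM_BEGIN)
    end = pem_text.find(PEM_END)
    if start < 0 or end < start:
        raise ValueError("no DH PARAMETERS block found")
    b64 = "".join(pem_text[start + len(PEM_BEGIN):end].split())
    der = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)  # first element of the sequence is p
    if tag != 0x02:
        raise ValueError("expected INTEGER for p")
    return int.from_bytes(p_bytes, "big").bit_length()


def needs_replacement(pem_text, min_bits=MIN_DH_BITS):
    """True when the parameters are unreadable or weaker than min_bits."""
    try:
        return dh_prime_bits(pem_text) < min_bits
    except ValueError:
        return True


# --- constructed sample input (not real DH parameters) ---------------------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value):
    # One extra byte when the top bit would be set, so the INTEGER stays positive.
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(body)) + body


def make_sample_pem(bits):
    """Build a PEM whose p is an odd number of exactly `bits` bits (not a prime)."""
    p = (1 << (bits - 1)) | 1
    body = _der_int(p) + _der_int(2)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        pem = make_sample_pem(bits)
        print(bits, "replace" if needs_replacement(pem) else "keep")
```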

378.54_2 (10-June-2015)
  - FIXED: The exported ovpn config for clients had the incorrect port
           value.
  - FIXED: Busybox's zcip was missing a patch from 378_4950, preventing
           it from working (and in turn preventing igmpproxy from working
           for people with PPPoE connections where their modem does not
           provide any DHCP lease to the physical WAN interface)

378.54_1 (8-June-2015)
   - Some of the builds were unstable, did a complete recompile of all
     releases.  There was no code change.

378.54 (7-June-2015)
   IMPORTANT: if you were previously using the AiProtection ad blocker, you
              will need to manually disable it over SSH after flashing this
              release, by running the following commands:

                  nvram set wrs_adblock_popup=0
                  nvram set wrs_adblock_stream=0
                  nvram commit

   - NEW: Merged with Asus GPL 378_5134.
   - NEW: OpenVPN policy rules can now be set to route matching traffic
          through either the tunnel, or to your ISP (allowing you to 
          create exceptions to your tunnelling rules)
   - NEW: Added OpenVPN server setting to let the OS manage
          socket buffers (by inserting rcvbuf 0 and sndbuf 0 in
          the server configuration)
   - CHANGED: Upgraded OpenSSL to 1.0.2a, adding new tls ciphers
              to OpenVPN and the https webui
   - CHANGED: Updated miniupnpd to 1.9.20150430
   - CHANGED: Reverted kernel backport of the parallel printer support,
              and reintroduced fix in lprng.  This should hopefully fix
              the recent printing breakage issues.
   - CHANGED: Removed AiProtection's ad blocker, as it's too buggy to
              be usable, breaking numerous mobile applications,
              and not being configurable in any way.
   - CHANGED: OpenVPN policy routing rules are now applied at boot 
              time (when WAN comes up), so clients who are blocked while 
              a tunnel is down will immediately be blocked until 
              the tunnel comes up.
   - CHANGED: Upgraded Quantenna firmware to 378_6065 release (AC87)
   - FIXED: Router DNS weren't reverted to their original values
            when shutting down an OpenVPN client with
            "explicit-exit-notify" enabled.  Now we manually clean it up
            after the user manually terminates the client - it might
            still not be cleaned up after an unexpected shutdown however.
            Ideally, users should avoid using this setting when
            possible.
  - FIXED: Some legitimate VPN packets could get dropped due to their
           conntrack state.  Now, only INVALID packets coming from the
           WAN interface are dropped.
  - FIXED: OpenVPN client would sometimes try to connect before the clock had
           been set by NTP at boot time, preventing it from connecting.
  - FIXED: AiProtection security check would fail to load when Dual WAN is 
           enabled
  - FIXED: Various fields would allow you to enter a single quote character,
           which could break the webui.  Now these fields re-validate the
           content after you deactivate the text field.
  - FIXED: Switching between All Traffic and Policy Mode OpenVPN routing while
           the option to block traffic when the tunnel goes down was enabled
           wasn't properly removing those rules, so a tunnel going down in
           All Traffic would still block policed clients.
  - FIXED: EMF wasn't working on ARM models (missing userspace tool)

378.53 (26-Apr-2015)
   - NEW: Merged with Asus GPL 378_4980 (with pieces from 378_4850 for AC56/AC68
          and 378_5183 beta for AC87)
   - NEW: OpenVPN policy routing.  You can select client IPs or destination
          IPs which you want to route through your VPN tunnel.  You can enter
          a single IP (192.168.0.1) or a whole subnet in CIDR format (for 
          example 74.125.226.112/30).
          You can optionally block WAN access to these as well when the
          tunnel goes down.
   - NEW: Ad blocker based on Trend Micro's Web Reputation System (WRS).
          This is an EXPERIMENTAL feature implemented by Asus but that
          isn't enabled in the stock firmware.
   - CHANGED: Updated Tor to 0.2.5.12
   - CHANGED: Those providing a signed SSL certificate for httpd can now
              provide a chain certificate.  The three PEMs must be in
              that order: client, intermediate, CA.  (Patch by sasoiliev)
   - CHANGED: The setting to enable the neighbour solicitation filter rule
              for Comcast's request flooding was changed to "ipv6_ns_drop",
              and now defaults to "0" as this hack causes issues with
              other ISPs.
   - CHANGED: Backported dnsmasq patch that reverts a fix for Windows 8
              clients as it could cause issues with other clients.
   - FIXED: DNSFilter would fail if you had it set to "Router", and didn't
            have a DNS IP entered on the WAN page.
   - FIXED: MSS clamping wasn't applied to traffic in both directions, moved
            it to the mangle table.
   - FIXED: OpenVPN client firewall "external" mode does not exist - removed
            from the webui.
   - FIXED: PPTP account list could become corrupted after removing an entry
            on the PPTP server page.

378.52_2 (5-Apr-2015)
   - CHANGED: Updated AiCloud prebuilt binaries for MIPS models
   - CHANGED: Applied kernel patch for MIPS kernel ported from 376_3861,
              related to CTF support
   - FIXED: AiCloud would fail to start unless you had HTTPS enabled for 
            the webui (causing the key/cert to be missing)
   - FIXED: DDNS hostname would become corrupted after backing up
            your router configuration (Asus bug)

378.52 (3-Apr-2015)
   - NEW: Merged with Asus GPL 378_4608
   - NEW: Added ECDHE support to the webui (when accessed over HTTPS)
   - NEW: The DHCP server can now provide a second DNS to its clients
   - NEW: You can tell the router not to advertise itself as a DNS
   - NEW: Experimental Tor support (feature originally developed by
          Asus, but not available yet on stock firmware).  You can
          enable it in the VPN section of the webui.
   - CHANGED: Updated miniupnpd to 1.9.20150309
   - CHANGED: You can no longer disable the JFFS2 partition if
              Traffic Analyzer is enabled.  Likewise, you can
              no longer enable Traffic Analyzer if the JFFS2
              partition is disabled.
   - CHANGED: The selected refresh rate of the Wireless Clients
              page will be saved to a cookie
   - CHANGED: Removed obsolete (non-safe) ciphers such as RC4
              from the router's https webui
   - CHANGED: Updated OpenSSL to 1.0.0r
   - CHANGED: Removed Turbo button support from webui, as that feature
              doesn't work with the current bootloader everyone is
              using now (RT-AC68)
   - CHANGED: Performance optimization to the httpd, dropbear 
              and rc services
   - FIXED: 2.4 GHz and 5 GHz-1 clients were swapped on the
            Sysinfo page (RT-AC3200 only)
   - FIXED: Wifi PSK wasn't blurred until activated (regression
            from 378.51)
   - FIXED: Samba's custom config/postconf were ignoring the
            state of the global option to enable them (they
            would always be used)
   - FIXED: Samba's custom config/postconf usage wasn't logged
   - FIXED: Some services would fail on their first attempt
            to start at boot time due to the QTN subsystem
            taking too long.  Implemented patch from Asus 
            which eliminates the long QTN stall at boot  
            time.  This resolves the issue where some users 
            had trouble connecting their WAN at boot time (RT-AC87U)
   - FIXED: NAT rules could occasionally fail to be applied
            (patch by john9527)
   - FIXED: The Apply button on the Adaptive Bandwidth page
            had a clickable area so wide that it even covered
            part of the left side menu.  (Asus bug)
   - FIXED: USB menu was removed instead of Parental Control on
            DPI-enabled models
   - FIXED: QoS page was still available on the AP/RP modes on
            DPI-enabled models
   - FIXED: Error on OpenVPN Server page if using a DHCP pool for
            connected clients.
   - FIXED: UPNP would be reported as enabled on the security report
            if it was enabled on the secondary WAN even if Dual WAN
            itself wasn't enabled.  Now we check that Dual WAN itself 
            is also enabled before reporting so.  (Asus bug)
   - FIXED: mtd-erase was unable to erase the brcmnand partition, which
            is used as the JFFS2 partition starting with the RT-AC66U
            (patch by benoitm974)
   - FIXED: JFFS2 partition couldn't be formatted for all routers but
            the RT-N66U (wrong partition name).  Also resolved the case
            where a second reboot was required to mount it.
   - FIXED: RT-AC3200 port numbering was reversed on the Sysinfo page.

378.51 (6-Mar-2015)
   - CHANGED: Updated OpenSSL to 1.0.0q (no real code change)
   - CHANGED: Split the changelog into a separate file
   - CHANGED: Added logging on custom config/script execution.
              An error message will also be logged if those
              are disabled while such a file is found.
   - CHANGED: Allow pasting the password in some fields that would
              disable it (patch by gfairchild)
   - FIXED: RSSI not reported for guest clients (beta 1 regression)
   - FIXED: DM failing to install on RT-AC66U (beta 1 regression)

378.51 Beta 1 (28-Feb-2015)
   - IMPORTANT: The RT-N16 is no longer officially supported.  The increased
                number of separate router platforms is becoming too much of
                a burden for one single developer, as some features must be 
                implemented 2-3 separate times for different architectures.  
                The RT-N16 support will remain in the source code, so other
                developers can still compile their own builds, and possibly
                take over for supporting this older platform.  However, no new
                features will be implemented, and it will no longer get 
                tested.  I still welcome external contributions if 
                someone else wants to take care of testing and providing 
                fixes to new issues.
   - NEW: Added support for the RT-AC3200.
   - NEW: ARM support for Entware, using Zyxmon's Qnapware repository.
   - NEW: Re-designed Wireless Log page displaying connected wireless
          clients.  The new page uses Ajax to automatically update
          itself at a user-selected frequency, for near realtime
          monitoring of your connected wifi clients.
   - NEW: NAT loopback can now be chosen between Disable, Asus's original,
          and Merlin's own (based on Phuzi0n's original DD-WRT design).  The
          option can be found on the Firewall page.
   - CHANGED: Reverted RT-AC66U driver to previous version as some users
              were experiencing stability issues with the 3754 version.
   - CHANGED: Updated p910nd to 0.97 to resolve incomplete print jobs
              (patch by stsichler)
   - CHANGED: Updated Samba to 3.6.25
   - CHANGED: The Entware setup scripts will now backup any existing
              installation rather than remove it (patch by TeHashX)
   - CHANGED: Re-implemented our original NAT loopback code, with attempts 
              at reconfiguring it whenever the DPI engine is restarted.
              This is still experimental, as most of the DPI engine is 
              closed source, so unsure if the loopback gets re-enabled 
              in every regular DPI restart scenario.
   - CHANGED: Disabled the offline default error page.  Clear your offline
              content in your browser to fully get rid of it.
   - CHANGED: Removed security warnings if FTP/Samba are configured to
              allow unauthenticated users.
   - FIXED: Issues when connecting with Russian ISPs relying on DHCP+VPN 
            (such as Beeline)
   - FIXED: When enabling WAN access to webui, the router would always
            forward both http and https ports regardless of whether either
            of these was disabled.
   - FIXED: Shared printers over LPRng would sometimes fail to
            completely print the last page (patch by stsichler)
   - FIXED: CVE-2015-0240 security issue in Samba 3.5.8 (used by
            AiCloud).  The main Samba daemon was patched by the
            update to 3.6.25.

378.50 (7-Feb-2015)
   - IMPORTANT: You must do a factory default reset, and manually
                reconfigure your settings if coming from a version
                older than 378.50.  Failure to do so can
                lead to various issues with wifi, OpenVPN,
                and the new AC68U bootloader.

   - IMPORTANT: Please read this changelog, especially the changes
                related to jffs, user scripts/config and OpenVPN in
                the previous 378.50 betas.

   - NEW: Merged with Asus GPL 378_4129 code.
   - CHANGED: Reverted back to vsftpd 2.x, as 3.0.2 doesn't work properly
              on MIPS architectures (and possibly other particular
              scenarios as well).
   - CHANGED: Added warning to the DDNS page if you set the type
              to Custom and either JFFS or custom script support isn't
              enabled
   - FIXED: A few unescaped quotes in the French dict breaking VPN pages
   - FIXED: MAC list would get corrupted when removing and re-adding
            entries on the MAC filter list
   - FIXED: AC68U CFE update wasn't written to flash due to permission
            issues
   - FIXED: Static Key field wasn't visible when using HMAC authentication
   - FIXED: syslogd was always enforcing the -S switch
   - FIXED: When setting a static DHCP from the networkmap, the user-entered
            name wouldn't be used.  Now it gets used, and we rely on the rc
            daemon to properly handle it if it's not a valid hostname (it will
            simply not provide it to dnsmasq's static name list).

378.50 Beta 2 (31-Jan-2015)
   - NEW: Added custom config and postconf support for avahi, netatalk 
          and mt-daapd (iTunes server).
   - CHANGED: Moved the AC68U CFE update process to the same location
              as in GPL 3626 to see if it works more consistently.
   - FIXED: Non-DPI build of AC56U had incompatible Tuxera modules
   - FIXED: vsftpd wouldn't start if you had IPv6 enabled.
   - FIXED: Asus had disabled the NAT loopback fix on MIPS's iptables
            in GPL 3762.  Re-enabled.
   - FIXED: Wireless clients that hadn't communicated in a while wouldn't
            be properly shown on the Wireless log (patch by pinwing)
   - FIXED: QoS rules weren't applied properly when IPv6 was enabled
            (was changed in recent GPL - reverted it)
   - FIXED: Can't apply a Custom DDNS if you don't have something entered
            in the username/password fields (shown in other DDNS services)
   - FIXED: NFS page wasn't properly loading

378.50 Beta 1 (25-Jan-2015)
   - IMPORTANT: You must do a factory default reset, and manually
                reconfigure your settings.  Failure to do so can
                lead to various issues with wifi, OpenVPN,
                and the new AC68U bootloader.

   - IMPORTANT: Please read this changelog, especially the changes 
                related to jffs, user scripts/config and OpenVPN.

   - NEW: Merged with Asus 378_3913 GPL code.  Most notable changes:
            * Trend Micro DPI engine for RT-AC68U
            * Updated Trend Micro engine for RT-AC87U
            * Updated Quantenna firmware/driver
            * Various updates to 3G/4G support and Dual WAN

   - NEW: ddns-start user script, executed after the DDNS update 
          was launched (can be used to update additional services)
   - NEW: Custom DDNS (handled through ddns-start script)
          See the documentation for how to create such
          a script.
   - NEW: Option to enable support for custom scripts and
          config files.  This option is disabled by default, so 
          if you have a broken script that prevents the router from 
          booting, doing a factory default reset will ensure that the 
          broken script won't be executed, and recover access to the
          router.  This is necessary since the JFFS2 partition is
          now enabled by default.
   - CHANGED: Added logo to DNSFilter on the AiProtection
              homepage (contributed by Piterel)
   - CHANGED: Updated OpenSSL to 1.0.0p
   - CHANGED: Merged Asus's newer NTP update code, with a fix
              to prevent hourly log spam from the update process
              when in a DST enabled timezone.
   - CHANGED: Updated vsftpd to 3.0.2 (newer version used by
              Asus on their Qualcomm-based routers)
   - CHANGED: the qos-start script will be passed an argument
              that will contain "init" (when setting up tc)
              or "rules" (when setting up iptables).
   - CHANGED: JFFS2 partition is now enabled by default, to be in
              sync with Asus, who are starting to make use of this
              partition.
   - CHANGED: The Local IP in an IPv6 firewall rule can now be
              left empty.
   - CHANGED: Download Master will now be downloaded at install time 
              rather than included in the firmware, to increase the
              amount of space available to JFFS - this matches
              the AC56/AC68. (N16, N66)
   - FIXED: Under certain conditions, the OpenVPN server page 
            would report an initializing state when it was 
            already running.
   - FIXED: First OpenVPN client/server instance wasn't properly
            run on the second CPU core, resulting in lower
            performance (AC56/AC68/AC87)
   - FIXED: Router IP wasn't advertised through DHCP as WINS
            server if WINS was enabled
   - FIXED: OpenVPN would crash if specifying "None" as
            the cipher (regression in OpenVPN 2.3.6)
   - FIXED: The "empty" category was removed by Asus a
            few months ago, preventing you from removing
            an assigned priority on the Adaptive QoS
            page.  Re-added it.
  - FIXED: Port triggers weren't written to the correct
           iptables chain (Asus bug)
  - FIXED: When moving from stock to this firmware, the OpenVPN
           Server 1 instance gets automatically enabled because 
           Asus hardcodes "1" into the nvram setting that handles
           start at wan.  Changed to a different nvram to resolve
           this conflict.  This means everyone must re-enable their
           OpenVPN server instance after upgrading from any version
           before 376.50.
  - FIXED: dnsmasq would run out of available leases if you had a
           very small DHCP pool combined with many out-of-pool
           reservations.  Now the limit will be either 253 or the
           pool size, whichever is larger (Asus issue)
  - FIXED: SSHD port forwarding couldn't be enabled/disabled
  - FIXED: DHCP log spam when using IPv6 with a Windows 8
           client (patch by pinwing)
  - FIXED: snmp exposes a lot of sensitive information such as
           login credentials, therefore all the custom Asus MIBs
           have been disabled.
  - FIXED: Very long SSIDs with special characters/spaces in them 
           would be shown as "undefined" in the banner.
  - FIXED: Curl would fail to access SSL sites due to lack of
           a CA bundle.

376.49_5 (9-Jan-2015)
   - FIXED: Vulnerability in infosvr (CVE-2014-9583) (Asus bug)
   - FIXED: Additional security issue in infosvr (incorrect memcpy()
            call) (Asus bug)

(older history removed - please consult the Changelog distributed with the firmware for complete history)