Hacker News new | past | comments | ask | show | jobs | submit login
What happened with ASUS routers this morning? (downtowndougbrown.com)
736 points by zdw on May 18, 2023 | hide | past | favorite | 450 comments

Boy am I glad I replaced stock firmware with OpenWRT the moment my router came out of box last week. It was also extremely painless experience, and I'd really recommend people to buy routers with OpenWRT support, even if they cost a little more. A router is something you buy for a decade or more, and it's worth the investment. Our livelihood depends on network availability, and depending on whims of terrible router firmware is not something to rely on.

There's also this one for Asus routers, I've been using it without issues for a long time:


the best part about it is Diversion and Skynet, a set of scripts that allows you to adblock inside your router (preventing even in-app ads from loading), and an actually viable outbound firewall

seeing weird IP addesses pinging my router from the outside is normal, but when i see something _inside_ my network trying to get _out_, that's when I know it's time to start reformatting

Merlin really is the best option for Asus, as Broadcom sucks about their drivers

Seconded. I used Merlin before I switched to ubiquiti. My only issue with Merlin was intermittent problems with ipv6 router advertisements which caused connectivity issues. I’ve never had an issue since switching to an edgerouter.

Yep. I wasn't aware of this issue being more than just me yesterday; this was finally the impetus to go to merlin.

So far, no issues, and it has the ability to let me ssh in, and install third party untilites via n opkg-style interface.

My error was a complaint about a lack of disk space in the logs, fwiw. RT-AX92U.

Another vote for Merlin. It has been rock-solid for me for many years, while allowing me to get rid of annoyances with the stock firmware.

I'm also using this fork since I was having trouble with vanilla after I purchased the router; no issues today or ever.

Thanks for the link. If I want VLAN support I'm out of luck?

If your use case is you want IoT isolation, the standard advice is to just use separate SSID's.

If you are using one of the routers that has true VLAN support like the AX86U Pro, there are anecdotal reports of people getting it to work but it's hacks and workarounds.


VLAN support in the AX86U (not Pro) would be a win. But it looks very hacky.


> Boy am I glad I replaced stock firmware with OpenWRT the moment my router came out of box last week.

I have had an Asus for years and use the vendor firmware, and update it semi-regularly when I remember to, and have never had an issue.

I bought an Asus because they have decent capabilities out-of-box, but also because there is the option of using third-party firmware (which I've never bothered to do).

Even with this event I'll probably stick with the OEM firmware.

I'm like you, Asus router on stock firmware and happy. In my case I set that up after a bad experience with openwrt.

Years ago I bought a $100 gigabit Linksys router, immediately flashed it with openwrt, and set it up. I assumed my isp was the reason my download speeds were struggling to hit 100mbps (new house and network all at once), and later when I bought my first NAS I assumed hdds are just inherently slow.

I had abysmal network performance for over a year before I figured out my gigabit router was the performance bottleneck, my isp was giving me 3x what the router could handle. The reason for the terrible performance was that openwrt doesn't have the closed source binary blobs to run hardware accelerated routing, instead everything gets squeezed through the cpu, and my router couldn't do it.

So basically, many routers lose performance, in my case I got a 10x performance drop, and openwrts website is all but useless for telling you which routers to buy.

All I can say is be careful blindly installing openwrt unless your router has a CPU that's complete overkill for what you want to do...and none of the mid range consumer combined routers/access points meet that criteria.

I find it ironic that you are selling the reliability of ASUS' firmware on a post about it breaking.

> I find it ironic that you are selling the reliability of ASUS' firmware on a post about it breaking.

What in Earthly existence does not break eventually?

It's about dealing with the odds and rates of breakage.

If you read the article it was not a firmware issue, it was one of the security features it has downloaded an invalid config due to ASUS staff errors, the config caused the router to run out of available storage space and soft-brick. There was no firmware issue, any device will start crapping out when it runs out of available storage.

Even if it turns out (once this event has been fully understood) that the vendor-installed firmware "phoned home" to collect an update of sorts that led to this?

I have like 50 other pieces of software on my systems calling home whenever they want. One more for the pile I guess.

Looking at it in a shallow way I suppose one could say that. But to me there's a great distinction between a switch/router and e.g. a smartphone or desktop browser.

Switch/Router, IMO, is a bigger reason to have automatic pull/updates.

You're looking at your phone on a day to day basis. Using your desktop. The router/switch/lightbulb/etc? All stuff that sits in the background and gets forgotten. Those things should do self maintenance - especially with zero days and issues that require updates to not be pwned the instant you connect to the www.

I think it's an entirely acceptable solution for non-technical users who don't know how or cannot be bothered to improve the scenario. Personally I would never run Asus/Netgear/Zyxel/etc's all-in-one router firmware on the network's edge. Probably not even on the inside of the network.

Well depending on how you roll, I've had 2 routers - inside/outside. Guest network, IoTs, etc on the outside. Computers, Phones, Printers on the inside. Don't currently - but I also don't have many IoTs currently. Will probably return to this at some point but moved and haven't went out of my way to set it up "fancy" like.

But realistically, it's definitely better for the "masses" to have stuff that just takes care of itself. Grandma don't know how to update router firmware and people like that are why stuff like Apple's "appliance" model is better than Androids more hands on approach.

Even some of us software developers get tired of managing all of these devices. I am not opposed to “appliances“, nor do I view it in someway diminishes my or anyone else’s elite status because we don’t want to manage and optimize eight computers for life.

I do prefer Android for streaming devices, there’s just too much value added from using Android there. But I use an iPhone because I just want my phone to work. And I limit my desktop computer count to exactly one. For networking, I use Asus Merlin. I don’t use it for its flexibility or features, just for the stability which this recent news confirmed was a good idea. The only special features I even use are an OpenVPN server, and secure DNS over TLS to cover my devices that don’t support DNS over HTTPS.

The convenience of having a device that can phone home and update itself is far more valuable than the risk that occasionally one of those updates might cause a problem.

Aside from the risk of breaking things, there's the risk of data leaks and enabling surveillance through negligence or intentional back doors.

Hardware and software companies have a story of implementing anti-user features in very shady ways (ie silent update to T&C allowing the org to track and share data with third parties and/or brokers).

I don't care if my smart Philips light bulb shares all its data with god knows who. My router? that's the device that manages all connections including critical ones. I want it to be impeccable and transparent. That's why I refuse to buy from manufactures that require a could account like Eeroo or that require weird connections to work properly like Tenda (a friend had a Tenda mesh and it wouldn't work if we blocked connections to Baidu, Weibo and others)

We're definitely two different kinds of people. When it comes to network equipment I value control and security over that sort of convenience any day.

(add.: and I don't mean "different kinds of people" in a condescending way, but that we value different aspects and have different methods for going about these things)

So, you want to manually download an update, install it and brick your device on your own schedule?

> So, you want to manually download an update, install it and brick your device on your own schedule?

Yes, because I can plan for it. I can do it on a weekend or a local holiday. I can do it in the evening after work, or in the morning so that I have the whole day to go out and buy a replacement. If it's not critical, it can wait until my vacation.

And even without any risk of bricking, it should still be done on my schedule. I don't want the connection to glitch while I'm in the middle of a live stream, or an online multiplayer game, or a call with a distant relative.

I (home user) like to delay updates that aren't reported as 'critical security updates' in order to allow others to brick their devices, then I can decide if the risk is worth it. Yes, manual control.

Now you're just taking a silly defensive position by trivializing what I said using stupid rhetoric... I prefer to be in control over updates for network equipment, even the router in my home, reviewing changes and feedback, and to be "on the ready" in case the update does not work. I leave automatic updates for things like browsers.

Sounds like a lot of work for something that should happen frequently and normally not cause any problems.

It's actually not too bad in my case. All in all not that many minutes of pre-emptive effort even across a whole year. The hassle of a surprise Internet outage and having to find what/where the problem is would cost me more.

Yes. Bricking the network in the middle of a voip call, or meeting is unpleasant. Waking up to a broken network is also unpleasant, when I need to do my job, an instead have to go fixing some underdocummented mess of a gadget.

As opposed to the device automatically downloading an update, installing, and bricking my device? Yes, because I can plan for it if things go wrong.

Depends a lot on the use case, though.

Let's assume the update is bad and (soft)bricks routers like yesterday's update. Is it better to be part of the auto-update pool of users (who definitely got their routers bricked), or be a manual updater?

Normal case: You lose some features / quality of life / stability improvements for a day / week / month (whenever you get around to updating it).

Best case is that you aren't in general population of bricked routers like everyone else today.

Worst case scenario is that you're late to a zero-day exploit. Although, the tech news cycle tends to report those stories pretty well, so you'd be aware of it.

The pros definitely outweight the cons in my opinion, especially on something critical like my internet access.

Okay, but these asus routers have also silently successfully updated themselves hundreds of times.

So against the one time you win by manually updating, you are weighing hundreds of times you had to research before clicking ‘update’ to see if there were any reports of this update bricking routers?

Because if you don’t do that, you just click the update button whenever you get round to it, you are running your router in a ‘vulnerable to zero days’ configuration, AND you’re going to brick your router the one time they ship an update that goes bad.

> When it comes to network equipment I would value control and security over that sort of convenience any day.

That's great for people who are into opsec as a hobby. But with the proverbial Aunt Millie I want auto-updates so they're patched.

Asus allows the option of having auto-updates enabled or disabled (forget which is the default).

I think automatic updates for a typical all-in-one home router is totally OK, and preferrable, for people who don't have the know-how to improve on it (because I'm not an opsec professional or hobbyist). It's unfortunate that these are also the people who face extended outage when something like this does go wrong. They can't fix it themselves, and the nephew that can might not be available for days.

> Even if it turns out (once this event has been fully understood) that the vendor-installed firmware "phoned home" to collect an update of sorts that led to this?

I have auto-updates disabled.

The author claims to have had auto-updates disabled as well, surprise surprise.

Asus, the company that makes routers with paid monthly subscriptions whose trial you cannot opt out of? Go out a buy one of their newer nightshade whatever routers and see what I’m talking about. You literally cannot stop that thing from nmap’ing your home network for the first month.

/edit I might be getting mixed up with netgear!

i agree with you, but after a decade of routers and openwrt i decided to go with ubiquiti. it got to a point where the router hardware just wasn’t good enough, no matter the software. so i got myself a dream machine, a pro switch with poe and an AP and i have never looked back.

Same here. The brand isn’t necessarily important, but rather the idea that the “router” and “access point” don’t need to be bundled in the same physical box. For most people, their incoming internet line comes into their house at an atrocious point for radio transmission and reception.

By separating the router from the Wi-Fi access point, even if you only use one AP, you’re able to put the AP in the best place for full coverage. I hired an electrician to run the cable for me when I bought a house about 10 years ago- he charged a reasonable price, cut a minimum number of holes in the wall, and I was left with a cable in the center ceiling of the house which gave me excellent service throughout with a ceiling mounted AP.

Since then I’ve added on to the house and run additional wires to more ceiling mounted APs to get consistent 5ghz only access throughout the house. Rock solid and never have to think about it (although it is always tempting to tweak)

How's the range?

I have d-link mesh satellites, and needed 4 around the house just so I didn't have any blindspots. To show how bad they are, when my laptop is within a metre of the d-link main satellite, I get the full 150Mbs of my upstream, but 2 metres away but with line of sight, it drops to ~130Mbs. Leave the room, and it's about 90Mbs :(

I was hoping something like Ubiquiti would be something like the full upstream speed without the horrible dropout-per-metre I'm getting right now. Happy to get a few of them in mesh (if that's how they work) if I can get full speed from my office which is curretly 4 hops away.

i do not recommend mesh. mesh networks halve your bandwidth. if you can just use an ethernet cable to the next access point. the good news is that all their APs use power-over-ethernet, so you just need an ethernet cable, no sockets.

https://store.ui.com/products/u6-lr-us this single long range one should cover most of your home (depending on walls etc). and if it's not enough, just get another one from this list: https://www.ui.com/wi-fi#compare

of course, if you can't/won't use ethernet cables for your APs, you can try this mesh: https://store.ui.com/products/access-point-wifi-6-mesh

as a reference, a single long range AP covered a 7 bedroom house (wood), with just a couple of minor blind spots. but for a double wall brick house we needed 3x U6 lite.

> mesh networks halve your bandwidth.

This is only true for single band networks. You can use one band as backhaul, another for AP, and still get ~300Mbps.

> of course, if you can't/won't use ethernet cables for your APs, you can try this mesh

All of the latest UniFi APs support meshing. Ubiquiti is not great at naming their products, apparently.

Also, I would advise against the LR. It does output more power and has a larger antenna than the lite, but there is little to it for indoors use, compared to the Pro, which I believe is cheaper and definitely is speedier.

> All of the latest UniFi APs support meshing. Ubiquiti is not great at naming their products, apparently.

good one, this is true, i was mistaken.

Proper mesh APs have a dedicated radio for AP-to-AP traffic. Unless traffic takes multiple mesh hops, bandwidth will not be affected.

Unfortunately Ubiquiti hardware is not "proper mesh," despite their advertising. They don't have a dedicated backhaul radio.

Yeah. Unfortunately my office is 4 hops from the modem :facepalm:

> mesh networks halve your bandwidth

Oh. I actually didn't know this. Damn.

> power-over-ethernet

I used to use PoE and was getting great speeds everywhere in the house, but then I got solar panels and an inverter. Turns out, that a lot of people ended up having the same issues as me on whirlpool.net.au :(

But yeah, I've also considered getting an electrician in and wiring some rooms with CAT-6 and go wireless AP in that room. But sounds like it's still going to be the same as mesh doing this and halving my speed?

Awesome! Thank you for the links. I'll check them out!

> But yeah, I've also considered getting an electrician in and wiring some rooms with CAT-6 and go wireless AP in that room. But sounds like it's still going to be the same as mesh doing this and halving my speed?

as long as there is an ethernet cable from your switch/router to the AP, then speed will not halve. speed halves only when using mesh.

> Awesome! Thank you for the links. I'll check them out!

no problem. i started out my career in networking, and have always kept a soft spot for it even thou i'm doing software these days.

the minimum you need is:

- 1x Dream Machine (Pro or SE doesn't matter)

- 1x Access Point (could be long range, could be lite, depends on your needs)

you plug in the internet and the AP into the Dream Machine and that's about it.

from this barebones setup you can add further hardware depending your needs. for example I've added a PoE switch and another smaller non-poe switch (that funnily enough is powered by the other PoE switch).

aha! Sweet, thanks... ok, looks like this is the way to go!

Edit: to be honest, I'm actually excited to try this out now. I've been on bad wireless for at least 4 years

You might look at some of the replies in this thread. The poster you’re replying to has an outdated view of how mesh networks work with modern hardware.

Mesh networks can use Ethernet as backhaul and they can also use dedicated radios on 6GHz for backhaul. I’m using a mix of both (still have a couple I need to run Ethernet to) and it’s fantastic.

> Mesh networks can use Ethernet as backhaul and they can also use dedicated radios on 6GHz band for backhaul. I’m using a mix of both (still have a couple I need to run Ethernet to) and it’s fantastic.

I wouldn’t recommend wireless backhaul to people who have bad experience with WiFi. Some people have bad WiFi because their (older?) buildings have problems with wireless in general: I am not saying they live in a faraday cage but still their if their WiFi isn’t great, wireless backhaul won’t be either. Go wired if you have a choice.

> Go wired if you have a choice.

For sure, that's why I mentioned that I'm still in the process of switching over to pure ethernet for backhaul.

That said, if you have enough nodes, 6GHz for backhaul works pretty nice right now. My home has concrete block exterior walls with some interior concrete and plaster walls and the nodes that use dedicated 6GHz for backhaul are doing just fine as is.

I would never consider 5GHz for backhaul, though.

This has a lot to do with the construction layout and materials used.

Thus, in older houses, WiFi signal may not be great, and brick walls will make wiring the house an absolute pain.

I have seen some people dropping wire outside of the house, which is not great either (surges can and will happen).

If you happen to have existing coax cable runs in your house, you might look into MOCA. It's used by some modern cable tv boxes and similar devices to route ethernet packets over the existing coax cable.

It can be used on the same coax as is used for your cable modem, though if you can isolate the coax you want to use as an ethernet link, you might have better results.

I've used the competing standard DECA in the past, as it was significantly cheaper than MOCA about 5-8yrs ago ($25/unit vs $150/unit) but MOCA is now the much better option with it supporting GB speeds and pricing being down around ~$50/unit. I think the max speeds I saw over DECA was about 100Mbps, maybe 200Mbps on shorter runs.

FYI Power-over-Ethernet (PoE) and Powerline adapters are two entirely different things.

lol, sorry I got mixed up. Yeah, I meant to say that EoP seems to drop out and lose bandwidth on my lines. For devices rated at 300Mbps, I'm getting about 19Mbps

>i do not recommend mesh. mesh networks halve your bandwidth. if you can just use an ethernet cable to the next access point. the good news is that all their APs use power-over-ethernet, so you just need an ethernet cable, no sockets.

Mesh dropping bandwidth is less of an issue these days as we have much more bandwidth and you are unlikely to run the largest channel width anyway, then newer solutions support mu-mimo with separate backhaul.

Depends what you mean by mesh. For me, the defining characteristic is better support for roaming/fast handoff, things like 802.11k and 802.11r.

Agreed it's best to connect the access points with Ethernet.

Note that 802.11r is only useful if you’re using WPA enterprise authentication (certificates and radius and all). Most home networks use WPA personal pre shared keys (aka here’s my Wi-Fi password).

802.11r accelerates the multi step handshake that you have to perform with WPA enterprise when you roam from one access point to another. There is a much shorter handshake for WPA personal so there is no advantage to enabling 802.11r if you’re not using Enterprise auth.

Not entirely true: for WPA2 it is the case that all APs and clients use the same key, but even in that case, 11r adds mobility domain and FT-PSK and results in more devices having better roaming.

For WPA3-SAE and WPA3-OWE it is required as each client has a different (session) key.

Interesting- thanks for the correction. I’m off to read more!

Any thoughts on MoCA? I've got gigabit fttp and I need two APs for coverage. Place is already wired with coax, so hoping to utilize that.

Definitely don’t have the backhaul be over wifi as it severely impacts your speeds.

If you can’t get CAT6 where you need it, I have found MOCA to Ethernet adapters work well. Something like this. https://a.co/d/6FYGrga

If COAX is not available, I have also had a good experience with Powerline to Ethernet adapters. https://a.co/d/ddGHPOG

If you live in the US and your house was built in the past 20 years or so, check if you have old school phone jacks around. Many contractors took a “short cut” and ran dedicated cat5 cable to each of those wall ports instead of daisy chaining cat3 (probably was cheaper to buy cat5 in bulk).

Take the face plate off your phone jack and if you see a wire with four pairs of wires inside, only two connected to the jack, you may be in luck. I had rented a few townhomes which were like that, enabling me to build out a simple wired network without modifying or drilling at all.

Can confirm, this was the exact situation in my 2004-built townhome. Everything came into my bedroom closet. Learned how to terminate Ethernet, stuck a switch in there, and had a great home net.

Yeah, I've already cut all the phone lines since there was a tonne of noise when I was with ADSL. I've now got fibre into a closet which is connected straight to a modem and switch... I'll be getting an electrician to CAT6 from the switch the the rest of the house and then AP from the terminals

Are you connecting clients to the AP on 2.4 or 5 GHz? I've found 2.4 to be much more resilient over distance and through obstacles.

Yeah, most of my devices these days are 5Ghz. I suspected either interference, or that shorter waves don't penetrate obstacles as well as longer waves, or it could be that my inner walls are made from lead.

Thats just wifi dude... how it works. Very bad, prefer cable. Some new gizmo wont magically improve physics. Try homeplug if you cant pull cable.

I see you got recommended Ubiquity. That is good. Better than consumer grade shit.

*Downvoted for telling the truth about how shit WiFi is, classic HN. You are mostly programmers lol. "WiFi works lule" For some Netflix sure.

"You are mostly programmers" is not quite the insult that you think it to be.

This programmer's task for the weekend is to buy a couple of cheap second-hand Ethernet switches, by the way, as part of an on-going effort to switch to networking infrastructure that doesn't compete with at least 13 of my neighbours. (-:

Good you follow my advice! Sooner better than later! Hopefully you won't annoy people with shit wifi anymore.

Yeah, I've tried tp-link, d-link, netgear (consumer), and they're all really bad. Each time I think I've found the silver bullet, but I keep hearing how good Ubiquity is. I know they're not defying physics, but I'm sure that as they aimed at commercial then I'll hopefully be getting something way better than what I'm getting now.

I think this plus laying cable should last me another 10-20 years

In my neck of the woods (France), Ubiquity is fairly expensive. I've had good results with a cheapish (~100 €) netgear "business" access point, the wax214.

It supports poe, wifi ax (but only on 5 GHz), wpa 3 and can broadcast 4 separate networks, each on its own vlan (but it doesn't do any routing). It's been great for random iot junk that I don't want on my main network.

Routing is handled by an old HP elitedesk I've saved from the bin at work.

Yes Netgear prosafe gear is great too, even unmanaged. Anything made for business is going to be more solid than comsumer stuff.

My homeplug setup (yes, same phase) was even less reliable than WiFi for me in my small townhome. Ymmv. Got Ethernet everywhere now.

> "WiFi works lule" For some Netflix sure.

… which is about the most bandwidth intensive application most households ever use.

Latency. Latency. Video calls, gaming etc. Ethernet is best.

I actually switched away from a UDM after finding out that I could only hit 500 Mbit/s uplink (out of ~930) due to a PPPoE performance bug as there's no hardware offloading and the old Cortex-A57 cores (in a SoC from a vendor now owned by Amazon, so extremely end-of-life) just couldn't handle that.

Now I'm running a Turris Omnia with the bundled OpenWRT fork for router tasks and that seems to work fine.

Why do you need to use PPPoE? Is that an ISP requirement? It seems uncommon nowadays to need PPPoE.

Not sure about parent but here in Brazil all ISPs are still using PPPoE even under gigabit fiber, it's a miracle they can find a router that is able to push 800 Mbit under single-threaded pppoe. I've yet to find a router capable of doing proper gigabit that isn't some enteprise machine that costs me a car.

In cases like yours, the best solution is probably to get an x86-based fanless mini PC built around a laptop CPU. Those can hit quite high single-threaded speeds and have enough resources to handle not just your routing but also light duty as a home server. Chinese brands like Qotom and Topton and a bunch of others are selling them on AliExpress. They're several hundred dollars, but still cheaper than a lot of enterprise gear, and you can get them with 5 or 6 Ethernet interfaces. Getting a separate consumer WiFi access point/router with minimal CPU power of its own is usually cheaper than trying to add an AP-capable WiFi card to a mini PC.

And if you're going to do that, just run opnsense and (being essentially a distro of full blown BSD) have all the security, flexibility and scalability the machine can provide.

OPNsense security updates are delayed from FreeBSD ports by days to weeks.

Many fiber ISPs here in Europe seem to share the backend infrastructure between DSL and FTTH subscribers and that sadly also involves PPPoE encapsulation.

A major Romanian ISP uses PPPoE and I'm tempted to say that another one does it too and they're offering gigabit speed.

It's not uncommon for DSL at all.

Yeah, but DSL won't have a problem with speed, and routers having too weak cpu to handle it.

GPON does.

I’ve done the same.

It’s pretty stable but frustrations remain. Their Edge series are more powerful but the UI is painful and much must be done via the CLI. The Unifi line doesn’t support such things. For example, on an edge router it was fairly easy to make a rule saying “any port 53 traffic that isn’t coming from the Pihole, redirect back to the Pihole”.

The Dream Machine Pro isn’t 100% stable and occasionally requires the config to be reloaded. It’s support for more modern VPN types has been slow to materialise.

The UDMP has been vastly superior to my crappy IDP supplier routers.

Coincidentally I recently read somewhere that the Ubiquity firmware is actually based on OpenWRT.

The Unifi APs run OpenWRT. The Edgerouters and USGs run EdgeOS which is a fork of Vyatta 6.3. The Dream Machines run UnifiOS. I'm somewhat out of the Unifi loop these days as I only use the APs since my Edgerouter died in 2020, so am not up on what Unifi OS is based upon.

I won't say they never ran OpenWRT, but I've used several generations of Unifi AP's and every one used unifiOS which is based on Vyatta. If they did run OpenWRT, they haven't in well over a decade.

I suggest sshing to one of your Unifi APs and verifying. My APs are running firmware version bz.6.5.28 released 3 months ago. It is based upon OpenWRT 17.01.6 according to the /etc/openwrt_release file on the AP.

Below are the complete contents of the file:







DISTRIB_DESCRIPTION='LEDE Reboot 17.01.6 r3979-2252731af4'

DISTRIB_TAINTS='no-all mklibs busybox'

Edited: Added newlines for file content. I originally posted this from mobile in a hurry. Copy/pasting from the ssh session on my phone resulted in newlines being lost.

At least ac lite and nanohd are openwrt-based, so definitely less than a decade.

I thought the Ubiquiti stuff used VyOS (fork of Vyatta)?

No, it's Vyatta-based.

Or, if you're in Germany, get a FRITZ!Box. It's been my favorite product purchase ever[1]. Solid performance, and the software is a bliss. Here are some niceties available out of the box:

- Traffic prioritization (real-time, prioritized, background), and access profiles (per-device data budget, filters, max online time).

- Per device statistics on max data rate, current throughput, Wi-Fi standard, encryption, signal properties (e.g. MU-MIMO or not), etc.

- Special LAN port for guests, without access to the rest of the network (good for that ad filled smart TV).

- Extra LED with customizable function (can light up if there's anybody in the guest network, or a device plugged in the USB, or data cap is exceeded, etc).

- Energy consumption graphs for each major component (CPU, Wi-Fi, USB devices, etc).

- More information about my DSL cable than I know what to do, including spectrum graphs, line attenuation, latency, and even approximate line length.

- Security diagnostics with provider info, firmware status, login credentials type, open ports, egress filters, Wi-Fi security, etc.

- Also has features for smarthome, telephony, NAS, and media center, but I've never tried those.

[1] https://avm.de/produkte/fritzbox/fritzbox-7530-ax/

Yeah these are great pieces of software and hardware, and AVM is a decent company as well. Although I personally prefer to hang up a Ubiquiti WAP.

I wanted to say there used to be Freetz which was neat but they ensured this wouldn't work anymore. But I learned it is continued in form of Freetz-NG!

My ISP (Freedom Internet) allows me to rent a modem for 2 EUR per month. A steal.


I had one of these things and wouldn't recommend it to my worst enemy

it kept adjusting the settings I had configured after some period of time

e.g. set up a hole for SSH. I then tested it to ensure that it worked

then a few days later, trying to use it for real... finding out the device had decided to change the DNAT target ip

I replaced it with a mikrotik box that cost 1/6th as much and has functioned perfectly ever since

or in the UK - the preferred router on Zen Internet, who sell them to customers at cost price (about half retail)

I have a 7530-AX and on the whole it's been good - but for some reason the 5GHz service keeps switching off; wondered if you'd had any similar experience?

No, can't say I have. Does your SSID disappear for some time, or is the 5GHz setting turning off permanently?

I've read about routers disabling 5GHz when they detect RADAR, because 5GHz can interfere with that use, and RADAR has higher priority. Here's an article on this, official from the manufacturer and for your specific model (another point for them in my book):


Thanks! This might be the clue I need - looks like the channel I’m using might be more prone to RADAR interference. Trying out a few changes now to see what effect it has.

It could also be a client issue; I configured my access point to choose the best channel for 5GHz and sometimes when it picks a DFS channel, some devices just can't connect.

I would also recommend OpenWRT - to anyone who's tech-savvy enough to upload a new firmware file and go through a web interface to set up the network. I was used to setting up things like Mikrotik or OpenBSD+pf (which while great, are not exactly intuitive), and was surprised it's really no more difficult (often less difficult) than using whatever stock web UI these SoHo routers usually come with.

I've given up on trying to find one with perfect openwrt support. Something is always broken, mostly hardware offloading, so speeds suck.

The kind of hardware offloading included in consumer router hardware is fundamentally broken by design. Relying on the ethernet switch to handle NAT instead of the CPU makes it impossible to do software-based QoS (eg. the SQM module's cake or fq-codel) or any other packet processing that said ethernet switch isn't equipped for.

The router I have right now is the best one I've ever had, it's an APU4D4 from teklager.se.[1]

> APU router is the most open-source network device you can buy. It comes with open-source BIOS, open-source operating system of your choice and open hardware schematics. It's not locked down in any way.

I bought mine with opnsense pre-installed and it has been absolutely rock solid. For wi-fi, I've just used an old router with wifi in "ap-mode" connected to my APU router -- interestingly it turns out that the throughput bandwidth for wi-fi increased by orders of magnitude as soon as the poor Asus box didn't have to perform any logic on the packets passing through.

[1]: https://teklager.se/en/products/routers/apu4d4-open-source-r... -- I have no affiliation with the company, just a happy customer.

Sadly pcengines, the original manufacturer of the APU boards, is EOL: https://news.ycombinator.com/item?id=35635900

Yeah that really sucks, but I hope the many other options for opnsense routers are decent too when this one decides to break.

It should be possible to e.g. use the Turris router: https://www.turris.com/en/ I heard a 10G option is in the pipeline.

I would recommend installing opnsense on any old desktop PCs you have lying around. Get an intel LAN card with two ports (or more) and you'll be golden.

OpenWRT is fine but I've found that if you're shopping around for devices it's hard to find ones that will do 1gbps with traffic shaping enabled for an affordable price.

Most desktops I've come across tend to be louder and draw more power than consumer routers. That could be important for some.

ServeTheHome has been doing a series on fanless mini desktops that are perfect for the role of router (most don't have WiFi though, you'd need a separate AP).

Honestly, not such a bad thing. Routers are normally located far from the ideal location in most houses/apartments for good wireless coverage. Usually in the corner of the basement where the coax/fibre/phone lines come in, not exactly a good place to put an AP.

I've been running separate APs for awhile and IMO it's the way to go if you're at all interested in running anything like openwrt/opnsense.

Modern routing appliances are like a vcr/tv combo. You will have a better time if you split the functionality apart. It allows you to change/upgrade pieces of your network infrastructure more easily.

FYI: OpenWRT is just Linux and will run fine on x86 hardware as well.

For sure - I casually looked at OpenWRT on x86 and it seemed (on the surface at least) to be more fiddly than opnsense. Updates and handling storage/partitions appeared to be more unclear to me. But that was probably just me, I didn't dig too deep into it.

There is two way of installing OpenWrt on x86:

1. Use the ext4 image and extend the main partition to the full size of the disk. This requires a lot of "fiddling" later in case of upgrade (as parent wrote).

2. Use the combined squashfs image and don't touch the image layout (no resizing, keep the ~100 MB free default / partition). Easy upgrade experience like other embedded devices (get image, open ui or ssh, upload, flash, reboot, done). Oddly, this isn't made clear by the official Wiki at all and the simplest option.

IMO, the best configuration is running your x86 box with Proxmox and run the squashfs OpenWrt in a VM. There is no need for more than 100 MB of space and if you need to install so many packages or apps, better create another VM and use a standard Linux distro. It will also be more standard for many apps to be installed on a full fledged OS instead of the custom OpenWrt layout.

You only need 2vcpu and 256 MB of ram to run standard OpenWrt at 1 Gbps (SQM included if you have a recent CPU). The rest of your box ressource can be used for anything you want.

I used to run OPNsense but I switched to Debian because of https://news.ycombinator.com/item?id=34839161 . I wouldn't recommend OPNsense any more for anyone who cares about security.

> wouldn't recommend OPNsense any more for anyone who cares about security.

Can you elaborate? I wasn't a fan, but it's an option compared to pfSense CE.

There is a link in the comment you replied to.

If you're running a 100+ watt desktop for a router, you're kind of fucking up.

OpenWRT is a bliss to setup a router. We configured a lot of little customed subnetworks at work and it made everything so much easier.

Can't reccommend OpenWRT enough, really solid.

When I went shopping for a router I had a lot of trouble finding one.

I basically don't care about "features," but I wanted the latest WIFI standards because of reception issues in my house, and at least 4 wired ethernet ports. (I don't want to have to buy dongles / extenders for wired ethernet ports.)

It was surprisingly hard to find an OpenWRT router that supports the latest WIFI features, so I just went with a proprietary router.

I recently picked up a Linksys e8450 (twin sibling of the Belkin RT3200) and flashed it with openWRT and it's been great; WIFI-6 speeds on a router that is actually configurable

Something I learned first-hand from empirical testing is that Intel cards are quantifiably better at receiving frames than cards with Realtek/Mediatek/Ralink chipsets, specifically in congested environments.

In the presence of a collision, the Intel cards are able to successfully receive the stronger signal of the two as long as there's enough of a difference in signal strength.

The cards with Realtek chipsets on the other hand, are only able to receive the stronger of the two frames if the stronger frame started being transmitted first.

It's as if Intel's receiver is always looking for frame preambles even when a valid preamble has been heard and the radio is in the middle of receiving a frame. The other receivers stop looking for preambles while in the middle of receiving a frame.

If you live in an urban environment and have wifi problems, you'll likely have an observable improvement if you upgrade.

I don't know how well Qualcomm and Broadcom chipsets perform, but I wouldn't be surprised if at least Qualcomm works as well as Intel.

What year is this, there are no collisions in full duplex ethernet with switches, which is the overwhelming majority of cases

Has anyone tried Mikrotik routers? The one I tried a while ago was fantastic.

I've been using a Mikrotik for about 2 years now, switched from an Ubiquiti EdgeRouter X when I upgraded to 1gig at home. It works great and has been rock solid since setting it up. I even have 4 port bonding setup to my main switch because neither has SFP+.

However, it was kind of a bear to get all setup. In terms of setup difficulty it goes Mikrotik -> EdgeRouter - any consumer focused router. I've been putting off setting up VLANs for about a year and a half because I just know I'm going to break everything.

I've used them for years and have had no major issues, and the wiki is good enough to follow along for most any normal setup you might have.

It is certainly a step up from "plug in and it works" consumer routers/APs but the setup has gotten much easier since the early days.

Recommended. And if you check you can even find some of their hardware can run OpenWRT so you have that as a backup.

I have it. It's nice. But a lot of boxes to check to get it working.

We have Rukus unleashed (AP) + PfSense at one of my hotel

But I prefer Aruba Instant on APs. Most easist and simple.

I really liked the Tomato firmware for these things a while back... Been using OpnSense currently, with a dedicated AP mounted centrally in my home. It's a shame that the FCC rules have pretty much guaranteed that routers will only allow signed firmware updates, though the companies could do it differently. In the end, I miss the plethora of home hardware that can be consumer maintained and upgraded. I've avoided most "smart home" stuff for that reason.

More of a Tomato fan myself (used multiple ASUS routers), but using a router with stock firmware always seemed not worth the risk when there are so many great alternatives.

Couldn't reccomend OpenWRT as opposed to any stock vendor firmware enough. Simple-adblock is a godsend


1. Reboot the router via pulling and reconnecting the power cord

2. Log in to WWW interface

3. Go to Administration > System. Enable SSH (enable login/password as well, choose a port of your taste)

4. SSH to your router: ssh admin@ -p 2424 (assuming your user name is admin, the IP is and you chose port 2424 for ssh). Password is the same as for the web UI

5. In SSH session, type: rm /jffs/asd/chknvram20230516

6. In SSH session, type: reboot

Seems to have done the trick for me.

I mean, this might work for me, but how do we deal with the fact that if I were my wife ASUS has basically turned my very expensive router into a very expensive brick?

Agreed. I had enough issues with my router yesterday I purchased a different brand router and decommissioned my ASUS. I was not aware of this wide-spread issue until today. Much like HP printers, I will think twice about recommending or purchasing an ASUS.

>I will think twice about recommending or purchasing an ASUS.

With the recent ASUS motherboard over voltage, emergency BIOS update, warranty void if update used then reverse that threat.... the insanity of it all. Many people are saying that.

Then purchase what? From what I understand most consumer router manufacturers do push automatic updates. Usually installed when the router is power cycled.

The Net Gear one that I have done as well.

Something that runs openWRT.

Set up and forget.

Set up and forget is a often a bad idea. Keyword: Security Updates

At worst, most troubleshooting guides online (one's phone probably has Internet) and probably even in the manual end with "if all else fails, here's how to factory reset". Someone in the comments of the article said a factory fixed it for them.

I understand the frustration, but after some initial anger, people will eventually get there.

For 99% of the non technical people I know, "get there" is to buy a new router. Or call their ISP and wait for a visit.

Plus, if you cannot get online, you cannot get the instructions to fix it.

Less than a brick. You can break windows and drive nails or stakes with a real brick. ASUS has created landfill.

Deleting a file without understanding what or why... That's a good way to cause bigger problems

Bigger problems that my entire home internet connection essentially being gone?

The router is a brick now, the worst that can happen is that it’ll be a brick after.

In fairness, it's not really a brick. You can reboot it and use the internet for tens of minutes at a time, and during that time, you can log into the web UI and click "install upgrade" to permanently fix the issue.

My last router was an Asus. It was the best one I'd ever had, not counting an old 25MHz 386 that booted Linux off a floppy disk. The new one (PC Engines + OpenBSD) is better, though, starting two days ago, something keeps kicking my Mac off my unifi wifi networks (full WiFi signal, no connection, all other devices work, and the mac can talk to the starlink WiFi).

There's no upgrade available for my AP (ASUS ZenWiFi AC Mini CD6) and "upgrading" manually using the current FW from ASUS webpage didn't fix the issue.

The latest version available is from 2022/07/21.

Source: https://www.asus.com/pl/networking-iot-servers/whole-home-me...

>an old 25MHz 386 that booted Linux off a floppy disk.

inquiring minds want to know...how long did that boot take?

My spare MacBook Air (2011) had recently started to drop off one of the WiFi after 10-15 seconds. It works fine on another WiFi and all the other devices seem to be fine on both.

In this case yes, but don't forget that there are much worse things routers can be than a brick. They can be a man-in-the-middle, botnet node for ddos, etc.

If the router is not usable by the person who bought it, it is not likely to remain connected to the internet for a theoretical botnet attack.

Wow! You just reminded me that our Roku stick is still plugged in after 3-6 months of being forgotten.

I wonder how many TB of "family isn't watching television; advertise funeral homes to relatives and travel insurance packages to primary user" it has sent home in that time.

I'd be interesting to know what percentage of internet routers are plugged in and forgotten on a disused internet connection at any given time. I'd guess ~ 1%, and that the percentage will increase as wireless broadband gets more popular.

Home routers can be disconnected from thr Net if there is no payment for the services. There were a bunch of ES47, DS20, DS15 along with HP MSA1000 and some others I don't remember, which were still connected and running the last time I saw them, which was in 2018. At least they were on the LAN.

If there's a fix, then it's not really a brick.

The file in “/jffs/asd” can be named differently depending on your SKU, in my case (ASUS ZenWiFi XD4) it was “blockfile<date>”. Just delete the one with the date appended to it.

I’d recommend renaming the file instead of straight up deleting it.

Given the error they had in the log was no space left on device, then the fix probably does require the removal of the file.

It was no space left on the tmpfs, since the bug causes some kind of memory leak. It's not a matter of disk usage.

It’s still used by asd next time it launches, so you have to at least move it out of that folder.

Do we know if this file is something downloaded from ASUS, rather than a bogus file created on the router itself? If the former, it might be interesting to make a backup copy in case someone can see what it is they did wrong.

Worked on two routers for me. Went from the cpus being maxed to ~%2-3.

I don't have an ASUS router, but three things leap out at me: a string being logged over and over, running out of space on a filesystem, and rotated log files named something.1.

It is trivially easy to blow right past the size capping on systems that use the old "newsyslog" style of external logfile rotation from the 20th century, and something that is logging a short string "[chknvram_action] Invalid string" over and over very fast is exactly how to do this.

For those interested in investigation, therefore, I would suggest looking at logfile sizes, and seeing whether it was logs eating all of the free space on /jffs and /var .

The underlying cause would be whatever is logging "[chknvram_action] Invalid string" thousands of times over, but the mechanism would be log files filling the tmpfs that the article mentions, which would explain why the system had no memory for forking new processes.

My wild speculation about "[chknvram_action] Invalid string" is that something somewhere in whatever "chknvram" is, the name being suggestive of something checking non-volatile RAM, has either bad data or a broken parser, and the recovery semantics are to retry immediately, incessantly, as fast as possible.

It turns out that chknvram is one part of the asd service, and it regularly downloads signature files looking for malwares.

* https://www.snbforums.com/threads/what-is-asd-process.76242/...

So some somewhat more informed speculation is that the new signature file either yesterday or today either broke a parser or was itself corrupt. The error-handling path for this is still poor.

Love that thread. In typical SNB fashion everybody piles on OP for wanting to disable the scan that keeps his drives awake for days on end.

They argue that he doesn't understand and he's stupid to want to be part of a botnet and that Asus obviously know what they're doing.

An extra fun part is that about 2/3rds of the way through in pops someone else pointing out that the closed source ASUS proprietary malware scanner decided that all of xyr /usr/lib/crt*.o files on a mounted disc volume were malwares and promptly deleted them. (-:

Why are people mounting discs?

When I was a broke college student sharing my neighbors open WiFi (with permission) I convinced him to attach a HD to his router. I ripped all our DVDs, Blu-ray’s, and put our torrents on the HD. We could watch videos from our laptops connected to TVs.

The sea gate drive failed soon after and I lost tons and tons of files. Not to mention it silently corrupted almost every file before biting the dust, videos stopped playing suddenly.

Many of the ASUS routers have a built in feature to use a usb drive's space as FTP/SMB share on the network. Can be handy, although slower than an actual NAS.

Probably they want to share files or to install extra software on the router?

Why not just put the drive on the network? I'm getting downvoted but I'm just trying to understand how a router is able to delete things on an external disc.

Some routers can also double as a budget NAS by plugging a USB hard drive into it. I've seen some that also double as print servers.

How would you put the drive on the network? Attaching it to an always-on computer, or buy a nas device or something? It seems easier to plug it into your router if the firmware supports it.

You can use a lot of routers as low cost NASs.

> it regularly downloads signature files

Why does a router need malware signature files? It has no business monitoring my traffic, except in accordance with the firewall rules that I set myself.

From the article:

> not keeping my firmware up to date

I've had this (non-Asus) router for three years. I've never updated the firmware.

> I've had this (non-Asus) router for three years. I've never updated the firmware.

Botnet operators are very grateful for your cooperation, you are helping them a lot

I've never updated the firmware on any of my routers, and I'll be happy to give you a million dollars if you can prove that it's part of a botnet. This pathethic holier than thou attitude is obnoxious, you really think 95% of routers are part of a botnet? Or that they're even accessible from the internet?

> you really think 95% of routers are part of a botnet? Or that they're even accessible from the internet?

It's probably not 95%, but it's certainly significant. And yes, most consumer routers are obviously accessible from the internet, that's how they work (they're generally not behind a firewall, they are a firewall, and can have vulnerabilities). You might want to read up on it [1, key quotes below], and I know I certainly wouldn't be willing to wager my consumer router wasn't infected, because how would I ever have any idea?

> Out of the box, most routers suck when it comes to security. Vulnerable firmware is an easy target. Backdoors have been discovered in just about every brand of router... It's possible you will never even know your device is infected...

> When we're talking about routers, these aren't the enterprise-level gear made by the likes of Cisco, Sonicwall, or Palo Alto... We're talking about what you would get off the shelf at Wal-Mart or Best Buy — the D-Links, Netgears, and Linksyses of the world.

> The problems start with the cheap, antiquated MIPS architecture used by a lot of these devices' processors... One substantial problem comes from a security flaw that goes back to 2001. Per one deep yet fascinating paper, the chips lack basic defensive abilities against malicious code execution. Combine this with manufactures commonly implementing out-of-date, vulnerable Linux kernels in their devices, and then putting this device on the edge of your network completely exposed to the internet.

But to sum up -- not updating your router's firmware is a terrible idea. It's not something to be proud of.

[1] https://www.cbtnuggets.com/blog/certifications/security/your...

As 100% of Asus routers are part of the Asus botnet so I'll take my chances on that 5% with my custom, libre, hand-rolled breadboard router.

Don't think so. The management interfaces are only exposed on the local network. If you could hack into my local network some other way (e.g. through Apache), you could probably attack the web interface on the router; but in fact no local network services are exposed to the internet.

It's a device that's directly exposed on the public Internet. Anyone in the world can send any package they want to it. It's not that uncommon for people to find bad bugs in network protocol stacks. An attacker wouldn't have to go through a web interface.

There are a multitude of ways to trick consumer routers into letting an external request log into the web interface. That's also ignoring the multitude of ways to botnet them without using the web portal, as manufacturers suck at their job and often ship known exploited libraries and utilities. Some have had genuine back doors even.

If you don't expose any external services of the router then it's a bit hard for botnets to take advantage of your router.

Most of these routers are likely becoming part of the botnet for enabling external web management and/or using default creds (especially if SSH is exposed externally).

Security isn't exceptionally hard, if you actually put some effort into it.

There have been plenty of router exploits that begin with a pivot from a web browser to a poorly secured admin panel on the local network. Firewalling incoming traffic from the Internet to the router's management interface is no security panacea.

Again, as I mentioned, the bulk of those rely on default creds.

Many of the big manufacturers have been tackling that issue by forcing a password change at setup and not allowing an insecure default to be chosen.

> a poorly secured admin panel on the local network

Why is the web interface left on? Just turn that off, there shouldn't be much to do with that.

Not sure you'll see this, with HN's lack of notifications, and so much time elapsed but here's the answer:

Most consumer routers do not support disabling the web interface on the local network, as it's the primary (only?) means of administration for them. This attack relies on getting users to browse to an address with default creds by some means, with a URL prepended that will cause the desired action to occur. More often than not a popular action is to modify the DNS servers used, so that DNS traffic can then me manipulated to point to malicious servers used for the ultimate attack.

Don't forget the biggest botnet being ASUS who didn't disclose the scanning... or whatever else they happen to be doing without the explicit consent of the owner.

Issues like this don't happen across such a wide area by accident.

Basic professional practices have any updates tested beforehand on physical hardware at multiple stages before any push happens, and they leave it up to the user because pushing an update without the owner's explicit consent to a device they own, runs afoul of the same hacking abuse laws. The legal exposure is massive.

It also doesn't account for the fact that firmware was attempted to be updated on devices which were set to not update. ASUS has a lot to explain. They didn't release any kind of statement so the lawyers and computer forensics people will likely need to get involved to get to the bottom of it.

I look forward to eventually hearing about what really happened.

Botnet operators are careful to not mess with my internet connection. If they want to use my router for other stuff while it’s not in use by me, who am I to complain.

Well, for starters here is an article about malware specifically targeting ASUS routers.


Hopefully that clears up the first question of "why does it need malware signature files?"

As for your router firmware? You should seriously update that. New exploits get found all the time.

Hackers use compromised routers as parts of a botnet, a intermediary route, or as an access point with which to steal data with Man in the Middle attacks.

> Hopefully that clears up the first question of "why does it need malware signature files?"

Not really. The article doesn't mention signature files. It describes the operations of a certain malware once it has been executed on a router. But first it has to get onto the router; and the only way new software can get onto this router is via a firmware update.

>the only way new software can get onto this router is via a firmware update.

That has never been the case. Software from consumer routers is often still in the "a trivial buffer overflow lets a malformed packet insert a payload into ram and convince the PC to jump to it." phase of software security. They are very much still wormable systems, like Windows 2000 style. Ever have your router glitch out and stop working and you have to reboot it? That's probably an exploitable bug.

That’s an attack on the router itself, not the network traffic it carries.

Signature files are only useful to scan network traffic.

This was literally a discussion about the firmware of a router.

How is it not relevant? This person has not updated their router's firmware in over 3 years.

The viral traffic needs to get to the router in the first place. I assume that the means of reaching the router is literally via network traffic?

What am I missing?

When I hear “signature file” I think of a list of signatures of known viruses and malware.

These types of signature files aren’t meant to guard against exploits, SSH brute forcing, etc, even if the router applies them to inbound traffic in addition to forwarded traffic. To do that, you typically need a WAF or some clever fail2ban-like filtering rules. Even up-to-date signatures won’t prevent a router from getting 0wn3d if the ssh daemon has a security hole for example.

As sites move to HTTPS, routers can’t even really filter networking traffic anymore. I don’t see why a router needs signature lists at all

Thankyou for the insight.

> Hopefully that clears up the first question of "why does it need malware signature files?"

The malware signature files really don't help prevent your router joining a botnet.

Firmware updates, maybe, maybe not. It is quite possible for other routers with less generally sloppy and advertised-feature-rich firmware to actually be more secure even without updates for 3 years. It's quite possible that they have no api endpoints available for super-easy mobile app integration remote management etc, just ssh from local subnet or physical serial console.

There have been multiple cases of market-leading antivirus engines (symanted, mcaffee, etc) having sloppy code running with the highest possible privilege, parsing any files appearing on the system anywhere, and e.g. crashing a mail server that would otherwise be unaffected by the PoC samples being emailed through it by researchers.

So, I also take some issue with people who have no understanding of how all this software around us is designed and built (in routers, in windows, on web servers) and thinking that just updating everything all the time and running antivirus is the best you can do. You really can do a lot better if you know what you're doing.

Re: firmware updates, there is stuff like these remotely exploitable kernel wifi stack issues not that long ago:


There can be driver specific remotely exploitable issues that might not be widely communicated. Until operating systems are written more robustly, just having admin level stuff set up robustly isn't always enough. Of course, updates can add bugs too.

A parsing error due to a signature-based malware definition file update is a totally plausible suspect!

It would explain why the router is downloading “updates” but not firmware upgrades.

Also, these signature files contain tons of hex strings and unusual characters used to identify the actual malware (IOCs).

We rollback these updates all the time when a bad malware signature update pegs the AV scan daemon. They are released several times per month depending on the vendor.

Someone more knowledgeable about ASUS asd can probably confirm/deny.

In the comments of the article someone mentions that deleting the file solved the issue without a firmware update. Too bad they didn't save it before, a comparison with the newer working version would be nice.

I guess Asus quickly discovered their mistake and removed the faulty file from their servers, but affected devices never got to the point where they'd look for a newer file but just choked on the local one.

The most annoying part is that security scanning is opt-in (I have it off) but I guess the service auto starts and auto downloads definitions anyway.

What's your recommended alternative to the newsyslog style of external logfile rotation? I'm not much of a sysadmin but it might be useful to know at some point. Thanks in advance!

The one that people came up with in the 1990s. There are quite a number of implementations to choose from. The shame of this hitting ASUS in 2023 is that this is a long-known problem and a long-since solved one. I have vague memories of grumpy posts on Usenet about this. It's that old a problem; and it has been solved for nigh on a quarter of a century.

See https://jdebp.uk/FGA/do-not-use-logrotate.html for everything from Bryan Cantrill to comments in GNU source code. (-:

Awesome, thanks! I am in fact guilty of using logrotate but thankfully I haven't been burned yet. Although perhaps with the advent of containers piping logs to streams I've unknowingly absolved myself.

Also, you have an amazing website. Looking forward to reading more.

Weird how syslog doesn't de-duplicate these identical log messages. Or maybe it does, but not enough.

Respectfully, logs shouldn't be "smart", they should just log, that's it.

BSD syslogd definitely does, perhaps whatever stripped down one ASUS is using doesn't. e.g.

  Dec  2 01:09:41 hostname syslogd: last message repeated 10 times
The threshold's pretty low and most of the "repeated" messages say "repeated 1 times" however.

Does it store timestamps for those repeated occurrences? I wouldn't want my logs to "helpfully" coalesce multiple identical messages into a single one. For example, if I saw the equivalent of the text below in a program/OS while facing some issues, I'd be remarkably pissed.

  [2023-05-18 07:12:21] [E] Invalid event 0x1AF2 received from ...
  [2023-05-18 09:44:01] [I] Last message repeated 10 times
I care less about how many times the message was repeated - I care about timestamps, which I might want to correlate to other activities.

No, it's just a plain syslogd dating back to the 4.2 days. It aggregates at 30, 120, and 600 second intervals according to the source. Within that threshold I wouldn't care too much. If I really needed timestamps with more than thirty second precision I probably wouldn't be using syslogd.

In any new-ish production system I'd probably want to use anything other than syslogd anyways.


That's... good to know. I never realized anyone is doing something like this, ever. It breaks my trust in software logs in general - I'll be sure from now on to understand how any given program handles logging, before making assumptions relevant to troubleshooting.

In many cases, logs are asynchronous so depending on many factors among which are utilization of the host, you might get them with a delay and the ordering of events might not make sense because of that when read from the logs. If you need that precision you can surely engineer/ configure your system for that.

If I'm running my own distributed system for some business reasons, sure.

If I'm dealing with equipment failures, bugs in third-party software, or other such random tech bullshit, as an individual or a team, then I don't know in advance when and what precision I'll need.

In a reasonable system, you might be able to change some function in one place, perhaps even in the running system and get the precision or detail you need. You might take out the big guns like e.g. dynamic tracing using BPF to attach probes at the right places.

If your logs are being spammed with the same message, while nothing else logworthy is happening, how many timestamps do you need in one hour?

Most of the time, I'd assume all of them I can store (deduplication is fine, if I can recreate the raw data afterwards). Which is a lot, because they should compress well (in the limit, approaching the same size as deduplication solution).

Sometimes those data points don't matter - like if they're generated by some program stuck in an infinite loop. But in other cases, they do - like e.g. if each message is caused by some event, like another program doing some processing, or user pressing a key, etc. - then timestamps will be useful to identify the exact cause (e.g. logs only happen when process X is processing mouse input, or when user presses one of 20 specific keys on their keyboard, or only when my microwave oven is running).

It helps to know exactly at what interval things are occuring, and you lose fidelity with this style of logging.

> BSD syslogd definitely does

…by default, but it can be disabled:

     -c      Disable the compression of repeated instances of the same line
      into a single line of the form "last message repeated N times"
      when the output is a pipe to another program.  If specified
      twice, disable this compression in all cases.
* https://man.freebsd.org/cgi/man.cgi?query=syslogd

It seems that the binary in question just writes the logfile directly and does not use syslog.

This seems to be related to “ASUS Healing System” which I don’t even know if I have enabled or not.

That name already sounds creepy enough, but searching for that string (with the quotes) currently returns only 4 results, of people asking what it is. My guess is some sort of hidden backdoor, disguised as an ostensibly useful feature.

I'm going to take a wild guess that the "ASUS Healing System" periodically checks system health and reboots a Daemon or the whole system if stuff breaks.

That seems to be the way to keep consumer grade routers from requiring the user walk over and reboot them once a week...

What is it with these routers and the need to get rebooted so frequently? Is it just poor firmware?

They’re underpowered devices with almost no RAM, being asked to push traffic for ever faster internet connections. It’s a miracle consumer grade routers as well as they do.

The configuration space of any complex system diverges exponentially with respect to time. This is as true for computers as it is for you. Biologically, you start life with one set of genes and end life as a chimera, full of mutations.

In this particular case, the set of states that the device is in when it boots is relatively small compared to the set of states that device may be in a week later. More generally, all individual complex systems need to be "restarted" periodically, it's just a question of how often.

A lot of times its software errors caused by powerline ingress from poor electrical isolation at the plug. If the wrong bits get flipped from EM interactions, only quick way to fix it is to reboot and reload.

The software is on the same quality level as IoT devices and shitcoin projects

Hardware people can't write software

> Hardware people can't write software

Domestic routers, in particular, are infamous for their web interface and management daemons often calling command line programs through system() to configure the network (and other system management tasks), instead of directly using the APIs these command line programs use. Not only is this inefficient and fragile, it also not rarely leads to being vulnerable to shell injection attacks (if you're lucky, only exploitable by authenticated users of the web interface).

A lot of routers have this healing system built in. I had a netgear at close to the end of life which was two years After I bought it (I think), would reboot every hour. It was ok for the most part until my uncle came from elsewhere and was working remotely on a video call. It drove him bonkers.

Yeah, sounds like a supervisor.

So what exactly is the Asus Healing System? I can't find any details about it online.

I assume that ASUS routers are based on Linux, so shouldn't the source for these routers be readily available? I am able to find custom third party mods (asuswrt-merlin) but I can't actually find a clear copy of the original sources!

This is very common when I look to find source for embedded devices like this. What I expect is the next step is that you will find (or be given) a borderline useless blob of source that doesn't explain any of it's build process, which is absurd because the GPL clearly defines the build "glue" as part of the source.

Is ASUS another company that is doing a poor job of GPL compliance in this space?

Is it intentional?

Userspace programs do not have to be GPL to comply with a GPL-licensed kernel or even with other GPL-licensed userspace programs that they interact with.

Why would ASUS release the source code for its router firmware? It doesn't have to be GPL.

> AsusWRT is a derivative of Tomato which is itself one of the descendants of HyperWRT, a Linux distribution for low-end network appliances such as routers.

I Just looked at it, I remember that the original source was available from the support page(don't remember if you had to have the product registered though), but I can no longer find it. Maybe they switched to a manual request process?

To me that sounds like some sort of adaptive signal conditioning/denoising/filtering system just by the name of it.

So DSP magic?

The power of blogging and HN. Asus or my ISP didn't tell me why my router/internet went out twice today. I honestly thought thieves stole my copper again:


I love when thieves are trying to steal copper, but all they get is a broken fiber optic ;)

My dad works as a network engineer, and he told me a story that one of the banks in Poland lost one of the internet providers. They investigated and found out that thieves stole hundreds of meters of a fiber cable, because they thought that it's copper.

Don't they typically have co-extruded copper in the conduit/pipes for Utility Locators to use, even if it's just fiber inside?

that sounds like so much fun for all involved

and brought it back in between? :D

Maybe they were spotted by the police and had to pretend they're there installing the wires so they don't get caught.


I have the same device, didn’t notice any issues, possibly because I’m using Asuswrt Merlin https://www.asuswrt-merlin.net/

Oddly, I'm also running Merlin but I did have a problem where my laptop thought it was connected to the AP but couldn't get local network traffic routed to it. Easiest solution turned out to be to just reconnect, so I don't actually know the deeper problem.

I don't think it has any relation, but since it's the first time it's happened, it was kind of a freaky coincidence!

Did not experience any issues with my RT-AX86U running Asuswrt-Merlin either.

Ditto, RT-AC68U running merlin with no issues.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact