Asuswrt-Merlin - build 380.57 (24-Dec-2015)
===========================================

About
-----
Asuswrt is the name of the common firmware Asus has developed
for their various router models. Originally forked from
Tomato, it has since grown into a very different product, removing
some more technical features that were part of Tomato, but
also adding new original features such as support for dual WANs.

Asuswrt-merlin is a customized version of Asus's firmware. The goal is
to provide bugfixes and minor enhancements to Asus's firmware, along with
a few occasional feature additions. This is done while retaining
the look and feel of the original firmware, and also ensuring that
the two codebases remain close enough so it will remain possible
to keep up with any new features brought by Asus in the original firmware.

This project's goal is NOT to develop yet another firmware filled with
many features that are rarely used by home users - that is already covered
by other excellent projects such as Tomato or DD-WRT.

This more conservative approach will also help ensure the highest
level of stability possible. Priority is given to stability over
performance, and performance over features.


Supported Devices
-----------------
Supported devices are:
 * RT-N66U
 * RT-AC66U
 * RT-AC56U
 * RT-AC68U
 * RT-AC68P
 * RT-AC87U
 * RT-AC3200
 * RT-AC88U
 * RT-AC3100
 * RT-AC5300

Devices that are no longer officially supported (but forked builds might
exist from other developers):
 * RT-N16


NOTE: all the "R" versions (for example RT-N66R) are the same as their
"U" counterparts; they are just different packages aimed at large
retailers. The firmware is 100% compatible with both U and R versions
of the routers. Same with the "W" variants that are simply white.


Features
--------
Here is a list of features that Asuswrt-merlin adds over the original
firmware:

System:
   - Based on 3.0.0.4.380_1031 source code from Asus
   - Various bugfixes and optimizations
   - Some components were updated to newer versions, for improved
     stability and security
   - User scripts that run on specific events
   - Cron jobs
   - Ability to customize the config files used by the router services
   - LED control - put your router in "Stealth Mode" by turning off
     all LEDs
   - Entware easy setup script (alternative to Optware - the two are
     mutually exclusive)
   - SNMP support (based on experimental code from Asus)


Disk sharing:
   - Enable/disable the use of shorter share names
   - Disk spindown after user-configurable inactivity timeout
   - NFS sharing (through webui)
   - Allow or disable WAN access to the FTP server
   - Updated Samba version (3.6)


Networking:
   - Force acting as a Master Browser
   - Act as a WINS server
   - Allows tweaking TCP/UDP connection tracking timeouts
   - CIFS client support (for mounting remote SMB share on the router)
   - Layer7 iptables matching (N66/AC66 only)
   - User-defined options for WAN DHCP queries (required by some ISPs)
   - Advanced OpenVPN client and server support
   - Netfilter ipset module, for efficient blacklist implementation
   - Configurable min/max UPNP ports
   - IPSec kernel support (N66/AC66 only)
   - DNS-based Filtering, can be applied globally or per client
   - Custom DDNS (through a user script)
   - Advanced NAT loopback (as an alternative to the default one)
   - TOR support, individual client control
   - Policy routing for the OpenVPN client (based on source or
     destination IPs), sometimes referred to as "selective routing"
   - DNSSEC support


Web interface:
   - Optionally save traffic stats to disk (USB or JFFS partition)
   - Enhanced traffic monitoring: added monthly, as well as per IP
     monitoring
   - Name field on the DHCP reservation list and Wireless ACL list
   - System info summary page
   - Wifi icon reports the state of both radios
   - Display the Ethernet port states
   - Wireless site survey
   - Advanced Wireless client list display, including automated refresh
   - Redesigned layout of the various System Log sections
   - Editable fields for some pages


A few features that first appeared in Asuswrt-Merlin have since been
integrated/enabled/re-implemented in the official firmware:

   - 64K NVRAM for the RT-N66U
   - HTTPS webui
   - Turning WPS button into a radio on/off toggle
   - Use shorter share names (folder name only)
   - WakeOnLan web interface (with user-entered preset targets)
   - clickable MACs on the client list for lookup in the OUI database
   - Display active/tracked network connections
   - VPN client connection state report
   - DualWAN and Repeater mode (while it was still under development
     by Asus)
   - OpenVPN client and server
   - Configurable IPv6 firewall
   - Persistent JFFS partition
   - The various MAC/IP selection pulldowns will also display hostnames
     when possible instead of just NetBIOS names
   - SSHD
   - Improved compatibility with 3TB+ and Advanced Format HDDs



Installation
------------
Simply flash it like any regular update. You should not need to
reset to factory defaults (see note below for exceptions).
You can revert back to an original Asus firmware at any time just
by flashing a firmware downloaded from Asus's website.

NOTE: resetting to factory default after flashing is
strongly recommended for the following cases:

   - Updating from a firmware version that is more than 3 releases older
   - Switching from a Tomato/DD-WRT/OpenWRT firmware

If you upgrade from anything older and experience issues, then
consider doing a factory default reset as well.

Always read the changelog, as mandatory resets will be mentioned
there when they are necessary.

In all of these cases, do NOT load a saved copy of your settings!
This would be the same thing as NOT resetting at all, as you will
simply re-enter any invalid setting you wanted to get rid of. Make
sure to create a new backup of your settings after reconfiguring.



Usage
-----

** JFFS **
JFFS is a writeable section of the flash memory which will allow you to
store small files (such as scripts) inside the router without needing
to have a USB disk plugged in. This space will survive reboots (but it
*MIGHT NOT survive firmware flashing*, so back it up first before
flashing!). It will also be available fairly early at boot (before
USB disks).

On that page you will also find an option called "Enable custom
scripts and configs". If you intend to use custom scripts or
config files, then you need to enable this option. This is not
enabled by default so if you create a broken config/script that
prevents the router from booting, you will still be able to regain
access by doing a factory default reset.

Try to avoid doing too frequent writes to this partition, as it will
prematurely wear out the flash storage. This is a good place to put
files that are written once like scripts or kernel modules, or that
rarely get written to. Storing files that constantly get written
to (like very busy logfiles) is NOT recommended - use a
USB disk for that.

You can back up and restore the content of the JFFS2 partition
from the same page where you can back up/restore the router configuration.


** User scripts **
These are shell scripts that you can create, and which will be run when
certain events occur. Those scripts must be saved in /jffs/scripts/ ,
so JFFS must be enabled, as well as the option to use custom
scripts and configs. This can be configured under Administration -> System.
Available scripts:

 * ddns-start: Script called at the end of a DDNS update process.
    This script is also called when setting the DDNS type
    to "Custom". The script gets passed the WAN IP as
    an argument.
    When handling a "Custom" DDNS, this script is also
    responsible for reporting the success or failure
    of the update process. See the Custom DDNS section
    below for more information.
 * dhcpc-event: Called whenever a DHCP event occurs on the WAN
    interface. The type of event (bound, release, etc...)
    is passed as an argument.
 * firewall-start: Firewall is started (filter rules have been applied).
    The WAN interface will be passed as argument (for
    example, "eth0")
 * init-start: Right after jffs is mounted, before any of the services
    get started
 * nat-start: nat rules (i.e. port forwards and such) have been applied
    (nat table)
 * openvpn-event: Called whenever an OpenVPN server gets
    started/stopped, or an OpenVPN client connects to a
    remote server. Uses the same syntax/parameters as
    the "up" and "down" scripts in OpenVPN.
 * post-mount: Just after a partition is mounted
 * pre-mount: Just before a partition is mounted. Be careful with
    this script. This is run in a blocking call and will
    block the mounting of the partition for which it is
    invoked till its execution is complete. This is done so
    that it can be used for things like running e2fsck on the
    partition before mounting. This script is also passed the
    device path being mounted as an argument which can be
    used in the script using $1.
 * qos-start: Called after both the iptables rules and tc configuration
    are completed for QoS. This script will be passed an
    argument, which will be "init" (when QoS is being
    initialized and it has setup the tc classes) or
    "rules" (when the iptables rules are being setup).
 * services-start: Initial service start at boot
 * services-stop: Services are stopped at shutdown/reboot
 * unmount: Just before unmounting a partition. This is a blocking
    script, so be careful with it. The mount point is passed
    as an argument to the script.
 * wan-start: WAN interface just came up (includes if it went down and
    back up). The WAN unit number will be passed as argument
    (0 = primary WAN)

Don't forget to set them as executable:

   chmod a+rx /jffs/scripts/*

And like any Linux script, they need to start with a shebang:

   #!/bin/sh



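The two requirements above (executable bit, shebang) can be checked in one
pass. The following is an added example, not part of the firmware or of the
original documentation; the function name audit_scripts is made up here, and
the check for group/world write permission is an extra hygiene check that
the text above does not require.

```shell
#!/bin/sh
# Added example, not part of the firmware: audit a user-script directory.
# The checks mirror the requirements above (executable bit, shebang) and
# add one more: no group/world write permission on files the firmware runs.

# audit_scripts [DIR]
# Prints one "ISSUE <file>: <reason>" line per finding.
# Returns 0 when the directory is clean, 1 when anything was reported.
audit_scripts() {
    dir=${1:-/jffs/scripts}
    issues=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue

        # The firmware can only launch the script if it is executable.
        if [ ! -x "$f" ]; then
            echo "ISSUE $f: not executable (chmod a+rx)"
            issues=$((issues + 1))
        fi

        # The first line must be a shebang such as #!/bin/sh.
        first=
        IFS= read -r first < "$f" || :
        case $first in
            '#!'*) ;;
            *)  echo "ISSUE $f: first line is not a shebang"
                issues=$((issues + 1)) ;;
        esac

        # Mode string from ls, e.g. "-rwxr-xr-x": character 6 is the
        # group write bit and character 9 the world write bit.
        mode=$(ls -ld "$f" | cut -c1-10)
        case $mode in
            ?????w????|????????w?)
                echo "ISSUE $f: writable by group or others ($mode)"
                issues=$((issues + 1)) ;;
        esac
    done
    [ "$issues" -eq 0 ]
}

# Run the audit when the file is executed with a directory argument.
if [ "$#" -ge 1 ]; then
    audit_scripts "$1"
fi
```
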
** SSHD **
The router can be accessed over SSH (through Dropbear). Password-based
login will use the same username and password as telnet/web access.
You can also optionally insert an RSA or ECDSA public key there for
keypair-based authentication. Finally, there is also an option to
make SSH access available over WAN.



** Crond **
Crond will automatically start at boot time. You can put your cron
tasks in /var/spool/cron/crontabs/ . The file must be named "admin" as
this is the name of the system user. Note that this location resides in
RAM, so you would have to put your cron script somewhere such as in the
jffs partition, and at boot time copy it to /var/spool/cron/crontabs/
using an init-start user script.

A simple way to manage your cron jobs is through the included "cru"
command. Just run "cru" to see the usage information. You can then
put your "cru" commands inside a user script to re-generate your cron
jobs at boot time.



** Enhanced Traffic monitoring **
Under Tools -> Other Settings are options that will allow you to save
your traffic history to disk, preserving it between router reboots (by
default it is currently kept in RAM, so it will disappear when you
reboot).

You can save it to a custom location (for example, "/jffs/" if you have
jffs enabled), or /mnt/sda1/ if you have a USB disk plugged in.
Save frequency is also configurable - it is recommended to keep that
frequency lower (for example, once a day) if you are saving to jffs, to
reduce wearing out your flash memory. Make sure not to forget the
trailing slash at the end of the path.

Note that the first time you use that option, you must tell the router
to create the data file. Make sure you set "Create or reset data
files" to "Yes".

Also, Asuswrt-Merlin can track the traffic generated by each individual
IP on your network. This option is called IPTraffic. To enable this,
you must first set a custom location to store your traffic database
(see above). Once again, you must also tell it to create the new data
file, by enabling "Create or reset IPTraffic data files". Once done,
enable the IPTraffic Monitoring option. This will add three new
entries to the Traffic Monitor page selector (on the Traffic Monitoring
page).

You can optionally specify which IP to monitor, or exclude some IPs
from monitoring. Each IP must be separated by a comma.

It's strongly recommended that you assign a static IP to devices you
wish to monitor to ensure they don't get a different IP over time,
which would make the collected data somewhat unreliable. The
monitoring is done per IP, NOT per MAC.



** Adjustable TCP/IP connection tracking settings **
Under Tools -> Other Settings there are various parameters that let
you tweak the timeout values related to connection tracking for TCP and
UDP connections. You should be careful with those settings. Most
commonly, people will tweak the UDP timeout values to make them more
VoIP-friendly, by using smaller timeouts. Timeout values are in
seconds.



** Mounting remote CIFS shares on the router **
You can mount remote SMB shares on your router. The syntax will
be something like this:

   mount \\\\192.168.1.100\\ShareName /cifs1 -t cifs -o "username=User,password=Pass"

(backslashes must be doubled.)



** Disk Spindown when idle **
Jeff Gibbons's sd-idle-2.6 has been added to the firmware, allowing you
to configure a timeout value (in seconds) on the Tools -> Other Settings
page. Plugged hard drives will stop spinning after being inactive
for that specified period of time. Note that services like Download
Master might be generating background disk activity, preventing it from
idling.



** OpenVPN (client and server) **
OpenVPN is an SSL-based VPN technology that is provided as a secure
alternative to the PPTP VPN. OpenVPN is far more secure and more
flexible, however it is not as easy to configure, and requires the
installation of client software on your computer. The client
can be obtained through this download page:

   http://openvpn.net/index.php/open-source/downloads.html

Explaining the details of OpenVPN is beyond the scope of this
documentation, and I am in no way an expert on OpenVPN.
Fortunately, there is a lot of available documentation and Howto guides
out there. I tried to stick to the same option descriptions as used by
Tomato, so about any guide written for Tomato can easily be used to
guide you on Asuswrt-Merlin. For pointers, check the Wiki on the
Asuswrt-Merlin Github repository.

You can provide your own custom client config files for the two server
instances. Store them in the /jffs/configs/openvpn/ccd1/ (and ccd2/)
directory based on which server instance they belong to, with the
filenames matching the client common names. See the OpenVPN
documentation for more details on the ccd directory.



** Customized config files **
The services executed by the router such as minidlna or dnsmasq rely
on dynamically-generated config files. There are various methods
through which you can interact with these config files to customize
them.

The first method is through custom configs. You can append content to
various configuration files that are created by the firmware, or even
completely replace them with custom config files you have created.
Those config override files must be stored in /jffs/configs/. To have
a config file appended to the one created by the firmware, simply add
".add" at the end of the file listed below. For example,
/jffs/configs/dnsmasq.conf.add will be added at the end of the dnsmasq
configuration file that is created by the firmware, while
/jffs/configs/dnsmasq.conf would completely replace it.

Note that replacing a config file with your own implies that you
properly fill in all the fields usually dynamically created by the
firmware. Since some of these entries require dynamic parameters, you
might be better off using the postconf scripts added in 374.36 (see the
postconf scripts section below).

Also note that for customized config files to be available, you need
to have both JFFS and the custom config and script support options
enabled, under Administration -> System.

The list of available config overrides:

 * adisk.service
 * afpd.service
 * avahi-daemon.conf
 * dhcp6s.conf
 * dnsmasq.conf
 * exports (only exports.add supported)
 * fstab (only fstab supported, remember to create mount point
   through init-start first if it doesn't exist!)
 * group, gshadow, passwd, shadow (only .add versions supported)
 * hosts (for /etc/hosts)
 * igmpproxy.conf
 * minidlna.conf
 * mt-daap.service
 * pptpd.conf
 * profile (shell profile, only profile.add supported)
 * radvd.conf
 * smb.conf
 * snmpd.conf
 * torrc (for the Tor config file)
 * vsftpd.conf
 * upnp (for miniupnpd)

Also, you can put OpenVPN ccd files in the following directories:

   /jffs/configs/openvpn/ccd1/
   /jffs/configs/openvpn/ccd2/

The content of these will be copied to their respective
server instance's ccd directory when the server is started.


** Postconf scripts **
A lot of the configuration files used by the router services
(such as dnsmasq) are dynamically generated by the firmware. This
makes it hard for advanced users to apply modifications to these, short
of entirely replacing the config file.

Postconf scripts are the solution to that. Those scripts are
executed after the router has generated a configuration file, but
before the related service gets started. This means you can use those
scripts to manipulate the configuration file, using tools such as
"sed" for example.

Postconf scripts must be stored in /jffs/scripts/ . JFFS must be
enabled, as well as the option to use custom scripts and configs.
This can be configured under Administration -> System.

The path/filename of the target config file is passed as argument to
the postconf script.

The list of available postconf scripts is:

 * adisk.postconf (Time Machine)
 * afpd.postconf (Time Machine)
 * avahi-daemon.postconf (Time Machine)
 * dhcp6s.postconf
 * dnsmasq.postconf
 * exports.postconf
 * fstab.postconf
 * group.postconf
 * gshadow.postconf
 * hosts.postconf
 * igmpproxy.postconf
 * minidlna.postconf
 * mt-daap.postconf
 * openvpnclient1.postconf (up to openvpnclient5.postconf)
 * openvpnserver1.postconf (and openvpnserver2.postconf)
 * passwd.postconf
 * pptpd.postconf
 * radvd.postconf
 * shadow.postconf
 * smb.postconf
 * snmpd.postconf
 * torrc.postconf
 * upnp.postconf
 * vsftpd.postconf

To make things easier for novice users who don't want to
learn the arcane details of using "sed", a script providing
support functions is available. The following dnsmasq.postconf
script demonstrates how to modify the maximum number of leases
in the dnsmasq configuration:

-----
#!/bin/sh
# $1 is the path of the config file the firmware just generated
CONFIG=$1
source /usr/sbin/helper.sh

pc_replace "dhcp-lease-max=253" "dhcp-lease-max=100" "$CONFIG"
-----

Three functions are currently available through helper.sh:

   pc_replace "original string" "new string" "config filename"
   pc_insert "string to locate" "string to insert after" "config filename"
   pc_append "string to append" "config filename"

Note that postconf scripts are blocking the firmware while they run, to
ensure the service only gets started once the script is done. Make
sure those scripts do exit properly, or the router will be stuck
during boot, requiring a factory default reset to recover it.



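For those who prefer plain "sed", here is the same dhcp-lease-max change
written defensively, as an added example that is not the project's code and
does not use helper.sh. The function name set_option is made up here; it
assumes the key and value contain no "|", "&" or "\" characters, edits a
temporary copy first, and the script always exits promptly so the firmware is
not left waiting.

```shell
#!/bin/sh
# Added example, not the project's code: a dnsmasq.postconf that edits the
# generated file with plain sed instead of helper.sh.

# set_option KEY VALUE FILE
# Rewrite every "KEY=..." line of FILE to "KEY=VALUE", or append the line
# when KEY is absent, so the edit does not depend on the value the
# firmware wrote. Assumes KEY is a plain option name and that KEY and
# VALUE contain no "|", "&" or "\".
# The work is done on a temporary copy; FILE is only overwritten when the
# copy is non-empty, so a failed edit leaves the generated config intact.
set_option() {
    key=$1
    value=$2
    file=$3
    [ -f "$file" ] || return 1
    tmp="$file.postconf.$$"

    if grep -q "^$key=" "$file"; then
        sed "s|^$key=.*|$key=$value|" "$file" > "$tmp"
    else
        # "awk 1" copies the file and guarantees a trailing newline.
        { awk 1 "$file" && echo "$key=$value"; } > "$tmp"
    fi || { rm -f "$tmp"; return 1; }

    if [ -s "$tmp" ]; then
        cat "$tmp" > "$file"    # overwrite in place: keeps owner and mode
        rm -f "$tmp"
    else
        rm -f "$tmp"
        return 1
    fi
}

# The firmware passes the path of the generated config file as $1.
# Always finish promptly: the firmware waits for this script to exit
# before it starts the service.
if [ "$#" -ge 1 ]; then
    set_option dhcp-lease-max 100 "$1" ||
        logger -t dnsmasq.postconf "could not edit $1"
    exit 0
fi
```
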
** NFS Exports **
IMPORTANT: NFS sharing is still a bit unstable.

In addition to SMB and FTP, you can now also share any plugged
hard disk through NFS. The NFS Exports interface can be accessed
from the USB Applications section, under Servers Center. Click on the
NFS Exports tab.

Select the folder you wish to export by clicking on the Path field.
Under Access List you can enter IPs/Networks to which you wish to give
access. A few examples:

   192.168.1.0/24 - will give access to the whole local network
   192.168.1.10 192.168.1.11 - will give access to the two IPs (separate with spaces)

Entering nothing will allow anyone to access the export.

Under options you can enter the export options, separated by a comma.
For example:

   rw,sync

For more info, search the web for documentation on the format of the
/etc/exports file. The same syntax for the access list and the options
is used by the webui.

You can also manually generate an exports file by creating a file named
/jffs/configs/exports.add , and entering your standard exports there.
They will be added to any exports configured on the webui.

Note that by default, only NFSv3 is supported. You can also enable
NFSv2 support from that page, but this is not recommended, unless you
are using an old NFS client that doesn't support V3. NFSv2 has various
filesystem-level limitations.



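Since an empty access list opens an export to anyone, it is worth checking an
exports file (for example /jffs/configs/exports.add) for such entries. The
following is an added example, not part of the firmware; the function names
and the sample lines are constructed for illustration, and it assumes one
export per line, paths without spaces and no backslash line continuations.

```shell
#!/bin/sh
# Added example, not part of the firmware: flag NFS exports that any host
# can mount. Assumes one export per line, paths without spaces, and no
# backslash line continuations.

# sample_exports: constructed lines in /etc/exports syntax.
sample_exports() {
    cat <<'EOF'
# constructed sample for the check below
/mnt/sda1/media   192.168.1.0/24(ro,sync)
/mnt/sda1/pair    192.168.1.10(rw,sync) 192.168.1.11(rw,sync)
/mnt/sda1/backup  (rw,sync)
/mnt/sda1/public  *(ro,sync)
/mnt/sda1/bare
EOF
}

# check_exports FILE
# Prints "OPEN <path>" for every export with no access list, a bare
# "(options)" entry, or a wildcard client ("*" or 0.0.0.0/0).
# Returns 1 when at least one open export was found, 0 otherwise.
check_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }             # comments and blank lines
        {
            wide = (NF == 1)                 # path only: no access list
            for (i = 2; i <= NF; i++) {
                client = $i
                sub(/\(.*$/, "", client)     # strip "(rw,sync)"
                if (client == "" || client == "*" || client == "0.0.0.0/0")
                    wide = 1
            }
            if (wide) { print "OPEN " $1; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Check the file given on the command line, if any.
if [ "$#" -ge 1 ]; then
    check_exports "$1"
fi
```
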
** Easy Entware setup **
Entware is an alternative to Optware. They are both online software
repositories that let you easily install additional software to your
router (such as an Apache web server, or an Asterisk PBX). The main
benefit of Entware over Optware (which is used by Asus for their own
Download Master) is that it is very actively maintained, with recent
software versions.

Entware and Optware cannot be used at the same time however, so you
can't use Download Master while using Entware.

There is now a script to make setting up Entware easier.
Access your router through SSH/Telnet, and run
"entware-setup.sh".

Note that Entware requires the JFFS partition to be enabled, and an
ext2/ext3/ext4 formatted USB disk (NTFS, HFS+ and FAT32 are not supported).



** DNSFilter **
Under Parental Control there is a tab called DNSFilter. On this
page you can force the use of a DNS service that provides
security/parental filtering. This can be done globally, or on a
per device basis. Each of them can have a different type of filtering
applied. For example, you can have your LAN use OpenDNS's server to
provide basic filtering, but force your children's devices to use
Yandex's family DNS server that filters out malicious and adult
content.

If using a global filter, then specific devices can be told to
bypass the global filter, by creating a client rule for these,
and setting it to "No Filtering".

DNSFilter also lets you define up to three custom nameservers, for
use in filtering rules. This will let you use any unsupported
filtering nameserver.

You can configure a filter rule to force your clients to
use whichever DNS is provided by the router's DHCP server (if
you changed it from the default value, otherwise it will be
the router's IP). Set the filtering rule to "Router" for this.

Note that DNSFilter will interfere with resolution of local
hostnames. This is a side effect of having devices forced to use
a specific external nameserver. If this is an issue for you, then set
the default filter to "None", and only filter out specific devices.



** Layer7-based Netfilter module **
Support for layer7 rules in iptables has been enabled on MIPS-based
routers (RT-N66/AC66). You will need to manually configure the
iptables rules to make use of it - there is no web interface exposing
this. The defined protocols can be found in /etc/l7-protocols.

To use it, you must first load the module:

   modprobe xt_layer7

An example iptables rule that would mark all SSH-related packets
with the value "22", for processing later on in another chain:

   iptables -I FORWARD -m layer7 --l7proto ssh -j MARK --set-mark 22

Such rules could be inserted in a firewall-start script, for example.

For more details on how to use layer7 filters, see the documentation on
the project's website:

   http://l7-filter.clearfoundation.com/



** Custom DDNS **
If you set the DDNS (dynamic DNS) service to "Custom", then you will be
able to fully control the update process through a ddns-start user
script. That script could launch a custom DDNS update client, or run a
simple "wget" on a provider's update URL. The ddns-start script will
be passed the WAN IP as an argument.

Note that the script will also be responsible for notifying the firmware
on the success or failure of the process. To do this you must simply
run the following command:

   /sbin/ddns_custom_updated 0|1

0 = failure, 1 = successful update

If you cannot determine the success or failure, then report it as a
success to ensure that the firmware won't continuously try to
force an update.

Here is a working example, for afraid.org's free DDNS (you must update
the URL to use your private API key from afraid.org):

-----
#!/bin/sh

# The URL is quoted so the shell does not treat "?" as a wildcard
wget -q "http://freedns.afraid.org/dynamic/update.php?your-private-key-goes-here" -O - >/dev/null

if [ $? -eq 0 ]; then
   /sbin/ddns_custom_updated 1
else
   /sbin/ddns_custom_updated 0
fi
-----

Finally, like all custom scripts, the option to support custom scripts and
config files must be enabled under Administration -> System.



OpenVPN client policy routing
-----------------------------
When configuring your router to act as an OpenVPN client (for instance
to connect your whole LAN to an OpenVPN tunnel provider), you can
define policies that determine which clients, or which destinations
should be routed through the tunnel, rather than having all of your
traffic automatically routed through it.

On the OpenVPN Clients page, set "Redirect Internet traffic" to
"Policy Rules". A new section will appear below, where you can
add routing rules. The "Source IP" is your local client, while
"Destination" is the remote server on the Internet. The field can be
left empty (or set to 0.0.0.0) to signify "any IP". You can also
specify a whole subnet, in CIDR notation (for example, 74.125.226.112/30).

The Iface field lets you determine if matching traffic should be sent
through the VPN tunnel or through your regular Internet access (WAN).
This allows you to define exceptions (WAN rules being processed
before the VPN rules).

Here are a few examples.

To have all your clients use the VPN tunnel when trying to
access an IP from this block that belongs to Google:

   RouteGoogle   0.0.0.0         74.125.0.0/16   VPN

Or, to have a computer routed through the tunnel except for requests sent
to your ISP's SMTP server (assuming a fictitious IP of 10.10.10.10 for your
ISP's SMTP server):

   PC1           192.168.1.100   0.0.0.0         VPN
   PC1-bypass    192.168.1.100   10.10.10.10     WAN

Another setting exposed when enabling Policy routing is to prevent your
routed clients from accessing the Internet if the VPN tunnel goes down.
To do so, enable "Block routed clients if tunnel goes down".



Source code
-----------
The source code with all my modifications can be found on Github, at:

   https://github.com/RMerl/asuswrt-merlin



Contact information
-------------------
SmallNetBuilder forums (preferred method: http://www.snbforums.com/forums/asuswrt-merlin.42/ as RMerlin)
Website: http://asuswrt.lostrealm.ca/
Github: https://github.com/RMerl/asuswrt-merlin
Email: rmerl@lostrealm.ca
Twitter: https://twitter.com/RMerlinDev
IRC: #asuswrt on DALnet
Download: http://asuswrt.lostrealm.ca/download

Development news will be posted on Twitter. You can also keep a closer
eye on development as it happens through the Github site.

For support questions, please use the SmallNetBuilder forums whenever
possible. There's a dedicated Asuswrt-Merlin sub-forum there, under
the Asus Wireless section.

Drop me a note if you are using this firmware and are enjoying it. If
you really like it and want to give more than a simple "Thank you",
there is also a Paypal donation button on my website.

I want to give my special thanks to Asus for showing an interest in
this project, and also providing me with support and development
devices when needed. I also want to thank everyone that has
donated through Paypal. Much appreciated!

Finally, special thanks to r00t4rd3d for designing the Asuswrt-Merlin
logo.



Disclaimer
----------
This is the part where you usually put a lot of legalese stuff that nobody
reads. I'm not a lawyer, so I'll just make it simple, using my own words
rather than some pre-crafted text that will bore you to death and that
nobody but a highly paid lawyer would even understand anyway:

I take no responsibility for issues caused by this project. I do my best to
ensure that everything works fine. If something goes wrong, my apologies.

Copyrights belong to the appropriate individuals/entities, under the appropriate
licences. GPL code is covered by GPL, proprietary code is (c)Copyright their
respective owners, yadda yadda.

I try my best to honor the licences (as far as I can understand them, as a
normal human being). Anything GPL or otherwise open-sourced that I modify
will see my changes published to Github at some point. A release might get
delayed if I'm working using pre-release code. If it's GPL, it will eventually
be published - no need to send a volley of legal threats at me.

In any other cases not covered, Common Sense prevails, and I shall also make use
of Good Will.

Concerning privacy:

This firmware does not contact me back in any way whatsoever. Not even through
any update checker - the only update code there is Asus's.


---
Eric Sauvageau