Firmware update: Asuswrt-Merlin 386.2

Asus uses a Tomato-derived firmware called Asuswrt for its routers, such as the RT-AC68 and RT-AX88. This firmware is, with the exception of a few drivers, open source, whereby the closed binaries are included. Asuswrt-Merlin, in turn, is a modified version of Asus’ original firmware. It includes bug fixes and minor improvements, but still tries to stay close to the original, so that it remains possible to add new features that Asus introduces to the code. The changelog for version 386.2 looks like this:


  • Due to changes in how custom device icons are handled, first time you boot with 386.2 you need to either shift-reload the main index page, or clear your browser cache.


  • Added support for the GT-AX11000. Note that VPN Fusion, as well as the ROG-specific features such as the custom UI are not supported.
  • Added support for the RT-AX68U.
  • Added jitterentropy-rngd daemon to HND routers. This will ensure sufficient entropy is generated early on at boot time, reducing boot stalls caused by insufficient entropy for the kernel’s random number generator, and also generally improves security related to crypto operations by the router.
  • Added Cake QoS for HND routers. Note that just like Traditional QoS, this is not compatible with hardware acceleration, and therefore might not be usable on connections faster than around 350 Mbps (may vary based on router models).


  • Merged GPL 386_42095.
  • Openssl to 1.1.1k.
  • OpenVPN to 2.5.1.
  • iproute2 to 5.11.0 (HND models).
  • root certificate bundle to March 9th 2021.


  • qos-start “init” user script now runs in blocking mode to ensure it’s able to complete any changes it may apply to qos configs before these configs get applied.


  • Router could get stuck at boot time after the user migrated from stock firmware, or just erased his JFFS partition, requiring a factory default reset.
  • ATM checkbox could not be enabled on QOS page.
  • DST not getting applied to some timezones (snauton)
  • Traditional QoS was broken in 386.1 (dave14305)
  • Connected IPSEC clients weren’t shown on the VPN Status page.
  • Userspace conntrack tool was no longer working
  • Traffic Monitor spikes for HND models. (Asus backport)
  • webui incorrectly complaining about mismatched timezone between browser and webui for some timezones (dave14305)


  • SSH Brute Force Protection option (already handled by Asuswrt’s protect service daemon)

Version number 386.2
Website Asuswrt-Merlin
License type GPL