[Fork] FreshTomato-ARM

Discussion in 'Tomato Firmware' started by kille72, Apr 15, 2018.

  1. rgnldo

    rgnldo Serious Server Member

  2. linkiTom

    linkiTom New Member Member

    Couple of finds... I have an 68U setup in AP mode. with old tomato everything works. However, with Fresh, the ntp does not work due to dns name resolution and maybe the same reason why themes do not work. When having theme enabled, the system crashes quite often.
     
  3. bjlockie

    bjlockie Network Guru Member

    I think it is useful to share bandwidth among users.
     
  4. txnative

    txnative Networkin' Nut Member

    I usually game so it is vital for me and my network, as far as bandwidth I just use what my ISP is letting me rent since even though I pay for it i'll never own it.
     
  5. srouquette

    srouquette Network Guru Member

    is there a way to test DNS resolution speed?
    2018.4 feels super sluggish, but I'm not sure if it's my settings or the firmware.

    I'm using cloudflare (1.1.1.1 and 1.0.0.1), DNSSEC + dnscrypt on scaleway-fr, was on soltysiak before. I don't use stubby yet since it seems I was losing DoT from time to time, maybe due to adblock.
    adblock: activated - 118036 entries

    dnsmasq.conf:
    cache-size=8192
    domain-needed
    bogus-priv
    no-poll
    no-negcache
    log-async=25
     
  6. Sean B.

    Sean B. LI Guru Member

    What make arg is used for the RT-AC3200 when building the firmware? Is it a supported model under the ac68(e)(z) builds?
     
    Last edited: Oct 12, 2018 at 10:50 AM
  7. livepu

    livepu Reformed Router Member

    I don't know when to update the BCM driver. Look forward to
     
  8. Tolocdn

    Tolocdn Networkin' Nut Member

    Is there a breakdown of the settings in Tomato and what they do? Even a basic typical setup guide would be awesome! I'm sure I've overchecked too many things in my DNS setup.
     
  9. Cliffield

    Cliffield Network Newbie Member

    You could try namebench (https://code.google.com/archive/p/namebench/) or DNSBench (https://www.grc.com/dns/benchmark.htm).

    Cliffield
     
  10. BusyBoxer

    BusyBoxer Networkin' Nut Member

    So when you have "enable stubby" checked in the current version it is using a default stubby config file (stubby.yml) that includes more than just cloudflare as the dns over tsl... it has cloudflare (1111,1001) and Quad9 (9.9.9.9) and dns privacy project and SURFnet and both IPV4 and IPV6 in the config... and it just rotates around through them. It is unclear to me the mechanism for this movement... but that is likely why you are seeing initially that you are using the cloudflare resolvers... then it will eventually move on to the others. Even with this movement it is still DNS over tls, just with various resolvers. The problem I had was it would rotate through them all and land on surfnet and never move back... but only my ARM router (when testing this on my MIPS2 router it never left cloudflare but I digress).


    Next time you see that it is not on cloudflare use some dns leak testing mechanism (https://www.dnsleaktest.com works well click advanced test) and you will likely see you are on quad 9 or more likely SURFnet resolvers... they are still DNS over TLS... just not cloudflares resolvers.

    If you have the "enable stubby" checked it is not using the dns entries after it is up and running it is instead using the stubby.yml listed resolvers.

    This is only like this because they are just doing the initial testing of the stubby support... eventually there will be some interface or simple area to paste in a config file so you can set the resolvers you want.

    There is a way in this version to make your own config... and it does survive reboot and power outage shutdowns. It was suggested by rgnldo and I have been using it for weeks with my custom resolver list (only cloudflare and quad 9 and only IPv4)... the key is to modify the stubby.yml to contain only the entries you want (I just commented out the ones I didn't)... and then have the system move your custom stubby.yml over after the system is up and restart dnsmasq so it eventually re-starts stubby and presto you are now using your config instead of the default config.

    This is rgnldos post:

    https://www.linksysinfo.org/index.php?threads/fork-freshtomato-arm.74117/page-11#post-299732

    The only difference is instead of using the JFFS I keep my stubby config on my USB drive so in the WAN up script I just point it to the USB drive modifed stubby config instead of the JFFS


    tl;dr: When you have stubby checked it is ignoring your dns settings and using the resolvers in the config file... it rotates through many so you will not stay on cloudflare all the time... BUT it will still be tls wrapped to the other resolvers even when not on cloudflare.
     
  11. rgnldo

    rgnldo Serious Server Member

    After some tests, based on connection latency, the best DoT server for me was Cloudflare. You can adapt as you wish.
    Code:
    resolution_type: GETDNS_RESOLUTION_STUB
    
    dns_transport_list:
      - GETDNS_TRANSPORT_TLS
    
    tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
    
    #dnssec_return_status: GETDNS_EXTENSION_TRUE
    
    tls_query_padding_blocksize: 256
    
    edns_client_subnet_private : 1
    
    idle_timeout: 60000
    
    listen_addresses:
      - 127.0.0.1@5453
    #  -  0::1@5453
    
    round_robin_upstreams: 1
    
    upstream_recursive_servers:
    # Quad 9 IPv6
    #  - address_data: 2620:fe::fe
    #    tls_auth_name: "dns.quad9.net"
    # IPv4 addresses
    # The 1.1.1.1 Cloudflare Servers
      - address_data: 1.1.1.1
        tls_auth_name: "cloudflare-dns.com"
        tls_pubkey_pinset:
          - digest: "sha256"
            value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
      - address_data: 1.0.0.1
        tls_auth_name: "cloudflare-dns.com"
        tls_pubkey_pinset:
          - digest: "sha256"
            value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
    # Quad 9 Server
    #  - address_data: 9.9.9.9
    #    tls_auth_name: "dns.quad9.net"
    
    
    Dnsmasq Custom configuration:

    Code:
    no-negcache
    Scripts -> Wan Up

    Code:
    sleep 5
    cp /jffs/stubby.yml /etc
    sleep 5
    service dnsmasq restart
     
    BusyBoxer and geekjock like this.
  12. rgnldo

    rgnldo Serious Server Member

    This instability in Dnsmasq is being fixed in build 2018.5.

    No need for these option. Try adding only:
    Code:
    no-negcache
    Use the d0wn.is.ns2 server for Dnscrypt.
     
  13. jyan01

    jyan01 New Member Member

    Hi All:

    I have a EA6900 v2, now running FRESH TOMATO Firmware 2018.4 K26ARM USB AIO-64K. I have Verizon FIOS 1GB, seems speed is capped at around 350mb (wired connection). I have enabled cut-through forwarding and it doesnt seem to work. When I was on Advanced Tomato 3.5-140 AIO, that was working fine and non issue. Can anyone provide commentary and what settings on FRESH TOMATO, I need to change to support the Verizon FIOS 1GB speeds.
     
  14. bjlockie

    bjlockie Network Guru Member

    Try freshtomato-2018.3.
    Go back to Advanced Tomato.
    No other ideas, sorry.
     
  15. rgnldo

    rgnldo Serious Server Member

    CTF (Cut-Through Forwarding) = Enable

    WAN Port Speed = 1000 half full

    Wireless Region = United States

    Routing = Efficient Multicast Forwarding (IGMP Snooping) = Enable
     
  16. jyan01

    jyan01 New Member Member

    *****
    Hi. Wan Port Speed, I don't see 1000. I only see 100 Half/Full as highest. I have configured the other settings, it doesn't work, any other ideas? If I want to go back to 2018.3 Fresh Tomato or Advanced Tomato, do I update within the GUI or do I need to do in the CFE? For whatever reason I cant seem to invoke CFE, it doesnt come up. I hold reset, power on, while holding reset for 15-20 seconds and then the GUI IP # address...can't get CFE.
     
  17. rgnldo

    rgnldo Serious Server Member

    Yes. 100 half full.

    I'm not exactly sure what happens with the FreshTomato 2018.4 build for the EA6900 v2. I recommend trying out other firmware, suitable for your connection.
     
  18. Sean B.

    Sean B. LI Guru Member

    If the WAN port isn't showing a gigabit negotiated speed, it's not going to deliver gigabit throughput. Under Tools->System Commands run this:

    Code:
    robocfg show
    And post the output please.
     
  19. srouquette

    srouquette Network Guru Member

    @Cliffield: thanks, I tried DNSBench and the local DNS is definitely slower: https://i.imgur.com/14RIbbE.jpg

    @rgnldo: ok thanks, I'll update my settings and wait for 2018.5. About dnscrypt, I live in France, would d0wn.is.ns2 be faster than scaleway?

    edit: yeah d0wn is slower ^^;
    I re-tested soltysiak with dnsbench and it seems faster than scaleway, so I'm back to that.
     
    Last edited: Oct 14, 2018 at 6:21 AM
  20. RMerlin

    RMerlin Network Guru Member

    Resolution time is mostly meaningless, and so is DNSBench.
     
    rgnldo, koitsu and kille72 like this.
  21. srouquette

    srouquette Network Guru Member

    ok. I assumed that it was the problem because the first time I visit a website, it takes a good amount of time to load the page (reddit, youtube, something like 3-5sec).
    So what would be the root cause?
    How can I investigate this problem?

    The slow loading is only happening if I go through my router.
     
  22. RMerlin

    RMerlin Network Guru Member

    Make sure you don't have a completely dead DNS configured, that might explain such a long delay if one of the two DNS was incorrect.
     
    rgnldo likes this.
  23. rgnldo

    rgnldo Serious Server Member

    This option is in AsusWRT-Merlin, not in FreshTomato. Or I'm wrong.
     
  24. rgnldo

    rgnldo Serious Server Member

    I often use these commands to test the best latency for the DNS I want. Change the one according to the DNS provider you want to use. Should serve for Dnscrypt as well.

    Code:
    while true; do dig @1.1.1.1 www.amazon.com | grep time; sleep 2; done
    
    
    Code:
     while true; do dig @1.1.1.1 www.amazon.com | grep "Query time:" | cut -d : -f 2- | cut -d " " -f 2; s
    leep 2; done
     
  25. Sean B.

    Sean B. LI Guru Member

    It's the Broadcom driver for the switch. If the board is running Broadcom ( as all Tomato supported routers are ) it will have robocfg.
     
    pedro311 and kille72 like this.
  26. Darkbing

    Darkbing Connected Client Member

    Greetings,

    May I ask has the multi-wan feature already been fixed when running alongside with qos?

    I wasn't able to catch up with the past recent changes and updates.

    Kind Regards.

    Tomato Supporter here
     
  27. freshlysqueezed

    freshlysqueezed Network Newbie Member

    Just an FYI. I didnt want to run such an old firmware on Advance Tomato, due to the overwhelming security vulnerabilities that could put me at risk with older firmware.

    I upgraded from Advance Tomato to Fresh Tomato wiping out NVRAM first and the upgrade went smooth as could be on my R7000.

    I have AT&T 1 Gig up and down and was able to mostly cap out the connection even with Cut Through Forwarding not enabled. With it enabled made little difference. Wireless speed seems to be abut the same getting about 300Mbps on 5ghz.
     
  28. phagenauw

    phagenauw New Member Member

    Question?
    It has been a will since i changed the firmware on my EA6900 to "Asuswrt-Merlin & Xwrt-Vortex". Currently i run 380.69 on my EA6900 and i want to upgrade to the latest available FreshTomato. Just to be shure; as i run the Xwrt-Vortex version, so i have the new 64K CFE in place can i now directly upgrade from the "firmware upgrade" page in the Xwrt-Vortex WebUI to the latest FreshTomato release or do i need to; reset, go back (if possible) to the CFE mini web setup page, etc, etc.
    Thanks if anyone can make this more clear.
     
  29. monoton

    monoton Serious Server Member

    I use the "recovery web interface" and a full reset when changing from one firmware to another. works fine.
     
  30. phagenauw

    phagenauw New Member Member

    Hi and thanks. Found that to get into the recovery web interace is to hold the reset button while powering on and then release. Hopefully correct, will try!
     
  31. Mashed_Tomatoes

    Mashed_Tomatoes New Member Member

    Awesome work so far guys! I have a R7000 on Shibby's last TomatUSB fw. Can I just upgrade directly or is there a need to send the initial fw? Thanks!
     
  32. BusyBoxer

    BusyBoxer Networkin' Nut Member

    From my experience flashing a friends R7000 once it's on shibby you can go directly to FreshTomato ARM but they recommend a fresh config (in other words once the router is flashed either NVRAM clear it or check the "After flashing, erase all data in NVRAM memory" tick) then re-configure it manually (don't restore a saved config from the shibby version).
     
  33. Carmine

    Carmine New Member Member

    I wanted to thank the team for continued development of Tomato. Much appreciated!

    I did notice an issue with a firewall script that didn't occur on Shibby's last release and basically crashes my Fresh Tomato 2018.4 installation on my R7000 and blocks all web access.

    I simply reused a script from my previous Shibby version 140 to block DHCP traffic across an OpenVPN site to site bridge as I have (non-Tomato) DHCP servers on both sides. This script has worked flawlessly for years.

    The OpenVPN bridge is between two R7000's running Fresh Tomato 2018.4. Everything works great, traffic flows with no issues bi-directionally, until I apply the following script to either side of the connection:

    ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
    ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

    When the script is applied and the R7000 restarted I lose all connectivity between both sites and local web Internet traffic stops and it is actually hard to access the router to remove the script. Once the script is removed everything goes back to normal.

    I really need to block DHCP traffic across the OpenVPN bridge as clients are receiving the wrong addresses with the wrong gateway information that leads to very slow performance. I am wondering if the script needs to be applied in a different way in Fresh Tomato.

    Thanks in advance for the assistance!

    Carmine
     
  34. Wizardknight

    Wizardknight Reformed Router Member

    I may have found a VPN/MTU bug.
    Previously my VPN Client connections were working without any issues.
    I made a change to my MTU, and then changed it back to default when I didn't see any speed improvements.
    Now no VPN client connections will work, but the the GUI gives feedback as though they were. (I get the stop now button for example) However my IP address is still my local address, and not the expected VPN address.

    I am getting a connection I think based on the info from stats tab:
    Name Value
    TUN/TAP read bytes 3034
    TUN/TAP write bytes 0
    TCP/UDP read bytes 5755
    TCP/UDP write bytes 6221
    Auth read bytes 176
    pre-compress bytes 1962
    post-compress bytes 2007
    pre-decompress bytes 0
    post-decompress bytes 0

    I would prefer not to rebuild my router from scratch, but I am not sure how to troubleshoot this.

    Edit:
    I rolled my firmware back to 2018.3 from 2018.4, and it resolved the issue.

    Edit 2:
    Spoke to soon.
    It only worked for the very first vpn connection attempt.
    If I press stop, and try to select VPN client 2 after having used client 1 they all stop working again. :(

    Edit 3:
    Found a cfg backup from my original upgrade to 2018.4, and restored my router.
    Only lost a few minor changes.
    Still can't understand why touching the MTU would damage the router's ability to route traffic over the VPN permanently.
     
    Last edited: Oct 17, 2018 at 11:36 PM
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice