
[Fork] Tomato-ARM by @kille72

Discussion in 'Tomato Firmware' started by kille72, Mar 24, 2017.

  1. PetervdM

    PetervdM Network Guru Member

    how much total and free NVRAM do you have?
    how many bits is the certificate on your main ac15?
  2. My Name

    My Name Serious Server Member

    The keys are identical on both Main Router running Toastman and Spare Router (soon to be Main Router) running latest @kille72 firmware. Both are 4096 bits, which is probably a bit much, but I seem to recall there was a good reason when I created them back in December 2017.

    Fixed problem by placing the Server Certs, Keys and Diffie-Hellman parameters on a USB Drive and used Custom Configuration in VPN, Advanced to point to the USB drive instead of trying to save them in nvram. VPN Server starts and I can connect to it remotely.

    To give credit where due, user @kthaddock as I recall helped me when I was having similar problems in a Linksys E3200 when saving VPN Keys and Certs in nvram. In that case it killed the 5ghz radio. In this case not sure what it was doing but most likely exceeding nvram boundaries or whatever.

    Link to post about using USB Drive, second post is by @kthaddock http://www.linksysinfo.org/index.php?threads/nvram-32k-size-error-with-openvpn-use-jffs.36950/
  3. miroco

    miroco Reformed Router Member


    I thought perhaps that these links could be of interest in the quest for new WiFi firmware. I have a D-link Dir-885L A2, Broadcom based AC3100 router. WiFi on LEDE/OpenWRT work for the A1 rev, but not the A2. This guide helped me fix it, but I think there is more to it.

  4. joew333

    joew333 LI Guru Member

    Interesting reading!! Thanks for posting.
  5. AndreDVJ

    AndreDVJ Addicted to LI Member

    M_ars, Elfew, Edrikk and 2 others like this.
  6. koitsu

    koitsu Network Guru Member

    This is awesome. That's one heck of an update, and you deserve major kudos for it.

    Several features will need testing on behalf of TomatoUSB users, especially those using ssh or scp from the router itself (so I'm talking about the client code, not the server code). Recent-ish Dropbear uses a completely different set of code, through something called dbclient, and it looks like lots of command-line flags got changed in the process too -- hopefully to be more OpenSSH-friendly.

    I'm left wondering if this long-standing problem with scp actually got fixed. I filed a GitHub issue with mkj (Dropbear author) about it some time ago, and he commented a year later stating that my fix actually looked wrong (it's probably wrong for *today's* Dropbear code, but it wasn't at the time, best I could tell). So to be clear for Andre and others: do not backport/import my fix for this, because the Dropbear code has changed a bunch since then and for all I know mkj has addressed it in newer versions (it does look like dbclient has a -y flag to automatically approve addition of an SSH host key/fingerprint, but I don't know if scp now does the right thing; I've asked mkj on GitHub).

    Edit: mkj responded: no, Dropbear 2018.76 doesn't fix the problem mentioned in the above paragraph; further code would need to be written to address this problem (i.e. my patch should not be used).
    Last edited: Mar 5, 2018
    AndreDVJ, pomidor1 and kille72 like this.
  7. drnorton

    drnorton New Member Member

    Thanks... I will see if I can use it for my intention.
  8. kille72

    kille72 LI Guru Member

  9. joew333

    joew333 LI Guru Member

    Cool stuff. Thank you!!!!
  10. kille72

    kille72 LI Guru Member

    Do you think we can use RAMdisk/tmpfs to speed up the Tomato compilation process?
    Last edited: Mar 6, 2018
  11. RMerlin

    RMerlin Network Guru Member

    Doubt it. I tried it a few years ago, and it made zero difference versus the slow SSD I was using at the time.

    Linux does a great job at caching things. Bottleneck is the CPU.
    Elfew and kille72 like this.
  12. My Name

    My Name Serious Server Member

    Ran into another problem of sorts today when I brought my spare TendaAC15 online as my main router running 2018.1.031 ARM beta. While every other device I have, Windows 10, Android 7 phones, Xiaomi MIBOX3 can see and connect to the 5 ghz network, my Roku Premier boxes cannot even see the 5 ghz network. All of the above and Roku Premier boxes connect to 2.4 ghz OK. To be clear, these are the same Roku Premier boxes that can and did connect to 5 ghz when I was running Toastman on what was my main router.

    I had done an NVRAM wipe on the new router but as a test, took the original AC15 running Toastman, loaded 2018.1.031 ARM beta and wiped NVRAM. After the AC15 rebooted and came online I can see Tomato24 and Tomato50 SSIDs on every device except the Roku Premier boxes. They can only see Tomato24.

    While this may be a problem unique to the Roku Premier boxes, has anyone else had issues with 5 ghz on 2018.1.031 ARM beta?

    EDIT Update: Noticed the Roku Premier Box I am looking at can see a couple of SSIDs from the neighborhood that are labeled as 5G. All the Roku boxes are running 8.0.1.Build 4041-29 firmware and the devices say the firmware is up to date.

    EDIT Update: Problem solved under Advanced, Wireless, changed Country / Region to 'UNITED STATES' and now Roku Premier boxes can see and connect to 5 ghz. Odd that this only caused grief for Roku devices on 5 ghz.
    Last edited: Mar 7, 2018
  13. PetervdM

    PetervdM Network Guru Member

    Not that odd. Have a look at the list of WiFi channels here: https://en.wikipedia.org/wiki/List_of_WLAN_channels
    I don't know what the default setting was, but a lot of countries or regions have legal restrictions on which channels are allowed. The US has no such restrictions. So if the automatically chosen channel on the router can't be used by your Roku due to the region it is manufactured for, they won't connect.
  14. cobrax2

    cobrax2 Serious Server Member

    Hi guys, I'm now on the latest Toastman fw, stable as a rock (R7000).
    I was thinking of switching to a newer version, and I see @kille72's one is the only one still under development.
    Thank you, and to the other developers that are involved and helping, for taking this massive task onto yourselves.
    If I may, just one question:
    I see that there is a lot of development going on atm. Is it stable? Can it successfully replace Toastman's yet?
    Also, is the fork based on Shibby's single or multiwan version? From what I observed over the past year, since the multiwan feature, his build was somewhat less "dependable" or it had some small issues.

    thank you very much again!
  15. txnative

    txnative Networkin' Nut Member

    This part I have done some investigative looking into, on defaults.c and rt-ac68u_nvram.txt, with comparisons of some nvram dumps from my router that had the beta 2018. They didn't seem to have the right parameters to values, but there is more to it: the nvram for some reason does hold on to some values placed in from Tomato during the install, and after doing an nvram erase or a reset with the button, the 2.4 GHz does hold on to a few of the default values. When I looked, wl_ssid=Tomato2g stayed after setting up my SSID through the GUI, and power settings as well; the 5 GHz didn't have any issues in nvram or with changes made for custom settings. I'm sure shibby will find a fix or solution on the 2.4 radio. This caught my attention when I read this thread and I had to put this here as well, not sure if it's useful. Congratulations on what has been accomplished so far. Regards

    Just had a look at my Linksys E3200 with Tomato Firmware v1.28.0511 MIPSR2Toastman-RT-N K26 USB VPN installed, and had a look at the same nvram, but I didn't realize that, unlike in defaults.c or rt-ac68u_nvram.txt, there is no mention of using wl0_xxx= whatever value; using the same wl0_ssid= does show the custom SSID, but not in wl_ssid=Tomato24. I'll have to look at it again and try a few settings again to see if there is a proper response from the 2.4.
    Last edited: Mar 7, 2018
  16. chchia

    chchia LI Guru Member

    I have a question about the bandwidth limiter. Please see the attached picture, it is saying kbits?

    So my real internet speed is 30Mb/10Mb; speedtest shows the actual downloading speed is about 3.5MB/1.1MB.

    So is my input number in the bandwidth limiter correct?

    What I want is to maximize the bandwidth usage, but by changing the priority I want to make one PC have the lowest latency. Sadly I just can't make it work correctly, can anyone help me?


  17. koitsu

    koitsu Network Guru Member

    30 megabits (Mb) =~ 3.75 megabytes (mB or sometimes MB) =~ 30000 kilobits (kb). Please use this website if you're unsure how to convert between different units.

    Speed test sites that show things in megabytes per second are depressing (these programs are made by people who try to correlate network traffic (bits) with storage/disk units (bytes), which tends to confuse users, case in point); network traffic (throughput/transfer rate) is always measured in bits. Here's a site with a video that can help educate and familiarise you, and here are the technical details.
  18. maurer

    maurer LI Guru Member

    I've tested it on my newly flashed ea6300v1(ea6400) and wireless survey doesn't work - no output
  19. My Name

    My Name Serious Server Member

    Wireless Survey working fine on my Tenda AC15 running 2018.1.031 ARM beta. Click on Refresh to start it.

    What I can't get to work on my AC15 set up as an Access Point is time. Shows time not available no matter what I try. Have all the usual settings such as gateway set as my main router, user-defined gateway when WAN is disabled is checked. I can ping 0.pool.ntp.org from the AP. Time works fine on main router.

    My setup is tagged VLANs 10 and 11 with VIDs 10 and 11 (br0 and br1) with Cat5e through a D-Link smart switch from LAN Port 1 on main router to LAN Port 1 on AP. Everything else seems to be working, just not time on AP. Probably something I missed or have forgotten to do since it worked when running Toastman using the same setup.

    Have a remote location still running Toastman with identical setup and time is good on that AP.

    @kille72 other than the AP time issue (which may still be something I have missed), everything that I use your firmware for on my two Tenda AC15 appears to be working well. Can't tell a lot of difference in 5 ghz distance but working well for my use on a couple of Android 7 phones, Roku Premier boxes, Windows 7, etc. Vlans OK, VPN OK. I did do a NVRAM wipe after upgrading to your latest and entered all my settings from that point.
    Last edited: Mar 9, 2018
  20. joew333

    joew333 LI Guru Member

    Works on my R7000 just fine. Just clicked on REFRESH. Hmmm one of my neighbors has a router called "Millennium Falcon".... must be a Star Wars fan?
  21. sandimas

    sandimas New Member Member

    I have the same problem on my Tenda AC15 running 2018.1.025 ARM beta. I ultimately was able to get the time set by using an IP address instead of a domain name for an NTP time server. I just used the time server provided by my pfSense router.
  22. Yim Sonny

    Yim Sonny Reformed Router Member

    If you would like to start a new thread then we will be able to help you better. This thread is for a specific firmware and your question is a general question.
  23. My Name

    My Name Serious Server Member

    Using an IP Address for time server did the trick on my AC15 as well. Time came up almost immediately. Must be a bug.
  24. koitsu

    koitsu Network Guru Member

    It's probably a "race condition" (timing thing), especially on a router reboot. DNS might not be fully available (ex. dnsmasq isn't running yet, but the DHCP client has), so when the NTP synchronisation process starts, it can't resolve the FQDN, resulting in time sync failing. The more complicated your network setup (i.e. VLANs, VPNs, etc.), the more likely this is to happen. TomatoUSB does not have an init script system (read: sysvinit, BSD rc, etc.) that has dependency-based service ordering (e.g. don't start ntp until dnsmasq is running), and there are few-to-none "wait states" implemented (e.g. "wait until the WAN is up before doing X/Y/Z").

    This is compounded by the fact that Tomato's NTP implementation is pretty awful (read: ntpd isn't used, instead it's basically a cronjob (sigh), and there's no "pool of servers", instead it's a "oh this one works, use it" "oh this one doesn't, okay I'll skip it" mentality), and this is even further compounded with lack of good troubleshooting tools (ex. ntpq) due to needing to keep the firmware small. I've ranted about Tomato's bad NTP implementation before.

    A crappy workaround might be to add to Scripts -> WAN Up some scripting bits that stop/start the ntp sync process to try and work around the problem -- how to do this depends on if you're on ARM vs. MIPS though (yes really!). If people want to know how I'd do this, I can do a write-up sometime. I could probably script auto-detection of which is being used so that you'd just need one script.

    Next: both my personal and professional experience with pool.ntp.org has been extremely poor. I've run into all sorts of issues with them: DNS FQDNs that don't resolve (tracked down to issues with their own nameservers, or network connectivity issues *to* those nameservers), or (more common) NTP servers which don't actually answer/respond.

    People using pool.ntp.org need to understand something about the service that makes it difficult to troubleshoot (read: annoying):

    1. Their DNS entries return multiple A records (i.e. round-robin DNS is used); thus which server you hit is entirely dependent upon the DNS resolver *at that moment in time*. A DNS query done a few seconds later may get a completely different server. That's how RR DNS works.
    2. Their DNS entries have a very short TTL -- 150 seconds -- which means you're likely going to get a different set of RR records (multiple A records) every 150 seconds

    Proof of both of those:

    $ dig a pool.ntp.org. +short
    $ dig a pool.ntp.org. +short
    $ dig a pool.ntp.org. +short
    # rndc flush
    # exit
    $ dig a pool.ntp.org.
    pool.ntp.org.           150     IN      A
    pool.ntp.org.           150     IN      A
    pool.ntp.org.           150     IN      A
    pool.ntp.org.           150     IN      A
    I generally don't like pool.ntp.org. I instead recommend picking a static list of two stratum 2 servers (one geographically near you, the other far away), followed by use of pool.ntp.org's Continental Zone FQDNs (these are usually stratum 3+ servers). The ntp.org website maintains a list of stratum 2 servers -- you need to be respectful of which servers are open vs. restricted, and you need to READ (NOT SKIM) the Rules of Engagement before using these servers. You do not need to use stratum 1 unless you are extremely anal:


    I'm intentionally not listing which servers I use, because I don't want people just blindly copy-pasting stuff into their setups. Follow my instructions and you'll be OK. :)

    In general I always assume some NTP server on pool.ntp.org will be broken/down/whatever. I run ntpd on a FreeBSD box on my LAN, so I have a very good/reliable way to provide NTP for my LAN. My TomatoUSB router NTP syncs off of that single FreeBSD box. Tomato's implementation is incredibly "best-effort", sorry to say.
  25. joew333

    joew333 LI Guru Member

    XWRT high performance version. I am wondering if it is possible to make a "high performance" version of XWRT, similar to the VPN builds of Tomato in terms of functionality. Aim would be to focus on core routing functions with a reduced feature set and high performance. What do you think?
  26. H48W30c0HK

    H48W30c0HK Network Newbie Member

    I built a GPS disciplined PPS source for about $10 (total!) worth of stuff off Aliexpress, so I don't need to worry about hammering already over-burdened public ntp servers, while serving Stratum 1 time over my home network.

    Here's a video of how to do it:
  27. Sean B.

    Sean B. LI Guru Member

    Very nice project. Great to see someone else that gets into the hardware and not just software.
  28. My Name

    My Name Serious Server Member

    @koitsu, thanks for the information. Followed your instructions and hopefully am OK now.
  29. maurer

    maurer LI Guru Member

    one more issue i just found - ssh tunnel doesn't work either.
    I've reset twice the nvram to factory defaults
  30. My Name

    My Name Serious Server Member

    Advanced, Lan Access does not appear to be working. It has the correct settings of

    Lan (br0) to Lan1 (br1) but clients on br0 cannot access devices on br1 which worked on Toastman.

    I have Iptables setup to prevent clients on Lan1 (br1) from accessing Lan (br0) and that works as expected.
  31. Sean B.

    Sean B. LI Guru Member

    Did these iptables additions include allowing traffic from br1->br0 based on related/established targets? If not, then the rules would prevent br0->br1 access by means of blocking the return traffic.
  32. My Name

    My Name Serious Server Member

    The iptables are the same ones I have used for the last several years on my Linksys E3200 running Shibby and AC15 running Toastman and have never caused a problem that I am aware of. Before posting earlier I had removed them to see if they were the problem.

    Here they are for analysis. Got these somewhere over on a DD-WRT Forum several years ago.
  33. koitsu

    koitsu Network Guru Member

    Maybe the problem has to do with "where" these rules are being injected into the FORWARD or INPUT chain. I don't know.

    iptables -I will inject new rules *at the top of the chain* (i.e. every command puts that rule as rule #0, all subsequent rules get pushed down by one).

    TomatoUSB (and DD-WRT too, certainly) manages its own rules in INPUT, FORWARD, etc. So, your rules may be "trumping" something further down that could actually allow traffic to pass.

    You really have to look at iptables -L {INPUT,FORWARD,OUTPUT} -n -v --line-numbers to get a clear view of what your rule orderings are. There are major security concerns if rules are injected into the wrong parts of the chain/rule list (e.g. things being accepted too early, or trumping security-related aspects further down in the rule list). This is basic firewalling 101 type stuff, BTW, and isn't Tomato-specific.

    I would suggest providing output here, in separate code blocks, of the following commands:

    iptables -L INPUT -n -v --line-numbers
    iptables -L FORWARD -n -v --line-numbers
    iptables -L OUTPUT -n -v --line-numbers
    You can XXX out IP addresses (particularly the WAN IP, e.g. XXX.XXX.XXX.XXX) but please make a key/legend saying what XXX means (ex. "XXX = WAN IP"). Try to retain the formatting/alignment please.
  34. My Name

    My Name Serious Server Member

    @koitsu, Not sure my iptables entries are the problem. No matter if my iptables are set in Firewall or removed from firewall, Lan (br0) cannot communicate with clients on Lan1 (br1) in this latest version of @kille but did work when on last version of Toastman with my personal iptables set in Admin, Scripts, Firewall.

    Right now, there are no entries under Admin, Scripts, Firewall and Lan cannot communicate with Lan1 even though it is set in Advanced, Lan Access.
  35. koitsu

    koitsu Network Guru Member

    Thanks for the clarification/information. Yeah, that's definitely something firmware-specific. Just some general ideas/thoughts on the matter (you can ignore these if you want, I won't be offended):

    You might try looking at brctl show br0 and brctl show br1 to see what interfaces (ethX and vlanX) make up the br0 and br1 bridges.

    On Toastman, by default br0 consists of eth1 (2.4GHz), eth2 (5GHz), and vlan1 (4 LAN ports).

    vlan2 is the WAN port. (Random tech FYI: the reason vlan1 are the 4 LAN ports and vlan2 is the WAN port is because these routers contain a 5-port switch; VLANs are the only way to effectively isolate a WAN port).

    There's no GUI for bridge details. The closest you can get is what's under Advanced -> VLAN. However, what's shown there is from the perspective of VLAN interfaces, not bridges. This often confuses end users (it's come up before on the forum). I've actually never used Advanced -> LAN Access; now that makes me wonder what that's for and where/how it's implemented (probably iptables rules).
  36. My Name

    My Name Serious Server Member

    @koitsu, brctl show br0 and brctl show br1

    root@TendaAC15:/tmp/home/root# brctl show br0
    bridge name     bridge id               STP enabled     interfaces
    br0             8000.xxxxxxxxxxx      no              eth1
    root@TendaAC15:/tmp/home/root# brctl show br1
    bridge name     bridge id               STP enabled     interfaces
    br1             8000.xxxxxxxxxx        yes            vlan11
    vlan10 is my main subnet, vlan11 is my isolated subnet. 2.4 ghz and 5.0 ghz in br0 and 2.4 ghz and 5.0 ghz Virtual Wireless in br1. Everything appears correct other than STP enabled should be no. Will fix that.
    Yes, and on Toastman and Shibby for that matter, all I ever had to do was setup my vlans, put my iptables stuff in Admin, Scripts, Firewall and Advanced Lan Access was set by default to access Lan1 from Lan. I have had a Br2 setup in the past on Shibby and used Advanced, Lan Access to allow traffic from Lan to Lan2.
    Last edited: Mar 13, 2018 at 12:47 PM
  37. koitsu

    koitsu Network Guru Member

    Yeah, with that bridge configuration, there would need to be iptables (or maybe ebtables? I haven't spent any time with this) rules to allow traffic to flow like br0 --> br1 and br1 --> br0.

    We're back to what I recommended in post #1633. I guess we might also need the additional tables viewed as well (since I don't know if there's NAT'ing going on between all of those networks), so the commands would actually become this (to see all the chains in all the tables; the first line is for the filter table (ex. -t filter)):

    iptables -L -n -v --line-numbers
    iptables -t mangle -L -n -v --line-numbers
    iptables -t nat -L -n -v --line-numbers
    iptables -t raw -L -n -v --line-numbers
    And remember: copy-pasting output from these needs to be in a code block, otherwise spacing and formatting is lost.

    I run Toastman firmware so I could always add a bridge in the GUI and see what additional rules get added, then compare those to yours with kille72's firmware and figure out what's missing.
  38. My Name

    My Name Serious Server Member

    used iptables -nvL --line-numbers and noticed this in iptables under Chain FORWARD (policy DROP 0 packets, 0 bytes)

    4        0     0 ACCEPT     all  --  br0    br0  
    5        0     0 ACCEPT     all  --  br1    br1  
    6       24   960 DROP       all  --  *      *              state INVALID
    7    13644 4904K ACCEPT     all  --  *      *              state RELATED,ESTABLISHED
    8       30  1560 DROP       all  --  br0    br1  
    9        0     0 DROP       all  --  br1    br0  
    10       0     0 wanin      all  --  vlan2  *  
    11     480 39198 wanout     all  --  *      vlan2  
    12      74 17099 ACCEPT     all  --  br0    *  
    Last edited: Mar 13, 2018 at 3:23 AM
  39. My Name

    My Name Serious Server Member

    Code block, have seen it but never done that before.
  40. koitsu

    koitsu Network Guru Member

    Why are rules 1-3 omitted? *squints eyes* I get really peeved when people remove things from their output when asking for networking help. :) If you were to do this on nanog@ or somewhere else, network technicians would immediately stop responding to you. You can XXX out IP addresses and portions of MACs for security.

    Rules 4 and 5 I've laughed about in the past -- they literally do nothing. I've seen these on other firmwares (Shibby?). I have no idea why these get put in place. Note they have 0 for their byte and packet counters.

    Rule 6 is to ensure that packets which lack a state table entry (keep reading) are dropped.

    Rule 7 is to ensure that existing packets in the state table (conntrack, I believe) are respected, i.e. don't sever existing connections if there's a state table entry for them of ESTABLISHED or RELATED state. This rule, understandably, usually has the highest packet/byte counters. Remember that a matching rule (like this one) will trump all lower rules, so rules 8+ wouldn't get analysed if this rule matched.

    For rules 6 and 7, you can read about the different states (INVALID vs. ESTABLISHED vs. RELATED) here (see "User-land states"): http://www.iptables.info/en/connection-state.html

    Rule 8 implies packets originating from a source interface of br0, with a destination interface of br1, are dropped. The packet/byte counters indicate there's been 30 packets that have met this criteria.

    Rule 9 is similar to rule 8, but for br1 --> br0, where packets are dropped. Packet/byte counters show 0, so it hasn't been hit.

    Rule 10 references a generic chain called wanin, matching incoming packets on vlan2 (WAN). You can use the wanin chain to allow/deny things as you see fit. (I use this myself, it's convenient) This isn't an allow/deny rule, this is a chain reference, so for allow/deny you have to see the details of wanin (not just the rules in the chain, but the default state of the chain too; it might be ACCEPT or DROP).

    Rule 11 is similar to rule 10, but for outbound traffic going out vlan2 (WAN).

    Rule 12 permits any inbound traffic on br0, destined to any interface. br0 --> br1 traffic would not reach this rule due to rule 8 above.

    Edit: yeah, the forum ate the code blocks. Fixing. A code block is done like so, replacing open-brace with [ and close-brace with ]:

    your content here

    You can alternately use the forum GUI. Click the "Insert..." icon (it looks like a newspaper) and then pick Code.
    Last edited: Mar 13, 2018 at 2:53 AM
  41. My Name

    My Name Serious Server Member

    root@TendaAC15:/tmp/home/root# iptables -L -n -v --line-numbers
    Chain INPUT (policy DROP 93 packets, 6864 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 ACCEPT     all  --  tun21  *  
    2        0     0 ACCEPT     udp  --  *      *              udp dpt:xxxxx
    3        1   576 ACCEPT     udp  --  br1    *              udp dpt:xxxx
    4        0     0 ACCEPT     tcp  --  br1    *              tcp dpt:xxxxx
    5      749 49493 ACCEPT     udp  --  br1    *              udp dpt:xxxxxx
    6      194  9634 DROP       all  --  br1    *              state NEW
    7       50  2192 DROP       all  --  *      *              state INVALID
    8      413 59554 ACCEPT     all  --  *      *              state RELATED,ESTABLISHED
    9        2    80 shlimit    tcp  --  *      *              tcp dpt:xx state NEW
    10       1   244 ACCEPT     all  --  lo     *  
    11     183 13392 ACCEPT     all  --  br0    *  
    12       0     0 ACCEPT     all  --  br1    *  
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 ACCEPT     all  --  tun21  *  
    2     3124 1211K            all  --  *      *             account: network/netmask: 192.168.xx.0/ name: lan
    3    27317 9487K            all  --  *      *             account: network/netmask: 192.168.xx.0/ name: lan1
    4        0     0 ACCEPT     all  --  br0    br0  
    5        0     0 ACCEPT     all  --  br1    br1  
    6       71  3320 DROP       all  --  *      *              state INVALID
    7    29264   11M ACCEPT     all  --  *      *              state RELATED,ESTABLISHED
    8       36  1872 DROP       all  --  br0    br1  
    9        0     0 DROP       all  --  br1    br0  
    10       0     0 wanin      all  --  vlan2  *  
    11    1034 73137 wanout     all  --  *      vlan2  
    12     150 28305 ACCEPT     all  --  br0    *  
    13     884 44832 ACCEPT     all  --  br1    *  
    Chain OUTPUT (policy ACCEPT 1353 packets, 219K bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    Chain shlimit (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        2    80            all  --  *      *              recent: SET name: shlimit side: source
    2        0     0 DROP       all  --  *      *              recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
    Chain wanin (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    Chain wanout (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
  42. My Name

    My Name Serious Server Member

    root@TendaAC15:/tmp/home/root# iptables -t mangle -L -n -v --line-numbers
    Chain PREROUTING (policy ACCEPT 49496 packets, 16M bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1    24088   14M DSCP       all  --  vlan2  *              DSCP set 0x00
    2        0     0 DROP       all  --  vlan2  *            192.168.xx.0/24
    3        0     0 DROP       all  --  vlan2  *            192.168.xx.0/24
    Chain INPUT (policy ACCEPT 2571 packets, 219K bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    Chain FORWARD (policy ACCEPT 46505 packets, 16M bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1     2893  133K TCPMSS     tcp  --  *      *              tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
    Chain OUTPUT (policy ACCEPT 2226 packets, 355K bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    Chain POSTROUTING (policy ACCEPT 48572 packets, 16M bytes)
    num   pkts bytes target     prot opt in     out     source               destination
  43. koitsu

    koitsu Network Guru Member

    Speaking strictly about the FORWARD chain, as a follow-up to post #1640:

    Rule 1 accepts any inbound traffic on tun21 interface to anywhere. 0 packet counter.
    Rules 2 and 3 are traffic accounting rules for IPTraffic capability and do not affect traffic flow.

    And there's a new rule at the bottom vs. what was in post #1638: rule 13 is similar to rule 12, except that it applies to interface br1 rather than br0.

    I'll edit my previous post to cover rule 6 (I overlooked it).
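    The rule-ordering point koitsu makes in post #33 (a bare `iptables -I` lands the new rule at the top of the chain, ahead of whatever Tomato already put there) and the rule-by-rule reading of the FORWARD chain in posts #40 and #43 can be checked offline with a small first-match simulator. This is an added example, not code from the thread, from Tomato or from any iptables tool: it parses the `iptables -L FORWARD -n -v --line-numbers` text as posted above (with the 0.0.0.0/0 source/destination columns the forum stripped put back, and made-up 192.168.10.0/24 and 192.168.11.0/24 subnets in place of the redacted ones), then walks a NEW br0->br1 packet, its ESTABLISHED br1->br0 reply (Sean B.'s return-traffic point from post #31) and an INVALID packet through the posted chain and through three ways of adding an allow rule: `-A` (append), bare `-I` (top of chain) and `-I FORWARD 8` (just above the br0->br1 DROP). Only interface, protocol, CIDR and conntrack-state matches are modelled; the `Rule`, `Packet`, `walk()` and `add_rule()` names are this example's own.

```python
"""First-match walk of an iptables chain dump (added example, not Tomato code).
Parses `iptables -L FORWARD -n -v --line-numbers` text and walks a packet through
it the way the kernel does: the first matching rule with a terminating target
decides. Interface, protocol, CIDR and conntrack state matches are modelled;
other match extensions and `!` negation are ignored."""
import re
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed from the FORWARD chain posted in this thread; the 0.0.0.0/0
# source/destination columns the forum stripped are put back, subnets are made up.
FORWARD_DUMP = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0
2     3124 1211K            all  --  *      *       0.0.0.0/0            0.0.0.0/0            account: network/netmask: 192.168.10.0/24 name: lan
3    27317 9487K            all  --  *      *       0.0.0.0/0            0.0.0.0/0            account: network/netmask: 192.168.11.0/24 name: lan1
4        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     all  --  br1    br1     0.0.0.0/0            0.0.0.0/0
6       71  3320 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
7    29264   11M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
8       36  1872 DROP       all  --  br0    br1     0.0.0.0/0            0.0.0.0/0
9        0     0 DROP       all  --  br1    br0     0.0.0.0/0            0.0.0.0/0
10       0     0 wanin      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0
11    1034 73137 wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0
12     150 28305 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
13     884 44832 ACCEPT     all  --  br1    *       0.0.0.0/0            0.0.0.0/0
"""

PROTOS = {"all", "tcp", "udp", "icmp"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
Rule = namedtuple("Rule", "target proto in_if out_if src dst match")  # target None: accounting row
Packet = namedtuple("Packet", "in_if out_if proto src dst state")     # state as conntrack sees it


def parse_chain(dump):
    """Return (policy or None, [Rule, ...]) for one chain of -L -n -v output."""
    policy, rules = None, []
    for line in dump.splitlines():
        if line.startswith("Chain "):
            m = re.search(r"\(policy (\w+)", line)        # user chains print no policy
            policy = m.group(1) if m else None
        elif line[:1].isdigit():
            tok = line.split()[3:]                        # drop num, pkts, bytes
            target = None if tok[0] in PROTOS else tok.pop(0)  # empty target column collapses
            proto, _opt, in_if, out_if, src, dst = tok[:6]
            rules.append(Rule(target, proto, in_if, out_if, src, dst, " ".join(tok[6:])))
    return policy, rules


def matches(rule, pkt):
    if rule.in_if not in ("*", pkt.in_if) or rule.out_if not in ("*", pkt.out_if):
        return False
    if rule.proto not in ("all", pkt.proto):
        return False
    for want, have in ((rule.src, pkt.src), (rule.dst, pkt.dst)):
        if want != "0.0.0.0/0" and ip_address(have) not in ip_network(want, strict=False):
            return False
    m = re.search(r"\bstate (\S+)", rule.match)           # -m state --state A,B
    return not m or pkt.state in m.group(1).split(",")


def walk(chains, name, pkt):
    """First match wins. Returns (verdict, 'CHAIN:rule-number' or 'CHAIN:policy')."""
    policy, rules = chains[name]
    for num, r in enumerate(rules, 1):
        if r.target is None or not matches(r, pkt):
            continue                                      # accounting rows count but never decide
        if r.target in TERMINAL:
            return r.target, f"{name}:{num}"
        if r.target in chains:                            # jump; keep walking if the chain returns
            verdict = walk(chains, r.target, pkt)
            if verdict:
                return verdict
    return (policy, f"{name}:policy") if policy else None


def add_rule(chains, name, rule, insert_at=None):
    """insert_at=None is `iptables -A` (append); insert_at=N is `-I CHAIN N`.
    Bare `-I` is N=1: the new rule lands above everything, including rule 6."""
    policy, rules = chains[name]
    rules = list(rules)
    rules.insert(len(rules) if insert_at is None else insert_at - 1, rule)
    return {**chains, name: (policy, rules)}


def demo():
    """Verdicts for a br0->br1 connection under the posted chain and three 'fixes'."""
    chains = {"FORWARD": parse_chain(FORWARD_DUMP), "wanin": (None, []), "wanout": (None, [])}
    new = Packet("br0", "br1", "tcp", "192.168.10.20", "192.168.11.30", "NEW")
    reply = Packet("br1", "br0", "tcp", "192.168.11.30", "192.168.10.20", "ESTABLISHED")
    bogus = new._replace(state="INVALID")
    allow = Rule("ACCEPT", "all", "br0", "br1", "0.0.0.0/0", "0.0.0.0/0", "")
    appended = add_rule(chains, "FORWARD", allow)             # -A FORWARD -i br0 -o br1 -j ACCEPT
    on_top = add_rule(chains, "FORWARD", allow, insert_at=1)  # -I FORWARD -i br0 -o br1 -j ACCEPT
    at_8 = add_rule(chains, "FORWARD", allow, insert_at=8)    # -I FORWARD 8 -i br0 -o br1 -j ACCEPT
    return {
        "posted, NEW br0->br1": walk(chains, "FORWARD", new),       # DROP at rule 8
        "posted, reply br1->br0": walk(chains, "FORWARD", reply),   # ACCEPT at rule 7, never reaches 9
        "-A, NEW br0->br1": walk(appended, "FORWARD", new),         # still DROP at rule 8
        "-I, NEW br0->br1": walk(on_top, "FORWARD", new),           # ACCEPT at rule 1
        "-I, INVALID br0->br1": walk(on_top, "FORWARD", bogus),     # ACCEPT at rule 1: rule 6 bypassed
        "-I 8, NEW br0->br1": walk(at_8, "FORWARD", new),           # ACCEPT at rule 8
        "-I 8, INVALID br0->br1": walk(at_8, "FORWARD", bogus),     # DROP at rule 6, as intended
    }


if __name__ == "__main__":
    for case, (verdict, where) in demo().items():
        print(f"{case:24} -> {verdict} at {where}")
```

    Appending the allow rule changes nothing, because the DROP at rule 8 is still reached first; a bare `-I` allows the traffic but also waves INVALID packets past rule 6, which is the "accepted too early" hazard koitsu warns about; `-I FORWARD 8` (or simply deleting rule 8 if it is not wanted) lets the INVALID and RELATED,ESTABLISHED rules do their work before the per-bridge decision. Whether kille72's build generates rules 8 and 9 from Advanced -> LAN Access is a separate question the thread leaves open; the simulator only shows what the posted chain does with them in place.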
  44. My Name

    My Name Serious Server Member

    root@TendaAC15:/tmp/home/root# iptables -t nat -L -n -v --line-numbers
    Chain PREROUTING (policy ACCEPT 3774 packets, 231K bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 ACCEPT     udp  --  *      *              udp dpt:xxxxxx
    2      133  8600 WANPREROUTING  all  --  *      *        xx.xx.xx.xxx
    Chain INPUT (policy ACCEPT 1392 packets, 93464 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    Chain OUTPUT (policy ACCEPT 402 packets, 27755 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    Chain POSTROUTING (policy ACCEPT 2 packets, 593 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1     1997  128K MASQUERADE  all  --  *     vlan2  
    2        1   328 SNAT       all  --  *      br0     192.168.xx.0/24      192.168.xx.0/24      to:192.168.xx.1
    3        1   340 SNAT       all  --  *      br1     192.168.xx.0/24      192.168.xx.0/24      to:192.168.xx.1
    Chain WANPREROUTING (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 DNAT       icmp --  *      *              to:192.168.xx.1
    Last edited: Mar 13, 2018 at 3:50 AM
  45. My Name

    My Name Serious Server Member

    root@TendaAC15:/tmp/home/root# iptables -t raw -L -n -v --line-numbers
    Chain PREROUTING (policy ACCEPT 14M packets, 13G bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    Chain OUTPUT (policy ACCEPT 375K packets, 269M bytes)
    num   pkts bytes target     prot opt in     out     source               destination
  46. My Name

    My Name Serious Server Member

    Not sure which one that is?

    EDIT: Sorry , misread, thought I was supposed to edit something.
    Last edited: Mar 13, 2018 at 3:21 AM
  47. koitsu

    koitsu Network Guru Member

    I will need several hours to review these rules (specifically INPUT, FORWARD, and OUTPUT) properly, and provide some actual Real World Traffic Scenarios that show you how these rules work under certain scenarios. I can't promise on when I can complete this -- I have health issues and am actively interviewing for full-time work, so I have other priorities.

    I did a write-up of what the FORWARD chain rules represent in post #1640. This would be for traffic going between interfaces (ex. br0 --> br1, br1 --> br0), i.e. traffic forwarded through the router, as well as WAN-bound traffic -- and NOT for traffic directed *at* the router (i.e. a destination address of the router's IP, say, Traffic directed *at* the router would fall under the INPUT chain.

    It would help me if you could provide the exact IP addressing details for br0 and br1 (ex. br0 = or I want to use actual IP addresses and ranges that comply with those CIDRs when giving you examples, to make comprehension easier. I understand this is sensitive, but in multi-network situations like this, it's helpful (I would say critical, especially when state tracking is involved, since state tracking only contains source/destination IP addresses and not associated interfaces).

    TomatoUSB is generating some of its own rules (some through the GUI, some hard-coded) that make understanding the rules more complicated than they need to be. Add more interfaces to the mix, the situation becomes even hairier. KISS principle is quickly lost in complex networks (which this classifies as), which is where one really has to sit down and look at the rules very carefully.
  48. My Name

    My Name Serious Server Member

    Br0 is
    Br1 is

    I appreciate your help. Don't spend a lot of time on it. Things will work out.

    I will probably go back to Toastman since everything worked on it. Biggest reason for upgrade was KRACK fix. All my devices that really matter have been patched for it.

    8       30  1560 DROP       all  --  br0    br1  
    EDIT: Should Rule 8 not be something like ACCEPT or whatever to allow br0 access to br1?

    BTW, this network all came about when I finally understood VLANs and tagged VLANs. It allowed me to use one cat5e cable between the main router (Tenda AC15) and the AP (another Tenda AC15) to get both networks to a wired PC plugged into a LAN port on the AP and get a decent wifi signal in a troublesome wifi area. Worked well on Toastman, just not on @kille72 at present.
    Last edited: Mar 13, 2018 at 3:36 AM
  49. Cliffield

    Cliffield New Member Member

    @koitsu @My Name
    I'm on 2017.3 from kille72 and using "LAN Access" without problems.

    I can access certain defined computers on br1/LAN1/VLAN3 from br0/LAN/VLAN1.
    LAN Access shows:
    On    Src        Src Address        Dst         Dst Address    
    On    LAN                           LAN1
    On    LAN                           LAN1
    On    LAN1                          LAN
    These setting insert following rules in /etc/iptables (and maybe other config-files?):
    -A FORWARD -i br0 -o br1  -d -j ACCEPT
    -A FORWARD -i br0 -o br1  -d -j ACCEPT
    -A FORWARD -i br1 -o br0  -d -j ACCEPT
    For testing purposes I allowed LAN full access to LAN1 under "LAN Access" and after that I could access all the other computers on LAN1 ( etc) from LAN.

    In addition I inserted the following rules in Administration -> Scripts -> Firewall and rebooted:
    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
    I still can reach the computers on the other subnet/vlan.
    Without the rules under "LAN Access" the LAN1 is not reachable from LAN.

    Just my observations, maybe it helps.
    Last edited: Mar 13, 2018 at 3:54 PM
  50. My Name

    My Name Serious Server Member

    @koitsu and @Cliffield
    @Cliffield, thanks, that made some progress. The only thing I can make work under Advanced, LAN Access is as follows:
    On    Src        Src Address        Dst         Dst Address
    On    LAN                           LAN1
    On    LAN                           LAN1
    Using that I can access those two IP addresses from br0 but nothing else.

    Tried the following to no avail.
    On    Src        Src Address        Dst         Dst Address
    On    LAN                           LAN1
    On    LAN                           LAN1
    On    LAN                           LAN1
    Cannot access anything from br0 to br1.

    What did you enter in Advanced, LAN Access to allow LAN full access to LAN1? I have never had to enter anything in the past. It worked by default.

    EDIT: Later discovered I had entered LAN and LAN1 in my previous setup. My error but it did work. Same entry does not work now on this firmware or at least I cannot get it to work.
    Last edited: Mar 13, 2018 at 10:58 PM
  51. sac7000

    sac7000 Reformed Router Member

    Last edited: Mar 13, 2018 at 7:10 PM
  52. Sean B.

    Sean B. LI Guru Member

    Not trying to be insulting, but I've seen people get confused by this several times in the past. So just to be sure, you do know the rule that initially appears in the LAN Access menu is not actually active, right? It's an example rule and is not saved into the list.

  53. Cliffield

    Cliffield New Member Member

    Haha, I am one of those. Happened to me more than once :D

    @My Name
    Here is a working example (tested on 2017.3 kille72)
    1. Basic - Network - Lan

    2a. Advanced - VLAN

    2b. Alternative config

    3. Advanced - LAN Access

    Administration - Scripts - Firewall
  54. My Name

    My Name Serious Server Member

    @Cliffield ,I am on Tomato Firmware 2018.1.031 -beta-kille72 K26ARM USB VPN-64K and not 2017.3 kille72. Not sure that makes a difference.

    My setup is very similar to yours and I have tagged VLANs in addition to port-assigned VLANs. Using this to extend br0 and br1 across my LAN on one cat5e cable. Have done this here before on Toastman and at my remote location on Toastman and it works. Just looked at my remote location running Toastman and it is working and defined as I would expect. I generally do not have issues setting up VLANs and pretty much understand what has to be done.

    Nothing I can do in Advanced, LAN Access other than specify a particular IP address in LAN1 (br1) to access from LAN (br0) and get it to work. Nothing else does on 2018.1.031 -beta-kille72 K26ARM USB VPN-64K, for me anyway.

    I always put the following in Admin, Scripts, Firewall to prevent br1 from accessing br0. It works. Found it long ago over on the DD-WRT forum.
    # Restrict br1 from accessing the WAN subnet (still has internet)
    iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
    # Restrict br1 from accessing the router's local sockets (software running on the router)
    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    # Allow br1 to access DNS on the router
    iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
    iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
    # Allow br1 to access DHCP on the router
    iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
    @Sean B, Yep you are right. On my remote location I do have LAN and LAN1 defined in addition to the default. It works, this one does not. Tired today. Going to give it a rest and start over tomorrow.

    To be clear, the only problem that I am aware of at this moment is I cannot access anything in LAN1 (br1) from LAN (br0). My vlans are OK and working.

    Before someone asks, I did wipe NVRAM after upgrading to 2018.1.031 -beta-kille72 K26ARM USB VPN-64K and all settings were manually entered from that point.
    Last edited: Mar 13, 2018 at 11:03 PM
  55. koitsu

    koitsu Network Guru Member

    I don't know how to phrase this eloquently, so this may be confusing, and for that I apologise.

    One problem with the Scripts -> Firewall rules in post #1653 is that the -m state --state NEW rule will match only packets that aren't currently in conntrack, i.e. "brand new connections" (UDP is stateless, but conntrack tracks it anyway, same with ICMP). Existing/already flowing/established/etc. connections (i.e. ones already existing in the state table) would continue to be permitted, if there were any in the state table.

    What this means is that if prior to using these rules at all (or on a fresh reboot) you had already had traffic flowing between br0 <--> br1 (there very well could be a brief period of time where this could happen), and suddenly didn't want it to flow (by adding those rules to Scripts -> Firewall), that rule *would not* suddenly block that traffic. This could lead to someone saying "I put these rules into place, but it looks like things are still working?" Remember, Tomato tends to have this near the very top of the list:

    Chain INPUT (policy DROP 3941 packets, 272K bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1       28  1568 DROP       all  --  br0    *            {my-wan-ip}
    2     6878  331K DROP       all  --  *      *              state INVALID
    3     372K  101M ACCEPT     all  --  *      *              state RELATED,ESTABLISHED
    4        0     0 ACCEPT     all  --  lo     *  
    5     111K   17M ACCEPT     all  --  br0    *  
    Note rules #3 and #5 above.

    conntrack does have timeouts that you can define/control, but they tend to be very long (especially for TCP). I'd rather not get into a discussion about those if at all possible.

    Removing -m state --state NEW from that line would be sufficient, i.e. block all traffic unless allowed (by the ACCEPT rules subsequently inserted at the top of the chain, as shown, ex. allowing TCP and UDP port 53, and UDP port 67).

    This is one of the most tricky parts of conntrack and netfilter. Having a state table (conntrack) speeds up the firewall greatly (and provides some security too), but you have to understand the caveats. On normal Linux distros, there's a command called conntrack that can let you flush the state table (conntrack -F) but we do not have this on Tomato.

    P.S. -- Those rules are for the INPUT chain, which would apply to traffic being directed at the router directly (i.e. destination IP of the router), and not for packets being forwarded through the router (that would be the FORWARD chain).
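    As an added example (not code from koitsu, My Name, or the Tomato project), here is a small Python model of the INPUT chain quoted above with the four Scripts -> Firewall INPUT lines from My Name's post replayed into it, so the conntrack behaviour koitsu describes can be checked without a router. It models first-match evaluation, chain policy, and a NEW/ESTABLISHED state table; RELATED and INVALID are not modelled. The br1 addresses (192.168.2.0/24), the router address and the pre-existing SSH flow are assumptions constructed for the demonstration.

```python
"""Model of netfilter first-match evaluation with a conntrack state table.

Added example, not from the thread or from Tomato. Shows why
`iptables -I INPUT -i br1 -m state --state NEW -j DROP` leaves flows that
were already in conntrack alone, and what changes when the state match is
removed. Interface names br0/br1 are from the thread; addresses are made up.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

FlowKey = Tuple[str, str, str, Optional[int]]


@dataclass(frozen=True)
class Packet:
    in_if: str            # ingress interface, e.g. "br1"
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    target: str                             # "ACCEPT" or "DROP"
    in_if: Optional[str] = None             # -i
    proto: Optional[str] = None             # -p
    dport: Optional[int] = None             # --dport
    state: Optional[FrozenSet[str]] = None  # -m state --state ...


def flow_key(pkt: Packet) -> FlowKey:
    return (pkt.proto, pkt.src, pkt.dst, pkt.dport)


def classify(pkt: Packet, conntrack: Set[FlowKey]) -> str:
    """NEW if the flow is not yet in the table, ESTABLISHED once it is.
    UDP and ICMP are tracked the same way as TCP (as conntrack does)."""
    return "ESTABLISHED" if flow_key(pkt) in conntrack else "NEW"


def matches(rule: Rule, pkt: Packet, state: str) -> bool:
    return ((rule.in_if is None or rule.in_if == pkt.in_if)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.state is None or state in rule.state))


def evaluate(chain: List[Rule], policy: str, pkt: Packet,
             conntrack: Set[FlowKey]) -> str:
    """First matching rule decides, else the chain policy. An ACCEPTed
    packet creates or refreshes its flow's conntrack entry."""
    state = classify(pkt, conntrack)
    verdict = next((r.target for r in chain if matches(r, pkt, state)), policy)
    if verdict == "ACCEPT":
        conntrack.add(flow_key(pkt))
    return verdict


# Rules 3-5 of Tomato's default INPUT chain as quoted in the thread
# (rule 1, the WAN-IP drop, and rule 2, DROP state INVALID, are omitted).
TOMATO_INPUT = [
    Rule("ACCEPT", state=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", in_if="lo"),
    Rule("ACCEPT", in_if="br0"),
]


def apply_firewall_script(base: List[Rule], stateful_drop: bool) -> List[Rule]:
    """Replay the INPUT lines of the Scripts -> Firewall box. `iptables -I`
    with no index prepends, so the script's LAST line becomes rule 1 and
    the DROP sits below the three ACCEPTs that follow it in the script."""
    chain = list(base)
    for rule in (Rule("DROP", in_if="br1",
                      state=frozenset({"NEW"}) if stateful_drop else None),
                 Rule("ACCEPT", in_if="br1", proto="udp", dport=53),
                 Rule("ACCEPT", in_if="br1", proto="tcp", dport=53),
                 Rule("ACCEPT", in_if="br1", proto="udp", dport=67)):
        chain.insert(0, rule)
    return chain


def scenario(stateful_drop: bool) -> Dict[str, str]:
    """Verdicts for three br1 -> router packets after the script ran: an SSH
    flow already in conntrack, a brand-new SSH connection, and a DNS query.
    Assumed addressing: br1 = 192.168.2.0/24, router = 192.168.2.1."""
    router = "192.168.2.1"
    old_ssh = Packet("br1", "tcp", "192.168.2.50", router, 22)
    conntrack: Set[FlowKey] = {flow_key(old_ssh)}  # existed before the script
    chain = apply_firewall_script(TOMATO_INPUT, stateful_drop)
    new_ssh = Packet("br1", "tcp", "192.168.2.51", router, 22)
    dns = Packet("br1", "udp", "192.168.2.50", router, 53)
    return {"existing_ssh": evaluate(chain, "DROP", old_ssh, conntrack),
            "new_ssh": evaluate(chain, "DROP", new_ssh, conntrack),
            "dns": evaluate(chain, "DROP", dns, conntrack)}


if __name__ == "__main__":
    for stateful in (True, False):
        label = "with --state NEW" if stateful else "without --state NEW"
        print(label, scenario(stateful))
```

    With the state match in place the pre-existing SSH flow is still accepted by the RELATED,ESTABLISHED rule; without it the br1 DROP catches that flow too, while DNS stays reachable because the later `-I` lines land above the DROP. The same prepend-order point applies to the real box: check the result with `iptables -L INPUT -n -v --line-numbers` rather than assuming the rules sit in the order they were typed.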
  56. My Name

    My Name Serious Server Member

    Finally, everything is working for me on 2018.1.031 ARM beta.

    Installed 2018.1.031 ARM beta on a different TendaAC15, wiped NVRAM, entered all my settings manually and everything that I use it for appears to be good.

    Noticed in one of my earlier posts that I had inadvertently exposed the MAC address of the original TendaAC15 so that one will be relegated to testing or whatever in the future.

    Thanks to all you guys for the help.
  57. gazsiazasz

    gazsiazasz LI Guru Member

    My ISP provides PPPoE internet (DIGI HU) at 1000/200Mbps.
    Is there any chance to support HW PPPoE on the Linksys EA6400? Because I have just flashed Tomato on my router and the WAN to LAN speed tops out at ~200Mbps and the softirq in top goes to 50% (which is 100% of one core). However, with the stock firmware it goes above 400-500Mbps.
  58. kille72

    kille72 LI Guru Member

    Try CTF (Cut-Through Forwarding)=ON (without QOS, Bandwidth Limiter etc.)