Tomato Shibby's Releases

Discussion in 'Tomato Firmware' started by shibby20, Feb 26, 2011.

  1. microchip

    microchip Serious Server Member

    Can you revert back to the previous version you ran and see if it happens too?
  2. Roy2001

    Roy2001 Addicted to LI Member

    Yes I have tried to set to 0 a while ago. I just tried again, no difference on my R8000.
  3. Fab Five Freddy

    Fab Five Freddy Serious Server Member

    L2TP Server - Are we missing needed kernel modules from extras?

    I've seen various questions here but no answers. People following a guide on using xl2tpd from entware keep running into a problem with missing kernel modules. They seem to have previously been built, but now are missing from arm_extras.

    Specifically: af_key, esp4, xfrm4_mode_transport.

    I thought perhaps they were built into the kernel now, now that we can use l2tp as a client, but I just tried it, and got an error trying to start "racoon: ERROR: libipsec failed pfkey open (Address family not supported by protocol)"

    The usual googling indicates that this is a problem with af_key not being available.

    Can anyone shed some light on this please?

    @shibby20 ? :)


    ps: The reason I need this (and I assume others do too is that IOS 10 has removed pptp as a VPN client, so l2tp is basically the only option left to us).
  4. ruggerof

    ruggerof Network Guru Member

    Not really, an OpenVPN Connect app is available in the AppStore.
  5. sac7000

    sac7000 Serious Server Member

    The same problem: VLAN-tagged traffic does not work on version 138. I have an ASUS RT-AC68U router; on version 132 it still works well.
    I'll have to check with the corrected vlan.asp.
    Last edited: Nov 11, 2016
  6. RichtigFalsch

    RichtigFalsch Networkin' Nut Member

    Well, I really think it's opposite.
    Humility is an ornament, but I believe you are underestimating the importance of Tomato.
    From my own tests I have done in old WRT54 times, and also from performance comparisons I have seen, Tomato was always much faster in all important aspects than DD-WRT. That's WiFi speed, WAN speed and general UI speed. Also stability- and feature-wise Tomato has always been more attractive to me. And even regarding my experience with current OEM firmwares, I still think that a stable router without Tomato is generally impossible. I have yet to see another firmware, besides Tomato, that has a router in an office running for like 10 years without any single interruption or failure.
    All stock firmwares, OpenWrt and DD-WRT have always been rather bad when I tested them. I don't know about enterprise-grade hardware, but regarding SOHO hardware, decent networking is just not possible without Tomato in my opinion.
    Tomato is much more than just a UI to me. And I think that's the same for many people.
    Toastman, Techie007, Mercjoe and 2 others like this.
  7. rickmav3

    rickmav3 Serious Server Member

    Anyone with R8000 on latest 1.38 can confirm:
    • is Internet LED light not working, stays off?
    • is JFFS not working, not getting mounted / formatted and says Stopped?
  8. sigmaris

    sigmaris Serious Server Member

    All the modules you mentioned are in the 'ipsec' directory in the arm-extras.tar.gz for version 138, they were missing for a few builds but they're back in the latest builds. I have an L2TP+IPSec VPN running on version 138.
  9. RichtigFalsch

    RichtigFalsch Networkin' Nut Member

    Does anyone have the Netgear R7000 working in 2,4GHz WiFi client mode with the latest version?
    I just can't get mine to connect.
    Also I have big trouble getting at least a working Access Point mode in 5GHz, as it won't work without manually modifying some region-related NVRAM settings.
    Simply changing the region to Germany or EU using the UI will result in buggy 5GHz support (like not using the selected channel, no 80MHz bandwidth ...).
  10. simmox1

    simmox1 Reformed Router Member

    In my house I have devices from various countries, Japan, USA and Australia.
    Each of these countries have different wifi channels and frequencies that are allowed and are often hardcoded into the device for the country they are sold in.

    If you switch your country on the NVRAM settings, you still need to choose a frequency that your devices are allowed to use. Also some devices can not use 40/80 width mode.

    There is this table, that shows which frequencies you can use. You should pick one in your region and set it to 20MHz, see if you can connect, and then try 40, then 80.

    I think channels 36, 40, 44, 48 are the most compatible. Do not use Auto mode.
  11. RichtigFalsch

    RichtigFalsch Networkin' Nut Member

    I want to use allowed frequencies for germany.
    (Channel 56, 5,280GHz 80MHz) I have set Germany for region in advanced wireless options.

    I wonder about:
    What do you mean by hardcoded? Is it in the CFE? Because I have flashed the custom CFE from XVortex, so there's a recover feature. In this CFE I didn't set the region (as it would have been possible with a windows tool that modifies the CFE image) But in XMerlin for R7000 it says, that CFE region values aren't used by XMerlin at all.
    So some important questions are:

    -Does Tomato use CFE region settings at all?

    -And if it does: What region codes are supported?

    -Why do my wireless settings work with nearly any region setting besides EU/Germany, although they are regulatory conform?

    Thank you
  12. blackjackel

    blackjackel LI Guru Member

    running RT-AC56U with shibby 136 tomato-RT-AC56U-ARM--136-AIO-64K

    The 5ghz band won't let me set it to "AC", only Auto, A, or N.

    Does tomato not support AC for the AC56U in particular? Does tomato force you to use "Auto" to use AC? Or is there some setting I'm missing?
  13. AndreDVJ

    AndreDVJ Addicted to LI Member

    As far as I know, region settings such as Wi-Fi channels come from the wireless driver. In 2.4Ghz per example, Brazil goes up to channel 13, and USA to 11.

    Keep Auto if you want to have AC speeds. I have (finally) a TP-Link T9E card, and it is working well.

  14. sac7000

    sac7000 Serious Server Member

    Shibby, bring back the old WiFi drivers. The new 139 build's driver, the one AndreDVJ offered from Netgear, is poor, with low speed.
  15. srouquette

    srouquette Network Guru Member

    You need to use an 80MHz channel width to reach the speed. Other features, like beamforming, are enabled by default.
    If you can't select 80, change the country in advanced settings.
  16. blackjackel

    blackjackel LI Guru Member

    So there is no way to ONLY run AC? You MUST run it with N compatibility?

    I did change it to 80, but wireless network mode is still "N" "A" or "Auto". I can't select AC.
  17. simmox1

    simmox1 Reformed Router Member

    I understand that you want to use channel 56, and your router can use channel 56; the problem is that your phones/tablets/PC NIC may be hard-coded not to allow that frequency. I know for a fact my Japanese phone can not see anything other than the 4 I listed before. You should try some lower channels if they are listed as an option for Germany and see if your devices can see them then.
  18. RichtigFalsch

    RichtigFalsch Networkin' Nut Member


    Well, I can actually use and connect to the router, but only after modifying NVRAM region settings by hand. It won't work if I select the correct region in the UI. If I just set Germany or EU in the UI, then the router will still offer channel 56 (and some more of course), but it will always use channel 6 and 40MHz, no matter what selection I make.

    That's the output of the region related settings I have done:

    root@tomato:/tmp/home# nvram show|grep country
    size: 41779 bytes (23757 left)

    It's working this way.
    wl0 is 2,4Ghz and it is working ok, if DE is selected.
    wl1 had to be set to rev 13 and country code US. When I start from default Tomato settings and just change the region to EU or DE using the user interface, then wl1_country_rev will stay at 12 and it won't work. Also some other settings weren't changed by the UI (I forgot which one).
    So I think there probably is a bug in Tomato's drivers or Tomato's defaults regarding the EU / DE region. The router was completely fresh and reset and still got these problems. Remember: Channel 56 at 80MHz is supposed to be valid in the DE region.
  19. blackjackel

    blackjackel LI Guru Member

    Does anyone know if another shibby release is imminent? It looks like he releases every 2 months but the past release was 3.5 months ago... I just got a new router and my old settings are going to take a good half an hour to copy to the new router, if there's a new release imminent I'm willing to wait to get the latest release version instead of copying all the settings over only to have another release come out within a week
  20. simmox1

    simmox1 Reformed Router Member

    Try setting the region to United Kingdom, they use similar frequencies and you might not have an issue.
    You can find a list of wifi frequencies and allowed transmission power here.

    Edit: If you check this list, 56 is allowed for "Indoors / DFS / TPC". So you may have issues. Please try setting it to one of the top 4 channels, 36, 40, 44, 48. I can't understand why you can't use one of these channels and why you must have 56.
  21. Fab Five Freddy

    Fab Five Freddy Serious Server Member

    Thanks. I thought I had downloaded all the arm-extras but I guess I'd only thought I should do that. I guess I'll have to upgrade to 138....

    Can I ask what stack you are running? As far as I can tell, I'll have to use NETKEY + racoon + l2tp, as KLIPS needs a kernel patch.
  22. simmox1

    simmox1 Reformed Router Member

    He posted a little while back, he said he's been busy and he'll get back onto it soon.
  23. DEXTER

    DEXTER Reformed Router Member

  24. The Master

    The Master Network Guru Member

  25. microchip

    microchip Serious Server Member

    we can't predict, but since they published the datasheets we may see improved support for these chips on Linux. If Cypress follows through on what BCM did, Tomato should be in no big trouble. If they radically begin changing things, including the SDKs, we may be in trouble
  26. RMerlin

    RMerlin Network Guru Member

  27. BuTbk@

    BuTbk@ New Member Member

    Shibby, can you add support HTTPS in curl? On rt-n66u 138 It doesn't work. Thanks!
  28. koitsu

    koitsu Network Guru Member

    I don't know about Shibby's stuff (particularly offering curl -- if so, that's new to me), but Busybox wget supports SSL, including the Busybox patches for the TLS SNI header (how I know: I'm the author of said patch).

    curl requires full OpenSSL API support (i.e. the full library) for SSL to work, from compile-time. The reason Busybox wget works without the full library, and only with the openssl executable, is because it relies on the s_client sub-command (acting as a SSL/TLS wrapper around the actual HTTP payload). curl doesn't work this way.

    So in short, if you need HTTPS support in curl, I suggest installing the curl package from Entware-ng (or possibly the Optware bits in Shibby can install the same thing for you; I don't run Shibby so I'm unsure).
    Malakai and BuTbk@ like this.
  29. BuTbk@

    BuTbk@ New Member Member

  30. joksi

    joksi Serious Server Member

    Hi, I'm very curious about your setup. I have version 138 also (ARM), and have tried to set up both L2TP with xl2tpd and/or racoon. I have also tried IPsec strongSwan site-to-site, but nothing seems to work.
    Racoon complained about AES missing (maybe aes.ko, which I can't find in extras..) and strongSwan just acts like it's looping with some errors...

    I sure would appreciate some assistance from you! :)
  31. maurer

    maurer LI Guru Member

  32. joksi

    joksi Serious Server Member

    Okay, thanks for the suggestion.
    However, I cannot seem to make it work. I have opened all ports and even tried from my phone locally on the LAN IP. It won't connect. The server is up and configured with the server manager, and the ports are open because I've tested from a port scanner.
  33. maurer

    maurer LI Guru Member

  34. joksi

    joksi Serious Server Member

  35. eangulus

    eangulus Network Guru Member

    Just wondering what the known issues with RT-AC3200 are at the moment. Trying to decide on either 132 or 138.

    In particular, I am aware of the RT-AC68U having QoS issues on anything above 132, is this the same as the RT-AC3200.

    Also, Shibby might be a good idea to list the known issues in your changelog. May then reduce questions like mine being asked.
  36. jflash101

    jflash101 New Member Member

    Hi all, Would anyone be able to point me to docs which would help me to:
    1) multihome the wan
    2) allow dual wan with usage as follows:
    use wan 1 as passthru to allow clients on wl0 and wl1 to be public (bridged, no dhcp no nat)
    use wan 2 as vpn client (allowing anyone connected to wl2 and wl0.1 to route all traffic via the vpn)
    The only use i have for the actual ethernet ports is wan connectivity to my broadband modem.

    I would rather multihome the wan port but i do not mind using wan and an ethernet port as 2 separate connections to my broadband modem which is currently bridged to my netgear r8000.

    I have been using shibby and support him for years. previously i had this setup working but i messed up my config and I can not figure out what i did way back then to make this work. I was using multiple wan ports but the routing is evading me this time.
    Last edited: Nov 22, 2016
  37. jflash101

    jflash101 New Member Member

    As a work around I tried creating:
    BR1 has physical ports 3 and 4 in it, no DHCP. (as this is flat it should pass along any DHCP request from the ISP to wired or wireless clients)
    BR0 has physical ports 1 and 2 and is default, it has DHCP and works.
    Eth1 and eth2 are currently attached to BR0 (lan)
    Eth3 and WL0.1 is currently pointed to BR1 (lan 1)

    I have plugged my modem into physical port 4
    Port 3 connects to WAN (this works)

    The result:
    wan gets a public ip, and routes (natted ip for all lan)
    lan1 which is the initial ingress point does not seem to pass the ISP dhcp packets to the radios as lan1 connected devices are not getting an IP as I would expect them to.

    it looks like i still need to figure out how to do the routing and create a 2nd wan ( i know how to create a 2nd wan but as both wan are dynamic i do not understand how to get wan1 to route only to lan and wan2 to route only to lan1)
    The point is still to use the same ISP for 2 separate connections: 1 connection for dedicated VPN (my job is work-at-home with VPN to the office) and the second connection strictly for home internet use.
    Last edited: Nov 22, 2016
  38. jflash101

    jflash101 New Member Member

    Also, has anyone noticed with the virtual wireless on 138 Netgear r8000 that security no longer works and windows pc's are no longer able to connect it?
  39. Fab Five Freddy

    Fab Five Freddy Serious Server Member

    Hey Joksi...I literally just got this working yesterday.

    I used this

    I basically followed it from start to end...but I was using 132 not 138 (though I don't have an AES kernel module loaded either, nor is it in the 132 arm-extras)

    It uses racoon (packaged as ipsec-tools) and xl2tpd (plus the ppp package, which it depends on)

    I too tried strongswan, openswan, racoon and xl2tpd...with all the ipsec.d/racoon/xl2tpd files and directories created with my attempts, I finally got it working by just opkg remove'ing all the packages, removing their /opt/etc/ files and directories (after backing them up), and just installing ipsec-tools and xl2tpd (which pulls in ppp), and then following the howto above from scratch again.

    I made 2 changes to the post_firewall script. The first one was that I didn't like the fact that you needed an exact match on the iptables -L output when grepping for the udp port 500 rule, so I changed it to this:

    iptables -L INPUT | grep "ACCEPT.*udp.*anywhere.*anywhere.*udp dpt:500$" > /dev/null

    The second was the part where he moves the logdrop rule. I'm not sure if this even applies anymore, as my version (132) of the INPUT chain has no logdrop rule, but it may get added depending on whether you have some other feature of Tomato enabled. If it's still there, the code in post_firewall will not work to move it, as it's just wrong. (Its grep string is based on the output of iptables-save, not iptables -L. We can't use iptables-save because it's not part of Tomato. It looks like he tried fixing it, so he used iptables -L, but the output is entirely different from iptables-save, so the grep will always fail, even when it should be true (in the event that there is a logdrop rule there).)

    Also, it's much easier to use --line-numbers for iptables -L, to get the specific rule you want to drop.

    iptables -L INPUT | grep "logdrop" > /dev/null
    if [ $? = 0 ]; then
        # Get the number of the logdrop rule in the INPUT chain
        RULENUM=`iptables -L INPUT --line-numbers | grep 'logdrop' | cut -f 1 -d ' '`
        # Delete the logdrop rule from the INPUT chain
        iptables -D INPUT $RULENUM
        # Re-add the logdrop rule at the end of the INPUT chain
        iptables -A INPUT -j logdrop
    fi

    One thing to watch out for in the chap-secrets file is using some punctuation in the fields...don't use a hash (#) in your password or username, as it is interpreted as a comment. It might also not like quotes (single or double)

    One other thing: I tested it by coming from outside the network on the WAN side...not sure if it even would work coming from inside the LAN...I just set up the l2tp VPN on my iphone and turned off wifi, so I would be using the cell data only, and got it working like that.

    Hope this helps. Feel free to ask me any questions. Might be a couple of days before I can respond though as my wife is just going into labor...

    At least I'll be able to l2tp into my router while I'm at the hospital....
    Last edited: Nov 23, 2016
    koitsu likes this.
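    As an added example from the editor, not code from this thread, from Tomato, or from the howto Fab Five Freddy followed, here is a post_firewall fragment that does the same job as the snippet above but idempotently: it only inserts the udp/500, udp/4500, ESP and udp/1701 accepts when they are missing, keeps udp/1701 limited to packets that arrived inside an IPsec SA, and moves every logdrop jump to the end of INPUT by rule number, deleting highest-numbered first so the remaining numbers stay valid. The port list, the logdrop chain name and the availability of the xt_policy match are assumptions. The existence checks read the numeric listing (iptables -L INPUT -n --line-numbers), so they do not depend on the "anywhere" name lookups the grep above relies on.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomato: an idempotent
# post_firewall-style fragment for an L2TP/IPsec server on the router.
# Assumptions: udp/500 (IKE), udp/4500 (NAT-T), ESP and udp/1701 are what
# racoon and xl2tpd listen on, the logdrop chain exists when Tomato logging
# is on, and the xt_policy match is available (it is what keeps udp/1701
# closed to unencrypted L2TP). Busybox sh, awk, grep and sort suffice.

IPT="${IPT:-iptables}"

# Numeric listing of INPUT with rule numbers (no "anywhere" name lookups).
list_input() { "$IPT" -L INPUT -n --line-numbers; }

# True if INPUT already ACCEPTs <proto> to dport <port>.
input_accepts_dport() {   # $1 = proto, $2 = port
    list_input | grep -q "^[0-9]* *ACCEPT *$1 .*dpt:$2\$"
}

# True if INPUT already accepts ESP (IP protocol 50).
input_accepts_esp() {
    list_input | grep -q "^[0-9]* *ACCEPT *esp "
}

# Rule numbers of every logdrop jump in INPUT, highest first, so deleting
# them one by one never invalidates a number still to be used.
logdrop_rulenums() {
    list_input | awk '$2 == "logdrop" { print $1 }' | sort -rn
}

# Insert at the top of INPUT only when an equivalent accept is missing.
ensure_udp_accept() {   # $1 = port, any extra match args follow it
    port="$1"; shift
    input_accepts_dport udp "$port" && return 0
    "$IPT" -I INPUT -p udp --dport "$port" "$@" -j ACCEPT
}

ensure_esp_accept() {
    input_accepts_esp && return 0
    "$IPT" -I INPUT -p esp -j ACCEPT
}

# Move the logdrop rule(s) to the end of INPUT so they stay last after our
# inserts. Prints the number of rules moved.
move_logdrop_last() {
    moved=0
    for n in $(logdrop_rulenums); do
        "$IPT" -D INPUT "$n" && moved=$((moved + 1))
    done
    [ "$moved" -gt 0 ] && "$IPT" -A INPUT -j logdrop
    echo "$moved"
}

apply_l2tp_ipsec_rules() {
    ensure_udp_accept 500
    ensure_udp_accept 4500
    ensure_esp_accept
    # L2TP itself only from packets that arrived inside an IPsec SA.
    ensure_udp_accept 1701 -m policy --dir in --pol ipsec
    move_logdrop_last >/dev/null
}

# Only touch a live firewall when invoked with --apply, so the file can be
# sourced for offline checks. In Tomato's Firewall script box call
# apply_l2tp_ipsec_rules directly instead of relying on this guard.
if [ "${1:-}" = "--apply" ]; then
    apply_l2tp_ipsec_rules
fi
```

    Paste the functions into Administration > Scripts > Firewall and end with a bare call to apply_l2tp_ipsec_rules. If xt_policy is not in your build the 1701 rule will fail to insert; do not simply drop the match to make it go in, since that exposes plain, unauthenticated L2TP to the WAN.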
  40. marirs

    marirs Network Newbie Member

    I'm having a strange problem. When there is lan traffic, my wan traffic is severely slowed down. So I have two computers plugged into my RT-AC68, computer A is connected using 1000M, and computer B is connected using 100M. When transferring files from A to B, wan traffic on A is slowed down, and all wlan traffic is affected as well (my laptop cannot connect to A anymore). Pause the file transfer and problems go away.

    Anyone have any ideas on what's going on?

    edit: ok, so it might only be an issue with computer A, because traffic from laptop to computer C doesn't get affected. Perhaps some sort of QoS on Windows 10? Strange that A is on 1000M, so a 100M transfer should not affect it at all....
    Last edited: Nov 24, 2016
  41. koitsu

    koitsu Network Guru Member

    There are several possibilities for this, including "stuff" inside of Windows (I have no experience with 10 or 8, only 7 and below), but most of the situation (I would think) would relate to NIC driver/adapter settings. Relevant settings I can think of would be Flow Control, Interrupt Moderation, as well as any kind of "power savings" (commonly called "Green Power"). If you want to rule these out, purchase an Intel Gigabit CT Desktop Adapter (PCIe version) and move over to it and see if the problems continue. Most of the "on-board" NICs tend to be garbage (Realtek and Atheros are common offenders, and another is a "gamer NIC" (a.k.a. "Killer NIC")).
  42. joksi

    joksi Serious Server Member

    I had this problem on R6250 too. For some reason, it works when changing to random MAC addresses on the virtual wireless interface.
  43. jflash101

    jflash101 New Member Member

    Thank you. I will try that.
  44. joksi

    joksi Serious Server Member

    Thank you for your detailed answer!
    Very strange that it didn't work for me, I used the same tutorial. I can also see in the tutorial that he's using TomatoMultiWAN 132, so a later version than yours.

    However, I think I have succeeded with SoftEther VPN server now, and I like that it really does a real bridge, so when I connect it's like I'm actually in the same subnet and Tomato DHCP assigns the IP, compared to PPP-interface point-to-point routing.
  45. remlei

    remlei Networkin' Nut Member

    I got the older MT-based Intel NIC (PCIe version, and also a PCI-X version of the card that was installed on another machine). It's a dual-port gigabit and it works fine on Windows 10 AU 64-bit, no drivers needed since Windows already has one since Windows 7.

    PS: bought these cards used on eBay; these are server cards, not the desktop cards.
  46. koitsu

    koitsu Network Guru Member

    The 2nd sentence essentially destroys the credibility of the first, as does this and this and this (search for EXPI9301CTBLK in the latter). In other words: Intel provides native Windows 10 drivers for the EXPI9301CT and EXPI9301CTBLK (the "BLK" means "bulk") to Microsoft per WHQL and they're included in the base installation (they don't include the PROSet utilities, but those aren't needed/relevant right now). They've done this since Windows 7 (possibly Vista). Not to sound rude, but while I understand your point/concern, I don't want the thread to become "how to provide support for Windows" discussion material (call Microsoft or call Intel Support (pick Intel Network Connectivity): that's what they're there for!).
  47. mkdirect

    mkdirect New Member Member

    FYI, just experienced a sort of similar problem w/ Virtual Wireless, 138 on R7000. I tried WPA2 on the new virtual wl0.1, but Windows couldn't connect. Initially when I tried to set WPA2 on the wl0.1 page and returned to Overview, when I tried to save, I got some parse error for a wl_ ... environment variable. Sorry, don't remember which. Can't reproduce. Erased NVRAM and tried again. Was able to set WPA2, but still couldn't connect w/ Windows tablet. So tried WPA with TKIP+AES, and that worked. After reading this post, I set the wl0.1 encryption back to WPA2 TKIP+AES and re-saved, and now it works. Didn't get any wl_ variable error on save.

    I had initially tried AdvancedTomato 3.3-138, but couldn't create a Virtual Wireless wl0.1 with it, so dropped back to Shibby-138 without deleting NVRAM. Took the risk thinking both versions would essentially have same vars. Guess I was wrong and should have erased NVRAM like I eventually did.... Chalking this up to not erasing NVRAM after re-flashing to Shibby-138.

    Only posted this to note that I had 138 problem connecting with WPA2 but seemed circumstantially related to NVRAM settings issue.
  48. Boki007

    Boki007 Network Newbie Member

    Hi, i need your help guys.Please.
    I have an old WRT54GL router, which I have successfully flashed with Tomato Shibby latest release v138 and K26. It seems to work fine. But there is something odd. I use this router as a wireless client and when I select the wireless client option, the security options WPA Personal and WPA2 Personal become greyed out and I am unable to select them. Only mixed mode WPA/WPA2 Personal may be selected. It seems that everything works ok, but these greyed options: are they supposed to be greyed out or is this a bug? I would rather select WPA2 Personal if it was available. Any ideas?

    Thank you for your help.
  49. Wolfer

    Wolfer Network Newbie Member


    I am running Tomato Firmware 1.28.0000 -129 K26ARM USB AIO-64K
    Name TomatoUSB
    Model Netgear R6300v2 (Really a Netgear AC1450)
    Chipset ARMv7 Processor rev 0 (v7l)

    I have three (Virtual) Wireless Interfaces (wl0, wl1, wl0.1) and I would like to use MAC Filtering (or something that would accomplish the same result) in order to block access for certain clients on a particular (Virtual) Wireless Interface, but not on all of them.

    In dd-wrt, I am able to accomplish this through Wireless MAC Filtering which has a separate MAC Filtering list for each connection (ath0, ath0.1, ath0.2)

    I haven't succeeded at doing the same in Tomato

    I also tried entering the following commands in the Firewall Scripts:
    iptables -I INPUT -i wl0 -m mac --mac-source [MAC ADDRESS] -j DROP
    iptables -I OUTPUT -o wl0 -m mac --mac-source [MAC ADDRESS] -j DROP
    but that did not successfully block access to the WLAN for the particular device

    I would appreciate any advice on how to make this work in Tomato

  50. tothjsz

    tothjsz Connected Client Member

    The solution is:

    Tools - System Commands - insert this into "Command" box - Execute:

    nvram set wl0.1_macmode=disabled (it will switch off the mac filter for wl0.1)
    nvram commit

    Instead of reboot, you can use: Advanced - Wireless - Save.

    BR, Szabi
    wistlo likes this.
  51. Wolfer

    Wolfer Network Newbie Member

    Thank you so much, that worked, fantastic

    I had a few follow up questions:

    1) When I checked the NVRAM macmodes, I received the following information:
    size: 37827 bytes (27709 left)
    So I see that your command suggestion successfully disabled the MAC filter for wl0.1
    My question is what is the "wl" at the beginning of the list?

    2) Advanced > Wireless > Save ensures that the command survives a reboot?

    3) Any time I Save the MAC filter (like when I add another MAC address), it resets the settings of all the WLANs to whatever the current setting is in the MAC Filter and I lose the command bypass that I entered into Tools > Commands. Should I be entering the code:
    nvram set wl0.1_macmode=disabled
    nvram commit
    into Administration > Scripts > Firewall in order to ensure that it overrides a MAC Filter Save?

    Thank you again for your help in advance
  52. compile

    compile New Member Member

    I think I messed up. My roommate updated our RT-N66U to the latest Asus firmware and I can't install Shibby's build anymore. Is there anything I can do, should I goat punch his nuts?
  53. kille72

    kille72 LI Guru Member

    Try update from ASUS Firmware Restoration Utility.
  54. Fab Five Freddy

    Fab Five Freddy Serious Server Member

    The reason the iptables rules did not work is because you used the INPUT/OUTPUT chains instead of the FORWARD chain. The INPUT/OUTPUT chains only correspond to traffic bound for the router (a local process) or coming from the router (a local process), not passing between interfaces. The FORWARD rule applies between interfaces.

    You would have successfully stopped it from pinging the router or pinging from the router though...or accessing the web ui.

    Monk E. Boy likes this.
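    An added example from the editor, not code from this thread or from Tomato, showing the FORWARD-chain version of what Wolfer tried. Two details the exchange above leaves implicit: the mac match is only valid in PREROUTING, INPUT and FORWARD, so the OUTPUT rule in the original attempt is rejected by iptables outright; and a bridged wireless interface (wl0, wl0.1) is not what netfilter sees as the in-interface of a routed packet, the bridge it belongs to is (br0, br1...), so the rules below match on the bridge. That assumes the SSID you want to police has its own bridge, as in the multi-bridge setups in this thread; telling two SSIDs on one bridge apart would need the physdev match, which the example does not rely on. MAC filtering is a convenience control, not a boundary: a client that changes its MAC walks straight past it, and traffic between clients on the same bridge never reaches iptables at all.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomato: block listed client
# MACs from being forwarded off one bridge (e.g. the bridge holding a guest
# VSSID), for Tomato's Administration > Scripts > Firewall box.
# Assumptions: the VSSID sits in its own bridge (br1 here); the mac match is
# used only in FORWARD/INPUT where it is valid. MAC filtering is bypassable by
# spoofing and does not affect client-to-client traffic within the bridge.

IPT="${IPT:-iptables}"

# Accept aa:bb:cc:dd:ee:ff in either case; reject anything else.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Lower-case so the installed rule text is stable across saves.
norm_mac() { printf '%s\n' "$1" | tr 'A-F' 'a-f'; }

# block_macs_on_bridge <bridge> <mac>...: one FORWARD DROP per valid MAC,
# inserted at the top so it wins over Tomato's own accept rules.
# Prints the number of rules installed; returns 1 if any MAC was malformed.
block_macs_on_bridge() {
    br="$1"; shift
    installed=0; bad=0
    for mac in "$@"; do
        if ! valid_mac "$mac"; then
            echo "skipping malformed MAC: $mac" >&2
            bad=1
            continue
        fi
        mac=$(norm_mac "$mac")
        "$IPT" -I FORWARD -i "$br" -m mac --mac-source "$mac" -j DROP \
            && installed=$((installed + 1))
    done
    echo "$installed"
    return "$bad"
}

# Also keep the same clients away from the router itself (web UI, DNS, SSH).
block_macs_from_router() {
    br="$1"; shift
    for mac in "$@"; do
        valid_mac "$mac" || continue
        "$IPT" -I INPUT -i "$br" -m mac --mac-source "$(norm_mac "$mac")" -j DROP
    done
}

# Example use (MACs are made up). Uncomment in the Firewall script box:
# block_macs_on_bridge   br1 00:11:22:33:44:55 66:77:88:99:aa:bb
# block_macs_from_router br1 00:11:22:33:44:55 66:77:88:99:aa:bb
```

    Because the rules live in the firewall script, they are re-applied every time Tomato rebuilds the firewall, which sidesteps the MAC Filter page overwriting per-interface settings on Save. Check what got installed with iptables -L FORWARD -n --line-numbers.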
  55. simmox1

    simmox1 Reformed Router Member

    Download the RT-N66U tomato firmware.
    Get into recovery mode.
    On your PC, set your ethernet adapter IP to static subnet
    Connect your PC to one of the router's LAN ports.
    Open your browser, go to
    Upload the tomato firmware.
    Go away for 60 minutes, watch a movie, get out of the house, but do not interrupt it, even if you think it's failed.
    You should be able to see the tomato login prompt after that time, you can then put your ethernet adapter back to DHCP.

    *How to enter in RESCUE mode:
    Power off the router. Hold the RESET button and power on the router; keep holding RESET until the LED begins flashing slowly, release the RESET button and you are now in rescue mode.
    wistlo, STEVEN HOLTON and NanoG6 like this.
  56. William Clark

    William Clark Serious Server Member

    Hi everyone,

    I am using Tomato Firmware 1.28.0000 -138 K26ARM USB AIO-64K, and in the logs there are a lot of these errors:
    My router is Netgear R7000

    Nov 30 19:39:53 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)
    Nov 30 19:40:47 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)
    Nov 30 19:40:47 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)
    Nov 30 19:42:01 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)
    Nov 30 19:45:48 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)
    Nov 30 19:45:48 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)
    Nov 30 19:50:59 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)
    Nov 30 19:51:01 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)
    Nov 30 19:55:21 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)
    Nov 30 19:57:00 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)
    Nov 30 19:59:38 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)
    Nov 30 19:59:59 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)

    I am using DNSCrypt with the resolver:
    even if I change the resolver, the problem is still there!

    Any help would be great.
  57. srouquette

    srouquette Network Guru Member

    I'm getting this when I'm getting disconnected.
    I don't know yet if it's coming from my provider or the router. The local network still works, but I lose internet connection for a few minutes.
    William Clark likes this.
  58. koitsu

    koitsu Network Guru Member

    @William Clark This looks to be caused by either Internet connectivity issues (i.e. something with your WAN/uplink), general Internet problems, or load issues at wherever the resolver is. The recurring nature of the log entries is often caused by dnsmasq re-issuing queries due to its own timeouts. Scenario: dnsmasq issues a DNS lookup to dnscrypt-proxy, dnscrypt-proxy issues the request and it takes too long + logs "resolver timeout", dnsmasq notices the same timeout and re-attempts to resolve the same thing, rinse lather repeat.

    The information about this behaviour I got here -- please note the OP's description of what he/she does to induce the "resolver timeout" problem (hint: they disconnect their WAN):

    The timeout interval for both TCP and UDP in dnscrypt-proxy is 10 seconds by default. In Tomato, this default remains in effect (it is not overridden). The timeout is also non-configurable; it can only be set at compile-time, not run-time. (I verified all this by looking at the dnscrypt-proxy code).

    That said: the logging message is level LOG_DEBUG (it uses syslog), which means it may be possible to squelch by simply decreasing the verbosity of the logging level (and that CAN be done at run-time through the --loglevel or -m dnscrypt-proxy flag). I don't know what other logging information in dnscrypt-proxy might be omitted as result, however. Tomato appears to let you configure the logging level in the GUI: the Tomato default appears to be 99. A log level value of 7 or higher will result in LOG_DEBUG. The dnscrypt-proxy default for loglevel is 6 (LOG_INFO). So, in the Tomato GUI, change Log Level: 99 to Log Level: 6, Save, and then see how things look (they should look better). (Note to other Tomato devs: this 99 default is silly. We should really have chosen the dnscrypt-proxy default of 6. I understand for testing it's useful to increase it to 7 or higher, but this is what we pushed out to users! :/)

    Note that if the timeouts are in fact being caused by an ISP or WAN/uplink issue, then all this is just an effect of the real problem. We can't help you diagnose or troubleshoot that.
    William Clark likes this.
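    As an added example from the editor (not code from the thread, Tomato or dnscrypt-proxy), a small triage script for the log pattern koitsu describes. The sample lines are the ones William Clark posted; the script separates timeouts spread over time, which point at the uplink or the resolver, from several timeouts inside one second, which is the dnsmasq re-query pattern explained above. Run it against the real log with: logread | timeout_bursts 2 (or cat /var/log/messages | ...).

```shell
#!/bin/sh
# Added example, not from the thread: triage of dnscrypt-proxy
# "resolver timeout" entries in a Tomato syslog. Works with busybox awk,
# grep and sort; reads the log on stdin.

# The twelve lines from the post, kept inline so the functions can be
# exercised offline.
sample_log() {
    cat <<'EOF'
Nov 30 19:39:53 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)
Nov 30 19:40:47 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)
Nov 30 19:40:47 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)
Nov 30 19:42:01 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)
Nov 30 19:45:48 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)
Nov 30 19:45:48 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)
Nov 30 19:50:59 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)
Nov 30 19:51:01 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)
Nov 30 19:55:21 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)
Nov 30 19:57:00 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)
Nov 30 19:59:38 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)
Nov 30 19:59:59 unknown daemon.debug dnscrypt-proxy[6837]: resolver timeout (UDP)
EOF
}

# Total number of timeout lines.
timeout_total() {
    grep -c 'dnscrypt-proxy\[[0-9]*\]: resolver timeout'
}

# Seconds between the first and the last timeout, computed from HH:MM:SS
# (field 3 of a syslog line) so it works without date +%s.
timeout_span() {
    awk '/dnscrypt-proxy\[[0-9]+\]: resolver timeout/ {
             split($3, h, ":"); s = h[1] * 3600 + h[2] * 60 + h[3]
             if (first == "") first = s
             last = s
         }
         END { print last - first }'
}

# Print "HH:MM:SS count" for every second holding at least $1 timeouts
# (default 2): more than one per second is the re-query storm, not the link.
timeout_bursts() {
    awk -v min="${1:-2}" '
        /dnscrypt-proxy\[[0-9]+\]: resolver timeout/ { n[$3]++ }
        END { for (t in n) if (n[t] >= min) print t, n[t] }
    ' | sort
}
```

    For the posted sample this reports 12 timeouts over 1206 seconds with two bursts (19:40:47 and 19:45:48). A handful of spread-out timeouts per hour with short bursts is what a briefly unreachable resolver looks like; if the uplink is the problem, the bursts will coincide with WAN drops in the same log. Dropping the dnscrypt-proxy log level to 6, as described above, hides the lines but changes nothing about the timeouts themselves.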
  59. jflash101

    jflash101 New Member Member

  60. Mr9v9

    Mr9v9 Serious Server Member

    Try this guide out hopefully it at least gives you something to work with?
  61. joksi

    joksi Serious Server Member

    First and foremost, to "multihome" one WAN port means either tagging two VLANs on it, if your providers both deliver tagged connections, or alternately connecting a switch in between and that way creating two new VLANs.

    Then you would tag these VLANs on your WAN port, and bridge the wireless interfaces with one of the VLANs. That should result in wireless clients being on the public side of the firewall. Further on, finish with setting up the VPN client and presumably use multiwan routing to direct the network subnets on wanted interfaces through the VPN. Unfortunately this part depends on how you connect to your VPN, so I can't really propose anything concrete.
  62. Ryogo

    Ryogo Connected Client Member

    Maybe someone could help me with this.

    I have a home server with nginx and I've added it to DMZ in tomato.

    I can access my sites:
    WAN -> ext. ip / domain name
    LAN -> LAN
    But cannot access:
    LAN -> ext. ip / domain name

    in nginx access.log I can see my request and no errors in error.log, but request in browser just hangs until a 'connection was reset'.
    Last edited: Dec 5, 2016
  63. joksi

    joksi Serious Server Member

    You should probably Enable NAT loopback.
  64. koitsu

    koitsu Network Guru Member

    This is bad advice (recommending NAT loopback), but please read everything below. This has been discussed several times over (be sure to see the links/threads within the below posts):

    The solution for this is mentioned in those threads as well, re: configuring dnsmasq to return the LAN IP of the machine when looking up the WAN FQDN ("domain name") from the LAN. The user should not be trying to access the WAN IP from the LAN. It's done using either:

    a) address=/domain/LAN-IP-ADDR
    b) host-record=hostname,LAN-IP-ADDR in the Dnsmasq Custom Configuration section of the GUI. These are dnsmasq configuration directives. You can also use address=/hostname/LAN-IP-ADDR if needed (understand the difference between an FQDN and a domain/wildcard match. This subject is not related to Tomato).

    However, the OP's problem is not related to NAT loopback. If NAT loopback was disabled, and a port forward was being used (odds are that is the case here), he would not be able to reach the WANIP and port (I cannot type WANIP-colon-PORT because the forum turns the colon-PORT into a stupid emoticon) from a LAN system -- the result would be a TCP timeout (no response to TCP SYN), and the request would never reach nginx (running presumably on the machine he is port forwarding to).

    The OP claims that LAN->WAN IP/ext domain "shows up in his nginx access logs" but then eventually returns a "connection was reset" (TCP RST) error. The problem likely has to do with something deeper in his nginx configuration, the software he's using under/behind nginx, or something with packet routing.

    My point about not using NAT loopback at all, however, still stands.
    Last edited: Dec 4, 2016
  65. joksi

    joksi Serious Server Member

    You´re completely right, this is how I have it setup (split DNS).
    I just gave him an answer on his question :)
  66. koitsu

    koitsu Network Guru Member

    You did -- and I missed the part of his post that says he's using the DMZ functionality (I failed the team! :D). The model there is "any inbound non-NAT-table-matching packet I don't know what to do with should get forwarded to LAN IP x.x.x.x", vs. a per-port mapping like with port forwarding.

    What I think you may have overlooked was the last 3 paragraphs of my post. He specifically says the machine he's forwarded packets to (DMZ destination) sees the request. I find that interesting.

    I have a theory as to what's happening, packet-routing-wise, in this scenario (use of DMZ), and if it's what I think, then solving it may be complicated. It's better to have LAN machines talk directly (i.e. use the described solution with dnsmasq) and not try to talk to the WAN IP. The whole situation/problem is then solved.
  67. Ryogo

    Ryogo Connected Client Member

    Thank you all for your help.
    I've added a dnsmasq rule so that LAN devices would be pointed to a local IP and it works like a charm. But I still find it funny that I can actually connect from LAN -> ext. ip.
    Last edited: Dec 5, 2016
  68. RBoy1

    RBoy1 Connected Client Member

    Can you please elaborate on this point (this has been the best explanation of Tomato vs DD-WRT in years). Why/how does BrainSlayer have access to this SDK and not Tomato devs? What would need to be done to get access? Also what would be challenging about porting the GUI code (backend and frontend) from Tomato to DD-WRT assuming they both are running Linux?
    If Tomato is built around the binary blobs from Broadcom why not take the "updated" binary blobs from DD-WRT and rebuild around a newer kernel with additional features such as offloading etc?
    I may be oversimplifying this and apologize but if anyone can get to the bottom it's you gurus.
  69. koitsu

    koitsu Network Guru Member

    Warning: long-winded post due to user asking for elaboration and verbose details. Skip this post if you do not care (it's 100% OK!).

    He has a relationship with Broadcom in some manner, likely paying them for SDK access. There are several bits that are given which he can recompile from source (or abstracted source, i.e. "deep internals" of wifi drivers may be binary blobs but the surrounding controls and interfaces to the innards are in source (likely .h files with lots of externs)). Honestly, this is more a question for BrainSlayer on the DD-WRT forum -- and if you were to ask him, PLEASE be polite!

    Answering this is impossible without knowing definitely the answer to your previous question. However, I would speculate it's two things: 1) money (you often have to pay money to a company to get access to their SDK, and it's an ongoing support cost), and 2) (and this is the even more important one) the developers with SDK access need to have familiarity with what they're working with. No Tomato developer that I know of has this familiarity (they rely purely on binary blobs from other firmwares (Asus, Netgear, etc. -- companies who have SDK access and possibly more)). BrainSlayer, on the other hand, does.

    They both run Linux, however DD-WRT uses a substantially newer Linux kernel (3.x series, I believe); Tomato uses 2.6.22 for MIPS and 2.6.34 for ARM, and we cannot change that due to reliance on binary blob drivers (wireless and Ethernet switch).

    The GUI work involves understanding how the Tomato GUI is actually coded/designed -- there are basically no comments (yes I really am serious), and most of the internals use single-letter variable names and functions, so the end results are very difficult to decipher (note: it is NOT Minify'd JS -- this is literally Jon Zarate choosing to name functions things like W, E, A, _X (I think?), and some other things). Variables are the same way a lot of the time. Also, Tomato's pages are "fake ASP documents", as they support the ability to run server-side code embedded into the Tomato httpd server using <% function() %> server-parsed strings (more on that in a moment). In short: someone has to reverse-engineer everything from top to bottom (there is no documentation).

    Next comes the humongous work, the elephant in the room if you will: figuring out the details of all the DD-WRT NVRAM variables, as well as the HTML form variables and cookies (not sure if DD-WRT has the latter, but Tomato uses several). This requires deep understanding of the Tomato httpd server (it is 100% custom, written in C). I may be one of the few people who has repeatedly sifted through Tomato httpd to figure out things -- and like the JS bits, basically none of it is commented (again, Jon Zarate). I'm by no means an expert, but it is one of the code bases I "get". The JS and what not? Nope: I struggle with that every time I make a patch. I know HTML/XHTML/CSS and how to do server-side APIs (RESTful and non-REST -- Tomato is very very much non-REST, i.e. "the way from 1996", and it's the way I understand best) extremely well, but in 90% of cases where I see JS used, I want to scrap the whole thing and just generate HTML server-side (I'm a sysadmin and "kinda sorta web dev" who works on the back-end exclusively, so what can I say, I'm biased), and that makes me a bad candidate for the "front end" of the web GUI: Tomato's JS-based GUI is one of the things people love about it. Look at the AdvancedTomato project: you have a GUI that actually looks a lot more "up-to-date" than older Tomato. The AT guys know HTML/CSS/JS very, very well.

    It's a very large undertaking, and requires deep knowledge of both firmware's internals.

    My honest opinion is that someone who does the front-end (HTML/CSS/JS) on DD-WRT should sit down and "reproduce" the general UI feel/behaviour from Tomato. Any of the ASP-like stuff I can explain if asked (if I remember right, DD-WRT has something similar, I just forget what model they used to implement it), but the "feel" and JS bits could be figured out by someone talented.

    I firmly believe someone could simply change all the DD-WRT UI to mimic the Tomato UI (in feel and behaviour) in most ways, just by sitting down with a DD-WRT router + dev system, and a TomatoUSB router, and getting a feel for the latter. Really.

    The "updated" binary blobs from DD-WRT are built through use of the Broadcom SDK BrainSlayer has access to. They are built for a newer Linux kernel version that is not compatible with Tomato. For us to even attempt it, we would need the SDK and documentation (thorough) on how to use it. We'd also need to know up front (before anything else) if the SDK can even work on 2.6.22 and 2.6.34. All this usually involves communication with Broadcom when negotiating if you can be given the SDK. Then there's the API/ABI aspect: Broadcom can/will change API and ABI semantics in things (and they have a right to: it's their stuff!), which means that the semantics Tomato would expect/be built from would not necessarily match that in a binary blob driver. We have seen people try to do this before, and the results are not pretty. Expanding a little more:

    In other words: You cannot just copy over the binary blobs for the wireless and switching drivers from DD-WRT into the Tomato tree and have them work for two reasons: 1) kernel version differences, and 2) API/ABI differences (I can explain to you exactly what this means if asked). The former will result in the kernel modules not loading, the latter (assuming they load) results in MAJOR MAJOR MAJOR problems: stuff that won't compile (symbol X can't be found), stuff that does compile but crashes (symbol is found during link but doesn't use the same API semantics as Tomato), stuff that does compile but crashes even worse (symbol is found during link but doesn't use the same ABI, end result is absolute chaos: this could even potentially brick your router or break the wireless chip (I am NOT kidding)).

    I'm not being modest/humble when I say this: I am not a guru. I may "appear" as one to you because of the stuff I DO know, but there are guys like @RMerlin who show up and know even more (or know the bits I don't know, or even better, have a better idea on how to implement something), and guys like @shibby20 and @Toastman who actually do the firmware building and third-party app integration and testing and <a billion other things> who do the actual heavy lifting. I do not think I am a "guru", and I don't look at any of those guys as "gurus" either. I look at them as open-source project contributors who are also developers and maintainers. Me? I'm just a guy who's been doing a LOT of things for over 25 years. I have a wiki page covering "stuff I do", and my CV/resume. So please don't call me a "guru" -- I don't believe in statures like this, especially in open-source projects.
    Last edited: Dec 5, 2016
  70. RBoy1

    RBoy1 Connected Client Member

    First up I want to thank you for such a detailed reply and would like to acknowledge all the contributors here including RMerlin, Shibby and Toastman - you're all gurus including yourself. Not to take away from anyone. I have contributed in the past and will do so again. You're all doing a great job!

    Sounds like Tomato is running on a limited lease here (as you have pointed out). So the best way forward as I see it is only to build a new GUI for DD-WRT?
    If I may, apart from the wireless drivers - what benefit would the 3.x kernel have over the 2.x as far as these home routers go? So essentially I'm asking what makes DD-WRT on 3.x better than Tomato on 2.x?
    Feature wise they both appear to be same (unless I'm missing something).
  71. Mr9v9

    Mr9v9 Serious Server Member

    I will base my opinion here on what differences I have seen in my time of using both. Guys please don't get furious with me if I'm wrong! :D


    • Has better OpenVPN support.
    • A more user-friendly graphical user interface that is faster to use.
    • A wireless survey page for mitigating interference from other channels.
    • A nice looking Bandwidth Monitor that was one of the main features for me when I switched, so you can monitor your stats by YOUR selection.
    • An update notifier that tells you when a new version is available.
    • Integrated Tor and Bittorrent Clients as well as a variety of other expandable tools.
    • Best use I have seen for the USB Port, and in my case I use it for my Master Browser share.
    • Ability to use Dual-Gateways and have both VPN and ISP running at the same time.


    • You can get a better selection of Routers to use along with updated Drivers for those devices.
    • Better Wireless Repeater modes even on other subnets.
    • Better built in options like Wifidog for Hotspots.
    • "Pro" Paid Version allows you to do more for better network reliability. Great for a Company but bad for a home user.

    If I had to compare the two using a car analogy... I would say Tomato (depending on the flavor) is like a BMW, and DD-WRT is like a Porsche. BMW loves to add more technology to their base designs without much change to the overall "look." Porsche on the other hand loves to stick to the same design even though they have the "tools" from the industry standard to make it look different, or even add more "tech" features. Both are very fast and have their similarities, but it comes down to the Manufacturer's choices on design, and the features that make you choose one over the other.
    Last edited: Dec 6, 2016
  72. RBoy1

    RBoy1 Connected Client Member

    Nice comparison, I'd love to hear why should one upgrade the kernel to 3.x for the routers? Everything you said sounded like Tomato had "more" features than DD-WRT. So why 3.x?
  73. koitsu

    koitsu Network Guru Member

    GUI-type features have nothing to do with kernel version. However, when it comes to things like driver reliability (especially relevant to wireless), the situation is different. Wireless reliability I think is probably the most nagged-about topic we have here.

    Kernel 2.6.x is often neglected. 2.6.22 (used by MIPS) came out July 2007, 2.6.34 (used by ARM) came out May 2010. Tomato has, if I remember right, some kernel patches in place, but nothing substantial. All those 2.6.x versions were maintained by one single guy (Greg Kroah-Hartman, a.k.a. GKH). Efforts of LTSI are supposed to support 2.6.x, but you can clearly see that for consumer devices (which these are) the idea is to get them onto the 3.x tree. Be aware of this: Broadcom is not part of the board (take from that what you wish).

    Another possibility, of course, is to use something like AsusWRT/Merlin, which is a firmware maintained by user RMerlin here on the forum. Asus has a relationship with Broadcom (certainly identical to that of BrainSlayer), so on occasion we can use updated binary wireless drivers provided by them, since AsusWRT is under GPL. One of the complications, though, is "importing" those drivers and their relevant changes (see above, re: API/ABI changes), seeing if they work or cause problems, etc.. They don't necessarily apply to certain models either. There's a reason the Tomato source tree is 1.3GBytes, given all the craziness over the years. Proof, if you want it:

    $ git remote -v
    origin (fetch)
    origin (push)
    upstream (fetch)
    upstream (push)
    $ git gc
    Counting objects: 355053, done.
    Delta compression using up to 4 threads.
    Compressing objects: 100% (169603/169603), done.
    Writing objects: 100% (355053/355053), done.
    Total 355053 (delta 179380), reused 351050 (delta 175466)
    Checking connectivity: 355053, done.
    $ git count-objects -vH
    count: 0
    size: 0 bytes
    in-pack: 355053
    packs: 1
    size-pack: 1.33 GiB
    prune-packable: 0
    garbage: 0
    size-garbage: 0 bytes
  74. RMerlin

    RMerlin Network Guru Member

    I'm not a kernel expert, but I'd say the biggest reasons to want a newer kernel are the networking stack improvements. Netfilter seems to have improved significantly since the 2.6 days, and the IPv6 stack seems to also be far more robust and widely tested by now. And of course, you want an LTS version that's not EOL yet. 2.6.36 is EOL afaik, so you have to rely on someone doing any security backports for you. I had two developers taking care of patching the recent Dirty COW issues in 2.6.22 (required a backport) and 2.6.36.

    But ultimately, the SoC manufacturer decides which kernel to support in their SDK. In turn, router manufacturers will want to stick to these kernels, so they can retain technical support from the SoC manufacturer. So in short: don't expect any kernel upgrade unless a new router based on a new SDK comes out. ARM brought us up to in Broadcom-land (with the Northstar platform used for the RT-AC56/R7000/etc...). Since the first ARM-based models, there's been no kernel upgrade, even with the newer SDK 7.x as used by last year's models.
  75. RBoy1

    RBoy1 Connected Client Member

    Thanks for that RMerlin. So what you're saying is even though you have access to Broadcom it's not very helpful since they're sticking with the 2.x kernels, so why even bother trying to upgrade to 3.x.
    So one question here, if Broadcom is sticking to 2.x kernels (although it sounded like DD-WRT has a 3.x kernel binary, or did I misread that and it was source code that was compiled against a 3.x kernel), then is there any reason you can't update the wireless drivers from your Asus 2.x kernel builds into Tomato? (Is it that you don't have ABI compatibility?)
  76. TTROUT

    TTROUT Connected Client Member

    I think this info is really outdated.

    DD-WRT has been shipping kernel 4.4 for some time.

    TOR/Bittorrent/Site Survey are also included in DD-WRT. DD-WRT also ships up-to-date software like php7 + latest lighttpd, while Tomato still comes with a vulnerable webserver+php version that does not receive any updates from upstream.

    Additional features are:

    -proxy, that does adblocking
    -zabbix monitoring client
    -radius server

    Kernel 4 gives them a lot of new small features as updated qos algos that fix bufferbloat, add support for new usb devices etc.

    And one thing is for sure, they support the latest models, e.g. routers with IPQ soc that are much faster than any broadcom right now.
  77. TTROUT

    TTROUT Connected Client Member

  78. joksi

    joksi Serious Server Member

    Okay, so after a lot of tinkering and reinstalling I have finally succeeded in getting Strongswan from Entware up and running (without any Shibby extra modules loaded!). I have tunnels to other IPsec gateways, including Azure.
    However, when searching online and in the Strongswan documentation I can't really find any concrete information about the specifics of Strongswan on Tomato, apparently on Tomato Strongswan creates one new interface called "ipsec0", where all running tunnels are ingressing/egressing. It also creates automatic routes out on this interface, by default in a separate table numbered 220.

    Online I could mostly only find references to tunnels going through the WAN-interface, using IP-tables policy match module. Nothing about a separate, ipsec0 interface. While this doesn't bother me, what does bother me is how I can create a real route based tunnel. That is, instead of having to configure several subnets in Strongswan for each tunnel, just being able to put routes from whatever local subnet to whatever remote subnet and sending it out on the tunnel interface ipsec0.

    Anyone have any experiences on this?
  79. RMerlin

    RMerlin Network Guru Member

    That's because Brainslayer doesn't care about losing official tech support from Broadcom, as he's not selling any product.

    And I don't have access to Broadcom's source code. I can only use the kernel used for those binary blobs, and that means that I can't even change every kernel options that I'd want to.
  80. RBoy1

    RBoy1 Connected Client Member

    Thanks, if you don't mind me asking, what's the kernel that ASUS uses for its Broadcom wireless blobs?
  81. rickmav3

    rickmav3 Serious Server Member

    Objective comparison. And nice analogy :)

    Tomato also has long time experienced devs. and users who are not close minded and can see both firmware as alternatives, get to know the differences to fill their view on what a consumer router can do.

    DD-WRT Guru
    Posted: Sun Dec 04, 2016

    My opinion is no on the tomato, unless it is ketchup or a finely chopped salsa. Otherwise, I can't stand the texture.

    Toast is good too, but only if you've got some really good jam and maybe a little butter to go along with it.

    DD-WRT Guru
    Posted: Mon Dec 05, 2016

    kernel wise - DD-WRT has the most decent (new) kernels, even if they are still behind....
    Future wise - Tomato has good graphic shit and DNSCrypt if I'm not wrong...but DD-WRT has a more versatile use

    about the Toastman..., he comes early mornings only on Tuesday's, at Hoxton Market street, never had any better toasts....
  82. RMerlin

    RMerlin Network Guru Member

    for MIPS, for ARM. These have a number of backports applied on top of them, so it's not a "vanilla" kernel anymore.
  83. RBoy1

    RBoy1 Connected Client Member

    So I'm going to try to summarize this for posterity's sake:
    - Broadcom only provides wireless blobs that are built around the 2.x kernels even with their latest SDKs. Hence Tomato/Asus etc. are always going to be stuck with 2.x kernels, unless Broadcom starts handing out the code for their wireless blobs OR someone manages to get documentation around their network architecture/cards and builds custom driver code. Does anyone know if it's possible to get a hold of the Broadcom driver reference guide or register document - if so I'll be happy to whip up a driver.
    - DD-WRT manages to get it to work with 4.x because BrainSlayer has access to the Broadcom code and manages to recompile it against the 4.x kernels
    - All in all it doesn't really make a significant difference to the performance or features upgrading to 4.x kernel, sounds like 2.x kernel is great for home uses and Tomato overall is killing it over DD-WRT where it matters.

    The only thing missing right now from rocking Tomato is a stable version of MultiWAN which I'm hoping doesn't have a dependency on 3.x or 4.x kernels. Frankly after using DD-WRT and being fedup of it I'm in love with Tomato.

    So @RMerlin if ASUS has a newer wireless blob built in the 2.x kernel is it not possible to integrate that into Tomato to make it rock even more?
  84. koitsu

    koitsu Network Guru Member

    This has been done several times over the years, and happens on occasion in all the different firmwares. When it happens, it is a HUGE deal given the effects. It's a cat-and-mouse game, because there's nothing that "magically makes things better for everyone". I'll try to explain, with historical references (and you can find all of this on this forum, as well as the older forum):

    I assume you know Toastman's firmwares had two "flavours" for several years: ND ("New Driver") and non-ND. The ND version had a newer Broadcom wireless driver (I can't remember where it was from, but I believe Asus). The results of that were all over the board: some users reported that ND saw big improvements in wireless reliability, throughput, and signal stability. Others reported worse performance/behaviour and were quite vocal about it. And some others (like myself) saw no real change at all. I'll repeat myself for the Nth time about wireless -- everyone's environment, setup, equipment, etc. is completely different. People "tweak" crap under the Advanced menu without even really knowing what they're doing, then simply because clicking Save can result in the wireless driver being reset internally (which can sometimes un-wedge it or rectify some internal issues), suddenly (within 30 seconds) they think that because they changed Herpderp Fruit-of-the-Loom Mode from "Off" to "Wild Stallyns" that their signals are better and their throughput is better, then start saying "tweak this setting and your stuff will magically get better!" (a common one is insisting that boosting Transmit Power is a good thing: in most cases it isn't, it just makes everyone else's wireless around you even worse).

    "Fooling around" with wireless drivers is almost a black art. As an engineer I refuse to believe things are "filled with magic smoke and require wizard-like incantations", but we're working with wireless chipset drivers which come as kernel modules in pure binary form -- and even if they came in source form, do you really think someone has the familiarity with 802.11 as a whole, and the time to reverse-engineer, a wireless driver that supports several models of ICs? -- so there is a most definite "we aren't sure what's going to happen from this" reality.

    All in all, we're thankful that there are several companies who make consumer routers that are Linux-based (hence under the GPL, thus must release the source code to the kernel -- Broadcom's wireless drivers are not part of the Linux kernel, thus they are not directly subject to release of source per GPL). For example, I for one really appreciate RMerlin's efforts because he tracks Asus's stuff and if there's something big coming down the pipe (or does come down the pipe), he can discuss that with the non-AsusWRT/Merlin F/W maintainers (Shibby, Toastman, etc.) to prepare for, say, a wireless driver change.

    Sorry I'm long-winded, but the questions you're asking mandate answers that encompass years of familiarity with the development parts of Tomato and embedded devices in general. I could talk for another 30 minutes about Broadcom and their horrible "must protect our IP at all costs, hire big lawyers too" attitude (which is nothing new, they've been like this since day one of their existence. Kinda reminds me of Rambus, actually), but that's for another time/thread.
  85. RBoy1

    RBoy1 Connected Client Member

    Appreciate it thanks. I somehow missed out on the Toastman's ND. I would love to try Shibby's ND version (baseline v132) if possible (nothing against Toastman, have contributed to him also but I liked the way I could control the ipv6 DHCP options in Shibby's version, seeing 2 IPv6 addresses, DHCP and Self Assigned was driving me nuts and was a security concern).
  86. tothjsz

    tothjsz Connected Client Member

    1. as I know, wl = WireLess
    2. yes
    3. very good question. I have never tried it.
  87. dkirk

    dkirk Network Guru Member

    Thank you for the excellent post and reminder of the Rambus fiasco. Since Broadcom is the problem here is there a consumer router out there that is more developer friendly? Wouldn't it be nice if we could port Tomato to another platform that would respect us. I would gladly pitch in and buy one for Shibby to play with if such an animal existed.
  88. microchip

    microchip Serious Server Member

    You can try the Linksys WRT line. They are supposed to be such, but I can't tell you the current status. You also pay a heavy price for that line. It's way overpriced, IMHO
  89. koitsu

    koitsu Network Guru Member

    Most people who are actual developers are simply building their own and running Linux natively on them (ex. buy a SFF PC, buy a wireless NIC that has good support/reliable drivers on Linux, buy a 4-port NIC card or just use an external switch (ex. D-Link, Netgear, etc.), then start writing up iptables rules/etc. for yourself).

    Other possibilities include OPNsense and pfSense, but these are FreeBSD-based, not Linux. I can attest to the OPNsense folks being extremely attentive to stability. I have no idea what wireless experience is like on these, however. Now you can understand why for wireless, some people are saying "screw it" and buying Ubiquiti UniFi AP devices instead (i.e. standalone devices that connect to your network and provide the wireless AP part, letting your router deal with the routing and possibly the switching (if it has an integrated switch) -- and if they're hooked up to a PoE port, they don't even need an AC adapter for power). These are black-box devices, but they handle the wireless part independently, thus letting you use whatever router/etc. you choose and not having to worry about "wireless driver support".

    There is probably a Linux "distro" that is akin to OPNsense and pfSense, i.e. a Linux distro that is about providing a web GUI + router/NAT/etc. functionality.

    But really if you want the "Tomato mess" (I say that respectfully) on something else, you're gonna have to build it yourself. Shibby has dealt with this happening -- there are a lot of folks in China who are apparently taking Shibby's Tomato code and banging on it to push it into for-sale products (and then not putting the source up online, re: GPL violation). Licensing violations and unprofessional aspects aside, these folks are in fact doing what I just described (building their own).
  90. Mr9v9

    Mr9v9 Serious Server Member

    I had a chance to read this article today and I have to say the reviewer did not have too much fun with DD-WRT.

    Then why even include it? Is this supposed to be the "control" for these tests? Shitty choice at best and you could have done better for $90!

    This sounds positive and makes me wonder if a user should switch. But how would that look on something other than the R8000?

    I think this last one is supposed to be positive?

    Though I'm glad there is a comparison of Enterprise vs Homebrew Routers in the article, I get very confused as to why there is no mention of Tomato (R7000 perhaps?) on any of the included tests?

    It's like what the hell is the whole point of the article, power consumption and throughput? It just tells everyone what we (hopefully) already knew! Screenshots of actual features being compared would have been nice. I can't wait for the "WiFi tests" article (Sarcasm).
    Last edited: Dec 7, 2016
  91. Rangaistus

    Rangaistus Reformed Router Member

    AdBlock RFE Draft:

    I've been messing with the 138 built-in adBlock for a few days. I like it. I think it could use some improvements, as stated below.

    1. the default nightly DL is too aggressive. modify to once/twice a week.
    2. ability to modify the schedule through the UI.
      I am aware of the cron job, (cru -l : adblockJob). a UI would be nice.
    3. capability to filter out duplicates from multiple sources,
      Code: #some_comment #tab-delim Abc.Com^M
      looking at the current code i would add
      • transition to lowercase
      • remove CR
      • remove comments
      • remove trailing white space
      • reduce multiple spaces
      • turn tabs to spaces
      -65: mv $WORK1 $WORK2 && cat $WORK2 | sort -u > $WORK1 && rm $WORK2
      +65: mv $WORK1 $WORK2 && cat $WORK2 | sed -e 's/\t/ /g' -e 's/#.*$//g' -e 's/  / /g' -e 's/[ ]*$//g' | tr -d '\r' | tr '[A-Z]' '[a-z]' | grep -v 'localhost$' | sort -u > $WORK1 && rm $WORK2
    4. remove subdomains -- since these lists are generated for use as a hosts file, they list each subdomain individually. this is unnecessary in tomato, since each entry is added as a domain,
      the entire list above can be reduced to 1 entry,
      suggested approach:
      -65: mv $WORK1 $WORK2 && cat $WORK2 | sed -e 's/\t/ /g' -e 's/#.*$//g' -e 's/  / /g' -e 's/[ ]*$//g' | tr -d '\r' | tr '[A-Z]' '[a-z]' | grep -v 'localhost$' | sort -u > $WORK1 && rm $WORK2
      +65: mv $WORK1 $WORK2 && cat $WORK2 | sed -e 's/\t/ /g' -e 's/#.*$//g' -e 's/  / /g' -e 's/[ ]*$//g' | tr -d '\r' | tr '[A-Z]' '[a-z]' | grep -v 'localhost$' | cut -f 2 -d ' ' | sort -u > $WORK2
      +66: cat $WORK2 | awk -F. '{for (i=NF; i>0; --i) printf "%s%s", (i<NF ? "." : ""), $i; printf "\n"}' | sort \
       | sed -r 'h;:b;$b;N;/^(.*)\n\1\..*$/ {g;bb;};$b;P;D;' \
       | awk -F. '{printf " "; for (i=NF; i>0; --i) printf "%s%s", (i<NF ? "." : ""), $i; printf "\n"}' \
       >$WORK1 && rm $WORK2
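      Review bot: the prefix test in the `sed -r 'h;:b;$b;N;/^(.*)\n\1\..*$/ ...'` stage assumes a domain and all of its subdomains land next to each other after `sort`, but a sibling such as `com.example-cdn` sorts between `com.example` and `com.example.ads` ('-' is 0x2d, '.' is 0x2e), so `com.example.ads` survives the pass. Appending a trailing dot to every reversed name before `sort` (and stripping it again afterwards) keeps each parent immediately ahead of its subdomains.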
      NOTE: in my testing, on a RT-N66U, awk is slower than sed. however awk is faster than sed on a synology DS210j NAS.
      the sed approach would be:
      -66: cat $WORK2 | awk -F. '{for (i=NF; i>0; --i) printf "%s%s", (i<NF ? "." : ""), $i; printf "\n"}' | sort \
       | sed -r 'h;:b;$b;N;/^(.*)\n\1\..*$/ {g;bb;};$b;P;D;' \
       | awk -F. '{printf " "; for (i=NF; i>0; --i) printf "%s%s", (i<NF ? "." : ""), $i; printf "\n"}' \
       >$WORK1 && rm $WORK2
      +66: cat $WORK2 | sed -r 'G;:t;s/(.*)(\.)(.*)(\n)(.*)/\1\4\5\2\3/;tt;s/(.*)\n(\.)(.*)/\3\2\1/' | sort \
       | sed -r 'h;:b;$b;N;/^(.*)\n\1\..*$/ {g;bb;};$b;P;D;' \
       | sed -r 'G;:t;s/(.*)(\.)(.*)(\n)(.*)/\1\4\5\2\3/;tt;s/(.*)\n(\.)(.*)/0\.0\.0\.0 \3\2\1/' \
       >$WORK1 && rm $WORK2
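      Review bot: the awk and sed alternatives emit different output formats: the final awk stage prints a single space before each name (`printf " "`), the final sed stage prints `0.0.0.0 ` (`0\.0\.0\.0 \3\2\1`), so whichever is adopted should match what the following lines of the script expect after the `cut -f 2 -d ' '` at line 65; pick one format and keep it in both variants.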
    using the above i managed to get 101288 entries down to 75428 by eliminating duplicates, and 36484 entries after removing subdomains.
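    The normalisation and subdomain-collapse pipeline proposed above, rewritten as an added example in POSIX sh/awk. It is not the Tomato adblock script and not the code from the post: the input is a constructed sample, the functions are filters on stdin rather than operating on the script's $WORK1/$WORK2 files, and it goes one step beyond the post by appending a trailing dot before sorting so that a sibling name such as example-cdn.com cannot slip between a domain and its subdomains.

```shell
#!/bin/sh
# Added example, not the Tomato adblock script: normalise a hosts-format
# blocklist and drop entries whose parent domain is already listed.
# Only POSIX sh, sed, awk, sort and grep are used, as on a router's busybox.

# Constructed sample input (hypothetical names, not a real blocklist). It mixes
# the cases the post mentions: comments, tabs, CRLF, mixed case, duplicates
# and hosts-file subdomain sprawl, plus a sibling that sorts awkwardly.
sample_hosts() {
    printf '# constructed sample, not a real list\n'
    printf '0.0.0.0 Ads.Example.COM\r\n'                      # CRLF, mixed case
    printf '0.0.0.0\ttracker.example.net  # inline comment\n' # tab separated
    printf '0.0.0.0 ads.example.com\n'                        # duplicate
    printf '0.0.0.0 www.ads.example.com\n'
    printf '0.0.0.0 cdn.ads.example.com\n'
    printf '0.0.0.0 example-cdn.com\n'   # '-' sorts before '.', see below
    printf '127.0.0.1 localhost\n'
    printf '0.0.0.0 beacon.tracker.example.net\n'
}

# Step 1 (the post's line 65): strip CR and comments, take the hostname
# column, lower-case it, drop localhost, and de-duplicate.
adblock_normalize() {
    tr -d '\r' |
    sed -e 's/#.*$//' |
    awk '{ d = (NF >= 2) ? $2 : $1; if (d != "") print tolower(d) }' |
    grep -v '^localhost$' |
    LC_ALL=C sort -u
}

# Step 2 (the post's line 66): reverse the labels (ads.example.com ->
# com.example.ads), sort, and keep only lines that are not extensions of the
# previously kept line. A trailing dot is appended before sorting: without it
# "com.example-cdn" sorts between "com.example" and "com.example.ads" ('-' is
# 0x2d, '.' is 0x2e) and the prefix check would wrongly keep the subdomain.
adblock_collapse() {
    awk -F. '{ s = $NF; for (i = NF - 1; i > 0; i--) s = s "." $i; print s "." }' |
    LC_ALL=C sort |
    awk '{ if (keep != "" && index($0, keep) == 1) next; keep = $0; print }' |
    awk -F. '{ s = $(NF - 1); for (i = NF - 2; i > 0; i--) s = s "." $i; print s }'
}

# Whole pipeline; the caller formats the result for dnsmasq as the script does.
adblock_build() {
    adblock_normalize | adblock_collapse
}

# Example run: 9 hosts lines -> 6 unique names -> 3 after collapsing.
sample_hosts | adblock_build
```

    The output of the sample run is `example-cdn.com`, `ads.example.com` and `tracker.example.net`: the three `*.ads.example.com` entries fold into their parent, the hyphenated sibling is left alone, and `localhost` is dropped.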
  92. TTROUT

    TTROUT Connected Client Member

    Well the writer did not actually take the time to try to find out who kong is. Not anonymous at all.

    The interesting info in the article is the fact that network performance tests show a significant improvement compared to the netgear fw, which is still based on the 2.6 kernel.

    Wifi on dd-wrt works flawlessly, unlike tomato where you have to apply settings that do not make any sense, e.g. regulation codes.

    Regarding R8000 vs other models, I think the R8000 build is pretty much the same as the other models, same soc as R7000.

    The worst thing with tomato is that it ships outdated software that puts the user at risk, e.g. the previously mentioned nginx php software; the normal user won't even know that enabling these features puts them at risk.

    The same thing could be said about the 2.6 kernel: it is not just unsupported, it is heavily patched, which could introduce new bugs, but mainstream kernel devs won't even look for bugs here, only the bad guys will.
  93. ghoffman

    ghoffman LI Guru Member

    i would beg to differ about the 'flawless' performance of wifi on dd-wrt. there are so many different combinations of routers, builds types, versions, that any such blanket statement should be suspect. i would submit that both the dd-wrt projects and the tomato projects are increasingly challenging the limits of their amazing but still limited human developer resources!
  94. koitsu

    koitsu Network Guru Member

    Anything which includes PHP enabled and functional out-of-the-box is subject to this, it isn't just limited to Tomato. I also don't know which Tomato firmwares include this. Shibby? Unsure. But I do know Toastman does not. Just clarifying this, because my point is "not all TomatoUSB firmwares are the same". But nobody should be writing PHP anyway (I say this as someone who does know PHP). ;-)

    You said "Linux 2.6", so I'm going to hold you to your exact words. The Linux 2.6 kernel is still actively maintained as an LTS release and the Linux Foundation's LTSI group is responsible for that (backed by a board consisting of large-name Fortune 500 companies). The releases which are being EOL'd are minor versions, one at a time.

    Tomato MIPS uses 2.6.22, Tomato ARM uses 2.6.36. So yes, MIPS's kernel is EOL'd, but Tomato cannot do anything about it because of binary blob wireless drivers from Broadcom. Some patches can be backported, but that requires someone who is extensively familiar with Linux kernel innards (to my knowledge, nobody that maintains TomatoUSB is).

    That said, newer is not always better. I'm not saying older is necessarily perfect either, but be careful what you advocate. :)

    So while some of what you say is true (and I agree with some of it!), other parts definitely border on FUD. I would also like to ask you: this is your 3rd forum post since signing up 2 months ago. What do you bring to the table to help bring Tomato more up-to-date kernel-wise? I look forward to your answer.
  95. Campigenus

    Campigenus Networkin' Nut Member

    Aha, then how do you explain the "magic/more magic" switch from the MIT AI Lab's PDP-10?

  96. koitsu

    koitsu Network Guru Member

    Occam's razor applies.
  97. Rangaistus

    Rangaistus Reformed Router Member

    again with adBlock: release/src-rt-6.x.4708/router/others/adblock
    1. BUG:
      72: sed -i $WORK1 -e "/$i/d"
      this can whitelist too much, i.e. "" can whitelist "" or "", etc.
      i suggest:
      -72: sed -i $WORK1 -e "/$i/d"
      +72: sed -i $WORK1 -e "/$i\$/d"
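      Review bot: `/$i\$/d` only anchors the end of the line, so a whitelist entry `example.com` still deletes `notexample.com`, and the dots in `$i` are regex metacharacters, so the same entry also matches `exampleXcom`. Escape the entry before building the expression and anchor its start as well (a preceding space or dot if the lines still carry the `0.0.0.0 ` prefix, `^` if they are bare domains), so that only the domain and its subdomains are removed.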
      this should limit the entry to the domain & subdomains.
    2. Speed enhancement --
      running sed many times (depending on the whitelist) on the blacklist file (which could also be very large) is slow.
      i suggest compiling all the changes (from the whitelist) and then issue sed once on the blacklist.
      -71: for i in $WHITELIST; do
      -72:   sed -i $WORK1 -e "/$i/d"
      -73: done
      +71: SEDCMD=""
      +72: for i in $WHITELIST; do
      +73:   SEDCMD="$SEDCMD -e '/$w\$/d'"
      +74: done
      +75: eval sed -i $WORK1 $SEDCMD
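      Review bot: `$w` in `SEDCMD="$SEDCMD -e '/$w\$/d'"` is never assigned; the loop variable is `$i`, so every whitelist entry expands to `-e '/$/d'`, which deletes every line of $WORK1. Separately, `eval sed -i $WORK1 $SEDCMD` re-parses the whitelist entries as shell code, so an entry containing a quote or `;` is executed rather than matched; the `-f` script-file variant below avoids the eval, or a single awk pass can test membership without building any regex from the entries.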
      i've tested with a whitelist of 99 entries. there is about 5x speed increase.
      NOTE: security issue with eval?
      there's probably a limit to the size of SEDCMD before it chokes. alternatively we could create a SEDCMD file and do -f $SEDCMD, i.e.:
      -71: for i in $WHITELIST; do
      -72:   sed -i $WORK1 -e "/$i/d"
      -73: done
      +15: SEDCMD='/tmp/sed.cmd'
      +71: echo "" >$SEDCMD
      +72: for i in $WHITELIST; do
      +73:   echo "/$w\$/d" >>$SEDCMD
      +74: done
      +75: sed -i $WORK1 -f $SEDCMD && rm -f $SEDCMD
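      Review bot: same `$w` vs `$i` mix-up as in the eval variant: `echo "/$w\$/d" >>$SEDCMD` writes `/$/d` for every entry and empties $WORK1. Also `echo "" >$SEDCMD` puts an empty first line in the script (harmless but unnecessary; `: >$SEDCMD` truncates it), and a fixed, predictable `/tmp/sed.cmd` is better replaced by `mktemp` so two concurrent runs (the cron job plus a manual start) do not overwrite each other's script.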
    AndreDVJ and kille72 like this.
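    Since the post asks whether `eval` is a security issue, here is an added example (not the Tomato adblock script and not Rangaistus's code) of applying the whitelist without `eval` and without building sed expressions from user-supplied entries at all. The blocklist and whitelist are constructed samples; the function assumes one bare domain per input line, as left by the script's `cut -f 2 -d ' '` step.

```shell
#!/bin/sh
# Added example, not the Tomato adblock script: apply a whitelist to a list of
# blocked domains without eval and without turning user input into regexes.
# One awk pass drops every blocked name that equals a whitelist entry or is a
# subdomain of one, which is what the post's "/$i\$/d" sed command intends.

# Constructed sample blocklist (hypothetical names), one domain per line as
# produced by the script's "cut -f 2 -d ' '" step.
sample_blocklist() {
    printf '%s\n' ads.example.com tracker.example.net notexample.com \
                  example.com cdn.static.example.org
}

# $1: whitespace-separated whitelist (the script's $WHITELIST); stdin: blocklist.
# Each name is walked up its label chain (cdn.static.example.org ->
# static.example.org -> example.org -> org) and dropped on the first hit, so
# "example.com" removes example.com and *.example.com but not notexample.com.
# Entries are only ever used as hash keys, so quotes, ';' or '$' in them are
# inert and no shell re-parsing (eval) is involved.
adblock_apply_whitelist() {
    awk -v wl="$1" '
        BEGIN { n = split(wl, a); for (i = 1; i <= n; i++) allow[tolower(a[i])] = 1 }
        {
            t = tolower($0); keep = 1
            while (t != "") {
                if (t in allow) { keep = 0; break }
                k = index(t, ".")
                if (k == 0) break
                t = substr(t, k + 1)
            }
            if (keep) print
        }'
}

# Example run with a mixed-case entry: prints tracker.example.net and notexample.com.
sample_blocklist | adblock_apply_whitelist "example.com STATIC.example.org"
```

    The walk is at most one dictionary lookup per label, so the cost is linear in the size of the blocklist regardless of how long the whitelist grows, which also answers the speed concern raised above.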
  98. kille72

    kille72 LI Guru Member

    @Rangaistus: I looked at your comments on the Adblock code, very interesting.

    Is it a good idea to remove sub-domains? Example: I want to block but allow

    Server:  Asus
    Server:  Asus
    Non-authoritative answer:
    Also look at: /tmp/etc/dnsmasq.adblock
    Last edited: Dec 9, 2016
  99. mgeorge

    mgeorge Serious Server Member

    Hello, I've been using tomato-K26USB-1.28.RT-N5x-MIPSR2-XXX-VPN on Asus RT-N10U till version 138. Version 138 tomato-K26USB-1.28.RT-N5x-MIPSR2-138-VPN does not fit anymore, because it's too big. @shibby20 would it be possible to reduce the size, so that it would fit on router with 8MB flash size?
  100. kille72

    kille72 LI Guru Member

    Try this one: