Enable WOL (Wake on LAN) Across Internet

Discussion in 'Tomato Firmware' started by jbaker6953, Nov 5, 2007.

  1. jbaker6953

    jbaker6953 LI Guru Member

    I struggled with this for a little bit, so I figured some others might find it useful.

    I wanted to get Wake On LAN working across the Internet, and I didn't want to do it through the Tomato GUI. I wanted it to work this way because I have a Web server running on the LAN that friends and family access infrequently, and I wanted to be able to power off my computer and still let them have access to my Web server. My solution was a CGI script hosted elsewhere that sent a magic packet to my router which then forwarded it to the Web server on my LAN. It didn't work. :thumbdown:

    The problem is that when your computer is powered off it doesn't have an IP address, so there's no address to forward the packet to. WOL requires that the magic packet be broadcast to the entire LAN's subnet, but iptables and Tomato won't let you forward packets to a broadcast address. I thought I was doomed. But wait! What about creating a static ARP entry with a bogus IP address? It works!!!! Here is the command I entered at the Tomato SSH prompt:

    ip neighbor add lladdr ff:ff:ff:ff:ff:ff dev br0 nud permanent

    This fools Tomato into thinking there is a machine on the LAN with the IP address with a MAC address of ff:ff:ff:ff:ff:ff. That is a special MAC address - a broadcast address. So, then I set up a port forwarding rule to forward UDP packets on port 9 to which causes Tomato to send out a broadcast. It works beautifully.

    So, to recap:

    1) Create a permanent ARP entry with the following command at the Tomato SSH command line:

    ip neighbor add lladdr ff:ff:ff:ff:ff:ff dev br0 nud permanent

    2) Create a port forwarding rule to forward UDP packets on port 9 to

    3) Use whatever WOL utility you have to send WOL packets to Tomato's WAN IP using UDP packets on port 9 (remembering that you have to know the LAN machine's MAC address).

    Hope that helps.
  2. davemuk

    davemuk LI Guru Member

    I've wanted this for ages but the other methods I've tried haven't worked. I shall test this in the next couple of days.

    Thanks jbaker6953.

  3. Rooki

    Rooki Network Guru Member


    Where can I find the SSH command line?

    TNX, Regards.
  4. Macskeeball

    Macskeeball LI Guru Member

    You can enable it in the Administration section of the web interface. Using PuTTY on Windows, Terminal on Mac or Gnome, or Kterm (I think) on KDE, use SSH to connect to The username is root, and the password is the password you use for the router's web interface. If you need additional help, you should be able to find it on Google.
  5. davemuk

    davemuk LI Guru Member

    Excellent! This worked a treat for me.

    Thanks again jbaker6953 :thumbups:

    * I added the ip neighbor command to the Firewall script startup in the administration section, no SSH required.

    I use this free little app to send the WOL packet.

  6. jeradc

    jeradc LI Guru Member

    This should be stickied, or added to a wiki, or both. Very nice.
  7. selkov

    selkov LI Guru Member

    A very interesting approach.....

    I have a WRT350N with the Linksys firmware 1.05.8.

    Can I do something similar here without changing the firmware?
  8. lexluthor

    lexluthor Network Guru Member

    Sorry to bring up such an old thread today, but I was trying to set up WOL so it'd work through the internet tool here:

    Do I really need to set up this command
    ip neighbor add lladdr ff:ff:ff:ff:ff:ff dev br0 nud permanent
    through an SSH shell?

    Why can't I just enter it in the init scripts section in Tomato or is that something totally different?

    Even if I'm sitting at the router with full access, I still have to set up an SSH connection to run this command, is that correct?

    EDIT: I see someone up above put it in Administration->Scripts->Firewall, I think. Is that where it should go instead of where I had it in Administration->Scripts->Init?

    Will that work instead of SSH?

    Also, would I need to enable multicast in the firewall settings for this to work?
  9. lexluthor

    lexluthor Network Guru Member

    Ok, I just got home and it works perfectly. No need for SSH.

    Just add that line to Administration->Scripts->Firewall. Set the port forward and go to the depicus online wake page, put in your PC's MAC, your IP, netmask and the UDP port you forwarded.

    You do have to enable WOL for your NIC. Unfortunately, that option appears to be grayed out on the PC I wanted this to function on, so back to the drawing board there, but it is working fine on another PC that allows me to enable WOL for my NIC.

    Do not need multicast enabled. Thanks jbaker6953!
  10. scolbeck

    scolbeck LI Guru Member

    I have a similar setup but resolved it a different way. Instead of first turning the computer on via a WOL utility, I have a script that will check the Tomato log every minute and automatically turn on the web server computer when Tomato receives the web request. For this to work, you must enable logging of inbound connections if allowed by the firewall.

    If the computer is off, the browser request will most likely time out. However a retry a moment later when the computer is on will be successful.

    Here is my script I placed in 'WAN UP'. In the same script, I am also turning on the computer for Tomato to save the bandwidth history to a CIFS mount if that computer is turned off.

    # Monitor the log for CIFS/HTTP events to wake computer via WOL
    if [ ! -x /tmp/wolLogWatch.sh ] ; then
    touch /tmp/cifs.tmp /tmp/http.tmp
    cat > /tmp/wolLogWatch.sh <<EOF
    #!/bin/sh
    # Placeholders, not values from the original post: set the MAC to wake,
    # and the LAN IP and port of the web server whose requests are logged.
    MAC="xx:xx:xx:xx:xx:xx"
    TARGET="x.x.x.x"
    PORT="80"
    CIFS_ERR="cifs_mount failed|0xffffff6d"
    # If we get this CIFS error, the CIFS computer is not on.  Wake it via WOL.
    LAST_CIFS=\`cat /tmp/cifs.tmp\`
    CIFS_LOG=\`cat /var/log/messages | egrep "\$CIFS_ERR" | tail -1 | awk '{print \$3}'\`
    if [ "\$CIFS_LOG" != "" -a "\$CIFS_LOG" != "\$LAST_CIFS" ]; then
       /usr/bin/ether-wake \$MAC
       echo \$CIFS_LOG > /tmp/cifs.tmp
    else
       # We have a new http request.  Make sure the target computer is on via WOL.
       # Note: Logging of inbound connections if allowed by firewall must be enabled.
       LAST_HTTP=\`cat /tmp/http.tmp\`
       HTTP_LOG=\`cat /var/log/messages | grep ACCEPT | grep "DST=\$TARGET" | grep "DPT=\$PORT" | tail -1 | awk '{print \$3}'\`
       if [ "\$HTTP_LOG" != "" -a "\$HTTP_LOG" != "\$LAST_HTTP" ]; then
          /usr/bin/ether-wake \$MAC
          echo \$HTTP_LOG > /tmp/http.tmp
       fi
    fi
    EOF
    chmod +x /tmp/wolLogWatch.sh
    fi
    # Execute via cron every minute
    cru a wolLogWatch "* * * * * /tmp/wolLogWatch.sh"
  11. F157

    F157 LI Guru Member

    first of all thank you jbaker for this hint, works great for me :)

    one question came up while playing with this:
    when and how do the clients on this list get deleted off the list? (http://www.abload.de/image.php?img=w3pffp.jpg) I wanted to add a static ARP entry for the first client in the line (FIST), but with the code "ip neighbor add lladdr ex:am:ple:ma:ca:dd dev br0 nud permanent" it was not added to the list. I think this is because it's already in there...

    /e: now it worked, I don't know why...
    but still, if anyone knows the answer to the question (when or in what situations do clients get deleted off this list), feel free to answer :)
  12. jksmurf

    jksmurf Network Guru Member

    Also a big thanks to jbaker6953, davemuk and lexluthor from me (I used the Admin, Scripts, Firewall method documented below);

    simple description, elegant solution. I now feel rather geeky having got this to work!

    Just one query, rather than having to remember the MAC address, can that WOLGui utility resolve a hostname that you set up in the Static IP page? THAT would be great. I can do that in Ultravnc when the thing is awake, so I should imagine it must be possible?

  13. bubsqueek

    bubsqueek Addicted to LI Member

    sorry to hijack an old thread but I would appreciate some help please, regarding this command
    'ip neighbor add lladdr ff:ff:ff:ff:ff:ff dev br0 nud permanent'

    should I change the IP address and MAC address of the above command line to that of the PC I want to turn on or do I leave it to 192.168.1.254 and ff:ff:ff:ff:ff:ff?


  14. davemuk

    davemuk LI Guru Member

    Leave as is.
  15. bubsqueek

    bubsqueek Addicted to LI Member

    thanks for reply
  16. i1135t

    i1135t Network Guru Member

    OK I have a question. I have the computer that I want to wake up hard wired to another AP that's running DDWRT. This AP is then hard wired to my main router running tomato. I don't use the WAN port on the DDWRT AP so I figure that it would work as a simple switch, so broadcasts should pass through, correct? I have disabled the firewall on it (ddwrt one) and it will still not wake it up. I even tried manually putting in a port forward, but then it shouldn't be necessary since the firewall is off. Will my setup work?
    Simple diagram:

    (main router running tomato)
    |(wired from LAN to LAN)
    (secondary AP running DDWRT)
    |(wired to the LAN computer I want to wake)
    |(FW disabled)
    (WOL computer)

    EDIT --

    Well, I wired the WOL computer directly into my main router and still not working. I did use a WOL monitor app after setting up the instructions in the posts and still not getting any WOL packet. When I send it to my local subnet, I get the packet. So I guess it's an issue with my firewall. Hmm... I hate reconfiguring everything from scratch on my router, but looks like I will have to try that. :(
  17. i1135t

    i1135t Network Guru Member

    A separate question. Does the UDP packet need to be forwarded to port 9 from the outside? Can't it be any port, so as long as the software supports it? I ask because I wasn't sure if the NIC only listens on a specific port.

    Also, wouldn't it be easier to just set up a rule to port forward to X.X.X.255 so that it gets broadcast automatically without the need to set up an ARP entry?