I could use some help configuring Tomato

Discussion in 'Tomato Firmware' started by prophead, Dec 11, 2009.

  1. prophead

    prophead Addicted to LI Member

    SOLVED - I could use some help configuring Tomato

    UPDATE: the problem below has been solved; here's what I needed to do:
    1) set a static route in my cable modem/router to the Tomato WAN side (obvious in hindsight)
    2) change the network hosts' gateways to be the Tomato's LAN side (can't believe I didn't think of this earlier, and how come you guys didn't suggest it?)
    3) use the masquerade script found below (never would have found this on my own in a million years)

    I can't believe how hard this was and how many variables there were in the process. But the payoff is sweet: realtime bandwidth monitoring and reporting. I wanted to put my solution here to help someone else in the future, maybe. I learned a lot in the process. Jesus, iptables is a monster. ipfw was so much easier. Thanks for your help, community.

     
  2. prophead

    prophead Addicted to LI Member

    Can tomato even do this?
     
  3. lanmtl

    lanmtl Addicted to LI Member

    I'm sure it can, as iptables is pretty powerful, but I don't have a clue as to how to use iptables... Pretty useless comment, I know, sorry!
     
  4. mstombs

    mstombs Network Guru Member

    Have you tried the Advanced->Routing->Miscellaneous "Router" rather than "Gateway" mode?
     
  5. prophead

    prophead Addicted to LI Member

    Yes.
    I can ping LAN addrs from Tomato,
    I can ping the WAN addr from Tomato,

    but no routing, even with static routes.

    I need help.
    |-<:)
     
  6. mstombs

    mstombs Network Guru Member

    I have no direct experience with router mode, but this style of WAN IP

    WAN 17x.13.122.221 255.255.255.255

    causes problems in gateway mode because it means that whatever the gateway is set to, it will not be in the network defined by the IP and netmask, and this causes Tomato (and other similar-vintage Linux firmwares) to fail to set a default route.

    See http://www.linksysinfo.org/forums/showpost.php?p=353937 for a successful fix of this in a very different setup, using commands I use for a half-bridge ADSL modem.
     
  7. prophead

    prophead Addicted to LI Member

    Awesome, thank you so much, I'm sure this is the problem, but I won't be able to test until next week, I'll be sure to touch base back here and report my progress. Once again, thanks for your help!
    |-<:)
     
  8. prophead

    prophead Addicted to LI Member

    so close but no go

    I was really hoping this was going to work, but still no go.
    I can ping both sides from the Tomato router, but it will not route packets to the WAN.
    Also, the script above, when put into the init tab and rebooted, did not load; I had to ssh into the CLI and type the lines in manually. What's the correct way to set up an init script?
    I could really use some more help on this, thanks for your time.
    |-<:)
     
  9. mstombs

    mstombs Network Guru Member

    The init script is only for things you want to run just after boot; often commands run too early, so a sleep is needed. The place for iptables and route commands is the Firewall script, which runs just before the WAN is brought up, and every time. In "gateway" mode at least, the firewall and route tables are flushed and rebuilt prior to running the firewall script, but as you say the commands do not work...

    What does "route -n" tell you about the Tomato routing? I think the problem may be that the Tomato router can't differentiate between its WAN and LAN.
     
  10. prophead

    prophead Addicted to LI Member

    routing v gateway

    Thanks for your help. I've been spending way too much time on this. Tried both gateway and router modes to the same effect. Can ping LAN and WAN addrs from the Tomato, but no WAN from LAN. Is this a firewall thing? Do I have to specify each and every port? Including ping? Why aren't my pings to the outside from the LAN showing up in the log as firewall denies? (Logging is set to log denies.) I even tried changing the WAN addr to a private subnet between Tomato and the cable modem/router; once again Tomato could ping addrs on the Internet, but no LAN address could hit anything, not even the WAN interface of the Tomato. I don't know what to even try at this point. dd-wrt?
    |-<:(
     
  11. prophead

    prophead Addicted to LI Member

    diag

    Thanks for the clarification, here's what it looks like from inside my router:
    # route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    17x.13.122.222 10.1.10.1 255.255.255.255 UGH 0 0 0 vlan1
    17x.13.122.216 0.0.0.0 255.255.255.248 U 0 0 0 br0
    10.1.10.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan1
    127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
    0.0.0.0 10.1.10.1 0.0.0.0 UG 0 0 0 vlan1

    After extensive reading on this, I tried these often-used commands:
    iptables -t nat -I POSTROUTING -d 10.1.10.1 -j MASQUERADE
    iptables -I FORWARD -d 10.1.10.1 -j ACCEPT

    which gives me this (which doesn't look right to me):

    iptables --list
    Chain INPUT (policy DROP)
    target prot opt source destination
    DROP 0 -- anywhere 10.1.10.2
    logdrop 0 -- anywhere anywhere state INVALID
    ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
    shlimit tcp -- anywhere anywhere tcp dpt:ssh state NEW
    shlimit tcp -- anywhere anywhere tcp dpt:telnet state NEW
    ACCEPT 0 -- anywhere anywhere
    ACCEPT 0 -- anywhere anywhere
    ACCEPT icmp -- anywhere anywhere
    logdrop 0 -- anywhere anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT 0 -- anywhere 10.1.10.1
    TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1461:65535 TCPMSS set 1460

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain logdrop (2 references)
    target prot opt source destination
    LOG 0 -- anywhere anywhere state NEW limit: avg 1/sec burst 5 LOG level warning tcp-options ip-options prefix `DROP '
    DROP 0 -- anywhere anywhere

    Chain logreject (0 references)
    target prot opt source destination
    LOG 0 -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning tcp-options ip-options prefix `REJECT '
    REJECT tcp -- anywhere anywhere reject-with tcp-reset

    Chain shlimit (2 references)
    target prot opt source destination
    0 -- anywhere anywhere recent: SET name: shlimit side: source
    DROP 0 -- anywhere anywhere recent: UPDATE seconds: 60 hit_count: 3 name: shlimit side: source

    Look at the first line, Chain INPUT policy DROP. Doesn't that seem like it would drop everything? I don't know enough about iptables to make heads or tails of this, but I'm fairly certain this is where my problem is. I'm hoping an expert in iptables can help me.

    Brief recap: Tomato can ping everything from inside, including Internet addrs, but LAN addresses cannot see the Tomato WAN IP (or anything beyond).

    If there was a way to make the LAN interface monitor the bandwidth on the LAN subnet in promiscuous mode without using the WAN side at all that would be great, but I don't think that's possible, correct?

    TIA,
    |-<:)
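An added example, not from the thread or the linked post, that checks the two things mstombs raised (post 6: the upstream gateway must lie inside the WAN IP/netmask, which a /32 WAN can never satisfy; posts 9 and 11: `route -n` must show a default route on the WAN interface) and prints forwarding rules for the Tomato Firewall script. The `route -n` sample and the WAN/LAN addresses are constructed placeholders, and the interface names br0 (LAN) and vlan1 (WAN) are assumed from the table in post 11.

```shell
#!/bin/sh
# Added example (not the poster's or the linked post's code): POSIX sh + awk.
# Constructed `route -n` sample modelled on the thread; TEST-NET placeholder LAN.
ROUTE_OUT='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
198.51.100.216 0.0.0.0 255.255.255.248 U 0 0 0 br0
10.1.10.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 10.1.10.1 0.0.0.0 UG 0 0 0 vlan1'

# Dotted quad -> integer, so subnet membership can be tested with bitwise AND.
ip2int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NETMASK GATEWAY: succeeds when the gateway lies in the network
# defined by IP/NETMASK. With a 255.255.255.255 WAN mask this always fails,
# which is why Tomato never installs a default route in that setup (post 6).
in_subnet() {
  [ $(( $(ip2int "$1") & $(ip2int "$2") )) -eq $(( $(ip2int "$3") & $(ip2int "$2") )) ]
}

# Interface carrying the default route (destination 0.0.0.0 with the G flag).
default_route_iface() {
  printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $8 }'
}

# Interface that owns the directly connected route for a given network.
iface_for_net() {
  printf '%s\n' "$2" | awk -v n="$1" '$1 == n && $2 == "0.0.0.0" { print $8 }'
}

# Rules for the Tomato Firewall script (assumed: br0 = LAN, vlan1 = WAN).
# The thread's own rules match "-d 10.1.10.1", i.e. only packets addressed to
# the upstream router itself; traffic bound for the Internet must be matched
# on the outbound interface instead, as done here.
firewall_rules() {
  lan=$1; wan=$2
  printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$wan"
  printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$lan" "$wan"
  printf 'iptables -A FORWARD -i %s -o %s -m state --state RELATED,ESTABLISHED -j ACCEPT\n' "$wan" "$lan"
}

if in_subnet 10.1.10.2 255.255.255.0 10.1.10.1; then
  echo "gateway reachable; default route via $(default_route_iface "$ROUTE_OUT")"
fi
firewall_rules br0 vlan1
```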
     
  12. prophead

    prophead Addicted to LI Member

    Problem has been solved. Solution at the top of the first post. Thanks, community.
     