
Is this a bug?

Discussion in 'Tomato Firmware' started by zforum69, Aug 2, 2009.

  1. zforum69

    zforum69 Addicted to LI Member

    Hi,

    I'm running Tomato firmware v1.25 on a WRT54GL. I have set up a VLAN on the WAN port so that I can manage my modem. Furthermore, in order to get properly time-stamped event logs on my modem, I also allowed it connectivity to the internet to sync with some NTP servers, and pointed it to the Linksys router for its DNS server so that the NTP servers can be resolved by name. The exact details of what I did are documented at http://forums.whirlpool.net.au/forum-replies.cfm?t=990529&p=3#r42 (before I knew these forums existed).

    Recently I noticed that my modem no longer had correctly time-stamped event logs. I isolated the problem to the modem not getting any response from the DNS server (Linksys). I tested the modem by hard-coding the DNS server address to my ISP's, and it worked. This confirms that the Linksys is not responding to the DNS queries. This is the same symptom as when I did not put "interface=vlan1" in Dnsmasq Custom Configuration to make dnsmasq listen for DNS requests from the WAN VLAN.

    I decided I needed to restore to factory defaults and re-enter each configuration parameter one at a time with a DNS test to see which command caused the failure. I know I may have to roll back the firmware and do the test on each firmware as well.

    As it turns out, it is not the firmware but a totally unrelated part: logging. I have set my inbound connections to be logged. If I log blocked inbound connections (either by setting it to "if blocked by firewall" or "both"), I have the DNS failure. That is, the modem will not get any response from the Linksys to any DNS query.

    Can somebody shed some light on this? Can anybody else repeat my observations? Is there a way to fix this or is it a bug?

    Regards,
    Z
     
  2. pfoomer

    pfoomer LI Guru Member


    Please clarify "incorrect timestamps": were they differing by seconds or larger?

    I would suggest, if your modem allows it, to connect to the default timeserver for your location, and also let the modem connect to the ISP's or OpenDNS dns servers.

    The only reason to get the time from your router is if you have a time server (ntpd) on your LAN.

    For logging I send syslog or SNMP from my modem to the router and on to the syslog / SNMP daemons.

    I hope you resolved your other issue regarding the modem access; it was all in the thread I referred to, i.e. the modem and router need to be on different subnets.

    Peresphone
     
  3. zforum69

    zforum69 Addicted to LI Member

    Incorrect is probably the wrong word; the time stamps become an offset from boot time because it can't get to an NTP server to get the right time (because the router is not responding to DNS queries).

    Slight misunderstanding: I do get the time server from my location, however I point the modem to the router (10.0.0.1) for the DNS server, just like the PCs on the LAN via DHCP (except it's 192.168.1.1). That way I have a central point where I can control DNS, i.e. if I want to change the DNS for all devices I simply do it in the router. For example, instead of defaulting to my ISP's I could point to OpenDNS, and I could add local network names that do not resolve on the internet.

    I send Tomato logs to a remote system running a syslog daemon, but I didn't know I could send the modem logs to Tomato, which can then send all the logs (Tomato and modem) to the remote system. Do you have to do anything special on Tomato to do that?

    That wasn't me having the problem, it was nightsp. As implied by my original post I could always connect to the modem, and even got the modem to connect to the internet to sync time with an NTP server. My issue is that if I turn on logging for blocked inbound connections, the router does not respond to DNS queries from the modem. I can't even work out why the symptoms are related.

    Z
     
  4. jan.n

    jan.n Addicted to LI Member

    Wait - your MODEM resolves dns queries using your ROUTER? Do I get that right?
     
  5. pfoomer

    pfoomer LI Guru Member

    Hi

    Sorry for the confusion re modem access. To get logging to work I did this on the port forward page, where 192.168.100.1 is the modem IP address:

    On Both 192.168.100.1 514 9514 192.168.1.15 syslog

    and this on the router syslog page

    Log to Remote System 192.168.1.15 9514

    The router then forwards the combined logs to the syslogd listening on 9514.

    Re your ntp problem, perhaps a port forward is needed for DNS?

    Peresphone
     
  6. zforum69

    zforum69 Addicted to LI Member

    That's right. My modem has NTP server entries 0.au.pool.ntp.org, 1.au.pool.ntp.org, 2.au.pool.ntp.org and 3.au.pool.ntp.org and relies on my router to resolve them to IP addresses.

    For testing I telnet into the modem, and from there there is an nslookup command where I can try to resolve anything I want from the modem (google.com for example).

    Z
     
  7. zforum69

    zforum69 Addicted to LI Member

    I never thought of doing that ... port forwarding the logs. Is there any reason why you changed the port number from its default, i.e. would it still work if you port forwarded port 512 from the modem to port 512 on the server?

    I'm not sure what you had in mind; what would I port forward, and to what, since the destination is DNSMASQ in the router itself? I can't see why just logging a type of inbound connection event stops it resolving DNS queries. If I don't log the blocked inbound connection attempts it resolves DNS queries without any issue.

    I think I should just send the details to jon and report it as a possible bug.

    Z
     
  8. pfoomer

    pfoomer LI Guru Member

    Security: the syslogd does not run as root, so I used a port > 1024.

    Re dns forward, just a wild guess, I have never set it up the way you describe.

    Peresphone
     
  9. jan.n

    jan.n Addicted to LI Member

    Why doesn't your modem ask your provider's DNS for resolving? It's just about time sync. I understand if you want to use alternative DNS servers for everything else, as your country - just like mine - censors the internet. Or is there another reason your modem can't resolve on its own?
     
  10. zforum69

    zforum69 Addicted to LI Member

    That definitely works, and that is one workaround option I can use, however I'd prefer not to do that. I want the router to be the DNS server because it automatically gets the DNS from the ISP, so if the ISP changes its DNS servers all my devices (including the modem) do not need reconfiguration.

    Z
     
  11. jan.n

    jan.n Addicted to LI Member

    Hmm - doesn't your modem get its DNS from your ISP, too? If it's "intelligent" enough to be manageable it should as well be possible to get its DNS settings from your ISP.

    What connection are you on? Cable or DSL? Do you have control over the settings of your modem or is it locked?
     
  12. zforum69

    zforum69 Addicted to LI Member

    Yes, but I have it in bridge mode and terminate the PPP in the Tomato router. All the modem does is sync the DSL, with minimal config so that I can manage it.

    DSL, yes, and no it is not locked.

    The issue is with Tomato, because if I don't turn on logging for blocked inbound connections it is all OK.

    Z
     
  13. zforum69

    zforum69 Addicted to LI Member

    OK, I thought I'd just update the thread. I sent an email to Jon (Tomato developer) with details about my bug. He told me to add the following to the firewall scripts and see what happens:

    Code:
        iptables -D INPUT -j logdrop
        iptables -A INPUT -j logdrop

    ... and guess what, it worked!! What the above does is move that entry to the end (by first deleting it wherever it is and then appending it). That logdrop entry was coming in before the entry that accepted network connections from the modem network (i.e. the DNS queries), hence the DNS query failure.

    I've given Jon the dumps of the iptables entries, so I'll leave it to him as to if/when he incorporates it into the next version.

    Z
     
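As an added illustration (not from the thread or from Tomato's own firewall scripts), here is a small POSIX shell check that reads an `iptables -S INPUT` style rule dump and reports whether a blanket `-j logdrop` jump sits ahead of the rule that accepts traffic from the modem VLAN, which is the ordering problem Jon's two-line fix corrects. The sample rule dump and the `-i vlan1` accept rule are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: detect the rule-ordering problem the fix addresses.
# Netfilter walks a chain top to bottom and stops at the first terminating match, so a
# blanket "-j logdrop" placed before the rule that accepts the modem VLAN silently drops
# the modem's DNS queries. Input is in `iptables -S INPUT` format.

# rule_index RULES REGEX: 1-based position in INPUT of the first rule matching REGEX, or 0.
rule_index() {
    printf '%s\n' "$1" | awk -v re="$2" '
        /^-A INPUT/ { n++; if (!found && $0 ~ re) found = n }
        END { print found + 0 }'
}

# logdrop_shadows_vlan RULES: SHADOWED if logdrop precedes the vlan1 accept (DNS from the
# modem is dropped), OK if the accept comes first, MISSING if either rule is absent.
logdrop_shadows_vlan() {
    drop=$(rule_index "$1" '-j logdrop$')
    accept=$(rule_index "$1" '-i vlan1 .*-j ACCEPT')
    if [ "$drop" -eq 0 ] || [ "$accept" -eq 0 ]; then
        echo MISSING
    elif [ "$drop" -lt "$accept" ]; then
        echo SHADOWED
    else
        echo OK
    fi
}

# Constructed sample dump; the vlan1 accept rule is an assumption about the thread's setup
# (the page only says the modem's queries were accepted by a later rule in the chain).
SAMPLE_BEFORE='-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -j logdrop
-A INPUT -i vlan1 -p udp --dport 53 -j ACCEPT'

# The same rules after "iptables -D INPUT -j logdrop; iptables -A INPUT -j logdrop".
SAMPLE_AFTER='-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i vlan1 -p udp --dport 53 -j ACCEPT
-A INPUT -j logdrop'

echo "before fix: $(logdrop_shadows_vlan "$SAMPLE_BEFORE")"   # SHADOWED
echo "after fix:  $(logdrop_shadows_vlan "$SAMPLE_AFTER")"    # OK
```

On a live router the same check can be fed with `iptables -S INPUT` output to confirm the logdrop jump really ended up last after the firewall script runs.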
