1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Official Tomato v1.13.1252 Released

Discussion in 'Tomato Firmware' started by frode3, Dec 5, 2007.

  1. frode3

    frode3 Network Guru Member

    http://www.polarcloud.com/tomato

    Tomato 1.13.1252

    * Fixed problem with L2TP, PPPoE, PPTP.


    Changes in 1.12 in case you missed it:

    * Added WHR-HP-G54 transmit amplifier and enhanced receive options in Advanced/Wireless.
    * Added DNS-O-Matic and eNom DDNS support.
    * Added/fixed WBR-G54 support thanks to John M.
    * Updated South Australia TZ.
    * NAT loopback (Advanced/Firewall) now has more options: Enabled, Forwarded Only and Disabled.
    * Removed obsolete Telstra/heartbeat/bpalogin support.
    * Updated to l7-protocols-2007-11-22.
     
  2. jeradc

    jeradc LI Guru Member

    Quickest update... ever.
     
  3. Macskeeball

    Macskeeball LI Guru Member

    You might want to correct the version number in the thread title by editing the first post, if this forum will let you.
     
  4. frode3

    frode3 Network Guru Member

    sorry cant edit title
     
  5. M_ars

    M_ars LI Guru Member

    gooooooood job :)
     
  6. der_Kief

    der_Kief Super Moderator Staff Member Member

    Done :biggrin:

    der_Kief
     
  7. jsmiddleton4

    jsmiddleton4 Network Guru Member

    * NAT loopback (Advanced/Firewall) now has more options: Enabled, Forwarded Only and Disabled.


    How do we use these options?
     
  8. Low-WRT

    Low-WRT LI Guru Member

    Been running smooth for about 8 hours now:smile:
    Thanks!
     
  9. adlerfra

    adlerfra LI Guru Member

    Tomato is the Best

    Upgrade went smooth as butter on my WRT54GL.
     
  10. j.m.

    j.m. LI Guru Member

    Check the Advanced | Firewall options page. I recommend that you set it to forwarded only, as "enabled" (which was the default in previous versions) can break SMB browsing and UPnP discovery.
     
  11. pharma

    pharma Network Guru Member

    Thanks for the update -- as usually there were no issues!
    Many thanks for the official Tomato releases!! :biggrin::biggrin:

    Pharma
     
  12. MiseryQ

    MiseryQ Network Guru Member

    Another Flawless Upgrade.

    Thanks!
     
  13. jsmiddleton4

    jsmiddleton4 Network Guru Member

    I recommend that you set it to forwarded only, as "enabled" (which was the default in previous versions) can break SMB browsing and UPnP discovery.


    Thanks. But what do these settings do? What does enabled tell the router to do, forwarded only? I understand what turning it off does.
     
  14. ziddey

    ziddey Network Guru Member

    I assume this only applies to the dmz? Since wouldn't it be forwarded only for non dmz clients anyway?

    I haven't installed 1.13 yet, but my idea of this is for example, if you have a web server on port 80 on your dmz machine. You don't forward port80 on the router. But when you access the wan ip from the lan, via http :80, it'll still pull up your own web server again via the nat loopback.
     
  15. szfong

    szfong Network Guru Member

    I'm still having some issues with latest Tomato 1.13. On one of my router, WRT54G v2 rev:XH, 4MB/32MB. I get random reboots. Even dropping it back to 4MB/16MB and/or overclocking to 216MHz do not help. Uptime lasts only days, at most. Restarting wl drivers on the router every few hours or so with a script fixes this issue, but is a terrible workaround. Thibor 15c has almost exact same basic features as Tomato, but has over 2 month worth of uptime. I just wish I could update to Tomato on this problematic router. I realize some don't check their uptimes often, but in Tomato, if I don't save to nvram, all bandwidth data is lost during a random reboot.

    Before trying, does anyone know if there will be issues with replacing the wl drivers in Tomato with that of the older drivers in Thibor 15c and recompiling?
     
  16. unicorn02

    unicorn02 LI Guru Member

    Smooth Update as always. Although I would also like to know what the new NAT loopback options exactly mean.
     
  17. LLigetfa

    LLigetfa LI Guru Member

    I just made a copy of the TRX to BIN and loaded it ritht from the DD-WRT Eko-RC5 GUI. It just needed a long reset afterwards to clear the nvram.

    I had hopes maybe wireless association logged might have been an undocumented addition. :(
     
  18. szfong

    szfong Network Guru Member

    Just found another issue. I updated a WRT54GS v1 from dd-wrt v24 rc-3 to Tomato 1.13. Did 30s reset and thorough erase of nvram. Running "Site Survey" a half dozen times, in AP+WDS mode caused it to lose wireless connectivity and freeze, even wired connections stopped responding.
     
  19. kripz

    kripz LI Guru Member

    What were these problems, i dont seem to experience these so if this is the only change then i might not upgrade just yet.
     
  20. GhaladReam

    GhaladReam Network Guru Member

    Smooth upgrade, as usual (to 1.13) :)
     
  21. jsmiddleton4

    jsmiddleton4 Network Guru Member

    what the new NAT loopback options exactly mean.


    Or how we would use them, what do we accomplish with the settings, etc. Some times I can find what a thing "means", but have no idea how to apply it, or what I can accomplish with the setting.
     
  22. j.m.

    j.m. LI Guru Member

    "NAT Loopback" is also known as "Destination NAT onto the same network." You can find out more about how it works and why it may be needed here:
    http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html
    and here (Section 10.5 on p. 110):
    http://www.fwbuilder.org/UsersGuide.pdf
    also here:
    http://www.idallen.com/oclug/2004_nat/dnat.txt

    Basically, NAT Loopback allows one PC on your LAN to communicate with another PC on the same LAN by its NAT'ed public IP (or domain name). E.g., say you run a web server on your LAN and that the server can be accessed via the Internet at www.server.com. Without NAT loopback, if you tried to access www.server.com from another PC on your LAN, it would fail.

    Previous versions of Tomato provide two options for NAT Loopback: "Disabled" or "Enabled." "Disabled" turns off NAT Loopback all together (or, at least it is supposed to--it didn't in 1.11, not sure about older versions). "Enabled" configures iptables to loop back all traffic as I described in my reply here:
    http://www.linksysinfo.org/forums/showthread.php?t=55538
    In my experience, this causes problems with SMB and UPnP.

    This new version of Tomato adds a third option for NAT Loopback: "Forwarded Only." Setting this configures iptables to loop back only traffic destined for ports that you have forwarded (i.e. made open to the Internet) in the manner I described in the above reply. I do not see any real reason to set NAT Loopback to anything other than "Forwarded Only." Unless you have made a server Internet-accessible (forwarded a port), there seems to be little reason to try to access it from your LAN using its NAT'ed public IP (or domain name). The one exception I could see is if you have a server in the DMZ that you want to be able to acess from your LAN using its public IP (or domain name). I am not sure the "Forwarded Only" setting currently accounts for such a scenario such that NAT Loopback would work for the DMZ server. This could be changed I guess, but it is of little concern because rarely should a server be in the DMZ anyway.
     
  23. Macskeeball

    Macskeeball LI Guru Member

    Hey, thanks for that informative explanation, j.m.!

    I'm still on Tomato 1.10 since I haven't yet seen a reason for me to upgrade. Could this be one? Is there a benefit to using "Forwarded Only" in 1.13 as opposed to "Enabled" in older firmware such as 1.10? I do use SaMBa on my LAN, and I do have a port-forwarded web server. From your post, it sounds like I should upgrade.
     
  24. jsmiddleton4

    jsmiddleton4 Network Guru Member

    Thanks for taking time to explain the settings so fully. I understand NAT loopback in general and how to use it on a LAN that are all connected together as "common" clients, if you will, and a NAT router. So I understood it in regards to "on" of "off" as was the previous firmware.

    I am still not sure about this: "Setting this configures iptables to loop back only traffic destined for ports that you have forwarded"

    Do we have to manually forward them in setup screens? How do the ports get "seen" as forwarded? UPNP?

    So for the optioni in NAT to "fowarded ports" do I have to manual enter the clients in my "system" to be forwardable? If that's a word?

    Are they automatically forwarded because they are connected to the router getting their IP's from the rotuer? If so, how is the option, "forwarded" any different than simply on and off?

    I'm also thinking decaf maybe a good idea......
     
  25. guest

    guest Network Guru Member

    enabled = one device on lan can connect to another device on lan through NAT loopback on ALL ports
    forwarded = one device on lan can connect to another device on lan through NAT loopback ONLY on ports that are forwarded (all other ports are blocked from loopback)
    disabled = NAT loopback turned off

    To use "forwarded" you add rules to "Port Forwarding" tab in Tomato GUI
     
  26. jsmiddleton4

    jsmiddleton4 Network Guru Member

    So you have to manually forward ports in order to use the NAT Forward option?

    Other than the defaults I have not manually forwarded ports for any client on my network. I set NAT to Forwarded. We can all see and access eachother's shared folders via the router.

    Jim
     
  27. guest

    guest Network Guru Member

    My understanding was that "forwarded" option for NAT Loopback only was intended to pass through ports that were listed in port forwarding rules. All other ports would be blocked by the firewall.

    Maybe someone else or Jon can clarify if this is the intended function.
     
  28. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    [delete me]
     
  29. jsmiddleton4

    jsmiddleton4 Network Guru Member

    guest,

    Thanks again for sticking with this. I have no ports manually configured other than UPNP just default, etc. Never have gone into port forwarding and setup ports.

    If I use "Forwarded" all my clients, all 7 of us, can see eachother's computers, share files, access the network drive I have for us to use as common storage, etc.

    If I use "Enabled" of course that works.

    I guess I could try disabled but I'd rather not break my little network.

    Jim
     
  30. mstombs

    mstombs Network Guru Member

    My understanding of [WAN IP] NAT Loopback is as follows

    It only applies if you try to connect to the WANIP (ISP given) IP address held by the router.

    If you have no port forwards the request hits the router ( web GUI if port 80 etc), if Loopback enabled the router is allowed to reply - so you can successfully address the router by its WAN address.

    By default the router treats this access exactly the same way as if the request comes from the internet port and applies any port redirections eg to a web server on your LAN. If Loopback is forwarding only you will able to connect to your LAN webservers etc using the WANIP address but not the router itself.

    I do not know exactly why Loopback enabled affects dhcp or samba etc, but can only guess udp broadcast messages somehow get replies from the router during the discovery stages and things get confused.

    It should have no effect on direct connections between LAN clients as these should go via the switch directly and not be routed via the OS.
     
  31. Sunspark

    Sunspark LI Guru Member

    Let me make it really simple for everyone regarding NAT loopback.

    Setup:

    Internet<->Router<->Your PC1 @ local lan ip 192.168.1.2 & Your PC2 @ http://www.youtube.com/ at local lan ip 192.168.1.3

    the www WAN IP (cablemodem, DSL) address is updated with dyndns. the router is set up so that if an inbound port 80 request comes in to the WAN IP, it gets sent to PC2 and not PC1.

    Scenario:

    PC1 wants to access the web server at PC2 using the domain name and not the local ip.

    Using local IP will work, but if you are a big organization you don't want to issue a local IP to the staff, you'd rather they just use the 'english' domain name.

    Result:

    NAT Loopback- Disabled: PC1 can't access PC2 using www.*
    NAT Loopback- Enabled: PC1 can access PC2 using www.* as well as any other port on the machine that might be open locally on the lan also
    NAT Loopback- Forwarded: PC1 can access PC2 using www.* ONLY on port 80, or any other additional ports you have set up for forwarding manually.

    If you are a big organization, the reason you might want to care about forwarding only is because if all your ports are open on your local machine, it's a security risk because there are hundreds of people, all of whom could be evil.

    If you are at home and both PC's belong to you, then you don't need to care because you're not going to crack your own PC.

    As far as UPNP goes, dunno, but logically if the web server uses upnp to open the port 80 to the IP of PC2 on the lan, then the port is open and as such, NAT Loopback should work fine in forwarding mode also. The comment about possible breaking of upnp and smb might relate to a possible scenario where both PC1 and PC2 use upnp to open port80 on the WAN IP (Router) which would be a big conflict.

    I have both UPNP and a manual port forward turned on for bittorrent on this end because the torrent clients always seem to have trouble with the implementation. They fix it on one setup, and it breaks on another. UPNP because the rest of the stuff tends to work and it's less work for me.
     
  32. Macskeeball

    Macskeeball LI Guru Member

    Do not follow the first link in Sunspark's post. Although I haven't seen it, from what little I've read about it on YouTube and Digg, it is a rather nasty shock video.

    Edit: Apparently a mod has followed through on my report and edited said link. Thanks.
     
  33. dontbotherme

    dontbotherme Network Guru Member

    This is my problem:


    I have a FTP Server running which is configured correctly (yes - for shure - both active and passive mode from outside works).


    I want to set the behavior of NAT Loopback like it was in v1.11 so i choosed 'Forwarded only'.

    However im not able to connect to my FTP Server. Only the 'Enabled' mode works.

    the logfile says:
    Code:
    (000003) 12.12.2007 00:46:31 - (not logged in) (192.168.0.5)> Connected, sending welcome message...
    (000003) 12.12.2007 00:46:31 - (not logged in) (192.168.0.5)> 220-                   This is a private ftp server!
    (000003) 12.12.2007 00:46:31 - (not logged in) (192.168.0.5)> could not send reply, disconnected.

    note that my ftp server is running on port 21 on 192.168.0.5, but the external FTP Port ist much higher (65521).


    This problems occurs only with NAT Loopback (it was working correctly in v1.11 iirc). The FTP Server works correctly with both external and internal Clients (passive and active mode)!



    I guess this is a bug, or am i doing something wrong?


    cheers!
     
  34. paped

    paped LI Guru Member

    As far as I was aware the "default mode" in 1.11 was the now "enabled" setting in 1.13 as I seem to be able to get to any port on my second PC via the loopback when it was just on in 1.11 or set to "enabled" in 1.13. So set it to "enabled" in 1.13 and ftp should work just as it did before....
     
  35. tstrike2000

    tstrike2000 Network Guru Member

    Darn you, I was Rick Rolled!! The best part is 2:08.
     
  36. paped

    paped LI Guru Member

    great firmware, upgraded like a charm..... thank you!!!!!
     
  37. j.m.

    j.m. LI Guru Member

    This is correct.
     
  38. j.m.

    j.m. LI Guru Member

    This is a bug, unfortunately. It is my fault, not Jon's, as I was the one who asked him to consider making this change and tested it when he graciously did so. The current "Forwarded Only" mode will not work with port translation (e.g. you have forwarded Ext. port 65521 to Int. port 21). I do this myself and, thus, should have caught it. The problem is that currently with a setup like yours, "Forwarded Only" uses the following iptables rule:
    Code:
    iptables -t nat -I POSTROUTING 1 -p tcp --dport 65521 -d FTP_SERVER -s 192.168.1.0/24 -j SNAT --to-source 192.168.1.1
    
    when it should instead use:
    Code:
    iptables -t nat -I POSTROUTING 1 -p tcp --dport 21 -d FTP_SERVER -s 192.168.1.0/24 -j SNAT --to-source 192.168.1.1
    
    In other words, the rule should use the internal port of the forwarding rule you set up for your FTP server rather than the external one. Otherwise, as you have discovered, the rule does not work. I will let Jon (Tomato author) know so that he can hopefully fix that in a future release. My apologies.

    In the mean time, as noted above, you can set NAT Loopback to "Enabled" to have it work just as it did in 1.11.

    BTW, thank you for bringing this to my attention.
     
  39. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    This is the part that doesn't make sense to me. How would the router decide which local pc to forward the other ports to?

    Let's say I have the following forwarding rules:
    myDynamicDNSaddress.com:8080 -> 192.168.0.10:80
    myDynamicDNSaddress.com:8088 -> 192.168.0.20:80
    myDynamicDNSaddress.com:8888 -> 192.168.0.30:80

    Now, from inside the lan, 192.168.0.40 tries to connect to myDynamicDNSaddress.com:21. With NAT loopback at enabled, you're telling me that will get routed to one of the local PCs? Which one?

    I always assumed NAT loopback always worked as you describe "forward only" does now. With all of the hub-bub, I'm obviously wrong; I'm just trying to understand "enabled" mode.
     
  40. Sunspark

    Sunspark LI Guru Member

    Read the message I wrote again, it should be clear.

    As for the rule example you gave, the PC it will get routed to is whichever one of the 3 external ports you called. If it's 8080, then it'll go to *.10 and not *.20 or *.30

    The difference was that enabled allowed someone to access all the ports, not just one or a few.

    However, as mentioned a few posts up there's a bug, and port translation doesn't currently work. So if you're using port translation where you have 23423 external port on 192.168.0.10 using internal port 123 or whatever, then that will break currently, in which case you should use enabled until the bug is fixed. After that you can continue to use forwarded and it will work fine.
     
  41. mstombs

    mstombs Network Guru Member

    I do not follow this, if the port is not forwarded the request will hit the router, not PC2.

    From reviewing the code I am also concerned that "not enabled" is not the same as "disabled" or Linksys "Filter Internet NAT redirection" was before, the router may try to reply with incorrect source address, not explicitly dropped as before.
     
  42. tstrike2000

    tstrike2000 Network Guru Member

    Thanks for the explanation, it makes sense. Not to repeat what you said in your first post but, in even simpler terms, it sounds like:

    NAT Loopback - Enabled: Access to all ports on all computers in the internal network.

    NAT Loopback - Disabled: All ports are blocked to all computers in the internal network.

    NAT Loopback - Forwarded Only: Only ports to IP Addresses specified in the Port Forwarding
    section are accessible in the internal network, just like if we were accessing them from the internet.
     
  43. mstombs

    mstombs Network Guru Member

    NO! this only applies to requests to the external WAN IP address from the LAN. The request will go to the router if no port forwards enabled.
     
  44. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Actually, I think you need to read my message again. There are rules for WAN ports 8080, 8088, and 8888. You try and access WAN port 21 from LAN side (there are no forwarding rules for that port). Where does it go in enabled mode? Your comments indicate that it gets routed to one of the local PCs ("enabled allowed someone to access all the ports"), but I don't see how the router would even determine which local PC to route it to.
     
  45. tstrike2000

    tstrike2000 Network Guru Member

    Ok, I think I understand what you're saying. Thanks for the clarification.
     
  46. jsmiddleton4

    jsmiddleton4 Network Guru Member

    While I appreciate everyone taking time to respond I am pretty much confused at this point.

    Still have no idea how to use this feature/option in the real world......

    It actually looks like for the typical at home user with small networks, this setting doesn't really mean a whole lot and unless you are running a web server, which for many of us we can't do as it violoates our user agreements with our providers, you can probably turn the thing OFF.

    Jim
     
  47. Sunspark

    Sunspark LI Guru Member

    It doesn't go anywhere. It gets dropped.
     
  48. Sunspark

    Sunspark LI Guru Member

    I was trying to keep things simple by leaving port numbers out of it. Especially the bit about when sometimes you want to do translation. People were having trouble seeing a topology using words.

    Can you do a test in any way to try and duplicate the incorrect source address reply?
     
  49. wahur1

    wahur1 LI Guru Member

    Can anyone please tell me the settings, so that i can run torrents and browsing at the same time ?

    Currently i have limit my torrent speed, so that i can browse at the same time but i'm looking for some other method like, When i browse torrent speed drop and browsing get the full speed as soon as page loads torrents gets back to its normal speed...

    Is this thing possible in Tomato firmware? or anyother firmware?

    Router:WRT54G v3
    Firmware: Tomato 1.13
     
  50. Sunspark

    Sunspark LI Guru Member

    Read all the threads on this forum about QoS and how to use/set it up properly.
     
  51. mstombs

    mstombs Network Guru Member

    Well it clearly doesn't matter about incorrect source - "disabled" does not work any more!

    With Nat Loopback disabled if I navigate to

    http://myname.homeip.net

    I get the router GUI

    same if I try telnet

    telnet myname.homeip.net

    I can login the router.

    I'm pretty sure this is caused by this code change in firewall.c, if not enabled it no longer actively drops packets routed from lan to lan.

    Code:
    		switch (atoi(nvram_safe_get("nf_loopback"))) {
    		case 1:		// 1 = forwarded-only
    		case 2:		// 2 = disable
    			break;
    		default:	// 0 = all (same as block_loopback=0)
    			ipt_write("-A POSTROUTING -o %s -s %s/%s -d %s/%s -j MASQUERADE\n",
    				lanface,
    				lanaddr, lanmask,
    				lanaddr, lanmask);
    			break;
    		}			
    		
    /*		
    	struct in_addr ia;
    	char *addr;
    		// -A POSTROUTING -o br0 -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j MASQUERADE
    		ia.s_addr = inet_addr(nvram_get("lan_ipaddr")) & inet_addr(lanmask);
    		addr = inet_ntoa(ia);
    		ipt_write("-A POSTROUTING -o %s -s %s/%s -d %s/%s -j %s\n",
    			lanface, addr, lanmask, addr, lanmask,
    			nvram_match("block_loopback", "0") ? "MASQUERADE" : "DROP");
    */
    Note not an issue for me - I was happy before with "enabled"...
     
  52. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Okay, that is exactly how I thought things work. Now, what do you mean by "PC1 can access PC2 using www.* as well as any other port on the machine that might be open locally on the lan also"? Sounds to me like port 21 in my scenario would fall in that category.

    Maybe it would be easier if you gave a scenario that would behave differently when in enabled mode and forward only mode (ignoring the current bug). Sorry if I'm being hard-headed here, I'm just trying to understand.
     
  53. j.m.

    j.m. LI Guru Member

    The NAT Loopback setting has generated a lot of discussion. Please be aware that most people probably shouldn't be concerned about it. It only applies in narrow circumstances (using one PC on your LAN to access a server on another PC on the same LAN by its WAN IP/domain name).

    The bottom line is that most people should set NAT Loopback to "Disabled" or "Forwarded Only" (at least once the port translation issue is fixed). If NAT loopback is set to "Enabled," you will have problems reliably browsing a Windows peer-to-peer SMB Workgroup with wireless clients (i.e. browsing for files you have shared on another Windows PC on your LAN). You will likely also have problems with UPnP discovery of wireless devices. In fact, anything that uses broadcasts will probably be broken. Understanding why requires more knowledge of iptables than most people have or need to know.

    In short, I believe the problem is that when a wireless client sends a NetBIOS broadcast, it ends up going through the router before getting sent out to the other clients in the peer-to-peer Workgroup. With NAT loopback "Enabled," iptables changes the source address of the broadcast packet to the IP of the router. Thus, when other clients respond to the broadcast, they respond to the router rather than the client that really sent the broadcast. The router drops the responses. I am no iptables expert, so this is just my guess. In any event, "Enabled" does break Workgroup browsing by wireless clients. I and many others have noted this effect, and it has long been recommended to fix it by disabling Loopback (aka Filter Internet NAT Redirection in the original Linksys firmware). See:
    http://hardware.mcse.ms/showthread.php?s=&postid=290749
    http://www.linksysinfo.org/forums/archive/index.php?t-32022.html
    Note that the "Enabled" setting apparently also breaks PPTP.

    Once the problem with port translation gets fixed, there is little reason not to use "Forwarded Only." It is the best way to do loopback without breaking other things and is the way recommended in the iptables documentation.

    By the way, for ther poster who noted that the "Disabled" setting appears to be broken in 1.13, it was also broken in 1.11 in my experience (though perhaps in a different way).
     
  54. Sunspark

    Sunspark LI Guru Member

    It was fun to learn something new. I didn't know what 'Loopback' was prior to 1.13.

    Thanks for educating us.
     
  55. jsmiddleton4

    jsmiddleton4 Network Guru Member

    j.m.

    But if disabled is broken why are we setting NAT to disabled?

    Is there a command we can use via telnet access to disable it?
     
  56. mstombs

    mstombs Network Guru Member

    Note: From the source-code I cannot explain how my LAN PC could communicate with the router using its WAN IP with NAT Loopback disabled - I now wonder if that will still be true if I rebooted (maybe the enabled rule doesn't get flushed?).

    I also cannot explain why enabling NAT Loopback seemed to help some users who couldn't get LAN dhcp (which works using udp) to work, see

    http://www.polarcloud.com/tomatofaq#why_cant_my_computer_get_an_ip

    and various threads where enabling nat loopback has worked.

    seems counter to what others say about upnp and device discovery.

    Are the problems related to the iptables/netfilter "hidden" issue - which I recall from years ago to do with arp responses from multiple interfaces.

    Someone needs to do some proper testing with wireshark (was called Ethereal when I last used it) or tcpdump...

    Can anyone point out threads where upnp and netbios browsing were broken before? Certainly upnp worked for me before with nat loopback enabled. Netbios browsing has been an issue that I put down to windoze updates/firewalls!
     
  57. j.m.

    j.m. LI Guru Member

    I can. The packets hit the iptables firewall then traverse the iptables PREROUTING chain where no rule matches. The default policy there is to ACCEPT, so it moves on to either INPUT (if destined for the host/router itself) or FORWARD (if destined for a device on the LAN). Since the destination is the IP of the WAN interface of the router, the packet apparently is routed through the INPUT chain, which contains an ACCEPT rule for all traffic coming in from br0 (LAN+WLAN). This rule matches the request from your LAN PC, and it is ACCEPTed.

    FWIW, I suspect that "Disabled" has been broken in the manner you note for quite some time. It was definitely broken in 1.11.

    I am guessing these problems were a result of the DROP rule that was inserted with loopback disabled using the old code (the part you noted was commented out in 1.13). That DROP rule was not an effective way to block loopback from what I can tell and may have had unintended side effects.

    I cited some threads regarding NetBIOS browsing being broken by loopback above. At one time or another, this problem has existed in the Linksys firmware and most/all of those based on its source code. I have personally been involved with threads discussing it with Sveasoft and DD-WRT. Both have fixed it using the "Forwarded Only" method, which again is how the iptables documents suggest doing it.

    UPnP has worked for me as far as dynamically opening ports, but device discovery has always been problematic with loopback enabled. The problem is that the iptables rule used with the "Enabled" setting causes, under certain circumstances (perhaps only when wireless clients are involved), the router's IP to be used in the UPnP discovery response. This was a big problem years ago with a program called DVArchive, which used UPnP to discover all ReplayTVs (a DVR similar to Tivo) on a LAN.
     
  58. mstombs

    mstombs Network Guru Member

    OK,

    I'm very interested in the netbios issue - will look further into that. I don't have extra upnp devices so not seen that problem - but it looks to me like the NAT Loopack "enabled" could be breaking the broadcast discovery messages by forwarding & retransmitting the same udp broadcasts with MASQd source address? which would be a bug not a feature!

    And if the "disabled" DROP command was breaking dnsmasq dhcpd replies then LAN dhcpc shouldn't have worked for anyone with NAT loopback not enabled so FAQ comment should be stronger!

    Edit: Should anyone want to block access to the router using the WAN IP address from the LAN then this command seems efective:

    Code:
    iptables -I INPUT -i br0 -d ! 192.168.0.1 -j DROP
    where 192.168.0.1 is the IP address of your router
     
  59. Sunspark

    Sunspark LI Guru Member

    Don't disable NAT loopback in this version.. forwarded only, or enabled.

    My mom was trying to attach some images to her gmail webmail w/ Google and it wasn't working with NAT loopback set to 'disabled'.. turning it to forwarded (and enabled would work too) allowed the attachments to be uploaded to the email.

    I didn't do further testing, but given that she had this problem 2+ days in a row and it worked when I changed the setting makes me go hmmm.
     
  60. ivo_1985

    ivo_1985 LI Guru Member

    Jonathan Zarate
    Excellent work! Thanks a lot! This is firmware No.1 for me! :) Go ahead!
     
  61. wahur1

    wahur1 LI Guru Member

    Using this firmware for 4 to 5 days and i'm really disappointed when this thing restarted for almost 7 to 8 times :thumbdown:..

    Anyone facing this issue? or i'm the only one?

    If i'm the only one than please tell me the solution?
     
  62. cgondo

    cgondo Network Guru Member

    looks like it is your specific issue. Been rock stable since the first time the firmware is released. (I am one of those early adopters)
     
  63. Elbart

    Elbart LI Guru Member


    What are your settings, when is it rebooting, what version do you have, what router, etcetcetc. No info, no help. :(
     
  64. szfong

    szfong Network Guru Member

    You DO NOT specify what sort of router + version, do you own! I've narrowed it down somewhat.

    It's a driver issue causing random reboots, minus any power related issues. Use an older broadcom based firmware with older drivers, eg. Thibor 15c OR a newer broadcom based firmware, eg. dd-wrt v24 RC. This will only affect some older bcm4712 cpu WRT54G revisions such as some models of WRT54G v2, eg. WRT54G rev:xh.

    Solution (cheapest): Buy a new WHR-HP-G54 (if you still can find them) OR a WRT54GL, then flash with Tomato.

    Good Luck!

    -Simon
     
  65. MadPriest

    MadPriest LI Guru Member

    up and running
    Thanks!
     
  66. Vindicator

    Vindicator LI Guru Member

    The best firmware i have ever used. Rock solid until now :)
     
  67. jsmiddleton4

    jsmiddleton4 Network Guru Member

    Anyone know if there is a fix coming for what has been posted about some of the NAT loopback stuff not working exactly right?
     
  68. j.m.

    j.m. LI Guru Member

    Yes, it is coming whenever the next release is ready. Jon may be working on some other features/fixes before he releases it.
     
  69. Mercjoe

    Mercjoe Network Guru Member

    Been rock solid for me, till 2 days ago.

    I have a linksys WRT54G v2.2.

    I normally do not use the wireless functions but I have some friends over for the holidays with laptops and I decided to turn on the wireless for them.

    Ohhh boy. What a freaking nightmare. The last time they were here I had the 1.11 version on the router and things were ROCK steady. Now? They drop out several times a day. Not only that, but the router itself will randomly glitch, drop the internet connection, then regrab it after a few seconds. When I am on the control panel when this happens the web pages are unavailable. The uptime does not reset, but the connect time does.

    I have had about a dozen of these resets in the last two days. I will be flashing back to the older version tomorrow at this rate.

    Until I turned on the wireless I had absolutely NO problems.

    Yes, I have already reflashed it.. Same problem still exists.

    I cleared NVRAM and reentered the setting. It crashes MORE after I did that.
     
  70. jsmiddleton4

    jsmiddleton4 Network Guru Member

    Thanks j.m. Just curious....
     
  71. TucknDar

    TucknDar LI Guru Member

    Hi, just upgraded from 1.11 and everything seems good so far :) Very easy procedure! had uptime of 27 days with 1.11, which was the 27 days since I first installed Tomato, obviously ;)
     
  72. Mercjoe

    Mercjoe Network Guru Member

    Well, I flashed back to 1.11 soon after my last post and now things are rock steady again with absolutely NO wireless dropouts since then. I did not even have to reset anything. I just flashed and rebooted and everything is back to normal.

    Were there any changes to the wireless part of the firmware in 1.13? Any ideas on what may be causing this issue?

    It is only with the wireless enabled that any problems occured.
     
  73. j.m.

    j.m. LI Guru Member

    Please telnet into the router and enter the following command:
    nvram show | grep boardtype

    Post the output here.

    Also, with wireless enabled, please telnet into the router and run the following command on both 1.11 and 1.13:
    lsmod

    Post the output from each version here.
     
  74. Mercjoe

    Mercjoe Network Guru Member


    Here you go. I have the boardtype under the 1.11 telnet.

    --------------------------------------------------------------

    Tomato v1.11.1217


    BusyBox v1.2.2 (2007.10.29-21:46+0000) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    # nvram show |grep boardtype
    boardtype=0x0708
    # lsmod
    Module Size Used by
    cifs 190960 1
    tomato_ct 1136 0 (unused)
    wl 423640 0 (unused)
    et 28088 0 (unused)
    ip_nat_ftp 3712 0 (unused)
    ip_conntrack_ftp 4936 1
    ip_nat_rtsp 6656 0 (unused)
    ip_conntrack_rtsp 6344 1
    ip_nat_h323 2904 0 (unused)
    ip_conntrack_h323 2888 1
    ip_nat_pptp 2668 0 (unused)
    ip_conntrack_pptp 3452 1
    ip_nat_proto_gre 1888 0 (unused)
    ip_conntrack_proto_gre 2776 0 [ip_nat_pptp ip_conntrack_pptp]
    #

    -------------------------------------------------------------------

    Tomato v1.13.1252


    BusyBox v1.2.2 (2007.12.05-10:35+0000) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    # lsmod
    Module Size Used by
    cifs 190960 1
    tomato_ct 1136 0 (unused)
    wl 423640 0 (unused)
    et 28088 0 (unused)
    ip_nat_ftp 3712 0 (unused)
    ip_conntrack_ftp 4936 1
    ip_nat_rtsp 6656 0 (unused)
    ip_conntrack_rtsp 6344 1
    ip_nat_h323 2904 0 (unused)
    ip_conntrack_h323 2888 1
    ip_nat_pptp 2668 0 (unused)
    ip_conntrack_pptp 3452 1
    ip_nat_proto_gre 1888 0 (unused)
    ip_conntrack_proto_gre 2776 0 [ip_nat_pptp ip_conntrack_pptp]
    #
     
  75. j.m.

    j.m. LI Guru Member

    Thanks. There are two wireless drivers in Tomato--old and new. Some model routers work best with the new driver, others with the older one. I had a hunch that maybe 1.11 was loading one wireless driver for your router and 1.13 was loading another. However, it appears that both versions are loading the same wireless driver, so that must not be it.

    FWIW, I have no problems with wireless on a WRT54G 3.0, which is supposedly the same as a 2.2 other than the addition of the SES button.
     
  76. LLigetfa

    LLigetfa LI Guru Member

    Has anyone noticed that on the Buffalo WHR-HP-G54, the Advanced setting Enhanced RX Sensitivity actually makes it worse, not better? I get better RSSI and better Quality with it disabled (0x2758).
     
  77. Talon88

    Talon88 LI Guru Member

    :::

    (0x2758) means enable Enhanced RX Sensitivity
    as I remember.... Correct me if i am wrong.........!

    :::

     
  78. LLigetfa

    LLigetfa LI Guru Member

    Well... the Tomato GUI says Disabled. What does your GUI say?

    There is an ongoing discussion (debate) over at DD-WRT whether 2758 or 3758 enables it and I think Jon got caught up in the hype.
     
  79. apelete

    apelete LI Guru Member

    True, I have just noticed the same thing: getting better RSSI (thus better signal Quality) with Enhanced RX Sensitivity set to Disable.
    Jon must have got it wrong with the labels...
     
  80. Talon88

    Talon88 LI Guru Member

    :::

    Here is Mine :

    [At Tomato GUI]
    HP
    Amplifier - Enable
    Enhanced RX Sensitivity - Enable

    [At Telnet]
    # nvram show | grep boardflags
    boardflags=0x3758

    [WiFi Output Power]
    # wl curpower
    User Target: 10.00 dB
    Regulatory Local Max: 63.00 dB
    Regulatory Local Constraint: 0.00 dB
    Antgain used in Channel Max: No, channel is Conducted
    Regulatory Channel Max: 30.00 dB
    Min of User & Reg Limit: 30.00 dB
    CCK Power Boost: Off
    Srom limit B/G - CCK: 13.50 dB
    Srom limit G - OFDM: 13.50 dB
    Srom antgain B/G: 0.00 dB
    Last B phy CCK target power: 10.00 dB
    Last B phy OFDM target power: 10.00 dB
    Last B phy CCK est. power: 10.00 dB
    Last B phy OFDM est. power: 9.50 dB
    Srom limit A: 0.00 dB
    Srom antgain A: 0.00 dB
    Last A phy target power: 0.00 dB
    Last A phy est. power: 58.00 dB
    #

    These are the Data pull from my Buffalo_WHR-HP-G54_Router
    with Tomato v1.13. But I don't understand Some of the
    data means. So, don't ask me, Some experts may explain...! :smile:

    But as far as I know, the Flag of [Enhanced RX Enable] should be
    0x2758, not 0x3758 which is not a right value.

    Correct me if I am wrong.

    :::
     
  81. apelete

    apelete LI Guru Member


    That's exactly what LLigetfa and I were saying.
    When you enable [Enhanced RX Sensitivity] the boardflags got set to 0x3758, but it should be set to 0x2758, which is acheviable by disabling [Enhanced RX Sensitivity] setting.
    That's why we were saying that something went wrong here...
     
  82. bazzaho

    bazzaho LI Guru Member

    QOS throughput lower on 1.13

    I have been running 1.13 for a few days now but noticed that throughput of this firmware compared with 1.11 when QOS is enabled is lower :(

    I have a 20Meg connection and found 1.11 could reach pretty much upto 20 meg on 1.11 with QOS enabled but 1.13 can only get upto 13 meg with QOS enabled.
    Have some rules changed or driver in the build that could have caused this.

    Downgraded back down 1.11 as the throughput was important hopefully this will be fixed on the next build as this is the best firmware by far at the moment.

    Keep up the good work

    Baz
     
  83. szfong

    szfong Network Guru Member

    Tomato v1.13 Spontaneously Reboots in AP+WDS Mode

    I have a WHR-HP-G54, up for almost a week uptime. I added an additional AP+WDS to the mix and the WHR-HP-G54 lost wireless connection (spontaneously rebooted) and uptime was verified to be a few minutes. The setup mirrors the Tomato FAQ exactly. I have another AP+WDS network using Tomato 1.0X, and it has never rebooted on its own, that's very strange, so I swapped out the rebooting WHR-HP-G54 with another one (I have several), upgraded it to Tomato 1.13 and it also rebooted as soon as I repeated the procedure.

    Tomato 1.13 just seems to have introduced some instability compared to previous versions.

    -Simon
     
  84. apelete

    apelete LI Guru Member

    It seems Tomato 1.13 isn't stable at all, at least compared to 1.11.

    I've recently flashed a WHR-HP-G54 and Tomato has already rebooted two times in 4 days. I don't know what causes the reboots, but free memory available was 2.5MB a couple hours before I noticed the router did restart itself...
    I previously had a WRT54GL running 1.11 for 34+ days without even slowing down. I'm thinking of reflashing with 1.11, but are the internal HP and enhanced sensitivity turned on in that version ?
     
  85. sheerspt

    sheerspt LI Guru Member

    I have a ASUS WL500G Premium and installed the latest version of the Tomato Firmware 1.13 and noticed the following problem.

    -- Port Forwarding stops working with the other pc's that are linked to the router.


    I hope to make improvements on the section of the "PORT FORWARD" on this router ASUS WL500G Premium.

    Regards to all who made this firmware.
     
  86. szfong

    szfong Network Guru Member

    The other day, I added two fonera (dd-wrt rc-6) routers as WDS to my net, main router flashed once again with Tomato 1.13 as a test. Tomato spontaneously rebooted again. However afterwards, ran stable for more than 1 day, and now uptime is back to a couple of hours. Downgrading to Tomato 1.07 fixed the issue and is running stable so far.

    -Simon
     
  87. apelete

    apelete LI Guru Member

    Finally I flashed back to 1.11.
    It seems the boardflag is already set to 0x2758: HP On and Enhanced Sensitivity goodness by default :biggrin:.

    Tomato rocks.
     
  88. szfong

    szfong Network Guru Member

    Tomato 1.13 just seems to be more unstable than previous releases. So, upgrade with caution, test it on a spare router before using it on your main network. I sure wasted alot of time on it :-(
     
  89. Talon88

    Talon88 LI Guru Member

    :::

    For my case, v1.13 is same as Stable as before,
    But it fix the bug of broken "NVRAM Commit"
    at the GUI!

    :::
     
  90. szfong

    szfong Network Guru Member

    I guess I'll be waiting for the next release, before doing any more upgrading. Overall it's better than most any other router I have.
     
  91. pharma

    pharma Network Guru Member

    Version 1.13 has been very stable since it first came out in my home network. No wireless or rebooting issues .... :)
     
  92. szfong

    szfong Network Guru Member

    Tomato v1.13 Crashes Under Large number of Wireless Clients

    I just noticed that Tomato v1.13 will freeze/lockup if a large # of wireless clients are connected, even though the clients are simply browsing the internet, nothing bandwidth intensive is used. I searched around for similar occurrence and checked the version of Broadcom WL driver being used. It seems Jon still uses a relatively old version of the Broadcom Ethernet Controller & Wireless Controller Drivers. They are version 3.90.xx.0, I believe. Alot of issues that relates to stability under large # of users & heavy load are solved by the Broadcom 4.80.xx.0 drivers.

    Linksys has not upgraded their Broadcom drivers for a very long time in their GPL source code. They'd rather you buy one of their newer routers of course.

    Does anyone know if Jon is going to update the Broadcom drivers to 4.80.xx.0?

    -Simon
     
  93. JPorter

    JPorter LI Guru Member

    Excellent question.

    From what I understand, a lot of the improved performance in some of the newer router products is due to this driver change rather than any hardware design improvement.

    Jon, any thoughts? Or any from the peanut gallery?
     
  94. szfong

    szfong Network Guru Member

    On a couple of my WRT54G v1-v3, there Wireless Drivers are the following:

    Tomato v1.13.1252
    ------------------
    Broadcom BCM4320 802.11 Wireless Controller 3.90.38.0

    KAMIKAZE (7.09)
    ----------------
    Broadcom BCM4320 802.11 Wireless Controller 4.80.53.0

    DD-WRT v24 RC-6.1 (12/29/07) std (SVN revision 8727)
    -----------------------------------------------------
    Broadcom BCM4320 802.11 Wireless Controller 4.150.10.5

    The 4.80.xx.0 drivers, from the site indicates that they were upgraded because of stability & performance issues with the older 3.90xx.0 drivers. Does anyone know if the 4.80.xx.0 or the 4.150.xx.0 updated drivers are a drop in replacements for the older 3.90.38.0 driver, as a simple re-compile will suffice?

    -Simon
     
  95. szfong

    szfong Network Guru Member

  96. mstombs

    mstombs Network Guru Member

    Re driver versions

    Interesting - I've only just noticed the similarity of chipset/ drivers with those used in my Broadcom 43XX PC-card (WPC54GSv1), which suggests Broadcom will also now be up to 4.175...
     
  97. DeCex

    DeCex LI Guru Member

    Lets hope Jon will update the driver to latest stable version for his new build.
     
  98. Mercjoe

    Mercjoe Network Guru Member

    We need to be careful what we are asking for with our suggestions here.

    As I understand it Tomato is just a cleanup/otimization of code and adding a few new features to the stock code. I know the graphs and such were nice but if we are to start asking major driver updates and re-writes due to those updates, then we are going to be another DD-WRT or other custom firmware.

    We are going to stop having this fast and lean firmware and start bloating ourselves into things that we LEFT when we found this project.
     
  99. szfong

    szfong Network Guru Member

    Driver updates won't necessarily add any new features, it just will make it more compatible when deployed in an environment where clients with different chipsets and various wireless driver versions can cause Tomato to freeze or spontaneously reboot. I had an 802.11b pcmcia card that will cause Tomato to lockup every time it is connected. I've since replaced it. I just hope the next WRT54GL GPL sources will include newer wireless drivers, which will probably not happen. For example my Broadcom-based Linksys PCI card drivers has not been updated by Linksys for more than 3 years, yet I upgrade it using Dell & HP drivers. With the old Linksys/Broadcom drivers I was getting random disconnects and consistently connects at 18-24Mbps, newer drivers allowed me to get 36-48Mbps connectivity from two floors away, of course actual speed is about slightly more than half of connected speed.

    -Simon
     
  100. jsmiddleton4

    jsmiddleton4 Network Guru Member

    Any word on the fix for the NAT loopback thingy?
     

Share This Page