Hi, I would really like to get fwknop working as it seems to offer superior security over other methods of opening external ports. Basically you have fwknopd running on Tomato and use a fwknop client which sends a packet to tomato with the port forwarding instructions. The ports will open for 30 seconds by default to allow new connections from your client's IP address (or any that you specify). The client is available for Unix, Windows, Andrioid, etc. The beautiful part is fwknopd can listen for the port knock while the port is closed (eg DROPed traffic) and the packet is encrypted with a shared key. So defeating this is very difficult. To install download the binary from https://www.multics.minidns.net/tomato/PRECOMPILED-static/fwknop/fwknopd and put it on your router (thanks to rhester72 for compiling this). Create a fwknopd.conf file on tomato: Code: ACCESS_FILE /tmp/mnt/router/apps/fwknopd.access PCAP_INTF vlan2 PCAP_FILTER udp dst port 62201 With ACCESS_FILE set to the location of fwknopd.access. The fwknopd.access file on tomato looks like: Code: SOURCE ANY KEY mysecretpassword FW_ACCESS_TIMEOUT 30 Then start fwknopd on tomato like so: Code: ./fwknopd -v -c fwknopd.conf To see documentation go to http://cipherdyne.org/fwknop/docs/manpages/index.html Then from your computer from outside your WAN use the fwknop client like so: Code: fwknop -R -D <your-tomato-IP> -v -A tcp/2222 --nat-access=192.168.1.6:22 This will allow new incoming connections for 30 seconds from the IP of your client (with "-R") to connect to tomato's port 2222 which will forward to port 22 of the internal computer 220.127.116.11. But when I do this I get an error that iptables doesn't support '-m comment --comment blah'. Thinking the comments might not be required I removed them from the source code but it doesn't work correctly because the iptables comments are used find the iptables to close the ports. Does anyone know how to get 'iptables' to support '-m comment'? Or is there some other way to get this working? Please share. Thanks.