Tomato and a ton of questions

Discussion in 'Tomato Firmware' started by haarp, Feb 1, 2009.

  1. haarp

    haarp LI Guru Member

    Greetings. I'm the owner of a brand-new WRT54GL. Heard a lot about those devices and decided to get myself one.
    After a few runs with the stock firmware and DD-WRT, I finally settled on Tomato. Small, fast, and clearly laid out, that's what I like.

    It's working pretty well so far, but great things are to come for that little router. On top of that, problems arise. I'm hoping that you guys can help me with at least some of those :)
    Here we go:

    a) My machine is running proftpd with masquerading as my WAN IP address. Since that address can and -will- change quite often, It needs to be updated (simply reloading proftpd's config will do). Is there a way so Tomato tells my machine to do that when it gets a new address? I know about the WAN-up script section. Does it get executed everytime the WAN is renewed or only once on first connect? Has this ever been done or do I have to hack up my own script to do that? Which way of communicating with my machine would you use?

    b) P2P needs some ports forwarded, but I don't want them forwarded all the time, only when the P2P client is running.
    When I forward ports in Tomato's Web GUI, what is the command run in the background? If I manually execute those commands in the backend, say, per SSH, will the web interface be aware of it?
    Once again, I need to communicate between my machine and the router, this time the other way around. Ideas? I was thinking passwordless SSH (-of course- with key authentication) and scripting

    c) Wireless Radio is enabled at boot, but I configured the Cisco button at the front to be able to toggle it. I would like it to be disabled at boot, but I can't completely disable Wireless since I want the button to still work. DD-WRT offered that option.

    d) QoS detail view should display the classification rule that is applied to a connection. That would really help with troubleshooting.

    e) Device List often decides not to show hostnames, especially for non-DHCP clients. I think those names should be resolved anyway and be shown. With many clients on the network it becomes confusing to make out who is who.

    f) I QoS'ed a MAC address. The machine behind it opens a lot of UDP connections to machines all over the world on various ports (P2P? no idea) which are -not- caught by this rule. I need the same filter for the IP aswell to catch those. Yes, they were all at the top of the QoS rules. Do I smell a bug?

    g) Similarily, those UDP connections are not blocked by Access Restrictions. Even when I block all of the Internet for it everday all day, there are still new connections established.

    h) There are a bunch of Mods for Tomato. Why don't the authors release source patches for their works? This way, everyone could (if they want to bother) compile their own firmware with the stuff they want, and not the stuff they don't want, but the Mods change aswell :)
    For instance, I would appreciate a patch that enables you to overclock your WRT. Victek's mod can do that, but I don't want all the other stuff in it (no offense :) )

    i) I was planning to add temperature logging to my WRT with lm_sensors, an I2C bus and 2 sensors on that bus. That will require me to add some hardware components. Opinions? Is it feasible? I know that flash space is critical.

    Thanks for any help you can give me ;)
  2. samuarl

    samuarl Addicted to LI Member

    b) under port forwarding try triggered ports
    d) under view details in QOS the last colum shows which class a connection fall into

    hope this helps.
  3. haarp

    haarp LI Guru Member

    Cool idea. But it doesn't work properly. The port gets opened once when the Bittorrent client starts, but closes again after a few minutes and stays closed. Sometimes it opens again occasionally, but most of the time it is closed

    I know. But I'd like to know which classification rule was responsible for the connection to fall in that class in first place.
  4. phuque99

    phuque99 LI Guru Member

    Get a torrent client that supports upnp and turn that on in your router.
  5. haarp

    haarp LI Guru Member

    Changing the client is not an option.
  6. mstombs

    mstombs Network Guru Member

    a) The WAN-UP script runs every time the wan reconnects - the Firewall runs every time as well, slightly before the wan comes up.

    Put this in your WAN-UP script to log each new IP that appears

    logger "WAN Up: New IP address is $(nvram get wan_ipaddr)"
  7. Eiríkr

    Eiríkr Addicted to LI Member

    I understand your concern, but how do you propose that Tomato should find out the hostnames for non-DHCP clients? A DHCP client basically says to the DHCP server, "hi, I'm XXX, can you give me an IP?" This allows Tomato's DHCP/DNSMasq daemon to find out hostnames -- but only for DHCP clients.

    If you want to hard-code specific addresses on the DNS side of things, that should conceivably be do-able, provided you're familiar with DNS config files and what DNSMasq might do with them. I personally have no real idea how DNSMasq is configured, but ostensibly this site should help:


    -- Eiríkr
  8. haarp

    haarp LI Guru Member

    I am aware of that. However, the hostname can still be resolved afterwards, just by asking the machine. I highly doubt that this would mean much additional load on the network/CPU, and it could even be done on a manual basis, just like the QoS detail viewer does right now.

    Thanks for the info. I guess all kinds of things can be queried by using the nvram command.
    The logger itself seems unneeded. pppd already logs the new IP. Since I'm sending the router's syslog to my machine already anyways, it should be trivial to monitor it for this line. Great idea tho, thanks.
  9. Planiwa

    Planiwa Network Guru Member

    DDNS lets you associate a domain name with your router, such as "". Just refer to it that way and forget IP addresses. Tomato has a DDNS client that auto-updates at WAN-Up.

    I like No-IP.Com -- easy to set up, and doesn't want to run your life.

    Look at /etc/iptables about port-forwarding.

    wl radio off

    Most users are oblivious of what connections are, and the crucial role they play in the well-being of a router and local network users. Tomato's QoS has simple, attractive, plausible, easy-to-use, but imperfect tools for visualizing connections. There is a huge problem with "unclassified", and the difference between "source/destination" and "local/distant" in the connection/flow.

    This *may* give you some of what you want:

    iptables -nvL QOSO -t mangle

    I convert all hosts to static IP, but some have "*" or some other nondescript "name". Even after I assign a name and it appears in dnsmasq, some hosts somehow override it, so it doesn't show up in Device List. But it does show up in iptables.

    Yes. I'm in the process of learning more about the specifics of this problem so that I can describe it clearly.

    Also, there are gaps in the iptables rules that have been offered for limiting connections. This relates to my comments in (d). (Quoting Mash's Radar: Incoming!)

    For some reason, even though everyone always talks about P2P, port forwarding, and UPnP, there seems to be a blind spot about reverse flows! (more on this latter)

    Some of these things are just simple one liners that may not be obvious. Perhaps we should have a Tomato wiki? (BTW, serious flaw in dd-wrt wiki on connection counting.)

    I'll pass on that one. But I like the mod that adds 1GB of NVRAM on Victek's site.

    Some facts about connections:

    1. Most connections are stale.
    2. Connection storms last only a few seconds.
    3. Connection counting is buggy and poorly understood.
    4. The common rules to limit connections are incomplete.
    5. There are issues with connections displayed in QoS. (And Adv>CT/NF).
  10. haarp

    haarp LI Guru Member

    Big answer. Thanks for taking your time to reply :)

    I'm already using The problem is not WHAT my new IP is, but WHEN it updates. But I think I got it solved by monitoring the syslog...

    Cool, I put that in the init script (+ sleep 3) and it works pretty well. It's still kind of dumb to enable Wlan just to disable it again, but it works. :)

    What's that last problem (with source/destination)? Never heard of it. Could you elaborate?

    That's interesting, but essentially the same as the Web interface. What I meant was in the connection tracker for QoS, display the rule (which can be shown, for instance, with above command or in the GUI) so I can troubleshoot WHY a certain connection fell into a class. I know, it's more of a wishlist-type request, but let me dream... :D

    Mhh. If you ask me, this could be considered a bug then.

    Sorry, I kind of mis-asked that question. My Tomato is currently overclocked already. The command for that itself is nor problem. But what I'd like to have is an entry in the web interface for it. The same goes for a lot of other things. A simple source code patch should be enough for almost all of those.
    Yes, I'm a perfectionist :)
    For instance, I would also like a patch that shows the status of Port-triggering. So you can actually see in the web interface whether it is triggered atm. Or show the time when the connection was established in the QoS connection viewer. I am aware that most of that is possible by using the cLI, but that's not the point

    Sounds cool, but I can only find a Youtube link. More infos please

    Got one more question: Is it possible to set one port of the switch to receive all traffic on the net, even if the destination is NOT on that port? The goal is to run a packet sniffer on that to monitor the traffic itself (including packet contents)
  11. Planiwa

    Planiwa Network Guru Member

    OK. I actually have this in the WAN-Up script:

    echo "GET /FOO-$(date '+%Y-%m-%d.%H:%M')-BAR-Start" |nc 80 >/dev/null

    Then on the distant system it gets extracted from the error_log. :)

    Conversely, the other side could ping every minute and note the change.

    What the QoS View Details list calls "Source" isn't. Similarly in the Classification, if you specify "Dst IP", it's mistranslated. But, as I said, I'd rather make some precise statements for the developers than confuse people here. After all, there's been 2.5 years of confusion about "Unclassified", started with someone asking "this looks wrong", and pretty much putting his finger on it. Then almost everyone else insisted on denying and detracting from the real problem. Perhaps I should add that a CONNTRACK entry for a connection includes two flows, two sources, two destinations. And, while on a SOHO network, ordinarily source==local, "it ain't necessarily so".

    For troubleshooting I would suggest separating your rules into separate classes.
    You may have to collapse other classes while probing, of course. Another thing you can do -- I do this -- is to make iptables rules to mirror what QoS does. Just to get the counts.

    QUIZ:, do you know how many connections your router made in the last hour? day? minute? Where in Tomato would you get that information?
    Or even a connection-high-water-mark?

    I'd rather have developers focus on important fixes/changes that I cannot easily do myself with minimal effort.

    As in -- make it work right before making the wrong answer look fancier. But even saying this much is saying too much. :)

    In any case -- make a wishlist and let the developer(s) decide. :)
  12. phuque99

    phuque99 LI Guru Member

    Is this the official forum and feedback discussion with the developer(s) of the original Tomato firmware?
  13. rhester72

    rhester72 Network Guru Member

    No. His contact e-mail address is available from his official site.

  14. haarp

    haarp LI Guru Member

    True. I just noticed that people can't download stuff anyway when masquerading is on. So this essentially becomes irrelevant for me

    Meh. that's far too much work and fiddling for something that I don't think should be too hard. But I understand that the dev is busy with other things and wants to keep this small.. :)

    Well, that's exactly my point! If we had a decent patch repository for Tomato, Everybody could submit patches for things they deem important/useful and others could build their own builds that perfectly suit their needs. Overclocking was just an example. What I had in mind was making all the custom Tomato builds unnecessary by converting their added functionality into patches allowing everybody to use just what they really need. Those responsible for the custom builds could also focus their efforts on patches instead of making full builds, thus freeing their time (which they can use to improve the patches, for instance) We would have no need for our main dev to work on it. Of course the builders would still be able to build their own custom versions -and more- if they wish to do so.
  15. mstombs

    mstombs Network Guru Member

    So what's wrong with the Git repository? Seems Ideal for anyone to roll their own, but not sure if the sole developer of unmodified Tomato (jon) uses it yet. As I am not flash challenged I'm not too bothered with non-intrusive mods that can easily be disabled! Tomato should never become a competing offering to OpenWRT or dd-wrt, should stick with its slick web gui and fast/stable operation.
  16. haarp

    haarp LI Guru Member

    That's actually a good idea. I was thinking of something more user-friendly tho...
    Kind of making the whole Tomato firmware modular with those patches. This way, those that don't need some functionality could easily just leave it out and get the fastest and smallest firmware possible :)
    Only wired network? Leave out Wireless-core and wireless addons. No need for QoS? Leave its core and the addons out. Want overclocking support? Add the OC patch that allows you to overclock via the web interface. Something like this...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice