Tomato for ARM routers

Discussion in 'Tomato Firmware' started by kthaddock, Feb 28, 2014.

  1. shibby20

    shibby20 Network Guru Member

    haha ... dreams :)
     
  2. RMerlin

    RMerlin Network Guru Member

    SDK7 still uses the 2.6.36 kernel, although with a few additional changes from Broadcom - I haven't tested yet to see if these changes would be backward compatible with SDK6. Asus is using a separate kernel tree for SDK6 and SDK7.

    Adding support for SDK7 is certainly possible - the amount of changes is lower than the switch from SDK5 to SDK6. But it's another one of these projects that require hours of work and weeks of extended testing.

    As for whether Asus will migrate existing models to SDK7 or only the newer AC3200 (which requires it) - I don't know. I know that in the past they were planning to migrate at least the RT-AC68U and RT-AC87U to SDK7 (which brings amongst other things improvements to USB performance), but the BCM4630 support in SDK7 was broken, so Asus had to wait for Broadcom to fix it. No idea if they eventually did fix it.
     
    pharma, The Master and shibby20 like this.
  3. stuffedtiger

    stuffedtiger Reformed Router Member

    disregard this post.
     
    Last edited: Feb 9, 2015
  4. Mr.CTT

    Mr.CTT Serious Server Member

    Last edited: Feb 9, 2015
  5. Moogle Stiltzkin

    Moogle Stiltzkin Networkin' Nut Member

    can someone plz explain to me the current situation like is all routers from now on going to be arm and ralink cpus ? and did the older broadcom cpus (e.g. like E4200 get phased).

    also what exactly will be the difference between these cpus on the router e.g. features

    is arm firmware stable yet like on older based routers e.g. E4200 v1 that still use older rt-n firmware? Or when do you reckon it will be as stable :X ? cause from what I've seen some people say that the arm tomato firmware is worse performance than the stock on the netgear R7000. not sure if that's changed yet.

    newb here so apologies upfront if some of what i said makes no sense x_x; lelz.
     
  6. shibby20

    shibby20 Network Guru Member

  7. The Master

    The Master Network Guru Member

    Uptime@R7000
    0 days, 01:39:40
    with v125 :)

    THX Shibby
     
    Last edited: Feb 10, 2015
  8. XVortex

    XVortex Networkin' Nut Member

    Thank You! Testing on WS880. Seems all OK.
    Do not forget to commit changes to your git, please.
     
  9. shibby20

    shibby20 Network Guru Member

    Of course I will, but first I want to be sure that all features work OK and I didn't break something.

    If someone tests the new 4G/LTE feature, please let me know the result: is it working for you or not, and which LTE modem do you use? This feature should support all modems which are using the cdc_ncm and cdc_ether modules. For HiLink modems you have to disable the PIN!

    Best Regards.
     
    The Master likes this.
  10. dskete

    dskete Reformed Router Member

    Any change in the 'ping' behavior on the R7000 with v125? One theory proposed in the other thread was that dnsmasq might be causing this problem. Thanks.
     
  11. myersw

    myersw Network Guru Member

    I agree. Seems like Shibby is the only one doing any work these days. I have always liked Tomato but I am running Kong's DD-WRT builds, currently 26190, on my R7000 and it just works. Things like high ping times and not having active bandwidth monitor are some of the reasons why I have moved away. Not sure at this time if Shibby by himself can get everything working on the ARM routers and do not see anyone else working actively. I used to like Victek's mods but it looks like he is not doing anything anymore judging from his web site.
    It was a nice ride though while it lasted.
    --bill
     
  12. MrDoh

    MrDoh Addicted to LI Member

    I didn't see any difference in ping time behavior when I had finished configuring v125...still random until I did some reboots. Also, IPv6 didn't work for me on v125 (first version where that was the case), but I'm not sure why at this point.
     
  13. myersw

    myersw Network Guru Member

    Where did you get v125? Only see v124 on Shibby's site.
    --bill
     
  14. MrDoh

    MrDoh Addicted to LI Member

    Try clicking on "reload" in your browser *smile*.
     
  15. ghoffman

    ghoffman LI Guru Member

    shibby tomato v 125 up on ac68u. thank you devs and the "tomato arm team"
     
  16. myersw

    myersw Network Guru Member

    Head slap!!!!
    See reports ping issue still there and do not see indication in change log that active bandwidth monitoring has been added so will stay with DD-WRT for now. Was hoping when I saw a new build that things might have changed.
    --bill
     
  17. LanceMoreland

    LanceMoreland Network Guru Member

    I had issues with IPv6 as well on ver. 125. Lots of address not available errors in the log files. I am on Comcast if that matters. I reverted back to ver. 124

    Edit: Everything is working well on ver. 125 now, See post #1267 below.
     
    Last edited: Feb 15, 2015
  18. IcyTexx

    IcyTexx Serious Server Member

    Is it possible to tag VLAN ID 100 to WAN port on DD-WRT?
     
  19. godraab

    godraab Networkin' Nut Member

    v125 is the first build where IPv6 works for me.
     
  20. tvlz

    tvlz LI Guru Member

    Did you try it after you removed all of the Comcast specific scripts/workarounds, they might not be needed anymore?
    You might also need to turn off IPv6 for a while (a few hours/overnight) if you request a larger prefix (/60) for the Comcast servers to change the prefix size.

    About the pings, can somebody set wl_dispatch_mode=0 in nvram and see if that has any effect?
     
  21. LanceMoreland

    LanceMoreland Network Guru Member

    I can tell you that without the firewall script I was unable to obtain IPv6 addresses on my devices. I will play with it more this weekend.
     
  22. MrDoh

    MrDoh Addicted to LI Member

    I've already reverted the R7000 from v125, so can't do any further tests at the moment, but as I said, I didn't know what the reason for IPv6 not working on v125 was. I'm now thinking that Comcast has screwed things up, since I can't get IPv6 to work on my R7000 on any firmware, whereas IPv6 works fine on my RT-AC68P. So I think that there's something going on with Comcast with that. I've been using 3 different routers and various firmware, which I think may have created a problem with Comcast mapping the /64 IPv6 prefix that they give me to what they see on my end. IPv6 has worked on the R7000 on every other Shibby version that I've tried, so I don't have any reason to believe that this is a firmware problem.
     
  23. rickmav3

    rickmav3 Serious Server Member

    DD-WRT is a total mess right now. New beta test builds coming out almost every week, every build is trying to fix and improve the firmware but it breaks even the basic features long working before. Spending hours to install, test and trying to make same settings work on the new builds, reports on newly broken features don’t get any attention from the devs. ARM support is beta in both Tomato and DD-WRT, there are some things working better on each firmware, but for MIPSR routers Tomato is superior.
     
    pharma, MrShimpy and The Master like this.
  24. Mr.CTT

    Mr.CTT Serious Server Member

    Don't forget about merlin!
     
  25. Nick G Rhodes

    Nick G Rhodes Addicted to LI Member

    DD-WRT betas are working great on my AC56U (better than stock/merlin or Tomato for my uses), are you using an R7000 (they do seem very problematic)?
     
  26. Mr.CTT

    Mr.CTT Serious Server Member

    I believe he was talking about the R7000.

    If you prefer DDWRT, you should download Kong's version, I believe it is quite stable last I heard. I prefer Tomato :)
     
  27. zorkmta

    zorkmta LI Guru Member

    Is there any version working "recent search" or webmonitor by IP?
    Tomato on arm is wip related. I tested in R7000 and Asus ac56u ddwrt and merlin, neither have it.


    Sent from my D6653 using Tapatalk
     
  28. Netwet

    Netwet Reformed Router Member

    I have been testing tomato arm on the R7000 for a while, it is missing basic features like reset button support, fully working leds etc..
    Comparing DD-WRT and Tomato for arm right now is a joke. The first dd-wrt beta that I tested was way better than current tomato builds.

    If you are talking about devs not listening, then how about we talk about the ping issue, how about fixing reset button, how many people had problems after flashing because the reset button does not work. Tomato is indeed beta on arm and to me it looks like it will never get out of that stage.

    DD-WRT on ARM has been very stable from the beginning with the exception that some client hw caused random reboots. But that issue has been fixed by the "not" listening devs.
     
  29. crusher9

    crusher9 Reformed Router Member

    Recent search works on my ac56u. But you can only monitor http (no https). The feature is almost useless nowadays
     
  30. WaLLy3K

    WaLLy3K Serious Server Member

    Looks like I can finally take advantage of 5Ghz 'AC' on my ASUS RT-AC68U. Nice!
     
  31. MrShimpy

    MrShimpy Connected Client Member

    You should build tomato, and then you should try to build dd-wrt.
    With tomato you will have success.
    With dd-wrt you will fail and ask questions which will never get answered.
     
    pharma, rickmav3 and Engineer like this.
  32. Nick G Rhodes

    Nick G Rhodes Addicted to LI Member

    I think the devs are listening, but it is hard to develop and fix the ARM builds as they are ports of Tomato, merging the kernel and modules from ASUSWRT (which has no historic compatibility like the broadcom-mips builds), the devs have done a great job to get the arm builds into their current state, and I am sure would make more progress if they could.
     
    rickmav3 likes this.
  33. Nick G Rhodes

    Nick G Rhodes Addicted to LI Member

    Yes I was using Kong, switched to the beta builds late last year - seem equally as stable. With kong being a bit more experimental (trying newer SDK), I am sticking with the beta as I need a pretty stable router for when I am on call (cisco/systems support).
     
  34. Mr.CTT

    Mr.CTT Serious Server Member

    That isn't fair to @shibby20 or to Merlin, he (or they) are 1 person each supporting many different requests and devices. The ping issue sucks, I will say that, however it isn't really his fault. Netgear is not giving out the source code for the patches they did allowing him and others to patch it. DDWRT is on the 3.x kernel, Tomato is on the 2.x kernel. Any code specific things that cannot be tweaked, need to be back-ported in order to work for us even if they should give them that information... it is apples to oranges and a crap ton of work... I have been following the Tomato Firmware thread and Merlin did some back porting of stuff, but I am not sure what it includes. There was a different driver released, so that could lead to a potential fix, but as far as how it translates to tomato I am unsure yet, and I haven't seen Shibby say he has an answer.

    Why fix the reset button when there are a lot more important features that are down? Seriously... If you want to reset it, go to the GUI, or Telnet... If you want to reset the NVRAM go to "Administration"->"Configuration"-> "Restore Default Configuration" -> "Erase all data in NVRAM Thorough". It works, and you don't have to time it with a watch (I generally do it twice to be safe and haven't had a problem {2x before & 2x after})

    Both of these options should by all rights be faster than using the reset button because they save you the time of walking to the router, taking it down from the high central/strategically designated place you have it so no one can easily bump, hit, touch, or break it, then push buttons and put it back to that place. You could easily use a cellphone to do this in seconds, so availability of a computer should not matter, and the normal person should have their phone on or near them at all times in the event someone in their family needs help or to contact them.
     
    Last edited: Feb 13, 2015
    rickmav3 likes this.
  35. MrDoh

    MrDoh Addicted to LI Member

    While it keeps me from using tomato, I understand that Shibby cannot reproduce the R7000 ping time issue at this point at his place, so he can't really work on it. That's one of the reasons that I got the RT-AC68P, in hopes of being able to use it with tomato ARM firmware. And yes, it is nice if the "reset" button works if you can't log into the web interface and/or the router is wedged in some way that a power-cycle doesn't clear. However, I haven't had that happen while I've been using tomato, so that isn't my top priority, either.

    But that's okay, dd-wrt is out there working well, and it was when Shibby released his first ARM version. If you like that, no reason not to use it. While I like the tomato GUI better and would rather be using it, dd-wrt is based on a later kernel, and just had a step-up in stability with new wireless drivers. The newer kernel in dd-wrt solves one of my Comcast IPv6 issues that I still need to put in an ip6tables rule on tomato deal with. Obviously not a big deal, though.

    What I'm trying to say is that if you don't like what's happening with tomato ARM firmware, there's no need to come here and run down the developer. Calling his work a joke may make you feel better, but it doesn't help anything (and isn't true, either *smile*). Just go and use the more advanced, more stable dd-wrt and be happy...developers, like all people, make a lot more progress with good morale and support than by being told how things are horrible and they'd better listen to you so that they can get things fixed. They are told about problems, and are working to fix the problems as they can with the tools that they have. No reason to make people feel bad, especially if you have an alternative that's as good as you do. Go and enjoy it!
     
    ipse, Toastman, pharma and 2 others like this.
  36. rickmav3

    rickmav3 Serious Server Member

    Not only about building. Many questions or problems reported there get no replies or if lucky either of "yes, it's working" or "you should search". Tomato is again here vastly superior, you get many solutions even from previous threads as many knowledgeable members have already offered detailed help.
     
  37. rickmav3

    rickmav3 Serious Server Member

    Got the same non working LEDs, non working access restrictions and other maybe minor inconveniences but on DD-WRT. Still I will certainly not call any hard work of these devs free projects Tomato or DD-WRT a "joke". They give home or SOHO users high class features on their consumer routers. Calling any of them "a joke" makes at least this post of yours a... real sad joke...
     
  38. Mr.CTT

    Mr.CTT Serious Server Member

    Also, unless you have a justified reason to do so, neither of you should be double posting in the manner you are (@Nick G Rhodes & @rickmav3). You can easily put both of the double posts you guys/gals did, in a single message and the edit button and reply button after highlight are there for the multiple quote reason. All you have to do is highlight what you want and hit the reply button when it pops up. If you already posted, cut it from the reply area you type in, then paste it into your post via use of the edit button. I appreciate your comments rickmav3, but if I criticize one person, I must criticize them all. I am not 100% innocent of double posting, but I try very hard not to do it and usually only do it to separate very long posts for easier reading/comprehension or to bump something if it doesn't get answered after 12-24+ hours based on urgency.

    the darn things are like weeds, you don't stop one, another pops up.
     
    Last edited: Feb 13, 2015
    rickmav3 likes this.
  39. Netwet

    Netwet Reformed Router Member

    Sure if you can reach the gui or the router via telnet that works, but not if you cannot access the router e.g. you forgot your password, misconfigured it etc. then you are fu***
     
  40. Netwet

    Netwet Reformed Router Member

    Not sure what router you have but on my R7000 LEDs and all buttons work. I'm using time based schedule to restrict access of my son's tablet thus access restrictions are working fine for me.
     
  41. Engineer

    Engineer Network Guru Member


    From Shibby....

    • Do this:
    • 1) run router and wait 2-3 minutes
    • 2) push and hold wifi on/off button for 25 secs - this will enable a "backdoor" access to the router.
    • 3) use putty and connect via telnet on port 233 and log in to router without password
    • 4) run command: nvram get http_password (login's value: nvram get http_username)
    • 5) use result as password
    • 6) when you log in to tomato remember to erase nvram

    What I don't know is if you can run other commands while on the Telnet session or not (I'm assuming so).
     
  42. Nick G Rhodes

    Nick G Rhodes Addicted to LI Member

    I tend to reply separately out of habit, I only get a few minutes here and there during the day (evenings is different) and don't always have time to read and respond to more than one message at a time...

    Also, I don't know I am always going to reply to more than one message at a time, and the edit dialog does not allow to do the neat multi-reply trick you mention (or I have not discovered how to do it) :)
     
  43. Mr.CTT

    Mr.CTT Serious Server Member

    It does. You highlight the text you want to reply to, and a custom reply button will pop up at the end of the text you highlighted. when you click it, scroll to the bottom of the page. There you will find the highlighted text you want to reply to neatly written for you with all the quote work done. All you have to do is highlight it all and cut it from the box, then find your post, click edit, and paste it.

    This is also very nice if you want to reply to a specific part of someone's post. Especially when they have multiple ideas that you want to reply to separately within the same paragraph. You can produce multiple quotes from one paragraph. *NOTE* Be cautious when doing this, because the reply section remembers where your cursor was and will paste it at that spot in the reply section at the bottom of the page. Example below of how this can be super nice

    omg 2-3 minutes? Nuuuu!

    Some people set the buttons to do different things or disable them so that idiots don't mess up a router accidentally hitting a button when moving the router / something near it / plugging something in via port. You need to ensure the proper script is under Administration -> "Buttons / LED"

    the script is "[ $1 -ge 20 ] && telnetd -p 233 -l /bin/sh"

    My buttons are always set in this order: Do Nothing, Do Nothing, Restart, Shutdown. Telnet is up 100% of the time for me.

    (I use IP Tables to stop ALL unwanted access and could give a crap less about running my SSH/Telnet 24/7, because the only people that can even see it are people with the correct MAC, port #, and are on the correct VLAN. Not to mention they have to have the passwords to even get on the network. I will know if they are on my network before they get that far :) if they hack me, kudos I deserve it )

    You should mention the fact that SSH and Telnet's ports can be customized via the Administration -> "Buttons / LED" page via the web GUI, and the ports could be different if someone accidentally changed the script. The user should double check them before doing this if they changed the buttons or saved on that screen ever.

    @Engineer I didn't mean to be so critical of your post, I just wanted to give a good example for Nick. However #2 is one I think needed commenting on to avoid confusion. #3 is unnecessary to write, as most people with this knowledge should remember if they did this or not.


    that is how using the highlight reply button is awesome.

    *edit I made a mistake and corrected it 2/13/15 3:38p EST



     
    Last edited: Feb 13, 2015
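
The button script quoted in the post above, `[ $1 -ge 20 ] && telnetd -p 233 -l /bin/sh`, starts telnetd with a shell as its login program, which is why the session asks for no password. As an added example (not from the thread or from Tomato itself), this POSIX shell audit flags that pattern in a button script and checks `netstat -ltn` output for the listener; the function names and the sample netstat text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Tomato's own code. Function names are hypothetical.

# audit_button_script SCRIPT_TEXT
# Prints one line per telnetd invocation found in the script text:
#   PASSWORDLESS port=<n> login=<prog>   -l names a shell, so no authentication
#   LOGIN        port=<n> login=<prog>   telnetd hands the session to a login program
# Prints NONE when the script never starts telnetd.
audit_button_script() {
    printf '%s\n' "$1" | awk '
    {
        n = split($0, cmds, /[;&|]+/)              # isolate simple commands
        for (i = 1; i <= n; i++) {
            m = split(cmds[i], w, /[ \t]+/)
            for (j = 1; j <= m; j++) {
                if (w[j] != "telnetd" && w[j] !~ /\/telnetd$/) continue
                port = "23"; login = "/bin/login"  # busybox telnetd defaults
                for (k = j + 1; k <= m; k++) {
                    if (w[k] == "-p" && k < m)      port = w[++k]
                    else if (w[k] ~ /^-p[0-9]+$/)   port = substr(w[k], 3)
                    else if (w[k] == "-l" && k < m) login = w[++k]
                }
                verdict = (login ~ /(^|\/)(sh|ash|bash)$/) ? "PASSWORDLESS" : "LOGIN"
                printf "%s port=%s login=%s\n", verdict, port, login
                found = 1
                break
            }
        }
    }
    END { if (!found) print "NONE" }'
}

# listener_active PORT NETSTAT_TEXT
# Exit status 0 when the netstat output shows a TCP socket listening on PORT.
listener_active() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" && $4 ~ (":" port "$") { hit = 1 }
        END { exit (hit ? 0 : 1) }'
}

# The script text as quoted in the thread.
SAMPLE_SCRIPT='[ $1 -ge 20 ] && telnetd -p 233 -l /bin/sh'

# Constructed sample of `netstat -ltn` output after the button has been held.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:233             0.0.0.0:*               LISTEN'

audit_button_script "$SAMPLE_SCRIPT"
if listener_active 233 "$SAMPLE_NETSTAT"; then
    echo "port 233 is listening: the passwordless shell is currently reachable"
fi
```

On a router, pass the saved button script text and the live `netstat -ltn` output instead of the samples; a PASSWORDLESS finding with an active listener means the shell stays reachable until the next reboot.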
  44. Engineer

    Engineer Network Guru Member

    Mr.CTT, I don't know how Shibby coded that into the router. It was a direct quote from him on another forum for a R7000 router that was coming from DD-WRT to Tomato (and DD-WRT had password encrypted with no way to reset since PB was disabled). Shibby would have to clarify if holding it the correct length of time would override other PB settings or not.
     
  45. Mr.CTT

    Mr.CTT Serious Server Member

    You're totally fine, I was a little mean when I posted that and changed it after you had posted. Sorry about that. I just wanted to demonstrate the highlight Reply feature and how useful it is without spamming and trying to be somewhat helpful. Shibby was referring to the script in the custom box on the Administration -> "Buttons / LED".

    When you hold the button long enough to trigger any of the responses that say "Custom Script" you will enable the quoted text you got from shibby if the script is unchanged. This is a work around of having to leave SSH on all the time or using the GUI to enable it.

    This is especially for users that don't know what they're doing or see the potential risks of what they are doing. They do not need to understand what SSH is or need to know what it is, as you can tell them to press a button to make it all better without telling them to do this that and the other complicating the instructions, and then take the chance they leave SSH/Telnet on 24/7 without proper protection leaving a potential exploit to the CMD line of the router. Telling them to Reboot the router turns SSH back off as it is an up-time duration only script.
     
    Last edited: Feb 13, 2015
    Engineer likes this.
  46. Engineer

    Engineer Network Guru Member

    Ah, I had no idea. I thought this was hardcoded. Thanks for that! :)

    Does holding the WPS button in on this router (R7000) while powering up reset NVRAM?

    Finally, the reset button was disabled why? I seem to recall something about a boot loop.
     
  47. Netwet

    Netwet Reformed Router Member

    Are you kidding, you just have to press a button and you can login without a password?
    This means anyone can manipulate, read wireless passwords etc,without your knowledge
    I don't know what to say.
     
  48. LanceMoreland

    LanceMoreland Network Guru Member

    I have ver. 125 up and running on my AC68U's and everything seems to be working okay. I still have to use the firewall script for Comcast to make IPv6 work and I need the neighbor table overflow script to eliminate logs filling up with errors but now the logs are filling up with these errors:

    Feb 13 13:42:58 Tomato-1 daemon.info dnsmasq-dhcp[1256]: DHCPADVERTISE(br0) 00:01:00:01:19:f3:53:66:60:a4:4c:54:91:e7 no addresses available
    Feb 13 13:42:58 Tomato-1 daemon.info dnsmasq-dhcp[1256]: DHCPADVERTISE(br0) 00:01:00:01:1a:40:6d:ab:00:00:00:00:00:00 no addresses available
    Feb 13 13:42:59 Tomato-1 daemon.info dnsmasq-dhcp[1256]: DHCPADVERTISE(br0) 00:01:00:01:19:f3:53:66:60:a4:4c:54:91:e7 no addresses available
    Feb 13 13:43:01 Tomato-1 daemon.info dnsmasq-dhcp[1256]: DHCPADVERTISE(br0) 00:01:00:01:19:f3:53:66:60:a4:4c:54:91:e7 no addresses available
    Feb 13 13:43:05 Tomato-1 daemon.info dnsmasq-dhcp[1256]: DHCPADVERTISE(br0) 00:01:00:01:19:f3:53:66:60:a4:4c:54:91:e7 no addresses available
    Feb 13 13:43:13 Tomato-1 daemon.info dnsmasq-dhcp[1256]: DHCPADVERTISE(br0) 00:01:00:01:19:f3:53:66:60:a4:4c:54:91:e7 no addresses available
    Feb 13 13:43:20 Tomato-1 daemon.info dnsmasq-dhcp[1256]: DHCPADVERTISE(br0) 00:01:00:01:18:f6:10:e2:54:42:49:08:0b:99 no addresses available
    Feb 13 13:43:29 Tomato-1 daemon.info dnsmasq-dhcp[1256]: DHCPADVERTISE(br0) 00:01:00:01:19:f3:53:66:60:a4:4c:54:91:e7 no addresses available
    Feb 13 13:44:01 Tomato-1 daemon.info dnsmasq-dhcp[1256]: DHCPADVERTISE(br0) 00:01:00:01:19:f3:53:66:60:a4:4c:54:91:e7 no addresses available
    Feb 13 13:44:02 Tomato-1 daemon.info dnsmasq-dhcp[1256]: DHCPADVERTISE(br0) 00:01:00:01:1a:40:6d:ab:00:00:00:00:00:00 no addresses available
    Feb 13 13:44:08 Tomato-1 daemon.info dnsmasq-dhcp[1256]: DHCPADVERTISE(br0) 00:01:00:01:1a:40:6d:ab:00:00:00:00:00:00 no addresses available
    Feb 13 13:44:09 Tomato-1 daemon.info dnsmasq-dhcp[1256]: DHCPADVERTISE(br0) 00:01:00:01:1a:40:6d:ab:00:00:00:00:00:00 no addresses available
    Feb 13 13:44:11 Tomato-1 daemon.info dnsmasq-dhcp[1256]: DHCPADVERTISE(br0) 00:01:00:01:1a:40:6d:ab:00:00:00:00:00:00 no addresses available
    Feb 13 13:44:17 Tomato-1 daemon.info dnsmasq-dhcp[1256]: DHCPADVERTISE(br0) 00:01:00:01:1a:40:6d:ab:00:00:00:00:00:00 no addresses available
    Feb 13 13:44:23 Tomato-1 daemon.info dnsmasq-dhcp[1256]: DHCPADVERTISE(br0) 00:01:00:01:1a:40:6d:ab:00:00:00:00:00:00 no addresses available
    Feb 13 13:44:39 Tomato-1 daemon.info dnsmasq-dhcp[1256]: DHCPADVERTISE(br0) 00:01:00:01:1a:40:6d:ab:00:00:00:00:00:00 no addresses available
    Feb 13 13:45:11 Tomato-1 daemon.info dnsmasq-dhcp[1256]: DHCPADVERTISE(br0) 00:01:00:01:1a:40:6d:ab:00:00:00:00:00:00 no addresses available
     
  49. Engineer

    Engineer Network Guru Member

    If you read Mr.CTT's response above, looks like it's a script that can be removed. I think it was put in there as a way to reset the router's NVRAM while the RESET PB issue is being investigated (just a guess).
     
  50. Mr.CTT

    Mr.CTT Serious Server Member

    I do not believe so. When I try to NVRAM reset via the buttons, it does not work, but I have only tried reset button. You could make a custom script... but that's a bad idea as someone pressing the button long enough would screw you.

    dude... if someone has access to your reset button, they would just reset your NVRAM on any router and take over your network otherwise.. Your point is invalid because they physically need to do this and it should not be in reach of someone. If someone breaks in your house, then they would steal your router again making your point invalid. This actually gives you a "Screw you thief" factor, as they will try to resell your stolen router, but when they can't put it back to factory defaults because NVRAM reset button doesn't work it becomes a brick to them unless they know you run tomato or hack into your admin web page.

    Also NO because you cannot connect to WIFI if you don't have the password. They could use a LAN cable.. but I would hope you see them doing that, I mean seriously... that would be in the open and stuff or you would see a weird cable plugged in... not to mention they would need to know the IP address of the router, the port #, and have putty. Lastly, I do not believe you can view passwords unless you do nvram get with the correct identifier, or download an NVRAM dump.

    Let me reiterate that this is a UPTIME ONLY command and reboot will shut it off.
     
    Last edited: Feb 13, 2015
  51. digiblur

    digiblur Networkin' Nut Member

    Someone could also unplug my router and make it not work? Are you kidding me?

    If someone with bad intentions has physical access to your router, then you have much larger problems to deal with.
     
  52. Netwet

    Netwet Reformed Router Member

    Not in every scenario you can lock the router up and having access to the router does not mean you have access to your network, e.g. if you just use it as repeater. At work we have lots of routers that are located in a meeting room.

    But with this backdoor someone can just quickly attach a device to the ethernet port and readout nvram, e.g. wireless password, then he has access to your network.
     
  53. Mr.CTT

    Mr.CTT Serious Server Member

    At work you also have network engineers that set up the network, those engineers have administration VLANS made so people can never ever access the SSH / Telnet or even see it for that matter by any means excluding extraordinary means, a level of hacking that is so high, they could make a lot more money working for a private security firm. The network engineers also more than likely leave SSH /Telnet / other running 24/7 like I do because no one can hack a firewall unless the prior applies. Your company also does not use Tomato for their network as it cannot or rather is not supported by any network infrastructure device that could handle that much traffic at its backbone and know what they are doing. Your point is still invalid... Not to mention normally those repeaters are mounted on the ceiling, requiring a stool or a ladder... If they did use tomato for repeaters which is possible, this back door or an NVRAM reset does nothing but disconnect the repeater when DHCP starts up after reboot.

    If security or the employees don't notice someone physically touching a piece of equipment that shouldn't be, then security should be fired... as such is life. But an NVRAM reset will do nothing to a repeater except disconnect it from your company's network.

    The makers of tomato are 100% justified in what they did / how they did it. There is not a single instance in which this could possibly be a security exploit because if someone has these intentions and the access, the button function does not matter, as a 30-30-30 is much easier / effective and you should not allow someone in your house you can't trust / keep it in a place people can't get to easily to avoid theft / people being a jerk.
     
    Last edited: Feb 13, 2015
    gawd0wns likes this.
  54. Mr.CTT

    Mr.CTT Serious Server Member

    Oops sorry, I hit the incorrect button. I apologize for the double post spam.
     
  55. Engineer

    Engineer Network Guru Member

    Removed
     
    Last edited: Feb 13, 2015
  56. LanceMoreland

    LanceMoreland Network Guru Member

    Further to this, I also notice that devices and their IPv6 addresses no longer show up in the "Device List"
     
  57. Mr.CTT

    Mr.CTT Serious Server Member

    Let me reiterate, pressing the WPS/reset button/any button on a repeater using tomato does not affect your main router. You can unlock a repeater's CMD all you want and do whatever, but it will never give you access to the router or any of its security. The most you could ever accomplish is disconnecting it from the network or others from it... in which case NVRAM reset would be more disruptive... taking a net engineer 5 min or less to fix using a .cfg file. Additionally, all you will do is look like a fool on a stool to the network engineer as he laughs at you and has security escort you to the police that will be waiting downstairs and you get multiple Felony charges slapped on you along with a few Misdemeanors should the company press charges to the full extent of the law. You would be better off trying to hack the firewall than this as it is useless.

    No security information from the main router is inherited nor can it be changed in this manner. The best you could do is see a VLAN number, but that doesn't mean squat because a network engineer would not be dumb enough to leave a VLAN open (will leave that at that) and if he is even a half-baked one, you'll never get any VLAN info Period.

    I am too afraid to turn IPv6 on yet for any R7000 as I do not want to mess with all the problems people have been having. IPv6 is not yet required and there isn't really a significant number of good DNS servers for it. There may be a small amount of throughput gain if you're the only one connected to a network, but the moment multiple users connect and use a few mbit/s, all advantage is lost over v4. You will never physically notice a difference in ping as it is less than a 10th a second. I'll wait another 6-7 months as this translates to more calls from clients haha. But if I ever get a R7000 for personal use, I will be sure to enable it to work with it, learn, and help others. I just can't justify 200$ on a router when I have a fast AC router already :/
     
    Last edited: Feb 14, 2015
  58. Nick G Rhodes

    Nick G Rhodes Addicted to LI Member

    Aha, I was looking for something from the edit dialog... didn’t think to use the reply box as a scratchpad :)
     
  59. Engineer

    Engineer Network Guru Member

    Not sure what this has to do with my post! :D

    Anyway, I'm giving it a go on my Asus RT-AC68U (formerly Tmobile TM-AC1900 converted). First time off of Merlin's fork since just after I bought and converted it.
     
  60. TheSteve

    TheSteve Addicted to LI Member

    Recently upgraded my WL-520GU to an R7000 (big upgrade!). I have always run tomato on my Asus and installed Shibby's tomato on my R7000 within 10 minutes of opening it. It has been nice and stable but so far the transfer speed from USB has been quite poor. I have tried multiple devices(usb 2.0 and 3.0, NTFS, ext2, ext3 formats) but they all give roughly the same results. Just wondering what others are seeing for speed when ftping direct to/from the router. Also I saw mention that someone may have the LEDs working. The power/WAN LEDs work but I have no LEDs for 2.4 or 5 GHz wifi. Nothing is a show stopper so far and am thrilled to be still running a variation of tomato after so many years. Many thanks to Shibby and the other devs who provide amazing firmware.
     
  61. Connor McCaffrey

    Connor McCaffrey Networkin' Nut Member

    i can break 30MB/s up and down on usb 2.0, have usb 3 disabled.
     
  62. MrShimpy

    MrShimpy Connected Client Member

    Everybody who has physical access to the router can do with it whatever he wants to do. You lock your router probably into a safe.
     
  63. WaLLy3K

    WaLLy3K Serious Server Member

    Physical access to a device negates the security of its software contents - and this is true for anything technology related, secured by software.

    Something that amused me a while back: When working as technical support for a certain giant fruit company, I remember a customer asking me about the viability of wireless backup hardware working from within safes. I had to tell him that it would be pretty much useless because of how radio signals work!
     
  64. TheSteve

    TheSteve Addicted to LI Member

    OK, more testing completed using wired gigabit lan. With a vfat file system and usb 3 enabled I do get some decent speeds, write of 39MB/sec, read of 47MB/sec. However if I use ext2 or ext3 my write speed is about 15%, sometimes only 10% of the vfat speeds. I can understand ext3 being a little slower with the journal but thought ext2 would match vfat performance. Even reading with ext2 or ext3 is slower than vfat.
    Now to work out why the wireless transfers seem so slow.
     
  65. MrDoh

    MrDoh Addicted to LI Member

    How about a safe with external antennas? *smile*
     
  66. Mr.CTT

    Mr.CTT Serious Server Member

    that could work if you run them through the air holes :)
     
  67. LanceMoreland

    LanceMoreland Network Guru Member

    It seems that enabling "Announce IPv6 on LAN (DHCP)" in the "DHCP / DNS Server (LAN)" section eliminates the errors. IPv6 is working on Comcast as it should as long as "echo 0 > /proc/sys/net/ipv6/conf/`nvram get wan_iface`/forwarding" is in the firewall script section on ver. 125
     
  68. stuffedtiger

    stuffedtiger Reformed Router Member

    Do I have to reboot after I change this option?
     
  69. Mr.CTT

    Mr.CTT Serious Server Member

    It would probably be a good idea, however I bet if you turn ipv6 off and back on it would implement it, if it hasn't already done so
     
  70. MrDoh

    MrDoh Addicted to LI Member

    In the past, IPv6 has just started working without a reboot after having the firewall scripts in place, and turning on DHCP6-PD here. However, if it doesn't *smile*, then a reboot is in order.
     
  71. greenythebeast

    greenythebeast LI Guru Member

    Is access restriction supposed to work on the AC-68R? I can't get any rules to work no matter the settings :(

    Edit: Nevermind, just had to disable CTF :)
     
    Last edited: Feb 15, 2015
  72. Netwet

    Netwet Reformed Router Member

    Well my son has physical access to the router and thus could easily press the "workaround is a feature" button in order for him to turn off access restriction. If he can only reset, then he does not gain anything, since ethernet ports don't allow to access internet and his device only knows the password to access the restricted guest wireless.

    Looks like nowadays tomato uses security through obscurity:)

    You mix up button assignments and implement "back doors", you slow down the attacker by raising the ping. You fool your kids by not displaying correct led states etc.
     
  73. WaLLy3K

    WaLLy3K Serious Server Member

    If you're concerned, then just disable that feature (Administration > Buttons/LED) and if you know enough BASH, you could probably implement something like you've mentioned! :)
     
  74. Grimson

    Grimson Networkin' Nut Member

    This "back door" is neither a workaround nor new. It has (at least) been in Tomato since the introduction of the "Buttons/LED" page in the original Tomato, and can easily be disabled.

    So if you only discovered it now it's your own fault. If you need security you should check every part of a firmware, especially if it's a custom firmware, and every setting in it.
     
    rickmav3 and gawd0wns like this.
  75. Mr.CTT

    Mr.CTT Serious Server Member

    This isn't security by obscurity, every router with the exception of ones that cost more than like 800$ has a push button factory reset. PHYSICAL ACCESS to it removes all security unless you use custom firmware!

    NO MATTER WHAT ROUTER YOU HAVE
    running factory firmware, anyone in the world could walk up to it, hold the reset button and do a factory reset to it, then read the label on it and log in, or use Google / common sense 99% of the time to get the defaults if you removed the label. Then they just need to rename the WiFi on it to match your old one, and you're screwed till you do the exact same thing, a push button factory reset... it's just that simple...

    With TOMATO YOU HAVE MORE SECURITY because if someone tries to do a factory reset and holds the button for any duration stock, it won't reset to factory defaults and they are locked out of your router assuming reset button nvram wipe doesn't work in that FW & version. If it doesn't, they need to figure out you run tomato (Tomato isn't a giant bullseye like dd-wrt is having the splash page that displays to the world it's using dd-wrt when they type in the gateway address), what port your script uses, and how long they have to hold the button for. If they can't figure that out, then they are locked out! PERIOD!!!

    All of the buttons are not hard coded! If you remove the script, they cannot use this and will never get in (exception of hacking or Serial), but should you do that, you have no way to get in if you forget the password.

    If you would like to change this to make it more difficult for someone to get in, follow the instructions below.


    if you were really smart, and wanted to teach your kid a lesson you would go to administration -> Buttons / LED and do the following.

    0-2 seconds "Shutdown"
    4-6 seconds "Shutdown"
    8-10 seconds "Run custom script"
    12+ seconds "Shutdown"

    then in the custom script box you would paste in the following.
    "[ $1 -ge 20 ] && telnetd -p 101 -l /bin/sh" <- minus quotes (port number in bold for reference)

    What this will do, if he presses the button for the durations listed, is shut the router down ("shut down" ones). This will show in the logs so you can see that he did it.

    If he were to hold the button for 8-10 seconds, he would start up the telnet (aka the custom script in the box), however the new custom script will change the port of the Telnet to 101. So unless he wants to sit there all day trying to figure out how long you press it for and then test all the ports or he uses a port scanner, he isn't going to get in. At least those kids can't hold the button, do a factory reset, and get in anyway using Google, the label, or just plain common sense... Then change the WiFi SSID to what it was so you're locked out.

    I am sure that you could re-write the script to just turn your normal telnet on, but I haven't ventured enough into tomato to be comfortable writing such a script.


    I agree... maybe doing a little research on the file you just uploaded to your 30-300+$ device is a good idea... Then looking at every tab to see what options there are...

    The buttons/led page isn't hidden and is not like grand theft auto where you have to do some strange combination of crap to make a tank fall from the sky and squish you... you just read the tab...
     
    Last edited: Feb 15, 2015
    rickmav3 likes this.
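
Added example, not part of any post in this thread and not Tomato project code: a defender-side check for the configuration discussed in posts 72-75, where a button script starts telnetd with a shell as the login program, which gives a shell with no password prompt on the chosen port. It scans a saved `nvram show` dump for such values; the key name `sesx_script` for the Buttons/LED custom script is an assumption, `example_script` is a made-up key, and the sample dump is constructed.

```shell
#!/bin/sh
# Added example: find nvram values that launch telnetd with a shell as the
# login program (-l .../sh), i.e. a shell that never asks for a password.
# Input on stdin: "key=value" lines as saved from `nvram show`. Script values
# may span several lines; continuation lines are attributed to the last key.

# Constructed sample dump. "sesx_script" is assumed to be the key holding the
# Buttons/LED custom script; "example_script" is a made-up multi-line value.
sample_dump() {
cat <<'EOF'
wan_iface=vlan2
sesx_script=[ $1 -ge 20 ] && telnetd -p 101 -l /bin/sh
example_script=logger boot done
telnetd -l /bin/sh
http_enable=1
EOF
}

# Print "key port" for each finding. Port is 23 when no -p option is given.
find_open_telnetd() {
    key=
    while IFS= read -r line; do
        # Text before the first '=' is a key only if it looks like one.
        case $line in
            *=*) cand=${line%%=*} ;;
            *)   cand= ;;
        esac
        case $cand in
            ''|*[!A-Za-z0-9_.:-]*) val=$line ;;              # continuation line
            *) key=$cand; val=${line#*=} ;;                  # new key=value
        esac
        # Only values that run telnetd with "-l <path>/sh" are of interest.
        case $val in
            *telnetd*' -l '*/sh*) ;;
            *) continue ;;
        esac
        port=$(printf '%s\n' "$val" |
               sed -n 's/.*telnetd.*-p[ ]*\([0-9][0-9]*\).*/\1/p')
        echo "$key ${port:-23}"
    done
}

# Stand-alone run over the constructed sample.
sample_dump | find_open_telnetd
```

Any key it reports deserves a look on the Buttons/LED and Scripts pages before the router is treated as locked down.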
  76. ghoffman

    ghoffman LI Guru Member

    regarding the ping issue:

    on r6300v2, using shibby's v125 R7000 build:
    ping issues cropped up after about 24 hours of use.
    when first set up - had 1-3 ms ping on lan to router.
    now: 26-150 ms, average 20-30.

    what are other people seeing?
     
  77. Mr.CTT

    Mr.CTT Serious Server Member

    you are getting that using a *good* cable? I have seen even the better brand name cables crap out when replacing them at work because people were moving and flexing them too much on the ends causing inconsistent pings / drops. what is your cpu usage running around and do you have anything intense running on the router?

    I know that Netgear has had problems with it on their firmware, but I just really haven't seen a mention of it yet in tomato. I didn't realize it was an issue with this device. I have a R6300v1 on Hyzoom's shibby firmware, but i know there is quite a lot of difference in hardware for the two.
     
    Last edited: Feb 16, 2015
  78. ghoffman

    ghoffman LI Guru Member

    mr ctt - yes, definitely good cable. same cable gives me <1ms to another router.

    nothing else running on the router. bw limiter set to 80% max, 1-2 wifi clients, 10-20 clients via lan and other ap's. no vpn samba, but little activity, not related to ping. cpu util<2%.
     
  79. Mr.CTT

    Mr.CTT Serious Server Member

    hmmm I had similar problems as you, however mine boiled down to bandwidth monitor staying on when it wasn't supposed to be and using telnet to ensure it was off when the gui said it was off fixed the issue. I did notice some inconsistent pings when that was happening, but nothing as drastic as you are seeing. If you just flashed it, is there any chance you had a bad flash that left artifacts? I am assuming you recently did it.

    I would suggest that as an immediate band-aid, trying to be helpful, that you talk to your clients (if it isn't personal use) and use the scheduler to reboot every day at like 4 am to keep it running smoother or whenever they all won't be likely to use it. The reboot sucks on these mine takes almost 3 minutes. :/
     
  80. Connor McCaffrey

    Connor McCaffrey Networkin' Nut Member

    i believe i have found a fix for the ping issue, as today i encountered it after i enabled usb 3.0 support. i can turn it on and off and every time it will create the ping issue, for anyone having the ping issue, please go into usb and nas and disable usb 3.0 support.
     
  81. ghoffman

    ghoffman LI Guru Member

    i wish it were that simple.
    if you are talking about interference from usb3 and wireless devices, this has been explored and may be an issue for some people and some routers.

    for my r6300v2 lan ping issue - the usb 3 setting has no effect (nor does any usb service, samba, wireless setting).
     
  82. blackwind

    blackwind Networkin' Nut Member

    So, as of v125, what's still missing from TomatoARM? And is there any regularly updated place to find that information?
     
  83. Rurik

    Rurik Network Newbie Member

    In the last two days I am experiencing strange things with my N18U. The router stops after 24hr and I need to pull the plug to restart it. I do not really understand, because nothing changed. The router was switched off for a few days as I was away but nothing else. Yesterday I tried to update to v125, but the problem is the same. Today at the same time the router stopped.
    Any ideas?
     
  84. WaLLy3K

    WaLLy3K Serious Server Member

    Aside from an update, what else have you tried? A full NVRAM wipe? (That's usually one of the first things suggested here!) Does it currently persist with stock firmware?
     
  85. Rurik

    Rurik Network Newbie Member

    I never used stock firmware so I do not know.
    I did not try the wipe yet as I would have to set everything from scratch.. and since really nothing changed on the router and it had more than a month uptime (before this incident) I am a bit clueless..
     
  86. WaLLy3K

    WaLLy3K Serious Server Member

    Well try backing up your configuration from Admin > Configuration, erase NVRAM from Admin > Debugging and try a bare basic setup - enough for you to have a working Internet connection at least. You can also dump NVRAM from that page in case you've forgotten any passwords you don't often use.
     
  87. myersw

    myersw Network Guru Member

  88. LanceMoreland

    LanceMoreland Network Guru Member

    Times out for me also.
     
  89. shibby20

    shibby20 Network Guru Member

    It's up now.

    I have a question to users of R7000 with ping issue. do you have connected any drive to USB3.0 port?? If you do, can you make a test: unplug USB drive from USB3.0 port, reboot router and check ping?

    Best Regards.
     
  90. Rurik

    Rurik Network Newbie Member

    I hope it is not too early to say, but now I passed the 24h mark and still running.
    What I changed is that at the moment the built in transmission is running instead of the optware one.
    Something with the mounting parameters of the attached HDD might be faulty.. but for now this is only a wild guess.
     
  91. Engineer

    Engineer Network Guru Member

    I had no USB drives at all and had ping issue. I did have USB Core Support turned on (never thought to turn it off). I'm currently on DD-WRT on that router but if I have time, I'll flash back and check later with the USB core support turned off.
     
  92. shibby20

    shibby20 Network Guru Member

    ok, thanks.
     
  93. TheSteve

    TheSteve Addicted to LI Member

    I have an R7000 running your newest build (125) and have not yet experienced any ping issues with wired or wireless connections. I am sharing a USB 3.0 flash drive via samba, running an ad block program, port forwarding, static dhcp, pppoe, everything is ipv4 based. So whatever it is that triggers the ping issue has not appeared yet.
     
  94. Toastman

    Toastman Super Moderator Staff Member Member

    R7000 here is unstable with or without USB or USB3. When in a stable ping mode, even accessing a setup page can trigger the problem. But I can't see what is happening either. Nothing is repeatable.
     
  95. meazz1

    meazz1 LI Guru Member

    I skimmed thru the thread and found some few different make and model router compatible for the ARM firmware.
    What would be the best way to find out what are the supported ARM router for tomato firmware.
    Currently, I use an Asus RT-N16 with Shibby firmware.
     
  96. Mercjoe

    Mercjoe Network Guru Member

    Same as Toastman here with my R7000. Even set up as an AP the ping issue can just happen. There is no consistent trigger.
     
  97. Mr.CTT

    Mr.CTT Serious Server Member

    my R7000's all have USB3 enabled, but i believe the usb drives in em are rated 2.0, but i still have yet to have an irregular ping test so far. I am going to one of the establishments running one today, so I will test and update on here. They are running v124 however so take that into consideration and I probably won't move to 125 for a little while as they are not very happy about downtime ever haha.


    If it is usb related, could the read/write speeds matter? Like i use it 100% for logging. I will add adblock to it soon after i get some bugs worked out that i am having, but i am wondering if some users are using it for media vs others for low level usage like logging and if that makes a difference on the stability/pings. If someone is using the crap out of a buggy feature, it would matter right? (if they use it internally on device mostly or external purposes? if it may matter?)

    Can anyone comment that they are experiencing the ping issue in 125 out of curiosity? Whether it went away, started, or became better / worse?
     
  98. Engineer

    Engineer Network Guru Member

    Had the ping in 124 and 125. Turned Core USB service off and no change. Random ping spikes up to 200ms but always more than 1.
     
  99. Connor McCaffrey

    Connor McCaffrey Networkin' Nut Member

    there must be a combination of things that cause it, i don't imagine this problem would occur on a fresh nvram clear with no settings changed..........
     
  100. Mr.CTT

    Mr.CTT Serious Server Member

    I still am not affected by the Ping issue... so i think my results are kind of invalid. Please note my routers reboot every day via script so i will never have uptime more than 24hr.
    USB2.0 drive in for months and logging to it. I attached my usb page.

    Uptime 0 days, 17:58:57
    ping results attached... I have to connect via cable to a switch that is connected via cable to the router. I ran about 20 pings. a single one out of that had irregularity
    Pinging 10.10.7.254 with 32 bytes of data:
    Reply from 10.10.7.254: bytes=32 time<1ms TTL=64
    Reply from 10.10.7.254: bytes=32 time=10ms TTL=64
    Reply from 10.10.7.254: bytes=32 time<1ms TTL=64
    Reply from 10.10.7.254: bytes=32 time=2ms TTL=64

    Ping statistics for 10.10.7.254:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss).
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 10ms, Average = 3ms

    Beyond that, all of the pings for the 20 times I used the ping test were <1ms...

    I do not understand why i have no problems, but my routers are set up with very very different from stock settings.

    I did notice something odd today however. my CPU load is abnormally high.

    "CPU Usage 2.88%
    CPU Load (1 / 5 / 15 mins) 0.00/ 0.01 /0.05
    "
    I saw it hit 10% and there is very very little usage and very little log activity. It could be someone torrenting tho, i haven't blocked it yet at this establishment.

    do people disable 3G support? I do and spin-down.

    I wish someone I knew had this issue so I could load my cfg file to see if it stopped it. =)
     
