
Tomato RAF Releases

Discussion in 'Tomato Firmware' started by Victek, Dec 28, 2012.

  1. Victek

    Victek Network Guru Member

    Ok, updated, and I added tagged feature for e3200 switch in Advanced/VLAN. Thanks for the heads up ;)
     
  2. Lorenceo

    Lorenceo Networkin' Nut Member

    After rebooting it a few times and trying 48 and 64 prefix lengths it still reports destination unreachable for v6 hosts, on both the router and clients.
    The router gets its v6 IP, and it is sending router advertisements. The router advertisements still show the MTU as 1500.
     
  3. Victek

    Victek Network Guru Member

    Thanks Lorenceo, I'm waiting for more help from 'experienced' people.
     
  4. Lorenceo

    Lorenceo Networkin' Nut Member

    If there's any more info you need from it let me know.
     
  5. Victek

    Victek Network Guru Member

    No, thanks, just suggest your ISP to use standard configurations for their customers ...
     
  6. Elfew

    Elfew Addicted to LI Member

    Yes, this is the easiest solution... why use IPv6 in a home network? Just set your modem to get IPv6 from the provider and translate it to IPv4 for your home network clients (including the router with Tomato)
     
  7. Lorenceo

    Lorenceo Networkin' Nut Member

    I don't think a single customer can have much influence over what an ISP does. :(
    Is PPPoE not a standard method of connecting to the internet? :p
     
  8. Elfew

    Elfew Addicted to LI Member

    DSL connection is a step back...
     
  9. Victek

    Victek Network Guru Member

    I have pppoe also with ftth connection and 3 different vlan tag for each type of service (weird too), I was talking about ipv6 prefix 48 and mtu 1492. This problem is solved in ipv4 by automatic packet reassembly, not in ipv6.
     
    Last edited: Sep 30, 2013
  10. AmyGrrl

    AmyGrrl LI Guru Member

    Not sure I will play around with the beta builds this time. But just wanted to say the stable 1.2 build for my Asus RT-N66U has been running great. 27 Days Uptime so far. Can't wait for the stable 1.3 build! Thanks Victek!
     
  11. Lorenceo

    Lorenceo Networkin' Nut Member

    Does your PPPoE have an MTU higher than 1492?
    I've read online that if you can get FTTH here you can use jumbo frames on the WAN and have 1500 byte PPPoE packets. I've no way to test that though.
    As for the /48.. yep. Seems silly to me too, but it should work with /64, since it's smaller than the /48 I get allocated. I've read that some ISPs give out /56's too.
    FWIW the stock Asus firmware announces a /64 to the LAN, and it works.

    Edit: Just thinking about it, the only reason I've not tried 1500 MTU is because of the 1492 PPPoE limit. It might work on my connection but Tomato doesn't allow it unfortunately.
     
    Last edited: Sep 30, 2013
  12. Victek

    Victek Network Guru Member

    After last 1.2i version ... the stable v1.2 was the most unstable version ;), almost all bugs except ipv6 (common for all tomato versions with dnsmasq alone) have been solved.

    @Lorenceo , talking with experts now ... ;) about your comment 'FWIW the stock Asus firmware announces a /64 to the LAN, and it works.' .. ASUS and most of known third party firmware still uses radvd ....
     
  13. Victek

    Victek Network Guru Member

    @Lorenceo switch to 6to4 and tell me if it works please.
     
  14. nurofen

    nurofen Serious Server Member

    Hi guys!
    how to remove the logs in the router?
     
  15. Elfew

    Elfew Addicted to LI Member

    Turn them off in administration ;)
     
  16. nurofen

    nurofen Serious Server Member

    @Elfew You do not understand correctly how to clean them without turning off :)
     
  17. Elfew

    Elfew Addicted to LI Member

    I understood but your question is wrong ;)
     
  18. nurofen

    nurofen Serious Server Member

    You can not clean up?
     
  19. koitsu

    koitsu Network Guru Member

    In general the answer is "you can't". You can kill klogd and syslogd if you want (init will probably restart it eventually), then remove /var/log/messages, but on next reboot you'll be forced to do all this again. And none of this deletes/clears the kernel message buffer (via dmesg) -- that would require a custom kernel.

    A better question is: why are you trying to remove the logs? What are you trying to accomplish? Please expand/explain.
     
  20. nurofen

    nurofen Serious Server Member

    @koitsu The official firmware asus there is a button to clear logs. Conveniently deleting old logs ;)
     
  21. zapoqx

    zapoqx Networkin' Nut Member

    ok, maybe even I'm confused about it. Wouldn't it be best to change the file size to keep internally if you're trying to shorten it or change the internal rotated logs from 1 to 0 so it keeps only the current log?
     
  22. jerrm

    jerrm Network Guru Member

    If that's all you want then from the command line or tools->system in the web ui:
    Code:
    rm /var/log/messages*
     
  23. nurofen

    nurofen Serious Server Member

    Thank you very much! With button would be more convenient :)

    like this:

    log.png
     
    Last edited: Sep 30, 2013
  24. koitsu

    koitsu Network Guru Member

    Please re-read what I said, slowly, and in full. You can rm /var/log/messages, kill syslogd + klogd all you want, but the kernel message buffer is still there. This is a kind of "log", given the information it contains.

    And politely: you also didn't answer my question. :/ It would help if you would answer that, because if I knew what you were trying to hide and why, I could tell you whether or not the kernel message buffer would contain something relevant or not.
     
  25. Victek

    Victek Network Guru Member

    There is a button .. simply disable it ... and rm /var/log/messages once you did and save.. that's all.
    In case of @nurofen all logs are sent directly to NSA ... :)

    Screenshot from 2013-09-30 23:23:19.png
     
    Elfew and koitsu like this.
  26. koitsu

    koitsu Network Guru Member

    Also, footnote for anyone who wants to try and take up the "clear the logs" feature: you are going to need to restart syslogd and klogd (or possibly just HUP them; I do not know about klogd) after you nuke the log files. Failure to do so will result in a filehandle that remains open (remember: /var/log is RAM!) indefinitely, taking up space (disk space, although again, this is RAM) until the daemons close and reopen the fh.
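
The open-filehandle effect described above, as an added example that is not part of the original post: a Python sketch in which an ordinary file handle stands in for syslogd's handle on /var/log/messages. The temporary directory, function names and byte counts are assumptions made for the illustration; `deleted_but_open` relies on Linux `/proc` and returns an empty list elsewhere.

```python
import os
import tempfile


def deleted_but_open(pid="self"):
    """List files a process still holds open after they were unlinked (Linux /proc only)."""
    fd_dir = "/proc/%s/fd" % pid
    held = []
    if not os.path.isdir(fd_dir):
        return held
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor was closed while we were listing
        if target.endswith(" (deleted)"):
            held.append(target[: -len(" (deleted)")])
    return held


def remove_log_while_open(workdir):
    """Delete a log file while a writer keeps it open, then 'restart' the writer."""
    path = os.path.join(workdir, "messages")   # constructed stand-in for /var/log/messages
    daemon = open(path, "ab")                  # stand-in for syslogd's open handle
    daemon.write(b"a" * 4096)
    daemon.flush()

    os.unlink(path)                            # the equivalent of: rm /var/log/messages
    st = os.fstat(daemon.fileno())
    result = {
        "name_exists_after_rm": os.path.exists(path),
        "links_after_rm": st.st_nlink,         # 0 on local filesystems: no name left
        "bytes_held_after_rm": st.st_size,     # data is still allocated
        "proc_view": deleted_but_open(),       # how an admin can spot the held file
    }

    # The writer keeps logging into the nameless file, so usage keeps growing.
    daemon.write(b"b" * 4096)
    daemon.flush()
    result["bytes_held_later"] = os.fstat(daemon.fileno()).st_size
    result["name_exists_later"] = os.path.exists(path)

    # Restarting the daemon closes the old handle (space is released) and
    # reopens the path, which creates a fresh, visible file.
    daemon.close()
    daemon = open(path, "ab")
    daemon.write(b"restarted\n")
    daemon.flush()
    result["bytes_after_restart"] = os.path.getsize(path)
    daemon.close()
    return result


def run_demo():
    """Run the scenario in a throwaway directory and return the measurements."""
    with tempfile.TemporaryDirectory() as workdir:
        return remove_log_while_open(workdir)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-22s %s" % (key, value))
```
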
     
  27. Victek

    Victek Network Guru Member

    Just a note to close it, @nurofen your logs and all your activity are stored in many sites, stop paranoia's please.
     
    Elfew likes this.
  28. nurofen

    nurofen Serious Server Member

  29. Lorenceo

    Lorenceo Networkin' Nut Member

    I don't have any 6to4 services at the moment to test with sorry.
     
  30. Victek

    Victek Network Guru Member

    pity ... ok .. we'll continue the research ..
     
  31. RonV

    RonV Network Guru Member

    Victek,

    Still have the same issue with the v1.28.9013 MIPSR2-RAF-v1.2i K26 USB build N66U. All my settings worked except for enable QOS. Same problem as yesterday as soon as I turned on QOS I lost routing off my network to the internet with IPv6. Attaching a zip file with all the normal configuration stuff in two folders QOS and No_QOS which is self explanatory.

    Let me know if you need anything else for this one..as usual my IPv6 config is:


    IPv6 Service Type: DHCPv6 with Prefix Delegation
    Prefix Length:64
    Static DNS:2620:0:ccc::2
    2620:0:ccd::2
    Accept RA from [x] WAN [ ]LAN
     


  32. vlads

    vlads Serious Server Member

    This time around it looks good. USB/NAS is back. I'll start testing VLANs and IPV6 as soon as I get my hands on a pure bridge VDSL2 modem to use with the local provider.

    On another topic, I just got a new Netgear WNR3500Lv2 and gave your 1.2 build a try. Overall it runs ok, but there are some glitches:
    1. No JFFS support. This router has 128MB of flash. Is there a technical reason preventing JFFS from being enabled on it?
    2. No web server is available. Again, the router is not limited when it comes to flash or RAM (both 128MB).
    3. On the WAN section of the Basic>Network page the dynamic page shows the 3G modem settings all the time no matter which interface type you select.
    victeck_wnr3500lv2.jpg
     
    Last edited: Oct 1, 2013
  33. Elfew

    Elfew Addicted to LI Member

    New version without problem. IPv6 will be difficult to config for every exotic provider, maybe just test this with users with "normal, common" IPv6 connection and after that (when it will be fine,working) focus on others... Because there are so many variants, it is really hard for Victek
     
  34. nurofen

    nurofen Serious Server Member

    This is a mistake or do not pay attention to it?
    Excuse me for asking :)
     
  35. Victek

    Victek Network Guru Member

    It's OK, thanks for the question, the message appears first time after you flash new version and your connection settings are unconfigured, once configured the file is created and message is gone. Evidences:

    Code:
    Jan  1 01:00:52 unknown daemon.warn dnsmasq[497]: failed to access /etc/resolv.dnsmasq: No such file or directory
    
    after you have entered the settings for your connection:
    
    Oct 1 11:44:04 RT-N16 daemon.info dnsmasq[1973]: reading /etc/resolv.dnsmasq
    Oct 1 11:44:04 RT-N16 daemon.info dnsmasq[1973]: using nameserver 80.xx.xx.xx#53
    Oct 1 11:44:04 RT-N16 daemon.info dnsmasq[1973]: using nameserver 80.xx.xx.xx#53
    Oct 1 11:44:04 RT-N16 daemon.info dnsmasq[1973]: read /etc/hosts - 2 addresses
    


    a) E3200. Good, the build compilation settings are fixed once forever.
    b) 3500Lv2. Thanks for testing, no problem to add webserver if flash is wide.
    c) 3500Lv2. Weird GUI with modem settings always...since the code is the same for all models... need to investigate.

    Thanks for testing.

    Thanks a lot for the information @RonV I'll check.

    Resume: It seems that ipv6 support for all Tomato needs a deep investigation, unfortunately I don't have ipv6 connection. I apologize all inconvenience appearing now, it's the moment to solve but my access to ipv6 is 'null'.
     
    Last edited: Oct 1, 2013
    Elfew likes this.
  36. Elfew

    Elfew Addicted to LI Member

    According to latest news about IPv6 - only 2,2% of all connections to Google are from IPv6... so IPv6 is not the biggest problem in Tomato now... we just need somebody who knows Tomato code, have IPv6 connection and can make changes in Tomato for IPv6.

    Keep good work Victek!
     
  37. MatteoV

    MatteoV Serious Server Member

    Hi guys.
    I'm testing IPv6 with the E4200 since we all like it so much here lol.
    My ISP gives me anonymous connections to a 6to4 tunnel and that assigns me a random IP(v6) AND authenticated connections with a static IP I can request.
    Is the authenticated connection available in the firmware atm?

    Thanks!
     
  38. RonV

    RonV Network Guru Member


    I agree that IPv6 for full functionality needs to be fully researched. There is a post in the TomatoUSB site that states the IPv6 in Tomato was only tested with IPv6 tunnels and not native access. Their analysis seems to be correct. When I get time I will try to sort out the IPv6 tables and routing tables with QOS turned on but my ability to code any changes are slim. If I find anything I will let you know...

    Isn't this fun :)
     
    Last edited: Oct 1, 2013
  39. Victek

    Victek Network Guru Member

  40. Lorenceo

    Lorenceo Networkin' Nut Member

    Just flashed 1.2j. While there seems to be some progress with it, it is still rather temperamental.

    It seemed to work at first with /64 under the v6 GUI, but no router advertisements were sent to clients.
    Code:
    traceroute ipv6.google.com
      traceroute to ipv6.google.com (2404:6800:4006:805::1011), 30 hops max, 16 byte packets
      1  2406:e000:97:1::1 (2406:e000:97:1::1)  18.931 ms  55.473 ms  6.775 ms
      2  2405:a400:2de5:b002::2 (2405:a400:2de5:b002::2)  55.422 ms  55.243 ms  5.278 ms
      3  23655.syd.equinix.com (2001:de8:6::2:3655:1)  81.799 ms  71.273 ms  59.510 ms
      4  2406:e000:400::3 (2406:e000:400::3)  62.787 ms  64.284 ms  61.857 ms
      5  2001:4860::1:0:9f7 (2001:4860::1:0:9f7)  57.453 ms  76.023 ms  50.027 ms
      6  2001:4860:0:1::5f (2001:4860:0:1::5f)  69.037 ms  121.172 ms  73.867 ms
      7  2404:6800:8000:2a::b (2404:6800:8000:2a::b)  52.585 ms  51.516 ms  66.809 ms
      cat /etc/dnsmasq.conf
      pid-file=/var/run/dnsmasq.pid
      resolv-file=/etc/resolv.dnsmasq
      addn-hosts=/etc/dnsmasq/hosts
      dhcp-hostsfile=/etc/dnsmasq/dhcp
      expand-hosts
      min-port=4096
      stop-dns-rebind
      rebind-localhost-ok
      interface=br0
      dhcp-range=tag:br0,192.168.1.2,192.168.1.53,255.255.255.0,1440m
      dhcp-option=tag:br0,3,192.168.1.1
      dhcp-lease-max=255
      dhcp-authoritative
      enable-ra
      dhcp-range=tag:br0,2406:e000:e268::, slaac, ra-names, 64 
    I then tried with /48 under the v6 GUI. Router advertisements were sent to the LAN with the correct prefix and the incorrect MTU.
    Both clients and the router reported destination unreachable when trying to ping/traceroute ipv6.google.com.

    I've put it back to /64 in the GUI and now there are both no router advertisements being sent to the LAN and the router is reporting v6 hosts are unreachable.

    With both /48 and /64 the router does obtain its IPv6 address on its WAN.
     
    Victek likes this.
  41. Victek

    Victek Network Guru Member

    ;) You have a temperamental router ? it's extra cost? .. I sent PM with interesting information to test. I think we need 100 test more and it will work! amazing!
     
  42. Lorenceo

    Lorenceo Networkin' Nut Member

    After entering the line you suggested under Advanced, DNS/DHCP, Dnsmasq custom configuration I get the following:
    Code:
    traceroute ipv6.google.com
    traceroute: can't connect to remote host: Network is unreachable
    cat /etc/dnsmasq.conf
    pid-file=/var/run/dnsmasq.pid
    resolv-file=/etc/resolv.dnsmasq
    addn-hosts=/etc/dnsmasq/hosts
    dhcp-hostsfile=/etc/dnsmasq/dhcp
    expand-hosts
    min-port=4096
    stop-dns-rebind
    rebind-localhost-ok
    interface=br0
    dhcp-range=tag:br0,192.168.1.2,192.168.1.53,255.255.255.0,1440m
    dhcp-option=tag:br0,3,192.168.1.1
    dhcp-lease-max=255
    dhcp-authoritative
    enable-ra
    dhcp-range=tag:br0,2406:e000:e34b::, slaac, ra-names, 64
    dhcp-range=tag:br0,::1,::ffff,constructor:br0,ra-names,1440m 
    The router obtains its v6 address, but no router advertisements are sent out. As you can see above the router cannot reach v6 addresses either.

    I'm not sure if I've done it correctly. Do I need to edit the dnsmasq.conf via SSH + vi and remove the first dhcp-range line?
    In the past when trying to edit radvd.conf on the router I had no success, as the router would always revert to the default one baked into the firmware.

    You mention 100 more tests. How many writes can the flash used in the routers take before it starts to fail? I'd rather not brick a brand new RT-N66U. :eek:
     
  43. Victek

    Victek Network Guru Member

    We'll die before router flash will die.. don't worry... ok, I follow contacts with 'experts'
     
  44. khris972

    khris972 Networkin' Nut Member

    Ipv6 native does not work with 1.2j. I had to use "Other (Manual Configuration)" and I got an IP, but it gives me a /64 prefix

    My ISP use a /56 Prefix , i do not know if it should be an issue
     
  45. Victek

    Victek Network Guru Member

    Yes .. indeed, it's the problem. It's not standard configuration, but at least in your case it works using 'other configuration' right? or am I missing something?
     
  46. vlads

    vlads Serious Server Member

    @Victek - I noticed another issue with all major Tomato builds (yours, Shibby's and Toastman's) for the E3200: the 5GHz radio induces a latency of 3-8ms.

    The latency is not present when using the E3200 2.4GHz radio, when using an E2000 in 5GHz mode or when using stock firmware.

    Since the E3200 5GHz radio is USB based, is it possible that the latency is somehow induced by the USB stack?!
     
    Victek likes this.
  47. khris972

    khris972 Networkin' Nut Member

    Wtf

    I flashed 1.21.j, native ipv6 does not work, I switched to other manual configuration and it worked (I got ipv6), a few minutes later I lost ipv6
    Now I'm back to Native and it works, sorry about the misunderstanding
     
  48. Elfew

    Elfew Addicted to LI Member

    Maybe I am totally wrong but interface for IPv6 in Tomato is detailed and has all what we need, or not? (in compare with stock firmware) - so tell me how it is fixed or set in stock firmwares (linksys, asus, ...) and it works from the box
     
  49. jerrm

    jerrm Network Guru Member

    Too much is made of wearing out the flash. The chips are generally rated for something like a hundred thousand cycles.

    I'm not sure I would write my multi-megabyte logs, multiple writes per second to something like flash jffs in real time, but an erase/write procedure a few times a day is not going to do any harm.
     
  50. Victek

    Victek Network Guru Member

    Could be ... I think your thought is right, but if it happens with stock firmware then we can't investigate nothing
    I receive components catalogs where write-erase operations for flash goes from 500K for consumer till 20Millions. for military specs....
     
  51. vlads

    vlads Serious Server Member

    My initial post might not have been clear enough. The latency spike doesn't present itself with stock firmware.

    Further testing with build 1.2i shows a significant increase in CPU activity when traffic gets pushed through the 5GHz radio. Max LAN-WLAN large packet throughput is roughly 95-100Mbit/sec with the CPU maxing out at 100%.
     
  52. eahm

    eahm LI Guru Member

    Victek, is WDS automatic working with your firmware? It doesn't work on any other. Tomato sucks for WDS, if you link few routers together and one restarts, you have to synchronize the restart of both or something. Too much work, too much pain. This should be fixed...
     
  53. Elfew

    Elfew Addicted to LI Member

    WDS is well known problem in Tomato... I think it is not easy to fix.

    @Victek - I can help you with IPv6 testing in 3 weeks - my provider sent me a message that IPv6 will be available and activated
     
  54. Victek

    Victek Network Guru Member

    It's same CPU load as you have with WAN-LAN traffic, not bad, it's a E3200. I read wrong what you said about stock firmware.

    Yes ... as you said it sucks in ALL third party firmwares? ;) Let's ask Santa Claus, not really, WPS is not a priority for me since I can't get 100MB sustained in wireless for LAN ...

    Great! I'm receiving help from dnsmasq creator, hope to sort it ...
     
  55. Marcel Tunks

    Marcel Tunks Networkin' Nut Member

    Would be nice. Reboot parties are not fun with more than 2 nodes. Unfortunately none of the current devs use WDS, so it's not likely to happen any time soon, if ever.

    As problematic as Tomato WDS is, though, it's infinitely better than dd-wrt WDS on the same hardware (at least with WRT54G series and E4200v1's... haven't tried it with others).
     
  56. ilovejedd

    ilovejedd Addicted to LI Member

    The NAND used in the RT-N66U is rated for 100,000 P/E cycles.
     
  57. nurofen

    nurofen Serious Server Member

    @Victek, Older logs are deleted after rebooting the router?

    Explain why these settings?



    thank you
     

    Attached Files:

    • 1.png
    Last edited: Oct 2, 2013
  58. RMerlin

    RMerlin Network Guru Member

    I've seen Asus struggle with that as well over the past 18 months. Supporting Comcast for instance required their engineers to get in touch with Comcast's engineers to eventually get it to work.
     
    Elfew likes this.
  59. RMerlin

    RMerlin Network Guru Member

    Nano takes about a megabyte. vi takes a few dozen kilobytes. In a router that can have between 4 MB and 32 MB of flash space, this is a huge difference.

    Setup Optware or Entware on a USB disk, and install nano from there. That's how I roll here.
     
    Elfew likes this.
  60. nurofen

    nurofen Serious Server Member

    @RMerlin, Thanks for the explanation :)
     
    Last edited: Oct 2, 2013
  61. MatteoV

    MatteoV Serious Server Member

    I'm testing with you and having problems too with ipv6 mode "IPv6-in-UDP-IPv4 Tunnel (NAT Traversal)", gogoclient works but I can't figure out how to make the tomato work!
    I would like to bump my question of some posts ago: what about authenticated tunnels, are they possible with dnsmasq?
    Are you releasing for E4200 too?

    Thanks
     
  62. Elfew

    Elfew Addicted to LI Member

    Iptraffic - enable iptraffic recording for this device
    Bound to-this device will have only this IP
     
  63. nurofen

    nurofen Serious Server Member

    Many thanks for the explanation!

    @Elfew,Older logs are deleted after rebooting the router?
     
    Last edited: Oct 2, 2013
  64. Elfew

    Elfew Addicted to LI Member

    @nurofen - so many question, use internet! It depends on your settings in Administration -> Logging - you can set your own path (USB device) etc... just do not ask and try it yourself
     
    Goggy likes this.
  65. RonV

    RonV Network Guru Member

    I love the term Exotic IPv6 implementation. When IPv6 day arrived I thought the days of NATed access to the internet were going to be long gone. We would all have our own address blocks and native access without all the issues associated with address translation, etc. But the ISPs, wanting to control every aspect of our internet experiences, decided to implement all sorts of unusual requirements to connect. Vlan Tagging, Private IPv6 Tunnels, unusual prefix delegation schemes. The list goes on and on. This is not what the IPv6 IETF imagined the migration to IPv6 would look like.
     
    Last edited: Oct 2, 2013
  66. Victek

    Victek Network Guru Member

    The main 'thing' is Tomato 'IS' the only third party firmware using dnsmasq, others use radvd and dnsmasq. It provokes some 'exotic' behavior in users handling ipv6... it's a question of time to sort issues, meanwhile we have other alternatives... I'm doing it. ;)
     
  67. konax

    konax Reformed Router Member

    One month after.. any news for the Speedtest version for Asus RT-N16? :D Thanks!!
     
  68. Victek

    Victek Network Guru Member

  69. nurofen

    nurofen Serious Server Member

    Speedtest version you can configure ppoe + vlan? And see screenshots of the admin panel :)
     
  70. Victek

    Victek Network Guru Member

    no
     
  71. konax

    konax Reformed Router Member

    Yes, i have this firmware since 5th or 6th september. i'm waiting for any new version with all features of normal tomato firmware.
    You told me that you take one month, more or less, for a new version.
     
  72. Marcel Tunks

    Marcel Tunks Networkin' Nut Member

    It's going to take longer than a month. It is a large undertaking on the part of Victek, and is being developed in parallel with refining the mainstream RAF mod and his work on porting Tomato to ARM. A team of developers would have difficulty achieving this at all. We are fortunate that Victek is so persistent.
     
    Armand1234 likes this.
  73. Victek

    Victek Network Guru Member

    And now after all captured information for ipv6 issues with 'exotic' ISP's we discover that internal routing for ipv6 in Tomato is broken for dhcpv6pd ... @konax you're lucky to have one Speedtest version but now priorities changed to sort bugs in tomato mainstream, the problems affects all tomato mods, the problem began in: http://tomatousb.org/forum/t-492301/how-about-dhcpv6-pd-that-works-with-comcast-ipv6 ... http://www.linksysinfo.org/index.php?threads/shibby-109-ipv6-tunnel-broken.68559/

    I know everything is important for all of you but I follow my list (and I don't have ipv6 so....).
     
    Last edited: Oct 2, 2013
  74. konax

    konax Reformed Router Member

    okey, no problem. i'm waiting patiently.
    Lucky with IPv6 Problems :D
     
  75. Daky

    Daky Network Guru Member

    Victek,

    Object Not Found
    The requested URL '/9013.html' was not found on the RomPager server.
    Return to last page

    I just tried to access your download section.

    Are you working on ur webserver?
     
  76. Victek

    Victek Network Guru Member

  77. Daky

    Daky Network Guru Member

    Doesn't work for me
     
  78. RMerlin

    RMerlin Network Guru Member

    I can confirm the same here - your signature link requests a username/password, and the 9013.html link returns a 404.
     
  79. lancethepants

    lancethepants Network Guru Member

    I tried during the time between the last two posts, and it worked and works for me.
     
  80. Victek

    Victek Network Guru Member

    Ok, I stop test with he.com for ipv6 .. ready and sorry
     
  81. Lorenceo

    Lorenceo Networkin' Nut Member

    After some testing with 1.2j3 (which has radvd) it seems that IPv6 is working again. :D
    Unfortunately the issue with the incorrect MTU is still present.
    I've tried putting the radvd.conf file into nvram as below, but when radvd launches it still uses the stock config, as can be seen when I cat it.

    nvram export --set |grep FILE
    Code:
    nvram set FILE:/etc/radvd.conf="\\A4\\81~~p\\17\\16\\12interface br0\\0A{\\0A IgnoreIfMissing on;\\0A AdvSendAdvert on;\\0A AdvLinkMTU 1492;\\0A MaxRtrAdvInterval 60;\\0A AdvHomeAgentFlag off;\\0A AdvManagedFlag off;\\0A prefix ::/48 \\0A {\\0A AdvOnLink on;\\0A AdvAutonomous on;\\0A };\\0A RDNSS 2406:e000::100 {};\\0A };\\0A" 

    cat /etc/radvd.conf
    Code:
    interface br0
    {
    IgnoreIfMissing on;
    AdvSendAdvert on;
    MaxRtrAdvInterval 60;
    AdvHomeAgentFlag off;
    AdvManagedFlag off;
    prefix ::/64
    {
    AdvOnLink on;
    AdvAutonomous on;
    };
    RDNSS 2406:e000:XXXX:0:ae22:bff:fe31:XXXX {};
    };
    Without the line AdvLinkMTU 1492; many IPv6 services don't work properly, or in some cases at all. Basic things such as pings do work though, which is a definite improvement.

    Edit: It seems that this version is a bit buggy, so I wouldn't recommend it for long term use. When using it there is a lot of packet loss with both IPv6 and IPv4. The packet loss seems to get worse when browsing through the HTTP GUI, especially on pages that auto refresh such as the connected device list.
    It also seems that enabling QoS makes the internet connection unreliable, which I suspect is the same issue @RonV was having.
     
    Last edited: Oct 3, 2013
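
A check for the RA MTU problem reported above, as an added example that is not part of the original post: a Python parser for the options of an ICMPv6 Router Advertisement, run on constructed messages such as one would export from a packet capture. The 2001:db8:1:: prefix, the lifetimes and all function names are assumptions; 1492 is the PPPoE MTU discussed in the thread.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
OPT_MTU = 5


def build_ra(prefix, prefix_len, mtu=None):
    """Build a constructed RA message (checksum left at 0) to feed the parser."""
    # type, code, checksum, hop limit, flags, router lifetime, reachable, retrans
    msg = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    # Prefix Information option: 32 bytes, on-link + autonomous flags (0xC0)
    msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix_len, 0xC0, 86400, 14400, 0)
    msg += ipaddress.IPv6Address(prefix).packed
    if mtu is not None:
        # MTU option: type 5, length 1 (8 bytes), 2 reserved bytes, 32-bit MTU
        msg += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    return msg


def parse_ra(msg):
    """Return the advertised MTU (or None) and the advertised prefixes."""
    if len(msg) < 16 or msg[0] != ICMPV6_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    info = {"mtu": None, "prefixes": []}
    offset = 16  # options start after the fixed 16-byte RA header
    while offset + 2 <= len(msg):
        opt_type, opt_len = msg[offset], msg[offset + 1]
        size = opt_len * 8  # option length is counted in units of 8 bytes
        if opt_len == 0 or offset + size > len(msg):
            raise ValueError("malformed option at offset %d" % offset)
        body = msg[offset:offset + size]
        if opt_type == OPT_MTU and size == 8:
            info["mtu"] = struct.unpack("!I", body[4:8])[0]
        elif opt_type == OPT_PREFIX_INFO and size == 32:
            prefix = ipaddress.IPv6Address(body[16:32])
            info["prefixes"].append("%s/%d" % (prefix, body[2]))
        offset += size
    return info


def check_ra_mtu(msg, wan_mtu=1492):
    """Compare the RA's MTU option with the MTU of the WAN link behind the router."""
    mtu = parse_ra(msg)["mtu"]
    if mtu is None:
        return "missing"    # hosts keep their interface default, typically 1500
    if mtu > wan_mtu:
        return "too-large"  # hosts will send packets the PPPoE link cannot carry
    return "ok"


if __name__ == "__main__":
    for label, mtu in (("no MTU option", None), ("MTU 1500", 1500), ("MTU 1492", 1492)):
        ra = build_ra("2001:db8:1::", 64, mtu)  # constructed sample
        print("%-14s -> %s %s" % (label, check_ra_mtu(ra), parse_ra(ra)["prefixes"]))
```
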
  82. Victek

    Victek Network Guru Member

    It's a test version only for your case Lorenceo (it sounds excessive.. but it's).. Tomato RAF is not having problems with other ipv6 connection modalities (native ipv6 for instance) so I think it's a question of maturity for dnsmasq development to solve the issue with concrete modalities. Since other firmware distributions and official firmware still use radvd it means that Tomato was entrepreneur in this subject. ;)

    I'm not the developer of dnsmasq integration and QoS (unfortunately) so any change done is unknown for me, hope you and all understand that it's not easy to solve problems or understand code written by others that are not answering your problems .... (I'm little bothered about it) but as always I like to help others...

    By the way, did you send me latest wireshark ra capture file? I'll pass to dnsmasq author for investigation.

    Thanks!

    Edit: ONLY the versions linked with model list are the official ones, you can see other builds in my repository, use at your own risk.
     
    Last edited: Oct 3, 2013
    Elfew likes this.
  83. RonV

    RonV Network Guru Member

    Found that access restrictions aren't working in v1.28.9013 MIPSR2-RAF-v1.2i K26 USB on my RT-N66U. I have rules to keep the kids devices from hitting youtube and other sites. The rule is defined in nvram as this:

    Code:
    nvram set rrule5="1|-1|-1|127|192.168.10.122>192.168.10.123>192.168.10.124>192.168.10.57>192.168.10.58||.youtube.com\$
    m.youtube.com\$
    i.mgur.com|0|Blocked Sites-Cell-Netbook"
    
    And the iptables are coded as this:

    Code:
    Chain rdev05 (1 references)
    pkts bytes target    prot opt in    out    source              destination         
        0    0 rres05    all  --  *      *      192.168.10.122      0.0.0.0/0          [goto] 
      17  1672 rres05    all  --  *      *      192.168.10.123      0.0.0.0/0          [goto] 
        0    0 rres05    all  --  *      *      192.168.10.124      0.0.0.0/0          [goto] 
      220 22915 rres05    all  --  *      *      192.168.10.57        0.0.0.0/0          [goto] 
      212 22788 rres05    all  --  *      *      192.168.10.58        0.0.0.0/0          [goto] 
    Chain restrict (2 references)
    pkts bytes target    prot opt in    out    source              destination         
    73094 4303K rdev05    all  --  *      *      0.0.0.0/0            0.0.0.0/0           
    Chain rres05 (5 references)
    pkts bytes target    prot opt in    out    source              destination         
      24  3770 rstr05    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          multiport dports 53,80,443 
      12  859 rstr05    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:53 
    Chain rstr05 (2 references)
    pkts bytes target    prot opt in    out    source              destination         
        0    0 REJECT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          STRING match "i.mgur.com" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0    0 REJECT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          STRING match "i.mgur.com" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0    0 REJECT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          STRING match "m.youtube.com$" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0    0 REJECT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          STRING match "m.youtube.com$" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0    0 REJECT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          STRING match ".youtube.com$" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0    0 REJECT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          STRING match ".youtube.com$" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
    
    You can see that the chain that matches the IP address doesn't goto rstr05 but goes to rres05....strange...
     
  84. Victek

    Victek Network Guru Member

    it works in my unit using the GUI.

    Code:
    Chain rstr00 (2 references)
    target    prot opt source              destination       
    REJECT    udp  --  anywhere            anywhere            STRING match "youtube.com" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable
    REJECT    tcp  --  anywhere            anywhere            STRING match "youtube.com" ALGO name bm FROM 1 TO 600 reject-with tcp-reset
    
     
  85. RonV

    RonV Network Guru Member

    The rule it looks like you put in was for all access to youtube.com...my rule lists 5 specific IP addresses where it should be blocked. And it results in a rule chain that I put in the previous post. I wonder if this has something to do when I enabled the IPv6 for testing and then turned it off?

    I did put in always block youtube and it generated these rules:

    Code:
    Chain restrict (2 references)
    pkts bytes target    prot opt in    out    source              destination         
    2009  105K rres01    all  --  *      *      0.0.0.0/0            0.0.0.0/0           
    Chain rres01 (1 references)
    pkts bytes target    prot opt in    out    source              destination         
    1998  103K rstr01    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          multiport dports 53,80,443 
        3  200 rstr01    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:53 
    Chain rstr01 (2 references)
    pkts bytes target    prot opt in    out    source              destination         
        0    0 REJECT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          STRING match ".youtube.com$" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0    0 REJECT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          STRING match ".youtube.com$" ALGO name bm FROM 1 TO 600 reject-with tcp-reset  
     
    Last edited: Oct 4, 2013
  86. jerrm

    jerrm Network Guru Member

    I don't think the STRING module is matching the $ token like the web module did. It's a match of the entire packet now and not just the url.

    Try removing the $ from the rule and retest.

    One of the many idiosyncrasies of the string module I'm sure koitsu will chime in on.
     
  87. Victek

    Victek Network Guru Member

    If you want to use ipv6 then change IP address by MAC address, just tested few minutes ago, it works.
     
  88. Victek

    Victek Network Guru Member

    First test with he.com and v2.67rc3 few minutes ago.

    Code:
    vicente@vicente-K53SJ:~$ traceroute ipv6.google.com
    traceroute to ipv6.google.com (2a00:1450:4003:804::1014), 30 hops max, 80 byte packets
    1  RT-N16.SPARROW (2001:470:1f09:dd8::1)  0.566 ms  0.755 ms  0.730 ms
    2  Victek-1.tunnel.xxxxxxxxxxxxx (xxxxxxxxxxx)  41.913 ms  46.181 ms  49.409 ms
    3  gige-g4-8.core1.lon1.he.net (2001:470:0:67::1)  50.037 ms  50.030 ms  50.300 ms
    4  2001:7f8:4::3b41:1 (2001:7f8:4::3b41:1)  49.636 ms  50.254 ms  49.588 ms
    5  2001:4860::1:0:3067 (2001:4860::1:0:3067)  50.182 ms 2001:4860::1:0:15f (2001:4860::1:0:15f)  49.807 ms  49.779 ms
    6  2001:4860::8:0:2dde (2001:4860::8:0:2dde)  50.076 ms  63.516 ms  63.433 ms
    7  2001:4860::8:0:3df4 (2001:4860::8:0:3df4)  53.934 ms  45.320 ms  45.026 ms
    8  2001:4860::1:0:1070 (2001:4860::1:0:1070)  68.022 ms  75.275 ms  68.002 ms
    9  2001:4860:0:1::62d (2001:4860:0:1::62d)  68.962 ms  69.617 ms  70.173 ms
    10  2a00:1450:8000:27::3 (2a00:1450:8000:27::3)  68.426 ms 2a00:1450:8000:27::1 (2a00:1450:8000:27::1)  69.303 ms 2a00:1450:8000:27::c (2a00:1450:8000:27::c)  69.258 ms
    vicente@vicente-K53SJ:
    In my case it works fine, lan devices auto-create ipv6 and running...
    Code:
    Oct  4 02:38:53 RT-N16 daemon.info dnsmasq-dhcp[1983]: RTR-SOLICIT(br0) f4:6d:04:4b:ed:49
    Oct  4 02:38:53 RT-N16 daemon.info dnsmasq-dhcp[1983]: RTR-ADVERT(br0) 2001:470:1f09:dd8::
    Oct  4 02:45:20 RT-N16 daemon.info dnsmasq-dhcp[1983]: RTR-ADVERT(br0) 2001:470:1f09:dd8::
    Oct  4 02:46:52 RT-N16 daemon.info dnsmasq-dhcp[1983]: RTR-ADVERT(br0) 2001:470:1f09:dd8::
    Oct  4 02:46:53 RT-N16 daemon.info dnsmasq-dhcp[1983]: RTR-SOLICIT(br0) f4:6d:04:4b:ed:49
    Oct  4 02:46:53 RT-N16 daemon.info dnsmasq-dhcp[1983]: RTR-ADVERT(br0) 2001:470:1f09:dd8::
    Oct  4 02:46:57 RT-N16 daemon.info dnsmasq-dhcp[1983]: SLAAC-CONFIRM(br0) 2001:470:1f09:dd8:f66d:4ff:fe4b:ed49 vicente-K53SJ
    Oct  4 02:47:01 RT-N16 daemon.info dnsmasq-dhcp[1983]: RTR-ADVERT(br0) 2001:470:1f09:dd8::
    I close ipv6 for Tomato, next hobby, go to sleep. ;)
     
    Last edited: Oct 4, 2013
  89. RonV

    RonV Network Guru Member

    Wow...removed the $ as you stated and it's now working....I guess the old sample template should be updated to reflect the removal of the expressions from the patterns...

    Fixed all my access restriction rules and they all are working now...thought we had a bug showing up....thanks again Victek
     
    Last edited: Oct 4, 2013
  90. koitsu

    koitsu Network Guru Member

    :)

    The strings module does not support regular expressions or wildcards. It does exactly what its name implies: it matches a raw string anywhere in the packet (you can limit start/end of the payload using the --from and --to flags, as well as other things). The strings module also has a very high chance of either missing a packet (twitter is known to cause problems with this, since its SNI is further than 600 bytes into the payload), or a very high chance of falsely matching a packet you didn't want it to.

    There are no plans to support this. TomatoUSB does not maintain the module; the netfilter/iptables folks do.

    The older method of Access Restrictions used a custom module/feature written by the Tomato author himself, which did support basic regex and did a clean job of analysing the payload only within the HTTP headers area. However, it cannot match HTTPS SNI by design.

    Not all the TomatoUSB firmwares use the "new" strings module, and for this very reason/fact.

    Bottom line: trying to filter SSL is basically like fighting a battle uphill. There are other ways to do this, mainly by using a (transparent if desired) proxy, but the management aspect is very high and the speed impact is equally tremendous.

    I could talk about 4 or 5 methods of blocking Youtube (HTTP or HTTPS, doesn't matter which) in an efficient manner, but they would require other firewall rules on the network (i.e. forcing nobody to be able to use their own DNS server, and running your own DNS server with a youtube.com DNS zone or use of zone blackholing (I'm speaking in BIND terms here, not unbound), where you could make exceptions).

    ...but I won't. Why? Because I choose not to. I'm really sick and tired of people mucking about with this module without fully understanding how TCP/IP works and how the module works. The only people using it should be those who understand the full repercussions of what they are doing. I'm sorry, I'm just a hard ass about this, and I've put a lot of time (I feel) into the project already, I'm not going to write a book on "how to manage your home network". I'm a UNIX SA, my time is spent elsewhere.

    In general though, I tend to recommend people solve social problems like "don't look at Youtube" via social means, i.e. "if you are caught doing this, your network access will be rejected". Do not try to solve social problems with technology -- Steve Jobs himself even advocated this (WRT software piracy being a social problem).
     
    Toastman and mito like this.
  91. jerrm

    jerrm Network Guru Member

    Yeah, I have reservations with how the string module is being used. It's a good tool, and I like the option, not sure about it being the default. A check box or something to choose the method would be nice.

    Safest (short of a custom module) would probably be something like default to using the web module and if an "attempt to match https" checkbox is ticked add an additional port 443 rule using the string module. GUI should probably throw up a warning if there are characters that look like a regex when https is ticked.

    Risk of false positives would be greatly reduced if only matching ssl traffic.

    Haven't looked at it enough (at all) to know if the checkbox could be accommodated without adding a column to the nvram rules table, or how involved it would be to fix up the code if you had to add a column.
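
The literal, windowed matching described in posts 90 and 91, modelled in user space as an added example (not code from any poster, Tomato or netfilter). The sample packets, function names and the simplified window handling (pattern must lie wholly inside bytes 1 to 600 of the bytes given) are assumptions made for illustration.

```python
# Added illustration: a user-space model of literal string matching with a
# FROM/TO window, as in the rules listed above. Not the kernel string module.

REGEX_CHARS = set("^$*?+[](){}|\\")  # '.' left out: it is normal in hostnames

def string_match(packet: bytes, pattern: bytes, start: int = 1, end: int = 600) -> bool:
    """True if the literal pattern lies wholly inside packet[start:end]."""
    return pattern in packet[start:end]

def regex_like(pattern: str) -> list:
    """Characters a user probably meant as regex but which are matched literally."""
    return sorted(set(pattern) & REGEX_CHARS)

# --- constructed sample packets (application bytes only, headers omitted) ---
HTTP_YT = b"GET / HTTP/1.1\r\nHost: www.youtube.com\r\nUser-Agent: x\r\n\r\n"
# Stand-in for a handshake whose server name sits more than 600 bytes in
LATE_NAME = b"\x16\x03\x01" + b"\x00" * 700 + b"www.youtube.com"
# Request to an unrelated site that merely mentions the name
UNRELATED = (b"GET /search?q=youtube.com+alternatives HTTP/1.1\r\n"
             b"Host: example.org\r\n\r\n")

def survey(pattern: str) -> dict:
    """Run one Access Restriction pattern against all three sample packets."""
    p = pattern.encode()
    return {
        "http_youtube": string_match(HTTP_YT, p),   # should be blocked
        "late_name": string_match(LATE_NAME, p),    # name outside the window
        "unrelated": string_match(UNRELATED, p),    # should not be blocked
        "regex_like": regex_like(pattern),          # candidates for a GUI warning
    }

if __name__ == "__main__":
    for pat in (".youtube.com$", ".youtube.com", "youtube.com"):
        print(pat, survey(pat))
```

The `$` pattern from the old template matches nothing, the bare `youtube.com` pattern also hits the unrelated request, and no pattern sees the name that sits past byte 600.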
     
  92. nurofen

    nurofen Serious Server Member

  93. Victek

    Victek Network Guru Member

    No idea of RT-N12 D1 switch mapping and revision board, I can't help, but maybe you can try doing it from command instead of gui...
     
    Elfew likes this.
  94. nurofen

    nurofen Serious Server Member

    The firmware can not be corrected? To operate a tagged? (((

    And I can not sell ((( I do not know what does not work tagged(((
     
  95. Elfew

    Elfew Addicted to LI Member

    It is difficult when you know nothing about code ;) try it by yourself and share your results :D

    It is only hobby, not commercial project. Send this unit to Victek and he could fix it.
     
  96. Victek

    Victek Network Guru Member

    @nurofen, cheap things cost money ;) .. post this information needed, but remember LOW priority.

    root@RT-AC56U:/tmp/home/root# nvram show | grep board
    boardflags2=...............
    boardflags=..........
    boardnum=........
    boardrev=..........
    boardtype=.........
    and any other line related to this grep...

    OR send me the CFE.bin, you can extract in Administration/debugging .. Download CFE
     
    Last edited: Oct 4, 2013
  97. nurofen

    nurofen Serious Server Member

    My friend and I wish you and your family health and happiness!

    I did not know that the firmware does not work with tagged((((( Excuse me!

    Thank you for your help :)

    Tomato v1.28.9013 MIPSR2-RAF-v1.2 K26
    root@unknown:/tmp/home/root# nvram show | grep board
    boardflags2=0x0
    boardflags=0x80001710
    boardnum=45
    boardrev=0x1101
    boardtype=0x054D
    sb/1/boardflags2=0x0
    sb/1/boardflags=0x80001710
    root@unknown:/tmp/home/root#
     

    Attached Files: cfe.zip (File size: 97.7 KB)
  98. RonV

    RonV Network Guru Member

    Victek,

    Any testing you want done this weekend? I received my replacement RT-N16 and also can do some work on the RT-N66U.

    The good news is that I am getting an additional RT-N66U to prototype for a client that wants to use the router to distribute video to 4 displays in his shop. Told him that he needs to move from "G" to "N" networking for it to be reliable. So I was thinking while I am prototyping for him I can test for you also.
     
  99. Victek

    Victek Network Guru Member

    Still working with ipv6..;) .. amazing, learning ...
     
  100. Victek

    Victek Network Guru Member

    It's not a firmware fault, the router model was not ported to Tomato ... don't play with routers or something unless you know how to handle..., go to see.

    info for other devs... RT-N12D1

    Code:
    boardtype=0x054D
    boardrev=0x1101 
    vlan0ports=1 2 3 4 5*
    vlan1ports=0 5
     
    Last edited: Oct 5, 2013
