
Tomato Toastman's Releases

Discussion in 'Tomato Firmware' started by Toastman, Dec 18, 2011.

  1. brainz

    brainz Networkin' Nut Member

    Aw, but especially devices without USB need JFFS :(
    Can't you rip out something else?
  2. Noxolos

    Noxolos Addicted to LI Member

    Of course I could do this, but if there's a way to do this in the configuration, I would prefer it.

    This works. Thanks a lot!
    I don't understand why I have to set one LED to "off" and one to "on" and the result is that the main LED is off.
    But the important thing is that the light is off.

    Is there a similar way for the LEDs on the back?
  3. vjbalex

    vjbalex Networkin' Nut Member

    have you tried


    (in Advanced DHCP/DNS > DnsMasq Custom Configuration) ?

    I use this on eth0 for an access point I have. Documentation indicates other interfaces should work too.
  4. kthaddock

    kthaddock Network Guru Member

    Thank you !!!!
    No I haven't, but I should do it !
  5. kthaddock

    kthaddock Network Guru Member

    NOPE, doesn't work, still getting DHCP requests from the other subnet.
  6. eahm

    eahm LI Guru Member

    Toastman, do you use the latest RT-N drivers on the 7495? I'd like to test something with my wife's laptop if the drivers are different than Shibby 083V.
  7. kthaddock

    kthaddock Network Guru Member

    RT-N drivers are in 0495 builds. Shibby uses RT- drivers in his builds.
  8. kthaddock

    kthaddock Network Guru Member

    I have loaded latest wlan-0495-nocat and it's running with no problem so far.
    I have noticed some minor things: "Previous WAP" IP is gone, and you can't turn UPnP on without assigning it to a LAN bridge.
    Then you can't use "Show In My Network Places" as it should, poor man's UPnP.

    Is previous WAN-IP hidden until that changes ?

    First test with wl0.1 wpa2+aes: can't connect to this wifi. (After some trying it came up!)

    Thank you Toastman, Teaman and others !!!
  9. Noxolos

    Noxolos Addicted to LI Member

    Is it possible that the LEDs (LAN ports) on the back of the E4200 are hardwired?
  10. Cumulonimbus

    Cumulonimbus Networkin' Nut Member

    Shibby has builds with RT-N (5GHz) too, but the same are in Toastman's build at the moment.
  11. eahm

    eahm LI Guru Member

    My bad, I wanted to say that one.
  12. Elfew

    Elfew Addicted to LI Member

    Thank you for your new release...

    Can you add support for memory cards like Shibby?

    And is there any way to disable or modify the LEDs on the ASUS RT-16N?
  13. lancethepants

    lancethepants Network Guru Member

    This is what I use to block dhcp over the VPN. Only if your build supports ebtables.

    ebtables -A INPUT --in-interface tapX --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
    ebtables -A INPUT --in-interface tapX --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -A FORWARD --in-interface tapX --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -A FORWARD --in-interface tapX --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

    Replacing X with your Tap interface number.
  14. kthaddock

    kthaddock Network Guru Member

    Thank you !
    If I want to block both ways then I have to put them on both sides of OpenVPN. I'm going to try it soon.

  15. lancethepants

    lancethepants Network Guru Member

    Those rules will block any incoming and outgoing DHCP. It's sufficient to put them in one place, but I would go ahead and put them in both like you said. My second router for my site-to-site vpn setup does not have ebtables, but it works fine with this in just the one router.
  16. lando

    lando Networkin' Nut Member

    I have an E4200 and would like to know how to enable the activity lights in the rear. I just have the solid amber link light.
  17. alfred

    alfred Networkin' Nut Member

    I also have the same issue of wanting to block DHCP over the TAP OpenVPN like kthaddock does.
    I appreciate the ebtables script from lancethepants, and this is the test result on my two RT-N16s.

    Server side: 7494.3-VLAN-USB-VPN-NOCAT (tap21); client side: 7495-USB-VPN (tap11). I didn't put these ebtables rules on both sides.

    Reading the syslogs on both sides, it works fine when I put the ebtables rules in the client (tap11); the DHCP messages are not going to the other side any more (both directions).

    But when I put the ebtables rules in the server (tap21), the DHCPDISCOVER/DHCPOFFER/DHCPREQUEST/DHCPACK messages coming from the server side can still be seen in the client syslog. So it seems not to work when the ebtables rules are only in the server. Strange.... I prefer to put it on the server side.

    The client is not very busy, I'll keep on watching to confirm.

    --- Edit (1)
    I'll erase nvram of the server, and confirm again later.
    --- Edit (2)
    Confirmed. Still doesn't work on the server side after erasing NVRAM. The result is the same as before.
    The ebtables rules only work on the client side. (for me only? Any idea?)
    --- Edit (3)
    I had mistaken something, please refer to my next post #324 below to clarify.
  18. teaman

    teaman LI Guru Member

    I think we might need a small clarification about having the option "Ignore DHCP requests from unknown devices" enabled: it requires you to register/have all MAC addresses of all machines that will use DHCP listed on the Basic -> Static DHCP page (DHCP requests from any devices not on that list... will be ignored). Therefore, before enabling that option, make sure you have configured a MAC/IP/hostname in there ;)

    By using TAP, you're effectively bridging that 'other side' of the VPN to your (primary) LAN bridge (br0). Therefore, there's no 'easy' way of telling dnsmasq to ignore requests from that interface since... it doesn't actually 'see' requests on that (TAP) interface as a 'different' interface, but as requests arriving on br0 :/

    If you were using TUN instead, you could perhaps try something like this (on Advanced -> DHCP/DNS -> Dnsmasq Custom Configuration):
    Other than that... you might still have other choices, such as (from dnsmasq-man.html):
    -4, --dhcp-mac=set:<tag>,<MAC address>
        Map from a MAC address to a tag. The MAC address may include wildcards. For example --dhcp-mac=set:3com,01:34:23:*:*:* will set the tag "3com" for any host whose MAC address matches the pattern.
    The tag in question could be 'known' ;)

    Hope this helps!
  19. Cumulonimbus

    Cumulonimbus Networkin' Nut Member

    Hi Toastman,

    Idea: Can you put newer changelogs in the readmefile on the top, not on bottom? :)
  20. kthaddock

    kthaddock Network Guru Member

    Thank you Teaman !

    I will test what you suggested.
    I have tested with no success; the problem is that I want to see my other network's computers.
    Therefore I choose TAP-TCP "TAP device is a virtual ethernet adapter", rather than "TUN device is a virtual point-to-point IP link".
    I can use TUN if I can get my network computers in the list.

  21. Toink

    Toink Network Guru Member

    +1 this saves us time to scroll down to the latest changelog :)
  22. lancethepants

    lancethepants Network Guru Member

    I put the firewall rules on the server side only. Have you confirmed that the computers are actually being assigned by the wrong DHCP (and as a result directing internet traffic over the VPN)?
  23. kthaddock

    kthaddock Network Guru Member

    Is Previous WAN IP hidden until that changes ?

  24. alfred

    alfred Networkin' Nut Member

    I had made the conclusion too early in my post #317.
    Obviously, the observation was insufficient, sorry for this, because the client router was not busy enough for the earlier observation. Everything is clear when everybody comes home in the evening.

    I want the DHCPDISCOVER/DHCPOFFER/DHCPREQUEST/DHCPACK messages caused by the local devices to be seen only in the syslog of the local router; I don't want to see them in the router syslog of the other place. This is to ensure that the local devices will not get the IP/DNS server/gateway from the other place.

    After the testing last night, I found:
    If I put the ebtables rules only in one place (local), the DHCP messages still appear in the syslog of the other place. And, yes, DHCP messages coming from the other place will not appear in the local syslog.
    Putting them in one place is insufficient. I have to put the rules in both places, then I am satisfied.

    It seems the rules only block the incoming DHCP, but not the outgoing?
  25. lancethepants

    lancethepants Network Guru Member

    See if this will take care of your syslog issue and let me know.

    ebtables -A INPUT --in-interface tapX --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -A INPUT --in-interface tapX --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
    ebtables -A FORWARD --in-interface tapX --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -A FORWARD --in-interface tapX --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
    ebtables -A OUTPUT --out-interface tapX --protocol IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -A OUTPUT --out-interface tapX --protocol IPv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

    I think I better understand now what you were saying. A little explanation. DHCP requires a 4 step handshake. The previous set of rules pretty much blocked all incoming DHCP packets, which would then stop the handshake from ever being completed. With the additional rules, this will prevent the initialization of any handshake from the device containing the ebtables entries. In other words, the handshake may have started (as evident in the logs), but never would have been completed. Thanks for the astute observation. I believe these rules will achieve what you want if you'll test them for me.

    edit: There also appears to be a bug with how the firewall scripts are being executed. Immediately after bootup, checking ebtables rules using 'ebtables -L' shows the correct amount of rules. After a bit longer, it appears the scripts are executed an additional 3 times, resulting in 4 sets of entries for every rule.
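
The edit in the post above reports that the firewall script ends up running several times, leaving four copies of every rule. As an added example (not code from the thread), this script installs the same six rules idempotently by deleting every existing copy before appending one; `EBTABLES`, `TAP_IF` and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread. EBTABLES and TAP_IF are variable
# names assumed by this example; the rule specs are the six rules posted above.
EBTABLES="${EBTABLES:-ebtables}"

# Print "<chain> <match...>" for each of the six DHCP-blocking rules on tap $1.
dhcp_rule_specs() {
    for port_match in --ip-destination-port --ip-source-port; do
        for chain in INPUT FORWARD; do
            echo "$chain --in-interface $1 --protocol ipv4 --ip-protocol udp $port_match 67:68 -j DROP"
        done
        echo "OUTPUT --out-interface $1 --protocol ipv4 --ip-protocol udp $port_match 67:68 -j DROP"
    done
}

# Install the rules so that repeated runs of the firewall script leave exactly
# one copy of each rule in the bridge filter table.
install_dhcp_block() {
    # Accept only "tap" followed by digits, so a typo or stray characters in
    # the interface name never reach the ebtables command line.
    case "$1" in
        tap|tap*[!0-9]*) echo "refusing interface '$1'" >&2; return 1 ;;
        tap[0-9]*) ;;
        *) echo "refusing interface '$1'" >&2; return 1 ;;
    esac
    dhcp_rule_specs "$1" | while read -r spec; do
        # -D removes one matching rule per call and fails when none is left,
        # which ends the loop; this also clears duplicates from earlier runs.
        while $EBTABLES -D $spec 2>/dev/null; do :; done
        # Append the single copy; a failure here fails the whole install.
        $EBTABLES -A $spec || exit 1
    done
}

# Runs only when TAP_IF is set, e.g. TAP_IF=tap21 placed before this block.
if [ -n "${TAP_IF:-}" ]; then
    install_dhcp_block "$TAP_IF"
fi
```

With `TAP_IF` set to your own tap interface, `ebtables -L` should list two entries per chain however many times the script fires.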
  26. alfred

    alfred Networkin' Nut Member

    Thank you very much, please tell me, which router should I put the rules in? server, client or both?
    OK, server side only, the first test. I deleted the rules from the client router. Both routers were then rebooted.
    The first test is here:

    I think the firewall scripts are executed fine.
    I can see this line in server syslog (before the time is correctly updated):
    Jan 1 08:00:54 RT-N16 user.notice kernel: Ebtables v2.0 registered

    Immediately after bootup, ebtables -L checking:

    root@RT-N16:/tmp/home/root# ebtables -L
    Bridge table: filter

    Bridge chain: INPUT, entries: 2, policy: ACCEPT
    -p IPv4 -i tap21 --ip-proto udp --ip-dport 67:68 -j DROP
    -p IPv4 -i tap21 --ip-proto udp --ip-sport 67:68 -j DROP

    Bridge chain: FORWARD, entries: 2, policy: ACCEPT
    -p IPv4 -i tap21 --ip-proto udp --ip-dport 67:68 -j DROP
    -p IPv4 -i tap21 --ip-proto udp --ip-sport 67:68 -j DROP

    Bridge chain: OUTPUT, entries: 2, policy: ACCEPT
    -p IPv4 -o tap21 --ip-proto udp --ip-dport 67:68 -j DROP
    -p IPv4 -o tap21 --ip-proto udp --ip-sport 67:68 -j DROP

    Yes, the 4 sets of entries for every rule were seen after a longer time.

    Result: doesn't work.
    I can read the DHCP messages coming from the server side in the client syslog.
  27. lancethepants

    lancethepants Network Guru Member

  28. teaman

    teaman LI Guru Member

    I'm aware this thread is about Toastman Releases, not exactly about OpenVPN... but it still seems worth mentioning: if you're not actually depending on broadcasts (i.e. if we are talking about computers seeing each other as in Windows Networking), you might be able to get away with TUN by means of configuring WINS (as some of the many different builds out there do have a Samba server included):

    Anyways - there's no silver bullet...
    So, best of luck!
  29. Nolik

    Nolik Networkin' Nut Member

    Hi Toastman and everybody ))

    Sorry for my "bad" English ((

    I tried the new firmware 7495 on an Asus RT-N16 (tomato-K26USB-1.28.7495MIPSR2-Toastman-VLAN-RT-BETA-VPN) and found some problems...

    I made the basic setup and VLAN from teaman's tutorial - http://code.google.com/p/tomato-sdhc-vlan/wiki/ExperimentalMultiSSID
    1. Create open guest wifi network - works!
      : After creating the open network, I cannot change it from open to an encrypted wireless LAN (wep, wpa) - always an error - field wl_auth...
      Resolution: clear nvram and create a new encrypted network.
    2. Create wpa guest network - the network is created and up, but not connected (unable to join)
      Problem: not connected... Resolution from the manual > change the MAC address of wl0.1,
       ifconfig wl0.1
       wl -i wl0.1 bssid
       # use mac from wl > tools > system >
       ifconfig wl0.1 down
       ifconfig wl0.1 hw ether xx:xx:xx:xx:xx:xx <- from wl -i wl0.1 bssid 
       ifconfig wl0.1 up
      ... but it works only if I enter these commands in tools > system... after the router starts. I tried to add the automatic MAC change:
      • commands to adm > script > wan up...
      • _unset hwadrr..
      • change MAC from the adm - MAC address page
        ... these also did not work. After reboot the MAC addresses mismatch (( I cannot automatically change the MAC address on start (( I need help :confused:
    3. Create wpe guest network - the network is created and up, but not connected
      Problem: not connected... password or key not correct. Passphrase - does not work.. hmm..
      Info: If I copy the key from the keys field and paste it into the connection window - the connection is accepted ))
    Also I tried to change br0 and br1 -> br1 (lan) and br0 (so that QoS and the speed limit work in the guest network) < котяр tips from tomatousb.ru (screenshots in attachments).
    Issue: After creating the wireless guest LAN and rebooting.. information on the virtual wireless page is not displayed (( only the top menu wl.01.. wl.xx is displayed.

    The information is not displayed, but QoS and the limiter work for the open guest network on interface br0 in the guest network ))

    For br0 & br1 limiter, try this solution, later.

    Maybe this information is useful for the tomato team ))


  30. kthaddock

    kthaddock Network Guru Member

    Thank you for your help Teaman.
    You are right, I'm posting in a new thread !

  31. bucher

    bucher Networkin' Nut Member

    I cannot seem to disable IP Traffic Monitoring, even though I've unchecked it in admin section.
  32. psyubl

    psyubl Networkin' Nut Member

    I found a minor bug on admin-access.asp or tomato.cgi page.
    My firmware is Tomato Firmware v1.28.7495 MIPSR2-Toastman-VLAN-RT-BETA K26 USB VPN

    When I access my router remotely (e.g. https://domainname:8000/, not through port 80), and press Save button on admin-access.asp page, it first redirects to tomato.cgi page. (https://domainname:8000/tomato.cgi). After a while, it tries to redirect to the default HTTP or HTTPS port regardless of whichever port I assigned. (e.g. redirection to https://domainnaame/admin-access.asp, not https://domainnaame:8000/admin-access.asp)

    During these two steps of redirection, however, it saves all settings correctly.

    EDIT: While I try to reboot my router, this happens, too. However, when I save settings on QoS classification page, it redirects correctly.

    EDIT2: Web GUI's sshd Start button doesn't work. Running "service sshd start" on console doesn't work either.
    Anyone who has this problem too?
  33. distantcoder

    distantcoder Network Guru Member

    Awesome Work on SSID's
  34. teaman

    teaman LI Guru Member

    Just like its 'Bandwidth Monitoring' counterpart, the 'Real-Time' pieces are always active and cannot be 'disabled' (only the 'keeping track of history' parts on each of them).
  35. Morac

    Morac Network Guru Member

    I'm having a problem with Toastman Tomato version 1.28.7495 dropping incoming ping packets that come in too quickly on my E3000. I posted the issue in a separate thread since it's been happening since at least 1.28.7486 and may not be restricted to the Toastman builds.

    Any idea what's going on?
  36. bucher

    bucher Networkin' Nut Member

    I am able to successfully disable bandwidth monitoring. :/ hmm

    I actually reflashed to 7483.2, the old tried and true. Not that I was really having any known issues with latest version, I just wanted to strip some things down and could not disable the IP monitor. I honestly don't know if I even need tomato features, it's just more fun than running the old boring stock firmware.
  37. Danation

    Danation Networkin' Nut Member

    I'm really liking this firmware so far.

    I have a question about the print server. Can it be configured to be accessible remotely? I've tried to figure it out myself and I've tried searching, but I haven't had much luck.
  38. Nolik

    Nolik Networkin' Nut Member

    7495 (Asus RT-N16), bug in status > device list: Noise Floor - undefined dbm.
  39. kthaddock

    kthaddock Network Guru Member

    You have probably forgotten to do an NVRAM reset when you upgraded the FW.
    - NVRAM reset and reconfigure by HAND, don't use the backup file.
  40. Morac

    Morac Network Guru Member

    I have a quick question about the IP Traffic stats. I use this script to backup and restore the Bandwidth stats to a FTP server. I'm assuming that won't back up and restore the IP Traffic stats.

    Can I simply modify the script and copy all the "rstats" stuff and do the same thing for "cstats"?

    Would it be possible to add a GUI option to back up to a FTP server?
  41. brainz

    brainz Networkin' Nut Member

    Mr. Toastman, I've recently upgraded both my routers to your .7495 builds.

    Main router: Netgear WNR3500v2 (no USB)
    Second router purely for AP+WDS functionality: E2000

    Before the upgrade I was using 7487 @ WNR3500 and 7493 @E2000.
    WDS was running perfectly stable, but since the upgrade the WDS link drops randomly within 2 days and it never reconnects anymore, until I reboot router 1.
    7495 @ router 1 + 7493 @ router 2 gives the same problem.
    I am still using the same settings as before and I did nvram erase both routers and reconfigure them by hand.

    When the problem occurs, I can't ping or access router 2 at all. It does show router 2 in the device list of router 1 under wds0.1, with an updated quality rating and tx/rx rate.
    After rebooting router 1, they synch up again and the logs of router 2 show:

    Feb 1 07:54:48 unknown user.info kernel: br0: neighbor 8000.LAN_MAC_Address_of_router_1 lost on port 3(wds0.1)
    Feb 1 07:54:48 unknown user.info kernel: br0: topology change detected, propagating

    Any ideas?

    This is really strange... I just rebooted router 2 and router 1 just crashed and auto-rebooted? Yes, I am certain I did not touch router 1.
  42. Nolik

    Nolik Networkin' Nut Member

    kthaddock, teaman, toastman
    Thanks for support ))

    I can configure all services on firmware 7495 (guest ssid, qos, optware)

    Last problem for me... captive portal on interface br0 ((

    If br0 is the private interface and wl0.1 (br1) the guest interface... how do I change the captive portal to wl0.1 (br1)?

    I tried to change this setting in nocat.conf, but after restarting the splashd service... the options reset to the default br0 (((

    Maybe you have ideas? Thanks!
  43. kthaddock

    kthaddock Network Guru Member

    Do this after you have edited nocat.conf:
    Then it persists across a reboot.

  44. pendetim

    pendetim Addicted to LI Member

    Sorry if this is a dumb question, but what is the meaning of "RT" in the file name? Such as: tomato-K26USB-1.28.7494.3MIPSR2-Toastman-RT-VPN.trx
  45. bucher

    bucher Networkin' Nut Member

    Maybe came from the RT in RT-N16, probably short for Router.
  46. _NemO_

    _NemO_ Networkin' Nut Member

    @ Toastman
    It would be nice to add nls_utf8.ko and udf.ko !
  47. bucher

    bucher Networkin' Nut Member

    What does this mean? "daemon.err miniupnpd[9801]: ioctl(s, SIOCGIFADDR, ...): Cannot assign requested address"
  48. bagu

    bagu Network Guru Member

    Can I know which utilities are in the EXT version please?
  49. Nolik

    Nolik Networkin' Nut Member

    It did not work.. the splashd service regenerates the file nocat.conf on start (( overwriting my manual changes...

    I tried to add the nvram var NC_InternalDevice=br1... but after the service starts, nocat.conf has InternalDevice=br0 ((

    @toastman help... )))
  50. kthaddock

    kthaddock Network Guru Member

  51. Nolik

    Nolik Networkin' Nut Member

    I use an ssh connection and mc )

    file /tmp/etc/nocat.conf

    after reboot, the default nocat.conf has > InternalDevice=br0

    I change it to InternalDevice=br1, then send the command > service splashd restart...

    look at nocat.conf and see... again.. InternalDevice=br0 ((

    maybe these variables cannot be changed.... maybe the nocat source code needs changing?..
  52. bucher

    bucher Networkin' Nut Member

    new version up: 7495.1

    "fix dhcp options for non-VLAN builds"
    I wonder what that means?
  53. teaman

    teaman LI Guru Member

    I haven't used/tested that script myself... but it might be 'as simple as that' :)

    Please don't take me wrong with this/my following/next comment! Just trying to help us all out by encouraging each and every one of us to help ourselves ;) I don't mean to sound/be rude (or anything!)

    That being said: I wonder if... perhaps... did you (at least once) try (you/yourself) to do such thing (i.e. before posting this question)? :) How did it go? If that went just fine, great! (please let us know!). However... if it's not working, please do open/create a new thread and I'm pretty sure we'll figure something out! ;)

    Anyways - you might wanna take a look at this thread/post, as it might be useful (although, I do acknowledge that particular post may be classified as 'too much information'):

    It might be at some point in the future... but for now, there are only 2~3 alternatives currently supported:
    * save to RAM (aka: don't actually 'save' anywhere)
    * save to JFFS (aka: don't save too often!)
    * save to custom path (aka: CIFS share, USB mount or some other 'custom' path...)

  54. teaman

    teaman LI Guru Member

    Unfortunately, we haven't been able to patch/make/hack every single feature available on Tomato... to be MultiLAN-aware just yet.... And as you could probably guess, one of those would be... NoCatSplash :( (there are other features still in the same situation, I'm afraid). As a rule of thumb, we should assume that if a particular feature hasn't been explicitly advertised/announced as 'MultiLAN-aware', it will only work 'correctly' on your primary LAN (br0).

    One possible workaround could be... how about 'switching' roles? I mean: what if you change br1 into your 'primary' LAN and consider br0 to be your 'guest' network?

    I'm aware this is not a perfect solution... but... it still might be a valid suggestion for some deployments ;)

  55. teaman

    teaman LI Guru Member

    Basically: non-VLAN-GUI-enabled builds will support/allow you to have/configure only one LAN bridge, which is based on its own set of 'rules' and some 'assumptions' throughout Tomato sources, whereas VLAN-GUI-enabled builds... usually require a few extra things to be configured and runtime in order to run/behave as expected.

    Well, there was one of those extra thingies that were added to the code of both non-VLAN-GUI as well as VLAN-GUI-enabled builds... that seem to break and/or cause some headaches when people were trying to set up things like these:

    Therefore... commit 9384d3aa3017eb4b6897c5b9f7ec13a04e3e2641 comes by:

    Its main purpose? To skip/ignore a particular Dnsmasq runtime option/setting that (seems to be only required/needed on MultiLAN-aware builds, but sometimes) could cause undesired issues/problems when building/running non-VLAN-GUI-enabled builds ;)

    Hope this helps - cheers!
  56. FlashSWT

    FlashSWT LI Guru Member

    Haha, of course that posts right after I finish setting up a new router! The thought of retyping all my static DHCP entries makes me sleepy...

    EDIT: Hmmm, I just updated and my router still reports as 7495. Is the ".1" not showing for anyone else in the GUI?
  57. Toastman

    Toastman Super Moderator Staff Member Member

    You don't need to bother, unless you use the "DHCP options" box for anything, for example, allocating a second gateway by DHCP.
  58. bucher

    bucher Networkin' Nut Member

    Any word on the IP Traffic feature not able to be disabled? I can disable the bandwidth monitor but not the IP Traffic. What's the most up to date and stable version that does not have IP Traffic? I'm just trying to strip out all features I don't really use.
  59. Pioneer

    Pioneer LI Guru Member

    Sure, under "Administration/IP Traffic Monitoring" you can disable it...
  60. bucher

    bucher Networkin' Nut Member

    Unless I'm missing something, it did not disable it for me. I uncheck the box, but it's still running. Can anyone else confirm?
  61. LanceMoreland

    LanceMoreland Network Guru Member

    Toastman, What is new in today's 1.28.0495.1 builds?
  62. dailyglen

    dailyglen Networkin' Nut Member

    (LanceMoreland, for latest features see here: http://repo.or.cz/w/tomato.git/shortlog/refs/heads/Toastman-RT)


    I get an issue with using the latest build (maybe earlier too, I'm not sure) where the iptables rules seem to not take effect. On the Port Forwarding page I get the error message:

    iptables-restore: line 39 failed

    I found out that /etc/iptables.err seems to be the place to look:

    :OUTPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :WANPREROUTING - [0:0]
    -A PREROUTING -i vlan2 -d -j DROP
    -A WANPREROUTING -p icmp -j DNAT --to-destination
    :upnp - [0:0]
    -A PREROUTING -d -j upnp
    -A POSTROUTING -o br0 -s -d -j SNAT --to-source
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    -A FORWARD -m account --aaddr --aname lan
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i br0 -j ACCEPT
    -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
    :FORWARD DROP [0:0]
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    :wanin - [0:0]
    :wanout - [0:0]
    -A FORWARD -i vlan2 -j wanin
    -A FORWARD -o vlan2 -j wanout
    -A FORWARD -i br0 -j ACCEPT
    :upnp - [0:0]
    -A FORWARD -i vlan2 -j upnp
    This happens when I change the LAN network to I've found this on:


    I'm currently trying to switch to the network...to avoid this issue.

  63. ghostknife

    ghostknife Addicted to LI Member

    Hi, I tried to update a router that's running Tomato Firmware v1.28.7628 -Toastman ND Std to tomato-ND-1.28.7630-Toastman-IPT-ND-Std.trx but it fails with message "File contains an invalid header" and then reboots. Router is identified as a:

    Model - Buffalo WZR-G54
    Chipset - Broadcom BCM4704 chip rev 8 pkg 0

    It's actually a WHR3-G54 but previously had older tomato and dd-wrt with no problems, I tried several times and re-downloaded several times, any ideas?
  64. Elfew

    Elfew Addicted to LI Member

    Hey Toastman can you add please support for memory cards (SD,...) like Shibby has? It would be amazing, thank you for your answer
  65. Morac

    Morac Network Guru Member

    Not sure why, but on my E3000 the CPU frequency is listed as 480 on the overview status page, but 188 on the advanced misc page. I didn't think to dump out the clkfreq value before I changed the misc page to 480, but the /proc/cpuinfo file contained the following:

    system type		: Broadcom BCM4716 chip rev 1 pkg 10 
    processor		: 0 
    cpu model		: MIPS 74K V4.0 
    BogoMIPS		: 239.20 
    cpu MHz   		: 480 
    wait instruction	: no 
    microsecond timers	: yes 
    tlb_entries		: 64 
    extra interrupt vector	: no 
    hardware watchpoint	: yes 
    ASEs implemented	: mips16 dsp 
    shadow register sets	: 1 
    VCED exceptions		: not available 
    VCEI exceptions		: not available 
    unaligned_instructions	: 0 
    Any idea, why the discrepancy?
  66. teaman

    teaman LI Guru Member

    See post#334 - previous page on this very same thread ;):

    I've been working on a way of disabling completely IP Traffic monitoring/accounting at runtime. When ready, it should be pushed to git, here:

  67. bucher

    bucher Networkin' Nut Member

    I saw your post, but what I was trying to say is that bandwidth monitoring can be disabled by unchecking it in the administration tab. When unchecking the similar box for IP Traffic Monitoring, it does not do anything.
  68. kthaddock

    kthaddock Network Guru Member

    Wireless Interfaces Details (Click here to hide)
    Interface wl0 (2.4 GHz / eth1)
    Virtual Interfaces wl0 wl0.1 (max 16) <<<== This is a bagatelle, but should it be 4?
  69. DanielCoffey

    DanielCoffey Networkin' Nut Member

    Hello folks - I am having trouble with severe interference and poor wifi performance running Tomato Firmware v1.28.7494 MIPSR2-Toastman-RT K26 Std on my E3000 and I wondered if some of you could help me diagnose where the issue is.

    Firstly some background...

    I am on a Virgin Media 30Mb Cable Broadband connection coming into the current generation SuperHub which is running in Cable Modem Only mode. Its wifi is therefore disabled. My Cisco E3000 is wired into port 1 and is sitting on the desk. My 2010 Mac Pro is wired to the E3000 and routinely gets 30.64Mb/s down, 1.06Mb/s up at 20ms ping. The wireless devices that I have are a Brother printer which is one room away and uses 802.11g. There is a Sony blu ray player which checks for firmware updates on 802.11n in the same room and I have an iPad2 which uses either the 2.4GHz or 5GHz bands depending on which is strongest. The internal walls of the building are brick so the wifi signal drops off significantly. In the same room as the router the iPad2 gets 3 bars. One room away I get 2 to 3 bars and two rooms away I get 1 bar with frequent loss of signal. I am in an urban area with a significant number of wifi routers in the area (around 20 according to the Toastman Wireless Site Survey). There is one upstairs which shows as two bars most of the time and one downstairs and the other side of the building which only rarely crops up. I have a wired keyboard and mouse but bluetooth trackpad. There is a cordless 2.4GHz landline phone in the same room but the transmitter is in the opposite corner. The only large electrical device nearby is the UPS (APC SMT1000I) next to the Mac Pro.

    All Toastman Firmware settings are default except for Advanced - Wireless - Country/Region EU. I am using the DHCP server.

    Now I have been noticing that I get frequent drop-outs of the wifi when more than one room away from the router and at these times the Toastman Status - Overview page frequently shows Severe Interference and low values for Rate on both the 2.4 and 5GHz bands. I would say that most times when I look at the Overview I will see reduced values for Rate like this (of course when I took the screenshot it showed Acceptable - doh!)...


    As soon as I go to the Basic - Network page and force the router to Scan the channels, the reported Rate seems to jump back up to the expected values of 144Mbps since I am using 20MHz channel widths. Occasionally it will show 65Mbps but more often than not it will show the full 144.

    If I come back later and have another look, it will usually have dropped down to a lower rate. It never seems to revert to a higher rate - it always seems to be downhill over time.

    How does the Toastman firmware work out the Interference level and Rate fields? Is it a "worst case" or is it some sort of "rolling average"?

    To show how congested this area is, here is the result of the Wireless Site Survey...


    I would appreciate any pointers in working out what is going on here. Is it just my brick walls causing the dropouts? Is my area just too congested? Is there some interference in the area that needs investigating?

    NOTE : the AmesJ and scottmail77 routers are 802.11g WEP. I hate to think what sort of signal they are getting with all the 40MHz width 802.11n VirginMedia SuperHubs around!


  70. Toastman

    Toastman Super Moderator Staff Member Member

    Looking at your scan chart, most of the 19 APs you are seeing are quite strong signals. Most of them are using 40MHz "N" mode. And they are not even on channels which would enable them to hear each other and back off, they are all jamming each other. That doesn't even take into account the clients, which don't show, or the interference from bluetooth and phones. There may be hundreds of devices on the band affecting you. Basically, you haven't a snowball in hell's chance of getting decent throughput. Your best plan is to use 5GHz as much as possible, but if that is also suffering from dropouts then there isn't much option until one day maybe someone will come up with a proper dedicated solution to data access by wireless. I rather doubt that will happen for many years though.

    You may actually find that mode B or G only would give you better throughput. It would be interesting to try.

    Basically, speaking as an RF engineer and not someone who believes that software can fix broken legs, Wifi is a complete pile of crap.
  71. tstrike2000

    tstrike2000 Network Guru Member

    I've had a WRT54G-TM for a long time, but would like to make the jump to a gigabit/N router. I've read different things about the E3000/E42000 2.4/5 GHz simultaneous radios. If I used one of the Toastman Beta builds and had 2.4 and 5 running simultaneously, would they both run under the same AP name, or should the radios have different AP names? Perhaps I'm confused, I thought I read something like that.
  72. DanielCoffey

    DanielCoffey Networkin' Nut Member

    Thanks for the quick reply, Toast - I wondered if the signal two rooms away was getting lost in the background noise. The annoying thing is that there is interference in the 5GHz band too. I know 5GHz doesn't travel as well but that tends to be the one that the router reports the most severe interference on (yet neither the router nor inSSIDer under bootcamp reports any strong signals in that band).

    Ah well - no more reading Skyrim forums while in the bathroom.
  73. jsmiddleton4

    jsmiddleton4 Network Guru Member


    You can do it either way, separate names, same name.
  74. Toastman

    Toastman Super Moderator Staff Member Member

  75. spicoli

    spicoli LI Guru Member

    Man I have been out of the Tomato game for years. Can someone give me a quick run-by of whether or not K2.6 is worth putting on the GL? Buggier? Slower? Prettier? Less Stable?

    Sorry if I am noobed out again but the game has changed. So many builds. Toastman is a reputable man and Victek doesn't seem to be updating so I came here first.
  76. tstrike2000

    tstrike2000 Network Guru Member

    So no real issues running the same SSID on both 2.4/5 GHz simultaneously?
  77. dc361

    dc361 LI Guru Member

    You can choose the same SSID if you'd like -but- then there would not be a way of connecting to the one you want (most clients would just connect to the 'strongest', not necessarily the one on the band you want). I'd suggest the scheme that I use: My-Net and My-Net-5.
  78. LanceMoreland

    LanceMoreland Network Guru Member

    This is the way I do it. The 5 GHz signal is not quite as strong as the 2.4 GHz. My clients switch seamlessly between the two depending on signal strength. Atheros cards are very good about preferring the 5 GHz signal but there is an option in the Intel drivers (if you have an Intel card) that you should select to prefer 5 GHz bands, otherwise it will automatically connect to the 2.4 GHz signal. As you move away from the router and the 5 GHz signal gets weaker it will switch over to the 2.4 GHz channels.
  79. teaman

    teaman LI Guru Member

    That would be the HW limit/absolute max number of VIFs supported for a given wireless interface - obtained at runtime from the wireless driver. Anyway, the MultiSSID web UI currently limits/allows you to configure up to 4 VIFs per physical wireless interface available - especially since the MultiLAN/VLAN GUI also has a similar limit (up to 4 LAN bridges can be configured, etc...).

  80. Porter

    Porter LI Guru Member

    Please read the first and second post of this thread.

    There is no recent K26 build for the old wrt54 and according to Toastman it's slower anyway. The recent K24 builds (2.4.37) seem to be slower than pure Tomato 1.28 (2.4.20) but the new features are worth it in my opinion.

    Don't forget to clear the nvram.
  81. spicoli

    spicoli LI Guru Member

    Well the thing is I did. There's nothing about the differences between Kernel 2.6 and 2.4, but thanks for the input on the performance of the newer K2.4 builds. I'll have a peek once I dust off my GL and amuse myself with what travesty of a QoS I had in comparison to Toastman's elaborate setup.
  82. Nitro

    Nitro Networkin' Nut Member

    I just thought I would add a little something I discovered on my home network.

    People using Google+ Hangouts (live video chat/VoIP) would have their UDP traffic classified as P2P/Crawl, and that would prevent the service from working as it requires quite a bit of bandwidth. The service runs on ports UDP 19300-19310, so I added a basic rule in the QoS that states any UDP service with dst port 19300-19310 class as VOIP/Game. However, this still wasn't enough bandwidth for me on the default settings, as the gaming/VoIP class does not get a high enough percentage of the total bandwidth, so for me I increased the percentage. You could just class Google+ as fileXfer instead, but that would spoil the point of having classes in the first place.
  83. brainz

    brainz Networkin' Nut Member

  84. nobugme

    nobugme Network Guru Registered

    I'm probably going to upgrade my glassfiber internet connection from 20Mbit to 50 or 100 Mbit.
    Because of that, I see a problem appearing: when I'm downloading full speed with the current 20Mbit connection, the CPU usage of my E2000 @ 354 is about 55%. So that means that the max speed I will be able to get with this router will be about 45 Mbit.
    So I'm wondering about two things:
    1. Is there any way to free some CPU usage? The current Toastman fw requires quite some power to provide all functionality. I've read that in a future version, it might be possible to turn off IP traffic. Will this free up enough CPU power, or is there other functionality that can be turned off to save CPU power?
    2. If the ideas under point 1 aren't enough, I need to switch to a faster router. Because MHz doesn't say it all, can you tell more about the routing performance -with Toastman fw- of an E2000 vs E3000 vs E4200 (or maybe another high performance router)?
  85. pharma

    pharma Network Guru Member

    While this review does not use Tomato, he does evaluate different routers using official firmware. You can probably see which router provides the routing performance you need and see if it is compatible with flashing Tomato firmware.
  86. bucher

    bucher Networkin' Nut Member

    Overclock the E2000 to 400, run version 7483.2 (no ip traffic) and disable bandwidth monitor. See how that works.
  87. LanceMoreland

    LanceMoreland Network Guru Member

    I just upgraded my internet to Comcast Extreme 50 this morning and have been running some speed tests. I am getting 62 Mbps down and 12 Mbps up on an E4200 v1 through a wireless connection that is two rooms away. This is on a 5 GHz channel that is 40 MHz wide. This is the same exact speed I am getting on an ethernet wired device (actually for some unknown reason the wireless is slightly faster). I have not checked the 2.4 GHz connection yet, which is set up to be 20 MHz wide, but will do so later today. This is with Toastman's non-VLAN builds for the E4200.

    Wired ethernet:

    5 GHz 40 MHz wide wireless:

    2.4 GHz 20 MHz wide wireless:
  88. nobugme

    nobugme Network Guru Registered

    I'm a bit reluctant to go back in version number. Don't really like to keep flashing my router :)
    As I understood from this thread, it isn't really possible to shut off IP and Bandwidth monitoring. You can turn it off in the UI, but it just keeps running in the background. Does anyone know if adding all IP addresses to the 'Excluded IPs' effectively turns the monitoring off?

    About the graphs at Smallnetbuilding: do these speeds directly translate to the routing speed with Toastman fw? So if a router is twice as quick at SNB, it's twice as quick in routing with Toastman fw?
    In that case, the 3200 looks really interesting. Although there isn't any specific Toastman fw for it, does it just work with the E3000 fw?
  89. ntest7

    ntest7 Network Guru Member

    The graphs aren't meaningless, but you can't assume a 1-1 relationship since these tests are with the vendor's firmware. A router that shows twice as fast on this graph is very likely still fast with tomato, but maybe not 2x faster.

    Unfortunately, the E3200 uses a different chipset and is not compatible with any version of tomato, nor is it likely to be compatible in the future. Same situation with the E4200v2.
  90. bucher

    bucher Networkin' Nut Member

    I am able to shut off bandwidth monitoring, and this build does not have any IP traffic. I think I have been falling victim to my own OCD compulsions to constantly update the firmware to the latest version instead of just finding a build that works well and sticking with it. I'm constantly trying to tweak stuff. 7483.2 has all the features I need, and is very stable, so I'm sticking with it. It's the last build, I believe, that does not have IP traffic.
  91. Toastman

    Toastman Super Moderator Staff Member Member

    Future versions will be a little different - turning off IP Traffic monitor will really stop it - completely.
  92. nobugme

    nobugme Network Guru Registered

    But the question I hope to get answered without flashing to an old version again: do bandwidth and IP monitoring actually use a lot of CPU?
    Which features of the Toastman fw are the CPU performance 'eaters'?
  93. kthaddock

    kthaddock Network Guru Member

  94. biatche

    biatche Network Guru Member

    I've just upgraded from tomato-K26-NVRAM60K-1.28.7495.1MIPSR2-Toastman-RT-VPN to tomato-K26USB-NVRAM60K-1.28.7495.1MIPSR2-Toastman-RT-VPN

    Basically just adding USB. Is it necessary to reset nvram thoroughly? Everything appears to work, but ya know, just making sure. Please advise. Thanks!
  95. Mercjoe

    Mercjoe Network Guru Member

    On the objective reproducible observations:

    Updated to 7495.2 from 7494.2 and found that WDS speeds went into the toilet. I had decided to skip one or two versions to let the multiSSID bugs get ironed out.

    Before, I had an absolutely rock solid 54/54 connection. Now I am at 18/36 as read from the remote router. If I flash back to 7494.2 it comes back to 54/54.

    The one thing I did different this round of flashing was to manually configure the main router due to all the recent changes. I also manually reconfigured the 7494.2 reflash to make sure I was not introducing some kind of tweak into the configuration.

    Other observations:

    Streaming video is laggy. I used the default QOS rules set in both versions. I did not see any changes to video classifications. I could not pin it down, but overall it seems laggy as observed by my wife and myself when changing to 7495.2.

    Also, there is a slight drop in broadband speed when testing the two versions against a common broadband speed test site. All tests were made against the same remote server. Each time I ran the test a dozen times and the 7495.2 version is a consistent 300K behind in speed and about 15ms in ping time. I am on a 6M/512k ADSL connection.

    One thing to note as well: a long-standing recurrent issue I have had with long open web pages being refreshed is gone. Before, if a webpage refreshed after a 20 or so minute wait, the page would not reload and I would get a DNS error. No amount of tweaking would get rid of it. Now it is gone in 7495.2, but comes back when I go back to 7494.2.
  96. jsmiddleton4

    jsmiddleton4 Network Guru Member

    For the most stable and fastest WDS performance 7483.2 is about the best.
  97. Toastman

    Toastman Super Moderator Staff Member Member

    February 12 2012 - 1.28.7495.2

    MultiSSID: fix saving settings for non-WPAx VIFs (open/WEP)
    IP Traffic: when/if set to 'disabled', we 'really' mean it

    • when set to 'disabled' on page admin-iptraffic.asp, not a single iptables rule should be generated/created/loaded on rc/firewall.c (re: ipt-account rules)
    • also, there should be consistency throughout the web UI - therefore, any/all pages under the 'IP Traffic' menu on the web UI should behave accordingly:
    • a: show a warning about this particular feature being currently disabled and...
    • b: show the user a link to IP Traffic 'main' settings page (similar to what happens on most of the pages inside the 'Bandwidth' group/submenu)

    Teaman's site: http://code.google.com/p/tomato-sdhc-vlan/

  98. gutsman7

    gutsman7 Networkin' Nut Member

    Hey Toastman, I just upgraded to the latest tomato-K26-1.28.7495.2MIPSR2-Toastman-VLAN-RT-Tiny.trx and I noticed something weird: my bandwidth is 3 down and 78k up and the IP bandwidth monitor is acting up. I have pictures to show, and I did perform a full erase of nvram. Check it out.
    And this is IP traffic.
    It's way off.
  99. bucher

    bucher Networkin' Nut Member

    I thought it was just me.
  100. Elfew

    Elfew Addicted to LI Member

    Is there any way to modify or disable the LEDs on my ASUS RT-16N? Thank you!!!
