Access Restriction for Tomato Firmware

Discussion in 'Tomato Firmware' started by BitHelp25, May 10, 2008.

  1. BitHelp25

    BitHelp25 Addicted to LI Member


    I am currently using DD-WRT firmware on my WRT54GS router but I am thinking of giving Tomato a try. My only concern is whether the Tomato firmware can provide what I need regarding access restrictions.

    Can someone please provide a screenshot of the Access Restriction page of the Tomato firmware to give me an idea, or perhaps provide a comparison between the two firmwares regarding their Access Restriction capabilities? This will help me a lot in my research prior to moving to the new firmware.

    Thanks a lot,

  2. averylinden

    averylinden LI Guru Member

  3. BitHelp25

    BitHelp25 Addicted to LI Member

    Hi averylinden,

    Thanks for the reply. I am afraid it does not tell me much. I have already seen this video. What I want to do is block all P2P programs. Is this possible, and how can it be done? Does anybody know?


  4. LLigetfa

    LLigetfa LI Guru Member

    It is not possible to block ALL P2P unless you also block port 443 since P2P can and will use it. Probably the best you can do is manage it.
  5. BitHelp25

    BitHelp25 Addicted to LI Member

    What do you mean by "manage it"? Is it at least possible to block anything other than port 443? The DD-WRT firmware allows me to block torrents, and there is also an option to "Catch all p2p protocols" in the access restriction page. Is there something similar in the Tomato firmware?


  6. LLigetfa

    LLigetfa LI Guru Member

    As Dr. Phil would say, "and how's that working for you?". If you don't want to install Tomato to try it, maybe you should just stay with dd-wrt.
  7. BitHelp25

    BitHelp25 Addicted to LI Member

    Hi LLigetfa,

    I am not suggesting that the DD-WRT firmware blocks P2P altogether. I am only asking because the ability to block, or at least limit, (at least some) P2P is essential to me.

    I have just installed tomato to give it a try as you suggested. Under Access Restrictions there is an option to block "All IPP2P Filters". Is this the corresponding feature that the DD-WRT and other firmwares have?


  8. averylinden

    averylinden LI Guru Member

    You can apply all IPP2P filters, which block most major protocols. I've never tried this so I don't know how effective it is. I would imagine it doesn't block encrypted bittorrent, for instance.
  9. vexingv

    vexingv LI Guru Member

    This is an example of how many people are using DDWRT without actually understanding what is going on inside that firmware (myself included in some regards). DDWRT may have an advanced feature set, but it tries to "dumb things down" by having options such as "catch all p2p" or "optimize for games." I'm only guessing here, but looking at the access restriction options offered by DDWRT v24 RC7 that I have installed on a WHR-125, it seems DDWRT employs L7 filters to catch traffic. That check mark for "catch all p2p protocols" probably selects all the P2P L7 protocols, because the blocked services section of DDWRT only provides 4 choices (far fewer than the number of P2P protocols out there).

    I think if you really want to manage P2P, you should try to learn more about the protocols themselves (for example, the ports they use) and apply that to creating rules in Tomato. Tomato offers you far more flexibility, in terms of management, than DDWRT. Tomato does offer access restrictions based on L7, IPP2P, and ports, but you'll have to pick them out individually instead of hitting that "easy button" like in DDWRT. If that's not something you want to do, then stick to DDWRT.

    For me, at least, I moved from DDWRT to Tomato and have really enjoyed it. It's a much better interface with nice graph/monitoring options and advanced outbound QoS. The only thing I find lacking in Tomato is the inbound QoS (or lack thereof), as DDWRT somehow magically managed to throttle incoming traffic appropriately according to class priorities. However, the fact that DDWRT has been in RC for over a year since its last stable release (while Tomato is regularly updated) is strange. The fact that DDWRT has taken GPL sources and applied them to a commercial undertaking is also questionable. The things DDWRT does have going for it are some of the advanced functions such as multiple virtual SSIDs and repeater functionality. But again, these are only useful for those who need them, which is why I keep DDWRT on a secondary router for such functions.

    There's a virtual Tomato interface (of an older 1.07 firmware) if you want to check it out:
  10. BitHelp25

    BitHelp25 Addicted to LI Member

    Hi averylinden,

    Thanks, I have tried it. You are right, this must basically be the same thing that DD-WRT does. I am able to block a lot of the P2P programs that I have tried, but I am unable to block encrypted torrents. But this is OK for now. I will keep blocking what I can and I will keep monitoring the machines in my network to note any abnormal use of the network.

    Hi vexing,

    When I first installed the DD-WRT firmware, the first thing I tested was whether it actually blocked any P2P program at all, and the answer of course was that it DID NOT. And although it did in fact have the ability to block all of the few P2P programs that I tried at that time, it could not block any encrypted P2P (such as torrents that use encryption). This of course is very reasonable, since an encrypted communication gives no room for a third party to actually understand what that communication is all about, let alone be able to classify it as being from P2P applications and therefore block it.

    But at least the ability to block some p2p programs without having to do much work is better than nothing and this is what I wanted to hear. I am really sorry if I did not explain things clearer.

    I agree. In fact this is the reason that I became interested in other firmwares such as Tomato. Lately I was trying to block an application using the Access Restrictions of DD-WRT, but I noticed that it lacks a certain ability. Although I could be mistaken and the feature might already be there and I just could not find it, the ability to choose whether to block local or remote ports does not exist. Instead the DD-WRT firmware allows you to block ports, but it does not say whether those ports are local or remote.

    This feature does exist in tomato and is one of the features that I like the most!

    I do enjoy it myself. It seems to be a very good firmware with a lot of promise :). All that a simple but also an advanced home/small office user might need is actually here. However, one good feature that I would enjoy seeing is the ability to create VLANs using the GUI interface. DD-WRT does have such a feature, but it does not work at all.

    I do not know what those features are; I have never used them and probably never will.

    Thanks but I already have installed it. But this would have been very helpful in the beginning. Keep it running. It might help others in the future.

    That’s it. Thank you all for your help. I do have another question regarding the ability to save the logs on an external samba share after you mount it but I will create another post for that.


  11. Toastman

    Toastman Super Moderator Staff Member Member

    The best way to block all P2P is not to...

    What you do is set rules to prioritise everything you do want to pass, let P2P fall through the net into the "default class" and then set that to lowest, throttle it, or whatever you want to do with it. If you try to use IPP2P or L7 filters, you'll quickly find that most of them don't work with 100% effectiveness, and what they do pass is often sufficient to take all your bandwidth. And they are slow, especially L7. If you use a lot of them, you can start to reduce your throughput and run out of memory, resulting in a reboot.

    By the way, I gave up very quickly with DD-WRT because the QOS did not do what it was supposed to do. I went to Tomato, and can wholeheartedly recommend it.
  12. JPorter

    JPorter LI Guru Member

    Why not just use the full configurability of the Access Restriction system?

    Here's a screenshot:


    Set your range of IP addresses, then create as many restriction rules below as you need to control the P2P traffic.

    For example, create one rule for IPP2P (All), and one for each of the common P2P port ranges. It should work pretty well, generally. Mine picks up on Azureus traffic and can throttle it (in QoS) or kill it as needed (in Access Restriction) even with RC4 encryption, lazy bitfield, etc enabled in the client.

    You could also create one for each of the client apps you're trying to block using the Layer7 rules, but I haven't tested it myself so I'm not sure if it works well or not. It's my understanding that it slows the router down pretty significantly.

    Best of luck.
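    To make the rule set JPorter describes concrete, here is an added example (not code from this thread, nor Tomato's or DD-WRT's own implementation) that renders the iptables rules such an Access Restriction boils down to: one ipp2p match covering the protocols the "IPP2P (All)" option selects, plus one rule per common P2P port range, all scoped to a LAN source range. Everything here is an assumption for illustration: the chain name p2p_block, the LAN range, the port list (client defaults, which users can change), and that the router kernel has the ipp2p match compiled in. It prints the rules by default and only executes them through $IPT when run with the argument "apply", so it can be inspected before anything touches the firewall. As the earlier posts note, the ipp2p match only sees unencrypted signatures, so encrypted BitTorrent is expected to slip past it.

```shell
#!/bin/sh
# Added example, not from the thread or from Tomato/DD-WRT.
# Renders (or applies) an iptables chain that drops P2P traffic originating
# from one LAN range: a protocol-signature match first, port ranges as fallback.
# Assumptions: the ipp2p match module is available; chain name, LAN range and
# port ranges are illustrative defaults that can be overridden via environment.

IPT="${IPT:-iptables}"          # firewall command used by apply_p2p_rules
CHAIN="${CHAIN:-p2p_block}"     # assumed chain name, not Tomato's internal one
SRC="${SRC:-192.168.1.0/24}"    # assumed LAN range to restrict

# Default port ranges of common P2P clients (constructed list; clients can be
# reconfigured, so these only catch default installations).
P2P_TCP_PORTS="6881:6889 6346:6347 4661:4662"
P2P_UDP_PORTS="6881:6889 4672"

# Print one iptables argument string per line for the given source range.
render_p2p_rules() {
    src="$1"
    echo "-N $CHAIN"
    # Signature match for the protocols behind "IPP2P (All)"; it needs payload,
    # so the first SYN passes and the connection is dropped once data flows.
    # Encrypted BitTorrent generally does not match here.
    echo "-A $CHAIN -m ipp2p --ipp2p -j DROP"
    for r in $P2P_TCP_PORTS; do
        echo "-A $CHAIN -p tcp --dport $r -j DROP"
    done
    for r in $P2P_UDP_PORTS; do
        echo "-A $CHAIN -p udp --dport $r -j DROP"
    done
    echo "-A $CHAIN -j RETURN"
    # Hook the chain into FORWARD only for traffic leaving the chosen LAN range,
    # which is how an Access Restriction scoped to an IP range behaves.
    echo "-I FORWARD -s $src -j $CHAIN"
}

# Execute each rendered rule through $IPT (set IPT=echo for a dry run).
apply_p2p_rules() {
    render_p2p_rules "$1" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        $IPT $rule
    done
}

case "${1:-}" in
    apply) apply_p2p_rules "$SRC" ;;
    *)     render_p2p_rules "$SRC" ;;
esac
```

    Running it without arguments prints nine lines (chain creation, the ipp2p drop, five port drops, the RETURN and the FORWARD hook) for review; "sh p2p-block.sh apply" executes them. Putting the ipp2p rule before the port rules keeps the cheap per-packet port checks from being consulted for connections the signature match already caught, and the RETURN leaves non-P2P traffic from the same range to the rest of the FORWARD chain.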
  13. BitHelp25

    BitHelp25 Addicted to LI Member

    Hi all,

    Thanks a lot. I will try all that you suggested and get back if I still cannot do anything about it.
