[buy advice] New router to replace wrt54g with Tomato

Discussion in 'Tomato Firmware' started by Dinges28, Jul 31, 2012.

  1. Dinges28

    Dinges28 Serious Server Member

    Hi there,

    I'm trying to find a good answer to my upgrade question, which arose after a provider upgrade.

    *present config*
    I'm now using one Linksys WRT-54G v2 with Tomato v1.28.1816 to route all my traffic to the internet. Maximum LAN<->WAN speed: 23 Mbps.
    A second WRT-54G (also Tomato v1.28.1816) is used as an access point to provide wireless access in another part of the building (both have a small overlap to provide seamless wifi access to mobile devices).

    The new VDSL router gives me 55 Mbps download and 6 Mbps upload speed.

    *future config*
    - I want to upgrade my router to make more use of my download speed and of a future 100/100 fibre connection
    - I want to use Tomato as firmware because of the port forwarding rules (IP-filtered port forwarding)
    - I want a router that is still available in stores (location: Holland/The Netherlands)
    - I want a router with simultaneous 2.4 and 5 GHz capability
    - Router speed LAN<->WAN > 100 Mbps

    I thought of the Linksys 4200, but the V1 is no longer available in stores, and the V2 is not compatible (as far as I can find out).

    Does anybody have some good advice on which router I can/should buy???

  2. koitsu

    koitsu Network Guru Member

    I can tell you that at least on my Asus RT-N16, using Comcast's "Extreme 50" tier (which uses "PowerBoost" to temporarily increase my downstream/upstream to something like 70mbit / 20mbit), I'm able to achieve those speeds. I also use port forwarding, but I do not use layer 7 filtering (neither do you apparently, but just letting you know it will greatly impact your I/O rates).

    The RT-N16 does not offer simultaneous dual-band wifi, so I don't think the N16 will work for you, but regardless, this was my last speed test, done via Windows XP client with some TCP stack tuning (not needed on Windows 7), and my LAN and WAN interfaces are all gigE:


    I'm using this as an example to show that at least in the case of the RT-N16, I could probably get 100mbit speeds assuming I bought the absolutely absurd (and outrageously expensive) highest Comcast connection/tier, but I cannot justify that monthly cost (I already pay US$119/month for the current setup I have. Highway robbery if you ask me...)

    Your FTTH or FTTN connection will probably be symmetrical vs. my Comcast asymmetrical connection, but it doesn't really matter in this case (upstream vs. downstream; it's treated the same I/O-wise).

    I guess if I had to recommend you a good, high-end consumer router that is known to work with TomatoUSB, and will provide the features you want for the future, I believe the Asus RT-N66U "Black Knight" will be able to handle what you need. You will need to run either Toastman or Shibby firmwares (vs. the official TomatoUSB firmware) for this to work -- those firmwares are pretty much stable so don't worry, and even if you have any issues both firmware maintainers reside here on the forum. Expect to pay about US$170 for the router -- I think this is a reasonable price given all the features/things you need.

    Before going out and buying it, however, I strongly recommend you wait for others to post here and give you more feedback or other product recommendations. There may be something that works better than what I've recommended.

    Otherwise if you want something right now that easily surpasses the very old WRT54G and GL series routers, the RT-N16 is well-supported and decent. But you'll have to end up buying another router in the future when you get fibre or want simul. dual-band, etc... Thus, choose wisely. :)
  3. Dinges28

    Dinges28 Serious Server Member

    Forgive me, what is layer 7 filtering?

    I want to be able to forward ports, but also be able to configure: allow port forwarding from a specified IP address, and deny access from other IP addresses.

  4. koitsu

    koitsu Network Guru Member

    Layer 7 filtering is data packet inspection / forensics to try and determine what "kind" of packet something is and thus allow/deny it. Things like URL filtering (e.g. "I want to block any outgoing requests to a site called idontlikesnakes.com without having to block things based on DNS or assume certain IP addresses"), or anything that involves looking at the actual payload (data) portion of the packet. This is very time-consuming and CPU intensive because of packet fragmentation as well as many other things.

    Normal IP routing and IP filtering only looks at the source/destination addresses in the IP header, and/or things like protocol (TCP vs. UDP) and port numbers. These are always available given the nature of the underlying protocols thus the payload doesn't have to be examined. Port forwarding is not layer 7 filtering.

    Layer 7 filtering would be things under the Access Restriction section. URL filtering is actually done via a 100% proprietary iptables module (written by the company Linksys/Cisco subcontracts to do their coding; I believe the company is called CyberTan?), but standard layer 7 filtering is very, very time consuming.

    If you're not using anything under the Access Restriction section, then you have nothing to worry about.

    Does this answer your question?

    P.S. -- Many of your port forwarding rules are a bit crazy; you should really be specifying either TCP or UDP protocol and not Both (unless you TRULY do not know, in which case, go find out! :) ). The more specific your port forwards, the better the performance. Here are some answers for you (I'm professionally a UNIX SA and do a multitude of NA-related things, hence my familiarity with these):

    RDP (Remote Desktop, port 3389) is completely TCP-based.

    FTP (both Active and Passive), for FTP servers (which you obviously are running), is completely TCP-based; this would be port 21, as well as your 51000-51050 port range (which is for Passive only). BTW, for folks who are reading this post: you might think you need to forward TCP port 20 as well -- that is incorrect. In Active mode, the server itself opens up a connection to the client on TCP port 20 (yes really!), and by default the outbound firewall on Tomato is set to ALLOW. Below is a firewall example from a public FTP server I've run for years (on FreeBSD), but the comments I've put in my pf.conf should help explain:

    # Punch holes for FTP.  The rule looks complex, so here it is explained:
    # - Make sure the pass rule only applies to my.dedicated.ftp.server.wan.ip
    # - Permit incoming connections to port 21 (main FTP service)
    # - Permit incoming connections to ports 49152-65535 (FTP passive mode)
    # - TCP port 20 is actually for **outbound** connections in FTP active mode,
    #   but since we permit all outbound traffic, we don't need a rule for it.
    # - TCP ports 49152-65535 come from the ftpd(8) and ip(4) manpages; there are
    #   sysctl(8) knobs for these, but we shouldn't mess with them.
    pass in quick on $ext_if proto tcp from any to my.dedicated.ftp.server.wan.ip port { 21, 49152:65535 }

    Continuing on...

    POP3, IMAP, and SMTP are all completely TCP-based. This would be for your port 995, 110, 25, and 465 forwards.

    PPTP VPNs (referring to your port 1723 forward) are all completely TCP-based. For IPsec, this forward won't work, because IPsec uses its own GRE protocol (meaning it's not TCP or UDP -- it's GRE, a.k.a. protocol 47. It's not "port 47", it's protocol 47. TCP = protocol 6, UDP = protocol 17, GRE = protocol 47).

    Anything HTTP ("web")-oriented is TCP-based, so that would include your port 80 forward, as well as your HTTPS forward (port 443).

    The other things I'm not sure about, but I imagine most things are TCP. I don't see anything there that necessarily indicates UDP, but the ones I've listed above I'm 100% certain about.
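    The advice in the post above (forward only the protocol a service actually uses, and restrict a forward to the one source address that needs it) can be checked mechanically before the rules go into the router. The script below is an added example written for this thread; it is not code from the original post, from Tomato, or from any of the firmware maintainers mentioned. It audits a constructed port-forward table modelled on the forwards discussed here, tightens "Both" to TCP where the service is known to be TCP-only, and emits the iptables lines a Tomato firewall script would need. The WAN interface name (vlan2), the LAN addresses and the permitted source address 203.0.113.7 are assumptions, not values from the thread.

```python
"""Audit and tighten a consumer-router port-forward table (Tomato style)."""
from __future__ import annotations

from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import Optional

# Services identified as TCP-only in the post above, keyed by listening port.
TCP_ONLY_PORTS = {
    21: "ftp-control", 25: "smtp", 80: "http", 110: "pop3", 443: "https",
    465: "smtps", 995: "pop3s", 1723: "pptp-control", 3389: "rdp",
}
# Labels an admin may attach to a rule whose ports are not in the table above
# (a passive FTP range, or RDP reached through a non-standard external port).
TCP_ONLY_SERVICES = set(TCP_ONLY_PORTS.values()) | {"ftp-passive"}

WAN_IF = "vlan2"  # assumption: the WAN interface name on the router


@dataclass(frozen=True)
class Forward:
    proto: str                      # "tcp", "udp" or "both" (the GUI's three choices)
    first_port: int                 # external port range as seen on the WAN side
    last_port: int
    dest: str                       # LAN host that receives the traffic
    dest_port: Optional[int] = None  # remap a single external port to this internal port
    src: Optional[str] = None       # CIDR allowed to use this forward; None = anyone
    service: Optional[str] = None   # optional label, e.g. "ftp-passive" or "rdp"


def parse_ports(text: str) -> tuple[int, int]:
    """'21' -> (21, 21); '51000-51050' -> (51000, 51050)."""
    lo, _, hi = text.partition("-")
    first, last = int(lo), int(hi or lo)
    if not 1 <= first <= last <= 65535:
        raise ValueError(f"bad port spec {text!r}")
    return first, last


def _range(lo: int, hi: int, sep: str) -> str:
    return str(lo) if lo == hi else f"{lo}{sep}{hi}"


def known_tcp_only(rule: Forward) -> bool:
    """True when every port the rule covers belongs to a TCP-only service."""
    if rule.service in TCP_ONLY_SERVICES:
        return True
    return all(p in TCP_ONLY_PORTS for p in range(rule.first_port, rule.last_port + 1))


def tighten(rule: Forward) -> Forward:
    """Replace 'both' with 'tcp' when the service is known to be TCP-only."""
    if rule.proto == "both" and known_tcp_only(rule):
        return replace(rule, proto="tcp")
    return rule


def audit(rules: list[Forward]) -> list[str]:
    """One finding per questionable rule; an empty list means nothing to fix."""
    findings = []
    for r in rules:
        if r.src is not None:
            ip_network(r.src)  # raises ValueError on a mistyped CIDR
        ports = _range(r.first_port, r.last_port, "-")
        if r.proto == "both" and known_tcp_only(r):
            findings.append(f"{ports}: 'both' but the service is TCP-only; use tcp")
        elif r.proto == "both":
            findings.append(f"{ports}: 'both' and service unknown; find out which protocol it uses")
        if r.src is None:
            findings.append(f"{ports}: open to any source; restrict it if only one peer needs it")
    return findings


def to_iptables(rule: Forward) -> list[str]:
    """Emit the DNAT and FORWARD rules a Tomato firewall script would need.

    FORWARD runs after PREROUTING's DNAT, so it matches the internal port.
    """
    protos = ["tcp", "udp"] if rule.proto == "both" else [rule.proto]
    ext = _range(rule.first_port, rule.last_port, ":")
    if rule.dest_port is not None:
        target, internal = f"{rule.dest}:{rule.dest_port}", str(rule.dest_port)
    else:
        target, internal = rule.dest, ext
    src = f" -s {rule.src}" if rule.src else ""
    lines = []
    for p in protos:
        lines.append(f"iptables -t nat -A PREROUTING -i {WAN_IF}{src} -p {p} "
                     f"--dport {ext} -j DNAT --to-destination {target}")
        lines.append(f"iptables -A FORWARD -i {WAN_IF}{src} -p {p} -d {rule.dest} "
                     f"--dport {internal} -j ACCEPT")
    return lines


# Constructed sample, modelled on the forwards discussed in the thread.
SAMPLE_RULES = [
    Forward("both", 3389, 3389, "192.168.1.10", src="203.0.113.7"),            # RDP, one permitted peer
    Forward("both", 21, 21, "192.168.1.20"),                                    # FTP control channel
    Forward("both", 51000, 51050, "192.168.1.20", service="ftp-passive"),       # FTP passive range
    Forward("both", 1723, 1723, "192.168.1.30"),                                # PPTP control channel
    Forward("tcp", 443, 443, "192.168.1.40"),                                   # HTTPS, already tight
    Forward("both", 3390, 3390, "192.168.1.11", dest_port=3389,
            src="203.0.113.7", service="rdp"),                                  # "bogus" external port
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
    for rule in map(tighten, SAMPLE_RULES):
        print("\n".join(to_iptables(rule)))
```

    Run as-is it prints the findings for the sample table and then the tightened rule set; swap in your own list to audit a real configuration. Note that a source restriction on the DNAT rule alone is not enough: the FORWARD rule carries the same `-s` so that a packet that somehow reaches the LAN host without being translated is still dropped by the default policy.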
  5. Dinges28

    Dinges28 Serious Server Member

    YES!!! It does answer my question....

    And the other explanations also gave my configuration the attention it needed!!!
    My config was made once, and I just added the same for other connections without even thinking about it :S Bad, bad admin, I tell myself ;-)

    Thank you for all the tips and extra info!! It is really simple if you dig into it... but I never did the digging... trial and error was my way of getting it to work...

    There are some "bogus" ports used to transfer the same ports to other machines from the "outside" world, and yes... all of them should be TCP too....

    I'll hold off on buying and wait for some other user suggestions!!!

    (Do you know if the firmwares you suggested work on the RT-N66U with both 2.4 and 5 GHz? Otherwise I'll check the sites.)

  6. koitsu

    koitsu Network Guru Member

    Glad I could be of help.

    I'm not completely familiar with simultaneous dual-band use, but I would recommend searching this forum for RT-N66U and see what other people have experienced. AFAIK people tend to like the unit, but as I said before, don't be hasty in your purchase.