[Fork] FreshTomato-ARM

Discussion in 'Tomato Firmware' started by kille72, Apr 15, 2018.

  1. monoton

    monoton Serious Server Member

    It's weird, I couldn't reproduce this at home with exactly the same settings I used with the other routers. SSIDs and passwords were the same, even the order of configuration. Strange.
    Techie007 likes this.
  2. Techie007

    Techie007 Networkin' Nut Member

    It must be a router specific issue. I've been using Virtual Wireless for well over a year with FreshTomato on Tenda AC15 routers and have never noticed this issue. The only issue I noticed is that I can only specify a custom MAC for the primary access point (wl0) and the first extended access point (wl0.1). Attempts to set a custom MAC address on the 2nd and/or 3rd extended access points (wl0.2/wl0.3) result in those access point(s) going offline or becoming unreachable. Resetting the MAC addresses back to default restores normal operation. Basically, the MAC addresses for wl0.2/wl0.3 must be nearly identical to the MAC address of wl0.1, or they will default to a MAC address of 00:00:00:00:00:00.
    monoton likes this.
  3. AndreDVJ

    AndreDVJ LI Guru Member

    I'm not a sed guru so I proposed something much "simpler" than yours.

    I tested your regex and it works as expected. I'd expect someone to comment on this, but I'll jump the gun and push this into my tree anyway. Eventually pedro311 or kille72 will pick it up.

    EDIT: Done: https://bitbucket.org/AndreDVJ/advancedtomato-arm/commits/34bc6eda1c1dda5401ff581fbd3ea5382052eeb0
    rgnldo likes this.
  4. user17600

    user17600 Serious Server Member

    AndreDVJ, thanks. Total noob question: can one add this to the existing build, short of a custom re-build, or perhaps the next version?

    Koitsu, understood, except that until 2018.3 the firmware handled this more gracefully. The updates in 2018.4 (and perhaps beyond) are the first time this has become an issue.

    Pasha_ZZZ, can this be run on the dnsmasq.adblock? I read up on sed but I still don't quite understand. It would be nice to add it as a cron job immediately after an adblock refresh.

    For now I have added the offending domain to my whitelist, which has cured this specific issue. Thanks for the ISO-8859 info, I have updated my terminal program.

  5. rgnldo

    rgnldo Networkin' Nut Member

    pajarillo likes this.
  6. koitsu

    koitsu Network Guru Member

    There are 3 possibilities as I see it:

    1. What you said is correct and that "the way this is handled" in later FreshTomato causes a bigger problem,
    2. The blacklist server maintainer recently added the entry and now it's a problem, meaning this would affect 2018.3 and earlier as well,
    3. This is a blacklist server which was added to 2018.4 and thus folks are now seeing it.

    I don't have a way to verify any of these things myself. AndreDVJ may have a way to verify #1 or #3. I don't use this feature myself.

    I'm still hoping someone in this thread experiencing this problem takes the time to report the actual root cause/problem to the blacklist server maintainer. They need to be told of this problem -- Tomato is not the only thing affected by this, I guarantee it.

    As for the sed command: as I understand it, you should be able to use it against dnsmasq.adblock in the following fashion, *after* the adblock refresh is done:

    /bin/sed -i 's/\r$//;/^[ \t]*#/d;/[\t ][[:alnum:]\._-]*$/!d' /path/to/dnsmasq.adblock
    killall -HUP dnsmasq

    This will modify the /path/to/dnsmasq.adblock file itself (that's what the -i flag does; it stands for "modify in-place"), applying said sed commands to the contents of the file specified, and output written back to that file. Afterwards, dnsmasq is sent a SIGHUP signal to cause it to reload all its config files.

    If you want those sed commands written out in English so that they make sense to you, I can do that -- they're not that complicated, they just look cryptic because of the regexes used. This is a good example of how to use sed properly and a good use-case for sed too.

    It's important you use /bin/sed and not just sed -- the latter could/would be susceptible to running Entware/Optware GNU sed given how $PATH behaves on Tomato, and GNU sed may not behave identically to Busybox sed. Whoever is committing a fix for this, if using this methodology, should do the exact same (use /bin/sed).

    Be aware if implementing this from the GUI, you may run into complications stemming from the semi-colons in the command. This relates to Tomato's httpd and/or JS (I forget which), which does something weird with semi-colons. If done from the command-line you shouldn't run into problems. IMO, it's better to just wait for an updated firmware, or just remove the blacklist server from the list altogether.
    user17600, rgnldo and pajarillo like this.
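
Added example (not part of any post above, and not FreshTomato's adblock script): the three sed expressions from koitsu's post, applied cumulatively to a constructed sample list so the effect of each one is visible. The function names, the `SED` variable and the sample hostnames are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; function names and sample data are constructed.
# SED defaults to plain "sed" so this runs on a desktop. On Tomato, set
# SED=/bin/sed as the post recommends, so the Busybox sed is the one used.
SED="${SED:-sed}"

# The three expressions from the post, in order.
E_CR='s/\r$//'                       # strip a trailing carriage return (CRLF lists)
E_COMMENT='/^[ \t]*#/d'              # drop comment lines, indented or not
E_HOST='/[\t ][[:alnum:]\._-]*$/!d'  # keep only lines ending in whitespace followed
                                     # by ASCII letters, digits, ".", "_", "-", "\"

# Constructed sample: CRLF endings, comments, an HTML fragment, an empty line,
# and one hostname carrying a raw ISO-8859-1 "î" byte (octal 356).
make_sample() {  # $1 = file to create
    printf '# constructed sample blocklist\r\n'     >  "$1"
    printf '0.0.0.0 ads.example.com\r\n'            >> "$1"
    printf '   \t# indented comment\n'              >> "$1"
    printf '0.0.0.0\ttracker.example.net\n'         >> "$1"
    printf '0.0.0.0 bad\356name.example.org\r\n'    >> "$1"
    printf '<html>not a hosts line</html>\n'        >> "$1"
    printf '\n'                                     >> "$1"
    printf '127.0.0.1 under_score-ok.example.com\n' >> "$1"
}

# Number of lines left after applying the first N expressions (N = 1..3).
lines_after() {  # $1 = file, $2 = N
    case "$2" in
        1) prog="$E_CR" ;;
        2) prog="$E_CR;$E_COMMENT" ;;
        *) prog="$E_CR;$E_COMMENT;$E_HOST" ;;
    esac
    # LC_ALL=C makes [[:alnum:]] ASCII-only, so the 0xEE byte never matches.
    LC_ALL=C "$SED" "$prog" "$1" | wc -l | tr -d ' '
}

# Rewrite the list through a temp file and rename it into place, which is
# what "sed -i" does internally. Reloading dnsmasq afterwards
# (killall -HUP dnsmasq) is left to the caller and is not run here.
sanitize() {  # $1 = blocklist path
    LC_ALL=C "$SED" "$E_CR;$E_COMMENT;$E_HOST" "$1" > "$1.tmp" &&
        mv -f "$1.tmp" "$1"
}

# Demo on the constructed sample.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/dnsmasq.adblock"
for n in 1 2 3; do
    echo "after expression $n: $(lines_after "$demo_dir/dnsmasq.adblock" "$n") lines"
done
sanitize "$demo_dir/dnsmasq.adblock"
cat "$demo_dir/dnsmasq.adblock"
rm -rf "$demo_dir"
```
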
  7. pajarillo

    pajarillo Network Newbie Member

    I've been running FreshTomato 2018.4 for 2 days now on my Asus RT-N18U, overclocked @1200/533 MHz. Tested VPN Server, Adblock, USB support, SMB, Bittorrent, Stubby... all working fine, rock solid.

    I thought I was stuck on Shibby v140, thinking about switching to dd-wrt, until I found this thread. Thank you very much for continuing the project!!!
  8. AndreDVJ

    AndreDVJ LI Guru Member

    Dnsmasq version 2.80test2-2018.07.09 survives after parsing that list with that "î" character. I'm running a two-month old build which has Dnsmasq that old. I think this commit changed its behavior from 2.80test3 and onwards, but I'm not willing to "backout" that change and see it for myself: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=a3bd7e73d38b78fbf86125077a916781dc4a77e4

    I don't really follow what gets included in each FreshTomato release, because I run my own "rolling" builds, but I don't think that blocklist (hosts-file.net/hphosts-partial.txt) is included by default.

    Regarding sed, I was testing with /mmc/bin/sed without realizing this (I have Tomatoware "installed"), so I think GNU sed behaves the same as Busybox. I don't think hardcoding the full path to the sed binary (or awk) is necessary for now, unless we should do this to fool-proof the adblock script.
    rgnldo likes this.
  9. Pasha_ZZZ

    Pasha_ZZZ Serious Server Member

    The entire download() procedure looks highly inefficient. There are many, many calls to sed/grep/sort/awk using cat, but all of these utils support a file name as the last argument. The calls are not combined and piped in a chain; instead 2 files are used in /tmp/adblock, so occupied RAM = size of total list * 2. AFAIK even the sed -i call is also ineffective. It creates a new temp file while processing the old one and at the end mvs the new one over the old.
  10. koitsu

    koitsu Network Guru Member

    Re: sed: that's how most UNIX programs work when modifying something "in-place". The idea is that you don't want to lose your source material if the program or machine crashes, thus a temp file is always needed, and the equivalent to mv -f (or rm && mv) is used once everything is completed successfully. There's really no way of avoiding this aside from writing actual C code that sanitises the input as it writes dnsmasq.adblock. You might be surprised to learn how BSD implements mv (see very end of DESCRIPTION section). Welcome to UNIX! :)
  11. BusyBoxer

    BusyBoxer Networkin' Nut Member

    Hey all... 2018.4 running great on an AC68U here but my current issue is configuring Stubby.

    I am in the process trying to figure out why I always landed on surfnet as my resolvers when I use 'stubby', when I would think I would be on cloudflare all the time due to network traces between all of them it is very low latency and very close path wise.

    I cleared config to make sure it wasn't anything added and re-attempted and it does seem to end up on surfnet eventually, looking at the log output from when I restart it it appears that if it gets enough 'conn_shuts=' it moves on and the only one that doesn't send a connection shut is Surftnet? That seems odd.

    Anyway in this exploring I ended up building a custom stubby.yml with only the servers I wanted in it (I figured it would be a way to test) and I created a new stubby.yml on my mounted usb drive... I unchecked stubby from 'basic,network' and tried adding it to the firewall script tab... and I show it running... but it fails to resolve anything. I reboot, kill the running stubby manually and then launch it pointing to the custom yml and it does seem to work.

    When using the modified config (I simply "# commented" out all ipv4 and v6 resolvers other than,, and I do stay on even with 'conn_shuts=' increasing so I don't think that is the issue. Perhaps there is a typo or a parsing error in the rom copy of stubby.yml causing the behavior?

    stubby -g -l -C /tmp/mnt/usbdrive/stubbymod.yml

    I guess I need to build a script to find the current pid, kill it and re-launch? and put it in the init section?

    Or should I just wait until it gets actually built out properly before I go messing around?

    tl;dr: Anyone know how to modify the 'stubby.yml' in such a way that it starts with the modified yml and survives reboot/restart?

    also anyone have any idea why stubby always ends up on surftnet as the resolvers?
    Last edited: Sep 17, 2018
  12. Pasha_ZZZ

    Pasha_ZZZ Serious Server Member

    I know but if we combine as many preprocessing filters as possible into single command (f.e. sed) and even pipe wget output directly to it......
    Also I think piping of this preprocessed data to gzip can greatly reduce memory occupation (at some CPU consuming cost).
  13. rgnldo

    rgnldo Networkin' Nut Member

    Try this mode:

    For efficiency in setting up DNS over TLS, for me, it looks like this:

    step 01


    step 02

    Custom configuration:

    Last edited: Sep 17, 2018
  14. monoton

    monoton Serious Server Member

    Have been using this setup for some time and this is the first time I've had this problem.

    FreshTomato's MAC Address distribution seems a bit weird.
    If I add four Virtual Wireless Interfaces (IoT and Guest on 2.4 and 5GHz) and SAVE, some of them will end up with the same MAC Address.
    If I add and SAVE them one at a time they will all have different MAC Addresses from each other.

    Somehow everything is running smooth with 2018.3 so that's what will be on those APs. Will probably test again when 2018.5 is ready.
  15. BusyBoxer

    BusyBoxer Networkin' Nut Member

    Sorry I lost it in my edit, I tested with your suggested dnsmasq custom entries and without, in both cases (with and without the dnsmasq custom entries) it will start with cloudflare and roll through the list and stay on SurfNet until the next router restart (or restart of stubby). When using my custom stubby.yml (with and without the dnsmasq entries) it rotates around (,,, and back to etc) the default stubby.yml is the one that seems to get to surfnet and just stay there... never to rotate back around.
  16. rgnldo

    rgnldo Networkin' Nut Member

    I understood your problem. But the DoT solution is preliminary, still in development. I believe you will need the DoT server checkbox as it does on Asus-Merlin Fork.

    I recommend using the Entware package, for more control of Stubby.

    Joe A and BusyBoxer like this.
  17. Johan Van Dyck

    Johan Van Dyck New Member Member


    nano not working on router dir868l revA with freshtomato 2018.4 build. -> error "can't load library 'libstdc++.so.6'". It seems a library is missing in the build.

    how to:
    > open telnet sessions to router dir868l
    > nano
    > nano: can't load library 'libstdc++.so.6'


  18. monoton

    monoton Serious Server Member

    Something is off with MAC Address calculations or there's a bug that will not let FreshTomato save wireless interfaces with the same MAC Address.

    Below can be seen that without clicking the Default button for any of the MAC Addresses
    wl1.1 and wl0.2 will share the same MAC Address.
    That results in an error message if I click SAVE. (error message: says Addresses must be unique).

    If I click the Default button for the MAC Addresses
    eth2, wl0.1 and wl1.1 will share the same MAC Address
    wl1.1, wl0.2 and wl1.2 will share the same MAC Address
    obviously this still can't be saved. (error message: says Addresses must be unique).

    So either the calculations are off or the GUI should allow interfaces with the same MAC Address.

    This is after a fresh install NVRAM Reset Linksys EA6400 2018.4

    Primary(eth), IoT(wlx.1) and Guest(wlx.2)
    Router: C8.D7:19:38:7D.DB
    WAN: C8.D7:19:38:7D.DC

    eth1: C8.D7:19:38:7D.DD
    eth2: C8.D7:19:38:7D.DE Default button: CA.D7:19:38:7D.DE

    wl0.1: CA.D7:19:38:7D.DE
    wl1.1: CA.D7:19:38:7D.DF Default button: CA.D7:19:38:7D.DE

    wl0.2: CA.D7:19:38:7D.DF
    wl1.2: CA.D7:19:38:7D.D0 Default button: CA.D7:19:38:7D.DF
    Last edited: Sep 17, 2018
    Techie007 likes this.
  19. AndreDVJ

    AndreDVJ LI Guru Member

    libstdc++.so.6 gets installed when NGINX is built, so it's a matter of updating the Makefile to install if NANO is there as well. I'll have a look.
    M_ars, kille72 and rgnldo like this.
  20. rjmxtech

    rjmxtech Reformed Router Member

    @AndreDVJ Dude, I am pulling my hair out over this, I am not sure how to fix it. I will be using my network (comprised of two Netgear r7000s running your fork of advancedtomato) as normal, and suddenly after some unknown period of time it starts giving me this "Secure Connection Failed" error (also shown in the screenshot) when I try to access the configuration page over HTTPS as a normal person would do. At the beginning it tells me it is a self signed cert as usual and I say add this exception etc... but then it will begin giving this error and whenever this occurs, usually rebooting the router will fix it, but it comes back after that unknown period of time again.

    As you probably know, I posted a comment on one of the commits you had that I found had the word SSL in the title (I know you probably think I am some noob, but I am learning as best I can) and I also posted an issue on this other repo by Grinch22 https://bitbucket.org/Grinch22/freshtomato-arm/src, but the dev seemingly disabled the issues section shortly after I did so and didn't even respond to me (at least you had the decency to respond). I am not sure what else I can do at this point and I urge you to please look into this because this is just not optimal to have to reboot the router every time I want to change its settings.

  21. AndreDVJ

    AndreDVJ LI Guru Member

    Me neither. Just a screen capture won't help anyone. httpd may die, but dropbear should be alive. The only times I lost httpd service in three years was because I was doing something and it went wrong, and I crashed httpd way too many times fixing up HTTPS.
    • Do you save the SSL certificate in the NVRAM? It's literally plain text 3KB long.
    • Have you ever tried to regenerate the certificates? By doing that, you kick off gencert.sh and a new SSL key gets generated, and if that box "Save in NVRAM" is ticked, the certificate gets committed in there.
    • If you disable HTTPS, is Web Interface accessible?
    Crashing that frequently is odd. I had my router up over the entire month of May (I wasn't home) running non-stop and httpd never died. The best I can offer right now, is to have you testing an R7000 image (has newer OpenSSL) and see what happens.
    rgnldo likes this.
  22. Techie007

    Techie007 Networkin' Nut Member

    I wouldn't say that these MAC address issues are new. I've had issues with Fresh Tomato--with cleared NVRAM and over many versions--using MAC addresses on new interfaces that are different from what it would use if I hit the [Default] buttons in the Advanced -> MAC Address section, sometimes reusing MAC addresses or using radically different ones, which causes issues. Where it comes up with these addresses, I have no idea. But I would suggest that the issues some people have indicated with Guest networking could probably be resolved if they manually corrected the MAC addresses.

    Just go to Advanced -> MAC Address. Hit the [Default] button on them all, starting at the top. If all the MAC addresses are different from each other, yet close in a sequence, you're good. If not, just manually fix it. Let's say eth1 is EC:1A:59:1D:89:4A; make wl0.1 :4B, wl0.2 :4C, wl0.3 :4D. Make eth2 EC:1A:59:1D:89:5A; make wl1.1 :5B, wl1.2 :5C, wl1.3 :5D. If WAN conflicts with any of them, just back it up to something like EC:1A:59:1D:89:3F.
    monoton likes this.
  23. geekjock

    geekjock Network Guru Member

    I observe the same behavior. I am not going to edit stubby.yml, Entware or otherwise fool with the guts. I shall live in hope of the Merlin-type options. Not perfect, but I am liking the progress!
  24. pedro311

    pedro311 Networkin' Nut Member

    As said, this is preliminary support for Stubby, so guys expect that it will choose the upstream server it wants...
    kille72 and rgnldo like this.
  25. rgnldo

    rgnldo Networkin' Nut Member

    Great work with Stubby on FreshTomato. Promising future
    Joe A and kille72 like this.
  26. davis bacon

    davis bacon New Member Member

    Hi, great to see you post another updated version, but I must repeat a previous bug report that the SNMP monitoring is still broken.

    I've tried NVRAM resets and different graphing software with similar results, the SNMP information being output is causing inaccurate speed graphs etc.
  27. kyrios

    kyrios Addicted to LI Member

    Anyone know why maxthon.com is no longer reachable after using Stubby (2018.4)?
    Previously used DNSCrypt (2018.3) and maxthon.com is fine.
    Or any additional DNSMasq custom configuration so maxthon will be reachable?

    Additional info :
    I just found out, I have trouble (extremely slow) accessing one of my internet banking.
    Is this Stubby code not mature? Or is Stubby tech not implemented properly on some websites (not widely accepted)?
    Last edited: Sep 19, 2018
  28. BusyBoxer

    BusyBoxer Networkin' Nut Member

    thanks for the confirmation, in my edited version (which I've been running the last few days) it does roll back around and doesn't get stuck at the last entry... not suggesting you do it just saying there is something up. I haven't bothered building a script to automate it, I just manually re-start it with the new config when I reboot... if I'm not going to be around I just set it back to dnscrypt.

    I can resolve that domain no problem, but my stubby is being limited to, and so it could be an issue with getdnsapi or surfnets resolvers (I have them out of the loop to try to figure out why it would get stuck on surfnet and stay there). It could be that domain had issues with their DNS entry when you tried it early and now it's cleared up. Even with the default config I haven't run into any resolving problems... even surfnet is fast and responsive with its longer route from my connection.

    yea it just seems odd that with the default config it gets to surfnet and never leaves, while on my modified config it rotates around between them pretty often. we are just pointing out the odd behavior in case it's a bug. by the way thank you for all the effort, I dusted off my n66u and have been testing it with the MIPs version!
  29. rgnldo

    rgnldo Networkin' Nut Member

    The big challenge for solutions with Stubby is the dependence of upstream resolvers. There are country or cities where latency is very low. So far, the most efficient solution I've had in DoT was with Unbound.

    Get tested on Cloudflare


    Stubby 0.2.3 update Entware

    # Need these for stubby.  Commented out values means the parms are already in /etc/dnsmasq.conf
    # stubby -g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log
    # netstat -lnptu | grep stubby
    tcp        0      0*               LISTEN      7899/stubby
    udp        0      0*                           7899/stubby
     # ps | grep stubby | grep -v grep
     7899 wizard    4892 S    stubby -g -v 5 -C /opt/etc/stubby/stubby.yml
    linkiTom likes this.
  30. kyrios

    kyrios Addicted to LI Member

    I could confirm, after changing my DNS to and, DOES solve my problem.
    maxthon.com is now reachable and my internet banking goes normal again

    EDIT :
    I spoke too soon. Seems both problems are still not fixed

    EDIT #2 :
    after changing my DNS to and, it did solve the internet banking access.
    Maxthon.com still not reachable unless DoH is enabled in browser. I have tested Maxthon, Chrome, and Firefox, all of them failed to visit maxthon.com
    Only when DoH enabled (, maxthon is reachable. So for now, only Firefox can visit maxthon.com
    Coz in Firefox, we can enable TRR (DoH). I do not know how to enable TRR in Chrome and Maxthon browser.
    Last edited: Sep 19, 2018
  31. pedro311

    pedro311 Networkin' Nut Member

    Guys, remember, we don't take any responsibility for whether a given server filters DNS queries or not...
    BusyBoxer, rgnldo and kille72 like this.
  32. AndreDVJ

    AndreDVJ LI Guru Member

    "Here be dragons". Consider DNS over TLS a very early tech. I was running Stubby from Entware, and had problems browsing websites (not resolving), to the point I got pissed off and disabled it.
    Joe A and rgnldo like this.
  33. Mint137

    Mint137 New Member Member

    Hi all. I'm new to FreshTomato, been using the older AdvancedTomato based on Shibby for some time now. Has FreshTomato improved the MultiWAN to work with QoS? I have a single ISP at the moment set up with QoS, but for reliability purposes I am looking to purchase a second ISP line. I know the current build of AdvancedTomato (iirc from Nov. 2017) does not support both MultiWan and QoS at the same time, but I can't find definitive information on this for FreshTomato.
  34. rgnldo

    rgnldo Networkin' Nut Member

    I'm testing Stubby's FreshTomato solution with Unbound. He is calm so far. They live very well. Fluid navigation.

    I agree.
  35. pajarillo

    pajarillo Network Newbie Member

    Today my Tomato has crashed several times, I think it has something to do with the Adblock, since I disabled it the crashes have stopped (maybe an update of one of my lists).

    Here's the log for debug: https://pastebin.com/RMxrxB8X
  36. sac7000

    sac7000 Networkin' Nut Member

    question to -
    You laid out in the tab tests -
    Firmware with a loud name KRACK 2018.4.004 for asus ac68u (ARM) .- You managed to implement protection from the vulnerability of KRACK on sdk6 ???.
    From this it follows that we should expect new or corrected wifi-drivers ???
    Why did you remove these firmware from the tests ???
    Something did not work ??
  37. koitsu

    koitsu Network Guru Member

    Thank you so much for this. This is actually the exact kind of info that's helpful in narrowing down a problem! It's nice when a problem manifests itself in a way where you can get logs though. :) Here's the English version:

    The kernel log indicates that the Linux OOM killer was induced because of memory contention/pressure. This happened multiple times, and every time dnsmasq was deemed responsible. There's a lot of information shown, but this is the most relevant and at the very end:

    Sep 20 17:12:29 Asus-Tomato kern.info kernel: [ pid ]   uid  tgid total_vm      rss cpu oom_adj oom_score_adj name
    Sep 20 17:12:29 Asus-Tomato kern.info kernel: [ 2836] 65534  2836    11188    10926   0       0             0 dnsmasq
    Sep 20 17:12:29 Asus-Tomato kern.info kernel: [ 2878] 65534  2878    11204    10942   0       0             0 dnsmasq
    Sep 20 17:12:29 Asus-Tomato kern.info kernel: [ 2880] 65534  2880    11204    10942   0       0             0 dnsmasq
    Sep 20 17:12:29 Asus-Tomato kern.info kernel: [ 2883] 65534  2883    11204    10942   0       0             0 dnsmasq
    Sep 20 17:12:29 Asus-Tomato kern.info kernel: [ 2884] 65534  2884    11188    10926   0       0             0 dnsmasq
    Sep 20 17:12:35 Asus-Tomato kern.err kernel: Out of memory: Kill process 2880 (dnsmasq) score 171 or sacrifice child
    Sep 20 17:12:35 Asus-Tomato kern.err kernel: Killed process 2880 (dnsmasq) total-vm:44816kB, anon-rss:43768kB, file-rss:0kB

    From this we can see that dnsmasq was taking up a total of about 44MBytes of memory (the "anon-rss" field is the most useful one there in this case).

    As said, this happened multiple times -- meaning dnsmasq was killed, Tomato's init/rc restarted it (this is very normal), but even seconds after it restarting it was bloated again.

    What's very strange here is that there are 4 dnsmasq processes running. Normally there's only 1. This could be a bug in something Tomato is doing, or it could be dnsmasq forking off child processes that end up doing the exact same thing as their parent (thus have the same/similar memory allocations). Sadly the kernel doesn't print the PPID (parent PID) so I can't tell if they're children or not. I will assume they are.

    The most likely causes of dnsmasq bloating like this:

    1. Use of Adblock with tons and tons and tons of hostnames/FQDNs. dnsmasq is very memory-efficient, but people are often throwing HUGE numbers of hosts/entries at it via Adblock, and every line/entry takes up memory. The memory allocated is not just "the bytes for and the length of the FQDN", it's larger than that due to internal structures dnsmasq uses to cache/store knowledge of an FQDN. So, 44MBytes seems quite possible for a very large Adblock list.

    2. A bug in dnsmasq relating to memory allocation (i.e. some memory not being freed, or repeated mallocs over time without the process being restarted). Figuring this out is extremely difficult on an embedded device because there's no debug logs of this nature, or ways to troubleshoot/debug/analyse the daemon in real-time. It's easier on standard Linux desktops or servers.

    But if we step back a moment, we can probably assume it's not #2. Why? Because when OOM killer killed dnsmasq, and Tomato init/rc restarted it, it immediately became bloated again: probably because it started up and read/parsed the dnsmasq.adblock file, which took up lots of memory, and the situation happened again.

    One thing you didn't disclose in your problem report: what model/revision of router you're using. It matters because of how much max RAM it has. We need to know that. Tomato will tell you this on the Status -> Overview page.

    So how do you solve this problem? You have several choices:

    a) Shorten the number of Adblock servers/blacklist servers you're using -- by a lot. This will result in less memory being used overall,

    b) If your router has a USB port, install a USB flash drive, and then set up what's called swap. You can either use file-based swap (very easy to set up/manage), or a swap partition (a bit more complicated). There is no advantage of file-based over partition-based, so I always recommend file-based swap because it's very easy to do. The swap also has to be re-enabled/used every time the router reboots, and making that work requires a bit of knowledge of how Tomato works with USB devices on start-up. I can help with this -- it's not hard. Really.

    What swap gets you is basically "extra breathing room" when it comes to memory pressure. Instead of the router running out of memory, what ends up happening is that Linux offloads some of the memory the bloated program is using to disk (the USB flash drive). This guarantees that the dnsmasq process won't be killed (i.e. your router will keep working just fine), but the downside is that this can/will take up more CPU time (depends on how often the memory pages are being swapped in/out and accessed) -- so DNS lookups might take a little slower than usual in extreme situations, but dnsmasq won't be killed off.

    Let me know if you want to know how to set this up/do this.

    c) Buy a new router that offers more physical RAM.

    Circling back to the start: someone should look into if dnsmasq is now using a fork-based model for some reason, or if there are known situations where one could end up with 4 dnsmasq processes running at once. The former would be OK/acceptable behaviour, but the latter would be a bug that someone on the Tomato side needs to look into.
    pajarillo likes this.
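
Added example (not part of koitsu's post): an awk-based summary of the OOM log lines quoted above, listing each kill and converting the process table's rss column from pages to kB. The function names and the 4 kB page size are assumptions; the last function checks that assumption by comparing the table value for the killed PID against the anon-rss figure in the kill line.

```shell
#!/bin/sh
# Added illustration; function names are constructed. PAGE_KB=4 is an
# assumption (4 KiB pages) that kill_matches_table checks against the log.
PAGE_KB="${PAGE_KB:-4}"

sample_log() {  # the kernel log lines quoted in the post
cat <<'EOF'
Sep 20 17:12:29 Asus-Tomato kern.info kernel: [ pid ]   uid  tgid total_vm      rss cpu oom_adj oom_score_adj name
Sep 20 17:12:29 Asus-Tomato kern.info kernel: [ 2836] 65534  2836    11188    10926   0       0             0 dnsmasq
Sep 20 17:12:29 Asus-Tomato kern.info kernel: [ 2878] 65534  2878    11204    10942   0       0             0 dnsmasq
Sep 20 17:12:29 Asus-Tomato kern.info kernel: [ 2880] 65534  2880    11204    10942   0       0             0 dnsmasq
Sep 20 17:12:29 Asus-Tomato kern.info kernel: [ 2883] 65534  2883    11204    10942   0       0             0 dnsmasq
Sep 20 17:12:29 Asus-Tomato kern.info kernel: [ 2884] 65534  2884    11188    10926   0       0             0 dnsmasq
Sep 20 17:12:35 Asus-Tomato kern.err kernel: Out of memory: Kill process 2880 (dnsmasq) score 171 or sacrifice child
Sep 20 17:12:35 Asus-Tomato kern.err kernel: Killed process 2880 (dnsmasq) total-vm:44816kB, anon-rss:43768kB, file-rss:0kB
EOF
}

# One line per OOM kill: "pid name anon_rss_kB". Reads syslog text on stdin.
oom_kills() {
    awk '/kernel: Killed process / {
        for (i = 1; i <= NF; i++) {
            if ($i == "process")   { pid = $(i + 1); name = $(i + 2) }
            if ($i ~ /^anon-rss:/) { rss = $i }
        }
        gsub(/[()]/, "", name); gsub(/[^0-9]/, "", rss)
        print pid, name, rss
    }'
}

# One line per process-table row: "pid name rss_kB". Columns are counted
# from the end of the line (name is last, rss is four columns before it),
# so the "[ pid]" bracket splitting differently for wide PIDs does not matter.
table_rss() {
    awk -v page_kb="$PAGE_KB" '/kernel: \[ *[0-9]+\] / {
        match($0, /\[ *[0-9]+\]/)
        pid = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", pid)
        print pid, $NF, $(NF - 4) * page_kb
    }'
}

# "name process_count summed_rss_kB". The sum is an upper bound: pages shared
# between forked processes are counted once per process.
rss_by_name() {
    table_rss | awk '{ n[$2]++; kb[$2] += $3 }
                     END { for (p in n) print p, n[p], kb[p] }'
}

# Prints "match" when the killed PID's table rss (pages * PAGE_KB) equals the
# anon-rss in its kill line. They agree here because file-rss is 0kB.
kill_matches_table() {
    log=$(cat)
    kill=$(printf '%s\n' "$log" | oom_kills | head -n 1)
    pid=${kill%% *}
    want=${kill##* }
    got=$(printf '%s\n' "$log" | table_rss |
          awk -v p="$pid" '$1 == p { v = $3 } END { print v }')
    if [ "$got" = "$want" ]; then echo match; else echo mismatch; fi
}

# Demo on the quoted log lines.
sample_log | oom_kills
sample_log | rss_by_name
sample_log | kill_matches_table
```
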
  38. pajarillo

    pajarillo Network Newbie Member

    Thanks for the explanation. Now I have that info in my signature (Asus RT-N18U @1200/533 MHz) ;) I never saw total free RAM going under 50% (it has 256 MB), so I don't think the problem is a lack of memory.

    I have shortened the blacklist, and for now it goes well. Adblock activated with 46875 entries: Total / Free Memory 249.80 MB / 215.96 MB (86.46%)

    Unless, you say there were 4 dnsmasq processes running, 44 MB x 4... that actually could be a problem. Tell me if there is anything else I can do to help you.
  39. koitsu

    koitsu Network Guru Member

    I'm sorry, but no, it is a lack of available memory at that specific moment in time. Just because you didn't see total free RAM going below 50% in the Tomato GUI doesn't mean that's what was going on at that specific moment (microsecond granularity) in time. If it were true, this situation would have never happened! :) The kernel is seeing what's going on at much higher-resolution interval/rate than you are via Tomato's GUI. I also have no idea how the GUI is calculating what is "free memory" (I wouldn't be surprised if what it's showing/calculated is completely wrong, but I would have to look at the code). It's double-confirmed by this line shortly above the lines I pasted:

    Sep 20 17:12:35 Asus-Tomato kern.warn kernel: DMA free:4852kB min:4408kB low:5508kB high:6612kB active_anon:118100kB inactive_anon:516kB active_file:0kB inactive_file:0kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:130048kB mlocked:0kB dirty:0kB writeback:0kB mapped:0kB shmem:16kB slab_reclaimable:0kB slab_unreclaimable:3228kB kernel_stack:16kB pagetables:228kB unstable:0kB bounce:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? yes
    We can see here that the amount of actual free memory at the time the last OOM killer kicked in was only 4.8MBytes. But that's "literal" free memory, not necessarily "available" memory. If we look at active_anon and/or present, we can see those values are about 50% of total system memory on an RT-N18U (256MB RAM).

    Hopefully you can see here that there are lots of different "kinds" and "types" of memory within the kernel, which is why understanding it all is highly complicated (it's what we systems administrators (not DevOps people!) are expected to understand).

    But you said you never saw "Free Memory" in the GUI go below 50%... Hmm... that 50% value is very interesting. I'll try to explain why -- stick with me here:

    The OOM killer only kicks in when there are extreme memory contention situations -- that means "memory pressure" when another program wants more memory than can be given at the time. In fact, embedded systems are even mentioned! Understanding how the OOM killer works is complicated, and this horrible thing in Linux called "overcommit" can potentially play a role here (FreeBSD has it too, but it defaults to disabled, like any sane OS would).

    I really don't want to explain overcommit. It's very, very complicated, but it's often a cause of problems on Linux under high memory contention situations. So here are several links that explain it, and also explain why the default behaviour is a bad thing:

    * https://serverfault.com/questions/606185/how-does-vm-overcommit-memory-work
    * http://engineering.pivotal.io/post/virtual_memory_settings_in_linux_-_the_problem_with_overcommit/ -- this one is definitely worth reading, as it also explains the importance/relevance of swap!
    * https://unix.stackexchange.com/ques...ing-memory-of-vm-overcommit-ratio-goes/294651
    * https://www.etalabs.net/overcommit.html -- explains why the default value (0) is a bad idea. This page also gives a very good/simple explanation of overcommit

    overcommit is enabled on Tomato (value of 0), with an overcommit_ratio of 50 (which means 50%):

    root@gw:/tmp/home/root# cat /proc/sys/vm/overcommit_memory
    root@gw:/tmp/home/root# cat /proc/sys/vm/overcommit_ratio
    Here is what the values actually do: https://www.kernel.org/doc/Documentation/vm/overcommit-accounting

    Once you read that page, you'll understand (hopefully) why I've always held the opinion that Linux should be using /proc/sys/vm/overcommit_memory=2 as a default, because the default model is silly. However, overcommit_ratio plays a huge role too, because if you pick a value too large, you can start to "starve" the kernel of memory it might need for things like network buffers. It's a huge balancing act. Plus, everyone's situations/environments are different -- the more features you use in Tomato, the more memory gets used, yadda yadda. Let's also not forget that the situation may be very different on routers with smaller amounts of RAM (ex. 32MBytes), where pressure is quite common.

    But I've always hated overcommit for the reasons mentioned in the above documents. I've always maintained that we should be using something like this:

    echo 2 > /proc/sys/vm/overcommit_memory
    echo 75 > /proc/sys/vm/overcommit_ratio
    But that's just my opinion. Others certainly have a different view.

    If you aren't sure about any of this? The easiest/safest thing to do, bar none, is to decrease your memory usage in dnsmasq by removing Adblock servers from the list, and/or to start using swap. The RT-N18U does have a USB port for a USB flash drive, and the drive does not have to be large in capacity -- even 2GB would be more than enough.

    Anyway, food for thought.

    All of that said: I definitely think someone might want to look into what dnsmasq is doing process-wise. If those are forked children, that's fine (there may be reasons -- I don't know), but it looks like each may have a full copy of RES/RSS memory (why this matters), which could be normal, but then again might not be. One would have to look at the dnsmasq source code, and/or talk to the author (Simon Kelley, who's super nice/awesome), to understand.

    If they're not children: we should not have 4 dnsmasq processes running. There should only be 1. Multiple/separate dnsmasq parent/master processes would fail badly -- 3 of them wouldn't be able to bind to port 53, wouldn't handle DHCP, etc. etc. and would waste memory. If this is what's happening (I don't have a way to be sure! I would need a full router log, which usually provides dnsmasq PID numbers, and dnsmasq behaviour), then that is definitely a Tomato bug.

    One thing we have seen in the past are cases where clicking "Save" in the GUI tries to restart a process but due to bugs, fails to actually kill off the old one before starting a new one, leaving multiples running. Where you click "Save" also matters. Isn't troubleshooting fun?
    Last edited: Sep 20, 2018
    M_ars and pajarillo like this.
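A pre-flight check for the strict-overcommit settings proposed above, as an added example (not from the post or from FreshTomato): with overcommit_memory=2 the kernel refuses allocations once Committed_AS would exceed roughly SwapTotal + MemTotal * overcommit_ratio / 100, so a ratio set too low makes running services fail at once. The function names and the sample meminfo values are constructed, and huge pages are ignored.

```shell
#!/bin/sh
# Added example: test an overcommit_ratio against current commitments
# before writing 2 to /proc/sys/vm/overcommit_memory.

sample_meminfo() {
    # Constructed values for a 256 MB router without swap.
    cat <<'EOF'
MemTotal:         255624 kB
MemFree:           12904 kB
Buffers:           20400 kB
Cached:           101676 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Committed_AS:     150000 kB
EOF
}

commit_check() {
    # $1 = meminfo file (default /proc/meminfo), $2 = overcommit_ratio in percent.
    # Prints "limit_kB committed_kB headroom_kB".
    # Returns 1 when what is already committed exceeds the limit.
    awk -v ratio="$2" '
        $1 == "MemTotal:"     { total = $2 }
        $1 == "SwapTotal:"    { swap = $2 }
        $1 == "Committed_AS:" { committed = $2 }
        END {
            limit = swap + int(total * ratio / 100)
            printf "%d %d %d\n", limit, committed, limit - committed
            exit (limit < committed)
        }' "${1:-/proc/meminfo}"
}

min_safe_ratio() {
    # $1 = meminfo file, $2 = headroom to keep, in kB.
    # Prints the smallest ratio (multiple of 5, at most 95) that keeps
    # that much headroom; returns 1 when no ratio does (add swap instead).
    r=5
    while [ "$r" -le 95 ]; do
        headroom=$(commit_check "$1" "$r" || true)
        headroom=${headroom##* }          # third field of the report
        if [ "$headroom" -ge "$2" ]; then
            echo "$r"
            return 0
        fi
        r=$((r + 5))
    done
    return 1
}

# Demo on the constructed sample; on a router, pass /proc/meminfo instead.
demo=$(mktemp)
sample_meminfo > "$demo"
for ratio in 50 75; do
    commit_check "$demo" "$ratio" || echo "ratio $ratio: already over the limit"
done
echo "smallest ratio keeping 16 MB headroom: $(min_safe_ratio "$demo" 16384)"
rm -f "$demo"
```

On the sample, a ratio of 50 is already exceeded by what is committed, while 75 leaves headroom.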
  40. pajarillo

    pajarillo Network Newbie Member

    OK, got it, I'd rather clean my Adblock blacklist :p

    I know nothing about overcommit and stuff, I'm far from being a computer technician or a developer, even though I use Debian on my desktop... I'm just a geek physician :rolleyes: but I appreciate your explanation of the problem, now I understand what happened, and hopefully it will help to improve Tomato! :D
  41. geekjock

    geekjock Network Guru Member

    I put the command "service dnsmasq restart" in the scheduler to run every 12 hours. Since then it seems that I don't lose DoT to Cloudflare at
    rgnldo likes this.
  42. rgnldo

    rgnldo Networkin' Nut Member

    every 360 minutes. Best for me
  43. CBR900

    CBR900 Network Guru Member


    I can not see the shared folder from the router in my updated win10 pc... smb enabled.

    can you help pls
  44. Joe A

    Joe A Networkin' Nut Member


    Question for you:
    Any improvement on the 5ghz radio with this build?
  45. Techie007

    Techie007 Networkin' Nut Member

    Sadly, no. It's still about 25 dB below the 2.4 GHz radio (checked just now). That's unlikely to change on its own as it's not a firmware revision issue or bug, but rather something specific the firmware is neglecting to do that the Tenda AC15 hardware needs.

    I'm pretty sure the issue is that Tomato doesn't know how to turn on the 5 GHz power amplifiers, which are three Skyworks SKY85710-11 chips. They are specced to increase the transmit power by 31 dB, which is just a little more than the 25 dB deficit we're seeing in transmit power to make 2g and 5g equal strength.
    Last edited: Sep 23, 2018
  46. Techie007

    Techie007 Networkin' Nut Member

    On your PC, open Computer Management and make sure both Function Provider/Discovery services are running and set to autostart. Microsoft broke file sharing in the last update of Windows 10 when they removed the Homegroup feature, and so this workaround has to be manually applied in order for it to work.
  47. Joe A

    Joe A Networkin' Nut Member

    Dang. At its current price I really want that model to have good 5 GHz strength.
  48. Techie007

    Techie007 Networkin' Nut Member

    I know, right?! It's a rock solid device with great coverage at 2.4 GHz. I've bought them on eBay for as low as $30 in the past.
    Joe A likes this.
  49. BusyBoxer

    BusyBoxer Networkin' Nut Member

    thanks. I understand there are entware implementations etc... I am currently just using the default fresh tomato... appreciate the info but I am testing this firmware not entware.

    interesting... I am still just running my modified stubby config. Looking at the logs from the default config I can only assume stubby moves along to the next resolver in the list when it gets a certain number of "closed connections" from a resolver, and in the logs I never see surfnet send a close... which might explain why it lands there and never rolls back around. In my modified config (,, and IPV4only) it rolls around between them quite often.

    This is on a 68U and generally the stubby itself never crashes for me, I have not run into any resolver failures, it has been as solid as dnscrypt was in the last version of fresh tomato. I do like the multiple resolvers aspect over dnscrypt... although I used opendns with dnscrypt and rarely saw any failures... still it's a nice improvement overall.
  50. srouquette

    srouquette Network Guru Member

    After enabling stubby, and only using, the help page ( still shows that I'm not using DoT.
    Is there anything else to do than checking the checkbox?
    I don't see any log regarding stubby in tomato.

    tested on R7000, FT 2018.4, firefox latest (TRR disabled)
  51. BusyBoxer

    BusyBoxer Networkin' Nut Member

    This might help: as far as I can tell the way the current stubby config is setup you are using it OR you are using the ones you have set in the router admin... so when you say "only using" how exactly are you doing that?

    Do this: go to https://www.dnsleaktest.com/ and run an extended test... I bet you see you are using SURFnet correct? I think stubby is being used and you are indeed using DoT, just not with cloudflare... at least at the time you did the test. I bet if you did the cloudflare page test RIGHT after a reboot it would show you are on their system... but eventually, just like me, the default config is running through its list of resolvers and landing on surfnet never to roll back around.

    The way I am forcing the change right now is I am doing it manually. I will open a SSH and kill the stubby process once the router is up and running (give it time, it appears to re-launch stubby at least twice so the PID will change at least twice) and then I am re-launching it pointing to my stubby config file that has all the other resolvers other than and an d commented out.

    We won't have to do this in normal use... it's just in the current implementation (basically a rough test) there is no defined interface for us to "select" the dns resolvers or to even paste them in via the admin page... so if 'use stubby' is checked you are using their default list at the moment (unless you modify it manually like I am or bypass their test altogether with entware or the like).

    Hope it helps!
    Onee-chan likes this.
  52. Onee-chan

    Onee-chan Network Newbie Member

    Disable DNSSEC and test.
    BusyBoxer likes this.
  53. srouquette

    srouquette Network Guru Member

    @Onee-chan: ok I'll try that. it doesn't work if DNSSEC is enabled?

    @BusyBoxer: I entered in Wan Settings > DNS 1, and in DNS 2
    So setting this up is meaningless if stubby is enabled, because it uses its own internal configuration? (/tmp/etc/stubby.yml I guess)

    I'll check again which DNS server it is using by default.

    edit: yeah the problem was DNSSEC.

    edit2: after changing adblock settings, I lost DoT (I guess because dnsmasq restarted). Not super reliable for now.
    Last edited: Sep 23, 2018
  54. rgnldo

    rgnldo Networkin' Nut Member

    I did an improvisation:
    1 - I backed up the rom stubby.yml file, located in the directory /etc. I edited with the intended servers.
    tls_ca_file: "/rom/cacert.pem"
    resolution_type: GETDNS_RESOLUTION_STUB
    tls_authentication: GETDNS_AUTHENTICATION_NONE
    tls_query_padding_blocksize: 256
    edns_client_subnet_private : 1
    idle_timeout: 10000
    listen_addresses:
      -  0::1@5453
    round_robin_upstreams: 0
    upstream_recursive_servers:
    # IPv4 addresses
    # Cloudflare
      - address_data:
        tls_auth_name: "cloudflare-dns.com"
      - address_data:
        tls_auth_name: "cloudflare-dns.com"
    # The getdnsapi.net server
      - address_data:
        tls_auth_name: "getdnsapi.net"
        tls_pubkey_pinset:
          - digest: "sha256"
            value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
    # IPv6 addresses
    # Cloudflare
      - address_data: 2606:4700:4700::1111
        tls_auth_name: "cloudflare-dns.com"
      - address_data: 2606:4700:4700::1001
        tls_auth_name: "cloudflare-dns.com"
    # The getdnsapi.net server
      - address_data: 2a04:b900:0:100::38
        tls_auth_name: "getdnsapi.net"
        tls_pubkey_pinset:
          - digest: "sha256"
            value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
    2- Basic Network

    Use Stubby (DNS-over-TLS)
    Priority -> No-resolv

    3 - In Administration -> Scripts -> Wan up :
    sleep 15
    cp /jffs/stubby.yml /etc
    sleep 5
    service dnsmasq restart
    4- Dnsmasq Custom configuration:
    Last edited: Sep 23, 2018
    BusyBoxer likes this.
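An added audit for a stubby.yml like the one posted above (example code, not from the thread or from FreshTomato): `tls_authentication: GETDNS_AUTHENTICATION_NONE` is Stubby's opportunistic mode, where authenticating the upstream is not required, and an upstream entry with neither `tls_auth_name` nor a pin has nothing to authenticate against. The names `audit_stubby` and `sample_weak_config` are hypothetical, and the sample file is constructed with documentation addresses.

```shell
#!/bin/sh
# Added example: flag stubby.yml settings that weaken DNS-over-TLS.

sample_weak_config() {
    # Constructed config: opportunistic mode plus one upstream without identity.
    cat <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_NONE
round_robin_upstreams: 1
upstream_recursive_servers:
  # constructed upstreams
  - address_data: 192.0.2.1
    tls_auth_name: "dns.example"
  - address_data: 2001:db8::53
  - address_data: 192.0.2.2
    tls_pubkey_pinset:
      - digest: "sha256"
        value: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
EOF
}

audit_stubby() {
    # $1 = path to stubby.yml. Prints one finding per line.
    # Returns 0 when nothing was flagged, 1 otherwise.
    awk '
    function val(s) {                  # text after the first colon, unquoted
        sub(/^[^:]*:[ \t]*/, "", s)
        gsub(/"/, "", s)
        sub(/[ \t]+$/, "", s)
        return s
    }
    function finish_upstream() {       # judge the upstream collected so far
        if (have && !named && !pinned) {
            print "WEAK upstream " (addr == "" ? "<no address>" : addr) ": no tls_auth_name and no pin"
            bad++
        }
        have = 0
    }
    { sub(/[ \t]*#.*$/, "") }          # drop comments
    /^[ \t]*$/ { next }
    /^[A-Za-z_]/ {                     # unindented key starts a new section
        finish_upstream()
        section = $0
        sub(/[ \t]*:.*$/, "", section)
        if (section == "tls_authentication") auth = val($0)
        next
    }
    section == "dns_transport_list" && /^[ \t]*-/ {
        t = $0
        sub(/^[ \t]*-[ \t]*/, "", t)
        if (t != "GETDNS_TRANSPORT_TLS") {
            print "WEAK transport " t " allows non-TLS queries"
            bad++
        }
        next
    }
    section == "upstream_recursive_servers" {
        if ($0 ~ /^[ \t]*-[ \t]*address_data[ \t]*:/) {
            finish_upstream()
            have = 1; named = 0; pinned = 0; addr = val($0)
        } else if ($0 ~ /tls_auth_name[ \t]*:/ && val($0) != "") {
            named = 1
        } else if ($0 ~ /value[ \t]*:/ && val($0) != "") {
            pinned = 1                 # value line of a tls_pubkey_pinset entry
        }
    }
    END {
        finish_upstream()
        if (auth != "GETDNS_AUTHENTICATION_REQUIRED") {
            print "WEAK tls_authentication is " (auth == "" ? "<unset>" : auth) ", not GETDNS_AUTHENTICATION_REQUIRED"
            bad++
        }
        exit (bad > 0)
    }' "$1"
}

# Demo on the constructed sample; on a router, pass /etc/stubby.yml instead.
cfg=$(mktemp)
sample_weak_config > "$cfg"
audit_stubby "$cfg" || echo "stubby.yml needs attention"
rm -f "$cfg"
```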
  55. rgnldo

    rgnldo Networkin' Nut Member

  56. BusyBoxer

    BusyBoxer Networkin' Nut Member

    I see you are perhaps offering a solution for a modified stubby.yml to survive reboot? Thanks I'll give it a try with my modified stubby.yml. Last time I tried just doing a copy the symlink to the default one would override (which is why I ended up re-launching stubby independently and aiming it at my modified config), but I'll try it again later!

    edit: thanks seems to be working great, when I visually inspect the /etc/stubby.yml it is my modified one and so far my own dns testing shows its staying inside my list.

    for others testing: I just used the script from above only I copy my modified stubby.yml from my mounted usb drive... That is: Use Stubby checked, the script in the wan up and I keep my priority 'strict-order' and didn't make any other mods. Seems stable through a few test reboots so far... will try from a power off later and update if I see any problems.
    Last edited: Sep 24, 2018
  57. sstacks

    sstacks Reformed Router Member

    Hi. I have been running into repeated problems with my R7000 router becoming unresponsive - other than accepting pings. I am trying to troubleshoot.

    One recent crash had Transmission with very high VSZ values seen in Top.

    My router is working OK right now, and I note that the first line of top currently reads:

    Mem 242720K used, 12904K free, 2144K shrd, 20400K buff, 101676K cached

    The low free memory looks concerning. However, the FreshTomato admin page reads:

    Total / Free Memory249.63 MB / 130.16 MB (52.14%)

    Which one should I believe?

    FWIW, 'top' currently shows 5 Transmission processes, all with the same VSZ of 81980.
  58. AndreDVJ

    AndreDVJ LI Guru Member

    A common issue with transmission-daemon is that it never behaved well downloading/uploading stuff at "high" speeds. Having it unlimited is asking to crash your router. My dead WNR3500Lv2 was also like this.
  59. sstacks

    sstacks Reformed Router Member

    Thanks. I have been using Transmission on this router for a couple of years without previous incident. I cap the speeds at 1500KB/s down.

    But then last week, I had a lot of trouble downloading one specific torrent, and I noticed a slew of hashfails, and the number of connected peers dropped. (This was from a trusted, private tracker.) I have had a lower amount of hashfails on some other torrents, and sometimes none at all. Not sure if something is going wrong with either the attached hard drive, or memory, or something else.
  60. AndreDVJ

    AndreDVJ LI Guru Member

    I feel 1500KB/s is the absolute limit.

    All five Transmission processes here weigh in at 15260 of VSZ. Not sure why yours are so heavyweight though. I use the built-in client.
  61. sstacks

    sstacks Reformed Router Member

    I also use the built-in client.

    Hmmm, well I do appear to be sitting at 1100 torrents open, though typically only 1-2 are active at any point in time. Perhaps it is time to clean that up - but I'm not sure if that's what is causing my recent instability.
  62. rgnldo

    rgnldo Networkin' Nut Member

    This is the stubby.xml that works for me. My network does not have IPV6. Cloudflare has a data center in my country, with good latency. I believe adding IPV4 or IPV6 server options to DoT is interesting for FreshTomato builds with Stubby.

    tls_ca_file: "/rom/cacert.pem"
    resolution_type: GETDNS_RESOLUTION_STUB
    dnssec_return_status: GETDNS_EXTENSION_TRUE
    tls_query_padding_blocksize: 256
    edns_client_subnet_private : 1
    idle_timeout: 60000 # keep-alive for 1 min, for better performance
    round_robin_upstreams: 1
    upstream_recursive_servers:
    # IPv4 addresses
    # Cloudflare
      - address_data:
        tls_auth_name: "cloudflare-dns.com"
      - address_data:
        tls_auth_name: "cloudflare-dns.com"
  63. recordman

    recordman New Member Member

    I installed version 2018.4 [freshtomato-RT-N18U-ARM-2018.4-AIO-64K-NOSMP] on my RT-N18U. Wasn't happy with wifi performance so I wanted to revert back to Merlin, however I am not able to get into rescue mode (CFE browser, Holding reset + power on) any more. I always end up with power light on for 30 sec / off for 30 sec / on for 30 sec / off for 30 sec / .... kind of very slow blinking, but definitely not what rescue mode looked like.

    I tried to load another firmware via web interface, but it always failed with "bad trx header" error:
    /tmp/flashvToB4R: Bad trx header or
    /tmp/flash9w8RKM: Bad trx header

    I tried Merlin fork and also stock Asus firmware (version, always failed with bad trx header.

    I was however able to downgrade to old tomato arm 2017.2 (tomato-RT-N18U-ARM--2017.2-kille72--AIO-64K.zip), hoping that I would be able to get back to Merlin from there. I was wrong, same error appeared.

    Any ideas? Mainly I would like to get into rescue mode again, which seems to have gotten broken after the latest tomato installation.
  64. Joe A

    Joe A Networkin' Nut Member

    Possibly reset the device with the reset button, and try again. Assigning your computer a static IP address of while attempting to go into rescue mode may help. Using a TFTP client while in rescue mode may help if you can get that far.

    I'm not sure if this will help, but:

    1 reset by holding down the power cord to plug into the next button on the router, and then let go when the POWER LED begins to flash slowly
    2. Assign your computer a static IP address of subnet gateway
    3. TFTP operations (not blinking during the transfer, the POWER LED)
    louise-macbook: ASUS_RT-N18U louise $ tftp
    tftp> binary
    tftp> put tomato-RT-N18U-ARM - 122 AIO 64K.trx (for example)
    Sent 16076800 bytes in 49.2 seconds
    tftp> quit
    4. After waiting a few (5-6) minutes, the router will reboot itself ...

    Where did you get the Merlin firmware for the RT-N18U?
  65. sirius2008

    sirius2008 New Member Member

    Is Merlin firmware for the RT-N18U stable ?
  66. linkiTom

    linkiTom New Member Member

    Tomato Theme from hxxp://tomatothemebase.eu The themes do not work on the latest.
    cloneman likes this.
  67. user17600

    user17600 Serious Server Member

    I had a similar problem previously - clear the browser cache and try again.
    rs232 likes this.
  68. linkiTom

    linkiTom New Member Member

    Yeah. Nope. I have tested this with Safari, Chrome, FF, Edge and IE. All are the same. Same Red header and red menu fonts.
  69. lukychan

    lukychan New Member Member

    Hi, I am trying to build some kernel module but I am running into a module.sysver problem as my build doesn't agree with the installed one. Having DLINK868, I wonder if I need some special kernel config.
    For example, the system crc for module_layout is 0x44fd24fc while the module I created has it as 0xdfef3c55.
    I tried both pedro and kille repos with the same result. Any idea how to continue?
  70. rs232

    rs232 Network Guru Member

    Reloading the page while pressing CTRL will bypass the browser cache.
    If it still doesn't work try to reboot the device and keep an eye on the logs.
  71. Sinopsys

    Sinopsys Reformed Router Member


    I have installed the latest freshtomato firmware (2018.4) on my box:
    Model Netgear R8000
    Chipset ARMv7 Processor rev 0 (v7l)
    CPU Frequency 1000 MHz (dual-core)
    Flash Size 128MB

    I was previously on the Tomato Shibby one that was working perfectly (for my usages).

    FreshTomato seems to work pretty much the same, but I recently ran into trouble with my iDevices updated to iOS 12.

    Since this update I have Wi-Fi connection issues: connection hanging and even sometimes lost.
    I've tried all the standard known tricks on the iDevice to get rid of Wi-Fi issues with no luck.

    I would normally have suspected the iDevices solely, but as I have another router (Archer C9 dd-wrt) with which I don't have any connection issues, I feel like there could be an incompatibility issue.

    Now I am seeking advice on how to investigate further and troubleshoot my case. I've tried to tcpdump from my router and then browse with Wireshark, but I couldn't get even a preliminary understanding.

    DMESG and /var/log/messages do not raise any specific error/warnings but some dhd_xxx stuff that based on my googling may not be related !?
    Oct 2 13:06:04 Nowhere kern.warn kernel: dhd_prot_flow_ring_create Send Flow create Req msglen flow ID 132 for peer d8:1d:72:e9:6c:8f prio 0 ifindex 0
    Oct 2 13:06:04 Nowhere kern.warn kernel: dhd_prot_process_flow_ring_create_response Flow create Response status = 0 Flow 132
    Oct 2 13:06:59 Nowhere kern.warn kernel: dhd_flow_rings_delete_for_peer: ifindex 0
    Oct 2 13:06:59 Nowhere kern.warn kernel: dhd_prot_flow_ring_delete sending FLOW RING Delete req msglen 40
    Oct 2 13:06:59 Nowhere kern.warn kernel: dhd_prot_flow_ring_delete sending FLOW RING Delete req msglen 40
    Oct 2 13:06:59 Nowhere kern.warn kernel: dhd_flow_rings_delete_for_peer: ifindex 0
    Anyone to help or observing the same issue ?
  72. pedro311

    pedro311 Networkin' Nut Member

    Was it clean install?

    BTW, you may suppress these messages (previously discussed) with:

    dhd -i ethX msglevel 0x0000
    where X is your active WL interface.
    koitsu likes this.
  73. Thomas Orr

    Thomas Orr Network Newbie Member

    Hi all,

    I've been using Advanced Tomato based on Tomato by Shibby however discovered that the project is effectively dead. I have come across this fork Fresh Tomato but also another by AndreDVJ for Advanced Tomato.

    Is AndreDVJ's fork based on the Fresh Tomato fork or is it different? If so, what are the main differences apart from the UI?

    I much prefer the UI of AT and would rather use AndreDVJ's fork if it contains the latest changes from FT.

    Many Thanks :)
  74. xiaobb

    xiaobb Network Guru Member

    I am using the 2018.4 firmware on R7000, I noticed that when router reboot, ntpd -l is running and I get time from it.
    But after a while, the ntpd -l is gone. And other devices can't get time from the router anymore.
  75. Sinopsys

    Sinopsys Reformed Router Member

    Yes it is a clean install with nvram fully erased and new setup made manually from scratch.

    Thank you for the tips to hide dhd logs.
  76. Testing

    Testing Connected Client Member

    Last edited: Oct 3, 2018
  77. The Master

    The Master Network Guru Member

    THX, I have one question.
    Why is High "Default" lower % than Low and Medium? 15(High) -> 40 (low)

    PS: Used your guide yesterday and now I'm making an update :)
    Testing likes this.
  78. Testing

    Testing Connected Client Member

    The High class is above the Low class, that means if the other priorities are not using much bandwidth, the High class will use that bandwidth, then High class can use up to 60%. (even if you only have 15% reserved)

    That's why I reserve 40% of the bandwidth for the Low class, that is below the High class.

    If this option does not exist "Minimum bandwidth", the priorities that are first steal all bandwidth, because the class that is higher, more priority will have over the bandwidth.
    Last edited: Oct 3, 2018
  79. Steve Lawrence

    Steve Lawrence New Member Member

    Have a N7000. I was on Shibby 1.40. I flashed Fresh 2018.4. First time I did not clear NVRAM. When I rebooted, everything worked but I could not access my Device List, Static IPs, etc.

    Then I did a flash with a clear NVRAM option. All the above options there. Then I did a restore config, and boom, same as first flash.

    Is there a work around to restore a Shibby 1.40 configuration to 2018.4. I really don't want to re-enter all that info if I don't have to.

  80. Mercjoe

    Mercjoe Network Guru Member

    You will need to re-config manually.

    Never trust a config restore to work properly between versions let alone different forks.
    kille72 likes this.
  81. Steve Lawrence

    Steve Lawrence New Member Member

    Okay, so I did a thorough NVRAM erase on my R7000 and was able to configure everything.... Well mostly. After configuring the Wifi and saving it, I cannot select Wireless Network Mode, Channel, or Channel Width in the 5G band OR Channel Width in the 2.4G band. It only let me do it once, on initial setup, now I get "The field "wl_net_mode" is invalid. Please report this problem." error.

    Any ideas on this one?

  82. user17600

    user17600 Serious Server Member

    Try changing the country/region settings under Advanced>Wireless, save and then go back? (Unrelated: I have found performance-wise that I sometimes need to go to a random country back to US to get the best performance. Might be voodoo but it works for me. I presume some sort of reset of the available options in Basic settings)
  83. Steve Lawrence

    Steve Lawrence New Member Member

    Tried that. Didn't help. Thanks though.
  84. usergay

    usergay Reformed Router Member

    You may have to do another NVRAM Thorough erase and start over
  85. pedro311

    pedro311 Networkin' Nut Member

    And/Or clean cache in your browser.
    tripper22 likes this.
  86. Magnus

    Magnus Connected Client Member

    Hi all. And what about USB 3.0 speed? Is the speed still slow?
  87. Steve Lawrence

    Steve Lawrence New Member Member


    Didn't even think about that one. Thank you, thank you.
    tripper22 likes this.
  88. JollyRoger

    JollyRoger New Member Member

    Hi Everyone, n00b here but very excited for this new tomato fork. I am currently running DD-WRT on an RT-AC68U B2, and I know this revision is not currently supported for fresh tomato. Is there anything I can do to contribute to the development of this router?
  89. Dhaval Shah

    Dhaval Shah Network Newbie Member

    Yes MAX 30MBps, But specially when u enable bandwidth limiter it drops down to 2 MBps
  90. joew333

    joew333 LI Guru Member

    Using the AIO build and Stubby works fine for both IPv4 and IPv6 addresses for Cloudflare. Well done! Any way this can also be added to the VPN build for those of us preferring it?
  91. cafissimo

    cafissimo Reformed Router Member

    @kille72 , please I would like to know if this fork supports (or you are willing to add support):
    1) host-uniq tag parameter for PPPoE wan connections
    2) VLAN tagging

    The reason for my questions is that FTTH Vodafone connections, at least in Italy, need these 2 parameters to work.

    Many thanks in advance.
  92. joksi

    joksi Serious Server Member


    I have Tomato Firmware 1.28.0000 -2017.3-kilAIO-64K26ARM USB AIO-64K
    And need to have custom DHCP option on one WAN only, but when i set it up on the router it sends the same on all wans.
    Is there any workaround for this?
  93. tbrautaset

    tbrautaset Connected Client Member

    Know it's a little too late now, but on my TomatoUSB
    Model Asus RT-AC3200
    Chipset ARMv7 Processor Rev 0 (v7l)
    CPU Frequency 1000 MHz (dual-core)
    Flash size 128 MB

    Captive Portal Management has worked perfectly :), upgraded to the next version as usual, but not this time for 2018.4 everything was constantly looping:oops: and now I understand why. Captive Portal has been removed:(!

    Possibly I'm the only one who likes to have a nice welcome page for guests and others?


    Is it possible to get this implemented again? Or do I have to look for other third-party firmware that has this feature?
    It would have been great if you do, thank you in advance @pedro311

    Waiting for the 2018.5 release where @pedro311 wrote that possibly NOCAT will return!
    Last edited: Oct 31, 2018
  94. Cloudzy

    Cloudzy New Member Member

    Is it possible to add more than 4 bridges in this version (R7000) ?

    char br;

    for (br=0; br<=3; br++ ) {

  95. Haldi4803

    Haldi4803 Reformed Router Member

    The first test I made didn't work, but now it does.
    On a Netgear R6400 with 2018.4 and dnsmasq set accordingly.

    When it failed i switched DNS 2 from to but now i've switched it back and it's still working.... so whatever.

    Try the Stornur Skin. made me switch from Advanced over to fresh.

    Edit: 09.10.2018 Halp...
    So today I checked again...
    Not connected to Cloudflare, no DNS over TLS...
    When exactly does Fresh Tomato use DNS1 and when DNS2?

    Just for testing I've set DNS2 to and voilà it's working again.

    I kinda prefer the idea of using 2 different DNS providers.... is that a bad idea?
    Last edited: Oct 9, 2018
    CBR900 and user17600 like this.
  96. rgnldo

    rgnldo Networkin' Nut Member

    My provider offers varied internet bandwidth service. During the day I have 15mb, at night I have 50mb. Is there a way to schedule automatic shutdown of the QOS at night? @AndreDVJ @pedro311 @kille72
  97. joew333

    joew333 LI Guru Member

    I am not sure QOS really has a place any longer as bandwidth increases at the home. Why? QOS basically works by sharing the max download capacity of your connection across your devices by priority, assuming of course that demand is simultaneous which it really is not. In rural and urban areas, 100 - 200 MB is becoming "standard". Even with just 50 MB, I am not sure QOS actually does anything useful. Further, some operators, especially using DOCSIS, dimension your download speed slightly higher than what you have purchased to reduce subscriber complaints. If you use QOS, you don't wind up benefiting from this extra capacity. Just my $0.02 but I think QOS is a function whose time has come, and gone!
  98. Cliffield

    Cliffield Connected Client Member

    rgnldo likes this.
  99. kyrios

    kyrios Addicted to LI Member

    I just wanna update my problem. The problem was caused by Adblock. Stubby had nothing to do with my problem.
    This host URL listed maxthon.com in their blacklist.
    How I solved my problem was by using traceroute.
    I traceroute to maxthon.com inside the router, result was
    Then I traceroute using its IP (instead of maxthon.com) and the result was reachable.
    Then I realized something strange was happening inside my router; could it be Adblock?
    Then I looked for which host source was causing the problem.

    The reason maxthon.com was still reachable using Firefox while it was blacklisted in Adblock must be that DoH (https) is enabled in Firefox.
  100. rgnldo

    rgnldo Networkin' Nut Member
