[Fork] FreshTomato-ARM

Discussion in 'Tomato Firmware' started by kille72, Apr 15, 2018.

  1. rgnldo

    rgnldo Serious Server Member

  2. linkiTom

    linkiTom New Member Member

    Couple of finds... I have a 68U set up in AP mode. With old Tomato everything works. However, with Fresh, NTP does not work due to DNS name resolution, and maybe the same reason is why themes do not work. When a theme is enabled, the system crashes quite often.
     
  3. bjlockie

    bjlockie Network Guru Member

    I think it is useful to share bandwidth among users.
     
  4. txnative

    txnative Networkin' Nut Member

    I usually game so it is vital for me and my network. As far as bandwidth, I just use what my ISP is letting me rent, since even though I pay for it I'll never own it.
     
  5. srouquette

    srouquette Network Guru Member

    Is there a way to test DNS resolution speed?
    2018.4 feels super sluggish, but I'm not sure if it's my settings or the firmware.

    I'm using cloudflare (1.1.1.1 and 1.0.0.1), DNSSEC + dnscrypt on scaleway-fr, was on soltysiak before. I don't use stubby yet since it seems I was losing DoT from time to time, maybe due to adblock.
    adblock: activated - 118036 entries

    dnsmasq.conf:
    cache-size=8192
    domain-needed
    bogus-priv
    no-poll
    no-negcache
    log-async=25
     
  6. Sean B.

    Sean B. LI Guru Member

    What make arg is used for the RT-AC3200 when building the firmware? Is it a supported model under the ac68(e)(z) builds?
     
    Last edited: Oct 12, 2018
  7. livepu

    livepu Reformed Router Member

    I don't know when to update the BCM driver. Look forward to
     
  8. Tolocdn

    Tolocdn Networkin' Nut Member

    Is there a breakdown of the settings in Tomato and what they do? Even a basic typical setup guide would be awesome! I'm sure I've overchecked too many things in my DNS setup.
     
  9. Cliffield

    Cliffield Network Newbie Member

    You could try namebench (https://code.google.com/archive/p/namebench/) or DNSBench (https://www.grc.com/dns/benchmark.htm).

    Cliffield
     
  10. BusyBoxer

    BusyBoxer Networkin' Nut Member

    So when you have "enable stubby" checked in the current version it is using a default stubby config file (stubby.yml) that includes more than just Cloudflare as the DNS over TLS... it has Cloudflare (1.1.1.1, 1.0.0.1) and Quad9 (9.9.9.9) and dns privacy project and SURFnet and both IPv4 and IPv6 in the config... and it just rotates around through them. The mechanism for this movement is unclear to me... but that is likely why you are seeing initially that you are using the Cloudflare resolvers... then it will eventually move on to the others. Even with this movement it is still DNS over TLS, just with various resolvers. The problem I had was it would rotate through them all and land on SURFnet and never move back... but only my ARM router (when testing this on my MIPS2 router it never left Cloudflare but I digress).


    Next time you see that it is not on Cloudflare use some DNS leak testing mechanism (https://www.dnsleaktest.com works well, click advanced test) and you will likely see you are on Quad9 or more likely SURFnet resolvers... they are still DNS over TLS... just not Cloudflare's resolvers.

    If you have the "enable stubby" checked it is not using the dns entries after it is up and running it is instead using the stubby.yml listed resolvers.

    This is only like this because they are just doing the initial testing of the stubby support... eventually there will be some interface or simple area to paste in a config file so you can set the resolvers you want.

    There is a way in this version to make your own config... and it does survive reboot and power outage shutdowns. It was suggested by rgnldo and I have been using it for weeks with my custom resolver list (only cloudflare and quad 9 and only IPv4)... the key is to modify the stubby.yml to contain only the entries you want (I just commented out the ones I didn't)... and then have the system move your custom stubby.yml over after the system is up and restart dnsmasq so it eventually re-starts stubby and presto you are now using your config instead of the default config.

    This is rgnldos post:

    https://www.linksysinfo.org/index.php?threads/fork-freshtomato-arm.74117/page-11#post-299732

    The only difference is instead of using the JFFS I keep my stubby config on my USB drive, so in the WAN up script I just point it to the modified stubby config on the USB drive instead of the JFFS.


    tl;dr: When you have stubby checked it is ignoring your dns settings and using the resolvers in the config file... it rotates through many so you will not stay on cloudflare all the time... BUT it will still be tls wrapped to the other resolvers even when not on cloudflare.
     
  11. rgnldo

    rgnldo Serious Server Member

    After some tests, based on connection latency, the best DoT server for me was Cloudflare. You can adapt as you wish.
    Code:
    resolution_type: GETDNS_RESOLUTION_STUB
    
    dns_transport_list:
      - GETDNS_TRANSPORT_TLS
    
    tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
    
    #dnssec_return_status: GETDNS_EXTENSION_TRUE
    
    tls_query_padding_blocksize: 256
    
    edns_client_subnet_private : 1
    
    idle_timeout: 60000
    
    listen_addresses:
      - 127.0.0.1@5453
    #  -  0::1@5453
    
    round_robin_upstreams: 1
    
    upstream_recursive_servers:
    # Quad 9 IPv6
    #  - address_data: 2620:fe::fe
    #    tls_auth_name: "dns.quad9.net"
    # IPv4 addresses
    # The 1.1.1.1 Cloudflare Servers
      - address_data: 1.1.1.1
        tls_auth_name: "cloudflare-dns.com"
        tls_pubkey_pinset:
          - digest: "sha256"
            value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
      - address_data: 1.0.0.1
        tls_auth_name: "cloudflare-dns.com"
        tls_pubkey_pinset:
          - digest: "sha256"
            value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
    # Quad 9 Server
    #  - address_data: 9.9.9.9
    #    tls_auth_name: "dns.quad9.net"
    
    
    Dnsmasq Custom configuration:

    Code:
    no-negcache
    Scripts -> Wan Up

    Code:
    sleep 5
    cp /jffs/stubby.yml /etc
    sleep 5
    service dnsmasq restart
     
    kyrios, BusyBoxer and geekjock like this.
  12. rgnldo

    rgnldo Serious Server Member

    This instability in Dnsmasq is being fixed in build 2018.5.

    No need for these options. Try adding only:
    Code:
    no-negcache
    Use the d0wn.is.ns2 server for Dnscrypt.
     
  13. jyan01

    jyan01 New Member Member

    Hi All:

    I have an EA6900 v2, now running FRESH TOMATO Firmware 2018.4 K26ARM USB AIO-64K. I have Verizon FIOS 1GB; speed seems to be capped at around 350mb (wired connection). I have enabled cut-through forwarding and it doesn't seem to work. When I was on Advanced Tomato 3.5-140 AIO, that was working fine and a non-issue. Can anyone provide commentary on what settings on FRESH TOMATO I need to change to support the Verizon FIOS 1GB speeds?
     
  14. bjlockie

    bjlockie Network Guru Member

    Try freshtomato-2018.3.
    Go back to Advanced Tomato.
    No other ideas, sorry.
     
  15. rgnldo

    rgnldo Serious Server Member

    CTF (Cut-Through Forwarding) = Enable

    WAN Port Speed = 1000 half full

    Wireless Region = United States

    Routing = Efficient Multicast Forwarding (IGMP Snooping) = Enable
     
  16. jyan01

    jyan01 New Member Member

    Hi. Wan Port Speed, I don't see 1000. I only see 100 Half/Full as highest. I have configured the other settings, it doesn't work, any other ideas? If I want to go back to 2018.3 Fresh Tomato or Advanced Tomato, do I update within the GUI or do I need to do it in the CFE? For whatever reason I can't seem to invoke CFE, it doesn't come up. I hold reset, power on, while holding reset for 15-20 seconds and then the GUI IP address... can't get CFE.
     
  17. rgnldo

    rgnldo Serious Server Member

    Yes. 100 half full.

    I'm not exactly sure what happens with the FreshTomato 2018.4 build for the EA6900 v2. I recommend trying out other firmware, suitable for your connection.
     
  18. Sean B.

    Sean B. LI Guru Member

    If the WAN port isn't showing a gigabit negotiated speed, it's not going to deliver gigabit throughput. Under Tools->System Commands run this:

    Code:
    robocfg show
    And post the output please.
     
  19. srouquette

    srouquette Network Guru Member

    @Cliffield: thanks, I tried DNSBench and the local DNS is definitely slower: https://i.imgur.com/14RIbbE.jpg

    @rgnldo: ok thanks, I'll update my settings and wait for 2018.5. About dnscrypt, I live in France, would d0wn.is.ns2 be faster than scaleway?

    edit: yeah d0wn is slower ^^;
    I re-tested soltysiak with dnsbench and it seems faster than scaleway, so I'm back to that.
     
    Last edited: Oct 14, 2018
  20. RMerlin

    RMerlin Network Guru Member

    Resolution time is mostly meaningless, and so is DNSBench.
     
    rgnldo, koitsu and kille72 like this.
  21. srouquette

    srouquette Network Guru Member

    ok. I assumed that it was the problem because the first time I visit a website, it takes a good amount of time to load the page (reddit, youtube, something like 3-5sec).
    So what would be the root cause?
    How can I investigate this problem?

    The slow loading is only happening if I go through my router.
     
  22. RMerlin

    RMerlin Network Guru Member

    Make sure you don't have a completely dead DNS configured, that might explain such a long delay if one of the two DNS was incorrect.
     
    rgnldo likes this.
  23. rgnldo

    rgnldo Serious Server Member

    This option is in AsusWRT-Merlin, not in FreshTomato. Or I'm wrong.
     
  24. rgnldo

    rgnldo Serious Server Member

    I often use these commands to test the best latency for the DNS I want. Change the one according to the DNS provider you want to use. Should serve for Dnscrypt as well.

    Code:
    while true; do dig @1.1.1.1 www.amazon.com | grep time; sleep 2; done
    
    
    Code:
    while true; do dig @1.1.1.1 www.amazon.com | grep "Query time:" | cut -d : -f 2- | cut -d " " -f 2; sleep 2; done
     
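The dig loop above measures what the resolver answers in, but it only probes one upstream. The following is an added example (my own code, not from the thread or from FreshTomato) that does the same measurement with a hand-built DNS query over UDP, so it can be pointed at the router's own dnsmasq on 127.0.0.1 as well as at an upstream such as 1.1.1.1 and the two compared. Network access is assumed only for probe_resolver(); the wire-format helpers run offline. Resolver addresses and the query name are taken from the thread; the sample count and timeout are my assumptions.

```python
"""Measure DNS resolution latency without dig (added example, not the page's code).

Sends a minimal A query in RFC 1035 wire format over UDP and times the reply,
which is what dig reports as "Query time". 127.0.0.1 measures the router's
dnsmasq (and stubby/dnscrypt behind it); 1.1.1.1 measures the upstream directly.
"""
import os
import socket
import struct
import time


def build_query(name, txid=None):
    """Encode a standard recursive query for an A record; returns (txid, packet)."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")      # random id, as resolvers do
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    question = qname + b"\x00" + struct.pack("!HH", 1, 1)        # QTYPE=A, QCLASS=IN
    return txid, header + question


def parse_response(packet, expected_txid):
    """Return (rcode, answer_count); raise if the reply does not belong to our query."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:                               # QR bit must be set on a response
        raise ValueError("not a response")
    return flags & 0x000F, an


def probe_resolver(server, name="www.amazon.com", samples=5, port=53, timeout=2.0):
    """Query `server` `samples` times; return round-trip ms per sample (None on timeout)."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(samples):
            txid, pkt = build_query(name)
            start = time.monotonic()
            sock.sendto(pkt, (server, port))
            try:
                data, _ = sock.recvfrom(4096)
                parse_response(data, txid)
                results.append((time.monotonic() - start) * 1000.0)
            except (socket.timeout, ValueError):
                results.append(None)                     # a dead resolver shows up here
    return results


def summarize(samples):
    """min/avg/max over the successful samples plus the number of timeouts."""
    ok = [s for s in samples if s is not None]
    if not ok:
        return {"min": None, "avg": None, "max": None, "timeouts": len(samples)}
    return {"min": min(ok), "avg": sum(ok) / len(ok), "max": max(ok),
            "timeouts": len(samples) - len(ok)}


if __name__ == "__main__":
    # Local dnsmasq first, then the upstreams named in the thread.
    for server in ("127.0.0.1", "1.1.1.1", "9.9.9.9"):
        print(server, summarize(probe_resolver(server)))
```

A large gap between 127.0.0.1 and the upstream, or timeouts only on 127.0.0.1, points at the router's resolver chain rather than the provider.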
  25. Sean B.

    Sean B. LI Guru Member

    It's the Broadcom driver for the switch. If the board is running Broadcom ( as all Tomato supported routers are ) it will have robocfg.
     
    Monk E. Boy, pedro311 and kille72 like this.
  26. Darkbing

    Darkbing Connected Client Member

    Greetings,

    May I ask has the multi-wan feature already been fixed when running alongside with qos?

    I wasn't able to catch up with the past recent changes and updates.

    Kind Regards.

    Tomato Supporter here
     
  27. freshlysqueezed

    freshlysqueezed Network Newbie Member

    Just an FYI. I didn't want to run such an old firmware on Advance Tomato, due to the overwhelming security vulnerabilities that could put me at risk with older firmware.

    I upgraded from Advance Tomato to Fresh Tomato wiping out NVRAM first and the upgrade went smooth as could be on my R7000.

    I have AT&T 1 Gig up and down and was able to mostly cap out the connection even with Cut Through Forwarding not enabled. With it enabled made little difference. Wireless speed seems to be about the same, getting about 300Mbps on 5GHz.
     
  28. phagenauw

    phagenauw New Member Member

    Question?
    It has been a while since I changed the firmware on my EA6900 to "Asuswrt-Merlin & Xwrt-Vortex". Currently I run 380.69 on my EA6900 and I want to upgrade to the latest available FreshTomato. Just to be sure: as I run the Xwrt-Vortex version, so I have the new 64K CFE in place, can I now directly upgrade from the "firmware upgrade" page in the Xwrt-Vortex WebUI to the latest FreshTomato release, or do I need to reset, go back (if possible) to the CFE mini web setup page, etc, etc.?
    Thanks if anyone can make this more clear.
     
  29. monoton

    monoton Serious Server Member

    I use the "recovery web interface" and a full reset when changing from one firmware to another. works fine.
     
  30. phagenauw

    phagenauw New Member Member

    Hi and thanks. Found that the way to get into the recovery web interface is to hold the reset button while powering on and then release. Hopefully correct, will try!
     
  31. Mashed_Tomatoes

    Mashed_Tomatoes New Member Member

    Awesome work so far guys! I have an R7000 on Shibby's last TomatoUSB fw. Can I just upgrade directly or is there a need to send the initial fw? Thanks!
     
  32. BusyBoxer

    BusyBoxer Networkin' Nut Member

    From my experience flashing a friend's R7000, once it's on shibby you can go directly to FreshTomato ARM, but they recommend a fresh config (in other words once the router is flashed either NVRAM clear it or check the "After flashing, erase all data in NVRAM memory" tick) then re-configure it manually (don't restore a saved config from the shibby version).
     
    thewaywardgeek00 likes this.
  33. Carmine

    Carmine New Member Member

    I wanted to thank the team for continued development of Tomato. Much appreciated!

    I did notice an issue with a firewall script that didn't occur on Shibby's last release and basically crashes my Fresh Tomato 2018.4 installation on my R7000 and blocks all web access.

    I simply reused a script from my previous Shibby version 140 to block DHCP traffic across an OpenVPN site to site bridge as I have (non-Tomato) DHCP servers on both sides. This script has worked flawlessly for years.

    The OpenVPN bridge is between two R7000's running Fresh Tomato 2018.4. Everything works great, traffic flows with no issues bi-directionally, until I apply the following script to either side of the connection:

    Code:
    ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
    ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

    When the script is applied and the R7000 restarted I lose all connectivity between both sites and local web Internet traffic stops and it is actually hard to access the router to remove the script. Once the script is removed everything goes back to normal.

    I really need to block DHCP traffic across the OpenVPN bridge as clients are receiving the wrong addresses with the wrong gateway information that leads to very slow performance. I am wondering if the script needs to be applied in a different way in Fresh Tomato.

    Thanks in advance for the assistance!

    Carmine
     
  34. Wizardknight

    Wizardknight Reformed Router Member

    I may have found a VPN/MTU bug.
    Previously my VPN Client connections were working without any issues.
    I made a change to my MTU, and then changed it back to default when I didn't see any speed improvements.
    Now no VPN client connections will work, but the GUI gives feedback as though they were. (I get the stop now button for example.) However my IP address is still my local address, and not the expected VPN address.

    I am getting a connection I think based on the info from stats tab:
    Name Value
    TUN/TAP read bytes 3034
    TUN/TAP write bytes 0
    TCP/UDP read bytes 5755
    TCP/UDP write bytes 6221
    Auth read bytes 176
    pre-compress bytes 1962
    post-compress bytes 2007
    pre-decompress bytes 0
    post-decompress bytes 0

    I would prefer not to rebuild my router from scratch, but I am not sure how to troubleshoot this.

    Edit:
    I rolled my firmware back to 2018.3 from 2018.4, and it resolved the issue.

    Edit 2:
    Spoke too soon.
    It only worked for the very first vpn connection attempt.
    If I press stop, and try to select VPN client 2 after having used client 1 they all stop working again. :(

    Edit 3:
    Found a cfg backup from my original upgrade to 2018.4, and restored my router.
    Only lost a few minor changes.
    Still can't understand why touching the MTU would damage the router's ability to route traffic over the VPN permanently.
     
    Last edited: Oct 17, 2018
  35. Mashed_Tomatoes

    Mashed_Tomatoes New Member Member

    10-4. Thanks buddy!
     
  36. Adriel

    Adriel Network Newbie Member

    Stupid question, but is there somewhere/thing that I can subscribe to so I will get an alert/email when the new versions of this firmware come out?
     
  37. pedro311

    pedro311 Networkin' Nut Member

    How did you change that MTU?
     
  38. Canopus

    Canopus New Member Member

    It looks like Linksys EA6400 5GHz radio does not work properly (at least two recent versions of FreshTomato). I did not test 2GHz.
    Router drops connection pretty often - character time 10 min.
    I went back to DD-WRT (version of 13 May 2018) and problems have gone.
    Does anybody else have such a problem?
     
  39. monoton

    monoton Serious Server Member

    I have four EA6400 up and running with freshtomato 2018.3, and have no problems with either of the bands.
    Have you flashed the CFE and if so did you set:
    0:macaddr (same as MAC Address +2)
    1:macaddr (same as MAC Address +4)
     
  40. Wizardknight

    Wizardknight Reformed Router Member

    Side menu>Basic>Network>MTU>Dropdown box (default) and value text box.
     
  41. Canopus

    Canopus New Member Member

    Yes, I've done that (CFE and MACs).

    I have couple of android and windows AC devices connected to router.
    Symptoms are:
    1. Android clients get disconnected immediately when they start sleeping. I've checked the Androids' options - wifi is always active.
    2. Windows machines get disconnected after some time of network inactivity, even though they do not sleep.

    Everything started working fine when I flashed DD-WRT, without making any changes to the clients' configuration.
     
  42. PetervdM

    PetervdM Network Guru Member

    you might need to disable APSD under advanced, wireless on a per radio basis. the default is enabled.
     
  43. Canopus

    Canopus New Member Member

    Thanks a lot for your reply.

    Unfortunately I cannot check APSD right now. I already flashed DD-WRT.
    I have couple of questions:
    1. Why do Windows machines get disconnected?
    2. Is there something similar to APSD in DD-WRT? I could play with this option if yes.

    Thanks.
     
  44. txnative

    txnative Networkin' Nut Member

    It is most likely on; you can check by using telnet or ssh, running nvram get wl_wme_apsd, then notice the output.
    Did you by chance clear the nvram before installing freshtomato?

    edit: use wl0 or wl1 or wl2 when running the above command since I'm not sure the way wl is on this particular board and driver for 2.4 and 5ghz.
     
    Last edited: Oct 19, 2018
  45. kyrios

    kyrios Networkin' Nut Member

    Hi rgnldo,

    I tried this method; it said curl can't create the file.
    /opt is read only.
    And may I know why we should use this?
    In Adblock, can't we just type it there, in Blacklist URL?
    It said
    Code:
    Autoupdate will be randomly launch between 2:00-2.59 AM every day
     
    Adriel likes this.
  46. joew333

    joew333 LI Guru Member

    Stubby is using SURFnet for me too. It would be a great improvement if Stubby used the IPv4 and IPv6 set on the Network and IPv6 settings instead of being hardcoded.
     
  47. rgnldo

    rgnldo Serious Server Member

    The blacklist I reported is great; there was a delay in the Adblock firmware. This way the list gets served locally using Nginx, and the FreshTomato Adblock script does the job much faster. I improvised. Nothing prevents you from adding it directly to the FreshTomato adblock settings.
     
  48. rgnldo

    rgnldo Serious Server Member

    Look at this post:
    https://www.linksysinfo.org/index.php?threads/fork-freshtomato-arm.74117/page-12#post-300157

    Do the procedure from my post with this Stubby configuration:

    Code:
    resolution_type: GETDNS_RESOLUTION_STUB
    dns_transport_list:
      - GETDNS_TRANSPORT_TLS
    tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
    tls_query_padding_blocksize: 128
    edns_client_subnet_private : 1
    round_robin_upstreams: 0
    idle_timeout: 2000
    tls_connection_retries: 5
    tls_backoff_time: 900
    timeout: 2000
    appdata_dir: "/opt/var/cache/stubby"
    listen_addresses:
      - 127.0.0.1@5453
      - 0::1@5453
    
    upstream_recursive_servers:
    # Quad 9 Secure Primary
    #  - address_data: 9.9.9.9
    #    tls_auth_name: "dns.quad9.net"
    # Quad 9 Secure Primary
    #  - address_data: 2620:fe::fe
    #    tls_auth_name: "dns.quad9.net"
    # Cloudflare Primary IPv4
      - address_data: 1.1.1.1
        tls_auth_name: "cloudflare-dns.com"
    # Cloudflare Secondary IPv4
    #  - address_data: 1.0.0.1
    #    tls_auth_name: "cloudflare-dns.com"
    # Cloudflare Primary IPv6
      - address_data: 2606:4700:4700::1111
        tls_auth_name: "cloudflare-dns.com"
    # Cloudflare Secondary IPv6
    #   - address_data: 2606:4700:4700::1001
    #     tls_auth_name: "cloudflare-dns.com"
    Dnsmasq custom configuration:

    Code:
    no-resolv
    server=127.0.0.1#5453
    server=0::1#5453
     
  49. Peldor

    Peldor Networkin' Nut Member

    Hi,

    For someone using Shibby's last build and happy with its functionality on R7000, are there any valid security reasons to update to FreshTomato? I don't need any new features but I do want to stay up to date with important security fixes. Thanks,
     
  50. rgnldo

    rgnldo Serious Server Member

    FreshTomato builds include software updates and security patches. I recommend updating your firmware.
     
  51. TheMaskedOnion

    TheMaskedOnion New Member Member

    Is FT 2018.4 affected by CVE-2018-10933?

    "A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access."
     
    rgnldo likes this.
  52. AndreDVJ

    AndreDVJ LI Guru Member

    It doesn't apply. We use dropbear.
     
    rgnldo, pedro311 and kille72 like this.
  53. maurer

    maurer Network Guru Member

  54. pedro311

    pedro311 Networkin' Nut Member

  55. Wizardknight

    Wizardknight Reformed Router Member

    I am hoping a more experienced person can chime in on my issue.
    I have my router running a FTP server.
    I also have my router setup with a VPN client.
    When the VPN client is enabled WAN access to the FTP server is broken.
    LAN access continues to work as expected.
    Disabling the VPN connection restores WAN access.

    I tried using the VPN routing policy to allow access to only 1 IP (Rule- From Source IP 192.168.15.xxx), but that did not resolve my FTP access issue.

    Can anyone chime in here, and make a suggestion on how I might tweak the settings to allow for FTP WAN access and having a VPN connection?
     
  56. withforesight

    withforesight New Member Member

    Hi,

    I found the following ip6tables command failed with the message.

    # ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ip6tables: Protocol wrong type for socket.

    The inserted rule is not applied in ip6tables -vL:

    # ip6tables -vL
    Chain INPUT (policy ACCEPT 14928 packets, 1171K bytes)
    pkts bytes target prot opt in out source destination

    Chain FORWARD (policy ACCEPT 2623K packets, 3024M bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 16541 packets, 1845K bytes)
    pkts bytes target prot opt in out source destination

    How can I build robust IPv6 firewall in FreshTomato?
     
  57. Yim Sonny

    Yim Sonny Serious Server Member

    Yes indeed. Invest $85 in an i5 computer that is very capable of running all of these services and stop trying to convert yer router into a Swiss army knife.
    https://www.pcliquidations.com/p74793-lenovo-thinkcentre-m92p-3209
     
  58. usergay

    usergay Network Newbie Member

    I had a similar problem and the only solution I could find was to revert back to shibby's v132 firmware. Something having to do with multiwan caused the issue for me. Since the downgrade, everything has been really stable for me with regard to FTP & VPN.
     
  59. M_ars

    M_ars Network Guru Member

    Last commit for ftp
    https://bitbucket.org/kille72/freshtomato-arm/commits/8de41f886c45ce7451d89e2921124fd66bf53901

    Sounds similar to what you are saying. What FreshTomato version do you use? Port?
    Have you tried to disable "Tracking / NAT helpers" at Advanced -> Conntrack/Netfilter?
     
  60. Chrispy

    Chrispy New Member Member

    First Post!

    For anyone with a R8000 router, upgrading to 2018.4 results in a boot loop so don't upgrade. I was running stock firmware and tried the upgrade today. The initial rom worked without issue, but the final rom just causes the boot loop (doesn't matter if anything is plugged into the ports or not)

    Just ordered a rs232 adapter, so hopefully I can resolve in a few days

    P.S. genuine thanks to the devs that have worked on this rom, no luck for me, but still appreciate the work.
     
  61. Wizardknight

    Wizardknight Reformed Router Member

    I hardly think that 2 features working at the same time qualifies as a Swiss army knife.

    The downside of shibby's rom is that the FTP server didn't work right unless it was set to port 21. The devs here fixed that issue a few versions back.

    I have tried 2018.3 and .4 with the same results.
    I am using port 2121 for my ftp servers.
    I tried disabling the FTP Nat helper under conntrack/netfilter, but there was no change.
    Thanks for the suggestion however.
     
  62. Sean B.

    Sean B. LI Guru Member

    Have you tried stopping, and then restarting the FTP server after the VPN is connected?
     
  63. Wizardknight

    Wizardknight Reformed Router Member

    Yes. It does not seem to make any difference if the FTP server is online and then I bring the VPN up or if I restart the FTP server after the VPN is on line.

    I am guessing that the GUI is doing some scripting that may be breaking the WAN FTP routing unintentionally.


    Logs don't show anything hitting the ftp server from the wan side at all when the VPN is online.


    Looking at the logs:
    Code:
    Bringing the VPN online:
    Oct 28 00:24:07 dd-wrt daemon.notice openvpn[4303]: post-decompress bytes,666
    Oct 28 00:24:07 dd-wrt daemon.notice openvpn[4303]: END
    
    Connection to the FTP server from the LAN (working):
    Oct 28 00:24:44 dd-wrt ftp.info vsftpd[4539]: [Wizardknight] OK LOGIN: Client "192.168.xx.xx2"
    Oct 28 00:24:44 dd-wrt ftp.info vsftpd[4541]: [Wizardknight] FTP response: Client "192.168.xx.xx2", "230 Login successful."
    Oct 28 00:24:44 dd-wrt ftp.info vsftpd[4541]: [Wizardknight] FTP command: Client "192.168.xx.xx2", "FEAT"
    Oct 28 00:24:44 dd-wrt ftp.info vsftpd[4541]: [Wizardknight] FTP response: Client "192.168.xx.xx2", "211-Features:"
    
    Connecting to the FTP server from the WAN:
    -nothing-
    Kill VPN:
    Oct 28 00:33:04 dd-wrt daemon.info dnsmasq[4992]: exiting on receipt of SIGTERM
    Oct 28 00:33:04 dd-wrt daemon.info dnsmasq[5139]: started, version 2.80test2-2018.06.12 cachesize 4096
    Oct 28 00:33:04 dd-wrt daemon.info dnsmasq[5139]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset Tomato-helper auth DNSSEC loop-detect inotify dumpfile
    Oct 28 00:33:04 dd-wrt daemon.info dnsmasq[5139]: asynchronous logging enabled, queue limit is 5 messages
    Oct 28 00:33:04 dd-wrt daemon.info dnsmasq-dhcp[5139]: DHCP, IP range 192.168.xx.2 -- 192.168.xx.xx, lease time 12h
    Oct 28 00:33:04 dd-wrt daemon.info dnsmasq[5139]: reading /etc/resolv.dnsmasq
    Oct 28 00:33:04 dd-wrt daemon.info dnsmasq[5139]: using nameserver 1.1.1.1#53
    Oct 28 00:33:04 dd-wrt daemon.info dnsmasq[5139]: using nameserver 1.0.0.1#53
    Oct 28 00:33:04 dd-wrt daemon.info dnsmasq[5139]: read /etc/hosts - 2 addresses
    Oct 28 00:33:04 dd-wrt daemon.info dnsmasq[5139]: read /etc/dnsmasq/hosts - 11 addresses
    Oct 28 00:33:04 dd-wrt daemon.info dnsmasq[5139]: read /etc/dnsmasq/dhcp-hosts - 0 addresses
    Oct 28 00:33:04 dd-wrt daemon.info dnsmasq-dhcp[5139]: read /etc/dnsmasq/hosts
    Oct 28 00:33:04 dd-wrt daemon.info dnsmasq-dhcp[5139]: read /etc/dnsmasq/dhcp-hosts
    
    Connect to FTP server from WAN (working w/no VPN):
    Oct 28 00:33:10 dd-wrt ftp.info vsftpd[5146]: [Wizardknight] OK LOGIN: Client "172.56.42.146"
    Oct 28 00:33:10 dd-wrt ftp.info vsftpd[5148]: [Wizardknight] FTP response: Client "172.56.42.146", "230 Login successful."
    Oct 28 00:33:10 dd-wrt ftp.info vsftpd[5148]: [Wizardknight] FTP command: Client "172.56.42.146", "FEAT"
    
     
    Last edited: Oct 28, 2018
  64. sac7000

    sac7000 Serious Server Member

    Thanks, it works for me.
    Checking the operation of stubby - https://1.0.0.1/help The connection is stable.
    The only problem I can not enter Site - https://bitbucket.org/kille72/freshtomato-arm After applying this method, it comes to the site only after using vpn in the browser.
     
    Last edited: Oct 28, 2018
  65. Sean B.

    Sean B. LI Guru Member

    Compare the iptables rules with FTP server active and VPN down, and with FTP server active and VPN up.
     
    M_ars likes this.
  66. thyestes

    thyestes New Member Member

    And to what IP address are you connecting? The 'normal' WAN address or the VPN address?
     
  67. PetervdM

    PetervdM Network Guru Member

    Hmm,
    I'm running an R8000 on which I have installed tomato-R8000-1.28.ARM--134-initial-64K and subsequently have updated starting with tomato-R8000-ARM--136-AIO-64K up to freshtomato-R8000-ARM-2018.4-AIO-64K and never had a bootloop. Did you wait long enough after the initial flashing before updating? I suggest you leave the R8000 alone for at least half an hour after the initial flashing.
     
    kille72 likes this.
  68. M_ars

    M_ars Network Guru Member

    Can you start a new thread and summarize what your setup/findings are right now ? I think its better to solve the problem :)
     
  69. Sean B.

    Sean B. LI Guru Member

    You quoted the wrong post.
     
  70. Chrispy

    Chrispy New Member Member

    Thanks for the reply PetervdM, I did wait between the flashes etc. but I went straight from the initial flash to freshtomato, without flashing tomato-R8000-ARM--136-AIO-64K inbetween.

    232 cable should arrive tomorrow, so I'll try flashing tomato-R8000-ARM--136-AIO-64K from tftp.
     
  71. Wizardknight

    Wizardknight Reformed Router Member

    I am afraid that is beyond my skill level.
     
  72. Wizardknight

    Wizardknight Reformed Router Member

    I am trying to connect to the non-vpn WAN address of the router.
     
  73. kyrios

    kyrios Networkin' Nut Member

    rgnldo, please check this code with your router? It seems I can't connect to the internet with this setting.
    Yes, I can connect to the internet, but for 5s only. After that, dnsmasq seems to hang / not respond.
    'Cause in the browser it just tries to resolve the DNS after 5s.

    I must add digest and value in order to work properly (this is from your previous post).
    Code:
      - address_data: 1.1.1.1
        tls_auth_name: "cloudflare-dns.com"
        tls_pubkey_pinset:
          - digest: "sha256"
            value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
      - address_data: 1.0.0.1
        tls_auth_name: "cloudflare-dns.com"
        tls_pubkey_pinset:
          - digest: "sha256"
            value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
    BTW, now it's better to remove no-negcache from Custom configuration?
     
  74. thyestes

    thyestes New Member Member

  75. sac7000

    sac7000 Serious Server Member

    kyrios
    Don't write that in Scripts -> Wan Up, then everything will work and will not hang.
     
  76. rgnldo

    rgnldo Serious Server Member

    Are you using the Stubby native to FreshTomato? If so, in Basic Network, choose no-resolv.

    Add this configuration to the tip I posted, with stubby.conf in the /jffs partition:

    Code:
    resolution_type: GETDNS_RESOLUTION_STUB
    
    dns_transport_list:
      - GETDNS_TRANSPORT_TLS
    
    tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
    
    #dnssec_return_status: GETDNS_EXTENSION_TRUE
    
    tls_query_padding_blocksize: 256
    
    edns_client_subnet_private : 1
    
    idle_timeout: 60000
    
    listen_addresses:
      - 127.0.0.1@5453
      -  0::1@5453
    
    round_robin_upstreams: 1
    
    upstream_recursive_servers:
    # IPv4 addresses
    # The 1.1.1.1 Cloudflare Servers
      - address_data: 1.1.1.1
        tls_auth_name: "cloudflare-dns.com"
        tls_pubkey_pinset:
          - digest: "sha256"
            value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
      - address_data: 1.0.0.1
        tls_auth_name: "cloudflare-dns.com"
        tls_pubkey_pinset:
          - digest: "sha256"
            value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
    
    Dnsmasq custom configuration:

    Code:
    cache-size=0
     
  77. sac7000

    sac7000 Serious Server Member

    Stubby is not working with your method, even though the website https://1.0.0.1/help shows "Using DNS over TLS (DoT)" - https://d.radikal.ru/d42/1810/2b/86075387ef37.png
    But I analysed the DNS traffic and Wireshark shows all my DNS queries - https://d.radikal.ru/d05/1810/8f/025ae6112597.png
    It should be - https://hsto.org/webt/xj/vg/h2/xjvgh2psrj9rypvkvkrpnochkhi.png

    How do I change the network DNS settings to direct requests to 127.0.0.1 (localhost)?
     
    Last edited: Oct 30, 2018
  78. thewaywardgeek00

    thewaywardgeek00 Network Newbie Member

    Hi new to this fork, would like to ask if it's alright to upgrade my router to this firmware as Shibby has been silent for quite a while already. And if it is, is it possible to restore backed up settings from Shibby FW to FreshTomato FW after NVRAM Clear?

    Router
    DIR-868L Rev. A
    Firmware
    Shibby Tomato v140 ARM

    Thanks!
     
  79. rgnldo

    rgnldo Serious Server Member

    I believe you will have to disable the Dnsmasq DNS service, leaving only the DHCP server. In FreshTomato, I usually use Dnsmasq as a cache.

    Try to disable the Local DNS option, not the FreshTomato DNS/DHCP section.

    Not so easy firmware changes shipped
     
    Last edited: Oct 30, 2018
  80. sac7000

    sac7000 Serious Server Member

  81. rgnldo

    rgnldo Serious Server Member


    Scripts -> Wan Up

    Code:
    sleep 5
    cp /jffs/stubby.yml /etc
    sleep 5
    service dnsmasq restart
    Code:
    resolution_type: GETDNS_RESOLUTION_STUB
    dns_transport_list:
      - GETDNS_TRANSPORT_TLS
    tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
    tls_query_padding_blocksize: 128
    edns_client_subnet_private : 1
    round_robin_upstreams: 0
    idle_timeout: 2000
    tls_connection_retries: 5
    tls_backoff_time: 900
    timeout: 2000
    appdata_dir: "/opt/var/cache/stubby"
    listen_addresses:
      - 127.0.0.1@5453
      - 0::1@5453
    
    upstream_recursive_servers:
    # Quad 9 Secure Primary
    #  - address_data: 9.9.9.9
    #    tls_auth_name: "dns.quad9.net"
    # Quad 9 Secure Primary
    #  - address_data: 2620:fe::fe
    #    tls_auth_name: "dns.quad9.net"
    # Cloudflare Primary IPv4
      - address_data: 1.1.1.1
        tls_auth_name: "cloudflare-dns.com"
    # Cloudflare Secondary IPv4
    #  - address_data: 1.0.0.1
    #    tls_auth_name: "cloudflare-dns.com"
    # Cloudflare Primary IPv6
      - address_data: 2606:4700:4700::1111
        tls_auth_name: "cloudflare-dns.com"
    # Cloudflare Secondary IPv6
    #   - address_data: 2606:4700:4700::1001
    #     tls_auth_name: "cloudflare-dns.com"
    Dnsmasq Custom Configuration:
    Code:
    cache-size=0
    server=0::1#5453
    I'm assuming that you use native Stubby in FreshTomato.
     
  82. sac7000

    sac7000 Serious Server Member

    rgnldo
    Stubby in FreshTomato
    I tried this option; the requests did not go directly to 192.168.1.1, and went to 1.1.1.1 -
    https://a.radikal.ru/a36/1810/b1/ff73a53d6e6e.png
    But the DNS queries are still in the open. And the site https://1.0.0.1/help shows - Using DNS over TLS (DoT) - NO.
    Could you show a screenshot of Wireshark or dig to confirm that this method works for you and the traffic is encrypted?
    You are already close to the correct settings; I'll wait for the working version.
     
    Last edited: Oct 30, 2018
  83. rgnldo

    rgnldo Serious Server Member


    Code:
    tls_ca_file: "/rom/cacert.pem"
    
    resolution_type: GETDNS_RESOLUTION_STUB
    
    dns_transport_list:
      - GETDNS_TRANSPORT_TLS
    
    tls_authentication: GETDNS_AUTHENTICATION_NONE
    
    tls_query_padding_blocksize: 256
    
    edns_client_subnet_private : 1
    
    idle_timeout: 10000
    
    listen_addresses:
      - 127.0.0.1@5453
      -  0::1@5453
    
    round_robin_upstreams: 0
    
    upstream_recursive_servers:
    # IPv4 addresses
    # Cloudflare
      - address_data: 1.1.1.1
        tls_auth_name: "cloudflare-dns.com"
      - address_data: 1.0.0.1
        tls_auth_name: "cloudflare-dns.com"
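    The stubby.yml variants quoted above differ in exactly the two places that decide whether client queries leave the router encrypted: tls_authentication (GETDNS_AUTHENTICATION_REQUIRED verifies the upstream certificate against tls_auth_name, GETDNS_AUTHENTICATION_NONE is opportunistic TLS only) and whether dnsmasq is actually told to forward to Stubby's listen address. The script below is an added example, not code from this thread or from FreshTomato; it runs both checks against constructed sample configs modelled on the ones posted here, and assumes dnsmasq is pointed at Stubby with a server= line plus no-resolv in the custom configuration.

```sh
#!/bin/sh
# Added example (not from the thread or FreshTomato): check that a stubby.yml and the
# dnsmasq custom configuration fit together, so client queries leave the router over TLS.
check_dot_setup() {   # usage: check_dot_setup stubby.yml dnsmasq.conf ; returns 1 on any finding
    stubby=$1 dnsmasq=$2 rc=0
    # NONE means opportunistic TLS: the upstream certificate is never matched against tls_auth_name
    grep -q '^tls_authentication:[[:space:]]*GETDNS_AUTHENTICATION_REQUIRED' "$stubby" ||
        { echo "WARN: tls_authentication is not GETDNS_AUTHENTICATION_REQUIRED"; rc=1; }
    # every upstream needs a tls_auth_name (grep -c prints 0 but exits 1 on no match, hence || true)
    n_up=$(grep -c '^[[:space:]]*- address_data:' "$stubby" || true)
    n_auth=$(grep -c '^[[:space:]]*tls_auth_name:' "$stubby" || true)
    [ "$n_up" -eq "$n_auth" ] || { echo "WARN: $n_up upstreams but $n_auth tls_auth_name entries"; rc=1; }
    # without server= (plus no-resolv) dnsmasq keeps using the WAN resolvers from DHCP, in the clear
    grep -q '^server=' "$dnsmasq" || { echo "WARN: dnsmasq has no server= line pointing at Stubby"; rc=1; }
    grep -q '^no-resolv' "$dnsmasq" || { echo "WARN: dnsmasq lacks no-resolv; resolv.conf upstreams stay active"; rc=1; }
    # each server= target (addr#port) must be one of Stubby's listen_addresses (addr@port)
    for s in $(sed -n 's/^server=//p' "$dnsmasq"); do
        case $s in *#*) addr=${s%#*} port=${s#*#} ;; *) addr=$s port=53 ;; esac
        grep -q "^[[:space:]]*-[[:space:]]*${addr}@${port}[[:space:]]*\$" "$stubby" ||
            { echo "WARN: server=$s is not a Stubby listen address"; rc=1; }
    done
    return $rc
}

write_samples() {   # writes constructed good/ and weak/ config pairs under directory $1
    mkdir -p "$1/good" "$1/weak"
    cat >"$1/good/stubby.yml" <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
EOF
    printf 'cache-size=0\nno-resolv\nserver=127.0.0.1#5453\n' >"$1/good/dnsmasq.conf"
    # weak pair: opportunistic TLS, and dnsmasq never told to forward to Stubby
    sed 's/AUTHENTICATION_REQUIRED/AUTHENTICATION_NONE/' "$1/good/stubby.yml" >"$1/weak/stubby.yml"
    printf 'cache-size=0\n' >"$1/weak/dnsmasq.conf"
}

tmp=$(mktemp -d) && write_samples "$tmp"
check_dot_setup "$tmp/good/stubby.yml" "$tmp/good/dnsmasq.conf" && echo "good pair: OK"
check_dot_setup "$tmp/weak/stubby.yml" "$tmp/weak/dnsmasq.conf" || echo "weak pair: see findings above"
```

    On the router, point the two arguments at /jffs/stubby.yml and the file dnsmasq actually reads; the check is static, so confirm with a packet capture that port 53 traffic to the WAN has stopped.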
     
  84. sac7000

    sac7000 Serious Server Member

    I did not finish the test process. - https://c.radikal.ru/c36/1810/f0/1876749e14fa.png
    And it does not say that you are protected from heat.
    There are other DNS tests that say that I use Cloudflare, but they write - your DNS queries are not protected!
    Check yourself - http://dnsleak.com
    - https://www.expressvpn.com/ru/dns-leak-test

    It shows me DNS IP 162.158.83.24 Cloudflare Germany
    DNS IP 162.158.180.124 Cloudflare Sweden

    So the question is: judging by these tests, can the provider see my requests?
     
  85. rgnldo

    rgnldo Serious Server Member

    Weird. Something is wrong with your network, some implementation you did on the network.

    Here it's normal for me.
     
  86. sac7000

    sac7000 Serious Server Member

    My provider uses blocking - performed by the domain name (IP address) of the entire site.
    The provider's DPI intercepts requests from subscribers and sends bogus responses from the server.
    Without a VPN or proxy it can't be done.
    Therefore, I also want to hide DNS requests.
    I also can not reach the site - https://1.1.1.1/help
    only https://1.0.0.1/help opens
    Thanks for the help and
    I apologize for the trouble, I will look for a solution.
     
    Last edited: Oct 30, 2018
  87. mauriga

    mauriga Reformed Router Member

    Sorry to be such a newbie, but where do I have to insert this code?
    Tnx in advance

    mau——
     
  88. Chrispy

    Chrispy New Member Member

    Does anyone use the IGMPProxy on 2018.4?

    I've tried using the auto config with the check boxes, and tried writing my own config, but I always get the error:

    Code:
    igmpproxy[29439]: select() failure; Errno(4): Interrupted system call
    Is there a way to turn on debug logging? I've had a quick look at the source for igmpproxy and tried a few different flags for defaultdown etc., but no luck.
     
  89. M_ars

    M_ars Network Guru Member

    Yes, i do (with Telekom Entertain IPTV) and everything is working perfectly :)

    Sometimes you will see that warning, but everything is working. Right now I have it one time after start-up:
    Code:
    user.warn igmpproxy[1276]: select() failure; Errno(4): Interrupted system call
    you will find some stuff about that warning at google, dd-wrt, openwrt, ...
    --> nothing freshtomato specific

    What is not working for you?
     
  90. Chrispy

    Chrispy New Member Member

    Hmmm, I'm trying to use igmpproxy so that Sonos devices on one vnet can be seen on another vnet. It wasn't working initially, and then I saw the Errno(4) so assumed that was the issue. Maybe it's just some other config then.

    Seeing as igmpproxy is widely used (as you said, dd-wrt etc.) I had found this error a few times on google, and according to the git logs, the issue was fixed in one of the versions.

    I'll check tonight again.
     
  91. Sinopsys

    Sinopsys Reformed Router Member

    Hello,

    A little update on that behaviour: it seems that activating IPv6 somehow solved the issue!??? At least no more freezes/lag while browsing the internet.

    Now I would like to raise two other issues:

    - While having WhatsApp calls via wifi close to the AP, after a few minutes I get recurrent re-connections (peers keep hearing me) which do not happen when calling through 4G!? Anyone having the same?

    - I tested throughput with iperf3 and I get very slow results (consistent with an external speedtest):
    over wifi (5G channel):
    [SUM] 0.00-60.00 sec 1.02 GBytes 146 Mbits/sec sender
    [SUM] 0.00-60.00 sec 1.02 GBytes 146 Mbits/sec receiver
    with a non-zero number of lost packets in UDP: could that explain the WhatsApp behaviour?
    [ 4] 0.00-10.00 sec 119 MBytes 100 Mbits/sec 0.670 ms 34/15255 (0.22%)

    over ethernet (1G):
    [SUM] 0.00-60.00 sec 2.96 GBytes 424 Mbits/sec 71 sender
    [SUM] 0.00-60.02 sec 2.95 GBytes 422 Mbits/sec receiver

    Performance was not that low on the 1.40 firmware with the same setup (but Afterburner auto/disabled): 295 Mbits dl / 273 Mbits ul
     
  92. kyrios

    kyrios Networkin' Nut Member

    Yes, I use the native Stubby from FreshTomato. The Stubby config above works for me.
    It should be stubby.yml, not stubby.conf, BTW.
    ----
    While this Stubby code from your other post (post #1181) does not work for me.
    I want to highlight this code
    Code:
    appdata_dir: "/opt/var/cache/stubby"
    There's no /var dir in /opt. The /opt dir is just empty.
    Or... wait. Is this for Entware?
    You should write in every one of your posts which one is for native and which one is for Entware,
    so people will not get confused.
    ---

    BTW, you also posted a different stubby.yml in post #1183.
    This time I do not understand this code
    Code:
    tls_ca_file: "/rom/cacert.pem"
    I do not see a /rom dir on my EA6900 router.

    This post is not written to attack you, just to criticize.
    In fact, I thank you because I'm able to use Stubby thanks to your first Stubby code above.
    I just want people not to be confused reading your posts and to be able to use Stubby based on your suggestion.
     
    Last edited: Nov 2, 2018
    rgnldo likes this.
  93. B Tung

    B Tung New Member Member

    dir-868l rev.a
    fresh tomato 2018.4

    Hi, I'd like to report that the ethernet ports will be misidentified after you change WAN to PPPoE and the VLAN/VID settings are changed, and it is irreversible unless you do a full factory reset.

    This is the same problem with my RT-N12 D running 2018.3 and 2018.4.

    Thanks
     
  94. rgnldo

    rgnldo Serious Server Member

    Truth. I recognize my mistake. I am optimistic about your positioning.
    Yes, you will have to create this directory. It is useful for both the native Stubby and Entware.
     
  95. rgnldo

    rgnldo Serious Server Member

    For Entware:

    /opt/etc/init.d/S10Stubby

    Code:
    #!/bin/sh
    logger -t S61stubby "Starting Stubby DNS over TLS $0"
    
    # set environment PATH to system binaries
    export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
    
    ENABLED=yes
    PROCS=stubby
    ARGS="-g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log"
    PREARGS="nohup"
    DESC=$PROCS
    PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    . /opt/etc/init.d/rc.func
    
     
    Last edited: Nov 2, 2018
  96. B Tung

    B Tung New Member Member

    PPPoE is working at the WAN port, just the port info shows as port 4.
     
  97. thewaywardgeek00

    thewaywardgeek00 Network Newbie Member

    Sorry for reposting this again, hope someone can help, thanks!
     
  98. thyestes

    thyestes New Member Member

    Just read other posts in this thread.
     
    thewaywardgeek00 likes this.
  99. ElementOmicron

    ElementOmicron Network Newbie Member

    What is the chance that a whitelist could be added to the access restrictions? Right now we can allow all websites EXCEPT a certain website; can we do the reverse? I think some people would prefer this on a schedule as well (saw other posts about that), but just a static whitelist at first would be amazing. In the meantime I'm going to look and see what the iptables rules for doing this on a specific VLAN are. Thanks for the great software!
     
  100. M_ars

    M_ars Network Guru Member

    @kille72 @pedro311 I wanted to ask when you plan the next release? Lots of fixes/updates in the last two months :)
    BR
     