[Fork] FreshTomato-ARM

Discussion in 'Tomato Firmware' started by kille72, Apr 15, 2018.

  1. Wizardknight

    Wizardknight Serious Server Member

    Sweet.
    Should this update fix the issue where having two VPN clients with the same forwarding range breaks all of the VPN clients, or is that bug to be resolved at some other time?
     
  2. Wizardknight

    Wizardknight Serious Server Member

    I think they were removed around 2018.3 or 2018.4

    Edit:
    From the change log:
    2018.4 - 2018.09.12
    - nocat: Retiring Captive Portal feature
     
  3. M_ars

    M_ars Network Guru Member

    @pedro311 @kille72 Thank you very much for the upcoming release 2018.5 (ARM & MIPS)
    everything looks very good. really a nice christmas present :D
    Little donation from my side :)
    pedro: 12454301V3270524G
    kille: 39452710V5927684P

    BR
    M_ars
     
    kille72 and pomidor1 like this.
  4. pomidor1

    pomidor1 Networkin' Nut Member

    you also deserve our thanks for your work input
     
    tripper22 and kille72 like this.
  5. pedro311

    pedro311 Networkin' Nut Member

    tripper22 likes this.
  6. rgnldo

    rgnldo Networkin' Nut Member

    I can access the linksysinfo.org forum only by the Tor browser.
     
  7. kille72

    kille72 LI Guru Member

    Thank you very much! :)
     
    Last edited: Dec 19, 2018
  8. Berty1

    Berty1 New Member Member

    I did a few more tests with 2018-5 beta running on Tenda AC15.

    So far after over a week of tests this build is stable and I didn't see problems.
    Just to mention a strange behaviour (not specific to Tenda, it's the same on Asus RTN18U, and not specific to this release); when wireless client filtering is activated, it is not possible to start a Wireless Site Survey on the band that has a filter activated... the router just does.... nothing.
     
  9. rs232

    rs232 Network Guru Member

    @pedro311 @kille72
    For the sake of increasing the involvement in the project, would you consider providing a preconfigured VM image for other users who want to learn/contribute? It seems like lots of users are having issues setting up a compiling environment so getting access to a copy of what you use would actually help a lot!

    Just an idea
    Thanks
     
    Magister and kille72 like this.
  10. ls4444

    ls4444 New Member Member

    Hi all,
    I recently acquired a TP-Link Archer C5 v2 router, and am thinking of testing it with RT-AC56U-VPN (ac68e) images.
    As far as I can tell, FreshTomato is the only group that has built recent 5GHz enabled images for the related hardware <16MB.

    I can't link due to account age, but the model names on wikidevi are:
    ASUS RT-AC56U
    TP-LINK Archer C5 v2.x

    The major differences are the BCM47081A0 SoC, 16MB of flash and that WI1 and WI2 are swapped.
    According to several dd-wrt forum threads the Linksys EA6200 (which uses the BCM47081A0 but is otherwise identical to the RT-AC56U) is fully functional with images built for the RT-AC56U.

    The radio difference seems minor:
    WI1 = BCM4352 (AC56U) vs. BCM43217 (C5 v2)
    WI2 = BCM43217 (AC56U) vs. BCM4352 (C5 v2)

    In theory, could the existing RT-AC56U VPN builds successfully boot on the Archer C5 v2?
     
  11. Drift_91

    Drift_91 Serious Server Member

    My Netgear R7000 just crashed about 20 minutes ago. When I checked to see if there was an update I noticed one was just released today. Is there a chance that a bug in the update notification system may have crashed my router?

    I did notice that since I booted it back up the CPU temperature has dropped from 70°C to 60°C so I'm not sure if it overheated or if the update notification did it.
     
  12. kille72

    kille72 LI Guru Member

    Last edited: Dec 23, 2018
    btaroli, Haldi4803, Goggy and 11 others like this.
  13. usergay

    usergay Reformed Router Member

    Thank you! Merry Xmas!
     
    pedro311 and kille72 like this.
  14. rs232

    rs232 Network Guru Member

    Thank you!

    I have some minor feedback I have wanted to share for a long time but always forgot.

    Can the Image Filename be in sync with:
    Current Version reported under Administration/Upgrade
    and
    First line of the About page?

    e.g. currently
    freshtomato-RT-AC56U-ARM-2018.4-AIO-64K.trx
    Current Version: 2018.4 K26ARM USB AIO-64K

    Thanks!
     
  15. rgnldo

    rgnldo Networkin' Nut Member

    Great launch. thank you very much :)
     
    kille72 likes this.
  16. pedro311

    pedro311 Networkin' Nut Member

    Current version seen on about page is that one reported also to tomatoanon project.
    So if I change it to - say - "filename standards", it will break tomatoanon...
     
    kille72 likes this.
  17. Magister

    Magister LI Guru Member

    I also have a R7000, I checked the homepage and saw a 2018.5 notification too, but it has not rebooted, CPU is at 61°C right now.
     
  18. cloneman

    cloneman LI Guru Member

    That webshell is pretty badass.
     
    Techie007 likes this.
  19. Boktai1000

    Boktai1000 Network Guru Member

    Hi @AndreDVJ - Just wanted to check in on your fork and ask you a quick question. First Question is can we expect an update to your fork of FreshTomato + AdvancedTomato based on the new 2018.5 FreshTomato release, and the Second Question is your fork something you're planning on updating and maintaining moving forward?

    Really appreciate that you're doing that, but also just wanted to check in to see if it's something that will continue to be updated over time. Most of the people interested in using it I imagine are people looking for an updated version of AdvancedTomato, so I thought it was a question worth asking. Thank you and have a great day! :)

    (Also lastly thank you to @pedro311 and @kille72 for the early Christmas gift!)
     
    RogueScholar and kille72 like this.
  20. ras07

    ras07 Network Guru Member

    I have a somewhat complicated configuration, with a number of VLANs, many static DHCP entries, and lots of ports forwarded hither and yon. It makes upgrading tedious and error-prone. Has anyone written scripts to write out specific NVRAM entries (as opposed to dumping the whole thing as a block) that can then be safely restored after an upgrade?

    Even just being able to write out all the settings individually (with names) - even without the ability to restore them after an upgrade - would be really useful, to be able to compare before-and-after configurations.
     
  21. eris23

    eris23 Networkin' Nut Member

    Any known problems moving from AndreDVJ build to this one? I assume erasing NVRAM memory is needed? Anything else?
     
  22. pomidor1

    pomidor1 Networkin' Nut Member

    I do not know how in this version, but in previous, if you reset your browser cache, I did not register negative events except for the lack of the ability to download the skin from the web database, I did not erase the nvram, the images are very similar
     
    eris23 likes this.
  23. joew333

    joew333 LI Guru Member

    Loaded the 2018.5 AIO release on my Asus RT-AC68U last night. I had been running Grinch Tomato AIO (10/03/2018 version), so after flashing to 2018.5 I cleared NVRAM and loaded a previously saved config file from 2018.4. The CPU load on the 2018.5 release seems much higher than on 2018.4. On the Grinch Tomato (fork of AndreDVJ) I had been running 2-5% processor load. On 2018.5, the processor load is 16-18% with the same background activities. Looking at TOP, a good part of that appears to be Stubby. What is anyone else experiencing?
     
  24. kille72

    kille72 LI Guru Member

    From #1 post:
    No problem here with 2018.5:
    htop.png
     
    Last edited: Dec 22, 2018
    pedro311 and M_ars like this.
  25. Bird333

    Bird333 Network Guru Member

    What do the 3 priority options (strict-order, no-resolv, none) mean under the stubby gui?
     
    rs232 likes this.
  26. WillyTP

    WillyTP Connected Client Member

    Hello everybody!
    Unfortunately do we have to give up about support for Asus RT-AC68U Rev. C1/E1?

    This was said to be done almost two releases ago.
    Please understand, I super appreciate your work, I'm just "sad" that my router is not supported :)

    Best regards
     
  27. rgnldo

    rgnldo Networkin' Nut Member

    I and @AndreDVJ have IP Brazil blocked by linksysinfo.org.
     
  28. Cliffield

    Cliffield Connected Client Member

    By default, dnsmasq will send dns queries to any of the upstream servers it knows about and tries to favour servers that are known to be up. Those are usually the dns servers of your internet provider or the servers you define under the 'wan settings' gui.
    If you use stubby and set the priority to 'none', dnsmasq will use stubby as a third upstream server in addition to the other two.
    If 'no-resolv' is chosen, dnsmasq will forward all dns queries to stubby.
    Setting 'strict-order' forces dnsmasq to try each query with each server strictly in the following order : 1. stubby, 2. first upstream server, 3. second upstream server.

    So, if there is no specific reason for you to change the config just use the default setting 'no-resolv'

    Cliffield

    (Please note: The explanation above is for a user's point of view.)
     
    Severus, kille72 and Bird333 like this.
  29. Pasha_ZZZ

    Pasha_ZZZ Serious Server Member

    Long time problem (maybe even Shibby's last releases have this, not sure): I have white IP and DDNS. And there are port forward rules pointing to the PC. When I reach PC from WAN (other wired or mobile internet) all works fine. But when I am on the router's WiFi - there is no forwarding.
    Even if I try to reach ports from WiFi: RouterIP:<portnumber>
     
  30. Bird333

    Bird333 Network Guru Member

    So these are really options related to dnsmasq then? Thanks
     
  31. rs232

    rs232 Network Guru Member

    About Stubby:
    It seems like dnsfilter.com has not been included in the Stubby conf

    Ref: https://docs.dnsfilter.com/docs/dns-over-tls

    Code:
    upstream_recursive_servers:
      - address_data: 103.247.36.36
        tls_auth_name: "dns1.dnsfilter.com"
      - address_data: 103.247.37.37
        tls_auth_name: "dns2.dnsfilter.com"

    I do appreciate the way Stubby has been implemented in Tomato (very difficult to mess about) which is very important for a basic user but I still think that it would be good to be allowed to "add" config from the GUI like the custom-config area for dnsmasq per se. Otherwise we need to go through all the pain to create a custom config file, store it, mount -bind, restart service etc...


    Also I would suggest for any "server=" (excluding "server=\" which can be used for local internal domains delegation) in the dnsmasq to be ignored, and notified in the syslog, when Stubby is enabled.

    Finally (didn't check the config files) but the dnsmasq parameter:
    Use received DNS with user-entered DNS
    should not be allowed in dnsmasq

    I have to say I'm really impressed with the work done in this direction!

    @pedro311 @kille72 It seems like the Cloudflare page at some point (say after 1 hour of usage) changes the usage Using DNS over TLS (DoT) from Yes to No but nothing is logged in the syslog. Wondering if this is the Stubby daemon failing silently...?

    [Edit] Little update after further investigation: I have worked out that even if the Use received DNS with user-entered DNS is disabled (!) the ISP DNSes are added to dnsmasq. This tells me two things: that switch under dnsmasq advanced config doesn't work and to make Stubby work you need to manually specify NOT to accept DNS via DHCP from the ISP on the WAN interface configuration. e.g. set it to DNS manual and 0.0.0.0 for both. Failing to do so dnsmasq will have as option Stubby and the ISP DNSes, possibly choosing the latter as it's perhaps a bit faster and making the Stubby verification page fail. Finally implementing the suggested solution, considering that Stubby can take a good minute or so to come up online after a firewall restart script call is performed it means DNS might become unavailable at random time while tomato is running (Unless Stubby startup is prioritised).

    HTH
     
    Last edited: Dec 24, 2018
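Added example, not written by any poster in this thread or by the FreshTomato project: the mix of Stubby and ISP resolvers described in the post above can be confirmed from the `using nameserver` lines dnsmasq writes to syslog. The function names and the sample log lines (documentation-range addresses) are constructed for illustration; `127.0.0.1#5453` is the Stubby listener quoted in the thread.

```shell
#!/bin/sh
# Added example: report which upstream resolvers dnsmasq is using, from syslog.
# Stubby's listener as used in this thread (server=127.0.0.1#5453).
STUBBY="127.0.0.1#5453"

# dnsmasq_upstreams LOGFILE
# Prints each distinct upstream from dnsmasq's most recent server list.
# dnsmasq logs the whole list again after a start and after each re-read of
# the resolv file, so both events reset the collected set.
dnsmasq_upstreams() {
    awk '
        /dnsmasq\[[0-9]+\]: (started, version|reading \/)/ { split("", seen); n = 0; next }
        /dnsmasq\[[0-9]+\]: using nameserver / {
            # the address follows the word "nameserver" (a "for domain X" suffix may follow it)
            for (i = 1; i < NF; i++) if ($i == "nameserver") ns = $(i + 1)
            if (!(ns in seen)) { seen[ns] = 1; order[++n] = ns }
        }
        END { for (i = 1; i <= n; i++) print order[i] }
    ' "$1"
}

# dnsmasq_dot_status LOGFILE
# dot-only  : Stubby is the sole upstream (what priority no-resolv should give)
# mixed     : plaintext resolvers sit beside Stubby, so queries can bypass DoT
# no-stubby : Stubby is not an upstream at all
# unknown   : no "using nameserver" lines found
dnsmasq_dot_status() {
    ups=$(dnsmasq_upstreams "$1")
    [ -n "$ups" ] || { echo unknown; return 0; }
    if ! printf '%s\n' "$ups" | grep -qxF "$STUBBY"; then
        echo no-stubby
    elif [ "$(printf '%s\n' "$ups" | grep -cvxF "$STUBBY")" -gt 0 ]; then
        echo mixed
    else
        echo dot-only
    fi
}

# Constructed sample: Stubby plus two resolvers taken from the resolv file.
sample_mixed() { cat <<'EOF'
Jan  1 10:00:00 router daemon.info dnsmasq[100]: started, version 2.80 cachesize 4096
Jan  1 10:00:00 router daemon.info dnsmasq[100]: using nameserver 127.0.0.1#5453
Jan  1 10:00:00 router daemon.info dnsmasq[100]: reading /etc/resolv.dnsmasq
Jan  1 10:00:00 router daemon.info dnsmasq[100]: using nameserver 127.0.0.1#5453
Jan  1 10:00:00 router daemon.info dnsmasq[100]: using nameserver 192.0.2.53#53
Jan  1 10:00:00 router daemon.info dnsmasq[100]: using nameserver 198.51.100.53#53
EOF
}

# Constructed sample: a later restart with no-resolv in effect.
sample_noresolv() { cat <<'EOF'
Jan  1 10:05:00 router daemon.info dnsmasq[200]: started, version 2.80 cachesize 4096
Jan  1 10:05:00 router daemon.warn dnsmasq[200]: warning: ignoring resolv-file flag because no-resolv is set
Jan  1 10:05:00 router daemon.info dnsmasq[200]: using nameserver 127.0.0.1#5453
EOF
}

# Demo on the constructed data: the first start leaks, the restart does not.
tmp=$(mktemp)
sample_mixed > "$tmp"
echo "after first start: $(dnsmasq_dot_status "$tmp")"
sample_noresolv >> "$tmp"
echo "after restart:     $(dnsmasq_dot_status "$tmp")"
rm -f "$tmp"
```

On a router, pass the syslog file itself as the argument; anything other than `dot-only` while Stubby is enabled means some queries can still leave in plaintext.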
  32. Boktai1000

    Boktai1000 Network Guru Member

    Ah I see, I also noticed that a user by the name of Grinch22 has an updated Fork of AndreDVJ now. Does this user by chance come around these forums, or is there a discussion somewhere for the Grinch22 builds? Don't want to derail this thread too hard, but genuinely curious. Also that being said- is there a place where @AndreDVJ and other folks that got blocked now hang out?

    Found the Grinch22 builds here: https://bitbucket.org/Grinch22/advancedtomato-arm
     
  33. kille72

    kille72 LI Guru Member

    Thanks, we'll add it.

    Stubby jumps from Cloudflare to Surfnet for some reason, therefore Cloudflare shows that you are not using their service. https://www.dnsleaktest.com you can test here which one you use. We will modify DoT so that you can manually select the server, I don't know when, but this is on the to-do list...

    Quick workaround:
    1. Modify stubby.yml to servers you want to use
    2. Copy the modified file to eg. /opt
    3. In Administration-Scripts-Wan up, paste the following script with the right path
    Code:
    sleep 5
    cp /opt/stubby.yml /etc
    sleep 1
    service dnsmasq restart
    4. Restart your router

    Merry Christmas!
     
    Last edited: Dec 24, 2018
    Haldi4803 and rs232 like this.
  34. rgnldo

    rgnldo Networkin' Nut Member

    My stubby.yml:
    Code:
    tls_ca_file: "/rom/cacert.pem"
    
    resolution_type: GETDNS_RESOLUTION_STUB
    dns_transport_list:
      - GETDNS_TRANSPORT_TLS
    tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
    tls_query_padding_blocksize: 128
    edns_client_subnet_private : 1
    round_robin_upstreams: 0
    idle_timeout: 2000
    tls_connection_retries: 5
    tls_backoff_time: 900
    timeout: 2000
    appdata_dir: "/opt/var/cache/stubby"
    
    listen_addresses:
      - 127.0.0.1@5453
      #- 0::1@5453
    
    upstream_recursive_servers:
    # IPv4 addresses
    # Cloudflare
      - address_data: 1.1.1.1
        tls_auth_name: "cloudflare-dns.com"
      - address_data: 1.0.0.1
        tls_auth_name: "cloudflare-dns.com"
    # Quad 9 'secure' service - Filters, does DNSSEC, doesn't send ECS
    #  - address_data: 9.9.9.9
    #    tls_auth_name: "dns.quad9.net"
    # The Surfnet/Sinodun servers
    #  - address_data: 145.100.185.15
    #    tls_auth_name: "dnsovertls.sinodun.com"
    #    tls_pubkey_pinset:
    #      - digest: "sha256"
    #        value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
    #  - address_data: 145.100.185.16
    #    tls_auth_name: "dnsovertls1.sinodun.com"
    #    tls_pubkey_pinset:
    #      - digest: "sha256"
    #        value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
    # The getdnsapi.net server
    #  - address_data: 185.49.141.37
    #    tls_auth_name: "getdnsapi.net"
    #    tls_pubkey_pinset:
    #      - digest: "sha256"
    #        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
    # IPv6 addresses
    # Cloudflare
    #  - address_data: 2606:4700:4700::1111
    #    tls_auth_name: "cloudflare-dns.com"
    #  - address_data: 2606:4700:4700::1001
    #    tls_auth_name: "cloudflare-dns.com"
    # Quad 9 'secure' service - Filters, does DNSSEC, doesn't send ECS
    #  - address_data: 2620:fe::fe
    #    tls_auth_name: "dns.quad9.net"
    # The Surfnet/Sinodun servers
    #  - address_data: 2001:610:1:40ba:145:100:185:15
    #    tls_auth_name: "dnsovertls.sinodun.com"
    #    tls_pubkey_pinset:
    #      - digest: "sha256"
    #        value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
    #  - address_data: 2001:610:1:40ba:145:100:185:16
    #    tls_auth_name: "dnsovertls1.sinodun.com"
    #    tls_pubkey_pinset:
    #      - digest: "sha256"
    #        value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
    # The getdnsapi.net server
    #  - address_data: 2a04:b900:0:100::38
    #    tls_auth_name: "getdnsapi.net"
    #    tls_pubkey_pinset:
    #      - digest: "sha256"
    #        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
    #   - address_data: 103.247.36.36
    #     tls_auth_name: "dns1.dnsfilter.com"
    #   - address_data: 103.247.37.37
    #     tls_auth_name: "dns2.dnsfilter.com"
    
     
    rs232 and kille72 like this.
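Added example, not from any poster or from the FreshTomato or Stubby projects: a pre-flight check for a hand-edited stubby.yml before the WAN-up workaround copies it into /etc, so a typo does not leave the resolver on a profile with plaintext fallback. It assumes block-style YAML like the file posted above; the function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: refuse to install a stubby.yml that is not TLS-only with
# required authentication. Assumes block-style YAML as posted in the thread.

# stubby_strict_check FILE
# Prints one line per problem; returns 0 only when nothing was found.
stubby_strict_check() {
    awk '
        function check_prev() {
            if (cur != "" && !named) {
                print "upstream " cur ": no tls_auth_name or tls_pubkey_pinset"
                bad = 1
            }
        }
        { sub(/#.*/, "") }                  # commented-out entries do not count
        /^[ \t]*$/ { next }
        $1 == "tls_authentication:" { auth = $2 }
        $1 == "dns_transport_list:" { in_tr = 1; next }
        in_tr && $1 == "-" {
            ntr++
            if ($2 != "GETDNS_TRANSPORT_TLS") {
                print "transport " $2 " allows non-TLS fallback"
                bad = 1
            }
            next
        }
        { in_tr = 0 }                       # any other line ends the transport list
        /address_data:/ { check_prev(); cur = $NF; named = 0; nup++ }
        /tls_auth_name:[ \t]*[^ \t]/ || /tls_pubkey_pinset:/ { named = 1 }
        END {
            check_prev()
            if (auth != "GETDNS_AUTHENTICATION_REQUIRED") {
                print "tls_authentication is " (auth == "" ? "unset" : auth) ", not GETDNS_AUTHENTICATION_REQUIRED"
                bad = 1
            }
            if (ntr == 0) { print "dns_transport_list is not set to TLS only"; bad = 1 }
            if (nup == 0) { print "no active upstream_recursive_servers entry"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# install_if_strict SRC DST: the cp step of the workaround, guarded by the check.
install_if_strict() {
    stubby_strict_check "$1" >&2 && cp "$1" "$2"
}

# Constructed sample modelled on the keys in the stubby.yml posted above.
sample_strict() { cat <<'EOF'
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
EOF
}

# Constructed sample with three mistakes (192.0.2.53 is a documentation address).
sample_weak() { cat <<'EOF'
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
  - GETDNS_TRANSPORT_UDP
tls_authentication: GETDNS_AUTHENTICATION_NONE
upstream_recursive_servers:
  - address_data: 192.0.2.53
  #  - address_data: 1.1.1.1
  #    tls_auth_name: "cloudflare-dns.com"
EOF
}

# Demo on the constructed data.
tmp=$(mktemp)
sample_weak > "$tmp"
stubby_strict_check "$tmp" || echo "refusing to install $tmp"
rm -f "$tmp"
```

In the WAN-up script this would stand in for the plain `cp /opt/stubby.yml /etc` step, called as `install_if_strict /opt/stubby.yml /etc/stubby.yml`.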
  35. rgnldo

    rgnldo Networkin' Nut Member

    Grinch22 builds FW AdvancedTomato ported from FreshTomato, with native Stubby. AndreDVJ builds FW AdvancedTomato without Stubby.
    repo Grinch22:
    https://mega.nz/#F!7WhjCRzK!H5j_JG-1a4ucpDBPBkwXQw
    We were blocked by the host who manages linksysinfo.org, a kind of Spam Bot.
     
    Boktai1000 likes this.
  36. Bobses

    Bobses Network Newbie Member

    I tried for 2 hours to make the 2018.5 version work on my Asus RT-N18U without any result. The options: downgrade to 2018.4 or original firmware from Asus. For now, I choose to install the Asus firmware and I am waiting for 2019.1 FreshTomato version.

    However, you do a good job maintaining this Tomato fork.
     
  37. rs232

    rs232 Network Guru Member

    Since you experienced issues, have you tried to clean the NVRAM while upgrading to 2018.5?
     
  38. Bobses

    Bobses Network Newbie Member

    Yes, this is the first thing. :)

    I have used FreshTomato since 2017 and I upgraded every new version without any issue - until now.
     
  39. rgnldo

    rgnldo Networkin' Nut Member

    @kille72 trying to organize a pixelserv with Nginx.
    Code:
    user  nobody;
    worker_processes  1;
    
    pid        /var/run/nginx.pid;
    
    events {
        worker_connections  1024;
    }
    
    http {
            server {
                    listen 1.2.3.4:80;
                    listen 1.2.3.4:443 ssl;
                    server_name adblocker;
    
                    ssl_certificate /opt/etc/nginx/nginx.pem;
                    ssl_certificate_key /opt/etc/nginx/nginx.key;
                    ssl_protocols TLSv1.1 TLSv1.2;
                    ssl_ciphers 'AES128+EECDH:AES128+EDH';
    
                    expires max;
                    rewrite ^(.*)$ / last;
                    location / {
                            return 204;
                    }
            }
    }
    
    
     
    kille72 likes this.
  40. rgnldo

    rgnldo Networkin' Nut Member

    @kille72 In native Stubby FreshTomato "No Stubby config file found..."
    Code:
    root@rgnldo-lan:/tmp/home/root# stubby -l
    WARNING: No Stubby config file found... using minimal default config (Opportunistic Usage)
    [13:38:45.586588] STUBBY: DNSSEC Validation is OFF
    [13:38:45.586830] STUBBY: Transport list is:
    [13:38:45.586937] STUBBY:   - TLS
    [13:38:45.587044] STUBBY:   - UDP
    [13:38:45.587147] STUBBY:   - TCP
    [13:38:45.587251] STUBBY: Privacy Usage Profile is Opportunistic
    [13:38:45.587353] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
    [13:38:45.587447] STUBBY: Starting DAEMON....
    [13:39:00.660090] STUBBY: 127.0.0.1                                : Conn opened: TLS - Opportunistic Profile
    [13:39:00.660496] STUBBY: 127.0.0.1                                : Conn closed: TLS - *Failure*
    In Stubby Entware:
    Code:
    root@rgnldo-lan:/opt/etc/init.d# /opt/sbin/stubby -l
    [13:59:05.788812] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
    [13:59:05.790594] STUBBY: DNSSEC Validation is OFF
    [13:59:05.790671] STUBBY: Transport list is:
    [13:59:05.790690] STUBBY:   - TLS
    [13:59:05.790713] STUBBY: Privacy Usage Profile is Strict (Authentication required)
    [13:59:05.790733] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
    [13:59:05.790750] STUBBY: Starting DAEMON....
    [13:59:06.352828] STUBBY: 1.1.1.1                                  : Conn opened: TLS - Strict Profile
    [13:59:07.343851] STUBBY: 1.1.1.1                                  : Verify passed : TLS
    [13:59:09.859815] STUBBY: 1.1.1.1                                  : Conn closed: TLS - Resps=     2, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)=  2000
    [13:59:09.859899] STUBBY: 1.1.1.1                                  : Upstream   : TLS - Resps=     2, Timeouts  =     0, Best_auth =Success
    [13:59:09.859927] STUBBY: 1.1.1.1                                  : Upstream   : TLS - Conns=     1, Conn_fails=     0, Conn_shuts=      0, Backoffs     =     0
     
  41. kille72

    kille72 LI Guru Member

    Try:
    Code:
    stubby -g -l -C /path/to/stubby.yml
     
  42. rgnldo

    rgnldo Networkin' Nut Member

    Stubby Entware
    Code:
    root@rgnldo-lan:/opt/etc/init.d# /opt/sbin/stubby -l
    [13:59:05.788812] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
    [13:59:05.790594] STUBBY: DNSSEC Validation is OFF
    [13:59:05.790671] STUBBY: Transport list is:
    [13:59:05.790690] STUBBY:   - TLS
    [13:59:05.790713] STUBBY: Privacy Usage Profile is Strict (Authentication required)
    [13:59:05.790733] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
    [13:59:05.790750] STUBBY: Starting DAEMON....
    [13:59:06.352828] STUBBY: 1.1.1.1                                  : Conn opened: TLS - Strict Profile
    [13:59:07.343851] STUBBY: 1.1.1.1                                  : Verify passed : TLS
    [13:59:09.859815] STUBBY: 1.1.1.1                                  : Conn closed: TLS - Resps=     2, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)=  2000
    [13:59:09.859899] STUBBY: 1.1.1.1                                  : Upstream   : TLS - Resps=     2, Timeouts  =     0, Best_auth =Success
    [13:59:09.859927] STUBBY: 1.1.1.1                                  : Upstream   : TLS - Conns=     1, Conn_fails=     0, Conn_shuts=      0, Backoffs     =     0
     
  43. pedro311

    pedro311 Networkin' Nut Member

    Could you explain, what is wrong with 2018.5 on RT-N18U (I own it), because I don't understand your post?
    You complain and you don't explain what is wrong...
     
    kille72 likes this.
  44. rgnldo

    rgnldo Networkin' Nut Member

    @kille72 Stubby Entware:
    Code:
    root@rgnldo-lan:/opt/etc/init.d# echo | openssl s_client -verify on -CAfile /rom/cacert.pem -connect 1.1.1.1:853
    verify depth is 0
    CONNECTED(00000003)
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
    verify return:1
    depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
    verify return:1
    depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=San Francisco/O=Cloudflare, Inc./CN=cloudflare-dns.com
       i:/C=US/O=DigiCert Inc/CN=DigiCert ECC Secure Server CA
     1 s:/C=US/O=DigiCert Inc/CN=DigiCert ECC Secure Server CA
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
    ---
    Server certificate
    subject=/C=US/ST=California/L=San Francisco/O=Cloudflare, Inc./CN=cloudflare-dns.com
    issuer=/C=US/O=DigiCert Inc/CN=DigiCert ECC Secure Server CA
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 3115 bytes and written 397 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
    Server public key is 256 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
        Session-ID: 38425D87D033C0DEEE3C86EE04323C7200E9628A10749F5B836E764682AA85C7
        Session-ID-ctx:
        Master-Key: B0335C962B65B0216D4DF540F280794E88A9B452C31A24AF8EEE8422F7BC43545C3D0A67E54C9D643AE2DA01A3CFAD05
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 21600 (seconds)
        TLS session ticket:
    
        Start Time: 1545660201
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    DONE
    Code:
    iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
     
  45. Bobses

    Bobses Network Newbie Member

    I supposed that my post was self-explanatory: NVRAM cleared, same new settings as the old ones, but the router didn't connect to the internet. No settings changed compared with 2018.4, but no internet connection. I don't know why and I have no time to investigate in these days.

    After downgrade to 2018.4 everything worked good. I tried with the original Asus firmware - no issues.
     
  46. kille72

    kille72 LI Guru Member

    Instructions from post #1:
    • Include any relevant configuration details - your wan/lan/wireless/usb/etc settings, WAN connection type...
     
    pedro311 likes this.
  47. Cliffield

    Cliffield Connected Client Member

    I really appreciate the big interest in stubby and the ongoing discussion (Thumbs up!).

    In addition to my previous post the following sums up my own experience and understanding of the implementation of stubby in tomato.

    The user entered DNS servers and the DNS servers provided by ISP (if enabled) are stored in '/etc/resolv.dnsmasq'.
    In the main config file of dnsmasq ('/etc/dnsmasq.conf') is written 'resolv-file=/etc/resolv.dnsmasq'. This tells dnsmasq to get the upstream nameservers from that file.


    Enabling Stubby under the GUI does following:

    1. The line 'server=127.0.0.1#5453' gets added to '/etc/dnsmasq.conf'
    This specifies stubby, which will be listening at port 5453, as an upstream server for dnsmasq in addition to those servers specified in '/etc/resolv.dnsmasq'.
    At this point stubby and those other DNS servers are used by dnsmasq. This represents the 'priority' option 'none'.
    2. With the 'priority' option 'no-resolv' the line 'no-resolv' gets added to the main dnsmasq config file.
    This tells dnsmasq to ignore the nameservers from '/etc/resolv.dnsmasq'. Only the upstream servers specified from command line and the main config file are used by dnsmasq.
    At this point only 127.0.0.1#5453 (Stubby) is used as an upstream server.

    3. Stubby gets started by 'stubby -g -v 4 -C /etc/stubby.yml -F /var/log/stubby.log'
    • -g runs stubby in background
    • -v 4 specifies logging level (warning conditions)
    • -C get settings from /etc/stubby.yml
    • -F logfile
    As far as I understand the stubby/dnsmasq interaction,
    there should be no need to ignore any "server=" in the dnsmasq config when Stubby is enabled.
    It should not be necessary to set DNS manual to 0.0.0.0.

    Two tomato log files, the first with the 'priority' option 'none' (lines 5 to 10 are relevant):
    Code:
    Dec 24 12:59:14 unknown daemon.info dnsmasq[6932]: started, version 2.80 cachesize 4096
    Dec 24 12:59:14 unknown daemon.info dnsmasq[6932]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset Tomato-helper no-auth DNSSEC no-ID loop-detect inotify no-dumpfile
    Dec 24 12:59:14 unknown daemon.info dnsmasq[6932]: asynchronous logging enabled, queue limit is 5 messages
    Dec 24 12:59:14 unknown daemon.info dnsmasq-dhcp[6932]: DHCP, IP range 192.168.1.2 -- 192.168.1.51, lease time 1d
    Dec 24 12:59:14 unknown daemon.info dnsmasq[6932]: using nameserver 127.0.0.1#5453
    Dec 24 12:59:14 unknown daemon.info dnsmasq[6932]: reading /etc/resolv.dnsmasq
    Dec 24 12:59:14 unknown daemon.info dnsmasq[6932]: using nameserver 127.0.0.1#5453
    Dec 24 12:59:14 unknown daemon.info dnsmasq[6932]: using nameserver 8.8.8.8#53
    Dec 24 12:59:14 unknown daemon.info dnsmasq[6932]: using nameserver 9.9.9.9#53
    Dec 24 12:59:14 unknown daemon.info dnsmasq[6932]: using nameserver 192.168.2.1#53
    Dec 24 12:59:14 unknown daemon.info dnsmasq[6932]: read /etc/hosts - 14 addresses
    Dec 24 12:59:14 unknown daemon.info dnsmasq[6932]: read /etc/dnsmasq/hosts - 5 addresses
    Dec 24 12:59:14 unknown daemon.info dnsmasq[6932]: read /etc/dnsmasq/dhcp-hosts - 0 addresses
    Dec 24 12:59:14 unknown daemon.info dnsmasq-dhcp[6932]: read /etc/dnsmasq/hosts
    Dec 24 12:59:14 unknown daemon.info dnsmasq-dhcp[6932]: read /etc/dnsmasq/dhcp-hosts
    Dec 24 12:59:14 unknown user.info preinit[1]: Starting stubby 0.2.3 , DNS-o-TLS Proxy
    The second one with the 'priority' option 'no-resolv' (lines 3 and 6 are relevant):
    Code:
    Dec 24 13:08:47 unknown daemon.info dnsmasq[8135]: started, version 2.80 cachesize 4096
    Dec 24 13:08:47 unknown daemon.info dnsmasq[8135]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset Tomato-helper no-auth DNSSEC no-ID loop-detect inotify no-dumpfile
    Dec 24 13:08:47 unknown daemon.warn dnsmasq[8135]: warning: ignoring resolv-file flag because no-resolv is set
    Dec 24 13:08:47 unknown daemon.info dnsmasq[8135]: asynchronous logging enabled, queue limit is 5 messages
    Dec 24 13:08:47 unknown daemon.info dnsmasq-dhcp[8135]: DHCP, IP range 192.168.1.2 -- 192.168.1.51, lease time 1d
    Dec 24 13:08:47 unknown daemon.info dnsmasq[8135]: using nameserver 127.0.0.1#5453
    Dec 24 13:08:47 unknown daemon.info dnsmasq[8135]: read /etc/hosts - 14 addresses
    Dec 24 13:08:47 unknown daemon.info dnsmasq[8135]: read /etc/dnsmasq/hosts - 5 addresses
    Dec 24 13:08:47 unknown daemon.info dnsmasq[8135]: read /etc/dnsmasq/dhcp-hosts - 0 addresses
    Dec 24 13:08:47 unknown daemon.info dnsmasq-dhcp[8135]: read /etc/dnsmasq/hosts
    Dec 24 13:08:47 unknown daemon.info dnsmasq-dhcp[8135]: read /etc/dnsmasq/dhcp-hosts
    Dec 24 13:08:48 unknown user.info preinit[1]: Starting stubby 0.2.3 , DNS-o-TLS Proxy



    The 'Use received DNS with user-entered DNS' behavior is strange indeed. Despite having 'DNS Server' under 'WAN Settings' set to 'Auto' and having deactivated 'Use received DNS with user-entered DNS', I get the following:
    Code:
    root@unknown:/tmp/home/root# cat /etc/resolv.dnsmasq
    # dns for wan:
    nameserver 8.8.8.8
    nameserver 9.9.9.9
    nameserver 192.168.2.1
    
    192.168.2.1 is the DNS server on the WAN side.
    I had defined 8.8.8.8 and 9.9.9.9 previously as DNS servers under WAN Settings and used 'Use received DNS with user-entered DNS' previously.
    I don't think this affects the function of Stubby, because this file gets ignored by dnsmasq (if used with the flag 'no-resolv'). But it should be investigated of course.



    By the way, here is another approach to use user-specified DNS-over-TLS servers:
    Under Administration-Scripts-Wan up:
    Code:
    sleep 5
    cp /rom/etc/stubby.yml /etc/
    sed -i '23,74d' /etc/stubby.yml
    printf '  - address_data: %s\n    tls_auth_name: "%s"\n' '46.182.19.48' 'dns2.digitalcourage.de' >> /etc/stubby.yml
    printf '  - address_data: %s\n    tls_auth_name: "%s"\n' '2a02:2970:1002::18' 'dns2.digitalcourage.de' >> /etc/stubby.yml
    printf '  - address_data: %s\n    tls_auth_name: "%s"\n' '1.1.1.1' 'cloudflare-dns.com' >> /etc/stubby.yml
    printf '  - address_data: %s\n    tls_auth_name: "%s"\n' '2606:4700:4700::1111' 'cloudflare-dns.com' >> /etc/stubby.yml
    service dnsmasq restart
    With this approach, an external storage is not needed.

    Cliffield
     
    rs232 and kille72 like this.
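
    Added example, not part of Cliffield's post or of FreshTomato: the two log captures above differ in whether dnsmasq also uses plaintext resolvers next to Stubby, and this POSIX shell/awk check reads syslog on stdin and lists every upstream of the most recently started dnsmasq instance that is not the Stubby listener. The address 127.0.0.1#5453 and the sample lines are taken from the post; the function names are made up for this example.

```shell
#!/bin/sh
# Log lines excerpted from the 'none' capture in the post above.
sample_none() {
cat <<'EOF'
Dec 24 12:59:14 unknown daemon.info dnsmasq[6932]: started, version 2.80 cachesize 4096
Dec 24 12:59:14 unknown daemon.info dnsmasq-dhcp[6932]: DHCP, IP range 192.168.1.2 -- 192.168.1.51, lease time 1d
Dec 24 12:59:14 unknown daemon.info dnsmasq[6932]: using nameserver 127.0.0.1#5453
Dec 24 12:59:14 unknown daemon.info dnsmasq[6932]: reading /etc/resolv.dnsmasq
Dec 24 12:59:14 unknown daemon.info dnsmasq[6932]: using nameserver 127.0.0.1#5453
Dec 24 12:59:14 unknown daemon.info dnsmasq[6932]: using nameserver 8.8.8.8#53
Dec 24 12:59:14 unknown daemon.info dnsmasq[6932]: using nameserver 9.9.9.9#53
Dec 24 12:59:14 unknown daemon.info dnsmasq[6932]: using nameserver 192.168.2.1#53
EOF
}

# Log lines excerpted from the 'no-resolv' capture in the post above.
sample_no_resolv() {
cat <<'EOF'
Dec 24 13:08:47 unknown daemon.info dnsmasq[8135]: started, version 2.80 cachesize 4096
Dec 24 13:08:47 unknown daemon.warn dnsmasq[8135]: warning: ignoring resolv-file flag because no-resolv is set
Dec 24 13:08:47 unknown daemon.info dnsmasq-dhcp[8135]: DHCP, IP range 192.168.1.2 -- 192.168.1.51, lease time 1d
Dec 24 13:08:47 unknown daemon.info dnsmasq[8135]: using nameserver 127.0.0.1#5453
EOF
}

# plaintext_upstreams [STUBBY_ADDR]
# Prints, one per line and in log order, each upstream other than STUBBY_ADDR
# that the latest dnsmasq start announced with "using nameserver".
plaintext_upstreams() {
    stubby="${1:-127.0.0.1#5453}"
    awk -v stubby="$stubby" '
        / dnsmasq\[[0-9]+\]: started, version / {
            # a new dnsmasq instance begins: drop what the previous one used
            for (k in seen) delete seen[k]
            n = 0
        }
        / dnsmasq\[[0-9]+\]: using nameserver / {
            ns = ""
            # take the field after "nameserver"; a "for domain ..." suffix may follow it
            for (i = 1; i < NF; i++) if ($i == "nameserver") ns = $(i + 1)
            if (ns != "" && ns != stubby && !(ns in seen)) {
                seen[ns] = 1
                order[++n] = ns
            }
        }
        END { for (i = 1; i <= n; i++) print order[i] }
    '
}

# check_dot_only [STUBBY_ADDR]
# Returns 0 when Stubby is the only upstream, 1 when other resolvers are in use.
check_dot_only() {
    leaks=$(plaintext_upstreams "$1")
    if [ -n "$leaks" ]; then
        # word splitting on $leaks is intended: one output line per resolver
        printf 'upstream besides stubby: %s\n' $leaks
        return 1
    fi
    echo "stubby is the only upstream"
}

# Demo on the two excerpts; on a router, feed the syslog file on stdin instead.
sample_none | check_dot_only || true
sample_no_resolv | check_dot_only || true
```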
  48. M_ars

    M_ars Network Guru Member

    I upgraded 3 rt-n18u in the last days to 2018.5 —> PPPoE connection with DHCPv6 PD
    Running perfect here

    BR
     
    pedro311 and kille72 like this.
  49. pedro311

    pedro311 Networkin' Nut Member

    BTW: see above post...
     
  50. rs232

    rs232 Network Guru Member

    Thank you for the comprehensive investigation. This really helps.
    So essentially the output is (correct me if I'm wrong):

    Priority: "Strict" should be removed or at least default to "no-resolve". Right?

    Beside this the start-up time for Stubby really is a concern of mine so I was wondering following the no-resolve suggestion what would it be the best way to add an alternative DNS server (secondary tomato running Stubby enabled as well) to dnsmasq? Push it into the /etc/dnsmasq.conf?
     
    Last edited: Dec 24, 2018
  51. Mercjoe

    Mercjoe Network Guru Member

    Bug report:

    Router: Netgear R7000.

    Installed 2018.5 AIO.

    NVRAM cleared and manually reconfigured.

    In Administration --> CIFS client is not responding. Clicking in all other submenu works, but CIFS client is a dead link.

    Yes, browser cache cleared. Tested on 3 machines on network and all have the same behavior.
     
  52. kille72

    kille72 LI Guru Member

    Line 129:
    https://bitbucket.org/kille72/fresh...5&fileviewer=file-view-default#defaults.c-129

    Default=no-resolv
     
    M_ars and rs232 like this.
  53. Boktai1000

    Boktai1000 Network Guru Member

    Thank you for the information! I did not understand there was a difference there, I thought Grinch22 just was a more recent version. Appreciate it and hopefully the IP block gets fixed at some point!
     
  54. Bobses

    Bobses Network Newbie Member

    Router: Asus RT-N18U
    Wan: PPPoE
    NVRAM: cleared after every new install

    Here are the settings that work well from 2017.x until 2018.4:
    https://drive.google.com/open?id=1xaVtuTP_4MAff_8PradmqdB2Ag-w1I7L

    Like I said, after installing FT 2018.5 (NVRAM cleared), I made the same settings as in the old versions, but there is no internet connection.
     
    Last edited: Dec 24, 2018
  55. Cliffield

    Cliffield Connected Client Member

    Regarding the 'Priority' option:
    • 'no-resolv' should be the default and thanks to pedro311 it is (since 2018.5.083-beta).
    • 'strict-order': Well, I don't know if the statement from the dnsmasq developer is still valid, but he does not recommend using this (some background: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2009q3/003295.html). But I think the option is still useful. For example, if Stubby crashes or has some issues, DNS resolution would still be possible, even if it is not encrypted.
    • 'none': To be honest, I can't imagine a use case for this setting.
    Should be possible. Just add your second DNS server (Tomato with Stubby or Raspberry Pi, ...) to the custom dnsmasq configuration of your main router, e.g.
    Code:
    server=192.168.1.2#53

    EDIT:
    You could also add the 'all-servers' option. "By default, when dnsmasq has more than one upstream server available, it will send queries to just one server. Setting this flag forces dnsmasq to send all queries to all available servers. The reply from the server which answers first will be returned to the original requester." Source: http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
     
    Last edited: Dec 24, 2018
    pedro311 and kille72 like this.
  56. Darkbing

    Darkbing Connected Client Member

    Hi, I would like to report this bug.

    The limit for ports in multiwan routing for version 2018.5 seems to be too short. I am unable to put more than one port unlike on the previous versions.

    upload_2018-12-25_6-54-24.png
     
  57. usergay

    usergay Reformed Router Member


    Just tried this on two of my r7000's and it works fine. I updated without nvram clear and without touching my browser's cache at all.
     
    kille72 likes this.
  58. Basta2k

    Basta2k New Member Member

    @Bobses

    look at the text after the box "route modem ip".
    If this worked before then you had luck; normally you can't set the same IP for router and modem.
     
    Last edited by a moderator: Dec 26, 2018
    pedro311 and M_ars like this.
  59. Bobses

    Bobses Network Newbie Member

    As I previously said, I used all those settings (NVRAM cleared) every time I installed a new FreshTomato version, since 2017.
     
    Last edited by a moderator: Dec 26, 2018
  60. M_ars

    M_ars Network Guru Member

    Yes, limit 5 :)

    Code:
    maxlen: 5
     
    Last edited: Dec 25, 2018
  61. M_ars

    M_ars Network Guru Member

    Hi Bobses,

    you can not use the same modem-ip and lan-ip --> has to be different (and also different subnet, for example 192.168.1.X and 192.168.2.Y)
    Do you use stubby (DNS-over-TLS)? That is a new feature introduced in 2018.4

    I think you enabled/changed a few things since 2017 setup. (no further check possible, you removed your picture)

    BR
     
    Last edited by a moderator: Dec 26, 2018
    Bobses likes this.
  62. Darkbing

    Darkbing Connected Client Member

    Hi,

    Why set it to 5? Could it be increased back to the same as before as routing multiple ports such as 80, 8080, 443 and having only 5 as maxlen would mean more multiwan routing rules entries which is not efficient at all.

    Thank you and merry Christmas! :)
     
    Last edited: Dec 25, 2018
  63. Pasha_ZZZ

    Pasha_ZZZ Serious Server Member

    Only Int Port has maxlen = 5, because
    Ext Ports maxlen = 16
     
    Darkbing and kille72 like this.
  64. M_ars

    M_ars Network Guru Member

    Darkbing and kille72 like this.
  65. Mercjoe

    Mercjoe Network Guru Member

    Well.. Something is going on. My logs are full of this:

    Dec 25 09:50:42 Tomato kern.info kernel: [truncated] rror in Srror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSrror in SETFSUrror in SETFSrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUnirror in SETFSUnrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrr
    Dec 25 09:50:42 Tomato kern.info kernel: rror in Srror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSrror in SETFSUrror in SETFSUrror in SETFSUnrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSUrror in SETFSrror in SETFSUrror in SETFSrror in SETFSUnixInfo = -11
    Dec 25 09:50:42 Tomato kern.err kernel: CIFS VFS: Send error in SETFSUnixInfo = -11
    Dec 25 09:50:42 Tomato kern.err kernel: CIFS VFS: Send error in SETFSUnixInfo = -11
    Dec 25 09:50:42 Tomato kern.err kernel: CIFS VFS: Send error in SETFSUnixInfo = -11
    Dec 25 09:50:42 Tomato kern.err kernel: CIFS VFS: Send error in SETFSUnixInfo = -11
    Dec 25 09:50:42 Tomato kern.err kernel: CIFS VFS: Send error in SETFSUnixInfo = -11
     
  66. pajarillo

    pajarillo Network Newbie Member

    updated, cleared nvram and running for 3 days, no issues so far. thanks and merry xmas ;)
     
    pedro311 and kille72 like this.
  67. BL10L2

    BL10L2 New Member Member

    Merry Christmas everyone,
    I've got Linksys EA6900 v1.1 with a custom CFE. I am wondering why Advanced Tomato, Shibby's and this fork don't use the second core of the CPU with the VPN client enabled? My ISP's max speed is 38 mbps. All Tomato builds can deliver circa 15 mbps over wifi with the VPN enabled. The first core goes over 90%, the second idles at around 1.5% during the speed test. I get best result from John's Merlin fork - over 36 mbps. Brian's DD-WRT over 30 mbps, Kong's DD-WRT - over 25 mbps. All checked with the same VPN configuration. All of them used both cores during the speed test. I used htop to measure CPU usage on all firmwares.
     
  68. kille72

    kille72 LI Guru Member

    OpenVPN can't at the moment support multi-threading, though that’s on the roadmap. You can read more at: https://community.openvpn.net/openvpn/wiki/RoadMap#Threading
     
  69. BL10L2

    BL10L2 New Member Member

    I am aware of it. I noticed that firmwares other than Tomato utilise both cores when VPN is used. Some processes are handled by one core, some other by the second. The second core only idles in Tomato firmware.
     
  70. kille72

    kille72 LI Guru Member

    Strange, my router uses 2 cores. Example below, downloads from Samba + VPN server at the same time:

    Annotation 2018-12-26 114421.png
     
  71. Jonas I

    Jonas I Network Newbie Member

    Merry Christmas, everyone,

    some time ago I found this thread, but never tried it:
    https://www.linksysinfo.org/index.p...to-is-not-using-both-cores-on-my-r7000.73438/

    Maybe a nice workaround
     
  72. BL10L2

    BL10L2 New Member Member

    Spot on Jonas I! Two cores are utilized after pasting it to the terminal - taskset -cp 1 $(ps w |grep vpnclient1 |grep -v grep | awk '{print $1}')
    35 mbps over wifi. Great result. Thank you!
     

    pedro311 likes this.
  73. rs232

    rs232 Network Guru Member

    @pedro311 @kille72

    A minor bug report on 2018.5. Running this on 2x different ASUS AC56u AIO both have the same issue:
    The tinc status page reports errors. Essentially, for any option I select I get:

    Code:
    ERROR: SyntaxError: unexpected token: identifier
    @lancethepants FYI
     
    kille72 likes this.
  74. kille72

    kille72 LI Guru Member

    Thanks. We are aware of the Tinc problem in 2018.5 (works without problems in version 2018.4 and 2018.5 MIPS). Generating certificates does not work in the newest version either. Troubleshooting in progress...If someone finds something wrong in the code, write here, thank you.
     
    rs232 likes this.
  75. Thunder44

    Thunder44 New Member Member

    I am getting error 401 unauthorized on my r7000 while upgrading it to R7000 INITAL.CHK, I am getting replies from it but I can't unbrick because I am getting connection request failed. I already factory reset it. I can't get into Web GUI. I tried root and admin.
     
  76. Thunder44

    Thunder44 New Member Member

    Never mind I found my username and password through 223 telnet.
     
  77. ohionative

    ohionative New Member Member

    Just to get clarification here... if I'm currently running AdvanceTomato 1.28.0000 -3.4-138 K26ARM USB AIO-64K on my R7000 am I able to flash this via the Admin | Upgrade, clear NVRAM and reconfigure after reboot? If not, what's the safest upgrade path?

    Thanks!
     
  78. Aladino

    Aladino Network Newbie Member

    I’m using latest version Netgear WNDR4500v2
    Internet won't work, I keep trying to connect to my college L2TP server with no luck; in status I get IP, DNS etc. but no internet
    On the stock gene firmware l2tp connection used to work perfectly
    Thank you for your effort
     
  79. Cliffield

    Cliffield Connected Client Member

    Upgrade, clear NVRAM, wait till reboot, clear browser cache (sometimes necessary) and reconfigure
     
  80. rs232

    rs232 Network Guru Member

    Ignore
     
    Last edited: Dec 26, 2018
    cloneman likes this.
  81. Boktai1000

    Boktai1000 Network Guru Member

    Does FreshTomato UI support the ability of adding more than 3 NTP Servers at a time?

    Even though only 1 is really required, many forms of NTP documentation usually reference configuring four NTP servers for example Google Public NTP here: https://developers.google.com/time/guides and even the NTP Pool Project itself lists four when you take a look at their examples https://www.ntppool.org/en/use.html

    Traditionally, I know Tomato has only supported three in the GUI. It would be nice to either support four (or more) OR allow the ability to add additional fields as necessary (and maybe implement an upper maximum if necessary as well). Similar to how OpenWrt lets you click a (+) to add an additional line item. Either that, or instead support comma separated values.

    Just wanted to throw this in there, I know there's a lot more interesting stuff going on with Stubby and other core Tomato things going on, but it's a little nitpick of mine and would be a quality of life improvement that fits with FreshTomato is aiming to be.

    Thanks for taking the time to read my suggestion!
     
  82. rs232

    rs232 Network Guru Member

    I'm sorry but I really have to ask this: what are you trying to resolve? Is your device set with the wrong time?

    A pool as the name states is already a set of servers. The pool is automatically maintained (thumb up) all you need is a pool of choice. One if you ask me it's plenty. I personally use a geographical one from ntppool.org and it has been working great for 10 years now.

    BTW a geographical pool does point to sub pools, and the pools to other pools to servers. Example uk.pool.ntp.org is reported to have 306 (!) servers and these are served via 4 sub pools:
    server 0.uk.pool.ntp.org
    server 1.uk.pool.ntp.org
    server 2.uk.pool.ntp.org
    server 3.uk.pool.ntp.org

    Plenty.

    Finally read this from ntppool.org: In most cases it's best to use pool.ntp.org

    With all these pools all you need is a swim trunk :D
     
    Last edited: Dec 27, 2018
    kille72 likes this.
  83. Aladino

    Aladino Network Newbie Member

    Hi rs232,
    do you have a solution to my problem?, I can't get internet working on L2TP connection even though I get IP, DNS, etc
    My Router is Netgear WNDR4500v2, with the latest FreshTomato version 2018.5
    Thank you
     
  84. rs232

    rs232 Network Guru Member

    Why do you duplicate your post? That's the best way to get ignored on this forum...
    Regardless, I don't know and you're not providing enough information anyway. What have you tried? What are your settings? What is in the log? etc

    Crystal ball is flat on batteries...
     
    kille72 likes this.
  85. cloneman

    cloneman LI Guru Member

    Here is a quick script I wrote for nvram backup of the values I consider most tedious . I have read Koitsu's warnings about full nvram backup from one router to the next. The rest I enter by hand when I upgrade.

    This is completely untested etc. etc. and written by someone who doesn't know code.
    Feel free to add to this, but remember the warnings about NVRam structure that can change in different versions, you are discouraged from adding stuff that is quick to be re-entered manually via webgui.

    nvram_quick_backup.sh
    Code:
    #!/bin/ash
    mkdir -p tomatoNVBackup
    cd tomatoNVBackup
    nvram get dhcpd_static > dhcp_reservations.txt
    nvram get portforward > portforward.txt
    nvram get trigforward > port_triggering.txt
    
    
    nvram get qos_orules > qos_classification.txt
    nvram get qos_orates > qos_outbound_rates.txt
    nvram get qos_irates > qos_inbound_rates.txt
    nvram get qos_classnames > qos_classnames.txt
    
    nvram get dnsmasq_custom > dnsmasq_custom.txt
    
    echo "script has been run with unknown success."

    nvram_quick_restore.sh [ *to be completed by you!*]
    Code:
    #!/bin/ash
    cd tomatoNVBackup
    
    
    if [ -e port_triggering.txt ]; then
        echo "File exists. Attempting Restore"
        nvram set trigforward="`cat port_triggering.txt`"
    else
        echo "File does not exist."
    fi
    
    #dhcp_reservations.txt
    #portforward.txt
    #port_triggering.txt
    
    
    #qos_classification.txt
    #qos_outbound_rates.txt
    #qos_inbound_rates.txt
    #qos_classnames.txt
    
    #dnsmasq_custom.txt
    
    I believe you need to nvram commit when you are finished.
     
    Last edited: Dec 27, 2018
    gschnasl, ras07 and rs232 like this.
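
    Added example, not cloneman's code: one way to complete the restore for the files nvram_quick_backup.sh writes, with a dry-run pass that reports which keys differ from the running configuration before anything is set. The file-to-key pairs and the nvram get/set/commit calls come from the post above; the function name, the dry-run/apply modes and the NV_CHANGED variable are this example's own.

```shell
#!/bin/sh
# Backup file -> nvram key, the same pairs nvram_quick_backup.sh writes.
NV_MAP="dhcp_reservations.txt:dhcpd_static
portforward.txt:portforward
port_triggering.txt:trigforward
qos_classification.txt:qos_orules
qos_outbound_rates.txt:qos_orates
qos_inbound_rates.txt:qos_irates
qos_classnames.txt:qos_classnames
dnsmasq_custom.txt:dnsmasq_custom"

# nvram_restore DIR [apply]
# Without "apply" nothing is written: each key is reported as same, differs or skip.
# With "apply" only differing keys are set, followed by a single nvram commit.
# The number of differing keys is left in NV_CHANGED.
nvram_restore() {
    dir="$1"
    mode="${2:-dry-run}"
    changed=0
    if [ ! -d "$dir" ]; then
        echo "no backup directory: $dir" >&2
        return 2
    fi
    for pair in $NV_MAP; do
        file="$dir/${pair%%:*}"
        key="${pair#*:}"
        new=""
        if [ -f "$file" ]; then
            new=$(cat "$file")
        fi
        # An absent file or an empty value is skipped, so a failed or partial
        # backup can never blank out a setting that is currently in use.
        if [ -z "$new" ]; then
            echo "skip    $key (no backed-up value)"
            continue
        fi
        cur=$(nvram get "$key")
        if [ "$new" = "$cur" ]; then
            echo "same    $key"
            continue
        fi
        changed=$((changed + 1))
        if [ "$mode" = "apply" ]; then
            # Quoting keeps spaces, '<' and '>' inside the value intact.
            nvram set "$key=$new" && echo "set     $key"
        else
            echo "differs $key"
        fi
    done
    if [ "$mode" = "apply" ] && [ "$changed" -gt 0 ]; then
        nvram commit
    fi
    NV_CHANGED=$changed
}

# On the router:
#   nvram_restore tomatoNVBackup          # review what would change
#   nvram_restore tomatoNVBackup apply    # write the differing keys and commit
```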
  86. ohionative

    ohionative New Member Member

    Couple of things... the first one will show my incompetence. I accidentally installed the R8000 AIO onto my R7000 from the Advanced Tomato build I had been on and couldn't seem to even see the wireless settings. I'm guessing that was because of the wrong image. So as my "clients" were going ape-poop over loss of connectivity I pushed back to the Netgear Genie and got it up and running with their latest so I could come back here today and regroup.

    So with the correct image in hand now I can go back and try to get it right but it brought up a question. Is this based on the 2.6(ish) linux kernel as it appears when I look at the BB code page? If so, how are the known vulnerabilities of said kernel mitigated? Are most of you using your FT WiFi boxes at your border or behind a more hardened firewall?

    Thanks,
    ON
     
  87. rgnldo

    rgnldo Networkin' Nut Member

    Last edited: Dec 27, 2018
    rs232 likes this.
  88. jith_hago

    jith_hago New Member Member

    Is the Wireless Site Survey supposed to be working? This is on a Netgear R6250.

    A couple of items that I have tried:
    • Clearing all data in NVRAM (thorough)
    • NVRAM is 42% free
    • Tried 2015.5 Beta and 2015.5
    • Wireless Survey does not work with default settings
    • Tomato fails to pick an optimal channel
    • I don't have Wireless Filter enabled --- another post suggested that enabling this feature disables the Survey.
    • Rebooted the router
    Any suggestions? Is this feature supposed to be working?

     
    Last edited: Dec 27, 2018
  89. pedro311

    pedro311 Networkin' Nut Member

    Just click "Refresh" :)
     
    kille72 likes this.
  90. Aladino

    Aladino Network Newbie Member

    I thought the other one is dead since not so many interacts in it.
    Sorry i thought that one is dead, anyway I solved the issue as I mentioned in the other one “MIPS”.
     
  91. who me?

    who me? New Member Member

    Hello, I'm trying to edit Stubby.yml to use only Cloudflare, but it is read-only. Also, I noticed when I cd /etc, I get redirected to /tmp/etc. How do I fix this? I am using FreshTomato 2018.5 AIO on an ASUS RT-AC56U. Thank you.
     
  92. PeterPann

    PeterPann New Member Member

    Hello, sorry for the noob question as I'm totally new to this. I was looking for a custom ROM for my Xiaomi R1D router and this one is the most up to date. However, I can not find any info on how to flash the firmware. I have downloaded the last one, but what now? freshtomato-R1D-2018.5-Custom-64K.zip Also, please, is there a way to flash it back to the original Xiaomi ROM? Thank you so much!
     
  93. Boktai1000

    Boktai1000 Network Guru Member

    I'd simply like to use all resource pools available for given services, it is usually recommended to list the individual pools for redundancy purposes instead of the root pool.ntp.org as you mentioned. It is generally advised as a best practice not use the root unless you only have one configuration option for a device. I just want the ability to list more than 3 in the GUI - don't really know what more to say regarding it :rolleyes:

    Additionally if you look back at the NTP Project as an example, they used to recommend using three nodes for NTP servers back in 2009, but in 2010 they started recommending four servers for configuration. I believe this was due to Windows 7/Server 2008 R2 being released around that time, which is somewhat dating the Tomato project to around that timeframe with similar logic in mind.

    There is also references to older versions of Windows supporting only three on the webpage https://www.ntppool.org/en/use.html as you can see some of the examples refer to only using three servers:

    --------
    at the command prompt. This will work on Windows 2003 and newer. If you use an older version of windows you can try
    Code:
    net time /setsntp:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org"
    --------

    Simply put, I am just making the suggestion that it appears that Tomato UI is somewhat dated similar to the sense made with some of these references to only using three NTP servers as two of the most popular offerings, NTP Pool Project and Google Public NTP both Recommend configuring four - and I am just trying to relay the information that being able to match their recommended configuration via GUI would be appreciated.
     
    Last edited: Dec 27, 2018
  94. abir1909

    abir1909 Network Newbie Member

    Thanks, man, for the hard work and the recent update. One request for the next update, if you can look into the routing policy for the OpenVPN client. It's partially working. "To Domain" works for a few hours and drops. Also, when entering the same IP for both clients it breaks the routing. Thanks a lot.
     
  95. jith_hago

    jith_hago New Member Member

    Ha! Thank you! If it was a snake, it would have bit me!
     
  96. ras07

    ras07 Network Guru Member

    Thanks! That will help a lot.

    Where can I find a list of all the nvram data structures? It would be handy to back up all/most of them; not to restore them, but to just do another backup after an update/reconfig and do a quick compare to see if I forgot anything.

    Thanks again!
     
    Last edited: Dec 28, 2018
  97. kille72

    kille72 LI Guru Member

    GUI
    bf698b338333685bb2b9ae8043906156.jpg
     
    Last edited: Dec 28, 2018
    M_ars likes this.
  98. rgnldo

    rgnldo Networkin' Nut Member

    @kille72 I'm liking this script, which controls the power of the Wifi. Is there a similar function in FreshTomato?
    Code:
    while true
    do
      while [ ${#cinfo} -gt 16 ]
      do
        sleep 5
        cinfo=$(wl assoclist)
      done
      logger WiFi entering low power mode
      wl txpwr 1
    
      while [ ${#cinfo} -lt 16 ]
      do
        sleep 5
        cinfo=$(wl assoclist)
      done
      logger WiFi entering high power mode
      wl txpwr 400
    done
    @Techie007 Did you manage to improve this script?
     
    Techie007 likes this.
  99. pedro311

    pedro311 Networkin' Nut Member

    No problem here, working XX days without a glitch.

    Already on TODO list. ;)
     
    Wizardknight and kille72 like this.
  100. abunene

    abunene Network Newbie Member

    does this have vpn? currently using tomatousb on my dir868l but it does not have vpn.
     