[Fork] FreshTomato-ARM

Discussion in 'Tomato Firmware' started by kille72, Apr 15, 2018.

  1. AndreDVJ

    AndreDVJ LI Guru Member

    From my testing, enabling tee just adds a symlink to busybox binary, and did not increase image size.
    kille72 likes this.
  2. pomidor1

    pomidor1 Networkin' Nut Member

    @Jacky444, colleague @pedro311
    is going to compile a Tomato for the mipsel platform. In my opinion, a very good move for the development of Tomato would be support for your Advanced Tomato in the images of @kille72 and @pedro311.
    Maybe Shibby will come back to the project one day, but probably not like 1.5-2 years ago.
  3. Jacky444

    Jacky444 LI Guru Member

    I don't know about that. I'm very busy myself. Advanced Tomato is not standing still just because of Shibby's absence. It's also because I've been super busy for the last year. I spend about 50 hours a week at work; the rest I dedicate to learning new coding languages/technologies and spending time with my girlfriend. Lately I also started some extra sports, so time is an issue.
  4. pomidor1

    pomidor1 Networkin' Nut Member

    OK, but it would be nice if the several thousand to tens of thousands of users of your Advanced Tomato got security updates, and in the near future you will only get that via @pedro311 and @kille72, if you base your Advanced Tomato on their work.
  5. Edrikk

    Edrikk Network Guru Member

    I’m also of the mindset that while great for its time, modernizing the Tomato UI (ie using AT’s UI) across the board will be a very “fresh” thing to do. :)
    StefanoS and pomidor1 like this.
  6. kille72

    kille72 LI Guru Member

    Done and comes in the next release. No difference in size :)
  7. usergay

    usergay Network Newbie Member

    Has anyone been able to create more than 1 guest network? I have a VLAN + Virtual wireless profile created (on wl0.1) and it works fine but the moment I attempt to create additional profiles, I can do so but the wireless driver always reports BSSID as 00:00:00:00:00:00 and the SSID won't broadcast nor do anything else.

    Also I've noticed that once you create a virtual wireless profile, there is no way to delete it; I always have to restore an NVRAM backup in order to clear it and start over. Any ideas / suggestions? Thanks

    EDIT: I've figured out the issue after quite a bit of troubleshooting. It appears that it didn't like apostrophes in the SSID Name (ex. Jason's Guest Wifi). Once I removed it, all was well and I was able to create additional virtual wireless profiles with ease. This also fixed the issue I had with deleting profiles etc.

    Thank you Sean B. for your input!
    Last edited: Apr 23, 2018
  8. j.m.

    j.m. Network Guru Member

  9. Sean B.

    Sean B. LI Guru Member

    The amount of virtual interfaces that can be created per radio is determined at the hardware level, so it will vary by router. Have you been able to create more functional interfaces with other versions/builds of firmware?
  10. usergay

    usergay Network Newbie Member

    Well, I am using an R7000. If I load DD-WRT, I can create more than 1 virtual interface, so I figured this was some sort of issue with the Tomato firmware. What I have not tried is attempting to create them on a pre-multiwan version of Tomato FW.

    EDIT: Problem Solved
    Last edited: Apr 23, 2018
  11. wallyg8r

    wallyg8r Reformed Router Member

    Hi, I'm new to Fresh Tomato and am having trouble formatting the jffs partition. I keep getting the error:
    Error formatting JFFS. Check the logs to see if they contain more details about this error. I checked the log but there's nothing there to help. Any suggestions? Running on an R7000.
  12. Sean B.

    Sean B. LI Guru Member

    Create the virtual interfaces, then under Tools->System commands run:

    Post the output for the virtual interface that isn't working, and the output for its parent interface.
  13. eahm

    eahm LI Guru Member

    SNR, koitsu and kille72 like this.
  14. Mihai Olimpiu-Cristian

    Mihai Olimpiu-Cristian Networkin' Nut Member

    Hi, I know this has been asked already some time ago, but, I would kindly ask for a build for the Xiaomi R1D.

    I'm currently running Shibby 140 and it works a treat. Only mentioned this as probably doing a build for this machine is probably already supported just not enabled.
    In the past I tried builds from other routers on my old Belkin Play Max (mainly ASUS builds) and it worked, but the Xiaomi R1D is kind of finicky and a bad build will brick the router without a custom CFE (which I didn't have the time nor the knowledge for at the time I did the Tomato conversion).

    This is not an urgency, just a kind plea to the developers. Thank you in advance!
  15. kille72

    kille72 LI Guru Member

    Thanks! Soon, the project will have a website then we will change it again :)

    WildFireSG, The Master and eahm like this.
  16. usergay

    usergay Network Newbie Member

    EDIT: Virtual Interface Issue Solved!
    Last edited: Apr 23, 2018
  17. usergay

    usergay Network Newbie Member

    Separate issue from the ones mentioned previously....

    I currently use VSFTP with SSL and it worked fine with v132 (pre-multiwan). Any version afterwards wouldn't allow me to connect to the FTP unless I specified a manual PASV IP address and added a manual port forwarding (FTP PASV ports to own gateway address) as well as a Scripts -> Firewall entry (iptables -I INPUT -p tcp --dport 60000:60100 -j ACCEPT). Using just one or the other wouldn't work, almost as if it wouldn't get applied to the proper NAT routing tables necessary to allow communications through.

    A connection to the ftp server could be made but the Directory listings would fail. After adding everything in, it works as intended. It's just weird to have to set up a MANUAL port forward rule from the outside to a service running on the router itself. I'm ok with it for now but I am not sure if this poses a security risk to my network.
  18. oby-1k

    oby-1k Network Newbie Member

    @AndreDVJ after further testing, it seems the rules are hitting the Default class rather than using the allocation set up in the current class.

    That is, if my download hits the class WWW which uses 100% of inbound bandwidth, the actual bandwidth used is the one set by the default class which in my case is CRAWL. In the GUI the class details displayed is WWW but the real bandwidth is the one set by the CRAWL rule (which is my default rule).

    I made a test:

    Download settings:
    WWW 5%-100%
    CRAWL 1% - 3%

    With default class set to: CRAWL my download speed is 20kbps
    While the download is happening I changed the default class to WWW and the download speed went up to Max.

    So despite the fact the rules are displayed correctly in the GUI and the details page, it seems like somehow all the rules are ignored and only the default class is used.

    That may explain the reason I have to multiply x100 my Inbound and Outbound settings to achieve normal speeds.
    Last edited: Apr 22, 2018
  19. AndreDVJ

    AndreDVJ LI Guru Member

    I was able to reproduce the issue in the way you described (by setting CRAWL as default class), and adding back the rules fixes the issue.

    Also removing these rules, it seems that Inbound QoS no longer works, with the default class winning over all remaining QoS rules.

    Outbound QoS still works fine.

    I'll unfortunately have to revert that commit, as it is not working as intended. While packets are getting classified, traffic shaping isn't done correctly.

    The interim fix is by having the following code in the firewall script:
    iptables -t mangle -A OUTPUT -o vlan2 -m connmark ! --mark 0 -j CONNMARK --save-mark
    iptables -t mangle -A FORWARD -o vlan2 -m connmark ! --mark 0 -j CONNMARK --save-mark
    ip6tables -t mangle -A OUTPUT -o vlan2 -m connmark ! --mark 0 -j CONNMARK --save-mark
    ip6tables -t mangle -A FORWARD -o vlan2 -m connmark ! --mark 0 -j CONNMARK --save-mark
    oby-1k likes this.
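The interim fix above, as a re-runnable firewall script. This is an added example, not FreshTomato code or AndreDVJ's own commit: it takes the WAN interface from a variable (vlan2 is assumed here and differs by model; check `nvram get wan_iface`), and checks with `iptables -C` before appending so that running the script a second time does not stack duplicate CONNMARK rules.

```shell
#!/bin/sh
# Interim inbound-QoS fix from the post above, as a re-runnable firewall script.
# Added example, not FreshTomato code. WAN_IF=vlan2 is an assumption; check
# "nvram get wan_iface" on your router, some models use eth0 instead.
WAN_IF="${WAN_IF:-vlan2}"
IPT="${IPT:-iptables}"
IP6T="${IP6T:-ip6tables}"

# add_save_mark TOOL CHAIN
# Appends "-m connmark ! --mark 0 -j CONNMARK --save-mark" to the mangle-table
# CHAIN for packets leaving WAN_IF, unless an identical rule is already there
# (-C returns 0 when the rule exists, in which case -A is skipped).
add_save_mark() {
    tool="$1"
    chain="$2"
    if "$tool" -t mangle -C "$chain" -o "$WAN_IF" -m connmark ! --mark 0 \
            -j CONNMARK --save-mark 2>/dev/null; then
        return 0
    fi
    "$tool" -t mangle -A "$chain" -o "$WAN_IF" -m connmark ! --mark 0 \
            -j CONNMARK --save-mark
}

# Apply the rules for IPv4 and IPv6 on both chains the post lists.
apply_save_mark_rules() {
    for chain in OUTPUT FORWARD; do
        add_save_mark "$IPT" "$chain"
        add_save_mark "$IP6T" "$chain"
    done
}

# Only touch the live firewall when this is actually running as root on a box
# that has iptables; a failure is reported but does not abort the firewall script.
if [ "$(id -u)" = 0 ] && command -v "$IPT" >/dev/null 2>&1; then
    apply_save_mark_rules || echo "warning: could not install CONNMARK save-mark rules" >&2
fi
```

Paste the whole block into Administration -> Scripts -> Firewall. Tomato rebuilds its tables whenever the firewall is restarted, so the -C check mostly matters when the script is run again by hand from Tools -> System Commands.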
  20. SNR

    SNR Addicted to LI Member


    While going about fixing QoS, perhaps you or @kille72 or @pedro311 can address this issue?

    "enabling then disabling QoS deletes traffic control rules for vlan2 interface" in the Bandwidth Limiter


    This is still happening in FreshTomato-ARM v2018.2 ...

  21. SNR

    SNR Addicted to LI Member

    Agreed, thanks guys! I just donated "10-50" :cool:

    Should keep you in pizza and beer for a few days...
    eahm and kille72 like this.
  22. AndreDVJ

    AndreDVJ LI Guru Member

    I honestly don't know if they can be fixed, but at glance, they shouldn't co-exist.

    Bandwidth Limiter and QoS are sort of distant cousins, because they set rules in iptables, and rely on Linux's traffic control, but they don't really cooperate with each other. In fact they clash badly.

    The only thing they really have in common, is the maximum bandwidth limiter.

    One feature breaks the other. Enabling Bandwidth Limiter breaks QoS, and vice-versa.

    To co-exist, both qos.c and new_qoslimit.c should be rewritten from the ground up, which I don't think anyone here can do that.
    kille72 likes this.
  23. SNR

    SNR Addicted to LI Member

    From a user perspective, presenting options on one page that have the ability to silently affect options on another page is a bad thing.

    Without trying to make the two features coexist, perhaps the checkbox handlers on the QoS and Bandwidth Limiter pages can be tweaked to actually prevent them from being enabled at the same time? And looking closely at the two feature's pages, that seems to be the original intent of the current design (even if not strictly necessary from a technical standpoint). But some of the old timers here may have a different understanding of this...

    In any case, the checkbox handlers for both pages could be tweaked to first check to see if the opposite feature is enabled, and if so, put up a dialog notifying the user that it will be necessary to disable the opposite item first. If the user consents to that, then go for it. If not, then you've probably saved them (and yourself) further troubleshooting effort trying to decipher what went wrong by enabling or disabling one while the other was already enabled...

    I am not an ASP programmer and really can't contribute to fixing this in the firmware itself. But it seems the issue could probably be addressed with a script? But first users would need to be made aware of the potential issue, which means that devs would probably need to agree on the intent behind the current design. Hopefully someone else with more insight on that can chime in here.
    kille72 likes this.
  24. kille72

    kille72 LI Guru Member

    I will compile a test version for you, it is in the SDK6 list:
    $ make help
    ASUS ARM Builds - RT-N18U, RT-AC56U, RT-AC68U, RT-AC68R, RT-AC68P
    ac68e         RT-N18U/AC56U/AC68U(R/P) build VPN
    ac68z         RT-N18U/AC56U/AC68U(R/P) build AIO
    n18e          RT-N18U/AC56S without SMP build VPN
    n18z          RT-N18U/AC56S without SMP build AIO
    TENDA ARM Builds
    ac15          Tenda AC15
    DLINK ARM Builds
    dir868l       DLINK DIR868L
    NETGEAR ARM Builds
    r7000e        R7000/R6300v2/R6250 build VPN
    r7000z        R7000/R6300v2/R6250 build AIO
    r6400e        R6400 build VPN - 128K NVRAM
    r6400z        R6400 build AIO - 128K NVRAM
    r7000init     R7000 init build
    r6250init     R6250 init build
    r6300v2init   R6300v2 init build
    r6400init     R6400 init build
    Xiaomi ARM Builds
    r1do          R1D custom build
    HUAWEI ARM Builds
    ws880e        WS880 build VPN
    ws880z        WS880 build AIO
    BUFFALO ARM Builds
    wzr1750e      WZR-1750DHP build VPN
    wzr1750z      WZR-1750DHP build AIO
    LINKSYS ARM Builds
    ea6700e       EA6700/EA6400/EA6500v2/EA6900 build VPN
    ea6700z       EA6700/EA6400/EA6500v2/EA6900 build AIO
    Last edited: Apr 22, 2018
  25. kille72

    kille72 LI Guru Member

  26. sac7000

    sac7000 Serious Server Member

    New wireless driver for SDK6 (Fixed KRACK vulnerability)
    When it will be???
  27. Mihai Olimpiu-Cristian

    Mihai Olimpiu-Cristian Networkin' Nut Member

    kille72 likes this.
  28. wallyg8r

    wallyg8r Reformed Router Member

    Donation sent. Thank you for your hard work and this great software.
    kille72 likes this.
  29. kille72

    kille72 LI Guru Member

    If everything goes according to plan, I get half-done source code (Fixed KRACK vulnerability in SDK6) from Shibby tomorrow, we'll see if we can make it ready with common forces here on the forum...

    Just want to point out that SDK7 is ready, @pedro311 fixed it quite a while ago.
    WildFireSG and sac7000 like this.
  30. Ed____

    Ed____ New Member Member

    Client mode does not work on my AC3200. It connects for a second, then drops, over and over. The device list shows ETH3 for a second, then it's gone. The system log is full of dhd_prot_ioctl and other dhd errors.

    I need client mode. Is this likely to be fixed? Should I get another router? Does this work for anyone on any router FreshTomato supports?

    Bridge mode works on AsusMerlin, so it's not a hardware problem. I created an issue on Bitbucket. The forum software won't let me link to it, so here's a portion of the log.

    Jan  1 01:10:14 unknown kern.warn kernel: CONSOLE: 000610.427 wl2: link up (wl2)
    Jan  1 01:10:15 unknown kern.warn kernel: CONSOLE: 000611.428 pciedev_send_ltr:Giving up:0x302
    Jan  1 01:10:15 unknown kern.warn kernel: dhd_prot_flow_ring_create Send Flow create Req msglen flow ID 133 for peer ff:ff:ff:ff:ff:ff prio 1 ifindex 0
    Jan  1 01:10:15 unknown kern.warn kernel: dhd_prot_process_flow_ring_create_response Flow create Response status = 0 Flow 133
    Jan  1 01:10:17 unknown kern.warn kernel: dhd_flow_rings_delete_for_peer: ifindex 0
    Jan  1 01:10:17 unknown kern.warn kernel: dhd_prot_flow_ring_delete sending FLOW RING Delete req msglen 40
    Jan  1 01:10:17 unknown kern.warn kernel: dhd_bus_flow_ring_delete_request :Delete Pending
    Jan  1 01:10:17 unknown kern.warn kernel: dhd_prot_ioctl: status ret value is -17
    Jan  1 01:10:19 unknown kern.warn kernel: CONSOLE: 000615.448 wl2: link up (wl2)
    Jan  1 01:10:20 unknown kern.warn kernel: CONSOLE: 000616.428 pciedev_send_ltr:Giving up:0x302
  31. Hermes Romero

    Hermes Romero Connected Client Member

    Hi guys! Thanks again for your efforts!
    I want to report 2 issues I'm having:
    1. I cannot enable JFFS. "Error formatting JFFS. Check the logs to see if they contain more details about this error."
    2. Cannot mount a CIFS folder on a QNAP; I tried with DD-WRT and it's working fine. This used to work some time ago but in the latest versions it is not working.

    Is someone else having these issues? Any Clue?


    PS, a beer for you guys 4S139949RB3022602
    Last edited: Apr 22, 2018
    kille72 likes this.
  32. pedro311

    pedro311 Networkin' Nut Member

    Client mode has not worked since multiwan was introduced and I see a rather small opportunity to fix it.
    kille72 likes this.
  33. kille72

    kille72 LI Guru Member

    1. Only click Enable + Save. Works here:
    # df -hT
    Filesystem           Type            Size      Used Available Use% Mounted on
    /dev/root            squashfs       21.9M     21.9M         0 100% /
    devtmpfs             devtmpfs      124.8M         0    124.8M   0% /dev
    tmpfs                tmpfs         124.8M      3.5M    121.3M   3% /tmp
    devfs                tmpfs         124.8M         0    124.8M   0% /dev
    /dev/sda1            ext4            1.8G     89.6M      1.7G   5% /opt
    /dev/sda2            ext4           71.5G      7.5G     60.3G  11% /nas
    /dev/mtdblock5       jffs2          64.0M      1.6M     62.4M   3% /jffs
    2. Anyone else using CIFS? More info, logs?
  34. Hermes Romero

    Hermes Romero Connected Client Member

    That did the trick, it worked! Thanks!
    kille72 likes this.
  35. Ed____

    Ed____ New Member Member

    Can you provide a non-multiwan build? Please take whatever opportunity you do see to attempt to fix it. As far as I can tell, no firmware for this router can do this. It's a huge feature to have.
  36. kille72

    kille72 LI Guru Member

    You can try Tomato by Shibby SingleWAN v132 or Tomato by Toastman.
  37. AndreDVJ

    AndreDVJ LI Guru Member

    I understand and it's actually terrible. Even I want to have both enabled, but I don't know if Linux's packet scheduler plays well when we have both.

    Currently, I'm messing around with Bandwidth Limiter, even though I'm pretty bad with Linux's networking stack, especially tc+iptables. I make no promises I'll be able to progress, because it's incredibly time-consuming (1 test every two hours).
    pedro311 and kille72 like this.
  38. usergay

    usergay Network Newbie Member

    132 works great but it's outdated in terms of KRACK & other vulnerabilities. There isn't a way to convert your latest work into SingleWAN? Thanks
  39. koitsu

    koitsu Network Guru Member

    No there is not. Toastman attempted to do exactly that at some point with his firmware. He gave up because the amount of stuff Shibby had changed all over the place was tremendous, and a lot of it was done in very large sweeping commits (i.e. too much stuff touched in one commit), while others were spread across several tiny non-linear commits (i.e. made it very hard to tell what got changed and why and what the "correct" method/thing was); commit messages were abysmal. It was because of this that he gave up trying to import (backport) the changes.

    MultiWAN created a multitude (pun intentional) of problems. The changes were so vast and serious that other maintainers of forks basically gave up. It basically killed the whole "let's work together and communicate things so that all forks benefit from positive changes" thing that had (kind of) existed prior (an approach that is much more akin to how standard open-source software projects operate, ex. how FreeBSD + OpenBSD + NetBSD + DragonflyBSD communicate regularly and share fixes and implementation of fixes). Users are now "stuck" with MultiWAN as a result.
    Last edited: Apr 22, 2018
    Hermes Romero likes this.
  40. usergay

    usergay Network Newbie Member

    Thanks for your response. Bummer but oh well, we must appreciate what we still have today even if its somewhat problematic!
  41. Elfew

    Elfew Network Guru Member

    I disagree, because everybody can create their own project and continue it in their own way... so multiwan was a great addition even if it has brought a lot of issues and bugs - but a lot of them were fixed; the remaining ones must (should) be documented in one place, and someone should try to fix them (or write a list of known issues with multiwan). @kille72 @pedro311 @AndreDVJ and others.
    pomidor1 and kille72 like this.
  42. xips_

    xips_ Networkin' Nut Member

    2018.2 on R7000. CIFS working here using IP as UNC. Only niggle found is Bandwidth & IP Traffic calendar dates on 24 hour graph indicate a day ahead (tomorrow). Also on Real-Time graph. No biggie there. Everything else is good so far.
    pomidor1 and kille72 like this.
  43. Orwell's George

    Orwell's George Network Newbie Member

    I'd check your clock, you probably have it pointed to a NTP server that's not in your time zone.
  44. xips_

    xips_ Networkin' Nut Member

    Looks good...

    Edit: I found it! Yesterday after install, somehow my computer's clock was set ahead by something like 6 hours. I thought I adjusted it correctly, but now looking at my computer's clock, it is a day ahead. So NVM on the niggle.

    Edit²: Upon further examination it appears my Windows time sync services hung. Router NTP access works and any non connected box at FW install has NTP access. Reboot on hung NTP service box fixed issue.
    Last edited: Apr 23, 2018
  45. rgnldo

    rgnldo Networkin' Nut Member

    @kille72 version 2018.3 Transmission-bt start paused downloads. WiFi very good.
  46. The Master

    The Master Network Guru Member

    Did I miss something? .3? Maybe with DNS over TLS? YEAH.
  47. kille72

    kille72 LI Guru Member

  48. The Master

    The Master Network Guru Member

    Sorry missed that he used this beta :). Have to wait for the real one :). Keep up the good work.
    kille72 likes this.
  49. Hermes Romero

    Hermes Romero Connected Client Member

    Which NAS are you using??
  50. AndreDVJ

    AndreDVJ LI Guru Member

    The main issue I'm facing now, is with "Outbound" QoS and/or Bandwidth Limiter.

    Being pretty brief:
    • While Inbound QoS & BWL can co-exist, and they seem to work "fine".
    • Outbound QoS & BWL is a completely different scenario. They won't work together at all.
    Actually, Outbound QoS is what really matters. The strategy to keep latency and jitter under control is essentially to not request more than you can receive. The differences between them, I'm not really able to explain at the moment, as I don't have time to run tcpdump and analyze packets going in and out of br0/vlan2/ifb0 interfaces.

    I'd need to fully understand Linux's traffic control to even say whether it's possible for Outbound QoS and Outbound BWL to co-exist.

    So I could only implement something rather half-baked (though I haven't tested this yet, and I hope I still can do).
    • Outbound QoS (global) is far better than Outbound BWL (per device), as we can prioritize which traffic/protocol is most important.
    • We can de-prioritize and limit traffic of what is not important at all (e.g. Torrent)
    • While with Inbound QoS and BWL, sorta best of both worlds.
    • Usually we download far more than we upload.
    While this approach works for me, I'd rather not push this for everyone else, unless thoroughly tested and agreed.
    Last edited: Apr 24, 2018
    Elfew and kille72 like this.
  51. xips_

    xips_ Networkin' Nut Member

    No NAS. Using CIFS with rstats & cstats.
  52. srouquette

    srouquette Network Guru Member

    Does anyone else happen to have problems with DNS?

    Since I updated to 2018.2, sometimes I can't resolve a website until I refresh multiple times. It seems like dnsmasq cache is full and doesn't refresh, or something like that.

    I'm using some OpenNIC DNS (,, DNSSEC enabled, dnscrypt-proxy enabled on soltysiak.

    I'll try to use again Google's DNS and see if it's a problem with my OpenNIC DNS.

    edit: also a bit annoying to have the DNS settings on the same page as WAN settings. It kicks you out once you save the changes ^^;
  53. kille72

    kille72 LI Guru Member

    It would be good to see in syslog that Stubby has started. I'm just testing Cloudflare because we have no way to choose server yet, so I changed description:

    Cliffield likes this.
  54. Tomato Mike

    Tomato Mike Network Newbie Member

    Dude! You are describing the exact problem I mentioned last week (which went away on its own the next day, because no matter how many times I tried fixing it the day it happened, nothing worked). I wrote:

    "As of today (I upgraded to 2018.2 yesterday - and it was fine all day and night), DNS is having a hard time resolving using 'Exclusive' DNS mode on my VPN (it will work for about 10 seconds), and when the VPN is off - I can only get DNS servers like Cloudflare, Quad9, Google, etc... to resolve for a little while, and then the same web pages that were just resolving will suddenly stop for a minute. If I use my ISP's DNS, it works a little better, but the same issue happens. I have an extremely fast internet connection, and never had an issue resolving DNS before. Clearing NVRAM does not solve the problem.

    No matter what settings I choose, DNS will only resolve for 1-5 minutes, and then stop working for a while. Once I change a setting, it immediately starts working again for X amount of minutes. It's almost like a process is hanging somewhere, and me changing a setting is starting it up again - if that makes any sense.

    Also, I'm still trying to wrap my head around 'how' these websites have issues resolving after they resolved properly a minute prior. Isn't the point of dnsmasq that it caches the IP addresses, and doesn't require an external DNS server to convert the webpage to the IP, after it happens the first time? Why isn't it resolving these webpages after they resolved properly just before? Between the websites not resolving after some time, and the router all of a sudden not wanting to accept the 'Exclusive' DNS mode with my VPN (it works fine on my phone, so I know the VPN isn't 'down'), it seems as if something is very wrong with my router's DNS capabilities, all of a sudden.

    (I am using popular webpages like Reddit, Google, YouTube, Netflix, etc... to test, so I know all of these sites did not go down at the same time...)

    EDIT: This problem has seemed to resolve itself today. This isn't the first time that this has happened with Tomato, though (but usually I can fix it by switching from one DNS resolver to another). Very strange. In any case, so happy it's not happening today!!!"

    @kille72 - now that it isn't just me, is this something that you can look at? This has happened to me once or twice before, on previous firmware. It always only lasts for a day or so, and there is nothing that can be done to solve it whenever it happens, other than waiting.
  55. AndreDVJ

    AndreDVJ LI Guru Member

    Client caches DNS queries as well. Sometimes Windows' DNS client is acting up and I'm forced to issue ipconfig /flushdns. DNS cache persists across reboots.
  56. koitsu

    koitsu Network Guru Member

    Browsers also have their own DNS resolver and cache. Don't believe me? chrome://net-internals/#dns -- and Firefox has its own too -- enjoy. (And yes, it is possible to turn all this stuff off, but it's obviously on a per-system basis, which has nothing to do with Tomato)
    kille72 likes this.
  57. Tomato Mike

    Tomato Mike Network Newbie Member

    It's a Tomato problem, because the issue wasn't relegated to one computer. It happened with multiple devices on my network (my desktop, cell phone, Smart TV, and somebody else's phone). When the issue happens, it affects every device connected to the router. I even bypassed my router and connected directly from my modem to the computer (without resetting any settings on the computer), and everything worked fine. I connected back to the router, and the problem was still there. A few minutes later, it goes away for a few minutes, and then comes back, etc...

    This hasn't happened again since the day after I updated to 2018.2, but it's certainly a Tomato issue.
  58. AndreDVJ

    AndreDVJ LI Guru Member

    I'd enable Debug Mode checkbox in advanced-dhcpdns page, add log-facility=path/to/logfile.log to dnsmasq custom configuration box, and hopefully it'll capture the issues. Also having Intercept DNS port checked guarantees iptables will intercept all DNS queries going to TCP/UDP port 53, so dnsmasq will serve everyone in the LAN.

    Maybe that's the price of attempting to run bleeding-edge software in some platform not so bleeding-edge. I had my share of problems with dnsmasq recently.
    kille72 likes this.
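A way to read the log that setup produces, as an added example that is not FreshTomato's code. With Debug Mode on, dnsmasq writes one `query`, `forwarded` and `reply`/`cached` line per lookup; the names that were forwarded upstream but never answered are exactly the lookups a client sees as "can't resolve", and the per-upstream count shows whether the queries are actually reaching dnscrypt-proxy/stubby or going straight to a public resolver. The sample log embedded below is constructed for the example, not captured from a router.

```shell
#!/bin/sh
# Summarise a dnsmasq query log written via "log-facility=<file>" with Debug
# Mode (log-queries) enabled, as suggested in the post above. Added example,
# not FreshTomato code. Assumes dnsmasq's standard line formats:
#   Apr 25 10:00:01 dnsmasq[612]: query[A] host from 192.168.1.10
#   Apr 25 10:00:01 dnsmasq[612]: forwarded host to 1.1.1.1
#   Apr 25 10:00:01 dnsmasq[612]: reply host is 93.184.216.34   (or "cached host is ...")
# With awk's default whitespace split, $5 is the verb, $6 the name, $8 the upstream.

# Names that were forwarded upstream but never got a reply or cache hit:
# these are the lookups that timed out at the resolver.
unanswered_queries() {
    awk '
        $5 == "forwarded"               { fwd[$6] = 1 }
        $5 == "reply" || $5 == "cached" { rep[$6] = 1 }
        END { for (n in fwd) if (!(n in rep)) print n }
    ' "$1" | sort
}

# How many queries each upstream received, to spot a resolver taking all the
# traffic or a local dnscrypt/stubby listener that is never asked at all.
forwards_per_upstream() {
    awk '$5 == "forwarded" { n[$8]++ } END { for (u in n) print u, n[u] }' "$1" | sort
}

# Constructed sample log (not captured from a real router) for a stand-alone run.
write_sample_log() {
    cat > "$1" <<'EOF'
Apr 25 10:00:01 dnsmasq[612]: query[A] example.com from 192.168.1.10
Apr 25 10:00:01 dnsmasq[612]: forwarded example.com to 1.1.1.1
Apr 25 10:00:01 dnsmasq[612]: reply example.com is 93.184.216.34
Apr 25 10:00:05 dnsmasq[612]: query[A] reddit.com from 192.168.1.10
Apr 25 10:00:05 dnsmasq[612]: forwarded reddit.com to 1.1.1.1
Apr 25 10:00:09 dnsmasq[612]: query[A] example.com from 192.168.1.20
Apr 25 10:00:09 dnsmasq[612]: cached example.com is 93.184.216.34
Apr 25 10:00:12 dnsmasq[612]: query[A] youtube.com from 192.168.1.10
Apr 25 10:00:12 dnsmasq[612]: forwarded youtube.com to 9.9.9.9
EOF
}

# "sh thisfile.sh demo" runs the two summaries over the sample log;
# "sh thisfile.sh /tmp/dnsmasq.log" runs them over a real one.
if [ -n "${1:-}" ]; then
    if [ "$1" = demo ]; then
        log=$(mktemp)
        write_sample_log "$log"
    else
        log="$1"
    fi
    echo "forwarded but never answered:"; unanswered_queries "$log"
    echo "forwards per upstream:"; forwards_per_upstream "$log"
    [ "$1" = demo ] && rm -f "$log"
fi
```

On the sample, reddit.com and youtube.com are the unanswered names, so the next place to look is whatever sits behind 1.1.1.1 and 9.9.9.9 in that setup (the dnscrypt-proxy or stubby listener, or the WAN itself), not the browser cache.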
  59. AndreDVJ

    AndreDVJ LI Guru Member

    @SNR (and whomever this may concern), would you like to test what I proposed so far?
    • Inbound QoS+BWL should work together.
    • Outbound QoS takes precedence over Outbound BWL (i.e. will overwrite).
    • If QoS is disabled while BWL is enabled, there's a warning suggesting to restart BWL by clicking "Save".
    For now I tried to keep changes as minimum as possible.
    edusodanos and kille72 like this.
  60. srouquette

    srouquette Network Guru Member

    Thanks, I'll grab those logs and will report back.
    I already have "intercept dns" enabled.

    I don't think it's a problem with the browser, because an unvisited page will fail to resolve, unless I refresh multiple times. But after resolving, it works. I didn't have this problem with 2017.3.
  61. sszpila

    sszpila Serious Server Member

    Do you use dnscrypt-proxy? I had a similar problem. DNS stops working at all. When this happened, my log was flooded with "dnscrypt-proxy: (UDP) resolver timeout". As a quick fix, I had to switch to another DNS resolver. I use torrents, maybe connections from the torrent client kill dnscrypt-proxy or flood the resolver...

    Then I switched to DNS over TCP with stubby and all my DNS problems are gone.

    srouquette likes this.
  62. srouquette

    srouquette Network Guru Member

    yeah I also had this problem with 2017.3, I thought it was my ISP because I also lost connection.
    Is there a plan to integrate stubby officially? (I read there was a beta build floating around)
  63. kille72

    kille72 LI Guru Member

    I think that resolver timeout is due to problems with dnscrypt-proxy servers, when i used dnscrypt + ipredator, I experienced no problems.

    Yes, we plan to implement DNS-over-TLS in Tomato. Everything is almost done, what we have to fix is being able to choose servers, so far I'm testing Cloudflare and it works well! Some ideas how this can be done? Code:

    Last edited: Apr 25, 2018
    Joe A and koitsu like this.
  64. kille72

    kille72 LI Guru Member

    @Cliffield, you are a programmer I see, hihi :p Good job!
    Last edited: Apr 25, 2018
  65. Cliffield

    Cliffield Network Newbie Member

    Does not work completely! The main part need to be done. :(

    I had an idea but due to my lack of coding knowledge it doesn't work. Maybe we can get it done, or find another solution, in cooperation.

    Inspired by the dnscrypt solution i tried following:

    - comment out every DNS resolver in stubby.yml
    ## service
    #  - address_data: ...
    #     tls_auth_name: ...
    ## service 2
    during build process:
    - www/stubby-helper.sh parses stubby.yaml for /^## / and add all found services to www/basic-network.asp (substitute '_stubby_resolvers_') like dnscrypt-helper.sh does. This works so far.

    on router: if nvram variable stubby_proxy == 1 do:
    - during startup of dnsmasq ' rm /etc/stubby.yml' and copy /rom/etc/stubby.yml to /etc/stubby.yml (rc/services.c)

    - do somethink like:
    "sed -i '/^## service/,/^##/ s/^#//' /etc/stubby.yml"
    (for service use nvram variable "stubby_resolver". This will remove the beginning #'s from every line starting with the line with the defined service (stubby_resolver e.g. Cloudflare) till the next line starting with ## . (rc/services.c)

    The 'sed' command works on the shell, but I don't know how to implement something like this in rc/service.c.
    Maybe the idea to use 'sed' is bad, but I don't know C, just some low end bash scripting and scripting languages.

    Last edited: Apr 25, 2018
    kille72 likes this.
  66. kille72

    kille72 LI Guru Member

    I'll talk to @pedro311 and see if he has any ideas.
    Cliffield likes this.
  67. Sean B.

    Sean B. LI Guru Member

    Don't copy, just symlink it:

    Shell version:
    ln -s /rom/etc/stubby.yml /etc/stubby.yml
    Tomato code version:
    symlink("/rom/etc/stubby.yml", "/etc/stubby.yml");
    Code the function so that it first unlinks the file, then add's the changes, then creates the link. Then any time it's edited and saved in the GUI, rc will unlink-change-relink.
    Cliffield likes this.
  68. Tomato Mike

    Tomato Mike Network Newbie Member

    I was not using dnscrypt-proxy this last time that it happened. In the past (last year), I was, and I had to turn it off to fix the issue. This time, I wasn’t using it and even turning it on did not help. I had seriously tried every combination of things, but nothing solved the problem except turning the router off and waiting until the next day. If it happens again, I will try to enable debug mode and capture the issue better.

    I am VERY much looking forward to Stubby being included on the build for the R8000. I think this may solve my problems entirely.
  69. Cliffield

    Cliffield Network Newbie Member


    Just an idea, don't know if it's better or even possible :D

    Instead of altering stubby.yml we could create the file from scratch during start of dnsmasq and ship an additional file with the upstream resolvers.
    This approach seems more flexible for future introductions of config parameters, like stubby_port or stubby_authentification_method.

    - stubby-resolvers.xyz has all the possible resolvers stored
    - read desired resolver info from stubby-resolvers.xyz
    - empty stubby.yml getting created during start of dnsmasq if stubby_proxy == 1
    - write config to stubby.yml
    - write desired resolver to stubby.yml
    - start stubby

    if (nvram_match("stubby_proxy", "1")) {
           FILE *f;
           // insert code for getting desired upstream server from additional file; but that's over my head :-(
           f = fopen("/etc/stubby.yml", "w");  // open stubby.yml for write
           if (f == NULL) return;              // could not create the file
           fprintf(f, "tls_authentication: GETDNS_AUTHENTICATION_%s\n", nvram_safe_get("stubby_authentification")); // stubby_authentification = NONE or REQUIRED
           fprintf(f, "listen_addresses:\n"
                      "  - 127.0.0.1@%s\n", nvram_safe_get("stubby_port")); // stubby_port = 5453 or defined in GUI
           // write other configurations to file
           // write desired upstream server to file
           fclose(f);                          // flush the file before stubby reads it
           eval("stubby", "-g", "-C", "/etc/stubby.yml");
    }
    But it does not solve the current problem.

    Elfew likes this.
  70. sszpila

    sszpila Serious Server Member

    And how about using more than one resolver? For example, I use two Cloudflare resolvers: and for backup, and the option to round-robin between all configured upstream servers. Stubby can use more than one resolver.

    Sent from my Redmi 4X using Tapatalk
  71. pedro311

    pedro311 Networkin' Nut Member

    Guys, just to let you know:

    FreshTomato-MIPS Changelog
    2018.1.064-beta 2018-04-27
    - kernel: patch kernel against CVE-2016-10229
    - kernel: disable router anycast address for /127 and /128 prefixes
    - kernel: resolve force_igmp_version ignored when a IGMPv3 query received
    - kernel: igmp: add a missing spin_lock_init()
    - kernel: igmp: acquire pmc lock for ip_mc_clear_src()
    - kernel: proc/sysctl: fix the int overflow for jiffies conversion
    - kernel: net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given
    - flac: update to 1.3.2
    - libxml2: update to 2.9.3
    - libpng: update to 1.2.57
    - libcurl: update to 7.59.0
    - pcre: update to 8.42
    - nano: update to 2.9.5
    - libsodium: update to 1.0.15
    - Tor: update to
    - OpenVPN: update to 2.4.5
    - dnscrypt-proxy: update to 1.9.5
    - dnsmasq: update to 2.79
    - adminer: update to 4.6.2 2018-02-20 (only English)
    - uqmi: updated to uqmi-8ceeab6
    - lzo: update to 2.10
    - libcurl: update CA certificate bundle as of 2018-03-07
    - libexif: update to 0.6.21
    - libogg: update to 1.3.3
    - libvorbis: update to 1.3.6
    - libusb: update to 1.0.22
    - pptpd: update to 1.4.0
    - rp-pppoe: update to 3.12
    - ntfs-3g: update to 2017.3.23
    - sqlite: update to 3.23.1
    - GUI: OpenVPN: add LZ4, NCP and auth digest support
    - GUI: IP Traffic and Bandwidth monitors: add possibility to change unit of displayed speeds (kbit/KB and Mbit/MB)
    - GUI: QoS/BW Limiter: increase the maximum number of digits in speed fields to 8
    - GUI: add possibility to select LTE band and roaming on 4G/LTE connection
    - libcurl: size optimization (disable proxy and libcurl output options)
    - OpenVPN: change configuration option 'tls-remote' to 'remote-cert-tls', because 'tls-remote' is deprecated or even removed in newest openvpn version
    - OpenVPN client: fixed issue #136: added 'route-noexec' to client configuration to prevent DNS leaks
    - OpenVPN: change default client's remote/local IPs, so each is different
    - OpenVPN: change default remote/local IPs/subnet for servers, so each is different
    - switch3g/4g, watchdog: fix modem recognition, logic of watchdog
    - switch4g: improved/fixed QMI modem support
    - busybox: drop modules.dep path hack, it isn't required
    - busybox: add hostname applet, required by some Entware packages
    - minidlna: add persistent uuid based on router's mac
    - Miniupnpd: [PATCH] Tomato Specific: Enable Miniupnpd portinuse check
    - Makefile: disable RAID (mdadm binary) on AIO (z) and Mega-VPN (o) targets
    - router/Makefile: remove dependencies from various install recipes, to reduce the amount of double (and triple) recompile during build
    - flac: fix compilation on Mint x64
    - nfs-utils: PATCH exportfs: getexportent interprets -test-client- as default options
    - rc/ppp.c: typo
    - rc/pptp_client.c: add pptp-client user/pass quotation (fix issue #148)
    - rc/services.c: [PATCH] REVERT: Do not write out 'no-dhcp-interface' in dnsmasq.conf
    - rc/services.c: SIGINT seems to be issued too soon against dnsmasq - wait one second before doing so
    - rc/services.c: correct val for unlink
    - rc/services.c: avoid concurrent connections
    - rc/tor.c: removed deprecated option from config (AllowUnverifiedNodes)
    - rc/tor.c: add localhost ports and .onion support; disable IPv6 names resolution for onion domains by default;
      enable LAN pool for clients; add AvoidDiskWrites option to config
    - rc/wan.c: fix typos, redial period for pppd
    - rc/wan.c: move l2tp route fix to preset_wan
    - rc/wan.c: don't terminate xl2tpd on every ppp start
    - rc/wan.c: dnsmasq process was receiving a second SIGINT signal. Instead of triggering another DNSSEC time checking, it was killing process
    - rc/wan.c: start adblock only when wan is up
    - rc/wan.c: fix boot with only secondary/etc wan active (assume current wan is primary if previous is not up)
    - rc/wan.c: adblock improvements, just start once
    - rc/wan.c: cleanup
    - rc/watchdog.c: changed one of connection checkers from wget to curl; now this is a recommended method for LTE connections
    - fix "Enable DSCP Fix", and make it MultiWan aware *
    - fix ntpc for mwan
    - ipv4: Resolve force_igmp_version ignored when a IGMPv3 query received
    - upnp: external and internal port arguments are swapped in miniupnpd's config file
    - Code cleanup/improvements
    - Make igmpproxy MWAN-friendly (It flooded logs when only secondary wan was connected)
    - Improve vpnrouting and switch3g script logic, other small changes
    - tinc: Add daemon poll option to check if the daemon is running, Similar to OpenVPN
    - Revert: GUI: fix problem with passing Tagged/UNtagged on same port when using default vlan (Not working as intended/has problems)
    2018.1.010-beta 2018-04-15
    not public
    - dnsmasq: update to 2.78
    - nano: update to 2.8.1
    - ncurses: update to 6.1
    - transmission: update to 2.93
    - php: update to 5.6.33
    - GUI: fix issue with too short field for DNS 1/DNS 2
    - GUI: fix problem with passing Tagged/UNtagged on same port when using default vlan
    - E2500/3200: change nvram size to 32kB, to prevent the 5GHz radio from disappearing
    - sqlite: update to 3.23.1

    Campigenus, M_ars, maurer and 9 others like this.
  72. pomidor1

    pomidor1 Networkin' Nut Member

    Wouldn't it connect matters? Maybe it's justified to start a new thread for FreshTomato mipsel?
    Dhaval Shah likes this.
  73. txnative

    txnative Addicted to LI Member

    I agree with starting a new thread on freshtomato-mipsel, for obvious reasons of course.
  74. Elfew

    Elfew Network Guru Member

    @pedro311 - that's great news for MIPS users :) thank you! I still have one RT-16n device in my drawer, maybe I will use it again :)
  75. somms

    somms Network Guru Member

  76. eangulus

    eangulus Network Guru Member

  77. eangulus

    eangulus Network Guru Member

    Will the MIPSR1 work with RT-N16?
  78. koitsu

    koitsu Network Guru Member

    RT-N16 is MIPSR2.
  79. txnative

    txnative Addicted to LI Member

    I always found it easier to use QoS to do such a task as BWL; dd-wrt has it done almost the same, except without using another GUI to go through, basically on the same page, but it does work as well as intended. I guess since BWL is part of the code there's probably not much to do about removing it and using QoS as part of limiting bandwidth per IP or MAC or range (I suppose).

    On a different subject, on the advancedtomato-arm you (AndreDVJ) are maintaining, my question is on the QoS part: in freshtomato-kille72 the QoS shows the increment values, calculated when adjusting, when number values are placed in outbound and inbound. Is this the same on your advancedtomato-arm? If not, in what directory do I find and adjust the code? Regards
    Last edited: Apr 26, 2018
  80. WildFireSG

    WildFireSG Addicted to LI Member

    Hi. Thank you for the MIPS work!! Unfortunately, I don't see the bits for 2018.1.064-beta 2018-04-27 on your site. Have they been uploaded?
  81. pedro311

    pedro311 Networkin' Nut Member

    Patience, please ;)
    WildFireSG and Elfew like this.
  82. monoton

    monoton Serious Server Member

    Well, the bandwidth limiter is way more useful than QoS in my opinion, especially when dealing with a bunch of people downloading Torrents.

    Each VLAN can have its own Download rate, Download Ceil, Upload rate, Upload Ceil and priority.

    Here's some words from Victek from 2008:

    Dl Rate . Here we enter the desired minimum downlink speed of the PC when all other PCs on the list are also downloading. The router will try to ensure that the PC gets at least this much bandwidth allocated.
    What does this mean? It means that the sum total of this column for all PCs on the list should not overcome the total "Download Bandwidth."
    If the amount exceeds this "Download Bandwidth", the entered data will serve no purpose when all the PC's are downloading data.
    Also take into account that if you entered an IP which is connected via wifi, due to the conditions of propagation and signal quality, is possible that the PC will be unable to reach the speed entered in this box. For example, writing a speed of 10000kbps in this box when the wireless connection only allows a maximum (theoretical) speed of 5000kbps.

    Dl Ceiling This will be the maximum download speed that the PC is going to achieve when extra bandwidth is available because other PC's on the network are inactive or not utilizing their own bandwidth figures.

    Example 1

    Speed downlink connection = 16000 kbps.

    PC1 Dl Rate 4000 Dl ceil 7000kbps
    PC2 Dl Rate 4000 Dl ceil 9000kbps

    Behavior (assuming that the conditions are suitable to achieve maximum speed)

    PC1 begins to download and as yet has not begun PC2 reaches a maximum speed of 7000kbps download.
    PC2 starts downloading and reaches a speed of 9000kbps.

    The amount of download Ceil for both PCs = 16000kbps.

    Example 2

    Speed downlink connection = 16000 kbps.

    PC1 Dl Rate 4000 Dl ceil 7000kbps
    PC2 Dl Rate 4000 Dl ceil 9000kbps
    PC3 Dl Rate 8000 Dl ceil 9000kbps

    PC1 begins to download and as yet has not begun PC2 and PC3 reaches a maximum speed of 7000kbps download.
    PC2 starts after downloading and reaches a speed of 9000kbps.
    PC3 begins to download ... and the speed of PC1 to drops to 4000, the speed of PC2 drops to 4000 and speed of PC3 will settle at 8000kbps, total = 16000kbps.

    Example 3

    Speed downlink connection = 16000 kbps.

    PC1 Dl Rate 4000 Dl ceil 7000kbps
    PC2 Dl Rate 4000 Dl ceil 9000kbps
    PC3 Dl Rate 4000 Dl ceil 9000kbps

    PC1 begins to download and as PC2 has not yet started downloading, reaches a maximum speed of 7000kbps download.
    PC2 starts downloading and reaches a speed of 9000kbps.
    PC3 begins to download ... and the speed of PC1 goes down to 1/3 of the maximum speed, PC2 also to 1/3 of the maximum speed and the speed of PC3 is also 1/3, Total = 16000kbps. Why? - because the sum of the Dl Ceilings exceeds the maximum download rate and the Dl Rate is the same for all three PCs.


    UL Rate - Like DL Rate but to upload.
    UP Ceiling - Like the Dl Ceiling but to upload.

    Behaviour for UL Rate and UL Ceiling will be the same as the download settings.

    Priority - This is a very important function. It affects the position of the rule in the router’s netfilter, therefore the higher the priority the PC over the rest in DNS traffic, http, games ... (mainly). It improves ping times, but only because it is earlier than other PCs in the netfilter, not because of other circumstances.
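    Victek's three examples are instances of one sharing rule, which the following added example (my code, not Tomato's rc/new_qoslimit.c) models in C: it assumes a simplified HTB rate/ceil behaviour where every active entry first gets its Dl Rate, the leftover link bandwidth is split in proportion to each entry's rate, and no entry exceeds its Dl Ceiling. The bwl_entry/bwl_share/victek_example names and the 16000 kbps figures are constructed from the examples above.

```c
#include <stdio.h>

/* Simplified HTB rate/ceil model assumed for this example: guarantees first,
   then proportional water-filling of the excess, never exceeding a ceil. */
struct bwl_entry {
    const char *name;
    int rate, ceil;   /* Dl Rate (guaranteed) and Dl Ceiling (maximum), kbps */
    int active;       /* 1 if this PC is currently downloading */
    int got;          /* result: bandwidth actually allocated, kbps */
};

/* Allocates `link` kbps among the active entries and returns the total handed
   out. If the active rates alone exceed `link` (the case Victek warns about),
   the return value is above `link`, showing the oversubscription. */
int bwl_share(struct bwl_entry *e, int n, int link)
{
    int total = 0, i;

    /* step 1: every active entry gets its guaranteed rate (capped by its ceil) */
    for (i = 0; i < n; i++) {
        e[i].got = e[i].active ? (e[i].rate < e[i].ceil ? e[i].rate : e[i].ceil) : 0;
        total += e[i].got;
    }
    /* step 2: share the excess in proportion to rate, repeating while a ceil is hit */
    for (;;) {
        int left = link - total, rsum = 0, progress = 0;
        if (left <= 0)
            break;
        for (i = 0; i < n; i++)
            if (e[i].active && e[i].got < e[i].ceil)
                rsum += e[i].rate;
        if (rsum == 0)
            break;                     /* everyone who wants more is at its ceil */
        for (i = 0; i < n; i++) {
            int add;
            if (!e[i].active || e[i].got >= e[i].ceil)
                continue;
            add = (int)((long long)left * e[i].rate / rsum);
            if (add > e[i].ceil - e[i].got)
                add = e[i].ceil - e[i].got;
            if (add > 0) {
                e[i].got += add;
                total += add;
                progress = 1;
            }
        }
        if (!progress)
            break;                     /* only an integer rounding remainder is left */
    }
    return total;
}

/* Reproduces Victek's Example 1, 2 or 3 on a 16000 kbps downlink and returns
   what PC `pc` (0-based) gets once every listed PC is downloading. */
int victek_example(int example, int pc)
{
    struct bwl_entry e[3] = {
        {"PC1", 4000, 7000, 1, 0},
        {"PC2", 4000, 9000, 1, 0},
        {"PC3", 4000, 9000, 1, 0},
    };
    if (example == 1) e[2].active = 0;   /* Example 1 has no PC3 */
    if (example == 2) e[2].rate = 8000;  /* Example 2: PC3 Dl Rate 8000 */
    bwl_share(e, 3, 16000);
    return e[pc].got;
}
```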

  83. kille72

    kille72 LI Guru Member

    Elfew, Aardvark and txnative like this.
  84. txnative

    txnative Addicted to LI Member

    That is a 10-year-old thread; setting up BWL isn't the problem, and when using QoS, priority doesn't pertain to just a single PC or user. Everyone benefits from QoS when implemented correctly.
  85. monoton

    monoton Serious Server Member

    Yes, that thread is 10 years old, but from my testing the bandwidth limiting still seems to work as explained in that thread. If not, I would very much like to know what differs.

    Then there's the ease of use. Say you've got a 100000kbit/s connection in a household with 20 devices: just set Download rate to 5000kbit/s and Download Ceil to 100000kbit/s on that network and all devices will have at least 5000kbit/s each, no need for QoS unless I'm missing something and the bandwidth limiter works completely differently.

    This seems to work over here at least. I start a bunch of torrents that take up all the bandwidth by themselves on the PC, and the other devices will still get the minimum of 5000kbit/s each if they need it, by lowering the bandwidth of the PC with the torrents.
  86. koitsu

    koitsu Network Guru Member

    Yes, the short of it is this: Bandwidth Limiter != QoS. There are pros and cons to both. They cannot be used together, and they do not do the same thing. QoS is also a lot more complicated and intensive (CPU-wise). The user must know exactly what their goal and needs are to decide which of the two to choose.
  87. AndreDVJ

    AndreDVJ LI Guru Member

    Essentially, Inbound QoS and BWL are applied against different network interfaces (ifb0 and br0, respectively).

    Outbound QoS and BWL, rules are applied against vlan2 or whatever interface received from wan_iface variable in nvram.

    To truly fix this, someone must be very familiar with Linux's traffic control, qdiscs, classes, etc. which I am not, and so far all my attempts to make them co-exist did not work. Typing the rules by hand doesn't do anything.

    So there must be a different strategy if QoS and BWL is to co-exist. I don't know if the kernel we have is helping at all.

    Script for QoS is generated from line 510 in ~/release/src-rt-6.x.4708/router/rc/qos.c, and for BWL from line 334 in ~/release/src-rt-6.x.4708/router/rc/new_qoslimit.c. They are different binaries.

    I ran out of time, and will be away for 2 months or so. I can't look into this anymore for the time being.
  88. txnative

    txnative Addicted to LI Member

    Thanks Andre for that information, and for the record I know BWL works, it just doesn't work together with QoS at the same time. My apologies if I implied to remove it. I agree with you koitsu, and I've been using Tomato QoS for a few years now; I had used openwrt/lede, dd-wrt and ofw but came back to Tomato for its natural feel, unlike having scripts in place where all a user has to do is set the upload and download speeds, kinda too easy; how do you learn from that?
  89. txnative

    txnative Addicted to LI Member

    ooops made a double post. Forgive me
  90. WildFireSG

    WildFireSG Addicted to LI Member

    My apologies. Plenty of patience over here ;) I thought maybe I was missing something.

    Thanks again!
  91. AndreDVJ

    AndreDVJ LI Guru Member

    I'm compiling right now, as I'm running something less than ideal build on my R7000 at the moment, and updated some components with the latest and greatest (miniupnpd/dnsmasq/openvpn) and I hope they don't act up as I won't have time to extensively test these builds.
  92. txnative

    txnative Addicted to LI Member

    I don't know exactly what to call it, but it's when a user places the upload or download value in and the increment numbers automatically change to something like 5% 100% 34 - 700kbits. Do you have your advancedtomato done the same?

    If you can share the directory, maybe I can figure out what to change. Have a good time away, regards
    Last edited: Apr 27, 2018
  93. AndreDVJ

    AndreDVJ LI Guru Member

    I don't recall anything changing dynamically in Tomato. QoS should be the same as Kille72's builds.

    To actually get started, copy the scripts QoS and BWL generate to a USB drive:
    • /etc/wan_qos
    • /etc/qoslimit
    These are the files created by QoS and BWL, respectively, when enabled.

    They're shell scripts, and you can execute them any time you want, so you may modify them to get a grasp how traffic control is called.
    NotVeryClever likes this.
  94. txnative

    txnative Addicted to LI Member

    I've been wanting to ask about the QoS since I used Jacky's E3200 build; the QoS didn't have that function, however the build did work very well. Great that you've done what you did so far, investigating a fix for BWL. I'm currently using an R6300v2CH build, which has the same hardware and specs as the R6300v2; anyways, I can troubleshoot a test build for that model whenever you might have one ready, just drop a link to download it. Maybe find a fix and get them to coexist. Regards
  95. AndreDVJ

    AndreDVJ LI Guru Member

    @txnative Uploaded all Netgears and Asus' builds I was asked. R7000 is all I have for SDK6 builds, but should work.
    txnative and pomidor1 like this.
  96. oby-1k

    oby-1k Network Newbie Member

    This build is working as a charm @AndreDVJ . I've enabled QoS again with no issues. Thank you!!!

    Will keep you in the loop in case I've found something on my R7000.

    Amazing job you and the other guys are doing. Appreciate everyone's effort on keeping Tomato alive (and updated)!
  97. txnative

    txnative Addicted to LI Member

    I'll also do some testing on a R6300v2 as well.
  98. Magnus

    Magnus Connected Client Member

    What about the speed of usb 3.0 and LAN 1000? Still slower than the stock one from Asus? Anyone can connect hdd to usb 3.0 port of router and download file from this hdd to windows desktop? What is the download speed?
  99. lignicolos

    lignicolos Network Guru Member

    Hello, quick question. Does this firmware allow me to use my iPhone via USB tethering as the WAN source?
  100. pegasus123

    pegasus123 Addicted to LI Member

    Looks like there was a QOS bug with the 2018.2 version, the inbound always defaults to default. i have reverted back to 2017.3 version for now.

    to replicate just enable QOS in default settings and observe the classification