[Fork] FreshTomato-MIPS

Discussion in 'Tomato Firmware' started by kille72, Apr 26, 2018.

  1. digixmax

    digixmax LI Guru Member

    The introduction of Multi-WAN also brought in some bugs that remain until this day -- e.g., the Default Gateway and Static DNS settings became ineffective for some configurations such as with Wireless Ethernet Bridge mode.

    I too wish that there are non Multi-WAN builds.
  2. kernel-panic69

    kernel-panic69 Connected Client Member

    Then that is definitely not proper behavior, which is why I asked. It should give out static and dhcp-served IP addresses. I do know that BusyBox is an older version in FT, so that may be part of the issue. It could also be a dnsmasq / UI issue contributing as well. I am currently working on getting things ready to merge the latest BusyBox git (and hope everything still works), have had to take a break because I can't stare at source code when I am sick as a dog.

    If you are coming from another mod of Tomato, OEM firmware, DD-WRT, etc. it is a generally good practice to wipe the nvram. I have not noticed that much in changes since I have been testing FT to necessitate doing it again... but I had previously reverted my test device to stock from DD-WRT.

    Multi-WAN can be turned on or off (?) -- I am not using it, and last I recall, you *had* to do something for it to go into Multi-WAN mode. If you're not using it, then what is the problem, other than any possible bugs or glitches? I completely understand where you are coming from, though.

    As far as the wireless client situation, why would the client need to set encryption when the AP handles that? If you're worried about KRACK attacks, well, let's just say that the only attempt I have seen at fixing that issue pretty much breaks wireless and causes issues... but I am not entirely sure of any such fix in any version of Tomato at present. That would be up to @pedro311 or @kille72 or any of the other development contributors to answer...
    Last edited: Jan 28, 2019
    pharma likes this.
  3. Sean B.

    Sean B. LI Guru Member

    I noticed that about his statement as well. However, I believe it to be caused by the situation. When clicking save in the GUI the NVRAM variables used to store received DNS server IPs are cleared as part of the init process of the related services restarting, but I don't think the WAN DHCP connection is released/renewed at the same time. If he was to release/renew the WAN after enabling the "Use received DNS" option so the variables are repopulated, correct functionality would likely be seen. I may be incorrect, however with no one having reported this as an issue by now, either I'm right or no one really uses the option anyway.
    kernel-panic69 likes this.
  4. digixmax

    digixmax LI Guru Member

    I am most concerned about by-product bugs/glitches, but also about the consequence of the increase in flash and/or nvram size requirements for common build types (e.g., VPN) exceeding the capacity of some older router models. I have a WNR3500L with 8MB flash on which I used to be able to run a BT-VPN build prior to the Multi-WAN introduction; now the only build type I can find to fit on it is MiniIPv6.
    Last edited: Jan 28, 2019
    danielhaden and kernel-panic69 like this.
  5. Mikael Bak

    Mikael Bak New Member Member

    Yes, I know. I'm not talking about coming from stock or DD-WRT or whatever. That should be obvious from my original post, I think.

    My main Multi-WAN annoyance is basically that it drains nvram resources. It does not help to turn it off or not use it actively. It'll still use nvram since the nvram variables have to be defined and hold default values. At least this is how I understand it works. Please correct me if I'm wrong.

    Perhaps for some targets it would be good to have builds without multiwan. If that is even possible.
    danielhaden and kernel-panic69 like this.
  6. filipedonato

    filipedonato Connected Client Member

    What is the command to turn off all the LEDs on the router?
    I need to go to the tab: ADMINISTRATION - BUTTONS / LED
    (router belkin n600)
  7. aehimself

    aehimself New Member Member

    I am aware that network delays can prevent valuable information from being written to the log file, but as my (unmodified) WRT54GL does not have USB ports I don't have much choice.
    As for the instructions they are clear as water thank you very much for that! Unfortunately I have no CIFS (only JFFS) client... I guess the mini build does not include it.
  8. danielhaden

    danielhaden Network Guru Member

    I wish there was a non-multiwan option with vastly simplified QOS only 5 rules.
    In other words, De-Bloat
  9. lancethepants

    lancethepants Network Guru Member

    In what environment and workload has this "auto" qos been tested? Toastman's rules have been in apartment complexes with dozens of clients, some of which would saturate everything with torrents. Does this hold up to this sort of environment?
    Techie007 likes this.
  10. the_tourist

    the_tourist Network Newbie Member

    It is true that your "vastly simplified QOS only 5 rules" is fast...

    I adapted your rules on my RT-N66U which runs under "Merlin LTS fork".
    I only added one "High" (2nd) priority entry for the mac address of my VOIP interface.

    I adjusted the "Up Bandwidth" to 75% of the minimum I observed (after several tests) and the "Down Bandwidth" to 85% of the minimum also observed. It is also these settings that give me (after many tests) the lowest average Bufferbloat results in ms, in the detailed results of "dslreports": http://www.dslreports.com/speedtest/45507411

    I have a constant rating of "A+" since I made these adjustments.

    I find that the reactivity of my Internet browsing has improved significantly.

    Nice work.
    danielhaden, pharma and Señor Nimda like this.
  11. danielhaden

    danielhaden Network Guru Member

    Today, mips router, apartments, 7 devices ea, 50 connections ea = 6 dozen devices = just 10 apartments.
    A model based on just 1 pc per apartment, is outdated.

    With modern use, it seems that Mips routers aren't supporting apartment complexes; so, the little 5 rule QOS meets the more modern expectation of more efficiency and much more speed.
    Since it isn't pedantic, it doesn't require continuous update labor from the developers (because it doesn't get out of date).
    Of course, the auto QOS is somewhat smaller; however, the bandwidth overhead cost is near zero--you put in your actual line rates, and you get all of the speed that you paid for.
    And, with the lighter cpu load as well as less packet loss, there's far less lag.

    Given that the little mips cpu now/currently has a higher throughput job with a smaller number of clients (opposite of Toastman's scenario), one way to make the QOS fit the new (and relevant) task is to get the job done on 5 rules. If those are efficient and generic, then they're maintenance-free, won't get out of date, won't burden the cpu or developers.

    For torrents, steam, microsoft bandwidth theft, tor and typical iot retry-runaway, there's a different tool for the job:
    iptables -I INPUT -s -m connlimit --connlimit-mask 32 --connlimit-above 260 -j REJECT
    With that protection, a wee little old mips router could support 14 clients torrenting full speed simultaneously.
    *Although slightly less transparent at lower figures, the connlimit can be lowered to 50 for supporting up to 6 dozen clients. If using a short connlimit, you'd also need short timeouts, such as 5 minutes for tcp, 45 seconds for udp.

    Meanwhile, back to QOS...
    A major factor is that all qos rules are slowdown rules, so adding enough rules to please everyone has the most unfortunate consequence--slowing down everything. That's not how to use a mips cpu.

    The proposal is to have, off, auto, manual, as radio buttons. So, this doesn't mean losing the old qos. What it means is loading presets from a file rather than storing in nvram. And, for the first time, you have an auto QOS available that works by timing, not bandwidth overhead. But, the simple radio buttons are the real magic. The loading of presets prevents/reduces the error of somebody else demanding another default rule that slows down your different usage scenario.

    Also, for ending QOS rule debates/disasters, it may be necessary to outright replace the out-of-date qos with a modern version, like gargoyle's recently published auto-qos module, which features a hi-low ruleset and made for mips efficiency.

    Well, that modern system uses FQ_Codel. And we don't have that for mips. We do have vegas. After a couple of weeks effort, I was able to estimate how to do 5 rules + connlimit + vegas, And have transmissions in the correct order. For example, scroll a web page jam packed with photos, and there's no gaps while some at the top wait to come in. The same action applies for voip and games. So, that meets expectations on what QOS should do. The current defaults don't have that performance.
    Last edited: Feb 2, 2019
  12. danielhaden

    danielhaden Network Guru Member

    Thanks. And, I need your help. Just this: Could you publish the rules that you're using?
  13. the_tourist

    the_tourist Network Newbie Member

    TCP/UDP, DST port 1-65535, Transferred 0-1kb, class1, Fastlittle
    any, MAC adress (VOIP interface), class2, Launch
    TCP/UDP, DST port 1-5070, Transferred 0-64kb, class2, Launch
    TCP/UDP, DST port 1-65535, Transferred 0-512kb, class3, Medio
    TCP/UDP, DST port 1-65535, Transferred 0-1024kb, class4, Large
    TCP/UDP, DST port 1-65535, Transferred 1024kb+ class5, Stream

    1, 15%, 100%
    2, 5%, 100%
    3, 5%, 100%
    4, 5%, 100%
    5, 5%, 95% Set as Default

    (same for both outbound and inbound)
  14. Sean B.

    Sean B. LI Guru Member

    Shouldn't that be " iptables -I FORWARD -s -m connlimit --connlimit-mask 32 --connlimit-above 260 -j REJECT " ?
  15. danielhaden

    danielhaden Network Guru Member

    Possibly. I tried to write it compatible with gargoyle, dd-wrt and tomato. I also added the mask because of concerns for it to work 'per client' which, I thought was the default behavior anyway. Iptables -I adds a copy per each wan ip refresh if a firewall script, so that one is actually a startup script. And, it does not prevent adding to the connection count but rather prevents connection abuse by having the excess connections simply not work. This makes the client back off until the timeouts clean up the overdo. It could use separate commands for tcp and udp, since those timeout minimums are much different.
  16. Sean B.

    Sean B. LI Guru Member

    The INPUT chain is for packets destined for the router itself, the FORWARD chain is for packets arriving on one interface and going out another. The rule you stated using the INPUT chain would only work if the LAN clients are connecting to the router itself as the destination torrent server/client.
    danielhaden likes this.
  17. danielhaden

    danielhaden Network Guru Member

    Thanks!!! That explains the functionality being somewhat different than how I'd expected it to work. Although it did seem to work, it didn't totally prevent rising connection count. Instead of prevention, the connection overdo just didn't last very long. Indeed, if I put a very low connlimit and opened several tabs in the browser, the browser would quit working until tcp timeout period elapsed.

    When I get around to testing again, I'll try it with FORWARD to see if it is more effective at preventing the router connection count from rising.
    Last edited: Feb 2, 2019
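    As an added example that is not part of this thread or of FreshTomato itself, here is a FIREWALL-script version of the connlimit idea discussed above: the rules go in FORWARD rather than INPUT (Sean B.'s point), TCP and UDP get separate limits because their conntrack timeouts differ so much, and each rule is probed with `iptables -C` before `-I` so that re-running the script on every WAN renew does not stack a duplicate copy. The br0 bridge name, the 192.168.1.0/24 default, the limit values and the conntrack timeout paths are assumptions, not taken from the thread.

```sh
#!/bin/sh
# Added example (not from the thread or the FreshTomato project): per-client
# connection limiting in the FORWARD chain, with separate TCP and UDP limits,
# written so it can be re-run safely from Tomato's FIREWARE script.
# Assumptions: LAN bridge is br0, LAN subnet is $LAN_NET, iptables is at $IPT.

LAN_IF="${LAN_IF:-br0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPT="${IPT:-iptables}"

# Print the chain plus rule specification for one connlimit rule.
# FORWARD, not INPUT: traffic from LAN clients to the Internet is forwarded
# and never enters INPUT, so an INPUT rule only catches connections to the
# router itself. "! -o br0" leaves LAN-to-LAN traffic alone, and
# --connlimit-mask 32 counts per source address, i.e. per client.
connlimit_rule() {
  proto="$1"    # tcp or udp
  limit="$2"    # connections allowed per client before REJECT
  printf 'FORWARD -i %s ! -o %s -s %s -p %s -m connlimit --connlimit-mask 32 --connlimit-above %s -j REJECT' \
    "$LAN_IF" "$LAN_IF" "$LAN_NET" "$proto" "$limit"
}

# Insert a rule only if it is not already present. Tomato re-runs the
# FIREWALL script whenever the WAN comes up, so a plain "iptables -I" would
# stack a duplicate each time; "iptables -C" probes for an existing match.
ensure_rule() {
  rule="$1"
  # shellcheck disable=SC2086  # word-splitting the rule string is intended
  if $IPT -C $rule 2>/dev/null; then
    return 0
  fi
  $IPT -I $rule
}

# Conntrack timeouts. A low connlimit needs short timeouts or stale entries
# keep a client locked out; the paths below are an assumption about 2.6-era
# Tomato kernels and are only written if they exist.
set_timeout() {
  path="$1"; seconds="$2"
  [ -w "$path" ] || return 0
  echo "$seconds" > "$path"
}

apply_all() {
  ensure_rule "$(connlimit_rule tcp "${TCP_LIMIT:-200}")"
  ensure_rule "$(connlimit_rule udp "${UDP_LIMIT:-60}")"
  set_timeout /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established 300
  set_timeout /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout 45
}

# Set APPLY=1 in the environment (or call apply_all from the FIREWALL
# script) to actually modify the firewall; otherwise only functions are defined.
if [ "${APPLY:-0}" = 1 ]; then
  apply_all
fi
```

    Paste the file into Administration -> Scripts -> Firewall with a final `apply_all` line. Check the result with `iptables -L FORWARD -n --line-numbers`: the two REJECT rules should appear once, at the top, no matter how many times the WAN has bounced.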
  18. gyngy1

    gyngy1 Network Newbie Member

    Thanks for the summary.
    Is there an easier way to enter these settings than clicking in the GUI? Maybe edit some settings file?
  19. the_tourist

    the_tourist Network Newbie Member

    Maybe but I'm really not an expert... I just entered the rules (made by danielhaden, slightly adapted) into the graphical interface, it's not very difficult or very long.
    danielhaden likes this.
  20. danielhaden

    danielhaden Network Guru Member

    For that fastlittle rule, you might want to end the port range with the last known control ports. I think that could be 5070. Beyond that are bulk data ports, which probably shouldn't catch a ride on class 1.
    And, on classes 4 and 5, having higher minimums could also increase bandwidth overhead by the same sum (while you're testing for that A+). That would totally make sense if you're using FQ_Codel (QOS is all about timing, so controlling it via bandwidth percentage is indirect). So, rather than lower the global bandwidth, you have the option of lowering the maximums for classes 4 and 5. Tomato has that nifty option of making the lower classes 'pay for' using QOS rather than reducing the global bandwidth.
    So, there's just a few things to try.
  21. the_tourist

    the_tourist Network Newbie Member

    Thank you, I will try these modifications and test the impact on the Bufferbloat.

    As I wrote, I don't use Freshtomato on this router, but rather [Fork] Asuswrt-Merlin 374.43 LTS releases (V37EA) from john9527.
    I'm not sure, but I don't think it implements FQ_Codel in the case of an RT-N66U, but I may be wrong, I'm anything but an expert....
  22. txnative

    txnative Addicted to LI Member

    You all should start a new discussion thread as this is off topic for freshtomato-mips.
    pharma, kille72 and Techie007 like this.
  23. danielhaden

    danielhaden Network Guru Member

    Dire need of a competitive QOS for freshtomato-mips?
    As in not defaulting to 50 somewhat outdated rules on a wee old mips cpu?
    An efficient update seems necessary.
  24. the_tourist

    the_tourist Network Newbie Member

    You're right, but my intention was not to discuss another firmware here at all. I just wanted to confirm to danielhaden that his proposal of "vastly simplified QOS only 5 rules" had worked well with my router (and its firmware which is not so far from Tomato).

    But I agree this discussion is over.
  25. ksuuklan

    ksuuklan Reformed Router Member

    Did you get a stable version? As I also have a WHR-HP-G54 running tomato-K26-1.28.RT-MIPSR1-128-MiniIPv6, shall I upgrade it to freshtomato-K26_RT-MIPSR1-2018.5-MiniIPv6 or not?
  26. rs232

    rs232 Network Guru Member

    I'd say nowadays FreshTomato is the most updated version. Go for it.
  27. ksuuklan

    ksuuklan Reformed Router Member

    Ok, did so, I hope that the bandwidth limiter is working (it was broken on newer tomato versions). Noticed that only 2 dns servers are available, wireless client filter behavior is changed and is very strange, mtu and bandwidth limits were also changed after upgrade.
  28. sszpila

    sszpila Serious Server Member

    You must clear nvram and configure the router from scratch. There are major changes between tomato v128 and multiwan, on which freshtomato is based.

    Sent from my Redmi 4X using Tapatalk
  29. ksuuklan

    ksuuklan Reformed Router Member

    I'm too lazy for that, so I just walked through every menu and changed back some settings and that's it, so far all OK :).
  30. digixmax

    digixmax LI Guru Member

    FWIW I have 2019.1 MiniIPv6 running on my WHR-HP-G54 as well as on my WNR3500L-v1, it seems fine.
  31. ksuuklan

    ksuuklan Reformed Router Member

    Ok, but isn't this beta?
  32. aehimself

    aehimself New Member Member

    I just realized that after flashing the non-beta 2018.5 mini on my WRT54GL, port 4 failed over to 10M half duplex. Updating to the latest 2019.1.015-beta did not solve the issue. Tried swapping cables and devices around, only port 4 is affected.
    I'll try to do a full settings reset (and maybe reflashing the original firmware too) to see if it's a hardware malfunction... in the mean time, are there any logs which I can check on Tomato to get closer to the root of the problem?
  33. digixmax

    digixmax LI Guru Member

    Yes, it is still beta, I am doing my share of being a guinea pig. -)
  34. Bad_Dog

    Bad_Dog Connected Client Member

    I just upgraded my Asus RTN16 from 2018.4 to 2019-01-015 beta.

    Using Firefox in privacy mode, as to not worry about caching problems like I experienced before, and the upgrade was successful.

    One thing is, the time is not updating. I have auto update enabled, and set to US (also tried North America), and set to trigger on save. Multiple reboots and saves is not updating the time.

    The log shows nothing, and I have logging set to no maximum per minute (value is 0).

    This router is for my Guest network. The primary router is an ASUS AC3200 running 2018.4, and this upgrade on my RTN16 was my test upgrade. The AC3200 has no issues with time updating, so it's not a connectivity issue, at least that I can tell.

    Any suggestions?
  35. digixmax

    digixmax LI Guru Member

    You might find potentially helpful pointers in this thread: https://www.linksysinfo.org/index.php?threads/wireless-ethernet-bridge-no-current-time.74428/.
  36. Bad_Dog

    Bad_Dog Connected Client Member

    Thanks for that. After I upgraded I noticed there was no time, and my first thought was... has that always been an issue or did I just now notice it? ;-)
  37. aehimself

    aehimself New Member Member

    It's not a hardware fault!!!
    robocfg port 0 media auto solved the issue, now it's back to full speed again. I'm just wondering what forced one port to 10 / Half.. until some Googling I did not even know that the above command exists.
  38. railgrinder

    railgrinder Network Guru Member

    I'm not sure if this is the right place to submit a feature request, but would it be possible to include an export/import function in the Static DHCP/ARP section? It's one of the more time consuming things to input every time a full reset is done and thought this might be a helpful feature to have in the GUI.

    I know it's possible to do this via the nvram export/import command but it's bugged me that there hasn't been a gui implementation since the original tomato project.
    WaJoWi, snowman58 and digixmax like this.
  39. digixmax

    digixmax LI Guru Member

    I second this feature request -- it would be great to be able to export/import Static DHCP data to/from data file in csv format.
    Last edited: Feb 6, 2019
    Elfew and WaJoWi like this.
  40. Wolfgan

    Wolfgan Networkin' Nut Member

    Last edited: Feb 6, 2019
    Señor Nimda and snowman58 like this.
  41. WaJoWi

    WaJoWi Reformed Router Member

  42. RBoy1

    RBoy1 Serious Server Member

    What exactly was the issue in this configuration? I just updated to the Jan BETA build on my WNR3500LV2 (primarily to get support for SMB2) and I'm using this Wireless Ethernet Bridge, what should I expect to see as the issue here?
  43. Magister

    Magister LI Guru Member

    From what I saw, the problem was that on the router itself, the DNS wasn't registered, the only problem I know was that the NTP client couldn't reach the servers list and the time on the router was 1/1/1970.
    RBoy1 likes this.
  44. digixmax

    digixmax LI Guru Member

    Without Default Gateway and Static DNS settings taking effect, the Wireless Ethernet Bridge (WEB) itself (not the client devices that use the WEB router) cannot reach Internet and cannot resolve Internet host names. The one consequence observed is the WEB current-time setting which depends on resolving NTP host-names and reaching NTP servers does not work. I cannot think of any other feature one might use on a WEB router that would be similarly affected. FWIW the work-around fix is posted at https://www.linksysinfo.org/index.p...net-bridge-no-current-time.74428/#post-302295.
    RBoy1 likes this.
  45. RBoy1

    RBoy1 Serious Server Member

    Thank you all, yes I can confirm that's the side effect on the NTP
    > Time Not Available

    Would this impact the Samba Server running on the router or any other services (OpenVPN etc?)

    Is there a patch submitted for this?
  46. Magister

    Magister LI Guru Member

    It is fixed in Jan BETA build, I have it on my E3000 and NTP is working
  47. digixmax

    digixmax LI Guru Member

    I am 2019.1 beta on my WNR3500L-v1, the "current time not available" problem still there without the workaround I posted.
  48. RBoy1

    RBoy1 Serious Server Member

    I have the Jan BETA build and I'm seeing this in the summary page:
    > Time Not Available

    I don't think it's working in Wireless Ethernet Bridging Mode. I've set a static IP address, gateway and using Cloudflare DNS (, rebooted and still no time. Plus I don't see this fix in the change log.
  49. rs232

    rs232 Network Guru Member

    Read this: https://www.linksysinfo.org/index.php?threads/fork-freshtomato-mips.74145/page-6#post-300299
    solution until fixed: put this into Scripts/INIT and reboot
    echo nameserver `nvram get wan_dns` > /tmp/etc/resolv.conf
    btw i thought that code was already implemented in the latest beta. Perhaps not....
  50. Magister

    Magister LI Guru Member

    On the wireless ethernet bridge, try to put so it will take the DNS from your main router
  51. RBoy1

    RBoy1 Serious Server Member

    Unfortunately this did not work. When I telneted into the router after boot up, cat /temp/etc/resolv.conf file did not exist (as in the destination link doesn't exist). Is INIT the right place to put this? nvram doesn't seem to work in INIT, where doing a static cat instead does work (from the patch above), but I see what you're trying to do and it's better way.

    Also does one need to add the default Gateway Routing patch reported by @digixmax in the Advanced -> Routing tab:

    Code: 0 LAN
    I tried this but that didn't work either. Also on the Basic config page, under Static DNS it asks for IP : port, is the port required?

    The only thing that worked so far was the patch reported by @digixmax here: https://www.linksysinfo.org/index.p...net-bridge-no-current-time.74428/#post-302295
  52. pedro311

    pedro311 Networkin' Nut Member

    kille72 likes this.
  53. RBoy1

    RBoy1 Serious Server Member

    I can confirm it's working with that patch + the default gw
  54. RBoy1

    RBoy1 Serious Server Member

    Apparently ntpc does exist and works. I telneted into the router and ran the command and this is the output
    root@OfficeBridge:/tmp/home/root# service ntpc stop
    root@OfficeBridge:/tmp/home/root# service ntpc start
    And after it ran the time showed up on the overview page:
    > Time Fri, 08 Feb 2019 12:37:00 -0500
  55. RBoy1

    RBoy1 Serious Server Member

    Okay taking from @rs232 and @digixmax, this is the patch that gets the default gateway, DNS and NTP working without hardcoding any numbers so that it takes the settings defined in the web GUI and then get it up and running when the router boots up.

    Placing this code in the Administration -> Scripts -> FIREWALL
    echo nameserver `nvram get wan_dns` > /tmp/etc/resolv.conf
    route add default gw `nvram get lan_gateway` br0
    service ntpc stop
    service ntpc start
    Reboot the router and it picks up your DNS/Gateway settings and applies them as well as gets NTP going. Again, this is a workaround for when the router is in Wireless Bridge mode, to get the DNS/Gateway set up correctly.

    @pedro311 @kille72 is there a firmware patch that can be put to make the user DNS and GW settings stick on boot up when the router is in Wireless Bridge mode?
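    As an added example that is not part of this thread or of FreshTomato itself, a hardened form of the Wireless Ethernet Bridge workaround above. It reads the same nvram variables (wan_dns and lan_gateway) and restarts ntpc the same way, but validates the values, writes one "nameserver" line per address instead of putting every address on one line, writes the file atomically, and retries while nvram is not yet answering early in boot. The resolv.conf path and br0 come from the thread; the retry count and the behaviour on an empty nvram value are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread or the FreshTomato project): WEB-mode
# DNS + default gateway + NTP workaround with input validation.
# Assumptions: LAN bridge is br0, resolver file is $RESOLV, at most
# $NVRAM_TRIES one-second waits for nvram to become readable.

RESOLV="${RESOLV:-/tmp/etc/resolv.conf}"
LAN_IF="${LAN_IF:-br0}"

# True if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
  addr="$1"
  printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs="$IFS"; IFS=.
  set -- $addr                 # split on dots (safe: only digits and dots)
  IFS="$old_ifs"
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Render resolv.conf content from a space-separated nvram list such as
# "1.1.1.1 8.8.8.8". Each address gets its own "nameserver" line, because
# the resolver only honours the first address on a line. Invalid entries
# are skipped; the function fails (and writes nothing) if none survive.
build_resolv_conf() {
  count=0
  for ns in $1; do
    if is_ipv4 "$ns"; then
      echo "nameserver $ns"
      count=$((count + 1))
    fi
  done
  [ "$count" -gt 0 ]
}

# nvram can be unavailable very early in INIT; retry instead of failing.
nvram_get() {
  tries=0
  while [ "$tries" -lt "${NVRAM_TRIES:-10}" ]; do
    val=$(nvram get "$1" 2>/dev/null) && [ -n "$val" ] && { echo "$val"; return 0; }
    tries=$((tries + 1))
    sleep 1
  done
  return 1
}

main() {
  dns=$(nvram_get wan_dns) || { echo "wan_dns not set in nvram" >&2; return 1; }
  gw=$(nvram_get lan_gateway) || { echo "lan_gateway not set in nvram" >&2; return 1; }
  is_ipv4 "$gw" || { echo "lan_gateway is not an IPv4 address: $gw" >&2; return 1; }
  # Write to a temp file first so a bad wan_dns never leaves an empty resolv.conf.
  build_resolv_conf "$dns" > "$RESOLV.tmp" && mv "$RESOLV.tmp" "$RESOLV" || { rm -f "$RESOLV.tmp"; return 1; }
  # WEB mode has no WAN interface: the upstream router on the LAN is the gateway.
  route add default gw "$gw" "$LAN_IF" 2>/dev/null || true   # already present is fine
  service ntpc stop
  service ntpc start
}

# Only run on the router (where nvram exists); elsewhere just define functions.
if command -v nvram >/dev/null 2>&1; then
  main
fi
```

    If, as digixmax found on his build, it is `/etc/resolv.dnsmasq` that has to change, run it with `RESOLV=/etc/resolv.dnsmasq`. Note the validation rejects a value like "1.1.1.1:53" (the Static DNS field's optional port), so enter addresses only.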

  56. pedro311

    pedro311 Networkin' Nut Member

    And what about Wireless Client mode?
  57. RBoy1

    RBoy1 Serious Server Member

    EDIT: I can't select "Wireless Client" mode, it's greyed out on the WNR3500LV2

    However there is another bug I've found in the Wireless Ethernet Bridge mode that I would like to report.
    When setting up the router after a reset, if one selects the "Wireless Ethernet Bridge Mode" directly, it doesn't disable the WAN port and DHCP on the WAN and the router keeps trying to get the WAN DHCP address, which also results in connection/performance issues. This is what I see on the overview page under the WAN section:

    If I first select Access Point, manually disable the WAN port and all the WAN related settings, tap Save, then go back and change to the Wireless Ethernet Bridge mode and Save. After a reboot the WAN section disappears and it stops trying to get a DHCP address for the WAN, the connection is stable and WiFi data rates are 50% higher now.

    I've replicated this issue above multiple times consistently with the same results. Why doesn't the router disable the WAN ports and WAN DHCP when one selects "Wireless Ethernet Bridge" after a fresh reset? I'm guessing it doesn't save the nvram variables correctly when this done via the GUI, do you think that's about right?
  58. digixmax

    digixmax LI Guru Member

    The build I am using on my WNR3500L WEB is 2019.1.015 MIPSR2-beta K26 MiniIPv6, unless the build id showed on my WEB router's About page (see the attached screencap) is somehow mislabeled.

    If I remove the two lines
    in my Init script, the WEB would not be able to display the current time.

    Also, if I replace "/etc/resolv.dnsmasq" with "/etc/resolv.conf" in
    the script would also fail to produce the desired result.


    Last edited: Feb 9, 2019
  59. digixmax

    digixmax LI Guru Member

    The behavior you are looking for works for me in my WEB configuration setups on my WNR3500L-v1 and RT-N16's -- whenever I select WEB mode the WAN settings section disappears.
  60. OnkelM

    OnkelM New Member Member

    Is it possible to add an issues site to the bitbucket account of freshtomato-mips like the arm fork already has?
    I wanted to file a bug/report that firewall/iptables are broken if using a class a netmask

    (since I cannot post a url right now please lookup bitbucket > kille72 > freshtomato-arm for the posted issue -> rt-n66u-no-iptables-with-class-a-netmask )

    FreshTomato Firmware 2018.5 MIPSR2 K26 USB AIO-64K
    Linux kernel and Broadcom Wireless Driver

    Also would like to do a feature request/suggestion as in the current webif configuration port forwarding to the router itself will not work just by entering a port forwarding rule. We have to add another command e.g. in the firewall tab in the administrative webif section like: iptables -I INPUT -j ACCEPT -p tcp --dport 12345
    It would be better if this logic is built in the port forwarding webif section itself.
  61. rs232

    rs232 Network Guru Member

    What is broken exactly? Where do you set this 10.x IP? Can I suggest you work on the English to explain what actually is not working? e.g. real life scenario, what you attempted, error message received, etc

    The other port forwarding issue you're reporting is news to me and I can confirm port forwarding does NOT require any additional command to allow traffic. Have you cleared the NVRAM before upgrading last time?
  62. OnkelM

    OnkelM New Member Member

    iptables is broken if you set your router ip to
    cat /etc/iptables
    cat: can't open '/etc/iptables': No such file or directory
    immediately after change of netmask to the error is gone:
    cat /etc/iptables
    :OUTPUT ACCEPT [0:0]
    -I PREROUTING -i vlan2 -j DSCP --set-dscp 0
    -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    :OUTPUT ACCEPT [0:0]
    :WANPREROUTING - [0:0]
    -A PREROUTING -i vlan2 -d -j DROP
    -A WANPREROUTING -p icmp -j DNAT --to-destination
    -A POSTROUTING -o vlan2 -d -j MASQUERADE
    -A POSTROUTING -o br0 -s -d -j SNAT --to-source
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state INVALID -j DROP
    -N shlimit
    -A shlimit -m recent --set --name shlimit
    -A shlimit -m recent --update --hitcount 4 --seconds 180 --name shlimit -j DROP
    -A INPUT -p tcp --dport 10 -m state --state NEW -j shlimit
    -A INPUT -p tcp --dport 23 -m state --state NEW -j shlimit
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i br0 -j ACCEPT
    -A INPUT -p tcp  --dport 10 -j ACCEPT
    :FORWARD DROP [0:0]
    -A FORWARD -m account --aaddr --aname lan
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -m state --state INVALID -j DROP
    :wanin - [0:0]
    :wanout - [0:0]
    -A FORWARD -i vlan2 -j wanin
    -A FORWARD -o vlan2 -j wanout
    -A FORWARD -i br0 -j ACCEPT
    as for the port forwarding, I did not say it is generally not working. But it does not work as one would expect if you would like to open a port at the router itself (localhost). (for example asterisk or owncloud or other application running directly on the main router)
  63. Radojevic

    Radojevic Network Newbie Member

    @pedro311 @kille72

    Feature request...

    Add autonegotiation feature to wireless 'Channel Width'.
    Also, if autonegotiation becomes a 'Channel Width' feature, would it negotiate the channel width per client connection, or globally set it to the lowest common denominator?
  64. danielhaden

    danielhaden Network Guru Member

    You've got it.
    dhcp-host=A0:A1:A0:C0:C1:9D, id:*, MY_DESKTOP,, infinite
    Entries of that style can go in the dnsmasq options box (drag corner to expand for edits). It is easy to back them up via text editor, word processor or spreadsheet (sort ip's in order is cool).

    Tip: Put high priority devices grouped into a range other than auto-dhcp so that you can use ONE QOS rule (ip range) inserted just before anything less than 100%. Then those devices don't 'pay for' using QOS. Use that trick sparingly so that you don't have to lower the global bandwidth (remember, the cost of prioritizing everything, is converting QOS into only a cpu intensive bandwidth limiter). Thus, use the auto-dhcp range like a honeypot to catch the majority of less important devices so that those 'pay for' QOS.
    So, by assigning static DHCP addresses outside the auto range (but in your 'bypass' rule range), you've automagically assigned priority too. One bit of work gets two tasks done.
    Last edited: Feb 17, 2019 at 8:26 PM
    ghoffman likes this.
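    As an added example that is not part of this thread or of FreshTomato itself, a pair of shell functions that turn a spreadsheet-style CSV of static leases into the dhcp-host= lines described above (and back), so the list can live in a text file and be re-applied after a reset, which is what the export/import request earlier in the thread is after. The CSV layout (mac,ip,hostname) is an assumption; the dhcp-host format, including id:* and infinite, follows the line quoted above. MAC addresses are normalised and each row is validated before it is emitted, since one bad line stops dnsmasq from starting.

```sh
#!/bin/sh
# Added example (not from the thread or the FreshTomato project): convert a
# CSV of static leases to dnsmasq "dhcp-host=" lines for the Dnsmasq custom
# configuration box, and back again. Assumed CSV columns: mac,ip,hostname.
# "id:*" is dnsmasq syntax for "ignore the client-id, match on MAC only".

# Normalise a MAC to upper-case colon form (accepts aa-bb-cc-dd-ee-ff too);
# fail on anything that is not six hex octets.
norm_mac() {
  m=$(printf '%s' "$1" | tr 'abcdef-' 'ABCDEF:')
  printf '%s\n' "$m" | grep -Eq '^([0-9A-F]{2}:){5}[0-9A-F]{2}$' || return 1
  printf '%s\n' "$m"
}

# Read CSV on stdin, write dhcp-host lines on stdout. Rows that do not
# parse are reported on stderr and skipped so one typo cannot poison the
# whole dnsmasq config. Blank lines, "#" comments and a header row are ignored.
csv_to_dhcp_host() {
  while IFS=, read -r mac ip host; do
    case "$mac" in ''|'#'*|mac) continue ;; esac
    host=$(printf '%s' "$host" | tr -d '\r')   # spreadsheets export CRLF
    m=$(norm_mac "$mac") || { echo "skip bad mac: $mac" >&2; continue; }
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
      || { echo "skip bad ip: $ip" >&2; continue; }
    printf '%s\n' "$host" | grep -Eq '^[A-Za-z0-9_]([A-Za-z0-9_-]*[A-Za-z0-9_])?$' \
      || { echo "skip bad host: $host" >&2; continue; }
    printf 'dhcp-host=%s,id:*,%s,%s,infinite\n' "$m" "$host" "$ip"
  done
}

# Reverse: dhcp-host lines on stdin back to CSV, sorted by the IP string.
dhcp_host_to_csv() {
  echo "mac,ip,hostname"
  sed -n 's/^dhcp-host=\([^,]*\),id:\*,\([^,]*\),\([^,]*\),infinite$/\1,\3,\2/p' |
    sort -t, -k2,2
}
```

    Usage: `csv_to_dhcp_host < leases.csv` and paste the output into the dnsmasq custom configuration box (or keep it on JFFS and add a conf-file= line); `dhcp_host_to_csv < current.conf > leases.csv` gets it back out. Remember danielhaden's point that dnsmasq has to be restarted for the new entries to take effect, which Tomato does on Save.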
  65. rs232

    rs232 Network Guru Member

    10.x IP: Anything in the log after you set the IP? Can you do more tests with longer/shorter netmasks? Any other test/input that might help the troubleshooting?

    Portforwarding: this is not what port forwarding does. So what you are trying to do has no involvement in tomato port forwarding. what you're doing is opening a port on the router (INPUT chain) so the firewall script approach is correct (unless you use a service that opens the port for you like OpenVPN would do for example.)
  66. afeng11

    afeng11 New Member Member

    flashed the latest firmware on netgear wndr4500 v1, everything was ok but the leds on WAN and LAN were turned off? how to solve this problem? thank you!
  67. kernel-panic69

    kernel-panic69 Connected Client Member

  68. minos

    minos Networkin' Nut Member

    Exactly! It can save hours of configuring everything by hand in a fresh firmware's GUI... :)

    Or it would be cool to always be able to use the same config variables from the previous .cfg file we used to restore our config.