[Fork] Tomato-ARM by @kille72

Discussion in 'Tomato Firmware' started by kille72, Mar 24, 2017.

Thread Status:
Not open for further replies.
  1. PetervdM

    PetervdM Network Guru Member

    how much total and free NVRAM do you have?
    how many bits is the certificate on your main ac15?
  2. My Name

    My Name Networkin' Nut Member

    The keys are identical on both Main Router running Toastman and Spare Router (soon to be Main Router) running latest @kille72 firmware. Both are 4096 bits which is probably a bit much but seem to recall there was a good reason when I created them back in December 2017.

    Fixed problem by placing the Server Certs, Keys and Diffey on a USB Drive and used Custom Configuration in VPN, Advanced to point to the USB drive instead of trying to save them in nvram. VPN Server starts and I can connect to it remotely.

    To give credit where due, user @kthaddock as I recall helped me when I was having similar problems in a Linksys E3200 when saving VPN Keys and Certs in nvram. In that case it killed the 5ghz radio. In this case not sure what it was doing but most likely exceeding nvram boundaries or whatever.

    Link to post about using USB Drive, second post is by @kthaddock http://www.linksysinfo.org/index.php?threads/nvram-32k-size-error-with-openvpn-use-jffs.36950/
  3. miroco

    miroco Serious Server Member


    I thought perhaps that these links could be of interest in the quest for new WiFi firmware. I have a D-link Dir-885L A2, Broadcom based AC3100 router. WiFi on LEDE/OpenWRT work for the A1 rev, but not the A2. This guide helped me fix it, but I think there is more to it.






  4. joew333

    joew333 LI Guru Member

    Interesting reading!! Thanky for posting.
  5. AndreDVJ

    AndreDVJ LI Guru Member

    M_ars, Elfew, Edrikk and 2 others like this.
  6. koitsu

    koitsu Network Guru Member

    This is awesome. That's one heck of an update, and you deserve major kudos for it.

    Several features will need testing on behalf of TomatoUSB users, especially those using ssh or scp from the router itself (so I'm talking about the client code, not the server code). Recent-ish Dropbear uses a completely different set of code, through something called dbclient, and it looks like lots of command-line flags got changed in the process too -- hopefully to be more OpenSSH-friendly.

    I'm left wondering if this long-standing problem with scp actually got fixed. I filed a GitHub issue with mkj (Dropbear author) about it some time ago, and he commented a year later stating that my fix actually looked wrong (it's probably wrong for *today's* Dropbear code, but it wasn't at the time, best I could tell). So to be clear for Andre and others: do not backport/import my fix for this, because the Dropbear code has changed a bunch since then and for all I know mkj has addressed it in newer versions (it does look like dbclient has a -y flag to automatically approve addition of an SSH host key/fingerprint, but I don't know if scp now does the right thing; I've asked mkj on GitHub).

    Edit: mkj responded: no, Dropbear 2018.76 doesn't fix the problem mentioned in the above paragraph; further code would need to be written to address this problem (i.e. my patch should not be used).
    Last edited: Mar 5, 2018
    AndreDVJ, pomidor1 and kille72 like this.
  7. drnorton

    drnorton Network Newbie Member

    Thanks... I will see if I can use it for my intention.
  8. kille72

    kille72 LI Guru Member

  9. joew333

    joew333 LI Guru Member

    Cool stuff. Thank you!!!!
  10. kille72

    kille72 LI Guru Member

    Do you think we can use RAMdisk/tmpfs to speed up the Tomato compilation process?
    Last edited: Mar 6, 2018
  11. RMerlin

    RMerlin Network Guru Member

    Doubt it. I tried it a few years ago, and it made zero difference versus the slow SSD I was using at the time.

    Linux does a great job at caching things. Bottleneck is the CPU.
    Elfew and kille72 like this.
  12. My Name

    My Name Networkin' Nut Member

    Ran into another problem of sorts today when I brought my spare TendaAC15 online as my main router running 2018.1.031 ARM beta. While every other device I have, Windows 10, Android 7 phones, Xiaomi MIBOX3 can see and connect to the 5 ghz network, my Roku Premier boxes cannot even see the 5 ghz network. All of the above and Roku Premier boxes connect to 2.4 ghz OK. To be clear, these are the same Roku Premier boxes that can and did connect to 5 ghz when I was running Toastman on what was my main router.

    I had done an NVRAM wipe on the new router but as a test, took the original AC15 running Toastman, loaded 2018.1.031 ARM beta and wiped NVRAM. After the AC15 rebooted and came online I can see Tomato24 and Tomato50 SSIDs on every device except the Roku Premeier boxes. They can only see Tomato24.

    While this may be a problem unique to the Roku Premier boxes, has anyone else had issues with 5 ghz on 2018.1.031 ARM beta?

    EDIT Update: Noticed the Roku Premier Box I am looking at can see a couple of SSIDs from the neighborhood that are labeled as 5G. All the Roku boxes are running 8.0.1.Build 4041-29 firmware and the devices say the firmware is up to date.

    EDIT Update: Problem solved under Advanced, Wireless, Changed Country / Region to ' UNITED STATES ' and now Roku Premier boxes can see and connect to 5 ghz. Odd that this only caused grief for Roku devices on 5 ghz..
    Last edited: Mar 7, 2018
  13. PetervdM

    PetervdM Network Guru Member

    not that odd. have look at the list of wifi channels here: https://en.wikipedia.org/wiki/List_of_WLAN_channels
    i don't know what the default setting was, but a lot of countries or regions have legal restrictions on which channels are allowed. the us has no such restrictions. so if the combination of the automatically chosen channel on the router can't be used by your roku due to the region it is manufactured for, they won't connect.
  14. cobrax2

    cobrax2 Serious Server Member

    hi guys, i'm now on latest toastman fw, stable as a rock (r7000)
    was thinking of switching to a newer version, and i see @kille72 's one is the only one still under development.
    thank you and to the other developers that are involved and helping for taking onto yourselves this massive task.
    if i may, just one question:
    i see that there is a lot of development going on atm. is it stable? can it replace successfully yet toastman's?
    also, is the fork based on shibby's single or multiwan version? from what i observed over the past year, since the multiwan feature, his build was somewhat less "dependable" or it had some small issues.

    thank you very much again!
  15. txnative

    txnative Addicted to LI Member

    This part i have done some investigative look into on the defaults.c and rt-ac68u_nvram.txt, with comparisons of some nvram dumps from my router that had the beta 2018 they didn't seem to have the right parameters to values but there is more to it but the nvram some reason does hold on to some values placed in from tomato during the install and after doing a nvram erase or reset with the button for the 2.4 ghz does hold on to a few of the default values. When i looked at wl_ssid=Tomato2g stayed after setting up my ssid through the gui and power settings as well, the 5 ghz didn't have no issues in nvram or with changes made for custom settings. I'm sure shibby will find a fix or solution on the 2.4 radio this caught my attention when I read this thread and had to put this here as well not sure if it's useful. Congratulations on what has been accomplished so far. Regards

    Just had a look at my linksys-e3200 with Tomato Firmware v1.28.0511 MIPSR2Toastman-RT-N K26 USB VPN installed, and had a look at the same nvram but i didn't realize that unlike in the defaults.c or rt-ac68u_nvram.txt there is no mention of using wl0_xxx= whatever value but using the same wl0_ssid= does show the custom ssid but not in wl_ssid=Tomato24 and I'll have to look at it again and try a few settings again to see there is a proper response from the 2.4?
    Last edited: Mar 7, 2018
  16. chchia

    chchia Network Guru Member

    I have question about bandwidth limiter. please see attached picture, it is saying kbits?

    so my real internet speed is 30Mb/10Mb, speedtest test show actual downloading speed is about 3.5MB/1.1MB

    so is my input number in the bandwidth limiter is correct?

    what i wanted is to maximize the bandwidth usage,but by changing the priority i want to make one PC with to have the lowest latency, but sadly i just can't make it work correctly, can anyone help me.

    Attached Files:

  17. koitsu

    koitsu Network Guru Member

    30 megabits (Mb) =~ 3.75 megabytes (mB or sometimes MB) =~ 30000 kilobits (kb). Please use this website if you're unsure how to convert between different units.

    Speed tests sites that show things in megabytes per second are depressing (these programs are made by people who try to correlate network traffic (bits) with storage/disk units (bytes) -- this tends to confuse users, case in point); network traffic (throughput/transfer rate) is always measured in bits. Here's a site with a video that can help educate and familiarise you, and here's the technical details.
  18. maurer

    maurer Network Guru Member

    I've tested it on my newly flashed ea6300v1(ea6400) and wireless survey doesn't work - no output
  19. My Name

    My Name Networkin' Nut Member

    Wireless Survey working fine on my Tenda AC15 running 2018.1.031 ARM beta. Click on Refresh to start it.

    What I can't get to work on my AC15 setup as an Access Point is time. Shows time not available no matter what I try. Have all the usual setting such as gateway set as my main router, user defined gateway when Wan is disabled is checked. I can ping 0.pool.ntp.org from the AP. Time works fine on main router.

    My setup is tagged Vlans 10 and 11 with Vids 10 and 11 (Br0 and Br1) with Cat5e through D-Link Smartswith from Lan Port 1 on main router to Lan Port 1 on AP. Everything else seems to be working, just not time on AP. Probably something I missed or have forgotten to do since it worked when running Toastman using same setup.

    Have a remote location still running Toastman with identical setup and time is good on that AP.

    @kille72 other than the AP time issue (which may still be something I have missed), everything that I use your firmware for on my two Tenda AC15 appears to be working well. Can't tell a lot of difference in 5 ghz distance but working well for my use on a couple of Android 7 phones, Roku Premier boxes, Windows 7, etc. Vlans OK, VPN OK. I did do a NVRAM wipe after upgrading to your latest and entered all my settings from that point.
    Last edited: Mar 9, 2018
  20. joew333

    joew333 LI Guru Member

    Works on my R7000 just fine. Just clicked on REFRESH. Hmmm one of my neighbors has a router called "Millennium Falcon".... must be a Star Wars fan?
  21. sandimas

    sandimas New Member Member

    I have the same problem on my Tenda AC15 running 2018.1.025 ARM beta. I ultimately was able to get the time set by using an IP address instead of a domain name for an NTP time server. I just used the time server provided by my pfSense router.
  22. Yim Sonny

    Yim Sonny Serious Server Member

    If you would like to start a new thread then we will be able to help you better. This thread is for a specific firmware and your question is a general question.
  23. My Name

    My Name Networkin' Nut Member

    Using an IP Address for time server did the trick on my AC15 as well. Time came up almost immediately. Must be a bug.
  24. koitsu

    koitsu Network Guru Member

    It's probably a "race condition" (timing thing), especially on a router reboot. DNS might not be fully available (ex. dnsmasq isn't running yet, but the DHCP client has), so when the NTP synchronisation process starts, it can't resolve the FQDN, resulting in time sync failing. The more complicated your network setup (i.e. VLANs, VPNs, etc.), the more likely this is to happen. TomatoUSB does not have an init script system (read: sysvinit, BSD rc, etc.) that has dependency-based service ordering (e.g. don't start ntp until dnsmasq is running), and there are few-to-none "wait states" implemented (e.g. "wait until the WAN is up before doing X/Y/Z").

    This is compounded by the fact that Tomato's NTP implementation is pretty awful (read: ntpd isn't used, instead it's basically a cronjob (sigh), and there's no "pool of servers", instead it's a "oh this one works, use it" "oh this one doesn't, okay I'll skip it" mentality), and this is even further compounded with lack of good troubleshooting tools (ex. ntpq) due to needing to keep the firmware small. I've ranted about Tomato's bad NTP implementation before.

    A crappy workaround might be to add to Scripts -> WAN Up some scripting bits that stop/start the ntp sync process to try and work around the problem -- how to do this depends on if you're on ARM vs. MIPS though (yes really!). If people want to know how I'd do this, I can do a write-up sometime. I could probably script auto-detection of which is being used so that you'd just need one script.

    Next: both my personal and professional experience with pool.ntp.org has been extremely poor. I've run into all sorts of issues with them: DNS FQDNs that don't resolve (tracked down to issues with their own nameservers, or network connectivity issues *to* those namservers), or (more common) NTP servers which don't actually answer/respond.

    People using pool.ntp.org need to understand something about the service that makes it difficult to troubleshoot (read: annoying):

    1. Their DNS entries return multiple A records (i.e. round-robin DNS is used); thus which server you hit is entirely dependent upon the DNS resolver *at that moment in time*. A DNS query done a few seconds later may get a completely different server. That's how RR DNS works
    2. Their DNS entries have a very short TTL -- 150 seconds -- which means you're likely going to get a different set of RR records (multiple A records) every 150 seconds

    Proof of both of those:

    $ dig a pool.ntp.org. +short
    $ dig a pool.ntp.org. +short
    $ dig a pool.ntp.org. +short
    # rndc flush
    # exit
    $ dig a pool.ntp.org.
    pool.ntp.org.           150     IN      A
    pool.ntp.org.           150     IN      A
    pool.ntp.org.           150     IN      A
    pool.ntp.org.           150     IN      A
    I generally don't like pool.ntp.org. I instead recommend picking a static list of two stratum 2 servers (one geographically near you, the other far away), followed by use of pool.ntp.org's Continental Zone FQDNs (these are usually stratum 3+ servers). The ntp.org website maintains a list of stratrum 2 servers -- you need to be respectful of which servers are open vs. restricted, and you need to READ (NOT SKIM) the Rules of Engagement before using these servers. You do not need to use stratum 1 unless you are extremely anal:


    I'm intentionally not listing which servers I use, because I don't want people just blindly copy-pasting stuff into their setups. Follow my instructions and you'll be OK. :)

    In general I always assume some NTP server on pool.ntp.org will be broken/down/whatever. I run ntpd on a FreeBSD box on my LAN, so I have a very good/reliable way to provide NTP for my LAN. My TomatoUSB router NTP syncs off of that single FreeBSD box. Tomato's implementation is incredibly "best-effort", sorry to say.
  25. joew333

    joew333 LI Guru Member

    XWRT high performance version. I am wondering if it is possible to make a "high performance" version of XWRT, similiar to the VPN builds of Tomato in terms of functionality. Aim would be to focus on core routing functions with a reduced feature set and high performance. What do you think?
  26. H48W30c0HK

    H48W30c0HK Connected Client Member

    I built a GPS disciplined PPS source for about $10 (total!) worth of stuff off Aliexpress, so I don't need to worry about hammering already over-burdened public ntp servers, while serving Stratum 1 time over my home network.

    Here's a video of how to do it:
    mmosoll, dc361, Campigenus and 2 others like this.
  27. Sean B.

    Sean B. Network Guru Member

    Very nice project. Great to see someone else that gets into the hardware and not just software.
  28. My Name

    My Name Networkin' Nut Member

    @koitsu, thanks for the information. Followed your instructions and hopefully am OK now.
  29. maurer

    maurer Network Guru Member

    one more issue i just found - ssh tunnel doesn't work either.
    I've reset twice the nvram to factory defaults
  30. My Name

    My Name Networkin' Nut Member

    Advanced, Lan Access does not appear to be working. It has the correct settings of

    Lan (br0) to Lan1 (br1) but clients on br0 cannot access devices on br1 which worked on Toastman.

    I have Iptables setup to prevent clients on Lan1 (br1) from accessing Lan (br0) and that works as expected.
  31. Sean B.

    Sean B. Network Guru Member

    Did these iptables additions include allowing traffic from br1->br0 based on related/established targets? If not, then the rules would prevent br0->br1 access by means of blocking the return traffic.
  32. My Name

    My Name Networkin' Nut Member

    The iptables are the same ones I have used for the last several years on my Linksys E3200 running Shibby and AC15 running Toastman and have never caused a problem that I am aware of. Before posting earlier I had removed them to see if they were the problem.

    Here they are for analysis. Got these somewhere over on a DD-WRT Forum several years ago.
  33. koitsu

    koitsu Network Guru Member

    Maybe problem has to do with "where" these rules are being injected into the FORWARD or INPUT chain. I don't know.

    iptables -I will inject new rules *at the top of the chain* (i.e. every command puts that rule as rule #0, all subsequent rules get pushed down by one).

    TomatoUSB (and DD-WRT too, certainly) manages its own rules in INPUT, FORWARD, etc.. So, your rules may be "trumping" something that further down could actually allow traffic to pass.

    You really have to look at iptables -L {INPUT,FORWARD,OUTPUT} -n -v --line-numbers to get a clear view of what your rule orderings are. There are major security concerns if rules are injected into the wrong parts of the chain/rule list (e.g. things being accepted too early, or trumping security-related aspects further down in the rule list). This is basic firewalling 101 type stuff, BTW, and isn't Tomato-specific.

    I would suggest providing output here, in separate code blocks, of the following commands:

    iptables -L INPUT -n -v --line-numbers
    iptables -L FORWARD -n -v --line-numbers
    iptables -L OUTPUT -n -v --line-numbers
    You can XXX out IP addresses (particularly the WAN IP, e.g. XXX.XXX.XXX.XXX) but please make a key/legend saying what XXX means (ex. "XXX = WAN IP"). Try to retain the formatting/alignment please.
  34. My Name

    My Name Networkin' Nut Member

    @koitsu, Not sure my iptables entries are the problem. No matter if my iptables are set in Firewall or removed from firewall, Lan (br0) cannot communicate with clients on Lan1 (br1) in this latest version of @kille but did work when on last version of Toastman with my personal iptables set in Admin, Scripts, Firewall.

    Right now, there are no entries under Admin, Scripts, Firewall and Lan cannot communicate with Lan1 even though it is set in Advanced, Lan Access.
  35. koitsu

    koitsu Network Guru Member

    Thanks for the clarification/information. Yeah, that's definitely something firmware-specific. Just some general ideas/thoughts on the matter (you can ignore these if you want, I won't be offended):

    You might try looking at brctl show br0 and brctl show br1 to see what interfaces (ethX and vlanX) make up the br0 and br1 bridges.

    On Toastman, by default br0 consists of eth1 (2.4GHz), eth2 (5GHz), and vlan1 (4 LAN ports).

    vlan2 is the WAN port. (Random tech FYI: the reason vlan1 are the 4 LAN ports and vlan2 is the WAN port is because these routers contain a 5-port switch; VLANs are the only way to effectively isolate a WAN port).

    There's no GUI for bridge details. The closest you can get is what's under Advanced -> VLAN. However, what's shown there is from the perspective of VLAN interfaces, not bridges. This often confuses end users (it's come up before on the forum). I've actually never used Advanced -> LAN Access; now that makes me wonder what that's for and where/how it's implemented (probably iptables rules).
  36. My Name

    My Name Networkin' Nut Member

    @koitsu, brctl show br0 and brctl show br1

    root@TendaAC15:/tmp/home/root# brctl show br0
    bridge name     bridge id               STP enabled     interfaces
    br0             8000.xxxxxxxxxxx      no              eth1
    root@TendaAC15:/tmp/home/root# brctl show br1
    bridge name     bridge id               STP enabled     interfaces
    br1             8000.xxxxxxxxxx        yes            vlan11
    vlan10 is my main subnet, vlan11 is my isolated subnet. 2.4 ghz and 5.0 ghz in br0 and 2.4 ghz and 5.0 ghz Virtual Wireless in br1. Everything appears correct other than STP enabled should be no. Will fix that.
    Yes, and on Toastman and Shibby for that matter, all I ever had to do was setup my vlans, put my iptables stuff in Admin, Scripts, Firewall and Advanced Lan Access was set by default to access Lan1 from Lan. I have had a Br2 setup in the past on Shibby and used Advanced, Lan Access to allow traffic from Lan to Lan2.
    Last edited: Mar 13, 2018
  37. koitsu

    koitsu Network Guru Member

    Yeah, with that bridge configuration, there would need to be iptables (or maybe ebtables? I haven't spent any time with this) rules to allow traffic to flow like br0 --> br1 and br1 --> br0.

    We're back to what I recommended in post #1633. I guess we might also need the additional tables viewed as well (since I don't know if there's NAT'ing going on between all of those networks), so the commands would actually become this (to see all the chains in all the tables; the first line is for the filter table (ex. -t filter)):

    iptables -L -n -v --line-numbers
    iptables -t mangle -L -n -v --line-numbers
    iptables -t nat -L -n -v --line-numbers
    iptables -t raw -L -n -v --line-numbers
    And remember: copy-pasting output from these needs to be in a code block, otherwise spacing and formatting is lost.

    I run Toastman firmware so I could always add a bridge in the GUI and see what additional rules get added, then compare those to yours with kille72's firmware and figure out what's missing.
  38. My Name

    My Name Networkin' Nut Member

    used iptables -nvL --line-numbers and noticed this in iptables under Chain FORWARD (policy DROP 0 packets, 0 bytes)

    4        0     0 ACCEPT     all  --  br0    br0  
    5        0     0 ACCEPT     all  --  br1    br1  
    6       24   960 DROP       all  --  *      *              state INVALID
    7    13644 4904K ACCEPT     all  --  *      *              state RELATED,ESTABLISHED
    8       30  1560 DROP       all  --  br0    br1  
    9        0     0 DROP       all  --  br1    br0  
    10       0     0 wanin      all  --  vlan2  *  
    11     480 39198 wanout     all  --  *      vlan2  
    12      74 17099 ACCEPT     all  --  br0    *  
    Last edited: Mar 13, 2018
  39. My Name

    My Name Networkin' Nut Member

    Code block , have seen it but never done that before.
  40. koitsu

    koitsu Network Guru Member

    Why are rules 1-3 omitted? *squints eyes* I get really peeved when people remove things from their output when asking for networking help. :) If you were to do this on nanog@ or somewhere else, network technicians would immediately stop responding to you. You can XXX out IP addresses and portions of MACs for security.

    Rules 4 and 5 I've laughed about in the past -- they literally do nothing. I've seen these on other firmwares (Shibby?). I have no idea why these get put in place. Note they have 0 for their byte and packet counters.

    Rule 6 is to ensure that packets which lack a state table entry (keep reading) are dropped.

    Rule 7 is to ensure that existing packets in the state table (conntrack, I believe) are respected, i.e. don't sever existing connections if there's a state table entry for them of ESTABLISHED or RELATED state. This rule, understandably, usually has the highest packet/byte counters. REmember that a matching rule (like this one) will trump all lower rules, so rules 8+ wouldn't get analysed if this rule matched.

    For rules 6 and 7, you can read about the different states (INVALID vs. ESTABLISHED vs. RELATED) here (see "User-land states"): http://www.iptables.info/en/connection-state.html

    Rule 8 implies packets originating from a source interface of br0, with a destination interface of br1, are dropped. The packet/byte counters indicate there's been 30 packets that have met this criteria.

    Rule 9 is similar to rule 8, but for br1 --> br0, where packets are dropped. Packet/byte counters show 0, so it hasn't been hit.

    Rule 10 references a generic chain called wanin, matching incoming packets on vlan2 (WAN). You can use the wanin chain to allow/deny things as you see fit. (I use this myself, it's convenient) This isn't an allow/deny rule, this is a chain reference, so for allow/deny you have to see the details of wanin (not just the rules in the chain, but the default state of the chain too; it might be ACCEPT or DROP).

    Rule 11 is similar to rule 10, but for outbound traffic going out vlan2 (WAN).

    Rule 12 is permits any traffic inbound traffic on br0, destined to any interface. br0 --> br1 traffic would not reach this rule due to rule 8 above.

    Edit: yeah, the forum ate the code blocks. Fixing. A code block is done like so, replacing open-brace with [ and close-brace with ]:

    your content here

    You can alternately use the forum GUI. Click the "Insert..." icon (it looks like a newspaper) and then pick Code.
    Last edited: Mar 13, 2018
  41. My Name

    My Name Networkin' Nut Member

    root@TendaAC15:/tmp/home/root# iptables -L -n -v --line-numbers
    Chain INPUT (policy DROP 93 packets, 6864 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 ACCEPT     all  --  tun21  *  
    2        0     0 ACCEPT     udp  --  *      *              udp dpt:xxxxx
    3        1   576 ACCEPT     udp  --  br1    *              udp dpt:xxxx
    4        0     0 ACCEPT     tcp  --  br1    *              tcp dpt:xxxxx
    5      749 49493 ACCEPT     udp  --  br1    *              udp dpt:xxxxxx
    6      194  9634 DROP       all  --  br1    *              state NEW
    7       50  2192 DROP       all  --  *      *              state INVALID
    8      413 59554 ACCEPT     all  --  *      *              state RELATED,ESTABLISHED
    9        2    80 shlimit    tcp  --  *      *              tcp dpt:xx state NEW
    10       1   244 ACCEPT     all  --  lo     *  
    11     183 13392 ACCEPT     all  --  br0    *  
    12       0     0 ACCEPT     all  --  br1    *  
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 ACCEPT     all  --  tun21  *  
    2     3124 1211K            all  --  *      *             account: network/netmask: 192.168.xx.0/ name: lan
    3    27317 9487K            all  --  *      *             account: network/netmask: 192.168.xx.0/ name: lan1
    4        0     0 ACCEPT     all  --  br0    br0  
    5        0     0 ACCEPT     all  --  br1    br1  
    6       71  3320 DROP       all  --  *      *              state INVALID
    7    29264   11M ACCEPT     all  --  *      *              state RELATED,ESTABLISHED
    8       36  1872 DROP       all  --  br0    br1  
    9        0     0 DROP       all  --  br1    br0  
    10       0     0 wanin      all  --  vlan2  *  
    11    1034 73137 wanout     all  --  *      vlan2  
    12     150 28305 ACCEPT     all  --  br0    *  
    13     884 44832 ACCEPT     all  --  br1    *  
    Chain OUTPUT (policy ACCEPT 1353 packets, 219K bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    Chain shlimit (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        2    80            all  --  *      *              recent: SET name: shlimit side: source
    2        0     0 DROP       all  --  *      *              recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
    Chain wanin (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    Chain wanout (1 references)
    num   pkts bytes target     prot opt in     out     source               destination[/code/
  42. My Name

    My Name Networkin' Nut Member

    root@TendaAC15:/tmp/home/root# iptables -t mangle -L -n -v --line-numbers
    Chain PREROUTING (policy ACCEPT 49496 packets, 16M bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1    24088   14M DSCP       all  --  vlan2  *              DSCP set 0x00
    2        0     0 DROP       all  --  vlan2  *            192.168.xx.0/24
    3        0     0 DROP       all  --  vlan2  *            192.168.xx.0/24
    Chain INPUT (policy ACCEPT 2571 packets, 219K bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    Chain FORWARD (policy ACCEPT 46505 packets, 16M bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1     2893  133K TCPMSS     tcp  --  *      *              tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
    Chain OUTPUT (policy ACCEPT 2226 packets, 355K bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    Chain POSTROUTING (policy ACCEPT 48572 packets, 16M bytes)
    num   pkts bytes target     prot opt in     out     source               destination
  43. koitsu

    koitsu Network Guru Member

    Speaking strictly about the FORWARD chain, as a follow-up to post #1640:

    Rule 1 accepts any inbound traffic on tun21 interface to anywhere. 0 packet counter.
    Rules 2 and 3 are traffic accounting rules for IPTraffic capability and do not affect traffic flow.

    And there's a new rule at the bottom vs. what was in post #1638: rule 13 is similar to rule 12, except that it applies to interface br1 rather than br0.

    I'll edit my previous post to cover rule 6 (I overlooked it).
  44. My Name

    My Name Networkin' Nut Member

    root@TendaAC15:/tmp/home/root# iptables -t nat -L -n -v --line-numbers
    Chain PREROUTING (policy ACCEPT 3774 packets, 231K bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 ACCEPT     udp  --  *      *              udp dpt:xxxxxx
    2      133  8600 WANPREROUTING  all  --  *      *        xx.xx.xx.xxx
    Chain INPUT (policy ACCEPT 1392 packets, 93464 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    Chain OUTPUT (policy ACCEPT 402 packets, 27755 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    Chain POSTROUTING (policy ACCEPT 2 packets, 593 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1     1997  128K MASQUERADE  all  --  *     vlan2  
    2        1   328 SNAT       all  --  *      br0     192.168.xx.0/24      192.168.xx.0/24      to:192.168.xx.1
    3        1   340 SNAT       all  --  *      br1     192.168.xx.0/24      192.168.xx.0/24      to:192.168.xx.1
    Chain WANPREROUTING (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 DNAT       icmp --  *      *              to:192.168.xx.1
    Last edited: Mar 13, 2018
  45. My Name

    My Name Networkin' Nut Member

    root@TendaAC15:/tmp/home/root# iptables -t raw -L -n -v --line-numbers
    Chain PREROUTING (policy ACCEPT 14M packets, 13G bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    Chain OUTPUT (policy ACCEPT 375K packets, 269M bytes)
    num   pkts bytes target     prot opt in     out     source               destination
  46. My Name

    My Name Networkin' Nut Member

    Not sure which one that is?

    EDIT: Sorry , misread, thought I was supposed to edit something.
    Last edited: Mar 13, 2018
  47. koitsu

    koitsu Network Guru Member

    I will need several hours to review these rules (specifically INPUT, FORWARD, and OUTPUT) properly, and provide some actual Real World Traffic Scenarios that show you how these rules work under certain scenarios. I can't promise on when I can complete this -- I have health issues and am actively interviewing for full-time work, so I have other priorities.

    I did a write-up of what the FORWARD chain rules represent in post #1640. This would be for traffic going between interfaces (ex. br0 --> br1, br1 --> br0), i.e. traffic forwarded through the router, as well as WAN-bound traffic -- and NOT for traffic directed *at* the router (i.e. a destination address of the router's IP, say, Traffic directed *at* the router would fall under the INPUT chain.

    It would help me if you could provide the exact IP addressing details for br0 and br1 (ex. br0 = or I want to use actual IP addresses and ranges that comply with those CIDRs when giving you examples, to make comprehension easier. I understand this is sensitive, but in multi-network situations like this, it's helpful (I would say critical, especially when state tracking is involved, since state tracking only contains source/destination IP addresses and not associated interfaces).

    TomatoUSB is generating some of its own rules (some through the GUI, some hard-coded) that make understanding the rules more complicated than they need to be. Add more interfaces to the mix, the situation becomes even hairier. KISS principle is quickly lost in complex networks (which this classifies as), which is where one really has to sit down and look at the rules very carefully.
  48. My Name

    My Name Networkin' Nut Member

    Br0 is
    Br1 is

    I appreciate your help. Don't spend a lot of time on it. Things will work out.

    I will probably go back to Toastman since everything worked on it. Biggest reason for upgrade was KRACK fix. All my devices that really matter have been patched for it.

    8       30  1560 DROP       all  --  br0    br1  
    EDIT: Should Rule 8 not be something like ACCEPT or whatever to allow br0 access to br1

    BTW, this network all came about when I finally understood Vlans and Tagged Vlans. It allowed me to use one cat5e cable between main router (Tenda AC15) and AP (another Tenda AC15) to get both networks to a wired PC plugged into lan port on AP and get a decent wifi signal in a troublesome wifi area. Worked well on Toastman just not on @kille72 at the present.
    Last edited: Mar 13, 2018
  49. Cliffield

    Cliffield Connected Client Member

    @koitsu @My Name
    I'm on 2017.3 from kille72 and using "LAN Acces" without problems.

    I can access certain defined computers on br1/LAN1/VLAN3 from br0/LAN/VLAN1.
    LAN Acess shows:
    On    Src        Src Address        Dst         Dst Address    
    On    LAN                           LAN1
    On    LAN                           LAN1
    On    LAN1                          LAN
    These setting insert following rules in /etc/iptables (and maybe other config-files?):
    -A FORWARD -i br0 -o br1  -d -j ACCEPT
    -A FORWARD -i br0 -o br1  -d -j ACCEPT
    -A FORWARD -i br1 -o br0  -d -j ACCEPT
    For testing purposes I allowed LAN full acces to LAN1 under "LAN Access" and after that I could access all the other computers on LAN1 ( etc) from LAN.

    In addition I insert following rules in Administration - > Scripts -Firewall and rebootet:
    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
    I still can reach the computers on the other subnet/vlan.
    Without the rules under "LAN Access" the LAN1 is not reachable from LAN.

    Just my observations, maybe it helps,
    Last edited: Mar 13, 2018
    kille72 likes this.
  50. My Name

    My Name Networkin' Nut Member

    @koitsu and @Cliffield
    @Cliffield , thanks that made some progress. The only thing I can make work under Advanced, Lan Access is as follows
    On    Src        Src Address        Dst         Dst Address
    On    LAN                           LAN1
    On    LAN                           LAN1
    Using that I can access those two Ip Addresses from Br0 but nothing else.

    Tried the following to no avail.
    On    Src        Src Address        Dst         Dst Address
    On    LAN                           LAN1
    On    LAN                           LAN1
    On    LAN                           LAN1
    Cannot access anything from Br0 to Br1

    What did you enter in Advanced, Lan Access to allow LAN full access to LAN1. I have never had to enter anything in the past. It worked by default.

    EDIT: Later discovered I had entered LAN and LAN1 in my previous setup. My error but it did work. Same entry does not work now on this firmware or at least I cannot get it to work.
    Last edited: Mar 13, 2018
  51. sac7000

    sac7000 Networkin' Nut Member

    Last edited: Mar 13, 2018
  52. Sean B.

    Sean B. Network Guru Member

    Not trying to be insulting, but I've seen people get confused by this several times in the past. So just to be sure, you do know the rule that initially appears in the LAN Access menu is not actually active, right? It's an example rule and is not saved into the list.

  53. Cliffield

    Cliffield Connected Client Member

    Haha, I am one of those. Happend to me more than once :D

    @My Name
    Here is a working example (tested on 2017.3 kille72)
    1. Basic - Network - Lan

    2a. Advanced - VLAN

    2b. Alternative config

    3. Advanced - LAN Access

    Administration - Scipts - Firewall
  54. My Name

    My Name Networkin' Nut Member

    @Cliffield ,I am on Tomato Firmware 2018.1.031 -beta-kille72 K26ARM USB VPN-64K and not 2017.3 kille72. Not sure that makes a difference.

    My setup is very similar to yours and I have tagged Vlans in addition to port assigned Vlans. Using this to extend br0 and br1 across my lan on one cat5e cable. Have done this here before on Toastman and at my remote location on Toastman and it works. Just looked at my remote location running Toastman and it is working and defined as I would expect. I generally do not have issues setting up Vlans and pretty much understand what has to be done.

    Nothing I can do in Advanced, Lan Access other than specify a particular IP Address in Lan1 (br1) to access from Lan (br0) and get it to work. Nothing else does on 2018.1.031 -beta-kille72 K26ARM USB VPN-64K, for me anyway.

    I always put the following in Admin, Scripts, Firewall to prevent Br1 from accessing Br0. It works. Found it long ago over on DD-WRT Forum.
    # Restrict br1 from accessing the WAN subnet (still has internet)
    iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
    # Restrict br1 from accessing the router's local sockets (software running on the router)
    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    # Allow br1 to access DNS on the router
    iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
    iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
    # Allow br1 to access DHCP on the router
    iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
    @Sean B, Yep you are right. On my remote location I do have LAN and LAN1 defined in addition to the default. It works, this one does not. Tired today. Going to give it a rest and start over tomorrow.

    To be clear, the only problem that I am aware of at this moment is I cannot access anything in LAN1 (br1) from LAN (br0). My vlans are OK and working.

    Before someone asks, I did wipe NVRAM after upgrading to 2018.1.031 -beta-kille72 K26ARM USB VPN-64K and all settings were manually entered from that point.
    Last edited: Mar 13, 2018
  55. koitsu

    koitsu Network Guru Member

    I don't know how to phrase this eloquently, so this may be confusing, and for that I apologise.

    One problem with the Scripts -> Firewall rules in post #1653 is that -m state --state NEW rule will match only packets that aren't currently in conntrack, i.e. "brand new connections" (UDP is stateless, but conntrack tracks it anyway, same with ICMP). Existing/already flowing/established/etc. connections (i.e. ones already existing in the state table) would continue to be permitted, if there were any in the state table.

    What this means is that if prior to using these rules at all (or on a fresh reboot) you had already had traffic flowing between br0 <--> br1 (there very well could be a brief period of time where this could happen), and suddenly didn't want it to flow (by adding those rules to Scripts -> Firewall), that rule *would not* suddenly block that traffic. This could lead to someone saying "I put these rules into place, but it looks like things are still working?" Remember, Tomato tends to have this near the very top of the list:

    Chain INPUT (policy DROP 3941 packets, 272K bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1       28  1568 DROP       all  --  br0    *            {my-wan-ip}
    2     6878  331K DROP       all  --  *      *              state INVALID
    3     372K  101M ACCEPT     all  --  *      *              state RELATED,ESTABLISHED
    4        0     0 ACCEPT     all  --  lo     *  
    5     111K   17M ACCEPT     all  --  br0    *  
    Note rules #3 and #5 above.

    conntrack does have timeouts that you can define/control, but they tend to be very long (especially for TCP). I'd rather not get into a discussion about those if at all possible.

    Removing -m state --state NEW from that line would be sufficient, i.e. block all traffic unless allowed (by the subsequently inserted into the top of the chain ACCEPT rules shown, ex. allowing TCP and UDP port 53, and UDP port 67).

    This is one of the most tricky parts of conntrack and netfilter. Having a state table (conntrack) speeds up the firewall greatly (and provides some security too), but you have to understand the caveats. On normal Linux distros, there's a command called conntrack that can let you flush the state table (conntrack -F) but we do not have this on Tomato.

    P.S. -- Those rules are for the INPUT chain, which would apply to traffic being directed at the router directly (i.e. destination IP of the router), and not for packets being forwarded through the router (that would be the FORWARD chain).
    Cliffield likes this.
  56. My Name

    My Name Networkin' Nut Member

    Finally, everything is working for me on 2018.1.031 ARM beta.

    Installed 2018.1.031 ARM beta on a different TendaAC15, wiped NVRAM, entered all my settings manually and everything that I use it for appears to be good.

    Noticed in one of my earlier posts that I had inadvertently exposed the MAC address of the original TendaAC15 so that one will be relegated to testing or whatever in the future.

    Thanks to all you guys for the help.
    kille72 likes this.
  57. gazsiazasz

    gazsiazasz LI Guru Member

    My ISP provides PPPoE internet (DIGI HU) at 1000/200Mbps.
    Is there any chance to support HW PPPoE on Linksys EA6400? Because I have just flashed Tomato on my router and the WAN to LAN speed tops at ~200Mbps and the softirq in top goes to 50% (which is 100% of one core). However with stock firmware it goes above 4-500Mbps.
  58. kille72

    kille72 LI Guru Member

    Try CTF (Cut-Through Forwarding)=ON (without QOS, Bandwidth Limiter etc.)
  59. Wizardknight

    Wizardknight Serious Server Member

    I might have found a bug on the CIFS Client.
    If I use a unc like \\Systen_Name\path the GUI just sits at
    If I use an IP like \\\path I can get a connection almost instantly.

    Is this expected behavior?
    I can use a static IP on the device I am connecting to, but I would prefer to use it's name.
    Thanks. :)
  60. Sean B.

    Sean B. Network Guru Member

    Are you able to resolve the system name via other network computers? Does it resolve via DNS, or NetBT only? In the routers web interface under Tools->System commands run:

    nslookup systemname
    Systemname being the name of the system in question. What output does it return?
  61. Wizardknight

    Wizardknight Serious Server Member

    The system in question is a basic samba file share/server on a LibreELEC box.
    I access it by name from other systems on the LAN without issue, though I am not sure how to rule out DNS resolution vs NetBT resolution off the top of my head. You will have to forgive my ignorance.

    requested router nslookup:

    Address 1: localhost
    Name:      System_name
    Address 1: System_name
    Last edited: Mar 21, 2018
  62. Sean B.

    Sean B. Network Guru Member

    Did some checking.. here's from the CIFS docs:

    To my knowledge, Tomato does not include the required helper for CIFS to have name addressing functionality. Only the CIFS kernel module is included.
    Last edited: Mar 21, 2018
    Wizardknight, M_ars and kille72 like this.
  63. Sean B.

    Sean B. Network Guru Member

    I have compiled the mount.cifs helper for ARM, it can be downloaded here. It requires uclibc-opt to be installed.
    kille72 likes this.
  64. Wizardknight

    Wizardknight Serious Server Member

    Thanks. At least I know that I didn't miss something obvious.

    Am I correct in assuming that uclibc-opt is part of optware?
  65. Sean B.

    Sean B. Network Guru Member

    That is correct.
  66. Wizardknight

    Wizardknight Serious Server Member

    I am running entware on my router, and it doesn't look like uclibc-opt is a way I can go from what I have found on google.
    I fear I will have to use static dhcp as a work around.
  67. koitsu

    koitsu Network Guru Member

    Using hostnames for CIFS connectivity endpoints in a UNC path isn't smart, especially if the IP address of the endpoint can change. If the IP address of "Systen_Name" (per post #1659) ever changes, the kernel almost certainly will not "reconnect" the CIFS mount; the module will only do the DNS lookup once. You will end up with very uncomfortable behaviour otherwise -- probably any I/O to the local mountpoint stalling indefinitely, and/or possible kernel panic (in extreme cases where bugs are present (wouldn't surprise me)).

    You should either use static DHCP for "Systen_Name", or use an IP addresses in the UNC path. I would suggest the former, but you can use whatever you prefer.

    Remember: despite the CIFS/SMB protocol being used, the hostname lookup portion does not use NetBIOS -- it uses DNS. TomatoUSB uses Linux, not Windows, so NetBIOS isn't involved. :)

    BTW, underscores are not a permitted character in DNS hostnames per RFC 932 / RFC 952 / RFC 1123; only digits 0-9, a-z, and hyphen (-) are permitted, and only 0-9 and a-z are permitted as the first character (i.e. you cannot name a system "-hello" or "h#5jz!"). Readers should note: I am being very specific/pedantic when I use the word hostname. Underscores are permitted in DNS records (such as for SRV or SCTP records, ex. _http._tcp.update.freebsd.org), but they are not permitted for system hostnames.
    Last edited: Mar 23, 2018
    Yim Sonny and kille72 like this.
  68. eangulus

    eangulus Network Guru Member

    Not sure whats going on, but may have found another bug.

    Just updated to the beta and my USB Stick no longer mounts. Was mounting fine before.

    I have done a NVRAM Clear and just noticed it not mounting while resetting everything up, I was using it for logs and VPN scripts.
  69. Sean B.

    Sean B. Network Guru Member

    Anything related show up in the system log? Or did you have the syslog configured to save to USB as well?
  70. My Name

    My Name Networkin' Nut Member

    USB mounting fine on my Tenda AC15 with new beta. I have my OpenVPN keys on a USB stick since I could not save them under VPN, Keys. I think they were too big to fit in memory or whatever.

    EDIT: See post #1602 above.
  71. Wizardknight

    Wizardknight Serious Server Member

    Um, System_Name was just a generic place holder because I didn't really want to post the actual system name to the internet...
  72. Yim Sonny

    Yim Sonny Serious Server Member

    Does that little tidbit of information have any impact on the technical explanation that koitsu so kindly offered you ? Will you or will you not start using static ip addresses ?
  73. Sean B.

    Sean B. Network Guru Member

    Any insight on why there's an input box labeled "NetBIOS name" in each CIFS config section?
  74. koitsu

    koitsu Network Guru Member

    If you're talking about Administration -> CIFS Client: I would have to go look at the code to see exactly how this is being used (both what TomatoUSB does with it, as well as what the actual client uses it for). My gut feeling is that it's for networks running Windows (i.e. the SMB/CIFS server is Windows, or something that is extremely compatible with Windows, that uses NetBIOS for local host resolution), and is the NetBIOS name to look up when getting an IP address -- using NetBIOS protocol as the name-to-IP resolver, not DNS. DNS works just fine. This is akin to what smbclient(1) (part of the Samba utility suite) -- which is an SMB client to let you "browse" SMB/CIFS shares -- talks about here:

    smbclient {servicename} ...
       servicename is the name of the service you want to use on the server. A
       service name takes the form //server/service where server is the NetBIOS
       name of the SMB/CIFS server offering the desired service and service is
       the name of the service offered. Thus to connect to the service "printer"
       on the SMB/CIFS server "smbserver", you would use the
       servicename //smbserver/printer
       Note that the server name required is NOT necessarily the IP (DNS) host
       name of the server ! The name required is a NetBIOS server name, which
       may or may not be the same as the IP hostname of the machine running
       the server.
       The server name is looked up according to either the -R parameter to smbclient
       or using the name resolve order parameter in the smb.conf(5) file, allowing an
       administrator to change the order and methods by which server names are
       looked up.
    smb.conf(5) has a directive called name resolve order that controls the order of DNS vs. NIS vs. using a WINS server (oh god please no) and how NetBIOS fits into all that. It's complicated (good job, Microsoft). You can read about that here: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#NAMERESOLVEORDER

    Please note all the above links to samba.org may be for a significantly newer version of Samba that what is in TomatoUSB. Also, the mount -t cifs command IS NOT/DOES NOT USE SAMBA! It's something different. I've talked about this before in an old thread, someone can go find it if they want. Edit: here are the posts:
    I'll add that the mount-cifs command (/sbin/mount-cifs) I mention in one of those threads is a TomatoUSB command; it's a symlink to /sbin/rc which is Tomato. I describe what that command does in one of the posts. Don't confuse this with mount -t cifs which is using the Busybox /bin/mount command with a Linux kernel module that handles CIFS network mounts.

    Nice and confusing, yes? :) Thus, when you mentioned a "helper" called mount.cifs (not the period vs. hyphen) from Optware, that's also some other/different thing.

    If you're talking about USB and NAS -> File Sharing -> Samba Custom Configuration or Workgroup Name: this is a little different, and implies the Samba daemons running on TomatoUSB are both nmbd (which is for NetBIOS) and smbd (actual SMB/CIFS server). This would be the "NetBIOS name" of the CIFS/SMB server itself running on TomatoUSB. This is needed if you have CIFS/SMB clients that can only do NetBIOS-based hostname resolution; it's a good habit to set this to something valid/correct (an all-capitals name of a machine, ex. ROUTER or TOMATO) especially if the clients are Windows-based. Windows I think can use DNS-based lookups for SMB access, but I believe it still uses NetBIOS first.

    I hate NetBIOS with a passion, in case you can't tell. It's an awful broadcast-based protocol and stupidly complicated.
    Last edited: Mar 24, 2018
    M_ars, kille72 and Sean B. like this.
  75. woody99

    woody99 Serious Server Member

    After clean install of 2018.1.031 on EA6500v2 (thorough erase and 30/30/30)
    Is there a trick or workaround to NVRAM issues?
    i.e. Radio(s) (especially 2.4ghz) disappearing after changing settings/rebooting

    the old #Clear nvram null entries that seemed to work on shib v140 doesn't do that any longer.

    The 5ghz radio remains, but its SSID becomes Tomato24. 2.4ghz radio goes dark and no longer appears in GUI.
  76. kille72

    kille72 LI Guru Member

    The new 2018.1.039 ARM beta is ready for testing.

    Downloads: https://exotic.se/tomato-arm/v2018/2018.1.039
    Changelog: https://bitbucket.org/kille72/tomato-arm-kille72/commits/all

    The most important changes vs previous public beta 2018.1.031:

    - kernel: updated drivers/net/ modules. IMPORTANT! This commit needs further tests on: pppoe, ppptp, etc.
    - tor: updated to
    - dropbear: updated to 2018.76
    - LED: Preliminary support for 2nd 5Ghz LED on R8000
    - multiwan: forgotten kernel updates for sdk7
    - nano: updated to 2.9.4
    - busybox: add CONFIG_FEATURE_NETSTAT_PRG to configuration, for netstat -p functionality
    - router/rc/services.c: fixes issues with httpd
    - GUI: Air Time Fairness support for R7000/R8000
    - router/rc/init.c: R7000/R8000: enable Air Time Fairness by default
    - RT-AC3200: invert the default order of ports
    - R8000: invert the default order of ports
    - entware: updated installation script
    - ipset: updated to 6.36
    - xl2tpd: updated to 1.3.11
    - e2fsprogs: Updated to 1.44.0
    - libcurl: updated to 7.59.0
    - libcurl: updated CA certificate bundle as of 2018-03-07
    - router/rc/services.c: Increased re-check interval to 1000msec. Enabling DNSSEC in newer versions makes dnsmasq startup slower than the previous threshold of 500ms. This was causing too many dnsmasq restarts
    - dnsmasq: updated to 2.79 final
    - nginx: updated to 1.13.10
    - watchdog: increase curl timeout from 3 to 5 seconds in ckcurl function - on heavy loaded 3G connection it could make false positives

    Work on the SDK6 and the new WL driver are in progress.
    Last edited: Mar 24, 2018
    Elfew, M_ars, kthaddock and 4 others like this.
  77. rs232

    rs232 Network Guru Member

    Can anybody verify this please?
    I have reinstalled and experiening the same issue (especially the second one)

  78. kille72

    kille72 LI Guru Member

    Issue 1:
    That is correct, Scan function is broken with the newer WL driver, @pedro311 has not managed to look at this yet. Wireless Survey works well.

    Issue 2:
    Try to change Wireless Network Mode to AUTO.

    2018-03-25_01h36_29.png Screenshot_20180325-013448.png
    Last edited: Mar 25, 2018
  79. rs232

    rs232 Network Guru Member

    about issue 1: thanks for the update

    about issue 2: no it doesn't help also AUTO in my experience is never a good idea. It does sound like a bug and it can be a big issue in densly populated residential areas.
  80. kille72

    kille72 LI Guru Member

    But what router do you have? I have multiple routers and I don't have this problem with selecting 2.4 GHz WiFi channel.

    # nvram show | grep chann
    size: 39366 bytes (26170 left)
    View attachment 5552
  81. rs232

    rs232 Network Guru Member

    ASUS ac56u AIO build (freshly reinstalled yesterday but with the same issue)
  82. kille72

    kille72 LI Guru Member

    I have 2 x Asus RT-AC56U...no problem here. Do you use Virtual Wireless? Show us your configuration please, it's impossible that it just does not work on your AC56U.
  83. rs232

    rs232 Network Guru Member

    Ok let me re-phrase this. After playing with the settings "somehow" I can see a channel change on 2.4G ... but it's not consistent, e.g. sometimes it does work on the specified channel sometime it doesn't which is very confusing. For 5G also if I set e.g. "A Only" any channel I specify my mobile tells me it goes always on 36.
    In general I have a bad taste in the mouth about all these settings, they seem to behave differently every time especially when you switch from "G only" to "Auto" or all the way around.

    Wha I am doing here is to have 2.4G and 5G broadcasting the same SSID:

  84. PetervdM

    PetervdM Network Guru Member

    thx for the new beta, seems to work OK, one exception:
    atf is not enabled by default on R8000 on neither of the 3 interfaces wl0, wl1 and wl2. also wl_atf is not populated.
    kille72 likes this.
  85. woody99

    woody99 Serious Server Member

    EA6500v2 now stable on 2018.1.039 AIO
    with 50.68% NVRAM usage

    so far so good. both radios available and working

    thank you.
    kille72 likes this.
  86. kille72

    kille72 LI Guru Member

  87. RMerlin

    RMerlin Network Guru Member

    Bad idea IMHO. I've seen a lot of compatibility issues with Airtime Fairness, especially with printers and IoT devices.
    kille72 likes this.
  88. gs44

    gs44 LI Guru Member

    Flashed my R7000 with latest Beta and so far so good

    Thanks to all here that are keeping Tomato going!!!
    kille72 likes this.
  89. Sean B.

    Sean B. Network Guru Member

    Can anyone confirm if VLAN tagging is or is not functional in MultiWAN builds?
  90. Elfew

    Elfew Network Guru Member

    Any news about these? Especially no. 2 and 3? Thank you

    P.S. Channel scan function is fixed - https://bitbucket.org/pedro311/freshtomato-arm/commits/0d6a20f433e216c53a08db110f2f06561efe24de - thx @pedro311
    pedro311 likes this.
  91. M_ars

    M_ars Network Guru Member

    Hi Sean B.
    I have VLAN tagging running with build 2017-3 (for WAN --> PPPoE)
    --> working :)
    Sean B. likes this.
  92. monoton

    monoton Serious Server Member

    Work fine over here.
    4 routers (Linksys EA6400) 3 VLANs
    Sean B. likes this.
  93. kille72

    kille72 LI Guru Member

    1. Update Nginx from Legacy version 1.10.3 to Mainline version 1.13.x: https://bitbucket.org/kille72/tomato-arm-kille72/commits/f27af4bff0453daed4a3cc998a2114b0380295bf

    2. Fixes in MultiWAN-Watchdog: https://bitbucket.org/kille72/tomato-arm-kille72/commits/8e8dc645ec854985d35b9c67b20dcdf6776dded5

    3. MultiWAN connection status in the GUI: It is Shibby's idea and his project, I don't know how far he has come with this...
  94. Elfew

    Elfew Network Guru Member

    And one feature request (which is in Asus stock fw) - add ability to add name to interfaces (LAN 1; LAN 2 etc).
  95. sesnut

    sesnut Connected Client Member

    local dns is still broken in the latest version when wan is disabled
  96. Sean B.

    Sean B. Network Guru Member

    Elaborate please. Dnsmasq not running? Clients don't receive router IP as DNS server? Logs?
    Last edited: Mar 27, 2018
  97. koitsu

    koitsu Network Guru Member

    Elfew and kille72 like this.
  98. Elfew

    Elfew Network Guru Member

    @koitsu - thank you for your report and detailed steps how to reproduce!
  99. Wizardknight

    Wizardknight Serious Server Member

    I may have found a bug in the DDNS IP updating client on the router when using a VPN connection.

    I am using FreeDNS (afraid.org) to host my DDNS domains.
    I have the IP address set to use my WAN IP address. In that drop down box it shows the local address supplied by Comcast to my cable modem. I have it set to auto update every 1 day. Comcast is assigning me a 71.x.x.x WAN address.
    I also have a VPN connection setup on the same router which connects to Windscribe. My VNP address at the moment is a 61.x.x.x address.

    The address being sent to FreeDNS for my domains is the 61.x.x.x VPN address despite having selected my 71.x.x.x address from the Dynamic DNS drop down box.
    Settings-> [​IMG] https://ibb.co/kZ90H7
    IP being reported by FreeDNS https://ibb.co/g1duc7

    It seems like that might be a bug. I would expect the router's DDNS server to send my WAN IP and not the VPN IP as the WAN IP is what was selected from the drop down box.

    Maybe the best solution would be to offer DDNS IP drop down options for WAN IPs and VPN IPs? It seems like the WAN drop down option should send the WAN IP at the minimum.

    The reason this is causing me an issue is that I can't route my server traffic over the VPN.
    I would like the server trafic to come directly to my WAN IP.
    Because the WAN IP is DHCP, it relies on DDNS for updates. Unfortunately that is being incorrectly updated with the VPN IP.

    Let me know if you want me to try other settings, or provide more information. I will be glad to give it a shot.

    Thank you.
    Last edited: Mar 29, 2018
  100. koitsu

    koitsu Network Guru Member

    One question: you say 61.x.x.x but your screenshots show 66.x.x.x. Are you sure this is actually broken?

    If you meant 66.x.x.x, then I can probably explain what's going on. It's a little complicated, but not too bad:

    Given how afraid.org works, this probably has more to do with packet routing priority on the router itself, i.e. how it decides which interface (VPN or non-VPN) to use for default outbound packets originating from itself. Rephrased: when the router issues a connection to afraid.org to submit DNS IP updates, afraid.org actually uses the address of what IP is connecting to it. In this case, the initiation is being done via your VPN interface, so from afraid.org's perspective your IP is in fact 66.x.x.x. If you look closely at the GUI, you'll see that it says "This service determines the IP address using its own method." So what's in the pulldown at the top really doesn't have any relevance. That's just how afraid.org works.

    The DDNS updater on TomatoUSB is home-grown and kind of weird. A config file is generated in /var/lib/mdu -- ddnsx0.conf and ddnsx1.conf (one for each DDNS service you use). The updater is run using a cronjob, running ddns-update 0 force at periodic intervals. This program is actually the Tomato rc/init binary itself (see router/rc/ddns.c for details). The code that is run when running ddns-update actually spawns another utility called mdu which is what does the actual communication with the DDNS service itself, specifically running (in this case) mdu --service afraid --conf /var/lib/mdu/ddnsx0.conf (for your first DDNS provider entry). That's what does the actual TCP connection to the DDNS service provider.

    What is actually needed here is a way to tell mdu what network interface to bind to -- in C, using setsockopt(SO_BINDTODEVICE) with ifr_name in an ifreq struct (this is Linux-specific!), or (more universal method, i.e. non-Linux) pre-populating the sin_addr.s_addr struct field to contain the source address of the interface you wish the packets to go out of. However, for this to operationally work, firewall rules have to set to permit both the outbound traffic (correlating with that interface) and/or response traffic inbound on that same interface. Someone would need to code this into mdu, and then make appropriate changes to the code that is used by ddns-update (it's function ddns_update_main()) to run mdu with a new flag like --interface vlan2 or --srcaddr 71.x.x.x (it depends on which of the above methods are implemented), correlating with what's in the actual .conf file's addr line.

    But this may not be what all people want! There may be some people that currently use afraid.org in the same way as you and it's working how they expect (and this would potentially break it).

    A workaround for you may be to use a different DDNS provider. nsupdate.info is one such provider that, IIRC, lets you specify an IP in the URL. You can use this provider in TomatoUSB by picking "Custom URL" and then using the string @IP to represent the IP address in the GUI pulldown at the top. They don't clearly explain how to do this in the docs, but do show you in the "Show Configuration" dialog in their website GUI. Your URL would end up being something like this:


    And that should work.
    Aardvark, pedro311 and kille72 like this.
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice