[Fork] Tomato-ARM by @kille72

Discussion in 'Tomato Firmware' started by kille72, Mar 24, 2017.

  1. Wizardknight

    Wizardknight Reformed Router Member

    Yes.
    61.x.x.x vs. 66.x.x.x was a typo on my part.
    I will try another DDNS provider, and see if I can get the behavior I expect.

    Thank you.


    Update:
    Used DNS-O-Matic via my router's DDNS client to update my domains at FreeDNS / afraid.org.
    No scripting/url mods needed. Just dropped my keys into the DNS-O-Matic web interface, updated my router to point to DNS-O-Matic rather than FreeDNS, and it worked auto-magically.
    DNS-O-Matic grabbed my local WAN IP off the router GUI and forwarded it correctly.

    Upside is I can have more than 2 domains updated now if I like, downside is adding an extra step where something can break.

    Now I have my FTP server hosting via my local WAN IP/connection, and the rest of my LAN traffic exits via my VPN. This is good.
     
    Last edited: Mar 29, 2018
  2. M_ars

    M_ars Network Guru Member

    Hi kille72,

    I wanted to give you some short feedback on version 2017-3.
    I do use it on three Asus RT-N18U with the provider German Telekom and IPTV Entertain (VDSL2 with 50-100 MBit/s)
    - LEDs are working (Power, WAN up/down, LAN, WLAN) --> very nice! even if I don't see them often ;-)
    - VoIP working (I had to disable "SIP" NAT Helpers at Advanced, otherwise some persons were not able to call; with Toastman 511 no problems at all)
    - IPTV working (IGMP Proxy Enabled for LAN AND also "Efficient Multicast Forwarding" Enabled --> maybe it would be a good idea to call that Label "Efficient Multicast Forwarding (IGMP Snooping)" like Asus?)
    - VLAN tagging working
    - OpenVPN working (site-site and some clients)
    - IPv6 working (DHCPv6 with Prefix Delegation)
    - and and and

    best regards & thx
    M_ars

    P.S. Maybe it would be a good idea to supply only the "*-NOSMP" Files for the RT-N18U and other single core units (RT-AC56S ...) ? --> because with the normal file you will have a permanent high cpu load of >2,x

    (I know there is a newer version, but right now I don't want to update, everything is just working and no complaints from the family :D...)
     
    Elfew and kille72 like this.
  3. koitsu

    koitsu Network Guru Member

    Can we clean up the repository a bit, specifically WRT router/gmp (GNU gmp)? There are incredibly questionable symlinks present which are not present in other branches (ex. official shibby-arm and Toastman-ARM do not have them):

    Code:
    .../release/src-rt-6.x.4708/router (shibby-arm) $ grep -r sfdsdf .
    grep: ./gmp/doc/texinfo.tex: No such file or directory
    grep: ./gmp/doc/mdate-sh: No such file or directory
    grep: ./gmp/INSTALL: No such file or directory
    grep: ./gmp/test-driver: No such file or directory
    grep: ./gmp/install-sh: No such file or directory
    grep: ./gmp/missing: No such file or directory
    grep: ./gmp/ltmain.sh: No such file or directory
    grep: ./gmp/ylwrap: No such file or directory
    grep: ./gmp/compile: No such file or directory
    
    .../release/src-rt-6.x.4708/router (shibby-arm) $ ls -l ./gmp/doc/texinfo.tex ./gmp/doc/mdate-sh ./gmp/INSTALL ./gmp/test-driver ./gmp/install-sh ./gmp/missing ./gmp/ltmain.sh ./gmp/ylwrap ./gmp/compile | sort -k9
    lrwx------    1 jdc       users     32 27 Mar 18:35 ./gmp/compile -> /usr/share/automake-1.15/compile
    lrwx------    1 jdc       users     33 27 Mar 18:35 ./gmp/doc/mdate-sh -> /usr/share/automake-1.15/mdate-sh
    lrwx------    1 jdc       users     36 27 Mar 18:35 ./gmp/doc/texinfo.tex -> /usr/share/automake-1.15/texinfo.tex
    lrwx------    1 jdc       users     35 27 Mar 18:35 ./gmp/install-sh -> /usr/share/automake-1.15/install-sh
    lrwx------    1 jdc       users     32 27 Mar 18:35 ./gmp/INSTALL -> /usr/share/automake-1.15/INSTALL
    lrwx------    1 jdc       users     35 27 Mar 18:35 ./gmp/ltmain.sh -> /usr/share/libtool/config/ltmain.sh
    lrwx------    1 jdc       users     32 27 Mar 18:35 ./gmp/missing -> /usr/share/automake-1.15/missing
    lrwx------    1 jdc       users     36 27 Mar 18:35 ./gmp/test-driver -> /usr/share/automake-1.15/test-driver
    lrwx------    1 jdc       users     31 27 Mar 18:35 ./gmp/ylwrap -> /usr/share/automake-1.15/ylwrap
    
    These are symlinks in the repository that link to system binaries; the system I use for editing source code etc. is a FreeBSD box, which is why these symlinks point to invalid things. These types of symlinks usually shouldn't be in an actual git repository.

    I looked at the official gmp-6.1.1 tarball and most of these are actual files, not symlinks:

    Code:
    $ tar -jptvf gmp-6.1.1.tar.xz | egrep 'gmp-6.1.1/(compile|doc/mdate-sh|doc/texinfo.tex|INSTALL|install-sh|ltmain.sh|missing|test-driver|ylwrap)$'
    -rw-r--r--  0 tege   wheel    2489 18 Jun  2016 gmp-6.1.1/INSTALL
    -rwxr-xr-x  0 tege   gmp      7333  5 Sep  2015 gmp-6.1.1/compile
    -rwxr-xr-x  0 tege   gmp     14675  5 Sep  2015 gmp-6.1.1/install-sh
    -rw-r--r--  0 tege   gmp    324089  5 Sep  2015 gmp-6.1.1/ltmain.sh
    -rwxr-xr-x  0 tege   gmp      6872  5 Sep  2015 gmp-6.1.1/missing
    -rwxr-xr-x  0 tege   gmp      4640  5 Sep  2015 gmp-6.1.1/test-driver
    -rwxr-xr-x  0 tege   gmp      6858  5 Sep  2015 gmp-6.1.1/ylwrap
    -rwxr-xr-x  0 tege   gmp      6047  5 Sep  2015 gmp-6.1.1/doc/mdate-sh
    -rw-r--r--  0 tege   gmp    323102  5 Sep  2015 gmp-6.1.1/doc/texinfo.tex
    
    They're actual files in shibby-arm and Toastman-ARM too.

    Maybe some part of the configure and/or make phase is doing this? I don't know -- if that's the case, boy, that's pretty awful software design. I found a GitHub repo of a modified GNU gmp that has some of them present as symlinks too (ex. compile, test-driver), but not all.

    I don't think this is a case where we can use .gitignore (ideally router/.gitignore) to exclude these because they're likely used in the build process thus removal of them would break fresh git clone copies from working. I simply don't know. What's surprising me though is that the official tarball has actual files/scripts while what's in the repo are symlinks.

    Someone should probably try to figure out why it's happening and fix it.
     
    kille72 likes this.
  4. Sean B.

    Sean B. LI Guru Member

    I believe this is the commit responsible. The files you noted show type changed.

    **EDIT** Confirmed. Source tree in the commit previous to this one, a08a4b6, does not contain the symlinked files.

    Here's a diff of test-driver between the commits:

    Code:
    diff --git a/release/src-rt-6.x.4708/router/gmp/test-driver b/release/src-rt-6.x.4708/router/gmp/test-driver
    deleted file mode 100644
    index 8e575b0..0000000
    --- a/release/src-rt-6.x.4708/router/gmp/test-driver
    +++ /dev/null
    @@ -1,148 +0,0 @@
    -#! /bin/sh
    -# test-driver - basic testsuite driver script.
    -
    -scriptversion=2013-07-13.22; # UTC
    -
    -# Copyright (C) 2011-2014 Free Software Foundation, Inc.
    -#
    -# This program is free software; you can redistribute it and/or modify
    -# it under the terms of the GNU General Public License as published by
    -# the Free Software Foundation; either version 2, or (at your option)
    -# any later version.
    -#
    -# This program is distributed in the hope that it will be useful,
    -# but WITHOUT ANY WARRANTY; without even the implied warranty of
    -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    -# GNU General Public License for more details.
    -#
    -# You should have received a copy of the GNU General Public License
    -# along with this program.  If not, see <http://www.gnu.org/licenses/>.
    -
    -# As a special exception to the GNU General Public License, if you
    -# distribute this file as part of a program that contains a
    -# configuration script generated by Autoconf, you may include it under
    -# the same distribution terms that you use for the rest of that program.
    -
    -# This file is maintained in Automake, please report
    -# bugs to <bug-automake@gnu.org> or send patches to
    -# <automake-patches@gnu.org>.
    -
    -# Make unconditional expansion of undefined variables an error.  This
    -# helps a lot in preventing typo-related bugs.
    -set -u
    -
    -usage_error ()
    -{
    -  echo "$0: $*" >&2
    -  print_usage >&2
    -  exit 2
    -}
    -
    -print_usage ()
    -{
    -  cat <<END
    -Usage:
    -  test-driver --test-name=NAME --log-file=PATH --trs-file=PATH
    -              [--expect-failure={yes|no}] [--color-tests={yes|no}]
    -              [--enable-hard-errors={yes|no}] [--]
    -              TEST-SCRIPT [TEST-SCRIPT-ARGUMENTS]
    -The '--test-name', '--log-file' and '--trs-file' options are mandatory.
    -END
    -}
    -
    -test_name= # Used for reporting.
    -log_file=  # Where to save the output of the test script.
    -trs_file=  # Where to save the metadata of the test run.
    -expect_failure=no
    -color_tests=no
    -enable_hard_errors=yes
    -while test $# -gt 0; do
    -  case $1 in
    -  --help) print_usage; exit $?;;
    -  --version) echo "test-driver $scriptversion"; exit $?;;
    -  --test-name) test_name=$2; shift;;
    -  --log-file) log_file=$2; shift;;
    -  --trs-file) trs_file=$2; shift;;
    -  --color-tests) color_tests=$2; shift;;
    -  --expect-failure) expect_failure=$2; shift;;
    -  --enable-hard-errors) enable_hard_errors=$2; shift;;
    -  --) shift; break;;
    -  -*) usage_error "invalid option: '$1'";;
    -   *) break;;
    -  esac
    -  shift
    -done
    -
    -missing_opts=
    -test x"$test_name" = x && missing_opts="$missing_opts --test-name"
    -test x"$log_file"  = x && missing_opts="$missing_opts --log-file"
    -test x"$trs_file"  = x && missing_opts="$missing_opts --trs-file"
    -if test x"$missing_opts" != x; then
    -  usage_error "the following mandatory options are missing:$missing_opts"
    -fi
    -
    -if test $# -eq 0; then
    -  usage_error "missing argument"
    -fi
    -
    -if test $color_tests = yes; then
    -  # Keep this in sync with 'lib/am/check.am:$(am__tty_colors)'.
    -  red='[0;31m' # Red.
    -  grn='[0;32m' # Green.
    -  lgn='[1;32m' # Light green.
    -  blu='[1;34m' # Blue.
    -  mgn='[0;35m' # Magenta.
    -  std='[m'     # No color.
    -else
    -  red= grn= lgn= blu= mgn= std=
    -fi
    -
    -do_exit='rm -f $log_file $trs_file; (exit $st); exit $st'
    -trap "st=129; $do_exit" 1
    -trap "st=130; $do_exit" 2
    -trap "st=141; $do_exit" 13
    -trap "st=143; $do_exit" 15
    -
    -# Test script is run here.
    -"$@" >$log_file 2>&1
    -estatus=$?
    -
    -if test $enable_hard_errors = no && test $estatus -eq 99; then
    -  tweaked_estatus=1
    -else
    -  tweaked_estatus=$estatus
    -fi
    -
    -case $tweaked_estatus:$expect_failure in
    -  0:yes) col=$red res=XPASS recheck=yes gcopy=yes;;
    -  0:*)   col=$grn res=PASS  recheck=no  gcopy=no;;
    -  77:*)  col=$blu res=SKIP  recheck=no  gcopy=yes;;
    -  99:*)  col=$mgn res=ERROR recheck=yes gcopy=yes;;
    -  *:yes) col=$lgn res=XFAIL recheck=no  gcopy=yes;;
    -  *:*)   col=$red res=FAIL  recheck=yes gcopy=yes;;
    -esac
    -
    -# Report the test outcome and exit status in the logs, so that one can
    -# know whether the test passed or failed simply by looking at the '.log'
    -# file, without the need of also peaking into the corresponding '.trs'
    -# file (automake bug#11814).
    -echo "$res $test_name (exit status: $estatus)" >>$log_file
    -
    -# Report outcome to console.
    -echo "${col}${res}${std}: $test_name"
    -
    -# Register the test result, and other relevant metadata.
    -echo ":test-result: $res" > $trs_file
    -echo ":global-test-result: $res" >> $trs_file
    -echo ":recheck: $recheck" >> $trs_file
    -echo ":copy-in-global-log: $gcopy" >> $trs_file
    -
    -# Local Variables:
    -# mode: shell-script
    -# sh-indentation: 2
    -# eval: (add-hook 'write-file-hooks 'time-stamp)
    -# time-stamp-start: "scriptversion="
    -# time-stamp-format: "%:y-%02m-%02d.%02H"
    -# time-stamp-time-zone: "UTC"
    -# time-stamp-end: "; # UTC"
    -# End:
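    Review bot: the file removed here is the vendored copy of Automake's test-driver (its "scriptversion=2013-07-13.22" line identifies it), and once it is gone nothing in the repository records which version of the helper a build will run. Keep it as a regular tracked file. If it is re-added, note that this side of the diff tracked it as mode 100644 although it starts with "#! /bin/sh", so decide deliberately whether it should carry the executable bit.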
    diff --git a/release/src-rt-6.x.4708/router/gmp/test-driver b/release/src-rt-6.x.4708/router/gmp/test-driver
    new file mode 120000
    index 0000000..7810c7c
    --- /dev/null
    +++ b/release/src-rt-6.x.4708/router/gmp/test-driver
    @@ -0,0 +1 @@
    +/usr/share/automake-1.15/test-driver
    \ No newline at end of file
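    Review bot: the new test-driver entry is a symlink (mode 120000) whose target is the absolute host path /usr/share/automake-1.15/test-driver, so the content a build executes now comes from whatever the build machine has at that path, and the link dangles on any system without that exact Automake install. Commit the script itself as a regular file, as the deleted side of this diff had it, so every clone carries the same reviewed content.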
    
    Can't say what happened to cause this. Other than perhaps the upgrade of source was done from a tree that was linked into the system, @kille72 ? I'll make a patch to reverse this and post.
     
    Last edited: Mar 31, 2018
    kille72 and koitsu like this.
  5. kille72

    kille72 LI Guru Member

    @koitsu @Sean B. I have updated to clean source code for gmp, is it enough?

    https://bitbucket.org/kille72/tomato-arm-kille72/commits/67ba9967aebd1b672c4482b2d93a0c4dbe2d6a1e

    Code:
    kille72@debian:~/tomato-arm-kille72/release/src-rt-6.x.4708/router$ ls -l ./gmp/doc/texinfo.tex ./gmp/doc/mdate-sh ./gmp/INSTALL ./gmp/test-driver ./gmp/install-sh ./gmp/missing ./gmp/ltmain.sh ./gmp/ylwrap ./gmp/compile | sort -k9
    -rwxr-xr-x 1 kille72 kille72   7333 Sep  5  2015 ./gmp/compile
    -rwxr-xr-x 1 kille72 kille72   6047 Sep  5  2015 ./gmp/doc/mdate-sh
    -rw-r--r-- 1 kille72 kille72 323102 Sep  5  2015 ./gmp/doc/texinfo.tex
    -rw-r--r-- 1 kille72 kille72   2489 Dec 16  2016 ./gmp/INSTALL
    -rwxr-xr-x 1 kille72 kille72  14675 Sep  5  2015 ./gmp/install-sh
    -rw-r--r-- 1 kille72 kille72 324089 Sep  5  2015 ./gmp/ltmain.sh
    -rwxr-xr-x 1 kille72 kille72   6872 Sep  5  2015 ./gmp/missing
    -rwxr-xr-x 1 kille72 kille72   4640 Sep  5  2015 ./gmp/test-driver
    -rwxr-xr-x 1 kille72 kille72   6858 Sep  5  2015 ./gmp/ylwrap

    I have tested compilation after this change and it works without a problem.
     
    koitsu and Elfew like this.
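The check koitsu ran by hand with grep and ls can be scripted. The following is an added example, not code from the thread or from the Tomato tree: it walks a source tree and reports symlinks that point at absolute host paths, resolve outside the tree, or dangle. The function names and the demo tree are constructed for illustration; the `gmp/INSTALL -> ../../host-INSTALL` link is invented to show the "escapes" case.

```shell
#!/bin/sh
# Added example: flag symlinks in a source tree whose targets tie the tree
# to the machine it was committed from.

# classify_link ROOT LINK
# Prints one word for the symlink LINK inside ROOT:
#   absolute  target is an absolute path (host-dependent by construction)
#   escapes   relative target resolves to a directory outside ROOT
#   dangling  target stays inside ROOT but does not exist
#   ok        relative target inside ROOT that exists
classify_link() {
    cl_root=$1
    cl_link=$2
    cl_target=$(readlink "$cl_link")
    case $cl_target in
        /*) echo absolute; return 0 ;;
    esac
    # Resolve the target's directory relative to the directory holding the
    # link; if that directory cannot be entered the link cannot resolve.
    cl_dir=$(cd "$(dirname "$cl_link")" 2>/dev/null &&
             cd "$(dirname "$cl_target")" 2>/dev/null && pwd -P) ||
        { echo dangling; return 0; }
    cl_rootreal=$(cd "$cl_root" && pwd -P)
    case $cl_dir/ in
        "$cl_rootreal"/*) ;;
        *) echo escapes; return 0 ;;
    esac
    if [ -e "$cl_dir/$(basename "$cl_target")" ]; then
        echo ok
    else
        echo dangling
    fi
}

# audit_tree ROOT
# Prints "CLASS<TAB>PATH -> TARGET" for every symlink that is not "ok".
audit_tree() {
    at_root=${1%/}
    find "$at_root" -type l | LC_ALL=C sort | while IFS= read -r at_link; do
        at_class=$(classify_link "$at_root" "$at_link")
        [ "$at_class" = ok ] && continue
        printf '%s\t%s -> %s\n' "$at_class" "${at_link#"$at_root"/}" \
            "$(readlink "$at_link")"
    done
}

# make_demo_tree DIR
# Constructed sample laid out like router/gmp in the listings above.
make_demo_tree() {
    mkdir -p "$1/gmp/.libs"
    : > "$1/gmp/.libs/libgmp.so.10.3.1"
    ln -s libgmp.so.10.3.1 "$1/gmp/.libs/libgmp.so"          # in-tree, exists
    ln -s ../libgmp.la "$1/gmp/.libs/libgmp.la"              # in-tree, missing
    ln -s /usr/share/automake-1.15/test-driver "$1/gmp/test-driver"
    ln -s ../../host-INSTALL "$1/gmp/INSTALL"                # invented case
}

demo_dir=$(mktemp -d)
make_demo_tree "$demo_dir"
audit_tree "$demo_dir"
rm -rf "$demo_dir"
```

In a git checkout, `git ls-files -s` lists tracked symlinks as mode 120000 entries, the same mode that appears in the diff above.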
  6. Sean B.

    Sean B. LI Guru Member

    I was just about to post a patch, but you're already done. You're quick my friend.
     
    koitsu likes this.
  7. kille72

    kille72 LI Guru Member

    Can't sleep today... Thanks for being here too @koitsu & @Sean B. :)
     
  8. koitsu

    koitsu Network Guru Member

    Elfew, M_ars and kille72 like this.
  9. DLDKox

    DLDKox New Member Member

    My ip camera can not upload pictures to my ftp server. This is the router log.
    kern.notice kernel: nf_ct_ftp: dropping packetIN= OUT=vlan2 SRC=x.x.x.x DST=x.x.x.x LEN=65 TOS=0x10 PREC=0x00 TTL=63 ID=29416 DF PROTO=TCP SPT=2221 DPT=47712 SEQ=2486201204 ACK=3119633065 WINDOW=227 RES=0x00 ACK PSH URGP=0 OPT (0101080A1BFE8AB20028EDAE)
    What is the problem?
     
  10. Edrikk

    Edrikk Network Guru Member

    Out of curiosity, I set up and ran OpenVAS against my WAN IP to see how my internal and external views stack up.
    Tomato came out great, with only a minor item (2.6/10 severity):



    Summary
    The remote host implements TCP timestamps and therefore allows to compute the uptime.

    Vulnerability Detection Result
    It was detected that the host implements RFC1323.

    The following timestamps were retrieved with a delay of 1 seconds in-between:
    Packet 1: 55555195
    Packet 2: 55555311

    Impact
    A side effect of this feature is that the uptime of the remote host can sometimes be computed.

    Solution
    Solution type:
    Mitigation

    To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.

    To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled'

    Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled.

    The default behavior of the TCP/IP stack on this Systems is to not use the Timestamp options when initiating TCP connections, but use them if the TCP peer that is initiating communication includes them in their synchronize (SYN) segment.

    See also: http://www.microsoft.com/en-us/download/details.aspx?id=9152

    Affected Software/OS
    TCP/IPv4 implementations that implement RFC1323.

    Vulnerability Insight
    The remote host implements TCP timestamps, as defined by RFC1323.

    Vulnerability Detection Method
    Special IP packets are forged and sent with a little delay in between to the target IP. The responses are searched for a timestamps. If found, the timestamps are reported.
     
    kille72 likes this.
  11. koitsu

    koitsu Network Guru Member

    If you want to disable TCP timestamps on the router, you can do so by placing this in Scripts -> Init + run it once manually via CLI:

    Code:
    echo 0 > /proc/sys/net/ipv4/tcp_timestamps

    This impacts the entire IPv4 stack on the router itself. You really have to think hard about what all that encapsulates: traffic directed at the router itself (either LAN IP or WAN IP), or any traffic originating from the router itself. It does not affect traffic going between devices on the LAN (i.e. through the switch). I'm not sure about traffic being forwarded through the router (i.e. NAT'd traffic). I could go both ways on that one, but my inclination is to say it does not affect forwarded/NAT'd traffic given how the NAT implementation is done in Linux; tcpdump should be able to answer that one pretty quickly. (Let me know if you want me to check, it's not hard to do)

    Disabling TCP timestamps means you are making yourself susceptible to PAWS (protection against TCP sequence number wrapping) and more efficient RTTM (round-trip-time management). You really have to read the whole RFC to understand it, and even then it assumes you're generally a network administrator: https://tools.ietf.org/html/rfc1323

    I take issue with how these "results" are phrased. The wording implies that RFC1323 is bad, and that it's entirely about TCP timestamps -- that's wrong. RFC1323 is actually a very good thing, and has been for over 20 years!

    RFC1323 is about TCP performance, and contains two features, one of which is very relevant to high-speed downloads of large content. It contains support for TCP window scaling and TCP timestamps. Linux separates toggling of these two features (/proc/sys/net/ipv4/tcp_window_scaling for the former, /proc/sys/net/ipv4/tcp_timestamps for the latter).
     
  12. koitsu

    koitsu Network Guru Member

    It looks like this might not be enough:

    Code:
    .../release/src-rt-6.x.4708/router (shibby-arm) $ grep -r sdfdf .
    grep: ./gmp/.libs/libgmp.la: No such file or directory
    .../release/src-rt-6.x.4708/router (shibby-arm) $ ls -l gmp/.libs/
    total 783
    -rw-------    1 jdc       users       1692 27 Mar 18:35 assert.o
    -rw-------    1 jdc       users       1488 27 Mar 18:35 compat.o
    -rw-------    1 jdc       users       1740 27 Mar 18:35 errno.o
    -rw-------    1 jdc       users       1196 27 Mar 18:35 extract-dbl.o
    -rw-------    1 jdc       users       1024 27 Mar 18:35 invalid.o
    -rw-------    1 jdc       users     957940 27 Mar 18:35 libgmp.a
    lrwx------    1 jdc       users         12 27 Mar 18:35 libgmp.la -> ../libgmp.la
    -rw-------    1 jdc       users        932 27 Mar 18:35 libgmp.lai
    lrwx------    1 jdc       users         16 27 Mar 18:35 libgmp.so -> libgmp.so.10.3.1
    lrwx------    1 jdc       users         16 27 Mar 18:35 libgmp.so.10 -> libgmp.so.10.3.1
    -rwx------    1 jdc       users     403198 27 Mar 18:35 libgmp.so.10.3.1
    -rw-------    1 jdc       users       2580 27 Mar 18:35 memory.o
    -rw-------    1 jdc       users       1040 27 Mar 18:35 mp_bpl.o
    -rw-------    1 jdc       users        758 27 Mar 18:35 mp_clz_tab.o
    -rw-------    1 jdc       users       1366 27 Mar 18:35 mp_dv_tab.o
    -rw-------    1 jdc       users       1240 27 Mar 18:35 mp_get_fns.o
    -rw-------    1 jdc       users       1039 27 Mar 18:35 mp_minv_tab.o
    -rw-------    1 jdc       users       1404 27 Mar 18:35 mp_set_fns.o
    -rw-------    1 jdc       users       1980 27 Mar 18:35 nextprime.o
    -rw-------    1 jdc       users       2360 27 Mar 18:35 primesieve.o
    -rw-------    1 jdc       users       1448 27 Mar 18:35 tal-reent.o
    -rw-------    1 jdc       users       1028 27 Mar 18:35 version.o
    
    Correlates with: https://bitbucket.org/kille72/tomat...c-rt-6.x.4708/router/gmp/.libs/?at=shibby-arm

    If these come back every time you build gmp (very likely!), then keeping them out of the repository during a git commit is pretty easy. The trailing slash in the .gitignore entry is needed:

    Code:
    cd tomato-arm-kille72/release/src-rt-6.x.4708/router
    echo "gmp/.libs/" >> .gitignore
    chmod 644 .gitignore
    git rm -r --cached gmp
    git add gmp
    git add .gitignore
    git commit -am "Remove gmp/.libs from repo + add .gitignore"
    
     
    kille72 likes this.
  13. kille72

    kille72 LI Guru Member

    Done:
    https://bitbucket.org/kille72/tomat...36d8f200a9ef4b570903bb161b71eb0?at=shibby-arm

    Thank you!
     
  14. sesnut

    sesnut Network Newbie Member

    I don't actually know what the specific cause is or where to look, but if you disable WAN and use the router as an ethernet bridge and try to ping something from telnet it just returns as bad address.
    No setting in the GUI fixes this.
     
  15. Sean B.

    Sean B. LI Guru Member

    Ethernet bridge mode is simply a forwarding mechanism for whatever configuration is running on the AP you're connecting it to. If DNS is not working, it's a configuration error. Either with the network itself on the AP you're connecting it to, or settings used to configure the Tomato router for ethernet bridging. Not a bug/issue with the firmware.
     
    kille72 likes this.
  16. sesnut

    sesnut Network Newbie Member

    Did you actually try it? And the problem actually has to do with disabling WAN.
    It doesn't happen before version 2017.3
     
  17. Sean B.

    Sean B. LI Guru Member

    There's nothing to try, DNS services are not run on the router in Ethernet Bridge modes. However, I can attempt to assist you in determining what is not properly configured and preventing DNS traffic from crossing the bridge.

    By this comment:

    Are you telneting into the Tomato router and trying to ping? If so, telnet in and run:

    Code:
    cat /etc/resolv.conf
    cat /etc/dnsmasq.resolv
    ip route show
    iptables -t filter --list-rules
    iptables -t nat --list-rules

    and post the output please.

    What is your DNS configuration for the network? IE: Are you using local DNS? If so, what is the IP address for the DNS server?

    Have you tried running nslookup from the telnet shell and seeing what it does?

    If so, did you also try specifying a different server and seeing if there's any change? IE: " nslookup yahoo.com 8.8.8.8 "
     
  18. sesnut

    sesnut Network Newbie Member

    root@ASUSAC:/tmp/home/root# cat /etc/resolv.conf
    cat: can't open '/etc/resolv.conf': No such file or directory
    root@ASUSAC:/tmp/home/root# cat /etc/dnsmasq.resolv
    cat: can't open '/etc/dnsmasq.resolv': No such file or directory
    root@ASUSAC:/tmp/home/root# ip route show
    192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.7
    127.0.0.0/8 dev lo scope link
    default via 192.168.1.1 dev br0
    root@ASUSAC:/tmp/home/root# iptables -t filter --list-rules
    -P INPUT DROP
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N shlimit
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j shlimit
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i br0 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 7777 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
    -A shlimit -m recent --set --name shlimit --rsource
    -A shlimit -m recent --update --seconds 60 --hitcount 4 --name shlimit --rsource -j DROP
    root@ASUSAC:/tmp/home/root# iptables -t nat --list-rules
    -P PREROUTING ACCEPT
    -P INPUT ACCEPT
    -P OUTPUT ACCEPT
    -P POSTROUTING ACCEPT
    -N WANPREROUTING
     
  19. Sean B.

    Sean B. LI Guru Member

    DNS will fail. There is no server configured for local processes ( IE: ping ) to use for resolving DNS queries. Try this:

    Code:
    echo "nameserver 8.8.8.8" > /etc/resolv.conf
    nslookup yahoo.com
    ping yahoo.com
     
  20. sesnut

    sesnut Network Newbie Member

    root@ASUSAC:/tmp/etc# echo "nameserver 8.8.8.8" > /etc/resolv.conf
    root@ASUSAC:/tmp/etc# nslookup yahoo.com
    Server: 8.8.8.8
    Address 1: 8.8.8.8 google-public-dns-a.google.com
    Name: yahoo.com
    Address 1: 72.30.35.10 media-router-fp2.prod1.media.vip.bf1.yahoo.com
    Address 2: 72.30.35.9 media-router-fp1.prod1.media.vip.bf1.yahoo.com
    Address 3: 98.137.246.7 media-router-fp1.prod1.media.vip.gq1.yahoo.com
    Address 4: 98.138.219.231 media-router-fp1.prod1.media.vip.ne1.yahoo.com
    Address 5: 98.138.219.232 media-router-fp2.prod1.media.vip.ne1.yahoo.com
    Address 6: 98.137.246.8 media-router-fp2.prod1.media.vip.gq1.yahoo.com
     
  21. Sean B.

    Sean B. LI Guru Member

    Ping should now be working as well.

    **EDIT** To use local hostnames, you will need to use a local server. IE: if you want to ping desktop.your.domain or a shortname such as desktop

    Code:
    echo "nameserver X.X.X.X" > /etc/resolv.conf

    Where X.X.X.X is the IP address of your local DNS server.
     
  22. sesnut

    sesnut Network Newbie Member

    ok, but shouldn't all this be set when I check off the box that says use internal dns?
     
  23. Sean B.

    Sean B. LI Guru Member

    No. You have no internal DNS in Ethernet Bridge mode. Uncheck that option, and set the DNS server IP in Basic->Network Static DNS box.
     
  24. sesnut

    sesnut Network Newbie Member

    It's already set.
     
  25. Sean B.

    Sean B. LI Guru Member

    Uncheck "Use internal DNS".
     
  26. sesnut

    sesnut Network Newbie Member

    I unchecked it and rebooted, resolv.conf still isn't being created.
     
  27. Sean B.

    Sean B. LI Guru Member

    Hmm. Check the box for "Use user entered gateway if WAN is disabled" and save. Don't bother rebooting, just check for resolv.conf.
     
  28. sesnut

    sesnut Network Newbie Member

    still not there
     
  29. Sean B.

    Sean B. LI Guru Member

    For now, under Administration->Scripts firewall tab put:

    Code:
    echo "nameserver X.X.X.X" > /etc/resolv.conf

    Where X.X.X.X is the IP of your DNS server. Save and reboot. That should get you functional for the time being while I investigate.
     
  30. kille72

    kille72 LI Guru Member

  31. Sean B.

    Sean B. LI Guru Member

    Possibly stunnel:

    Code:
    Package: stunnel
    Version: 4.26-4
    Depends: uclibc-opt, openssl, zlib, psmisc
    Status: unknown ok not-installed
    Section: net
    Architecture: arm
    Maintainer: NSLU2 Linux <nslu2-linux@yahoogroups.com>
    MD5Sum: 7f2723b4f71afc40ae9a1ecf25d1dc07
    Size: 43982
    Filename: stunnel_4.26-4_arm.ipk
    Source: http://www.stunnel.org/download/stunnel/src/stunnel-4.26.tar.gz
    Description: SSL encryption wrapper for all kinds of servers
    Does both SSL an TLS.
     
  32. kille72

    kille72 LI Guru Member

    https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status
    They don't write anything about stunnel, why? Can stunnel do DNS over TLS? They write about getdns (Stubby), which is also available in Entware.
     
  33. Sean B.

    Sean B. LI Guru Member

    Stunnel is a wrapper, not a service program itself. You can run pretty much whatever you want through it. You just have to configure it with the proper settings.
     
    kille72 likes this.
  34. Sean B.

    Sean B. LI Guru Member

    @sesnut , when you have a chance would you telnet into your router and run:

    Code:
    cat /rom/etc/resolv.conf

    And post output please.
     
  35. sesnut

    sesnut Network Newbie Member

    root@ASUSAC:/tmp/home/root# cat /rom/etc/resolv.conf
    nameserver 127.0.0.1
     
  36. Sean B.

    Sean B. LI Guru Member

    Would you confirm under Advanced->DHCP/dns that the box for "Use internal DNS" is UNchecked please?
     
  37. sesnut

    sesnut Network Newbie Member

  38. Sean B.

    Sean B. LI Guru Member

    @sesnut , Uncheck "Use received DNS with user-entered DNS" . You cannot receive DNS servers from the WAN when WAN is disabled. Not sure if this will cause a problem, but it won't do good things if anything.
     
  39. koitsu

    koitsu Network Guru Member

    Regarding /etc/resolv.conf: this file is normally a symlink to /etc/resolv.dnsmasq. Tomato's own rc/init code, and thus service program as well, manipulates this. The code is in router/rc/services.c.

    Underlying C function stop_dnsmasq() will remove /etc/resolv.conf followed immediately by making a symlink that points /etc/resolv.conf --> /etc/resolv.dnsmasq.

    service dnsmasq stop calls stop_dnsmasq().

    Underlying C function start_dnsmasq() will set up /etc/dnsmasq.conf to contain the content resolv-file=/etc/resolv.dnsmasq and all the other fun bits that go into /etc/dnsmasq.conf. This is just for dnsmasq itself though. The system resolver and related C functions (ex. gethostbyname(), etc.) will still use /etc/resolv.conf like any normal OS; uClibc is responsible for that.

    service dnsmasq start calls dns_to_resolv() followed by start_dnsmasq().

    Underlying C function dns_to_resolv() writes content into /etc/resolv.dnsmasq. This specifically includes nameserver x.x.x.x lines, as well as the # dns for XXX entries that precede those. (Those comment lines, as I mentioned either in this thread or some other thread, are bad. There's no guarantee a system resolver will ignore those; it may try to parse them and fail).

    Underlying C function clear_resolv() does nothing but zero out /etc/resolv.dnsmasq (not /etc/resolv.conf). Code that calls clear_resolv() is as follows:

    - rc/services.c: the general routine stop_services() which is used by Tomato if "wanting to stop all services".
    - rc/services.c: if service stop wan is ever run.
    - rc/services.c: if service stop net is ever run.
    - rc/wan.c: the general routine stop_wan() which is used by Tomato if the WAN link is to be shut down -- also potentially used if no WAN link is configured (i.e. disabled)
    - rc/init.c: if SIGTERM is sent to Tomato's init process (to induce a reboot)

    The more I look through this code, the more I realise how MultiWAN created a horrible, horrible mess.
     
  40. Sean B.

    Sean B. LI Guru Member

    I believe there's a section based on the inverted match for do_dns that removes the symlink of /etc/resolv.conf->/etc/dnsmasq.resolv and recreates it as /etc/resolv.conf->/rom/etc/resolv.conf .. I'm so upside down in the damn MultiWAN code though I can't really say where it was at. But at this point I'm rather suspect of:

    Code:
    stop_dnsmasq();

    if (foreach_wif(1, NULL, is_wet)) return;
    
    And the few other conditionals that seem to sidestep DNS functions in rc/services.c based on wan# in combination with ethernet bridge mode.
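
The resolv.conf states that come up in posts 18, 35 and 39 (file missing, symlink to a zeroed resolv.dnsmasq, loopback-only nameserver) can be told apart with a small diagnostic. This is an added example, not code from the thread or from Tomato; the function names and the sample files are constructed, and the demo uses a relative symlink in a temporary directory instead of touching /etc.

```shell
#!/bin/sh
# Added example: report why name resolution for local processes (ping,
# nslookup) fails, based on the state of a resolv.conf-style file.

# resolv_state FILE -> prints one word:
#   missing        FILE does not exist
#   dangling       FILE is a symlink whose target does not exist
#   empty          FILE exists but has no nameserver line, e.g. a symlink to
#                  a resolv.dnsmasq that has been zeroed
#   loopback-only  every nameserver is 127.x or ::1, so lookups only work
#                  while a resolver such as dnsmasq listens on the router
#   ok             at least one non-loopback nameserver is listed
resolv_state() {
    rs_file=$1
    if [ -L "$rs_file" ] && [ ! -e "$rs_file" ]; then
        echo dangling
        return 0
    fi
    [ -e "$rs_file" ] || { echo missing; return 0; }
    # Comment lines such as "# dns for XXX" have "#" as their first field
    # and are therefore never counted as nameserver entries.
    rs_servers=$(awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$rs_file")
    [ -n "$rs_servers" ] || { echo empty; return 0; }
    for rs_s in $rs_servers; do
        case $rs_s in
            127.*|::1) ;;
            *) echo ok; return 0 ;;
        esac
    done
    echo loopback-only
}

# Constructed walk-through of the states, in a scratch directory.
resolv_demo() {
    rd=$(mktemp -d)
    mkdir -p "$rd/etc"
    rd_conf=$rd/etc/resolv.conf
    echo "no file yet:             $(resolv_state "$rd_conf")"
    ln -s resolv.dnsmasq "$rd_conf"
    echo "symlink, target absent:  $(resolv_state "$rd_conf")"
    : > "$rd/etc/resolv.dnsmasq"
    echo "target zeroed:           $(resolv_state "$rd_conf")"
    printf '# dns for XXX\nnameserver 192.168.1.1\n' > "$rd/etc/resolv.dnsmasq"
    echo "nameserver written:      $(resolv_state "$rd_conf")"
    echo 'nameserver 127.0.0.1' > "$rd/etc/resolv.dnsmasq"
    echo "loopback resolver only:  $(resolv_state "$rd_conf")"
    rm -rf "$rd"
}

resolv_demo
```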
     
  41. Cliffield

    Cliffield Network Newbie Member

    I use stubby for dns-over-tls with the following setup:

    Install stubby
    Code:
    opkg install stubby

    To start stubby automatically on boot
    Create /opt/etc/init.d/S10_Stubby with the following content:
    Code:
    #!/bin/sh
    
    ENABLED=yes
    PROCS=stubby
    ARGS="-g"
    PREARGS=""
    DESC=$PROCS
    PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    
    . /opt/etc/init.d/rc.func

    and chmod +x /opt/etc/init.d/S10_Stubby

    Under Advanced Settings - DHCP/DNS - Dnsmasq add:
    Code:
    server=127.0.0.1#5453
    no-resolv
    Configure stubby
    Here is my full config file (/opt/etc/stubby/stubby.yml):
    Code:
    #NOTE: See '/etc/stubby/stubby.yml.default' for original config file and descriptions
    
    resolution_type: GETDNS_RESOLUTION_STUB
    
    dns_transport_list:
      - GETDNS_TRANSPORT_TLS
    
    tls_authentication: GETDNS_AUTHENTICATION_NONE
    
    tls_query_padding_blocksize: 256
    
    edns_client_subnet_private : 1
    
    idle_timeout: 10000
    
    listen_addresses:
      - 127.0.0.1@5453
    #  -  0::1@5453
    
    round_robin_upstreams: 0
    
    upstream_recursive_servers:
    # Quad 9 IPv6
    #  - address_data: 2620:fe::fe
    #    tls_auth_name: "dns.quad9.net"
    # IPv4 addresses
    # The 1.1.1.1 Cloudflare Servers
      - address_data: 1.1.1.1
        tls_auth_name: "cloudflare-dns.com"
        tls_pubkey_pinset:
          - digest: "sha256"
            value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
      - address_data: 1.0.0.1
        tls_auth_name: "cloudflare-dns.com"
        tls_pubkey_pinset:
          - digest: "sha256"
            value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
    # Quad 9 Server
      - address_data: 9.9.9.9
        tls_auth_name: "dns.quad9.net"
    

    I made following changes to the default config:
    Under "dns_transport_list" I changed "GETDNS_AUTHENTICATION_REQUIRED" to "GETDNS_AUTHENTICATION_NONE" for opportunistic usage. I also added the Cloudflare DNS server.

    I am using opportunistic mode because I could not get strict mode working after a reboot, probably due to the wrong router date/time.

     
    Onee-chan and kille72 like this.
  42. koitsu

    koitsu Network Guru Member

  43. zokstar

    zokstar Network Newbie Member

    Just came across this! Thought Tomato was dead. Thank you for your hard work! I'll be sure to give it a go.
     
    kille72 likes this.
  44. kille72

    kille72 LI Guru Member

    Works very well, thanks! The only change I made is:

    1. Installed sudo, "opkg install sudo"
    2. Run stubby as nobody, like dnsmasq (comment if you don't think it's necessary):

    S10_Stubby:
    Code:
    #!/bin/sh
    
    ENABLED=yes
    PROCS=stubby
    ARGS="-g"
    PREARGS="sudo -u nobody"
    DESC=$PROCS
    PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    
    . /opt/etc/init.d/rc.func
     
    Last edited: Apr 5, 2018
  45. Magister

    Magister LI Guru Member

    IP monitoring (cstats) saving too often? I set them to save on a USB key, mounted at /mnt/data/stats/ every hour. But I connect via ssh to my router and doing a simple "ll" I can see the timestamp change every minute or so, meaning the info in .gz format are continuously saved.

    Is this a bug?

    I am running 2017.3, installed a few days ago with a clean erased NVRAM.
     
    kille72 likes this.
  46. kille72

    kille72 LI Guru Member

    Yes you are right! It is saved every 2 minutes, it's a bug. We will look at this.
     
  47. M_ars

    M_ars Network Guru Member

    Same problem on my side, changed cstats save location to RAM for now
    rstats is doing it right
     
  48. ruggerof

    ruggerof Network Guru Member

    The same with me on my AC68U running Tomato Firmware 1.28.0000 -136 K26ARM USB AIO-64K

    If it is a bug, it comes from a long time........
     
    M_ars and kille72 like this.
  49. RMerlin

    RMerlin Network Guru Member

    Try stopping then manually running cstats over SSH. If I remember correctly, it will send a lot of debug output over SSH (I just can't remember if that output is enabled by default or not - been a few years since I've worked on that code...)
     
  50. koitsu

    koitsu Network Guru Member

    I can help here.

    cstats is compiled with #define DEBUG_NOISY (per router/cstats/cstats.h), which means underlying _dprintf() calls will actually use cprintf() rather than a no-op (see router/shared/shared.h for that).

    cprintf() is in shared/shutils.c. Reminder: when reviewing router/shared/shutils.c, the #ifdef DEBUG_NOISY's you see here will always prove false (shutils.c isn't built with #define DEBUG_NOISY, cstats is).

    Thus, for cprintf() to output anything, one must control the behaviour using two NVRAM variables independent of one another. These two NVRAM variables default to 0:

    debug_cprintf -- set to 1 for cprintf output to go to the console (see: dmesg)
    debug_cprintf_file -- set to 1 for cprintf output to be written/appended to file /tmp/cprintf

    With regards to debug_cprintf_file: don't forget that /tmp is tmpfs (thus RAM), so don't let the file get too large. One could symlink /tmp/cprintf --> /opt/cprintf (assuming /opt is a filesystem on a USB stick, etc.) in advance of setting the NVRAM variable.

    P.S. -- Because it'll probably come up: get_uptime() is a function in shared/misc.c which is pretty easy to understand (see sysinfo(2) syscall for details):

    Code:
    long get_uptime(void)
    {
            struct sysinfo si;
            sysinfo(&si);
            return si.uptime;
    }
    
     
    kille72 likes this.
  51. koitsu

    koitsu Network Guru Member

    Skimming the cstats code -- wow, what a mess, I can't even get my brain around why half of this code even exists -- it looks like INTERVAL (per cstats.h) is set to 120. That's a "kind of" sleep interval in the main while(1) {} loop of the program.

    However, I think I may see the problem -- @RMerlin let me know what you think:

    There's a function called get_stime() that looks questionable, but it really depends on how it's used. I haven't sat down and fully debugged this code -- in a way, it's something you almost have to debug in real-time because of how complicated it is. Apologies for line numbers:

    Code:
     85 static int get_stime(void) {
     86 #ifdef DEBUG_STIME
     87         return 90;
     88 #else
     89         int t;
     90         t = nvram_get_int("cstats_stime");
     91         if (t < 1) t = 1;
     92                 else if (t > 8760) t = 8760;
     93         return t * SHOUR;
     94 #endif
     95 }
    
    Here's the rub: DEBUG_STIME is in fact defined per cstats.h, which means this function always returns a value of 90, rather than relying on the cstats_stime NVRAM variable multiplied by SHOUR (which is 60*60). cstats_stime is what's in Administration -> IP Traffic Monitoring -> Save Frequency. The NVRAM variable is an integer, representing the save interval in hours. The default is 48 (i.e. 172800 seconds).

    get_stime() is used in both the load() and calc() functions. calc() is used in main() as part of the whole while(1) loop.

    calc() can conditionally call save(0) based on some interval/conditionals based on timestamps. save() is what does the writing of data (to NVRAM, to disk, whatever). The argument of 0 means to actually write data out to disk in full, rather than just update /var/lib/misc/cstats-stime (don't ask me what that file is about; load() uses it too. Whatever).

    I have a feeling if this line was commented out in cstats.h, the problem would go away:

    Code:
    #define DEBUG_STIME
    
    Sounds easy, yes? Sure, but there might be a catch (I'm simply unsure at this point): I think people saving cstats data to JFFS, CIFS, or a custom path, may need to erase their old data. The GUI can do this through the Create New File checkbox (check it + click Save). Failure to do that might result in inaccurate cstats data -- again, I'm unsure, but my gut feeling is to do this.
     
    kille72 and M_ars like this.
  52. koitsu

    koitsu Network Guru Member

    I took the time to compare the cstats.h details to other Tomato branches. Here's what I've found:

    Toastman-ARM -- has DEBUG_STIME enabled: https://github.com/tomatofirmware/t...elease/src-rt-6.x.4708/router/cstats/cstats.h

    Toastman-ARM7 -- has DEBUG_STIME enabled: https://github.com/tomatofirmware/t...elease/src-rt-6.x.4708/router/cstats/cstats.h

    Toastman-RT-AC -- has DEBUG_STIME disabled: https://github.com/tomatofirmware/tomato/blob/Toastman-RT-AC/release/src/router/cstats/cstats.h

    Toastman-RT-N -- has DEBUG_STIME disabled: https://github.com/tomatofirmware/tomato/blob/Toastman-RT-N/release/src/router/cstats/cstats.h

    Toastman-NRT (I think this was his "WIP" branch of some sort) -- has DEBUG_STIME disabled: https://github.com/tomatofirmware/tomato/blob/Toastman-NRT/release/src/router/cstats/cstats.h

    So when did things change? Between MIPS and ARM? If so, why and by whom? git blame can help. Looking at Toastman-ARM:

    https://github.com/tomatofirmware/t...elease/src-rt-6.x.4708/router/cstats/cstats.h
    Code:
    .../src-rt-6.x.4708/router/cstats (Toastman-ARM) $ git blame cstats.h
    ...
    caa9070ef7f release/src-rt-6.x.4708/router/cstats/cstats.h (Shibby 2014-11-19 13:44:19 +0100 22) #define DEBUG_CSTATS
    caa9070ef7f release/src-rt-6.x.4708/router/cstats/cstats.h (Shibby 2014-11-19 13:44:19 +0100 23) #define DEBUG_NOISY
    caa9070ef7f release/src-rt-6.x.4708/router/cstats/cstats.h (Shibby 2014-11-19 13:44:19 +0100 24) #define DEBUG_STIME
    ...
    
    Okay, so let's look at the history:

    Code:
    .../src-rt-6.x.4708/router/cstats (Toastman-ARM) $ git log caa9070ef7f
    commit caa9070ef7febff3fb4f49defa7f9ddf81622f58
    Author: Shibby <shibby@openlinksys.info>
    Date:   Wed Nov 19 13:44:19 2014 +0100
    
        fix iptraffic
    
    commit 13ad5b2b5b63aeaba6142a74ee27a03bd5dbcc78
    Author: Shibby <shibby@openlinksys.info>
    Date:   Mon Nov 17 10:56:58 2014 +0100
    
        OpenVPN: update to 2.3.5
    
    
    Let's see what Shibby changed about 3 years ago: https://github.com/tomatofirmware/tomato/commit/caa9070ef7febff3fb4f49defa7f9ddf81622f58

    Yup, it looks like while "fixing iptraffic", he enabled DEBUG_STIME -- probably as part of his debugging efforts -- but then forgot to revert that before committing.

    Anyone who imported this work (ex. Toastman and probably everyone else) would be impacted by this as well.

    Sigh.

    While looking at this, I saw DEBUG_CSTATS as well and tried to figure out if that should be enabled or disabled. This is bleh to talk about:

    The Node_print() and Node_printer() functions both write directly to a passed filehandle.

    Tree_info() uses _dprintf/cprintf (see post #1750 for details), but it also uses TREE_FORWARD_APPLY() (probably a macro) which would run Node_printer(). One of the arguments to TREE_FORWARD_APPLY() is stdout, which implies the filehandle/stream is stdout -- but I haven't checked. Tree_info() also has some _dprintf/cprintf calls. In other words: you can't get TREE_FORWARD_APPLY() to use _dprintf/cprintf.

    Tree_info() is used within calc() -- but only if DEBUG_CSTATS is enabled.

    So my guess is that by leaving DEBUG_CSTATS enabled, cstats is probably outputting a bunch of debugging info to stdout, which is /dev/null but is still wasting CPU time presumably iterating over a linked list or binary tree of data + dumping it. I could see this becoming a problem on a network with a lot of network I/O, especially if there are a large number of clients.

    That said: cstats debugging is helpful -- IP Traffic Monitor has historically been a source of problems for a lot of people. Disabling the debugging capability at compile-time has the downside that it makes it hard for developers to assist users in debugging it. So...

    I think maybe a better approach would be to make cstats have a command-line flag that enables debugging, ex. -d, rather than it being done at compile-time. That way, by default the daemon would not run with debugging enabled, but it could be manually killed + rerun with -d for troubleshooting. Code to do that is not hard to implement (I could probably throw it together this weekend).
     
    user17600, Elfew and kille72 like this.
  53. Magister

    Magister LI Guru Member

    As always, thanks for the great debugging! 3 years *sigh* I hope people were not saving to nvram / jffs...
    I'm glad to have reported the bug
     
    koitsu likes this.
  54. RMerlin

    RMerlin Network Guru Member

    I spent a lot of time debugging rstats and cstats about 3-4 years ago. I know some of my fixes made it to Tomato at the time (and other devs provided further fixes on top of that after that).

    The worst to debug was cstats. Its use of those datatree macros to manipulate and store the data... This is horrible. Felt like the dev wanted to experiment with something new and shiny for no good reason, leaving the code far more difficult to debug when trying to track down data inconsistencies. Even an sqlite db would have made more sense.

    Let's say that I was more than happy to move on to other portions of the code once I was done messing with it.

    If you want more code to compare, here's mine.

    Legacy code (up until 380.70):
    https://github.com/RMerl/asuswrt-merlin/commits/master/release/src/router/cstats

    Current code (its continuation):
    https://github.com/RMerl/asuswrt-merlin.ng/commits/master/release/src/router/cstats

    I suspect at a quick glance that this was a debug change by Shibby that accidentally made it to the repo, breaking things at the time. I don't have that debug define enabled on my own repo.
     
    kille72 likes this.
  55. KyleS

    KyleS LI Guru Member

  56. koitsu

    koitsu Network Guru Member

    Thanks for the AsusWRT-Merlin links as a comparison base. The differences vs. Tomato ARM aren't too bad (I get the gist of all of them). The big/relevant part is that DEBUG_CSTATS, DEBUG_NOISY, and DEBUG_STIME are all commented out. I too think Shibby accidentally left this stuff in when working on caa9070. The one that's doing excessive I/O I'm fairly sure is DEBUG_STIME.

    I've pretty much finished my version for kille72 (including doing a proper branch/fork + pull request on Bitbucket), just working on getting a build box/VM building the firmware correctly. *grumbles angrily* :)
     
    Elfew, kille72 and M_ars like this.
  57. someburner

    someburner New Member Member

    If you're running Ubuntu (or maybe Windows with subsystem), you should look into LXD. For Ubuntu it's as easy as sudo su + snap install lxd --devmode. 10x faster than "real" VMs such as VirtualBox, with a minuscule memory footprint. My entire container with all the buildtools installed + my fork of kille72's build compresses to a 5GB tarball. And that can be uploaded/copied onto any x86_64 machine (that is also running lxd). I've tested this actually and it works like a charm. I back up snapshots of my build image via lxd copy <mycontainer>/<mysnapshot> remote:newcontainer.

    I'm working on a script so that anyone can build the firmware from scratch, reliably, using this method, but not quite there yet. But since you mentioned your frustration I had to comment since running on my main Ubuntu was far too risky and vbox was a resource hog/overkill, and docker.. I just don't like docker/lxd is better. This made all the difference for me because I was about to give up on Tomato firmware until I figured this out.

    Also, I've been a lurker for a long time and your posts have helped me numerous times now. If you're interested I could help you get set up. It also works on servers BTW as no GUI is necessary. I've uploaded my builds to vultr boxes and it also works the same.
     
    Wizardknight and rs232 like this.
  58. koitsu

    koitsu Network Guru Member

  59. M_ars

    M_ars Network Guru Member

    oooohhhh no - so if all debug variables are active (DEBUG_CSTATS, DEBUG_NOISY, and DEBUG_STIME) , it is maybe the best to turn off cstats until the next release
     
  60. koitsu

    koitsu Network Guru Member

    The easy/short fix I went with for cstats: https://bitbucket.org/koitsu2018/tomato-arm-kille72/commits/e4cff6554d370e7738217fa4cc3f8fc62fd7f5c6 -- this one should be imported into kille72 for sure. I believe it will solve the problem described in post #1745 (cstats not honouring Save Frequency in GUI).

    I also did a minor update to README.md that includes mention of the AC56R (same as AC56U), and a minor Markdown fixup: https://bitbucket.org/koitsu2018/tomato-arm-kille72/commits/aca7a8c740b9a90e8d1f841ebb3c9b16b8ff3962

    As for making cstats debuggable at runtime...

    I made a separate branch for that (cstats-debug-runtime). I do not recommend importing this because it's more of a "wouldn't this be nice?" thing and changes the code a lot, plus the binary grows by about 3.8KBytes (I could probably get this down by not using getopt_long(3) + removing the usage syntax). For those wondering what that looks like, here you go: https://bitbucket.org/koitsu2018/to...17dba0f9893a53d9dfa59?at=cstats-debug-runtime
     
    kille72, Elfew and M_ars like this.
  61. kille72

    kille72 LI Guru Member

    I can confirm that the cstats fix works (±62 minutes). Thanks @koitsu!

    Code:
    # nvram show |grep stime
    rstats_stime=1
    cstats_stime=1
    Code:
    root@Asus:/nas/log# date
    Sat Apr  7 16:20:41 CEST 2018
    root@Asus:/nas/log# ls -la
    drwxr-xr-x    2 root     root          4096 Apr  7 16:17 .
    drwxr-xr-x    9 root     root          4096 Dec 10 17:41 ..
    -rw-r--r--    1 root     root         21044 Apr  7 15:27 tomato_cstats_xxxxxxxxxxxx.gz
    -rw-r--r--    1 root     root           297 Apr  7 15:27 tomato_rstats_xxxxxxxxxxxx.gz
    root@Asus:/nas/log# date
    Sat Apr  7 16:37:04 CEST 2018
    root@Asus:/nas/log# ls -la
    drwxr-xr-x    2 root     root          4096 Apr  7 16:29 .
    drwxr-xr-x    9 root     root          4096 Dec 10 17:41 ..
    -rw-r--r--    1 root     root           399 Apr  7 16:22 messages
    -rw-r--r--    1 root     root         21484 Apr  7 16:29 tomato_cstats_xxxxxxxxxxxx.gz
    -rw-r--r--    1 root     root           298 Apr  7 16:29 tomato_rstats_xxxxxxxxxxxx.gz
     
    Last edited: Apr 7, 2018
    Elfew likes this.
  62. CBR900

    CBR900 Network Guru Member

    Hi
    When to expect to have this fix in a new release?
    thx
     
  63. kille72

    kille72 LI Guru Member

    It may be one more beta version before 2018.1 final, maybe next week, @pedro311, @AndreDVJ and @koitsu will surely come with more fixes ;)
     
    pedro311, The Master, CBR900 and 3 others like this.
  64. Onee-chan

    Onee-chan Network Newbie Member

    Can you fix the Rule section in QoS View Details? It does not show the number of the rules.

    Suggestion
    I would like to have support added for the Cake shaper (https://www.bufferbloat.net/projects/codel/wiki/Cake/). This shaper is working well for me with Smart Queue Management on LEDE 17.01 to eliminate bufferbloat (https://www.bufferbloat.net/projects/) and fairly share bandwidth per LAN IP address rather than per connection. I have "dual-dsthost nat" set for the ingress queueing discipline and "dual-srchost nat" set for the egress queueing discipline.



    sch_cake kernel module:
    https://github.com/dtaht/sch_cake



    Patch to add cake support to iproute2:
    https://raw.githubusercontent.com/l...ils/iproute2/patches/950-add-cake-to-tc.patch



    QoS scripts:
    https://github.com/tohojo/sqm-scripts/blob/master/src/layer_cake.qos

    https://github.com/tohojo/sqm-scripts/blob/master/src/piece_of_cake.qos



    Documentation for iproute2 cake support in tc command:
    https://github.com/dtaht/tc-adv/blob/master/man/man8/tc-cake.8



    Cake is substantially faster for bandwidth shaping per instruction than htb+fq_codel due to htb being very heavy, while the integrated shaper inside cake is very fast.
    https://www.bufferbloat.net/projects/codel/wiki/CakeTechnical/


    ....................
    Usage (Cake):
    HTML version of Cake's man page HERE you can refer to for descriptions of Cake's parameters:
    https://dl.lochnair.net/Bufferbloat/Cake/tc-cake.8.html

    @pedro311, @AndreDVJ, @koitsu, @Sean B., @RMerlin and @kille72
     
    Last edited: Apr 8, 2018
    Testing, txnative and Elfew like this.
  65. koitsu

    koitsu Network Guru Member

    The lack of Rule Number is a thing that has been discussed before. I just can't find the thread/post. It's somewhere. Or maybe Toastman sent me a PM about it some time ago. I don't remember. But I know it's come up before. Problem is all that code pertaining to said details is incredibly hairy.

    Edit: I found it. It's in a PM between Toastman and I from January 2017. I did some extensive debugging on it in the PM. In Toastman's reply, he referenced some commits and PMs with someone named Tvlz, as well as a potential explanation. I cannot in good faith post an entire PM conversation publicly without Toastman's approval, and he's been gone/MIA for some time now. I know this sounds like a cop-out, but it's about proper netiquette. I can of course post what I wrote, but not what he wrote.

    I've included the brunt of my analysis from that PM session below.

    ========================================

    You mentioned to me in a different PM the following:

    I'm looking into that presently. However, I think I'm going to have problems testing/reproducing this:

    I do not understand QoS implementation very well (I don't use it)

    My RT-AC56U (192.168.1.22) for development is hooked up via LAN port to my main router also on a LAN port. WAN on the RT-AC56U is therefore disabled/not used. Default gateway on RT-AC56U is 192.168.1.1 (main router), so it can talk to the Internet. It's basically just like a normal PC on the LAN, duh.

    What I did was enable QoS on the RT-AC56U, then made a rule for ICMP traffic, moved it to rule #1, and issued a ping from the RT-AC56U to 4.2.2.1. The traffic shows up under View Details, but it's labelled "Unclassified", which makes me think that the QoS bits only work correctly/apply to the actual WAN interface. This would make sense, but I need someone familiar with QoS to tell me if that's the case. If so, it makes troubleshooting this difficult for me.

    You don't have to worry about anything I say below this line. :) Answering the above is sufficient. The below is just the research I've done so far.

    JavaScript once again will be the bane of my existence, it's like the code never ends. The way the View Details page gets the data for its table is by doing a POST to update.cgi with arguments exec=ctdata&arg0=XXX where XXX is an integer representing the class (or something; I see it as arg0=-1 which might mean "any/all classes").

    What this returns is a multi-dimensional JavaScript array called ctdump like so:

    Code:
    ctdump = [ [2,596,'224.0.0.1','0.0.0.0','','','','',0,0],[1,29,'192.168.1.22','4.2.2.1','','','','',0,0]];
    
    The function that generates this data is asp_ctdata() in router/httpd/ctnf.c. The source data for this comes from reading /proc/net/nf_conntrack and parsing the data there. This is the netfilter/iptables conntrack module, which basically "keeps track" of all the packet flows going on (including NAT bits). I'm talking about Linux 2.6 here (I don't care about 2.4 at this point). Here's an example:

    Code:
    root@unknown:/tmp/home/root# cat /proc/net/nf_conntrack
    ipv4     2 udp      17 21 src=192.168.1.50 dst=192.168.1.255 sport=138 dport=138 [UNREPLIED] src=192.168.1.255 dst=192.168.1.50 sport=138 dport=138 mark=0 use=2
    ipv4     2 tcp      6 299 ESTABLISHED src=192.168.1.51 dst=192.168.1.22 sport=54092 dport=23 src=192.168.1.22 dst=192.168.1.51 sport=23 dport=54092 [ASSURED] mark=0 use=2
    ipv4     2 icmp     1 29 src=192.168.1.22 dst=4.2.2.2 type=8 code=0 id=53256 src=4.2.2.2 dst=192.168.1.22 type=0 code=0 id=53256 mark=0 use=2
    ipv4     2 unknown  2 523 src=0.0.0.0 dst=224.0.0.1 [UNREPLIED] src=224.0.0.1 dst=0.0.0.0 mark=0 use=2
    ipv4     2 udp      17 0 src=192.168.1.50 dst=255.255.255.255 sport=17500 dport=17500 [UNREPLIED] src=255.255.255.255 dst=192.168.1.50 sport=17500 dport=17500 mark=0 use=2
    ipv4     2 udp      17 0 src=192.168.1.50 dst=192.168.1.255 sport=17500 dport=17500 [UNREPLIED] src=192.168.1.255 dst=192.168.1.50 sport=17500 dport=17500 mark=0 use=2
    
    nf_conntrack actually has a "variable number of arguments" depending on all sorts of fun stuff, including what modules or features you're using, including some stuff you can turn on/off in /proc. Notice how the ICMP entry has extra fields like type=X, code=X, id=X, compared to the others? Yeah, lots of fun parsing all this (not!).

    So, the ctdump array has data in the following format -- I'll focus on the 2nd data entry {in the ctdump JS array} I listed above:
    Code:
    1,                // Network protocol (1=ICMP, 6=TCP, 17=UDP, etc.)
    29,               // Time (internal expiry by nf_conntrack)
    '192.168.1.22',   // src or dst (depends on direction)
    '4.2.2.1',        // src or dst (depends on direction)
    '',               // src port or dst port (depends on direction)
    '',               // src port or dst port (depends on direction)
    '',               // bytes in or bytes out (depends on direction)
    '',               // bytes in or bytes out (depends on direction)
    0,                // mark # (a.k.a "class")
    0                 // rule #
    
    The bytes in/out are only present if one has /proc/sys/net/netfilter/nf_conntrack_acct set to 1. Reference: http://serverfault.com/questions/540760/what-does-nf-conntrack-acct-really-do -- and Tomato's code only parses/cares about this for TCP and UDP packets.

    Back in JavaScript land (i.e. GUI), if the rule number is 0, it prints nothing (empty cell). This is done in the weird grid.dataToView = function(data) method.

    I'd rather not explain it, but I will say this: the best part about this code is how the JavaScript array passed in uses different offsets/indexes than what's in ctdump. Example: in ctdump array, index 8 is mark # (class) and index 9 is rule # -- but the data is manipulated before grid.dataToView is used, so in that context, mark #/class is index 5, and rule # is index 6. No confusion whatsoever! Sigh.

    So given all this info, we then ask: why is the rule number 0? How is this rule number calculated?

    The answer is in ctnf.c when it generates the ctdump array. We have this code:

    Code:
    findmark = atoi(argv[0]);
    ...
                    if ((p = strstr(s, " mark=")) == NULL) continue;
                    mark = atoi(p + 6);
                    rule = (mark >> 20) & 0xFF;
                    if ((mark &= 0xFF) > 10) mark = 0;
                    if ((findmark != -1) && (mark != findmark)) continue;
    
    In English:

    Assign variable findmark to the integer value of the first entry in the argv[] array passed to the asp_ctdump() function. I think this is what arg0=-1 would represent, e.g. argv[0] would be -1 in that case. I believe this is the "per class" filter/limiter (and can save CPU).

    Now, when reading each line of /proc/net/nf_conntrack:

    If the line doesn't contain the string " mark=" (space followed by mark=), then move to the next line of nf_conntrack. Otherwise:

    Assign variable mark the integer value shown after the equals (ex. if mark=12345 then the variable mark will contain 12345). mark is a signed integer (32-bit), so values can range from -2147483648 to 2147483647. I get the impression mark is probably an "encoded" number of some sort (based on the next line of code).

    Assign variable rule the value of mark/1048576 (mark >> 20 shifts the value 20 bits to the right, which is the same as a division operator; 2^20 = 1048576), and limits the value to 0-255 (that's what the AND operation & 0xFF does).

    Now modify the mark variable to be between 0-255 (same method), and if the value is > 10, then assign mark = 0. I don't know what this is about. No clue what's special about 10 or higher.

    Finally, if findmark isn't -1 and mark doesn't equal findmark, then move to the next line of nf_conntrack.

    So what's all this tell us?

    It tells us that to fully analyse the situation, there have to be lines in /proc/net/nf_conntrack that have mark=XXX in them. That's how the "rule" is calculated, which then gets fed all the way back into the GUI in some manner. I haven't looked at the JS for that yet, but I'd bet money it correlates it somehow.

    The thing about "marked" packets: I only know this as something that pertains to netfilter/iptables, but Linux has several places where this "marking" can be done. I've seen it mentioned in ip route ("fwmark" I think it's called), as well as in iptables. iptables bits (if relevant, not sure!): http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html

    So to further analyse this, I really do need to have some kind of way to utilise QoS given my above test topology.
     
    Last edited: Apr 8, 2018
    Testing and Elfew like this.
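The mark decoding walked through in the post above, as an added example that is not part of the original post and is not Tomato's ctnf.c: it reads nf_conntrack-style lines, pulls out the mark= field, splits it into rule number and class, and applies the same class filter. The struct and function names, the use of strtoul() in place of atoi(), and every sample line except the ICMP entry quoted in the post are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Rule number and class packed into a conntrack mark, per the layout in the
 * post above: rule in bits 20-27, class in bits 0-7 (values above 10 become 0).
 * The struct and function names are hypothetical, not Tomato's. */
struct ct_mark {
    int rule;
    int cls;
};

/* Constructed sample input. The first line is the ICMP entry quoted in the
 * post (mark=0); the other three are made up for this example. */
static const char SAMPLE[] =
    "ipv4     2 icmp     1 29 src=192.168.1.22 dst=4.2.2.2 type=8 code=0 id=53256 "
    "src=4.2.2.2 dst=192.168.1.22 type=0 code=0 id=53256 mark=0 use=2\n"
    "ipv4     2 tcp      6 299 ESTABLISHED src=192.168.1.51 dst=203.0.113.7 sport=54092 dport=443 "
    "src=203.0.113.7 dst=192.168.1.51 sport=443 dport=54092 [ASSURED] mark=3145730 use=2\n"
    "ipv4     2 udp      17 21 src=192.168.1.50 dst=203.0.113.9 sport=5353 dport=53 "
    "src=203.0.113.9 dst=192.168.1.50 sport=53 dport=5353 mark=1048587 use=2\n"
    "ipv4     2 udp      17 0 src=192.168.1.50 dst=192.168.1.255 sport=138 dport=138 "
    "[UNREPLIED] src=192.168.1.255 dst=192.168.1.50 sport=138 dport=138 use=2\n";

/* Decode one conntrack line. Returns 1 and fills *out when the line carries a
 * numeric " mark=" field, 0 otherwise (such lines are skipped, as in the post). */
static int decode_ct_line(const char *line, struct ct_mark *out)
{
    const char *p = strstr(line, " mark=");
    unsigned long raw;

    if (p == NULL)
        return 0;
    p += 6;                               /* skip " mark=" */
    if (*p < '0' || *p > '9')
        return 0;                         /* field present but not a number */
    raw = strtoul(p, NULL, 10);           /* assumption: strtoul, not atoi, so a
                                             large mark cannot overflow an int */
    out->rule = (int)((raw >> 20) & 0xFF);
    out->cls = (int)(raw & 0xFF);
    if (out->cls > 10)
        out->cls = 0;                     /* same clamp as the quoted code */
    return 1;
}

/* Walk a whole dump. findmark == -1 keeps every class; any other value keeps
 * only entries of that class. Returns the number of entries written to out. */
static int decode_ct_dump(const char *text, int findmark,
                          struct ct_mark *out, int max)
{
    char line[1024];
    int n = 0;

    while (*text != '\0' && n < max) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        struct ct_mark m;

        if (len < sizeof(line)) {         /* over-long lines are skipped */
            memcpy(line, text, len);
            line[len] = '\0';
            if (decode_ct_line(line, &m) &&
                (findmark == -1 || m.cls == findmark))
                out[n++] = m;
        }
        text += len + (nl ? 1 : 0);
    }
    return n;
}

int main(void)
{
    struct ct_mark v[8];
    int i, n = decode_ct_dump(SAMPLE, -1, v, 8);

    for (i = 0; i < n; i++)
        printf("entry %d: class=%d rule=%d\n", i, v[i].cls, v[i].rule);
    return 0;
}
```

An entry whose mark is 0, like the ICMP line from the post, decodes to rule 0, which is the value the GUI renders as an empty Rule cell.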
  66. AndreDVJ

    AndreDVJ LI Guru Member

    The more I look into the missing rule number, the more confused I get. Not to mention I'm no good with iptables.

    The quick fix:
    Code:
    iptables -t mangle -D OUTPUT -o vlan2 -m connmark ! --mark 0 -j CONNMARK --save-mark
    iptables -t mangle -D FORWARD -o vlan2 -m connmark ! --mark 0 -j CONNMARK --save-mark
    ip6tables -t mangle -D OUTPUT -o vlan2 -m connmark ! --mark 0 -j CONNMARK --save-mark
    ip6tables -t mangle -D FORWARD -o vlan2 -m connmark ! --mark 0 -j CONNMARK --save-mark
    I seriously need to actually learn iptables. So deleting stuff from the mangle table makes it work.

    What I understand so far, is that these rules are added by qos.
    Code:
        ipt_write(
            "-A FORWARD -o %s -j QOSO\n"
            "-A OUTPUT -o %s -j QOSO\n"
            "-A FORWARD -o %s -m connmark ! --mark 0 -j CONNMARK --save-mark\n"
            "-A OUTPUT -o %s -m connmark ! --mark 0 -j CONNMARK --save-mark\n",
            qface, qface, qface, qface);
    But I don't understand the purpose of this at all.
     
    Last edited: Apr 8, 2018
    Testing and Elfew like this.
  67. tvlz

    tvlz LI Guru Member

    Here are the links that were mentioned.
    http://www.linksysinfo.org/index.php?threads/qos-view-details-missing-rule-number.73969/#post-293624
    http://linksysinfo.org/index.php?threads/tomato-for-arm-routers.69719/page-20#post-266955

    The purpose:
    As the first new connection packet passes thru the QOS chain it hits the --restore mark rule (nothing to restore), so it continues down the chain until it finds a qos rule that applies to it (and always gets a rule # for the GUI to display), then with the --save-mark rule the mark gets saved for the next packet.

    The next connection packet (+ all others in that connection) comes along and passes thru the QOS chain, where it hits the --restore mark rule; this time it finds that a saved mark exists, and it is restored, stopping the packet from continuing down the QOS chain and not getting a rule # for the GUI to display.

    When those QOS iptable rules are removed the packets always pass thru the QOS chain getting rule # for the GUI to display.
     
  68. Onee-chan

    Onee-chan Network Newbie Member

    That's great! @tvlz, @AndreDVJ, @koitsu and @kille72
    I hope you add this fix in the next beta.

    And I hope that maybe you will try my suggestion about Cake.
    I would like to have support added for the Cake shaper (https://www.bufferbloat.net/projects/codel/wiki/Cake/). This shaper is working well for me with Smart Queue Management on LEDE 17.01 to eliminate bufferbloat (https://www.bufferbloat.net/projects/) and fairly share bandwidth per LAN IP address rather than per connection. I have "dual-dsthost nat" set for the ingress queueing discipline and "dual-srchost nat" set for the egress queueing discipline.



    sch_cake kernel module:
    https://github.com/dtaht/sch_cake



    Patch to add cake support to iproute2:
    https://raw.githubusercontent.com/l...ils/iproute2/patches/950-add-cake-to-tc.patch



    QoS scripts:
    https://github.com/tohojo/sqm-scripts/blob/master/src/layer_cake.qos

    https://github.com/tohojo/sqm-scripts/blob/master/src/piece_of_cake.qos



    Documentation for iproute2 cake support in tc command:
    https://github.com/dtaht/tc-adv/blob/master/man/man8/tc-cake.8



    Cake is substantially faster for bandwidth shaping per instruction than htb+fq_codel due to htb being very heavy, while the integrated shaper inside cake is very fast.
    https://www.bufferbloat.net/projects/codel/wiki/CakeTechnical/


    ....................
    Usage (Cake):
    HTML version of Cake's man page HERE you can refer to for descriptions of Cake's parameters:
    https://dl.lochnair.net/Bufferbloat/Cake/tc-cake.8.html


     
    Last edited: Apr 9, 2018
  69. Nathan Ellsworth

    Nathan Ellsworth Reformed Router Member

    Perhaps I missed some announcement, but I want to thank and welcome @koitsu back to these threads. Retirement was too boring? Never found a fun-enough router replacement?

    :):)
     
  70. Nathan Ellsworth

    Nathan Ellsworth Reformed Router Member

    Speaking of resolv.dnsmasq, I reported an issue with kille72's (hey, new name, Fresh Tomato!) build wherein that file is NOT created when no WAN interfaces exist at all, making local name resolution difficult when Tomato is just being used as an access point. Following the commit history, this "bug" was introduced by d3c6a87

    resolv.dnsmasq issue

    I get around this "feature" by creating a resolv.dnsmasq pointing to my main router in my Admin/Scripts/Init.

    There have been no comments or action taken on this issue so far. Anything I can do to help?

    Thanks
     
    maurer, koitsu and Aardvark like this.
  71. Sean B.

    Sean B. LI Guru Member

    http://linksysinfo.org/index.php?th...roblem-dhcp-clients-get-no-dns-servers.74095/
     
  72. koitsu

    koitsu Network Guru Member

    For the issue in post #1770 / #1771 -- is the concern that software on the router itself cannot do DNS lookups (this is a legitimate concern, depending on what you run/do on the router), or is the concern that dnsmasq isn't delegating DNS servers to DHCP clients (i.e. DHCP clients get an IP but no DNS servers)?

    If it's the former: the workaround would be to do exactly what you do in Scripts/Init. I see no harm in this (as a workaround), but agree it should be fixed properly in code if possible.

    If it's the latter: the workaround is to do what I did in post #14 there: http://linksysinfo.org/index.php?th...clients-get-no-dns-servers.74095/#post-295738
     
  73. Nathan Ellsworth

    Nathan Ellsworth Reformed Router Member

    It is definitely the former case. As an AP only, not serving DHCP.

    Thanks

    PS: My setup is actually one main AC56R as a router doing DHCP & DNS but not doing Wifi plus several other ARM-based ethernet-connected "routers" acting as WiFi access points (no WAN configured, no DHCP). All are running latest production Tomato Firmware 1.28.0000 -2017.3-kille72- K26ARM USB AIO-64K. Without the above fix, these APs cannot resolve any names, local or Internet-based, for doing things like ping tests, traceroutes, Entware updates, etc.
     
    maurer and koitsu like this.
  74. koitsu

    koitsu Network Guru Member

    Yeah, your setup is a good/proper way to essentially do "pure AP" (effectively using no-WAN routers as range extenders in a manner of speaking), and the fact that your router itself needs DNS (queries through which are done over the LAN) is 100% legit. Your workaround is correct as well. Thumbs up :)
     
    Nathan Ellsworth likes this.
  75. tvlz

    tvlz LI Guru Member

    Cake (and anything more recent than 5 years?) is a NO GO, the Linux kernel is too old (2.6.36.4 ARM, 2.6.22 MIPS).
    Before you ask, NO, IT CAN'T be upgraded to a more recent kernel.
     
  76. KyleS

    KyleS LI Guru Member

    I mean, anyone could do what I did with codel/fq_codel.... people were saying the same thing about that.

    Re: the GUI breakage, wouldn't it be better to fix the GUI than remove the throughput optimization? Just a thought. I'd do it but my Linux VM doesn't exist anymore.

    EDIT: read the lineage, it sounds like the saves or restores on the marks have an incomplete mask.

    Edit2:
    Code:
    -A PREROUTING -i vlan2 -j CONNMARK --restore-mark --nfmask 0xff --ctmask 0xff
    -A PREROUTING -i vlan2 -j RETURN
    -A PREROUTING -d 10.24.96.0/24 -i vlan2 -j DROP
    -A PREROUTING -d 10.100.200.0/22 -i vlan2 -j DROP
    -A PREROUTING -d 10.24.80.0/24 -i vlan2 -j DROP
    -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    -A FORWARD -o vlan2 -j QOSO
    -A FORWARD -o vlan2 -m connmark ! --mark 0x0 -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
    -A OUTPUT -o vlan2 -j QOSO
    -A OUTPUT -o vlan2 -m connmark ! --mark 0x0 -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
    -A QOSO -j CONNMARK --restore-mark --nfmask 0xff --ctmask 0xff
    -A QOSO -m connmark ! --mark 0x0/0xf00 -j RETURN
    -A QOSO -m connmark ! --mark 0x0/0xff000 -j QOSSIZE
    Yup, if someone adds the remaining bits all will be well. I think this is from shibby? maybe?
     
    Last edited: Apr 14, 2018
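
The mask arithmetic behind the rule listing in the post above, as an added example that is not part of any post or of the firmware's code. It assumes upstream xt_CONNMARK semantics and a packet that arrives with mark 0, uses a constructed connmark value, and does not model the QoS classification rules, which the thread does not show.

```python
# Added example: mask arithmetic of the CONNMARK rules in the listing above.
# Assumption: upstream xt_CONNMARK (revision 1) semantics.
FULL = 0xFFFFFFFF


def restore_mark(nfmark, ctmark, nfmask, ctmask):
    """-j CONNMARK --restore-mark: copy masked connmark bits into the packet mark."""
    return ((nfmark & ~nfmask) ^ (ctmark & ctmask)) & FULL


def save_mark(nfmark, ctmark, nfmask, ctmask):
    """-j CONNMARK --save-mark: copy masked packet-mark bits into the connmark."""
    return ((ctmark & ~ctmask) ^ (nfmark & nfmask)) & FULL


def connmark_differs(ctmark, value, mask=FULL):
    """-m connmark ! --mark value/mask: true when the masked connmark != value."""
    return (ctmark & mask) != value


def forward_packet(ctmark, restore_mask, save_mask):
    """Walk one unmarked packet through FORWARD -> QOSO -> the save-mark rule.

    Returns (packet mark, connmark afterwards, left QOSO at the RETURN rule?).
    When the last item is False the real packet would go on into the
    classification rules, which are not modelled here.
    """
    nfmark = 0  # assumption: the packet arrives unmarked
    # -A QOSO -j CONNMARK --restore-mark --nfmask M --ctmask M
    nfmark = restore_mark(nfmark, ctmark, restore_mask, restore_mask)
    # -A QOSO -m connmark ! --mark 0x0/0xf00 -j RETURN
    early_return = connmark_differs(ctmark, 0x0, 0xF00)
    # -A FORWARD -o vlan2 -m connmark ! --mark 0x0 -j CONNMARK --save-mark ...
    if connmark_differs(ctmark, 0x0):
        ctmark = save_mark(nfmark, ctmark, save_mask, save_mask)
    return nfmark, ctmark, early_return


SAMPLE_CTMARK = 0x00012305  # constructed value with bits set above the low byte

if __name__ == "__main__":
    for rmask in (0xFF, FULL):
        ct = SAMPLE_CTMARK
        for n in (1, 2):
            nf, ct, early = forward_packet(ct, rmask, FULL)
            print(f"restore mask {rmask:#x} packet {n}: "
                  f"nfmark={nf:#x} connmark={ct:#x} early_return={early}")
```

With the constructed connmark, the 0xff restore followed by the full-mask save leaves only 0x5 in the connmark, so the next packet no longer satisfies the 0x0/0xf00 RETURN match; with full masks on both rules the value is preserved.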
  77. kornerz

    kornerz New Member Member

    Hi everyone,

    I've found a small bug in traffic stats display in the latest few versions of this firmware:
    Traffic counters on interfaces do not work: they do not update when IPv4 traffic passes.

    More details:
    • Hardware: RT-AC56U
    • Firmware: 2018.1.039 -beta-kille72 K26ARM USB AIO-64K
      (Also tested at 2018.1.031, 2017.1 and 2017.3 - all show same behavior)
    • Firmware has been cleanly flashed after NVRAM clear.
    Steps to reproduce:
    • Reboot router to clear interface counters
    • Download large file on your PC
    • Watch that interface counters in ifconfig output only increased at eth0 interface (and not on br0 or vlan2 as expected):
      Code:
      eth0       Link encap:Ethernet  HWaddr BC:EE:7B:8F:A1:C8
                 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                 RX packets:1121839 errors:0 dropped:0 overruns:0 frame:0
                 TX packets:1120699 errors:0 dropped:0 overruns:0 carrier:0
                 RX bytes:1166232906 (1.0 GiB)  TX bytes:1157619892 (1.0 GiB)
                 Interrupt:179 Base address:0x4000
      ...
      vlan2      Link encap:Ethernet  HWaddr BC:EE:7B:8F:A1:C9
                 inet addr:176.192.49.40  Bcast:176.192.49.255  Mask:255.255.255.0
                 inet6 addr: fe80::beee:7bff:fe8f:a1c9/64 Scope:Link
                 RX packets:6428 errors:0 dropped:0 overruns:0 frame:0
                 TX packets:5350 errors:0 dropped:0 overruns:0 carrier:0
                 RX bytes:5575115 (5.3 MiB)  TX bytes:512013 (500.0 KiB)
      
    • As a result, "Bandwidth monitoring" graphs in the GUI do not show data, and data gathered via SNMP is also obviously wrong.

    As an interesting note, if 6in4 static tunnel is set up and file is downloaded over IPv6, everything works as expected: Traffic goes in at vlan2 and out at br0, which is visible both in ifconfig -a output and web UI.

    There was a similar Linux kernel bug (bug 579858 at Red Hat Bugzilla),
    but it's not it, as the hardware is different.

    The issue is minor, but it definitely was OK in the original Shibby firmware.

    UPDATE: It disappears if CTF (Cut-Through Forwarding) is disabled, so that may be the cause.
     
    Last edited: Apr 14, 2018
  78. kille72

    kille72 LI Guru Member

    Last edited: Apr 15, 2018
    RichtigFalsch likes this.
  79. thewaywardgeek00

    thewaywardgeek00 Network Newbie Member

    Hi, new to this fork, would like to ask if it's alright to upgrade my router to this firmware as Shibby has been silent for quite a while already. And if it is, is it possible to restore backed up settings from Shibby FW to FreshTomato FW after NVRAM Clear?

    Router
    DIR-868L Rev. A
    Firmware
    Shibby Tomato v140 ARM

    Thanks!
     
  80. gs44

    gs44 Addicted to LI Member

    Read the post right above yours....
     
    thewaywardgeek00 likes this.
  81. Toxic

    Toxic Administrator Staff Member
