My Tomato experiences (plus free scripts! ;)

Discussion in 'Tomato Firmware' started by rhester72, Aug 8, 2008.

  1. rhester72

    rhester72 Network Guru Member

    My Tomato experiences (plus free scripts ;)

    (You're reading this because of the free scripts claim, right? Well, I was telling the truth. You may even find them to be pretty neat. Read on. Also, SpeedMod 1.21 has been officially released at!)

    I've had some pretty good luck with Tomato and figured I'd share some of my experiences with hope they may be of value to someone. I have read a lot of good (and some not-so-good) advice, "facts" and rumors about Tomato and wanted to take the opportunity to give something back to a community that has given me much (though perhaps without realizing it ;).

    First, a bit about my background. I've been running "alternate" operating systems on my Linksys routers for a while now, dating back to OpenWRT White Russian 0.7. I was a *very* strong proponent of WR (and later Kamikaze - both for their integrated, open package management and because I am a command-line junkie), but recently got frustrated with the near-daily restarts on my WRT54GS V2.0 and looked to DD-WRT and its newer Broadcom drivers for help.

    (Sveasoft can bite me. Never used them, never will. If you want to know why, Google is your friend.)

    (Little-known fact from the author: If you have a BCM4712 CPU revision 1 and are experiencing serious issues with random restarts that look like the power was cut when an Intel 3945ABG wireless NIC attempts to connect, the restarts *are not* a result of the wireless driver. Really. Classic Broadcom or ND, it makes no difference, nor does what revision of the Intel driver you use. Chuck it and get a WRT54GL, which is far less buggy at the hardware level and can be easily overclocked to 250MHz with no special cooling. BCM4712 revision 2+ is not affected.)

    The random restarts continued. Since DD-WRT wasn't panning out, I read about firmware called "Tomato" that also had a newer driver, but not quite the same version DD-WRT had. More importantly, Tomato had apparently earned a reputation for being stable. Stable is good.

    Long story short: I joined the Tomato crowd at 1.18 on a newly-purchased WRT54GL (see hardware woes above), and haven't looked back since. It has an extremely clean, well-laid-out interface, amazing real-time visual reporting, and offers serious functionality without clutter and bloat (yes, I'm talking to you, DD-WRT).

    (I was so impressed, in fact, that for the first time in my life I have actually come to appreciate a GUI administrative interface more than a CLI. That's saying a lot from an old-schooler who cut his teeth on Ultrix and HP-UX and whose first experience with Linux was before anyone had even thought about a "distribution", you had to download the uuencoded kernel source off of Usenet, and running a Linux system meant you not only cross-compiled the kernel yourself, but you built your own filesystem *by hand*. ext3? Bah. Minix FS rules! But I digress...)

    So, hopefully for your benefit, I offer my (random and somewhat disconnected) thoughts and experiences with Tomato thus far. Some of it will echo what you've read from others, some of it will expand on it, some of it may be new to you. None of it is guaranteed, nor is all of it Tomato-specific.

    I am currently running 1.21 SpeedMod, compiled myself. I truly don't understand why only parts of Rodney's SpeedMod were integrated into Tomato mainline by Jon, because it *truly does* make a tremendous difference when the connection count gets above 400-500. Everything I read about how much "snappier" and responsive Tomato was with SpeedMod is true, particularly if you have users running a lot of P2P apps, and applies not only to general browsing/usage but also to the Tomato UI as well. (NOTE: I think I do understand why it isn't in mainline...yet. The "Rusty's brain broke" errors that were introduced in 1.18 when some of SpeedMod was folded in caused pretty serious headaches for some, and the cache "fix" for these in SpeedMod 8502 has yet to be field-tested long-term. There is hope yet! :)

    Tomato-ND works fine on the WRT54GL unless you use Measure Noise Floor, at which point it is reported to hang the router (though I never experienced this). It gives a *measured* increase in wireless signal strength, but not a *perceived* increase in throughput. I find stability of Tomato and ND to be equal on the GL, your mileage may vary. Personally, I recommend "regular" Tomato for the GL as Jon does.

    I have never used the Victek or OpenVPN+SNMP mods, though I have borrowed from the latter. Victek just offers more than I need - what I appreciate about Tomato is the elegance and simplicity, and from what I've read about the former mod, it seems to go more in the DD-WRT "kitchen sink" direction (no offense to the author!).

    OpenVPN on a 200MHz MIPS CPU seems a painful waste to me. I did it for a long while on OpenWRT, but once you see how much faster your throughput can be on *anything* else, you won't long for it again. My recommendation: Run OpenVPN server instead on a Windows or Linux box that is up 24/7 and port forward/route your internal LAN. The Broadcom just can't hack the strain.

    Don't bother with PPTP unless you want to know pain, suffering, and being hax0red on a level heretofore unknown. Use OpenVPN.

    srelay and its brethren (like Socks Puppet for Windows) are a godsend when you want to get to the "outside world" from the workplace without being snooped upon and being unable to have connections from the outside in like DCC (and you will of course want to use Port Triggering for the latter!). Again, there is little point of doing so on the router (unless you are also running your VPN server there), since if you can't get to VPN (because your real server running OpenVPN is down), the relay won't help much. Put the SOCKS relay on whatever box you are running the VPN server on.

    CPU load is primarily affected by encrypted wireless throughput, connection count, L7 filters, and level of DNS activity, in that order of severity. Poorly-written or unoptimized scripts can also be a large contributing factor. Load averages under 1.00 are nothing to write home about, however, as it means you still have headroom. Load averages above 1.00 mean that your router is too busy to do everything it is being asked, and you should see about tweaking your configuration, overclocking, or both. (NOTE: Overclocking a PC can be risky. Overclocking a router is downright dangerous to its health if you are not careful. Trust me, I know - I stand witness to the fact that you can get one back from an extreme overclock without JTAG as long as you have patience, speed, a deep freezer and a very long CAT-5.)

    Always turn Administration/Debugging/Count cache memory as free memory "on". Linux converts cache and buffer memory to application memory as needed, so there is little value to knowing the count without it unless you are performance tuning disk I/O (and this is a fruitless waste of time with a flash-based filesystem).

    OpenDNS is goodness. There are already fine articles on implementing this in Tomato, but be sure to set "strict-order" under Advanced/DHCP-DNS/Dnsmasq Custom Configuration.

    Choose a different subnet and IP from the default if you are running a VPN server. Everyone and their brother uses (or, so if you try to VPN in from a friend's house, you are screwed. is a very good choice, with the router as, to avoid IP conflicts on other networks (both work and at the homes of others). You can do some really screwy things with masquerading to have your network *appear* as to the VPN, but it's not worth the hassle, particularly on Tomato. The KISS principle strongly applies here.

    Put your VPN subnet on the next-highest class C (e.g. and route between that subnet and your local. An example route (in Advanced/Routing/Static Routing Table) from the above examples:

    Gateway: 172.16.0.x (your OpenVPN machine)
    Subnet Mask:
    Metric: 0
    Interface: LAN

    This will, of course, require this line in your OpenVPN server configuration:
    push "route"

    Set a domain name (Basic/Identification/Domain Name) if you are running VPN so you can hit your machines with that FQDN (e.g. hostname.localdomain) no matter what domain your friend's network uses.

    Always consider using a wireless channel other than 6 for exactly the same reason - everyone else uses 6. 1 has the best range (since it has the lowest frequency), but also the most conflict with consumer devices like microwave ovens. Your best bet is to do a wireless survey and pick the least of the evils. Do not take advice on picking a channel *between* 1 and 6 or 6 and 11, because that will cause your dynamic frequency range to overlap *two* common channels. Go with 1 or 11, whichever has fewer neighbors in the survey, and 1 if equal.

    If you have no B wireless devices, run a G-only WLAN. Supporting mixed actually slightly reduces the throughput of G devices, even if they are all you have.

    Don't use WDS+AP unless you have no other reasonable alternative - the speed penalty is just too much. Consider a 200mbit/HD ethernet-over-power solution to bridge your routers if available in your country - they are a bit pricey but work exceedingly well.

    DynDNS supports updating multiple hostnames at once. Just separate them with commas.

    Local DNS entries can be used without creating fixed DHCP addresses by using a MAC of 00:00:00:00:00:00 in Basic/Static DHCP.

    Wireless filtering and disabling beaconing when using WEP encryption (or none) are completely useless against wireless cracking. Don't bother.

    Do consider boosting your max connection count from 4096 to 6000 (with 16MB of RAM, 10240 if 32MB) when using SpeedMod.

    If you restart dnsmasq often (see example script below for why you may wish to do this) but want to make sure you get useful information in syslog, set "log-facility=/dev/null" in Advanced/DHCP-DNS and Mark Interval to 0 in Administration/Logging.

    You can push your wireless transmit power (Advanced/Wireless/Transmit Power) to 84 safely without burning out the radio or melting your chassis, but it won't help much. You will get a much stronger signal *to* your wireless devices (along with more noise), but you are doing nothing to improve your *router's* reception of the *device's* signal from *its* antenna unless you replace the stock router antenna(s) with 7dB or more high-gain omnidirectional. It's a two-way street. The default of 42 works just fine in 99% of the cases and anything higher merely gives the illusion of better connectivity (and only from the wireless device's POV).

    UPnP works surprisingly well. If you haven't tried it, and you use P2P or consoles, do so.

    I could write a book on QoS, but here are some fundamental basics (and should not be considered a guide or HOWTO - this is only my own advice/experience and should not be taken as gospel!):
    - DO use it, but only if you understand it. If you don't understand it, don't ignore it - learn it! It is what makes 3rd party firmware stand out from what you get out of the box!
    - It is OK to prioritize ACKs, even if you use BitTorrent. It only considers small ACK packets and not jumbo-frames-with-an-embedded-ACK, so BT clients and the like can't "cheat the system".
    - Only bother prioritizing ICMP if you want to impress your friends. It has no actual value.
    - Always set "Re-classify all packets when changing settings" if you don't wish to be confused about why your changes aren't working.
    - Set a default class of Lowest and don't try to classify P2P traffic - it is a fruitless exercise in frustration to think you can do so. This means you can throw all the default classification rules out the window.
    - Set your Outbound Max Bandwidth to slightly *below* (perhaps 95%) of your actual measured maximum bandwidth from a reliable, local speed test site.
    - DO set your Inbound Max Bandwidth, again to slightly below your actual measured maximum inbound bandwidth. Set Highest-Medium at 100% and Low- at 95%.
    - Always try to use port-based classification before L7 classification, since L7 is very CPU-intensive and slow.
    - If you run something like tor that you want to get all of your leftover bandwidth but none anyone else is using, set it (via ports *and* L7) to Class A. Make sure Class A has a ceiling of at least 95%.
    - Remember that as of 1.19+ all QoS classifications are evaluated in order, top to bottom, and the *first matching rule wins*. This means that more narrow/focused rules should appear before wider/broader ones, and those with higher priority within the focused rules should appear before those of lower priority, in general.
    - No matter what you do with ports or L7, some P2P using ports like 443 are likely to sneak through your net. Consider creating two rules for such common ports, one that sets traffic of 0-512K at a higher priority (this will be legitimate browsing/usage) and another at 512K+ at lower priority (this is likely to be P2P).
    - At minimum, prioritize DNS, NTP, and VPN to Highest (or the latter to at least High).
    - If doing heavy P2P, PFIFO will win over SFQ every time due to reduced overhead and being "more fair than fair". Administration/Scripts/WAN Up:

    [ `nvram get qos_pfifo` -eq 0 ] && (nvram set qos_pfifo=1;nvram commit;service qos restart)
    To enable this "live", you need to either reboot the router after the change or do the following from a ssh prompt:

    nvram set qos_pfifo=1;nvram commit;service qos restart
    (Technically speaking, the above negates the need to put the line in the WAN Up script, but I did it so that it would survive nvram clears.)

    If you have a wireless LAN, encrypted or otherwise, do not EVER allow telnet and ALWAYS use ssh (Administration/Admin Access) if you need CLI access...and someday, you will. In fact, follow this advice even if you don't have a wireless LAN. And for the love of all that is holy, please never check Administration/Admin Access/SSH Daemon/Remote Access. Automated password-guessing bots will descend upon you in hordes within hours of seeing port 22 open in the wild, and unless you have chosen a very secure password, all will soon be lost. Internal DNS poisoning is just the start of the fun that will await you. (NOTE: There does appear to be some possible protection against brute-force remote password cracking if you would like to expose your port 22 to the world. See for details.)

    I recommend using a CIFS mountpoint for bandwidth history (Administration/Bandwidth Monitoring), saved hourly and on shutdown. The file is super-tiny and costs little in LAN traffic. JFFS, even every two days, is not the way to go with million-write-cycle flash memory, ditto NVRAM. Yes, the file is in binary format, and no, I don't know how to decode it.


    Quickie DMZ-by-button - Administration/Buttons-LED:
    Set 4-6 seconds to "Run Custom Script", and paste the following into the Custom Script box:

    [ $1 -gt 3 -a $1 -lt 7 ] && ([ `nvram get dmz_enable` -eq 0 ] && (nvram set dmz_ipaddr=XXX;nvram set dmz_enable=1;service firewall restart) || (nvram set dmz_enable=0;service firewall restart);nvram commit)
    Replace XXX with the last octet of the IP on your subnet you want to DMZ to (probably a gaming machine). Hold down the button for 5 seconds, DMZ is on and LED will light. Repeat to disable/cycle.

    This takes effect immediately.


    All-encompassing ad-blocking solution - Look Ma, No Hands! (requires 1.21+!):

    Original ideas by others on this forum, expanded upon by my crazed brain. A completely self-contained, fully automatic, easily disabled network-wide ad blocking solution.

    Quick (<3 seconds) button hit to enable/disable ad blocking (optional):

    Set 0-2 seconds to "Run Custom Script", and paste the following into the Custom Script box:
    [ $1 -lt 3 ] && ([ -h /etc/dnsmasq.custom ] && rm /etc/dnsmasq.custom || ln -s /etc/dnsmasq_adblock.conf /etc/dnsmasq.custom;service dnsmasq restart)
    Update it daily:

    Administration/Scheduler/Custom 1 (required. IMPORTANT: If you use another Custom slot, edit the WAN Up script!):

    abc=dnsmasq_adblock.conf;tip=;wget -q -O /tmp/$abc '';[ $? -eq 0 -a `grep ^address= /tmp/$abc|wc -l` -gt 0 ] && (logger -t adblock -p 5 Server download OK;cat /tmp/$abc|sed 's/'$tip'/g'>/etc/$abc;[ ! -s /cifs1 ] && mv -f /tmp/$abc /cifs1/$abc.bak || rm /tmp/$abc;[ -h /etc/dnsmasq.custom ] && service dnsmasq restart) || (logger -t adblock -p 4 Server download failed;[ ! -s /etc/$abc -a -s /cifs1/$abc.bak ] && (logger -t adblock -p 5 Data recovered from backup;cat /cifs1/$abc.bak|sed 's/'$tip'/g'>/etc/$abc;[ -h /etc/dnsmasq.custom ] && service dnsmasq restart));unset abc tip
    Replace the IP in the tip variable ( above) in the sed with the IP running pixelserv ( If you don't have pixelserv (which means you will get ugly error code blocks in Firefox), change to:

    abc=dnsmasq_adblock.conf;wget -q -O /tmp/$abc '';[ $? -eq 0 -a `grep ^address= /tmp/$abc|wc -l` -gt 0 ] && (logger -t adblock -p 5 Server download OK;cp /tmp/$abc /etc/$abc;[ ! -s /cifs1 ] && mv -f /tmp/$abc /cifs1/$abc.bak || rm /tmp/$abc;[ -h /etc/dnsmasq.custom ] && service dnsmasq restart) || (logger -t adblock -p 4 Server download failed;[ ! -s /etc/$abc -a -s /cifs1/$abc.bak ] && (logger -t adblock -p 5 Data recovered from backup;cp /cifs1/$abc.bak /etc/$abc;[ -h /etc/dnsmasq.custom ] && service dnsmasq restart));unset abc
    Administration/Scripts/Init (required, we need a default!):

    [ ! -f /tmp/dnsmasq.chk ] && (ln -s /etc/dnsmasq_adblock.conf /etc/dnsmasq.custom;touch /tmp/dnsmasq.chk)
    If you'd rather default to not blocking ads on boot, leave the entire above line out/ignore it.

    Administration/Scripts/WAN Up (required, see above on changing sch_c1_cmd based on which Custom you used in the Scheduler):

    [ ! -f /etc/dnsmasq_adblock.conf ] && eval `nvram get sch_c1_cmd`
    Please, update no more than once a day (preferably once a week!) to conserve his bandwidth!

    Once implemented, you must either reboot your router or execute the following at an ssh prompt to start it for the first time:

    ln -s /etc/dnsmasq_adblock.conf /etc/dnsmasq.custom;eval `nvram get sch_c1_cmd`
    Again, replace sch_c1_cmd with the appropriate NVRAM variable (c1=Custom 1, c2=Custom 2, etc).


    Das Blinkenlights - if you're not doing anything better with your LED, use it as a load meter! Progresses from white to mixed to orange at the 30/70 load average thresholds, adjust to taste. Administration/Scripts/Init:

    echo '#!/bin/sh
    while sleep 3; do
    la=$(cat /proc/loadavg | cut -d" " -f1 | tr -d .)
    [ $la -gt 70 ] && led amber on white off || ([ $la -gt 30 ] && led amber on white on || led amber off white on)
    done'>/tmp/
    sh /tmp/ &
    Either reboot or paste the above at an ssh prompt to kick it off for the first time.


    The much maligned, much misunderstood snmpd (if you don't know what SNMP is, you can safely skip this section):

    If you are using the old binary posted to this forum, add the following to your snmpd.conf to prevent crashes during a snmpwalk (disables filesystem stats):

    view all excluded .

    You have to do this, of course, because of the lack of vfs support. The other way to stop the crash is to use a better binary, compiled by me from original modifications to Tomato 1.18 by jyavenard and available at

    Either way, here's a handy boot-time startup script for Administration/Scripts/Init (assuming you wisely placed both the binary and config file in /cifs1 rather than JFFS, but modify to taste!):

    [ ! -f /tmp/snmpd.chk ] && (
    echo '#!/bin/sh
    while [ ! -f /cifs1/snmpd ]; do
    sleep 1
    done
    /cifs1/snmpd -c /cifs1/snmpd.conf -s
    touch /tmp/snmpd.chk
    rm /tmp/'>/tmp/
    sh /tmp/ &)
    For the first run, either reboot the router or execute the following at a ssh prompt:

    /cifs1/snmpd -c /cifs1/snmpd.conf -s

    That's it, folks! Below is my own wish and questions list, if anyone should like to contribute ;)

    Things I would like to see improved in Tomato:

    - Full integration of SpeedMod into Tomato mainline
    - Inclusion of basic SNMP support out of the box (it is a network device, right?)
    - Use of Static DHCP hostnames (with a MAC of 00:00:00:00:00:00) in the Device List for devices *not* ARPed locally (this would be extremely beneficial in multi-router networks)
    - Make the bandwidth graph ceiling scale to the average peak (the scale on the right as Off, 2x, 4x, etc.) rather than the absolute peak to avoid huge amounts of dead whitespace when smoothing the graph to avoid spurious spikes

    Things I would still like to know about Tomato that I have found little to no documentation on:

    - Noise floor is what, exactly, and why would I need to measure it?
    - What is the point of the WEP Passphrase box, since hitting "Generate" populates the key boxes with hex values that do *not* correspond to the passphrase, and using a passphrase alone does not seem to work?
    - What is the purpose of the lower outbound rate limit in QOS (e.g. the 80% in 80%-100%) per class? Is it a bandwidth guarantee?
    - Does setting "Save On Shutdown" under Administration/Bandwidth Monitoring also save on reboot? If yes, CLI and GUI or GUI reboot only?
    - How can I prevent logging like the following to syslog?

    Aug 7 20:52:17 cerberus dropbear[4006]: Child connection from
    Aug 7 20:52:20 cerberus authpriv.notice dropbear[4006]: password auth succeeded for 'root' from
    Aug 7 20:52:23 cerberus dropbear[4006]: exit after auth (root): Exited normally

    I have tried changing Administration/Debugging/Console log level to no avail (assuming it maps to the 0-7 levels from syslog).

    With hope you found it useful,

    Rodney (no, not *that* Rodney, he's the SpeedMod guy - I'm the HandBrake guy)
  2. azeari

    azeari LI Guru Member

    wow tts a pretty long post, and honestly i didn't finish reading it =X

    anyways, just to answer some qns (=

    1. Noise floor is the constant interference(noise) u get from sources around you, i.e. its the lowest level u can get a signal off without losing it permanently. think of it as background noise
    2. passphrases are for lazy people who refuse to think up a long pre-shared key, or for use with some connection software that supports passphrases (anyway, just ignore WEP.. it's close to having no security at all). if u do wish to have it work, copy the random hex values as your key
    3. i'm kinda lazy to explain this since it's been discussed on the forums a couple times :p anyway, it's "kind" of a guarantee, but the rule ordering affects how qos works also, and if ur total outbound lower limit exceeds 100%, that isn't exactly a guarantee anymore, is it ;)
    4 & 5. i dunno ^^;;
  3. bin_asc

    bin_asc Addicted to LI Member

    What's the difference between your Tomato and Tomato-ND (what does the ND stand for)?
  4. fairuza

    fairuza LI Guru Member

    thanks! all i wanted was a simple tomato v1.21 with speedmod and none of the other added stuff. i would check here and on the speedmod homepage several times a day and kept getting disappointed.
  5. TexasFlood

    TexasFlood Network Guru Member

    Quite a post, rhester72. I've been through OpenWRT, DD-WRT, variations of HyperWRT and even Sveasoft back in its early days. Agree with your comments about Tomato and thanks for the contributions. Question about the non-pixelserv version of the "All-encompassing ad-blocking solution" script. Should the mv statement be moving dnsmasq_noads.conf from /tmp to /etc after the wget? That part doesn't look quite right to me. Perhaps I'm reading it wrong. I'm a scripting amateur so forgive me if it's a stupid question.
  6. rhester72

    rhester72 Network Guru Member

    ND is "New Driver", one of the two standard Tomato releases that contains an updated Broadcom wireless driver. The updated driver does not work at all on very old hardware, works but has minor issues on newer hardware, and is required for the WHR-G125.

  7. rhester72

    rhester72 Network Guru Member

    Yes, it should. The logic is as follows (in pseudocode):

    1. Attempt to download the ads file to /tmp/dnsmasq_noads.conf
    2. Was it successful? Yes - go to step 3. No - go to step 6.
    3. Move the file from /tmp to /etc, overwriting if it already exists
    4. Does the softlink to it exist? Yes - go to step 5. No - go to step 6.
    5. Restart the dnsmasq service
    6. Exit

    So the real purpose of downloading to /tmp first is to protect the last _good_ version of the file in /etc from being clobbered should the new download fail - we use /tmp as a "staging area" and "commit" to /etc only if everything went well.

    There was a syntactical error in the "no-pixelconf" version that I have corrected - sorry about that!

    No worries about the very hard-to-read, archaic form of scripting used here...using normal, structured if/then flow would be a far better choice for readability. Unfortunately, given our limited NVRAM storage space, we have to trade readability for compactness. The syntax can become a real bear, particularly with nested if/then/else clauses.
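    The staged update that the pseudocode above and the one-line Scheduler script in the first post implement, written out as a readable shell script. This is an added example for this thread, not rhester72's code: every adblock_* function, the ADBLOCK_* variables, the list URL, the pixelserv address and the backup path are assumptions or placeholders, the "is the CIFS share there" test is simplified to "the backup directory exists", and the validation goes a step beyond the original by rejecting a download that contains anything other than address= lines and comments (an HTML error page, for instance).

```shell
#!/bin/sh
# Stage -> validate -> commit -> back up, with fallback to the last good copy.
# Added example, not the thread author's script. All paths and the URL below are
# placeholders; export the ADBLOCK_* / PIXELSERV_IP variables to override them.

ADBLOCK_URL="${ADBLOCK_URL:-http://adlist.invalid/dnsmasq_adblock.conf}"  # placeholder URL
ADBLOCK_LIVE="${ADBLOCK_LIVE:-/etc/dnsmasq_adblock.conf}"      # the file dnsmasq reads via the symlink
ADBLOCK_LINK="${ADBLOCK_LINK:-/etc/dnsmasq.custom}"            # symlink present = blocking enabled
ADBLOCK_STAGE="${ADBLOCK_STAGE:-/tmp/dnsmasq_adblock.conf}"    # staging copy, never served from here
ADBLOCK_BACKUP="${ADBLOCK_BACKUP:-/cifs1/dnsmasq_adblock.conf.bak}"  # last known-good copy (CIFS share)
ADBLOCK_RESTART="${ADBLOCK_RESTART:-service dnsmasq restart}"  # command that reloads dnsmasq
PIXELSERV_IP="${PIXELSERV_IP:-}"   # empty: keep the list's own target address (no pixelserv)

adblock_log() {  # $1 = syslog priority, $2 = message; falls back to stderr if logger is absent
    logger -t adblock -p "$1" "$2" 2>/dev/null || echo "adblock: $2" >&2
}

adblock_fetch() {  # download into the staging file; non-zero on any failure
    wget -q -O "$ADBLOCK_STAGE" "$ADBLOCK_URL"
}

# Accept a file only if every non-blank, non-comment line is a dnsmasq
# "address=/host/ip" entry and at least one such entry exists. An HTML error
# page, a truncated transfer or CRLF line endings all fail this check.
adblock_validate() {
    [ -s "$1" ] || return 1
    grep -q '^address=/' "$1" || return 1
    if grep -v -E '^(address=/[^/]+/[0-9.]+|#.*|[[:space:]]*)$' "$1" | grep -q .; then
        return 1
    fi
    return 0
}

# Copy $1 into place, optionally pointing every entry at pixelserv (the sed step
# of the original). Written to a temp file first and renamed, so dnsmasq can
# never see a half-written live file.
adblock_install() {
    if [ -n "$PIXELSERV_IP" ]; then
        sed "s#^\(address=/[^/]*/\).*#\1$PIXELSERV_IP#" "$1" > "$ADBLOCK_LIVE.tmp"
    else
        cat "$1" > "$ADBLOCK_LIVE.tmp"
    fi && mv -f "$ADBLOCK_LIVE.tmp" "$ADBLOCK_LIVE"
}

adblock_reload() {  # only bounce dnsmasq when blocking is actually switched on
    if [ -h "$ADBLOCK_LINK" ]; then
        $ADBLOCK_RESTART
    fi
}

# Returns 0 when a fresh list was installed, 2 when the live file was missing
# and the backup was restored instead, 1 when nothing usable was available
# (an existing live file is left untouched in that case).
adblock_update() {
    if adblock_fetch && adblock_validate "$ADBLOCK_STAGE"; then
        adblock_log 5 "Server download OK"
        adblock_install "$ADBLOCK_STAGE" || { rm -f "$ADBLOCK_STAGE"; return 1; }
        if [ -d "$(dirname "$ADBLOCK_BACKUP")" ]; then
            mv -f "$ADBLOCK_STAGE" "$ADBLOCK_BACKUP"   # keep a known-good copy for the next failure
        else
            rm -f "$ADBLOCK_STAGE"
        fi
        adblock_reload
        return 0
    fi
    rm -f "$ADBLOCK_STAGE"
    adblock_log 4 "Server download failed"
    if [ ! -s "$ADBLOCK_LIVE" ] && adblock_validate "$ADBLOCK_BACKUP"; then
        adblock_log 5 "Data recovered from backup"
        adblock_install "$ADBLOCK_BACKUP" || return 1
        adblock_reload
        return 2
    fi
    return 1
}
```

On a router this would live on the CIFS share or JFFS and be called from the Scheduler, which is exactly the NVRAM-space trade-off described above.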

  8. TexasFlood

    TexasFlood Network Guru Member

    Cool. Thanks for the refresher course. I would have used if, never would have occurred to me to use the abbreviated test. Saving bytes in a script is good so I might find a use for that "very hard-to-read, archaic form" as well, :grin:
  9. fobis

    fobis Network Guru Member

    I want to thank you for the OP, rhester72. It's been extremely informative and even got me motivated enough to tweak QoS stuff.

    And also, thanks for your SpeedMod build of 1.21. I've been using Victek's custom build, but I also thought it had much more than I wanted.

    Your ad-blocking scripts did seem to break my internet connection, though. I might've just done something wrong, but I figured I'd let you know. I didn't use PixelServ, by the way.
  10. rhester72

    rhester72 Network Guru Member

    I'd be happy to try to diagnose your problems with the ad-blocking scripts if you're still interested in trying them. PM me if you like - probably not worth tying up the thread over unless/until we know what resolves it.

  11. regular

    regular LI Guru Member

    do you have a wrt 54gl version of your speedmod?
  12. hardc0re

    hardc0re Network Guru Member

    Thanks to rhester72 for compiling a SpeedMod on 1.21 earlier. I'm glad the SpeedMod source-code is getting used well. :)

    I've finally got down to it to recompile it myself, speedmod on Tomato 1.21.

    Related thread here.
  13. rhester72

    rhester72 Network Guru Member

    From my post:

    Tomato-ND works fine on the WRT54GL unless you use Measure Noise Floor, at which point it is reported to hang the router (though I never experienced this). It gives a *measured* increase in wireless signal strength, but not a *perceived* increase in throughput. I find stability of Tomato and ND to be equal on the GL, your mileage may vary. Personally, I recommend "regular" Tomato for the GL as Jon does.

    (Translation: Either works on the GL, non-ND is recommended)

  14. Victek

    Victek Network Guru Member

    Welcome to the Tomato workshop!:biggrin:

    I have never used the Victek or OpenVPN+SNMP mods, though I have borrowed from the latter. Victek just offers more than I need - what I appreciate about Tomato is the elegance and simplicity, and from what I've read about the former mod, it seems to go more in the DD-WRT "kitchen sink" direction (no offense to the author!).
    Please use it before; I never write an opinion (in a public document, in this case in a public forum) based on what I read or heard.

    Since wireless N routers have dropped in price, the author of Tomato will need to take the next step to keep Tomato's great score; new users are migrating to other third-party firmware due to the lack of support in Tomato.

    WRT54GL is dying, you can buy the WRT160N at the same price as the WRT54GL....

    Jon are you awake? :biggrin:
  15. rhester72

    rhester72 Network Guru Member

    Does the 160N have NVRAM variables? Moving away from that configuration style to a jffs-based solution was the biggest hurdle to (and benefit of) OpenWRT Kamikaze, and is likely what is preventing Tomato from more widespread release (and adoption).

    Also, please don't misunderstand my comments from the first post - I am sure that your mods make great additions to Tomato! I just don't personally have a need for those features. =) If I did, trust me, yours would have been the first 'mod' I would have tried. ;)

    By the way, for clarification's sake - I've seen this asked before but didn't see a clear answer. Does your mod integrate the SpeedMod changes (in full)?

  16. regular

    regular LI Guru Member

    thanks for the headsup and scripts. I don't notice any difference with the ND or non-ND, but I guess I'll stick to tried and true.

    I was wondering if you had a simpler guide or resource to setting up a openvpn server on a computer behind the router? I'd like to be able to connect from school and browse the net thru my home LAN or download files from home etc.
  17. rhester72

    rhester72 Network Guru Member

    That is unfortunately a bit beyond the scope of this forum (or my ability to recite from memory), but I basically followed the directions right on the OpenVPN HOWTO on the main site. Were you having trouble following their guide? (Unfortunately, I am unaware of an OpenVPN-specific support forum site, and can't find one on the main site to direct you to. :/)

  18. regular

    regular LI Guru Member

    oh no, I was just reading the openvpn built in to tomato thread before and was just wondering if there was something similar for setting up on a computer on the network. But I just realized there is a guide on the website too. Thanks anyways though!
  19. Victek

    Victek Network Guru Member

    *- WRT160N is a good candidate for a new firmware; people are working on it.
    *- Of course, I didn't misunderstand you. I think that the people contributing to this great firmware are doing it for pleasure (at least I'm doing it in my spare time).
    *- Yes, SpeedMod is fully integrated in the 1.19/1.20 and 1.21 Victek mods (read the changelog in the post for each release).

    Thanks for your comments and contribution.
  20. TexasFlood

    TexasFlood Network Guru Member

    Check for a space between the words "mime" and "type" in the wget command. If you see "mime type", remove the space and change it to "mimetype". I've seen this happen with posts before and screw up the URL.
  21. fobis

    fobis Network Guru Member

    TexasFlood, that seems to have fixed it.

    rhester72, everything works now with ad blocking. And from my quick tests from various websites, it looks like the ad blocking scripts are doing a mighty fine job of blocking ads.

    Thanks, to both of you!
  22. rhester72

    rhester72 Network Guru Member

    Good catch! I've added code blocks to prevent this in the future - thanks!

  23. rhester72

    rhester72 Network Guru Member

    Glad to hear it! I don't want to take credit for the idea - in fact, the original inspiration came from this very forum based on a script written by another individual and improved upon by a third. I simply took it and fully "Tomatoized" it the way I felt like it could be done in the most transparent, automated, foolproof way I could think of using my own original scripts. I take absolutely no credit for the concept or the very important third-party data that makes it possible...but am very pleased you found my implementation useful.

  24. scaredwitless

    scaredwitless Network Guru Member

    Thanks for the enjoyable and thought provoking read! It resulted in me tweaking a few things on my wrt fleet. I also like your implementation of the ad blocking scripts and am trying it out. So far so good. Thanks!

    I haven't played with pixel server, the sourceforge link seems to be throwing up a 404 at the moment, but in the meantime I was wondering... Couldn't the Tomato web server be used to serve up a 1x1 transparent gif itself? Maybe something it could obtain from a web address or say a CIFS share?
  25. hardc0re

    hardc0re Network Guru Member

    Hey this is interesting. Just realized that your name's Rodney too. What a coincidence! =)
  26. bokh

    bokh Network Guru Member

    rhester72: awesome post! What a way to come in to this forum! :)
    If you don't mind, I can update my SNMP-howto over here and mirror your updated SNMP-daemon and config on my hosts at too.
  27. bin_asc

    bin_asc Addicted to LI Member

    Ah darn it ... rhester, I've been using your firmware for the past 2-3 days since my first post here ... the interesting thing is, yesterday and today my internet was going down and up (I'm on PPPoE). Is there any way to diagnose if it's actually the ISP or the firmware?
  28. rhester72

    rhester72 Network Guru Member

    I've updated the link to pixelserv which includes an inetd version as well.

    Unfortunately, the current Tomato httpd isn't up to the task.

    The way pixelserv works is to listen on port 80 (it must be this port, of course, since it is effectively acting as a proxy) and respond to *all* HTTP requests on that port, regardless of URL, with the 1x1-pixel GIF.

    For Tomato to do this, it would require the following:

    - A httpd daemon capable of being told to listen on port 80 on a specific address (it currently binds to all interfaces and listens on - this would require very minor code changes
    - A way of adding a fake IP address to the br0 interface so that the standard web interface continues to be exposed on the router's IP and pixelserv is on the aliased IP (this could likely be achieved by using Linux IP aliasing, that's how I do it on my Debian box)
    - A perl implementation - and that's the kicker. There isn't one. :)

    It should be possible to write a custom httpd to do this that basically does what pixelserv does (which is quite different from serving up "normal" content - we can't just point it at a webroot, because you must answer to all URIs! Apache can do this with redirects, of course, but who wants to run something as heavy as Apache just to serve up one tiny GIF over and over all day long? :) as long as we can also solve the first two problems. I agree that it would likely be the best of all solutions - unfortunately, I don't have time to dig into it at the moment. :/
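    The reply side of what rhester72 describes above, as an added sh example that is not pixelserv's own code: every request, whatever its URI, gets the same 200 response and the same 43-byte transparent GIF, and the request is read only to be thrown away. It assumes nothing beyond printf and read; the socket side (inetd on a spare LAN address, as discussed above) is outside the block.

```shell
#!/bin/sh
# Added example, not pixelserv itself: the reply a pixel server gives to every
# request, whatever the URI, so a blocked ad slot gets a real (blank) image
# instead of a browser error. Pure POSIX sh, nothing beyond printf and read.

# gif_1x1: the 43 raw bytes of a transparent 1x1 GIF89a, written as printf
# octal escapes so no base64 tool is needed on a router
gif_1x1() {
    printf 'GIF89a\001\000\001\000\200\000\000\000\000\000\377\377\377!\371\004\001\000\000\000\000,\000\000\000\000\001\000\001\000\000\002\002D\001\000;'
}

# pixel_response: a complete HTTP/1.0 reply; Content-Length matches the GIF and
# Connection: close tells the browser not to wait for anything more
pixel_response() {
    printf 'HTTP/1.0 200 OK\r\nContent-Type: image/gif\r\nContent-Length: 43\r\nConnection: close\r\n\r\n'
    gif_1x1
}

# handle_request: read one HTTP request from stdin up to the blank line that
# ends the headers, ignore the request line and URI on purpose, then answer
# with the pixel (the same thing for every URI is the whole point)
handle_request() {
    cr=$(printf '\r')
    while IFS= read -r line; do
        case "$line" in
            ''|"$cr") break ;;   # end of headers (CRLF or bare LF)
        esac
    done
    pixel_response
}
```

    Hooked to a listening socket by inetd on a spare LAN address (the arrangement the inetd version of pixelserv mentioned above uses), that address is what the dnsmasq adblock entries point at.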

  29. rhester72

    rhester72 Network Guru Member

    I had the same reaction when I saw who you were. =)

  30. rhester72

    rhester72 Network Guru Member

    Don't mind in the least.

  31. rhester72

    rhester72 Network Guru Member

    It can be a challenge, but the firmware I compiled should be essentially identical to Rodney's official release from yesterday. You can give his compile a try to see if it improves things, though I have an uptime of about a week at this point without issue as far as I can see.

    Can you paste snippets of your logs (either within the web GUI or from /var/log/messages at the CLI) showing the disconnects/reconnects to see if anything stands out? These sorts of things are invariably ISP or connectivity issues (particularly with marginal DSL signals or noisy cable lines), but I'm happy to do my best to suss out whether there could be anything going on in the firmware. I'd certainly hate to tarnish Tomato's reputation for stability! ;)

  32. bin_asc

    bin_asc Addicted to LI Member

    Never mind my message. I was one of the lucky winners of an old ISP problem: no connection from them :)
    So now I need to wait for the gods of ISPs to give me internet.
  33. rhester72

    rhester72 Network Guru Member

    Respun adblock scripts:

    - Changed name of conf file
    - Used variable for filename in scheduler to conserve precious NVRAM
    - Made scheduled download more robust - the possibility exists that you will get an HTTP code of 200 (OK), satisfying wget (RC=0), but no valid data because the SQL on the site failed...the script now checks for that as a failing condition and will not overwrite the existing adblocking set

  34. rhester72

    rhester72 Network Guru Member

    Very last changes to the adblock scripts:

    - Corrected a logic and a syntax error in the originals
    - Made a backup of a successful download to /cifs1 if mounted for additional resiliency (will be used if download fails and /etc/dnsmasq_adblock.conf does not exist)
    - Log successes and failures to syslog (/var/log/messages)

    As I am rapidly now violating my own KISS principles (and thus introduced errors in the last update), I will not be updating the adblock script anymore. I can't think of any way to make it more bulletproof. :)
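    The checks the last two updates describe, as an added example that is not rhester72's script: a download that returned 200/rc=0 is accepted only if it actually contains address= lines, an unusable download never replaces the existing conf, the /cifs1 backup is used only when the conf is missing, and every outcome is logged to syslog. The list URL is a placeholder and the dnsmasq restart assumes Tomato's service command.

```shell
#!/bin/sh
# Added example, not rhester72's script: the validation, fallback and syslog
# logic the two updates above describe. The list URL is a placeholder and the
# dnsmasq restart assumes Tomato's "service" command.
ADBLOCK_URL='http://example.invalid/adblock.txt'   # placeholder, not the real list
ADBLOCK_CONF=/etc/dnsmasq_adblock.conf
ADBLOCK_BACKUP=/cifs1/dnsmasq_adblock.conf
ADBLOCK_TMP=/tmp/dnsmasq_adblock.new

# log_adblock MSG: one tagged line in syslog, i.e. /var/log/messages on Tomato
log_adblock() { logger -t adblock "$1"; }

# valid_adblock FILE: a server can answer 200 OK (wget rc=0) and still send an
# empty or error page; accept FILE only if it holds at least one address= line
valid_adblock() {
    [ -s "$1" ] && grep -q '^address=/' "$1"
}

# pick_adblock NEW CUR BAK: print the list dnsmasq should use, in order of
# preference: a valid fresh download, the existing conf, the /cifs1 backup
pick_adblock() {
    if valid_adblock "$1"; then echo "$1"
    elif [ -f "$2" ]; then echo "$2"
    elif valid_adblock "$3"; then echo "$3"
    else return 1
    fi
}

# update_adblock: the scheduled job; a bad download never replaces a good list
update_adblock() {
    wget -q -O "$ADBLOCK_TMP" "$ADBLOCK_URL" || log_adblock "download failed, wget rc=$?"
    src=$(pick_adblock "$ADBLOCK_TMP" "$ADBLOCK_CONF" "$ADBLOCK_BACKUP") || {
        log_adblock "no usable list anywhere, dnsmasq left unchanged"; return 1; }
    case "$src" in
        "$ADBLOCK_TMP")
            mv "$ADBLOCK_TMP" "$ADBLOCK_CONF"
            # keep a copy on the CIFS share only when it is actually mounted
            grep -q ' /cifs1 ' /proc/mounts && cp "$ADBLOCK_CONF" "$ADBLOCK_BACKUP"
            log_adblock "installed $(grep -c '^address=/' "$ADBLOCK_CONF") entries" ;;
        "$ADBLOCK_CONF")
            log_adblock "download unusable, keeping existing list" ;;
        *)
            cp "$src" "$ADBLOCK_CONF"; log_adblock "restored list from $src" ;;
    esac
    rm -f "$ADBLOCK_TMP"
    service dnsmasq restart   # assumed Tomato command; a HUP alone does not reload address= lines
}
```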

  35. Jedis

    Jedis LI Guru Member

    Thanks! I'm using the adblocking and so far no issues. Very nice :)

    I was wondering if you knew if there is a way to run the pixelserv on Windows? I have perl installed, but not sure where to go from there. If the pixelserv cannot be reached, it would just give errors as if you weren't using it at all, correct? The availability of my computer is near 24/7, so I don't think I'd run into many issues with that.

    Any suggestions?
  36. rhester72

    rhester72 Network Guru Member

    I haven't tried running it on Windows, but I can't think of any reason why it wouldn't, so long as you have at least one LAN IP on the Windows box that isn't listening on port 80. Yes, if the pixelserv is unavailable, it will either time out (if the IP is up) or give a connection error (if the IP is down).

  37. Toastman

    Toastman Super Moderator Staff Member Member

    Rodney - welcome to the forums, and thanks for your very interesting first post.

  38. TexasFlood

    TexasFlood Network Guru Member

    Yes, Rodney, thanks for the interesting thread.

    Wish I had a button on my router but don't, :sad:.

    Even without the button, I still got something out of it. Tomato 1.21 broke the script I was using so I made a new one that is better, at least for me, than before. It's my own variation but if you look at it, you'll recognize some of your stuff there. I'm an equal opportunity thief and others posting in this forum could find familiar parts as well, :biggrin:.

    But it is my own version with some of my own ideas building on those of others, built to meet my needs. I posted my first cut yesterday so hopefully someone else can use all or part of it and continue the great script "circle of life", :grin:.
  39. rhester72

    rhester72 Network Guru Member

    I've already rewritten it three more times since the last update, but you have demonstrated that I reached my real objective, which was education and inspiration. I don't expect anyone to take canned scripts and just use them but to instead adapt them to what suits themselves and their environment best.

    But I did find adding logging to syslog useful. ;)

  40. TexasFlood

    TexasFlood Network Guru Member

    Yup, you definitely helped motivate me. I was thinking about a script that would better suit my needs but likely wouldn't have actually done it yet without that "shove me over the edge" so to speak.

    The script is working fine. I had a little startup lag before while the previous script was running which I don't notice now. Not a big deal but faster is better right? And I have more free memory in "steady state" as well.

    And if something does go wrong, I should be able to fix it quickly, :wink:.

    I also found logging to syslog useful, both for initial and ongoing verification / debugging.

    Thanks again! :thumbup:
  41. Jedis

    Jedis LI Guru Member

    Now if only someone could figure out how to get pixelserv to load onto the router to serve the 1x1 image... Maybe a rewrite of pixelserv if perl cannot be used on the router?

    Without pixelserv, I have noticed some lag upon opening some websites with 3+ ads on them. A 'notebook review' forum that I visit starts to load the page, then refreshes and reloads again before finally displaying. I'm not sure if it's because of the ad removal or not, but I just started noticing it after adding in the ad-blocking code.
  42. TexasFlood

    TexasFlood Network Guru Member

    I didn't figure that (pixelserv on Tomato) was going to happen any time soon but did manage to get it running on one of my Windows XP boxes, so it's all good I guess. I read that using "" is faster than "" so that's what I was doing before I got pixelserv running.
  43. Jedis

    Jedis LI Guru Member

    Hello TexasFlood,

    Is there any way you could post a guide to getting pixelserv up and running on Windows? I'm running Windows XP on my 'always on' system.

    I've tried searching Google, but cannot find any information to get it running on Windows. I have perl installed for another project I experiment with, but have no idea what I need to get pixelserv to run. I assume I need IIS or something else installed to serve the requests?

    Any help you can provide to getting this running on a computer without a webserver or httpd running would be greatly appreciated! Thanks!
  44. bogderpirat

    bogderpirat Network Guru Member

    you could use something like HFS. lightweight http fileserver.
  45. TexasFlood

    TexasFlood Network Guru Member

    Uhh, well. I didn't do anything fancy. I already had the free version of ActivePerl installed. Then I just ran Pixelserv 1.0. If you want to autorun it, you could, what, run it from the startup folder or run it from the registry, what is it HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run maybe. Also you can just turn it into an executable with perl2exe then I don't think you'd need to install perl if you didn't want to. Maybe some others have some better suggestions but that's what I did. Pixelserv may be faster, not sure. It certainly looks nicer. What I like about it is that I can go back to previous pages like normal. When you have a bunch of "page not found" errors, I often have to hit back several times which is a real PITA.
  46. scaredwitless

    scaredwitless Network Guru Member

    Personally I ended up using the free personal edition of the Abyss web server for Windows: as my pixel server. It has a small enough footprint, and all you've got to do is 1) set a 1x1 pixel gif as the custom 404 error page (easily set in the web configuration interface for the web server) and then 2) set the appropriate redirection IP in the ad blocking script you're using. I was going to set up a personal web server anyway so this worked out for me, although it does tie up the 404 error page, hah.
  47. Jedis

    Jedis LI Guru Member

    Thanks TexasFlood!

    I didn't even need the webserver/httpd. I used perl2exe to compile the perl script into an exe and simply running the generated exe is enough to get rid of those ugly error messages. Didn't think it would be so simple; thought I would have needed a webserver to host the file and to generate the gif. That is indeed NOT the case, though.
  48. agaver

    agaver Addicted to LI Member

    Hi everyone,
    Hope I can get some help with this...
    on the original post I found under the QOS section that rhester72 wrote:

    "At minimum, prioritize DNS, NTP, and VPN to Highest (or the latter to at least High)"

    Well, I got my wrt54gl loaded with Tomato 1.19.. and I have 2 computers that use
    VPN clients (IPsec) to connect plus another 2 computers that run torrents and p2p apps. I've been reading and I think I should set up the default class to lowest, and then ports 1024 to 65335 to bulk traffic in order to "throttle" my torrents and ares.
    My question is how to give priority to vpn connections?
    I've found how to prioritize DNS, HTTP, NTP, but VPN???

    Any help with these will be greatly appreciated:confused:.
    Thanks a lot!
  49. Toastman

    Toastman Super Moderator Staff Member Member

    I can't help you with VPN prioritising. But you don't really need to throttle torrents etc with any rule or port range. Set your default to lowest (you did that).

    Address everything you want to prioritise.

    Anything you **didn't address**, inc. P2P, ares, etc will bypass your rules, and end up in "default" of lowest priority.

    That way, you don't have to make unneeded rules, which slow down the processing.
  50. agaver

    agaver Addicted to LI Member

    Thanks for your help.
  51. bokh

    bokh Network Guru Member

    Regarding VPN and QOS it depends on what kind of VPN is used.
    I use both OpenVPN (private) and Cisco (work). For Cisco both UDP-ports 500 and 4500 are being used. See attachment how I've set up a QOS-rule "High" to prioritize port UDP/4500.
    Hope this helps (a little).

  52. Nick

    Nick Networkin' Nut Member

    I'm using a WRT54GL router with Tomato 1.28 firmware on it and suddenly I'm getting Unknown error (404) on all the networks,

    any help?