Tomato drops everything whenever it renews the DHCP lease

Discussion in 'Tomato Firmware' started by theymos, Jul 22, 2009.

  1. theymos

    theymos Addicted to LI Member

    My router (WRT54GL with Tomato 1.25) is connected through DHCP with a 10-minute lease. Whenever Tomato needs to renew this lease, all of my current connections are dropped, resulting in permanently-broken downloads and pages that will never load. How do I fix this?

    I'm connected like this (U-Verse):
    Phone -> 2Wire RG -> WRT54GL -> Computers

    I've tried resetting both the RG and the router, with no success. This configuration has worked before; the problem only started within the last few months.

  2. mrap

    mrap LI Guru Member

    Not a direct answer, but consider a static IP or a longer lease.
  3. theymos

    theymos Addicted to LI Member

    Neither is possible with my configuration.
  4. Planiwa

    Planiwa Network Guru Member

    So, let's see if I understand this:

    1. Your problem is how the 2Wire connects to Tomato -- not a Tomato problem.
    2. You seem to say that you can't change the way the 2Wire connects to Tomato.

    Did I get that right? :)

    Seems like the 2Wire is misconfigured. Lease Renewal should not affect any connections at all.

    Are you getting different WAN IP addresses, with these "lease renewals"?
    If so, that would confirm that the 2Wire is misconfigured.

    (Might also try to connect a computer directly to the modem and see if the same problem arises. That should confirm that it's not a Tomato thing. (Or otherwise. :))

    Update: Might find some answers here:

    Further Update: Is the following accurate?: "Whenever Tomato needs to renew this lease"
  5. theymos

    theymos Addicted to LI Member

    I'm not sure if it's a 2Wire or Tomato problem. However, since it works fine when I am connected directly to the RG, I suspect that Tomato is at least partially responsible.

    The WRT54GL is always assigned the same IP address with DHCP (99.x.x.x). It is not assigned a private IP. Telling Tomato to use a static IP doesn't work.

    [Removed] will resolve to my IP, if you want to see how it looks from the outside. And I'll host a large file at [Removed] so you can see the disconnection problem.

    AT&T technical support is useless no matter where you talk to them. I've already tried the DSLReports U-Verse forum.

    "Whenever Tomato needs to renew this lease" is accurate. Every 10 minutes, when the DHCP lease expires, all of my connections suddenly stop with no error. Everything works seconds after the lease is renewed, but the stopped connections do not restart.
  6. Planiwa

    Planiwa Network Guru Member

    Ah, I didn't see that in your original post. :)

    Possibly Tomato detects a dreaded "topology change"? (And restarts Wan and FW?)

    Time to post the Tomato log from the time of the disconnect ... :)
  7. mstombs

    mstombs Network Guru Member

    If you watch the lease time in the Tomato GUI and the dhcp messages in the log - does it renew cleanly at half-time? If it fails to renew and times out it will do a full "Discover" and even though it gets the same IP it will probably restart the WAN.
  8. theymos

    theymos Addicted to LI Member

    That seems to be the problem, mstombs. How can I fix it? I'm sure this has worked before.

    The RG is at The router is at These log entries repeat on a 10-minute cycle, as you would expect.

  9. acollado

    acollado LI Guru Member

    I'm wondering why the DHCP server isn't responding at the halfway point when the Tomato DHCP client starts asking for a renew? Or is the server responding? There should be ACK or NAK messages from the DHCP server either way if the communication path is good.

    It looks like the router isn't getting ANY renewals until the lease expires, even though it is requesting them. The router is doing the right thing by disconnecting when the lease expires though...
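
Added example, not part of any post in this thread: a log check for the pattern discussed in posts 7 to 9, counting renew requests that go unanswered before the lease is lost. The sample log is constructed, and it assumes the router logs BusyBox udhcpc's usual message wording; `sample_log` and `classify_leases` are hypothetical names.

```shell
#!/bin/sh
# Constructed sample (not the poster's log): a 10-minute lease that is never
# renewed, followed by one lease that renews cleanly at half-time.
sample_log() {
cat <<'EOF'
Jul 22 10:00:00 router daemon.info udhcpc[311]: Lease of 192.0.2.10 obtained, lease time 600
Jul 22 10:05:00 router daemon.debug udhcpc[311]: Sending renew...
Jul 22 10:07:30 router daemon.debug udhcpc[311]: Sending renew...
Jul 22 10:08:45 router daemon.debug udhcpc[311]: Sending renew...
Jul 22 10:10:00 router daemon.info udhcpc[311]: Lease lost, entering init state
Jul 22 10:10:00 router daemon.debug udhcpc[311]: Sending discover...
Jul 22 10:10:01 router daemon.debug udhcpc[311]: Sending select for 192.0.2.10...
Jul 22 10:10:01 router daemon.info udhcpc[311]: Lease of 192.0.2.10 obtained, lease time 600
Jul 22 10:15:01 router daemon.debug udhcpc[311]: Sending renew...
Jul 22 10:15:01 router daemon.info udhcpc[311]: Lease of 192.0.2.10 obtained, lease time 600
EOF
}

# Read syslog text on stdin and classify each lease cycle:
#   renewed           = a renew request was followed by a fresh lease
#   expired           = the lease was lost (udhcpc falls back to discover)
#   unanswered_renews = renew requests sent in cycles that ended in expiry
classify_leases() {
    awk '
    /udhcpc/ && /Sending renew/ { pending++ }
    /udhcpc/ && /Lease of .* obtained/ {
        if (pending > 0) renewed++      # a renew was answered
        pending = 0
    }
    /udhcpc/ && /Lease lost/ {
        expired++
        unanswered += pending           # every renew in this cycle went unanswered
        pending = 0
    }
    END {
        printf "renewed=%d expired=%d unanswered_renews=%d\n",
               renewed, expired, unanswered
    }'
}

# Demo on the constructed sample; on a router, feed it the system log instead.
sample_log | classify_leases
```

A non-zero `expired` count with several unanswered renews per cycle matches the behaviour acollado describes: the client asks, nothing it can see comes back, and the lease runs out.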
  10. theymos

    theymos Addicted to LI Member

  11. mstombs

    mstombs Network Guru Member

    Good link - I wonder if it would have fixed the dualwan dhcp problem I encountered here:-

    Well you can just try adding this

    iptables -I INPUT -p udp --sport 67 --dport 68 -j ACCEPT
    to the firewall script through the Tomato (administration->scripts), but there are many differences between Tomato and dd-wrt in this area, so a subtly different solution may be needed.
  12. theymos

    theymos Addicted to LI Member

    Putting the iptables command in the "firewall" script area fixed it. Thanks for all of your help! :biggrin:
  13. mstombs

    mstombs Network Guru Member

    Good result - definitely a candidate for FAQ since it seems to affect any router with an SPI firewall - and only 3rd party ones with optional firewall scripts will be able to be fixed.

    Can't help but think the dhcp server in the gateway is broken - replies are lost because they appear to originate from a different IP than the requests were sent to?
  14. zeteticApparat

    zeteticApparat Addicted to LI Member

    'iptables -I INPUT -p udp --sport 67 --dport 68 -j ACCEPT' (entered manually at the ssh prompt at least) has not solved the issue for me.

    I have verified the problem in the following way:
    Begin a reasonably large wget on a LAN computer, and then run 'dhcpc-renew' on the router. The wget promptly stalls (and does not recover).

    As the DHCP lease provided by the modem is 30 seconds (and this does not appear to be changeable), this is most frustrating.

    Any suggestions to alleviate this problem, even if only partially*, would be appreciated.

    (Is it possible for example to force the router to only DHCP renew on a much longer interval? I realise this would be a bad idea in many ways, but it would help for the time being; my WAN IP isn't changing every 30 seconds…)
  15. vanhh

    vanhh Network Guru Member

    Yup, it fixed it. @ mstombs: Do we need to put a source ip in the script? If so, the source ip should be the modem ip, right? Thanks.
  16. mstombs

    mstombs Network Guru Member


    30 or 60 second leases are typical of adsl routers running half-bridge, if you can use PPPoE you should be able to use a full bridge mode, if PPPoA you are stuck.

    Do you see the same pattern of failures to renew in the log? If not could be another problem (I don't like D-Link ZIPB for example, but recent firmwares have improved things).


    But what modem IP do you use? You can use "-i $(nvram get wan_iface)", wan_iface is usually "vlan1" for dhcp. This makes the rule more specific, less opportunity for abuse.
  17. vanhh

    vanhh Network Guru Member

    Thanks for your reply. I was thinking about using my standard modem ip as 192.x.x.x. I have dsl with dynamic ip not static ip. So using vlan1 (cause it's different from the standard modem ip) might not be possible, because it changes anytime the modem reboots. How do you go about getting the script to obtain the vlan1 automatically? It would be great if we can have something like that, because like you said 'less opportunity for abuse'. By the way I am a Linux noob :) . Thanks again mstombs.
  18. zeteticApparat

    zeteticApparat Addicted to LI Member

    I am, indeed, stuck.

    I believe that I am not seeing those renew failures. PasteBin of a bit of my log. (If I need to run at a non-default debug level, please say.)

    For the time being, I'm just killing udhcpc. Obviously this prevents my IP address updating when it needs to, but at least it means I can keep connections open.

    (My modem is a Voyager 220V by the way, which I believe is something like rebadged Dynalink RTA1320. Edit: Actually, I may be wrong on that.)
  19. mstombs

    mstombs Network Guru Member

    "vlan1" is the name of the Linux WAN interface, $(nvram get wan_iface) looks it up. I'm not sure that allowing dhcp reply packets from all the interfaces, including the LAN, is a big issue - dhcp is an old protocol with no inherent security.
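
Added example, not part of any post in this thread: the rule from post 11 written for the Tomato firewall script and scoped to the WAN interface as suggested in posts 16 and 19, so DHCP replies are accepted only where the upstream server lives. The function names, the `vlan1` fallback and the optional source-address argument are assumptions; the `iptables` options and the `nvram get wan_iface` lookup are the ones quoted in the thread.

```shell
#!/bin/sh
# Resolve the WAN interface name from NVRAM. "vlan1" is the usual DHCP value
# mentioned in the thread and is used here only as a fallback (assumption).
wan_iface() {
    i=$(nvram get wan_iface 2>/dev/null) || i=
    echo "${i:-vlan1}"
}

# Accept DHCP server-to-client replies (udp 67 -> 68) on the WAN interface only.
# Optional $1: expected server address. Leave it empty if the replies may come
# from a different address than the one the requests were sent to.
allow_dhcp_replies() {
    src=$1
    set -- -i "$(wan_iface)" -p udp --sport 67 --dport 68 -j ACCEPT
    if [ -n "$src" ]; then
        set -- -s "$src" "$@"
    fi
    # Delete copies left by earlier manual runs so exactly one rule remains.
    while iptables -D INPUT "$@" 2>/dev/null; do :; done
    iptables -I INPUT "$@"
}

# Act only on the router itself, where the nvram tool exists.
if type nvram >/dev/null 2>&1; then
    allow_dhcp_replies
fi
```

After the next renewal, `iptables -L INPUT -v -n` shows whether the rule's packet counter moved, which confirms the replies are arriving on the WAN interface and matching it.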
  20. mstombs

    mstombs Network Guru Member

    Is there now a checkbox to enable dhcpc log messages? - because the dnsmasq (lan dhcp and dns) is clearly being restarted. jan.n also has this problem:-

    which pretty much confirms the issue is dhcp renewals, but whether it is the modem rejecting the requests, or the router the replies, I can't tell.

    That's Broadcom, and they usually have their own IP extension method of half-bridge. What style IP address/Gateway/Netmask does the Tomato router get? ZIPB gives the gateway address same as IP and as netmask, and the router doesn't get a proper default gateway. I strongly suspect this is the heart of your problem - in half-bridge mode the modem has a local lan IP but serves up the real WAN IP, the authors of the Linksys/Tomato equivalent of dhcpc accept script seemed to assume the isp gateway is in the network defined by IP address/netmask. I still have to use a firewall script with my half-bridge modem, basically still the same as here
  21. zeteticApparat

    zeteticApparat Addicted to LI Member

    Looking at the WAN section in the overview:
    IP Address == Gateway, and the Subnet Mask is
    So it certainly seems possible that this is my problem.

    Edit: I'll try your scripts.
  22. zeteticApparat

    zeteticApparat Addicted to LI Member

    Okay, with my firewall script looking like this, the problem is not solved. (However, it may well be that I'm being blindly ignorant in my copy-pasting.)

    A more useful log, hopefully.

    Edit: Noting that the netmasks are different in the suggestion you made and mine. I apologise for being so stupid about this. Nor is the situation with the router IP and gateway the same. I guess I was clutching at straws. It appears more that my modem is acting more like the D-Link zipb case?
  23. mstombs

    mstombs Network Guru Member

    Do you get lots of entries in the "device list" from the arp table?

    Note my situation is different - the gateway is the ISP gateway the other side of the modem. In your case I would try a Firewall script that just sets the default route through the modem

    MIP='your modem IP'
    IF=$(nvram get wan_iface)
    route add -host $MIP dev $IF
    route add default gw $MIP
    I'm pretty sure the clean-up commands are not needed with Tomato - it clears the route table for you on wan reconnect - but do check what normally gets into the route table through web gui or "route -n" - multiple default routes breaks things.
  24. zeteticApparat

    zeteticApparat Addicted to LI Member


    Tried your script (after inserting my modem IP, and prefacing with the iptables rule). Still no luck. It seems to insert the rule as expected, but is followed by a second default rule:
    I don't know if this is expected, (getting the Firewall script to remove this route makes no difference.) Edit: Apologies, you did say two default rules is a bad idea.

    Thank you for your assistance so far. :)
  25. mstombs

    mstombs Network Guru Member

    Just checking - you can normally access the modem web gui? This will confirm that the routing allows bidirectional comms. The modem local network range is different to the router LAN range?

    The old ZIPB code I don't like fills the device list with entries - linking any internet IP address with the same modem MAC address, it leads to "Neighbourhood table full" or similar errors as the Linux arp table is limited to 256 entries I recall. See
    for more info on that issue (a Linux router - but not Tomato referenced)
    This is inefficient but shouldn't break the dhcp renews!
  26. zeteticApparat

    zeteticApparat Addicted to LI Member

    Modem-LAN: #Web interface is accessible.

    IP Address: 86.133.x.y
    Subnet Mask:
    Gateway: 86.133.x.y

    The firewall script I was using:
    This does seem to solve the Device List table filling with internet addresses linked to the modem MAC address. (Which is a definite advantage, thank you.) (Also I confirm that internet access does work with the resulting routes.)

    It doesn't solve the connection dropping on DHCP renewal (manual or on lease end). Nothing new in the logs as far as I can see. I'll try to get a 'clean' log of a dhcpc-renew (when I won't irritate any other users.) and further confirm to myself that I'm not losing my sanity.
  27. mstombs

    mstombs Network Guru Member

    You do now seem to have the same problem I had when attempting to use a second dhcp WAN. To analyze fully you need to use something like Wireshark, attached to a hub between router and modem with some expert filters to just capture the dhcp traffic. There must be something different between the broadcast "dhcp discover" packet and the direct "dhcp renew" - suggest the modem is now simply not replying to the renew request. You can do similar analysis with custom iptables log messages, or there are binaries of tcpdump around - but these will be a biased 'tomato' view. Clearly some modem firmwares are less fussy. But even if you can identify the problem - it may not be easy to fix - the messages are triggered by udhcpc executed via kernel calls. udhcpc is part of BusyBox so it 'might' be worth trying a victek or teddy_bear build with later BusyBox versions, just in case it has been fixed upstream.
  28. DannyMac

    DannyMac Guest

    Having the same issue...

    Well, I'm having the same issues as theymos on my WRT54G v2, but these issues ONLY arose when I updated to version 1.25 from 1.23.

    To test this, I watched as the lease expired (my WRT54G is connected to a 2wire DSL modem) during a download. When the timer hit zero and the new lease was issued, the download froze. I wouldn't have gotten the idea to watch the lease time if it wasn't for this thread! :)

    My WRT54G is the only device connected to the 2Wire and I have a static IP... I think I'll just hardcode the WRT54G's IP and skip DHCP altogether.

    Now that I think of it, DD-wrt must have been doing the same thing when I had it installed! If it wasn't for this bug, I would have switched to Tomato in the first place, LOL! Sadly, it's resurfaced, this time in Tomato. :\
  29. mstombs

    mstombs Network Guru Member

    Good information - I believe BusyBox (and therefore udhcpc) was upgraded between these versions. I have a production router still running 1.22, I'll check carefully sometime.