Tomato RAF Releases

Discussion in 'Tomato Firmware' started by Victek, Dec 28, 2012.

  1. RonV

    RonV Network Guru Member

    Based on what I have read about Cubic and other congestion algorithms both endpoints must support it. I just wish AT&T, Comcast, etc. would define these protocols in their endpoints publically.
  2. alexlau

    alexlau LI Guru Member

    Another paper on the topic:

    Is there any way to know whether my ISP is using CUBIC?
  3. Victek

    Victek Network Guru Member

    Difficult to know, it depends on the OS used, Cisco routers series >2800 use cubic but as always it can be changed by the IT admin, cubic is the default network congestion mechanism for linux >2.8 .... more paper and some exercises to degrade the quality in your connection to test the method ...

    A comment; If your Ethernet line is 56Kbps then you are limited by the modem capabilities.. not by the router.. we are talking about high bandwidth connection speed.
  4. RonV

    RonV Network Guru Member

    Scratch this issue. Found out that the 404 or other error HTML must be more than 12 lines or IE will display its friendly error page vs. the web site's ...I am good....
  5. Victek

    Victek Network Guru Member

    Again IE .... damn browser :rolleyes:
  6. RonV

    RonV Network Guru Member

    Not just IE...Chrome does the same...Darn Google!
  7. BlaSTiWi

    BlaSTiWi Network Guru Member

    Ahh ... that's what I thought ... the existence of JFFS section in the admin & 64K available in the JFFS section kinda threw me off ... tkx for confirming lefty!
  8. koitsu

    koitsu Network Guru Member

    Your ISP should not have any bearing on the congestion mechanism/model used by two endpoints (client (you) and server (someone else on the Internet) -- or vice-versa if the roles are reversed). Your ISP, as well as all routers on the Internet, should only be paying attention to the IP header portion of the packet and forwarding it along with the unmodified payload (TCP portion, etc.) to the next relevant hop/router along the path from source to destination. Routers generally do not pay attention to the TCP payload portion of packets**. The TCP portion of the packet, along with its payload, is not rewritten by Internet routers, nor is it rewritten by ISPs**.

    Meaning: your ISP does not "need to use Cubic". What matters is whether or not you (client) and server (someone else, or you if you own the system) are using that congestion mechanism.

    Things like hop-to-hop latency caused by an infinite number of possibilities/reasons (which could affect internal behaviour/responsiveness of the congestion mechanism depending on how it's implemented) are something completely separate/unrelated.

    Politely and respectfully, no insult intended (honest!): I would recommend spending some time learning more about how IP and TCP actually work, as well as the OSI model, before partaking in a discussion about TCP congestion control. These sorts of topics should commonly be left to network administrator-type folks, or at least folks who have extensive familiarity with TCP/IP in general, including all its nuances (ex. RFC1323 features, RFC2018/2883 selective ack, Nagle algorithm, etc.).

    ** -- And yes I am well aware of the ISPs with devices (ex. Sandvine) which do layer 7 inspection and/or falsify/rewrite portions of the packet. I am not talking about those environments. I am talking about the majority which do not do such things, and how actual routers -- not "man-in-the-middle" throttling or manipulation devices -- behave. I'm also excluding ISPs which use NAT themselves and delegate reserved IP space to their customers (I know of a couple ISPs in Norway which do this, for example), because NAT involves rewriting most parts of the packet.
  9. RonV

    RonV Network Guru Member

    I think a lot of folks here understand what TCP/UDP and circuit paths and values that control traffic and that the software running on the ISP network plays into the performance. Here in the US it is well known that most of the big providers (AT&T, Comcast, Verizon) all do deep packet inspections and can/do rewrite headers, shape traffic, etc.

    I once got a letter from AT&T about using my home internet service for business purposes because I was working from home for a week and had to use a corporate VPN which of course is encrypted. When I was a Comcast subscriber 4 years ago I received a DMCA (Digital Millennium Copyright Act) warning letter due to the secure VPNs I was using along with beta testing of VOD services. It is well known that Comcast did and still does traffic shape services like Netflix and Amazon to restrict bandwidth to a lower quality experience since they compete with their core services.

    Going back to the premise that the ISP must support congestion control due to the policies implemented by the ISP still holds true at least here in the US.

    I really like the idea of Cubic and TCP Vegas as algorithms to reduce congestion. It just seems the more the little guys invest into these methods the more the big guys try to keep us down.
  10. koitsu

    koitsu Network Guru Member

    No, most folks here do not understand "circuit paths" and do not understand how IP actually works. I have only encountered a handful of people here who actually do packet analysis and have extensive familiarity with tools like Wireshark (and not just "running it and capturing packets and saying "okay that's cool"").

    Here in the US, as of this writing, all three major ISPs you listed off -- AT&T, Comcast, and Verizon -- do not do any kind of packet rewriting. The only one which has had a history of such is Comcast and their Sandvine device, which was not rewriting packets, but instead injecting falsified TCP RST back to the client, as a form of rate limiting. They haven't done that for years now.

    I would love for you to post your DMCA story, with photos/scans of the documents you received, over on the Comcast HSI forum on There are tons upon tons of people who use VPNs and encrypted traffic at all times (myself included) who have never received such notices. Be sure to disclose that it was 4 years ago, but I still urge you to do it.

    Finally, I will reiterate my point, because it's a technical one: an ISP's routers have no bearing/effect/role with regards to the congestion control mechanism chosen by the client (in this case, a Tomato router, using Cubic or Reno or any other model) and the server (remote end). More clearly written: your ISP does not need to use Cubic, or "support Cubic", for Cubic to work. The same goes with any other TCP congestion control mechanism.
  11. Marcel Tunks

    Marcel Tunks Networkin' Nut Member

    Koitsu, I'm one of those people who doesn't understand TCP, so I'm going to ask a stupid question (trying to learn):

    Will the matching of ISP and end-user congestion control algorithm affect efficiency of communication with the ISP's DNS servers or with speed tests?
  12. shibby20

    shibby20 Network Guru Member

    @Vic - string module for IPv6 is missing.

    If you have IPv6 enabled and try to add a new access restriction rule (or you already have one) then you've got an ip6tables error.

    I made my own string-ipv6 module and it's working. I will push the module to git soon. If you want it earlier I can send it to you via email.

    Best Regards.
  13. Victek

    Victek Network Guru Member

    You're right, forgot to add. I have a workaround for ctf... disables principal features (too many) but it works. ditto... ;)
    Elfew likes this.
  14. shibby20

    shibby20 Network Guru Member

    Working ctf is really good information. Even with a few features disabled like QoS, BW Limiter, cstats, rstats ... If someone has that huge bandwidth, then he doesn't need QoS etc :)

    Many users (asus users) back to OFW because tomato is limited to ~100-120Mbps.
  15. Elfew

    Elfew Network Guru Member

    Good work, both of you guys!
  16. JAC70

    JAC70 Addicted to LI Member

    Would love a full-speed version. When you have 150/10, you don't need QoS. ;)
  17. Elfew

    Elfew Network Guru Member

    Yes, I have 150/100 and I don't use QoS, only BW limiter for some devices on my network...

    Sent from my GT-I9000 using Tapatalk 4 Beta
  18. koitsu

    koitsu Network Guru Member

    No (and I've covered this twice already, so this now makes a third). Most/majority of ISPs' routers forward packets based on the IP header, and this has no effect/control/etc. over whatever TCP congestion algorithm you (client) and the remote end (server) choose.

    If you're instead asking "will a TCP congestion control algorithm affect** DNS lookup performance and/or speed tests on places like", then the answer is yes, however it's all highly dependent upon an almost infinite number of variables/conditionals. I imagine in most cases you will find no real difference, but that's also speculative because as I said, the number of variables/conditionals is extreme and they vary per every person and will even vary for an individual one day vs. the next (e.g. increased latency caused by some intermediary backbone provider that wasn't there the night before, etc.).

    There are official white papers written on most of the major algorithms and I urge folks interested in learning to read them in full. Yes they are highly technical and extremely "math-oriented" and require existing knowledge of networking. But that should go without saying.

    Worth reading:

    Should note 2nd URL contains a page/slide listing off bugs found in the different algorithms (since been fixed in relevant Linux kernel updates).


    ** - Note that affect here is intentionally chosen: the effects could be positive or they could be negative, depending -- like I said above -- on an almost infinite number of variables/conditionals.
    Marcel Tunks likes this.
  19. Marcel Tunks

    Marcel Tunks Networkin' Nut Member

    Thanks Koitsu!

    I had long suspected that the congestion control fanatics eke out marginally better numbers on and mistakenly think it will translate into better performance with real world applications. Your explanation and links were very helpful.
  20. koitsu

    koitsu Network Guru Member

    Yeah, the issue is as I said -- most people do not understand how congestion control mechanisms work, and those same people end up using things like bandwidth testers (like across the Internet to determine "if things are better". This is not how you actually test stuff, especially congestion algorithms, because to do proper testing you need control over both the client and the server.

    In fact I even encountered somewhat recently a Slashdot thread talking about MIT's Remy TCP congestion control algorithm -- which is still "partially a mystery" to them as to why it works/how it works -- where someone referred to Remy, Reno, Cubic, etc. as a type of QoS. Bzzzt, wrong. QoS is not a type of congestion control -- they're completely different and unrelated things that solve completely different problems in completely different ways. There's just too many people online these days who don't have a good understanding of how things work under the hood, but instead have too much familiarity with "click and install and press a button and omg magic". I see it in the PC enthusiast crowd all the time -- too many waiters (generic end users) or bosses (managers) and not enough chefs (engineers). :)

    I say all this with the opinion that Tomato probably should, universally, look into including Cubic in the kernel as a congestion control choice. Whether or not it should be made default is a different matter. Tomato uses Linux 2.6.22, which should have the well-known bugs in Cubic fixed, but possibly not all of them -- someone on LKML or actively familiar with the kernel networking code would be an ideal candidate to review stuff between 2.6.22 and 2.6.39 (the latest) to see if there have been any other changes that may affect things. Moving to 3.x is not an option unless Asus, Linksys, etc. make the migration -- and it's a massive undertaking (and they probably won't, barring those new-ish ARM-based routers coming out, which I do look forward to).
  21. RMerlin

    RMerlin Network Guru Member

    The Northstar platform is based on No idea if Broadcom also supports other kernels in their SDK, I suspect they don't if Asus ended up going with that kernel (same with Netgear - no idea about Linksys or DLink).
  22. gffmac

    gffmac Networkin' Nut Member

    Hey Guys, my speed has just been upgraded from 100Mb/5Mb to 120/10Mb as you can see from my download is pretty much as it was. Do you think that's the limit of my e3000's processor?


    Using latest beta.
  23. Elfew

    Elfew Network Guru Member

    I think it could be.... because with my RT-16n and latest beta build from Victek I have about 138Mbit/95Mbit (my internet connection is 150/100Mbit, but with original modem from provider I get same speeds=138/95)
  24. macgyver

    macgyver Reformed Router Member

    Are you running your processor at stock speed or 532/266/133? I have been running all E3000 at 532/266/133 for years without issue and a 10% increase in clock speed should help out...keep in mind there's not much difference between 532 and 600MHz (like RTN-66U) especially when it comes to BOGOMips but the max clock for E3000 is 532/266/133 compared to stock clocks of 480/240/120
  25. gffmac

    gffmac Networkin' Nut Member

  26. Victek

    Victek Network Guru Member

    Great!!!, good finding.
  27. zavar

    zavar Networkin' Nut Member

    Wow that's really strange. Any idea why a gig switch would be limiting things?
  28. Elfew

    Elfew Network Guru Member

    Buggy firmware in switch, and poor hw... Just switch for the lowest price manufactured by Chinese kid in the basement during the night ;)
    It is sad but it is true
  29. Victek

    Victek Network Guru Member

    Tenda it's observed as good design devices (externally), latest models W1800R it's a RT-AC66U inside and other models are very similar to average manufacturer ....
    gffmac likes this.
  30. Toastman

    Toastman Super Moderator Staff Member Member

    I would agree with Vic. I've used quite a few Tenda devices and have always found them to be well engineered and functional, without the stupid price tag. I have recommended them to many people and have never had anyone say they were disappointed.


    Many problems experienced by people with regard to incorrect operation of 1Gbps ethernet on their routers are caused by fake cable. It is very very common for 4 of the wires used for 100Mbps connections to be fine, but the other 4 which are used to expand the functionality to 1Gbps are made of high resistance wire and will only work for a few metres on length. Also, there is always a percentage of failed connectors, I think most of us experience around 5%.
  31. eahm

    eahm LI Guru Member

    Victek do you have a changelog for x? Thanks.
  32. Victek

    Victek Network Guru Member

    eahm likes this.
  33. eahm

    eahm LI Guru Member

    Forgot about that file, sorry and thanks.
  34. Elfew

    Elfew Network Guru Member

    Sorry for my last comment but I have bad experiences with Tenda devices... 2 of them gone after a few weeks... Maybe quality is better now or I didn't have luck...who knows.

    Thank you for your new build, I am going to flash it
  35. gffmac

    gffmac Networkin' Nut Member

    Goodie a new beta to try out :)

    The Tenda switch was fine in the end (sorry Tenda!), it was the sub standard cable that was between the switch and my pc, silly me :p
    Elfew likes this.
  36. Victek

    Victek Network Guru Member

    As usual the forum it's one space to share opinions and ask for help when something is wrong with your device. Few users post in forums when the unit or firmware works OK (except Tomato users.. Thanks!). Tenda says they produce 80.000 units every day .. and we read 3 negative comments (now 2 after gffmac solving), not bad !.

    If I had to buy one router after I read ASUS, Linksys, Netgear forums negative comments I'll not buy any.... The happy users don't post if the unit works ... ;) it's the crude reality in the world for any event.
    cap2549 and Elfew like this.
  37. were55

    were55 Addicted to LI Member

    Hi Victek,

    I upgraded my Rt-N16 from beta-k version to beta-x version, but SAMBA was not working fine, it was not mapping the path correctly, that means, when I opened explorer then opened the mapped disc, I had to change the directory to the next folder level; this did not happen with the k-version.

    I compared nvram and found:

    this is for k-version:
    and this for x-version:
    Any clue? I had not much time to make more tests, my kids were upset (to see their movies), so I had to rollback, but I will test on Monday again.

  38. Victek

    Victek Network Guru Member

    I did not change anything in samba.. would you test again?
  39. gffmac

    gffmac Networkin' Nut Member

    My samba share to cifs is working as it was.
  40. Elfew

    Elfew Network Guru Member

    I think there is no problem on my RT-16n... but I will test it again in the evening.

    Did you erase NVRAM and set by hand everything?
  41. RonV

    RonV Network Guru Member

    I put up the "x" version last night and samba is working fine also. So far it's been up for 12 hours and I have been stressing the router overnight with two wireless video cams just pumping their streams to a Blue Iris camera DVR on the wired network. The real test comes today with daily usage by the family and me.
  42. were55

    were55 Addicted to LI Member


    thanks...I tested again and found the problem, it was with the "Auto-share all USB Partitions" option, I had to change it to "disabled", now it is working as expected.

    thanks again :confused:
  43. Victek

    Victek Network Guru Member

    were55, thanks for reporting the finding. In this version (x) the target is testing WAN-LAN multiple connections performance using the CUBIC congestion algorithm. The module is updated, you can check in the log file that Reno is registered at the boot and 27 lines later Cubic takes the control.
  44. zapoqx

    zapoqx Networkin' Nut Member

    Well I have been testing it since X has released. I can say that it has been really great. I hit 139/25 (considering I can get up to 150/20, that is nice) which is the closest I've ever obtained (previous to W, it was barely 100 no matter the day). I did also take some advice from an earlier post by increasing clock frequency (not the 532 option, just 500).
    The only thing I have had issues with is 2 moments where the router got stuck on reboot and once again, I don't know why. This was during all my settings changes (one point was after setting guest networks and making sure everything was set by clicking reboot, another was deactivating IPv6 and getting stuck) after nvram erasing. It kinda reminded me of the reboot issue on scheduled reboot, but that one was already stated that it did not happen to anyone else (under W), so I wouldn't be surprised if with this version, no one else had the reboot issue.
  45. Victek

    Victek Network Guru Member

    These reboots are normal since it has to create new interfaces again reboots two times .. and then becomes operational .. I think you see a message about rebooting .. not?
  46. RonV

    RonV Network Guru Member

    Found a great use of the web server in Tomato RAF. Set it up as a pixelserv and pointed my poisoned DNS address to it. Now when I throw a url at it a two pixel GIF is sent back to the browsers on my network. It's fast you won't believe how much faster web sites paint now since they don't load all that AD overhead.
  47. plgvie

    plgvie Networkin' Nut Member

    Having installed x-Version today, I can confirm the router's getting stuck on reboot: Once manually initiated after configuration - LAN connection
    Now again after swapping ports' order - VPN-connection. Router by no means locally or remotely accessible and the only solution is turning it off and on again.

    This refers to: E4200v1, PPTP, OpenVPN-Client, WiFi 2,4+5GHz with WPA+WPA2 Enterprise, external logging, everything else disabled;

    All others - RT-N66U (Static, OpenVPN-Server, both WiFi-bands WPA+WPA2-Enterprise), E4200v1 (AP, both WiFi-bands WPA+WPA2-Enterprise, 1 virt.WLan WPA2 personal) and 2 E3000 (AP, both WiFi-bands WPA+WPA2-Enterprise) - have been working fine since yesterday.

    Kind rgds
  48. Victek

    Victek Network Guru Member

    That's a great finding, not? I think you can open a thread with the setup guide for other users since pixelserver it's one of the headaches for some users in the forum...

  49. Victek

    Victek Network Guru Member

    Peter, thank you for your comment, it's curious you didn't have issues with the other E4200v1 configured as AP..., I tested the last release in one E4200v1 also but the configuration was basic (no VPN). In some cases I found that after many changes (example, entering 10 MAC addresses in DHCP static) the browser was not responding after saving data and I had to refresh the local IP; the first time it happened I did the same as you ON/OFF .. but now I perceive that changes affecting DHCP (or VPN in your case) might 'confuse' the network card... please try this method next time instead of the ON/OFF switch.

    Kind Regards
    Thanks! ;)
  50. RonV

    RonV Network Guru Member

    Yes put something together tonight click here.
    Elfew likes this.
  51. zapoqx

    zapoqx Networkin' Nut Member

    Ah, you misunderstand.
    What I meant was in a previous comment somewhere in this thread, I had the issue where the reboot itself would freeze randomly as it had no fixed method as to why it did so (mentioned sometime as well after I tried installing and seemed running fine under W with the exception of that 1 scheduled reboot not rebooting all the way).
    So a good example to understand where I'm coming from and how it makes it harder for me to report at all (mind you, it is random):
    • Push Reboot on web browser. Click yes. New page comes up for the router rebooting.
    • During that time, the (now) 90 second countdown commences. Router is doing its reboot process.
    • 3+ minutes later, router power light is blinking as if it's still doing a bootup process.
      • Cannot access GUI. Wired connections seem to be still waiting for a full communication with router.
    • Another 5+ minutes later, still blinking. Maybe the numbers have done its blink once sometime in there, but otherwise, the power is still blinking. Bootup still hasn't finished.
    • Turn off router. Turn Router back on. Boot up process starts.
    • Does normal bootup process, takes about 1 minute or less, router finishes, no issue. Any changes were still saved. Any shutdown sequences needed to be done were still complete.
    See why it's difficult? I can't produce a log if there is no log to obtain to help track down WHY it does it. And nothing in the logs during bootups reports that there would be an issue. It just happens.
    Once I had my settings all placed to order and such, it works with like a less than 1% chance to do like what I stated above for the chance of not booting up after scheduled reboot.
    If anyone can reproduce it, I'd love to know what you did and how you tracked the problem, but I just can't find it.
  52. plgvie

    plgvie Networkin' Nut Member

    Most probably I wouldn't have even written about this issue if zapoqx hadn't reported the same problem; due to his report and given the fact that it's the very first time that something like this has happened since using your RAF-firmware (January 2012 on 2 E4200 and 2 E3000), I considered it important.

    A few more details:
    I did several manual reboots and changes on the other APs (E4200, both E3000): no issues at all!
    Same with RT-N99U (OpenVPN-Server, more than 45 static DHCP entries): no issues at all!

    Regarding the affected E4200 (OpenVPN-Client with approx. 15 static DHCP entries): it behaves exactly as zapoqx has described it.
    It does not appear anymore at the status-page of the OpenVPN-Server and cannot be reached anymore via VPN; same for all of its clients (NAS, several IP-Cameras) which can't be reached anymore. For emergency reasons remote access via https has been activated for the router and as a forwarded port to the DSL-Modem but no response either. Right now it's still stuck but I will be on site later today, so I can try whatever you want me to do, but I'd guess that refreshing IP won't help.

    Kind regards
  53. macgyver

    macgyver Reformed Router Member

    initial testing with build 'x' on E3000
    lost connectivity with router at least 5x during router config; never seen this before...lost wireless signal on both bands and took a couple minutes to come back up after making changes in config...also seems to take much longer than usual to boot..using OpenVPN server in config if that has anything to do with things...the router just doesn't feel right during boot...will test more in morning...thx for the new build :D
  54. zapoqx

    zapoqx Networkin' Nut Member

    well, to add since others reporting about it:
    I do not use OpenVPN, so that takes that portion out of the equation on my end.

    I figured I should mention that since the 2 of you mentioned using OpenVPN.
  55. martinqiu

    martinqiu Addicted to LI Member

    Cisco - E3200 VLAN-VPN-NOCAT-NGINX

    Thanks, Victek. great works!
    Is there anybody used this build on E3200? I have used on RT-N16 (

    and it works very well,but when I use the build Cisco - E3200 VLAN-VPN-NOCAT-NGINX on E3200 there are some problems:

    1. There is no "USB" on left list items.
    2. 5G wireless sometimes drop connection.

    I do not know why, but I am sure I have erased NVRAM completely after flashing every build. I have tested both v1.1w and v1.1x. They are the same.

    I like this build! Sorry for my poor English.
  56. Victek

    Victek Network Guru Member

    You must use specific version for E3200 .. the build for RT-N16 is not compatible for E3200 ...(lost USB menu, wireless driver wrong, nvram size wrong...) ... did you?
  57. plgvie

    plgvie Networkin' Nut Member

    Just arrived there:
    Router ledwise looks totally normal, both WiFi-bands are visible - but no way to connect, neither by Lan nor WiFi, neither static nor static by DHCP nor dynamic IP, neither WIN7-Notebooks nor Android-Clients, neither Squeezebox nor Qnap-NAS,...

    Kind rgds
  58. Victek

    Victek Network Guru Member

    Did you got any log ?
  59. plgvie

    plgvie Networkin' Nut Member

    Unfortunately no log but perhaps the reason:

    As I mentioned before, both WiFi-bands seemed to be up and WifiAnalyzer showed them as expected with 2,4 and 5GHz.
    Having turned it off and on again, I had a look at the basic network page in order to see whether the last action (swapping ports' order) before it got stuck had been executed. Well it was but I saw something quite weird: For whatever unexplainable reason eth2 showed 2,4GHz instead of 5GHz and Channel setting Auto instead of 48. Put it back as it was supposed to be, and the "stuck on reboot/restart services"-issue seems to be gone.

    Kind rgds
  60. martinqiu

    martinqiu Addicted to LI Member

    Yes, I do use the specific version for E3200.

    By the way, how do you think about add "CTF Cut through Forwarding Feature"?
  61. zapoqx

    zapoqx Networkin' Nut Member

    Seems we may be getting somewhere with all the talks. That said, the router did it again last night so it's been in the reboot process for 5.5 hrs.

    Mine in all cases showed up just fine. Of course, the only ones that can see the 5GHZ signals is the ipads here. But the point being on my GUI, nothing like that is happening. Also, on Device list, those that are connecting to 5GHZ are indeed appearing to eth2 which should be normal. And Network page is also not showing that.
    So swapping ports order... so you're saying for the connection info, you used swap orders so you can have WAN, 1,2,3,4 instead of WAN, 4,3,2,1? Well... hmm... I do have that also. But I thought that is only for visual effect and nothing more?
  62. plgvie

    plgvie Networkin' Nut Member

    That's just been the last thing I could do yesterday before it got frozen. Most probably it could have been anything else - just whatever needs some services to be restarted.

    Two reboots and a couple of changes with restarting services went well, but unfortunately on another last reboot (just to be absolutely sure that everything is working fine now before confirming it here right now), same symptoms, same problem: absolutely unreachable and no log entry made it to the Syslog-Server.:(

    Kind rgds
  63. Vindicator

    Vindicator Network Guru Member

    Hi Victek!

    Could you please have a look at this post? I think this issue also affects your builds. It was introduced on commit 757b8de78297a5e31bcd3a10175b14a4691340c6 and (at least on Shibby builds) it prevents the router from making DNS queries on its own (e.g., the internal NTP service can't resolve the pool's FQDN).

  64. Edrikk

    Edrikk Network Guru Member

    Running 'X' on E3000 with no problems... Using both bands, qos, and VPN.
  65. zapoqx

    zapoqx Networkin' Nut Member

    Sounds about right. Hmm.
    Btw, your issue is on 1 of the 2 E4200v1 if I'm not mistaken, correct?
  66. plgvie

    plgvie Networkin' Nut Member

    You are right, but they are configured differently:
    1 (the working one) : AP only, no other LAN-clients, external logging within local network, everything else turned off with exception of both WiFi-bands
    2 (the affected one): WAN PPTP (no DHCP), DHCP-Server, OpenVPN-Client, DDNS, 15 static DHCP-entries, 1 forwarded port, all Lan-ports and both WiFi-bands used, external logging to Syslog-Server at OpenVPN-Server-site; remote access over https allowed, everything else disabled!

    Kind rgds
  67. Victek

    Victek Network Guru Member

    Peter, question, did you erase nvram in the E4200 after upgrading to the x release? I see some inconsistencies in default values (the wireless status) and I don't know if you changed them manually or restored from a previous config. Beta 'x' has updated modules from the 'w' version...
  68. Victek

    Victek Network Guru Member

    Thanks for the hands up Vindicator, good finding and worst effect ;) I patch now... EasyTomato guys... hands up!
    Vindicator and shibby20 like this.
  69. plgvie

    plgvie Networkin' Nut Member

    AFAIR I've never failed erasing nvram with every firmware-update/change since my very first WRT54 (HperWRT-Tibor IIRC);
    Configuration was made manually with exception of static DHCP-entries - identical practice for all 5 routers!

    I'll be there again today in the early afternoon to 30/30/30 reset, reflash, reset again and manually configure everything from scratch.

    It's a great excuse to escape the city's 39ºC and enjoy the lakesite (water:23ºC), my hammock under the birchtrees and some piña coladas:D
  70. zapoqx

    zapoqx Networkin' Nut Member

    Just trying to narrow down here. Just interesting that it's happening on what sounds like 2 E3000s and 1 E4200v1 where the only thing really in common on all 3 is Linksys devices, and even that is more of a far-fetched link considering Peter is using 2 E3000s and another E4200v1 that all have no issues.

    Also, just to mention, I did do an NVRAM erase, but I also did restore only few things from script which I checked with. That was:
    Static IP for LAN connections, DDNS entries, and forwarded ports. Everything else was done from scratch. And initially, it restarted just fine.
  71. Victek

    Victek Network Guru Member

    OK, then I can understand some inconsistencies ... do it before piña coladas!!! :D
  72. Victek

    Victek Network Guru Member

    It's Ok, these settings don't affect the related issues. Thanks
  73. Elfew

    Elfew Network Guru Member

    OK, I had a reboot this night... Uptime was over 3 days yesterday and now it's only a few hours in the status window when I checked this today.... I don't have problems with long reboot time, I think it depends on the configuration and services.

    Good luck with fixing ;)
  74. shibby20

    shibby20 Network Guru Member

    Thx Vic. I`ll wait for your patch in git.
    Victek likes this.
  75. Victek

    Victek Network Guru Member

    ... The problem with a reboot is when you have no clue what happened... do you log it externally or do you have any idea what's wrong / which service provoked it? Thanks!

    shibby, I posted a message in EasyTomato git about the bug.. I have one solution but it's tricky since we have to create the same rule for each new br(x) the user creates... not?
  76. Getting fed up with my E3200, I broke down and got an Asus RT-N66R from Best Buy. Loaded Victek's RT-N66U build and it runs great. :)
  77. Vindicator

    Vindicator Network Guru Member

    @Victek and Shibby

    There may be other possible solutions for this. For example:

    • Adding two lines: one that allows the loopback interface for udp port 53 (line 1) followed by the line that restricts all other inbound traffic for this port (on line 2);
    • Adding the '-i ! lo' operator, which would exempt the loopback interface from analysis;
    [!] -i, --in-interface name
        Name of an interface via which a packet was received (only for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. (...)
    • Or adding the '-i br+' operator, which would match any brx interface;
    [!] -i, --in-interface name
        (...) If the interface name ends in a "+", then any interface which begins with this name will match.
    I haven't personally tested these solutions, but the second one (i.e., '-i ! lo') seems the most appropriate, don't you think? (if it works :))

    Edit: Changed '-i !lo' to '-i ! lo'
    PeterFalk likes this.
  78. Victek

    Victek Network Guru Member

    Congrats! ... Just a curiosity Jeffry in the bottom label what version shows, B1 or B2? ...

  79. Vindicator

    Vindicator Network Guru Member

    OK, just confirmed that both '-i ! lo' and '-i br+' solutions are viable:

    root@router:/tmp/home/root# iptables -I INPUT 1 -p udp --dport 53 -j restrict
    root@router:/tmp/home/root# ping
    root@router:/tmp/home/root# iptables -D INPUT -p udp --dport 53 -j restrict
    root@router:/tmp/home/root# iptables -I INPUT 1 -i ! lo -p udp --dport 53 -j restrict
    root@router:/tmp/home/root# ping
    PING ( 56 data bytes
    64 bytes from seq=0 ttl=58 time=5.990 ms
    64 bytes from seq=1 ttl=58 time=3.976 ms
    --- ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max = 3.976/4.983/5.990 ms
    root@router:/tmp/home/root# iptables -D INPUT -i ! lo -p udp --dport 53 -j restrict
    root@router:/tmp/home/root# iptables -I INPUT 1 -i br+ -p udp --dport 53 -j restrict
    root@router:/tmp/home/root# ping
    PING ( 56 data bytes
    64 bytes from seq=0 ttl=57 time=7.432 ms
    64 bytes from seq=1 ttl=58 time=4.707 ms
    --- ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max = 4.707/6.069/7.432 ms
  80. Victek

    Victek Network Guru Member

    I think, in order to make it 'understandable' for tomato mods, I will prefer to use the ! lo solution because it uses fewer lines in CPU .... shibby, your thoughts? line 284 will look like this..

    // Only mess with DNS requests that are coming in on INPUT
    ip46t_write("-I INPUT 1 -i ! lo -p udp --dport 53 -j restrict\n");
    Vindicator, are you thinking the same? ... thanks a lot for your help.
    Vindicator and roadkill like this.
  81. Vindicator

    Vindicator Network Guru Member

    Good question :confused:

    '-i br+' has the advantage of only being applied to the br[n] interfaces, although it may be less efficient.

    On the other hand, '-i ! lo' could be more efficient, but it also gets applied (not sure!) to other interfaces such as vlan[n], etc...

    Considering the current bottlenecks in tomato without Broadcom's CTF binary blob, '-i ! lo' does seem more attractive. I'm just not sure whether it has impacts on configurations out there running a DNS server on the WAN side...

    PS: Glad I could give something back to the Tomato community :).
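    To compare the three rule variants discussed in the posts above without touching a live router, here is an added example (not code from the thread or from Tomato): a small model of the iptables -i match, following iptables(8) semantics for a leading "!" (invert) and a trailing "+" (prefix wildcard), run over constructed packets on lo, br0/br1 and a vlan interface.

```python
"""Added example, not from the Tomato source: models how iptables evaluates the
-i (in-interface) option so the udp/53 'restrict' rule variants can be compared.
All interface names and packets below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_iface: str  # interface the packet arrived on ("lo", "br0", "vlan2", ...)
    proto: str     # "udp" or "tcp"
    dport: int


def iface_matches(spec, iface):
    """Evaluate an iptables -i specification such as 'lo', '! lo' or 'br+'."""
    negate = spec.startswith("! ")
    name = spec[2:] if negate else spec
    if name.endswith("+"):
        hit = iface.startswith(name[:-1])   # '+' is a prefix wildcard
    else:
        hit = iface == name
    return hit != negate                     # '!' inverts the sense of the match


def rule_matches(rule, pkt):
    """A rule is a dict with 'proto', 'dport' and an optional 'iface' spec."""
    if "iface" in rule and not iface_matches(rule["iface"], pkt.in_iface):
        return False
    return rule["proto"] == pkt.proto and rule["dport"] == pkt.dport


# The three variants from the thread: the original rule with no -i, '-i ! lo'
# and '-i br+' (all inserted at INPUT position 1, jumping to 'restrict').
VARIANTS = {
    "original": {"proto": "udp", "dport": 53},
    "not_lo":   {"iface": "! lo", "proto": "udp", "dport": 53},
    "br_plus":  {"iface": "br+", "proto": "udp", "dport": 53},
}

# Constructed traffic: the router's own resolver query over loopback, LAN client
# queries on two bridges, a query arriving on a WAN VLAN, and unrelated HTTP.
SAMPLE = [
    Packet("lo", "udp", 53),
    Packet("br0", "udp", 53),
    Packet("br1", "udp", 53),
    Packet("vlan2", "udp", 53),
    Packet("br0", "tcp", 80),
]


def restricted(variant):
    """Interfaces whose udp/53 traffic the given variant hands to 'restrict'."""
    rule = VARIANTS[variant]
    return [p.in_iface for p in SAMPLE if rule_matches(rule, p)]


if __name__ == "__main__":
    for name in VARIANTS:
        print(f"{name:9s} -> restrict: {restricted(name)}")
```

    The original variant catches the loopback query, which is the breakage reported above; '! lo' spares only loopback and still covers the vlan interface, while 'br+' limits the rule to the bridges.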
  82. roadkill

    roadkill Super Moderator Staff Member Member

    hopefully by the time we'll be running a DNS server on the wan side we'll have a better solution tailored specifically (TODO)...
  83. Thanks. :) The label shows B1.
  84. Victek

    Victek Network Guru Member

    Thanks, I was wondering whether the new modification ran fine for the new flash chip in the RT-N66U labeled B2.
  85. Victek

    Victek Network Guru Member

    Vindicator and shibby20 like this.
  86. martinqiu

    martinqiu Addicted to LI Member

    Do you also have some problems with E3200?
  87. plgvie

    plgvie Networkin' Nut Member

    Reset, reflashed, reset and completely manually configured, no Piña Colada, but nothing has changed: rebooting from LAN or WLAN works well, meanwhile reboots initiated from outside (https remote access or VPN) terminate catastrophically :(

    Well, it sounds much more dramatic than it is: had it not been reported here, most probably I wouldn't ever have noticed. At least I can't remember when, if ever, I have used the reboot option.

    Kind rgds
  88. Victek

    Victek Network Guru Member

    Ok, I understood the action and... (rules in iptables are flushed and not restored) I know the reason ;) but till now I never did reboots from outside 'using https' (a risky, desperate measure as you mention, since the unit is alive in 'another world' status...). I'll try the patch and release a new beta (already with some other features and patches included in the git now).
    A) Question, when you say 'reboot from outside', do you perform the reboot via cli or just by pressing the Reboot label in the gui?
    B) Did you try to perform Reboot from outside BUT in http remote access? It will confirm my 'hunch'.
    C) Is your public IP renewed either way (local/remote) when you reboot the router? Then do you use a noip service to connect again?

    P.S. Nevertheless I think users stress Tomato to limits that a commercial firmware will not support, I like it ...;)

  89. Elfew

    Elfew Network Guru Member

    Victek, I saw your post about the new ethernet driver - does it mean that you stop development, no more adding new features (nodog and ipsec, etc.), and you start working on porting the new driver? :(
  90. Victek

    Victek Network Guru Member

    Hehe, no, I'll do it in a separate branch.. just internally ;), about ipsec... we're waiting for a new package to be released for all 'secure networking', it will save a lot of headaches, I know already what I'm talking about.
    Elfew likes this.
  91. plgvie

    plgvie Networkin' Nut Member

    Just from GUI
    https remote access
    Yes, but not exclusively. Please note that connections are not even locally available after those reboots;
    e.g. a Reboot initiated from a third-party network (wired or 3G) by https remote means that all local LAN and WiFi clients lose their connection and none of them can reconnect again; new local clients can't connect either. The router's OpenVPN client loses the connection to its server, which can't be rebuilt either. So the router being stuck is not limited to remote WAN clients.

    Same for reboots initiated from third-party networks over OpenVPN or from a local computer situated at the OpenVPN server site. I guess I've tried all modes by now :rolleyes:

    kind rgds
  92. Victek

    Victek Network Guru Member

    Ok, I'm doing a new patched beta .. try it when available. I understand that all issues are generated when you reboot the unit remotely. By the way, last question, is your Internet connection under IPv4 or IPv6? Which one? In case of IPv4, are you addressing the internal network in IPv4 or IPv6?
  93. zapoqx

    zapoqx Networkin' Nut Member

    Could your hunch be related to mine as well? Though I don't use https and technically, mine is internal as opposed to outside. Mine is IPv4, as IPv6 via ISP has yet to become available.
  94. Victek

    Victek Network Guru Member

    It's related to the Port 53 DNS services restriction... internally you can't obtain an IP because no Internet DNS are retrieved, and externally you can't refresh services to VPN by NTP FQDN ..

    Refresh your browser to update contents...


    Release 1.28.9013-RAF-v1.1y is refreshing the Beta section...
  95. plgvie

    plgvie Networkin' Nut Member

    Before you invest too much work: at least for me it's no issue at all! My routers usually stay untouched and unrebooted for a very long time. These remote reboots were just for testing due to zapoqx' comment.
    All IPv4

    Kind rgds

    PS: Did I mention that my RT-N66U (only difference:static IP vs. PPTP, VPN-Server instead of -Client) doesn't show this behaviour?
  96. Victek

    Victek Network Guru Member

    Good info and makes sense then the relation with dns service... I think.

  97. Elfew

    Elfew Network Guru Member

    Thank you for the fix!
  98. mrQQ

    mrQQ LI Guru Member

    hello, Victek,

    with your Tomato, when downloading torrents @ 10mb/s, all other requests (admin access, web browsing etc) time out. This is because CPU usage jumps to 100%. This does not happen with Linksys firmware, or very old Tomatos.

    E4200 here, NVRAM cleared, stock settings.

    Do you know how I could troubleshoot this?
  99. zapoqx

    zapoqx Networkin' Nut Member

    @mrQQ: Do you mean 10mb/s as in 10 Megabytes? If so, the only time I managed to get 10MB/s is through Steam. But then again, I have an E3000, not E4200.

    @Victek: I'll update when I have a chance. Net Access is in heavy use due to others. After update, if no issues come up during the configurations, I'll continue monitoring and post results after scheduled reboot time on Sunday.

    Edit: Just went to the website to get Y, GEEZ man. Never had my speakers on while on your website. The music scared the crap out of me. What the heck is it running under? Html5?
  100. gffmac

    gffmac Networkin' Nut Member

    I'm getting the same when I max out my connection, 100% cpu and unresponsive. Going to upgrade to Y and see if it's the same.

    Edit: Same with Y branch.
    If I set my download speed to 75% in software my e3000 cpu is at about 80% but more responsive. Limit of my router I suppose.