Discussion in 'Tomato Firmware' started by shibby20, Feb 26, 2011.
I think you wanted the MIPSR1 build not the MIPSR2
Ah, I understand now.
Is there any easy way to unbrick it?
I think you maybe needed MIPS1, not MIPS2; tomato-K26-1.28.RT-MIPSR1-140-Mini.zip
PFSense on a nano box (for constant updates) for front end and routers/switches behind it along with a RADIUS server on a another nano
I've historically run Toastman builds. I recently (past month) switched to kille72 (based on Shibby). This is on an RT-AC56U.
I'll most likely be switching to a Ubiquiti EdgeRouter 6P (model ER-6P) and running their native firmware alongside a Ubiquiti UAP-AC-LITE solely for 2.4GHz and 5GHz wireless (which I already own/use since wireless on my RT-AC56U is horrible and unstable; had to disable both interfaces). I've said this in the past -- and even tried it (I wasn't impressed with the MikroTik router I bought, returned it) -- so I probably sound like a broken record to some.
But one thing is for certain: by switching to a completely separate AP that provides wireless, I have a lot more firmware choices (ex. OpenWRT/LEDE), or other hardware/router choices (see above), since I'm no longer "locked down" by Broadcom binary blob wireless drivers. And while I'm definitely not a big fan of the UAP-AC-LITE's Java+MongoDB-based UniFi software, I rarely have to launch it (the AP is insanely stable, even despite the high amounts of 2.4GHz interference where I live). I'd also like having a router that offers a 24V PoE port since I could power the UAP-AC-LITE directly via an Ethernet cable rather than a PoE injector + wall wart. Having other firmware options also means I could run something with a recent Linux kernel, not 2.6.xx. I suppose I could run OpenWRT/LEDE (found bugs and wasn't particularly impressed with its GUI, but CLI and overall architecture was excellent), or AsusWRT/Merlin (I really can't stand Asus's GUI, feels like it's designed for gamer kids).
Anyway, everyone's needs are different. I feel like TomatoUSB has taken a pretty severe plunge for the worse with the introduction of MultiWAN, which made an absolute mess of many things + introduced way too many bugs, but worse, made it impossible for Toastman to backport the [non-MultiWAN-related] changes into his firmware. There's little recourse; kille72 and pedro's work is the only stuff that's going on right now, and I'm not so sure I like the direction that's going either. Things are kind of in a state where literally starting over makes more sense. The original Tomato project was awesome back in the WRT54G/54GL days, but it's become filled with too much junk and not enough good development (hacking yes, development no).
Could not have said it better. I was also running Toastman and I have switched to WRT (Kong) now, but would like an update of Toastman or something like that. MultiWAN is not worth all the bugs and problems. Until Tomato makes a complete turnaround I will have to stay with WRT.
Really two options. Roll your sleeves up or as I’ve said before, don’t let the door...
Slapping MultiWAN on top of the old Tomato code base was a recipe for disaster. Asus also went down the same route with their Dual WAN support, and it's also highly unreliable even after 4 years of development.
MultiWAN support is something that would have needed to be considered at initial design time. Retrofitting it causes too many issues.
I recently switched to pfSense running in a Qotom Q355G4. My plan included flashing my 3 routers to DDWRT or Asuswrt-Merlin to use them as APs. I tried yesterday both firmwares in my AC68U just to find out that both DDWRT and Asuswrt-Merlin won't allow me to change the country it broadcasts. I need the AP to broadcast the correct country information, otherwise my MacBookPro finds a Spotify cast device that broadcasts "China", sets itself to "China" and misbehaves.
I am now considering the Ubiquiti UAP-AC lineup, still studying them and already missing Tomato.
Does anybody know if Shibby's builds are vulnerable to VPNFilter?
I have yet to see an adequate description of how to test a firmware for vulnerability to VPNFilter, so the only ones at this point who likely know are either security researchers or the malware authors. It's known to afflict routers running on busybox with MIPS CPUs, but may depend on versions that haven't been patched by the OEM firmwares in years. At this point I don't think there's enough information published to test. You're welcome to read through the current writeup and confirm or deny my analysis:
ASUS pushed at least a couple new firmwares today containing in the release notes "Fixed CVE-2018-8877, CVE-2018-8878, CVE-2018-8879" which as of right now aren't showing on official CVE sites. These may correlate to VPNFilter, we'll have to wait and see.
Oddly the firmware check on the router alerted me to the new version faster than ASUS updated their website, although I was able to download it from their site by modifying the link to the old firmware with the new version number (e.g. changed 8228.zip to 8291.zip).
Two of them are minor information leaks that require access to the webui, and the third one is a webui-related security issue that I fixed a few weeks ago in my own firmware. That's all I can say for now.
The update server is totally separate from their support site, so it's always a matter of which one they update first (plus, their support site takes time to propagate throughout all their regional servers).
I retired Tomato (Shibby) as my primary gateway / firewall about a year ago (Netgear R7000). I'm using a somewhat old PC, set up as a PFSense box at the moment, which is still much more powerful than Tomato was.
I have 4 APs connected to the PFsense box (wired), all broadcasting the same SSID to provide optimal wireless coverage throughout my house. 3 of them are running FreshTomato, and one running OpenWrt-LEDE (because it doesn't support Tomato). They are all configured very simply to only act as dumb APs, with PFsense doing all the NAT, firewalling, etc.
R7000 lost password. I just reloaded an R7000 from stock to 138. All running fine. Set it up as an access point only behind a pfsense box. All working great, but I forgot the admin password. Actually I don't remember even setting one up after I flashed to 138.
Tried the Wifi on/off for 25 sec on port 223, no joy. Did a 30/30/30 and still can't get in.
Fixed it - just used the default Netgear admin/password combo. Next time I'll follow the directions.....
Funny - I could not get the wifi on/off port 233 access to work. It would connect, but no prompt.
To follow up on the security question is there a firmware based on tomato that patches KRACK vuln and dnsmasq vulns? I believe I asked this 8 months ago and nobody had an answer then. I would like to get some version of Tomato on my router that is not susceptible to these vulnerabilities. Thanks
The last release of Shibby was v140, which is from March 2017. No commits have been done since then.
Let's start with the dnsmasq CVE concern.
Those CVEs -- CVE-2017-14491 CVE-2017-14492 CVE-2017-14493 CVE-2017-14494 CVE-2017-14495 CVE-2017-14496 -- are from 8 months ago (roughly October 2017). Thus, you know the answer: the fixes are not available in native Shibby firmwares (i.e. firmwares released by Shibby). However...
Did you review the dnsmasq commit history to see if they had been addressed? Did you Google information about those CVEs, to find information like this, which clearly shows dnsmasq 2.78 or newer fixes them? Did you then review other forks of Shibby, such as FreshTomato-ARM (previously known as Tomato-ARM by kille72; it got renamed), and do some simple digging to find out that it uses dnsmasq 2.80test2, hence those CVEs are fixed in said firmware? But wait, there's more...
In both your post here and the one you linked, you didn't list what model of router you're running, so if you're using MIPS you may end up having to consider FreshTomato-MIPS from pedro311 (kille72 and him work together on both projects) which is using dnsmasq 2.79 thus immune.
As for KRACK: see my first line, and this Bitbucket Issue. You can consider other firmwares -- see above paragraphs for some -- which in those threads discuss the KRACK concern, and potential wireless driver updates from Broadcom. The FreshTomato-ARM thread, and the older Tomato-ARM by kille72 thread, have several posts in them about KRACK. Within the latter, you will find this post which should answer your question directly about ARM. As for MIPS: vendors are no longer caring too much about older MIPS routers -- Broadcom basically isn't caring, so no driver updates in a lot of cases -- and so you may be SOL there. If so, I'd suggest disabling the wireless interfaces on your router + buying a Ubiquiti UAP-AC-LITE and using it to provide WiFi capability while attached to your existing router.
Oh, it seems I did the work for you, in about 20 minutes... sorry about that.
The short of it: it's good you're concerned about security issues, but when it comes to Tomato, you really need to follow what goes on in the community regularly (re: firmwares) to get an idea of what all is going on. The situation is not particularly good right now, as there's only two forks (see aforementioned paragraphs) actively being maintained.
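For the dnsmasq part of the answer above, here is an added example (not code from any post in this thread, nor from any Tomato fork) that parses the first line printed by dnsmasq --version on the router and reports whether the build is the 2.78 final release or newer, the release the post identifies as fixing the October 2017 CVEs. The sample version lines are constructed; a testN or rcN build is ranked below the final release of the same number, so 2.78test3 is reported as not fixed while 2.80test2 is.

```python
import re

# Release in which dnsmasq fixed CVE-2017-14491 .. CVE-2017-14496 (per the post above).
FIXED_IN = (2, 78)

# Constructed sample first lines of "dnsmasq --version" output; the copyright
# years are placeholders, not real release data.
SAMPLE_OUTPUTS = {
    "old":       "Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley",
    "final_279": "Dnsmasq version 2.79  Copyright (c) 2000-2018 Simon Kelley",
    "test_280":  "Dnsmasq version 2.80test2  Copyright (c) 2000-2018 Simon Kelley",
    "test_278":  "Dnsmasq version 2.78test3  Copyright (c) 2000-2017 Simon Kelley",
}

# dnsmasq pre-releases are named like 2.80test2 or 2.80rc1.
VERSION_RE = re.compile(r"Dnsmasq version (\d+)\.(\d+)(?:(test|rc)(\d+))?", re.IGNORECASE)
STAGE_RANK = {"test": 0, "rc": 1, None: 2}  # final releases sort last


def parse_dnsmasq_version(output):
    """Return (major, minor, stage_rank, prerelease_number) parsed from the first
    line of 'dnsmasq --version' output, or None if the line is not recognised."""
    first_line = output.splitlines()[0] if output else ""
    m = VERSION_RE.search(first_line)
    if not m:
        return None
    major, minor, stage, num = m.groups()
    stage_key = stage.lower() if stage else None
    return (int(major), int(minor), STAGE_RANK[stage_key], int(num or 0))


def fixes_oct2017_cves(output):
    """True when the reported dnsmasq is the 2.78 final release or anything newer."""
    parsed = parse_dnsmasq_version(output)
    if parsed is None:
        raise ValueError("unrecognised dnsmasq --version output: %r" % output)
    return parsed >= FIXED_IN + (STAGE_RANK[None], 0)


if __name__ == "__main__":
    for name, line in SAMPLE_OUTPUTS.items():
        print("%-10s %-30s fixed=%s" % (name, line.split("  ")[0], fixes_oct2017_cves(line)))
```

Paste the router's own dnsmasq --version line in place of the samples; a mismatch between the dnsmasq release and the firmware's changelog is the usual sign that a fork has backported a fix, which this check cannot see.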
KRACK is a client-side vulnerability. If you run your router in AP/router mode, then the things that require patching are all of your clients, not your router.
Routers require patching only when running in STA mode (for instance, as a repeater).
Thanks so much. I have WRT54GL, WRT54GS and Buffalo WHR-G54S. I will ask in the FreshTomato-MIPS thread if it is vulnerable to any known CVEs.
I have two RT-AC66R routers set up as a router and access point - both running Shibby 1.40. I'm not sure if I'm dealing with a bug in the firmware or something else. The issue I'm having is that no matter what channel I set the 2.4 GHz wireless to on either router, it only broadcasts on channel 1. I rebooted after the setting change and even turned one of them completely off but get the same results. I've verified the channel 1 broadcasting with at least two different scanners.
I have a two story house and need good coverage without overlap and needless to say, without being able to change the channel, that's not working out so well.
Thanks for any help.
True, but other firmwares have been shipping AP-side fixes for this issue, as it is nearly impossible to update every client.
Tomato simply cannot do anything about it. Tomato is pretty much dead; when was the last time a new model was added?
@Toastman and @shibby20 work at ASUS.
Those don't resolve the issue. One of those "fixes" is actually a workaround that doesn't always work, and can also introduce compatibility issues (which was why OpenWRT made that workaround optional).
The only 100% reliable fix has to be done at the client level.
Yeah, they note that. But I haven't seen any device yet that suffers from it, and I have >20 different devices that work fine, and several of these devices have no fix for KRACK, e.g. security cam, Android phones, internet radio, TV.
Nonsense. It's entirely possible to either update or retire every client. The AP side changes introduce problems with clients because even fully patched clients are going to periodically send the combination of packets that triggers the "protection." The AP side changes are a hack and work like a hack. Update your clients that can be updated and retire the clients that can't. KRACK is going to be the absolute least of your problems when using an old unpatched client.
Tomato can't do anything about it because the changes have to be implemented in the wireless driver, which means Broadcom would have to write the AP-side changes. And this would then introduce problems with fully patched and updated clients.
Tomato-ARM has added quite a few models. MIPS hasn't added models in ages because there haven't been any new Broadcom MIPS routers released in ages.
I'm using /cifs1 to store logs.
Today I've updated the NAS where it's stored, from debian 8 to debian 9.
Before it was OK; now Tomato Shibby keeps trying forever to mount the network share...
Same settings on another debian 8 share, it's ok.
Am I alone with this problem?
I recently flashed Shibby 1.40 onto a Netgear R7000. Everything seems to be working fine, except Wifi 5GHz will not work unless I disable security. I did erase NVRAM (thorough) after flashing, and did all settings manually (except the static DHCP list, imported through the system command page as Toastman suggested).
I have tried different combinations of security settings (WPA, WPA2, AES, TKIP), and none worked unless I completely disable security (which I cannot do).
Anyone know how to solve this?
Also, I have another, more general question. Some time ago (probably a couple of months ago), my SSH port forwarding using putty no longer works. I use the SSH tunnel to access the web when I am on a public Wifi.
The tunnel would work very briefly (not enough to even pull one page), and then it gives me this error:
putty fatal error: network error software caused connection abort
At that time, the tunnel obviously broke.
I did not change any settings. Initially, I thought my old router (ASUS RT-N16) was dying. However, my new Netgear R7000 that I just installed gave me the same issue.
I also tried an old Win 7 machine I have not used for months (thus I cannot possibly have changed any putty settings). (Also I am not sure if a recent Win 10 update on my daily laptop caused the issue.) However, I ran into the exact same issue.
Now, just for the sake of it, I created the tunnel from the LAN side (with the computer actually on the LAN), and it works fine. (Of course, that is not a very useful way to use the tunnel.)
Then, if I establish a VPN connection (with the computer NOT on the LAN) and create the tunnel using the LAN IP, it also works.
I have "Remote Forwarding" checked. Unchecking it seems to disable forwarding entirely; the tunnel then won't even work briefly.
It may be an issue in the middle, not at the ends, i.e. a routing or hardware failure along the way between wherever you were remotely and your home connection.
I tried a friend's home wifi, and my cell phone hotspot, both have the same issue. These are two different carriers.
Try using a different port #.
Try changing the Country under Advanced/Wireless to something like Singapore
Tried and did not work.
I tried both changing the router's SSH server port and the putty dynamic forwarding port. Still the same problem. I did not try the default SSH port 22 though; however, I doubt that is the issue, since if I create a VPN connection first, then SSH using the LAN IP, it works just fine. For now, I am using the VPN+tunnel as a workaround.
Strange problem AFAIK. Hope some network guru can help?
Tried. Did not work. Tried 2.4G with EU/US, 5G with EU/Singapore/US in different combinations, with or without reboot. Did not work. Only works when security is disabled (which is not a solution).
Anyone have a similar problem? I read on another forum that one person had the same problem with Advanced Tomato; however, that firmware defaulted to Malaysia, and once he changed it to EU, it worked. I am not sure why it is not working for me.
What happens when you try from the LAN but connect to the WAN IP? I.e. phone has IP 192.268.1.5, ssh to WAN IP 188.8.131.52.
It works. As long as I do not tunnel web traffic, the connection stays up. If I open a dynamic port forward, then as soon as I start to tunnel traffic, the connection aborts.
I did a hard reset (more than 15 sec), and for multiple times (just to be sure), and 5G seems working now.
However, I think I might have found the real issue. In the Shibby video of flashing the R7000, there is a step to set the default MAC address for WAN/wireless eth1 (2.4G)/wireless eth2 (5G). I just noticed that I set the incorrect MAC for eth2 (5G wifi). (I do not want to test this hypothesis, as I do not want to reset and reconfigure the router all over again.)
Found one more issue with the 5G wifi. Regardless of whether I set the channel width to 40 MHz or 80 MHz, the overview screen shows 40 MHz. I changed the 5G country setting to Singapore, and still the same problem.
Anyone have any insights?
nvram export --set
does not work on ARM routers?
If so, what is the equivalent to export the settings on ARM routers (such as Netgear R7000)? I tried:
however, the output is different (and seems less comprehensive)
What do you mean by "web traffic"? I take web traffic to mean TCP traffic on port 80/8080/443 and I don't see the relation. And what are you referring to by "dynamic" port forward? Tomato's port forwarding is static, while port triggering and NAT/UPnP are dynamic; which are you using?
Does the system log show anything relevant at the time an SSH connection drops? Please configure the router as usual for WAN SSH access and run:
iptables-save > /tmp/iptsave
Then via USB drive or network share, pull the /tmp/iptsave file from the router and post. Note that it will contain identifiable IP addresses. Redact them if you wish, but leave enough of each IP intact so they can be followed across all tables/chains/rules without confusion.
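As an added example of the redaction the post above asks for (this is not code from the post, nor from Tomato itself): the script below takes iptables-save output, leaves RFC1918, loopback, link-local, multicast and similar non-identifying addresses untouched, and replaces every other IPv4 address with a stable label (HOST1, HOST2, ...) assigned in order of first appearance, keeping any /prefix, so the same address can still be followed across tables, chains and rules. The iptables-save text is a constructed sample, not from a real router, and the HOSTn labelling scheme is this example's own choice.

```python
import ipaddress
import re

# Constructed sample of iptables-save output in the style of a Tomato router
# forwarding WAN port 2222 to its own SSH server; all addresses are made up.
SAMPLE_IPTSAVE = """\
# Generated by iptables-save v1.3.8
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 198.51.100.23/32 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.1:22
-A POSTROUTING -o vlan2 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 203.0.113.9/32 -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -d 198.51.100.23/32 -p tcp -m tcp --dport 2222 -m state --state NEW -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -d 203.0.113.9/32 -j ACCEPT
COMMIT
"""

# Address ranges that do not identify the poster and are left as they are.
NON_IDENTIFYING = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
)]

# Dotted quad with an optional /prefix; a trailing ":port" is not part of the match.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(/\d{1,2})?\b")


def is_identifying(quad):
    """True when the dotted-quad string is a valid IPv4 address outside the
    non-identifying ranges above; False for those ranges or for invalid input."""
    try:
        addr = ipaddress.IPv4Address(quad)
    except ValueError:  # e.g. an octet above 255, so not an address at all
        return False
    return not any(addr in net for net in NON_IDENTIFYING)


def redact_iptables_save(text):
    """Replace identifying IPv4 addresses with stable HOSTn labels.

    Returns (redacted_text, mapping); mapping records which label stands for
    which original address, for the poster to keep privately."""
    mapping = {}

    def substitute(match):
        quad, prefix = match.group(1), match.group(2) or ""
        if not is_identifying(quad):
            return match.group(0)
        label = mapping.setdefault(quad, "HOST%d" % (len(mapping) + 1))
        return label + prefix

    return IPV4_RE.sub(substitute, text), mapping


if __name__ == "__main__":
    redacted, table = redact_iptables_save(SAMPLE_IPTSAVE)
    print(redacted)
    for original, label in table.items():
        print("%s = %s (keep this private)" % (label, original))
```

Run it against the pulled /tmp/iptsave instead of the sample and post only the first output; the label table stays with you, which is what makes the redaction reversible for you but not for readers.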
iptables-save > /tmp/iptsave
What I meant was, if I just create the SSH tunnel and do not do anything, then it seems to stay up. As soon as I push traffic through the tunnel, such as browsing the web through this tunnel as a web browsing proxy, the tunnel aborts.
Additionally, if I create the tunnel using the router's LAN IP (either from the LAN or using VPN), then it seems to work just fine.
"dynamic port forwarding":
This refers to the putty port forwarding setting that creates a tunnel, so that I can use the tunnel as a proxy to browse the web through my home router.
"iptables-save > /tmp/iptsave"
Do I execute this from Tools -> System -> Execute System Commands?
Thanks a lot!
What leads you to believe this is an issue with the router or Tomato? I assume you're running Putty on a LAN computer and not the router itself. And if that's the case, your two above statements point at an issue with the computer's firewall/configuration or putty's. As you stated, the connection becomes established (the router forwards the external port of the incoming SSH connection to the internal port of the LAN computer) and remains so until the part handled by Putty and the computer (forwarding web traffic) occurs.
Yes. Or an SSH/telnet shell.
I understand what you're saying. And yes, putty was running on a computer. However, I am puzzled that the tunnel only breaks if it is established through the WAN side. If the tunnel is established from the LAN side, either from actually inside the LAN, or via VPN from outside using the LAN IP, the tunnel works just fine. In the two cases, the firewall/putty settings are the same. Moreover, the WAN-side tunnel always worked until recently. So I am quite confused.
Will do this weekend.
So kille72 FORK does not include MultiWAN?
And if I want to switch from Shibby to Kille72, can I just flash from the Shibby interface?
While I don't use putty and am not familiar with how exactly it handles its version of "dynamic forwarding", I get the feeling it's not playing nice with the router. For testing purposes, I'd put the computer running Putty into the router's DMZ, unset any port forward lines that were added and try again from the WAN.
The purpose of using a tunnel for me is to route web traffic through a secure tunnel back to my home router when I am using a public wifi, for example. So putting the computer running putty in the DMZ would not be possible. Additionally, as I said earlier, if I create a VPN connection and establish the tunnel using the LAN IP of the router, the tunnel works just fine. This problem also started a couple of months ago without me changing any settings. So I am really confused. I have updated my putty version, and also upgraded the Tomato firmware version, and am still having the same issues. So maybe it is the Windows Firewall? Since connecting to the router's LAN IP through VPN would not be filtered by the firewall? I am going to try disabling the firewall to see what happens.
I did say for testing purposes, not as a solution. Putting the computer in the DMZ eliminates port forwarding as an issue... for testing. As you've stated several times, it works when on the same LAN; there's no port forwarding between WAN and LAN when there are only LAN IPs involved. If Putty operates on the computer as if the computer's IP is the WAN, it will start working when placed in the DMZ.
Hi Sean, I understand that. However, putting it in the DMZ only works when the computer running putty is on the LAN. However, when the computer is on the LAN, there is no problem. Unless I am missing something, I do not see how I can test the issue by putting the computer in the DMZ when I try to establish the tunnel from the WAN.
Apparently we are not on the same track. I was under the impression the computer on the LAN side was what was being connected to from the WAN side, not what was being used on the WAN side. When you're operating remotely, are you connecting only to the router via WAN? If so, exactly what "SSH server" are you speaking of that would be running on the router?
The SSH server is the one run by the Tomato firmware on the router.
Administration -> Admin Access: did you check the box for remote forwarding?
Yes. If that is not checked, then even tunnels created with LAN IP would not work.
Additionally, if the tunnel is established on the WAN IP, the tunnel would work very briefly (not even enough to load one page), and then crash. While if I use VPN + LAN IP tunnel, the tunnel works just fine. (This is currently my workaround.)
I am on FreshTomato 2018.5, and have some issues. I would like to try the stable Shibby 1.32. Can I flash Shibby 1.32 directly from FreshTomato? Or do I need to go back to factory first?
You can flash directly. Just be sure to perform the "thorough" NVRAM clear option.
Thanks a lot. I plan to do a "thorough" NVRAM clear, plus a hard reset.