Using QOS - Tutorial and discussion

Discussion in 'Tomato Firmware' started by Toastman, Dec 24, 2008.

  1. Mojonba

    Mojonba Network Guru Member

    No I am not sure. I am including three screenshots. The first is my bandwidth distribution screen while idle (some web browsing). The second one is after maxing out my download with usenet. The third is the highest connection details. I believe it is DNS because there is no GTalk or Voip traffic at that time.

  2. rhester72

    rhester72 Network Guru Member

    Is "Prioritize small packets with these control flags" checked?

  3. Mojonba

    Mojonba Network Guru Member

    Yes ACK was checked. I unchecked it and tried and now it is being classified correctly as class e, outbound port 563, secure news. Thanks
  4. Toastman

    Toastman Super Moderator Staff Member Member

    A lot of people want to try a kernel 24 build of IPV6 on their older MIPSR1 routers. ipv6 on K24 isn't really working and may never be fully implemented. Look on for information and a test build, but be warned, it isn't really a great idea.

    New version 7441 for MIPS R2 (RT-N16 etc) built from latest code as of 26 January 2011 except for NVRAM Size detect function. NB - The IPV6 may have broken IP/MAC Limiter, this will (hopefully) be fixed in 7442!



    From Wes - who did many of these mods

    WES has now posted a small K26 build that should keep you happy!
  5. nordberg

    nordberg Guest

    Heck, I want to check it out on my router (K26, has it in the GUI), but I have no idea what settings to use with a Hurricane Electric tunnel.

    Is there a good guide somewhere?
  6. Toastman

    Toastman Super Moderator Staff Member Member

  7. Toastman

    Toastman Super Moderator Staff Member Member

    Updated build 7444 posted with all latest additions from git repository. Feedback welcome!
  8. nordberg

    nordberg Guest

    Build 7444 installed, no problems. IPv6 functioning through Hurricane Electric.

    Awesome. Thanks everyone!
  9. Toastman

    Toastman Super Moderator Staff Member Member

    Perhaps people would find it useful if you would post your setup details here - several people wrote to me and said they'd like to try it too. If you have time, of course!
  10. princeamd

    princeamd Networkin' Nut Member

    Everything seems to work fine EXCEPT for the qoslimit. It seems on start up it actually starts, but the iptables rule gets "flushed" so just the tc config remains, so later if you try "service start qoslimit" the Asus RT-N16 crashes. I'm messing around in services.c to see if I can fix it. This problem was not in 7440. I like 7444 because the CTF works great with BlackBerry and YouTube RTSP.
  11. Toastman

    Toastman Super Moderator Staff Member Member

    Yes, something is wrong, but I don't get the same as you. It starts and runs ok, but here the upload limit isn't working - the download is OK. In 7440, (which is a K26 build) the reference to qoslimit.c ipt_IMQ was changed to xt_IMQ - I thought this had fixed things.

    Thanks for the feedback on CTF !
  12. shibby20

    shibby20 Network Guru Member

    Toastman, I forgot to tell you: in my modification of qoslimit, IMQ is not needed. Upload is set directly on the WAN interface.

    Did you try my qoslimit?

    BTW: xt_IMQ is only in Tomato K2.6. In K2.4 it is still ipt_IMQ.
  13. nordberg

    nordberg Guest

    Okay, here are my details...

    first make sure your router is pingable from outside and then create a regular tunnel at

    IPv6 Service Type : 6in4 Static Tunnel
    Interface name: just left it as six0
    Assigned IPv6 prefix: from Hurricane Electric tunnel details the number behind "Routed /64" but do not include /64
    Prefix length: 64
    Router IPv6 Address: from HE page use number from field "Server IPv6 address", again, do not include /64
    Static DNS: = value of "Anycasted IPv6 Caching Nameserver"
    Enable Router Advertisements: checked
    Tunnel Remote Endpoint: Your current ipv4 address
    Tunnel Client IPv6 Address: from HE use "Client IPv6 address", 64 in second box

    Left all other boxes alone.

    When my ipv4 address changed I had to go to HE and tell them of my new endpoint.


    When I go to I get 10/10 and 9/10 marks for my connection.
  14. Toastman

    Toastman Super Moderator Staff Member Member

    Thanks nordberg !
  15. Toink

    Toink Network Guru Member

    Currently downloading your latest Build 7447. For some reason it's at 4.36KB/sec :biggrin: some 18 mins to download :biggrin:

    My FTP server was not working well with Build 7445... I'm not quite sure what's wrong. It keeps timing out. Never had FTP problems with build 7441.

    Will test drive build 7447 as soon as the download is done. Thanks, Toast! :)
  16. Toink

    Toink Network Guru Member

    Toast, I've been having trouble with my FTP using this latest build as well as the other builds after 7440; You can check my post in for the log files.

    Flashing back to build 7440 for the time being.. I need the Synology's running for the business..

    BTW, is having these in the Firewall script in build 7448 a default feature:

    # Restrict number of TCP connections per user
    #iptables -t nat -I PREROUTING -p tcp --syn -m iprange --src-range -m connlimit --connlimit-above 100 -j DROP
    # Restrict number of non-TCP connections per user
    #iptables -t nat -I PREROUTING -p ! tcp -m iprange --src-range -m connlimit --connlimit-above 50 -j DROP
    # Restrict number of simultaneous SMTP connections (from mailer viruses)
    #iptables -t nat -I PREROUTING -p tcp --dport 25 -m connlimit --connlimit-above 5 -j DROP
    Also, I see NAT-PMP enabled by default in the same build?

    Thanks, Toast! :)
  17. Toastman

    Toastman Super Moderator Staff Member Member

    I just put the scripts there as an example, disabled by default I hope. Also enabled UPnP and NAT-PMP because experienced users will turn it off if they don't want it, inexperienced users will not turn it on and get no ports opening.

    The FTP - don't know what is wrong there. Explain what is wrong exactly, FTP from the router? If so, mine is running fine here, I see many many people downloading from the server, so it's strange. I'll look at changes to 7440 and see if I can spot anything, but may have to wait until the next Teddy Bear release.
  18. Toink

    Toink Network Guru Member

    Toast, the scripts are already there upon flashing/clearing NVRAM. I am also boggled by the FTP server not working. All clients cannot log in to the NAS when using the newer builds. Nothing's changed in the Synology settings as far as I know. Thanks!
  19. Toastman

    Toastman Super Moderator Staff Member Member

    Ah, thinking - maybe you need to change the NAT Loopback setting in Advanced - firewall to ALL, check if it's set to Forwarded Only. This has changed since some of the ipv6 support was added. Probably not that though.

    I also find that I need to set a port forward to the ftp server on port 21 to the router's LAN IP address. Others say it isn't necessary, but I find it so.
  20. Toink

    Toink Network Guru Member

    Ok. Forwarding ports 55536-55663 to my server did the trick for build 7448. I don't know why not forwarding those in build 7440 worked just fine... My server's now working...

    By the way, I just checked your server and there's a build 7449 in there. What changed from 7448? Thanks, Toast! :)
  21. Toastman

    Toastman Super Moderator Staff Member Member

    Just a few cosmetics, nothing to get excited about - but since I compiled it for myself, it's there. There's also a newer version 7450 since Fedor has made some new upgrades to the source code. I stress that there's no particular need to keep reflashing, if anything particularly juicy comes out, I'll point it out. The best way to see what has changed is to look at the commits at

    A few people have asked if I am going to drop the feature to change clock frequency from the GUI. No, I will keep it, those that want to use it can, and those that don't needn't. The choice is up to the user :smile:
  22. Toink

    Toink Network Guru Member

    Agree! Keep it. Thanks Toast! :)
  23. richardtaur

    richardtaur Addicted to LI Member

  24. Toink

    Toink Network Guru Member

  25. Toastman

    Toastman Super Moderator Staff Member Member

    I'm sorry, that was completely my fault! I seem to have accidentally upgraded the router with latest STD version - no USB/FTP support :oops:

    The web server has also been offline because I'm using the PC in Linux a lot, messing around with Tomato.
  26. richardtaur

    richardtaur Addicted to LI Member

    Cool! Thank you. I checked your firmware daily just for fun. ^_^

    Thank you very much.
  27. Toink

    Toink Network Guru Member

    Toast, is it by design in Build 7451 that when naming devices in Static DHCP, the underscore "_" becomes a dash "-" after saving?

    In the Wireless Filter, the underscore "_" is possible, which is the same in the lower builds.

  28. Toastman

    Toastman Super Moderator Staff Member Member

    It is now possible to enter two names in the box separated by a space. Hence the space can't be part of a hostname.
  29. richardtaur

    richardtaur Addicted to LI Member

  30. Toastman

    Toastman Super Moderator Staff Member Member

    I don't consider these releases to be worthy of inclusion in the wikis, there's very little originality here, it's just a release of what I find useful, what people request, and with some carefully chosen names for the QOS classes. I don't have time to be updating it, but if anyone wants to include it, feel free.... a mention and a link is sufficient :biggrin:

    The big problem with wikis is that they are never kept up to date and are full of glaring inaccuracies. We don't have the time to keep visiting and updating stuff which we never put there in the first place, often don't know about, and in the end the wiki does a lot of harm rather than fulfill its original purpose. The tomato wikis are mostly long out of date and full of rather misleading information.

    EDIT: I am posting builds using various code by several developers; we are working together on QOS ingress (and having great fun and learning a lot!) - at first these developments may only be in my releases but hopefully others will also adopt them later.
  31. richardtaur

    richardtaur Addicted to LI Member

    For the latest version of firmware with transmission.

    Hi Toastman:

    It seems like the password for the BitTorrent Client under the USB and NAS section can't be changed. It is always using the default one, admin11.

    Additional feature: Can the RT-N16 have a guest WiFi connection (like a virtual WiFi with a different SSID broadcasting)?

    Many Thanks
  32. Toastman

    Toastman Super Moderator Staff Member Member

    Password save seemed to work for me now, I changed it and saved (I think I did, anyway - I don't use BT). Problems due to different web browsers have been fixed - and new build posted v7453.

    I won't be including BT in future versions. It makes the router slow and unstable, as a torrent client it's too slow and as far as my usage is concerned, almost completely useless. My opinion is that it doesn't belong on a router which doesn't have enough resources to do it justice.

    NB - Files with OCN in the version=Original Class Names, and BT = Bit Torrent.

    RT-N16 may get second SSID one day but it isn't a priority, one day it will just appear, like everything else, again, it's one of those things that isn't particularly useful, but does have many ramifications when implementing it.
  33. richardtaur

    richardtaur Addicted to LI Member

    Thank you Toastman... :biggrin:
  34. peyton

    peyton Network Guru Member

    Can't log on to ftp. :eek:
  35. richardtaur

    richardtaur Addicted to LI Member

    That happens very often. Either he is tweaking tomato or on the Linux. :)
  36. bkmo

    bkmo LI Guru Member

    I loaded the BT version of this on my RT-N16 but ran into problems with transmission. After a reboot the transmission web GUI would not let me in. It spit out a "not authorized" page telling me that I should add my IP to the RPC whitelist, or disable the RPC whitelist. Well, it is disabled in the settings.json by default. If I disable/re-enable transmission then when restarted all is fine. If I revert back to Shibby's build all is OK again.
  37. Toastman

    Toastman Super Moderator Staff Member Member

  38. Toastman

    Toastman Super Moderator Staff Member Member

    I am moving the ftp server to another site, please be patient!
  39. peyton

    peyton Network Guru Member

    Great, i will ! :)
  40. Toastman

    Toastman Super Moderator Staff Member Member

    Okay, done it. DDNS seems to be working more reliably now :halo:

    I screwed up the "about" page in last compile, not too bothered about fixing it though, press on to the next one!

    Just a note to people about the IP-Range limiter. It is what it says. All IPs entered into the range box will share the assigned bandwidth. If you want to give an individual IP a fixed amount, it must be entered as a single IP or MAC.
  41. Toastman

    Toastman Super Moderator Staff Member Member

    bkmo and others, don't despair if you keep changing from one firmware to another just to try, and the prospect of entering all of your config from scratch seems daunting. The method described here is very easy:

    I just use the Tools/System command box to list the contents of NVRAM in this special format, and cut and paste it either directly into another router's system box or into a text file. You can copy your QOS rules etc. in seconds like this! After you've cherry picked the important bits out, don't forget to "nvram commit".

    **** VERY IMPORTANT***

    Many people will find they can regain a lot of NVRAM space by doing this occasionally to flush their NVRAM of dross.
  42. bkmo

    bkmo LI Guru Member

    I bit the bullet and cleared NVRAM and reset everything on your latest and all is OK now. The backup link you posted is a 404. Thanks

    EDIT: The 403 problem crept up again after a reboot. Only happens after a reboot. I have changed some settings that have worked fine for a long time, and it seems ok now. Adding

    "rpc-whitelist-enabled": true,
    "rpc-whitelist": "*.*.*.*",
    "rpc-authentication-required": false,

    to the custom config. settings seems to have stabilized things for me. Maybe they should be default? Thanks
  43. Toastman

    Toastman Super Moderator Staff Member Member

    bkmo - I expect Shibby has read this, thanks for the feedback.

    New version coming up, 7454, most bugs with IP Range Limit have been fixed.
  44. miracle2k

    miracle2k Networkin' Nut Member

    I just want to add my vote for QoS ingress - that would be so totally awesome and useful.

    I'd also like to see a way to customize the QoS class names. I'll hopefully find the time to implement this at some point.
  45. Kcolyhs

    Kcolyhs LI Guru Member

    Any firmware for WRT160N v3?

    Toastman do you have any firmware for the WRT160n v3?
    There was a version posted on Victek's site, but has since been removed.
    I tried running your firmware: tomato-K26-1.28.7454MIPSR2-Toastman-Mini, but it is very flaky and after spending 2 hours configuring my settings it locked-up and needed a hard reset.
    I really like the versions with your labelled classes.
  46. Toastman

    Toastman Super Moderator Staff Member Member

    Kcolyhs, Look at the tomatoUSB and RT threads, and on the tomatoUSB site for information on the WRT160n V3. This version is based on that one.

    Thanks for the feedback on 7454. Not sure what that is due to, hopefully it will be resolved later.

    Soon - a new version 7455 with an improvement to the Static ARP binding based on the idea from Victek's RAF and coded by Phykris.

    Static ARP binding is implemented on most enterprise-level routers as a security feature, and is generally considered to be an essential and standard feature of such routers. In a condominium it should cure the problems we often experience caused by a resident allocating himself various IPs (including those already issued to someone else) in order to gain access to the network (such as genuine users being locked out). In a small business environment, these problems become even more serious.
  47. Toastman

    Toastman Super Moderator Staff Member Member

    What is Static ARP or ARP Binding, and how is it used?


    by "Phykris"

    On Ethernet (either wired or wireless) all communication between devices goes via physical layer data packets that contain the physical address of the source of the message and the physical address of the destination of the packet. We call this physical address the MAC address.

    Besides MAC addresses, devices also have IP addresses. These are higher level addresses. The source and destination IP addresses of data sent on the network are put in the header of IP packets. The IP packets of the devices on a LAN are encapsulated in the physical layer packets.

    When the router wants to send data to a client with a certain IP address (either obtained via DHCP or set manually as a static IP address) the router needs to know what the MAC address of that client is. Therefore the router sends an ARP request on the LAN, which is a broadcast. The ARP request basically asks all devices that are on the network "if you're the one with IP address 'X', could you tell me what your MAC address is?". One client should reply: "Yes, I have IP address 'X' and my MAC address is 'Y', please send your data to this MAC address".

    Now the router knows how to fill in the header of the physical layer packet and it can start sending data to the client.

    ARP spoofing.

    Suppose there's somebody with bad intentions on the network who wants to intercept the data of the client with MAC address X and IP address Y. This malicious client could give himself the same static IP address Y; his MAC address is Z. When the router asks "Are you the one with IP address Y?", this malicious client would reply: "Yes, I am the one, please send your data to MAC address Z". So, data that was meant to go to MAC address X will go to the wrong client with MAC address Z.

    Static ARP binding.

    Static ARP binding is a way to ignore ARP spoofing attempts. On the router's static DHCP page you can enable Static ARP binding. When enabled, the router will ignore all ARP replies. The router will instead look in the static DHCP table to find out the MAC address that belongs to a certain IP address. Because this table is filled in by the administrator it is assumed to be correct, and data will always be sent to the listed MAC address.

    Limiting unlisted devices.

    Clients that have assigned themselves a static IP address which is not in the DHCP table can normally get Internet access if they fill in the router IP address as the gateway and the router IP address as the DNS server (when their MAC address is not restricted from entering the network).

    When they try to get Internet access they will send an ARP request to the gateway and the router will reply "yes, I have this gateway IP address, my MAC address is Q". The data can now be sent to the router (with MAC address Q) and when receiving the data the router manages to fill in the ARP table by inspecting the data. So, the router will know the client's MAC address and IP address and it can send messages back to the client. In other words: the client will have full Internet access.

    But in some networks we want to avoid that unlisted clients can get Internet access. We can do this with static ARP binding. All clients within the same subnet that are not listed will get assigned to MAC address 00:00:00:00:00:00, which is an invalid MAC address. So, all other IP addresses besides those listed will not be able to receive any data. Moreover, the IPs that are listed will not be vulnerable to ARP spoofing.

    Is this useful?

    This might be useful for distributing Internet services in a network where you can not trust every client, for instance if you offer Internet access in a condominium.

    When checking the "limit unlisted machines" option, all unknown IP addresses will be banned from the network and it will not be possible for a malicious client to hijack the IP address of another (paying) user.

    Also, there's no need anymore to fill in MAC addresses in the access restriction page. All administration for the network/condominium can be done in a single page.

    How should I use this?

    This new feature which will be added to some versions of Tomato needs a little explanation.

    1) The DHCP service with a dynamic range tends to overwrite the static ARP entries in the table. Therefore you should set the DHCP range to issue only one static IP address that is in the static DHCP table (preferably the administrator's IP address). e.g.

    2) You MUST enter your (admin) IP address and MAC in the table, or you may be locked out of the router.

    3) Static ARP only supports one MAC address per IP address.

    4) If you have access points connected to the LAN ports of your router and you use "limit unlisted machines", you should add their IP and MAC address to the static DHCP table.

    5) All listed machines will now show as "active" in the WOL page, because they are in the ARP table.
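    To make the mechanism described above concrete, here is an added example (not Tomato's code and not part of Phykris's post) that models the router's ARP cache in the three modes it describes: plain dynamic learning, static ARP binding, and static binding with "limit unlisted machines". It parses constructed ARP reply packets, resolves IPs the way each mode would, and additionally logs every reply that contradicts a static DHCP entry, which is the signal an administrator would want to see. One assumption is labelled in the code: with static ARP on but the limit option off, unlisted hosts are still learned dynamically.

```python
import struct
from dataclasses import dataclass, field

NULL_MAC = "00:00:00:00:00:00"  # what Tomato binds unlisted hosts to under "limit unlisted machines"


@dataclass(frozen=True)
class ArpReply:
    sender_mac: str
    sender_ip: str


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Build a 28-byte RFC 826 ARP reply payload (used here only to construct sample traffic)."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # Ethernet, IPv4, hlen 6, plen 4, opcode 2 = reply
            + _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
            + _mac_bytes(target_mac) + _ip_bytes(target_ip))


def parse_arp_reply(pkt: bytes) -> ArpReply:
    """Parse an Ethernet/IPv4 ARP payload and return the (MAC, IP) pair the sender claims."""
    if len(pkt) < 28:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if oper != 2:
        raise ValueError("not an ARP reply (opcode %d)" % oper)
    sha, spa = pkt[8:14], pkt[14:18]
    return ArpReply(":".join("%02x" % b for b in sha), ".".join(str(b) for b in spa))


@dataclass
class RouterArp:
    """ARP cache of the router under the Static DHCP page options described in the post."""
    static_dhcp: dict                             # IP -> MAC, as entered in the Static DHCP table
    static_arp: bool = False                      # "Static ARP binding" enabled
    limit_unlisted: bool = False                  # "limit unlisted machines" enabled
    learned: dict = field(default_factory=dict)   # dynamically learned entries
    alerts: list = field(default_factory=list)    # replies that contradict a static binding

    def on_reply(self, reply: ArpReply) -> None:
        bound = self.static_dhcp.get(reply.sender_ip)
        if bound is not None and bound.lower() != reply.sender_mac.lower():
            # Logged in every mode: a listed IP claimed by another MAC is the ARP spoofing
            # scenario from the post, whether or not binding currently protects against it.
            self.alerts.append("reply for %s from %s contradicts static entry %s"
                               % (reply.sender_ip, reply.sender_mac, bound))
        if self.static_arp and (bound is not None or self.limit_unlisted):
            return  # the static table is authoritative; the reply is ignored
        # Assumption: with static ARP but without the limit option, unlisted IPs are
        # still learned dynamically. Without static ARP, the last reply always wins.
        self.learned[reply.sender_ip] = reply.sender_mac

    def resolve(self, ip: str):
        """Return the MAC the router would send to for this IP, or None if unknown."""
        if self.static_arp:
            bound = self.static_dhcp.get(ip)
            if bound is not None:
                return bound
            if self.limit_unlisted:
                return NULL_MAC  # unlisted host: frames go to the invalid all-zero MAC
        return self.learned.get(ip)


def demo():
    """Constructed scenario: one listed resident, an impersonator, and an unlisted squatter."""
    static = {"192.168.1.10": "00:11:22:33:44:55"}   # constructed Static DHCP entry
    router_mac, router_ip = "00:aa:bb:cc:dd:ee", "192.168.1.1"
    replies = [parse_arp_reply(build_arp_reply(mac, ip, router_mac, router_ip)) for mac, ip in (
        ("00:11:22:33:44:55", "192.168.1.10"),   # the legitimate resident answers
        ("de:ad:be:ef:00:01", "192.168.1.10"),   # impersonator claims the resident's IP
        ("de:ad:be:ef:00:02", "192.168.1.200"),  # self-assigned IP not in the table
    )]
    plain = RouterArp(static)                                        # no static ARP
    bound = RouterArp(static, static_arp=True, limit_unlisted=True)  # both options on
    for r in replies:
        plain.on_reply(r)
        bound.on_reply(r)
    return plain, bound


if __name__ == "__main__":
    plain, bound = demo()
    for name, cache in (("dynamic", plain), ("static+limit", bound)):
        print(name, cache.resolve("192.168.1.10"), cache.resolve("192.168.1.200"))
    print("alerts:", bound.alerts)
```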

  48. peyton

    peyton Network Guru Member

    Useful explanation. Thank you again Toastman! :)
  49. Toastman

    Toastman Super Moderator Staff Member Member

    I'm using this now, and it seems to work well. So I am posting 7455 today - remember it's very much a beta test!
  50. shibby20

    shibby20 Network Guru Member

    You can't use these options in custom configuration. These options are forced by start-scripts. You should see errors like:

    Cannot set "rpc-authentication-required" option here. Authentication is always required

    Cannot set "rpc-whitelist-enabled" option here. Whitelist is always disabled
  51. Kcolyhs

    Kcolyhs LI Guru Member

    Thank you very much for the latest release.

    I successfully installed: tomato-K26-1.28.7455MIPSR2-Toastman-Mini.trx on the Linksys WRT160N v3.
    It is working well, except that status overview indicates CPU Freq as 133MHz.
    Attempting to set cpu to 300MHz does not change the status page.
    I love the integration of ARP binding and access restrictions within the static DHCP list, that simplifies my setup of 80 clients dramatically.

    Just thought to mention that on the previous release 7454, selecting "static wan" would crash the router and require a hard reset.
  52. Toastman

    Toastman Super Moderator Staff Member Member

    Kcolyhs, thank you for the feedback. I can't imagine why you had a problem with 7454 but I'm glad it's now OK.

    The new code to detect the CPU frequency may not be working for the WRT160nV3 I guess. I've mentioned it to Victek. He asks, can you post the output of "cat /proc/cpuinfo"? Thanks!

    Some questions about ARP Binding and how it's done are addressed here:
  53. Kcolyhs

    Kcolyhs LI Guru Member

    Tomato v1.28.7455 MIPSR2-Toastman K26 Mini
    root@unknown:/tmp/home/root# cat /proc/cpuinfo
    system type : Broadcom BCM47162 chip rev 0 pkg 2
    processor : 0
    cpu model : MIPS 74K V4.9
    BogoMIPS : 66.35
    cpu MHz : 133
    wait instruction : no
    microsecond timers : yes
    tlb_entries : 64
    extra interrupt vector : no
    hardware watchpoint : yes
    ASEs implemented : mips16 dsp
    shadow register sets : 1
    VCED exceptions : not available
    VCEI exceptions : not available

    unaligned_instructions : 0
    dcache hits : 2147483648
    dcache misses : 4125362271
    icache hits : 2147483648
    icache misses : 307806958
    instructions : 2147483648
  54. animus144

    animus144 Networkin' Nut Member

    Transfer Rates

    Hi Toastman and others in the know,

    I have just flashed "tomato-ND-1.28.7617-Toastman-K24-Std.trx" onto my WRT54GL v1.1 and it's working really well. I was really excited to use the per-connection transfer rate mod, but unfortunately, all I see is a blank table. Is there some feature I needed to enable elsewhere to get this working, or is this feature just not working with certain routers or setups?

    Thanks. :smile:
  55. Toastman

    Toastman Super Moderator Staff Member Member

    It's a long time since I did that build, but it worked OK here on my GL's. Did you erase your NVRAM? Can't think of anything else.
  56. animus144

    animus144 Networkin' Nut Member

    Is there a more recent build you've done that is preferable to use on GL's? Or are the builds that work on the GL's old news now that the hot topic for SOHO routing is the RT-N16?
  57. Toink

    Toink Network Guru Member

    Toast, any way to get a guest username and password to your FTP site? It's now asking for a user/password.. I need build 7454 for a WRT320N. BTW, is your still up and running because it's no longer 'accessible' for a couple or so weeks now? Thanks!
  58. richardtaur

    richardtaur Addicted to LI Member

    Hi Toastman:

    Does 1.28.7456 come with BT?
  59. animus144

    animus144 Networkin' Nut Member

    Thanks for the reply, Toastman. I'm not too concerned about adding more features. Everything in the tomato-ND-1.28.7617-Toastman-K24-Std.trx is great except for the fact that I can't get the "Transfer Rates" table to show up under QOS. Cleared the nvram and everything, and even tried the mini version to no avail.

    The rates table shows up when I use Victek's "Tomato_RAF-K26-1.28.8602MIPSR1", but then I lose all your cool class labels and handy default rules. I know K26 is the new kernel, but his K24 doesn't include the per-IP transfer rates table (I don't think your K26's do either).
  60. Kcolyhs

    Kcolyhs LI Guru Member

    Problem with "tomato-K26-1.28.7457MIPSR2-Toastman-Mini.trx" + static DHCP

    Toastman, thanks for your latest release.
    I am using "tomato-K26-1.28.7457MIPSR2-Toastman-Mini.trx" on two WRT160N v.3 routers.
    The first is connected to a DSL modem using PPPoE, serving 40 clients and is working very smoothly.
    The second is connected via "Static WAN" to a HSPA+ modem/router that has NAT enabled, but DHCP disabled. It is serving 80 clients.
    This router is behaving very strangely, GUI is sluggish after a few minutes, if more than one client connects there is almost no throughput for other clients.
    The configuration parameters being used are almost the same as a previous Buffalo router which was running "Tomato RAF 1.28.8515 ND" very well.
    I have reset NVRAM several times and reconfigured from scratch, without improvement.
    Has anyone encountered issues with Static WAN?
    Any suggestions on resolving this issue?
  61. Toastman

    Toastman Super Moderator Staff Member Member

    Sorry, I have nothing to suggest. Like your first router, all my installations are simple PPPOE ADSL. Maybe someone else has an explanation?

    richardtaur - no, I am leaving the BT area to Shibby's branch. That way, it is easier for him to support it. I personally don't believe torrents should be a function of a router. A router's job is to route.

    If you want to use his BT branch with Toastman QOS you can use this easy method to add it:
  62. gtamaster

    gtamaster Networkin' Nut Member

    Hi Toastman, I'm getting a WRT54GL router in the next couple of days and I have not flashed a router before. I want to use your firmware and I'm just wondering if I should use the kernel 2.4 or kernel 2.6 version? Thank you.
  63. Toastman

    Toastman Super Moderator Staff Member Member

    K24 is much more trouble free and faster running on a WRT54GL.
  64. gtamaster

    gtamaster Networkin' Nut Member

    Thank you for the reply Toastman! I will give it a try!
  65. Toastman

    Toastman Super Moderator Staff Member Member

    K24 MIPSR1 Toastman Build 7619 + ipv6


    I just had a crack at a new K24 build 7619 K24 MIPSR1 for older router owners. Sizes down to 3.1MB. The rates display works here on my WRT54GL.

    I did a quick test to see how it looks, seems OK but I am not going to worry too much about K24 nowadays. It's a bit difficult to list what is in each version, best to flash them until you find what you need.

    Try if you wish, no guarantees given though.

    [IPv6 has been withdrawn for K24 builds - it doesn't work - because it was never intended for the smaller K24 builds].

    I'm uploading it to this url:
  66. gtamaster

    gtamaster Networkin' Nut Member

    Sorry, I'm new at this flashing thing, but how do I flash the WRT54GL? Do I just flash it using the trx file or do I have to change the trx file to another extension before flashing? Thanks.
  67. animus144

    animus144 Networkin' Nut Member

    Toastman, I really appreciate you taking the time to look at the old kernel version. I'm out of town right now but will definitely let you know how it works when I get back in a couple days.


    gtamaster, as far as I understand it, if you are using the stock firmware, you need to flash a .bin 3rd party firmware. Once you have successfully installed a .bin of some 3rd party firmware, you should then be able to flash with a .trx file of the version you actually want to use. You may have to start with a .bin of the main branch of tomato.

    I think .bin files just have some extra header information (image size?) on top of the firmware image, whereas .trx is just the image. Someone please correct me if I'm wrong.
  68. callous

    callous Network Guru Member

    I got a problem with uTorrent and QOS in tomato 1.28. So I put default QOS class of E, and never placed bittorrent ports in a rule so that by default, all bt traffic and any program not in QOS goes into Class E, the lowest of the low priorities.

    Now looking at my Tomato 1.28 graph, I see that some clever bastard on the internet has managed to place their bt port as port 53 (it appears as "DPort" on my end in Tomato View Chart/details).

    This means they have fooled me and the router into thinking bt traffic is now at the highest priority instead of Class E. This unusual port numbering by several of these folks sometimes causes up to 15-20% of my available bw to be used for bt at the highest priority on par with DNS.

    Short of creating a class listing all my bt ports at Class E (which doesn't work well and causes extreme lag when gaming), what can be done?
  69. rhester72

    rhester72 Network Guru Member

    You can tell uTorrent not to connect to any port or range.

  70. callous

    callous Network Guru Member

    How do i do this?
  71. callous

    callous Network Guru Member

    Should the DNS be port 53 source, or should it be destination? I know by default it is destination, but i see both source and destination being used for port 53
  72. callous

    callous Network Guru Member

    Also, if you put 2 things in the Medium QOS category, will the first Medium QOS listed first have a bit more priority than the subsequent Medium QOS listings?
  73. Toastman

    Toastman Super Moderator Staff Member Member

    Destination port 53 is used for DNS lookups. These connections are very fast and don't take long or pass much information. Therefore you can discriminate against torrents by making the DNS rule only apply to connections with less than say 10k transferred. Anything above that will again drop into class E. You can experiment with that 10k figure if you wish to see if you can find a better setting.

    A class is a class. Everything in that class is treated the same. If you were designing your own QOS system you could create sub-classes, but that's a different issue and in any case 10 classes is sufficient.

    You will always get *some* P2P bleed into another class, don't worry too much about it, it usually won't ruin the effectiveness of the system taken as a whole. For this reason you will see connections in the wrong class for a short time before they drop into the default class. New connections are continually opening with P2P applications, so most rogue connections last a short time only. When P2P is finished with a section of download it often does not close connections, and also the servers at the other end may continue to try to open connections to your own uTorrent to try to download parts of your files. However, those ports may have been closed by uTorrent, so incoming connections often STOP at the ROUTER and show up as unclassified.
  74. callous

    callous Network Guru Member

    Ok thank you

    Actually there are only 6 classes. The priorities for A-E are exactly the same, but just different labelling. I think 6 classes is enough though
  75. Toastman

    Toastman Super Moderator Staff Member Member

    No, that's quite wrong. You are still thinking those labels mean what they say. They don't. Internally, they are 0 to 9 - in that order.

    The priorities are "hard coded" in Tomato. HIGHEST is what it says, E has the lowest priority. So all things being equal, those in class "HIGHEST" will be dealt with FIRST. That is the whole point of a QOS system. Since you are using only 6 out of the 10, the ones you aren't using are irrelevant, but the priority still exists in the same order HIGHEST to E (i.e. top to bottom, if your classes have different names).

    The NAMES don't mean anything. They are just labels. You can call the classes Pooh Bear down to Eeyore if you like.

    The amount of BANDWIDTH you assign to each class is a different issue.
  76. Toastman

    Toastman Super Moderator Staff Member Member

    I am playing around with QOS rules, nothing much different except I split them up into more rules. Reason - since we now have a means of identifying what rule was responsible for a classification (see the QOS-Details page), it makes it much easier for people to see what is happening and to tailor rules.

    If anyone wants to try this, just cut and paste this into your tools/system command execution box, if you like it, don't forget to save or commit.

    nvram set qos_orules="0<<-1<d<53<0<<0:10<0<DNS>0<<-1<d<37<0<<0:10<0<Time>0<<-1<d<123<0<<0:10<0<Network Time (NTP)>0<<-1<d<3455<0<<0:10<0<RSVP>0<<-1<x<9<0<<<0<SCTP, Discard>0<<-1<x<135,2101,2103,2105<0<<<0<RPC (Microsoft)>0<<6<x<23,992<0<<<0<Telnet>0<<-1<d<22<0<<<3<SSH>0<<17<x<3544<0<<<3<Teredo port>0<<6<s<80,8080<0<<<3<Remote Router Access>0<<6<x<3389<0<<<3<Remote Assistance>0<<-1<a<<0<flash<<2<Flash Video,(Youtube)>0<<-1<a<<0<httpvideo<<2<HTTP Video,(Youtube)>0<<-1<a<<0<shoutcast<<2<Shoutcast>0<<-1<s<6970:7170,8554<0<<<2<Quicktime/RealAudio>0<<-1<d<1220,7070<0<<<2<Quicktime/RealAudio>0<<6<x<6005<0<<<2<Camfrog>0<<-1<d<1220,1234,5100,6005,6970<0<<<-1<VLC>0<<-1<x<554,5004,5005<0<<<2<RTP/RTSP>0<<-1<x<1755<0<<<2<MMS (Microsoft)>0<<-1<x<1935<0<<<2<RTMP>0<<-1<d<3478,3479,5060:5063,5070<0<<<1<SIP, Sipgate Stun Services>0<<-1<d<1718:1720<0<<<1<H323>0<<-1<a<<0<skypetoskype<<1<Skype>0<<-1<a<<0<skypeout<<1<Skypeout>0<<-1<d<80<0<<0:512<4<HTTP>0<<-1<d<443<0<<0:512<4<HTTPS>0<<6<d<8080<0<<0:512<4< HTTP Proxy / Alternate>0<<-1<d<25,587,465<0<<<5<SMTP, Submission>0<<-1<d<110,995<0<<<5<POP3 Mail>0<<-1<d<119,563<0<<<5<NNTP>0<<-1<d<143,220,585,993<0<<<5<IMAP Mail>0<<-1<a<<0<irc<<6<IRC>0<<-1<d<1493,1502:1503,1542,1863,1963,3389,5061,5190:5193,7001<0<<<6<Windows Live>0<<-1<d<1071:1074,1455,1638,1644,5000:5010,5050,5100,5101,5150,8000:8002<0<<<6<Yahoo Messenger>0<<-1<d<194,1720,1730:1732,6660:6669,22555<0<<<6<MSG R 2 - Chat Services>0<<-1<d<5000:5010,5050,5220:5223,5298,8000:8002<0<<<6<MSGR3 - Chat Services>0<<6<d<20,21,989,990<0<<<7<FTP>0<<-1<x<6571,6891:6901<0<<<7<WLM File/Webcam>0<<6<d<80,443,8080<0<<512:<7<HTTP,SSL File Transfers>0<<17<x<1:65535<0<<<-1<P2P (uTP, UDP)"

    nvram set qos_orates="5-20,5-20,5-25,5-70,20-100,20-80,10-80,20-80,10-50,0-0"

    nvram set qos_irates="10,20,40,70,0,70,70,70,60,1"

    Last changed 6/5/2011

    This is just a first attempt at tidying up the rules, it isn't quite finished and no doubt some of them will be amended in due course.

    VOIP users may find an extra L7 filter for SIP will make their lives better!
  77. bkmo

    bkmo LI Guru Member

    Toastman, can you please post the settings for your stock limits and basic settings too? I am running Shibby's build because of BT, but I want to try your QOS setup.
  78. rhester72

    rhester72 Network Guru Member

    It's somewhere in the advanced settings in uTorrent - I don't have it installed anymore, but the uTorrent docs should give some hints.

  79. callous

    callous Network Guru Member

    Tomato doesn't have a Tools>System thing. Do you mean under the script section of Tomato?
  80. bkmo

    bkmo LI Guru Member

    Tools > System > execute system commands is where you need to enter this.
  81. occamsrazor

    occamsrazor Network Guru Member

    Hi Toastman, by chance I've just re-flashed my E3000 and am in the process of re-entering all the settings, so figured I might try your recent rules versus my previous setup (based on your previous ones but with some VOIP-friendly modifications). Two questions...

    1. Is entering the large block of commands you posted exactly equivalent to entering the same information manually via QoS rules? I'm trying to keep my NVRAM "clean" and reversible, having had a few problems that required NVRAM erase before.

    2. Is it possible to easily generate a block of system commands as you posted, from existing rules? This would help with easily restoring QoS setup after an NVRAM erase. If so, how?

  82. bkmo

    bkmo LI Guru Member

    This will overwrite what you have currently in nvram. If you do not do an nvram commit it will not survive a reboot, and you will be back to where you were. If you want to save your qos settings you can telnet into the router and do an:
    nvram export --set | grep qos >
    to get a shell script of all your qos settings in the current directory.
  83. Toastman

    Toastman Super Moderator Staff Member Member

    These rules are the same as the old ones, more or less, but expanded into more rules. When you've done this, change to the QOS configuration page and you'll see the rules. If you are happy with them, click SAVE.

    Backup your old settings first in the usual way, for safety, and then try the method outlined above and here:

    The system command box is very useful. Instead of messing about, it's much easier to just cut and paste from this box. For example, to clean up a router's config, open a browser and list all settings with export command. Then open another browser to the router, erase NVRAM, then cut and paste the appropriate lines from the other window.
  84. callous

    callous Network Guru Member

    I'm feeling confused here: Tomato 1.28 has no Tools>System

    Instead, it has Tools>Ping, Trace, Wireless Survey, WOL
  85. Toastman

    Toastman Super Moderator Staff Member Member

    Are you using original, Jon Zarate Tomato? We were all assuming you had a modern Tomato compile, apologies.
  86. callous

    callous Network Guru Member

    The original Polarcloud version of tomato 1.28

    Was there a better version???
  87. mau108

    mau108 Addicted to LI Member

    wrong thread..delete me
  88. mstombs

    mstombs Network Guru Member

    @Toastman are your QOS rules specific to one of your mods? They don't work on TB K24 build, nothing gets loaded in QOS classification page - the first entry looks strange - certainly would need to change that to an address in use here!

    my default starts with

  89. yo_adrian_eh

    yo_adrian_eh Addicted to LI Member

    You said you've made "some VOIP-friendly modifications"? Any chance you'd share them? I'm having a hell of a time with my VoIP traffic (posted a new thread to try and get some help), just wondering what you've done.

  90. yo_adrian_eh

    yo_adrian_eh Addicted to LI Member

    Tried to load the rules and received the following error on the Classifications page:

    iptables-restore v1.3.8: invalid portrange specified
    Error occurred at line: 69
    Try `iptables-restore -h' or 'iptables-restore --help' for more information.

    I broke everything down using a plain text editor but I'm not sure how/where the line breaks need to be, so it's a bit like finding a needle in a haystack for me.

  91. Toastman

    Toastman Super Moderator Staff Member Member

    I found a bug in the original error checking somewhere in Tomato - it doesn't allow a range of two ports e.g. 1907-1908 to be reinstated although it accepted them in the original configuration. You need 1907,1908 instead. I had a few like that after cutting the ranges back to a minimum. Here is a revision, I just cut and pasted it into my own RT-N16 and also a WRT54GL AP and it worked OK.

    mstombs, the odd first entry that you mention is a disabled rule to give admin priority. I deleted it.

    Yo!Adrian - there are no line breaks - this is all one line.

    nvram set qos_orules="0<<-1<d<53<0<<0:10<<0<DNS>0<<-1<d<37<0<<0:10<<0<Time>0<<-1<d<123<0<<0:10<<0<Network Time (NTP)>0<<-1<d<3455<0<<0:10<<0<RSVP>0<<-1<x<9<0<<<<0<SCTP, Discard>0<<-1<x<135,2101,2103,2105<0<<<<0<RPC (Microsoft)>0<<6<x<23,992<0<<<<0<Telnet>0<<-1<d<22<0<<<<3<SSH>0<<17<x<3544<0<<<<3<Teredo port>0<<6<s<80,8080<0<<<<3<Remote Router Access>0<<6<x<3389<0<<<<3<Remote Assistance>0<<-1<a<<0<flash<<<2<Flash Video, (Youtube)>0<<-1<a<<0<httpvideo<<<2<HTTP Video, (Youtube)>0<<-1<a<<0<shoutcast<<<2<Shoutcast>0<<-1<s<6970:7170,8554<0<<<<2<Quicktime/RealAudio>0<<-1<d<1220,7070<0<<<<2<Quicktime/RealAudio>0<<6<x<6005<0<<<<2<Camfrog>0<<-1<d<1220,1234,5100,6005,6970<0<<<<-1<VLC>0<<-1<x<554,5004,5005<0<<<<2<RTP/RTSP>0<<-1<x<1755<0<<<<2<MMS (Microsoft)>0<<-1<x<1935<0<<<<2<RTMP>0<<-1<d<3478,3479,5060:5063<0<<<<1<SIP, Sipgate Stun Services>0<<-1<d<1718:1720<0<<<<1<H323>0<<-1<a<<0<skypetoskype<<<1<Skype>0<<-1<a<<0<skypeout<<<1<Skypeout>0<<-1<d<80<0<<0:512<<4<HTTP>0<<-1<d<443<0<<0:512<<4<HTTPS>0<<6<d<8080<0<<0:512<<4<HTTP Proxy / Alternate>0<<-1<d<25,587,465<0<<<<5<SMTP, Submission>0<<-1<d<110,995<0<<<<5<POP3 Mail>0<<-1<d<119,563<0<<<<5<NNTP>0<<-1<d<143,220,585,993<0<<<<5<IMAP Mail>0<<-1<a<<0<irc<<<6<IRC>0<<-1<d<1493,1502:1503,1542,1863,1963,3389,5061,5190:5193,7001<0<<<<6<Windows Live>0<<-1<d<1071:1074,1455,1638,1644,5000:5010,5050,5100,5101,5150,8000:8002<0<<<<6<Yahoo Messenger>0<<-1<d<194,1720,1730:1732,6660:6669,22555<0<<<<6<MSGR2 - Chat Services>0<<-1<d<5000:5010,5050,5220:5223,5298,8000:8002<0<<<<6<MSGR3 - Chat Services>0<<6<d<20,21,989,990<0<<<<7<FTP>0<<-1<x<6571,6891:6901<0<<<<7<WLM File/Webcam>0<<6<d<80,443,8080<0<<512:<<7<HTTP,SSL File Transfers>0<<17<x<1:65535<0<<<<-1<P2P (uTP, UDP)"
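    To make the one-line qos_orules format above easier to inspect, and to catch the two-port-range case that tripped iptables-restore in the post above, here is a small parser and rewriter. This is an added example, not Toastman's or Tomato's code; the field names are assumed from the order visible in the posted strings (the extra empty field before the class number in the revised string is assumed to be a DSCP field added in newer builds), and the sample rule set is constructed.

```python
import re

# Assumed field order, read off the posted strings; the revised rules carry an
# extra field (assumed to be 'dscp') just before the class number.
FIELDS_10 = ["addr_type", "addr", "proto", "port_type", "port",
             "ipp2p", "layer7", "bcount", "class", "desc"]
FIELDS_11 = FIELDS_10[:8] + ["dscp"] + FIELDS_10[8:]

# Constructed sample (not the thread's full rule set): two rules use a range of
# exactly two ports, the form the thread reports iptables-restore rejecting.
SAMPLE = ("0<<-1<d<53<0<<0:10<<0<DNS"
          ">0<<-1<d<1907:1908,5060:5063<0<<<<1<SIP"
          ">0<<-1<d<1502:1503<0<<<<6<Windows Live")


def parse_qos_orules(value):
    """Split a qos_orules string into dicts; reject unknown or mixed layouts."""
    rules = []
    for raw in value.split(">"):
        parts = raw.split("<")
        names = {10: FIELDS_10, 11: FIELDS_11}.get(len(parts))
        if names is None:
            raise ValueError("rule has %d fields: %r" % (len(parts), raw))
        rules.append(dict(zip(names, parts)))
    if len({len(r) for r in rules}) > 1:
        raise ValueError("10- and 11-field rules mixed in one string")
    return rules


def expand_two_port_ranges(port_spec):
    """Rewrite ranges covering exactly two ports (1907:1908) as 1907,1908."""
    out = []
    for item in port_spec.split(","):
        m = re.fullmatch(r"(\d+):(\d+)", item)
        if m and int(m.group(2)) == int(m.group(1)) + 1:
            out.append(m.group(1) + "," + m.group(2))
        else:
            out.append(item)
    return ",".join(out)


def fix_qos_orules(value):
    """Return (rewritten string, descriptions of the rules that changed)."""
    rules = parse_qos_orules(value)
    changed = []
    for r in rules:
        fixed = expand_two_port_ranges(r["port"])
        if fixed != r["port"]:
            changed.append(r["desc"])
            r["port"] = fixed
    names = FIELDS_11 if len(rules[0]) == 11 else FIELDS_10
    return ">".join("<".join(r[n] for n in names) for r in rules), changed
```

A string that mixes 10- and 11-field rules is rejected outright, which is the kind of mismatch that leaves the classification page empty when rules from one build are pasted into another.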
  92. callous

    callous Network Guru Member

    Toastman, are all your firmware builds compatible with the Linksys WRT54GS version 3.0?

    I don't see the descriptions for the firmware on the page so I wasn't sure :)
  93. Toastman

    Toastman Super Moderator Staff Member Member

    You need a K24 build. The latest one there should work fine as far as I know - I never had a GS.

    I've had a lot of PM's about QOS "not working".

    As I have continually tried to remind people in this thread, you do need to understand QOS and implement it yourself to control your system. Only you know what that needs, and asking for someone else to give you a "magic cure" isn't going to work in all cases. The "Toastman" rules are intended as a basis to get you going, to examine, to learn from, and to change if necessary to suit your own requirements. I can't do that for you - nobody can. I am getting upwards of 10 mails a day asking for this, and it gets somewhat tedious, so I am ignoring most of them.

    Almost NONE of the people who mail me have even tried to use QOS. Most of them have the (useless) default rules and have added a couple of rules from my own setup, have nice looking but totally un-thought-out little rows of settings labelled 100%, 99%, 98%, 97%, and so on. Probably taken from certain well known forum articles that are almost totally WRONG and written by people (usually journalists) with absolutely no idea how QOS works.

    Sorry guys, this isn't going to work. RTFM !!


    There are many QOS "tutorials" around and indexed on google. Most of them kind of half-work - sometimes - depending on the direction the wind blows .... maybe. Is that what you want?

    It seems that people who installed Tomato last week and think they know how the QOS works have the uncontrollable urge to make tutorials. And the ones who do it with Youtube manage to waste everyone's time in spectacular fashion.

    Here's how to tell if the article is useful or not - if you see the following, leave quickly before the article confuses you too much:

    Rates and/or limits all nicely set according to class - 100% / 99% / 98% /97% - etc. as if this were some exact science!

    A port range defined to classify P2P.

    No incoming limits on any of the classes.

    Classes Highest to Lowest used and the rest ignored when they would have been useful.

    Any reference to setting the incoming maximum bandwidth to 999999999.

    Any reference to "Incoming QOS".

    And especially, outgoing maximum limit set to the ISP's full stated speed.
  94. callous

    callous Network Guru Member

    ok Thank you toastman!

    There has always been 1 question that has been bothering me - I've heard that the ND version is better than non-ND, provided your router's cpu is fast enough. Now I've done that command and my router can run ND.

    What really is optimized about ND that makes it better than non-ND?
  95. rhester72

    rhester72 Network Guru Member

    ND is a much newer driver that also fixed a lot of bugs in the non-ND driver, particularly with Intel wireless client chipsets.

  96. callous

    callous Network Guru Member

    Excellent ty!
  97. My internet speed is 4 Mbit/s, but my provider has a "local zone" (33 IP ranges) with a speed limit of 20 Mbit/s. It's impossible to create rules for this "local zone" because the number of QoS rules is limited. Is it possible to use several IP ranges in one QoS rule, or to create an internet zone and use it instead of IP ranges?
  98. cdanime

    cdanime Networkin' Nut Member

    Robert hrsho

    When I use this, it clears out my classifications then I have to refer back to this one to restore it.
  99. mstombs

    mstombs Network Guru Member

    Hi Toastman - can you post your recommended up and down class rate limits to go with your class assignment above. I understand it's only a starting point and each must tune to their own liking - perhaps you could update the tutorial?

    Apparently my last tweak along these lines killed a Steam (Valve) game, "Team Fortress 2", which didn't like its use of ports in the 27000 range defaulting to P2P crawl!
  100. yo_adrian_eh

    yo_adrian_eh Addicted to LI Member

    Same here and the original rule set loads without issue. Using Notepad I more or less figured out where things go and I can't see anything significantly different.

