Using QOS - Tutorial and discussion

Discussion in 'Tomato Firmware' started by Toastman, Dec 24, 2008.

  1. Toastman

    Toastman Super Moderator Staff Member Member

    I'm rather intrigued about the reports. This rule (copied from the earlier post exactly as it is on the page) was just pasted into 10 WRT54GLs, an ASUS WL500gPv2, and 3 Asus RT-N16s, before being pasted into this page. All routers accepted the rules and all of them are working now.

    Could be that it is browser dependent - some browsers are screwing things up?

    In and out rates added below

    nvram set qos_orules="0<<-1<d<53<0<<0:10<<0<DNS>0<<-1<d<37<0<<0:10<<0<Time>0<<-1<d<123<0<<0:10<<0<Network Time (NTP)>0<<-1<d<3455<0<<0:10<<0<RSVP>0<<-1<x<9<0<<<<0<SCTP, Discard>0<<-1<x<135,2101,2103,2105<0<<<<0<RPC (Microsoft)>0<<6<x<23,992<0<<<<0<Telnet>0<<-1<d<22<0<<<<3<SSH>0<<17<x<3544<0<<<<3<Teredo port>0<<6<s<80,8080<0<<<<3<Remote Router Access>0<<6<x<3389<0<<<<3<Remote Assistance>0<<-1<a<<0<flash<<<2<Flash Video, (Youtube)>0<<-1<a<<0<httpvideo<<<2<HTTP Video, (Youtube)>0<<-1<a<<0<shoutcast<<<2<Shoutcast>0<<-1<s<6970:7170,8554<0<<<<2<Quicktime/RealAudio>0<<-1<d<1220,7070<0<<<<2<Quicktime/RealAudio>0<<6<x<6005<0<<<<2<Camfrog>0<<-1<d<1220,1234,5100,6005,6970<0<<<<-1<VLC>0<<-1<x<554,5004,5005<0<<<<2<RTP/RTSP>0<<-1<x<1755<0<<<<2<MMS (Microsoft)>0<<-1<x<1935<0<<<<2<RTMP>0<<-1<d<3478,3479,5060:5063<0<<<<1<SIP, Sipgate Stun Services>0<<-1<d<1718:1720<0<<<<1<H323>0<<-1<a<<0<skypetoskype<<<1<Skype>0<<-1<a<<0<skypeout<<<1<Skypeout>0<<-1<d<80<0<<0:512<<4<HTTP>0<<-1<d<443<0<<0:512<<4<HTTPS>0<<6<d<8080<0<<0:512<<4<  HTTP Proxy / Alternate>0<<-1<d<25,587,465<0<<<<5<SMTP, Submission>0<<-1<d<110,995<0<<<<5<POP3 Mail>0<<-1<d<119,563<0<<<<5<NNTP>0<<-1<d<143,220,585,993<0<<<<5<IMAP Mail>0<<-1<a<<0<irc<<<6<IRC>0<<-1<d<1493,1502:1503,1542,1863,1963,3389,5061,5190:5 193,7001<0<<<<6<Windows Live>0<<-1<d<1071:1074,1455,1638,1644,5000:5010,5050,5100,5 101,5150,8000:8002<0<<<<6<Yahoo Messenger>0<<-1<d<194,1720,1730:1732,6660:6669,22555<0<<<<6<MSGR 2 - Chat Services>0<<-1<d<5000:5010,5050,5220:5223,5298,8000:8002<0<<<<6 <MSGR3 - Chat Services>0<<6<d<20,21,989,990<0<<<<7<FTP>0<<-1<x<6571,6891:6901<0<<<<7<WLM File/Webcam>0<<6<d<80,443,8080<0<<512:<<7<HTTP,SSL File Transfers>0<<17<x<1:65535<0<<<<-1<P2P (uTP, UDP)"
    nvram set qos_orates="5-20,5-20,5-25,5-70,20-100,20-80,10-80,20-80,10-50,0-0" 
    nvram set qos_irates="10,20,40,70,0,70,70,70,60,1" 
    These settings were for a nominal 1Mbps UP 16Mbps DOWN PPPoE ADSL line.

    A lot of people query why these rules are necessary. Let me explain. A few rules to make sure your VOIP gets priority might work for you. Then one day your kid starts with P2P and it dies. You make sure this gets sorted by creating a P2P (choked) class and setting it as default. Then a few days later someone's machine does a Windows Update - and the same happens. Your wife divorces you. Next, it's someone's VIDEO application (maybe YouTube). You address these. Then another day, some different streaming AUDIO causes mayhem. You add a rule. Then it's an FTP download which started without your knowledge within your web browser. Then it's a webcam or Messenger application. Or maybe a secure HTTPS transaction.

    And so it goes on.

    All of the above rules address problems that have occurred commonly in the apartment blocks here. All of the rules have a purpose. Even the rather strange "discard" rule for TCP port 9. I wanted to split them up as much as possible to serve as examples. At your site, some of these rules may seem to be unnecessary. Often that's true, but if there's no application running that needs one of them, then no harm done. But delete that rule, and you may find that in a month's time you have to reinstate it when your wife starts using camfrog video. So remember - before you start trimming down. It's often better to disable rather than delete rules.
  2. Toastman

    Toastman Super Moderator Staff Member Member

    1.28.7460 with Configurable Class Names

    Next up - later today - Toastman v 1.28.7460 will be my first attempt at configurable class names. This has been tested with RT-N16 only. There's one small detail not yet sorted - the mouse "hover" over pie chart segments will return "Class 1" etc. instead of your chosen names. ( I can't find how to use an NVRAM variable in the SVG page. Anyone?) [ EDIT thanks to Teddy Bear for helping me here! ]

    Flash this with "erase nvram" option ticked and you'll get the default Toastman QOS rules and conntrack timeouts etc. loaded. So I would recommend that you do a fresh install if possible and reconfigure.

    If you change the class names don't forget to refresh your browser to see the new classnames.

    Have fun ...!
  3. cdanime

    cdanime Networkin' Nut Member

    Well I'm using Tomato RAF Firmware v1.28.8515 _RAF ND Std of victek. Maybe something is different internally? Or maybe the forum is altering the format.
  4. peyton

    peyton Network Guru Member

    Hi there and thanks again Toastman for your mod !

    I recently lost my config and I realize that sometimes when I try to start and stop the VPN service it freezes the web access. I have to unplug my router. Does anyone have the same thing?
  5. callous

    callous Network Guru Member

    Are there any notable differences between the Qos of your firmware, and that of the original Tomato? Are there more Qos classes for example, or more effective implementation of Qos?
  6. zavar

    zavar Networkin' Nut Member

    Hi All. I've been using Tomato for a long time, but just recently changed over to using Victek's version. Really liking some of the additional features.

    I just recently enabled QOS and configured my router based on Toastman's recommended setup. For my situation, I had to add some extra ports into the classification list for Cisco VPN, Lotus Notes and for Remote Desktop Access. I've attached screenshots of my Conntrack, QOS Basic & Categories setup.

    Internally, QOS seems to be working pretty good. The one issue that I have been experiencing is when I have uTorrent running, my Remote Desktop access (from outside of my home network) is extremely slow and/or disconnects. This is the same behaviour that I previously had without running QOS... Is there anything in my setup that might be causing this?

    Comments would be appreciated for this issue, or if there are other items that I should really be tweaking further.

    Thanks in Advance!



  7. randyoo

    randyoo Addicted to LI Member

    firewall script causes rebooting loop

    Hello, Toastman!

    First, allow me to express my profound gratitude for your contributions on this forum. I've spent many hours reading and benefiting from your posts, especially in this thread.

    I just wanted to inform you that I've run into some difficulties while trying to implement some of your suggestions. The firewall script (above), which was supposed to fix the rebooting issue, causes a rebooting problem for me.

    I'm running "Tomato Firmware v1.28.7619 -Toastman-USB ND Std" on a WRT54GL. I had already made some customizations, like simplifying some of your built-in QoS rules, overclocking to 250 MHz, and enabling the bandwidth-limiter. After reverting all of those other changes, the router kept on rebooting itself, until I removed the firewall script. I saw some messages in the log warning of a tainted kernel...

    The connection is extremely slow (700kbps downstream ADSL, shared by at least 20 people at a time), and I have no control over the clients' behavior. One of them was definitely running bittorrent software, and opening over 100 combined TCP + UDP connections, which is why I wanted to use those rules to begin with.

    I'm also trying to implement an ad-blocking script to eke out every last bit of performance possible from this connection, but I'm getting a kernel "oops" and reboot triggered by the re-loading of dnsmasq at the conclusion of the script.

    Is there a known issue with the stability of this build, or can you suggest one of your builds (with bandwidth-limiting capability) that's known to be stable?

    Once again, thanks for all your contributions and assistance, on behalf of everyone who's benefited from this thread. I'd be even more grateful for any advice you can offer.
  8. Toastman

    Toastman Super Moderator Staff Member Member

    zavar, you have the "prioritize ACKS" box checked. That will effectively put P2P in the highest class, since P2P sends mostly ACKS. Unchecking it may do the trick. Although you may need to lower the limits too.

    randyoo, I don't know, in a word. I use that build here and didn't get those troubles. However, you might try 7616 which was rather older, and much of the source code was quite different to what it is nowadays. If that works, go to 7617 etc.

    To be honest, most of the development is going into rather better hardware these days. It's my guess that the older compiles may well be more stable on the GL. But if you have 20+ users and can afford it, I'd upgrade your router.
  9. zavar

    zavar Networkin' Nut Member


    Thanks Toastman... I believe I had tried it with ACKS set and not set... I'll try again to confirm. As far as lowering the limits, which ones would you try first as a starting point?
  10. Toastman

    Toastman Super Moderator Staff Member Member

    There have been reports of people not being able to connect to the internet, it appears related to the dnsmasq resolve file not being created on startup. There was a commit in tomato-RT on 26 March that *may* have been the cause, so I am making a new build 7466 for people to try, with that commit removed.
  11. TexasFlood

    TexasFlood Network Guru Member

    Just wanted to say thanks Toastman. I just used your "'nvram export --set >config.txt' then grep & paste back in" method to transfer a number of settings to my new E3000 including static DHCP, access restrictions, dynamic DNS. I did a few manually since they were small & easy. But the big stuff I did your way and it was the easiest setting transfer I've ever done.
  12. Toink

    Toink Network Guru Member

    Build 7466 working great, so far with my routers. Thank you, Toastman for all the hard work :)
  13. Toastman

    Toastman Super Moderator Staff Member Member

    You're welcome Toink!

    Texasflood - yes, funny how that facility got overlooked by us all for so long.

    Nowadays I just open a browser to a router, get the text file onscreen in the "Tools/System" box, and leave it there. I then open another browser window to the new router and cut and paste from one window to the other. Just 2 or 3 minutes and it's done. I used to spend 2-3 HOURS!
  14. TexasFlood

    TexasFlood Network Guru Member

    I've actually done the same thing before, but not as easily, not really understanding the syntax of the nvram export command. One problem I had before that I still have is apparently my static DHCP list is too long to type into an interactive telnet/ssh window so I just use vi to type it into a script and run that. You don't run into this using your browser window cut & paste method? Guess I can try it for myself huh? Anyway, thanks again!
  15. Toastman

    Toastman Super Moderator Staff Member Member

    I think the window is actually big enough to take the complete output, not that I actually use it that way. It's far easier and faster than messing about with telnet, ssh etc.

    It's useful to keep a little script in a text file somewhere so that when you need it, you can collect the relevant details easily by pasting into the system box and execute. Here is one that grabs almost everything I need, for example.

    nvram export --set | grep rrule1
    nvram export --set | grep qos_
    nvram export --set | grep dhcp_
    nvram export --set | grep dhcpd_
    nvram export --set | grep ddnsx0=
    nvram export --set | grep lan_hostname=
    nvram export --set | grep lan_ipaddr=
    nvram export --set | grep wan_proto=
    nvram export --set | grep wan_hostname=
    nvram export --set | grep wan_domain
    nvram export --set | grep pppoe_username=
    nvram export --set | grep pppoe_passwd=
    nvram export --set | grep http_
    nvram export --set | grep router_name
  16. nordberg

    nordberg Guest

    Yup, back up and running in a few minutes... less downtime and dirty looks from the other network users (wife and kids!)! :biggrin:
  17. randyoo

    randyoo Addicted to LI Member

    still having issues... but it's okay.

    I continue to experience crashes/reboots, especially when trying to save changes to QoS rules. I believe it's running out of memory, since I saw this error today: "Unable to handle kernel paging request". It might be due to the dnsmasq setup I'm running. I have a script that blocks about 10,000 hosts via DNS cache poisoning, and I set dnsmasq to cache 8,000 lookups. Even though the stats show >3,000 KB of RAM free, that's gotta be the problem. :confused:

    As long as I don't change any settings, though, it seems to be fairly stable (ran for over 16 hours when I left it alone). And since this router is being used 24/7 (by upwards of 30 simultaneous users on an 800/150 ADSL connection, BTW), and it's stable when I'm not trying to adjust settings, I'm inclined to just let it run, as-is.

    Toastman, I think it's a great real-life example of the effectiveness of your QoS rules. I've only made some minor changes, and web browsing remains fairly snappy, despite some of these users running P2P software, attempting large downloads, etc. Thanks once again for all of the knowledge you've shared... :)
  18. TexasFlood

    TexasFlood Network Guru Member

    Randyoo. Perhaps if the problem occurs mostly when saving settings you're simply running out of NVRAM space? It's not infinite and you may simply be trying to cram 10 pounds of NVRAM in a 5 pound bag, so to speak, :smile:. So you might want to check that. Some builds show the free NVRAM on the Administration->Configuration page or you can telnet/SSH in and do an NVRAM show and look at the bytes free there.

    As for the paging error, I really don't know, could be running out of memory I guess. Routers can run with a fair amount of spare memory then spike and run out. This can be very hard to catch since the window of opportunity is so small. There are scripts to monitor memory usage and log it, which, of course use more memory, hah, but maybe not a lot if you're careful. Check out the VIT script for inspiration and I'm sure you can find something simpler by searching the forums. Also, if you aren't already, consider logging to a syslog server so you don't lose those last precious entries before a crash/reboot.
  19. Toastman

    Toastman Super Moderator Staff Member Member

    Teddy Bear has just updated tomatoUSBmod. So to follow is my latest update 7467 containing the latest commits from git as of today. The support for the Linksys E series routers has been increased and several bugs fixed. Looks to be fairly stable, so we better test it out, yes?

    My builds contain ftpput and ftpget commands.

    I have been tidying up nvram variables and menus for the bandwidth limiter, you'll find it under QOS.

    All limiter nvram variables now begin with qosl_ for consistency and ease of listing. e.g. qosl_ddlr = qoslimiter default down link rate. So in future, these two commands in the system box will get all QOS settings for copying to another router.

    nvram export --set | grep qos_
    nvram export --set | grep qosl_
  20. peyton

    peyton Network Guru Member

    My vpn prob is solved since the new firmware version (see sig).

    Thanks a lot !
  21. Toastman

    Toastman Super Moderator Staff Member Member

    The Fast-NAT module is now beginning to be of more interest as more people receive 100Mbps+ internet, and I am getting many mails about it. Here are some links referring to Fast-NAT, and some to the CTF: (the CTF probably isn't doing anything because the implementation in Tomato didn't work properly).

    I have to say, that Fast-NAT causes severe problems to my systems. I always use QOS so probably no point in it anyway, but the builds with those commits in - are unstable. I will remove it in future builds.
  22. phuque99

    phuque99 LI Guru Member

    Interesting articles Toastman. If Fast-NAT does not use netfilter, high routing speed can only be achieved on a router that does nothing but routing. Any attempts to introduce QoS on the router will eliminate any benefits of Fast-NAT.

    This also reminds me about WiFi. Theoretical / marketing speed is not achievable because real world folks will turn on encryption.
  23. Toastman

    Toastman Super Moderator Staff Member Member

    Now - please read this, apologies to the more normal people here, but I need to get this out of my system. I have been getting so much mail from people asking me to help them fix their QOS when it is quite obvious that they haven't observed a single bit of advice from this thread, and probably never read it anyway. Now, if you did, and you can't read or understand what you read, I'm sorry about that, but that's your problem, not mine. Don't expect me or anyone else here to fix your broken 4 line QOS, with L7 filters, and no class limits anywhere in sight. Don't send me PM's except as a last resort. None of us are into babysitting. RTFM !!!!!

    OK, rant over
  24. phuque99

    phuque99 LI Guru Member

    I believe fast nat helps at approximately 200Mbps or more in WAN-LAN routing. I've not seen any problems at 100Mbps, with and without fast nat.
  25. Incidentflux

    Incidentflux LI Guru Member

    Encouraged by peyton's sig, I flashed my Buffalo WHR-HP-G54-5-EU with tomato-K26-1.28.9054MIPSR1-beta-vpn3.6.trx, after using TomatoVPN (SgtPepperKSU) for the past few years ever since I found Tomato firmware.

    Only annoyance I found till now is in the Real-time bandwidth section tabs, it keeps jumping back to 'WL (eth1)' in the Opera browser.

    Are there any tests I can help with?
  26. peyton

    peyton Network Guru Member

    There was a mistake in my sig! Sorry about that. With my Buffalo I'm using Tomato Firmware v1.28.7616 -Toastman ND VPN

    Got no prob with Opera (11.10, Rév 2092. Win7). Are you up to date ?
  27. truesword

    truesword Networkin' Nut Member

    Hi Toastman;
    I had the same problem as 'cdanime' & 'yo adrian eh' with my wrt54gl router.

    It appears the posted script added symbols and spaces where it shouldn't have, for some reason or another..

    Anyway...After tinkering with it, the following works for me:

    nvram set qos_orules="0<<-1<d<53<0<<0:10<0<DNS>0<<-1<d<37<0<<0:10<0<Time>0<<-1<d<123<0<<0:10<0<Network Time (NTP)>0<<-1<d<3455<0<<0:10<0<RSVP>0<<-1<x<9<0<<<0<SCTP, Discard>0<<-1<x<135,2101,2103,2105<0<<<0<RPC (Microsoft)>0<<6<x<23,992<0<<<0<Telnet>0<<-1<d<22<0<<<3<SSH>0<<17<x<3544<0<<<3<Teredo port>0<<6<s<80,8080<0<<<3<Remote Router Access>0<<6<x<3389<0<<<3<Remote Assistance>0<<-1<a<<0<flash<<2<Flash Video,(Youtube)>0<<-1<a<<0<httpvideo<<2<HTTP Video,(Youtube)>0<<-1<a<<0<shoutcast<<2<Shoutcast>0<<-1<s<6970:7170,8554<0<<<2<Quicktime/RealAudio>0<<-1<d<1220,7070<0<<<2<Quicktime/RealAudio>0<<6<x<6005<0<<<2<Camfrog>0<<-1<d<1220,1234,5100,6005,6970<0<<<-1<VLC>0<<-1<x<554,5004,5005<0<<<2<RTP/RTSP>0<<-1<x<1755<0<<<2<MMS (Microsoft)>0<<-1<x<1935<0<<<2<RTMP>0<<-1<d<3478,3479,5060:5063<0<<<1<SIP, Sipgate Stun Services>0<<-1<d<1718:1720<0<<<1<H323>0<<-1<a<<0<skypetoskype<<1<Skype>0<<-1<a<<0<skypeout<<1<Skypeout>0<<-1<d<80<0<<0:512<4<HTTP>0<<-1<d<443<0<<0:512<4<HTTPS>0<<6<d<8080<0<<0:512<4< HTTP Proxy / Alternate>0<<-1<d<25,587,465<0<<<5<SMTP, Submission>0<<-1<d<110,995<0<<<5<POP3 Mail>0<<-1<d<119,563<0<<<5<NNTP>0<<-1<d<143,220,585,993<0<<<5<IMAP Mail>0<<-1<a<<0<irc<<6<IRC>0<<-1<d<1493,1502:1503,1542,1863,1963,3389,5061,5190:5193,7001<0<<<6<Windows Live>0<<-1<d<1071:1074,1455,1638,1644,5000:5010,5050,5100,5101,5150,8000:8002<0<<<6<Yahoo Messenger>0<<-1<d<194,1720,1730:1732,6660:6669,22555<0<<<6<MSG R 2 - Chat Services>0<<-1<d<5000:5010,5050,5220:5223,5298,8000:8002<0<<<6<MSGR3 - Chat Services>0<<6<d<20,21,989,990<0<<<7<FTP>0<<-1<x<6571,6891:6901<0<<<7<WLM File/Webcam>0<<6<d<80,443,8080<0<<512:<7<HTTP,SSL File Transfers>0<<17<x<1:65535<0<<<-1<P2P (uTP, UDP)"
    nvram set qos_orates="5-20,5-20,5-25,5-70,20-100,20-80,10-80,20-80,10-50,0-0"
    nvram set qos_irates="10,20,40,70,0,70,70,70,60,1" 
  28. Toastman

    Toastman Super Moderator Staff Member Member

    Perhaps some web browsers were doing that, because I actually tested that script by cutting it from my browser page (Safari) exactly as it is, and pasting it into the system box. It worked for me, which is why I was puzzled. It might be better to cut from the page source instead of the displayed web page itself.
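
    Added example, not part of the thread and not code from Tomato or Toastman's builds: a shell check for the paste damage discussed in the posts above (blanks inserted into port lists and class fields), plus a repair that strips them. The function names and the sample string are constructed here, and the field positions are an assumption inferred from the rules as posted: rules separated by ">", fields by "<", field 5 the port list, last field the description.

```shell
#!/bin/sh
# Added example. Field layout is inferred from the rules posted in this
# thread, not taken from the firmware source.

# check_orules RULES
# Prints one line per problem and returns 1 if any problem was found.
check_orules() {
    printf '%s' "$1" | awk '
    BEGIN { RS = ">"; FS = "<"; bad = 0 }
    {
        desc = $NF
        # Every rule must have as many fields as the first rule
        # (the thread shows 11-field and 10-field variants; they must not mix).
        if (NR == 1) want = NF
        if (NF != want) {
            printf "rule %d (%s): %d fields, expected %d\n", NR, desc, NF, want
            bad = 1
        }
        # Port list may hold digits, commas and colons only.
        if ($5 ~ /[^0-9:,]/) {
            printf "rule %d (%s): bad port list \"%s\"\n", NR, desc, $5
            bad = 1
        }
        # Blanks are only legitimate in the description (last field).
        for (i = 1; i < NF; i++)
            if (i != 5 && $i ~ /[ \t]/) {
                printf "rule %d (%s): whitespace in field %d\n", NR, desc, i
                bad = 1
            }
    }
    END { exit bad }'
}

# fix_orules RULES
# Prints RULES with blanks removed from every field except the description.
fix_orules() {
    printf '%s' "$1" | awk '
    BEGIN { RS = ">"; FS = "<"; OFS = "<" }
    {
        for (i = 1; i < NF; i++) gsub(/[ \t]/, "", $i)
        printf "%s%s", (NR > 1 ? ">" : ""), $0
    }'
}

# Constructed sample showing both kinds of damage ("5190:5 193" and "6 <").
SAMPLE='0<<-1<d<53<0<<0:10<<0<DNS>0<<-1<d<5190:5 193,7001<0<<<<6<Windows Live>0<<-1<d<5000:5010<0<<<<6 <MSGR3'

check_orules "$SAMPLE" || true
check_orules "$(fix_orules "$SAMPLE")" && echo "repaired string is clean"

# After pasting into the router, the stored value can be checked the same way:
#   check_orules "$(nvram get qos_orules)"
```

    A mismatch in field count is reported but not repaired, since a 10-field and an 11-field rule set cannot be converted into each other by stripping blanks.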
  29. miracle2k

    miracle2k Networkin' Nut Member

    I've recently started to observe QoS behavior that is puzzling me a bit. I'm using Toastman's builds, and essentially the QoS rules from this post.

    Everything works quite well - until someone starts to use a download tool that opens multiple connections. Essentially, with half a dozen or more HTTP download connections, and maybe a bit of Bittorrent thrown in there as well (although Bittorrent alone, even with many connections, does not seem to cause this), things go awry - for example, my SSH sessions, correctly classified as a service, start becoming very slow.

    I only have a 3000Kbps connection. I've set the max incoming bandwidth to 2200Kbps, although the problem persists even if I set the limit significantly lower. Only once I'm down to about a 1000 Kbps do things improve.

    I have the Download and P2p/Bulk classes set to 90% and 80% limit respectively, but again, this problem only seems to improve once I decrease those limits to well below 50%.

    What I can observe in the Real-Time Bandwidth view are RX transfer rates of at times up to 3100 Kbps, which would explain this - my connection is saturated. Now I understand the problem of limiting incoming transfer speeds, how it's not an exact science, and the subsequent need to leave room to the top when setting the incoming limit. But if I still see transfer rates in the ~3000 Kbps area with a limit set to 1000 Kbps, that seems rather extreme, no? Is this normal, or is there anything I can do (while still giving users who download with only a single connection good speeds as well, i.e. without actually limiting the download classes to something as low as 20%)?

    As a future improvement, it certainly would be nice if the QoS could be configured to consider the local IP as well; say for each class, divide the available bandwidth equally among all those client machines currently using bandwidth from the class.
  30. Toastman

    Toastman Super Moderator Staff Member Member

    Where is this limit set? [Hint: there's a clue here ...]
  31. shrne

    shrne Networkin' Nut Member

    Hey .. Can anyone tell me if I'm getting close to being correct here? I JUST want to throttle my newsgroups downloads (I don't care, just drop the packets, whatever, just so that it responds dynamically to other usage), and prioritize http use. That's all. Is there any pre-defined classification set for doing that?

    My classifications are my attempts to make my newsgroup activity classify to Lowest, since the usual advice I found here and elsewhere left much activity unclassified. I've really done my reading as best I can.


  32. miracle2k

    miracle2k Networkin' Nut Member

    The "Max Available Bandwidth (this is NOT an overall limit!)" setting.
  33. gomer

    gomer Networkin' Nut Member

    Anybody notice unclassified QOS traffic issue?

    The way I understand the QOS setup and classification is as follows;

    In theory.....If no matching rules exist then everything is classified as the default classification.

    Default classification is set = P2P/Bulk

    My issue is that I am experiencing unclassified packets without any rules set in the router. This "In Theory" should never happen to packets that go out the WAN interface and are acknowledged when you have a default classification set.

    I have looked everywhere on this site for unclassified packets issue. But I am not finding an answer. Can anybody throw me a bone of why there is a classification issue with the last line versus the first three lines? My CPU/Memory are fine so not running out of resources or anything like that.

    Below is a short listing of the data. I resolved the name for illustrative purposes.

    TCP 51053 80 P2P/Bulk
    TCP 51050 80 P2P/Bulk
    TCP 52844 80 P2P/Bulk
    UDP 23990 11534 P2P/Bulk
    UDP 23990 47234 P2P/Bulk
    UDP 23990 50712 P2P/Bulk
    TCP 52797 ( 80 Unclassified

    I am currently running "Tomato Firmware v1.28.7816 MIPSR1-Toastman K26 Std"
  34. Toastman

    Toastman Super Moderator Staff Member Member

  35. gomer

    gomer Networkin' Nut Member

    P2P in commercial app causing unclassified connections

    I appreciate the links. I read through them and then I started with checking the src/dst addresses. What I found was that Bitdefender has a P2P function built into it to allow customers to distribute its updates between customers. Mystery solved. So if anybody sees this in the future it is not just traditional torrent type programs it also seems to be common or becoming more common to use this technology in many commercial programs. Something else to be aware of when tuning your QOS.
  36. Toastman

    Toastman Super Moderator Staff Member Member

    Toastman CLIENTMON v 1.28.0035 Beta

    I've been trying to properly integrate a graphical client monitoring feature into the Tomato GUI for several weeks. I think it's ready for a test.

    There is nothing original in this - we've been using imq's for this purpose for several years. But it was done with scripts and I personally just got fed up of using it. I wanted to have something permanently in the GUI, with all of the bugs removed, that just works. I consider that we usually only want to monitor one client at a time, and that's what I have done. It's easy to add more clients to the GUI which is easy .... but ... unless this is done properly there won't be any 24 hour graphs and a nonfunctional BW Limiter that doesn't work together with QOS.

    K26 MIPSR2 version is running and tested on an RT-N16. Users report it also works on E3000. Look for v7469

    K26 version is running fine on an ASUS WL500gP v2. Test version in the K26 MIPSR1 directory.

    How to use it

    Look at the old "realtime" monitor, and you'll find a checkbox to enable monitoring, and an entry box for the client's IP address. After saving, two new imq interfaces are brought up to monitor incoming and outgoing streams from that client. The 24 hour graph page will also show the same interfaces. I may add more in future but only if it all works seamlessly.

    I've also added a few extra tweaks which will bring up and take down the imq's of this and also the bw limiter mod when you exit. However, at present the 24 hour page remains the same, it continues to monitor as it should, otherwise you would lose the data from other interfaces too.

    I'm interested in any feedback! Is it useful?

    ( See also )
  37. peyton

    peyton Network Guru Member

    Great idea !
  38. gomer

    gomer Networkin' Nut Member

    The IP monitoring is a great tool. It looks like it would be a good addition. I would definitely make use of it if I had the right router to run the SR2 versions.

    I made one tweak so far to the standard QOS rule set that I think for USA users is a must. Magic Jack is a very popular USB VOIP service here in the USA. I am not sure how popular or known outside the USA it is but I have a couple of users that definitely required the additional port. The sip L7 took care of the rest. (5060 is also utilized but was already present so only 5070 added.)

    0<<-1<d<3478,3479,5060:5063,5070<0<<<1<SIP, Sipgate Stun, MagicJack>

    I am just now getting a feel for the Tomato SW and Toastman updates. I realize now that I need a SR2 compatible router if I am going to really get with the program on this site. The Asus RT-N16 seems to be router of choice for now but I also see other cheaper SR2 compatible routers. It looks like the Toastman uses RT-N16 so leaning towards that one since I am new here. Basically in absence of other input go with what works. I also would like to buy something a little cheaper but I also do not want to get another router that leaves me out of the new build cycle again. I don't need gig ports or N capability. Just something to test and run the new builds on.

    I also noticed while updating the classifications/rules that when I tried to add additional text to the text field description it was very limited. Any plan to expand this field? I would like to be able to add more "self documentation" as to what each rule is performing.
  39. Toastman

    Toastman Super Moderator Staff Member Member

    Released as v 1.28.7469

    gomer - no, I won't change that field, so it will remain compatible with all the other tomato versions. Otherwise, it will use too much NVRAM.
  40. mrplow

    mrplow Addicted to LI Member

    tomato-K26-1.28.7820MIPSR2 BETA TEST VERSION - Toastman Client Monitor/tomato-K26USB-1.28.7820MIPSR1-Toastman-Std.trx
    is this firmware file for MIPSR1 or MIPSR2, the folder and file names are conflicting.
  41. Toastman

    Toastman Super Moderator Staff Member Member

    Sorry, the folder is named wrongly, the file name is what matters. It's MIPSR1 K26 - and I am running it on a GL AP right now, just checked.

    **UPDATE** - I flashed this remotely to an ASUS WL500gP v2 and it runs quite happily, seems to be fully functional.
  42. mrplow

    mrplow Addicted to LI Member

    just wanted to say thanks, tomato-K26USB-1.28.7820MIPSR1-Toastman-Std.trx is working great on my wl-500gpv1
  43. Toastman

    Toastman Super Moderator Staff Member Member

    Bandwidth Limiter - effect of limiting

    This example was from K2.6 MIPSR2 version 7470 running on a RT-N16. That is based on current tomato-RT code from the git repository.

    These thumbnails show the effectiveness of the bandwidth limiter and the appropriate monitoring graphs. It was set to limit at 200kbps outbound and 2000kbps inbound.

    Has anyone tested the bandwidth limiter on the K26 MIPSR1 releases? Let me know if it worked for you. There seems to be a problem for some people, need to get some more information.
    EDIT - seems like all those who replied said it worked for them.

    See also this thread:

    Reproduced graphs from that alfred's posts:



  44. shibby20

    shibby20 Network Guru Member

    It's not a mips1 problem. Many Polish users have the same problem on mips2.

    I also tested the newest Victek's tomato with captive portal and BW limiter doesn't work.

    This is my result on asus wl500gp v1:
    my tomato build52-032H - bw limit ok
    my tomato build5x-043 (before commit from 2011-04-02) - bw limit ok
    my tomato build5x-045 and 047 - after commit from 2011-04-02 - bw limit failed
    latest tomato-rt git - HTB script failed
    Toastman's latest tomato - bw limit failed
    Victek's latest tomato - bw limit failed
    my build5x-050 not public yet (revert commit from 2011-04-02) - bw limit ok!
  45. Toastman

    Toastman Super Moderator Staff Member Member

    Curious. That commit, quite a long time ago now, certainly caused me a problem and I used earlier code for a while to work around it before reverting it myself. But the latest git code from Fedor fixed it. My build currently has nothing special, it's based on latest git. And the same code works if I compile it, but didn't work for you. Very odd. Maybe Fedor will see if/what the problem is! But I can't help feeling it's a compile problem.

    But if people are really having problems, then it's the FastNAT and CTF glitches still occurring I guess. They're a mess.


    I just downloaded Vic's version for MIPSR2 and tested it on ASUS RT-N16. Again, the Bandwidth Limiter is working perfectly. No point in posting any pics, they are exactly the same as above. There have been several thousand downloads and only two complaints about the BW Limiter.
  46. Azuse

    Azuse LI Guru Member

    Q. I've been using your time-out values for over a year on k2.4 but now Victek has made a k2.6 for mipsr1 routers there are now weird, wonderful and confusing new boxes :( If you can find time this would be helpful.

    1. What is the hash table size and how does it affect things?
    2. What are Generic & ICMP time-out and how do they affect things?
    3. RTSP is disabled by default, iirc it was originally because of a bug months back, was this fixed and if so is it worth enabling it?

    The defaults are below, established tcp seemed low to me, but I'm no expert :)

  47. Toastman

    Toastman Super Moderator Staff Member Member

    Usual setting for hash table size: hashsize = nf_conntrack_max / 8

    more info at

    generic timeout is, presumably, timeout for any protocol not covered by the other timeout settings (which we don't often use on web).

    icmp timeout:

    I don't know if the rtsp ctf was fixed, so it would seem sensible not to enable it by default.

    established tcp is a matter of personal choice, I use 1800 here, but whatever ...
  48. Azuse

    Azuse LI Guru Member

    I'm no programmer, but I am good with numbers and I can't make either of those equations add up with 16MB of ram. How do I get the conntrack_max out of the router thus the hashsize? I'm sure Victek is correct, I'm simply curious :)

    That page also recommends an ICMP time-out of 60-120, yet at the beginning of this thread you suggest 10 for both generic and icmp :). My old settings were based off, an admittedly old, list of yours. TCP established was 1800, close 10 & UDP assured 10 yet your current list is 1200, 20* & 25.

    Confused :eek:

    *fw defaults for this are always 10
  49. shibby20

    shibby20 Network Guru Member

    Victek's latest tomato on Netgear 3500L

    - tomato version
    - bw limiter settings
    - result from
    - result from

  50. Toastman

    Toastman Super Moderator Staff Member Member

    Azuse, the advice given is usually for machines running full Linux with huge amounts of RAM, whereas the routers are a bit more limited. So the settings here have been adjusted according to the experience of the particular person involved. The firmware defaults are often also set by the guy that compiles it, so that doesn't mean the defaults are better/worse.

    In particular, the timeout values are open to all sorts of interpretation, but at the end of the day, the lower they are the fewer hanging connections on the router, the less CPU time is wasted, and the faster it becomes. Some of the really fast timeouts break the rules, admittedly, but except for the known effect on VOIP of fast UDP timeouts, mostly they work just fine, and are almost essential if you have a great many users or P2P hogs. You can try playing around with them. The minimum value is usually 10, you can save time messing about and set everything to 10 except for established TCP. Then watch how things go, change if necessary when you have a feel for what is going on.

    Shibby, please ...... this isn't a pissing contest !!!! The bandwidth limiter is working fine for us on WRT54GL's, WL500gPv2's, E3000's, RT-N16's, WNR3500L's. As I said before, I also tested Vic's versions and they also worked perfectly. I'm very curious why exactly the same firmware compiles downloaded from both our websites doesn't work on your routers but works fine for several thousand other people, this doesn't make any sense.
  51. shibby20

    shibby20 Network Guru Member

    i agree :/
  52. spaceone

    spaceone Addicted to LI Member


    I have the same problem. QoS BW Limiter is not limiting upload. Download is limited ok.
    Firmware:Tomato Firmware RAF1.28.9001 MIPSR1_RAF_NOCAT K26 Std
    Model Linksys WRT54GL
    Chipset Broadcom BCM5352 chip rev 0 pkg 2

    Settings from BW limiter:
    PS: When I input IP instead of MAC, it says that is out of range, although my router has IP and all clients are connecting and LAN is working in that range.
    You can notice, that download is limited ok, but upload is unlimited.

    When trying to use (standard) qos to limit transfer by IP, it limits upload correctly.

    Is there different script for BW limiter in tomato-K26-1.28.7820MIPSR1-Toastman-Std.trx or is the same like in latest raf version?


  53. virgil

    virgil Network Guru Member

    Problems with BW limiter on K26 MIPSR2

    I am running on RT-N12 with RAF1.28.9001 MIPSR2_RAF_NOCAT K26 Std. Seems like BW limiter isn't working for me either.

    Am also puzzled by the CPU load which jumps from normal (<0.1) to close to 1.0 and stays there consistently.

    Yes - I had reset the Flash NVRam after updating FW (from Asus original) and reloaded settings manually. Have also reboot the RT-N12 manually. Why? - even the Reboot via the GUI doesn't seem to work...


  54. shibby20

    shibby20 Network Guru Member

    @virgil - thank you for confirming my words.
  55. Toastman

    Toastman Super Moderator Staff Member Member

    There is a history of the RT-N12 misbehaving, not only on Tomato but other platforms, instability and bricking are common. Use google ... I don't know why. It does seem to be with K26 builds, I did not see any report of K24 problems.
  56. spaceone

    spaceone Addicted to LI Member


    I tried also Tomato Firmware v1.28.7820 MIPSR1-Toastman K26 Std .

    It's the same as with raf.

    But I notice, when I put in MAC address in BW limiter, download is limited ok, but when I input IP (I have this IP in static DHCP and also activated ARP if that would matter) download is NOT limited. Upload is not limited in both cases.

    I also checked qos and qoslimit scripts in /etc/ and it seems that qos is using vlan1 interface, while qoslimit is using imq0 (for upload). Could this be a reason that BW limiter is not limiting upload?
  57. Toastman

    Toastman Super Moderator Staff Member Member

    The IP out of range bug was fixed a while back, but looks like part of the fix seems to be missing from the code (tomato.js - function v_macip, approx line 410) in this latest version. Vic?

    IP's and MAC's are actually limited in different interfaces, due to a problem Deon had a while back. That implies that something may be wrong with the imq input limiting, where IP limiting is done, as the MAC limit is working OK.

    I can't reproduce the problem though. It works every time here.

    In my versions of the firmware, the bandwidth limiter uses IMQ. At present, the methods which aren't using IMQ are therefore less useful. I personally don't see the point of dividing up our limited bandwidth and assigning each user only a tiny slice of it even when nobody else is online - that seems to me to negate the whole point of a router and QOS systems.
  58. virgil

    virgil Network Guru Member

    I tried setting BW limiter by MAC and got these in the Logs:
    and this at Access Restriction Overview
    This is without ARP binding but with Static DHCP.
  59. shibby20

    shibby20 Network Guru Member

    iprange and MAC?!? Can you show me your BW Limiter config? And /etc/iptables.error
  60. spaceone

    spaceone Addicted to LI Member


    I flashed tomato-K26-1.28.905xRAF-EN-MIPSR1-050-Std.trx. BW limiter is working for me (both download and upload), using IP or MAC address. Didn't test IP range.

    Good work shibby20.
  61. virgil

    virgil Network Guru Member

    BW Limiter



  62. shibby20

    shibby20 Network Guru Member

    ok you use tcp and udp limit.

    this line is incorrect. I will fix it.

    //edit, fixed in repo. I'm compiling new version.
  63. virgil

    virgil Network Guru Member

    BW Limiter

    Fantastic! Can't wait for this to be put into the next Tomato RAF
  64. shibby20

    shibby20 Network Guru Member

    this bug is in all RAF versions tomato (with revised IP/MAC QOS/Bandwidth Limiter) - Victek's and Toastman's firmwares too.

    Strange that it has only now been detected.
  65. shibby20

    shibby20 Network Guru Member

  66. Toastman

    Toastman Super Moderator Staff Member Member

    Shibby - the main reason that nobody has noticed the BWlimiter was bugged from day 1, when we all began to use that code, is simply that very few people actually use it :biggrin:

    Nevertheless, the bandwidth limiter works - and I do not understand why you keep posting the same thing even when several people have taken the trouble to post screenshots showing it working perfectly? Would you like us to come to your threads and tell everyone your mods don't work and ask them to try ours instead?

    Because that's what you have been doing, and are still doing, to myself and Victek :confused:
  67. gord

    gord Networkin' Nut Member

    VoIP QoS


    I am not sure if you have specifically addressed my voip requirement in this long running QoS thread for what i need to do that is a very common requirement:

    Many hosted PBX users work from homes and remote offices. They want their RTP VoIP traffic to get top priority over everything but DNS.

    I have tested my dsl link and it has a max speed of 1.2 MBS down/600k up.

    I would like to have my two VoIP users' voip traffic have top priority over all other traffic (except dns). Each voip user consumes a 90K RTP voip stream for each of their phone calls.

    How would I set up my dsl with my Linksys WRT54GL ver 1.1 to do this with tomato ver 1.28? Thanks

  68. peyton

    peyton Network Guru Member

    Do we have to flash again with new 7473 build then ? (Great Cisco skin btw ! :) )

    Do you know if the remote forwarding with ssh bypasses QoS classification and access restriction ?
  69. Toink

    Toink Network Guru Member

    I absolutely like the Cisco theme :) I noticed that in build 7473 the CPU Frequency selection (Advanced->Miscellaneous) is no longer there...

    OT: I have been using the GREP tool-thingy to restore my settings... I am able to restore my static dhcp, QOS, Port Forwards/Triggers, except for my Wireless MAC filters... Will someone please tell me what's the correct GREP?

    I tried using the ff:

    nvram set wl1_maclist="" with nvram set macnames="" but it just won't work... help! :)
  70. Toastman

    Toastman Super Moderator Staff Member Member

    I never used wireless filters, so a hasty check here... (this is on RT-N16.)

    nvram export --set | grep macnames

    returned this:

    nvram set macnames="000000000009<Just a test"

    So it **should** work..

    The "Cisco" theme is contributed by "twau" from the TomatoUSB forum ... it's a mod of the tomatoUSB theme by Absolon I think. Nice. Thanks for sharing, twau!

    My builds contain ftpput and ftpget commands.

    The cpu frequency set was giving some problems, and was removed - some newer routers are bricked too easily by wrong settings, or even ANY setting at all, or so I am led to believe. You may have to make sure your router has an NVRAM entry for CPU frequency, or it may use a very slow clock frequency as a default. Check your startup log.

    Peyton, it's probably OK not to reset NVRAM but never 100% sure. I don't know about the remote ssh - never tried it, but maybe you can set a rule for it and see if it appears in the QOS class?
  71. Toink

    Toink Network Guru Member

    Thanks for this Toast. Yeah, I have also tried that. It just wont work for some reason.. Hehe. Nevermind it's ok. I just input them manually....

    Also, setting the clock frequency of my E3000 to:

    nvram set clkfreq=480,240,120
    nvram commit

    now shows the frequency in the "Overview" page... I'm just curious why the drop down selection was removed in the Advanced> Miscellaneous option...

    Hey, thanks again for the hard work. much appreciated :)
  72. kaabob

    kaabob Addicted to LI Member

    Hey toastman, thanks for your QOS tips! everything runs smoothly and its nice to see things classified well.

    I have a question - are your "labeled classes" builds only good for the E2000/3000/4200 and K26's? I have a Buffalo WHR-54GS running Tomato 1.28 and was wondering if your Std build would work fine (under 4 mb!)

    I'm sure you've been asked this question before but I have no idea how to search for this...
  73. Toastman

    Toastman Super Moderator Staff Member Member

    I have not been bothering with K2.4 builds because most of the time they give too much trouble these days, things not working properly. Things are moving on. I retired all my WRT series routers for use as AP's long ago.

    Another paste of the QOS rules, a few small changes only, they may be mangled by the forum, so try your best to sort it out. NB it seems that the software used to cut and paste can scramble this up, so beware..
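
Added example, not part of Toastman's post or of the firmware: a Python check for the cut-and-paste mangling warned about above, run over a `qos_orules` value before it is pasted into the router. The 11-field layout and the field names are assumptions inferred from the rule string pasted earlier in this thread; the first three sample rules are copied from that paste (two of them already carry forum-inserted spaces) and the fourth is constructed.

```python
import re

# Field layout inferred from the 11-field rules in this thread's paste.
# The field names are this example's own labels (assumption), not firmware names.
FIELDS = ("addr_type", "addr", "proto", "port_type", "ports",
          "ipp2p", "layer7", "bytes", "dscp", "class", "desc")
PORT_TYPES = {"a", "d", "s", "x"}          # the values that occur in the paste
PORT_ITEM = re.compile(r"(\d{1,5})(?::(\d{1,5}))?")
SIGNED_INT = re.compile(r"-?\d+")


def check_ports(ports):
    """Return a list of problems in a comma-separated list of N or N:M items."""
    if not ports:
        return ["empty port list"]
    problems = []
    for item in ports.split(","):
        m = PORT_ITEM.fullmatch(item)
        if not m:
            problems.append("bad port item %r" % item)
            continue
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            problems.append("port out of range or reversed: %r" % item)
    return problems


def check_orules(value):
    """Validate a qos_orules value; return {rule_index: [problems]}."""
    report = {}
    for idx, rule in enumerate(value.split(">")):
        parts = rule.split("<")
        if len(parts) != len(FIELDS):
            # A lost or extra '<' shifts every later field, so stop here.
            report[idx] = ["expected %d fields, got %d" % (len(FIELDS), len(parts))]
            continue
        f = dict(zip(FIELDS, parts))
        problems = []
        dirty = set()
        # Whitespace is only legitimate in the free-text description.
        for name in FIELDS[:-1]:
            if re.search(r"\s", f[name]):
                dirty.add(name)
                problems.append("whitespace inside %s field: %r" % (name, f[name]))
        for name in ("proto", "class"):
            if name not in dirty and not SIGNED_INT.fullmatch(f[name]):
                problems.append("%s is not an integer: %r" % (name, f[name]))
        if f["port_type"] not in PORT_TYPES:
            problems.append("unknown port_type %r" % f["port_type"])
        elif f["port_type"] != "a" and "ports" not in dirty:
            problems.extend(check_ports(f["ports"]))
        if problems:
            report[idx] = problems
    return report


SAMPLE = ">".join([
    "0<<-1<d<53<0<<0:10<<0<DNS",
    "0<<-1<d<1493,1502:1503,1542,1863,1963,3389,5061,5190:5 193,7001<0<<<<6<Windows Live",
    "0<<-1<d<5000:5010,5050,5220:5223,5298,8000:8002<0<<<<6 <MSGR3 - Chat Services",
    "0<<6<d<20,21,989,990<0<<<7<FTP",      # constructed: one '<' dropped
])

if __name__ == "__main__":
    for idx, problems in sorted(check_orules(SAMPLE).items()):
        for p in problems:
            print("rule %d: %s" % (idx, p))
```

An empty report only means the string is structurally intact; it says nothing about whether the rules classify traffic the way you intend.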

  74. Toastman

    Toastman Super Moderator Staff Member Member

    Okay, I just went back to use build 7466 as a base. A great many people seem to think that version was good and stable. I have added all my mods and bugfixes since that date and some important toolchain and build changes from Fedor. Plus a few usb and ipv6 tweaks that look useful and the E4200 mac address bugfix. I have tried to keep BCM fast NAT and CTF out of it, as these two "features" seem to be responsible for a fair number of problems.

    My builds contain ftpput and ftpget commands.

    That brings us to Toastman-RT version 1.28.7475 - let's see if that one satisfies a few more people. I am hoping it will be the most stable build yet.

    We found one error already, bug "dnsmasq can't find etc/dnsmasq/resolv.conf" which was fixed by a commit I did not include

    FYI - That original bug was fixed by:

    f24d71356699aa48f688bbeda02a13ba56a9b130 - rc: fix resolving IP addresses when not using Dnsmasq
    April 10 2011

    Look for revision version 7475.1


    CPU info method changed to Victek "sysinfo", CPU chipset, clock frequency, and amount of NVRAM display added to Overview page.

    I have made another attempt to set the CPU frequency which should keep people happy.

    There is now a wide selection of clock frequencies 188-266 MHz for the earlier routers, and 400-532MHz for the more recent and faster routers. Two parameters are set, for the WRT etc. legacy machines they are CPU clock frequency and backplane frequency. For the later series routers such as the RT-N16 etc. they will instead represent CPU clock frequency and memory clock frequency - the third (backplane) frequency isn't set because it isn't necessary. This therefore makes it possible to use just two parameters for all routers.

    No guarantee is given or implied as to the infallibility of this method of setting clock speed.

    Caveat Emptor !

    The "default" setting sets "" - or no clock frequency in nvram, so the router's default is not changed. However, some routers do seem to set themselves to some hardware default of 133MHz. Nobody seems to know why. If this happens to you, just make sure to set the correct clock speed, save, and reboot the router. After that, it should remain.

    This is version 7475.2


    May 31st - NOCAT versions added.
    June 2nd - time and uptime not refreshing in overview page.

    Download again to update.


    Note - future versions will have a change in behaviour. If a router loses its NVRAM settings and resets to factory defaults (for example following power outages), it reappears back on the network with DHCP turned on and issuing the wrong IP's to clients. To prevent this happening I will make the default to start with the DHCP turned off.

    If you run a large network, I would encourage you not to use for your router's address. Use .2 onwards for routers. Then if a router fails and reboots with the defaults of and DHCP off, it will not impact your network. And you can easily access it and fix it.
  75. Toastman

    Toastman Super Moderator Staff Member Member

    We've all seen the reports of dropped connections and failure to connect via wireless. Well, I have a good number of residents complaining to the management about our internet about speed, failure to connect, and so on. I do get rather fed up of this, because I very rarely ever find any other cause than simple user error. And so I performed this little experiment :D

    I tested my AP's and router - in front of a complaining resident and the building's management - to prove to them once and for all that the majority of the people in these apartments who complain about failure to connect with wireless, dropped connections, have something wrong with their computers. Our routers and AP's are very rarely to blame.

    I used 3 different computers to demonstrate to them that I don't suffer these problems.

    These were:

    1) W7(64) i7 @4 GHz with 8GB RAM and Tenda "N" USB Wireless,
    2) W7(32) E7400@4GHz with 4GB RAM and TP-Link USB Wireless,
    3) W7 DELL Latitude PP09S Notebook @1.2GHz with 1.5GB RAM and Broadcom Wireless.

    You will notice I don't use XP. Fine in its day, but it's junk now. A large number of problems with connectivity come from XP. [I won't mention Apple here .... cough cough].

    All were set to ping the main router (W7 ping -t) once every second. All were connected via an AP using K24 Firmware v 1.28.7619 Wireless Driver (later tested with latest 7475.2 with identical results).

    I must also add that the whole system was online at the time with between 30 and 70 users connected at various times, with around 9 Mbps of traffic including P2p. There were several other clients connecting on occasions to the same AP, maximum I saw was 7. All of us also used the PC's to surf the web and download via P2P at the same time, causing slightly longer ping response times on occasions.

    All computers connected around midday. The complaining resident's PC's tried to refresh lease regularly, between every 5 and 10 minutes and out to half an hour, at which point they disconnected. Or maybe the renewal attempt was caused by them reconnecting after a dropout. None of mine did that. Clients were either broken or misconfigured :eek:

    I used Ping Assist Light to give a warning of lost connections after 2 missed pings. The complaining client's computers fired the alarm regularly. None of mine triggered it even once, there never were two consecutive dropped packets. There were almost no dropped packets AT ALL.

    At 6 p.m I terminated the W7 ping sessions and obtained the packet loss figures. There were a few odd dropped packets but the statistics rounded these off to 0 %.

    After the resident had gone away with food for thought carrying their little toy laptops, and the owners of the building suitably impressed and happy with the outcome, I repeated the test on the E3000 (running as an AP with v.7475.2). I did this for my own interest because of the large numbers of forum posts complaining about flaky wireless with this router. I ran ping sessions again for 6 hours with the same results, NO wireless drops, NO disconnects, and the same 0% packet loss.

    As once pointed out by Teddy Bear, for some reason we don't seem to see the connection problems reported by many users of Tomato. If you have problems, you should remember this post and look elsewhere first.
  76. airbot

    airbot Networkin' Nut Member

    I am having new P2P problems and would be grateful for any suggestions that you might have.

    I have some aggressive 24/7 P2P users that have several hundred connections each and are downloading hundreds of GB. This is a problem for me because my ISP provider caps our monthly traffic (GB) and it is expensive when we go over the cap. I believe that the tomato QOS (RT-N16) has effectively governed the P2P speed in the past. But it isn't at the moment, so perhaps the P2P clients are doing something new.

    The outgoing P2P is still properly governed by the tomato QOS. But the incoming P2P traffic has me scratching my head. The incoming traffic is properly classified into my default crawl class. But the P2P speed is about five times what the class is defined as. My incoming bandwidth is defined as 70% of measured minimum (peak period) line speed. If I turn off the QOS, the P2P rate skyrockets. So QOS is having an effect, just not anything close to the defined figure. I also tried bottoming out all of the other class speeds temporarily to see if traffic was somehow falling into another class but that didn't change anything.

    I also tried adding some IP table rules to limit the number of udp connections + the P2P clients then opened up tcp connections. Fine.. then I set a maximum limit of tcp and udp connections for the offending IPs. That does limit the number of P2P connections but doesn't really affect the overall download speed.

    Any suggestions how I can limit either the incoming P2P speed or GB transferred?
  77. Toastman

    Toastman Super Moderator Staff Member Member

    I can't say if your clients are doing anything new or not, but you do seem to be aware of the whole situation and how normally to cope with it. But here's a few thoughts.

    1) Use very aggressive timeouts in Conntrack/Netfilter. Hacking everything except TCP (Established) down to 10 seconds will quickly prove the idea. Usually the vast majority of connections are actually not doing anything useful. (I have 140+ users and generally run at less than 1000 connections, max is usually around 1500). Is the "prioritize ACKS" box checked by accident?

    2) How much of the download bandwidth being taken up by UDP? Prevent your users from using UDP or uTP, which often takes an incredible amount of bandwidth for almost no improvement in downloads. Do you use class E as a "Crawl" or "discard" class for UDP?

    3) If your default class is limiting at double the speed it should, then probably much of that is UDP which doesn't get slowed down. And just knock back the limit until it does work, does this help?

    4) Use the Client Monitor 24 hour graphs to examine the bandwidth usage of each of your clients to see who is responsible for the traffic. Knock their teeth out.

    5) Use the Bandwidth Limiter in addition to QOS to limit that client's maximum bandwidth.

    6) The final choice, which I absolutely hate, is to use the Bandwidth Limiter in QOS mode and share out the bandwidth amongst your clients, each one having his own "slice". The end result is that nobody gets fast internet, only his slice.

    But basically, there does seem to be something about your QOS setup that isn't working right. You could post the whole setup here and maybe we could spot something.
  78. Toastman

    Toastman Super Moderator Staff Member Member

    Thanks javilin, we'll take a look at that.

    Well, I was inspired - I did a K24 MIPSR1 build, tried it on a few WRT54GL AP's and it seems to work nicely. No guarantees, but this could be an improvement in speed over the K26 ones.

    There's one known problem, the QOS-Rates page doesn't work under 2.4. Hopefully we can fix it soon. It's removed for these builds in future.

    1.28.7621, posting shortly.
  79. Toastman

    Toastman Super Moderator Staff Member Member

    Something that has been niggling me for a while I want to address:

    Several people have made comments that they won't try my builds because of the "extra features" in my "about" page. That's fine and it's their own choice, but posting those comments in the forums does misinform others. I list the changes to inform people as to what the build contains. Perhaps I should not do so ? Because other people do not list the changes they made, does that make their builds more or less stable? Yet they have much more dross in their builds than I do, or didn't you notice that I concentrate on routing and reliability? Why are you turning this into a pissing contest by posting all these comparisons?

    I wanted to illustrate that the majority of the "changes" that are in my builds are minor changes that should not impact stability. I am interested above all in stability, because I have several thousand users in several buildings who will probably leave and go elsewhere if the internet isn't stable.

    So here are some notes:

    - 250 entry limit in Static DHCP & Wireless Filter - is only a limit change
    - 500 entry limit in Access Restriction rules - is only a limit change
    - Configurable QOS class names - sets a new nvram variable which changes class names - cannot impact stability
    - Client Monitor Graphs - creates 2 imq's as dummy interfaces, these are automatically added to the graphs page - does nothing if not selected
    - Revised CPU frequency selector - changes one nvram variable
    - Faster page refresh settings - adds a faster refresh time choice to the existing menu
    - Fast conntrack timeout settings - merely changes timeout values in the existing conntrack page
    - FTPput and FTPget enabled - is there if you want to use it - ignore it if you don't
    - 16 IMQ's enabled with 24 hour graphs - enables 16 IMQ's for use if you wish to use them, ignore if you don't
    - Starts with LAN DHCP off if nvram is reset - this default can't impact stability, but it prevents failed routers from issuing wrong IP's to clients
    - UPnP Support for vlans (if exists, loads upnpconfig.custom from JFFS) - uses file if it is there, does nothing otherwise
    - Comprehensive QOS rule examples set by default - changes QOS example rules in the existing QOS classification page. That's just another nvram variable
    - Extra Themes - used if you select one, otherwise does nothing
    Last edited: Aug 14, 2016
  80. nricciardi

    nricciardi LI Guru Member

    Hei Toastman and other gurus of this forum.

    Thanks for all the info here. Extremely valuable and appreciated.

    I read the messages twice, printed some of them, made notes and went on to configure QoS on my Tmobile 54G with 32 MB of memory, clocked at 250 Mhz, running Tomato Firmware RAF1.28.121006. But I'm not sure it is working as it's supposed to. Probably my fault.

    I have Fios internet. Usual download is 32 Mbps. Upload is 24.5 Mbps. (These are true speeds).

    We have 5 computers, one game console + one Asterisk Server. And 5 cellphones also connected to our wireless.

    The most important app is VoIP. (regular SIP + Skype).

    Second most important is terminal emulation, connecting these 5 computers to other hosts out of our network, using from VNC to LogmeIn and others.

    One of the users is a HEAVY uTorrent/News downloader, using private trackers. Without QoS, and with only one well seeded torrent, he can fill the pipes in less than 10 seconds. Pretty amazing.

    So I started by using your setup, Toastman. 85% of max, traffic classification, torrent on Class D. I did it once, and checked twice to make sure the settings were ok.

    It seems to work extremely well. We can open 4 or 5 well seeded Torrents and VoIP, HTTP, etc, would still work very well.

    The only problem I'm having is that no matter what I do, I was never able to use my whole bandwidth again. Not even 60% of it. Torrents that used to be downloaded at 32 Mbps now come at 18 Mbps, more or less, even when nothing else is happening in the network. I was not expecting to get 32 Mbps anymore. I knew QoS would slow it down. But 18 Mbps seems to be a little too much.

    So, overall, 18 Mbps is now my new max download speed. And I'm wasting approximately 9 Mbps of bandwidth (85% of 32 Mbps minus the 18 Mbps).

    I'm certainly doing something wrong, but can't determine what.

    I would appreciate any insight.

    Again, thank you for dedicating time and for sharing knowledge here.

  81. careh

    careh Addicted to LI Member

    I am new to tomato and have recently installed toastman Tomato Firmware v1.28.9055 MIPSR2-beta-git-20110414 K26 VPN on a Cisco/Linksys E2000.

    I read where it is good to lower the CPU setting from 354 to 300 for this router. Apparently in a prior version of the toastman router firmware one could set this under Advanced - Miscellaneous - but I don't see it in this version. Could someone show me where to enter the commands (so I don't mess up the router)?
  82. Toastman

    Toastman Super Moderator Staff Member Member

    nricciardi, please post your QOS setup, we can take a look at it.


    I don't have a 9055 build, that was quite an old test build from Teddy Bear, I believe. You need version 7475.2, which is the latest one. See download link below.

    Curious about the supposed lower clock speeds for this chip. The chipset die is unlikely to be much different to the higher spec chips, and many people report the things working fine at 480MHz. I can't see it suffering from a stability problem due to the speed (what speed? LOL).

    However - The manufacturers spec sheet says 300. I have added some more frequencies to the selection on the newest builds.

    But you can enter any supported frequency by pasting this into the "Tools/System" box and executing it - in any version:

    nvram set clkfreq="300,150"
    nvram commit

    nvram set clkfreq="354,177" gets you back to the shipped frequency.
  83. careh

    careh Addicted to LI Member

    How do I put in addresses in QOS and what version to use?

    I have an E2000 router and have done a first time install of toastman version
    tomato-E2000-NVRAM60K-1.28.9055MIPSR2-beta-git-20110414-VPN.bin

    from the:
    latest GIT tomato - RT compiles
    April 14 2011 9054 git compile folder.

    One question is whether I should instead be using the compiles from the
    MIPS32R2 Kernel 2.6 (RT-N16 etc) Builds
    folder as I see those have a June 6 compile date (but a lower version number).
    A fellow on another forum had given me some QOS settings for tomato which are copied below. The idea is at a summer camp to limit campers to a low rate of access while giving 4 staff computers full access. I would set the 4 staff computers to static IP addresses and ensure their addresses are not within the DHCP range for the campers.

    I don't know how to go about putting the QOS settings in.

    The QOS suggestion was:

    It's pretty easy to set.

    1) Set Static IP for Staff, set ip, 6, 7, 8 and DHCP for the campers to through 149 ....This part I know how to do.....

    2). Set QOS Settings ....This part I know how to do.....
    Max Outbound Bandwidth :12000, Max Inbound Bandwidth: 5000 <--check bandwidth with
    Class A (Fast) Outbound Rate 1-100% Inbound None
    Class B (Slow) Outbound Rate 1-30% Inbound 25%

    3) Classification **** This part I need help with - I don't know how/where to put this in *****
    From - 149 Class B
    From - 9 Class A

    then set the default at QOS settings to Class B, and set your staff's ip to Class A on classification page.

    So all your staffs will get top speed and all other users will get default Class B speed
  84. Toink

    Toink Network Guru Member

    @ Careh use build 1.28.7475.2 for your E2000 from Toastman's link. That's the latest. As for the QOS, you can try using the MAC addresses of your four staff's computer to highest or you can try the bandwidth limiter in QOS.
  85. Toastman

    Toastman Super Moderator Staff Member Member


    1) enter your staff and campers into static DHCP list
    2) in QOS/Classified, under the box showing as "any address" change that to "source IP" and enter the IP's in there. That's basically it.

    You may also use the normal QOS rules if you have problems with (P2P etc) and then use the bandwidth limiter AS WELL to additionally limit the campers bandwidth.

    Or you can turn off QOS and use the Bandwidth limiter alone and give the staff priority over the campers as well as lower bandwidth (it is a completely separate QOS system but working with bandwidth limits instead of the QOS rules).

    So, you have a lot of flexibility!
  86. Toastman

    Toastman Super Moderator Staff Member Member

    nricciardi, doesn't seem to be anything wrong with your setup. I'm sure you've tried experimenting.

    Please remember that Tomato's incoming QOS system is basically unfinished. The incoming classes have no priorities. They are just bandwidth limits. When multiple classes are in use, the bandwidth is shared equally between classes.

    The implications of this have been discussed here:

    EDIT - The QOS ingress was improved in early 2012 and is now a part of Toastman firmware.
  87. careh

    careh Addicted to LI Member

    I now have Tomato Firmware v1.28.7475 MIPSR2-Toastman-RT K26 Std installed on a E2000 router.

    ***** Update - I did not mention that I was using the router in WDS mode. I got a reply from toastman that says you can't use QOS when the router is in WDS mode. **********

    toastman reply: The bandwidth limiter and normal QOS are intended to work on a router that is connected via WAN port to the ISP gateway. So WDS machines or AP's that are not connected via the WAN port can't use these features. *********

    When running I do not see any difference in reported down/up speeds when I enable or disable the bandwidth limiter as follows:

    B/W Limiter
    Enable Limiter (checked)
    Max download bandwidth 50 kbit/s
    Max upload bandwidth 10 kbit/s
    No I/P ranges specified

    Default Class rate/ceiling for unlisted IP's
    Enable (checked)
    Download ceil 60 kbits/s
    Max upload 10 kbit/s
    Upload ceil 12 kbit/s
    TCP limit no limit
    UDP limit no limit

    I set these values very low as I wanted to see the bandwidth limited in the results- am I missing something? Am I using the wrong product to do the bandwidth measuring?
  88. peyton

    peyton Network Guru Member

    Does the B/W limiter dynamically share equally when users are not all there?

    If I set 3 people on 30Mbps to share 10Mbps max each with 30 on ceil, will it equally share bandwidth between the 2 (like 15Mbps each), or will it restrict to 10 like the rule preset and lose the unused 10Mbps?

    (Long time since I wrote in English, sorry if it's a bit confusing.)
  89. Toastman

    Toastman Super Moderator Staff Member Member

    If you set each guy in his own rule - he will get whatever bandwidth you set for him.

    If you set 3 guys in a "range" of IP's - then they will share whatever bandwidth you assign to them, but if only one person is active, he will get all the bandwidth set for that rule. There's nothing that says each USER will get equal shares.
  90. richardtaur

    richardtaur Addicted to LI Member

    Wonder where is the function for Nocat Portal start and logs for 1.28.7475.4 build.

  91. Toastman

    Toastman Super Moderator Staff Member Member

    In the menu!
  92. richardtaur

    richardtaur Addicted to LI Member

    Oh! :biggrin: I see now. I thought it is a new feature.
  93. fei2010

    fei2010 Networkin' Nut Member

    I have an RT-N16 with Tomato and followed post #133 exactly to set up QoS. I found that the p2p media player PPStream is classified as E and I am not able to watch movies. I have a 1MB/6MB line. I know that PPStream usually needs 130KBps to play movies smoothly; what changes do I need to make to allow this? Thanks.
  94. sfernan

    sfernan Network Guru Member

    Just migrated to Toastman today as well on my E2000. Just wondering if the values in post #133 are updated to optimal settings. Some of the values are different from what is in the current build.
  95. pharma

    pharma Network Guru Member

    I've found optimal settings vary from what is in post #133. I used the default Toastman firmware values as a starting point and changed them accordingly based on how many computers were connected, what they were doing and what my preferences are with regard to assigning QOS priorities.

    I think you'll achieve the best balance by trial-and-error.

  96. Toastman

    Toastman Super Moderator Staff Member Member

    pharma is right - there are no "optimal" settings. I alter mine quite often to reflect changes in the habits of the clients.

    They vary from most standalone users perhaps not even needing QOS at all, to complex situations like mine where absolutely nobody can use the internet if QOS is turned off. Take the rules as examples and study what they are doing and why, then disable or change them to do what you want, add new rules for anything that you use that isn't covered.
  97. Toastman

    Toastman Super Moderator Staff Member Member


    New theme "Flame" by BrandonC
    added hdd spindown in K26 builds
    minor improvements to portal
    increased maximum number of QOS rules to 80

  98. careh

    careh Addicted to LI Member

    I am using multiple E2000 devices (one configured as a router, the rest as Access Points). Some have the stock internal antennas while others have the external add-on antennas sold on eBay. I am running Tomato Firmware v1.28.7475 MIPSR2-Toastman-RT K26 Std. Distances between router and AP are up to 300 feet or so with trees in the way - and the signal is weak - but it is still working. I tried increasing the TX power from the default 42 to 80 first on the router, then on the AP and then on both - but did not see any change with inSSIDer and also the RSSI Quality and TX/RX rate in the 'Device List'. I saw another post somewhere where the person said they thought the power setting was not working with their E2000.

    I wonder -if the power is not really changing- if it is the E2000 or the firmware?
  99. Toastman

    Toastman Super Moderator Staff Member Member

    I don't have an E2000 so not sure. But the E3000 certainly changes. From 42 to the maximum would however be a very small change that you may not even notice, just a dB or so, hardly worth doing.

    Maximum output is at around 60 - above that there is no change. Check that you can see change from 1 up to 60 - if you don't see a change even then, something is wrong.

    You might also check you have "interference mitigation" turned off in the wireless settings. Also try Singapore and U.S. as country, just in case your normal choice doesn't allow higher powers.
  100. shadowken

    shadowken Networkin' Nut Member

    What kind of changes have you made to "tomato-E3000USB-NVRAM60K-1.28.7475.5MIPSR2-Toastman-RT-VPN-NOCAT"?
    Is the VPN server working or not yet? Because I am using "tomato-E3000USB-NVRAM60K-1.28.7477.1MIPSR2-Toastman-RT-Beta-VPN-NOCAT" and didn't get the VPN server working properly.
    Can I just back up the configurations and upgrade to "tomato-E3000USB-NVRAM60K-1.28.7475.5MIPSR2-Toastman-RT-VPN-NOCAT" without erasing the NVRAM?
    Glad to use your firmwares. Thanks :)