Tomato (firmware)/Installation and Configuration
From Wikibooks, the open-content textbooks collection
Before the Upgrade
- The GUI relies heavily on JavaScript to generate the content and XMLHTTP (AJAX) to update it. Be careful if you need to use this from an older/minimal browser since it was not designed to degrade gracefully. This has been tested only on Firefox v1/2/3, Opera v9 and IE v6/7.
- Do all upgrades through a wired LAN cable (i.e. NOT wirelessly). (Although it's possible to upgrade the firmware wirelessly, the transmission may be corrupted by a running microwave oven or ringing cell phone, which will render your router useless, so just don't do it.)
- The GUI username is "admin" or "root" (username is required), ssh and telnet username is always "root", and the default password is "admin".
- By default, the SES/AOSS button is programmed to start a password-less telnet daemon at port 233 if held for 20+ seconds. If you run into a problem of not being able to log in, you can use this to view ("nvram get http_passwd") or reset ("nvram set http_passwd=newpassword") the password. You can disable this behavior in Admin/Buttons. Remember to reboot the router after retrieving your password to close the backdoor.
- If you're upgrading from DD-WRT v23 SP2+, be aware that you may get locked-out because of a change in DD-WRT's use of the nvram password key. You have a few options:
- Push the reset button to reset all the configuration after installing Tomato.
- Use the SES/AOSS button as described above.
- Log in with telnet* and type "nvram get http_passwd" while running DD-WRT and write down the result - this will be your password after loading Tomato. (*the telnet login name is always 'root' even if you have changed the user name in the DD-WRT web interface).
- If you still have problems with Tomato after upgrading from DD-WRT (WPA2 not working, wireless broadcast failing, settings not being remembered, other), do a complete wipe of the NVRAM by going to Administration->Configuration->Restore Default Configuration->Erase all data in NVRAM memory (thorough). Then, as an extra step, reinstall (upgrade) the Tomato firmware. This should solve all issues when upgrading from DD-WRT.
- G\code.bin is for WRT54G v1-4 and WRT54GL v1, GS\code.bin is for WRT54GS v1-3, GSv4\code.bin is for WRT54GS v4, and TRX\code.trx is for the WHR-G54S/ WHR-HP-G54S. If you're just upgrading an existing Tomato firmware from the GUI, any of these will work.
Installing on a Linksys WRT54G, WRT54GL or WRT54GS
- Unarchive the 7z package you downloaded.
- Open the Linksys GUI in your browser. The default URL is http://192.168.1.1/. The default credentials are username: {blank}, password: admin
- Click the Administration tab, then Firmware Upgrade.
- Select and upload the correct firmware for your router.
- Wait for about 2 minutes while the firmware is uploaded & flashed.
- Log in to the router and reset factory defaults: under Administration/Configuration/Restore Default Configuration, select the Erase all data in NVRAM Memory (thorough) option and click OK. The router will restart again, and the factory default login is "root" with a password of "admin". If you have a password set with the old Linksys firmware, try using that password before a manual reset if you encounter any problems logging into the Tomato GUI.
MandLadventures.com has detailed instructions on how to upgrade from DD-WRT to Tomato.
Installing on an ASUS WL-520gU
Installing from OEM firmware
Installing Tomato firmware from OEM firmware may need a little massaging to get it on the device.
- If the device has OEM firmware version 3.x or later, then you first need to revert it to a pre-3.x version (download from support.asus.com.tw).
- Download and unpack the "ND" version of Tomato firmware, then rename the file to "WL520gu_2.0.0.9_EN.trx".
- Use the OEM menus to update the firmware with the renamed Tomato file.
Once installed, you can load any other firmware file without these machinations, using the config menu item to load new (or old) versions of firmware, including OEM versions.
USB support for storage and printers
As noted above, the USB port is not supported by the standard Tomato firmware. There are alternative variations that add this support; see the forum posting "Tomato 1.xx ND USB + FTP/Samba Mod" for the list of features.
- Download and unpack the desired Tomato variation from mediafire.com.
- Install (note OEM firmware installation instructions, above).
- Enable USB features in the web UI.
Installing on a Buffalo WHR-G54S/WHR-HP-G54
Via Windows 2000 and XP
Warning: Be aware that Buffalo only has encrypted firmwares on their web site. You will not be able to revert back to Buffalo's firmware without an unencrypted version of their firmware.
Vista note: Install the tftp client before continuing. Go to Control Panel-->Programs and Features-->Add/remove Windows Features-->tftp client
The following is for an initial install on a Buffalo router. If you're already using a third-party firmware or just upgrading a Tomato firmware, try uploading any of the .bin files from the GUI.
- Plug your computer directly to the router's LAN port. This will not work over a wireless connection.
- Set your computer's ethernet card settings to: IP=192.168.11.2, mask=255.255.255.0, gateway=192.168.11.1 (Gateway and DNS settings are optional and not needed to flash Tomato). In Windows, you can set this by going to Control Panel, Network Connections, right-click your ethernet card, click properties, then TCP/IP.
- Plug in your router and quickly enter this in a DOS window: "tftp -i 192.168.11.1 put tomato.trx". It will return Timeout if it failed or Transferred if it was successful.
- Make sure you are unplugging/replugging the router's power cable (not the ethernet cable). There is a window of about 3-5 seconds while the router is booting up in which you can send and install new firmware. If you miss that and the old firmware boots, you'll get a continuous "ping ... tftp ... ping ... tftp". Unplug, wait a few seconds and try again. It might be tricky to get the timing right...
- After waiting for at least 2 minutes after the initial flash, with the power still on, push the reset button for one full minute to reset the configuration. Release the reset button and allow the unit to boot up before trying to access it.
- Your router is now at the address of 192.168.1.1 which you can access by manually changing the computer back to 192.168.1.2, subnet 255.255.255.0, Gateway 192.168.1.1 and DNS 192.168.1.1, or simply set your computer back to DHCP (Obtain Automatically in the TCP/IP properties).
- The tftp -i 192.168.11.1 put code.trx process involves the manual hit and miss timing of running a ping loop and hitting enter at just the right time during the power up sequence. The provided batch file eliminates this hectic method of flashing and has rendered it obsolete. Use the Tomato batch file that is included with the Tomato firmware to flash all compatible Buffalo routers. If you get timeout errors copy the tftp.exe file from Windows/System32/ into the same directory as the .bat and .trx files so the system can find tftp.exe faster.
Migrating from DD-WRT Firmware via Windows
- You can use the DD-WRT web interface to flash to the Tomato firmware.
- First, obtain the password for the router. Telnet to the router. Assuming your router can be found at 192.168.1.1, you'd type "telnet 192.168.1.1" at a command prompt to log in to the router. Type "nvram get http_passwd". Make note of this password for later use.
- Download the Tomato firmware and extract it. In the "trx" subfolder, rename the file code.trx to code.bin. (DD-WRT does not recognize the .trx file extension as firmware.)
- Update the firmware via the DD-WRT web interface. The Tomato firmware is now installed.
- Access the Tomato web interface and browse to Administration > Configuration > Restore Default Configuration. Then select "Erase all data in NVRAM memory (thorough)" and click OK.
- Please note that the instructions for flashing the firmware via the web interface will only work once you've installed DD-WRT (or perhaps another 3rd party firmware).
Via OS X, Linux, and Other Unix-based OSes
Warning: Be aware that Buffalo only has encrypted firmwares on their web site. You will not be able to revert back to Buffalo's firmware without an unencrypted version of their firmware.
The following is for an initial install on a Buffalo router. If you're already using a third-party firmware or just upgrading a Tomato firmware, try uploading any of the .bin files from the GUI.
- Plug your computer directly to the router. This will not work over a wireless connection.
- Push the reset button for at least 30 seconds to reset the configuration.
- Unplug power to the router and plug it back in after at least 10 seconds.
- Set your computer's ethernet card settings to: IP=192.168.11.2, mask=255.255.255.0, gateway=192.168.11.1.
- Open two terminal windows.
- In the first one, type and execute this: ping 192.168.11.1
- You should now be continually pinging the router.
- Unplug power to the router. The pings should stop returning now.
- In the second window, cd to the directory in which your firmware is located. Then execute the following:
- tftp
- binary
- rexmt 1
- trace
- connect 192.168.11.1
- The router is still powered down at this point, but tftp doesn't actually "connect" when you execute the connect command. Instead, it merely stores the address away until needed.
- Still in the second terminal window, type the following but do not execute yet:
- put tomato.trx
- Plug the router back in. The moment you see pings coming across in the first terminal window, execute the put command you prepared in the second terminal window. If you see a successful transfer, leave the router alone for at least 2 minutes, then unplug the power, wait 10 seconds and plug it back in.
- Reset your computer's ethernet card settings back to use DHCP. You can also manually enter the following settings: IP=192.168.1.2, mask=255.255.255.0, gateway=192.168.1.1.
- To login to the router, just go to http://192.168.1.1/ in your web browser. Login name is root, password is admin.
- Configure your very fine router as desired.
- (Instructions adapted from DD-WRT Wiki and Chromite's "Guide to install DD-WRT Firmware on a Linksys WRT54G router.")
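What `put` with `rexmt 1` does on the wire, as an added example that is not part of the original page or of Tomato: an RFC 1350 TFTP write client that resends the write request every second until the bootloader answers, then sends the image in 512-byte blocks. The function names, parameters and the 60-second give-up time are assumptions; the address and file name are the ones used in the steps above.

```python
import socket
import struct
import time

WRQ, DATA, ACK, ERROR = 2, 3, 4, 5   # RFC 1350 opcodes
BLOCK = 512                          # fixed TFTP block size

def _send_until_acked(sock, packet, peer, block, deadline):
    """Resend packet on every socket timeout until ACK(block) arrives; return its sender."""
    while time.monotonic() < deadline:
        sock.sendto(packet, peer)
        try:
            while True:
                reply, addr = sock.recvfrom(4 + BLOCK)
                if addr[0] != peer[0] or len(reply) < 4:
                    continue                      # not from the router: ignore
                op, num = struct.unpack("!HH", reply[:4])
                if op == ERROR:
                    text = reply[4:].rstrip(b"\0").decode("ascii", "replace")
                    raise RuntimeError(f"TFTP error {num}: {text}")
                if op == ACK and num == block:
                    return addr
        except socket.timeout:
            continue                              # nothing yet: retransmit
    raise TimeoutError(f"no ACK for block {block}")

def tftp_put(host, filename, payload, port=69, rexmt=1.0, give_up=60.0):
    """Upload payload in octet (binary) mode; host must be an IP literal.

    Returns the number of DATA blocks the server acknowledged.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(rexmt)                    # same role as "rexmt 1"
        wrq = struct.pack("!H", WRQ) + filename.encode("ascii") + b"\0octet\0"
        # The ACK for block 0 may come from a new port; that port is used from here on.
        peer = _send_until_acked(sock, wrq, (host, port), 0,
                                 time.monotonic() + give_up)
        deadline = time.monotonic() + give_up
        block = 0
        # A final block shorter than 512 bytes (possibly empty) ends the transfer.
        for offset in range(0, len(payload) + 1, BLOCK):
            block += 1
            data = struct.pack("!HH", DATA, block & 0xFFFF) + payload[offset:offset + BLOCK]
            _send_until_acked(sock, data, peer, block & 0xFFFF, deadline)
        return block

if __name__ == "__main__":
    with open("tomato.trx", "rb") as fh:
        print(tftp_put("192.168.11.1", "tomato.trx", fh.read()), "blocks sent")
```
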
Upgrading the Firmware
- Open the GUI in your browser. The default URL is http://192.168.1.1
- Click Administration→Upgrade.
- Select any of the files and click the Upgrade button.
- Wait for about 2 minutes while the firmware is uploaded & flashed.
- According to the author, it is not necessary to reset the configuration if you are upgrading from a previous version of Tomato Firmware. If you are upgrading from another firmware, however, a reset is recommended (Tomato's FAQ). Log in to the router and reset factory defaults: under Administration/Configuration/Restore Default Configuration, select the Erase all data in NVRAM (thorough) option and click OK. The router will restart. The factory default login is "admin" with a password of "admin".
- However, unpredictable behavior of the router is nevertheless often experienced, and can usually be cured by an NVRAM erase and reconfiguration. NVRAM can also become corrupted in use by brownouts, etc. causing the same unpredictable behavior.
Known Problems
- There is no documentation other than a Tomato FAQ and this wiki. The best source of help and information is the linksysinfo tomato forum http://www.linksysinfo.org/forums/forumdisplay.php?f=160
- In some cases, you may need to reboot the router manually before the changes go into effect. If the changes involve switching wireless settings, you may need to reboot both ends. (Hasn't been known to happen with 1.07 or later firmware)
- Not all wireless modes / security combinations work. For example, WET, Client and WDS will not work in WPA2.
- CIFS VFS times out a lot (or it might be the server kicking the client off...).
- Graphs/SVG may not work with all browsers. Firefox: Use 1.5 or higher. Internet Explorer: Use Adobe SVG. Opera: Use 9.0 or higher. Safari: Use 3.0 or higher.
- Certain wireless clients cause the router to crash or reboot while trying to associate. The "ND" drivers are an attempt to rectify this, but when used, Intel 2200B/G wireless clients cannot associate. The following script corrects the problem with the ND drivers:
nvram set wl_reg_mode=off
nvram commit
QoS / Access Restrictions Notes
- All QoS classification and access restriction checking are performed while packets are traveling out to the Internet (outbound). The source is always from your computer and destination is always towards the Internet.
- If you restrict inbound traffic you are implementing "traffic shaping". Try the WRT54 Script Generator as an extension to the current QoS implementation (see Tools for details). Although there is an option to limit the download speed, it's not really recommended in most cases since what the router is really doing is dropping packets, which means they may need to be re-sent again over a slow Internet link.
- Why L7/IPP2P doesn't work all the time:
- These work by matching known patterns in packets. Some protocols produce reliable uniquely identifiable signatures, but some do not.
- A change in the protocol's design can sometimes break these.
- Some L7/IPP2P patterns may depend on which direction the data is going. For example, an HTTP request from a browser is different from an HTTP response from a server.
- Custom L7 patterns can be stored in /etc/l7-extra/ (you need to create the directory). It's up to you to actually populate it before the firewall starts. This can be tricky if you're using external storage, so consider just using JFFS2 or even simple "echo" statements in the startup script. To learn more about L7 patterns, go to l7-filter.sf.net.
- When testing changes to the QoS rules, restart the application on your computer to make sure its connection is re-classified under the new rule. NOTE - You can now enable "reset classification when making changes" instead.
- KB transferred match:
- This is the to-WAN data transferred in kilobytes. Consider the amount an approximate value since it doesn't take into account protocol overhead and uses the 1024-based definition instead of the 1000-based definition used more commonly in networking.
- Entering an upper limit of 1GB (1,048,576KB) or more is considered unlimited and will match anything above 1GB.
- IPP2P may not work properly with this since IPP2P doesn't keep track of its state.
- Sticky rules: IPP2P/L7 are "sticky" in that once they match, no other rules are processed. IP/MAC/port-only matches can also be sticky if there are no IPP2P/L7/KB matches above them. When coupled with a KB transferred match with an upper limit, they are not considered sticky. What this all means is you should watch out for rules like the following: "#1: L7 ABC & 1024KB+, #2: L7 ABC", the #1 rule may not match at all since #2 will lock-on if it sees L7 ABC within 0-1024KB. To get around this particular case: "#1: L7 ABC & 0-1024KB, #2: L7 ABC & 1024KB+."
- Precedence: The rules are checked in the same order as they appear in the GUI, from top to bottom. The first rule that matches sets the class. If you disable "strict ordering" (no longer applicable), rules with IPP2P, L7 and KB matches are grouped in one set and are checked first, the rest in another. In the latest versions of Tomato there is no checkbox to turn off "strict ordering".
- If you're concerned about performance: IPP2P and especially L7 are slower than simple IP, MAC or port matches.
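The sticky-rule and precedence notes above, worked through as an added example (a model of the behaviour this page describes, not Tomato's own code): it traces which class one connection gets as its KB-transferred count grows, for the problematic rule order and for the corrected one. The class names, the half-open KB ranges and all function names are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

UNLIMITED_KB = 1_048_576  # page: an upper limit of 1 GB or more means "no limit"

@dataclass(frozen=True)
class Rule:
    name: str                     # label only, as in the GUI row
    qos_class: str
    l7: Optional[str] = None      # L7/IPP2P pattern; None = IP/MAC/port-only rule
    kb_min: int = 0               # lower bound of the KB-transferred match
    kb_max: Optional[int] = None  # upper bound; None = open-ended ("1024KB+")

    def upper(self) -> Optional[int]:
        if self.kb_max is None or self.kb_max >= UNLIMITED_KB:
            return None
        return self.kb_max

    def matches(self, proto: str, kb: int) -> bool:
        if self.l7 is not None and self.l7 != proto:
            return False
        top = self.upper()
        # Assumption: the range is half-open, kb_min <= kb < upper.
        return kb >= self.kb_min and (top is None or kb < top)

def is_sticky(rules: List[Rule], i: int) -> bool:
    rule = rules[i]
    if rule.upper() is not None:   # KB match with an upper limit: not sticky
        return False
    if rule.l7 is not None:        # IPP2P/L7 match: sticky
        return True
    # IP/MAC/port-only: sticky only if no IPP2P/L7/KB rule sits above it.
    return not any(r.l7 or r.kb_min or r.kb_max is not None for r in rules[:i])

def trace(rules: List[Rule], proto: str, kb_samples: List[int]) -> List[Optional[str]]:
    """Class assigned to one connection at each point of its KB-transferred count."""
    locked: Optional[str] = None
    classes = []
    for kb in kb_samples:
        current = locked
        if current is None:
            for i, rule in enumerate(rules):   # top to bottom, first match wins
                if rule.matches(proto, kb):
                    current = rule.qos_class
                    if is_sticky(rules, i):
                        locked = current       # no further rule is ever checked
                    break
        classes.append(current)
    return classes

# Constructed rule sets taken from the page's example; class names are placeholders.
BROKEN = [Rule("#1 L7 ABC & 1024KB+", "Low", l7="ABC", kb_min=1024),
          Rule("#2 L7 ABC", "High", l7="ABC")]
FIXED = [Rule("#1 L7 ABC & 0-1024KB", "High", l7="ABC", kb_max=1024),
         Rule("#2 L7 ABC & 1024KB+", "Low", l7="ABC", kb_min=1024)]
SAMPLES_KB = [10, 500, 2000, 50000]

if __name__ == "__main__":
    print("broken:", trace(BROKEN, "ABC", SAMPLES_KB))
    print("fixed: ", trace(FIXED, "ABC", SAMPLES_KB))
```

In the first order the open-ended rule #2 locks on at the first sample, so the 1024KB+ rule is never reached; in the second order the bounded rule #1 stays re-evaluated and the connection moves to the other class once it passes 1024 KB.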
Setting Up WDS Repeating
Standard terminology for a two router setup:
- The client router is the router which does not have an internet connection.
- The host router is the router which does have the internet connection and is going to share it with other routers.
- To make troubleshooting easier, you can set the client router's SSID to something different. Later you can set it to the same as the host router's SSID or leave it different.
- Also, it is a good idea to turn off any encryption while setting up WDS repeating as it is known that some encryption methods prevent WDS from working correctly. You can re-enable it after you have things working properly.
Using WDS to extend your network will reduce throughput, as each unit has to first receive the data and then resend it over the wireless link. Each added unit in the chain makes matters worse. For best throughput always wire extra APs with CAT5 cable.
Step-by-step Instructions
- For the client router, on the Basic -> Network page, in the LAN section:
- set the Router IP Address to a static IP in the range of the host router (e.g. if your host router's IP is 192.168.1.1, set your client router's IP to 192.168.1.2).
- uncheck the DHCP Server to disable it (you can only have one DHCP server per network).
- For both the client router and the host router, on the Basic -> Network page, in the Wireless section:
- set the Channel to the same channel on both routers
- set the host router's Wireless Mode to Access Point + WDS
- set the client router's Wireless Mode to WDS
- set the WDS to Link With...
- on the host router, add the client router's Wireless MAC address to the first MAC Address field
- on the client router, add the host router's Wireless MAC address to the first MAC Address field
The above example sets up the client as a WDS repeater, but does not enable Wireless access on the client. To enable the client to serve as a WDS repeater and accept Wireless connections, set the client router's Wireless Mode to Access Point + WDS.
The Tomato FAQ on WDS documents an example with IP and Mac address samples for clarity.
Tools
- WRT54 Script Generator (download): A little application that generates scripts for traffic shaping. This script generator's main purpose is to limit the bandwidth of users that are connected to WRT (for example, to share the connection in a fair way). The script shapes traffic on the LAN and the WLAN. QoS shapes outgoing traffic on the WAN (vlan1), so if you try to shape traffic on vlan1 you will destroy actual QoS. These scripts work without problems with QoS enabled. QoS prioritizes outgoing traffic and you can also set speed limits to some or all users. It's good for people that are choking your connection.
Tuning
Tomato is extremely efficient and will dynamically unload modules, stop services and shut down processes if certain features are no longer enabled. The following features, once disabled, will result in fewer running processes. Fewer running processes result in more free memory, less CPU load and faster boot times. In general, it is worth your time to disable unused features. For example, just enable HTTP or HTTPS web access; it is not necessary to have both enabled.
Of course, Tomato runs well with the entire gamut of functionality enabled.
- CIFS
- UPnP
- Telnet Server
- SSH Server
- Syslog
- DHCP Server
- HTTP Web Administration
- HTTPS Web Administration
- Bandwidth Statistics
- JFFS2 file system
- L7 QoS Filtering ("Inbound Layer 7"??)
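A check from a wired LAN client of which administration services are actually listening, covering both the list above and the SES/AOSS telnet daemon on port 233 described under "Before the Upgrade" (an added example, not part of Tomato). Port 233 and the router address are from this page; the other port numbers are the usual service defaults and, like the function names, are assumptions.

```python
import socket
from typing import Dict, List

# 233 is the SES/AOSS telnet daemon's port as given on the page. The other
# numbers are the usual service defaults (assumption: change them here if you
# changed them in the GUI).
ADMIN_PORTS = {"backdoor": 233, "telnet": 23, "ssh": 22, "http": 80, "https": 443}

def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(host: str, ports: Dict[str, int] = ADMIN_PORTS,
          timeout: float = 1.0) -> Dict[str, bool]:
    """Map each service name to whether its port accepts connections."""
    return {name: port_open(host, port, timeout) for name, port in ports.items()}

def findings(result: Dict[str, bool]) -> List[str]:
    """Turn an audit result into the follow-up actions this page calls for."""
    notes = []
    if result.get("backdoor"):
        notes.append("port 233 telnet daemon is listening: reboot the router to close it")
    if result.get("telnet"):
        notes.append("telnet server is enabled: logins cross the LAN in cleartext")
    if result.get("http") and result.get("https"):
        notes.append("HTTP and HTTPS administration are both enabled: one is enough")
    return notes

if __name__ == "__main__":
    state = audit("192.168.1.1")   # the router's default LAN address
    for name, is_open in state.items():
        print(f"{name:9s} {'open' if is_open else 'closed'}")
    for note in findings(state):
        print("!", note)
```
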
USB Printing
Tomato will support USB printing with a bit of extra work:
There is also a modified Tomato version with working USB Support:
Bridging a Linksys WRT54G and Belkin 7230-4 Wirelessly
After many hours of searching and reading I found this, and it works. Connected wired to the Belkin now and it is wirelessly linked to my Buffalo running Tomato, which connects to my cable modem. Now I can ditch a long ugly CAT5 cable and can connect 4 wired devices and have improved signal strength for my wireless devices.
WRT54G JTAG To AVR Cable
A simple/free way to program one of Atmel's AVR microcontrollers for those that already have the WRT54G-style JTAG cable:
Miscellaneous Notes
- Some NVRAM settings may not be compatible with other firmwares. It is recommended to erase NVRAM and reconfigure from scratch after flashing to or from this firmware.
- You can enter a custom DDNS URL like the following: http://www.mycustomdns.com/update.cgi?username=scooby&password=spooky&ip=@IP. The "@IP" keyword is automatically replaced with the current IP address. Check with your DDNS provider for the exact format to use.
- The BusyBox crond included in Tomato is a little different from the Vixie crond found in HyperWRT, DD-WRT, etc. To make it easier and safer to schedule a job, use the helper script called cru instead of manually changing the config file.
- Want to try changing things without permanently writing them to nvram? Go to Administration→Debugging and enable "Avoid performing an NVRAM commit". When you're done playing around, reboot to discard the changes or use the "NVRAM commit" link to save the changes.
- Some GUI settings, like refresh time, are saved as cookies by your web browser.
- Linksys' password protected TFTP upgrade will not work with Tomato. If you need to use TFTP to upgrade the firmware, use the bootloader's TFTP upgrade feature.
- If you're saving the bandwidth history, don't forget to backup the data to another location!
