Tomato (firmware)

From Wikibooks, the open-content textbooks collection



Introduction

Tomato is a partially free, open source, Linux-based firmware for several Broadcom-based Wi-Fi routers, including the Linksys WRT54G. The major emphasis of Tomato is on stability, speed and efficiency. It is maintained by Jonathan Zarate, who also developed HyperWRT +tofu. The official website is located here.

Tomato is notable for its web-based user interface, which includes several types of bandwidth usage charts, advanced QoS and access restriction features, raised connection limits that enable P2P networking, and support for 125 High Speed Mode (marketed by Linksys as "SpeedBooster").

Supported devices and revisions

  • Linksys WRT54G (v1-v4 only), WRT54GS (v1-v4 only), WRT54GL (v1 & v1.1), WRTSL54GS (no USB support)
  • Buffalo WHR-G54S, WHR-HP-G54, WZR-G54, WZR-HP-G54, WZR-RS-G54, WZR-RS-G54HP, WBR-G54, WBR2-G54, WVR-G54-NF, WHR2-A54-G54, WHR3-AG54 (WHR-G125 Supported in the ND version of Tomato)
  • ASUS WL-500g Premium (no USB support), WL-500g Premium v2 (use the ND version), WL500GE, WL520GU (1.22 and above, see FAQ, no USB support)
  • Microsoft MN-700 works perfectly with v1.14, except that the "Buttons and LED" function is not supported.
  • SparkLAN WX6615GT
  • Fuji RT390W
  • Dell TrueMobile 2300
  • Tomato is not compatible with Linksys routers WRT54G/GS version 5 or newer. These routers do not run Linux. See the Wikipedia Tomato page if you are interested in making a Tomato-compatible purchase.

Linksys

Linksys WRT54G
Version | CPU speed | RAM | Flash memory | S/N Prefix | Notes
1.0 | 125 MHz | 16 MB | 4 MB | CDF0, CDF1 | 20 front panel LEDs (including link/activity, collision detection and speed rating indicators for each RJ-45 port). Wireless capability was provided by a Mini PCI card attached to the router motherboard.
1.1 | 125 MHz | 16 MB | 4 MB | CDF2, CDF3 | Front panel LEDs reduced to eight (one link/activity LED per port, plus one each for power, wireless, DMZ and WAN/Internet connectivity). Wireless chipset is integrated onto motherboard.
2.0 | 200 MHz | 16 MB | 4 MB | CDF5 | Same as 1.1 with a CPU upgrade and greater wireless transmitter integration (fewer transmitter parts). Some of these have 32 MB of RAM but are locked to 16 MB in the firmware.
2.1 | 216 MHz | 16 MB | 4 MB | CDF6 | Same physical appearance as 1.1 and 2.0 models. Some of these models have 32 MB of RAM installed but have been locked to 16 MB by the manufacturer. Some models have two 16 MB MIRA P2V28S40BTP memory chips.
2.2 | 216 MHz | 16 MB | 4 MB | CDF7 | Same physical appearance as 1.1 and 2.0 models. Switching chipset from ADMtek 6996L to Broadcom BCM5325EKQM. Some of these models have 32 MB of RAM installed but have been locked to 16 MB by the manufacturer. Some models have 16 MB Hynix HY5DU28162ET-J memory chips.
3.0 | 216 MHz | 16 MB | 4 MB | CDF8 | Identical to 1.1 and later models, except for the CPU speed and an undocumented switch behind left front panel intended for use with a feature called "SecureEasySetup".
3.1 | 216 MHz | 16 MB | 4 MB | CDF9 | The Version 3.1 hardware is essentially the same as the Version 3.0 hardware. Adds "SecureEasySetup" button.
4.0 | 200 MHz | 16 MB | 4 MB | CDFA | Broadcom BCM5352EKPB Chipset
TM | 200 MHz | 32 MB | 8 MB | CO61 | Use dd-wrt Tornado CFE updater (or JTAG) and cross-over to Tomato using Web upgrade

Linksys WRT54GS
Version | CPU speed | RAM | Flash memory | S/N Prefix | Notes
1.0 | 200 MHz | 32 MB | 8 MB | CGN0, CGN1 | Broadcom BCM4712KPB and ADMtek 6996L switch. Added SpeedBooster technology (Broadcom Afterburner technology), claims to boost the throughput of 802.11g by 30% (for maximum boost needs SpeedBooster technology on the other side, but will boost standard 802.11g as well)
1.1 | 200 MHz | 32 MB | 8 MB | CGN2 | Chipset changed to Broadcom BCM4712LKFB and BCM5325EKQM switch.
2.0 | 216 MHz | 32 MB | 8 MB | CGN3 | 10 LED Front Panel (two new ones behind Cisco logo button). Also capable of SecureEasySetup, but use of the logo button and lighting of the new LEDs behind it requires firmware upgrade. Broadcom BCM4712 chip REV1 or REV 2
2.1 | 216 MHz | 32 MB | 8 MB | CGN4 | Radio chip is changed from BCM2050 to BCM2050KML.
3.0 | 200 MHz | 32 MB | 8 MB | CGN5 | Use System-on-Chip: processor, MAC, and switching are handled by Broadcom BCM5352EKBP.
4.0 | 200 MHz | 16 MB | 4 MB | CGN6 | Reduced RAM & Flash (a very rare few have 32 MB/8 MB)

Linksys WRT54GL
Version | CPU speed | RAM | Flash memory | S/N Prefix | Notes
1.0 | 200 MHz | 16 MB | 4 MB | CL7A | New model line, released after the version 5 WRT54G, which returns to a Linux-based OS as opposed to the VxWorks firmware. SpeedBooster is not enabled in stock firmware, however third-party firmware will enable the feature. The hardware is essentially the same as the WRT54G version 4.0. One alteration is that the internal numbering scheme of the 4-port switch changed in this model, from 1 2 3 4, to 3 2 1 0.
1.1 | 200 MHz | 16 MB | 4 MB | CL7B, CL7C | As of May 8, 2008, this version was shipping with firmware revision 4.30.11. This pre-loaded firmware allows the user to upload a 4MB firmware image, whereas the pre-loaded firmware on version 1.0 limited the image to 3MB. Firmware version 4.30.12 is now available for both hardware versions. Fully supported by Tomato

Linksys WRTSL54GS
Version | CPU speed | RAM | Flash memory | S/N Prefix | Notes
1.0 | 264 MHz | 32 MB | 8 MB | CJK0 | Released after the WRT54GS and WRT54GL. Uses Linux-based OS. Includes SpeedBooster support, additional firmware features, and an external USB 2.0 port (StorageLink) for network storage. Uses 8 MB of Intel TE28F640 flash with a Broadcom BCM4704KPB processor and Broadcom BCM5325FKQM Ethernet switch.
1.1 | 264 MHz | 32 MB | 8 MB | CJK11 | Change from BCM4704 rev 8 to BCM4704 rev 9 unconfirmed

Buffalo

Model | CPU speed | RAM (MB) | Flash memory (MB) | S/N Prefix | Notes
WHR-G54S | Broadcom 5352 @ 200MHz | 16 | 4 | ? | ?
WHR-HP-G54 | Broadcom 5352 @ 200MHz | 16 | 4 | ? | ?
WZR-G54 | ? | ? | ? | ? | ?
WZR-HP-G54 | Broadcom 4704 @ 264MHz | 64 | 4 | ? | ?
WZR-RS-G54 | Broadcom 4704 @ 264MHz | 64 | 8 | ? | ?
WZR-RS-G54HP | Broadcom 4704 @ 266MHz | 64 | 8 | ? | ?
WBR-G54 | Broadcom 4710 @ 125MHz | 16 | 4 | ? | ?
WBR2-G54 | Broadcom 4712 @ 200MHz | 16 | 4 | ? | ?
WVR-G54-NF | ? | ? | ? | ? | ?
WHR2-A54-G54 | ? | 64 | ? | ? | ?
WHR3-AG54 | Broadcom 4704 @ 264MHz | 64 | 4 | ? | ?
WHR-G125 | Broadcom 5354 @ 240MHz | 16 | 4 | ? | Must use the ND version of Tomato on this router.

Asus

Model | CPU speed | RAM (MB) | Flash memory (MB) | S/N Prefix | Notes
WL-500g | Broadcom 4710 @ 125MHz | 16 | 4 | ? | ?
WL-500gE | ? | ? | ? | ? | ?
WL-500gP Premium V1 | BCM94704 @ 266 MHz | 32 | 8 | ? | First Flash via TFTP
WL-500gP Premium V2 | BCM5354 CPU @ 240 MHz | 32 | 8 | ? | Requires ND version as of 1.23, stock firmware has no USB support (See Tomato 1.23 ND USB Mod)
WL-500W | Broadcom 4704 @ 264 MHz | 32 | 8 | ? | Unconfirmed but same chipset as Buffalo WZR-HP-G54, WZR-RS-G54, WZR-RS-G54HP, WHR3-AG54 as well as the Linksys WRTSL54GS.
WL-520gu | BCM5354 CPU @ 240 MHz | 16 | 4 | ? | Requires ND version as of 1.23, stock firmware has no USB support (See Tomato 1.23 ND USB Mod)

Microsoft

Model | CPU speed | RAM (MB) | Flash memory (MB) | S/N Prefix | Notes
MN-700 | Broadcom 4710 @ 125MHz | 16 | 4 | ? | ?

Sparklan

Fuji

Dell

Model | CPU speed | RAM (MB) | Flash memory (MB) | S/N Prefix | Notes
TrueMobile 2300 | Broadcom BCM94710 @ 125MHz | 16 | 4 | ? | ?

Features

  • Dynamic interactive GUI using Ajax (a technique for creating interactive web pages that update without reloading), SVG (scalable vector graphics that provide quality graphics within a browser) and CSS-based color schemes (allowing you to change the look and feel of the router configuration screens).
  • CLI (using BusyBox) with access via TELNET or SSH (using Dropbear)
  • DHCP server (using Dnsmasq) with dynamic and static DHCP leases
  • DNS forwarder (using Dnsmasq) with local hostnames, local domain names, and caching of internet addresses
  • Netfilter/iptables with customizable settings, IPP2P and l7-filter
  • Wake-on-LAN
  • Advanced QoS: 10 unique QoS classes defined, real-time pie graph display of prioritized traffic with drilldown into class details
  • Bandwidth graphing/statistics: real-time, last 5 hours, daily, monthly
  • Wireless modes: access point (AP), wireless client station (STA), wireless ethernet (WET) bridge, wireless distribution system (WDS aka wireless bridging), simultaneous AP and WDS (aka wireless repeating)
  • Dynamic DNS service with ezUpdate and services extended for more providers
  • Syslog viewable through the GUI (also downloadable)
  • SES button control
  • JFFS2
  • CIFS client
  • Adjustment of transmit power of wireless LAN, antenna selection, and 14 wireless channels
  • 'Boot wait' protection (increase the time slot for uploading firmware via the boot loader)
  • Advanced port forwarding, redirection, and triggering with UPnP page to view and delete UPnP forwarded port mappings
  • Advanced access restrictions
  • Init, Shutdown, Firewall, and WAN Up scripts
  • Uptime, load average, and free memory status
  • Reboot ability, although almost no configuration changes require a reboot
  • Wireless survey page to view other networks in your neighborhood
  • Known bugs in Broadcom-based Linksys firmware fixed

Licensing

While the core source code is licensed under GPLv2, the source code for the user interface is under a more restrictive license which forbids use without the author's permission.

Tomato Firmware Interface

Try out the Virtual Tomato Interface (based on firmware 1.07).

Installing

Before the Upgrade

  • The GUI relies heavily on JavaScript to generate the content and XMLHTTP (AJAX) to update it. Be careful if you need to use this from an older/minimal browser since it was not designed to downgrade gracefully. This has been tested only on Firefox v1/2/3, Opera v9 and IE v6/7.
  • Do all upgrades through a wired LAN cable (i.e. NOT wirelessly). (Although it's possible to upgrade the firmware wirelessly, the transmission may be corrupted by a running microwave oven or ringing cell phone, which will render your router useless, so just don't do it.)
  • The GUI username is "admin" or "root" (username is required), ssh and telnet username is always "root", and the default password is "admin".
  • By default, the SES/AOSS button is programmed to start a password-less telnet daemon at port 233 if held for 20+ seconds. If you run into a problem of not being able to login, you can use this to view ("nvram get http_passwd") or reset ("nvram set http_passwd=newpassword") the password. You can disable this behavior in Admin/Buttons. Remember to reboot the router after retrieving your password to close the backdoor.
  • If you're upgrading from DD-WRT v23 SP2+, be aware that you may get locked-out because of a change in DD-WRT's use of the nvram password key. You have a few options:
    • Push the reset button to reset all the configuration after installing Tomato.
    • Use the SES/AOSS button as described above.
    • Log in with telnet* and type "nvram get http_passwd" while running DD-WRT and write down the result - this will be your password after loading Tomato. (*the telnet login name is always 'root' even if you have changed the user name in the DD-WRT web interface).
  • G\code.bin is for WRT54G v1-4 and WRT54GL v1, GS\code.bin is for WRT54GS v1-3, GSv4\code.bin is for WRT54GS v4, and TRX\code.trx is for the WHR-G54S/WHR-HP-G54S. If you're just upgrading an existing Tomato firmware from the GUI, any of these will work.
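
The SES/AOSS fallback described above leaves a password-less telnet listener on port 233 until the router is rebooted. The check below is an added example (not part of Tomato or of the original page) that reports, from a wired LAN host, whether that listener or ordinary telnet on port 23 is still reachable. The function names, the `ROUTER` variable, and the reliance on bash's `/dev/tcp` and coreutils `timeout` are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example, not part of Tomato: confirm from a wired LAN host that the
# router's telnet listeners are closed after a password recovery.
# Assumptions: bash (for /dev/tcp) and coreutils `timeout` are installed.

ROUTER="${ROUTER:-192.168.1.1}"   # Tomato's default LAN address (from the page)

# port_state HOST PORT -> prints "open" if a TCP connect succeeds within 2 s,
# otherwise "closed" (refused, filtered or timed out).
port_state() {
    if timeout 2 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null; then
        echo open
    else
        echo closed
    fi
}

# finding PORT STATE -> one report line for the ports this page mentions.
finding() {
    case "$1:$2" in
        233:open) echo "FAIL port 233: password-less SES/AOSS telnet is running; reboot the router and disable it in Admin/Buttons" ;;
        23:open)  echo "WARN port 23: telnet is enabled; logins cross the LAN in cleartext" ;;
        22:open)  echo "INFO port 22: SSH (Dropbear) is enabled" ;;
        *:closed) echo "OK   port $1: closed" ;;
        *)        echo "INFO port $1: $2" ;;
    esac
}

# audit_router [HOST] -> prints one finding per port (22, 23, 233).
# Returns 1 if the password-less listener on port 233 is reachable, else 0.
audit_router() {
    host="${1:-$ROUTER}"
    rc=0
    for port in 22 23 233; do
        state=$(port_state "$host" "$port")
        finding "$port" "$state"
        if [ "$port:$state" = "233:open" ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Usage (after sourcing this file): audit_router 192.168.1.1
```

A non-zero exit status from `audit_router` means the port 233 listener is still up, so the router has not been rebooted since the button was used.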

Installing on a Linksys WRT54G, WRT54GL or WRT54GS

  • Unarchive the 7z package you downloaded.
  • Open the Linksys GUI in your browser. The default URL is http://192.168.1.1/. The default credentials are username: {blank}, password: admin
  • Click the Administration tab, then Firmware Upgrade.
  • Select and upload the correct firmware for your router.
  • Wait for about 2 minutes while the firmware is uploaded & flashed.
  • Log in to the router, and reset factory defaults (under Administration/Configuration/Restore Default Configuration, select the "Erase all data in NVRAM Memory (thorough)" option and click OK). The router will restart again, and the factory default login is "root" with a password of "admin". If you have a password set with the old Linksys firmware, try using that password before a manual reset if you encounter any problems logging into the Tomato GUI.

MandLadventures.com has detailed instructions on how to upgrade from DD-WRT to Tomato.

Installing on an ASUS WL-520gU

Installing from OEM firmware

Installing Tomato firmware from OEM firmware may need a little massaging to get it on the device.

  1. If the device has OEM firmware version 3.x or later, then you need to revert it to a pre-3.x version first (download from support.asus.com.tw).
  2. Download and unpack the "ND" version of Tomato firmware, then rename the file to "WL520gu_2.0.0.9_EN.trx".
  3. Use the OEM menus to update the firmware with the renamed Tomato file.

Once installed, you can load any other firmware file without the machinations.

USB support for storage and printers

As noted above, the USB port is not supported by the standard Tomato firmware. There are alternative variations that add this support; see the forum posting "Tomato 1.xx ND USB + FTP/Samba Mod" for the list of features.

  1. Download and unpack the desired Tomato variation from mediafire.com.
  2. Install (note OEM firmware installation instructions, above).
  3. Enable USB features in the web UI.

Installing on a Buffalo WHR-G54S/WHR-HP-G54S in Windows 2000 and XP

Warning: Be aware that Buffalo only has encrypted firmwares on their web site. You will not be able to revert back to Buffalo's firmware without an unencrypted version of their firmware.

Vista note: Install the tftp client before continuing. Go to Control Panel-->Programs and Features-->Add/remove Windows Features-->tftp client

The following is for an initial install on a Buffalo router. If you're already using a third-party firmware or just upgrading a Tomato firmware, try uploading any of the .bin files from the GUI.

  • Plug your computer directly to the router's LAN port. This will not work over a wireless connection.
  • Set your computer's ethernet card settings to: IP=192.168.11.2, mask=255.255.255.0, gateway=192.168.11.1 (Gateway and DNS settings are optional and not needed to flash Tomato). In Windows, you can set this by going to Control Panel, Network Connections, right-click your ethernet card, click properties, then TCP/IP.
  • Plug in your router and quickly enter this in a DOS window: "tftp -i 192.168.11.1 put tomato.trx". It will return Timeout if it failed or Transferred if it was successful.
  • Make sure you are unplugging/replugging the router's power cable (not the ethernet cable). There is only a 3-5 second window while the router is booting during which you can send and install a new firmware. If you miss that and the old firmware boots, you'll get a continuous "ping ... tftp ... ping ... tftp". Unplug, wait a few seconds and try again. It might be tricky to get the timing right...
  • After waiting for at least 2 minutes after the initial flash, with the power still on, push the reset button for one full minute to reset the configuration. Release the reset button and allow the unit to boot up before trying to access it.
  • Your router is now at the address of 192.168.1.1 which you can access by manually changing the computer back to 192.168.1.2, subnet 255.255.255.0, Gateway 192.168.1.1 and DNS 192.168.1.1, or simply set your computer back to DHCP (Obtain Automatically in the TCP/IP properties).
  • The tftp -i 192.168.11.1 put code.trx process involves the manual hit and miss timing of running a ping loop and hitting enter at just the right time during the power up sequence. The provided batch file eliminates this hectic method of flashing and has rendered it obsolete. Use the Tomato batch file that is included with the Tomato firmware to flash all compatible Buffalo routers. If you get timeout errors copy the tftp.exe file from Windows/System32/ into the same directory as the .bat and .trx files so the system can find tftp.exe faster.

Installing on a Buffalo WHR-G54S/WHR-HP-G54S in Windows (from DD-WRT)

  • You can use the DD-WRT web interface to flash to the Tomato firmware.
  • First, obtain the password for the router. Telnet to the router. Assuming your router can be found at 192.168.1.1, you'd type "telnet 192.168.1.1" at a command prompt to login to the router. Type "nvram get http_passwd". Make note of this password for later use.
  • Download the Tomato firmware and extract it. In the "trx" subfolder, rename the file code.trx to code.bin. (DD-WRT does not recognize the .trx file extension as firmware.)
  • Update the firmware via the DD-WRT web interface. The Tomato firmware is now installed.
  • Access the Tomato web interface and browse to Administration > Configuration > Restore Default Configuration. Then select "Erase all data in NVRAM memory (thorough)" and click OK.
  • Please note that the instructions for flashing the firmware via the web interface will only work once you've installed DD-WRT (or perhaps another 3rd party firmware).

Installing on a Buffalo WHR-G54S/WHR-HP-G54S in OS X, Linux, and other Unix-based OS's

Warning: Be aware that Buffalo only has encrypted firmwares on their web site. You will not be able to revert back to Buffalo's firmware without an unencrypted version of their firmware.

The following is for an initial install on a Buffalo router. If you're already using a third-party firmware or just upgrading a Tomato firmware, try uploading any of the .bin files from the GUI.

  1. Plug your computer directly to the router. This will not work over a wireless connection.
  2. Push the reset button for at least 30 seconds to reset the configuration.
  3. Unplug power to the router and plug it back in after at least 10 seconds.
  4. Set your computer's ethernet card settings to: IP=192.168.11.2, mask=255.255.255.0, gateway=192.168.11.1.
  5. Open two terminal windows.
    • In the first one, type and execute this: ping 192.168.11.1
    • You should now be continually pinging the router.
  6. Unplug power to the router. The pings should stop returning now.
  7. In the second window, cd to the directory in which your firmware is located. Then execute the following:
    tftp
    binary
    rexmt 1
    trace
    connect 192.168.11.1
    Even though the router is still powered down, tftp doesn't actually "connect" when you execute the connect command. Instead, it merely stores the address away until needed.
  8. Still in the second terminal window, type the following but do not execute yet:
    • put tomato.trx
  9. Plug the router back in. The moment you see pings coming across in the first terminal window, execute the put command you prepared in the second terminal window. If you see a successful transfer, leave the router alone for at least 2 minutes, then unplug the power, wait 10 seconds and plug it back in.
  10. Reset your computer's ethernet card settings back to use DHCP. You can also manually enter the following settings: IP=192.168.1.2, mask=255.255.255.0, gateway=192.168.1.1.
  11. To login to the router, just go to http://192.168.1.1/ in your web browser. Login name is root, password is admin.
  12. Configure your very fine router as desired.
  13. (Instructions adapted from DD-WRT Wiki and Chromite's "Guide to install DD-WRT Firmware on a Linksys WRT54G router.")
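
The timing-sensitive steps above can be scripted, much as the bundled batch file does on Windows. This is an added example, not the batch file shipped with Tomato and not code from the original page: it refuses to send a file that does not begin with the TRX magic bytes `HDR0` (a property of the TRX container format, not stated on this page), waits for the first ping reply from the boot loader, and then feeds `tftp` the commands from steps 7 and 8. The function names and the `ROUTER` variable are assumptions, and `ping -c 1 -W 1` assumes the Linux iputils `ping`.

```shell
#!/usr/bin/env bash
# Added example, not shipped with Tomato: script the "ping, then put" timing
# of the manual Unix procedure, with a pre-flight check on the image file.

ROUTER="${ROUTER:-192.168.11.1}"   # Buffalo boot-loader address (from the page)

# is_trx FILE -> succeeds only if FILE is readable and starts with "HDR0".
# The magic value is a fact about the TRX format, not taken from the page.
# An image that carries a vendor header in front of the TRX data fails here.
is_trx() {
    [ -r "$1" ] || return 1
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -c | tr -d ' \n')
    [ "$magic" = "HDR0" ]
}

# tftp_batch FILE -> prints the tftp client commands from steps 7 and 8.
# FILE must not contain spaces, because the tftp prompt splits on them.
tftp_batch() {
    printf 'binary\nrexmt 1\ntrace\nconnect %s\nput %s\n' "$ROUTER" "$1"
}

# wait_for_ping HOST SECONDS -> succeeds at the first echo reply,
# fails once SECONDS have passed without one.
wait_for_ping() {
    deadline=$(( $(date +%s) + $2 ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        ping -c 1 -W 1 "$1" >/dev/null 2>&1 && return 0
    done
    return 1
}

# flash FILE -> returns 2 if FILE is not a TRX image, 3 if the boot loader
# never answered, otherwise the exit status of the tftp client.
flash() {
    is_trx "$1" || { echo "refusing: $1 is not a readable TRX image" >&2; return 2; }
    echo "Plug the router's power back in now; waiting for $ROUTER ..." >&2
    wait_for_ping "$ROUTER" 60 || { echo "no reply from $ROUTER" >&2; return 3; }
    tftp_batch "$1" | tftp
}

# Usage (after sourcing this file, from the firmware directory): flash tomato.trx
```

As in the manual procedure, leave the router powered for at least 2 minutes after a successful transfer.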

Upgrading The Firmware

  1. Open the GUI in your browser. The default URL is http://192.168.1.1/
  2. Click Administration, then Upgrade.
  3. Select any of the files and click the Upgrade button.
  4. Wait for about 2 minutes while the firmware is uploaded & flashed.
  5. According to the author, it is not necessary to reset the configuration if you are upgrading from a previous version of Tomato Firmware. If you are upgrading from another firmware, however, a reset is recommended (Tomato's FAQ). Log in to the router, and reset factory defaults (under Administration/Configuration/Restore Default Configuration, select the "Erase all data in NVRAM (thorough)" option and click OK). The router will restart. The factory default login is "admin" with a password of "admin". [1]

Menus in Tomato

The following is a listing of all of the available menu options in the Tomato GUI, and their functions.

After editing settings on a page, click the Save button at the bottom of the page before navigating to another page; otherwise the newly entered settings are not saved.

Status

Provides information on the current condition of the router.

Overview

The Overview screen shows information on the current state of the router. It is organized into four sections:

System

Gives current overall system status.

  • Name: Router name
  • Model: Router make and model
  • Time: System Time and Date
  • Uptime: Total time the router has been up since the last reboot
  • CPU Load (1 / 5 / 15 mins): CPU load average for the 1, 5 and 15 minute intervals
  • Total / Free Memory: Total device memory in MB, free memory (unused + cache) in KB, Percentage of free memory (FreeMemory(KB) / 1024 / TotalMemory(MB) * 100)

WAN

The WAN screen gives information on the Wide Area Network (Internet) connection.

  • MAC Address: WAN (Internet) adapter MAC address
  • Connection Type: DHCP or Static
  • IP Address: WAN (Internet) IP Address
  • Subnet Mask: WAN (Internet) IP Netmask
  • Gateway: Internet gateway address
  • DNS: lists WAN (Internet) DNS servers
  • MTU: TCP maximum transmission unit, or maximum packet size in bytes. Do not increase this unless all other connected network gear supports jumbo frames.
  • Status: whether the WAN (Internet) link is connected or not
  • Connection Uptime: total time that the connection has been up
  • Remaining Lease Time: total time remaining on DHCP lease from ISP
  • Renew: button to Renew DHCP IP address
  • Release: button to Release DHCP IP address

LAN

Gives a summary of the settings related to the Local Area Network, and the MAC Address for the wired portion of the network.

  • Router MAC Address: Internal MAC address of the router, for LAN only
  • Router IP Address: The Static LAN IP address assigned to the router
  • Subnet Mask: The LAN Network Mask assigned to the router
  • DHCP: The DHCP scope / range of addresses that can be assigned by the DHCP server

Wireless

Gives information on the wireless portion of the Local Area Network.

  • MAC Address: The MAC address of the 802.11 wireless network interface
  • Wireless Mode: The operational role assigned to the wireless interface (i.e. - Access Point)
  • B/G Mode: 802.11b and 802.11g protocol restrictions (i.e. - G only)
  • Radio: Displays enable/disable status of the wireless network interface
  • SSID: Displays the wireless SSID or Service Set Identifier, a string used to distinguish wireless networks from each other
  • Security: Displays the current encryption algorithm used for wireless communications
  • Channel: Displays the current wireless channel and corresponding frequency (in GHz)
  • Enable: button that enables the wireless radio (grayed out when already enabled)
  • Disable: button that disables the wireless radio (grayed out when already disabled)

Device List

The Device List provides a list of the current devices that have been assigned an IP address by the DHCP server. Devices are listed by Interface, which indicates where on the router they are connected:

  • br0 refers to Wired Ethernet (LAN) devices. In other words, devices that are connected to the router on the four Ethernet ports (either directly or via a hub or switch).
  • eth1 refers to Wireless Ethernet (WLAN) devices. In other words, devices that are connected to the router via the wireless radio.
  • vlan1 refers to your WAN (Internet) connection. In other words, the connection to your Internet modem (Cable modem, DSL modem, or upstream router).

Logs

The Logs page allows you to view the Internal system logs (assuming Internal Logging is enabled - see "Logging" under "Administration").

  • View Last 25 Lines: View most recent 25 lines of kernel log
  • View Last 50 Lines: View most recent 50 lines of kernel log
  • View Last 100 Lines: View most recent 100 lines of kernel log
  • View All: View entire kernel log
  • Download Log File: Download the kernel log to localhost
  • Find: Search the kernel log for user-defined text string
  • Logging Configuration
    • Log Internally
    • Log to Remote System
    • Mark Interval
    • Events Logged, Access Restriction De/Activation
    • Events Logged, Cron
    • Events Logged, DHCP Client
    • Events Logged, NTP
    • Events Logged, Scheduler
    • Connection Logging, Inbound Connection
    • Connection Logging, Outbound Connection
    • Limit Logging

Bandwidth

Displays the bandwidth of the interfaces. Interfaces can be excluded at Administration/Bandwidth Monitoring.

The Real-Time and Last 24 Hours charts are rendered with Scalable Vector Graphics (SVG), and require an SVG-enabled web browser. Mozilla Firefox, Apple's Safari 3 and Opera have SVG built-in. Microsoft Internet Explorer requires the SVG plugin from the Adobe SVG Viewer download area. The charts display an Interface Tab for each available router interface. Persistence of Interface Tab selection requires browser cookies to be enabled.

Charts share these controls:

  • Avg: Off, 2x, 4x, 6x, 8x : Number of samples to average, or no averaging.
  • Max: Uniform, Per IF : Graphs are scaled Uniformly to the max traffic value of all interfaces, or individually Per IF.
  • Display: Solid, Line : Selects a solid-filled "mountain" display or line only.
  • Color: Blue & Orange »: Selects trace pair color scheme
  • [reverse] : Toggles trace color order
  •  » Configure : Shortcut to Administration->Bandwidth Monitoring page.
  • Graph Legend toggle: Click on the vertical text (left edge of graph) to toggle display of horizontal graph legends. Automatically corrects as graph scale changes.
  • Cursor-tracking Readout (lower right edge of graph): when the mouse cursor moves over the graph, shows Day of Week, Time, and Bandwidth usage at that point. Updates only when the mouse moves. Disappears after 5 intervals: 10 seconds in Real-Time, 10 minutes in Last 24 Hours, etc.
  • Mouse-click readout: Click anywhere on the graph to place a static readout. Note: Does not update with graph movement or scaling.

Real-Time

The Real-Time Bandwidth section displays a chart, updated every two seconds, of the last 10 minutes of bandwidth used. Tabs at the top allow selection of the various interfaces for detail on the bandwidth for that interface.

Last 24 Hours

The Last 24 Hours section displays a chart, updated every two minutes, of the last 4/6/12/18/24 hours of bandwidth usage and the total data during the period. Tabs at the top allow selection of the various interfaces for detail on the bandwidth for that interface.

Daily

The Daily section displays a table with a row for each day showing download, upload and total bandwidth consumption. The default unit is GB (actually gigabinary bytes), but can be changed to MB or KB.

Weekly

The Weekly section displays a table with a row for each week showing download, upload and total bandwidth consumption. The default unit is GB (Gigabytes), but can be changed to MB or KB. The default week starting day is Sun (Sunday), but can be changed. An option to show Summary or Full data is available.

Monthly

The Monthly section displays a table with a row for each month showing total bandwidth consumption and the difference in bandwidth usage compared to the previous month. The start date of the month can be changed at "Administration->Bandwidth Monitoring->First Day Of The Month" to match the start date of data counter of any particular Internet plan.

Tools

A collection of useful network tools to analyze and troubleshoot the LAN, WAN and/or Wireless networks connected to the router.

Ping

The Ping tool allows you to ping computers on the Internet to verify connectivity. Simply enter the URL or IP address (Internet only) to ping, customize the number of retries or packet size if you wish, and press [PING]. Results will be displayed when the ping is complete.

Trace

The Trace tool allows you to perform a TRACERT (Trace Route) from your router to any Internet server. Enter the URL or IP address to trace to, and optionally the maximum hops and/or wait times, and press [TRACE]. Results are displayed when the trace is complete.

Wireless Site Survey

The Wireless Site Survey tool scans the wireless frequencies accessible to eth1 and reports a table of wireless devices. The Last Seen time stamp, SSID, BSSID (MAC address), RSSI, Noise, Quality rating (1-100), Channel, Capabilities and Rates are displayed.

WOL

The WOL tool allows you to send Wake-on-LAN (WOL) packets to computers on your network. A table of known MAC addresses is displayed so that individual WOL targets can be quickly selected, or user-defined MAC addresses can be entered in a data field.

Through the ssh/telnet interface you can also issue the ether-wake command. Remote SSH enables wakeup via

ssh root@yourwrt 'ether-wake mac-address'

as it can be difficult to get a WOL packet through the NAT.

Basic

Controls the most basic settings for the router.

Network

The Network section allows you to set up the Internet / Wide Area Network (WAN) connection that the router uses, the basic parameters of the Local Area Network (LAN), and the basic Wireless radio parameters.

WAN / Internet

Specifies how your router should connect to the Internet. Normally, this is done via an Ethernet cable connected from the WAN/Internet port to a Cable or DSL Modem.

  • Type: Specifies the type of connection used.

The rest of the parameters are variable, and based on the type of connection.

The default for most Cable modems is "DHCP", meaning that the router simply talks to your cable modem and is automatically assigned an IP address and other connection data.

DSL connections generally use PPPoE, which usually requires a username and password (provided by your DSL provider). Leave "Service Name" blank unless your provider requires one; otherwise you won't be able to connect.

LAN

Controls setup of the Local area Network (LAN), which includes settings for wired and wireless clients connected to the router.

  • Router IP Address: The IP address assigned to the router on the LAN. Default is 192.168.1.1.
  • Subnet Mask: The default of 255.255.255.0 means that any address starting with the same first three numbers as the router (default 192.168.1.x) is assumed to be on the Local Network. Making this too broad means that some Internet servers may be inaccessible.
  • Static DNS: Allows you to list a series of DNS servers manually (as opposed to getting them from your Internet Service Provider). Useful if your ISP's DNS servers are slow or unreliable, or if you prefer a different one.

DHCP Server

Dynamic Host Configuration Protocol (DHCP) is a protocol used by networked computers (clients) to obtain IP addresses. Use this to control the IP addresses that your router hands out to computers connected to the Wired or Wireless Local Network. If checked, the router will hand out addresses within the range specified. You may also customize the amount of time before computers on the LAN will renew their IP addresses (the Lease Time) and specify a Windows Internet Name Service (WINS) server if you use WINS.

Wireless

Controls the connection over the Wireless Local Area Network.

  • Enable Wireless: If checked, Wireless access will be allowed.
  • MAC Address: Displays the MAC address assigned to the Wireless radio on the router.
  • Wireless Mode: The normal setting for this is Access Point, which allows clients to connect to this router. The router can also be used in Wireless Distribution System (WDS) mode, and it can also connect to a Wireless ISP in Wireless Client. Another possible mode is Wireless Ethernet Bridge mode. This allows it to connect to another gateway router while still keeping all computers connected to both routers in the same subnet. Note: If the router is used as a wireless client or Wireless Ethernet Bridge, it cannot be used as an access point at the same time. (Note: As of 1.19 - Wireless Bridge must be set to WPA)
  • B/G Mode: This may be Mixed (B+G), B-Only (restricted to 802.11b), or G-Only (restricted to 802.11g). If you set this to B-Only or G-Only, connection attempts from the other protocol may be seen as interference. Recommend leaving this set to "Mixed".
  • SSID: Wireless router identifier. Allows you to uniquely identify your router and differentiate it from other routers in range.
    • Broadcast: If checked, the SSID will be broadcast, allowing the router to be found more easily. Disabling this is a very limited security measure. Casual scans will not be able to find the router, but anyone running sniffing software can easily find it.
  • Channel: The 2.4 GHz range channel used by the router. Generally, it is best to use the Wireless Survey under Tools to find any other access points in range, and use the frequency that is the furthest from any other frequency in use. Note that channels above 11 are not licensed for use in some countries: use carefully. These channels are still interesting because most routers default to 6 or 11 and surprisingly few people change them.
  • Security: Allows you to secure your wireless connections. WPA and/or WPA2 personal are the most secure protocols. Disabled means all connections are unencrypted and anyone can access the router. WEP is an older encryption protocol. While better than nothing, it is easily broken.

[edit] Identification

  • Router Name: Allows you to change the name of the router, which appears on login and administration screens.
  • Hostname: Use if your ISP or connection requires it.
  • Domain Name: Use if your ISP or connection requires it.

[edit] Time

  • Router Time: Displays current router time.
  • Time Zone: Tell the router which time zone you are in so it can adjust to local time. If you set this to Custom, you can enter a string that allows you to customize a time zone.
    • Auto Daylight Saving Time: If checked, the router will compensate for Daylight Saving Time. If not, it will always use Standard Time.
  • Auto Update Time: How often the router connects to a Network Time Protocol (NTP) server to update its internal clock. If the router time is not updated automatically, make sure you have a working DNS in Basic:Network, otherwise the router will not be able to resolve the NTP address.
    • Trigger Connect On Demand: If checked, the router will force a connection as needed to update time. If not checked, the router will only check time if a connection to the Internet is already established.
    • NTP Time Servers: List of NTP servers to use to update the time.

NTP Time Servers may request that Tomato block them from being used in the future. If this happens, Tomato will display the following message: "The following NTP servers have been automatically blocked by request from the server: XXX.XXX.XXX.XXX."

[edit] DDNS

Dynamic DNS (DDNS) is a special DNS registry/server that can be updated each time your IP address changes, however frequently. Instead of having to know your IP address each time it changes, a computer on your network can run a special network program that submits your updated IP address, which you can then refer to via a standard URL issued by your DDNS provider. Most DDNS providers offer a free personal account for you to use.

As an alternative to running an application on one of your PCs, Tomato provides a built-in DDNS client right in the firmware that supports a number of DDNS providers. From the main menu, select "Basic" then "DDNS".

For most DDNS providers, you simply select the provider from the pull-down list, and enter your username, password, and hostname. Detailed instructions on operating each DDNS provider's account can be found at their web site.

DDNS can be used to permit web access to the router for system administration purposes.

[edit] Static DHCP

This is a simple way to ensure that each of the clients that connects to your Tomato router gets the same IP address each time. Simply enter the MAC address for your device (which you can find on the "Device List"), and enter your preferred IP address.

Generally, it's best to use an IP address that is within the subnet range for your Tomato router, but outside the normal DHCP assignment range. In other words, use an address that starts with the same three numbers (default 192.168.1.x) as your router, but has a fourth number that is not likely to be assigned to any clients by the normal DHCP settings.

Note: Do not use spaces in the hostname field, because the router uses the space character to parse multiple hostnames (e.g. if you enter the hostname "My PC", the router will create two hostnames: "My" and "PC". These will both be resolved to the specified IP address). Use of the hyphen character is a good practice if you want a multi-word hostname: "My-PC".

If you have the DHCP server set to assign IP addresses in the range of 192.168.1.100 to 192.168.1.150, for example, good choices for Static DHCP assignments would be either in the 192.168.1.2 - 192.168.1.99 range, or 192.168.1.151 - 192.168.1.254.

An easy way to add an IP address to the Static DHCP list is to go to the "Device List" and click on the IP address of the device you want to make Static. This will take you to the Static DHCP function, and all you need to do is edit the device name (optional) and click "Add". (Don't forget to click "Save" to commit.)

Tomato originally supported 50 entries; this has been increased to 100.
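The rules above (stay inside the router's subnet, stay outside the dynamic pool, no spaces in the hostname field) can be checked before a table is typed into the GUI. The following Python sketch is an added example, not part of Tomato; the function name, the tuple layout and the sample entries are assumptions made for illustration.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample table: (MAC address, IP address, hostname field).
SAMPLE_ENTRIES = [
    ("00:11:22:33:44:55", "192.168.1.10", "nas"),
    ("00:11:22:33:44:66", "192.168.1.120", "printer"),
    ("00:11:22:33:44:77", "192.168.2.20", "laptop"),
    ("00:11:22:33:44:88", "192.168.1.151", "My PC"),
    ("00:11:22:33:44:99", "192.168.1.10", "PC"),
    ("0011.2233.44aa", "192.168.1.1", "gateway-alias"),
]


def check_static_dhcp(entries, router_ip, netmask, pool_start, pool_end):
    """Return [(entry_index, problem), ...] for a Static DHCP table."""
    lan = ipaddress.ip_network(f"{router_ip}/{netmask}", strict=False)
    router = ipaddress.ip_address(router_ip)
    lo = ipaddress.ip_address(pool_start)
    hi = ipaddress.ip_address(pool_end)
    problems = []
    ip_owner, mac_owner, name_owner = {}, {}, {}

    for i, (mac, ip_text, hostname) in enumerate(entries):
        # One reservation per MAC address.
        if not MAC_RE.match(mac):
            problems.append((i, "malformed MAC address"))
        elif mac.lower() in mac_owner:
            problems.append((i, f"MAC already used by entry {mac_owner[mac.lower()]}"))
        else:
            mac_owner[mac.lower()] = i

        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            ip = None
            problems.append((i, "malformed IP address"))
        if ip is not None:
            # Inside the subnet, but not a reserved address and not in the pool.
            if ip not in lan:
                problems.append((i, f"{ip} is outside the LAN subnet {lan}"))
            elif ip in (lan.network_address, lan.broadcast_address):
                problems.append((i, f"{ip} is the network or broadcast address"))
            elif ip == router:
                problems.append((i, f"{ip} is the router's own address"))
            elif lo <= ip <= hi:
                problems.append((i, f"{ip} is inside the dynamic pool {lo}-{hi}"))
            if ip in ip_owner:
                problems.append((i, f"{ip} already assigned to entry {ip_owner[ip]}"))
            else:
                ip_owner[ip] = i

        # The router splits the hostname field on spaces, so "My PC"
        # silently becomes the two names "My" and "PC".
        names = hostname.split()
        if len(names) > 1:
            problems.append((i, f"hostname field splits into {names}"))
        for name in names:
            key = name.lower()
            if key in name_owner and name_owner[key] != i:
                problems.append((i, f"hostname {name!r} also defined by entry {name_owner[key]}"))
            else:
                name_owner.setdefault(key, i)
    return problems


if __name__ == "__main__":
    for index, problem in check_static_dhcp(
            SAMPLE_ENTRIES, "192.168.1.1", "255.255.255.0",
            "192.168.1.100", "192.168.1.150"):
        print(f"entry {index}: {problem}")
```

Note how the "My PC" entry also causes a name collision with a later entry called "PC", which is easy to miss when the table is reviewed by eye.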

[edit] Wireless Filter

The Wireless Filter allows you to configure which wireless-equipped computers may or may not communicate with the router, depending on their MAC addresses. If the router is set up as an AP, bear in mind that all APs need the same setup. This may be inconvenient. You may want to use "Access restriction" on the main router, which will apply to all users on all APs.

100 rules are presently supported.

While a decent basic security measure, understand that all MAC addresses are transmitted in cleartext, and may be intercepted. This should not be used as a primary means of security.

[edit] Advanced

[edit] Conntrack / Netfilter

Adjustments for the number of connections and persistence for each connection in the Network Address Translation (NAT) table.

This is mostly relevant for people who use P2P or other connection-intensive applications on their Internet connections. The connection table has a finite number of entries, and if the entries are all used up, the router cannot make new connections. The only way to free up an entry is to gracefully terminate a connection (normal), or to have one time out. Since P2P applications rarely drop connections gracefully, they need to depend on the router to time out their connections for them.

The most important settings are:

  • Maximum Connections
    • Increasing this may slow down the router slightly. 4,096 is probably a good maximum value.
    • Keeping this too low may eventually result in running out of entries. The default of 2,048 is probably a good minimum value.
    • Clicking on count current next to the input field will tell you how many entries you are currently using.
    • Before increasing this field, consider using the TCP Timeout (below) to recycle existing connections faster, rather than increasing the number of connections.
  • Conntrack TCP Timeout: Established
    • This is the amount of time that an established connection will be maintained after its last activity.
    • Setting this too low will cause active TELNET / FTP connections to be dropped unless you have a keepalive to keep data flowing over the connection.
    • Setting this too high will cause old connections to be retained, wasting entries in the NAT table.
    • Four Hours (14,400 seconds) is a decent compromise, but you have to choose a value that balances retaining valid connections versus killing old ones. In a non-P2P environment, you can set this to several days without any problems (the Linksys default for this is FIVE DAYS, which is why many Linksys routers don't do well for P2P).

Most of the remaining settings would generally be used pretty rarely, and are probably present for adjustment by advanced users who might need to tweak their network settings.

Many sites recommend adjusting these values using a script such as this one:

echo 4096 > /proc/sys/net/ipv4/ip_conntrack_max
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
echo "600 1800 120 60 120 120 10 60 30 120" > /proc/sys/net/ipv4/ip_conntrack_tcp_timeouts

However, the two settings in the GUI listed above will accomplish everything the oft-published scripts claim to do, with less effort. Specifically, the Established TCP Timeout setting replaces the "1800" in the last line of the script, and the ip_conntrack_max number is controlled by the Maximum Connections setting. The gc_thresh settings are not really useful; it is better to let Tomato use its defaults for thresholds.
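To judge whether lowering the Established timeout would help more than raising Maximum Connections, you can look at how long the established entries in the table have been idle. The following Python sketch is an added example, not part of Tomato; it assumes the usual /proc/net/ip_conntrack line layout (protocol name, protocol number, seconds until expiry, then the TCP state), and the sample lines, addresses and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample in the assumed /proc/net/ip_conntrack layout:
# protocol name, protocol number, seconds until expiry, TCP state, tuples.
SAMPLE = """\
tcp      6 431990 ESTABLISHED src=192.168.1.100 dst=203.0.113.10 sport=40001 dport=443 src=203.0.113.10 dst=198.51.100.7 sport=443 dport=40001 [ASSURED] use=1
tcp      6 400000 ESTABLISHED src=192.168.1.101 dst=203.0.113.20 sport=51413 dport=6881 src=203.0.113.20 dst=198.51.100.7 sport=6881 dport=51413 [ASSURED] use=1
tcp      6 120000 ESTABLISHED src=192.168.1.101 dst=203.0.113.21 sport=51414 dport=6881 src=203.0.113.21 dst=198.51.100.7 sport=6881 dport=51414 [ASSURED] use=1
tcp      6 420000 ESTABLISHED src=192.168.1.102 dst=203.0.113.30 sport=40500 dport=22 src=203.0.113.30 dst=198.51.100.7 sport=22 dport=40500 [ASSURED] use=1
tcp      6 95 TIME_WAIT src=192.168.1.100 dst=203.0.113.11 sport=40002 dport=80 src=203.0.113.11 dst=198.51.100.7 sport=80 dport=40002 [ASSURED] use=1
udp      17 25 src=192.168.1.100 dst=203.0.113.53 sport=33000 dport=53 src=203.0.113.53 dst=198.51.100.7 sport=53 dport=33000 use=1
"""


def parse_conntrack(text):
    """Return a list of (protocol, tcp_state_or_None, seconds_remaining)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[1].isdigit() or not fields[2].isdigit():
            continue  # skip anything that is not a conntrack entry
        proto, remaining = fields[0], int(fields[2])
        # Only TCP entries carry a state word; for UDP the 4th field is "src=...".
        state = fields[3] if proto == "tcp" and "=" not in fields[3] else None
        entries.append((proto, state, remaining))
    return entries


def reclaimable(entries, current_timeout, candidate_timeout):
    """Count ESTABLISHED entries already idle for longer than candidate_timeout.

    Idle time is estimated as current_timeout - seconds_remaining, which holds
    only if the timeout was not changed since the entry last saw traffic.
    """
    count = 0
    for _proto, state, remaining in entries:
        if state == "ESTABLISHED":
            idle = max(0, current_timeout - remaining)
            if idle > candidate_timeout:
                count += 1
    return count


def summarize(text, max_connections, current_timeout, candidate_timeout):
    entries = parse_conntrack(text)
    by_state = Counter(state or proto for proto, state, _ in entries)
    return {
        "total": len(entries),
        "used_pct": round(100.0 * len(entries) / max_connections, 1),
        "by_state": dict(by_state),
        "reclaimable": reclaimable(entries, current_timeout, candidate_timeout),
    }


if __name__ == "__main__":
    # Five days (432000 s) is the Linksys default quoted above;
    # four hours (14400 s) is the suggested compromise.
    print(summarize(SAMPLE, 2048, 432000, 14400))
```

If the reclaimable count is a large share of the total, the table is filling with dead connections and a shorter Established timeout is the better fix; if almost every entry is recently active, the table is genuinely busy.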


  • UDP Timeout
  • Tracking / NAT Helpers
  • Miscellaneous

[edit] DHCP / DNS

"Use Internal Caching DNS Forwarder" will allow dnsmasq to be your DNS server at the Router IP Address (typically 192.168.1.1). DHCP clients will receive the router IP address as the DNS server.

If you have static DNS entries, "Use Received DNS With Static DNS" will add any name servers received from your service provider. You can view these changes in the resolve file at "/etc/resolv.dnsmasq".

You may also consider adding "strict-order" (without quotes) in the "Dnsmasq Custom Configuration" box. This forces Dnsmasq to send DNS queries to servers strictly in the order that they appear in the resolve file. This is useful if you are using services such as OpenDNS but still want to use your ISP's server(s) as a backup. Without this setting your ISP's DNS server(s) will tend to be favored.

The "Intercept DNS Port" option may be helpful when used with OpenDNS for parental control. When enabled, anything going out to UDP port 53 is redirected to Dnsmasq. This prevents bypassing parental controls. Another use of this intercept is with VPN client software in combination with the 'use internal caching DNS forwarder'. Typically, VPN client software will 'tunnel' non-routable IP addresses such as 192.168.1.1 which will bypass the router and cause DNS failure. Instead, you can change the client's DNS address to any bogus routable IP address to prevent the VPN client from tunneling DNS requests and let the router intercept them. This works whether or not the VPN client software is active.

[edit] Firewall

Settings to configure some basic aspects of the router's firewall.

  • Respond To Inbound Ping: If checked, the router will respond to ping requests on the WAN interface. If unchecked, the router will not respond to pings from the WAN.
  • Allow Multicast: If checked, the router will allow multicast packets to reach the LAN. If unchecked, the router will block multicast packets from reaching the LAN.
  • Enable NAT Loopback: If checked, the router allows LAN devices to reach other LAN devices via the router's WAN IP address and a properly configured port forward. If unchecked, LAN devices can only contact other LAN devices via their local IP addresses.
  • SYN Cookies: Activates SYN cookies.

[edit] MAC Address

This sets the hardware address that is seen from the ISP. Some ISPs are set up to only accept the original network card you had when you first started service. Others simply have the modem set to only allow one HW address per boot, so try resetting your modem after changing this. For some cable internet service providers, changing the MAC address seen by the cable modem is a good way to request a new IP address if required.

[edit] Miscellaneous

  • Boot wait time specifies the length of time the router will pause during startup, before attempting to load the firmware. This pause represents a period where a new firmware can be flashed to the router via TFTP, if the firmware on the flash chip has been corrupted.
  • WAN Port Speed specifies the speed and duplex setting for the WAN interface port.

[edit] Routing

  • Current Routing Table: Shows your current routing table.
  • Static Routing Table: Allows you to add static routing entries if you have more than 1 router on your network.
  • Miscellaneous - Mode: Gateway vs. Router.
    • Gateway = Don't let WAN traffic access the LAN, except through port forwarding or DMZ.
    • Router = Turn off these features and NAT. (May be incorrect on details, but this is the idea.)
  • Miscellaneous - RIP v1 & v2: Enables RIP v1 and RIP v2. (It's not clear if this is for sending or receiving or both.)
  • Miscellaneous - Spanning Tree Protocol: Enables the IEEE 802.1d spanning tree protocol for detecting and resolving loops in your internal network. (Switch A plugged into Switch B plugged into Switch C plugged into Switch A.)

[edit] Wireless

Controls advanced settings for the connection over the Wireless Local Area Network.

  • Afterburner: Broadcom Afterburner is an 802.11g standards enhancement that provides additional speed for home wireless networks while remaining compatible with all Wi-Fi CERTIFIED™ 802.11b/g products. When enabled, it allows 125 Mbps mode.
  • AP Isolation: When enabled, prevents wireless devices from communicating with each other. If disabled, the unit will switch traffic from one wireless client to another. A prime example is a hotspot (e.g. a coffee shop like Starbucks, or a hotel) where many computers connect randomly to the network. Since all computers are connected to a single network, they may be able to access each other, which may result in unwanted hacking. AP isolation helps prevent this by making each computer a separate entity on its own.
  • Authentication Type: Controls whether clients must use shared keys to authenticate. This setting is disabled (i.e. forced) in some security modes.
  • Basic Rate: Sets mandatory rate list transmitted by the AP which must be supported in order to connect. Some old 802.11b clients can only connect if this is set to 1-2Mbps.
  • Beacon Interval: Sets the amount of time between beacon transmissions in milliseconds. A longer interval can save power on sleeping clients.
  • CTS Protection Mode: When set to Auto, enables a mode which ensures 802.11b devices can connect when many 802.11g devices are present.
  • Distance / ACK Timing*: Sets the approximate maximum distance in meters from which clients can connect. May be useful in preventing distant "cantenna leeches" from connecting. It will not prevent snooping, however. Setting to 0 disables this function.
  • DTIM Interval: Sets the amount of time in milliseconds between Delivery Traffic Indication Messages, which tells a client in power-saving mode when to expect the next broadcast message.
  • Fragmentation Threshold: Sets the maximum packet size in bytes before fragmenting it.
  • Frame Burst: Enables frame burst mode which increases throughput but does not work well with more than about three clients.
  • Maximum Clients*: Sets the maximum number of wireless clients that can connect at once.
  • Multicast Rate: Sets the signalling rate used for multicasting.
  • Preamble: Selects long or short preamble for 802.11b. Short will increase throughput, but some older 802.11b devices require the long preamble.
  • RTS Threshold: Sets the minimum packet size in bytes which triggers Request to Send/Clear to Send signalling. A number higher than the Fragmentation Threshold serves to disable the function. It is normally not needed but may be useful in adverse conditions.
  • Receive Antenna: Selects which antenna is used for receiving. These settings are primarily useful for external antennas. Single antenna units should be set to Auto.
  • Transmit Antenna: Selects which antenna is used for transmitting.
  • Transmit Power: Sets the transmit power in milliwatts. High settings may cause nonlinearity in the transmitter causing loss of data, interference to other users and channels, and a high "noise floor". It may also overheat and shorten the life of the transmitter. Tomato default is 42mW, using 84mW is usually safe.
  • WMM: Enables Wireless Multimedia extensions which provide automatic QoS and power saving. Primarily intended for wi-fi phones and the like.
  • No ACK: Controls whether WMM packets require acknowledgment. Enabled sets No Acknowledgment, which allows higher throughput and lower latency when some packet loss is acceptable (e.g. for VoIP).

*New settings for v1.07.

[edit] Port Forwarding

Once you have set up your router you will have your own Local Area Network (LAN) managed by the router. You inevitably will have many devices connected to your LAN all using the same internet connection. This causes a problem because different devices on your LAN will need specific data that is coming in from (or going out to) the internet.

Port Forwarding allows your router to control the flow of data to and from the internet, and makes sure the router knows which device (e.g. a computer, webcam or VoIP telephone) connected to your LAN sent, requested or needs each packet of data. Usually packets coming in from the Internet will be in response to some request that one of the devices connected to your LAN has made (e.g. a VoIP phone making a request to connect a telephone call). In these cases, the router keeps track of which device made the request, and forwards the response back to that same device.

Sometimes however, as in the case of "Server" applications (such as you hosting your own website on a PC within your LAN) requests come in from random locations on the Internet, and you need to tell the router which computer is running the “server” so that these random requests can be routed to the correct computer. This is generally done by telling the router that any "unsolicited packets" (packets that are not a response to a request from a local computer) on a specific port or list of ports should be forwarded to a specific computer on the network.

Finally, there are also "thief jiggling the handle" connections from random corners of the internet. Locking those out is another job of the router.

There are a few ways to set this up.

[edit] Basic

Allows you to specify simple port forwarding where all packets received on the specified External Ports will be routed to the specified Internal Address. For example, you can forward all incoming data on ports 5060 and 5061 (used by the SIP protocol to initiate a VoIP telephone call) to your VoIP telephone.

Optionally, you can change the local port by specifying Int Port. This is also known as Port Redirection. This technique is handy, for example, if you have two web servers. Both could be listening on the default port (80), but the router could be set to forward received packets on Internet Port 80 to Port 80 on the first web server, and packets on Internet Port 81 to Port 80 on the second web server.

The "External Ports" box can contain a single port (e.g. 8080) or a range of ports (e.g. 5060:5061). The "Int Port" can be left blank. The "Internal Address" is the IP address of the device on your LAN (e.g. 192.168.1.2).

The Tomato Firmware GUI can take up to 50 entries for basic port forwarding.

[edit] DMZ

DMZ, or Demilitarized Zone, allows you to specify one device on your network that will receive all unsolicited packets from the Internet. This can be handy for devices that need largely unrestricted access to the Internet, or for a Web/email server. However, this bypasses all firewall functions of the router for this device, so be sure the device is very well secured. The current firmware version implements source restrictions based on IP addresses.

If you want to transparently access the DMZ computer from your internal network, then you will need to check Enable NAT Loopback and set it to All in the "Firewall" page under "Advanced". If this is not set, then you will not be able to reach the DMZ computer using the external IP address when using the internal network. In this case, the DMZ computer will only be reachable on its internal IP address from the internal network, meaning that the external IP address will point to the router on the internal network.

[edit] Triggered

Port Triggering is an on-demand port forward. The router will look for an outbound connection on a specified port, and will forward all of the requested ports to whatever computer initiated the outbound connection.

Under the Trigger Ports, you would enter a list of the ports that your computer will use to initiate the forwarding. Then you specify the ports you want to forward to that computer under Forwarded Ports. Any computer that sends outbound packets on any of the ports listed in Trigger Ports will then have all unsolicited packets received from the Internet on the Forwarded Ports sent to it.

[edit] UPnP

Universal Plug and Play (UPnP) allows devices on your network to set their own port forwards. A computer running a web server, for example, can tell the router to forward all communications on port 80 and/or 443 to it. UPnP allows your local devices to add, delete, and update port forwards at will. Often this is the only way for applications on a client machine to obtain a connection to the remote server.

Only 25 UPnP connections are presently supported.

There are some security disadvantages to UPnP, such as a trojan horse or other "bad" software package being able to forward ports to a given machine so the malware can use your computer as an Internet server. However, there are also security advantages to UPnP, since any well-behaved UPnP application will request cancellation of its forwarded ports when it shuts down or no longer needs them. This reduces the number of unneeded forwarded ports. Currently, forwarded ports which have not been terminated by an application after it has closed are not automatically closed by Tomato.

[edit] Quality of Service (QoS)

QoS, or Quality of Service, allows you to prioritize data, slowing down less important data to allow more important data to get through first.

This is primarily useful for outbound data (data going from your computers to the Internet). Inbound data cannot be prioritized effectively because it has already passed through the bottleneck (your Internet connection) by the time the router has a chance to evaluate it.

QoS in Tomato has ten levels of priority. HIGHEST will always get the very highest priority (use sparingly) and CLASS-E (labeled as E) is the lowest-priority class. If the upstream bandwidth becomes over-saturated (more packets want to go out than the connection can send), lower-priority packets will be delayed (and possibly eventually discarded) to make room for higher-priority packets.

If you would like to go into more detail on traffic shaping, try the WRT54 Script Generator as an extension to the current QoS implementation (see Tools for details).

Note: QoS works by having fixed maximum inbound and outbound bandwidths, and then allocating that bandwidth based on packet priorities. This means that the firmware will NEVER allow more than the configured bandwidths. Even if your service provider allows more (either temporarily as a "speed boost" feature, or permanently as a service upgrade) you will still be restricted to the configured bandwidth. If you need the highest possible bandwidth at all times you may wish to leave QoS disabled.

[edit] Basic Settings

  • Enable QoS: If checked, QoS will be enabled. If not checked, QoS will be disabled.
  • Prioritize ACK: Prioritizes the sending of ACK (Acknowledgment) packets. Recommended: Checked (on).
  • Prioritize ICMP: Prioritizes Internet Control Message Protocol packets (PING replies, etc).
  • Reset Classification when making changes: If checked, all connections will be reevaluated when a change is made to the QoS rules. If not checked, you may need to restart each application on your PC to re-establish each connection before the rule is applied to that connection.
  • Default Class: This is simply the "catch-all" classification when no rules are found for a connection. If a connection does not meet any of the QoS criteria, it will default to the specified class. If you have a high-priority service (such as VoIP) and a low-priority one (such as P2P), your best bet is to set this to MEDIUM or LOW, then try to classify all of your high-priority traffic above this classification, and your low-priority traffic below it. QoS is not easy to apply with P2P, as even L7 filters do not work particularly well. An approach which generally works well with P2P is to set your default class to "lowest" and then address all other desired rules in classes above this. P2P will "fall" through all of the filters and end up in the default "lowest" class. This way, you don't have to use several different filters in an attempt to capture all of the possible P2P traffic.
  • Max Bandwidth: One of the major limitations of QoS in most Linksys routers is their inability to determine the upstream speed of the Internet connection. This is true of many router models. The most effective way to tune QoS is to do an Internet speed test with QoS turned off. Then enter about 90% of the tested upstream (upload) bandwidth into the Max Bandwidth field. This will allow the router to properly determine how much bandwidth is available and prioritize packets accordingly. A more detailed explanation of this (targeted for Vonage VoIP users) may be found at http://vonage.nmhoy.net/qos.html
  • Highest - Class E (the percentages under Outbound Rate/Limit): This specifies the minimum and maximum percentages of the connection each classification is allowed to consume. This is allocating, rather than prioritizing, and is useful for cases where you want to specify that certain classes of connection should never receive more than a given percentage of your upload bandwidth. Set each class to 1%-100% to allow each class unlimited access to the bandwidth (with higher priority classes receiving only higher priority, and not "reserved" amounts).
  • Inbound Limit: This allows you to limit the overall amount of data coming in to your router, and allocate maximum percentages of that bandwidth for each QoS service. Note that packets that exceed your limit are simply thrown away, not delayed as in the case of Upload/Outbound QoS. Under certain circumstances, this setting is useful, but is a very inefficient way to control inbound data. Inbound traffic cannot be directly controlled with QoS as all rules operate on outbound traffic only.
  • TCP Vegas: A congestion avoidance algorithm built into the Linux kernel, introduced in Tomato 1.23. This may produce better results than QoS for some users. For example, users with connection speeds which vary considerably (cable users with "speed boost," or speed slows in the evening when everyone in the neighborhood goes online) are required to set QoS "Max Bandwidth" conservatively, to the lowest max speed encountered. They would never take advantage of higher speeds when available. In this case, TCP Vegas may be effective at dynamically adjusting speed while avoiding dropped packets which would occur if QoS "Max Bandwidth" were set aggressively (to the highest max speed encountered during day-to-day use). Some users have reported that a combination of TCP Vegas and QoS (with an aggressive "Max Bandwidth") works well. (This section requires additional feedback.) TCP Vegas operates only on outbound traffic. However, some users have reported that changing its parameters affected inbound traffic. (This section requires expansion.)
For more information about TCP Vegas, see:

[edit] Classification

Allows you to specify which connections will get what levels of priority. This will override the default priority set in the Basic Settings page. Classification may be done by MAC address, TCP/IP port, or using more advanced filters like IPP2P or Layer 7 (L7) filtering.

All QoS rules are "as seen by your LAN", so SOURCE always means your computer, and DESTINATION always means the Internet.

QoS can be classified in a number of ways:

  • Address (first row in "Match Rule" Column): Identify the packet based on the IP or MAC address that is making the request, or the IP address that is being contacted. Example: If you have a VoIP device on your network that needs very high priority, you would set "Address" to "Src MAC" (source MAC address) and key the MAC address of the device, then set the priority to HIGH or HIGHEST.
  • Protocol/Port (second row): Identifies the packet based on the Protocol (TCP, UDP, etc) and/or Port Number (or list of numbers) that the connection is being made on.
  • IPP2P (third row): An attempt to identify P2P applications. Easily fooled by P2P Encryption, this is still useful for identifying some P2P applications.
  • L7 (Layer 7, third row): A sophisticated filter that can classify a number of applications. Again, for P2P, easily fooled by Encryption, but still useful.
Errata: Specific to version 1.23: The L7 filter "rtp-2" was added to Tomato 1.23 as a temporary solution. The official "rtp" filter does not catch some VoIP traffic. This new filter appears to work better. If the "rtp" filter doesn't work for you, try "rtp-2". Eventually "rtp-2" may replace "rtp", or be renamed by the L7 project, who graciously provided it.

NOTE: Address and Protocol/Port are the fastest and most efficient ways to match. IPP2P is slow, and L7 is even slower. If at all possible, use Address and Protocol/Port before resorting to IPP2P or L7. Too many L7 or IPP2P rules can cause your router to crash or restart. If you are experiencing frequent crashes and restarts under heavy load, these may be the cause.

To improve IPP2P and L7 performance, provide additional qualifications when possible. For example, if you know the traffic is UDP, or a port range is involved, then specify this in the rule. These qualifications will be checked first, preventing unnecessary packet inspection of all packets.
Similarly, the order of rules can affect performance. For example, if an L7 rule is qualified as UDP this will help performance. But, if it is moved below the DNS rule (with a classification of "Highest"), it will prevent packet inspection of all DNS connections which are also UDP.
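The effect of qualification and rule order can be made concrete with a small first-match model that counts how often the expensive L7 step runs. The following Python sketch is an added example and a simplified model, not Tomato's QoS engine; the Rule and Conn structures, the traffic mix and the `app` field (standing in for what an L7 pattern would detect) are assumptions made for illustration.

```python
from collections import namedtuple

# proto/dports are the cheap qualifiers; l7 is the expensive pattern (or None).
Rule = namedtuple("Rule", "name proto dports l7 klass")
# app stands in for what payload inspection would detect on this connection.
Conn = namedtuple("Conn", "proto dport app")

DNS = Rule("dns", "udp", (53,), None, "Highest")
WEB = Rule("web", "tcp", (80, 443), None, "High")
RTP_UNQUALIFIED = Rule("rtp", None, (), "rtp", "High")
RTP_UDP_ONLY = Rule("rtp", "udp", (), "rtp", "High")

# Constructed traffic mix: DNS lookups, web sessions, VoIP streams, P2P.
TRAFFIC = (
    [Conn("udp", 53, "dns")] * 50
    + [Conn("tcp", 443, "http")] * 200
    + [Conn("udp", 16384, "rtp")] * 5
    + [Conn("tcp", 6881, "bittorrent")] * 20
)


def classify(conn, rules, default="Lowest"):
    """First matching rule wins. Returns (class, number_of_l7_inspections)."""
    inspections = 0
    for rule in rules:
        # Cheap checks run first and can skip the rule without inspection.
        if rule.proto and rule.proto != conn.proto:
            continue
        if rule.dports and conn.dport not in rule.dports:
            continue
        if rule.l7:
            inspections += 1  # payload inspection happens here
            if rule.l7 != conn.app:
                continue
        return rule.klass, inspections
    return default, inspections


def run(rules, traffic=TRAFFIC):
    """Classify all traffic. Returns (list_of_classes, total_l7_inspections)."""
    classes, total = [], 0
    for conn in traffic:
        klass, inspections = classify(conn, rules)
        classes.append(klass)
        total += inspections
    return classes, total


if __name__ == "__main__":
    for label, rules in [
        ("unqualified L7 rule first", [RTP_UNQUALIFIED, DNS, WEB]),
        ("UDP-qualified L7 rule first", [RTP_UDP_ONLY, DNS, WEB]),
        ("DNS rule above UDP-qualified L7 rule", [DNS, RTP_UDP_ONLY, WEB]),
    ]:
        print(label, "->", run(rules)[1], "L7 inspections")
```

All three orderings assign the same classes; only the amount of inspection work changes, which is what matters on a router that crashes or restarts under heavy L7 load.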


[edit] QoS Rule Example: Setting Web Browsing to HIGH

Under Match Rule Column:

  • First row = "Any Address", field to its right is blank. Meaning: this rule applies to any connection to the Internet on any server.
  • Second row = "TCP", "Dst Port", "80,443". Meaning: this rule applies to all TCP connections that are trying to connect to port 80 (HTTP) or 443 (HTTPS) on an Internet server.
  • Third row = "IPP2P (Disabled)", "Layer7 (Disabled)". Meaning: we do not want to apply any IPP2P or L7 rules.
  • Fourth row = "" "" (kb transferred). Meaning: we do not want to match by amount transferred.

Under Class Column:

  • "High". Meaning: anything matching this rule will be assigned a HIGH priority in upstream.

Under Description Column:

  • Assign any reasonable description. "WWW" or "Web Browsing" would be good here. This is not used except on this screen, to identify the connection for your future reference.

[edit] View Graphs

One of the most powerful features of Tomato, this allows you to view (in near-real-time) the current outbound connections and how the QoS engine is classifying them. This allows you to view how effective your QoS settings are, and whether they are capturing the connections you want them to. Simply click on any of the classes to view the list of specific connections for that class.

[edit] View Details

Lists each connection that has recently been made through the router, and what QoS class was assigned to that connection. Clicking any entry will attempt to do a reverse lookup on the destination TCP/IP address, or you can click on the "automatically resolve addresses" checkbox at the bottom of the list to resolve all addresses in the list (this can take a while).

[edit] Access Restriction

Set time, computer, site, and protocol based bans on Internet access.

This function works on all connections to the router and so can be used to control access to all users of a network.

Currently supports 50 entries.

Each entry supports 2048 characters for the entire entry; the practical limit is around 1900 characters.

See also #QoS / Access Restrictions Notes below.

[edit] Administration

[edit] Admin Access

Controls the various means that can be used to access the router for administrative purposes.

All services use the same password, which is changed at the bottom of this page.

[edit] Web Admin

Controls access to the router via a web browser. The web username may be "admin" or "root".

  • Local Access: Determines whether and how the router may be accessed from a web browser on a local computer (a computer attached to the router, or attached to a switch or hub attached to the router). Access can be via HTTP (regular web), HTTPS (SSL-encrypted web), both, or disabled.
  • HTTP Port: default 80


  • Remote Access: Determines whether and how the router may be accessed from a web browser from the WAN (Internet) side of the router. It is not recommended that this be enabled, and if it must be enabled, consider using the HTTPS method, which at least encrypts your session data.
  • Allow Wireless Access: If checked, wireless clients on your local network can access your router's administration screens using the same method as wired clients. This has no effect on Remote Access.
  • Color Scheme: choose color scheme skin
  • Show Browser Icon: shows tomato icon on address bar

[edit] SSH Daemon

Controls the Secure SHell (SSH) server that is installed on the router, which allows secure (encrypted) command-line access to the router. The SSH username is always "root".

  • Enable at Startup: Specifies whether the SSH Daemon is started when the router starts up.
  • Remote Access: If checked, you will be able to access the router via SSH from the Internet and the Local Network. If unchecked, only clients on the Local Network will have access.
  • Port: Specifies the TCP port used by the SSH daemon (default = Port 22).
  • Allow Password Login: If checked, you can use the router username and password to enable a connection to the command line. If not checked, key authentication will be required.
  • Authorized Keys: Enter authorized keys for key authentication (a more secure alternative to password-based logins).
  • [Start Now] / [Stop Now] Starts or stops the SSH Daemon.

[edit] Remote Web/SSH Admin Restriction
  • Allowed IP Address: If you want to restrict access from the WAN to Remote Configuration of your router by IP address, enter the appropriate IP address string.

[edit] Telnet Daemon

Controls the Telnet command-line server built into the router. Telnet access is only allowed on the Local Network. The Telnet username is always "root".

  • Enable at Startup: Specifies whether the Telnet daemon is enabled when the router starts up.
  • Port: Specifies the TCP port used by Telnet (default = Port 23).
  • [Start Now] / [Stop Now] Starts or stops the Telnet Daemon.

[edit] Password

Allows you to specify your password. It is highly recommended you change this immediately after the installation. Enter the same password into both fields, and click "Save". After changing your password, you will need to re-authenticate your session (you may need to shut down and restart your browser to clear the current authentication).

[edit] Bandwidth Monitoring

[edit] Bandwidth Monitoring

The bandwidth monitor history is just bandwidth data that can be viewed at the Bandwidth page of the Tomato UI.
Namely: WAN port monthly history, WAN port daily history for the current month and intraday history (for vlan1, eth1, br0, eth0 & vlan0) captured over the last 24 hours. For this reason the backup file does not grow in size once it has reached about 133 Bytes.

You can also associate each MAC address with a letter (up to 10) and get a bandwidth pie chart showing the bandwidth for each MAC address. You can then throttle each address by percentage if required. [Please describe where/how these two functions (monitor by MAC and throttle by MAC) can be configured. If this idea relies upon the QoS classifications, then refer to that section of the wiki.]

  • Enable: check to enable / uncheck to disable
  • Save History Location: Saving to RAM is not permanent. Saving to NVRAM or JFFS is permanent but will cause the internal flash (rewritable) memory to be flashed more frequently than the router design intended. This may lead to a shortened useful lifetime for your router. Better permanent storage alternatives are CIFS1 and CIFS2. Keep in mind that if the share that your CIFS1/2 points to is offline, the Bandwidth History will be saved the next time the share is online. Refer to the CIFS Client section for further detail.
  • Save Frequency: Select an interval for periodic saving of bandwidth usage history. Useful if your router experiences power outages from time to time. The exact time that the save interval happens at is based on what time you save your settings. So if you set it to "Every 2 Days" at 10:35AM, it will save 48 hours from then, and every 48 hours thereafter.
  • Save On Shutdown: Causes a save before any reboot or shutdown event, but obviously not before a power outage!
  • Create New File / Reset Data: Check this when setting up a new Save History Location. When checked a new file is created in the save location. If the file already exists in the save location all current data will be overwritten!
  • First Day Of The Month: Used to align the monthly data to the same accounting cycle that your ISP uses.
  • Excluded Interfaces: Comma-separated list of interfaces to exclude from the 24 Hours and Real Time Bandwidth pages of the Tomato UI. (Example: vlan0,vlan1,eth0 will leave focus on the wireless LAN interface.) This has no appreciable effect on the size of the history backup file being saved.

Although the role of the five interfaces is configuration dependent (examples: WRT54G v2 and WRT54G v4, acknowledgment: voidmain; WL-500gP and Network Configuration, acknowledgment: OpenWRT), the apparent convention is:

    • vlan1: wired WAN port
    • vlan0: wired LAN ports
    • eth1: Wireless LAN
    • br0: internal LAN bridge (configurable) for wired LAN and Wireless LAN
    • eth0: internal interface between CPU and the 6-port switch

Saved history may be viewed using the UI tools:

    • http://192.168.1.1/bwm-24.asp
    • http://192.168.1.1/bwm-daily.asp
    • http://192.168.1.1/bwm-weekly.asp
    • http://192.168.1.1/bwm-monthly.asp

[edit] Backup

[edit] Restore

[edit] Buttons / LED

Change the action performed by the button. Different actions can be set for different lengths of time the button is held down (Count the DMZ blinks). The default actions are (1) tap to toggle wireless and (2) hold 20 seconds to start telnet on port 23.

The LED lights have some minor checkbox settings. For better effect, you can use the "led" command inside scripts elsewhere.

[edit] SES/AOSS Button

[edit] Startup LED

[edit] CIFS Client

The CIFS client in Tomato allows you to mount a Windows share or a Samba share that you can use as a history location for the bandwidth monitoring.
In the configuration, the UNC (Universal Naming Convention) path points to that share and must look as follows:

\\192.168.1.99\share-name

where 192.168.1.99 is the IP-address of the computer the share is located on and "share-name" is the shared folder-name.
The rest of the settings (username, password) speak more or less for themselves.

Give thought to the Shared Permissions for the specified Windows-share. The username/password pair specified here must be for an account that has permission to write to the shared folder, especially if you plan to use this network shared folder to save Bandwidth Monitor history. Also be sure to allow port 443 on any intermediate firewalls between the shared computer and the router.

It is advised to use "security = user" when using Samba, to avoid errors like these:
smb signing is incompatible with share level security !

[edit] Configuration

Allows you to back up all your settings to your PC, restore them, or reset the router to factory defaults.

When changing from one firmware to another, it is important to do a complete factory reset on your router. In Tomato, you go to this screen, select Erase all data in NVRAM (thorough), and click OK. When the router reboots, you will need to rekey all of your configuration settings manually. Instability and unpredictable behavior can occur if you don't erase the NVRAM.

[edit] Debugging (Miscellaneous)

  • Avoid performing an NVRAM commit: If checked, changes are not committed to NVRAM if possible. This means that changes are temporary, and will not persist beyond the next reboot of the router.
  • Do not erase some intermediate files:
  • Enable cprintf output to console:
  • Enable cprintf output to /tmp/cprintf
  • Count cache memory as free memory:
  • Avoid displaying LAN to router connections: If checked, LAN to router connections are not displayed on the QOS pages. If not checked, LAN to router connections are displayed on the QOS pages as "Unclassified" connections.


  • Download CFE:
  • Download NVRAM Dump:
  • Download Iptables Dump:
  • Download Logs:


  • Console log level:
  • Clear Cookies:
  • NVRAM Commit: Commits all current settings to NVRAM, such that they survive rebooting.

[edit] JFFS2

In a router with 4MB flash, there's still some space left over from the firmware. JFFS2 is the compressed, writable filesystem for the extra space. The /jffs folder gives 700KB after overhead but BEFORE compression. Turn this option on, and script some add-on executable to run from here.

[edit] Logging

Logging may be done internally or externally. Internal logs save information to the router's local memory. External logs send the log information to a remote computer.

Log Internally saves the connection logs to the internal memory of the router, where they may be extracted or viewed directly on the "Logs" page under "Status". These logs will consume router memory, but may be viewed directly on the router itself.

Log Externally sends the logs to a computer on your LAN. That computer must be running a log capture program, like WallWatcher. The computer can then show you the connection logs and analyze the data.

The remainder of the settings allow you to specify what types of connections you want logged, and to place a limit on the number of log entries per minute to send.

[edit] Scripts

You can enter commands to be run at Init (startup), Shutdown, Firewall startup, or WAN Up (whenever the Internet connection comes up).

Example Script 1

Access the web interface of the modem connected to the WAN port of the router. In this example, the modem has the IP address 10.0.0.138. Both IP addresses used in the script below begin with 10.0.0. The first address can end with anything other than 138, but the second address must end with 0. The IP address of the modem must be on a different network than your local LAN.

In Wan Up:

ip addr add 10.0.0.10/24 dev vlan1 brd +
/usr/sbin/iptables -I POSTROUTING -t nat -o vlan1 -d 10.0.0.0/24 -j MASQUERADE

Example Script 2

Establish a limit of 125 TCP connections per user.

In Firewall

iptables -I FORWARD -p tcp --syn -m iprange --src-range 192.168.22.10-192.168.22.250 -m connlimit --connlimit-above 125 -j DROP

Note: 192.168.22.10 - 192.168.22.250 is the LAN address range to be controlled.

Example Script 3

Opens the SSH server on the WAN side while giving better protection against brute-force password-guessing attacks. After 3 connection attempts in under 90 seconds, the source address will be locked out for 90 seconds. This seems enough to convince the script kiddies to search for a new target. Needs v1.21 or later to work, as it now comes with the ipt_recent module built in.

In Init

insmod ipt_recent

In Firewall

WANIP=$(nvram get wan_ipaddr)
iptables -t nat -A PREROUTING -p tcp -d $WANIP --dport 22 -j DNAT --to 192.168.1.1:22
iptables -A INPUT -d 192.168.1.1 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH_LIMIT --rsource
iptables -A INPUT -d 192.168.1.1 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 90 --hitcount 4 --name SSH_LIMIT --rsource -j DROP
iptables -A INPUT -d 192.168.1.1 -p tcp --dport 22 -j ACCEPT

Note: Do not enable Remote SSH via the menu; this script will do it and apply the right rules.
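
How the SSH_LIMIT rules of Example Script 3 treat a run of connection attempts, as an added example that is not part of the original page or of Tomato: a simplified Python model that follows the iptables man-page description of the recent match, not the kernel module's code. The class and function names, the sample addresses and the timings are constructed for illustration. It shows that the rules count new TCP connections rather than failed logins, and that retrying while locked out extends the lockout.

```python
"""Simplified model of the SSH_LIMIT rules in Example Script 3 (added example).

Follows the iptables man-page description of the `recent` match; it is not
the kernel module's code. Times are in seconds; an attempt made exactly
WINDOW seconds ago is treated as still inside the window (assumption).
"""
from collections import defaultdict

WINDOW = 90    # --seconds 90
HITCOUNT = 4   # --hitcount 4


class SshLimit:
    def __init__(self, window=WINDOW, hitcount=HITCOUNT):
        self.window = window
        self.hitcount = hitcount
        self.stamps = defaultdict(list)   # source address -> timestamps seen

    def _recent(self, src, now):
        """Timestamps for src that still fall inside the window."""
        kept = [t for t in self.stamps[src] if now - t <= self.window]
        self.stamps[src] = kept
        return kept

    def new_connection(self, src, now):
        """Verdict for one NEW TCP connection to port 22 from src at time now."""
        # Rule 1 (--set, no -j target): record the attempt, keep traversing.
        self.stamps[src].append(now)
        # Rule 2 (--update --seconds 90 --hitcount 4 -j DROP): the attempt just
        # recorded counts too, so the 4th connection inside the window matches.
        if len(self._recent(src, now)) >= self.hitcount:
            # A matching --update refreshes the entry, so retries made while
            # locked out keep pushing the end of the lockout further away.
            self.stamps[src].append(now)
            return "DROP"
        # Rule 3: -j ACCEPT
        return "ACCEPT"


def replay(attempts):
    """Run (time, source) pairs, sorted by time, through a fresh rule set."""
    fw = SshLimit()
    return [(t, src, fw.new_connection(src, t)) for t, src in sorted(attempts)]


# Constructed sample traffic (documentation address ranges, not real hosts).
GUESSER = "203.0.113.7"     # retries every 10 s, pauses, then comes back
ADMIN = "198.51.100.20"     # occasional legitimate logins
SAMPLE = (
    [(t, GUESSER) for t in range(0, 201, 10)]   # 21 attempts, 0..200 s
    + [(250, GUESSER), (341, GUESSER)]          # back after 50 s, then after 91 s
    + [(5, ADMIN), (400, ADMIN), (460, ADMIN)]
)

if __name__ == "__main__":
    for t, src, verdict in replay(SAMPLE):
        print(f"{t:4d}s  {src:15s} {verdict}")
```

An administrator who opens four SSH sessions within 90 seconds is dropped in the same way as the guesser, because the rules match on connection state NEW and never see whether a login succeeded.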

[edit] Upgrade

Allows you to load a new firmware to the router (either a newer version of Tomato or an entirely different firmware).

Note: When changing from any firmware to any other firmware (stock Linksys -> Tomato, for example), it is important to clear the NVRAM and restore the factory default settings. Instructions on doing that will vary from firmware to firmware, but there is generally a factory reset option (in Tomato, this is located under Administration/Configuration/Restore Default Configuration).

[edit] About

Shows information about:

  • the version of tomato
  • the copyright advice
  • a direct http-link to tomato homepage
  • the build date of the used firmware
  • a donation button for the project
  • an acknowledgment to all concerned people

[edit] Reboot...

Restarts the router (without erasing any settings).

[edit] Shutdown...

Turns the router off (controlled shutdown)

[edit] Logout

Logs you out of the firmware (clears your user session). This will dump you back to the initial login, where you are asked to present your credentials again (which causes occasional confusion, with people reporting that they "need to log in in order to log out"). Once you see the password prompt, you are logged out. Just hit cancel and you will end up at the "Unauthorized" page. This option is not supported on MS Internet Explorer (V7) and the "logoff" item does not show in the menu. You will need to close the browser completely in order to log out.

[edit] Additional Notes

[edit] Known Problems

  • There is no documentation other than a Tomato FAQ and this wiki.
  • In some cases, you may need to reboot the router manually before the changes go into effect. If the changes involve switching wireless settings, you may need to reboot both ends. (Hasn't been known to happen with 1.07 or later firmware)
  • Not all wireless modes / security combinations work. For example, WET, Client and WDS will not work in WPA2.
  • CIFS VFS times out a lot (or it might be the server kicking the client off...).
  • Graphs/SVG may not work with all browsers. Firefox: Use 1.5 or higher. Internet Explorer: Use Adobe SVG. Opera: Use 9.0 or higher. Safari: Use 3.0 or higher.
  • Certain wireless clients cause the router to reboot while trying to associate. The "ND" drivers are an attempt to rectify this, but when used, Intel 2200B/G wireless clients cannot associate. The problem is still being addressed by developers. Additional: the following script corrects the problem with the ND drivers: nvram set wl_reg_mode=off

[edit] QoS / Access Restrictions Notes

  • All QoS classification and access restriction checking are performed while packets are traveling out to the Internet (outbound). The source is always from your computer and destination is always towards the Internet.
  • If you restrict inbound traffic you are implementing "traffic shaping". Try the WRT54 Script Generator as an extension to the current QoS implementation (see Tools for details). Although there is an option to limit the download speed, it's not really recommended in most cases since what the router is really doing is dropping packets, which means they may need to be re-sent again over a slow Internet link.
  • Why L7/IPP2P doesn't work all the time:
    • These work by matching known patterns in packets. Some protocols produce reliable uniquely identifiable signatures, but some do not.
    • A change in the protocol's design can sometimes break these.
    • Some L7/IPP2P patterns may depend on which direction the data is going. For example, an HTTP request from a browser is different from an HTTP response from a server.
  • Custom L7 patterns can be stored in /etc/l7-extra/ (you need to create the directory). It's up to you to actually populate it before the firewall starts. This can be tricky if you're using external storage, so consider just using JFFS2 or even simple "echo" statements in the startup script. To learn more about L7 patterns, go to l7-filter.sf.net.
  • When testing changes to the QoS rules, restart the application on your computer to make sure its connection is re-classified under the new rule. NOTE - You can now enable "reset classification when making changes" instead.
  • KB transferred match:
    • This is the to-WAN data transferred in kilobytes. Consider the amount an approximate value since it doesn't take into account protocol overhead and uses the 1024-based definition instead of the 1000-based definition used more commonly in networking.
    • Entering an upper limit of 1GB (1,048,576KB) or more is considered unlimited and will match anything above 1GB.
    • IPP2P may not work properly with this since IPP2P doesn't keep track of its state.
  • Sticky rules: IPP2P/L7 are "sticky" in that once they match, no other rules are processed. IP/MAC/port-only matches can also be sticky if there are no IPP2P/L7/KB matches above them. When coupled with a KB transferred match with an upper limit, they are not considered sticky. What this all means is you should watch out for rules like the following: "#1: L7 ABC & 1024KB+, #2: L7 ABC", the #1 rule may not match at all since #2 will lock-on if it sees L7 ABC within 0-1024KB. To get around this particular case: "#1: L7 ABC & 0-1024KB, #2: L7 ABC & 1024KB+."
  • Precedence: The rules are checked in the same order as they appear in the GUI, from top to bottom. The first rule that matches sets the class. If you disable "strict ordering" (no longer applicable), rules with IPP2P, L7 and KB matches are grouped in one set and are checked first, the rest in another. In the latest versions of Tomato there is no checkbox to turn off "strict ordering".
  • If you're concerned about performance: IPP2P and especially L7 are slower than simple IP, MAC or port matches.

[edit] Setting Up WDS Repeating

Standard terminology for a two router setup:

  • The client router is the router which does not have an internet connection.
  • The host router is the router which does have the internet connection and is going to share it with other routers.
  • To make troubleshooting easier, you can set client router's SSID to something different. Later you can set it to the same as the host router's SSID or leave it different.
  • Also, it is a good idea to turn off any encryption while setting up WDS repeating. You can re-enable it after you have things working properly.

Using WDS to extend your network will reduce throughput, as each unit has to first receive the data and then resend it over the wireless link. Each added unit in the chain makes matters worse.

[edit] Step-by-step Instructions

  1. For the client router, on the Basic -> Network page, in the LAN section:
    1. set the Router IP Address to a static IP in the range of the host router (e.g. if your host router's IP is 192.168.1.1, set your client router's IP to 192.168.1.2).
    2. uncheck the DHCP Server to disable it (you can only have one DHCP server per network).
  2. For both the client router and the host router, on the Basic -> Network page, in the Wireless section:
    1. set the Channel to the same channel on both routers
    2. set the host router's Wireless Mode to Access Point + WDS
    3. set the client router's Wireless Mode to WDS
    4. set the WDS to Link With...
    5. on the host router, add the client router's Wireless MAC address to the first MAC Address field
    6. on the client router, add the host router's Wireless MAC address to the first MAC Address field

The above example sets up the client as a WDS repeater, but does not enable Wireless access on the client. To enable the client to serve as a WDS repeater and accept Wireless connections, set the client router's Wireless Mode to Access Point + WDS.

The Tomato FAQ on WDS documents an example with IP and Mac address samples for clarity.

[edit] Miscellaneous Notes

  • Some NVRAM settings may not be compatible with other firmwares. A config (NVRam) reset is recommended after flashing to or from this firmware.
  • You can enter a custom DDNS URL like the following: http://www.mycustomdns.com/update.cgi?username=scooby&password=spooky&ip=@IP. The "@IP" keyword is automatically replaced with the current IP address. Check with your DDNS provider for the exact format to use.
  • The Busybox crond included in Tomato is a little different from the Vixie crond found in HyperWRT, DD-WRT, etc. To make it easier and safer to schedule a job, use the helper script called "cru" instead of manually changing the config file.

BusyBox

[edit] Miscellaneous

  • Want to try changing things without permanently writing them to nvram? Go to Admin: Miscellaneous and enable "avoid performing an nvram commit." When you're done playing around, reboot to discard the changes, or use the "nvram commit" button to save the changes.
  • Some GUI settings, like refresh time, are saved as cookies by your web browser.
  • Linksys' password protected TFTP upgrade will not work with Tomato. If you need to use TFTP to upgrade the firmware, use the bootloader's TFTP upgrade feature.
  • If you're saving the bandwidth history, don't forget to backup the data to another location!

[edit] Tools

  • WRT54 Script Generator (download): A little application that generates scripts for traffic shaping. The script generator's main purpose is to limit the bandwidth of users that are connected to the WRT (e.g. to share the connection in a fair way). The scripts shape traffic on the LAN and WLAN. QoS shapes outgoing traffic on the WAN (vlan1), so if you try to shape traffic on vlan1 you will destroy the actual QoS. These scripts work without problems with QoS enabled. QoS prioritizes outgoing traffic, and you can also set speed limits for several (or all) users. It's good for people that are choking your connection.

[edit] Tuning

Tomato is extremely efficient and will dynamically unload modules, stop services and shut down processes if certain features are no longer enabled. The following features, once disabled, will result in fewer running processes. Fewer running processes result in more free memory, less CPU load and faster boot times. In general, it is worth your time to disable unused features. For example, enable just HTTP or HTTPS web access; it is not necessary to have both enabled.

Of course, Tomato runs well with the entire gamut of functionality enabled.

  • CIFS
  • uPNP
  • Telnet Server
  • SSH Server
  • Syslog
  • DHCP Server
  • HTTP Web Administration
  • HTTPS Web Administration
  • Bandwidth Statistics
  • JFFS2 file system
  • L7 QoS Filtering ("Inbound Layer 7"??) [1]

[edit] USB Printing

Tomato will support USB printing with a bit of extra work:

There is also a modified Tomato version with working USB Support:

[edit] Support

[edit] Weblinks

Tomato Project Page

The project page may be found at

Screenshots


Bridging a Linksys WRT54G and Belkin 7230-4 Wirelessly

After many hours of searching and reading I found this, and it works. Connected wired to the Belkin now and it is wirelessly linked to my Buffalo running Tomato, which connects to my cable modem. Now I can ditch a long ugly CAT5 cable and can connect 4 wired devices and have improved signal strength for my wireless devices.

Tomato Firmware Frappr!

Frappr! Maps are like a triple mash-up of an online guest book, a hit log and a map -- three services that, combined, create a fun and visually appealing environment that will keep Web site visitors coming back for more..


WRT54G JTAG To AVR Cable

a simple/free way to program one of Atmel's AVR microcontrollers for those that already have the WRT54G-style JTAG cable:


Tomato (Firmware) - German (deutsches) Wikibook

[edit] References

Wikipedia

