Tomato Firmware/Menu Reference

From Wikibooks, open books for an open world
Jump to navigation Jump to search


To do:
Reformat: condense reliance on TOC entries use def'n lists and consider using tables for better readability. Should consider more use of tables as well.-- Wrlee (talk) 07:41, 31 July 2009 (UTC)


Top Level Menu Items
  1. Status
  2. Bandwidth
  3. Tools
  4. Basic
  5. Advanced
  6. Port Forwarding
  7. QoS — Quality of Service
  8. Access Restriction
  9. USB and NAS
  10. Administration
  11. About
  12. Reboot...
  13. Shutdown...
  14. Logout

The following is a listing of all of the available menu options in the Tomato GUI, and their functions.

NOTE: As settings on a page are edited, the 'Save' button at bottom of page must be clicked before navigating to another page. Otherwise the newly entered settings are NOT saved.


[edit | edit source]

Provides information on the current condition of the router.


[edit | edit source]

The Overview screen shows information on the current state of the router. It is organized into four sections:

Gives current overall system status.
Router name
Router make and model
System Time and Date
Total time the router has been up since the last reboot
CPU Load (1 / 5 / 15 mins)
CPU load average for 1, 5 and 15 minute intervals
Total / Free Memory
Total device memory in MB, free memory (unused + cache) in KB, Percentage of free memory
The WAN screen gives information on the Wide Area Network (Internet) connection.
MAC Address
WAN (Internet) adapter MAC address
Connection Type
DHCP or Static
IP Address
WAN (Internet) IP Address
Subnet Mask
WAN (Internet) IP Netmask
Internet gateway address
lists WAN (Internet) DNS servers
TCP maximum transmission unit, or maximum packet size in bytes for WAN interface. See to find optimal setting.
whether the WAN (Internet) link is connected or not
Connection Uptime
total time that the connection has been up
Remaining Lease Time
total time remaining on DHCP lease from ISP
button to Renew DHCP IP address
button to Release DHCP IP address
Gives a summary of the settings related to the Local Area Network, and the MAC Address for the wired portion of the network.
Router MAC Address
Internal MAC address of the router, for LAN only
Router IP Address
The Static LAN IP address assigned to the router
Subnet Mask
The LAN Network Mask assigned to the router
The DHCP scope / range of addresses that can be assigned by the DHCP server
Gives information on the wireless portion of the Local Area Network.
MAC Address
The MAC address of the 802.11 wireless network interface
Wireless Mode
The operational role assigned to the wireless interface (e.g. - Access Point)
B/G Mode
802.11b and 802.11g protocol restrictions (e.g. - G only)
Displays enable/disable status of the wireless network interface
Displays the wireless SSID or Service Set Identifier, a string used to distinguish wireless networks from each other
Displays the current encryption algorithm used for wireless communications
Displays the current wireless channel and corresponding frequency (in GHz)
button that enables the wireless radio (grayed out when already enabled)
button that disables the wireless radio (grayed out when already disabled)

Device List

[edit | edit source]

The Device List Provides a list of the current devices that have been assigned an IP address by the DHCP server. Devices are listed by Interface, which indicates where on the router they are connected:

  • br0 refers to Wired Ethernet (LAN) devices: these are connected to the router on the four Ethernet ports, either directly or via a hub or switch. Inactive wireless devices are also moved to br0.
  • eth1 refers to active Wireless Ethernet (WLAN) devices: these are connected to the router via the wireless radio.
  • vlan1 refers to your WAN (Internet) connection: the connection to the external Internet (Cable modem, DSL modem, or upstream router).

The Logs page allows you to view the Internal system logs (assuming Internal Logging is enabled - see Administration→Logging).

View Last 25 Lines
View most recent 25 lines of kernel log
View Last 50 Lines
View most recent 50 lines of kernel log
View Last 100 Lines
View most recent 100 lines of kernel log
View All
View entire kernel log
Download Log File
Download the kernel log to localhost
Search the kernel log for user-defined text string
Logging Configuration
See Administration→Logging


[edit | edit source]

Displays the Bandwidth of the Interfaces. They can be excluded at Administration→Bandwidth Monitoring

The Real-Time and Last 24 Hours charts are rendered with Scalable Vector Graphics (SVG), and require an SVG-enabled web browser. Mozilla Firefox, Google's Chrome, Apple's Safari 3 and Opera have SVG built-in. Microsoft Internet Explorer requires the SVG plugin from the Adobe SVG Viewer download area. The charts display an Interface Tab for each available router interface. Persistence of Interface Tab selection requires browser cookies to be enabled.

Charts share these controls:

  • Avg: Off, 2x, 4x, 6x, 8x : Number of samples to average, or no averaging.
  • Max: Uniform, Per IF : Graphs are scaled Uniformly to the max traffic value of all interfaces, or individually Per IF.
  • Display: Solid, Line : Selects a solid-filled "mountain" display or line only.
  • Color: Blue & Orange »: Selects trace pair color scheme
  • [reverse] : Toggles trace color order
  •  » Configure : Shortcut to Administration->Bandwidth Monitoring page.
  • Graph Legend toggle: Click on vertical text(left edge of graph) to toggle display of horizontal graph legends.
Automatically corrects as graph scale changes.
  • Cursor-tracking Readout (lower right edge of graph): when mouse cursor moves over graph, shows
Day of Week, Time, and Bandwidth usage at that point. Updates only when mouse moves.
Disappears after 5 intervals: 10 seconds in Real-Time, 10 minutes in Last 24 Hours, etc.
  • Mouse-click readout : Click anywhere on the graph to place a static readout.
Note: Does not update with graph movement or scaling.
The Real-Time Bandwidth section displays a chart, updated every two seconds, of the last 10 minutes of bandwidth used. Tabs at the top allow selection of the various interfaces for detail on the bandwidth for that interface.
Last 24 Hours
The Last 24 Hours section displays a chart, updated every two minutes, of the last 4/6/12/18/24 hours of bandwidth usage and the total data during the period. Tabs at the top allow selection of the various interfaces for detail on the bandwidth for that interface.
The Daily section displays a table with a row for each day showing download, upload and total bandwidth consumption. The default unit is GB (actually gigabinary (GiB) bytes), but can be changed to MB (MiB) or KB (kib).
The Weekly section displays a table with a row for each week showing download, upload and total bandwidth consumption. The default unit is GB (Gigabytes), but can be changed to MB or KB. The default week starting day is Sun (Sunday), but can be changed. An option to show Summary or Full data is available.
The Monthly section displays a table with a row for each month showing total bandwidth consumption and the difference in bandwidth usage compared to the previous month. The start date of the month can be changed at "Administration->Bandwidth Monitoring->First Day Of The Month" to match the start date of data counter of any particular Internet plan.


[edit | edit source]

A collection of useful network tools to analyze and troubleshoot the LAN, WAN and/or Wireless networks connected to the router.

The Ping tool allows sending 'ping' packets to computers on the Internet to verify connectivity. Enter the domain (e.g. or IPV4 address (e.g. to ping, adjust the Ping Count or Packet Size as desired, and click [Ping]. Results are displayed after all pings complete. The default timeout is 2 seconds, with a 1 second delay between attempts.

the desired IP address or domain
Ping Count
total number of pings to attempt
Packet Size
length of data to send. 56 is the default. 1500 is a typical maximum.

Results Table

sequence number of ping attempt
(domain) (IP address)
RX Bytes
number of received bytes. 8 bytes more than 'Packet Size' is typical.
Time to Live - number of hops this packet is permitted to take before expiring.
RTT (ms)
Round Trip Time in milliseconds.
+/- (ms)
Jitter: difference in RTT from prior measurement.


<minimum time> min, <average time> avg, <maximum time> max (ms)
<Ping Count> transmitted, <Seq - 1> received, <percentage>% lost


[edit | edit source]

The Trace tool allows you to perform a TRACERT (Trace Route) from your router to any Internet server. Enter the domain or IP address to trace to, and optionally the maximum hops and/or wait times, and click [TRACE]. Results are displayed when the trace is complete. This may take hops*wait-times before being displayed.

the desired IP address or domain
Maximum Hops
total number of nodes to attempt
Maximum Wait Time (per hop)
number of seconds to wait for each hop

Results Table

sequence number of this hop
domain (IP address)
Min (ms)
shortest ping time found for this hop
Max (ms)
longest ping time found for this hop
Avg (ms)
Five traces are performed to produce the average time displayed.
+/- (ms)
Jitter: average differences in RTT from prior measurements.

Wireless Site Survey

[edit | edit source]

The Wireless Site Survey tool scans the wireless frequencies accessible to eth1 and reports a table of wireless devices. The Last Seen time stamp, SSID, BSSID (MAC address), RSSI, Noise, Quality rating (1-100), Channel, Capabilities and Rates are displayed.

Table Content

Last Seen
Time stamp of most recent network detection.
Service Set Identifier – remote-assigned network name.
MAC address of remote network device.
Relative Signal Strength (dBm).
Detected noise floor (dBm).
Derived channel signal quality estimate (1-100, 100=best).
Operating channel of remote network device.
List of protocol modifiers available.
List of available bit rates.

WOL (Wake on LAN)

[edit | edit source]

The WOL tool allows you to send Wake-on-LAN (WOL) packets to computers on your network. A table of known MAC addresses is displayed so that individual WOL targets can be quickly selected, or user-defined MAC addresses can be entered in a data field.

Table Content

MAC Address
IP Address
MAC Address List
Enter any MAC address you want in this box and click Wake Up to attempt to wake that machine.
Wake up
Wake up the computer(s) with the MAC address(es) you have entered in the above box.

Alternatively, you can add a static DHCP entry for ff:ff:ff:ff:ff:ff and (the ip can be anything you want). And forward udp port 9 (the port can also be anything you want) to In this case, make sure .254 isn't in the range of your DHCP. (Note, this trick will work on any router which you can get shell access to via arp -s ff:ff:ff:ff:ff:ff

Through ssh/telnet interface you can also issue ether-wake command. Remote SSH enables wakeup via
ssh root@yourwrt 'ether-wake mac-address'
as it can be difficult to get a WOL packet through the NAT.


[edit | edit source]

Controls the most basic settings for the router.


[edit | edit source]

The Network section allows you to set up the Internet / Wide Area Network (WAN) connection that the router uses, the basic parameters of the Local Area Network (LAN) the basic Wireless radio parameters.

WAN / Internet

[edit | edit source]

Specifies how your router should connect to the Internet. Normally, this is done via an Ethernet cable connected from the WAN/Internet port to a Cable or DSL Modem.

Specifies the type of connection used. The rest of the parameters in this section are dependent on this connection type.
WAN Connection Types
Common Name Description
DHCP Get WAN IP assignment from DHCP server. The default for most Cable modems is "DHCP", meaning that the router simply talks to your cable modem and is automatically assigned an IP address and other connection data.
PPPoE DSL connections generally use PPPoE, which usually requires a username and password (provided by your DSL provider). Leave "Service Name" blank unless your provider requires one otherwise you won't be able to connect.
Static Manually set a static IP address.
PPTP Connect to VPN server via PPTP
L2TP Connect VPN server via L2TP (e.g., Cisco)
Disabled No connection to an Internet stream is handled.

Controls setup of the Local area Network (LAN), which includes settings for wired and wireless clients connected to the router.

Router IP Address
The IP address assigned to the router on the LAN. Default is
Subnet Mask
The default of means that anything starting in the first three numbers as the router (default 192.168.1.x) is assumed to be on the Local Network. Making this too broad means that some Internet servers may be inaccessible.
Static DNS
Allows you to list a series of DNS servers manually (as opposed to getting them from your Internet Service Provider). Useful if your ISP's DNS servers are slow or unreliable, or if you prefer a different one.

DHCP Server

[edit | edit source]

Dynamic Host Configuration Protocol (DHCP) is a protocol used by networked computers (clients) to obtain IP addresses. Use this to control the IP addresses that your router hands out to computers connected to the Wired or Wireless Local Network. If checked, the router will hand out addresses within the range specified. You may also customize the amount of time before computers on the LAN will renew their IP addresses (the Lease Time) and specify a Windows Internet Name Service (WINS) server if you use WINS.


[edit | edit source]

Controls the connection over the Wireless Local Area Network.

Enable Wireless
If checked, Wireless access will be allowed.
MAC Address
Displays the MAC address assigned to the Wireless radio on the router.
Wireless Mode
Wireless Mode Selections
Selection Description
Access Point The normal setting which allows clients to connect to this router wirelessly.
Access Point + WDS Sets the router in "repeater mode," allowing clients to connect wirelessly while simultaneously acting as a Wireless Distribution System (WDS) base station.
Wireless Client
Wireless Ethernet Bridge This allows it to connect to another gateway router while still keeping all computers connected to both routers in the same subnet. Note: As of version 1.19 - Wireless Bridge must be set to WPA
WDS Serve as a Wireless Distribution System (WDS) base station only.

Note: If the router is used as a wireless client or Wireless Ethernet Bridge, it cannot be used as an access point at the same time.

B/G Mode
This may be Mixed (B+G), B-Only (restricted to 802.11b), or G-Only (restricted to 802.11g). If you set this to B-Only or G-Only, connection attempts from the other protocol may be seen as interference. Recommend leaving this set to "Mixed".
Wireless router identifier. Allows you to uniquely identify your router and differentiate it from other routers in range.
If checked, the SSID will be broadcast, allowing the router to be found more easily. Disabling this is a very limited security measure. Casual scans will not be able to find the router, but anyone running sniffing software can easily find it.
The 2.4xxGhz range channel used by the router, from channel 1-14 (2.412 – 2.484 GHz). It's interesting to know that most routers default at 6 or 11 and surprisingly few people change them. It's noted that channel 14 is forbidden in most countries. Channels above 11 are not licensed to use in North America. See List of WLAN channels at Wikipedia for details.
The "scan" button on that page (simple result) or Tools -> Wireless Survey (detailed result) will detect any other access points in range, completing in about 10 seconds. Choose the frequency that is the furthest from any other frequency in use.
The "scan" button fills out a table like this example, in the format of (n AP / strongest "xxx" -n dBm). n = number. xxx = SSID.
  • n AP means how many other wireless networks are found in your surroundings.
  • strongest "xxx" -n dBm means the wireless network which has the strongest signal around you (the lower the dBm, the weaker. Note that dBm is indicated as a negative value). Normally -80dBm and below is considered 'unacceptable' signal level and is too weak for most radio equipment.
Allows you to secure your wireless connections.
  • Disabled means all connections are unencrypted and anyone can read traffic.
  • WEP (Wired Equivalent Privacy) is the oldest Wi-Fi security framework which some older devices only support it. While better than nothing, it is very easily broken (a few minutes to crack it).
    • Tip: If you must use WEP because a device doesn't support WPA/WPA2, go to Basic -> Wireless Filter. Click on "Permit Only the Following Clients" - only clients which match the MAC address can access to your wireless network. It isn't really safe, but better than nothing.
  • WPA personal/enterprise (WPA = Wi-Fi Protected Access) is more secure than WEP but only newer devices support it. Choose personal if you are a home user. Choose AES for encryption algorithm. TKIP has exploits and is crackable. Use very long (20-63 characters) and an unguessably random passphrase. Don't be worried about forgetting your passphrase since you only need to enter once per device.
  • WPA2 personal/enterprise improves upon WPA and is currently the most secure encryption protocol but only newer devices support it. See WPA for other details.
  • Radius Remote Authentication Dial In User Service
Notes: Security can be increased slightly by limiting the number of wireless clients which can connect to your router. It's located at Advanced --> Wireless -> "Maximum Clients" option.


[edit | edit source]
Router Name
Allows the router name to be changed. This appears on login and administration screens.
Use if your ISP or connection requires it.
Domain Name
Use if your ISP or connection requires it.
Router Time
Displays current router time.
Time Zone
Tell the router which time zone you are in so it can adjust to local time. If you set this to Custom, you can enter a string that allows you to customize a time zone.
  • Auto Daylight Saving Time: If checked, the router will compensate for Daylight Saving Time. If not, it will always use Standard Time.
Auto Update Time
How often the router connects to a Network Time Protocol (NTP) server to update its internal clock. If the router time is not updated automatically, make sure you have a working DNS in Basic:Network, otherwise the router will not be able to resolve the NTP address.
  • Trigger Connect On Demand: If checked, the router will force a connection as needed to update time. If not checked, the router will only check time if a connection to the Internet is already established.
  • NTP Time Servers: List of NTP servers to use to update the time.

NTP Time Servers may request that Tomato block them from being used in the future. If this happens, Tomato will display the following message: "The following NTP servers have been automatically blocked by request from the server: XXX.XXX.XXX.XXX."

Dynamic DNS, a special DNS registry/server that can be updated on frequent IP address shuffles. Instead of having to know your IP address each time it changes, a computer on your network can run a special network program that submits your updated IP address, which you can then refer to via a standard URL issued by your DDNS provider. Most DDNS providers offer a free personal account for you to use.

As an alternative to running an application on one of your PCs, Tomato provides a built-in DDNS client right in the firmware that supports a number of DDNS providers. From the main menu, select "Basic" then "DDNS".

For most DDNS providers, you simply select the provider from the pull-down list, and enter your username, password, and hostname. Detailed instructions on operating each DDNS provider's account can be found at their web site.

DDNS can be used to permit web access to the router for system administration purposes.

Dynamic DNS

[edit | edit source]
IP Address
IP Address Selections
Selection Description
Use WAN IP Address (recommended) The normal setting which obtains the WAN address from the WAN login/connection process. If this proves unreliable, try Use External IP Address Checker option.
Use External IP Address Checker (every 10 minutes) Obtains the WAN address from the remote DDNS provider.
Offline ( Reports the router as offline with a 0 IP address.
Offline ( Reports the router as offline with a IP address.
Offline ( Reports the router as offline with a IP address.
Custom IP address (enter address in open field) Reports the router WAN address as entered.
Auto Refresh Every (number) Days (0 = disable)
Sends a WAN IP Update report by default every chosen number of days. In the event that your WAN IP address is infrequently changed, this acts as a "keep alive" for some Dynamic DNS services, to avoid suspension of service due to disuse. A value of 0 disables Auto Refresh.

Dynamic DNS 1

[edit | edit source]
A list of available Dynamic DNS Providers, or Custom URL. Each provider requires establishment of an account, and compliance with their terms of use, before accessing their service.
URL of the selected DDNS provider, for administrative purposes.
your login ID for the selected DDNS provider.
your password for the selected DDNS provider.
Force next update [ ]
checkbox to force the next WAN IP update to the selected DDNS provider. Too-frequent forced updates may result in suspension of service.
Last IP Address
most recent IP address uploaded to the DDNS provider.
Last result
status of last DDNS update

Dynamic DNS 2

[edit | edit source]

See above.

Note: for each Dynamic DNS provider, refresh or touch the IP Address selection to fill out the form.

Static DHCP

[edit | edit source]

This is a simple way to ensure that each of the client hardware devices that connects to your Tomato router gets the same IP address and hostname each time. Simply enter the MAC address for your device (which you can find on the "Device List"), and enter your preferred IP address.

Generally, it's best to use an IP address that is within the subnet range for your Tomato router, but outside the normal DHCP assignment range. In other words, use an address that starts with the same three numbers (default 192.168.1.x) as your router, but has a fourth number that is not likely to be assigned to any clients by the normal DHCP settings.

For multiple hostnames for the same IP address (e.g., the server should be known as both "galaxy" and "mail"), separate them in the hostname field with a space. Use a hyphen for a single, multi-word hostname like "My-PC".

If a computer has multiple network devices (wired vs Wi-Fi, for instance) with different MAC addresses, there is no way to assign the same hostname to both devices, as would be the case if Tomato respected the computer's own hostname. You will get a "Duplicate name" error.

If you have the DHCP server set to assign IP addresses in the range of to, for example, good choices for Static DHCP assignments would be either in the - range, or -

An easy way to add an IP address to the Static DHCP list, is to go to the "Device List" and click on the IP address of the device you want to make Static. This will take you to the Static DHCP function and all you need to do is edit the device name (optional) and click "Add". (don't forget to click "Save" to commit).

Tomato originally supported 50 entries, this has been increased to 100.

Wireless Filter

[edit | edit source]

The Wireless Filter allows you to configure which wireless equipped computers may or may not communicate with the router depending on their MAC addresses. If it is set up as an AP, bear in mind that all AP's need the same setup. This may be inconvenient. You may want to use "Access restriction" on the main router which will apply to all users on all AP's.

100 rules are presently supported.

While a decent basic security measure, understand that all MAC addresses are transmitted in cleartext, and may be intercepted. This should not be used as a primary means of security.


[edit | edit source]

Conntrack / Netfilter

[edit | edit source]

Adjustments for the number of connections and persistence for each connection in the Network Address Translation (NAT) table.

Maximum Connections
The maximum number of connections the router can hold. Default value in teddy_bear's mod is 4096.
TCP Timeout
Control different aspects of TCP Timeout. Read The TCP/IP Guide - TCP Connection Termination for details.
The wait time for established connections before the connection is forgotten and removed from the NAT table. Default value in teddy_bear's mod is 1200.
SYN Sent
The meaning of SYN Sent and its implications can be found here. Default value in official tomato and teddy_bear's mod is 120.
SYN Received
???. Default value in official tomato and teddy_bear's mod is 60.
FIN Wait
???. Default value in official tomato and teddy_bear's mod is 120.
Time Wait
???. Default value in official tomato and teddy_bear's mod is 120. If you appears to have too many connections in time wait, read lot of connections in Time_wait.
Advantages of decreasing TCP Time Wait interval from the default include:
  • more rapid recovery of system resources associated with sockets
  • more connections can be handled
  • less memory consumption
Disadvantages of decreasing TCP Time Wait interval include:
  • more CPU time spent in recovering connections
  • there is a possibility that data loss can occur without notification if set too low
  • connections could be refused if old duplicate SYN segments exist
  • the connection cannot be re-used (new SYN)
???. Default value in official tomato and teddy_bear's mod is 10.
Close Wait
???. Default value in official tomato and teddy_bear's mod is 60.
Last ACK
???. Default value in official tomato and teddy_bear's mod is 30.
UDP Timeout
???. Default value in official tomato and teddy_bear's mod is 30.
???. Default value in official tomato and teddy_bear's mod is 180.
Other Timeouts
???. Default value in teddy_bear's mod is 600.
???. Default value in teddy_bear's mod is 30.
Tracking / NAT Helpers
File Transfer Protocol. 40-years-old and still common. Default value is checked.
Point-to-Point-Tunneling-Protocol. For virtual private network (VPN) connections. Default value is unchecked.
Protocol primarily used for Voice Over IP (VOIP) and videoconferencing. Default value is checked.
Real Time Streaming Protocol. Used for the control stream for streaming media. Default value is checked.
TTL Adjust
???. Default value is none.
Inbound Layer 7
This L7 matches inbound traffic, caches the results, then the L7 outbound should read the cached result and set the appropriate marks[1]. Default value is checked.

Usage notes

[edit | edit source]

This is mostly relevant for people who use P2P or other connection-intensive applications on their Internet connections. The connection table has a finite number of entries, and if the entries are all used up, the router cannot make new connections. The only way to free up an entry is to gracefully terminate a connection (normal), or to have one time out. Since P2P applications rarely drop connections gracefully, they need to depend on the router to time out their connections for them.

The most important settings are:

  • Maximum Connections
    • Increasing this may slow down the router slightly. 4,096 is probably a good maximum value.
    • Keeping this too low may eventually result in running out of entries. The default of 2,048 is probably a good minimum value.
    • Clicking on count current next to the input field will tell you how many entries you are currently using.
    • Before increasing this field, consider using the TCP Timeout (below) to recycle existing connections faster, rather than increasing the number of connections.
  • TCP Timeout: Established
    • This is the amount of time that an established connection will be maintained after its last activity.
    • Setting this too low will cause active TELNET / FTP connections to be dropped unless you have a keepalive to keep data flowing over the connection.
    • Setting this too high will cause old connections to be retained, wasting entries in the NAT table.
    • Four Hours (14,400 seconds) is a decent compromise, but you have to choose a value that balances retaining valid connections versus killing old ones. In a non-P2P environment, you can set this to several days without any problems (the Linksys default for this is FIVE DAYS, which is why many Linksys routers don't do well for P2P).

Most of the remaining settings would generally be used pretty rarely, and are probably present for adjustment by advanced users who might need to tweak their network settings.

Many sites recommend adjusting these values using a script such as this one:

echo 4096 > /proc/sys/net/ipv4/ip_conntrack_max
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
echo "600 1800 120 60 120 120 10 60 30 120" > /proc/sys/net/ipv4/ip_conntrack_tcp_timeouts

However, the two settings in the GUI listed above will accomplish everything the oft-published scripts claim to do, with less effort. Specifically, the Established TCP Timeout setting replaces the "1800" in the last line of the script, and the ip_conntrack_max number is controlled by the Maximum Connections setting. The gc_thresh settings are not really useful, it's better to let Tomato use its defaults for thresholds.


[edit | edit source]

DHCP / DNS Server (LAN)

[edit | edit source]
  • Use Internal DNS (Default: on): Allows Dnsmasq to be your DNS server at the Router IP Address (typically DNS is cached in Tomato firmware. DHCP clients will receive the router IP address as the DNS server.
  • Use Received DNS With Static DNS (Default: off): If unticked, DNS from your ISP servers are ignored if you've entered static ones specified on the Basic > Network page. If ticked, if your WAN obtains a DHCP address from the ISP it also gets a DNS from the ISP. This option allows the router to use together both the ISP assigned DNS and the static DNS server(s) specified on the Basic > Network page.
    If you have static DNS entries, "" will add any name servers received from your service provider.
    You may also consider adding "strict-order" (without quotes) in the "Dnsmasq Custom Configuration" box. This forces Dnsmasq to send DNS queries to servers strictly in the order that they appear in the resolve file. This is useful if you are using services such as OpenDNS but still want to use your ISP's server(s) as a backup. Without this setting your ISP's DNS server(s) will tend to be favored.
    You can view these changes in the resolve file at "/etc/resolv.dnsmasq".
  • Intercept DNS port (UDP 53) (Default: off): When enabled, anything going out to UDP port 53 is redirected to Dnsmasq. This prevents bypassing parental controls. It may be helpful when used with OpenDNS for parental control.
    Another use of this intercept is with VPN client software in combination with the "Use internal DNS. Typically, VPN client software will 'tunnel' non-routable IP addresses such as which will bypass the router and cause DNS failure. Instead, you can change the client's DNS address to any bogus routable IP address to prevent the VPN client from tunneling DNS requests and let the router intercept them. This works whether or not the VPN client software is active.
  • Use user-entered gateway if WAN is disabled (Default: off): This setting is useful if you are using your Tomato device's DHCP and/or DNS servers, but are not using it as a gateway to the WAN (i.e. the internet). If some other device is performing that function (usually with NAT or similar functionality), you want Tomato's DHCP server to instruct clients that they should use that other device as their default gateway in their routing tables. If that is the case, enable this checkbox and be sure the Default Gateway is set under Network / Basic.
  • Maximum active DHCP leases (Default: 255): ???
  • Static lease time (Default: Same as normal lease time): ???
  • Dnsmasq Custom configuration (Default: blank): ???
    Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP server. Adding "stop-dns-rebind" (without quotes) into the "Dnsmasq Custom Configuration" box prevents DNS Rebinding attacks. This does not negate the need for a strong password however.

DHCP Client (WAN)

[edit | edit source]
  • Reduce packet size (Default: off): ???


[edit | edit source]

Settings to configure some basic aspects of the router's firewall.

  • Respond To Inbound Ping: If checked the router will respond to ping requests from on the WAN interface. If unchecked, the router will not respond to pings from the WAN. Default value is unchecked.
  • Allow Multicast: If checked, the router will allow multicast packets to reach the LAN. Otherwise it will block multicast packets from reaching the LAN. Default value is unchecked.
  • Enable NAT Loopback: If checked, the router allows LAN devices to reach other LAN devices via the router's WAN IP address and a properly configured port forward. If unchecked, LAN devices can only contact other LAN devices via their local IP addresses. Default value is Forwarded only. Edit: Tomato Firmware v1.21.1515 - There is no option to check to enable NAT loopback. You may only choose between 'all, 'forward only' and 'disable',
  • SYN Cookies: Activates SYN cookies. Default value is unchecked.

MAC Address

[edit | edit source]

This sets the hardware address that is seen from the ISP. Some ISPs are set up to only accept the original network card you had when you first started service. Others simply have the modem set to only allow one HW address per boot, so try resetting your modem after changing this. For some cable internet service providers, changing the MAC address seen by the cable modem is a good way to request a new IP address if required.


[edit | edit source]
  • Boot wait time specifies the length of time the router will pause during startup, before attempting to load the firmware. This pause represents a period where a new firmware can be flashed to the router via TFTP, if the firmware on the flash chip has been corrupted. Default value is 5 seconds.
  • WAN Port Speed specifies the speed and duplex setting for the WAN interface port. Default value is Auto.


[edit | edit source]
  • Current Routing Table: Shows your current routing table.
  • Static Routing Table: Allows you to add static routing entries if you have more than 1 router on your network.
  • Miscellaneous
    • Mode: Options available are Gateway and Router.
      Gateway = Don't let WAN traffic access the LAN, except through port forwarding or DMZ. (Required mode for PPPoE connections connected through WAN port to a bridged ADSL modem.)
      Router (Default) = Turn off these features and NAT. (May be incorrect on details, but this is the idea)
    • RIP v1 & v2: See RIP v1 and RIP v2 (It's not clear if this is for sending or receiving or both). Default value is disabled.
    • Efficient Multicast Forwarding: Default is unchecked.
    • DHCP Routes: Default is checked.
    • Spanning-Tree Protocol: If checked, enables the IEEE 802.1d spanning tree protocol for detecting and resolving loops in your internal network. (Switch A plugged into Switch B plugged into Switch C plugged into Switch A.). Default value is unchecked.


[edit | edit source]

Controls advanced settings for the connection over the Wireless Local Area Network. Please note that some of these settings do not exist in traditional Tomato Version 1.28 and prior.

  • Afterburner: Broadcom Afterburner is a 802.11g Standards Enhancement to provide additional speed for home wireless networks while remaining compatible with all Wi-Fi CERTIFIED™ 802.11b/g Products. When enabled, it allows 125 Mbps mode.
  • AP Isolation: A prime example would be like in a hotspot (e.g. coffeeshop like Starbucks, hotels) wherein a lot of computers connect randomly to the network. Since all computers are connected to 1 single network there is a possibility that they could access each other which may result in unwanted hacking. AP isolation will help prevent this by making each and every single computer a separate entity on their own. When enabled, the router prevents wireless devices from communicating with each other. If disabled, the unit will switch traffic from one wireless client to another.
  • Authentication Type: Controls whether clients must use shared keys to authenticate. This setting is disabled (i.e. forced) in some security modes.
  • Basic Rate: Sets mandatory rate list transmitted by the AP which must be supported in order to connect. Some old 802.11b clients can only connect if this is set to 1-2Mbps.
  • Beacon Interval: Sets the amount of time between beacon transmissions in milliseconds. A longer interval can save power on sleeping clients, and a shorter interval can improve connectivity in poor reception situations.
  • CTS Protection Mode: When set to Auto, enables a mode which ensures 802.11b devices can connect when many 802.11g devices are present.
  • Regulatory Mode: Enables watching for services that have priority use of wireless bands shared with WiFi, such as aircraft radar. Enabling this function can cause compatibility issues with WiFi clients, so it is normally turned off.
  • Country / Region: Select the current country where the access point is in. This ensures that local regulation regarding channel usage and maximum output power are observed.
  • Bluetooth Coexistence: Router will attempt to share airtime with Bluetooth devices to improve performance of both classes. May have no effect if Bluetooth devices are older and do not "cooperate."
  • Distance / ACK Timing: Sets the approximate maximum distance in meters from which clients can connect. May be useful in preventing distant "cantenna leeches" from connecting. It will not prevent snooping, however. Setting to 0 disables this function.
  • DTIM Interval: Sets the amount of time in milliseconds between Delivery Traffic Indication Messages, which tells a client in power-saving mode when to expect the next broadcast message.
  • Fragmentation Threshold: Sets the maximum packet size in bytes before fragmenting it into multiple packets. Increasing this value may help in high packet error rate situations. Making this value too small will reduce network performance.
  • Frame Burst: Enables frame burst mode which increases throughput, but is only recommended for 1-3 wireless clients. Enabling with many connected clients can result in lower performance.
  • Maximum Clients: Sets the maximum number of wireless clients that can connect at once.
  • Multicast Rate: Sets the signalling rate used for multicasting.
  • Preamble: Selects long or short preamble for 802.11b. Short will increase throughput, but some older 802.11b devices require the long preamble.
  • 802.11n Preamble: By default, 802.11n operates in "mixed" mode which transmits a radio preamble and signal field that can be decoded by 802.11a and 802.11g radios. 802.11n Wi-Fi networks have an optional "greenfield" mode that improves efficiency by eliminating support for 802.11a/b/g devices. However, enabling this mode can cause throughput issues on some 802.11n network devices that are not fully compatible with the 802.11n standard.
  • RTS Threshold: Sets the minimum packet size in bytes which triggers Request to Send/Clear to Send signalling. A number higher than the Fragmentation Threshold effectively disables this function. It is normally not needed but may be useful in adverse conditions.
  • Receive Antenna: Selects which antenna is used for receiving. These settings are primarily useful for external antennas. Single antenna units should be set to Auto.
  • Transmit Antenna: Selects which antenna is used for transmitting.
  • Transmit Power: Sets the transmit power in milliwatts.
    • Tomato default is 42mW.
    • High settings may cause non-linearity in the transmitter causing loss of data, interference to other users and channels, and a high "noise floor".
    • High setting may overheat and shorten the life of the transmitter.
    • Based on the results of testing reported on the forum[1], the maximum actual broadcast power is achieved with a setting around 64 mW in Tomato (or DD-WRT).
    • Settings as high as 84 mW have reportedly been used without harm to the hardware.
  • Interference Mitigation: Sets the wireless interference mitigation mode. It seems that the "WLAN Auto" selection works better in most cases, but you may try to disable the mitigation if you experience wireless stability issues. This "feature" has been responsible for much instability and poor throughput.
    • Select "None" if you have no other electronic devices around that may cause an interference.
    • Use "Non-WLAN" if the primary source of interference in your area are non-WLAN electronic devices, such as cordless phones, microwaves etc.
    • "WLAN Manual" activates interference mitigation against other Wireless LAN APs.
    • "WLAN Auto" is similar to "WLAN Manual", but it only activates mitigation if it actually can see other wireless APs transmitting at the time.
  • WMM: Wi-Fi Multimedia (WMM) is a Wi-Fi Alliance interoperability certification, based on the IEEE 802.11e standard. It provides basic Quality of service (QoS) features to IEEE 802.11 networks. WMM prioritizes wireless traffic according to four Access Categories (AC) - voice, video, best effort, and background. However, it does not provide guaranteed throughput. It is suitable for simple applications that require QoS, such as Voice over IP (VoIP) on Wi-Fi phones. Operation is limited to the local network, there is no implied QOS over the Internet. This feature must be enabled for iPhones and iPads to connect in 802.11n mode.
  • No ACK: Controls whether WMM packets require acknowledgment. Enabled sets No Acknowledgment which allows higher throughput and lower latency when some packet loss is acceptable (i.e. for VoIP).
  • APSD Mode: Automatic Power Save Delivery is a more efficient power management method than legacy 802.11 Power Save Polling. Most newer 802.11 stations already support a power management mechanism similar to APSD. APSD is very useful for a VoIP phone, as data rates are roughly the same in both directions. Whenever Voice data are sent to the Access Point, the Access Point is triggered to send the buffered Voice data in the other direction. After that the Voice over IP phone enters doze state until next Voice data have to be sent to the Access Point.

Allows the creation and modification of VLANs along with their associated ports.

When modifying VLANs some VLAN port associations may reset on reboot. If this is the case please run the following commands, under Tools > System Commands, by pasting it in the Command field and clicking Execute.

nvram set manual_boot_nv=1
nvram commit

Port Forwarding

[edit | edit source]

Once you have set up your router you will have your own Local Area Network (LAN) managed by the router. You inevitably will have many devices connected to your LAN all using the same internet connection. This causes a problem because different devices on your LAN will need specific data that is coming in from (or going out to) the internet.

Port Forwarding allows your router to control the flow of data to and from the internet, and make sure the router knows which device (ie computer, webcam, VoIP telephone etc) connected to your LAN sent/requested/needs each packet of data. Usually packets coming in from the Internet will be in response to some request that one of your devices connected to your LAN has made (ie a VoIP phone making a request to connect a telephone call) . In these cases, the router keeps track of which device made the request, and forwards the response back to that same device.

Sometimes however, as in the case of "Server" applications (such as you hosting your own website on a PC within your LAN) requests come in from random locations on the Internet, and you need to tell the router which computer is running the “server” so that these random requests can be routed to the correct computer. This is generally done by telling the router that any "unsolicited packets" (packets that are not a response to a request from a local computer) on a specific port or list of ports should be forwarded to a specific computer on the network.

Finally, there are also "thief jiggling the handle" connections from random corners of the internet. Locking those out is another job of the router.

There are a few ways to set this up.


[edit | edit source]

Allows you to specify simple port forwarding where all packets received on the specified External Ports will be routed to the specified Internal Address. e.g., you can forward all incoming data on ports 5060 and 5061 (used for SIP protocol to initiate a VoIP telephone call) to your VoIP telephone.

Optionally, you can change the local port by specifying Int Port. This is also known as Port Redirection. This technique is handy, for example, if you have two web servers. Both could be listening on the default port (80), but the router could be set to forward received packets on Internet Port 80 to Port 80 on the first web server, and packets on Internet Port 81 to Port 80 on the second web server.

The "External Ports" box can contain a single port (ie 8080) or a range of ports (5060:5061). The "Int Port" can be left blank. The "Internal Address" is the IP address of the device on your LAN (ie

The Tomato Firmware GUI can take up to 50 entries for basic port forwarding.

DMZ, or Demilitarized Zone, allows you to specify one device on your network that will receive all unsolicited packets from the Internet. This can be handy for devices that need largely unrestricted access to the Internet, or for a Web/email server. However, this bypasses all firewall functions of the router for this device, so be sure the device is very well secured. The current firmware version implements source restrictions based on IP-addresses.

If you want to transparently access the DMZ computer from your internal network, then you will need to check Enable NAT Loopback and set it to to All in "Firewall" page under "Advanced". If this is not set, then you will not be able to reach the DMZ computer using the external IP address when using the internal network. In this case, only the DMZ computer will only be reachable on its internal IP address from the internal network, meaning that the external IP address will point to the router on the internal network.


[edit | edit source]

Port Triggering is an on-demand port forward. The router will look for an outbound connection on a specified port, and will forward all of the requested ports to whatever computer initiated the outbound connection.

Under the Trigger Ports, you would enter a list of the ports that your computer will use to initiate the forwarding. Then you specify the ports you want to forward to that computer under Forwarded Ports. Any computer that sends outbound packets on any of the ports listed in Trigger Ports will then have all unsolicited packets received from the Internet on the Forwarded Ports sent to it.


[edit | edit source]

Universal Plug and Play (UPnP) allows devices on your network to set their own port forwards. A computer running a web server, for example, can tell the router to forward all communications on port 80 and/or 443 to it. UPnP allows your local devices to add, delete, and update port forwards at will. Often this is the only way for applications on a client machine to obtain a connection to the remote server.

Only 25 UPnP connections are presently supported.

There are some security disadvantages to UPnP, such as a trojan horse or other "bad" software package being able to forward ports to a given machine so the malware can use your computer as an Internet server. However, there are also security advantages to UPnP, since any well-behaved UPnP application will request cancellation of its forwarded ports when it shuts down or no longer needs them. This reduces the number of unneeded forwarded ports. Currently, forwarded ports which have not been terminated by an application after it has closed are not automatically closed by Tomato.

QoS — Quality of Service

[edit | edit source]

QoS, or Quality of Service, allows you to prioritize data, slowing down less important data to allow more important data to get through first.

This is primarily useful for outbound data (data going from your computers to the Internet). Inbound data cannot be prioritized effectively because it has already passed through the bottleneck (your Internet connection) by the time the router has a chance to evaluate it.

QoS in Tomato has ten levels of priority. HIGHEST will always get the very highest priority (use sparingly) and CLASS-E (labeled as E) is the lowest-priority class. If the upstream bandwidth becomes over-saturated (more packets want to go out than the connection can send), lower-priority packets will be delayed (and possibly eventually discarded) to make room for higher-priority packets.

If you like to go more into details of traffic shaping try the WRT54 Script Generator as an extension to the current QoS implementation (see Tools for details).

Note: QoS works by having fixed maximum inbound and outbound bandwidths, and then allocating that bandwidth based on packet priorities. This means that the firmware will NEVER allow more than the configured bandwidths. Even if your service provider allows more (either temporarily as a "speed boost" feature, or permanently as a service upgrade) you will still be restricted to the configured bandwidth. If you need the highest possible bandwidth at all times you may wish to leave QoS disabled.

Basic Settings

[edit | edit source]
Enable QoS
If checked, QoS will be enabled. If not checked, QoS will be disabled.
Prioritize ACK
Prioritizes the sending of ACK (Acknowledgment) packets. Recommended: Checked (on).
Prioritize ICMP
Prioritizes Internet Control Message Protocol packets (PING replies, etc).
Reset Classification when making changes
If checked, all connections will be reevaluated when a change is made to the QoS rules. If not checked, you may need to restart each application on your PC to re-establish each connection before the rule is applied to that connection.
Default Class
This is simply the "catch-all" classification when no rules are found for a connection.
If a connection does not meet any of the QoS criteria, it will default to the specified class. If you have a high-priority service (such as VoIP) and a low-priority one (such as P2P), your best bet is to set this to MEDIUM or LOW, then try to classify all of your high priority stuff above this classification, and your low priority stuff below it.
QOS is not easy to apply with P2P as even L7 filters do not work particularly well. An approach which generally works well with P2P is to set your default class to "lowest" and then address all other desired rules in classes above this. P2P will "fall" though all of the filters and end up in the default "lowest" class. This way, you don't have to use several different filters in an attempt to capture all of the possible P2P traffic.
Max Bandwidth
One of the major limitations of QoS in most Linksys routers is their inability to determine the upstream speed of the Internet connection. This is true of many router models. The most effective way to tune QoS is to do an Internet speed test with QoS turned off. Then enter about 90% of the tested upstream (upload) bandwidth into the Max Bandwidth field. This will allow the router to properly determine how much bandwidth is available and prioritize packets accordingly. A more detailed explanation of this (targeted for Vonage VoIP users) may be found at [dubious ]
Highest - Class E (the percentages under Outbound Rate/Limit)
This specifies the minimum and maximum percentages of the connection each classification is allowed to consume. This is allocating, rather than prioritizing, and is useful for cases where you want to specify that certain classes of connection should never receive more than a given percentage of your upload bandwidth. Set each class to 1%-100% to allow each class unlimited access to the bandwidth (with higher priority classes receiving only higher priority, and not "reserved" amounts).
Inbound Limit
This allows you to limit the overall amount of data coming in to your router, and allocate maximum percentages of that bandwidth for each QoS service. Note that packets that exceed your limit are simply thrown away, not delayed as in the case of Upload/Outbound QoS. Under certain circumstances, this setting is useful, but is a very inefficient way to control inbound data. Inbound traffic cannot be directly controlled with QOS as all rules operate on outbound traffic only.
TCP Vegas
A congestion avoidance algorithm built into the Linux kernel, introduced in Tomato 1.23.
This may produce better results than QoS for some users. For example, users with connection speeds which vary considerably (cable users with "speed boost," or speed slows in the evening when everyone in the neighborhood goes online) are required to set QoS "Max Bandwidth" conservatively, to the lowest max speed encountered. They would never take advantage of higher speeds when available. In this case, TCP Vegas may be effective at dynamically adjusting speed while avoiding dropped packets which would occur if QoS "Max Bandwidth" were set aggressively (to the highest max speed encountered during day-to-day use.).
Some users have reported that a combination of TCP Vegas and QoS (with an aggressive "Max Bandwidth") works well. (This section requires additional feedback.).
TCP Vegas operates only on outbound traffic. However, some users have reported that changing its parameters affected inbound traffic. (This section requires expansion.).
For more information about TCP Vegas, see:


[edit | edit source]

Allows you to specify which connections will get what levels of priority. This will override the default priority set in the Basic Settings page. Classification may be done by MAC address, TCP/IP port, or using more advanced filters like IPP2P or Layer 7 (L7) filtering.

All QoS rules are "as seen by your LAN", so SOURCE always means your computer, and DESTINATION always means the Internet.

QoS can be classified in a number of ways:

  • Address (first row in "Match Rule" Column): Identify the packet based on the IP or MAC address that is making the request, or the IP address that is being contacted. Example: If you have a VoIP device on your network that needs very high priority, you would set "Address" to "Src MAC" (source MAC address) and key the MAC address of the device, then set the priority to HIGH or HIGHEST.
  • Protocol/Port (second row): Identifies the packet based on the Protocol (TCP, UDP, etc) and/or Port Number (or list of numbers) that the connection is being made on.
  • IPP2P (third row): An attempt to identify P2P applications. Easily fooled by P2P Encryption, this is still useful for identifying some P2P applications.
  • L7 (Layer 7, third row): A sophisticated filter that can classify a number of applications. Again, for P2P, easily fooled by Encryption, but still useful.
Errata: Specific to version 1.23: The L7 filter "rtp-2" was added to Tomato 1.23 as a temporary solution. The official "rtp" filter does not catch some VOIP traffic. This new filter appears to work better. If the "rtp" filter doesn't work for you, try "rtp-2." Eventually "rtp2" may replace the "rtp," or be renamed by the L7 project who graciously provided it.

NOTE: Address and Protocol/Port are the fastest and most efficient ways to match. IPP2P is slow, and L7 is even slower. If at all possible, use Address and Protocol/Port before resorting to IPP2P or L7. Too many L7 or IPP2P rules can cause your router to crash or restart. If you are experiencing frequent crashes and restarts under heavy load, these may be the cause.

To improve IPP2P and L7 performance, provide additional qualifications when possible. For example, if you know the traffic is UDP, or a port range is involved, then specify this in the rule. These qualifications will be checked first, preventing unnecessary packet inspection of all packets.
Similarly, the order of rules can affect performance. For example, if an L7 rule is qualified as UDP this will help performance. But, if it is moved below the DNS rule (with a classification of "Highest"), it will prevent packet inspection of all DNS connections which are also UDP.

QoS Rule Example: Setting Web Browsing to HIGH

[edit | edit source]

Under Match Rule Column:

  • First row = "Any Address", field to its right is blank Meaning this rule applies to any connection to the Internet on any server
  • Second row = "TCP", "Dst Port", "80,443" Meaning that this rule applies to all TCP connections that are trying to connect to port 80 (HTTP) or 443 (HTTPS) on an Internet server
  • Third row = "IPP2P (Disabled)", "Layer7 (Disabled)" Meaning that we do not want to apply any IPP2P or L7 rules
  • Fourth row = "" "" (kb transferred) Meaning we do not want to match by amount transferred

Under Class Column:

  • "High" Meaning anything matching this rule will be assigned a HIGH priority in upstream

Under Description Column:

  • Assign any reasonable description. "WWW" or "Web Browsing" would be good here. This is not used except on this screen, to identify the connection for your future reference.

View Graphs

[edit | edit source]

One of the most powerful features of Tomato, this allows you to view (in near-real-time) the current outbound connections and how the QoS engine is classifying them. This allows you to view how effective your QoS settings are, and whether they are capturing the connections you want them to. Simply click on any of the classes to view the list of specific connections for that class.

View Details

[edit | edit source]

Lists each connection that has recently been made through the router, and what QoS class was assigned to that connection. Clicking any entry will attempt to do a reverse lookup on the destination TCP/IP address, or you can click on the "automatically resolve addresses" checkbox at the bottom of the list to resolve all addresses in the list (this can take a while).

Access Restriction

[edit | edit source]

Set time, computer, site, and protocol based bans on Internet access.

This function works on all connections to the router and so can be used to control access to all users of a network.

Currently supports 50 entries.

Each entry supports 2048 characters for the entire entry, the practical limit is around 1900 characters.


[edit | edit source]

This menu item is only available with the Teddy Bear modified build. It allows USB configuration.

  • Core USB Support: Enable the USB driver/services for hardware equipped with USB port(s) (e.g., ASuS WL-5xx series routers). Enabling this item makes the following of the settings accessible.
  • USB 1.1 Support (OHCI): ???
  • USB 1.1 Support (UHCI)': ???
  • USB 2.0 Support: ???
  • USB Printer Support: Load drivers for printer support.
    • Bidirectional copying: ???
  • USB Storage Support : If enabled, the following settings become accessible:
    • Ext2 / Ext3 File System Support: Load file system drivers to access (primarily) Linux formatted media.
    • FAT File System Support: Load file system drivers for Windows device compatibility. This file system is predominant among thumbdrives but might be used for hard drives as well.
    • Automount: Automatically mount all partitions to sub-directories in /mnt.
    • Run after mounting: Enter command-line statements to be executed when a USB storage device is connected.
    • Run before unmounting: Enter command-line statements to be executed when a USB storage device is removed.
  • Hotplug script: Enter command-line statements to be executed when a USB device is connected* they are run when any USB device is attached or removed)


[edit | edit source]

Admin Access

[edit | edit source]

Controls the various means that can be used to access the router for administrative purposes.

All services use the same password, which is changed at the bottom of this page.

Web Admin

[edit | edit source]

Controls access to the router via a web browser. The web username may be "admin" or "root".

  • Local Access: Determines whether and how the router may be accessed from a web browser on a local computer (a computer attached to the router, or attached to a switch or hub attached to the router). Access can be via HTTP (regular web), HTTPS (SSL-encrypted web), both, or disabled.
  • HTTP Port: default 80
  • Remote Access: Determines whether and how the router may be accessed from a web browser from the WAN (Internet) side of the router. It is not recommended that this be enabled, and if it must be enabled, consider using the HTTPS method, which at least encrypts your session data.
  • Allow Wireless Access: If checked, wireless clients on your local network can access your router's administration screens using the same method as wired clients. This has no effect on Remote Access.
  • Color Scheme: choose color scheme skin
  • Show Browser Icon: shows tomato icon on address bar

SSH Daemon

[edit | edit source]

Controls the Secure SHell (SSH) server that is installed on the router, which allows secure (encrypted) command-line access to the router. The SSH username is always "root".

  • Enable at Startup: Specifies whether the SSH Daemon is started when the router starts up.
  • Remote Access: If checked, you will be able to access the router via SSH from the Internet and the Local Network. If unchecked, only clients on the Local Network will have access.
  • Remote Forwarding: If checked, the SSH server will be listening for new connections to be tunneled. A tunnel initiated on the server side will then go back through the client machine. Example of usage.
  • Port: Specifies the TCP port used by the SSH daemon (default = Port 22). It is recommended to change the port to non-default because port 22 is being constantly scanned by the hackers on the Internet.
  • Allow Password Login: If checked, you can use the router username and password to enable a connection to the command line. If not checked, key authentication will be required.
  • Authorized Keys: Enter authorized keys for key authentication (a more secure alternative to password-based logins). Each key must start on a new line. Dropbear SSH daemon supports a subset of authorized_keys options, as described in sshd(8): command, no-agent-forwarding, no-pty, no-port-forwarding. It is not possible to limit the source address of connection or the port numbers and destinations of forwarded ports at this time. Use something like command="cat /dev/null" to prevent command execution.
  • [Start Now] / [Stop Now] Starts or stops the SSH Daemon.

Telnet Daemon

[edit | edit source]

Controls the Telnet command-line server built into the router. Telnet access is only allowed on the Local Network. The Telnet username is always "root".

  • Enable at Startup: Specifies whether the Telnet daemon is enabled when the router starts up.
  • Port: Specifies the Ethernet port used by Telnet (default = Port 23).
  • [Start Now] / [Stop Now] Starts or stops the Telnet Daemon.

Admin Restriction (for Remote Web/SSH)

[edit | edit source]
  • Allowed IP Address: If you want to restrict access from the WAN to Remote Configuration of your router by IP address, enter the appropriate IP address string.


[edit | edit source]

Allows you to specify your password. It is highly recommended you change this immediately after the installation. Enter the same password into both fields, and click "Save". After changing your password, you will need to re-authenticate your session (you may need to shut down and restart your browser to clear the current authentication).

Bandwidth Monitoring

[edit | edit source]

The bandwidth monitor history is just bandwidth data that can be viewed at the Bandwidth page of the Tomato UI, namely WAN port monthly history, WAN port daily history for the current month and intraday history (for vlan1, eth1, br0, eth0 & vlan0) captured over the last 24 hours. For this reason the backup file does not grow in size once it has reached about 133 Bytes.

  • Enable: check to enable / uncheck to disable
  • Save History Location: Saving to RAM is not permanent. Saving to NVRAM or JFFS2 is permanent but will cause the internal flash (rewritable) memory to be flashed more frequently than the router design intended. This may lead to a shortened useful lifetime for your router. Better permanent storage alternatives are CIFS1 and CIFS2. Keep in mind that if the share that your CIFS1 or CIFS2 points to is offline, then it will save the Bandwidth History the next time the share is online. Refer to the CIFS Client section for further detail.
    • If you use CIFS, you will have to wait until the first set of data is saved to see the 24 hour, weekly and monthly stats. You might see a message about 'rstat' not responding. A solution for this is to check "Create new file" if you do not want to wait the time until the first data is saved (from one hour, to days).
  • Save Frequency: Select an interval for periodic saving of bandwidth usage history. Useful if your router experiences power outages from time to time. The exact time that the save interval happens at is based on what time you save your settings. So if you set it to "Every 2 Days" at 10:35AM, it will save 48 hours from then, and every 48 hours thereafter.
  • Save On Shutdown: Cause a save before any reboot or shutdown event but obviously not before a power outage!
  • Create New File / Reset Data: Check this when setting up a new Save History Location. When checked a new file is created in the save location. If the file already exists in the save location all current data will be overwritten!
  • First Day Of The Month: Used to align the monthly data to the same accounting cycle that your ISP uses.
  • Excluded Interfaces: Comma separated list of Interfaces to exclude from the 24 Hours and Real Time Bandwidth pages of the Tomato UI. ( Example: vlan0,vlan1,eth0 will leave focus on the wireless LAN interface.) This has no appreciable effect on size of the history backup file being saved.

Although the role of the five interfaces is configuration dependent ( examples: WRT54G v2 and WRT54G v4 acknowledge: voidmain & WL-500gP and Network Configuration ack. OpenWRT ) the apparent convention is:

  • vlan1: wired WAN port
  • vlan0: wired LAN ports
  • eth1: Wireless LAN
  • br0: internal LAN bridge (configurable) for wired LAN and Wireless LAN
  • eth0: internal interface between CPU and the 6-port switch

Saved history may be viewed using the UI tools:

  • http: //
  • http: //
  • http: //
  • http: //


[edit | edit source]

Permits saving the entire contents of the current bandwidth history to a GZIP-compressed file on the client computer. Useful for archiving evidence of bandwidth issues, for easy display later.


[edit | edit source]

Permits restoring a previously saved bandwidth history file (GZIPped) from the client computer. Useful for displaying the contents of a previously saved history file.

Buttons / LED

[edit | edit source]

Change the action performed by the button. Different actions can be set for different lengths of time the button is held down (Count the DMZ blinks). The default actions are (1) tap to toggle wireless and (2) hold 20 seconds to start telnet on port 233.

The LED lights have some minor checkbox settings. For better effect, you can use the "led" command inside scripts elsewhere.

For unsupported router hardware, this text is displayed: This feature is not supported on this router.

Startup LED

[edit | edit source]
  • Amber SES: ???
  • White SES: ???

CIFS Client

[edit | edit source]

The CIFS client in Tomato allows you to mount a Windows-share or a Samba-share, that you can use as a history location for the bandwidth monitoring.

In the configuration UNC (Universal Naming Convention) points to that share and has to look as follows:

where is the IP-address of the computer the share is located on and "share-name" is the shared folder-name. The rest of the settings (username, password) speak more or less for themselves.

Give thought to the Shared Permissions for the specified Windows-share. The username/password pair specified here must be for an account that has permission to write to the shared folder, especially if you plan to use this network shared folder to save Bandwidth Monitor history. Also be sure to allow port 445 on any intermediate firewalls between the shared computer and the router.

It is advised to use "security = user" when using Samba, to avoid errors like these:
smb signing is incompatible with share level security !


[edit | edit source]

Allows you to back up all your settings to your PC, restore them, or reset the router to factory defaults.

When changing from one firmware to another, it is important to do a complete factory reset on your router. In Tomato, you go to this screen, select Erase all data in NVRAM (thorough), and click OK. When the router reboots, you will need to rekey all of your configuration settings manually. Instability and unpredictable behavior can occur if you don't erase the NVRAM.

Debugging (Miscellaneous)

[edit | edit source]
  • Avoid performing an NVRAM commit: If checked, changes are not committed to NVRAM if possible. This means that changes are temporary, and will not persist beyond the next reboot of the router.
  • Do not erase some intermediate files: ???
  • Enable cprintf output to console: ???
  • Enable cprintf output to /tmp/cprintf: ???
  • Count cache memory as free memory: ???
  • Avoid displaying LAN to router connections: If checked, LAN to router connections are not displayed on the QOS pages. If not checked, LAN to router connections are displayed on the QOS pages as "Unclassified" connections.
  • Download CFE: Download the CFE binary data. (default name: cfe.bin)

Please note: This is *not* information from the CBOE Futures Exchange (“CFE”). This download is the Common Firmware Environment (CFE) data, a firmware interface and bootloader developed by Broadcom for 32-bit and 64-bit system-on-a-chip systems.

  • Download Iptables Dump: Download the system output of 'tcpdump -L -v' (default name: iptables.txt)
  • Download Logs: Download the system's /var/log/massages file (default name: syslog.txt)
  • Download NVRAM Dump: Download systems NVRAM as a text file. (default name: nvram.txt)

Warning: The NVRAM Dump text file may contain information like wireless encryption keys and usernames/passwords for the router, ISP and DDNS. Please review & edit this file before sharing it with anyone.

  • Console log level:
 0 (KERN_EMERG)		system is unusable
 1 (KERN_ALERT)		action must be taken immediately
 2 (KERN_CRIT)		critical conditions
 3 (KERN_ERR)		error conditions
 4 (KERN_WARNING)	warning conditions
 5 (KERN_NOTICE)	normal but significant condition
 6 (KERN_INFO)		informational
 7 (KERN_DEBUG)		debug-level messages
  • Clear Cookies: Clears local web cookies: ( to include but not inclusive )
  • NVRAM Commit: Commits all current settings to NVRAM, such that they survive rebooting.


[edit | edit source]

In a router with 4MB flash, there's still some space leftover from the firmware. JFFS2 is the compressed, writable filesystem for the extra space, the /jffs folder gives 700KB after overhead but BEFORE compression. Turn this option on, and script some add-on executable to run from here.


[edit | edit source]

Logging may be done internally or externally. Internal logs save information to the router's local memory. External logs send the log information to a remote computer.

  • Log Internally : saves the connection logs to the internal memory of the router, where they may be extracted or viewed directly on the "Logs" page under "Status". These logs will consume router memory, but may be viewed directly on the router itself.
  • Log to Remote System : sends the logs to a computer on your LAN. That computer must be running a log capture program, like WallWatcher. The computer can then show you the connection logs and analyze the data.
    • IP Address / Port : The IP address and port for the remote syslog server.
  • Generate Marker : At the specified time interval, a line of text "------MARK-----" is inserted into the log to make it easier to read. Options available: Disabled, Every 30 Minutes, Every 1 hour, Every 2 hours.
  • Events Logged: Allow you to specify what types of events you want logged.
    • Access Restriction: Access Restriction activity.
    • Cron: Cron job information.
    • DHCP Client: DHCP actions.
    • NTP: NTP time synchronization activity.
    • PPPoE: Point to Point Protocol over Ethernet activity.
    • Scheduler: Activity generated by Tomato's Schedulery. ( Menu: Administration -> Scheduler )
  • Connection Logging: Allow you to specify what types of connections you want logged, and place a limit on the number of entries per minute to log. Unless logging externally, Disabled is recommended for both. Unless you need to detect all attempted connections, select to log only Allowed by Firewall. Note that most connections will be outbound, since the connections were initiated by a device inside the LAN. The only incoming connections (which are Allowed by Firewall) are things such as remote admin, FTP, SSH, or forwarded ports.
    • Inbound (Connections): As above
    • Outbound (Connections): As above
    • Limit: How many messages per minute at maximum can the system log. Enter '0' for unlimited.


[edit | edit source]

Shows 5 dialogs permitting scheduled actions to be enabled, and their day and time of execution selected. Reboot performs a router cold start, as if power had been cycled. Reconnect performs a WAN Release and Renew sequence. Custom 1,2,3 allow execution of arbitrary commands, within those present in Tomato. The dialogs differ slightly.

Reboot, Reconnect dialogs

[edit | edit source]
  • Enable: Allows execution and editing. Default: disabled.
  • Time: Drop-down menu to select Execution Time(24-hour format) in 15 minute increments, or to repeat every 1, 12, or 24 hours, or every user-selectable number of minutes.
  • Days: Week days of operation, selected individually. Default: Every Day.

Custom 1, Custom 2, Custom 3 dialogs

[edit | edit source]
  • Enable: Allows execution and editing. Default: disabled.
  • Time: Drop-down menu to select Execution Time(24-hour format) in 15 minute increments, or to repeat every 1, 3, 5, 15, 30 minutes, 1, 12 or 24 hours, or every user-selectable number of minutes.
  • Days: Week days of operation, selected individually. Default: Every Day.
  • Command: Text field for user-defined command. See BusyBox commands.
  • Save: Save settings. Must be performed for Enabled items to be scheduled.
  • Cancel: Aborts any editing actions, exits without saving.

Note: During initial editing, the GUI (as of 1.27) prevents enabling Custom dialogs after enabling Reboot or Reconnect. Enable any desired Custom dialog first before enabling Reboot or Reconnect.

The scheduler is actually the crond daemon. The scheduler GUI has some limitation, can not generate arbitrary crontabs. You can use cru command to manipulate crontabs. Remember to add them to init script, crontabs added by cru command will not survive reboot.


[edit | edit source]

Presents four text-entry tabs Init, Shutdown, Firewall, and WAN Up. You can enter commands in these tabs to be run at router Init (startup), Shutdown, Firewall startup, or WAN Up (whenever the Internet connection comes up).

Example script 1

Access the web interface of the modem connected to the WAN port of the router. In this example, the modem has the IP address Both IP addresses used in the script below begins with 10.0.0. The 1st address can end with anything other than 138 but the second address must end with 0. The IP of a modem must be from a different network than your local LAN.

In WAN Up:

ip addr add dev eth1 brd +
/usr/sbin/iptables -I POSTROUTING -t nat -o eth1 -d -j MASQUERADE

Example Script 2

Establish a limit of 125 TCP connections per user.

In Firewall:

iptables -I FORWARD -p tcp --syn -m iprange --src-range -m connlimit --connlimit-above 125 -j DROP

Note : - is the LAN address range to be controlled.

Example Script 3

Opens the SSH server on the WAN side, while giving a better protection against Brute Force password guessing attacks. After 3 connections attempts in under 90 secs, the source address will be locked out for 90 secs. This seems enough to convince the script kiddies to search for a new target. Needs v1.21 to work (or later), as it now comes with the ipt_recent module built inside.

In Init:

insmod `find /lib/modules/ -name ipt_recent.o`

In Firewall:

WANIP=$(nvram get wan_ipaddr)
iptables -t nat -A PREROUTING -p tcp -d $WANIP --dport 22 -j DNAT --to
iptables -A INPUT -d -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH_LIMIT --rsource
iptables -A INPUT -d -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 90 --hitcount 4 --name SSH_LIMIT --rsource -j DROP
iptables -A INPUT -d -p tcp --dport 22 -j ACCEPT

Note: Do not enable Remote SSH via the menu, this script will do it and apply the right rules


[edit | edit source]

Allows you to load a new firmware image to the router (either a newer version of Tomato or an entirely different firmware).

Note: When changing from any firmware to any other firmware (stock Linksys -> Tomato, for example), it is important to clear the NVRAM and restore the factory default settings. Instructions on doing that will vary from firmware to firmware, but there is generally a factory reset option (in Tomato, this is located under Administration/Configuration/Restore Default Configuration


[edit | edit source]

This page shows information about:

  • Name and the version number of Tomato firmware
  • Copyright statement
  • A direct http-link to tomato homepage
  • The build date of Tomato firmware
  • A donation button for the project
  • An acknowledgment message to all people


[edit | edit source]

Restarts the router (without erasing any settings).


[edit | edit source]

Turns the router off (controlled shutdown)


[edit | edit source]

Logs you out of the web session (clears your user session) and returns to the initial login screen, where you are asked to present login credentials again. This causes occasional confusion, with people reporting that they "need to log in in order to log out". Once you see the password prompt, you are logged out. Just hit cancel and you will end up at the "Unauthorized" page. This option is not supported on MS Internet Explorer (V7) and and the "logoff" item does not show in the menu. you will need to close the browser completely in order to log out.


[edit | edit source]