Tomato is an aftermarket firmware project for the following routers:
Linksys WRT54G (V4 and below)
Linksys WRT54GS (V4 and below)
Linksys WRT54GL
Buffalo WHR-G54S
Buffalo WHR-HP-G54S
The firmware is developed by the same author who wrote HyperWRT Tofu. This firmware is not a HyperWRT derivative.
The project page may be found at http://www.polarcloud.com/tomato
The major emphasis of Tomato is on speed and efficiency.
The GUI relies heavily on JavaScript to generate the content and XMLHTTP (AJAX) to update it. Be careful if you need to use this from an older/minimal browser since it was not designed to downgrade gracefully. This has been tested only on Firefox v1/2, Opera v9 and IE v6/7.
The GUI username is "admin" or "root" (username is required), ssh and telnet username is always "root", and the default password is "admin".
By default, the SES/AOSS button is programmed to start a password-less telnet daemon on port 233 if held for 20+ seconds. If you run into a problem of not being able to log in, you can use this to view or reset the password ("nvram get http_passwd" and "nvram set http_passwd=newpassword"). You can disable this behavior in Admin/Buttons.
If you're upgrading from DD-WRT v23 SP2+, be aware that you may get locked-out because of a change in DD-WRT's use of the nvram password key. You have a few options:
Push the reset button to reset all the configuration after installing Tomato.
Use the SES/AOSS button as described above.
Type "nvram get http_passwd" while running DD-WRT and write down the result - this will be your password after loading Tomato.
G\code.bin is for WRT54G v1-4 and WRT54GL v1, GS\code.bin is for WRT54GS v1-3, GSv4\code.bin is for WRT54GS v4, and TRX\code.trx is for the WHR-G54S/WHR-HP-G54S. If you're just upgrading an existing Tomato firmware from the GUI, any of these will work.
Open the Linksys GUI in your browser. The default URL is http://192.168.1.1/.
Click the Administration tab, then Firmware Upgrade.
Select and upload the correct firmware for your router.
Wait for about 2 minutes while the firmware is uploaded & flashed.
Log in to the router, and reset factory defaults (under Administration/Configuration/Restore Default Configuration, select the Erase all data in NVRAM (thorough) option and click OK). The router will restart again, and the factory default login is "admin" with a password of "admin".
Warning: Be aware that Buffalo only has encrypted firmwares on their web site. You will not be able to revert back to Buffalo's firmware without an unencrypted version of their firmware.
The following is for an initial install on a Buffalo router. If you're already using a third-party firmware or just upgrading a Tomato firmware, try uploading any of the .bin files from the GUI.
Push the reset button for a few seconds to reset the configuration.
Plug your computer directly to the router. This will not work over a wireless connection.
Set your computer's ethernet card settings to: IP=192.168.11.2, mask=255.255.255.0, gateway=192.168.11.1. In Windows, you can set this by going to Control Panel, Network Connections, right-click your ethernet card, click properties, then TCP/IP.
Make sure the red diagnostic light isn't lit, unplug the power cable, wait, then re-plug.
If you're using Windows, double-click on the whr_install.bat file or use the following command: tftp -i 192.168.11.1 put code.trx
If you're using another OS, start tftp with something like the following:
tftp 192.168.11.1
binary
put code.trx
You only have a 5 second window to do this, so if it doesn't work, unplug and try again.
After uploading, wait. It still needs about 2 minutes to flash the image.
Reset your computer's ethernet card settings back to use DHCP.
The default router address is 192.168.1.1. The CFE and future TFTP upgrades will also default to this address and will follow the settings entered in the GUI.
Open the GUI in your browser. The default URL is http://192.168.1.1/
Click Administration, then Upgrade.
Select any of the files and click the Upgrade button.
Wait for about 2 minutes while the firmware is uploaded & flashed.
Log in to the router, and reset factory defaults (under Administration/Configuration/Restore Default Configuration, select the Erase all data in NVRAM (thorough) option and click OK). The router will restart again, and the factory default login is "admin" with a password of "admin".
Provides information on the current condition of the router.
The Overview screen shows information on the current state of the router. It is organized into four sections:
System gives current overall system status, like the amount of time the router has been running, CPU load, and memory usage.
WAN gives information on the Wide Area Network (Internet) connection.
LAN gives a summary of the settings related to the Local Area Network, and the MAC Address for the wired portion of the network.
Wireless gives information on the wireless portion of the Local Area Network.
Provides a list of the current devices that have been assigned an IP address by the DHCP server. Devices are listed by Interface, which indicates where on the router they are connected:
br0 refers to Wired Ethernet (LAN) devices. In other words, devices that are connected to the router on the four Ethernet ports (either directly or via a hub or switch).
eth1 refers to Wireless Ethernet (WLAN) devices. In other words, devices that are connected to the router via the wireless radio.
vlan1 refers to your WAN (Internet) connection. In other words, the connection to your Internet modem (Cable modem, DSL modem, or upstream router).
Allows you to view the Internal system logs (assuming Internal Logging is enabled - see "Logging" under "Administration").
Displays a chart, updated every second or so, of the last 10 minutes of bandwidth used. Tabs at the top allow you to select the various interfaces for detail on the bandwidth for that interface.
Allows you to ping computers on the Internet to verify connectivity.
Adjustments for the number of connections and persistence for each connection in the Network Address Translation (NAT) table.
This is mostly relevant for people who use P2P or other connection-intensive applications on their Internet connections. The connection table has a finite number of entries, and if the entries are all used up, the router cannot make new connections. The only way to free up an entry is to gracefully terminate a connection (normal), or to have one time out. Since P2P applications rarely drop connections gracefully, they need to depend on the router to time out their connections for them.
The most important settings are:
Maximum Connections
Increasing this may slow down the router slightly. 4,096 is probably a good maximum value.
Keeping this too low may eventually result in running out of entries. The default of 2,048 is probably a good minimum value.
Clicking on count current next to the input field will tell you how many entries you are currently using.
Before increasing this field, consider using the TCP Timeout (below) to recycle existing connections faster, rather than increasing the number of connections.
Conntrack TCP Timeout: Established
This is the amount of time that an established connection will be maintained after its last activity.
Setting this too low will cause active TELNET / FTP connections to be dropped unless you have a keepalive to keep data flowing over the connection.
Setting this too high will cause old connections to be retained, wasting entries in the NAT table.
Four Hours (14,400 seconds) is a decent compromise, but you have to choose a value that balances retaining valid connections versus killing old ones. In a non-P2P environment, you can set this to several days without any problems (the Linksys default for this is FIVE DAYS, which is why many Linksys routers don't do well for P2P).
Most of the remaining settings would generally be used pretty rarely, and are probably present for adjustment by advanced users who might need to tweak their network settings.
Many sites recommend adjusting these values using a script such as this one:
echo 4096 > /proc/sys/net/ipv4/ip_conntrack_max
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
echo "600 1800 120 60 120 120 10 60 30 120" > /proc/sys/net/ipv4/ip_conntrack_tcp_timeouts
However, the two settings in the GUI listed above will accomplish everything the oft-published scripts claim to do, with less effort. Specifically, the Established TCP Timeout setting replaces the "1800" in the last line of the script, and the ip_conntrack_max number is controlled by the Maximum Connections setting. The gc_thresh settings are not really useful; it's better to let Tomato use its defaults for thresholds.
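As an added example that is not part of the Tomato documentation or firmware, the following busybox-compatible shell check reads the same /proc files the script above writes to and reports how full the NAT table is and how many ESTABLISHED entries a shorter Established timeout would have reclaimed. It assumes the 2.4-kernel /proc/net/ip_conntrack line layout (protocol, protocol number, seconds left, state, addresses), and the sample table it builds is constructed, not captured from a router.

```shell
#!/bin/sh
# Added example, not part of Tomato: read the NAT connection-tracking state
# from the same /proc files the tuning script writes to, and report how full
# the table is and how many ESTABLISHED entries a shorter timeout would
# reclaim. File paths are parameters so the check also works on saved copies.
# Assumes the 2.4-kernel /proc/net/ip_conntrack line layout:
#   tcp  6  <seconds-left>  <state>  src=... dst=... ...

# Percentage of ip_conntrack_max currently in use ("count current" in the GUI).
conntrack_usage_pct() {
    used=$(wc -l < "$1")          # $1: /proc/net/ip_conntrack
    max=$(cat "$2")               # $2: /proc/sys/net/ipv4/ip_conntrack_max
    echo $(( used * 100 / max ))
}

# The second value in ip_conntrack_tcp_timeouts is the ESTABLISHED timeout,
# the "1800" that the GUI's Established setting replaces.
established_timeout() {
    awk '{ print $2 }' "$1"
}

# Count tcp ESTABLISHED entries idle longer than $3 seconds, given the
# configured timeout $2. Field 3 is seconds until expiry, so the idle time
# of an entry is (timeout - field 3).
stale_established() {
    awk -v t="$2" -v lim="$3" \
        '$1 == "tcp" && $4 == "ESTABLISHED" && (t - $3) > lim { n++ }
         END { print n + 0 }' "$1"
}

# Constructed sample data (not a real capture): a 4096-entry table holding
# 3000 active and 500 long-idle P2P-style connections plus two extras.
make_sample() {
    d=$(mktemp -d)
    echo 4096 > "$d/ip_conntrack_max"
    echo "600 14400 120 60 120 120 10 60 30 120" > "$d/ip_conntrack_tcp_timeouts"
    {
        i=0
        while [ "$i" -lt 3000 ]; do   # recently active: 50 s idle
            echo "tcp      6 14350 ESTABLISHED src=192.168.1.10 dst=203.0.113.$((i % 250 + 1)) sport=$((20000 + i)) dport=6881 src=203.0.113.$((i % 250 + 1)) dst=198.51.100.7 sport=6881 dport=$((20000 + i)) [ASSURED] use=1"
            i=$((i + 1))
        done
        i=0
        while [ "$i" -lt 500 ]; do    # abandoned: 12400 s idle
            echo "tcp      6 2000 ESTABLISHED src=192.168.1.11 dst=203.0.113.$((i % 250 + 1)) sport=$((30000 + i)) dport=6881 src=203.0.113.$((i % 250 + 1)) dst=198.51.100.7 sport=6881 dport=$((30000 + i)) [ASSURED] use=1"
            i=$((i + 1))
        done
        echo "tcp      6 90 TIME_WAIT src=192.168.1.10 dst=203.0.113.5 sport=51235 dport=443 src=203.0.113.5 dst=198.51.100.7 sport=443 dport=51235 use=1"
        echo "udp      17 25 src=192.168.1.12 dst=203.0.113.53 sport=40000 dport=53 src=203.0.113.53 dst=198.51.100.7 sport=53 dport=40000 use=1"
    } > "$d/ip_conntrack"
    echo "$d"
}

SAMPLE=$(make_sample)
EST=$(established_timeout "$SAMPLE/ip_conntrack_tcp_timeouts")
echo "table usage: $(conntrack_usage_pct "$SAMPLE/ip_conntrack" "$SAMPLE/ip_conntrack_max")%"
echo "established timeout: ${EST}s"
echo "established entries idle > 1h: $(stale_established "$SAMPLE/ip_conntrack" "$EST" 3600)"
```

On a router, point the three functions at the real /proc paths instead of the sample directory; a high usage figure together with many long-idle entries is the sign that lowering the Established timeout, rather than raising Maximum Connections, is the right fix.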
Port Forwarding allows you to tell the router what to do with unsolicited data coming from the Internet. Usually, packets coming in from the Internet will be in response to some request that one of your computers has made. In these cases, the router keeps track of who made the request, and forwards the response to that computer.
However, in the case of "Server" applications, that receive random connections from the Internet, you need to tell the router which computer is running the server. This is generally done by telling the router that any "unsolicited packets" (packets that are not a response to a request from a local computer) on a specific port or list of ports should be forwarded to a specific computer on the network.
There are a few ways to set this up.
Allows you to specify simple port forwards (all packets received on the specified External Ports will be routed to the specified Internal Address).
Optionally, you can change the local port by specifying Int Port. This is also known as Port Redirection. This technique is handy, for example, if you have two web servers. Both could be listening on the default port (80), but the router could be set to forward received packets on Internet Port 80 to Port 80 on the first web server, and packets on Internet Port 81 to Port 80 on the second web server.
DMZ, or Demilitarized Zone, allows you to specify one device on your network that will receive all unsolicited packets from the Internet. This can be handy for devices that need largely unrestricted access to the Internet, or for a Web/email server. However, this bypasses all firewall functions of the router for this device, so be sure the device is very well secured.
Port Triggering is an on-demand port forward. The router will look for an outbound connection on a specified port, and will forward all of the requested ports to whatever computer initiated the outbound connection.
Under the Trigger Ports, you would enter a list of the ports that your computer will use to initiate the forwarding. Then you specify the ports you want to forward to that computer under Forwarded Ports. Any computer that sends outbound packets on any of the ports listed in Trigger Ports will then have all unsolicited packets received from the Internet on the Forwarded Ports sent to it.
Universal Plug and Play (UPnP) allows devices on your network to set their own port forwards. A computer running a web server, for example, can tell the router to forward all communications on port 80 and/or 443 to it. This allows your local devices to add, delete, and update port forwards at will.
There are some security disadvantages to UPnP, such as a trojan horse or other "bad" software package being able to forward ports to a given machine so the malware can use your computer as an Internet server. However, there are also security ADVANTAGES to UPnP, since any well-behaved UPnP application will request cancellation of its forwarded ports when it shuts down or no longer needs them. This reduces the number of unneeded forwarded ports.
QoS, or Quality of Service, allows you to prioritize data, slowing down less important data to allow more important data to get through first.
This is primarily useful for outbound data (data going from your computers to the Internet). Inbound data cannot be prioritized effectively because it has already passed through the bottleneck (your Internet connection) by the time the router has a chance to evaluate it.
Max Bandwidth: One of the major limitations of QoS in most Linksys routers is their inability to determine the upstream speed of the Internet connection. This is true of many router models. The most effective way to tune QoS is to do an Internet speed test with QoS turned off. Then enter about 90% of the tested upstream (upload) bandwidth into the Max Bandwidth field. This will allow the router to properly determine how much bandwidth is available and prioritize packets accordingly. A more detailed explanation of this may be found at http://vonage.nmhoy.net/qos.html
Allows you to specify which connections will get what levels of priority. This will override the default priority set in the Basic Settings page. Classification may be done by MAC address, TCP/IP port, or using more advanced filters like IPP2P or Layer 7 (L7) filtering.
One of the most powerful features of Tomato, this allows you to view (in near-real-time) the current outbound connections and how the QoS engine is classifying them. This allows you to view how effective your QoS settings are, and whether they are capturing the connections you want them to. Simply click on any of the classes to view the list of specific connections for that class.
Lists each connection that has recently been made through the router, and what QoS class was assigned to that connection. Clicking any entry will attempt to do a reverse lookup on the destination TCP/IP address, or you can click on the "automatically resolve addresses" checkbox at the bottom of the list to resolve all addresses in the list (this can take a while).
Allows you to save your current configuration to a file, restore a previously-saved configuration, or restore the router to factory defaults.
When changing from one firmware to another, it is important to do a complete factory reset on your router. In Tomato, you go to this screen, select Erase all data in NVRAM (thorough), and click OK. When the router reboots, you will need to rekey all of your configuration settings manually.
Logging may be done internally or externally. Internal logs save information to the router's local memory. External logs send the log information to a computer running software like WallWatcher, where the logs can be captured and analyzed without taking up memory on the router.
Log Internally saves the connection logs to the internal memory of the router, where they may be extracted or viewed directly on the "Logs" page under "Status". These logs will consume router memory, but may be viewed directly on the router itself.
Log Externally sends the logs to a computer on your LAN. That computer must be running a log capture program, like WallWatcher. The computer can then show you the connection logs and analyze the data.
The remainder of the settings allow you to specify what types of connections you want logged, and to place a limit on the number of log entries per minute to send.
Allows you to load a new firmware to the router (either a newer version of Tomato or an entirely different firmware).
Note: When changing from any firmware to any other firmware (stock Linksys -> Tomato, for example), it is important to clear the NVRAM and restore the factory default settings. Instructions on doing that will vary from firmware to firmware, but there is generally a factory reset option (in Tomato, this is located under Administration/Configuration/Restore Default Configuration).
Restarts the router (without erasing any settings).
Logs you out of the firmware (clears your user session). This will dump you back to the initial login, where you are asked to present your credentials again (which causes occasional confusion, with people reporting that they "need to log in in order to log out"). Once you see the password prompt, you are logged out. Just hit cancel and you will end up at the "Unauthorized" page.
There is no help file :-)
In some cases, you may need to reboot the router manually before the changes go into effect. If the changes involve switching wireless settings, you may need to reboot both ends.
Not all wireless modes / security combinations work. For example, WET, Client and WDS will not work in WPA2.
CIFS VFS times out a lot (or it might be the server kicking the client off...).
Graphs/SVG may not work with all browsers. Firefox: Use 1.5 or higher. Internet Explorer: Use Adobe SVG. Opera: Use 9.0 or higher. Safari: Doesn't support SVG (2.0.x). Safari/WebKit nightly: Bandwidth Monitor works, but not QOS graph (r17960).
All QOS classification and access restriction checking are performed while packets are traveling out to the Internet. The source is always from your computer and destination is always towards the Internet.
Why L7/IPP2P doesn't work all the time: (1) These work by matching known patterns in packets. Some protocols produce reliable uniquely identifiable signatures, but some do not. (2) A change in the protocol's design can sometimes break these. (3) Some L7/IPP2P patterns may depend on which direction the data is going. For example, an HTTP request from a browser is different from an HTTP response from a server.
Custom L7 patterns can be stored in /etc/l7-extra/ (you need to create the directory). It's up to you to actually populate it before the firewall starts. This can be tricky if you're using external storage, so consider just using JFFS2 or even simple "echo" statements in the startup script. To learn more about L7 patterns, go to l7-filter.sf.net.
When testing changes to the QOS rules, restart the application on your computer to make sure its connection is re-classified under the new rule. You can also enable "reset classification when making changes" instead.
Although there is an option to limit the download speed, it's not really recommended in most cases since what the router is really doing is dropping packets, which means they may need to be re-sent again over a slow Internet link.
KB transferred match: (1) This is the to-WAN data transferred in kilobytes. Consider the amount an approximate value since it doesn't take into account protocol overhead. (2) Entering an upper limit of 1GB (1,048,576KB) or more is considered unlimited and will match anything above 1GB. (3) IPP2P may not work properly with this since IPP2P doesn't keep track of its state.
Sticky rules: IPP2P/L7 are sticky in that once they match, no other rules are processed. IP/MAC/port-only matches can also be sticky if there are no IPP2P/L7/KB matches above them. When coupled with a KB transferred match with an upper limit, they are not considered sticky. What this all means is you should watch out for rules like the following: "#1: L7 ABC & 1024KB+, #2: L7 ABC". The #1 rule may not match at all, since #2 will lock on if it sees L7 ABC within 0-1024KB. To get around this particular case: "#1: L7 ABC & 0-1024KB, #2: L7 ABC & 1024KB+."
Precedence: The rules are checked in the same order as they appear in the GUI, from top to bottom. The first rule that matches sets the class. If you disable "strict ordering", rules with IPP2P, L7 and KB matches are grouped in one set and are checked first, the rest in another.
If you're concerned about performance: IPP2P and especially L7 are slower than simple IP, MAC or port matches.
Some NVRAM settings may not be compatible with other firmwares. A config reset is recommended after flashing to or from this firmware.
You can enter a custom DDNS URL like the following: http://www.mycustomdns.com/update.cgi?username=scooby&password=spooky&ip=@IP. The "@IP" keyword is automatically replaced with the current IP address. Check with your DDNS provider for the exact format to use.
The Busybox crond included in Tomato is a little different from the Vixie crond found in HyperWRT, DD-WRT, etc. To make it easier and safer to schedule a job, use the helper script called "cru" instead of manually changing the config file.
Want to try changing things without permanently writing them to nvram? Go to Admin: Miscellaneous and enable "avoid performing an nvram commit." When you're done playing around, reboot to discard the changes, or use the "nvram commit" button to save the changes.
Some GUI settings, like refresh time, are saved as cookies.
Linksys' password protected TFTP upgrade will not work with Tomato. If you need to use TFTP to upgrade the firmware, use the bootloader's TFTP upgrade feature.
If you're saving the bandwidth history, don't forget to backup the data to another location!