Tomato
Releases
While the original Tomato project is dormant, several community-maintained mods have emerged. Here's an overview of some of the better-known mods:
Release | Last Release | Remarks |
---|---|---|
Tomato | 2010-06-28 (v1.28) | |
Tomato USB | 2010-11-30 (Build 54) | based on Tomato |
AdvancedTomato | 2015-04-22 | based on Tomato by Shibby |
Tomato by Shibby | 2015-08-06 (v131) | based on TomatoUSB |
Installation
As I needed a supported release for an old WRT54GL router, I went with Tomato by Shibby. There are basically two versions to choose[1] from for this router:
The WRT54GL is a MIPS1 device[1]:
$ cat /proc/cpuinfo
system type : Broadcom BCM5352 chip rev 0 pkg 2
processor : 0
cpu model : Broadcom BCM3302 V0.8
BogoMIPS : 199.47
cpu MHz : 200
wait instruction : no
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : no
hardware watchpoint : no
ASEs implemented :
shadow register sets : 1
VCED exceptions : not available
VCEI exceptions : not available
unaligned_instructions : 8
...but since the K26 was said to be "supported", we went with it.
Download the latest MIPSR1 release that will fit[2] into the 4 MB NAND chip:
$ w3m http://tomato.groov.pl/download/K26/build5x-131-EN/ | grep MIPSR1 | sort -nk4
file tomato-K26-1.28.RT-MIPSR1-131-MiniIPv6.zip 2015-08-06 3610
file tomato-K26-1.28.RT-MIPSR1-131-Mini.zip 2015-08-06 3786
file tomato-K26-1.28.RT-MIPSR1-131-MiniVPN.zip 2015-08-06 4157
file tomato-K26-1.28.RT-MIPSR1-131-IPv6-VPN.zip 2015-08-06 4675
file tomato-K26-1.28.RT-MIPSR1-131-Max.zip 2015-08-06 6371
file tomato-K26USB-1.28.RT-MIPSR1-131-VPN.zip 2015-08-06 7634
file tomato-K26USB-1.28.RT-MIPSR1-131-BTgui-VPN.zip 2015-08-06 7640
file tomato-K26USB-1.28.RT-MIPSR1-131-Nocat-VPN.zip 2015-08-06 7723
file tomato-K26USB-1.28.RT-MIPSR1-131-Big-VPN.zip 2015-08-06 7856
file tomato-K26USB-1.28.RT-MIPSR1-131-Tor-VPN.zip 2015-08-06 7949
file tomato-K26USB-1.28.RT-MIPSR1-131-BT-VPN.zip 2015-08-06 8007
file tomato-K26USB-1.28.RT-MIPSR1-131-Mega-VPN.zip 2015-08-06 10139
file tomato-K26USB-1.28.RT-MIPSR1-131-AIO.zip 2015-08-06 20590
Verify the checksum:
$ wget http://tomato.groov.pl/download/K26/build5x-131-EN/MD5SUM
$ md5sum -c MD5SUM 2>&1 | grep OK
image/tomato-K26-1.28.RT-MIPSR1-131-MiniIPv6.trx: OK
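As an added example (not from the original page): `md5sum -c ... | grep OK` prints nothing on a mismatch and stays just as quiet when the image you mean to flash is missing from the list, so this sketch checks one named file and fails closed. `verify_image`, `check`, `demo` and the sample files are constructed for illustration; because MD5SUM is fetched over plain HTTP from the same host as the image, a match indicates an intact download rather than an authentic one.

```shell
#!/bin/sh
# verify_image MANIFEST IMAGE  (hypothetical helper, not part of Tomato)
# Exit status: 0 = IMAGE is listed in MANIFEST and its MD5 matches,
#              1 = hash mismatch, 2 = IMAGE not listed, 3 = file unreadable.
# Assumes paths without whitespace, as in the firmware names above.
verify_image() {
    manifest=$1
    image=$2
    [ -r "$manifest" ] && [ -r "$image" ] || return 3
    # Manifest lines are "<md5>  <path>" (binary mode: "<md5> *<path>").
    expected=$(awk -v f="$image" '{
        name = $2; sub(/^\*/, "", name)
        if (name == f) { print tolower($1); exit }
    }' "$manifest")
    [ -n "$expected" ] || return 2
    actual=$(md5sum "$image" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# Constructed demo: a stand-in image and manifest in a temp dir.
check() { rc=0; verify_image MD5SUM "$1" || rc=$?; echo "$2: exit $rc"; }
demo() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" || exit 1
      mkdir image
      printf 'constructed firmware bytes\n' > image/demo.trx
      md5sum image/demo.trx > MD5SUM
      check image/demo.trx  "intact image"
      printf 'x' >> image/demo.trx            # simulate a damaged download
      check image/demo.trx  "damaged image"
      cp image/demo.trx image/other.trx       # file the manifest never lists
      check image/other.trx "unlisted image"
    )
    rm -rf "$dir"
}
demo
```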
Tomato can be installed through the DD-WRT or OpenWRT GUI, as the firmware should be recognized by both systems.[3][4] With OpenWRT, this can also be done from the command line:
sysupgrade -v -n tomato.trx
DNS
The standard dnsmasq configuration had a weird behaviour: for unknown names, NXDOMAIN was returned, but sometimes it would append the local domain name (which happens to be registered on the internet by someone else) and the following happened:
$ curl -L does-not-exist.example.net
This domain is for sale - click here to buy!
My local domain is called localdomain.net (not really, but you get the idea) and curl would end up trying to resolve does-not-exist.example.net.localdomain.net - which resolved to a standard "This domain is for sale" placeholder webserver.
To fix this, I added a few dnsmasq directives in Tomato:
- Go to Advanced → DHCP/DNS
- Add the following lines to the Dnsmasq Custom configuration
bogus-priv
domain-needed
localise-queries
server=/localdomain.net/
With that, dnsmasq should not forward local queries to the internet.
IPv6
Comcast
Comcast delivers native IPv6[5] to its customers and even has a manual[6] on how to configure Tomato for IPv6:
- Go to Basic → IPv6 in the Tomato GUI
- Select DHCPv6 with Prefix Delegation
- Set the Prefix Length to 64
- Select Accept RA from WAN (but not LAN!)
- Save the configuration
Note: IPv6 bug has been fixed!
Comcast goes on to explain that there's a bug[7] in the IPv6 implementation in Tomato and proposes the following script to fix it:
- Go to Administration → Scripts and select the WAN Up tab
- Add the following snippet:
echo 0 > /proc/sys/net/ipv6/conf/`nvram get wan_iface`/accept_ra
ip -6 route flush default dev `nvram get wan_iface`
echo 2 > /proc/sys/net/ipv6/conf/`nvram get wan_iface`/accept_ra
- Save the configuration and reboot the router.
Alas, IPv6 is still not working:
Oct 10 03:24:43 dnsmasq[2990]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset Tomato-helper auth no-DNSSEC loop-detect no-inotify
Oct 10 03:24:43 dnsmasq-dhcp[2990]: DHCPv6, IP range ::1 -- ::255.255.255.255, lease time 12h, template for br*
Oct 10 03:24:43 dnsmasq-dhcp[2990]: DHCPv4-derived IPv6 names on br*
Oct 10 03:24:43 dnsmasq-dhcp[2990]: IPv6 router advertisement enabled
Oct 10 03:24:43 dnsmasq-dhcp[2990]: no address range available for DHCPv6 request via br0
Oct 10 03:24:45 dnsmasq-dhcp[2990]: no address range available for DHCPv6 request via br0
Oct 10 03:24:49 dnsmasq-dhcp[2990]: no address range available for DHCPv6 request via br0
Oct 10 03:24:57 dnsmasq-dhcp[2990]: no address range available for DHCPv6 request via br0
Oct 10 03:25:13 dnsmasq-dhcp[2990]: no address range available for DHCPv6 request via br0
Oct 10 03:25:45 dnsmasq-dhcp[2990]: no address range available for DHCPv6 request via br0
- dnsmasq DHCPv6 not working (WNR3500Lv1/Shibby 121) (2014-07-13)
- IPv6 (native) on Toastman TomatoUSB (latest) (2013-11-07)
- Configuring FreeBSD 9.1 as a Native IPv6 DHCP Client (2013-09-02)
Neighbour table overflow
Ever since IPv6 was enabled, the following messages were logged:
Oct 12 15:10:28 kernel: printk: 686 messages suppressed.
Oct 12 15:10:28 kernel: Neighbour table overflow.
Oct 12 15:10:28 kernel: Neighbour table overflow.
Oct 12 15:10:28 kernel: Neighbour table overflow.
Oct 12 15:10:28 kernel: Neighbour table overflow.
Oct 12 15:10:28 kernel: Neighbour table overflow.
Oct 12 15:10:28 kernel: Neighbour table overflow.
Oct 12 15:10:28 kernel: Neighbour table overflow.
Oct 12 15:10:28 kernel: Neighbour table overflow.
Oct 12 15:10:28 kernel: Neighbour table overflow.
Oct 12 15:10:35 kernel: printk: 1570 messages suppressed.
Oct 12 15:10:35 kernel: Neighbour table overflow.
Then the messages stop but appear again. Messages per day, so far:
42 Oct 10
535 Oct 11
403 Oct 12
These messages[8] may be related to a kernel bug[9] but since Tomato is still running a rather ancient Linux 2.6.22.19 kernel, it may or may not be related to this bug.
For now, we'll monitor the nud table before we tweak the thresholds:[10]
NUD_STATE
    the state of the neighbour entry. nud is an abbreviation for 'Neighbour Unreachability Detection'. The state can take one of the following values:
    permanent
        the neighbour entry is valid forever and can be only be removed administratively.
    noarp
        the neighbour entry is valid. No attempts to validate this entry will be made but it can be removed when its lifetime expires.
    reachable
        the neighbour entry is valid until the reachability timeout expires.
    stale
        the neighbour entry is valid but suspicious. This option to ip neigh does not change the neighbour state if it was valid and the address is not changed by this command.
Print the NUD_STATE so that we can parse them more easily later on:
$ while true; do
  echo "`date` IPv4: all: `ip -4 neigh show nud all | wc -l` noarp: `ip -4 neigh show nud noarp | wc -l` \
reachable: `ip -4 neigh show nud reachable | wc -l` stale: `ip -4 neigh show nud stale | wc -l`"
  echo "`date` IPv6: all: `ip -6 neigh show nud all | wc -l` noarp: `ip -6 neigh show nud noarp | wc -l` \
reachable: `ip -6 neigh show nud reachable | wc -l` stale: `ip -6 neigh show nud stale | wc -l`"
done
Mon Oct 12 15:46:08 PDT 2015 IPv4: all: 6 noarp: 1 reachable: 5 stale: 0
Mon Oct 12 15:46:08 PDT 2015 IPv6: all: 51 noarp: 49 reachable: 1 stale: 0
Mon Oct 12 15:46:10 PDT 2015 IPv4: all: 6 noarp: 1 reachable: 5 stale: 0
Mon Oct 12 15:46:10 PDT 2015 IPv6: all: 52 noarp: 50 reachable: 1 stale: 0
[...]
Tweaking the thresholds:[11][10]
$ grep . /proc/sys/net/ipv[46]/neigh/default/gc_thresh*
/proc/sys/net/ipv4/neigh/default/gc_thresh1:128
/proc/sys/net/ipv4/neigh/default/gc_thresh2:512
/proc/sys/net/ipv4/neigh/default/gc_thresh3:1024
/proc/sys/net/ipv6/neigh/default/gc_thresh1:128
/proc/sys/net/ipv6/neigh/default/gc_thresh2:512
/proc/sys/net/ipv6/neigh/default/gc_thresh3:1024
This just happened again:
Mon Oct 12 16:24:20 PDT 2015 IPv4: all: 6 noarp: 1 reachable: 5 stale: 0
Mon Oct 12 16:24:20 PDT 2015 IPv6: all: 34 noarp: 31 reachable: 2 stale: 1
Mon Oct 12 16:24:21 PDT 2015 IPv4: all: 6 noarp: 1 reachable: 5 stale: 0
Mon Oct 12 16:24:21 PDT 2015 IPv6: all: 35 noarp: 32 reachable: 2 stale: 1
Mon Oct 12 16:24:23 PDT 2015 IPv4: all: 6 noarp: 1 reachable: 5 stale: 0
Mon Oct 12 16:24:23 PDT 2015 IPv6: all: 37 noarp: 34 reachable: 2 stale: 1
Mon Oct 12 16:24:24 PDT 2015 IPv4: all: 6 noarp: 1 reachable: 5 stale: 0
Mon Oct 12 16:24:24 PDT 2015 IPv6: all: 38 noarp: 35 reachable: 2 stale: 1
Mon Oct 12 16:24:26 PDT 2015 IPv4: all: 6 noarp: 1 reachable: 5 stale: 0
Mon Oct 12 16:24:26 PDT 2015 IPv6: all: 757 noarp: 1023 reachable: 2 stale: 0
Mon Oct 12 16:24:29 PDT 2015 IPv4: all: 6 noarp: 1 reachable: 5 stale: 0
Mon Oct 12 16:24:29 PDT 2015 IPv6: all: 1024 noarp: 1022 reachable: 2 stale: 0
Mon Oct 12 16:24:31 PDT 2015 IPv4: all: 6 noarp: 1 reachable: 5 stale: 0
Mon Oct 12 16:24:31 PDT 2015 IPv6: all: 1024 noarp: 836 reachable: 1 stale: 0
Mon Oct 12 16:24:33 PDT 2015 IPv4: all: 6 noarp: 1 reachable: 5 stale: 0
Mon Oct 12 16:24:34 PDT 2015 IPv6: all: 32 noarp: 30 reachable: 1 stale: 0

Oct 12 16:24:27 kernel: printk: 5 messages suppressed.
Oct 12 16:24:27 kernel: Neighbour table overflow.
Oct 12 16:24:27 kernel: Neighbour table overflow.
Oct 12 16:24:27 kernel: Neighbour table overflow.
Oct 12 16:24:27 kernel: Neighbour table overflow.
Oct 12 16:24:28 kernel: Neighbour table overflow.
Oct 12 16:24:28 kernel: Neighbour table overflow.
Oct 12 16:24:28 kernel: Neighbour table overflow.
Oct 12 16:24:28 kernel: Neighbour table overflow.
Oct 12 16:24:28 kernel: Neighbour table overflow.
Let's raise the thresholds for IPv6:
$ echo 256 > /proc/sys/net/ipv6/neigh/default/gc_thresh1
$ echo 1024 > /proc/sys/net/ipv6/neigh/default/gc_thresh2
$ echo 2048 > /proc/sys/net/ipv6/neigh/default/gc_thresh3
$ grep . /proc/sys/net/ipv6/neigh/default/gc_thresh*
/proc/sys/net/ipv6/neigh/default/gc_thresh1:256
/proc/sys/net/ipv6/neigh/default/gc_thresh2:1024
/proc/sys/net/ipv6/neigh/default/gc_thresh3:2048
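The per-state counts printed by the monitoring loop can be checked against gc_thresh3 automatically; the following is an added example, not part of the original page, and `nud_alerts` and `sample_monitor_output` are hypothetical names. Each count in a sample comes from a separate `ip` call, so the table can grow between them (the 16:24:26 sample shows all: 757 but noarp: 1023), and the check therefore uses the largest count on the line. The sample lines are copied from the output above.

```shell
#!/bin/sh
# nud_alerts THRESH3 [PCT] < monitor-output
# Prints "time family peak=N" for every sample whose largest count is at or
# above PCT percent (default 90) of THRESH3, the gc_thresh3 hard cap on
# neighbour table entries. One threshold is applied to both families.
nud_alerts() {
    awk -v max="$1" -v pct="${2:-90}" '
        # Loop output: 6 date fields, then "IPv4:"/"IPv6:", then
        # "all: N noarp: N reachable: N stale: N" (counts in $9, $11, ...).
        $7 ~ /^IPv[46]:$/ && $8 == "all:" {
            fam = $7; sub(/:$/, "", fam)
            peak = $9 + 0
            for (i = 11; i <= NF; i += 2)
                if ($i + 0 > peak) peak = $i + 0
            if (peak * 100 >= max * pct) print $4, fam, "peak=" peak
        }'
}

# Sample input: lines copied from the monitoring output shown above.
sample_monitor_output() {
    cat <<'EOF'
Mon Oct 12 16:24:24 PDT 2015 IPv6: all: 38 noarp: 35 reachable: 2 stale: 1
Mon Oct 12 16:24:26 PDT 2015 IPv4: all: 6 noarp: 1 reachable: 5 stale: 0
Mon Oct 12 16:24:26 PDT 2015 IPv6: all: 757 noarp: 1023 reachable: 2 stale: 0
Mon Oct 12 16:24:29 PDT 2015 IPv6: all: 1024 noarp: 1022 reachable: 2 stale: 0
Mon Oct 12 16:24:31 PDT 2015 IPv6: all: 1024 noarp: 836 reachable: 1 stale: 0
Mon Oct 12 16:24:34 PDT 2015 IPv6: all: 32 noarp: 30 reachable: 1 stale: 0
EOF
}

# With the default limit of 1024, three IPv6 samples are flagged.
sample_monitor_output | nud_alerts 1024
```

On the router, the live limit can be passed with `nud_alerts "$(cat /proc/sys/net/ipv6/neigh/default/gc_thresh3)"`.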
Links
References
1. TomatoUSB: Build Types (2013-10-12)
2. Notes on specific WRT54G hardware versions: WRT54GL
3. Migrating from DD-WRT Firmware via Windows
4. Flashing Tomato over OpenWRT on WRT54GL
5. COMCAST ACTIVATES FIRST USERS WITH IPV6 NATIVE DUAL STACK OVER DOCSIS (2011-01-31)
6. Tomato USB with Comcast Native IPv6 (2013-04-30)
7. TomatoUSB and Comcast IPv6 -- bugs found (2012-06-14)
8. Comcast: kernel: Neighbour table overflow.
9. Neighbour table overflow on Linux hosts related to bridging and ipv6
10. Linux: Neighbour Table Overflow Error and Solution
11. Documentation/networking/ip-sysctl.txt