Tomato

From Segfault

Releases

While the original Tomato project is dormant, several community-maintained mods have emerged. Here's an overview of some of the better-known mods:

Release             Last release             Remarks
Tomato              2010-06-28 (v1.28)
Tomato USB          2010-11-30 (Build 54)    based on Tomato
AdvancedTomato      2015-04-22               based on Tomato by Shibby
Tomato by Shibby    2015-08-06 (v131)        based on TomatoUSB

Installation

As I needed a supported release for an old WRT54GL router, I went with Tomato by Shibby. There are basically two versions to choose from[1] for this router:

  • K24 - Kernel 2.4, Support for MIPSR1 routers
  • K26 - Kernel 2.6, Support for MIPSR1 & MIPSR2 routers.

The WRT54GL is a MIPSR1 device[1], as /proc/cpuinfo on the router shows:

$ cat /proc/cpuinfo 
system type             : Broadcom BCM5352 chip rev 0 pkg 2
processor               : 0
cpu model               : Broadcom BCM3302 V0.8
BogoMIPS                : 199.47
cpu MHz                 : 200
wait instruction        : no
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : no
ASEs implemented        :
shadow register sets    : 1
VCED exceptions         : not available
VCEI exceptions         : not available

unaligned_instructions  : 8

...but since the K26 was said to be "supported", we went with it.

Download the latest MIPSR1 release that will fit into the 4 MB[2] flash chip. The sizes in the last column are in KB; the K26USB builds are for routers with a USB port and are all too large anyway, and the usable firmware partition is somewhat smaller than the raw chip because the bootloader and NVRAM share it:

$ w3m http://tomato.groov.pl/download/K26/build5x-131-EN/ | grep MIPSR1 | sort -nk4
file          tomato-K26-1.28.RT-MIPSR1-131-MiniIPv6.zip                2015-08-06 3610
file          tomato-K26-1.28.RT-MIPSR1-131-Mini.zip                    2015-08-06 3786
file          tomato-K26-1.28.RT-MIPSR1-131-MiniVPN.zip                 2015-08-06 4157
file          tomato-K26-1.28.RT-MIPSR1-131-IPv6-VPN.zip                2015-08-06 4675
file          tomato-K26-1.28.RT-MIPSR1-131-Max.zip                     2015-08-06 6371
file          tomato-K26USB-1.28.RT-MIPSR1-131-VPN.zip                  2015-08-06 7634
file          tomato-K26USB-1.28.RT-MIPSR1-131-BTgui-VPN.zip            2015-08-06 7640
file          tomato-K26USB-1.28.RT-MIPSR1-131-Nocat-VPN.zip            2015-08-06 7723
file          tomato-K26USB-1.28.RT-MIPSR1-131-Big-VPN.zip              2015-08-06 7856
file          tomato-K26USB-1.28.RT-MIPSR1-131-Tor-VPN.zip              2015-08-06 7949
file          tomato-K26USB-1.28.RT-MIPSR1-131-BT-VPN.zip               2015-08-06 8007
file          tomato-K26USB-1.28.RT-MIPSR1-131-Mega-VPN.zip             2015-08-06 10139
file          tomato-K26USB-1.28.RT-MIPSR1-131-AIO.zip                  2015-08-06 20590

Verify the checksum. The MD5SUM file names the .trx inside the image/ directory of the unpacked zip, so unzip first. Keep in mind what this check proves: the image and MD5SUM come over the same plain HTTP connection, so a match rules out a corrupted download but not a substituted one, since anyone able to replace the image can replace the checksum file as well:

$ wget http://tomato.groov.pl/download/K26/build5x-131-EN/MD5SUM
$ md5sum -c MD5SUM 2>&1 | grep OK
image/tomato-K26-1.28.RT-MIPSR1-131-MiniIPv6.trx: OK

Tomato can be installed through the DD-WRT or OpenWRT GUI, as the firmware should be recognized by both systems.[3][4] With OpenWRT, this can also be done from the command line (-v is verbose; -n discards the current configuration instead of carrying it over, which is what you want when switching firmware families, since the NVRAM settings are not compatible):

sysupgrade -v -n tomato.trx
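As an added example (not code from the wiki page or from the Tomato project), the selection and verification steps above as a small shell script that fails closed: it lists the builds that fit a given flash limit, optionally filtered by a feature keyword, and verifies a downloaded file against the MD5SUM file, returning an error when the file is not listed or its digest differs, instead of relying on grep OK to notice. The listing is constructed from the directory listing above with sizes in KB; the 4096 KB limit, the IPv6 keyword and the file names are assumptions to replace with the partition size and build of your own router.

```shell
#!/bin/sh
# Added example, not code from the wiki page: choose a build that fits the
# flash partition and verify the download against MD5SUM, failing closed.
# The listing is constructed from the page's directory listing (size in KB);
# the limit, keyword and file names used below are assumptions.

LISTING='file tomato-K26-1.28.RT-MIPSR1-131-MiniIPv6.zip 2015-08-06 3610
file tomato-K26-1.28.RT-MIPSR1-131-Mini.zip 2015-08-06 3786
file tomato-K26-1.28.RT-MIPSR1-131-MiniVPN.zip 2015-08-06 4157
file tomato-K26-1.28.RT-MIPSR1-131-Max.zip 2015-08-06 6371
file tomato-K26USB-1.28.RT-MIPSR1-131-AIO.zip 2015-08-06 20590'

# Usage: builds_that_fit LIMIT_KB [PATTERN] < listing
# Prints "name size_kb" for every non-USB build at or under LIMIT_KB whose
# name matches PATTERN (an awk regex, default: anything), smallest first.
# The WRT54GL has no USB port, so the K26USB builds are skipped outright.
builds_that_fit() {
    awk -v lim="$1" -v pat="${2:-.}" \
        '$1 == "file" && $2 !~ /K26USB/ && $2 ~ pat && $4 + 0 <= lim { print $2, $4 }' |
        sort -n -k2
}

# Usage: verify_md5 SUMFILE FILE
# Looks FILE up in SUMFILE (md5sum format, with or without the "*" binary
# marker) and compares the listed digest with the file's real one. Returns 1
# when FILE is not listed or the digests differ, so an `&&` chain stops
# before anything is flashed.
verify_md5() {
    sumfile="$1"; file="$2"
    expected=$(awk -v f="$file" '$2 == f || $2 == ("*" f) { print $1; exit }' "$sumfile")
    if [ -z "$expected" ]; then
        echo "verify_md5: $file is not listed in $sumfile" >&2
        return 1
    fi
    actual=$(md5sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "verify_md5: $file: expected $expected, got $actual" >&2
        return 1
    fi
    echo "verify_md5: $file: OK"
}

# Usage: pick_build LIMIT_KB [PATTERN] < listing
# The largest build that fits and matches: the one to download.
pick_build() {
    builds_that_fit "$@" | tail -n 1 | awk '{ print $1 }'
}

# Demo on the constructed listing: the biggest IPv6-capable build under 4096 KB.
printf '%s\n' "$LISTING" | pick_build 4096 IPv6
```

Chain it as verify_md5 MD5SUM image/<build>.trx && sysupgrade -v -n image/<build>.trx so that a failed check stops before the flash is written.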

DNS

The default dnsmasq configuration had an unpleasant side effect. A query for a non-existent name got NXDOMAIN as expected, but the client's stub resolver then retried the name with the local search domain appended (a domain that happens to be registered on the internet by someone else), dnsmasq forwarded that retry upstream, and the following happened:

$ curl -L does-not-exist.example.net
This domain is for sale - click here to buy!

My local domain is called localdomain.net (not really, but you get the idea), so curl ended up resolving does-not-exist.example.net.localdomain.net, which resolved to a standard "This domain is for sale" placeholder web server. Every internal name that fails to resolve is thus leaked, suffix and all, to whoever owns that domain, and a client that follows the answer connects to their server.

To fix this, I added a few dnsmasq directives in Tomato:

  1. Go to Advanced → DHCP/DNS
  2. Add the following lines to the Dnsmasq Custom configuration
bogus-priv
domain-needed
localise-queries
server=/localdomain.net/

What each one does: server=/localdomain.net/ with no upstream address (local=/localdomain.net/ is the synonym) makes dnsmasq answer everything under localdomain.net from its own data, i.e. /etc/hosts and DHCP leases, and never forward it, so the suffixed retry now gets NXDOMAIN from the router instead of a wildcard answer from the internet. domain-needed stops plain host names without a dot from being forwarded, and bogus-priv does the same for reverse lookups of RFC 1918 addresses. localise-queries only affects which /etc/hosts address is returned when a name has one per interface; it has nothing to do with the leak but is harmless. With that, dnsmasq no longer forwards queries for the local domain to the internet. The lasting fix is to use a local domain you actually control, since any name under a domain someone else owns can be made to resolve to whatever they like.
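The suffix is added by the client's resolver, not by dnsmasq, which is why the leak looked intermittent: it only shows up on the retry after an NXDOMAIN. As an added example, not part of the original page, the following shell function reproduces the glibc stub resolver's search-list rules and a second one filters out the candidates that fall under the local domain, i.e. the queries dnsmasq forwarded upstream before the fix. The search domain localdomain.net, ndots=1 and the sample names are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page: the stub resolver's search-list
# expansion (glibc rules) that produced the suffixed query above, plus a
# filter for the candidates under the local domain that reach the internet
# unless dnsmasq is told never to forward that domain. The search domain
# "localdomain.net" and ndots=1 used below are assumptions matching a
# typical resolv.conf handed out by the router.

# Usage: resolver_candidates NAME "SEARCH1 SEARCH2 ..." [NDOTS]
# Prints the names the resolver will try, one per line, in order:
#  - a name ending in "." is absolute and tried verbatim only;
#  - a name with at least NDOTS dots is tried verbatim first, then with
#    each search suffix appended (this is how does-not-exist.example.net
#    became does-not-exist.example.net.localdomain.net after its NXDOMAIN);
#  - a shorter name gets the suffixes first and the verbatim name last.
resolver_candidates() {
    name="$1"; search="$2"; ndots="${3:-1}"
    case "$name" in
        *.) printf '%s\n' "${name%.}"; return 0 ;;
    esac
    dots=$(( $(printf '%s' "$name" | tr -cd '.' | wc -c) + 0 ))
    if [ "$dots" -ge "$ndots" ]; then
        printf '%s\n' "$name"
        for s in $search; do printf '%s.%s\n' "$name" "$s"; done
    else
        for s in $search; do printf '%s.%s\n' "$name" "$s"; done
        printf '%s\n' "$name"
    fi
}

# Usage: local_domain_queries LOCALDOMAIN < candidates
# Keeps only the candidates under LOCALDOMAIN: the queries dnsmasq forwards
# upstream by default and answers itself once server=/LOCALDOMAIN/ is set.
local_domain_queries() {
    awk -v d=".$1" 'length($0) > length(d) && substr($0, length($0) - length(d) + 1) == d'
}

# Demo: what a client asks for when curl is given a name that does not exist.
resolver_candidates does-not-exist.example.net "localdomain.net" 1 | local_domain_queries localdomain.net
```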

IPv6

Comcast

Comcast delivers native IPv6[5] to its customers and even has a manual[6] on how to configure Tomato for IPv6:

  1. Go to Basic → IPv6 in the Tomato GUI
  2. Select DHCPv6 with Prefix Delegation
  3. Set the Prefix Length to 64
  4. Select Accept RA from WAN (but not LAN!)
  5. Save the configuration

Note: IPv6 bug has been fixed!

Comcast goes on to explain that there's a bug[7] in the IPv6 implementation in Tomato and proposes the following script to work around it:

  1. Go to Administration → Scripts and select the WAN Up tab
  2. Add the following snippet:

# Work around the Tomato IPv6 bug described by Comcast: stop accepting router
# advertisements on the WAN interface, drop the default route learned so far,
# then accept RAs again (2 = accept them even though forwarding is enabled).
WAN=$(nvram get wan_iface)
echo 0 > /proc/sys/net/ipv6/conf/$WAN/accept_ra
ip -6 route flush default dev $WAN
echo 2 > /proc/sys/net/ipv6/conf/$WAN/accept_ra

  3. Save the configuration and reboot the router.

Alas, IPv6 is still not working. The dnsmasq log says why: the DHCPv6 range ::1 -- ::255.255.255.255 is only a template for br* whose prefix gets filled in from the global address of br0 once the delegated prefix arrives there, and "no address range available for DHCPv6 request via br0" means it never did, so the prefix delegation from the WAN side is not reaching the LAN bridge:

Oct 10 03:24:43 dnsmasq[2990]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset Tomato-helper auth no-DNSSEC loop-detect no-inotify
Oct 10 03:24:43 dnsmasq-dhcp[2990]: DHCPv6, IP range ::1 -- ::255.255.255.255, lease time 12h, template for br*
Oct 10 03:24:43 dnsmasq-dhcp[2990]: DHCPv4-derived IPv6 names on br*
Oct 10 03:24:43 dnsmasq-dhcp[2990]: IPv6 router advertisement enabled
Oct 10 03:24:43 dnsmasq-dhcp[2990]: no address range available for DHCPv6 request via br0
Oct 10 03:24:45 dnsmasq-dhcp[2990]: no address range available for DHCPv6 request via br0
Oct 10 03:24:49 dnsmasq-dhcp[2990]: no address range available for DHCPv6 request via br0
Oct 10 03:24:57 dnsmasq-dhcp[2990]: no address range available for DHCPv6 request via br0
Oct 10 03:25:13 dnsmasq-dhcp[2990]: no address range available for DHCPv6 request via br0
Oct 10 03:25:45 dnsmasq-dhcp[2990]: no address range available for DHCPv6 request via br0

Neighbour table overflow

Ever since IPv6 was enabled, the following messages were logged:

Oct 12 15:10:28 kernel: printk: 686 messages suppressed.
Oct 12 15:10:28 kernel: Neighbour table overflow.
Oct 12 15:10:28 kernel: Neighbour table overflow.
Oct 12 15:10:28 kernel: Neighbour table overflow.
Oct 12 15:10:28 kernel: Neighbour table overflow.
Oct 12 15:10:28 kernel: Neighbour table overflow.
Oct 12 15:10:28 kernel: Neighbour table overflow.
Oct 12 15:10:28 kernel: Neighbour table overflow.
Oct 12 15:10:28 kernel: Neighbour table overflow.
Oct 12 15:10:28 kernel: Neighbour table overflow.
Oct 12 15:10:35 kernel: printk: 1570 messages suppressed.
Oct 12 15:10:35 kernel: Neighbour table overflow.

The messages stop for a while and then return. Messages per day so far:

    42 Oct 10
   535 Oct 11
   403 Oct 12

These messages[8] may be related to a kernel bug[9], but since Tomato still runs a rather ancient Linux 2.6.22.19 kernel, it is unclear whether that bug applies here.

For now, we'll monitor the neighbour table states before tweaking the thresholds[10]. From the ip-neighbour man page:

NUD_STATE  the state of the neighbour entry.  nud is an
           abbreviation for 'Neighbour Unreachability Detection'.
           The state can take one of the following values:

permanent  the neighbour entry is valid forever and can be only be
           removed administratively.

    noarp  the neighbour entry is valid. No attempts to validate
           this entry will be made but it can be removed when its
           lifetime expires.

 reachable the neighbour entry is valid until the reachability
           timeout expires.

    stale  the neighbour entry is valid but suspicious.  This
           option to ip neigh does not change the neighbour state
           if it was valid and the address is not changed by this
           command.

Log the per-state counts so that they can be parsed easily later on:

$ while true; do
    echo "`date`    IPv4: all: `ip -4 neigh show nud all | wc -l` noarp: `ip -4 neigh show nud noarp | wc -l` \
                    reachable: `ip -4 neigh show nud reachable | wc -l` stale: `ip -4 neigh show nud stale | wc -l`"
    echo "`date`    IPv6: all: `ip -6 neigh show nud all | wc -l` noarp: `ip -6 neigh show nud noarp | wc -l` \
                    reachable: `ip -6 neigh show nud reachable | wc -l` stale: `ip -6 neigh show nud stale | wc -l`"
    sleep 1    # don't busy-loop on a 200 MHz router; each line already costs four ip calls
done
Mon Oct 12 15:46:08 PDT 2015    IPv4: all: 6 noarp: 1 reachable: 5 stale: 0
Mon Oct 12 15:46:08 PDT 2015    IPv6: all: 51 noarp: 49 reachable: 1 stale: 0
Mon Oct 12 15:46:10 PDT 2015    IPv4: all: 6 noarp: 1 reachable: 5 stale: 0
Mon Oct 12 15:46:10 PDT 2015    IPv6: all: 52 noarp: 50 reachable: 1 stale: 0
[...]

The current thresholds:[11][10]

$ grep . /proc/sys/net/ipv[46]/neigh/default/gc_thresh*
/proc/sys/net/ipv4/neigh/default/gc_thresh1:128
/proc/sys/net/ipv4/neigh/default/gc_thresh2:512
/proc/sys/net/ipv4/neigh/default/gc_thresh3:1024
/proc/sys/net/ipv6/neigh/default/gc_thresh1:128
/proc/sys/net/ipv6/neigh/default/gc_thresh2:512
/proc/sys/net/ipv6/neigh/default/gc_thresh3:1024

This just happened again (each count comes from a separate ip invocation, so the numbers within one line need not add up, and nud all also includes the incomplete, delay, probe and failed states that the loop does not print separately):

Mon Oct 12 16:24:20 PDT 2015    IPv4: all: 6 noarp: 1 reachable: 5 stale: 0
Mon Oct 12 16:24:20 PDT 2015    IPv6: all: 34 noarp: 31 reachable: 2 stale: 1
Mon Oct 12 16:24:21 PDT 2015    IPv4: all: 6 noarp: 1 reachable: 5 stale: 0
Mon Oct 12 16:24:21 PDT 2015    IPv6: all: 35 noarp: 32 reachable: 2 stale: 1
Mon Oct 12 16:24:23 PDT 2015    IPv4: all: 6 noarp: 1 reachable: 5 stale: 0
Mon Oct 12 16:24:23 PDT 2015    IPv6: all: 37 noarp: 34 reachable: 2 stale: 1
Mon Oct 12 16:24:24 PDT 2015    IPv4: all: 6 noarp: 1 reachable: 5 stale: 0
Mon Oct 12 16:24:24 PDT 2015    IPv6: all: 38 noarp: 35 reachable: 2 stale: 1
Mon Oct 12 16:24:26 PDT 2015    IPv4: all: 6 noarp: 1 reachable: 5 stale: 0
Mon Oct 12 16:24:26 PDT 2015    IPv6: all: 757 noarp: 1023 reachable: 2 stale: 0
Mon Oct 12 16:24:29 PDT 2015    IPv4: all: 6 noarp: 1 reachable: 5 stale: 0
Mon Oct 12 16:24:29 PDT 2015    IPv6: all: 1024 noarp: 1022 reachable: 2 stale: 0
Mon Oct 12 16:24:31 PDT 2015    IPv4: all: 6 noarp: 1 reachable: 5 stale: 0
Mon Oct 12 16:24:31 PDT 2015    IPv6: all: 1024 noarp: 836 reachable: 1 stale: 0
Mon Oct 12 16:24:33 PDT 2015    IPv4: all: 6 noarp: 1 reachable: 5 stale: 0
Mon Oct 12 16:24:34 PDT 2015    IPv6: all: 32 noarp: 30 reachable: 1 stale: 0
Oct 12 16:24:27 kernel: printk: 5 messages suppressed.
Oct 12 16:24:27 kernel: Neighbour table overflow.
Oct 12 16:24:27 kernel: Neighbour table overflow.
Oct 12 16:24:27 kernel: Neighbour table overflow.
Oct 12 16:24:27 kernel: Neighbour table overflow.
Oct 12 16:24:28 kernel: Neighbour table overflow.
Oct 12 16:24:28 kernel: Neighbour table overflow.
Oct 12 16:24:28 kernel: Neighbour table overflow.
Oct 12 16:24:28 kernel: Neighbour table overflow.
Oct 12 16:24:28 kernel: Neighbour table overflow.

Let's raise the thresholds for IPv6. gc_thresh3 is the hard limit: once the table holds that many entries and the garbage collector cannot free any, the kernel refuses new ones and logs "Neighbour table overflow"; below gc_thresh1 no garbage collection happens at all, and above gc_thresh2 the collector purges entries more aggressively. Writing to /proc is lost on reboot, so the same three lines also need to go into the Init script under Administration → Scripts. Note that the table went from about 38 entries to the 1024 limit within three seconds; doubling the limit buys headroom but not an explanation. If the entries filling it turn out to be INCOMPLETE or FAILED addresses inside the delegated /64 that no host uses, this is the neighbour cache exhaustion from an outside address scan described in RFC 6583, and the fix is to filter unsolicited inbound traffic to the LAN prefix at the WAN rather than to grow the table.

$ echo  256 > /proc/sys/net/ipv6/neigh/default/gc_thresh1
$ echo 1024 > /proc/sys/net/ipv6/neigh/default/gc_thresh2
$ echo 2048 > /proc/sys/net/ipv6/neigh/default/gc_thresh3

$ grep . /proc/sys/net/ipv6/neigh/default/gc_thresh*
/proc/sys/net/ipv6/neigh/default/gc_thresh1:256
/proc/sys/net/ipv6/neigh/default/gc_thresh2:1024
/proc/sys/net/ipv6/neigh/default/gc_thresh3:2048
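As an added example, not code from the wiki page, here is a deeper version of the monitoring loop above that also puts the thresholds to use: it counts every ip -6 neigh entry by NUD state (the loop above only prints noarp, reachable and stale), reports how full the table is against gc_thresh3, and counts unresolved INCOMPLETE/FAILED entries inside the LAN prefix, the pattern an outside scan of the /64 leaves behind. The neighbour lines, the 2001:db8:1:2::/64 prefix and the threshold values in the demo are constructed; on the router the watch_neigh function reads the live table instead.

```shell
#!/bin/sh
# Added example, not code from the wiki page: a deeper version of the
# monitoring loop above. It counts every `ip -6 neigh show` entry by NUD
# state, reports table usage against gc_thresh3, and counts unresolved
# (INCOMPLETE/FAILED) entries inside the LAN prefix, the signature of an
# outside scan of the /64 exhausting the neighbour cache (RFC 6583).
# The neighbour lines, the 2001:db8:1:2::/64 prefix and the thresholds used
# in the demo are constructed; on the router, feed it the live table.

# Constructed sample of `ip -6 neigh show` output.
SAMPLE_NEIGH='fe80::1 dev br0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:1:2::10 dev br0 lladdr 00:11:22:33:44:66 STALE
ff02::1 dev br0 lladdr 33:33:00:00:00:01 NOARP
ff02::2 dev vlan2 lladdr 33:33:00:00:00:02 NOARP
2001:db8:1:2::a001 dev br0  INCOMPLETE
2001:db8:1:2::a002 dev br0  INCOMPLETE
2001:db8:1:2::a003 dev br0  FAILED
2001:db8:9:9::1 dev vlan2  FAILED'

# Usage: neigh_states < neigh-output
# One "STATE count" line per NUD state seen (the state is the last field of
# each entry), followed by "TOTAL n".
neigh_states() {
    awk 'NF { s[$NF]++; n++ } END { for (k in s) print k, s[k]; print "TOTAL", n + 0 }' | sort
}

# Usage: neigh_usage_pct GC_THRESH3 < neigh-output
# Percentage of the hard limit in use; the kernel logs "Neighbour table
# overflow" once it cannot add an entry beyond gc_thresh3.
neigh_usage_pct() {
    total=$(neigh_states | awk '$1 == "TOTAL" { print $2 }')
    echo $(( total * 100 / $1 ))
}

# Usage: unresolved_in_prefix PREFIX < neigh-output
# Entries in INCOMPLETE or FAILED state whose address starts with PREFIX,
# i.e. solicitations for LAN addresses that nobody answered. Plain text
# match: write the prefix as its four leading groups with a trailing colon
# (assumed not to be zero-compressed), e.g. "2001:db8:1:2:".
unresolved_in_prefix() {
    awk -v p="$1" 'index($1, p) == 1 && ($NF == "INCOMPLETE" || $NF == "FAILED") { n++ } END { print n + 0 }'
}

# Usage: watch_neigh PREFIX [INTERVAL]
# Live loop for the router: one summary line per interval against the
# current gc_thresh3. Not run by the demo below.
watch_neigh() {
    thresh3=$(cat /proc/sys/net/ipv6/neigh/default/gc_thresh3)
    while true; do
        snap=$(ip -6 neigh show)
        echo "$(date) usage: $(printf '%s\n' "$snap" | neigh_usage_pct "$thresh3")%" \
             "unresolved in $1: $(printf '%s\n' "$snap" | unresolved_in_prefix "$1")"
        sleep "${2:-5}"
    done
}

# Demo on the constructed sample against a deliberately tiny limit of 16.
printf '%s\n' "$SAMPLE_NEIGH" | neigh_states
echo "usage: $(printf '%s\n' "$SAMPLE_NEIGH" | neigh_usage_pct 16)%"
echo "unresolved in 2001:db8:1:2::/64: $(printf '%s\n' "$SAMPLE_NEIGH" | unresolved_in_prefix 2001:db8:1:2:)"
```

A usage figure that climbs towards 100% together with a growing unresolved count inside the LAN prefix points at scanning from outside rather than at a table that is merely too small; a burst of NOARP entries, as in the captures above, is something else and deserves a look at what those addresses are before the thresholds are touched.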
