Recent Forum Posts

Hi Shibby,

I've been using the Tomato Shibby version for a few years and it's great. Recently, I tried to upgrade my Linksys EA3200 from 132 to any multi-WAN version (136, 138 and 140). All of them make my 5G wireless disappear. Once I roll back to 132, the 5G is back. I did a hard reset and erased all data in NVRAM every time I upgraded and downgraded. Finally I found out it's related to my VPN. Once I enable the OpenVPN server with TLS Authorization Mode with all the keys input and reboot the device, the 5G wireless disappears.

Hope this info can help you fix it in the next version.


Re: Shibby Builds by cyberbastion, 19 Sep 2017 01:41

Asus rt-ac66u
Shibby release 140

Every time I try and enable the bandwidth limit I find all traffic from the lan/wireless devices get blocked from the internet/WAN.
I have used this in the past on a much older release (I forgot which version) and it appeared to work fine.

Now every time I set up a simple rule and enable bw limit, it appears to stop iptables running.
When I don't enable bw limit I end up with the file /tmp/etc/iptables and all looks ok and everything runs ok.
However when I enable bw limit, I don't get /tmp/etc/iptables but iptables.error instead. Looking at this file
root@crossway:/tmp/etc# more iptables.error
-A POSTROUTING ! -s -d -j MARK --set-mark 10
-A PREROUTING -s ! -d -j MARK --set-mark 10
-I PREROUTING -i vlan2 -j DSCP --set-dscp 0
-I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Trying to load this error file using iptables-restore and reducing it down to the first line that gives an error, it seems the first line:-
-A POSTROUTING ! -s -d -j MARK --set-mark 10
does indeed error.
When tried by itself with the iptables command I get:-
iptables -t mangle -A POSTROUTING ! -s
55.255.0 -d -j MARK --set-mark 10
iptables: No chain/target/match by that name

but iptables -t mangle --list seems to show there is a POSTROUTING, so I don't see what's wrong.

iptables -t mangle --list
target prot opt source destination
DSCP all -- anywhere anywhere DSCP set 0x00

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

target prot opt source destination

I'm no expert with iptables so any help gratefully received. Any thoughts as to where to look next?


Hello. I am spooked after bricking a TP-Link router last night.

I have the correct Tomato image file, I want to be clear on this one. Do I do a 30/30/30, go to Administration->Upgrade flash. After it's successful, do I do another 30/30/30?

I really do not want another brick.

thanks, Bj

Cisco EA2500 flash by Brian_ca, 14 Sep 2017 22:43

Hi everyone

I'm using "Advanced Tomato Version 3.4-140" on an Asus RT-N16, but it doesn't show my "HEWLETT-PACKARD DESKJET 930C" under "Attached Devices".

Before, I used "Advanced Tomato Version 3.2-137" and this problem didn't happen. There were never any recognition problems…

Has any driver been removed from the firmware? How could you recognize this printer model again?



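1. The school or the course instructor will first email the student accused of cheating and give them the chance to admit it or to appeal.
If the student admits to cheating, the assignment or exam is given a zero and the incident is put on record (because American campuses place great weight on protecting privacy, cheating records are usually confidential and will not be known to other students or teachers), and the student's later conduct is observed. If the student offends again, they face more serious consequences such as suspension, or expulsion and deportation. If there is no repeat offence, the cheating record is cleared after graduation.

2. If the student does not admit to cheating, they have the right to appeal before the school's academic misconduct committee.
3. If you are unfortunate enough to be expelled by an American university, with your I-20 cancelled and your F1 visa invalidated, please do not despair too much, because being sent back home is not the only path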



I'm also stuck on almost same problem, I can't route a segment or an address through the PPTP Client.

What I want is to route only a local PC with ip through the PPTP Client.

== PPTP Client Configuration ==
Start with WAN: checked  
Server Address: (....)
Username: (....)
Password: (....)
Encryption: None
Stateless MPPE connection: checked
Accept DNS configuration: Disabled
Redirect Internet traffic: Disabled (doesn't matter if on or off)
Remote subnet / netmask
Create NAT on tunnel: Checked
MTU: Default 1450
MRU: Default 1450
Custom Configuration: (empty)
== In ssh terminal ==
ip rule add from table 200 prio 4
ip route flush table 200
VPN_GW=`ifconfig ppp4 | awk '/inet addr/ {split ($3,A,":"); print A[2]}'`; ip route add table 200 default via $VPN_GW dev ppp4
ip route flush cache

iptables -I FORWARD -i br0 -o ppp4 -j ACCEPT
iptables -I FORWARD -i ppp4 -o br0 -j ACCEPT
iptables -I INPUT -i ppp4 -j REJECT
iptables -t nat -A POSTROUTING -o ppp4 -j MASQUERADE

I can verify that the PPTP Client is working by routing all traffic through the client.
Done by changing the default routing:

ip route del default
VPN_GW=`ifconfig ppp4 | awk '/inet addr/ {split ($3,A,":"); print A[2]}'`; ip route add default via $VPN_GW dev ppp4
iptables -t nat -A POSTROUTING -o ppp4 -j MASQUERADE
ip route flush cache

Using Wireshark on the WAN side shows that only 2 requests are encapsulated by PPP:
215.x.x.x   TCP 55001->80 [SYN]        (Encapsulated in PPP)
215.x.x.x   TCP 80->55001 [SYN, ACK]   (Encapsulated in PPP)
215.x.x.x   TCP 55001->80 [ACK]        (NOT!!! Encapsulated in PPP)
The rest of the traffic is not encapsulated. If all traffic is routed through the PPTP Client then all packages are correctly encapsulated in PPP!

When looking at the SYN / SYN,ACK above it is like iptables is doing something with 'Established connection' but I can't find any statement indicating this.

== build ==
Netgear R7000
Tomato Firmware 1.28.0000 -140 K26ARM USB AIO-64K

I am stuck here, but I may have missed something simple….


I would like to use my asus tomato router instead of my ISP router. They say that it should be possible directly, if my new router can set VLAN 101.
Is it possible to set VLAN 101? I can only see a limited amount of VLANs (15) in the UI, would this be possible?
I've read that passthrough could also be an option, but can't find that in the ISP router configuration. But if that is done, wouldn't I still need to set up the appropriate VLAN things?

Asus RT-N16

Was doing some work on my network and started experiencing problems. All WIFI devices lost connection. After much poking around finally found a workaround and that was to set Wireless Client Filter to "Block the following clients". "Permit only the following clients" and "Block the following clients" seem to have reversed. Any ideas as to what could be causing this? Tried "Restore Default Configuration" and re-configured everything with the same result.

Hey, I'm running tomato with dns pointed to a dnscrypt address with no-resolv, how can I have the router use the DNS from the running openvpn client?
SOLUTION: I disabled dnscrypt, unchecked the no dns rebind option in the advanced setting, set in the open vpn client tab Accept DNS configuration > Exclusive

I have some new information about my problem.
I tried a different firmware, openwrt-brcm-2.4-squashfs.trx (backfire). It is an old version (2011), but the last version on the 2.4 kernel. The router is slowed down, but works. Sometimes I see 75.34 in the ARP table, but I have no problems with it. The Internet connection doesn't drop.
It looks like it is a problem with Tomato builds. Both the old 2.4 kernel and the newest 2.6 kernel.
How can I fix it? Maybe by adding some rules in the firewall?

I cannot post links. Replace the spaces with slashes. photos 170907_02_01.png

Re: Shibby Builds by Grishanenko, 09 Sep 2017 11:33

Another note before someone asks I also have the below in my firewall rules.

iptables -I FORWARD -i br0 -o tun22 -j ACCEPT
iptables -I FORWARD -i tun22 -o br0 -j ACCEPT
iptables -I INPUT -i tun22 -j ACCEPT

Hi, if someone could point me in the right direction. I am trying to link my parents home network over openvpn. I am following a guide I found online at and what I am finding is that even though my custom configuration contains route-up "/sbin/route add -net netmask gw" tomato seems to completely ignore the route. If I do a trace route from tomato it just sends it out the gateway even though I show the route in the current routing table.

Thoughts anyone?

Asus WL-520gu
tomato-K26-1.28.RT-MIPSR1-140-Mini and any old firmware.
Sometimes my Internet connection seems to be OK, but I can not open any site and I can not even ping a gateway (74.1). In this case, I see in Device List that someone (75.34) is connected to the vlan1 interface. My ip - 75.57
In the log I do not see 75.34
With a direct connection everything is alright, with a TP-Link WR-741ND router everything is alright. But with the WL-520gu I see that 75.34 again. It may take 1-2 hours per day. At other times my router works fine.
Please help me to understand how this IP is connected to my WAN interface?

I cannot post links. Replace the spaces with slashes. photos 170829_02.png

Re: Shibby Builds by Grishanenko, 04 Sep 2017 10:05

Please help me as I'm wanting to find a way to connect tomato router to my adsl2+ pppoa modem. The modem supports bridge mode but can't seem to get the tomato router setup to work along side it.

The setup I would like is to have my vpn setup on tomato router and have ideally all traffic to go through it before modem. But at least would like to have my 3 android boxes connected to tomato via ethernet through USB and out.

Is this possible? I'm stumped trying. A bit over my head.

Thanks in advance

Idea isn't bad I see. Thanks for posting here.

I'm curious if this was ever resolved. I'm having nearly identical issues on an Asus RT-AC3200 with TomatoUSB 140. The router has one USB3 port and one USB2 port. I have a USB3 hard drive. The hard drive works fine from the USB2 port, with or without a USB3 hub between. The drive works OK from the USB3 port directly, but completely kills ALL USB detection on both ports when the drive is connected through the hub to the USB3 port. Curiously, the USB3 hub with a USB2 thumb drive attached to the USB3 port works OK. I've tried two different USB3 hubs, same result. Most odd. I've spent hours trying to resolve this with no joy. Clues appreciated. Thanks!

Re: USB 3.0 with USB hub by wseverin, 23 Aug 2017 21:56

I resolved it by doing a complete reset-to-default/thorough NVRAM clear:
Administration > Restore Default Configuration > Select… > "Erase all data in NVRAM (thorough)" > OK.
Warning: this will reset all your settings. But this is also the page you can backup your settings. (Not sure if reloading saved settings from the previous state will re-introduce the problem—perhaps better to re-do settings from scratch, or at least first check if you obtained a lease on your WAN IP after clearing settings.)
Tomato had been warning me on this page that my NVRAM free space was very limited, and that it was highly recommended to do this. I didn't realize it would fix the WAN DHCP problem, but it did.

In web searching about this problem, I found this page and also this other page, which I was hopeful for, but it didn't do the trick. Perhaps it will help someone else, if the above doesn't help:
[okay, nice, my 'new user/low-karma' status I'm forbidden from posting links]
awesomeprogrammer [] com/blog/2015/04/23/wan-dhcp-mystery-on-tomato-software/
In case the above page ever goes down or whatever, I'll copy the key part below:
"Go to Settings –> Advanced –> DHCP Client (WAN)
In DHCPC Options simply add -t 0 -C, click save and enjoy obtained IP"
According to that page, the switches mean this:
-t 0 – Send up to N discover packets
-C – Don’t send MAC as client identifier

I want to clarify that I did that, and when that didn't work, I tried removing the -C. I also tried checking 'self-explanatory' 'reduce packet size' right there (as this used to be default in Tomato) on both switch combinations, and some other things, including doing a decently long power-off of my modem, none of that worked. And I also want to clarify that I am still not using any of those settings, after my NVRAM clearing. Registered here to post this, and hope it might help someone.

I hope someone can get me help here. I already did 4 hours on google now I end up making a new thread to get it right. I don't know what to do. Please help.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License