Tomato Firmware/Printable version

Tomato Firmware

The current, editable version of this book is available in Wikibooks, the open-content textbooks collection, at

Permission is granted to copy, distribute, and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 3.0 License.

Supported Devices


Supported devices and revisions edit

  • Linksys WRT54G (v1-v4 only), WRT54GS (v1-v4 only), WRT54GL (v1 & v1.1), WRTSL54GS (no USB support), WRT-160Nv3 (with latest Teddy Bear mod based on kernel 2.6)
  • Buffalo WHR-G54S, WHR-HP-G54, WZR-G54, WZR-HP-G54, WZR-RS-G54, WZR-RS-G54HP, WBR-G54, WBR2-G54, WVR-G54-NF, WHR2-A54-G54, WHR3-AG54 (WHR-G125 Supported in the ND version of Tomato)
  • ASUS WL-500g Premium (no USB support), WL-500g Premium v2 (use the ND version), WL500GE, WL520GU (1.22 and above, see FAQ, no USB support), RT-N16, RT-N12 (with latest Teddy Bear mod based on kernel 2.6)
  • Netgear WNR2000v2 (with Tomato [2]), WNR3500L/v2 (with latest Teddy Bear mod based on kernel 2.6)
  • Microsoft MN-700 can work with v1.14 perfectly except the "Buttons and LED" function is not supported.
  • SparkLAN WX6615GT
  • Fuji RT390W
  • Dell TrueMobile 2300
  • D-Link DIR-320
  • Motorola WR850G v2/v3. "Buttons and LED" function is not supported.
  • Ovislink AirLive WL-1600GL
  • Cisco Valet M10 (same as Linksys e1000 or WRT-160N v3) (with latest Teddy Bear mod based on kernel 2.6).

Linksys edit

Linksys WRT54G edit

Version CPU speed RAM Flash memory S/N Prefix Notes
1.0 125 MHz 16 MB 4 MB CDF0
20 front panel LEDs (including link/activity, collision detection and speed rating indicators for each RJ-45 port). Wireless capability was provided by a Mini PCI card attached to the router motherboard
1.1 125 MHz 16 MB 4 MB CDF2
Front panel LEDs reduced to eight (one link/activity LED per port, plus one each for power, wireless, DMZ and WAN/Internet connectivity). Wireless chipset is integrated onto motherboard.
2.0 200 MHz 16 MB 4 MB CDF5 Same as 1.1 with a CPU upgrade and greater wireless transmitter integration (fewer transmitter parts). Some of these have 32 MB of RAM but are locked to 16 MB in the firmware
2.1 216 MHz 16 MB 4 MB CDF6 Same physical appearance as 1.1 and 2.0 models. Some of these models have 32 MB of RAM installed but have been locked to 16 MB by the manufacturer. Some models have two 16 MB MIRA P2V28S40BTP memory chips.
2.2 216 MHz 16 MB 4 MB CDF7 Same physical appearance as 1.1 and 2.0 models. Switching chipset from ADMtek 6996L to Broadcom BCM5325EKQM. Some of these models have 32 MB of RAM installed but have been locked to 16 MB by the manufacturer. Some models have 16 MB Hynix HY5DU28162ET-J memory chips.
3.0 216 MHz 16 MB 4 MB CDF8 Identical to 1.1 and later models, except for the CPU speed and an undocumented switch behind left front panel intended for use with a feature called "SecureEasySetup".
3.1 216 MHz 16 MB 4 MB CDF9 The Version 3.1 hardware is essentially the same as the Version 3.0 hardware. Adds "SecureEasySetup" button.
4.0 200 MHz 16 MB 4 MB CDFA Broadcom BCM5352EKPB Chipset
TM 200 MHz 32 MB 8 MB CO61 Use dd-wrt Tornado CFE updater (or JTAG) and cross-over to Tomato using Web upgrade

Linksys WRT54GS edit

Version CPU speed RAM Flash memory S/N Prefix Notes
1.0 200 MHz 32 MB 8 MB CGN0
Broadcom BCM4712KPB and ADMtek 6996L switch. Added SpeedBooster technology (Broadcom Afterburner technology), claims to boost the throughput of 802.11g by 30% (for maximum boost needs SpeedBooster technology on the other side, but will boost standard 802.11g as well)
1.1 216 MHz 32 MB 8 MB CGN2 Chipset changed to Broadcom BCM4712LKFB and BCM5325EKQM switch.
2.0 216 MHz 32 MB 8 MB CGN3 10 LED Front Panel (two new ones behind Cisco logo button). Also capable of SecureEasySetup, but use of the logo button and lighting of the new LEDs behind it requires firmware upgrade. Broadcom BCM4712 chip REV1 or REV 2
2.1 216 MHz 32 MB 8 MB CGN4 Radio chip is changed from BCM2050 to BCM2050KML.
3.0 200 MHz 32 MB 8 MB CGN5 Use System-on-Chip: processor, MAC, and switching are handled by Broadcom BCM5352EKBP.
4.0 200 MHz 16 MB 4 MB CGN6 Notes: Reduced RAM & Flash (a very rare few have 32MB/8MB)

Linksys WRT54GL edit

Version CPU speed RAM Flash memory S/N Prefix Notes
1.0 200 MHz 16 MB 4 MB CL7A New model line, released after the version 5 WRT54G, which returns to a Linux-based OS as opposed to the VxWorks firmware. SpeedBooster is not enabled in stock firmware, however third-party firmware will enable the feature. The hardware is essentially the same as the WRT54G version 4.0. One alteration is that the internal numbering scheme of the 4-port switch changed in this model, from 1 2 3 4, to 3 2 1 0.
1.1 200 MHz 16 MB 4 MB CL7B CL7C As of May 8, 2008, this version was shipping with firmware revision 4.30.11. This pre-loaded firmware allows the user to upload a 4MB firmware image, whereas the pre-loaded firmware on version 1.0 limited the image to 3MB. Firmware version 4.30.12 is now available for both hardware versions. Fully supported by Tomato

Linksys WRTSL54GS edit

Version CPU speed RAM Flash memory S/N Prefix Notes
1.0 264 MHz 32 MB 8 MB CJK0 Released after the WRT54GS and WRT54GL. Uses Linux-based OS. Includes SpeedBooster support, additional firmware features, and an external USB 2.0 port (StorageLink) for network storage. Uses 8 MB of Intel TE28F640 flash with a Broadcom BCM4704KPB processor and Broadcom BCM5325FKQM Ethernet switch.
1.1 264 MHz 32 MB 8 MB CJK11 Change from BCM4704 rev 8 to BCM4704 rev 9 unconfirmed

Linksys WRT54G-TM edit

The WRT54G-TM (TM stands for T-Mobile) is also called the T-Mobile "Hotspot@Home" service. It allows calls to be made via T-Mobile's GSM network or via WiFi Unlicensed Mobile Access (UMA), using the same telephone and phone number (a special dual-mode phone designed for the service is required e.g. Blackberry Pearl 8120). Additionally, once a call is in progress, one may transition from WiFi to GSM (and vice versa) seamlessly, as WiFi signal comes and goes, such as when entering or exiting a home or business. A special router is not needed to use the service, but the T-Mobile branded routers are supposed to enhance the telephone's battery life. This is the only known tweak to the TM version of the firmware. The hardware appears to be like WRT54GL however has 32MB ram and 8MB flash.

The WRT54G-TM having a serial number that starts with C061 has these specifications:

  • Broadcom BCM5352EKPBG CPU
  • 32 MB RAM (Hynix HY5DU561622ETP-D43)
  • 8 MB Flash (JS28f640)
  • Uses the same BINs that the WRT54GS v3.0 does
Version CPU speed RAM Flash memory S/N Prefix Notes


200 MHz 32 MB 8 MB CO61 T-Mobile Edition WRT54GS V3.0 (Renamed WRT54G-TM). It is possible to upgrade to third-party firmware via JTAG or by replacing the CFS and uploading a new firmware over TFTP. Instructions for the CFS/TFTP method can be found easily on the internet [1][2][3], and other third-party firmwares can be easily applied afterwards.

Yes, the Tomato Firmware works on the WRT54G-TM.[4]



200 MHz 64 MB 8 MB QMF00H T-Mobile Edition Model: WRTU54G-TM. This version has two RJ-11 telephone ports and two SIM card slots. The WRTU54G-TM is not supported by DD-WRT. It cannot be flashed [3].

Asus edit

Model CPU speed RAM Flash memory S/N Prefix Notes
WL-500g Broadcom 4710 @ 125MHz 16 4 ? ?
WL-500gE ? ? ? ? ?
WL-500gP Premium V1 BCM94704 @ 266 Mhz 32 8 ? First Flash manually via TFTP. Here's how: Download the Tomato firmware. Open a command prompt and 'cd' to the directory where you downloaded the firmware (.trx file). Type 'tftp -i PUT Tomato.trx' but DO NOT HIT ENTER! Unplug the power to the router. Hold down the reset/restore button while reconnecting the power. Wait until the power light starts blinking before releasing the reset/restore button. Hit enter in your command prompt window (to run 'tftp -i PUT Tomato.trx'). Wait 15-30 seconds for the image to upload. If you receive a TFTP timeout message start the process over again (from step 3). Wait 4-5 minutes and power cycle the router.
WL-500gP Premium V2 BCM5354 CPU @ 240 Mhz 32 8 ? Requires ND version as of 1.23, stock firmware has no USB support (See Teddy Bear Mod)
WL-500W Broadcom 4704 @ 264 Mhz 32 8 ? Unconfirmed but same chipset as Buffalo WZR-HP-G54,WZR-RS-G54,WZR-RS-G54HP,WHR3-AG54 as well as the Linksys WRTSL54GS. 802.11n feature is not supported. Reports that the Mimo driver from OpenWRT also works at 11/g.
WL-520gU BCM5354 CPU @ 240 Mhz 16 4 ? Requires ND version as of 1.23, tomato original firmware has no USB support (Teddy Bear Mod extends it to offer USB 2.0 support for printers and network-attached storage)
RT-N12 Broadcom 4716 @ 300 Mhz 32 4 ? Requires at least Teddy Bear Mod (beta version based on kernel 2.6)-NOUSB
RT-N16 Broadcom 4718 @ 533 128 32 ? Requires at least Teddy Bear Mod (beta version based on kernel 2.6)

Buffalo edit

Model CPU speed RAM Flash memory S/N Prefix Notes
WHR-G54S Broadcom 5352 @ 200MHz 16 4 ? supported
WHR-HP-G54 Broadcom 5352 @ 200MHz 16 4 ? supported
WZR-G54 Broadcom 4704 @264MHZ 64 4 ? supported
WZR-HP-G54 Broadcom 4704 @ 264MHz 64 4 ? ?
WZR-RS-G54 Broadcom 4704 @ 264MHz 64 8 ? ?
WZR-RS-G54HP Broadcom 4704 @ 266MHz 64 8 ? ?
WBR-G54 Broadcom 4710 @ 125MHz 16 4 ? ?
WBR2-G54 Broadcom 4712 @ 200MHz 16 4 ? supported k24 and k26-mini
WVR-G54-NF ? ? ? ? ?
WHR2-A54-G54 Broadcom 4704 @264 MHz 64 ? ? ?
WHR3-AG54 Broadcom 4704 @ 264MHz 64 4 ? ?
WHR-G125 Broadcom 5354 @ 240MHz 16 4 ? Must use the ND version of Tomato on this Router.

Dell edit

Model CPU speed RAM Flash memory S/N Prefix Notes
TrueMobile 2300 Broadcom BCM94710 @ 125MHz 16 4 ? ?

Microsoft edit

Model CPU speed RAM Flash memory S/N Prefix Notes
MN-700 Broadcom 4710 @ 125MHz 16 4 ? ?

Netgear edit

Model CPU speed RAM Flash memory S/N Prefix Notes
WNR2000v2 Broadcom 300 MHz BCM4716 CPU 32MB 4MB ? Fast Ethernet switch, 802.11n, requires Toastman or Teddy Bear Mod Mini.
WNR3500L Broadcom 480 MHz MIPS 74K CPU 64MB 8MB ? USB 2.0 host port, Gigabit Ethernet switch, 802.11n, requires Teddy Bear Mod (beta version based on kernel 2.6)
WNR3500Lv2 Broadcom 480 MHz MIPS 74K CPU 128MB 128MB ? USB 2.0 host port, Gigabit Ethernet switch, 802.11n, requires Teddy Bear Mod (beta version based on kernel 2.6)

Sparklan edit

SparkLAN WX6615GT

D-link edit

Model CPU speed RAM Flash memory S/N Prefix Notes
DIR-615 BCM5354 CPU @ 240 Mhz 32 4 ? Requires Teddy Bear Mod, version 8742 fully support LEDs and buttons.

Motorola edit

Model CPU speed RAM Flash memory S/N Prefix Notes
WR850G v2/v3 BCM4712 CPU @ 200 Mhz 16 4 ? For initial flash from stock firmware a special image is required. It is recommended to flash first to Motorola firmware 6.1.4, and continue with the Tomato afterwards.

The default Motorola CFE (Common Firmware Environment - so called bootloader) might have problem with reverting the router to default settings. It is recommended to modify the CFE in a way that it will be able to revert to default settings and switch on the boot_wait flag in order to enable TFTP recovery method.

References edit

  1. "Linksys WRT54G-TM DD-WRT Flashing Instructions". Greg Ledet. 2009-12-09.
  2. "How to flash the Linksys WRT54G-TM T-Mobile Edition". Luniz2k1. 2010-2-21. {{cite web}}: Check date values in: |date= (help)
  3. "Flash Using a Mac by StevenJJ". StevenJJ. 2008-10-15.
  4. "Tomato WRT54G-TM - supported?". soopahman. 2009-1-19. {{cite web}}: Check date values in: |date= (help)

Installation and Configuration


To do:
Need to reorganize as (1) General installation, (2) Device specific addenda, (3) Configuration adjuncts and recipes (adding features), (4) Config & operational notes on various topics -- Wrlee (talk) 05:19, 31 July 2009 (UTC)


Installation edit

Before the Upgrade edit

  • The GUI relies heavily on JavaScript to generate the content and XMLHTTP (AJAX) to update it. Be careful if you need to use this from an older/minimal browser since it was not designed to downgrade gracefully. This has been tested only on Firefox v1/2/3, Opera v9 and IE v6/7.
  • Do all upgrades through a wired LAN cable (i.e. NOT wirelessly). (Although it's possible to upgrade the firmware wirelessly, the transmission may be corrupted by a running microwave oven or ringing cell phone, which will render your router useless, so just don't do it.)
  • The GUI username is "admin" or "root" (username is required), ssh and telnet username is always "root", and the default password is "admin".
  • By default, the SES/AOSS button is programmed to start a password-less telnet daemon at port 233 if held for 20+ seconds. If you run into a problem of not being able to login, you can use this to view ("nvram get http_passwd") or reset ("nvram set http_passwd=newpassword") the password. You can disable this behavior in Admin/Buttons. Remember to reboot the router after retrieving your password to close the backdoor.
  • If you're upgrading from DD-WRT v23 SP2+, be aware that you may get locked-out because of a change in DD-WRT's use of the nvram password key. You have a few options:
    • Push the reset button to reset all the configuration after installing Tomato.
    • Use the SES/AOSS button as described above.
    • Log in with telnet* and type "nvram get http_passwd" while running DD-WRT and write down the result - this will be your password after loading Tomato. (*the telnet login name is always 'root' even if you have changed the user name in the DD-WRT web interface).
  • If you still have problems with Tomato after upgrading from DD-WRT (WPA2 not working, wireless broadcast failing, settings not being remembered, other) do a complete wipe of the NVRAM by going to Administration->Configuration->Restore Default Configuration->Erase all data in NVRAM memory (thorough). Then as an extra step reinstall (upgrade) to the Tomato firmware. This should solve all issues when upgrading from DD-WRT
  • G\code.bin is for WRT54G v1-4 and WRT54GL v1, GS\code.bin is for WRT54GS v1-3, GSv4\code.bin is for WRT54GS v4, and TRX\code.trx is for the WHR-G54S/ WHR-HP-G54S. If you're just upgrading an existing Tomato firmware from the GUI, any of these will work.

Installing on a Linksys WRT54G, WRT54GL or WRT54GS edit

  1. Unarchive the 7z package you downloaded. It's compressed using 7-Zip - tools to open this can be found at
  2. Open the Linksys GUI in your browser. The default URL is The default credentials are username: {blank}, password: admin
  3. Click the Administration tab, then Firmware Upgrade.
  4. Select and upload the correct firmware for your router.
  5. Wait for about 2 minutes while the firmware is uploaded & flashed.
  6. Log in to the router, and reset factory defaults (under Administration/Configuration/Restore Default Configuration, select the Erase all data in NVRAM Memory (thorough) option and click OK. Router will restart again, and the factory default login is "root" with a password of "admin". If you have a password set with the old Linksys firmware, try using that password before a manual reset if you encounter any problems logging into Tomato GUI.

Installing on an ASUS WL-520gU edit

Installing from OEM firmware edit

Installing Tomato firmware from OEM firmware may need a little massaging to get it on the device.

  1. If the device has OEM firmware version 3.x or later, then you need to revert it to a pre-3.x version, first (download from
  2. Downloading and unpack the "ND" version of Tomato firmware, rename the file to "WL520gu_2.0.0.9_EN.trx".
  3. Use the OEM menus to update the firmware with the renamed Tomato file.

Once installed, you can load any other firmware file without these machinations, using the config menu item to load new (or old) versions of firmware, including OEM versions.

USB support for storage and printers edit

As noted above, the USB port is not supported by the standard Tomato firmware. There are alternative variations that add this support; see the forum posting "Tomato 1.xx ND USB + FTP/Samba Mod" for the list of features.

  1. Downloaded and unpack the desired Tomato variation from
  2. Install (note OEM firmware installation instructions, above).
  3. Enable USB features in the web UI.

Installing on a Buffalo WHR-G54S/WHR-HP-G54 edit

Via Windows 2000 and XP edit

Warning: Be aware that Buffalo only has encrypted firmwares on their web site. You will not be able to revert back to Buffalo's firmware without an unencrypted version of their firmware.

Vista note: Install the tftp client before continuing. Go to Control Panel-->Programs and Features-->Add/remove Windows Features-->tftp client Reference

The following is for an initial install on a Buffalo router. If you're already using a third-party firmware or just upgrading a Tomato firmware, try uploading any of the .bin files from the GUI.

  • Plug your computer directly to the router's LAN port. This will not work over a wireless connection.
  • Set your computer's ethernet card settings to: IP=, mask=, gateway= (Gateway and DNS settings are optional and not needed to flash Tomato). In Windows, you can set this by going to Control Panel, Network Connections, right-click your ethernet card, click properties, then TCP/IP.
  • Plug in your router and quickly enter this in a DOS window. "tftp -i put tomato.trx" It will return Timeout if it failed or Transferred if it was successful.
  • Make sure you are unplugging/replugging the router's power cable (not ethernet cable). There's about a quick 3-5 second window when router is booting up where you can send a install a new firmware. If you miss that and the old firmware boots, you'll get a continuous "ping ... tftp ... ping ... tftp". Unplug, wait a few seconds and try again. Might be tricky to get the timing right...
  • After waiting for at least 2 minutes after the initial flash, with the power still on, push the reset button for one full minute to reset the configuration. Release the reset button and allow the unit to boot up before trying to access it.
  • Your router is now at the address of which you can access by manually changing the computer back to, subnet, Gateway and DNS, or simply set your computer back to DHCP (Obtain Automatically in the TCP/IP properties).
  • The tftp -i put code.trx process involves the manual hit and miss timing of running a ping loop and hitting enter at just the right time during the power up sequence. The provided batch file eliminates this hectic method of flashing and has rendered it obsolete. Use the Tomato batch file that is included with the Tomato firmware to flash all compatible Buffalo routers. If you get timeout errors copy the tftp.exe file from Windows/System32/ into the same directory as the .bat and .trx files so the system can find tftp.exe faster.

Migrating from DD-WRT Firmware via Windows edit

  • You can use the DD-WRT web interface to flash to the Tomato firmware.
  • First, obtain the password for the router: In the web interface, go to Administration -> Commands. Type "nvram get http_passwd" into the text box and click "Run Commands". When the page reloads, it will show the password below. Make note of this password for later use.
    • Alternatively, you can obtain the password via telnet. Assuming your router can be found at, you'd type "telnet" at a command prompt to login to the router. Once logged in, type "nvram get http_passwd" and write down the result.
  • Download the Tomato firmware and extract it. In the "trx" subfolder, rename the file code.trx to code.bin. (DD-WRT does not recognize the .trx file extension as firmware.)
  • Update the firmware via the DD-WRT web interface. The Tomato firmware is now installed.
  • Access the Tomato web interface. Use the username "root" and the complete password provided by the "nvram get http_passwd" response above.
  • Browse to Administration > Configuration > Restore Default Configuration. Then select "Erase all data in NVRAM memory (thorough)" and click OK.
  • Please note that the instructions for flashing the firmware via the web interface will only work once you've installed DD-WRT (or perhaps another 3rd party firmware).

Via OS X, Linux, and Other Unix-based OS's edit

Warning: Be aware that Buffalo only has encrypted firmwares on their web site. You will not be able to revert back to Buffalo's firmware without an unencrypted version of their firmware.

The following is for an initial install on a Buffalo router. If you're already using a third-party firmware or just upgrading a Tomato firmware, try uploading any of the .bin files from the GUI.

  1. Plug your computer directly to the router. This will not work over a wireless connection.
  2. Push the reset button for at least 30 seconds to reset the configuration.
  3. Unplug power to the router and plug it back in after at least 10 seconds.
  4. Set your computer's ethernet card settings to: IP=, mask=, gateway=
  5. Open two terminal windows.
    • In the first one, type and execute this: ping
    • You should now be continually pinging the router.
  6. Unplug power to the router. The pings should stop returning now.
  7. In the second window, cd to the directory in which your firmware is located. Then execute the following:
    rexmt 1
    connect Even though the router is still powered down, tftp doesn't actually "connect" when you execute the connect command. Instead, it merely stores the address away until needed.
  8. Still in the second terminal window, type the following but do not execute yet:
    • put tomato.trx
  9. Plug the router back in. The moment you see pings coming across in the first terminal window, execute the put code.trx command you prepared in the second terminal window. If you see a successful transfer, leave the router alone for at least 2 minutes, then unplug the power, wait 10 seconds and plug it back in.
  10. Reset your computer's ethernet card settings back to use DHCP. You can also manually enter the following settings: IP=, mask=, gateway=
  11. To login to the router, just go to in your web browser. Login name is root, password is admin.
  12. Configure your very fine router as desired.
  13. (Instructions adapted from DD-WRT Wiki and Chromite's "Guide to install DD-WRT Firmware on a Linksys WRT54G router.")

Upgrading the Firmware edit

  1. Open the GUI in your browser. The default URL is
  2. Click Administration→Upgrade.
  3. Select any of the files and click the Upgrade button.
  4. Wait for about 2 minutes while the firmware is uploaded & flashed.
  5. According to the author, it is not necessary to reset the configuration if you are upgrading from a previous version of Tomato Firmware. If you are upgrading from another firmware, however, a reset is recommended (Tomato's FAQ). Log in to the router, and reset factory defaults (under Administration/Configuration/Restore Default Configuration, select the Erase all data in NVRAM (thorough) option and click OK. The router will restart. The factory default login is "admin" with a password of "admin".
  6. However, unpredictable behavior of the router is nevertheless often experienced, and can usually be cured by an NVRAM erase and reconfiguration. NVRAM can also become corrupted in use by brownouts, etc. causing the same unpredictable behavior.

Known Problems edit

  • In some cases, you may need to reboot the router manually before the changes go into effect. If the changes involve switching wireless settings, you may need to reboot both ends. (Hasn't been known to happen with 1.07 or later firmware)
  • Not all wireless modes / security combinations work. For example, WEP, Client and WDS will not work in WPA2.
  • CIFS VFS timesout a lot. (or it might the server kicking the client off...)
  • Graphs/SVG may not work with all browsers. Firefox: Use 1.5 or higher. Internet Explorer: Use Adobe SVG. Opera: Use 9.0 or higher. Safari: Use 3.0 or higher.
  • Certain wireless clients cause the router to crash or reboot on while trying to associate. The "ND" drivers are an attempt to rectify this, but when used, Intel 2200B/G wireless clients cannot associate. The following script corrects the problem with the ND drivers - just run them once from the command line, once committed to NVRAM it doesn't need doing again.

nvram set wl_reg_mode=off

nvram commit

[More recent versions of tomato such as TomatoUSB have a wl_reg_mode checkbox in the wireless setup menu].

QoS / Access Restrictions Notes edit

General edit

  • Tomato implements traffic shaping by user-settable rules that divide all connections into classes and allocate bandwidth to each class.
  • Normal QoS classification and access restriction checking is performed on packets traveling out to the Internet (outbound), i.e. the source is from your computer and the destination is outside on the Internet. This is the more important kind, because you can thus influence the behavior of packet queues in your router and DSL modem, avoid buffer overruns and let important packets jump the queue.
  • You can additionally restrict inbound traffic.

Although there is an option to limit the download speed, it's often not recommended since what the router is really doing is dropping packets, which means they may need to be re-sent again over a slow Internet link. Some people erroneously believe that since you have no power over incoming traffic queues in routers out on the Internet, there is not much you can do to improve their behavior. However, this is a misconception, by understanding how TCP works it is most certainly possible to use QOS to manipulate and influence the incoming traffic. For more help on using QOS, visit the various forums.

Try the WRT54 Script Generator as an extension to the current QoS implementation (see Tools for details).

  • Why L7/IPP2P doesn't work all the time:
    • These work by matching known patterns in packets. Some protocols produce reliable uniquely identifiable signatures, but some do not.
    • A change in the protocol's design can sometimes break these.
    • Some L7/IPP2P patterns may depend on which direction the data is going. For example, an HTTP request from a browser is different from an HTTP response from a server.
  • Custom L7 patterns can be stored in /etc/l7-extra/ (you need to create the directory). It's up to you to actually populate it before the firewall starts. This can be tricky if you're using external storage, so consider just using JFFS2 or even simple "echo" statements in the startup script. To learn more about L7 patterns, go to
  • When testing changes to the QoS rules, restart the application on your computer to make sure it's connection is re-classified under the new rule. NOTE - You can now enable "reset classification when making changes" instead.
  • KB transferred match:
    • This is the OUTGOING (to-WAN) data transferred in kilobytes. Consider the amount an approximate value since it doesn't take into account protocol overhead and uses the 1024-based definition instead of the 1000-based definition used more commonly in networking.
    • Entering an upper limit of 1GB (1,048,576KB) or more is considered unlimited and will match anything above 1GB.
    • IPP2P may not work properly with this since IPP2P doesn't keep track of its state.
  • Sticky rules: IPP2P/L7 are "sticky" in that once they match, no other rules are processed. IP/MAC/port-only matches can also be sticky if there are no IPP2P/L7/KB matches above them. When coupled with a KB transferred match with an upper limit, they are not considered sticky. What this all means is you should watch out for rules like the following: "#1: L7 ABC & 1024KB+, #2: L7 ABC", the #1 rule may not match at all since #2 will lock-on if it sees L7 ABC within 0-1024KB. To get around this particular case: "#1: L7 ABC & 0-1024KB, #2: L7 ABC & 1024KB+."
  • Precedence: The rules are checked in the same order as they appear in the GUI, from top to bottom. The first rule that matches sets the class. If you disable "strict ordering", rules (no longer applicable) with IPP2P, L7 and KB matches are grouped in one set and are checked first, the rest in another. In the latest versions of Tomato there is no checkbox to turn off "strict ordering".
  • If you're concerned about performance: IPP2P and especially L7 are slower than simple IP, MAC or port matches.

QoS Basic Settings edit

Recommendations (incomplete, because some settings are undocumented and their effect is not known):

The following recommendations assume that you have some traffic that is critical and cannot tolerate lag, such as online gaming, and at the same time some other traffic that saturates your outgoing (upload) channel and interferes unfavorably with the critical traffic. For example, every time one user uploads a file, another user experiences intolerable lag in an online game.

Open the QoS, Basic Settings page.

Enable QoS.

You can prioritize ACK packets for absolute best performance. Be aware that if this is checked, then P2P traffic (which is mostly ACKS) will be prioritized, which will wreck your QOS settings. Effectively, you have placed most P2P in the highest class!

Activate "Reset class when changing settings", because this helps you to test the effect of your settings changes. It has no effect when you do not change any settings, so usually this can remain enabled.

The "Default class" is the one into which all connections go that are not caught by any of your rules. Use a setting that requires the least number of rules. If you don't know, try "Medium".

It is best to remove the rule for P2P, set your default class to e.g. lowest. In this way anything that is not specifically addressed by a rule will bypass the rules and end up in the default class. This is the best way to handle P2P.

Max Bandwidth is important, because it can avoid queues and the consequent lag in the DSL modem. Set it to a little less than the known and measured maximum throughput of your outgoing DSL channel. For example, if you have a 16000/1000 ADSL line, which you have measured to actually provide 1000 Kbit/s (125 KByte/s) outgoing, set it to 900 or less. Then tune this setting by saturating the outgoing channel (run a long file upload to a fast server or similar) and at the same time running ping tests and observing the turnaround times. If the setting is too high, you will observe too many unacceptably long turnaround times. Reduce the Max Bandwidth setting until you are happy with the results. You may have to set it to as much as 33% under the actually achievable maximum data rate to achieve uniformly low ping times.

The settings for the 10 classes from Highest to E have the following meaning.

  • The left figure determines the guaranteed bandwidth (data throughput), which is distributed fairly to all connections in the class.
  • If the 10 figures in the left column add up to more than 100%, the router still works well, but it is difficult to predict the bandwidth distribution, so this is not recommended. On the other hand, you can have the figures add up to less than 100% without any problems, if you want to guarantee only low throughputs. Don't worry, the router will still allocate all remaining bandwidth as well.
  • The router determines the bandwidth for each class as follows.
  1. Each channel is allocated its guaranteed bandwidth (according to the left percentage figure).
  2. The router determines how much of the allocated bandwidth each channel actually uses and from that determines the remaining, unallocated bandwidth.
  3. After doing this for all channels, the remaining bandwidth, if any, is given to the class Highest.
  4. The router again determines how much bandwidth is actually used in the Highest class and how much still remains unused.
  5. This remaining bandwidth, if any, is given to the next lower class, High, and so on down through the classes, until all available bandwidth is allocated. All lower classes, for which no extra bandwidth remained, keep only their guaranteed bandwidth.
  6. The router regularly, in short intervals, repeats this procedure and reallocates the bandwidth according to changing demands.
  • This means, by the way, that the guaranteed bandwidth for the class Highest has no effect, as long as the total of the left column stays below 100%, as the Highest class is anyway getting all of the remaining bandwidth it can use. You can actually set it to None, as long as you make sure the remaining figures add up to less than 100%, so the Highest class effectively gets some guaranteed bandwidth (100% minus the total of the left column).
  • If you don't know which guaranteed bandwidths to set, simply distribute the 100% evenly. A good start is to set each of the first 5 classes to 20%, set Classes A to E to None and use only the first 5.
  • Note that the name of the 5th class, Lowest, is actually wrong and misleading, as the classes A to E are all lower in priority than the "Lowest" class. In fact, the lowest class is E. Often, using all classes will help to provide you with more information as to what is going on via the pie charts and details.
  • The right figure is an absolute bandwidth limit. Under no circumstances do the connections in this class get more data throughput than this. Unless you have a reason for absolute throttling of particular classes, leave this setting at 100% for all classes. You may use this to limit a class such as P2P, to prevent congestion, if it is taking an unreasonably large amount of bandwidth.

The Incoming settings in early versions of Tomato were rather different. The Maximum bandwidth setting was not an overall limit. It was just a figure used for calculating the class percentages. There were only limits on individual classes. You should use these carefully to prevent congestion on your incoming link. Note that limits work by dropping packets, forcing the TCP retransmission timers at the far end to back off, thus stabilizing the connections. Hence UDP can't be "limited". Be aware that because there is no overall limit, it is possible for the sum of the individual class limits to exceed 100%, so causing congestion. Therefore, it is often necessary to set incoming limits rather lower than we would like, making a tradeoff in throughput for low latency and better stability.

A better QOS Ingress system was first introduced in Toastman Tomato and has since been adopted by others. The incoming QOS operates in a similar manner to the outgoing QOS. Initial "reserved" class bandwidths and maximum class bandwidths are honoured. Individual class limits are now applied correctly. This firmware also has the ability to use your own names for the individual classes. A comprehensive set of QOS rules are included as examples for you to examine and tailor to your own requirements.

For more information on understanding and using QOS with examples, try this link:

DNS/DHCP Configuration edit

The tomato firmware runs Dnsmasq 2.55, "a lightweight, easy to configure DNS forwarder and DHCP server." Most of the configuration is supported by the tomato web interface. However, there may be situations where special configuration is required. The Dnsmasq command syntax applies to the configuration file - just remove the two dashes at the front. To add additional lines to the tomato dnsmasq.conf file, use the Advanced -> DHCP / DNS page of the tomato configuration, in the Dnsmasq Custom configuration section.

There are some examples of using this technique in the Menu Reference / Advanced section of this manual under the DHCP / DNS section as well as Tomato Firmware as DNS Server. An interesting use of Dnsmasq Customer configuration allows support of a device that is configured via DHCP but needs to point to a unique gateway device such as a VPN appliance. The instructions for accomplishing this are described in [Dnsmasq-discuss] Setting different default gateway by mac address. In my case, I wanted to assign a static IP as well. Rather than doing this through the tomato web interface, I added the following lines to the Dnsmasq Custom configuration. The first line defines the alternate gateway (the VPN appliance) while the second line associates the MAC address with the alternate gateway and the static IP.


Setting Up WDS Repeating edit

Standard terminology for a two router setup:

  • The client router is the router which does not have an internet connection.
  • The host router is the router which does have the internet connection and is going to share it with other routers.
  • To make troubleshooting easier, you can set client router's SSID to something different. Later you can set it to the same as the host router's SSID or leave it different.
  • Also, it is a good idea to turn off any encryption while setting up WDS repeating as it is known that some encryption methods prevent WDS from working correctly. You can re-enable it after you have things working properly.

Using WDS to extend your network will reduce throughput, as each unit has to first receive the data and then resend it over the wireless link. Each added unit in the chain makes matters worse. For best throughput always wire extra AP's with CAT5 cable.

Step-by-step Instructions edit

  1. For the client router, on the Basic -> Network page, in the LAN section:
    1. set the Router IP Address to a static IP in the range of the host router (e.g. if your host router's IP is, set your client router's IP to
    2. uncheck the DHCP Server to disable it (you can only have one DHCP server per network).
  2. For both the client router and the host router, on the Basic -> Network page, in the Wireless section:
    1. set the Channel to the same channel on both routers
    2. set the host router's Wireless Mode to Access Point + WDS
    3. set the client router's Wireless Mode to WDS
    4. set the WDS to Link With...
    5. on the host router, add the client router's Wireless MAC address to the first MAC Address field
    6. on the client router, add the host router's Wireless MAC address to the first MAC Address field

The above example sets up the client as a WDS repeater, but does not enable Wireless access on the client. To enable the client to serve as a WDS repeater and accept Wireless connections, set the client router's Wireless Mode to Access Point + WDS.

The Tomato FAQ on WDS documents an example with IP and Mac address samples for clarity.

Setting Up A Wired Access Point edit

In scenarios where extra WiFi coverage is required, without the loss of speed WDS suffers from, it maybe a good idea to setup a wired AP (access point). You could buy an off the shelf AP to improve coverage, or put an old router (capable of running tomato) to use.

Some terminology:

  • The router is, well the router, which has internet access you desire to extended the wireless coverage of.
  • The AP, or access point is the router which you will use to extend your WiFi coverage.

Instructions edit

With the access point (via a wired connection perferably):

  1. Restore the access point to default settings: Administration > Configuration under Restore Default Configuration select Erase all data in NVRAM memory (thorough) and press OK.
  2. Once the AP restores, navigate to Basic > Network and under WAN/Internet/MultiWAN from the Type dropdown box select Disabled.
  3. Check Use WAN port for LAN.
  4. Under LAN change the IP Address to an unused one on your network (ex:
  5. Ensure the Netmask has the same value as your router (typically and click OK.
  6. Set the Default Gateway to the IP address of your router and Save the settings (at the bottom of the page).
  7. Head to Advanced > DHCP/DNS and under DHCP/DNS Server (LAN) check Use user-entered gateway if WAN is disabled and Save the settings.
  8. Go back to Basic > Network, enter Static DNS values (for example as in your router) and under LAN uncheck DHCP and click OK.
  9. Under Wireless check Enable Wireless and set Wireless Mode to Access Point.
  10. Configure the rest of these settings under Wireless as they are on your router (for roaming) and Save the settings.
  11. Reboot the access point and connect the router to the access point via their LAN ports (typically yellow).
  Router <===LAN to LAN===> AP

That's it you're done.

Tools edit

  • WRT54 Script Generator (download): A little application that generates scripts for traffic shaping. This script generator's main purpose is to limit the bandwidth of users that are connected to WRT (for example, to share the connection in a fair way). The script shapes traffic on the LAN and the WLAN. QoS shapes outgoing traffic on the WAN (vlan1), so if you try to shape traffic on vlan1 you will destroy actual QoS.

Tuning edit

Tomato is extremely efficient and will dynamically unload modules, stop services and shutdown processes if certain features are no longer enabled. The following features, once disabled, will result in fewer running processes. Less running processes results in more free memory, less CPU load and faster boot times. In general, it is worth your time to disable unused features. For example, just enable HTTP or HTTPS web access, it is not necessary to have both enabled.

Of course, Tomato runs well with the entire gamut of functionality enabled.

  • CIFS
  • uPNP
  • Telnet Server
  • SSH Server
  • Syslog
  • DHCP Server
  • HTTP Web Administration
  • HTTPS Web Administration
  • Bandwidth Statistics
  • JFFS2 file system
  • L7 QoS Filtering ("Inbound Layer 7"??) [4]

USB Printing edit

There is a modified Tomato version with working USB Support. TomatoUSB also has an FTP server, Samba for network sharing, and a media server. It now has its own website:

If you are already running a Tomato distribution that supports USB printing such as Tomato USB you can follow these instructions: In TomatoUSB

  1. choose the "USB and NAS" menu -> "USB Support" page
  2. enable core USB support and USB Printer Support (if your printer does not show up, try enabling USB 1.1 support)
  3. save and reboot router
  4. return to the USB Support page. Your printer should be showing up, if not, click refresh.
  5. On Windows 7 go to "Devices & Printers" in the control panel
  6. Click "add a printer"
  7. click " Add a local printer" , Create a new port, choose "standard tcp/ip port", click next
  8. Input the IP address of your router ( by default)
  9. Click Next, wait while Windows searches for your printer. It probably won't find it, click next
  10. Choose Standard: "Network Print Server (1 Port - USB)", click next.
  11. Install drivers as appropriate

Bridging a Linksys WRT54G and Belkin 7230-4 Wirelessly edit

after many hours of searching and reading I found this, and it works. Connected wired to the belkin now and it is wirelessly linked to my buffalo running tomato which connects to my Cable Modem . Now I can ditch a long ugly CAT5 cable and can connect 4 wired devices and have improved signal strength for my wireless devices.

WRT54G JTAG To AVR Cable edit

a simple/free way to program one of Atmel's AVR microcontrollers for those that already have the WRT54G-style JTAG cable:

Miscellaneous Notes edit

  • Some NVRAM settings may not be compatible with other firmwares. It is ALWAYS recommended to erase NVRAM and reconfigure from scratch after flashing to or from this firmware. Failure to do so will often result in erratic behavior and instability.
  • You can enter a custom DDNS URL like the following: The "@IP" keyword is automatically replaced with the current IP address. Check with your DDNS provider for the exact format to use.
  • The BusyBox crond included in Tomato is a little different from the Vixie crond found in HyperWRT, DD-WRT, etc. To make it easier and safer to schedule a job, use the helper script called cru instead of manually changing the config file.
  • Some GUI settings, like refresh time, are saved as cookies by your web browser.
  • Linksys' password protected TFTP upgrade will not work with Tomato. If you need to use TFTP to upgrade the firmware, use the bootloader's TFTP upgrade feature.
  • If you're saving the bandwidth history, don't forget to backup the data to another location!

References edit

Menu Reference


To do:
Reformat: condense reliance on TOC entries use def'n lists and consider using tables for better readability. Should consider more use of tables as well.-- Wrlee (talk) 07:41, 31 July 2009 (UTC)


Top Level Menu Items

The following is a listing of all of the available menu options in the Tomato GUI, and their functions.

NOTE: As settings on a page are edited, the 'Save' button at bottom of page must be clicked before navigating to another page. Otherwise the newly entered settings are NOT saved.

Status edit

Provides information on the current condition of the router.

Overview edit

The Overview screen shows information on the current state of the router. It is organized into four sections:

Gives current overall system status.
Router name
Router make and model
System Time and Date
Total time the router has been up since the last reboot
CPU Load (1 / 5 / 15 mins)
CPU load average for 1, 5 and 15 minute intervals
Total / Free Memory
Total device memory in MB, free memory (unused + cache) in KB, Percentage of free memory  
The WAN screen gives information on the Wide Area Network (Internet) connection.
MAC Address
WAN (Internet) adapter MAC address
Connection Type
DHCP or Static
IP Address
WAN (Internet) IP Address
Subnet Mask
WAN (Internet) IP Netmask
Internet gateway address
lists WAN (Internet) DNS servers
TCP maximum transmission unit, or maximum packet size in bytes for WAN interface. See to find optimal setting.
whether the WAN (Internet) link is connected or not
Connection Uptime
total time that the connection has been up
Remaining Lease Time
total time remaining on DHCP lease from ISP
button to Renew DHCP IP address
button to Release DHCP IP address
Gives a summary of the settings related to the Local Area Network, and the MAC Address for the wired portion of the network.
Router MAC Address
Internal MAC address of the router, for LAN only
Router IP Address
The Static LAN IP address assigned to the router
Subnet Mask
The LAN Network Mask assigned to the router
The DHCP scope / range of addresses that can be assigned by the DHCP server
Gives information on the wireless portion of the Local Area Network.
MAC Address
The MAC address of the 802.11 wireless network interface
Wireless Mode
The operational role assigned to the wireless interface (e.g. - Access Point)
B/G Mode
802.11b and 802.11g protocol restrictions (e.g. - G only)
Displays enable/disable status of the wireless network interface
Displays the wireless SSID or Service Set Identifier, a string used to distinguish wireless networks from each other
Displays the current encryption algorithm used for wireless communications
Displays the current wireless channel and corresponding frequency (in GHz)
button that enables the wireless radio (grayed out when already enabled)
button that disables the wireless radio (grayed out when already disabled)

Device List edit

The Device List Provides a list of the current devices that have been assigned an IP address by the DHCP server. Devices are listed by Interface, which indicates where on the router they are connected:

  • br0 refers to Wired Ethernet (LAN) devices: these are connected to the router on the four Ethernet ports, either directly or via a hub or switch. Inactive wireless devices are also moved to br0.
  • eth1 refers to active Wireless Ethernet (WLAN) devices: these are connected to the router via the wireless radio.
  • vlan1 refers to your WAN (Internet) connection: the connection to the external Internet (Cable modem, DSL modem, or upstream router).

Logs edit

The Logs page allows you to view the Internal system logs (assuming Internal Logging is enabled - see Administration→Logging).

View Last 25 Lines
View most recent 25 lines of kernel log
View Last 50 Lines
View most recent 50 lines of kernel log
View Last 100 Lines
View most recent 100 lines of kernel log
View All
View entire kernel log
Download Log File
Download the kernel log to localhost
Search the kernel log for user-defined text string
Logging Configuration
See Administration→Logging

Bandwidth edit

Displays the Bandwidth of the Interfaces. They can be excluded at Administration→Bandwidth Monitoring

The Real-Time and Last 24 Hours charts are rendered with Scalable Vector Graphics (SVG), and require an SVG-enabled web browser. Mozilla Firefox, Google's Chrome, Apple's Safari 3 and Opera have SVG built-in. Microsoft Internet Explorer requires the SVG plugin from the Adobe SVG Viewer download area. The charts display an Interface Tab for each available router interface. Persistence of Interface Tab selection requires browser cookies to be enabled.

Charts share these controls:

  • Avg: Off, 2x, 4x, 6x, 8x : Number of samples to average, or no averaging.
  • Max: Uniform, Per IF : Graphs are scaled Uniformly to the max traffic value of all interfaces, or individually Per IF.
  • Display: Solid, Line : Selects a solid-filled "mountain" display or line only.
  • Color: Blue & Orange »: Selects trace pair color scheme
  • [reverse] : Toggles trace color order
  •  » Configure : Shortcut to Administration->Bandwidth Monitoring page.
  • Graph Legend toggle: Click on vertical text(left edge of graph) to toggle display of horizontal graph legends.
Automatically corrects as graph scale changes.
  • Cursor-tracking Readout (lower right edge of graph): when mouse cursor moves over graph, shows
Day of Week, Time, and Bandwidth usage at that point. Updates only when mouse moves.
Disappears after 5 intervals: 10 seconds in Real-Time, 10 minutes in Last 24 Hours, etc.
  • Mouse-click readout : Click anywhere on the graph to place a static readout.
Note: Does not update with graph movement or scaling.
The Real-Time Bandwidth section displays a chart, updated every two seconds, of the last 10 minutes of bandwidth used. Tabs at the top allow selection of the various interfaces for detail on the bandwidth for that interface.
Last 24 Hours
The Last 24 Hours section displays a chart, updated every two minutes, of the last 4/6/12/18/24 hours of bandwidth usage and the total data during the period. Tabs at the top allow selection of the various interfaces for detail on the bandwidth for that interface.
The Daily section displays a table with a row for each day showing download, upload and total bandwidth consumption. The default unit is GB (actually gigabinary (GiB) bytes), but can be changed to MB (MiB) or KB (kib).
The Weekly section displays a table with a row for each week showing download, upload and total bandwidth consumption. The default unit is GB (Gigabytes), but can be changed to MB or KB. The default week starting day is Sun (Sunday), but can be changed. An option to show Summary or Full data is available.
The Monthly section displays a table with a row for each month showing total bandwidth consumption and the difference in bandwidth usage compared to the previous month. The start date of the month can be changed at "Administration->Bandwidth Monitoring->First Day Of The Month" to match the start date of data counter of any particular Internet plan.

Tools edit

A collection of useful network tools to analyze and troubleshoot the LAN, WAN and/or Wireless networks connected to the router.

Ping edit

The Ping tool allows sending 'ping' packets to computers on the Internet to verify connectivity. Enter the domain (e.g. or IPV4 address (e.g. to ping, adjust the Ping Count or Packet Size as desired, and click [Ping]. Results are displayed after all pings complete. The default timeout is 2 seconds, with a 1 second delay between attempts.

the desired IP address or domain
Ping Count
total number of pings to attempt
Packet Size
length of data to send. 56 is the default. 1500 is a typical maximum.

Results Table

sequence number of ping attempt
(domain) (IP address)
RX Bytes
number of received bytes. 8 bytes more than 'Packet Size' is typical.
Time to Live - number of hops this packet is permitted to take before expiring.
RTT (ms)
Round Trip Time in milliseconds.
+/- (ms)
Jitter: difference in RTT from prior measurement.


<minimum time> min, <average time> avg, <maximum time> max (ms)
<Ping Count> transmitted, <Seq - 1> received, <percentage>% lost

Trace edit

The Trace tool allows you to perform a TRACERT (Trace Route) from your router to any Internet server. Enter the domain or IP address to trace to, and optionally the maximum hops and/or wait times, and click [TRACE]. Results are displayed when the trace is complete. This may take hops*wait-times before being displayed.

the desired IP address or domain
Maximum Hops
total number of nodes to attempt
Maximum Wait Time (per hop)
number of seconds to wait for each hop

Results Table

sequence number of this hop
domain (IP address)
Min (ms)
shortest ping time found for this hop
Max (ms)
longest ping time found for this hop
Avg (ms)
Five traces are performed to produce the average time displayed.
+/- (ms)
Jitter: average differences in RTT from prior measurements.

Wireless Site Survey edit

The Wireless Site Survey tool scans the wireless frequencies accessible to eth1 and reports a table of wireless devices. The Last Seen time stamp, SSID, BSSID (MAC address), RSSI, Noise, Quality rating (1-100), Channel, Capabilities and Rates are displayed.

Table Content

Last Seen
Time stamp of most recent network detection.
Service Set Identifier – remote-assigned network name.
MAC address of remote network device.
Relative Signal Strength (dBm).
Detected noise floor (dBm).
Derived channel signal quality estimate (1-100, 100=best).
Operating channel of remote network device.
List of protocol modifiers available.
List of available bit rates.

WOL (Wake on LAN) edit

The WOL tool allows you to send Wake-on-LAN (WOL) packets to computers on your network. A table of known MAC addresses is displayed so that individual WOL targets can be quickly selected, or user-defined MAC addresses can be entered in a data field.

Table Content

MAC Address
IP Address
MAC Address List
Enter any MAC address you want in this box and click Wake Up to attempt to wake that machine.
Wake up
Wake up the computer(s) with the MAC address(es) you have entered in the above box.

Alternatively, you can add a static DHCP entry for ff:ff:ff:ff:ff:ff and (the ip can be anything you want). And forward udp port 9 (the port can also be anything you want) to In this case, make sure .254 isn't in the range of your DHCP. (Note, this trick will work on any router which you can get shell access to via arp -s ff:ff:ff:ff:ff:ff

Through ssh/telnet interface you can also issue ether-wake command. Remote SSH enables wakeup via
ssh root@yourwrt 'ether-wake mac-address'
as it can be difficult to get a WOL packet through the NAT.

Basic edit

Controls the most basic settings for the router.

Network edit

The Network section allows you to set up the Internet / Wide Area Network (WAN) connection that the router uses, the basic parameters of the Local Area Network (LAN) the basic Wireless radio parameters.

WAN / Internet edit

Specifies how your router should connect to the Internet. Normally, this is done via an Ethernet cable connected from the WAN/Internet port to a Cable or DSL Modem.

Specifies the type of connection used. The rest of the parameters in this section are dependent on this connection type.
WAN Connection Types
Common Name Description
DHCP Get WAN IP assignment from DHCP server. The default for most Cable modems is "DHCP", meaning that the router simply talks to your cable modem and is automatically assigned an IP address and other connection data.
PPPoE DSL connections generally use PPPoE, which usually requires a username and password (provided by your DSL provider). Leave "Service Name" blank unless your provider requires one otherwise you won't be able to connect.
Static Manually set a static IP address.
PPTP Connect to VPN server via PPTP
L2TP Connect VPN server via L2TP (e.g., Cisco)
Disabled No connection to an Internet stream is handled.

LAN edit

Controls setup of the Local area Network (LAN), which includes settings for wired and wireless clients connected to the router.

Router IP Address
The IP address assigned to the router on the LAN. Default is
Subnet Mask
The default of means that anything starting in the first three numbers as the router (default 192.168.1.x) is assumed to be on the Local Network. Making this too broad means that some Internet servers may be inaccessible.
Static DNS
Allows you to list a series of DNS servers manually (as opposed to getting them from your Internet Service Provider). Useful if your ISP's DNS servers are slow or unreliable, or if you prefer a different one.

DHCP Server edit

Dynamic Host Configuration Protocol (DHCP) is a protocol used by networked computers (clients) to obtain IP addresses. Use this to control the IP addresses that your router hands out to computers connected to the Wired or Wireless Local Network. If checked, the router will hand out addresses within the range specified. You may also customize the amount of time before computers on the LAN will renew their IP addresses (the Lease Time) and specify a Windows Internet Name Service (WINS) server if you use WINS.

Wireless edit

Controls the connection over the Wireless Local Area Network.

Enable Wireless
If checked, Wireless access will be allowed.
MAC Address
Displays the MAC address assigned to the Wireless radio on the router.
Wireless Mode
Wireless Mode Selections
Selection Description
Access Point The normal setting which allows clients to connect to this router wirelessly.
Access Point + WDS Sets the router in "repeater mode," allowing clients to connect wirelessly while simultaneously acting as a Wireless Distribution System (WDS) base station.
Wireless Client
Wireless Ethernet Bridge This allows it to connect to another gateway router while still keeping all computers connected to both routers in the same subnet. Note: As of version 1.19 - Wireless Bridge must be set to WPA
WDS Serve as a Wireless Distribution System (WDS) base station only.

Note: If the router is used as a wireless client or Wireless Ethernet Bridge, it cannot be used as an access point at the same time.

B/G Mode
This may be Mixed (B+G), B-Only (restricted to 802.11b), or G-Only (restricted to 802.11g). If you set this to B-Only or G-Only, connection attempts from the other protocol may be seen as interference. Recommend leaving this set to "Mixed".
Wireless router identifier. Allows you to uniquely identify your router and differentiate it from other routers in range.
If checked, the SSID will be broadcast, allowing the router to be found more easily. Disabling this is a very limited security measure. Casual scans will not be able to find the router, but anyone running sniffing software can easily find it.
The 2.4xxGhz range channel used by the router, from channel 1-14 (2.412 – 2.484 GHz). It's interesting to know that most routers default at 6 or 11 and surprisingly few people change them. It's noted that channel 14 is forbidden in most countries. Channels above 11 are not licensed to use in North America. See List of WLAN channels at Wikipedia for details.
The "scan" button on that page (simple result) or Tools -> Wireless Survey (detailed result) will detect any other access points in range, completing in about 10 seconds. Choose the frequency that is the furthest from any other frequency in use.
The "scan" button fills out a table like this example, in the format of (n AP / strongest "xxx" -n dBm). n = number. xxx = SSID.
  • n AP means how many other wireless networks are found in your surroundings.
  • strongest "xxx" -n dBm means the wireless network which has the strongest signal around you (the lower the dBm, the weaker. Note that dBm is indicated as a negative value). Normally -80dBm and below is considered 'unacceptable' signal level and is too weak for most radio equipment.
Allows you to secure your wireless connections.
  • Disabled means all connections are unencrypted and anyone can read traffic.
  • WEP (Wired Equivalent Privacy) is the oldest Wi-Fi security framework which some older devices only support it. While better than nothing, it is very easily broken (a few minutes to crack it).
    • Tip: If you must use WEP because a device doesn't support WPA/WPA2, go to Basic -> Wireless Filter. Click on "Permit Only the Following Clients" - only clients which match the MAC address can access to your wireless network. It isn't really safe, but better than nothing.
  • WPA personal/enterprise (WPA = Wi-Fi Protected Access) is more secure than WEP but only newer devices support it. Choose personal if you are a home user. Choose AES for encryption algorithm. TKIP has exploits and is crackable. Use very long (20-63 characters) and an unguessably random passphrase. Don't be worried about forgetting your passphrase since you only need to enter once per device.
  • WPA2 personal/enterprise improves upon WPA and is currently the most secure encryption protocol but only newer devices support it. See WPA for other details.
  • Radius Remote Authentication Dial In User Service
Notes: Security can be increased slightly by limiting the number of wireless clients which can connect to your router. It's located at Advanced --> Wireless -> "Maximum Clients" option.

Identification edit

Router Name
Allows the router name to be changed. This appears on login and administration screens.
Use if your ISP or connection requires it.
Domain Name
Use if your ISP or connection requires it.

Time edit

Router Time
Displays current router time.
Time Zone
Tell the router which time zone you are in so it can adjust to local time. If you set this to Custom, you can enter a string that allows you to customize a time zone.
  • Auto Daylight Saving Time: If checked, the router will compensate for Daylight Saving Time. If not, it will always use Standard Time.
Auto Update Time
How often the router connects to a Network Time Protocol (NTP) server to update its internal clock. If the router time is not updated automatically, make sure you have a working DNS in Basic:Network, otherwise the router will not be able to resolve the NTP address.
  • Trigger Connect On Demand: If checked, the router will force a connection as needed to update time. If not checked, the router will only check time if a connection to the Internet is already established.
  • NTP Time Servers: List of NTP servers to use to update the time.

NTP Time Servers may request that Tomato block them from being used in the future. If this happens, Tomato will display the following message: "The following NTP servers have been automatically blocked by request from the server: XXX.XXX.XXX.XXX."

DDNS edit

Dynamic DNS, a special DNS registry/server that can be updated on frequent IP address shuffles. Instead of having to know your IP address each time it changes, a computer on your network can run a special network program that submits your updated IP address, which you can then refer to via a standard URL issued by your DDNS provider. Most DDNS providers offer a free personal account for you to use.

As an alternative to running an application on one of your PCs, Tomato provides a built-in DDNS client right in the firmware that supports a number of DDNS providers. From the main menu, select "Basic" then "DDNS".

For most DDNS providers, you simply select the provider from the pull-down list, and enter your username, password, and hostname. Detailed instructions on operating each DDNS provider's account can be found at their web site.

DDNS can be used to permit web access to the router for system administration purposes.

Dynamic DNS edit

IP Address
IP Address Selections
Selection Description
Use WAN IP Address (recommended) The normal setting which obtains the WAN address from the WAN login/connection process. If this proves unreliable, try Use External IP Address Checker option.
Use External IP Address Checker (every 10 minutes) Obtains the WAN address from the remote DDNS provider.
Offline ( Reports the router as offline with a 0 IP address.
Offline ( Reports the router as offline with a IP address.
Offline ( Reports the router as offline with a IP address.
Custom IP address (enter address in open field) Reports the router WAN address as entered.
Auto Refresh Every (number) Days (0 = disable)
Sends a WAN IP Update report by default every chosen number of days. In the event that your WAN IP address is infrequently changed, this acts as a "keep alive" for some Dynamic DNS services, to avoid suspension of service due to disuse. A value of 0 disables Auto Refresh.

Dynamic DNS 1 edit

A list of available Dynamic DNS Providers, or Custom URL. Each provider requires establishment of an account, and compliance with their terms of use, before accessing their service.
URL of the selected DDNS provider, for administrative purposes.
your login ID for the selected DDNS provider.
your password for the selected DDNS provider.
Force next update [ ]
checkbox to force the next WAN IP update to the selected DDNS provider. Too-frequent forced updates may result in suspension of service.
Last IP Address
most recent IP address uploaded to the DDNS provider.
Last result
status of last DDNS update

Dynamic DNS 2 edit

See above.

Note: for each Dynamic DNS provider, refresh or touch the IP Address selection to fill out the form.

Static DHCP edit

This is a simple way to ensure that each of the client hardware devices that connects to your Tomato router gets the same IP address and hostname each time. Simply enter the MAC address for your device (which you can find on the "Device List"), and enter your preferred IP address.

Generally, it's best to use an IP address that is within the subnet range for your Tomato router, but outside the normal DHCP assignment range. In other words, use an address that starts with the same three numbers (default 192.168.1.x) as your router, but has a fourth number that is not likely to be assigned to any clients by the normal DHCP settings.

For multiple hostnames for the same IP address (e.g., the server should be known as both "galaxy" and "mail"), separate them in the hostname field with a space. Use a hyphen for a single, multi-word hostname like "My-PC".

If a computer has multiple network devices (wired vs Wi-Fi, for instance) with different MAC addresses, there is no way to assign the same hostname to both devices, as would be the case if Tomato respected the computer's own hostname. You will get a "Duplicate name" error.

If you have the DHCP server set to assign IP addresses in the range of to, for example, good choices for Static DHCP assignments would be either in the - range, or -

An easy way to add an IP address to the Static DHCP list, is to go to the "Device List" and click on the IP address of the device you want to make Static. This will take you to the Static DHCP function and all you need to do is edit the device name (optional) and click "Add". (don't forget to click "Save" to commit).

Tomato originally supported 50 entries, this has been increased to 100.

Wireless Filter edit

The Wireless Filter allows you to configure which wireless equipped computers may or may not communicate with the router depending on their MAC addresses. If it is set up as an AP, bear in mind that all AP's need the same setup. This may be inconvenient. You may want to use "Access restriction" on the main router which will apply to all users on all AP's.

100 rules are presently supported.

While a decent basic security measure, understand that all MAC addresses are transmitted in cleartext, and may be intercepted. This should not be used as a primary means of security.

Advanced edit

Conntrack / Netfilter edit

Adjustments for the number of connections and persistence for each connection in the Network Address Translation (NAT) table.

Maximum Connections
The maximum number of connections the router can hold. Default value in teddy_bear's mod is 4096.
TCP Timeout
Control different aspects of TCP Timeout. Read The TCP/IP Guide - TCP Connection Termination for details.
The wait time for established connections before the connection is forgotten and removed from the NAT table. Default value in teddy_bear's mod is 1200.
SYN Sent
The meaning of SYN Sent and its implications can be found here. Default value in official tomato and teddy_bear's mod is 120.
SYN Received
???. Default value in official tomato and teddy_bear's mod is 60.
FIN Wait
???. Default value in official tomato and teddy_bear's mod is 120.
Time Wait
???. Default value in official tomato and teddy_bear's mod is 120. If you appears to have too many connections in time wait, read lot of connections in Time_wait.
Advantages of decreasing TCP Time Wait interval from the default include:
  • more rapid recovery of system resources associated with sockets
  • more connections can be handled
  • less memory consumption
Disadvantages of decreasing TCP Time Wait interval include:
  • more CPU time spent in recovering connections
  • there is a possibility that data loss can occur without notification if set too low
  • connections could be refused if old duplicate SYN segments exist
  • the connection cannot be re-used (new SYN)
???. Default value in official tomato and teddy_bear's mod is 10.
Close Wait
???. Default value in official tomato and teddy_bear's mod is 60.
Last ACK
???. Default value in official tomato and teddy_bear's mod is 30.
UDP Timeout
???. Default value in official tomato and teddy_bear's mod is 30.
???. Default value in official tomato and teddy_bear's mod is 180.
Other Timeouts
???. Default value in teddy_bear's mod is 600.
???. Default value in teddy_bear's mod is 30.
Tracking / NAT Helpers
File Transfer Protocol. 40-years-old and still common. Default value is checked.
Point-to-Point-Tunneling-Protocol. For virtual private network (VPN) connections. Default value is unchecked.
Protocol primarily used for Voice Over IP (VOIP) and videoconferencing. Default value is checked.
Real Time Streaming Protocol. Used for the control stream for streaming media. Default value is checked.
TTL Adjust
???. Default value is none.
Inbound Layer 7
This L7 matches inbound traffic, caches the results, then the L7 outbound should read the cached result and set the appropriate marks[1]. Default value is checked.

Usage notes edit

This is mostly relevant for people who use P2P or other connection-intensive applications on their Internet connections. The connection table has a finite number of entries, and if the entries are all used up, the router cannot make new connections. The only way to free up an entry is to gracefully terminate a connection (normal), or to have one time out. Since P2P applications rarely drop connections gracefully, they need to depend on the router to time out their connections for them.

The most important settings are:

  • Maximum Connections
    • Increasing this may slow down the router slightly. 4,096 is probably a good maximum value.
    • Keeping this too low may eventually result in running out of entries. The default of 2,048 is probably a good minimum value.
    • Clicking on count current next to the input field will tell you how many entries you are currently using.
    • Before increasing this field, consider using the TCP Timeout (below) to recycle existing connections faster, rather than increasing the number of connections.
  • TCP Timeout: Established
    • This is the amount of time that an established connection will be maintained after its last activity.
    • Setting this too low will cause active TELNET / FTP connections to be dropped unless you have a keepalive to keep data flowing over the connection.
    • Setting this too high will cause old connections to be retained, wasting entries in the NAT table.
    • Four Hours (14,400 seconds) is a decent compromise, but you have to choose a value that balances retaining valid connections versus killing old ones. In a non-P2P environment, you can set this to several days without any problems (the Linksys default for this is FIVE DAYS, which is why many Linksys routers don't do well for P2P).

Most of the remaining settings would generally be used pretty rarely, and are probably present for adjustment by advanced users who might need to tweak their network settings.

Many sites recommend adjusting these values using a script such as this one:

echo 4096 > /proc/sys/net/ipv4/ip_conntrack_max
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
echo "600 1800 120 60 120 120 10 60 30 120" > /proc/sys/net/ipv4/ip_conntrack_tcp_timeouts

However, the two settings in the GUI listed above will accomplish everything the oft-published scripts claim to do, with less effort. Specifically, the Established TCP Timeout setting replaces the "1800" in the last line of the script, and the ip_conntrack_max number is controlled by the Maximum Connections setting. The gc_thresh settings are not really useful, it's better to let Tomato use its defaults for thresholds.

DHCP / DNS edit

DHCP / DNS Server (LAN) edit

  • Use Internal DNS (Default: on): Allows Dnsmasq to be your DNS server at the Router IP Address (typically DNS is cached in Tomato firmware. DHCP clients will receive the router IP address as the DNS server.
  • Use Received DNS With Static DNS (Default: off): If unticked, DNS from your ISP servers are ignored if you've entered static ones specified on the Basic > Network page. If ticked, if your WAN obtains a DHCP address from the ISP it also gets a DNS from the ISP. This option allows the router to use together both the ISP assigned DNS and the static DNS server(s) specified on the Basic > Network page.
    If you have static DNS entries, "" will add any name servers received from your service provider.
    You may also consider adding "strict-order" (without quotes) in the "Dnsmasq Custom Configuration" box. This forces Dnsmasq to send DNS queries to servers strictly in the order that they appear in the resolve file. This is useful if you are using services such as OpenDNS but still want to use your ISP's server(s) as a backup. Without this setting your ISP's DNS server(s) will tend to be favored.
    You can view these changes in the resolve file at "/etc/resolv.dnsmasq".
  • Intercept DNS port (UDP 53) (Default: off): When enabled, anything going out to UDP port 53 is redirected to Dnsmasq. This prevents bypassing parental controls. It may be helpful when used with OpenDNS for parental control.
    Another use of this intercept is with VPN client software in combination with the "Use internal DNS. Typically, VPN client software will 'tunnel' non-routable IP addresses such as which will bypass the router and cause DNS failure. Instead, you can change the client's DNS address to any bogus routable IP address to prevent the VPN client from tunneling DNS requests and let the router intercept them. This works whether or not the VPN client software is active.
  • Use user-entered gateway if WAN is disabled (Default: off): This setting is useful if you are using your Tomato device's DHCP and/or DNS servers, but are not using it as a gateway to the WAN (i.e. the internet). If some other device is performing that function (usually with NAT or similar functionality), you want Tomato's DHCP server to instruct clients that they should use that other device as their default gateway in their routing tables. If that is the case, enable this checkbox and be sure the Default Gateway is set under Network / Basic.
  • Maximum active DHCP leases (Default: 255): ???
  • Static lease time (Default: Same as normal lease time): ???
  • Dnsmasq Custom configuration (Default: blank): ???
    Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP server. Adding "stop-dns-rebind" (without quotes) into the "Dnsmasq Custom Configuration" box prevents DNS Rebinding attacks. This does not negate the need for a strong password however.

DHCP Client (WAN) edit

  • Reduce packet size (Default: off): ???

Firewall edit

Settings to configure some basic aspects of the router's firewall.

  • Respond To Inbound Ping: If checked the router will respond to ping requests from on the WAN interface. If unchecked, the router will not respond to pings from the WAN. Default value is unchecked.
  • Allow Multicast: If checked, the router will allow multicast packets to reach the LAN. Otherwise it will block multicast packets from reaching the LAN. Default value is unchecked.
  • Enable NAT Loopback: If checked, the router allows LAN devices to reach other LAN devices via the router's WAN IP address and a properly configured port forward. If unchecked, LAN devices can only contact other LAN devices via their local IP addresses. Default value is Forwarded only. Edit: Tomato Firmware v1.21.1515 - There is no option to check to enable NAT loopback. You may only choose between 'all, 'forward only' and 'disable',
  • SYN Cookies: Activates SYN cookies. Default value is unchecked.

MAC Address edit

This sets the hardware address that is seen from the ISP. Some ISPs are set up to only accept the original network card you had when you first started service. Others simply have the modem set to only allow one HW address per boot, so try resetting your modem after changing this. For some cable internet service providers, changing the MAC address seen by the cable modem is a good way to request a new IP address if required.

Miscellaneous edit

  • Boot wait time specifies the length of time the router will pause during startup, before attempting to load the firmware. This pause represents a period where a new firmware can be flashed to the router via TFTP, if the firmware on the flash chip has been corrupted. Default value is 5 seconds.
  • WAN Port Speed specifies the speed and duplex setting for the WAN interface port. Default value is Auto.

Routing edit

  • Current Routing Table: Shows your current routing table.
  • Static Routing Table: Allows you to add static routing entries if you have more than 1 router on your network.
  • Miscellaneous
    • Mode: Options available are Gateway and Router.
      Gateway = Don't let WAN traffic access the LAN, except through port forwarding or DMZ. (Required mode for PPPoE connections connected through WAN port to a bridged ADSL modem.)
      Router (Default) = Turn off these features and NAT. (May be incorrect on details, but this is the idea)
    • RIP v1 & v2: See RIP v1 and RIP v2 (It's not clear if this is for sending or receiving or both). Default value is disabled.
    • Efficient Multicast Forwarding: Default is unchecked.
    • DHCP Routes: Default is checked.
    • Spanning-Tree Protocol: If checked, enables the IEEE 802.1d spanning tree protocol for detecting and resolving loops in your internal network. (Switch A plugged into Switch B plugged into Switch C plugged into Switch A.). Default value is unchecked.

Wireless edit

Controls advanced settings for the connection over the Wireless Local Area Network. Please note that some of these settings do not exist in traditional Tomato Version 1.28 and prior.

  • Afterburner: Broadcom Afterburner is a 802.11g Standards Enhancement to provide additional speed for home wireless networks while remaining compatible with all Wi-Fi CERTIFIED™ 802.11b/g Products. When enabled, it allows 125 Mbps mode.
  • AP Isolation: A prime example would be like in a hotspot (e.g. coffeeshop like Starbucks, hotels) wherein a lot of computers connect randomly to the network. Since all computers are connected to 1 single network there is a possibility that they could access each other which may result in unwanted hacking. AP isolation will help prevent this by making each and every single computer a separate entity on their own. When enabled, the router prevents wireless devices from communicating with each other. If disabled, the unit will switch traffic from one wireless client to another.
  • Authentication Type: Controls whether clients must use shared keys to authenticate. This setting is disabled (i.e. forced) in some security modes.
  • Basic Rate: Sets mandatory rate list transmitted by the AP which must be supported in order to connect. Some old 802.11b clients can only connect if this is set to 1-2Mbps.
  • Beacon Interval: Sets the amount of time between beacon transmissions in milliseconds. A longer interval can save power on sleeping clients, and a shorter interval can improve connectivity in poor reception situations.
  • CTS Protection Mode: When set to Auto, enables a mode which ensures 802.11b devices can connect when many 802.11g devices are present.
  • Regulatory Mode: Enables watching for services that have priority use of wireless bands shared with WiFi, such as aircraft radar. Enabling this function can cause compatibility issues with WiFi clients, so it is normally turned off.
  • Country / Region: Select the current country where the access point is in. This ensures that local regulation regarding channel usage and maximum output power are observed.
  • Bluetooth Coexistence: Router will attempt to share airtime with Bluetooth devices to improve performance of both classes. May have no effect if Bluetooth devices are older and do not "cooperate."
  • Distance / ACK Timing: Sets the approximate maximum distance in meters from which clients can connect. May be useful in preventing distant "cantenna leeches" from connecting. It will not prevent snooping, however. Setting to 0 disables this function.
  • DTIM Interval: Sets the amount of time in milliseconds between Delivery Traffic Indication Messages, which tells a client in power-saving mode when to expect the next broadcast message.
  • Fragmentation Threshold: Sets the maximum packet size in bytes before fragmenting it into multiple packets. Increasing this value may help in high packet error rate situations. Making this value too small will reduce network performance.
  • Frame Burst: Enables frame burst mode which increases throughput, but is only recommended for 1-3 wireless clients. Enabling with many connected clients can result in lower performance.
  • Maximum Clients: Sets the maximum number of wireless clients that can connect at once.
  • Multicast Rate: Sets the signalling rate used for multicasting.
  • Preamble: Selects long or short preamble for 802.11b. Short will increase throughput, but some older 802.11b devices require the long preamble.
  • 802.11n Preamble: By default, 802.11n operates in "mixed" mode which transmits a radio preamble and signal field that can be decoded by 802.11a and 802.11g radios. 802.11n Wi-Fi networks have an optional "greenfield" mode that improves efficiency by eliminating support for 802.11a/b/g devices. However, enabling this mode can cause throughput issues on some 802.11n network devices that are not fully compatible with the 802.11n standard.
  • RTS Threshold: Sets the minimum packet size in bytes which triggers Request to Send/Clear to Send signalling. A number higher than the Fragmentation Threshold effectively disables this function. It is normally not needed but may be useful in adverse conditions.
  • Receive Antenna: Selects which antenna is used for receiving. These settings are primarily useful for external antennas. Single antenna units should be set to Auto.
  • Transmit Antenna: Selects which antenna is used for transmitting.
  • Transmit Power: Sets the transmit power in milliwatts.
    • Tomato default is 42mW.
    • High settings may cause non-linearity in the transmitter causing loss of data, interference to other users and channels, and a high "noise floor".
    • High setting may overheat and shorten the life of the transmitter.
    • Based on the results of testing reported on the forum[5], the maximum actual broadcast power is achieved with a setting around 64 mW in Tomato (or DD-WRT).
    • Settings as high as 84 mW have reportedly been used without harm to the hardware.
  • Interference Mitigation: Sets the wireless interference mitigation mode. It seems that the "WLAN Auto" selection works better in most cases, but you may try to disable the mitigation if you experience wireless stability issues. This "feature" has been responsible for much instability and poor throughput.
    • Select "None" if you have no other electronic devices around that may cause an interference.
    • Use "Non-WLAN" if the primary source of interference in your area are non-WLAN electronic devices, such as cordless phones, microwaves etc.
    • "WLAN Manual" activates interference mitigation against other Wireless LAN APs.
    • "WLAN Auto" is similar to "WLAN Manual", but it only activates mitigation if it actually can see other wireless APs transmitting at the time.
  • WMM: Wi-Fi Multimedia (WMM) is a Wi-Fi Alliance interoperability certification, based on the IEEE 802.11e standard. It provides basic Quality of service (QoS) features to IEEE 802.11 networks. WMM prioritizes wireless traffic according to four Access Categories (AC) - voice, video, best effort, and background. However, it does not provide guaranteed throughput. It is suitable for simple applications that require QoS, such as Voice over IP (VoIP) on Wi-Fi phones. Operation is limited to the local network, there is no implied QOS over the Internet. This feature must be enabled for iPhones and iPads to connect in 802.11n mode.
  • No ACK: Controls whether WMM packets require acknowledgment. Enabled sets No Acknowledgment which allows higher throughput and lower latency when some packet loss is acceptable (i.e. for VoIP).
  • APSD Mode: Automatic Power Save Delivery is a more efficient power management method than legacy 802.11 Power Save Polling. Most newer 802.11 stations already support a power management mechanism similar to APSD. APSD is very useful for a VoIP phone, as data rates are roughly the same in both directions. Whenever Voice data are sent to the Access Point, the Access Point is triggered to send the buffered Voice data in the other direction. After that the Voice over IP phone enters doze state until next Voice data have to be sent to the Access Point.

VLAN edit

Allows the creation and modification of VLANs along with their associated ports.

When modifying VLANs some VLAN port associations may reset on reboot. If this is the case please run the following commands, under Tools > System Commands, by pasting it in the Command field and clicking Execute.

nvram set manual_boot_nv=1
nvram commit

Port Forwarding edit

Once you have set up your router you will have your own Local Area Network (LAN) managed by the router. You inevitably will have many devices connected to your LAN all using the same internet connection. This causes a problem because different devices on your LAN will need specific data that is coming in from (or going out to) the internet.

Port Forwarding allows your router to control the flow of data to and from the internet, and make sure the router knows which device (ie computer, webcam, VoIP telephone etc) connected to your LAN sent/requested/needs each packet of data. Usually packets coming in from the Internet will be in response to some request that one of your devices connected to your LAN has made (ie a VoIP phone making a request to connect a telephone call) . In these cases, the router keeps track of which device made the request, and forwards the response back to that same device.

Sometimes however, as in the case of "Server" applications (such as you hosting your own website on a PC within your LAN) requests come in from random locations on the Internet, and you need to tell the router which computer is running the “server” so that these random requests can be routed to the correct computer. This is generally done by telling the router that any "unsolicited packets" (packets that are not a response to a request from a local computer) on a specific port or list of ports should be forwarded to a specific computer on the network.

Finally, there are also "thief jiggling the handle" connections from random corners of the internet. Locking those out is another job of the router.

There are a few ways to set this up.

Basic edit

Allows you to specify simple port forwarding where all packets received on the specified External Ports will be routed to the specified Internal Address. e.g., you can forward all incoming data on ports 5060 and 5061 (used for SIP protocol to initiate a VoIP telephone call) to your VoIP telephone.

Optionally, you can change the local port by specifying Int Port. This is also known as Port Redirection. This technique is handy, for example, if you have two web servers. Both could be listening on the default port (80), but the router could be set to forward received packets on Internet Port 80 to Port 80 on the first web server, and packets on Internet Port 81 to Port 80 on the second web server.

The "External Ports" box can contain a single port (ie 8080) or a range of ports (5060:5061). The "Int Port" can be left blank. The "Internal Address" is the IP address of the device on your LAN (ie

The Tomato Firmware GUI can take up to 50 entries for basic port forwarding.

DMZ edit

DMZ, or Demilitarized Zone, allows you to specify one device on your network that will receive all unsolicited packets from the Internet. This can be handy for devices that need largely unrestricted access to the Internet, or for a Web/email server. However, this bypasses all firewall functions of the router for this device, so be sure the device is very well secured. The current firmware version implements source restrictions based on IP-addresses.

If you want to transparently access the DMZ computer from your internal network, then you will need to check Enable NAT Loopback and set it to to All in "Firewall" page under "Advanced". If this is not set, then you will not be able to reach the DMZ computer using the external IP address when using the internal network. In this case, only the DMZ computer will only be reachable on its internal IP address from the internal network, meaning that the external IP address will point to the router on the internal network.

Triggered edit

Port Triggering is an on-demand port forward. The router will look for an outbound connection on a specified port, and will forward all of the requested ports to whatever computer initiated the outbound connection.

Under the Trigger Ports, you would enter a list of the ports that your computer will use to initiate the forwarding. Then you specify the ports you want to forward to that computer under Forwarded Ports. Any computer that sends outbound packets on any of the ports listed in Trigger Ports will then have all unsolicited packets received from the Internet on the Forwarded Ports sent to it.

UPnP / NAT-PMP edit

Universal Plug and Play (UPnP) allows devices on your network to set their own port forwards. A computer running a web server, for example, can tell the router to forward all communications on port 80 and/or 443 to it. UPnP allows your local devices to add, delete, and update port forwards at will. Often this is the only way for applications on a client machine to obtain a connection to the remote server.

Only 25 UPnP connections are presently supported.

There are some security disadvantages to UPnP, such as a trojan horse or other "bad" software package being able to forward ports to a given machine so the malware can use your computer as an Internet server. However, there are also security advantages to UPnP, since any well-behaved UPnP application will request cancellation of its forwarded ports when it shuts down or no longer needs them. This reduces the number of unneeded forwarded ports. Currently, forwarded ports which have not been terminated by an application after it has closed are not automatically closed by Tomato.

QoS — Quality of Service edit

QoS, or Quality of Service, allows you to prioritize data, slowing down less important data to allow more important data to get through first.

This is primarily useful for outbound data (data going from your computers to the Internet). Inbound data cannot be prioritized effectively because it has already passed through the bottleneck (your Internet connection) by the time the router has a chance to evaluate it.

QoS in Tomato has ten levels of priority. HIGHEST will always get the very highest priority (use sparingly) and CLASS-E (labeled as E) is the lowest-priority class. If the upstream bandwidth becomes over-saturated (more packets want to go out than the connection can send), lower-priority packets will be delayed (and possibly eventually discarded) to make room for higher-priority packets.

If you like to go more into details of traffic shaping try the WRT54 Script Generator as an extension to the current QoS implementation (see Tools for details).

Note: QoS works by having fixed maximum inbound and outbound bandwidths, and then allocating that bandwidth based on packet priorities. This means that the firmware will NEVER allow more than the configured bandwidths. Even if your service provider allows more (either temporarily as a "speed boost" feature, or permanently as a service upgrade) you will still be restricted to the configured bandwidth. If you need the highest possible bandwidth at all times you may wish to leave QoS disabled.

Basic Settings edit

Enable QoS
If checked, QoS will be enabled. If not checked, QoS will be disabled.
Prioritize ACK
Prioritizes the sending of ACK (Acknowledgment) packets. Recommended: Checked (on).
Prioritize ICMP
Prioritizes Internet Control Message Protocol packets (PING replies, etc).
Reset Classification when making changes
If checked, all connections will be reevaluated when a change is made to the QoS rules. If not checked, you may need to restart each application on your PC to re-establish each connection before the rule is applied to that connection.
Default Class
This is simply the "catch-all" classification when no rules are found for a connection.
If a connection does not meet any of the QoS criteria, it will default to the specified class. If you have a high-priority service (such as VoIP) and a low-priority one (such as P2P), your best bet is to set this to MEDIUM or LOW, then try to classify all of your high priority stuff above this classification, and your low priority stuff below it.
QOS is not easy to apply with P2P as even L7 filters do not work particularly well. An approach which generally works well with P2P is to set your default class to "lowest" and then address all other desired rules in classes above this. P2P will "fall" though all of the filters and end up in the default "lowest" class. This way, you don't have to use several different filters in an attempt to capture all of the possible P2P traffic.
Max Bandwidth
One of the major limitations of QoS in most Linksys routers is their inability to determine the upstream speed of the Internet connection. This is true of many router models. The most effective way to tune QoS is to do an Internet speed test with QoS turned off. Then enter about 90% of the tested upstream (upload) bandwidth into the Max Bandwidth field. This will allow the router to properly determine how much bandwidth is available and prioritize packets accordingly. A more detailed explanation of this (targeted for Vonage VoIP users) may be found at [dubious ]
Highest - Class E (the percentages under Outbound Rate/Limit)
This specifies the minimum and maximum percentages of the connection each classification is allowed to consume. This is allocating, rather than prioritizing, and is useful for cases where you want to specify that certain classes of connection should never receive more than a given percentage of your upload bandwidth. Set each class to 1%-100% to allow each class unlimited access to the bandwidth (with higher priority classes receiving only higher priority, and not "reserved" amounts).
Inbound Limit
This allows you to limit the overall amount of data coming in to your router, and allocate maximum percentages of that bandwidth for each QoS service. Note that packets that exceed your limit are simply thrown away, not delayed as in the case of Upload/Outbound QoS. Under certain circumstances, this setting is useful, but is a very inefficient way to control inbound data. Inbound traffic cannot be directly controlled with QOS as all rules operate on outbound traffic only.
TCP Vegas
A congestion avoidance algorithm built into the Linux kernel, introduced in Tomato 1.23.
This may produce better results than QoS for some users. For example, users with connection speeds which vary considerably (cable users with "speed boost," or speed slows in the evening when everyone in the neighborhood goes online) are required to set QoS "Max Bandwidth" conservatively, to the lowest max speed encountered. They would never take advantage of higher speeds when available. In this case, TCP Vegas may be effective at dynamically adjusting speed while avoiding dropped packets which would occur if QoS "Max Bandwidth" were set aggressively (to the highest max speed encountered during day-to-day use.).
Some users have reported that a combination of TCP Vegas and QoS (with an aggressive "Max Bandwidth") works well. (This section requires additional feedback.).
TCP Vegas operates only on outbound traffic. However, some users have reported that changing its parameters affected inbound traffic. (This section requires expansion.).
For more information about TCP Vegas, see:

Classification edit

Allows you to specify which connections will get what levels of priority. This will override the default priority set in the Basic Settings page. Classification may be done by MAC address, TCP/IP port, or using more advanced filters like IPP2P or Layer 7 (L7) filtering.

All QoS rules are "as seen by your LAN", so SOURCE always means your computer, and DESTINATION always means the Internet.

QoS can be classified in a number of ways:

  • Address (first row in "Match Rule" Column): Identify the packet based on the IP or MAC address that is making the request, or the IP address that is being contacted. Example: If you have a VoIP device on your network that needs very high priority, you would set "Address" to "Src MAC" (source MAC address) and key the MAC address of the device, then set the priority to HIGH or HIGHEST.
  • Protocol/Port (second row): Identifies the packet based on the Protocol (TCP, UDP, etc) and/or Port Number (or list of numbers) that the connection is being made on.
  • IPP2P (third row): An attempt to identify P2P applications. Easily fooled by P2P Encryption, this is still useful for identifying some P2P applications.
  • L7 (Layer 7, third row): A sophisticated filter that can classify a number of applications. Again, for P2P, easily fooled by Encryption, but still useful.
Errata: Specific to version 1.23: The L7 filter "rtp-2" was added to Tomato 1.23 as a temporary solution. The official "rtp" filter does not catch some VOIP traffic. This new filter appears to work better. If the "rtp" filter doesn't work for you, try "rtp-2." Eventually "rtp2" may replace the "rtp," or be renamed by the L7 project who graciously provided it.

NOTE: Address and Protocol/Port are the fastest and most efficient ways to match. IPP2P is slow, and L7 is even slower. If at all possible, use Address and Protocol/Port before resorting to IPP2P or L7. Too many L7 or IPP2P rules can cause your router to crash or restart. If you are experiencing frequent crashes and restarts under heavy load, these may be the cause.

To improve IPP2P and L7 performance, provide additional qualifications when possible. For example, if you know the traffic is UDP, or a port range is involved, then specify this in the rule. These qualifications will be checked first, preventing unnecessary packet inspection of all packets.
Similarly, the order of rules can affect performance. For example, if an L7 rule is qualified as UDP this will help performance. But, if it is moved below the DNS rule (with a classification of "Highest"), it will prevent packet inspection of all DNS connections which are also UDP.

QoS Rule Example: Setting Web Browsing to HIGH edit

Under Match Rule Column:

  • First row = "Any Address", field to its right is blank Meaning this rule applies to any connection to the Internet on any server
  • Second row = "TCP", "Dst Port", "80,443" Meaning that this rule applies to all TCP connections that are trying to connect to port 80 (HTTP) or 443 (HTTPS) on an Internet server
  • Third row = "IPP2P (Disabled)", "Layer7 (Disabled)" Meaning that we do not want to apply any IPP2P or L7 rules
  • Fourth row = "" "" (kb transferred) Meaning we do not want to match by amount transferred

Under Class Column:

  • "High" Meaning anything matching this rule will be assigned a HIGH priority in upstream

Under Description Column:

  • Assign any reasonable description. "WWW" or "Web Browsing" would be good here. This is not used except on this screen, to identify the connection for your future reference.

View Graphs edit

One of the most powerful features of Tomato, this allows you to view (in near-real-time) the current outbound connections and how the QoS engine is classifying them. This allows you to view how effective your QoS settings are, and whether they are capturing the connections you want them to. Simply click on any of the classes to view the list of specific connections for that class.

View Details edit

Lists each connection that has recently been made through the router, and what QoS class was assigned to that connection. Clicking any entry will attempt to do a reverse lookup on the destination TCP/IP address, or you can click on the "automatically resolve addresses" checkbox at the bottom of the list to resolve all addresses in the list (this can take a while).

Access Restriction edit

Set time, computer, site, and protocol based bans on Internet access.

This function works on all connections to the router and so can be used to control access to all users of a network.

Currently supports 50 entries.

Each entry supports 2048 characters for the entire entry, the practical limit is around 1900 characters.

USB and NAS edit

This menu item is only available with the Teddy Bear modified build. It allows USB configuration.

  • Core USB Support: Enable the USB driver/services for hardware equipped with USB port(s) (e.g., ASuS WL-5xx series routers). Enabling this item makes the following of the settings accessible.
  • USB 1.1 Support (OHCI): ???
  • USB 1.1 Support (UHCI)': ???
  • USB 2.0 Support: ???
  • USB Printer Support: Load drivers for printer support.
    • Bidirectional copying: ???
  • USB Storage Support : If enabled, the following settings become accessible:
    • Ext2 / Ext3 File System Support: Load file system drivers to access (primarily) Linux formatted media.
    • FAT File System Support: Load file system drivers for Windows device compatibility. This file system is predominant among thumbdrives but might be used for hard drives as well.
    • Automount: Automatically mount all partitions to sub-directories in /mnt.
    • Run after mounting: Enter command-line statements to be executed when a USB storage device is connected.
    • Run before unmounting: Enter command-line statements to be executed when a USB storage device is removed.
  • Hotplug script: Enter command-line statements to be executed when a USB device is connected* they are run when any USB device is attached or removed)

Administration edit

Admin Access edit

Controls the various means that can be used to access the router for administrative purposes.

All services use the same password, which is changed at the bottom of this page.

Web Admin edit

Controls access to the router via a web browser. The web username may be "admin" or "root".

  • Local Access: Determines whether and how the router may be accessed from a web browser on a local computer (a computer attached to the router, or attached to a switch or hub attached to the router). Access can be via HTTP (regular web), HTTPS (SSL-encrypted web), both, or disabled.
  • HTTP Port: default 80
  • Remote Access: Determines whether and how the router may be accessed from a web browser from the WAN (Internet) side of the router. It is not recommended that this be enabled, and if it must be enabled, consider using the HTTPS method, which at least encrypts your session data.
  • Allow Wireless Access: If checked, wireless clients on your local network can access your router's administration screens using the same method as wired clients. This has no effect on Remote Access.
  • Color Scheme: choose color scheme skin
  • Show Browser Icon: shows tomato icon on address bar

SSH Daemon edit

Controls the Secure SHell (SSH) server that is installed on the router, which allows secure (encrypted) command-line access to the router. The SSH username is always "root".

  • Enable at Startup: Specifies whether the SSH Daemon is started when the router starts up.
  • Remote Access: If checked, you will be able to access the router via SSH from the Internet and the Local Network. If unchecked, only clients on the Local Network will have access.
  • Remote Forwarding: If checked, the SSH server will be listening for new connections to be tunneled. A tunnel initiated on the server side will then go back through the client machine. Example of usage.
  • Port: Specifies the TCP port used by the SSH daemon (default = Port 22). It is recommended to change the port to non-default because port 22 is being constantly scanned by the hackers on the Internet.
  • Allow Password Login: If checked, you can use the router username and password to enable a connection to the command line. If not checked, key authentication will be required.
  • Authorized Keys: Enter authorized keys for key authentication (a more secure alternative to password-based logins). Each key must start on a new line. Dropbear SSH daemon supports a subset of authorized_keys options, as described in sshd(8): command, no-agent-forwarding, no-pty, no-port-forwarding. It is not possible to limit the source address of connection or the port numbers and destinations of forwarded ports at this time. Use something like command="cat /dev/null" to prevent command execution.
  • [Start Now] / [Stop Now] Starts or stops the SSH Daemon.

Telnet Daemon edit

Controls the Telnet command-line server built into the router. Telnet access is only allowed on the Local Network. The Telnet username is always "root".

  • Enable at Startup: Specifies whether the Telnet daemon is enabled when the router starts up.
  • Port: Specifies the Ethernet port used by Telnet (default = Port 23).
  • [Start Now] / [Stop Now] Starts or stops the Telnet Daemon.

Admin Restriction (for Remote Web/SSH) edit

  • Allowed IP Address: If you want to restrict access from the WAN to Remote Configuration of your router by IP address, enter the appropriate IP address string.

Password edit

Allows you to specify your password. It is highly recommended you change this immediately after the installation. Enter the same password into both fields, and click "Save". After changing your password, you will need to re-authenticate your session (you may need to shut down and restart your browser to clear the current authentication).

Bandwidth Monitoring edit

The bandwidth monitor history is just bandwidth data that can be viewed at the Bandwidth page of the Tomato UI, namely WAN port monthly history, WAN port daily history for the current month and intraday history (for vlan1, eth1, br0, eth0 & vlan0) captured over the last 24 hours. For this reason the backup file does not grow in size once it has reached about 133 Bytes.

  • Enable: check to enable / uncheck to disable
  • Save History Location: Saving to RAM is not permanent. Saving to NVRAM or JFFS2 is permanent but will cause the internal flash (rewritable) memory to be flashed more frequently than the router design intended. This may lead to a shortened useful lifetime for your router. Better permanent storage alternatives are CIFS1 and CIFS2. Keep in mind that if the share that your CIFS1 or CIFS2 points to is offline, then it will save the Bandwidth History the next time the share is online. Refer to the CIFS Client section for further detail.
    • If you use CIFS, you will have to wait until the first set of data is saved to see the 24 hour, weekly and monthly stats. You might see a message about 'rstat' not responding. A solution for this is to check "Create new file" if you do not want to wait the time until the first data is saved (from one hour, to days).
  • Save Frequency: Select an interval for periodic saving of bandwidth usage history. Useful if your router experiences power outages from time to time. The exact time that the save interval happens at is based on what time you save your settings. So if you set it to "Every 2 Days" at 10:35AM, it will save 48 hours from then, and every 48 hours thereafter.
  • Save On Shutdown: Cause a save before any reboot or shutdown event but obviously not before a power outage!
  • Create New File / Reset Data: Check this when setting up a new Save History Location. When checked a new file is created in the save location. If the file already exists in the save location all current data will be overwritten!
  • First Day Of The Month: Used to align the monthly data to the same accounting cycle that your ISP uses.
  • Excluded Interfaces: Comma separated list of Interfaces to exclude from the 24 Hours and Real Time Bandwidth pages of the Tomato UI. ( Example: vlan0,vlan1,eth0 will leave focus on the wireless LAN interface.) This has no appreciable effect on size of the history backup file being saved.

Although the role of the five interfaces is configuration dependent ( examples: WRT54G v2 and WRT54G v4 acknowledge: voidmain & WL-500gP and Network Configuration ack. OpenWRT ) the apparent convention is:

  • vlan1: wired WAN port
  • vlan0: wired LAN ports
  • eth1: Wireless LAN
  • br0: internal LAN bridge (configurable) for wired LAN and Wireless LAN
  • eth0: internal interface between CPU and the 6-port switch

Saved history may be viewed using the UI tools:

  • http: //
  • http: //
  • http: //
  • http: //

Backup edit

Permits saving the entire contents of the current bandwidth history to a GZIP-compressed file on the client computer. Useful for archiving evidence of bandwidth issues, for easy display later.

Restore edit

Permits restoring a previously saved bandwidth history file (GZIPped) from the client computer. Useful for displaying the contents of a previously saved history file.

Buttons / LED edit

Change the action performed by the button. Different actions can be set for different lengths of time the button is held down (Count the DMZ blinks). The default actions are (1) tap to toggle wireless and (2) hold 20 seconds to start telnet on port 233.

The LED lights have some minor checkbox settings. For better effect, you can use the "led" command inside scripts elsewhere.

For unsupported router hardware, this text is displayed: This feature is not supported on this router.

Startup LED edit

  • Amber SES: ???
  • White SES: ???

CIFS Client edit

The CIFS client in Tomato allows you to mount a Windows-share or a Samba-share, that you can use as a history location for the bandwidth monitoring.

In the configuration UNC (Universal Naming Convention) points to that share and has to look as follows:

where is the IP-address of the computer the share is located on and "share-name" is the shared folder-name. The rest of the settings (username, password) speak more or less for themselves.

Give thought to the Shared Permissions for the specified Windows-share. The username/password pair specified here must be for an account that has permission to write to the shared folder, especially if you plan to use this network shared folder to save Bandwidth Monitor history. Also be sure to allow port 445 on any intermediate firewalls between the shared computer and the router.

It is advised to use "security = user" when using Samba, to avoid errors like these:
smb signing is incompatible with share level security !

Configuration edit

Allows you to back up all your settings to your PC, restore them, or reset the router to factory defaults.

When changing from one firmware to another, it is important to do a complete factory reset on your router. In Tomato, you go to this screen, select Erase all data in NVRAM (thorough), and click OK. When the router reboots, you will need to rekey all of your configuration settings manually. Instability and unpredictable behavior can occur if you don't erase the NVRAM.

Debugging (Miscellaneous) edit

  • Avoid performing an NVRAM commit: If checked, changes are not committed to NVRAM if possible. This means that changes are temporary, and will not persist beyond the next reboot of the router.
  • Do not erase some intermediate files: ???
  • Enable cprintf output to console: ???
  • Enable cprintf output to /tmp/cprintf: ???
  • Count cache memory as free memory: ???
  • Avoid displaying LAN to router connections: If checked, LAN to router connections are not displayed on the QOS pages. If not checked, LAN to router connections are displayed on the QOS pages as "Unclassified" connections.
  • Download CFE: Download the CFE binary data. (default name: cfe.bin)

Please note: This is *not* information from the CBOE Futures Exchange (“CFE”). This download is the Common Firmware Environment (CFE) data, a firmware interface and bootloader developed by Broadcom for 32-bit and 64-bit system-on-a-chip systems.

  • Download Iptables Dump: Download the system output of 'tcpdump -L -v' (default name: iptables.txt)
  • Download Logs: Download the system's /var/log/massages file (default name: syslog.txt)
  • Download NVRAM Dump: Download systems NVRAM as a text file. (default name: nvram.txt)

Warning: The NVRAM Dump text file may contain information like wireless encryption keys and usernames/passwords for the router, ISP and DDNS. Please review & edit this file before sharing it with anyone.

  • Console log level:
 0 (KERN_EMERG)		system is unusable
 1 (KERN_ALERT)		action must be taken immediately
 2 (KERN_CRIT)		critical conditions
 3 (KERN_ERR)		error conditions
 4 (KERN_WARNING)	warning conditions
 5 (KERN_NOTICE)	normal but significant condition
 6 (KERN_INFO)		informational
 7 (KERN_DEBUG)		debug-level messages
  • Clear Cookies: Clears local web cookies: ( to include but not inclusive )
  • NVRAM Commit: Commits all current settings to NVRAM, such that they survive rebooting.

JFFS2 edit

In a router with 4MB flash, there's still some space leftover from the firmware. JFFS2 is the compressed, writable filesystem for the extra space, the /jffs folder gives 700KB after overhead but BEFORE compression. Turn this option on, and script some add-on executable to run from here.

Logging edit

Logging may be done internally or externally. Internal logs save information to the router's local memory. External logs send the log information to a remote computer.

  • Log Internally : saves the connection logs to the internal memory of the router, where they may be extracted or viewed directly on the "Logs" page under "Status". These logs will consume router memory, but may be viewed directly on the router itself.
  • Log to Remote System : sends the logs to a computer on your LAN. That computer must be running a log capture program, like WallWatcher. The computer can then show you the connection logs and analyze the data.
    • IP Address / Port : The IP address and port for the remote syslog server.
  • Generate Marker : At the specified time interval, a line of text "------MARK-----" is inserted into the log to make it easier to read. Options available: Disabled, Every 30 Minutes, Every 1 hour, Every 2 hours.
  • Events Logged: Allow you to specify what types of events you want logged.
    • Access Restriction: Access Restriction activity.
    • Cron: Cron job information.
    • DHCP Client: DHCP actions.
    • NTP: NTP time synchronization activity.
    • PPPoE: Point to Point Protocol over Ethernet activity.
    • Scheduler: Activity generated by Tomato's Schedulery. ( Menu: Administration -> Scheduler )
  • Connection Logging: Allow you to specify what types of connections you want logged, and place a limit on the number of entries per minute to log. Unless logging externally, Disabled is recommended for both. Unless you need to detect all attempted connections, select to log only Allowed by Firewall. Note that most connections will be outbound, since the connections were initiated by a device inside the LAN. The only incoming connections (which are Allowed by Firewall) are things such as remote admin, FTP, SSH, or forwarded ports.
    • Inbound (Connections): As above
    • Outbound (Connections): As above
    • Limit: How many messages per minute at maximum can the system log. Enter '0' for unlimited.

Scheduler edit

Shows 5 dialogs permitting scheduled actions to be enabled, and their day and time of execution selected. Reboot performs a router cold start, as if power had been cycled. Reconnect performs a WAN Release and Renew sequence. Custom 1,2,3 allow execution of arbitrary commands, within those present in Tomato. The dialogs differ slightly.

Reboot, Reconnect dialogs edit

  • Enable: Allows execution and editing. Default: disabled.
  • Time: Drop-down menu to select Execution Time(24-hour format) in 15 minute increments, or to repeat every 1, 12, or 24 hours, or every user-selectable number of minutes.
  • Days: Week days of operation, selected individually. Default: Every Day.

Custom 1, Custom 2, Custom 3 dialogs edit

  • Enable: Allows execution and editing. Default: disabled.
  • Time: Drop-down menu to select Execution Time(24-hour format) in 15 minute increments, or to repeat every 1, 3, 5, 15, 30 minutes, 1, 12 or 24 hours, or every user-selectable number of minutes.
  • Days: Week days of operation, selected individually. Default: Every Day.
  • Command: Text field for user-defined command. See BusyBox commands.
  • Save: Save settings. Must be performed for Enabled items to be scheduled.
  • Cancel: Aborts any editing actions, exits without saving.

Note: During initial editing, the GUI (as of 1.27) prevents enabling Custom dialogs after enabling Reboot or Reconnect. Enable any desired Custom dialog first before enabling Reboot or Reconnect.

The scheduler is actually the crond daemon. The scheduler GUI has some limitation, can not generate arbitrary crontabs. You can use cru command to manipulate crontabs. Remember to add them to init script, crontabs added by cru command will not survive reboot.

Scripts edit

Presents four text-entry tabs Init, Shutdown, Firewall, and WAN Up. You can enter commands in these tabs to be run at router Init (startup), Shutdown, Firewall startup, or WAN Up (whenever the Internet connection comes up).

Example script 1

Access the web interface of the modem connected to the WAN port of the router. In this example, the modem has the IP address Both IP addresses used in the script below begins with 10.0.0. The 1st address can end with anything other than 138 but the second address must end with 0. The IP of a modem must be from a different network than your local LAN.

In WAN Up:

ip addr add dev eth1 brd +
/usr/sbin/iptables -I POSTROUTING -t nat -o eth1 -d -j MASQUERADE

Example Script 2

Establish a limit of 125 TCP connections per user.

In Firewall:

iptables -I FORWARD -p tcp --syn -m iprange --src-range -m connlimit --connlimit-above 125 -j DROP

Note : - is the LAN address range to be controlled.

Example Script 3

Opens the SSH server on the WAN side, while giving a better protection against Brute Force password guessing attacks. After 3 connections attempts in under 90 secs, the source address will be locked out for 90 secs. This seems enough to convince the script kiddies to search for a new target. Needs v1.21 to work (or later), as it now comes with the ipt_recent module built inside.

In Init:

insmod `find /lib/modules/ -name ipt_recent.o`

In Firewall:

WANIP=$(nvram get wan_ipaddr)
iptables -t nat -A PREROUTING -p tcp -d $WANIP --dport 22 -j DNAT --to
iptables -A INPUT -d -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH_LIMIT --rsource
iptables -A INPUT -d -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 90 --hitcount 4 --name SSH_LIMIT --rsource -j DROP
iptables -A INPUT -d -p tcp --dport 22 -j ACCEPT

Note: Do not enable Remote SSH via the menu, this script will do it and apply the right rules

Upgrade edit

Allows you to load a new firmware image to the router (either a newer version of Tomato or an entirely different firmware).

Note: When changing from any firmware to any other firmware (stock Linksys -> Tomato, for example), it is important to clear the NVRAM and restore the factory default settings. Instructions on doing that will vary from firmware to firmware, but there is generally a factory reset option (in Tomato, this is located under Administration/Configuration/Restore Default Configuration

About edit

This page shows information about:

  • Name and the version number of Tomato firmware
  • Copyright statement
  • A direct http-link to tomato homepage
  • The build date of Tomato firmware
  • A donation button for the project
  • An acknowledgment message to all people

Reboot... edit

Restarts the router (without erasing any settings).

Shutdown... edit

Turns the router off (controlled shutdown)

Logout edit

Logs you out of the web session (clears your user session) and returns to the initial login screen, where you are asked to present login credentials again. This causes occasional confusion, with people reporting that they "need to log in in order to log out". Once you see the password prompt, you are logged out. Just hit cancel and you will end up at the "Unauthorized" page. This option is not supported on MS Internet Explorer (V7) and and the "logoff" item does not show in the menu. you will need to close the browser completely in order to log out.

References edit



Distributions edit

The Tomato firmware distribution is maintained, primarily by Jonathan Zarate at Polar Cloud as a derivation of LinkSys's open-source code. Tomato is built in two flavors, a standard version that should run on all routers and the "New Driver" (ND) version for newer routers. Warning! Loading an ND version on an unsupported router could brick the router.

As such, others have further derived new distributions, named by the authors' usernames in the[1].

Feature comparison edit

Mod Name Base Tomato
Min Flash MB Min
Tomato 1.28 4MB 4096 No No No No No No No No No
Tomato ND 1.28 4MB 4096 No No No No No No No No No
TomatoVPN 1.27** 4MB 4096 No No OpenVPN (GUI Setup) OpenVPN (GUI Setup) No No No No No
hardc0re 1.25 4MB 4000+ Yes No No No No No No No No
jyavenard 1.27*** 4MB PPTP/OpenVPN PPTP/OpenVPN Yes No No
Neorouter 1.25*** proprietary proprietary Yes No
roadkill 1.21 Yes OpenVPN OpenVPN SD, MMC No No
SgtPepperKSU 1.27v3.6*** No No OpenVPN (GUI Setup) OpenVPN (GUI Setup) No No No No No
slodki 1.28** 4MB 10240 Yes Yes OpenVPN with GUI OpenVPN with GUI No SDHC, MMC with GUI Print, NAS No No
Teddy Bear 1.28** 4MB/8MB 128 10240 Yes Yes OpenVPN (GUI Setup) OpenVPN (GUI Setup) No No Print, NAS No Yes****
Toastman 1.28** 4MB/8MB+ 128 Configurable Yes Yes OpenVPN OpenVPN Yes No Print,NAS,FTP,Media Yes Yes
Thor 1.25** 8MB 8192 Yes FTP only OpenVPN OpenVPN Yes SDHC, MMC NAS No No
Trzepako 1.21 4MB ? Yes No No No No No No
Victek 1.28*** 4MB 8192 Yes No No No No No Yes No No
* Tomato standard only
** Tomato ND (New Driver) only
*** Tomato standard and ND
**** With GUI, in current git builds only
NAS = Network-attached storage

hardc0re Mod edit

Latest version: 10 jul 2009[2] (as of 08/2009)

  • Based on Tomato 1.25
  • aims to improve the router's performance under high load (many connections, more than 4000 or so).
  • Tuned route cache and conntrack hash sizes.
  • Tuned route cache parameters.
  • Updated conntrack and netfilter components to later versions.
  • Modified hash function to a newer one.

jyavenard Mod edit

Latest version: 30 jan 2010[3] (as of 01/2010)

  • Based on Tomato 1.27
  • has been modified to include a PPTP client (PPTP server included but no GUI)
  • OpenVPN client and server
  • and an SNMP server.

Neorouter Mod edit

Latest version: 0.9.8, 12 oct 2009[6] (as of 10/2009)

  • Based on Tomato 1.25
  • Cross-platform zero-config VPN solution that connects computers into a virtual LAN.

roadkill Mod edit

Latest version: 16 oct 2008[4] (as of 08/2009)

TomatoMod 1.21 *TEST VERSION 5* - This is a new test version it is only half baked for those who want to try.

  • LZO 2.03
  • OpenVPN v2.1rc13 + Management
  • VPN GUI Interface
  • SD/MMC GUI Interface with switchable gpio
  • SFTP-Server
  • QoS Limit
  • App Limit
  • Arp Binding
  • IPID Adjust

slodki Mod edit

Latest version: 1.28.02, 18 Feb 2011[5] (as of 02/2011)

  • Tomato firmware ver. 1.28
  • Optimized SDHC/MMC driver ver. 2.0.1 - this adds up to 32GB build-in storage on flash memory
  • Higher transfers then previous mmc driver ver. 1.3.5 - +40% writing, +10% reading
  • GPIO pins parametres selectable via GUI
  • Detailed card ID data available via GUI
  • Support for mounting ext2, ext3 and vfat partitions
  • OpenVPN, vsFTP, Samba, print server etc - the same as in Teddy Bear Mod

SgtPepperKSU Mod edit

Latest version: 01 jun 2009[6] (as of 08/2009)

  • Based on Tomato 1.25 (ND also available)
  • OpenVPN 2.1rc16 is compiled in and fully integrated as a system service.
  • LZO 2.0.3 is compiled in for VPN compression option
  • Two separately configurable instances of each clients and servers can be configured in the GUI
  • TLS (optionally with static key HMAC authentication) and static-key encryption is supported
  • Custom configuration field is added to the end of the dynamically generated config file
  • UDP and TCP protocols supported
  • TAP and TUN style tunnels supported
  • Site-to-site tunnels without any custom configuration
  • Status tabs displaying connected clients, VPN routes, and/or statistics.
  • Sets up and tears down (including module insertion/removal) interfaces as appropriate to save memory
  • Automatically adds and removes firewall rules as needed.
  • Option to automatically start server/client with router
  • Option to redirect Internet traffic over tunnel
  • Options to accept/push DNS options.
  • Encryption cipher settings are available.
  • Client address allocation is handled via GUI.
  • Added capability to use hostnames in the access restrictions page (unrelated to VPN, but I wanted it)
  • and more...

Teddy Bear Mod edit

Latest version: 30 November 2010[7] (as of December 20, 2010), available for download from

Currently based on the 1.28 build of Tomato, this is the list of changes made to official Tomato ND (New Driver):

  • Support for USB 1.1 (OHCI and UHCI) and USB 2.0, configurable via Tomato GUI.
  • USB storage (Ext2/Ext3, FAT/FAT32 and NTFS filesystems) and USB printing support.
  • Auto-mounting for USB drives (added in v05). When this feature is activated in the GUI, and USB drive is plugged in, all mountable partitions will be automatically mounted to a directory under /mnt. If you want to override default mount point, mount your partition manually in the satrtup, wanup, or hotplug script, i.e.: mount -o noatime,nodev /dev/discs/disc0/part1 /opt, or by using /etc/fstab file and "mount -a" command. If you mount the partition manually, it will not be re-mounted to a default mount point. If after mounting the drive you want to execute some additional scripts - to run the programs etc - it's a good idea to add several seconds sleep before doing so.
  • Support for /etc/fstab, and mounting by label and UUID.
  • Network File Sharing using built-in Samba server 2.0.10. Please check this post if you're experiencing problems copying files to Samba shares, and this post if you have issues with authenticated access to Samba shares.
  • Printer server (p910nd) is included and started automatically if you enable printing support. Bidirectional copying can be disabled via GUI if it causes problems with your printer. Only one instance of printer server is started automatically, and listens on port 9100. If you need to support more than 1 printer, add commands to run additional instances of p910nd to your startup script. Follow these directions to set up your printer in Windows.
  • USB Hotplug script - it can be useful for configuring USB devices after connecting them to the router or on boot-up, for example loading firmware into HP1018 or similar printer (there're some posts on page 11 of this thread with more details about HP1018 printer).
  • Fixed slow running clock problem on Asus WL-520GU. After flashing this firmware you have to reboot the router at least once for clock to get fixed (this fix is included into official Tomato releases starting from Tomato 1.24).
  • Fixed WLAN LED on Asus WL-520GU, SES button and WLAN led on Asus WL500gP v1 and Buffalo WBR2-G54 (these fixes are included into official Tomato releases starting from Tomato 1.24).
  • Built-in FTP server daemon (vsftpd) with GUI.
  • L7 filter patterns are updated to the latest official version (2009-05-28), removed experimental rtp-2 pattern.
  • Added CGI scripts support to HTTP daemon - you can place your CGI scripts into "/www/ext/cgi-bin" folder, and they will be executed when you access them via http://<router_ip>/ext/cgi-bin/my_script_name.
  • Included SpeedMod by Rodney H.
  • Added new "NAT Target" setting to "Advanced -> Firewall" (SNAT or MASQUERADE).
  • Upgraded Broadcom Wireless driver to version
  • UPnP daemon is replaced with MiniUPnPd with NAT-PMP support (MiniUPnPd is included into official Tomato releases starting from Tomato 1.24. This mod however adds additional GUI settings for UPnP). UPnP is disabled by default, NAT-PMP is enabled by default.
  • Added new "Regulatory Mode" setting (off|g|h) and "Country/Region" setting to "Advanced -> Wireless".
  • Added wireless auto channel selection.
  • Changed to use passive mode for wireless scan (generally should pick up more APs).
  • Replaced JFFS2 filesystem driver by JFFS ver 1.3 from ray123 to provide more available JFFS space.
  • Replaced ramfs by tmpfs.
  • Updated busybox and dnsmasq.

The mod (starting from build 20) comes in 4 different flavours:

all standard features described above; ~180KB JFFS space (3 blocks) available on 4MB flash routers;
all features of Standard plus Linux Ext2/Ext3 and FAT32 filesystem utilities (fdisk, e2fsck, mke2fs, mkswap, mkdosfs), built-in loop device support, additional color schemes. ~60KB JFFS space (1 block) available on 4MB flash. This version is for people who don't really need JFFS space, or have 8MB flash routers, and would like to be able to partition/format drives in Linux native Ext2/Ext3 format or in FAT32 format directly on the router without installing any additional tools.
all features of Standard but no Samba; some very minor features are stripped out of Busybox, about 540KB JFFS space (9 blocks) available on 4MB flash routers;
all features of Standard but no CIFS Network filesystem support, about 300KB JFFS space (5 blocks) available on 4MB flash routers;

Toastman Mod edit

Latest version; 9 Mar 2012[8]

Toastman-RT-1.28.7496.2-RT MIPSR2 K2.6 for RT-N16 etc. Toastman-RT-1.28.0496.2-RT-N MIPSR2 K2.6 for E4200, RT-N66U etc.

(New versions are available frequently, check for releases).

With Teaman Client Monitor (IPTMon or BWclimon depending on build, can have graphical monitoring of all clients in realtime or last 24 hours and download statistics for all clients.

Web Portal "NoCatSplash" (splashd) integrated by Victek.

VLAN builds include the VLAN-GUI by Augusto Bott and experimental Multi-SSID.

CPU frequency display, CPU % useage, CPU Overclock menu.

Static ARP Binding, Bandwidth Limiter per client,

Significant improvements to Tomato's QOS includes new IMQ based ingress system with class priorities, and an incoming class bandwidth pie chart, making it much easier to evaluate QOS rule effectiveness.

Configurable QOS class names, comprehensive example QOS rules loaded as default. Many useful features/tools for easier administration of networks.

Up to 250 clients in Static DHCP, Access Restrictions, 500 in Wireless Restrictions. Suitable for large installations such as hotels and condominiums as well as the normal user.

  • MiniDLNA 1.0.22: cvs 2011-08-25
  • Miniupnpd ver. 1.6 (20110725)
  • Dnsmasq: 2.59 update
  • Busybox 1.18.5 update
  • radvd: 1.8.1 update
  • Dropbear 0.54 update
  • ebtables: update to 2.0.10-2 (August 11th, 2011)
  • Samba 3: security updates CVE-2011-2522 & CVE-2011-2694
  • ntfs-3g release 2011.4.12
  • IPV6 improvements
  • BCM SDK: wireless driver in RT builds
  • BCM SDK: wireless driver in RT-N builds
  • PPP: single line MLPPP support
  • Support for Belkin F7D3301/F7D3302/F7D4301/F7D4302/F5D8235v3, ASUS RT-N12 B1/RT-N10U/RT-N66U routers.
  • Added support for USB led on E3000, WRT610Nv2, DIR-320, H-618B routers.
  • Various optimizations backports and fixes from upstream 2.6 kernel.
  • PPTP Client with GUI by Jean-Yves Avenard
  • Support for 3G USB Modems
  • Udpxy v1.0-Chipmunk-build21

Includes the new updates from Tomato-USB/RT by Fedor Kozhevnikov. The RT wireless driver has however been reverted to in the interests of stability.

Thor Mod edit

Latest version; 27 jul 2009[9] (as of 08/2009)

Tomato_RAF_1.25.8515 ND USB .8 v3

  • Based on Tomato 1.25
  • ND only
  • recent versions need more than 4 MB
  • includes USB / NAS / FTP / VPN / SNMP
  • includes all the updates and changes up till now (15/07/2009)
  • Based on Victek's sources so it has all his features
  • Wrt54 Skin based on absolon
  • tomato-FS-patches 27062009
  • net-snmp 5.0.9 & Interface
  • OpenVPN 2.1rc13 & Inteface(Keith Moyer's implementation)
  • Optware options under USB
  • NTFS support with RW

Trzepako Mod edit

Latest version: 03 aug 2008[10] (as of 08/2009)

Based off the Tomato 1.21 build, this modification adds:

  • conanxu mod 1.5 (IP/MAC Bandwidth, pps, connection limiter, SPEEDMOD and so on...)
  • ipt_ROUTE & ipt_random

Victek Mod. Tomato RAF edit

Latest version: 1.28 as of 4 Jan 2010[11]

This modification has two branches; Standard Version (A) & ND (New Driver) Version (B).

(A) Common in both versions (and not included in Official Tomato version):

  • BusyBox 1.14.2
  • ip_conntrack version 2.1 (16384 buckets, 8192 connection max)
  • DNSMasq 2.49
  • Dropbear 0.51 extended RWIN cli command
  • Extended static DHCP / MAC restriction (up to 140 clients)
  • IP/MAC Bandwidth Limiter (up to 140 clients)
  • ARP Binding (up to 140 clients)
  • Extended miniupnpd
  • Extended themes (18 themes)
  • CPU Freq. Display & Overclock (125-300MHz)
  • Previous WAN IP
  • ISP Concentrator ID
  • Two additional button script windows
  • System command window built into GUI (Tools-System)
  • ARP command included
  • Extended command in BusyBox; chown, hostname ..

(B) Additionally in ND version:

  • Wireless & Ethernet driver
  • Added new "Regulatory Mode" setting (off|d|h) and "Country/Region" setting to "Advanced -> Wireless" in ND version
  • Added wireless auto channel selection.
  • Wireless Scan 'passive mode' (shows more AP's if they exist in the neighborhood).

References edit

  1. List of Tomato mods
  2. hardc0re release announcement.
  3. jyavenard release announcement.
  4. roadkill release announcement.
  5. slodki release announcement.
  6. SgtPepperKSU release announcement.
  7. Teddy Bear's TomatoUSB Changelog
  8. [1]
  9. Thor release announcement.
  10. Trzepako release announcement.
  11. Victek Mod. Tomato RAF release announcement.