26 November 2018
Background
Routers vs gateways
Often bundled by cable TV or other ISP,
commodity boxes called routers are
more accurately gateways.
- Routers establish and maintain connections among network nodes.
Routers advertise paths for connecting fragments of Internet address space.
This requires that routers advertise address ranges for nodes attached to them.
- Gateways hide details about network nodes attached to their LAN side from those in Internet address space on their WAN side.
So-called home routers (AKA wireless routers) are a particular kind of gateway,
in that home LAN devices could at least in theory attach directly to the Internet, since they implement Internet protocols.
Additionally, wireless routers bridge Wi-Fi nodes to e.g. switched CAT5/6 ethernet nodes,
so that an iPad using Wi-Fi can discover and communicate with other LAN nodes without distinguishing between radio and twisted wire connections.
- Few home network devices are robust against Internet malware exploits.
- Some important home router features:
- firewall and NAT
- relatively frequent updates to address new exploits
- VLAN, VPN and DDNS
These can help secure privacy (e.g., block your ISP from monetizing your Internet habits)
and let you log in to your home PC while away.
- Dnsmasq
This allows assigning your network-attached printer a name, such as printer,
then printing to printer from other LAN nodes without knowing its current IP address assignment.
Tomato vs dd-wrt vs OpenWrt
These are, IMO, the
most significant embedded Linux distributions for routers,
all derived from Linksys WRT54G firmware.
- OpenWrt continues to make releases, but
- relatively complex to use
- has a writeable filesystem, making it more immediately vulnerable,
all other things being equal (which they rarely are)
- dd-wrt has not made stable releases for years.
- supports more devices than others
- many, if not the most, configurable options
- hard to identify a stable current beta release that is robust on a specific router
- Commercial versions are bundled with (refurbished) routers.
- FreshTomato is the currently-supported fork of Tomato
- IMO, most appropriate for DIY router upgrades.
- easiest and seemingly most robust distro
- supports relatively few routers (simplifying releases)
Linksys EA6300v1/EA6400, EA6500v2, EA6700, EA6900 are supported.
- Probably the least-well documented
Much has been written about various Tomato forks and release versions,
but little is specific to FreshTomato, much less 2018.4 for ARM.
FreshTomato-ARM AIO vs VPN builds; Entware
Shibby Tomato K26ARM builds include EA6500-6900
(K26ARM7 applied only to R8000 and Asus RT-AC3200)
For a clear definition of AIO vs VPN, go to the source:
shibby-arm branch, release/src-rt-6.x.4708/Makefile
Comparing the sorted line items of the Makefile VPN and AIO targets:
VPN has no unique options;
AIO has additional options
(comments from http://tomato.groov.pl/?page_id=78):
BTCLIENT=y  # BitTorrent client (Transmission)
TR_EXTRAS=y # transmission-remote tool[s]..?
DNSCRYPT=y  # user selectable/manual DNS
STUBBY=y    # DNS-over-TLS resolver
UPS=y       # UPS presumably by USB
TINC=y      # Tunneling VPN daemon
NFS=y       # NFS fileserver
NANO=y      # text editor
TOR=y       # Tor anonymizing proxy
NGINX=y     # web server
IPERF=y     # network utilities - available separately for TomatoUSB from Entware
In theory, mount a flash drive on the USB port and
install Entware there
"the FreshTomato project gives native support to ENTWARE"
How To   -  
more forum support -
.. but that was before entware-ng went away
Sagemcom F@st 5260 vs Linksys EA6500v2 vs EA6700
- Bundled by Spectrum, who control F@st 5260 firmware,
which does not support Dnsmasq. USB is 2.0.
- Relatively cheap and fairly fast, the Linksys EA6500 was developed by Cisco.
IMO, cloud management is weird, then useless when diagnosing ISP issues.
Stock NAS firmware supports few USB 3.0 hard drives.
Available in two versions; v2 is equivalent to the Linksys EA6700.
I purchased mine in 2014;
I would now get a refurbished EA6700.
IMO, an EA6700 has hardware nearly as good as many $150 routers,
but available for < $40 used or refurbished. Linksys rates their EA6900
faster only on 2.4 GHz, and it has overheating issues
that would be mitigated by vertical mounting.
Buying used cuts prices and avoids early life failures.
Replacing problematic Linksys firmware with FreshTomato should make an EA6900 equivalent to
NETGEAR's more popular and expensive Nighthawk R7000 running nearly
identical firmware.
Linksys ARM CFE, NVRAM and firmware
CFE is basically a standardized BIOS and bootloader.
In their version, Linksys
- disabled firmware update by HTTP during boot,
- reduced available NVRAM for storing variable data to 32KB, and
- enabled dual-booting.
If current firmware is problematic,
either the user can revert to prior firmware
or the EA6500 might reboot to it automagically.
These are unexpected behaviors among routers sharing Broadcom SoC technology..
Understanding
Tomato NVRAM
Recent Linksys firmware releases reject unsigned binaries, which complicates hacking.
Only the latest EA6500v2 firmware release (build 176451) has this restriction,
and reverting to the previous release allows loading e.g. mini-dd-wrt.
FreshTomato 2018.4 installation on EA6500v2
This works only on Windows.
Instructions here are nearly accurate, but IMO confusing,
since they focus on problematic tftp recovery, which should be unnecessary.
Step 1
- Download FreshTomato firmware from
https://exotic.se/freshtomato-arm/v2018/2018.4/
- Download
EA6500v2 CFE Flash kit, which requires 7-Zip to unpack.
Step 2
Connect the Linksys router ONLY to its power dongle and your Windows PC.
**Disconnect its WAN port!**
Routers are usually found by web browsers at 192.168.1.1.
For current Linksys firmware newer than 166281, restore the previous version:
login, Troubleshooting>Diagnostics>[Restore previous firmware]
That worked for me...
If the router *still* reports firmware newer than 166281, then get 166281
here
and
perform a manual firmware update
to FW_EA6500v2_1.1.40.166281_prod.img :
EA6500 eventually reboots itself
Understanding steps 3-8
custom CFE
FreshTomato (and dd-wrt) expect to be able to use 64KB NVRAM,
which is NOT supported by stock Linksys CFE.
The workaround is to install a custom CFE.
Linksys firmware has no provision for replacing CFE,
so we first install a mini-dd-wrt that
- works with Linksys' small NVRAM
- simplifies backup of original Linksys CFE
- supports CFE replacement
- but is too old to include important exploit fixes,
so should NOT be used for Internet access.
After that custom CFE is customized and installed using mini-dd-wrt,
that CFE's HTTP bootloader will be used to install FreshTomato 2018.4.
Step 3
On the router,
- go to Troubleshooting>Diagnostics
- Factory Reset
Step 4
- Tools
- linksys_ea6500_cfe.bin
- linksys_ea6500_ddwrt.bin
- click OK for reboot
- takes a while; I waited ~20 minutes (lunch break)
Step 5
- Power off/on - rebooted to dd-wrt
- Set userid/password to admin admin admin
- click Services
- enable Secure Shell SSHd
Step 6
New CFE has relatively few customizable parameters, based on:
- MAC Address (found on the bottom of the router)
- WPS Password (found on the bottom of the router)
On the PC,
- Tools\CFEEdit.exe
- Open linksys_ea6500_cfe.bin
- find and set
- et0macaddr= (MAC Address)
- secret_code= (WPS Password without '-')
- in Advanced
- 0:macaddr= (2 + MAC Address)
- 1:macaddr= (4 + MAC Address)
- Save As new-cfe.bin
- Exit
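A pre-flash sanity check for the file saved in Step 6, as an added example that is not part of the original page or the flash kit. It assumes that "2 + MAC Address" and "4 + MAC Address" mean adding 2 and 4 to the label MAC as a number, and that the image stores these variables as NUL-terminated key=value ASCII strings; the function names, the sample MAC and the sample images are constructed for illustration.

```python
import re

def mac_add(mac: str, offset: int) -> str:
    """Add offset to a MAC treated as a 48-bit integer, carrying across octets."""
    value = (int(re.sub(r"[:-]", "", mac), 16) + offset) % (1 << 48)
    raw = f"{value:012X}"
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))

def expected_vars(label_mac: str, wps_password: str) -> dict:
    """Values Step 6 asks for, derived from the label on the router."""
    return {
        "et0macaddr": mac_add(label_mac, 0),
        "0:macaddr": mac_add(label_mac, 2),    # assumption: "2 + MAC" is numeric
        "1:macaddr": mac_add(label_mac, 4),    # assumption: "4 + MAC" is numeric
        "secret_code": wps_password.replace("-", ""),
    }

def read_var(image: bytes, key: str) -> list:
    """Every value stored as a NUL-delimited 'key=value' string (assumed layout)."""
    pat = rb"(?<![^\x00])" + re.escape(key.encode()) + rb"=([^\x00]*)(?=\x00)"
    return [m.decode("ascii", "replace") for m in re.findall(pat, image)]

def check_cfe(image: bytes, template: bytes, label_mac: str, wps_password: str) -> list:
    """Return a list of problems; an empty list means the image matches the label."""
    problems = []
    if len(image) != len(template):
        problems.append(f"size {len(image)} differs from template {len(template)}")
    for key, want in expected_vars(label_mac, wps_password).items():
        found = read_var(image, key)
        if not found:
            problems.append(f"{key}: not found")
        problems += [f"{key}: image has {v!r}, expected {want!r}"
                     for v in found if v.upper() != want.upper()]
    return problems

def fake_image(pairs: dict, size: int = 512) -> bytes:
    """Constructed stand-in for a CFE image, for demonstration only."""
    body = b"".join(f"{k}={v}".encode() + b"\x00" for k, v in pairs.items())
    return (b"\x00" + body).ljust(size, b"\xff")

LABEL_MAC, WPS = "02:00:00:00:00:FE", "1234-5670"      # constructed label values
TEMPLATE = fake_image({"et0macaddr": "00:00:00:00:00:00", "secret_code": "0"})
GOOD = fake_image(expected_vars(LABEL_MAC, WPS))
BAD = fake_image({**expected_vars(LABEL_MAC, WPS), "0:macaddr": LABEL_MAC})

if __name__ == "__main__":
    print(check_cfe(GOOD, TEMPLATE, LABEL_MAC, WPS))   # no problems
    print(check_cfe(BAD, TEMPLATE, LABEL_MAC, WPS))    # flags 0:macaddr
```

For real files, read new-cfe.bin and the kit's linksys_ea6500_cfe.bin in binary mode and pass their bytes to check_cfe in place of the constructed images.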
Step 7
Copy original CFE to Windows PC and copy custom CFE to router
- browse to http://192.168.1.1/backup/cfe.bin
and save this original Linksys CFE somewhere memorable,
in case you ever want to restore Linksys firmware..
- launch Tools\WinSCP-5.9.6-Portable\WinSCP.exe
Host name: 192.168.1.1
Port: 22
Connection type: SFTP
[Open]
login as: root
password: admin
- make sure the right pane is in the /tmp/root directory
- drag new-cfe.bin from left pane to right
- Close WinSCP
Step 8
Flash this custom CFE
- Tools\putty.exe
Host name: 192.168.1.1
Port: 22
Connection type: SSH
and Open
login as: root
password: admin
3 commands: (# is prompt)
# mtd unlock /dev/mtd0
# mtd write -f /tmp/root/new-cfe.bin /dev/mtd0
# exit
NVRAM discussion
Firmware is easily crashed by bad NVRAM data.
Until now, Linksys CFE reserved only 32KB for NVRAM.
Now the custom CFE and new firmware expect 64KB for NVRAM,
where data that was valid for the old firmware could crash the new firmware,
not to mention whatever is in the 32KB
that was not previously considered NVRAM.
Consequently, take every opportunity to clear NVRAM
until tweaking FreshTomato settings,
which will be after the *second* time booting into FreshTomato.
Step 9
Install FreshTomato by CFE Recovery Web Interface
Router must be coming from powered off state
while depressing the red reset button for 10-15 sec.
- click Restore default NVRAM values
- [Browse] to freshtomato-EA6500v2-ARM-2018.4-AIO-64K.trx
- [Upload]
- Flash can take up to five minutes;
check ping 192.168.1.1 for ttl=64 to see if it's done.
Step 10
reset NVRAM
- power off router
- press blue WPS button while powering on the router,
- continue holding WPS until the Linksys logo starts flashing -or- 15-20 seconds
- browse to 192.168.1.1
- Administration > Configuration > Restore Default Configuration >
Erase all data in NVRAM memory (thorough)
Step 11
Tweak and deploy FreshTomato
- First, reboot router
Wireless Ethernet Bridge configuration
Tomato routers offer
various wireless bridge modes, such as:
Wireless Client Bridge, Wireless Ethernet Bridge, and
WDS (Wireless Distribution System).
WDS
requires compatible support at both ends;
Sagemcom 5260 manual does not mention WDS..
Wireless Client Bridge mode
puts clients on a different subnet.
The FreshTomato owner declared wireless client bridge mode broken by multi-wan.
Wireless Ethernet Bridge is different
* wireless ethernet bridge should transparently bridge ethernet ports to Wi-Fi gateway
FWIW, Wireless Client Mode is a WAN Setting in FreshTomato:
Relevant entry from tools-survey:
My5G B8:EE:0E:BD:F2:BB -70 dBm 50% ch 155 5 GHz 80 MHz WPA2-Personal AES 11ac
basic-network.asp shows
Enable Wireless unchecked for 2.4 GHz/ eth1
.. but is otherwise default.
Both eth1 and eth2 were Access Point mode;
5 GHz/eth2 was 40 MHz Channel Width
Changed eth2 to:
Wireless Ethernet Bridge (from Access Point)
My5G (from Tomato50)
80 MHz (from 40)
with the Shared Key appropriate for that SSID.
Perhaps should have also changed EA6500v2 IP address?
New address 192.68.1.68 was assigned by MySpectrumWiFib4-5G DHCP;
can ping it at 192.68.1.68, but cannot login by web or putty SSH.
YouTube video streams fine; Speakeasy shows great speed
as does http://www.dslreports.com/speedtest?
Wireless client mode was broken after release 132, which preceded FreshTomato
Usage Documentation
- FreshTomato-ARM @ LinksysInfo.org
- Using QOS - Tutorial and discussion
(not necessarily Fresh) Tomato User Documentation
- Tomato Advanced Firmware Setup 8 Nov 2018
- Tomato Wireless Recommended Settings Sept 2018
- Tomato Firmware/Installation and Configuration 25 Jan 2018
- HaganFox.net - Tomato Firmware Setup Guide 4 Jan 2018
- SaferVPN - Manual OpenVPN setup for Tomato Router 14 Nov 2018
- Surfshark - AdvancedTomato 3-5.140 OpenVPN tutorial Jun 2018
- IVPN Tomato Setup Guide
- shibby Tomato IPVanish VPN setup
- shibby Tomato windscribe VPN setup
Probably NOT current for FreshTomato:
LearnTomato 16 Nov 2014
TomatoUSB Tutorials 8 Jun 2011