Tomato FAQ

Tomato's Frequently Asked Questions & Tips

Note: Most WRT54G and WRT54GS (not WRT54GL) sold in stores right now are the v5.0+ variety and will not work with Tomato.
Look at the bottom side of the router to check for the version number, or compare the first 4 characters of the serial number with the following list:
CDF0/CDF1 = WRT54G v1.0
CDF2/CDF3 = WRT54G v1.1
CDF5 = WRT54G v2.0
CDF7 = WRT54G v2.2
CDF8 = WRT54G v3.0
CDF9 = WRT54G v3.1
CDFA = WRT54G v4.0
CGN0/CGN1 = WRT54GS v1.0
CGN2 = WRT54GS v1.1
CGN3 = WRT54GS v2.0
CGN4 = WRT54GS v2.1
CGN5 = WRT54GS v3.0
CGN6 = WRT54GS v4.0
CL7A = WRT54GL v1.0
CL7B = WRT54GL v1.1
CL7C = WRT54GL v1.1
CF7C = WRT54GL v1.1

If it's not listed above, and it's not a WRT54GL, it's not supported.
Please see the included readme for detailed instructions and warnings.

For the WL-520GU, try renaming tomato-ND.trx to WL520gu_2.0.0.9_EN.trx and upgrade as usual.
Note: If you're using a Motorola router, install the original firmware first. See the included readme for additional information.

Note: If you're using the DD-WRT firmware, please see the information below about password incompatibility.

Open the router's GUI in your browser, use the same procedure as upgrading a firmware, pick a Tomato firmware file that is appropriate for your router, and "upgrade." If you can't find a file that exactly matches your router (and your router is supported by Tomato -- check!), *choose any* of the files. You can also try renaming the .TRX file to .BIN to see if that helps. Don't worry, the header/signatures are different for each file, but they are exactly the same once installed.

Please see the included readme also.
Important: Make sure the firmware you are going to use is the correct type for your router. Tomato will accept WRT54G/GL, WRT54GS, WRT54GSv4, WRTSL54GS, WR850G and TRX types of files, but it cannot check if the firmware actually supports your router.

Open Tomato's GUI in your browser, go to Administration/Upgrade, select the file and click the Upgrade button.
Yes. It uses the Linux kernel and most of the utilities provided in Linksys' WRT54GL source code as a starting point. Besides the visible GUI change, a lot of the code inside has also undergone extensive changes to add new features, fix problems, optimize and reduce the size.
Make sure you're entering the username "admin" or "root". Unlike the Linksys firmware, they are required in Tomato.

If you're upgrading from the DD-WRT firmware, telnet into the router *before* upgrading and type "nvram get http_passwd". The result will be your password in Tomato. This is necessary because of a change in DD-WRT's way of using the standard http_passwd variable.

If you have a Buffalo router or a Linksys with a pushable Cisco logo, push the AOSS/Cisco button for at least 20 seconds, then telnet into the router on port 233. Type "nvram get http_passwd" to retrieve the password or "nvram set http_passwd='your_new_password'" followed by "nvram commit" to set it manually. Reboot the router using the command "reboot" after using this method.

If nothing else works, push the reset button for a few seconds to reset all of the settings. The default password after resetting is "admin".
If you're upgrading from an older version of Tomato, you don't need to perform a reset. Unless indicated in the release notes, Tomato will automatically upgrade older configurations if necessary.

If you upgraded from another firmware, a complete reset is recommended. Go to Administration/Configuration and select "Erase all NVRAM..." after installing Tomato.
Unless it's specifically for Tomato, probably not. The popular one floating around with several "echo xxx > xxx" lines is for an older version of HyperWRT and not necessary in Tomato.

The default maximum connections in Tomato is 4096. The default established timeout value (the infamous "5 day" value) is 4 hours. You can change these values in Advanced/Conntrack if you like.
  • Verify that hostname is valid (Basic/Identification).
  • Go to Advanced/DHCP and try enabling "Reduce Packet Size".
  • If you disabled NAT Loopback in Advanced/Firewall, try enabling it.
  • Try releasing -then- renewing the lease from your computer. In Windows, you can type "ipconfig /release" followed by "ipconfig /renew" from the command line.
Check if your wireless card has an updated driver available. Some notebook manufacturers customize the drivers, so check their site first.

If you have an HP + Intel 2200BG, the following reportedly fixes a disconnect problem:
Free memory is often used temporarily for cache and is automatically freed when needed. If you want the free memory display to count the cache size as free memory, go to Administration/Debugging. But unless you're getting error messages about not having enough memory, don't worry about it.
This is probably more commonly known to some as Samba or Windows Shared Folders or the "\\machine\share" thing. It's used to make a drive from a computer or device accessible from within the router.
  • Use an IP address. ex: \\\share
  • Use a regular account that requires username/password instead of a guest account.
  • Make sure the account has read/write permission.
  • Make sure NAT Loopback is enabled in Advanced/Firewall.
It's a filesystem that is used to turn an unused portion of the router's NVRAM into a writable space.
|   CFE    |
| firmware |
~          ~
~  unused  ~
~          ~
|  config  |
Note: The CFE and config areas are constant in size, but the firmware size may change when you upgrade. Because of this, the unused portion used by JFFS2 may also shrink or expand, erasing the data in the JFFS2. Always back up your data before upgrading.
It's a directory that is accessible/writable from within the router. Examples: "/tmp/", "/cifs1/mystuff/" (if you mounted a drive). Windows "C:\directory\" should not be used. If you want to save the data to your computer's hard drive, use CIFS.
Some settings are saved in the browser as cookies, so make sure your browser is not set to erase these cookies.

Opera users should try using the router's hostname (http://hostname/) when accessing the router's GUI since Opera doesn't seem to save cookies when using an IP address.
If you're using Firefox or Opera, upgrade to the latest version. If you're using Internet Explorer, you need to install the Adobe SVG Viewer. If you're using Safari, install the latest Safari 3.

Note: Having a browser that has SVG support doesn't necessarily mean you will be able to view the graphs. Some implementations may be good for displaying simple static SVG, but may not support all features needed by Tomato.
Inside or outside of the DHCP range will work, but it's probably better to use an address outside of the range so it doesn't get in the way.
Use static DHCP in Basic/Static DHCP. If you don't want to use static DHCP, you can still use the page by entering 00:00:00:00:00:00 as the MAC address.

Names that have a dot, like "foo.lan", are treated as regular domain names. Undotted names like "foo" use the router's domain name. Multiple names may be entered by separating them with spaces (foo1 foo2).

The hostnames should work on all computers connected to the LAN as long as the router's DNS forwarder is used (the default setting). They will not work from the Internet side.
The most common setup is to simply use a straight port forwarding like the following examples:

Forward a single port:
External Ports: 5050
Internal Ports: (blank)
Internal Address: (your computer's IP address)
Forward a range of ports:
External Ports: 330-340
Internal Ports: (blank)
Internal Address: (your computer's IP address)
Forward multiple ports:
External Ports: 600,700,800-899
Internal Ports: (blank)
Internal Address: (your computer's IP address)

You can also forward a port to a different internal port:
External Ports: 888 (as seen from the Internet)
Internal Ports: 999 (as seen inside your LAN)
Internal Address: (your computer's IP address)
Entering ranges or multiple ports is not supported if forwarding to a different internal port.

Tip: Make sure the address always matches your computer's IP address by using Static DHCP.
This is a type of port forwarding where external ports are only opened if data is sent to a trigger port from your computer. Example:
Trigger: 1001-1005
Forwarded: 2000-2005
If my computer sends data to ports in the 1001 to 1005 range, ports 2000 to 2005 are opened and forwarded to my computer.
blocked     <-- 2003 <-- cow@internet
blocked     <-- 2001 <-- duck@internet

my computer --> 1002 --> duck@internet

my computer <-- 2001 <-- duck@internet
my computer <-- 2003 <-- cow@internet
my computer <-- 2002 <-- frog@internet
When my computer stops using all of the ports, the forwarding automatically stops after a few minutes.
  • Firewall Protection -- Firewall is always enabled in Tomato.
  • Block Anonymous Internet Requests, Filter Multicast, Filter Internet NAT Redirection -- Reversed and renamed to "Respond to Inbound Ping", "Allow Multicast" and "NAT Loopback" since these are closer to what they actually do.
  • Filter IDENT -- Not supported, but you can use Access Restriction to block destination port 113.
  • Block Active X, Java, P2P -- Use Access Restriction.
  • Block Cookies, Port Scan -- Not supported.
These options are not supported in Tomato. They are actually labeled a little bit incorrectly in Linksys' firmware: when disabled, ports were blocked; when enabled, they did nothing.

If it worked before with the Linksys firmware when the "passthrough" was enabled, they should work fine under Tomato without any additional settings.
No. In Tomato, these buttons are assigned to be wireless on/off switches by default. They can also be configured to do other tasks like running a custom script.
Reports indicate yes on both platforms. AOSS-based setup is not supported.
Check with your DDNS provider's help pages for the exact format. It's the same type of URL that you can enter in your regular web browser.

  • The keyword @IP can be used if you need to insert the current WAN IP address.
  • Basic authentication can be entered using the "http://username:password@domain/" notation.
  • POST requests are not supported.
You can use "standard Linux commands." Google to find a list of the most common ones. But keep in mind that only a few are included and most are simplified Busybox versions.

Some interesting utilities to play with: wl, nvram, ttcp, iptables, top
  • The startup script runs at startup or when the router is soft-restarted.
  • The shutdown script runs when the router is shutdown, rebooted, or soft-restarted.
  • The firewall script runs after setting up the firewall/iptables rules which means it will run after the WAN is connected and whenever there are changes to the configuration that affect the firewall.
  • The WAN UP script runs when the WAN is connected.
  • The SES/AOSS scripts run when the SES or AOSS buttons are pushed. The first argument passed to this script is the number of seconds the button was held.
  • The Auto/Bridge script, which is only in Buffalo routers, runs whenever a change in the auto/bridge switch at the bottom of the router is detected. It will also run at startup so the initial position can be read (see example on how to avoid running at startup). The first argument passed to this script is the word "auto" or "bridge".
The startup script actually runs ahead of some services. Things that involve networking, for example, are not going to be up yet when the startup script begins. To work around this, use "sleep 5" or a similar command to wait until what you need is up and running. Better yet, consider putting the script in other areas like the firewall script where you're assured that the network is ready.
Use a utility called "cru". Examples:
# cru
add:    cru a <unique id> <"min hour day month week command">
delete: cru d <unique id>
list:   cru l

# cru a TwiceMonthlyReboot "0 3 1,15 * * reboot"
(03:00, 1st and 15th of every month)

# cru a SundayWanRestart "0 2 * * 0 service wan restart"
(02:00, every Sunday)

# cru a NightLightOn "0 20 * * * led white on aoss on"
(20:00 everyday)

# cru a NightLightOff "0 6 * * * led white off aoss off"
(06:00 everyday)
If you'd rather do this manually: Tomato uses Busybox's crond implementation which doesn't use the same files as the ones found in DD-WRT or HyperWRT (Vixie). The cron file is in /var/spool/cron/crontabs/root.
It's a text from the URL. More specifically, from the hostname, path and query parts of a URL:
Multiple words can be entered by using spaces or new lines:
word1 word2
These are treated as an "OR" expression: "If word1 OR word2 OR word3 matches, block."

You can use some special characters to specify how to match:
pies$ (ends with pies)
^pies (begins with pies)
^pies$ (pies exactly)
Some limitations: The hostname is a separate string from the path?query (path and query are considered as one string), so a single keyword can't span both. Other parts, like the POST data or the content of the requested pages, are not checked. Escaped characters are not decoded.
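To make the matching rules above concrete, here is an added Python model (not Tomato's own code) that applies the ^ and $ anchors to the hostname and to the path?query separately, as the text describes, without decoding escaped characters. It assumes a bare keyword is a plain substring match, which the page does not spell out.

```python
"""Model of the Access Restriction "HTTP Request" keyword matching.

Added example, not Tomato's own code. Assumptions: a bare keyword is a
substring match; the hostname and the path?query are two separate strings.
"""
from urllib.parse import urlsplit


def split_request(url):
    """Return (hostname, path?query) as two separate strings.
    The fragment is never sent to the server, so it is dropped."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return host, target


def word_matches(word, text):
    """Apply the ^ (begins with) and $ (ends with) anchors to one string.
    %XX escapes are deliberately NOT decoded, mirroring the stated limitation."""
    starts = word.startswith("^")
    ends = word.endswith("$")
    core = word[1 if starts else 0:len(word) - 1 if ends else len(word)]
    if starts and ends:
        return text == core          # ^pies$  -> exactly "pies"
    if starts:
        return text.startswith(core) # ^pies   -> begins with "pies"
    if ends:
        return text.endswith(core)   # pies$   -> ends with "pies"
    return core in text              # pies    -> contains "pies" (assumed)


def is_blocked(rule_words, url):
    """Words separated by spaces are OR'ed: block if any word matches either
    the hostname or the path?query string (never a span across both)."""
    host, target = split_request(url)
    return any(word_matches(w, host) or word_matches(w, target)
               for w in rule_words.split())
```

Note that `is_blocked("example.com/pies", ...)` never matches, because the keyword would have to span the hostname and the path.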

See also:
Go to the Access Restriction page, and add a new rule with "Type" set to "Disable Wireless Radio".

If your router has an AOSS or SES (Cisco logo) button, you can also disable wireless temporarily by pushing the button for 2 seconds.
Here's an example basic 2-router setup as configured in the Basic/Network page:

#1 - 00:11:11:11:11:11
The WAN port of this router is connected to the Internet.
(configure normally)

IP Address =
DHCP Server = enabled

Wireless Mode = Access Point + WDS
SSID = samessid
Channel = 3
Security = WPA Personal
Encryption = AES
Shared Key = samesharedkey
WDS = Link With
MAC Address = 00:22:22:22:22:22 (the *wireless* MAC of the 2nd router)

#2 - 00:22:22:22:22:22
The WAN port of this router is not used.
Type = Disabled

IP Address =
Default Gateway = (the 1st router's IP address)
Static DNS = (the 1st router's IP address or any DNS server)
DHCP Server = Disabled (the 1st router handles it)

Wireless Mode = Access Point + WDS
SSID = samessid
Channel = 3
Security = WPA Personal
Encryption = AES
Shared Key = samesharedkey
WDS = Link With
MAC Address = 00:11:11:11:11:11 (the *wireless* MAC of the 1st router)
Once you configure #2, you can hook up wired computers on it or use it as a second AP to extend your LAN's wireless range. As long as you configure your notebook not to stick to a single MAC address, it should switch automatically to the strongest signal as you move around.

You can chain several more routers this way by changing the WDS' MAC address field.
#1 --- #2 --- #3

   #1
   /  \
  /    \
#2      #3
But avoid creating a loop or a situation where there are multiple paths:
   #1
   /  \
  /    \
#2 ---- #3

   #1
   /  \
  /    \
#2      #3
  \    /
   \  /
   #4
If you have to do this for link redundancy, try enabling STP in Advanced/Routing to avoid problems.
Try setting the security setting to WPA Personal on both ends.
This is a tough one to answer since it depends on what you need. But in most cases, simply entering 90% of your maximum upload speed in QOS/Basic, putting your VOIP device's (if you use one) MAC address on "Highest" and on the top of the classification list, and leaving everything else as-is will get you up and running quickly. If you need a more complex setup, check one of the Linksys forums for more examples or additional help.
Whenever your computer opens a connection to the Internet, the router will try to determine what "class" it should be in by following the "rules" in the QOS/Classification page. A "class" is basically a group rate and speed limit as set in QOS/Basic Settings.
Here's a detailed explanation of the default rules in QOS/Classification:
#1: WWW
Class: High
TCP Dst Port: 80,443
Transferred: 0 - 512KB
Connections that have a destination port of 80 or 443 (outbound; 80 is the standard HTTP/WWW port, 443 is the standard HTTPS port), and have transferred LESS than 512 KB of data (outbound / upload) are put in the "High" class.

This makes web browsing a priority, as long as we're not uploading a big file.
#2: WWW (512K+)
Class: Low
TCP Dst Port: 80,443
Transferred: 512KB+
Connections that have a destination port of 80 or 443 (same as rule #1), and have transferred MORE than 512 KB of data (outbound) are put in the "Low" class.

This makes sure long browser uploads do not monopolize the bandwidth. It also makes sure other applications that may use the same ports, like P2P, do not hog the bandwidth.
#3: DNS
Class: Highest
TCP/UDP Dst Port: 53
Transferred: 0 - 2KB
Connections that have a destination port of 53 (outbound), and have transferred less than 2 KB of data (outbound / upload) are put in the "Highest" class.

This makes DNS lookup a priority.
#4: DNS (2K+)
Class: Lowest
TCP/UDP Dst Port: 53
Transferred: 2KB+
Connections that have a destination port of 53 (same as rule #3), and have transferred more than 2 KB of data (outbound) are put in the "Lowest" class.

This makes sure other applications that may use the same ports, like P2P, do not hog the bandwidth.
#5: Bulk Traffic
Class: Lowest
TCP/UDP Dst Port: 1024-65535
Connections that have a destination port of 1024 to 65535 are put in the "Lowest" class.

High port numbers are often used for non-essential services like P2P, so this puts them in the "Lowest" class.

And finally... Ports 1 to 1023, which don't match any of the rules above, are set to the default (see QOS/Basic Settings) "Low" class.

Additional notes:
  • The rules are evaluated top to bottom, as shown in the GUI. The *first* one that matches sets the class.
  • #2, #4, #5 set the class permanently since once they match, there's no possible change left to expect. #1 and #3 set the class temporarily since changes to bytes transferred may go beyond the specified limit.
Connections that travel from your computer directly to the router (the endpoint is the router) are never classified. Connections that travel from the Internet to your computer or router, but not the other way around are also not classified.
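As an added example (not Tomato's own code), this Python model walks the five default rules and the default class exactly as described above, first match wins, and reports whether the resulting class is permanent or still temporary. The `to_router` and `outbound` flags are my own way of representing the two unclassified cases; treating exactly 512 KB or 2 KB as still "less than" is an assumption, since the page only says "less than" and "more than".

```python
"""Model of Tomato's default QOS/Classification rules (added example)."""

KB = 1024

# (name, class, protocols, destination ports, (min_bytes, max_bytes) or None)
# Byte counts are outbound ("Transferred"), as the FAQ describes.
DEFAULT_RULES = [
    ("WWW",          "High",    ("tcp",),       "80,443",     (0, 512 * KB)),
    ("WWW (512K+)",  "Low",     ("tcp",),       "80,443",     (512 * KB, None)),
    ("DNS",          "Highest", ("tcp", "udp"), "53",         (0, 2 * KB)),
    ("DNS (2K+)",    "Lowest",  ("tcp", "udp"), "53",         (2 * KB, None)),
    ("Bulk Traffic", "Lowest",  ("tcp", "udp"), "1024-65535", None),
]
DEFAULT_CLASS = "Low"   # QOS/Basic Settings default for anything unmatched


def port_in_spec(port, spec):
    """Parse a GUI-style port list such as "600,700,800-899" and test membership."""
    for item in spec.split(","):
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(item) == port:
            return True
    return False


def classify(proto, dst_port, sent_bytes, to_router=False, outbound=True):
    """Return (class, permanent) for one outbound connection, or None when
    Tomato would not classify it at all (endpoint is the router, or the
    connection only travels inbound). Flags are this example's own modelling."""
    if to_router or not outbound:
        return None
    for name, cls, protos, ports, limit in DEFAULT_RULES:
        if proto not in protos or not port_in_spec(dst_port, ports):
            continue
        if limit is not None:
            lo, hi = limit
            # Boundary assumption: exactly lo counts as "lo+", exactly hi still
            # counts as "0 - hi"; the page does not state this either way.
            if sent_bytes < lo or (hi is not None and sent_bytes > hi):
                continue
            # An upper bound means more data can still push the connection
            # past it, so that classification is only temporary (#1, #3).
            return cls, hi is None
        return cls, True          # no byte limit: nothing left to change (#5)
    return DEFAULT_CLASS, True
```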
Try searching for Robson's WRT54 Script Generator.
Go to Administration/Debugging and enable "Avoid commiting to NVRAM". To make the router stay in this mode even after a reboot, click "NVRAM Commit" after clicking "Save."

When you're done, you can undo changes by rebooting or commit the changes by clicking on the "NVRAM Commit" button.
Yes. The new DST is supported in the US/Canadian timezones: Alaska, Pacific, Mountain, Central, Eastern, Atlantic, Newfoundland. If I missed something else, let me know (see bottom of FAQ).
In Administration/Access, select "Custom" as the color scheme and create a CSS file in /var/wwwext/custom.css (/www/ext/custom.css).

One way to create this file is to use a startup script similar to the following (the here-document must be closed with a line containing only END):
mkdir /var/wwwext
cat <<END >/var/wwwext/custom.css
---insert css here---
END
You can use as a template or if you want the long version.

Here are a few examples sent in by users:
See the firmware page:
See the README included with the firmware for additional information.

For other questions/problems, try the following: Please try these first. Thanks. :)
Send as much information as you can, including steps on how to reproduce the problem, "nvram show", logs, caps or other files (see Administration/Debugging) if you think it would help. You can send it to .
You can send it to the same email address above. But please understand that I cannot implement all suggestions that I receive. And please keep the suggestions within Tomato's "small and simple" theme. :)