The Grumpy Editor's Tomato review
Your editor has just completed an important transition: moving his Internet connectivity from one evil branch of the local telecom duopoly to the other, equally evil branch. This change required the acquisition of a new router; that, in turn, provided the opportunity to play with Linux-based router software, and Tomato in particular. Read on for your editor's impressions of this impressive bit of (mostly) free software.
Tomato has its roots in the original Linksys WRT54G firmware. This firmware was first distributed as if it were proprietary software, but Linksys, under heavy GPL-enforcement pressure, eventually made the source available under the GPL. The existence of this source, along with the ease by which the Linksys routers could have new firmware installed, led to the creation of a number of firmware distributions, all of which added new features and otherwise improved on the original Linksys offering. Over time, Linksys (Cisco) has incorporated some of these improvements; the company also continues to offer a special version of its basic household router (the WRT54GL) which is explicitly designed to allow firmware replacement.
If a company is going to make a competitively-priced, Linux-based, user-hackable router, your editor feels an obligation to buy it. That choice is easy, but the choice of which replacement firmware to use is harder. There's a wide variety of offerings, including OpenWrt, DD-WRT, FreeWRT, and Tomato. There appears to be no easy way to pick one in particular; your editor started with Tomato because the screen shots looked nice and the installation instructions were straightforward. On the other hand, OpenWRT's installation instructions are simply missing (though some information is available on the OpenWRT wiki), and those for DD-WRT are lengthy and intimidating, making the process look similar to installing Gentoo.
The funny thing, of course, is that installing replacement firmware on a WRT54GL router is a trivial task: download firmware, go to the router's "upgrade firmware" screen, and upload the new blob. Two minutes later the job is done.
Your editor's first impression of Tomato is that it is great stuff - though reflection yields some concerns which will be discussed below. Tomato brings a whole range of new functionality to a cheap consumer device, yielding a degree of visibility into and control over the network which your editor has never had before. The web-based interface is slick - if JavaScript heavy - and mostly easy to use. It would have been nice to bring this device into the house some time ago, even if Evil Telecom #1's network did not require its presence.
One nice feature is simple bandwidth monitoring and display; there are a number of plots which can be brought up and watched in real time. The router is also able to store network statistics for a long period of time and produce plots on daily, weekly, or monthly scales. The only problem there is that the hardware lacks the storage for this amount of data; Tomato can work around that little limitation by using a built-in CIFS client to use storage found elsewhere on the net.
The Linux kernel has the facilities to exercise a great deal of control over the processing of network traffic. There is simple firewalling, of course, with the ability to decide which traffic is worthy of passage and which should be denied. But there is also an extensive traffic control subsystem allowing the user to prioritize the use of the available bandwidth. That feature is arguably underused because it takes a while to figure out how to configure it with the available command-line clients. Tomato provides a relatively straightforward mechanism for the creation of both access control and quality-of-service rules.
On the access control side, Tomato has a screen which allows the creation of rules for specific addresses and port numbers. Rules can be global, or they can apply only to traffic from specific machines on the local network. Rules can have a schedule attached so that, say, distracting web sites can be blocked during the day - encouraging accomplishment - while serious sites can be blocked at night - encouraging relaxation. Specific systems can be blocked from the net entirely on a schedule, a potentially useful feature for parents who have long since given up on trying to keep wireless-enabled devices out of the kids' rooms late at night.
Interestingly, Tomato does not stop with port-based restrictions; it also incorporates the L7-filter and IPP2P classifiers. Both modules are essentially deep packet inspection implementations, allowing the classification (and, thus, control) of traffic based on a look at the actual bits passing through. With L7-filter, for example, an administrator can block specific role-playing games, regardless of whether the official servers or ports are being used. There's a vast set of canned rules, enabling control of various instant messaging protocols, file formats, and more. It is now possible to block the downloading of Perl scripts - something which, while tempting, is probably unwise to actually do. IPP2P, instead, is more directly focused on the detection of peer-to-peer protocols. Together, they are a control freak's dream; network neutrality stops at the local router.
Even if a network administrator does not wish to ban, say, role-playing games outright, there is value in saying that such uses of the network should not interfere with real work like reading XKCD. That's where the quality of service (QOS) screens come in. QOS is a two-step process: dividing the available bandwidth among various classes of traffic, and assigning specific types of traffic to those classes. Tomato provides ten different classifications, each of which has a priority and a guaranteed bandwidth portion - all of which can be changed, of course. By default, only outbound (to the wide-area network) traffic is subject to control; it is possible to control inbound traffic, but, since that traffic has already passed over the WAN link by the time the router can work with it, there's usually little point. Classification rules look a lot like access control rules, allowing the use of addresses, port numbers, or classification by IPP2P or L7-filter.
With all this, the administrator can decree that, say, a certain proprietary role-playing game favored by the children is a very low priority stream - but it still gets a few percent of the available bandwidth so the kids do not suffer permanent trauma as a result of lag-induced fragging. Tomato can also generate pie charts showing (by classification) how bandwidth is being used currently; clicking on a classification yields a list of current connections. All told, it's a capable and easy-to-use way of ensuring that the network functions well even under heavy use.
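The two-step QoS model described above, as an added example that is not Tomato's own code or configuration: the Linux tc and iptables commands that Tomato's screens drive, with an HTB class tree (priority plus guaranteed share per class) for step one and mangle-table marking rules for step two. The interface name, link speed, class layout, the console's address and the availability of the l7-filter match are assumptions; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not Tomato's own code): the tc/iptables configuration that
# Tomato's two-step outbound QoS screens correspond to, as an HTB class tree
# plus mangle-table classification rules. Interface name, link speed, class
# layout and the game-console address are assumptions for illustration.
WAN="${WAN:-vlan1}"                     # assumed WAN interface name
UPLINK_KBIT="${UPLINK_KBIT:-1000}"      # assumed upstream capacity (kbit/s)
GAME_HOST="${GAME_HOST:-192.168.1.50}"  # assumed address of the kids' console
DRY_RUN="${DRY_RUN:-1}"                 # 1: print the commands; 0: execute (root)

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: divide the link among classes. Each class gets a priority and a
# guaranteed share, but may borrow up to the whole link when others are idle.
qos_classes() {
  run tc qdisc del dev "$WAN" root 2>/dev/null || true
  # unmarked traffic falls into the lowest class (1:50)
  run tc qdisc add dev "$WAN" root handle 1: htb default 50
  run tc class add dev "$WAN" parent 1: classid 1:1 htb \
    rate "${UPLINK_KBIT}kbit" ceil "${UPLINK_KBIT}kbit"
  # mark/classid  prio  guaranteed-%   (shares sum to 100)
  printf '%s\n' '10 0 20' '20 1 40' '30 2 30' '50 4 10' |
  while read -r id prio pct; do
    rate=$(( UPLINK_KBIT * pct / 100 ))
    run tc class add dev "$WAN" parent 1:1 classid "1:$id" htb \
      rate "${rate}kbit" ceil "${UPLINK_KBIT}kbit" prio "$prio"
    # fair queuing inside the class so one flow cannot starve its siblings
    run tc qdisc add dev "$WAN" parent "1:$id" handle "$id:" sfq perturb 10
    # packets carrying firewall mark N are steered to class 1:N
    run tc filter add dev "$WAN" parent 1: protocol ip prio 1 \
      handle "$id" fw flowid "1:$id"
  done
}

# Step 2: assign traffic to classes. "-m mark --mark 0" makes the rules
# first-match-wins, like an ordered rule list in the web interface.
classify() {
  mark="$1"; shift
  run iptables -t mangle -A QOS_OUT -m mark --mark 0 "$@" -j MARK --set-mark "$mark"
}
qos_rules() {
  run iptables -t mangle -N QOS_OUT 2>/dev/null || true
  run iptables -t mangle -F QOS_OUT
  run iptables -t mangle -D POSTROUTING -o "$WAN" -j QOS_OUT 2>/dev/null || true
  run iptables -t mangle -A POSTROUTING -o "$WAN" -j QOS_OUT
  classify 10 -p udp --dport 53                     # DNS: interactive, highest
  classify 10 -p tcp --dport 22                     # SSH: highest
  classify 20 -p tcp -m multiport --dports 80,443   # web: high
  classify 30 -p tcp --dport 25                     # mail: medium
  # the console lands in the lowest class whatever port it uses, but the
  # class's guaranteed 10% means it is never starved outright
  classify 50 -s "$GAME_HOST"
  # deep-packet classification needs the (unmaintained) l7-filter match;
  # assumed to be available, as it is on Tomato
  classify 50 -m layer7 --l7proto bittorrent
}

qos_apply() { qos_classes; qos_rules; }
qos_apply
```

Run with `DRY_RUN=0` as root to apply the configuration for real; the printed plan is what you would otherwise have to work out by hand from the tc and iptables documentation.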
Other features abound. There is a DHCP server, of course, along with a nice screen for doing static DHCP assignments without ever having to type a MAC address. The router can report its globally-visible address to a wide variety of dynamic DNS services. Incoming connections can be forwarded to internal machines in a flexible way. There is a "triggering" mechanism which automatically opens specific incoming ports in response to specific outgoing connections. Old-timers will see triggering as a way to support the full FTP protocol; everybody else will use it to enable incoming BitTorrent connections. And so on. It is, to say the least, a highly capable system.
The biggest operational problem your editor has experienced is the occasional dropping of long-lived SSH connections. A bit of research led to the tweaking of a few of the rather intimidating array of connection tracking parameters, and things would appear to have improved.
There are a couple of more general concerns, though. Like many of its peers, Tomato appears to be well past its active development phase; there were a few releases in 2009, but they did not make a great many changes. Meanwhile, its 2.4.20 kernel is rather far back from the leading edge, and both L7-filter and IPP2P are explicitly unmaintained. Given the steady stream of security updates for protocol dissectors in Wireshark, your editor has a hard time believing that these other classifiers can be completely free of security issues. But there is nobody maintaining them, and Tomato has no apparent means for the monitoring of security problems or the distribution of updates. Given that these routers are directly exposed to the net and are the first line of defense for many networks, the combination of ancient software and no security support is worrying.
Tomato is also not 100% free software. The core Linux system is, of course, free, but the user interface code carries a "for use with Tomato only" copyright notice. There is also the issue of the proprietary Broadcom network driver, but that's a problem any 2.4-based firmware for this router will have.
These concerns are strong enough that, despite Tomato's many qualities, your editor is not yet sure that he has found the final distribution for his router. In particular, OpenWRT - which offers a 2.6 kernel, a seemingly larger and more active development team, release notes with CVE numbers included, and a packaging system allowing others to add features to the router - seems worth a detailed look. The good news is that this choice exists and is easy to execute. That, in turn, is the result of the GPL and the developers who made an effort to enforce it.
The Grumpy Editor's Tomato review
Posted Jan 11, 2010 22:14 UTC (Mon) by gidoca (subscriber, #62438) [Link]
From the OpenWRT Kamikaze 8.09.2 release notes: "Note: The brcm47xx still won't work for those of you needing broadcom wifi, stick to brcm-2.4. We will tell you when it does work." So at least for the WRT54GL, OpenWRT won't give you a 2.6 Kernel either for now.
The Grumpy Editor's Tomato review
Posted Jan 11, 2010 22:22 UTC (Mon) by ebiederm (subscriber, #35028) [Link]
The Grumpy Editor's Tomato review
Posted Jan 11, 2010 22:56 UTC (Mon) by proski (subscriber, #104) [Link]
I tried the git snapshot with the Linux 2.6 kernel on WRT54GL, and it worked for me. The only problem is that luci (the web interface) had to be installed manually. Admittedly, I only needed the wireless interface in the station mode. Anyway, I think there are good chances we'll see free Broadcom support in the next release.
The Grumpy Editor's Tomato review
Posted Jan 11, 2010 23:21 UTC (Mon) by zuki (subscriber, #41808) [Link]
or un-encrypted access-point mode. I tried a few recent versions of the brcm47xx branch a few days ago and the router always resets on a successful authentication by a client - not good.
The Grumpy Editor's Tomato review
Posted Jan 12, 2010 2:08 UTC (Tue) by nbd (subscriber, #14393) [Link]
The Grumpy Editor's Tomato review
Posted Jan 12, 2010 7:55 UTC (Tue) by zuki (subscriber, #41808) [Link]
The Grumpy Editor's Tomato review
Posted Feb 15, 2010 21:59 UTC (Mon) by jengelh (subscriber, #33263) [Link]
The Grumpy Editor's Tomato review
Posted Jan 11, 2010 22:40 UTC (Mon) by smoogen (subscriber, #97) [Link]
The Linksys WRT54GL seems friendly at first, but then you have to deal with the Broadcom blob. Is Atheros-based hardware more hackable/long-term supportable?
The Grumpy Editor's Tomato review
Posted Jan 11, 2010 23:37 UTC (Mon) by eli (guest, #11265) [Link]
The Grumpy Editor's Tomato review
Posted Jan 11, 2010 23:50 UTC (Mon) by smoogen (subscriber, #97) [Link]
The Grumpy Editor's Tomato review
Posted Jan 12, 2010 2:09 UTC (Tue) by nbd (subscriber, #14393) [Link]
The Grumpy Editor's Tomato review
Posted Jan 12, 2010 5:32 UTC (Tue) by zooko (guest, #2589) [Link]
Linksys firmware that came with it. Seems to work fine.
The Grumpy Editor's Tomato review
Posted Jan 12, 2010 8:06 UTC (Tue) by djc (subscriber, #56880) [Link]
Anyway, I have an aging WRT54GL I'd like to replace by something that also runs Linux, but I hadn't previously found anything else like it, so I'm happy enough to hear about the 160NL and will probably get it soon (I also run tomato at home).
At work, we just replaced our WRT54GL by something a little bit more enterprisey (a DrayTek with dual WAN configuration), but had to install dnsmasq separately on one of our servers (it was previously running as a part of tomato).
I really like the slickness and full-featuredness of tomato, I hope the author will update it sometime soon.
The Grumpy Editor's Tomato review
Posted Jan 12, 2010 11:53 UTC (Tue) by nbd (subscriber, #14393) [Link]
The Grumpy Editor's Tomato review
Posted Jan 21, 2010 14:53 UTC (Thu) by jch (guest, #51929) [Link]
Any other hardware you can recommend for doing ad-hoc and master at the same time on a single radio? I've had little success with AR7.
Ubiquiti routers
Posted Jan 12, 2010 1:19 UTC (Tue) by Per_Bothner (subscriber, #7375) [Link]
Ubiquiti has various access points and routers, including the NanoStation 2 (which I have). They have Atheros hardware, and come with AirOS, which offers an "Open Source" Philosophy and Full SDK and Ubiquiti engineering support open for 3rd party firmware development. Not sure how much of AirOS is actually free software, but it can reportedly be reflashed with OpenWRT.
Ubiquiti routers
Posted Jan 14, 2010 12:14 UTC (Thu) by dion (guest, #2764) [Link]
Older AirOS versions (<5) were home-rolled Linux 2.4 distributions, where most things are OpenSource and delivered with the SDK, the exceptions being a few Atheros blobs and some userspace programs.
AirOS 5 is a customized OpenWRT, with Linux 2.6, with a specialized init and user interface.
The proprietary blobs in AirOS 5 are: Atheros blobs, Ubiquiti userspace and kernel blobs.
The amount of binary blobs is limited in any case and Ubiquiti hasn't gone out of their way to make it hard to customize the system.
The Grumpy Editor's Tomato review
Posted Jan 12, 2010 1:39 UTC (Tue) by ras (subscriber, #33059) [Link]
http://oldwiki.openwrt.org/OpenWrtDocs(2f)Hardware(2f)Asus(2f)WL500W.html
The Grumpy Editor's Tomato review
Posted Jan 12, 2010 2:10 UTC (Tue) by nbd (subscriber, #14393) [Link]
The Grumpy Editor's Tomato review
Posted Jan 12, 2010 6:43 UTC (Tue) by verbovet (guest, #46457) [Link]
The Grumpy Editor's Tomato review
Posted Jan 14, 2010 10:02 UTC (Thu) by Frej (guest, #4165) [Link]
on wired. The standard firmware might be better, but i haven't really tried.
Also i still don't have 802.11n with openwrt (stable).
WRT-Alternatives
Posted Jan 12, 2010 9:58 UTC (Tue) by Felix.Braun (guest, #3032) [Link]
I'm very happy with my Fonera2.0: Atheros chipset + USB 2.0. It runs quite well with OpenWRT although there are occasional issues because it still relies on the madwifi driver. They even have a model with 802.11n WiFi but I don't have any experience with that particular model.
Their official Firmware is OpenWRT based and they employ some of the OpenWRT hackers, so it can be expected that the hardware will be well supported, even in the future.
WRT-Alternatives
Posted Jan 21, 2010 14:55 UTC (Thu) by jch (guest, #51929) [Link]
The non-N Fonera models (original, + and 2) use the Madwifi drivers, which include a binary blob.
Look at Ubiquiti RouterStation Pro
Posted Jan 14, 2010 11:59 UTC (Thu) by dion (guest, #2764) [Link]
http://www.ubnt.com/products/rspro.php
I can't recommend Ubiquiti products enough, somehow they manage to do cheap, flexible and high-quality at the same time.
The Grumpy Editor's Tomato review
Posted Jan 11, 2010 22:43 UTC (Mon) by timh (subscriber, #1946) [Link]
testing with your choice of router firmware.
After I switched branches of the telecom duopoly, I continued to use OpenWrt and it looked like they weren't delivering the promised performance. But, after running tests using the telco provided router, it turned out the performance problem was in the Linksys/OpenWrt combination.
Also, you might want to take a look at http://x-wrt.org, which provides a web interface to tame OpenWrt.
Performance
Posted Jan 12, 2010 0:17 UTC (Tue) by corbet (editor, #1) [Link]
That's a good point. I didn't really even think about it because, with Tomato, the WRT54GL is able to run my (10Mb) connection at full speed without really even getting warm, even with QOS and L7 turned on. If OpenWRT is not able to do the same, that would certainly be worth noting.
Performance
Posted Jan 12, 2010 2:16 UTC (Tue) by nbd (subscriber, #14393) [Link]
With 2.4 the difference won't be as big, but if I remember correctly, our 2.4 kernel also contains some performance enhancements that were not merged back into the 8.09 release branch.
The Grumpy Editor's Tomato review
Posted Jan 19, 2010 13:54 UTC (Tue) by HelloWorld (guest, #56129) [Link]
The Grumpy Editor's Tomato review
Posted Jan 11, 2010 23:43 UTC (Mon) by eli (guest, #11265) [Link]
And if the Grumpy Editor is up for more bleeding-edge development combined with a $100 expenditure, I'd be interested to see what he thinks of those firmwares running on the WRT160NL. (I, sadly, have utterly failed to even attempt this, despite purchasing two of those routers. I shall get a round "toit" yet!) The WRT160NL is the successor to the WRT54GL: it runs Linux and has twice the memory and twice the speed of the venerable WRT54GL, and if I am not mistaken, requires no binary blobs. (Also note that the 'L' is very important; the WRT160N has completely different hardware.)
The Grumpy Editor's Tomato review
Posted Jan 12, 2010 4:17 UTC (Tue) by louie (guest, #3285) [Link]
The Grumpy Editor's Tomato review
Posted Jan 14, 2010 19:12 UTC (Thu) by dsommers (subscriber, #55274) [Link]
After this thread, I'm not even going to consider DD-WRT, unless they change their security attitude and prove it by acting differently.
The Grumpy Editor's Tomato review
Posted Jan 12, 2010 7:41 UTC (Tue) by cmot (guest, #53097) [Link]
Access Point" explicitly. There is some kind of source download, but since it does what we need it for with the default firmware, I haven't investigated if it's actually usable to build a customized firmware or if there are free firmware replacements. Has anybody done so?
And, a bit OT, another piece of hardware which deserves a plug (I just bought one, I don't work there or anything) because the manufacturer not only tolerates FOSS firmware replacements, possibly even after threats etc., but actively encourages it: QNAP's storage appliances. The default firmwares are nice, but of course I just had to run Debian on mine... :-)
The Grumpy Editor's Tomato review
Posted Jan 12, 2010 22:42 UTC (Tue) by Chousuke (subscriber, #54562) [Link]
The default firmware may well be good enough for me, but it's reassuring to know that I can use Debian should QNAP's own software prove insufficient.
The Grumpy Editor's Tomato review
Posted Jan 12, 2010 9:02 UTC (Tue) by ikke (guest, #33529) [Link]
The Grumpy Editor's Tomato review
Posted Jan 12, 2010 9:05 UTC (Tue) by ikke (guest, #33529) [Link]
The Grumpy Editor's Tomato review
Posted Jan 12, 2010 9:11 UTC (Tue) by djc (subscriber, #56880) [Link]
The Grumpy Editor's Tomato review
Posted Jan 12, 2010 17:08 UTC (Tue) by Thalience (subscriber, #4217) [Link]
http://www.tp-link.com/products/productDetails.asp?class=...
The Grumpy Editor's Tomato review
Posted Jan 12, 2010 18:37 UTC (Tue) by djc (subscriber, #56880) [Link]
The Grumpy Editor's Tomato review
Posted Jan 12, 2010 20:03 UTC (Tue) by Thalience (subscriber, #4217) [Link]
The Grumpy Editor's Tomato review
Posted Jan 13, 2010 2:16 UTC (Wed) by smoogen (subscriber, #97) [Link]
The Grumpy Editor's Tomato review
Posted Jan 13, 2010 17:46 UTC (Wed) by johill (subscriber, #25196) [Link]
The Grumpy Editor's Tomato review
Posted Jan 13, 2010 17:53 UTC (Wed) by pj (subscriber, #4506) [Link]
The Grumpy Editor's Tomato review
Posted Jan 13, 2010 9:31 UTC (Wed) by arekm (subscriber, #4846) [Link]
People are doing interesting things with it already like replacing 32MB memory with 64MB chip (works fine), putting usb hub inside of the case (to have more usb ports) or putting 1.8" hdd and then boot from that hdd instead of flash.
http://openlinksys.info/forum/viewthread.php?forum_id=63&...
The Grumpy Editor's Tomato review
Posted Jan 14, 2010 12:23 UTC (Thu) by dion (guest, #2764) [Link]
http://www.ubnt.com/products/rspro.php
... oh and it's cheap too:)
The Grumpy Editor's Tomato review
Posted Jan 14, 2010 21:40 UTC (Thu) by bfields (subscriber, #19510) [Link]
A *case* is one feature that doesn't usually show up on checklists, but that can be nice.... And will anyone actually sell you one of those? (OK, I didn't look too hard.)
The Grumpy Editor's Tomato review
Posted Jan 16, 2010 8:58 UTC (Sat) by dion (guest, #2764) [Link]
http://www.netgate.com/product_info.php?cPath=60_84&p...
... but you're right, it's quite strange that Ubiquiti themselves didn't run off a simple box for the boards.
Quote: "making the process look similar to installing Gentoo."
Posted Jan 15, 2010 0:35 UTC (Fri) by golding (guest, #32795) [Link]
right there!
That is why I like my WRT54G, I essentially built the firmware, not just installed it, just like Gentoo, which I also use.
Regards, Rob
The Grumpy Editor's Tomato review
Posted Jan 16, 2010 16:05 UTC (Sat) by chsnyder (guest, #52714) [Link]
And though I, too, lament the lack of active development, I think that all of the open firmwares are a huge step up securitywise from the proprietary factory firmware that home/office routers use. I don't think we have many years left before the botnets move out of desktops and into the network infrastructure where they can much more effectively hide, and play man in the middle for an entire network in one shot.
Router manufacturers don't have any incentive to make great software or patch security flaws. They would rather that you buy a new router every few years, and they know most consumers aren't going to test-drive the interface before they do. Every consumer router I've purchased since 2002 (including Apple gear) has been buggy under everyday use. Not a good sign for attack worthiness.
To everyone pushing Open-WRT development (and Tomato, too!) thank you. This is hugely important work.
The Grumpy Editor's Tomato review
Posted Jan 23, 2010 15:59 UTC (Sat) by dnl (subscriber, #13782) [Link]
Amen, brother, Amen.
Voting with your wallet is a most compelling input to any manufacturer. I completely agree with this and practice it whenever I can--even if I don't feel the need to hack that particular bit of hardware.
DRM-free media is another primary example.
I also humbly suggest this be done with books that are available online *and* in print (e.g., Rute Linux and the SVN book). I have online and printed copies of these and others.
Bottom line--if you have a choice to support freedom, do so.
The Grumpy Editor's Tomato review
Posted Feb 15, 2010 22:04 UTC (Mon) by jengelh (subscriber, #33263) [Link]
The Grumpy Editor's Tomato review
Posted Mar 2, 2010 20:09 UTC (Tue) by ernstp (guest, #13694) [Link]
http://www.netgear.com/Products/RoutersandGateways/Wirele...