A good resource on router information is the OpenWRT Wiki (in addition to Deviwiki).
It shows that WNDR3700v3 is the only one out of five WNDR3700 versions that has a Broadcom chipset (Tomato is only for Broadcom routers). Your v4 has an Atheros chipset (ruling out Tomato), and is supported by DD-WRT, OpenWRT and Gargoyle.
DD-WRT is a bit unstable. Gargoyle is an outdated, but beginner-friendly OpenWRT fork. For maximum features and modernity, OpenWRT is generally recommended. You can refer to the OpenWRT Wiki linked before for installation instructions (TFTP flashing OpenWRT directly is one way to go, or you could TFTP flash stock and then upload OpenWRT via stock WebUI).
As for OpenWRT's interface, the default LuCI is pretty popular and well-regarded. But you can install other interfaces on OpenWRT if you prefer.
Here are the common vulnerabilities affecting some Tomato routers:
Also make sure your network has no access points with WPS enabled (you can check with your phone), otherwise bad things can/will happen.
You should probably also elaborate on "weekly hacks". Even Shibby shouldn't be susceptible to a takeover given the proper configuration. Do you have any IoT devices sitting on your router talking to the internet? Is your wifi security WPA2 on every antenna (Basic Settings -> Network)?
No problem. So I just remoted in home, and realized that I didn't even set this up after putting Advanced Tomato on my R7000.
So I checked the Plex server settings, and sure enough, it was red and stated 'unavailable outside the network'. Went to plex.tv here at work, and it said it was inaccessible. I added the default external port (as you did) and my internal IP, then saved it and gave it 30s. It worked fine for me on plex.tv, and myip:32400.
if you go into your plex server settings/remote access, is it all green?
> the theme must be set after every reboot
Perhaps FreshTomato has a way to set the theme via the command line (something like UCI on OpenWrt), in which case you could probably use cron to have those commands run at boot.
Just throwing that out there as a possible idea. Like I said, it's been about a decade since I last used Tomato, so I don't know if it can do that or not.
Sadly, (not-shady) VPN subscriptions cost money. There are a lot of different ones (and often deals to be found), but Mullvad is great and costs 5 euros a month.
The router you use is also important; for running VPN, a slow MIPS router won't suffice and you should use a fast ARM router instead (think ASUS RT-68U/Netgear R7000 or faster). This is because the computational load of decryption is lifted from your PC onto your router. If your current router is slow, you may be better off installing the provider's client software on your PC rather than buying a new router.
As for secure protocols, you should use either OpenVPN or Wireguard. OpenVPN is more commonly supported, but Wireguard can be faster. Either is fine.
Linksys WRT3200ACM amazon
It sounds like you're fairly green to this, so I advise you to approach with caution. If you're not careful and do not follow the appropriate instructions, you could potentially brick your R7000. With that being said, in the event you don't like Tomato, Shibby allows you to revert back to stock fairly easily.
> Mainly I want good VPN access via ExpressVPN
No. Shibby offers a couple of different options like OpenVPN and PPTP, but ExpressVPN (from what I understand) is proprietary Netgear software which you would be blowing away.
> and also the ability to manage the NAS section of it via a web browser (similar to ReadyCloud)
You can manage basic attributes of the NAS portion -- like creating a share, assigning users, etc. -- but seeing the files directly from a UI is out of scope.
I guess you have two options here.
Set up Pi-hole and set up per-device blocking.
Or you could set up a separate network like this guide:
https://learntomato.flashrouters.com/setup-guest-network-guest-wifi-tomato-vlan/
Then in the firewall settings, you could redirect all requests on your children’s subnet to the filtered DNS. I’m on mobile but it would be something like:
# Redirect every DNS request (TCP and UDP port 53) from the children's /24 to the filtered resolver
iptables -t nat -I PREROUTING -p tcp -s 192.168.2.0/24 --dport 53 -j DNAT --to-destination YOUR.FILTERED.DNS
iptables -t nat -I PREROUTING -p udp -s 192.168.2.0/24 --dport 53 -j DNAT --to-destination YOUR.FILTERED.DNS
There is an old article showing it as supported with installation instructions, but all I could find are beta and test versions. It is possible that the version for WNDR3700 will work (WNDR3800 has 2 times more flash and RAM and the OpenWRT page for it says that this is the only difference), but do it at your own risk and be prepared to unbrick it (if possible).
BTW, if you want to try, it looks like OpenWRT supports it.
Good luck and let us know how this works!
The -Max version also supports VPN functionality, just like the -VPN and -MiniVPN. Please refer to the feature matrix (linked in first comment) to determine the features of each version. I'd advise the -Max version. The RT-N12 is really underpowered for running VPN though (a more powerful router is highly recommended for that).
It doesn't sound like memory pressure is the problem, as that wouldn't cause NVRAM clearing. It really sounds like a bug. And memory pressure is determined by the features you're using, not by features being present but disabled (no need to flash a build with fewer features than -Max).
I guess the WiFi being unprotected by default is a convenience thing. DD-WRT also does this (SSID="dd-wrt"). OpenWRT doesn't do this (in fact, OpenWRT doesn't support WiFi at all on the RT-N12 C1).
In short, it seems the old FreshTomato builds you tried likely suffer from a bug. Depending on your use case and preferences, you can now try your luck with:
If you don't plan on using WiFi at all, OpenWRT might be your best bet (see Techdata).
Upgrading to newer FreshTomato should be straightforward; just upload through the WebUI. For switching to either stock, DD-WRT or OpenWRT you should use "ASUS Firmware Restoration Tool".
I tried this and it works great. I also have Adblock installed in my browser. Follow the link ( https://adblockplus.org/subscriptions ) and choose which list you want. (With Adblock installed in the browser) you can click on "Subscribe", which will bring up a window to add the list. Copy the URL and in the Tomato UI just simply add the URL. I have tested 3 different lists and all are successfully loaded into Tomato.
As far as HTTPS is concerned (someone please correct me if I'm wrong about this), the encryption is endpoint to endpoint, meaning your PC is an endpoint and the remote server is an endpoint. If the ads are hosted using a secure connection, I don't see how Tomato would be able to decipher and intercept the ad, as the connection is encrypted while in transit through the router. If the ads are HTTPS based, I would recommend installing Adblock in your browser, which would handle the encryption on your end. I'm no expert but I believe that's why Tomato isn't recognizing ads through HTTPS.
Edit: After reading your reply closer, I added that particular list to my ad block and it downloaded and loaded into adblock just fine.
Aug 25 09:32:27 unknown user.info adblock: [8] downloading blacklist - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
Aug 25 09:32:27 unknown user.info adblock: ... [8] found 28642 entries
You will need to figure out why you are unable to access that list. Do other HTTPS sites work?
Oh that really sucks :(
Your wireless chipset might be defective, so maybe it's still okay for wired-only (if you have separate APs)?
P.S. you could still try OpenWRT as a last resort. I know software-wise, OpenWRT is somewhat removed from all the other firmwares because it uses the open-source brcmfmac drivers instead of closed-source. There's a small chance those drivers can even work around hardware issues. You have nothing to lose really...
Makes sense. 802.1x is for sure in AdvancedTomato. But you should probably go with dd-wrt as that will give you more flexibility.
https://wiki.dd-wrt.com/wiki/index.php/VLAN_Support
https://openwrt.org/docs/guide-user/network/wifi/wireless.security.8021x
Hi! Flashed this FW to my Netgear R6700v3 and it's amazing.
Only thing that doesn't work is my Plex Server. Can't access it from inside the network if I try "plex.tv". With the app I have no problem... but unfortunately it also doesn't work with my Amazon Fire TV stick. :-(
I guess it's only a setting or something like that... hope someone could help me.
So I have been reading about Asuswrt-Merlin/xwrt-vortex, but I still think I will go with Tomato. I don't intend to keep these, and I will flip them on my Facebook Marketplace and/or Nextdoor.com. I am in an area that has enough techies that I think that Tomato will be more well understood, but I appreciate your suggestion!
I'm not familiar with using CTF.
I think OpenWRT uses a different WiFi driver than Tomato and DD-WRT.
https://openwrt.org/toh/netgear/r7000
But here (3 years old) it says OpenWRT doesn't support CTF. It also mentioned that anything with QoS won't have support for CTF.
https://www.reddit.com/r/HomeNetworking/comments/5oz77p/openwrt_vs_ddwrt_vs_tomato_for_r7000/
Maybe the non-aio tomato firmware will support CTF?
(Reddit won't save my post, so I have to do edits for links)
DD-WRT wiki is seriously outdated so I'm also going to mention, just in case, that you SHOULD NOT use any builds that are "recommended" there. Even if these pages do say that these builds are "stable" - they are NOT. They're infested with bugs and problems (like bootloops, etc), in comparison to the newest betas.
So when in doubt - always use the newest build.
You can grab them from here: ftp://ftp.dd-wrt.com/betas/2020/
or here: https://dd-wrt.com/support/other-downloads/?path=betas%2F2020%2F
Also - there is always a new thread for the newest build that you can check for comments (on the official DD-WRT forums>Broadcom SoC based hardware), and if it works without issues for some other people that do have: R7000, Asus AC68U or DLink DIR-880L then it should also work for you. These routers have pretty much the same hardware.
Here's the newest one: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326140&sid=e30a2a90196a87a585b2a5f0f58b1a66
The Developer of Advanced Tomato pushes out updates quite frequently; they're bundled with the latest Shibby builds.
You can use Shibby's builds directly, but I prefer Advanced Tomato purely because of the clean GUI interface.
If you use the original Tomato, you'll be stuck on very old, dated, unsecured firmware.
Well, I don't understand iptables well enough to do this correctly, but I have done it & it works. I followed this guide, and it didn't work because the WAN Up tab on the router's admin section didn't apply the rules, so I applied them myself from a computer through a shell session and it works fine.
Now, to route all ports but one (say 80, for example), you would need to change the last line to this:
# Mark TCP traffic from the host on every destination port except 80 (multiport takes --dports; 65535 is the highest valid port)
iptables -t mangle -I PREROUTING -i br0 -s 192.168.1.151/24 -p tcp -m multiport --dports 1:79,81:65535 -j MARK --set-mark 1
adjusting the subnet mask and specific ports, of course. I'm sure there's a million better ways to do it, but this will work.
Just keep in mind that you need to run all the commands referenced on the vpn.ac knowledgebase in a shell logged in as root to the Tomato router every time you restart it - all of which you can automate from your computer.
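The two rule sets discussed above (redirecting a child subnet's DNS to a filtering resolver, and marking one host's traffic on all ports but one for VPN policy routing) share the same practical problems: correct option names, both DNS transports, a valid port range, input validation, and not duplicating rules each time the WAN Up / Firewall script runs. The script below is an added example, not code from this thread, the linked guides, or any Tomato build. It assumes the LAN bridge is br0, that the routing table and `ip rule` for mark 1 are already in place as in the vpn.ac guide, and that `IPT` can be overridden (`IPT=echo`) for a dry run; all addresses are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread or any firmware project). Generates and
# idempotently applies: (1) DNAT of all DNS from a child subnet to a filtering
# resolver, (2) an fwmark on one host's TCP traffic on every port except one.
# Assumed: LAN bridge br0; mark 1 already routed via the VPN by an "ip rule".
set -f                        # no globbing: we word-split user-supplied strings
IPT="${IPT:-iptables}"        # IPT=echo gives a dry run

# 0 if $1 is a dotted quad with every octet in 0..255, else 1.
valid_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1                 # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# 0 if $1 is a.b.c.d/n with a valid address and 0 <= n <= 32.
valid_cidr() {
    ip=${1%/*}; pfx=${1#*/}
    [ "$ip" != "$1" ] || return 1        # no "/" at all
    valid_ipv4 "$ip" || return 1
    case $pfx in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ]
}

# multiport range list covering every TCP port except $1, e.g. 80 -> "1:79,81:65535".
# Handles the edges (1 -> "2:65535", 65535 -> "1:65534") where one side is empty.
ports_except() {
    p=$1
    case $p in ''|*[!0-9]*) return 1 ;; esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    lo=""; hi=""
    [ "$p" -gt 1 ] && lo="1:$((p - 1))"
    [ "$p" -lt 65535 ] && hi="$((p + 1)):65535"
    if [ -n "$lo" ] && [ -n "$hi" ]; then printf '%s,%s\n' "$lo" "$hi"
    else printf '%s\n' "$lo$hi"; fi
}

# nat PREROUTING rules (one per line) forcing all DNS from SUBNET to resolver DNS.
# Both UDP and TCP: resolvers fall back to TCP for large answers, and a TCP-only
# resolver would otherwise bypass the filter. Queries already aimed at DNS are skipped.
dns_redirect_rules() {
    subnet=$1; dns=$2
    valid_cidr "$subnet" && valid_ipv4 "$dns" || return 1
    for proto in udp tcp; do
        printf '%s\n' "-t nat -I PREROUTING -s $subnet -p $proto --dport 53 ! -d $dns -j DNAT --to-destination $dns"
    done
}

# mangle PREROUTING rule marking HOST's TCP traffic on every port except SKIP.
# A single host needs /32; a /24 here would mark the whole subnet.
vpn_mark_rule() {
    host=$1; skip=$2
    valid_ipv4 "$host" || return 1
    ranges=$(ports_except "$skip") || return 1
    printf '%s\n' "-t mangle -I PREROUTING -i br0 -s $host/32 -p tcp -m multiport --dports $ranges -j MARK --set-mark 1"
}

# Apply rule lines from stdin, inserting each only if "iptables -C" says it is
# absent, so re-running at every boot never stacks duplicate rules.
apply_rules() {
    while read -r rule; do
        table=${rule%% -I *}; spec=${rule#* -I }
        # shellcheck disable=SC2086  # splitting the rule into arguments is intended
        $IPT $table -C $spec 2>/dev/null || $IPT $table -I $spec
    done
}

# Usage on the router as root (or IPT=echo ... on a PC to preview):
#   sh tomato_rules.sh dns 192.168.2.0/24 10.0.0.53   # 10.0.0.53 = your filtering resolver
#   sh tomato_rules.sh vpn 192.168.1.151 80           # everything but port 80 via VPN
case ${1:-} in
    dns) dns_redirect_rules "$2" "$3" | apply_rules ;;
    vpn) vpn_mark_rule "$2" "$3" | apply_rules ;;
esac
```

Because `apply_rules` checks with `-C` before inserting, the script can be pasted into Tomato's WAN Up or Firewall script unchanged; a second run is a no-op rather than a second copy of every rule.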
I guess you could attach a current meter at the power cable and measure the results with both firmware, but that might be too much work.
Something like this: https://www.amazon.com/TS-836A-Energy-Voltage-Electricity-Monitor/dp/B00E945SJG
Well, the VPN guys got it wrong. Tomato in general only works on some Broadcom-SoC-powered routers, which the DIR-842 is not.
If your DIR-842 has version number C1, C2 or C3 (Qualcomm SoC) though, you can install OpenWRT. If your version number is A1, B1 or R1, you're out of luck as there are no custom firmwares for Realtek-SoC models like those.
If you have a C1/2/3-model, please refer to the OpenWRT page and install the correct OpenWRT image carefully following the Wiki. After that, use NordVPN's guide to connect to NordVPN.
Finally got around to messing with my router.
Your info really helped me out! I have Mullvad running on my router now, so the wife can use her phone or tablet for the internet without the clumsy Android VPN business.
Thanks again.
Thanks for the reply- very happy to hear your speeds, and that it's hopefully limited to the ExpressVPN firmware. Weird, since it's based off DD-WRT but whatever. And makes sense about the AIO, but in an apartment complex that primarily uses whatever cheap wifi router that comes with their subscription, I'm far from the bottom of the food chain.
I'm using Fresh Tomato with an R7000 and the Astrill applet with no problem at all.
The Great Firewall is pretty tough, so you are best sticking with one of the major VPN providers that advertise that they work in China. Most people have two because the PRC seems to take turns picking on one VPN provider or the other.
Just route everything through a VPN and your issue is solved. I use NordVPN, and I have not had an issue since I started using it. As someone else pointed out, there are many VPNs out there, so choose what works best for you.
Configure the RT-AC66U as a range extender/repeater.
I assume that you can mostly follow the instructions from ASUS for doing this on a RT-AC68U.
You can't really control which bands use each antenna in the router. Both bands will always use all three antennas. If you replace one of the stock dual-band antennas with that 2.4 GHz HawkingTech antenna, you might boost reception for one of the three spatial streams but it wouldn't help the other two. One spatial stream of 802.11n is limited to a theoretical max of 150 Mbps and is more likely to only connect at 72 Mbps due to neighbor friendly rules. If you can't connect to the harbor Wi-Fi unless you use the HawkingTech antenna then it makes sense to use that antenna since some connection is better than nothing.
If you repeat this signal on your boat at 2.4GHz then the single 2.4GHz radio will spend half the time sending and half receiving which cuts its bandwidth in half. It would be better to use the 5GHz radio for your clients on the boat.
A GL.iNet GL-AR150 Mini Travel Router might be easier to get working for your purposes than the ASUS router.
The speed entirely depends on how far away the remote server you are connected to is, and the encryption will also bring your speed down a little, not much. It is advisable to connect to the nearest possible server to reduce the latency.
How much is the Processor Clock Speed of your router?
Well, I think it is possible to do that. Talk with NordVPN and get assistance, they will help you.
Also, do not use 256-bit e2e over the router, since routers are not as powerful as modern PCs; use 128-bit e2e instead.
I opted for the E3000 due to cost and I also read some pretty solid reviews on it.
So I'm with Virgin and have a Superhub 3. I can't install a VPN client on the hub, so the workaround I found was to put the Virgin Hub into modem mode and then connect a router into it (the E3000) and then use that as my primary router.
Doing it that way, I don't think I can wirelessly connect to the Virgin Hub as it's purely a modem? So I wouldn't be able to interchange between Virgin Hub and E3000.
I spoke with NordVPN and they advised me that I can connect all devices to the E3000 but once connected, I can't choose which are on the VPN and which aren't, they told me that it's all or none. Hence why I have gone with ExpressVPN.
So yeah, my plan is as mentioned previously: Utilising the split tunneling that ExpressVPN offer by having my TV on the 'VPN tunnel' and all other devices on the 'non VPN tunnel'. The ExpressVPN server that my TV is connected to will be saved on the ExpressVPN app on my mobile so when I want to stream from my mobile to the TV, I can just log into ExpressVPN and begin streaming.
If that's not feasible or you can think of a better way, please let me know. I'm new to this..
Hi Furay10,
Ah I saw you had helped somebody with a similar issue on another thread. So glad you've chimed in.
I'll be configuring a few things once my router arrives. I've now opted for Express VPN so I can take advantage of Split Tunnelling. I plan to have my Smart TV and my personal mobile device connected to the VPN. With all other devices being connected direct to the ISP.
I would like to know if I could easily switch my phone from VPN to ISP without having to mess about with too many settings? Almost like a switch to cycle between the two..?
Maybe if I set the TV up on the router to be purely on VPN and then all other devices connected to the ISP (so that'd be utilising the split tunneling). Then when I want to stream content from my phone to my tv, I suppose I could just open the ExpressVPN app on my phone and select the same server that my TV is on and stream away? Lol...
Is that possible?
The stuff that is important to me that can be classed by port is at the top, but I don't currently game online or use VOIP so there isn't very much of that sort of thing.
Small DNS and NTP connections get caught by port-based rules at the top: Small, because there's a lot of stuff that can use these ports for serious data transfers. (AirVPN, for instance, can run on UDP port like DNS.)
My VPN uses port 2018 and I don't generally care how slow it works, so that's also an explicit rule.
The reason for doing it this way, for me, is as follows: If I'm downloading a 4GB ISO or a 50GB game or whatever, I'm not going to sit waiting around for it -- it'll get done whenever it gets done. While it does its thing, I still want a speedy-feeling network for web browsing, small-ish downloads, Youtube and such while that download happens.
As-configured, this goal is accomplished pretty much automatically: The downloads happen eventually, and the network is always speedy regardless.
I used to have complicated rulesets, where I could pick different classifications for IMAP, FTP, HTTP(s), ssh, [...] just like every tutorial and included example shows. And then I realized one day that IDGAF protocol is downloading a big thing, I only care that something is downloading a big thing.
Furthermore, is my rsync-over-ssh traffic more important than my HTTP traffic? Maybe today it is, but maybe tomorrow is different. Ain't nobody got time to tweak around with QoS rules based on the activity of the moment.
So, I don't. Just because I can classify something by protocol or port or magic doesn't mean I need to. In fact, it turns out that I really don't even want to most of the time.
Ah, I actually changed VPN from VyprVPN to HMA, and without running it through the router I am getting about 80-100 Mbps with the VPN, so I might stick with this now and try to run it through my router at a later time!
I got my TigerVPN working on Tomato 1.28 with the following settings, YMMV:
VPN Tunneling / OpenVPN Client / Basic tab:
  Type = TUN
  Protocol = UDP
  Server Address / port = my VPN's server and port
  Firewall = Automatic
  Auth Mode = TLS
  Username/Password Auth = checked (username and password added in their respective boxes)
  Username Authen. only = not checked
  Extra HMAC auth = Disabled
  Create NAT on tunnel = checked
Advanced:
  Poll interval = 5
  Redirect internet traffic = checked
  Accept DNS configuration = Relaxed
  Encryption cipher = AES-256-CBC
  Compression = Adaptive
  TLS Renegotiation time = -1
  Connection retry = 30
  Verify server certificate = not checked
Keys:
I added the VPN key in Certificate Authority
There's a link to this doc in the Keys page:
Hopefully that helps.
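The settings listed above map onto OpenVPN client directives, and one of them deserves a second look: "Verify server certificate = not checked" is OpenVPN without `remote-cert-tls server`, which means the client never checks that the peer holds a server certificate, so any holder of a client certificate from the same CA could sit in the middle. The script below is an added example, not from this thread or from Tomato/FreshTomato: it embeds the listed settings as a constructed `.ovpn`, a hardened variant, and a small lint that flags the weak choices. The remote host, port and key file names are placeholders, not a real provider's.

```shell
#!/bin/sh
# Added example (not from the thread or any Tomato build): lint an OpenVPN client
# config for the weak choices a router WebUI lets you tick. Samples are constructed.

# Sample 1: the settings as listed above (no server cert verification, adaptive
# compression, no extra HMAC key). Host/port/file names are placeholders.
WEAK_CFG=$(cat <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
auth-user-pass
cipher AES-256-CBC
comp-lzo adaptive
ca ca.crt
# "Verify server certificate" unchecked: no remote-cert-tls line
EOF
)

# Sample 2: the same connection with the weak choices corrected.
HARDENED_CFG=$(cat <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
auth-user-pass
cipher AES-256-CBC
remote-cert-tls server
tls-auth ta.key 1
ca ca.crt
EOF
)

# True if the normalised config in $norm has a line matching the ERE in $1.
cfg_has() { printf '%s\n' "$norm" | grep -Eq "$1"; }

# Read a client config on stdin; print one finding per line; return 1 if any.
ovpn_check() {
    # drop "--" option prefixes, comments and blank lines
    norm=$(sed -e 's/^--//' -e 's/[;#].*$//' -e '/^[[:space:]]*$/d')
    n=0
    if ! cfg_has '^(remote-cert-tls|ns-cert-type)[[:space:]]+server'; then
        echo "server certificate not verified: add 'remote-cert-tls server'"; n=$((n + 1))
    fi
    if ! cfg_has '^(ca[[:space:]]|<ca>)'; then
        echo "no CA configured: add 'ca <file>' or an inline <ca> block"; n=$((n + 1))
    fi
    if cfg_has '^comp-lzo([[:space:]]+(yes|adaptive))?[[:space:]]*$|^compress[[:space:]]+(lzo|lz4|lz4-v2)'; then
        echo "compression enabled: remove it (VORACLE-style leakage of encrypted data)"; n=$((n + 1))
    fi
    if ! cfg_has '^(tls-auth|tls-crypt|tls-crypt-v2)[[:space:]]'; then
        echo "no tls-auth/tls-crypt key: control channel accepts unauthenticated packets"; n=$((n + 1))
    fi
    if cfg_has '^(cipher|data-ciphers)[[:space:]]+(none|BF-CBC|DES-CBC)' || cfg_has '^auth[[:space:]]+none'; then
        echo "weak or disabled cipher/auth: use an AES-GCM or AES-CBC cipher and keep auth"; n=$((n + 1))
    fi
    return $((n > 0))
}

# Usage: sh ovpn_check.sh client.ovpn   (findings on stdout, exit status 1 if any)
if [ $# -ge 1 ]; then ovpn_check < "$1"; fi
```

Run against the listed settings the lint reports three findings (unverified server certificate, compression, no HMAC key) and exits 1; the hardened variant is clean. Ticking "Verify server certificate" and supplying the provider's static key under "Extra HMAC auth" in the WebUI corresponds to the two directives that differ between the samples.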
The ticket with NordVPN sorted it out partially. I had a # where there shouldn't have been one.
The issue now is my PC won't load websites while the VPN is on. All sites get browser message, this site can't be reached.
But my other devices such as my phone connected to the wifi are able to browse while the VPN is active...
I think I had the same issue(s); I was using the hostname. I switched to using the IP and I got the following error: openvpn[22736]: write UDP: Network is unreachable (code=101)
I'm trying to connect to HideMyAss with the domain .rocks
I have an R7000 running Tomato Shibby, and a VPN with PIA. It was pretty easy to set up, i'm not familiar with ExpressVPN but i can't imagine it would be too different...
I never used my VPN with the stock firmware, but from what i saw it didn't seem very nice to use. It seemed to require you to use it in combination with software on your PC. With Tomato, the router will be running OpenVPN (or PPTP, but i think OpenVPN is the best), which lets it handle all the VPN stuff for the traffic going through it, so you can just keep your PC configured to connect to your router in the normal way, and when the OpenVPN is enabled on the router, your PC's traffic will be routed through the VPN.
I've never used any of the NAS stuff but there is a section for it in the admin web GUI, and there's lots of options. I think it's very likely to be better than the stock Netgear ReadyCloud, but may possibly need a bit more in the way of configuring.
By the way, if you're choosing Tomato Shibby, this is a very useful youtube video of the installation process, which is using the R7000 as an example, i think a regular Tomato install would probably be pretty similar.
Thanks, and I normally do things like this, so flashing a router with instructions should be no issue at all. But ExpressVPN (VPN provider) I believe works; they sell routers with Tomato on them that have their VPN system set up already. The R7000 was picked because of the Tomato support, in addition to just getting a custom ovpn file for the router.
I had the same issue before with that router. I bought this cable and didn't have to deconstruct. This cable worked perfectly for me. You'll just need the Prolific driver. It arrived in 2 days with Prime.
https://www.amazon.com/gp/product/B00QT7LQ88/ref=oh_aui_detailpage_o01_s00?ie=UTF8&psc=1