
Network

This page includes most basic settings needed to configure the network. It's divided into sections including MultiWAN, WAN Settings, Ethernet Ports Configuration, LAN and Wireless settings.

MultiWAN


Number of WAN ports: lets you select the number of WAN ports to be used on the device.

On routers with only one physical WAN interface, options with more WAN ports will be greyed out. You can select only “1 WAN” on such devices.


Tune route cache: is intended for MultiWAN configurations with load balancing.

This setting is advised when two or more WANs have a weight larger than “0”. Basically, it uses kernel tweaks to improve workload sharing. For more details, see the Notes section below.

Check Connections Every: is an easy way for FreshTomato to automatically test WAN connection reliability. (Default: Disabled). Choosing any setting but [Disabled] will execute the Watchdog script. This sets how often the router (regularly) pings to check it is still connected to the Internet.

The Watchdog script uses ping or traceroute to test WAN connection status.

Choosing a setting other than Disabled will make “Target 1” and “Target 2” fields appear.

  • Target 1 - Here, enter the address of the first host to ping (Default: Google.com)
  • Target 2 - Here, enter the address of the second host to ping (Default: Microsoft.com)

WAN(x) Settings

Settings in this section are used to configure the WAN interface. These settings depend on your ISP.

Depending on the type selected, other settings specific to that type of connection will be shown or hidden.


Type: sets the connection mode the WAN interface uses to connect to your ISP. (Default: DHCP).

  • DHCP - Your ISP's DHCP server dynamically assigns a WAN IP lease to FreshTomato.
    • DHCP does not use authentication.

  • PPPoE - The WAN port responds to authentication requests from your ISP's PPPoE server.
    • This is most often used for DSL networks.
    • FreshTomato stores the PPPoE username and password assigned by your ISP.
    • If authentication succeeds, the PPPoE server allows logon to the ISP network,
      and a DHCP server assigns you a WAN IP lease.
    • Leave the Service Name field blank.
    • Since release 2021.3, support for Baby Jumbo Frames (RFC 4638) is available in
      the Miscellaneous menu.
    • When using Baby Jumbo Frames, set MTU to 1500, consistent with the Baby Jumbo
      Frames change. (See Notes)

  • Static - will configure your WAN port with a static IP.
    • You must manually enter the following settings in FreshTomato, from your ISP:
      • Static IP address
      • Subnet mask
      • Gateway address
      • DNS server addresses
    • This mode is usually used for business, when an IP address shouldn't change.

  • PPTP - configures the WAN port to use Microsoft's PPTP protocol to connect.
    • This section will require you to enter:
      • a username
      • password
      • gateway server settings (given by your ISP).

  • L2TP - configures the WAN port to connect using Layer Two Tunneling Protocol.
    • FreshTomato requires you enter the following, provided by your ISP:
      • L2TP username
      • Password
      • L2TP server static IP address
      • Subnet mask
      • Gateway setting

  • 3G modem - enables support for 3G GSM (cellular) USB modems.
    • For modem detection, check USB and 3G/4G/5G modem support are enabled in USB Support.

  • 4G/LTE - enables support for fourth generation cellular/LTE USB modems.
    • When using 4G, PIN code and APN fields appear. You must enter correct settings.
    • For modem detection, check USB and 3G/4G/5G modem support are enabled in USB Support.

  • Disabled - disables the physical WAN port on your router.
    • This makes your device function only as a switch (if it has that function) and/or;
    • It may effectively make your device function as a WiFi A/P (if it has that function).

Wireless Client Mode: enables FreshTomato's Wireless Client mode.

This lets the router act as a client (like a WiFi adapter) to connect to another router/AP.
(For details, see Wireless Mode tables below).

  • Disabled - Wireless Client mode will be disabled.
  • 2.4 GHz - Wireless Client mode will be enabled on the 2.4 GHz interface.
  • 5 GHz - Wireless Client mode will be enabled on the 5 GHz interface.





Load Balance Weight: is visible only when number of WANs > 1. It can be set between 0 and 256.



When a router is configured in a MultiWAN configuration, the MultiWAN function performs load sharing of the links. Load sharing is performed on a per-session basis to prevent issues with interactive traffic, such as real-time voice/video, or RDP. This is because your links might have different speeds and per-packet load-sharing would generate Out-of-order packets. That could make interactive traffic pretty much unusable. Setting a Load Balance Weight on each interface adjusts how the interface will participate in MultiWAN activities.

Here are some examples:

Load Balance Weight: 0 (Failover)
If 0 is used, FreshTomato won't actively route traffic if other WAN interfaces are functioning. However, the WAN connection with weight “0” will be automatically enabled if there is a failure of all other WAN interfaces with a weight of 1 or more. This is commonly used in “failover” scenarios. When an interface with weight “0” is automatically enabled, it will be assigned a weight of 1.

For example:

Let's assume we have 2 WANs, as follows:

  • WAN0=“weight 0”
  • WAN1=“weight 1”

When WAN1 fails, the failure is noticed. WAN0 will activate (assigned with weight 1) and begin routing packets.

Later, WAN1 recovers its connectivity. As soon as FreshTomato notices this, (within seconds or minutes), WAN0 will be set back to idle status while traffic is rerouted through the revived WAN1.

Recovering back to the originally active interface is called preempting. This is FreshTomato's default (fixed) behavior.

Load Balance Weight: 1
Any value higher than “0” makes an interface actively route packets.

Weights are relative, so a weight of “1” doesn't mean much. Each weight is compared to the Load Balance Weights of other Interfaces to direct functionality.

  • One way of understanding this is to remember: “1=100% and 0=0%”.
  • Thus, if WAN0=“weight 0” and WAN1=“weight 1”, WAN1 would be handling 100% of the traffic.


Load Balance Weight: 5
Basically, an interface set to weight 5 would handle 5 new sessions before any other interface was used.

For example, say we have 3 WANs, as follows:

  • WAN0 = weight 0
  • WAN1 = weight 1
  • WAN2 = weight 5


In this case, WAN0 will be used only if both WAN1 and WAN2 are in a failed state and unable to route packets. WAN1 will handle the very first new LAN client session going through the router. WAN2 is set to handle the second, third, fourth, fifth and sixth sessions. The seventh new session starts again from WAN1, as it would be treated as another first new LAN client session. WAN2 will then handle the next five new sessions, meaning the eighth, ninth, tenth, eleventh and twelfth sessions.

These settings only affect outbound traffic. Return traffic always tries to return to the WAN interface it came from. Since the allocation of new sessions to a WAN is dynamic, you can set what traffic gets allocated to which interface (AKA “sticky connection”) in the MultiWAN routing configuration menu.
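The allocation and failover behaviour described above can be modelled in a few lines of shell. This is an added example, not FreshTomato's own code: it follows this page's description (weighted round-robin over new sessions, with weight-0 links enabled at weight 1 only when no weighted link is up), and the `assign_sessions` function and its `NAME:WEIGHT:STATE` argument format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: models the session allocation this page describes.
# Arguments are NAME:WEIGHT:STATE triples (STATE is "up" or "down").
# The argument format and all values below are constructed for illustration.

# assign_sessions COUNT NAME:WEIGHT:STATE...
# Prints the WAN chosen for each of COUNT new sessions, space separated.
# Exits with status 1 (and prints "none") when no link can carry traffic.
assign_sessions() (
    count=$1
    shift
    active=""    # NAME:WEIGHT pairs taking part in load sharing
    standby=""   # weight-0 links that are up (failover candidates)
    for wan in "$@"; do
        name=${wan%%:*}
        rest=${wan#*:}
        weight=${rest%%:*}
        state=${rest#*:}
        [ "$state" = up ] || continue
        if [ "$weight" -gt 0 ]; then
            active="$active $name:$weight"
        else
            standby="$standby $name"
        fi
    done

    # Failover: no weighted link is up, so each weight-0 link that is up
    # is enabled and treated as weight 1.
    if [ -z "$active" ]; then
        for name in $standby; do
            active="$active $name:1"
        done
    fi
    if [ -z "$active" ]; then
        echo "none"
        exit 1    # the function body is a subshell, so this leaves only the function
    fi

    # Each link takes "weight" consecutive new sessions, then the next link.
    out=""
    n=0
    while [ "$n" -lt "$count" ]; do
        for pair in $active; do
            name=${pair%%:*}
            weight=${pair#*:}
            i=0
            while [ "$i" -lt "$weight" ] && [ "$n" -lt "$count" ]; do
                out="$out $name"
                n=$((n + 1))
                i=$((i + 1))
            done
        done
    done
    echo "${out# }"
)

# The three-WAN example from the text, then failover and preemption.
echo "all up:       $(assign_sessions 12 WAN0:0:up WAN1:1:up WAN2:5:up)"
echo "WAN1+2 down:  $(assign_sessions 3 WAN0:0:up WAN1:1:down WAN2:5:down)"
echo "WAN1 back up: $(assign_sessions 3 WAN0:0:up WAN1:1:up WAN2:5:down)"
```

Because the standby link only appears in the output when every weighted link is down, the third call shows preemption: traffic returns to WAN1 as soon as it is up again.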


Modem device: Here, specify the 3G/4G/5G modem's Linux device path/filename.

  • If unsure what to choose, check your modem is listed in 3G/4G/5G Dongle compatibility.
  • Enable 3G/4G/5G modem and USB support in USB Support if your modem is not detected.
  • If WAN type is 3G modem or 4G/LTE, new fields appear, prompting for more information.
  • The Default device filename is the first serial device on the first USB port: (/dev/ttyUSB0).
    • The “tty” part of the device's filename represents a serial device.
    • “USB0” in the device's filename means the device is connected to the first USB port.
    • Devices listed as “/ttyUSB” use the newer Serial→USB device driver framework.
      • This device type uses Linux's serial modem driver framework.
  • “ACM” in the device name means the device type is “Abstract Control Model”.
    • An ACM modem lets the modem hardware perform analog functions.


To get device details, you could also log on to FreshTomato via Telnet/SSH and use the lsusb or dmesg commands.


PIN Code: is the 3-digit PIN code for the SIM card associated with your cell account.

  • Leave this blank if your SIM card code was deactivated.

Modem init string: is where you enter the modem's default initialization string.

  • Your cellular provider or modem manufacturer gives you this. (Default: *99#).

APN: is the access point name (provided by your cell carrier).

  • Specifies a gateway to route data between your carrier and the Internet. (Default: internet).

Username: here, enter the (carrier-provided) username to access your cell carrier's APN gateway.

  • Some carriers don't require this info.

Password: here, enter the (carrier-provided) password to authenticate to your cell carrier's APN gateway.

  • Some carriers do not require this info.

Network Type: appears when WAN type is set to 4G/LTE. (Default setting: 4G/3G/2G).

  • The default setting sets FreshTomato to start negotiating with a 4G connection.
    If that fails, it falls back to negotiating a 3G connection, and if that fails, a 2G connection.

DNS Server:

  • AUTO - FreshTomato uses DNS server addresses in your ISP's DHCP lease.
  • Manual - Enables DNS server functions (dnsmasq). “DNS 1” and “DNS 2” fields appear.
    • DNS 1 - Enter DNS server 1 address here (if DNS Server is set to Manual).
    • DNS 2 - Enter DNS server 2 address here (if DNS Server is set to Manual).


Manually-set DNS servers are useful if your ISP DNS servers are slow/unreliable. Some can provide ad/content filtering.

MTU: sets the Maximum Transmission Unit, (Ethernet frame size) for traffic between WAN and LAN.

This is only for the WAN interface. It won't affect LAN traffic. Different MTU sizes among devices may cause problems.

  • (Default: 1500) - works for most Ethernet devices. The Manual field gets greyed out/fixed.
  • Manual - Enter a custom value here. Jumbo Frames start at 2000 bytes.

Use DHCP: is rarely used. You are advised to leave it disabled.

  • A few Internet providers separate addressing from PPPoE functionality.

Single Line MLPPP: is outdated, and rarely used nowadays.

Multilink PPP is a version of the PPP protocol that lets you bond two or more physical connections to increase bandwidth. Single Line MLPPP is a variant that lets you use one modem to bond the bandwidth of multiple PPPoE sessions.

A side effect of using this was that it bypassed some ISP's bandwidth throttling.


Route Modem IP: lets you access a modem “behind a router” with a quick configuration change. (Default: Off)

  • When using separate modem and router, usually the modem is in bridge mode or
    PPPoE passthrough mode. This makes it hard to access the modem's LAN interface,
    as it's “behind” the router.
  • The router's WAN interface has a public address, but the modem is reachable
    only via a private LAN address.
  • Private addresses aren't routable, so by default, FreshTomato blocks any
    LAN > WAN > MODEM PRIVATE IP traffic.
  • Route Modem IP adds a static route to the routing table, giving the modem a
    private address on a /32 subnet. This makes the private address reachable via the WAN interface.
  • The mask allows only one host, so only the modem is reachable on that subnet.

Query Hilink Modem IP: This function is only for Huawei USB modems supporting Hilink mode. (Default: Disabled).

Some Huawei modems have a “HiLink” operation mode. Enabling this lets you communicate with a modem in HiLink mode connected to a device on the network other than the FreshTomato router. This is useful for monitoring LTE statistics, or signal strength.


Call Custom Status Script: TBD.


Connect Mode: This chooses the method used to keep the router connected to the Internet provider. (Default: Keepalive).

  • Connect on Demand - makes the router disconnect from the ISP after the Max Idle Time.
    FreshTomato will reconnect to the Internet as soon as a LAN client requests Internet access.
  • Some ISPs drop a connection if their router detects no Internet activity.
    • Keepalive - makes FreshTomato send keepalive packets at brief, specified intervals.
      This makes the ISP think there's intermittent activity when no clients request Internet access.
  • Redial Interval - how often the router checks the Internet connection. (Default: 10 seconds).
    This minimizes Internet connection response time, since usually the connection will be up.


Redial Interval: When PPPoE dialling fails, this is used to delay attempts for the defined number of seconds.
This allows more time for the PPPoE server or network gear to restart proper functioning before retrying a PPPoE connection.
(Default: 10 seconds).

LCP Echo Interval: The Link Control Protocol sends/receives frames between two peers to verify they're still connected.

  • LCP Echo Interval is the time between these signals.
  • Usually used to check that a DSL modem's PPPoE is still connected to the ISP.
  • (Default: 10 seconds).


LCP Echo Link fail limit: is the number of times LCP echo requests can fail between LCP peers before the status is considered dead.

  • The client DSL modem will then drop the PPPoE link. LCP will try to renegotiate
    a new PPPoE session.


Disable Watchdog: disables the Watchdog function, (described below) only for the WAN connection currently seen on that menu. (Default: Enabled, using Tracert).


Watchdog Mode: regularly checks a given WAN connection is up. It's supported for DHCP, PPPoE, PPTP, L2TP, and 3G/4G/5G LTE connection types. Here, you choose which method is used to test the connection.

  • Traceroute *
  • Ping

LAN

The LAN section includes information and settings to configure FreshTomato's LAN interface functions.

This includes FreshTomato's:

  • LAN IP address and subnet mask
  • Spanning Tree Protocol function
  • DHCP server status/settings (via dnsmasq), such as scope and lease time
  • Stubby (DNS-over-TLS) setting and WINS settings




Bridge: lets you select the bridge whose LAN settings will be modified.

STP: enables Spanning Tree Protocol to prevent forwarding loops in switches. The default (off) is recommended, unless you are highly experienced.

IP Address: the IP Address to assign to the specified LAN interface. (Default: 192.168.1.1). FreshTomato supports Class A/B/C networks.

Netmask: the subnet mask associated with FreshTomato's LAN IP address. (Default: 255.255.255.0 - class “C” netmask).

DHCP: enables DHCP server functions in dnsmasq. (Default: Off)

IP Range (first/last): the range of IP addresses the DHCP server will assign to LAN clients. In the top field, enter the first valid address in the subnet. In the bottom field, enter the last valid address.

Lease Time (mins.): is the DHCP lease time, in minutes. (Default: 1440).

Automatic IP: lets FreshTomato obtain a LAN IP via DHCP. Since release 2022.6, you can select this option if the router is in AP Mode, Wireless Ethernet Bridge Mode or Media Bridge Mode.

After saving settings, the router's new, default address is 192.168.1.1 as it awaits DHCP details. That address changes once it obtains DHCP data.



Ethernet Ports State - Configuration




These are settings for the Ethernet Ports State graphic in the Overview menu. The graphic shows status, link speed, and diagnostic information for all ports.

Enable Ports State: Checking this enables the Ethernet Ports State graphic. (Default: On).

Show Speed Info: Checking this displays the link speed of each port, (1GB/100MB/10MB). (Default: On).

Invert ports order: Enabling this displays port icons in Ethernet Ports State in the opposite order from where they are on the hardware. This is useful when the sequence of display icons doesn't match the actual locations on the router. (Default: Off).

Wireless Band Steering



With Wireless Band Steering enabled, FreshTomato can assess on which band the client device should try to connect. It then “nudges” the client towards that band.

  • Disable *
  • Enable

To achieve this, for all WiFi interfaces, enter the same:

  • SSID name
  • Security settings
  • Password
  • Other settings

Client devices can also try to switch bands on their own, without the influence of Wireless Band Steering.

This feature is available starting with release 2020.8 (and only for ARM hardware). See the Notes section below for more details on how it works.


Wireless (2.4 GHz / interface eth1)

The Wireless (2.4 GHz) section displays information and settings for the 2.4 GHz wireless network interface.

Your device may show a different device name than eth1. FreshTomato hardware device numbers begin at “0”. The first Ethernet device might be called “eth0”. The second wireless device might be called “wl1”.

Enable Wireless: When checked, this turns on the 2.4 GHz WiFi interface. When unchecked, the 2.4 GHz WiFi interface is off.

MAC Address: This displays the MAC address of the 2.4 GHz WiFi interface. Clicking on it takes you to the MAC Address page, where you can specify a custom MAC address for this interface.

Wireless Mode: This allows you to select the wireless mode (function) of the 2.4 GHz WiFi network interface.


Table: 2.4 GHz Interface Wireless Modes
Wireless Mode Description

Access Point

The (default) setting, which allows clients to connect to FreshTomato's wireless network(s).

- IPv4 & IPv6 communication work for both MIPS and ARM.

Access Point WDS

Sets the router in “repeater mode”, allowing clients to connect via wireless while simultaneously acting as a
Wireless Distribution System (WDS) base station.


Wireless Client

The router connects to another router/access point as any other wireless client device would.

- Wireless Client mode works for:
MIPS devices (SDK5: RT and RT-N images)
ARM devices (SDK6 & SDK7) starting with release 2021.5
- This mode does not work yet on SDK6 MIPS RT-AC builds.
- Only one wireless radio can be used in this mode. Other radio modules, (if present), can be used in Access Point mode.
- Disable band steering if using this mode (at least for the initial setup. Advanced users may adjust nvram values for band steering).
- The recommended security setup for WiFi connections is WPA2 Personal with AES.
- If no connection is possible using the above, try WPA / WPA2 Personal + AES.
- This is the recommended security setup for MIPS SDK5 (RT and RT-N) wireless client mode.


Wireless Ethernet Bridge

Configures FreshTomato to connect to another router. All clients connected to both routers remain in the same subnet.

- Since Wireless Ethernet Bridge 1.19, this mode must have security set to WPA2 to work properly.
- IPv4 communication works for MIPS and ARM builds.
- IPv6 communication will only work for FreshTomato 2021.1 SDK6 ARM Dual-Core and newer
- SDK7 not working/possible.
- Do not enable wireless band steering (BSD) while this mode is enabled.
- Recommendation: Use Wireless Ethernet Bridge interface only to connect to your main AP (no virtual interfaces). Other radio modules present can be used, for example, in Access Point mode.


Media Bridge Mode

Configures FreshTomato to connect to another router/access point.
All clients connected to both routers remain in the same subnet.
- Support for this mode is available starting with release 2021.6.
- This mode is similar to Wireless Ethernet Bridge mode for SDK6 and up (only for MIPS RT-AC images and all ARM images).
- Recommendations: Use Wireless Ethernet Bridge mode for MIPS RT and RT-N builds (like the RT-N16, E4200v1).
- This Mode is not supported in SDK5 (RT / RT-N) builds.
- Both IPv4 and IPv6 communication function well. You don't need to enable IPv6 via the web interface. IPv6 traffic will work.
- Do not enable wireless band steering (BSD) if this mode is enabled.
- Use Media Bridge interface only to connect to your main AP (not to virtual interfaces). Other present radio modules can be used, for example, in Access Point mode.


WDS

Serve as a Wireless Distribution System (WDS) base station only.

Table derived from (Creative Commons) Wikibooks - “Tomato Firmware/Menu Reference” Wireless Mode Selections


Wireless Network Mode: This lets you choose which 802.11 WiFi protocol(s) to make available to clients.

The network modes available in this dropdown will depend on your hardware.

  • Auto: * FreshTomato and WiFi client devices negotiate the best protocol automatically.
    • Auto is recommended, unless you're very experienced with networking.
    • Compatibility issues can create problems. The best settings are not always obvious.
  • B Only: allows WiFi clients to connect using only the 802.11b protocol.
  • G Only: allows WiFi clients to connect using only the 802.11g protocol.
  • B/G Mixed: allows clients to connect using either 802.11b or 802.11g protocols.
  • N only: allows clients to connect using only the 802.11n protocol.


These apply only to the 2.4 GHz band interface. There are separate Wireless Network Mode settings for any 5 GHz interface.

SSID: This is the network name (Service Set IDentifier) for the 2.4 GHz WiFi interface. For security reasons, you're advised not to include personal words which may indicate your identity, address, location, or equipment type. For example, “HELENLIUNG” would be a poor choice, unless you want everyone nearby to know who owns the network. Single dictionary words also make for very poor security.
(Default: FreshTomatoXX, where “XX” is the two numbers in the band.) For example, on the 2.4 GHz network, the default SSID is “FreshTomato24”.

Broadcast: enables SSID broadcasting. This “announces” the SSID on the air, so it's easy to find and connect to. Some argue that disabling SSID Broadcast provides more security. However, SSID names are easily sniffed using common software. Thus, disabling this provides little increase in security.

Channel: selects the channel on which the 2.4 GHz radio interface will operate. Generally, it's best to choose a different channel than your neighbours are using. (Default: Auto).

  • Auto: This default is generally safe unless there's significant interference from other networks or equipment. FreshTomato chooses and uses the channel it believes has the least interference.
  • Channel: lets you manually choose available channels on the band. Unavailable channels won't appear here.

Channel Width: lets you choose the width of the channel (in terms of frequency).

  • 20 MHz
  • 40 MHz


802.11n can use 40 MHz channel width, but to maintain compatibility with legacy systems, it uses one main 20 MHz channel plus a free adjacent channel 20 MHz above or below the main channel.

Control Sideband: lets you choose whether the extra sideband channel used is above (Upper) or below (Lower) the main channel used. (Default: Upper). This is only available if 20 or 40 Channel Width is selected.

  • Upper
  • Lower

Security: lets you select the security protocol used on the 2.4 GHz WiFi interface.

  • Disabled: disables security entirely, leaving the network open to anyone. Avoid using this.
    • This is basically an unlimited security risk.
  • WEP: enables Wired Equivalent Privacy protocol. Avoid using this. It's obsolete due to serious vulnerabilities,
    such as weak encryption.
  • WPA Personal: enables WiFi Protected Access Protocol 1.x. WPA uses the RC4-based TKIP protocol.
    • Lets hosts exchange pre-shared keys, for more security.
    • Is more secure than WEP, but still has weaknesses, like lower encryption standards.
    • WPA2 is strongly encouraged instead of WPA.
  • WPA Enterprise: (AKA: WPA-802.1X). This is similar to WPA Personal, but each user
    has their own username/password.
    • No common pre-shared key is used.
    • Doesn't require a RADIUS server. Often, one is used for compatibility/security reasons.
    • Is more secure against dictionary attacks on short passwords.
    • Is suitable for larger, more formal networks.
  • WPA2 Personal: WiFi Protected Access version 2 uses elements of the 802.11i standard.
    • This supports mandatory use of AES encryption, so it is much more secure than older protocols.
    • WPA2 Personal is recommended for small- to mid-sized, informal networks.
  • WPA2 Enterprise: This enables the Enterprise version of WPA2.
    • This uses WPA2, but each user has their own WiFi username/passkey.
    • WPA2 Enterprise is based on parts of 802.11i.
    • This doesn't require a RADIUS server, but one is often used for legacy compatibility/security.
    • This is appropriate for larger, more structured networks.
  • WPA / WPA2 Personal:
  • WPA / WPA2 Enterprise:
  • RADIUS: Enables Remote Access Dialup User Service.
    • This is designed for larger organizations.
    • This uses a separate server to authenticate, permit and keep track of users.
    • This supports authentication via certificates, which eases user management.
    • This is usually only for advanced users.

Shared Key: the shared key to authenticate WiFi clients on the LAN. Asterisks are shown until you insert your cursor.

Group Key Renewal: sets how often encryption keys used between clients and the router are rotated/changed.
This is a part of the WPA protocol. (Default: 3600 seconds = 1 hour).

Starting with release 2023.5, you can adjust the key rotation interval within the following limits:
From 1 sec to 2592000 sec [for all ARM routers and MIPS RT-N / MIPS-RT-AC]
0 = disabled (not recommended)

In releases 2023.4 and older, you can set this within the following limits: 60 sec to 7200 sec [all routers]
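One way to check a router's saved wireless settings against the recommendations in this section, as an added example rather than FreshTomato's own code. It assumes the settings are stored under nvram keys such as `wl0_security_mode`, `wl0_crypto`, `wl0_wpa_gtk_rekey`, `wl0_ssid` and `wl0_closed` with the values shown in the comments (confirm the names on your build), and the sample dump is constructed.

```shell
#!/bin/sh
# Added example: flag wireless settings this page advises against.
# Key names and values are assumptions about how the firmware stores them.

# audit_wifi: read "key=value" lines on stdin, print one finding per line
# in the form "<interface> <LEVEL> <message>".
audit_wifi() {
    while IFS='=' read -r key value; do
        # Only per-radio keys (wl0_..., wl1_...) and virtual ones (wl0.1_...).
        case $key in
            wl[0-9]_*|wl[0-9].[0-9]_*) ;;
            *) continue ;;
        esac
        iface=${key%%_*}      # e.g. wl0
        setting=${key#*_}     # e.g. security_mode
        case "$setting=$value" in
            security_mode=disabled)
                echo "$iface FAIL security disabled: network is open to anyone" ;;
            security_mode=wep)
                echo "$iface FAIL WEP is obsolete: use WPA2" ;;
            security_mode=wpa_personal|security_mode=wpa_enterprise)
                echo "$iface WARN WPA selected: WPA2 is strongly encouraged" ;;
            crypto=tkip)
                echo "$iface WARN TKIP cipher: AES is recommended" ;;
            wpa_gtk_rekey=0)
                echo "$iface WARN group key renewal disabled (0)" ;;
            ssid=FreshTomato*)
                echo "$iface WARN SSID reveals equipment type: $value" ;;
            closed=1)
                echo "$iface NOTE SSID broadcast off: adds little security" ;;
        esac
    done
}

# Constructed sample in "key=value" form; not taken from a real device.
SAMPLE_NVRAM='wl0_ssid=FreshTomato24
wl0_security_mode=wep
wl0_wpa_gtk_rekey=3600
wl0_closed=0
wl1_ssid=upstairs-5g
wl1_security_mode=wpa2_personal
wl1_crypto=aes
wl1_wpa_gtk_rekey=0
lan_ipaddr=192.168.1.1'

printf '%s\n' "$SAMPLE_NVRAM" | audit_wifi
```

On the router itself, the function can be fed from `nvram show` over Telnet/SSH instead of the sample. The same checks apply to the 5 GHz interface, which has its own copy of each setting.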

Wireless (5 GHz / interface eth2)

The Wireless (5 GHz) section displays information and settings for the wireless network interface on the 5 GHz WiFi band.

Your device may show a different device name than eth1. Note: FreshTomato hardware device numbers begin at 0.
For example, the first Ethernet device might be called eth0. The second wireless device might be called wl1.

Typically, the 5 GHz WiFi band has higher bandwidth, but shorter distance propagation than the 2.4 GHz band.

Enable Wireless: Checking this turns on the 5 GHz WiFi interface. When unchecked, the 5 GHz WiFi interface is turned off.

MAC Address: This displays the MAC (hardware) address of the 5 GHz WiFi interface.
Clicking on the MAC address takes you to the MAC Address page, where you can choose your own MAC address for this interface.

Wireless Mode: This lets you choose the wireless mode (function) of the 5 GHz WiFi interface.


Table: 5 GHz interface Wireless Mode
Wireless Mode Description

Access Point

The (default) setting, which allows clients to connect to FreshTomato's wireless network(s).

- IPv4 & IPv6 communication work for both MIPS and ARM.

Access Point WDS

Sets the router in “repeater mode”, allowing clients to connect via WiFi while acting as a
Wireless Distribution System (WDS) base station.


Wireless Client

The router connects to another router/access point as any other wireless client device would.

- Wireless Client mode works for: MIPS devices (SDK5: RT and RT-N images) and
ARM devices (SDK6 & SDK7) starting with release 2021.5
- This mode does not yet work on SDK6 MIPS RT-AC images.
- Only one wireless radio can be used in this mode. Other radio modules present can be used in AP mode.
- Disable wireless band steering when in this mode during default setup. Advanced users can adjust band steering nvram values.
- WPA2 Personal with AES is the recommended security setup for WiFi connections.
- If connection isn't possible using the above, try WPA / WPA2 Personal + AES. This is the recommended security configuration for MIPS SDK5 (RT and RT-N) wireless client mode.


Wireless Ethernet Bridge

Configures FreshTomato to connect to another router. All clients connected to both routers remain in the same subnet.

- As of version 1.19, this mode must have security set to WPA2 to work properly.
- IPv4 communication works for MIPS and ARM builds.
- IPv6 communication will only work for FreshTomato 2021.1 SDK6 ARM Dual-Core and newer
- SDK7 not working/possible.
- Do not enable wireless band steering (BSD) while this mode is enabled.
- Recommendation: Use Wireless Ethernet Bridge only to connect to your main AP (no virtual interfaces). Other radio modules can be used, for example, in AP mode.


Media Bridge Mode

Configures FreshTomato to connect to another router/access point.
All clients connected to both routers remain in the same subnet.

- This new mode is similar to Wireless Ethernet Bridge mode for SDK6 and up (for MIPS RT-AC and all ARM images).
- Using Wireless Ethernet Bridge mode is recommended for MIPS RT and RT-N images (like the RT-N16, E4200v1).
- This Mode is not supported with SDK5 (RT / RT-N) builds
- Both IPv4 and IPv6 communication function. IPv6 traffic works without needing to enable IPv6 in the web interface.
- Support for this mode started with release 2021.6.
- Do not enable wireless band steering with this mode enabled.
- You should use the Media Bridge interface to connect to your main AP only (no virtual interfaces). Other radio modules can be used, for example, in AP mode.


WDS

FreshTomato will serve as a Wireless Distribution System (WDS) base station only.

Table derived from (Creative Commons) Wikibooks - “Tomato Firmware/Menu Reference” Wireless Mode Selections


Wireless Network Mode: This lets you choose which 802.11 WiFi protocol(s) to make available to clients.

  • Auto - FreshTomato and WiFi clients automatically negotiate the best WiFi protocol.
    • This is recommended unless you're highly experienced with WiFi.
    • Compatibility issues can create problems. The most “logical” setting isn't always the best.
  • A Only - allows WiFi clients to connect using only the 802.11a protocol.
  • N Only - allows clients to connect using only the 802.11n protocol.
  • N/AC mixed - allows WiFi clients to connect using only 802.11AC or 802.11N.
  • AC Only - allows WiFi clients to connect using only the 802.11ac protocol.


Note that only releases 2021.8 and later have a separate setting for 802.11ac. Earlier releases don't.

Separate Wireless Network Mode settings will exist for any 2.4 GHz band interface. See the 2.4 GHz section.
(Default: Auto)

SSID: is the network name of the 5 GHz WiFi. For security, don't include personal words/phrases here that indicate your identity, address, location, or equipment type. For example, “HELENLIUNG” would be a poor choice, unless you want everyone nearby to know who owns that network. Single dictionary words also make for poor security.

(Default: FreshTomatoXX, where “XX” is the digits in the band.) For example, on a 5 GHz network, the default SSID is “FreshTomato50”.

Broadcast: this enables SSID broadcasting. This “announces” the SSID on the air, so it's easy to find/connect to. Some argue disabling SSID Broadcast provides more security. However, SSID names are easily sniffed with common software, so disabling SSID Broadcast provides little increase in security.

Channel: Selects the channel on which the 5 GHz radio interface will operate. (Default: Auto).

Generally, it's wise to choose a different channel than the one your neighbours are using.

  • Auto: This default is generally safe unless there's significant interference from nearby equipment.
    • FreshTomato selects and uses the channel it believes has the least interference.
  • Channel: lets you manually choose from available channels on the band.
    Unavailable channels won't appear.

Channel Width: This allows you to choose the width of the channel (in terms of frequency).

  • 20 MHz
  • 40 MHz
  • 80 MHz
  • 160 MHz (not yet supported. May be supported on some SDK714 models)


20 MHz channels on the 5 GHz band have no overlap, so the 5 GHz band is less prone to interference and noise. Larger channel widths provide more speed/bandwidth if there's low interference. Interference is more common on the 2.4 GHz band. It's usually fine to choose a wider channel width here. However, if you see slowdowns or trouble authenticating/associating with the router, you may need to use a narrower channel width.

802.11N can use 40 MHz channel width. However, to maintain legacy compatibility, it uses a main 20 MHz channel plus a free adjacent channel 20 MHz above or below the main channel.

Control Sideband: This option is available only if the 40, 80 or 160 MHz Channel Width is selected. This lets you choose whether the extra channel used is above (Upper) or below (Lower) the main channel being used. (Default: Upper).

Starting with release 2023.3, this menu will allow you to choose the exact control channel for use.

Security: This menu lets you select the security protocol that will be used on the 2.4 GHz WiFi interface.

  • Disabled: disables security entirely, leaving the network open to anyone. Avoid using this.
    • This is basically an unlimited security risk.
  • WEP: enables Wired Equivalent Privacy protocol. Avoid using this.
    • This is obsolete due to serious vulnerabilities, such as weak encryption.
  • WPA Personal: enables WiFi Protected Access Protocol 1.x. WPA uses the RC4-based TKIP protocol.
    • This lets hosts exchange pre-shared keys, for more security.
    • While more secure than WEP, this has weaknesses like lower encryption standards.
    • WPA2 is strongly encouraged instead of WPA.
  • WPA Enterprise: (AKA: WPA-802.1X). This is similar to WPA Personal, but each user has their own username/password.
    • No common pre-shared key is used.
    • This doesn't require a RADIUS server. Often, one is used for compatibility and security.
    • This is more secure against dictionary attacks on short passwords.
    • This is suitable for larger, more formal networks.
  • WPA2 Personal: uses elements of the 802.11i standard.
    • This supports mandatory use of AES encryption, so is much more secure than old protocols.
    • WPA2 Personal is recommended for small/mid-sized informal networks.
  • WPA2 Enterprise: This enables the Enterprise version of WPA2.
    • This uses WPA2, but each user has their own username/passkey.
    • WPA2 Enterprise is based on parts of 802.11i.
    • This doesn't require a RADIUS server, but often, one is used for legacy compatibility/security.
    • This is appropriate for larger, more structured networks.
  • WPA / WPA2 Personal: uses WPA2 Personal, and if that fails, allows WPA security.
  • WPA / WPA2 Enterprise: uses WPA2 Enterprise, or if that fails, WPA.
  • RADIUS: Enables Remote Access Dialup User Service.
    • This is designed for larger organizations.
    • This uses a separate server to authenticate, permit and keep track of users.
    • This supports authentication via certificates, for easier user management.
    • This is usually only for advanced users.
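
The guidance above on security modes, SSID naming and SSID broadcast can be checked against a router's stored settings. The following is an added example, not part of FreshTomato or of the original page. The nvram key names and mode values it matches are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: audit WiFi settings from `nvram show`-style key=value lines.
# ASSUMPTION: key names (wlN_security_mode, wlN_ssid, wlN_closed) and mode
# values follow common Tomato naming; confirm them on your own build.

# Constructed sample input (not taken from a real router).
sample_nvram() {
    cat <<'EOF'
wl0_ssid=HomeNet24
wl0_security_mode=wpaX_personal
wl0_closed=1
wl1_ssid=FreshTomato50
wl1_security_mode=wep
wl1_closed=0
wl2_security_mode=wpa2_personal
EOF
}

# Reads key=value lines on stdin and prints one finding per line.
audit_wifi() {
    awk -F= '
    /^wl[0-9]+_security_mode=/ {
        ifc = $1; sub(/_security_mode$/, "", ifc); mode = $2
        if (mode == "disabled")   print ifc ": FAIL open network, no security"
        else if (mode == "wep")   print ifc ": FAIL WEP is obsolete"
        else if (mode ~ /^wpa_/)  print ifc ": WARN WPA (TKIP), prefer WPA2"
        else if (mode ~ /^wpaX_/) print ifc ": WARN mixed mode allows WPA fallback"
        else if (mode ~ /^wpa2_/) print ifc ": OK " mode
        else                      print ifc ": INFO " mode ", review manually"
    }
    /^wl[0-9]+_ssid=FreshTomato[0-9]+$/ {
        ifc = $1; sub(/_ssid$/, "", ifc)
        print ifc ": WARN default SSID names the firmware"
    }
    /^wl[0-9]+_closed=1$/ {
        ifc = $1; sub(/_closed$/, "", ifc)
        print ifc ": INFO SSID broadcast off, adds little security"
    }'
}

# Demo on the sample; on the router use: nvram show 2>/dev/null | audit_wifi
sample_nvram | audit_wifi
```

The script only reads the mode, SSID and broadcast keys; it never prints the shared key.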


Shared Key: Here, enter the shared key to authenticate WiFi clients on the network. Asterisks are shown until you click your cursor.

Group Key Renewal: sets how often encryption keys used between clients/router are rotated. This is part of the WPA protocol.

(Default: 3600 seconds). See the first wireless radio unit for more details.

Network Notes and Troubleshooting

Tune Route Cache

Specifically, enabling this option does the following:


# 2018-01-19
# Reduce and flush the route cache to ensure a more synchronous load-balancing across multi-wan
# https://vincent.bernat.im/en/blog/2011-ipv4-route-cache-linux
 
/bin/echo 1 > /proc/sys/net/ipv4/route/flush
/bin/echo 1 > /proc/sys/net/ipv4/route/secret_interval
/bin/echo 0 > /proc/sys/net/ipv4/route/min_delay
/bin/echo 1 > /proc/sys/net/ipv4/route/max_delay
/bin/echo 1 > /proc/sys/net/ipv4/route/gc_interval
/bin/echo 1 > /proc/sys/net/ipv4/route/gc_elasticity
/bin/echo 1 > /proc/sys/net/ipv4/route/gc_min_interval_ms
/bin/echo 0 > /proc/sys/net/ipv4/route/gc_min_interval
/bin/echo 1 > /proc/sys/net/ipv4/route/gc_thresh
/bin/echo 1 > /proc/sys/net/ipv4/route/gc_timeout
 
#Causes connectivity issues if this value is too small, use defaults or tune accordingly
/bin/echo 512 > /proc/sys/net/ipv4/route/max_size




Baby Jumbo Frames

Support for Baby Jumbo Frames (RFC 4638) was added starting with release 2021.3. This function works only on gigabit routers. Not all ISPs support Jumbo Frames for PPPoE (RFC 4638).

To enable Baby Jumbo Frames:

  • Go to the Miscellaneous menu. Check Enable jumbo frame support in that menu. The router will reboot.
  • In the Network menu, set the MTU option to manual, and enter an MTU value of 1500 for PPPoE operation. (Usually, packet size will be 1492)
  • Clamping can be manually disabled, if needed. (Type nvram set tcp_clamp_disable=1 at a FreshTomato command prompt).
  • Ping with packet size 1472 to verify that you have a working PPP MTU of 1500.
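
The last step works because a 1472-byte ICMP payload plus 8 bytes of ICMP header and 20 bytes of IPv4 header makes a 1500-byte packet. The following added example (not from the original page) generalizes that check: it searches for the largest payload that passes unfragmented from a LAN client. It assumes Linux iputils ping (the `-M do` option), and the target address is a placeholder.

```shell
#!/bin/sh
# Added example: find the largest unfragmented ICMP payload to a host.
# MTU = payload + 20 (IPv4 header) + 8 (ICMP header), so 1472 -> 1500.

TARGET="${TARGET:-192.0.2.1}"   # placeholder address; set to a real host

# Send one ping with Don't Fragment set. ASSUMPTION: Linux iputils ping.
probe() {
    ping -M do -c 1 -W 2 -s "$1" "$TARGET" >/dev/null 2>&1
}

# Binary-search payload sizes between lo and hi; print the resulting MTU.
find_path_mtu() {
    lo=${1:-1200}; hi=${2:-1472}
    probe "$lo" || { echo "no reply at payload $lo" >&2; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo $(( lo + 28 ))
}

# Report whether the path carries full 1500-byte packets.
# Returns 0 if so, 1 if the MTU is lower, 2 if the host never replied.
check_baby_jumbo() {
    mtu=$(find_path_mtu) || return 2
    if [ "$mtu" -ge 1500 ]; then
        echo "OK: MTU $mtu"
    else
        echo "MTU $mtu (below 1500)"
        return 1
    fi
}
```

Run it as `TARGET=<host> check_baby_jumbo`; a result of 1492 means the PPPoE link is still using the standard MTU.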


Wireless Band Steering


This example shows the default parameters to steer clients from the 2.4 GHz band to the 5 GHz band:

Steer Policy:
max=0 period=5 cnt=3 rssi=-52 phyrate_high=110 phyrate_low=0 flags=0x22 state=3
Rule Logic: OR
RSSI: Greater than
VHT: Allowed
NON VHT: Allowed
NEXT RF: NO
PHYRATE (HIGH): Greater than or Equal to
LOAD BALANCE: NO
STA NUM BALANCE: NO
PHYRATE (LOW): Less than
N ONLY: NO



This example shows default parameters to steer clients from the 5 GHz band to the 2.4 GHz band:

Steer Policy:
max=80 period=5 cnt=3 rssi=-82 phyrate_high=0 phyrate_low=0 flags=0x20 state=2
Rule Logic: OR
RSSI: Less than or Equal to
VHT: Allowed
NON VHT: Allowed
NEXT RF: NO
PHYRATE (HIGH): Greater than or Equal to
LOAD BALANCE: NO
STA NUM BALANCE: NO
PHYRATE (LOW): Less than
N ONLY: NO



For more details, see:
https://www.smallnetbuilder.com/wireless/wireless-howto/32653-asus-rt-ac3200-smart-connect-the-missing-manual?start=0

basic-network.txt · Last modified: 2024/05/07 06:03 by hogwild