Site Tools


network

Network

The Network page includes most settings needed to configure the network. It is divided into sections including MultiWAN, WAN Settings, Ethernet Ports Configuration, LAN and Wireless setttings.

MultiWAN

Number of WAN ports: This lets you select the number of WAN ports to be used on the device. On routers with only one physical WAN interface, options with WAN ports larger than one will be greyed out. This allows you to select only “1 WAN” on such devices.

Check Connections Every: This is a quick way to make Tomato automatically test the reliability of your WAN connection. (Default: Disabled). Choosing any setting other than [Disabled] will execute the “Watchdog” script. The Watchdog script uses ping or traceroute to test WAN connection status.

This setting specifies how often you want the router to send ICMP ping packets to check that it is still connected to the Internet. Choosing any setting other than Disabled will make the Target 1 and Target 2 fields appear.

Target 1: Address of first host you want Tomato to ping regularly (Default: Google.com)
Target 2: Address of second host you want Tomato to ping regularly (Default: Microsoft.com)

WAN Settings

Settings in this section are used to configure the WAN interface.

Type: This sets the connection mode the WAN interface uses to connect to your ISP. Depending on which Type you select, other configuration settings specific to that type of connection will be shown or hidden. See below. (Default: DHCP). The Type setting will depend on your ISP's setup.

DHCP: A DHCP server at your ISP will dynamically assign a WAN IP lease to your Tomato router. DHCP uses no authentication.
DHCP is most often used for cable, but there are exceptions. Even though DHCP itself doesn't include authentication, some cable companies require your cablemodem's MAC address to be on their whitelist, or they may block Internet access via that modem.

PPPoE: The router's WAN port will respond to authentication requests from your ISP's PPPoE server. This will require you to store in Tomato the PPPoE username and password that were assigned by your ISP. If authentication is successful, the PPPoE server will allow you to log on to the ISP's network, and a DHCP server will assign you a WAN IP lease. PPPoE is most often used for DSL networks, again with exceptions. It is suggested you leave the Service Name field blank.
Note: If you use your Tomato router for PPPoE authentication, you should ideally configure your DSL or cable modem for bridge mode. Otherwise, if your modem and router both have routing functions enabled, you have a situation called “Double NAT”. Double NAT may create various problems, such as VoIP issues, and reduced speed.

Static: This choice will configure your WAN port with a static IP. You must manually enter the static IP, subnet mask, gateway address and DNS server addresses into Tomato. These settings are given to you by your ISP. Static mode is typically used for business accounts, when it's important the IP address doesn't change.

PPTP: This will configure your WAN port to use Microsoft's PPTP (VPN) tunnelling protocol to connect. The encryption in PPTP provides a level of security, so your account credentials can't be stolen as easily. PPTP will require you to enter a username and password, and gateway server settings (given by your ISP).

L2TP: Choosing this will configure your WAN port to connect using Cisco's Layer Two Tunnelling Protocol. Tomato will require you enter the L2TP username, password, L2TP server, (static) IP address, subnet mask and gateway settings, as provided by your ISP. By default, only L2TP control messages are encrypted, not content. L2TP provides a tunnel for layer 2 protocols. Content is encrypted by layer 2 protocols, such as Ethernet or PPP.

3G modem: This setting will enable support for a 3G GSM (cellular) network dongle connected to a USB port. Always ensure USB and 3G/4G modem support are checked in the USB Support menu or this mode might not work. The modem might not be detected.

4G/LTE: This option enables support for fourth generation GSM (cellular) / LTE (Long Term Evolution) USB modem dongles. When choosing 4G/LTE, the PIN code and APN fields will appear, and must be completed with correct settings (see descriptions below). Always ensure USB and 3G/4G modem support are checked in the USB Support menu for this mode to work. The modem might not be detected. To ensure your modem is detected, check Tomato has USB Support enabled in the USB Support menu.

Disabled: Disables the physical WAN port on your router. This effectively makes your Tomato device function only as a switch (if it has switching functions) and/or a Wi-Fi access point (if it has those capabilities).

Wireless Client Mode: This locks or unlocks the the ability to enable Tomato's Wireless Client mode in the Wireless (2.4 GHz) and Wireless (5G GHz) menus. Wireless client mode allows the Tomato router to act as a client and connect to another router/AP, much like a normal wireless network adapter.

  • Disabled If Wireless Client mode is set to Disabled, the Wireless Client option becomes greyed out in the Wireless (2.4 GHz)
    and Wireless (5 GHz) menus. This prevents you from enabling Wireless Client mode in either frequency band.
  • 2.4 GHz If this option is selected, Tomato will unlock enabling of Wireless Client mode setting in the Wireless (2.4 GHz) menu.
    This will unlock enabling (but not enable) of the 2.4 GHz band Wireless Client mode. It's a bit confusing.
  • 5 GHz Tomato will unlock enabling of Wireless Client mode in the Wireless (5 GHz) menu. This will unlock enabling (but not enable) enabling
    of the 5 GHz frequnecy band Wireless Client mode. This is a little confusing.

Modem device: Here you specify the 3G modem's Linux device path/filename. If you're not sure what to choose, check the USB support page to see if your modem dongle is listed there. The Default device filename is the first serial device on the first USB port: (/dev/ttyUSB0). The “TTY” part of the device's filename represents a serial device and the “USB0” part of the device's filename means that device is connected to the first USB port on the Tomato machine. The /ttyUSB devices use the newer Serial→USB device driver framework. If your interface lists, for example, “/dev/ttyACM0 instead, the “ACM” means the device is of type “Abstract Control Model”, which uses Linux's serial modem driver framework. To ensure your modem is detected, check Tomato has USB Support enabled in the USB Support menu.

You could also log on to Tomato via Telnet and use the lsusb or dmesg commands to get device info. When you set 3G modem as the WAN type, other fields will appear, prompting you for more information.

PIN Code: This is the 3-digit PIN code for the SIM card associated with your cell account. Leave this field blank if your SIM card code has been deactivated.

Modem init string: Here, you enter the modem's default initialization string. This will come from your cell provider, or the modem manufacturer. (Default: *99#).

APN: The access point name (provided by your carrier). This specfies a gateway to route data between your cell carrier and the Internet. (Default: internet).

Username: Here you enter the username to access your cell carrier's APN (provided by your cell carrier) gateway.
Some carriers don't require this info.

Password: Here you enter the password to authenticate to your cell carrier's APN (provided by your cell carrier) gateway.
Some carriers do not require this info.

Network Type: This menu appears when WAN type is set to 4G/LTE. (Default setting: 4G/3G/2G). The default setting configures Tomato to start negotiating with a 4G connection, and, if that fails, fall back to negotiating a 3G connection,and failing that, a 2G connection.

DNS Server: When set to AUTO, Tomato uses the DNS server addresses included in your Internet Provider's DHCP lease.
When set to Manual, this enables Tomato's DNS server function (in dnsmaq). In Manual mode, the “DNS 1” and “DNS 2” fields appear in which to manually enter DNS server addresses.
DNS 1: Enter the first DNS server address here. (Applies only when DNS Server is set to Manual).
DNS 2: Enter the second DNS server address here. (Applies only when DNS Server is set to Manual).
Manually chosen DNS servers are useful if your ISP's DNS servers are slow or unreliable, or can be used for parental filtering.

MTU: Maximum Transmission Unit, the maximum size of Ethernet frames to be transferred between WAN and LAN.
This is only for the WAN interface and won't alter client devices on the LAN. However, MTU size differences among devices can cause issues.

  • (Default: 1500), is typical for Ethernet devices, and is suitable for most settings. When Default is selected, the number in the Manual field is greyed out and can't be changed.
  • Manual: Selecting manual allows you to enter a custom number in the field beside it. Jumbo Frame sizes typically begin at a size of 2000 bytes.

Use DHCP: This function is rarely used, and it is recommended you leave it disabled. On a few Internet providers, addressing is separated from PPPoE functionality. TBD.

Single Line MLPPP: This is similar to Multilink PPP (MLPPP). Multilink PPP is a version of the Point-to-Point Protocol which allows you to bond two or more physical connections to increase the bandwidth available. Single Line MLPPP is a version which allows you to use one modem, but bond the bandwidth of multiple PPPoE sessions. A side effect of using this is that it bypassed some Internet Providers' bandwidth throttling. This is rarely used nowadays.

Route Modem IP: When using a separate modem and router, you typically use the modem in bridge mode, or PPPoE passthrough mode. That means you can't easily access the modem's LAN interface when it's behind the router. This is because Tomato's WAN interface will get a public IP address, whereas the modem will be reachable via a private LAN address, for local administration only. Since private addresses are not routable on the Internet, Tomato would block the LAN > WAN > MODEM PRIVATE IP traffic, by default. The Route Modem IP function adds a simple static route in Tomato's routing table to make the modem a private IP on a /32 subnet, reachable via the WAN interface. That subnet mask allows only one host, so only the modem will be reachable. You can then communicate with the modem without having to resort to other, more difficult measures. (Default: Off)

Query Hilink Modem IP: This function is specifically for Hilink brand modems. (Default: Disabled).

Call Custom Status Script: TBD.

Connect Mode: This chooses which method is used to keep the Tomato router connected to the Internet provider. Selecting Connect on Demand will make Tomato disconnect from the Internet provider after the time period specified in the Max Idle Time field. Tomato will reconnect to the Internet a soon as one of its LAN clients requests Internet access.

Some Internet Providers drop a connection if their router sees no Internet activity. If you select Keepalive, Tomato will send small keepalive packets at specified, brief intervals. This will make the connection appear to the Internet Provider as if there is intermittent activity, even when no Tomato clients request Internet access. Redial Interval: Here, enter the time in seconds for how often the router should check the Internet connection. (Default: 10 seconds). This option minimizes your Internet connection response time, since generally, the connection will always be up.

(Default: Keepalive).

Redial Interval: When PPPoE dialling fails, the Redial Interval is used to delay each attempt for the defined number of seconds. (Default: 10 seconds). This allows more time for the PPPoE server or network infrastructure to start functioning properly again before attempting another PPPoE connection.

LCP Echo Interval: The Link Control Protocol sends and receives frames between two peers to determine if they are still connected. The LCP Echo Interval is the period of time between these signals. This is typically used to verify a DSL modem still has a valid PPPoE connection to the Internet provider. (Default: 10 seconds).

LCP Echo Link fail limit: This is the number of times LCP echo request checks can fail between two LCP peers before the status is deemed to be dead. The client DSL modem will then drop the PPPoE link. When the link is terminated, LCP will try to renegotiate a new PPPoE session.

LAN

The LAN section includes information and settings to configure Tomato's LAN interface functions. This includes Tomato's:

  • LAN IP address and (sub)netmask
  • Spanning Tree Protocol function
  • DHCP server status and setttings (through dnsmasq), such as scope and lease time
  • Stubby (DNS-over-TLS) setting and WINS settings

Bridge: Selects the bridge whose LAN settings will be modified

STP: Checking or unchecking this enables or disables Spanning Tree Protocol. This is used primarily to prevent forwarding loops in switches. The recommended setting is off, unless you're very experienced with networks. (Default: Off).

IP Address: Here you enter the IP Address you want to assign to the specified LAN interface. (Default: 192.168.1.1)

Netmask: The (sub)netmask associated with Tomato's LAN IP address. (Default: 255.255.255.0 - a class C netmask).

DHCP: Checking this box enables the DHCP server functions in dnsmasq. Unchecking this disables Tomato's DHCP server functions. (Default: Off)

IP Range (first/last) : Here you enter the first address and last address of the DHCP Scope. This is the range of IP addresses Tomato's DHCP server will assign to LAN clients.

Lease Time (mins.): This is the DHCP lease time, in minutes. (Default: 1440 = one day).

Use Stubby (DNS-over-TLS): This enhances DNS privacy. Checking this box enables Stubby, a DNS Stub resolver. DNS over TLS sends DNS queries over a secure connection, encrypted with TLS, the same technology that encrypts secure Web traffic. This prevents third parties from seeing your DNS queries.

WINS (for DHCP): Here, you can specify the IP adddress of a WINS Server which will be given to DHCP clients. NOTE: This does NOT actually enable the WINS service. Tomato's WINS Server function is enabled on the USB and NAS/File Sharing menu.

Windows Internet Name Service (WINS) is a legacy computer name registration and resolution service that maps computer NetBIOS names to IP addresses. Officially, WINS is outdated and largely obsolete. DNS is supposed to have replaced most WINS functionality. However, Microsoft has not officially deprecated WINS. It may still be necessary for some Windows LAN browsing functions, especially on very old Windows versions.

More details about WINS can be found here:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc784707(v=ws.10)

Ethernet Ports State - Configuration

This section has settings for the Ethernet Ports State graphic on the Status/Overview page. That graphic intuitively shows the status, link speed, and other diagnostic information for each Ethernet port on the router.
Enable Ports State: Checking this enables the Ethernet Ports State graphic on the Status/Overview page. (Default: On).

Show Speed Info: Checking this displays the link speed of each Ethernet port, (such as 1GB/100MB/10MB). (Default: On).

Invert ports order: Checking this option displays the port icons in the Ethernet Ports State graphic in the opposite order to the default where they are located on the switch. This is useful in situations where the sequence of icons on the Ethernet Ports State do not match the actual port locations on the router's switch. (Default: Off).

Wireless Band Steering - Configuration

Options (checkbox):

  • Disable
  • Enable

If you enable Wireless Band Steering, Tomato can decide, for each dual-band client device, on which band the device should try to connect. To achieve this, enter the same SSID name, security settings, password, and other settings (see picture below) for all wireless interfaces (up to 3 on a Tri-Band-Router).

Note: client devices can also try to switch bands on their own, without Wireless Band Steering's influence. (Default: Disabled).

Here's an example for the default parameter to trigger the switching (2.4 GHz):

Steer Policy:
max=0 period=5 cnt=3 rssi=-52 phyrate_high=110 phyrate_low=0 flags=0x22 state=3
Rule Logic: OR
RSSI: Greater than
VHT: Allowed
NON VHT: Allowed
NEXT RF: NO
PHYRATE (HIGH): Greater than or Equal to
LOAD BALANCE: NO
STA NUM BALANCE: NO
PHYRATE (LOW): Less than
N ONLY: NO

⇒ The target will be the 5 GHz wi-Fi network

Here's an example for the default parameter to trigger the switching (5 GHz):

Steer Policy:
max=80 period=5 cnt=3 rssi=-82 phyrate_high=0 phyrate_low=0 flags=0x20 state=2
Rule Logic: OR
RSSI: Less than or Equal to
VHT: Allowed
NON VHT: Allowed
NEXT RF: NO
PHYRATE (HIGH): Greater than or Equal to
LOAD BALANCE: NO
STA NUM BALANCE: NO
PHYRATE (LOW): Less than
N ONLY: NO

⇒ The target will be the 2.4 GHz Wi-Fi network.

For more details, see https://www.smallnetbuilder.com/wireless/wireless-howto/32653-asus-rt-ac3200-smart-connect-the-missing-manual?start=0

Wireless Band Steering is available with FreshTomato version 2020-8 and up.

Wireless (2.4 GHz / interface eth1)

The Wireless (2.4 GHz) section displays information and settings for the wireless network interface on the 2.4 GHz Wi-Fi band.

Your device may show a different device name than eth1. Note: Tomato (Linux) hardware device numbers begin at 0.
For example, the first ethernet device might be called eth0. The second wireless device might be called wl1.

Enable Wireless: When checked, this turns on the 2.4 GHz Wi-Fi network interface.
When unchecked, the 2.4 GHzWi-Fi network interface is turned off.

MAC Address: This displays the MAC address of the 2.4 GHz Wi-Fi radio interface.
Clicking on the MAC address takes you to the Advanced/MAC Address page, where you can specify your own MAC address for this interface.

Wireless Mode: This allows you to select the wireless mode (function) of the 2.4 GHz Wi-fi network interface.

Selection Description

Access Point

The normal (default) setting, which allows clients to connect to Tomato's wireless network(s).
(IPv4 & IPv6 communication working for mips and arm)

Access Point WDS

Sets the router in “repeater mode”, allowing clients to connect wirelessly while simultaneously acting as a
WDS Wireless Distribution System base station.

Wireless Client
The router connects to the other router/access point like any other wireless client device would connect to an access point. The router provides client connections ONLY through the Ethernet ports. Status as of 2020-12-31: This mode is working on MIPS devices (RT and RT-N images) but NOT working for SDK6 and up, code is missing - tbd.

Wireless Ethernet Bridge

Configures the Tomato Router to connect to another router while still keeping all computers connected to both routers in the same subnet. Note: As of version 1.19 - Wireless Bridge must be set to WPA2 (Example: WPA2 Personal AES)
IPv4 communication working for mips and arm builds; IPv6 communication will only work for FreshTomato 2021-1 SDK6 ARM Dual-Core and newer (Status as of 2021-02-20; SDK7 not tested)

WDS

Serve as a Wireless Distribution System (WDS) base station only.
Table is a derived work from (Creative Commons) Wikibooks - “Tomato Firmware/Menu Reference” Wireless Mode Selections

Wireless Network Mode: This lets you choose which 802.11 Wi-Fi LAN protocol(s) you wish to make available to clients.

  • Auto: On this setting, Tomato and Wi-Fi client devices negotiate the best wireless protocol automatically. Generally, Auto is recommended, unless you are very knowledgeable about networking/Wi-Fi. Compatibility issues can create all kinds of problems, and often, the most “logical” setting is not the best one.
  • A Only: allows Wi-Fi clients to connect using only the 802.11a protocol.
  • N Only: allows Wi-Fi clients to connect using only the 802.11N protocol.

These ONLY apply to the 2.4 GHz band radio interface. Separate Wireless Network Mode settings exist for any 5 GHz band interface.

(Default: Auto)

SSID: This the network name for the 2.4 GHz Wi-Fi interface (Service Set IDentifier). For security purposes, it's recommended you don't include any personal words or expressions/phrases which might indicate your identity, address, location, or equipment type in your SSID. For example, “HELENLIUNG” would not be a good choice, unless you want everyone on the street to know who owns that network. Common words found in the dictionary also make for poor security.
(Default: TomatoXX, where “XX” is the two numbers in the frequency band.) On the 2.4 GHz network, for example, the default SSID is “Tomato24”.

Broadcast: Checking this enables SSID broadcasting. This “announces” the SSID (network name) on the air, so it's easy to find and connect to. Some people argue that disabling SSID Broadcast provides more security. However, SSIDs names can be easily sniffed using common software. Therefore, disabling SSID Broadcast provides little increase in security.

Channel: Selects the channel on which the 2.4 GHz radio interface will operate. Generally, it's a good idea to choose a different channel than the one your neighbours are using. (Default: Auto).

  • Auto: This setting is the default, and is generally safe unless you have significant interference from nearby networks or other equipment.

On this setting, Tomato chooses and uses the channel it believes has the least interference.

  • Channel: This menu lets you manually choose available Wi-Fi channels on the band. Unavailable channels will not appear in this menu.

Channel Width: This menu allows you to choose the width of the channel (in terms of frequency).

  • 20 MHz
  • 40 MHz

802.11N can use 40 MHz channel width, but to maintain compatibility with legacy systems, it uses one main 20 MHz channel plus a free adjacent channel 20 MHz above or below the main channel.

Control Sideband: This option is only available If the 20 or 40 Channel Width is selected. This menu allows you to choose whether the extra channel used is above (Upper) or below (Lower) the main channel being used. (Default: Upper).

  • Upper
  • Lower

Security: This menu lets you select the security protocol that will be used on the 2.4 GHz Wi-Fi interface.

  • Disabled: This option disables security entirely, leaving the network open to anyone. This is STRONGLY discouraged, as it is an almost unlimited security risk.
  • WEP: This enables Wired Equivalent Privacy protocol. This is STRONGLY discouraged, due to its known serious vulnerabilities and obsolescence.
  • WPA Personal: This enables Wi-Fi Protected Access Protocol (1.x). WPA implements the RC4-based TKIP protocol, which makes the key exchange process between hosts much more secure. While more secure than WEP, WPA still contains weaknesses, such as lower encryption standards. Therefore, the use of WPA is strongly discouraged in favour of WPA2 or higher.
  • WPA Enterprise: Also known as WPA-802.1X, this is similar to WPA Personal, but requires a RADIUS server for authentication, authorization and accounting services. It is more secure, for example, against dictionary attacks on short passwords. This is suitable for larger, more formal networks.
  • WPA2 Personal: This is Wi-Fi Protected Access protocol version 2. This implements elements of the 802.11i standard. The most important change here is mandatory support for AES encryption. This makes WPA2 much more secure than older protocols. As a result, this protocol is recommended for small to mid-sized, informal networks.
  • WPA2 Enterprise: This enables version 2 of the Wi-Fi Protected Access protocol Enterprise version. This protocol uses WPA2, but requires a RADIUS server for authentication, authorization and accounting services. Because of RADIUS, it also offers further security. This is appropriate for larger, more formally-structured networks.
  • WPA / WPA2 Personal:
  • WPA / WPA2 Enterprise:
  • RADIUS: This setting enables the Remote Access Dialup User Service. Designed for businesses and larger organizations, this service uses a separate server to authenticate, permit and keep track of users. This option will generally only be used by highly technical users.

Shared Key: In this field, enter the shared key used to authenticate the Wi-Fi client on the network. The field will show only asterisks until you click your cursor in it. The characters will then become visible.

Group Key Renewal: This sets the interval for how often the encryption keys used between client devices and the router/access point are rotated/changed. This is a part of the WPA protocol. (Default: 3600 seconds = 1 hour).

Wireless (5 GHz / interface eth2)

The Wireless (5 GHz) section displays information and settings for the wireless network interface on the 5 GHz Wi-Fi band.

Your device may show a different device name than eth1. Note: Tomato (Linux) hardware device numbers begin at 0.
For example, the first ethernet device might be called eth0. The second wireless device might be called wl1.

Typically, the 5 GHz Wi-Fi band has higher bandwidth, but shorter distance propagation than the 2.4 GHz band.

Enable Wireless: Checking this turns on the 5 GHz Wi-Fi network interface. When unchecked, the 5 GHz Wi-Fi network interface is turned off.

MAC Address: This displays the MAC (hardware) address of the 5 GHz Wi-Fi radio interface.
Clicking on the MAC address takes you to the Advanced/MAC Address page, where you can specify your own MAC address for this interface.

Wireless Mode: This allows you to select the wireless mode (function) of the 5 GHz Wi-fi network interface.

Selection Description

Access Point

The normal (default) setting, which allows clients to connect to Tomato's wireless network(s). (IPv4 & IPv6 communication working for mips and arm)

Access Point WDS

Sets the router in “repeater mode,” allowing clients to connect wirelessly while simultaneously acting as a WDS
Wireless Distribution System base station.

Wireless Client
The router connects to the other router/access point like any other wireless client device would connect to an access point. The router provides client connections ONLY through the Ethernet ports. Status as of 2020-12-31: This mode is working on MIPS devices (RT and RT-N images) but NOT working for SDK6 and up, code is missing - tbd.


Wireless Ethernet Bridge

Configures the Tomato Router to connect to another router while still keeping all computers connected to both routers in the same subnet.
Note: As of version 1.19 - Wireless Bridge must be set to WPA2 (Example: WPA2 Personal AES) to function.
IPv4 communication is working for mips and arm builds; IPv6 communication will only work for FreshTomato 2021-1 SDK6 ARM Dual-Core and newer (Status as of 2021-02-20; SDK7 not tested)

WDS

Serve as a Wireless Distribution System (WDS) base station only.
Table is a derived work from (Creative Commons) Wikibooks - “Tomato Firmware/Menu Reference” Wireless Mode Selections

Wireless Network Mode: This lets you choose which 802.11 Wi-Fi protocol(s) you wish to make available to clients.

  • Auto: On this setting, Tomato and Wi-Fi client devices negotiate the best wireless protocol automatically. Auto is recommended unless you are very knowledgeable about networking/Wi-Fi. Compatibility issues can create all kinds of problems, and often, the most “logical” setting is not the best one.
  • A Only: allows Wi-Fi clients to connect using only the 802.11a protocol.
  • N Only: allows Wi-Fi clients to connect using only the 802.11N protocol.

Separate Wireless Network Mode settings will exist for any 2.4 GHz band interface. See above section.
(Default: Auto)

SSID: This the 5 GHz Wi-Fi interface's network name, (Service Set IDentifier). For security purposes, it's recommended you don't include any personal words or expressions/phrases which might indicate your identity, address, location, or equipment type in your SSID. For example, “HELENLIUNG” would not be a good choice, unless you want everyone on the street to know who owns that network. Common words found in the dictionary also make for poor security.
(Default: TomatoXX, where “XX” is the two numbers in the frequency band.) On a 5 GHz network, for example, the default SSID is “Tomato50”.

Broadcast: Checking this enables SSID broadcasting. This “announces” the SSID (network name) on the air, so it's easy to find and connect to. Some people argue that disabling SSID Broadcast provides more security. However, SSIDs names can be easily sniffed using common software. Therefore, disabling SSID Broadcast provides little increase in security.

Channel: Selects the channel on which the 2.4 GHz radio interface will operate. Generally, it's a good idea to choose a different channel than the one your neigbhours are using.

  • Auto: This is the default, and is generally safe unless you have significant interference from nearby networks or other equipment.
    On this setting, Tomato chooses and uses the channel it believes has the least interference.
  • Channel: This menu lets you manually choose available Wi-Fi channels on the band. Unavailable channels will not appear in this menu.

(Default: Auto).

Channel Width: This menu allows you to choose the width of the channel (in terms of frequency).

  • 20 MHz
  • 40 MHz
  • 80 MHz
  • 160 MHz

The 20 MHz channels on the 5 GHz band have no overlap. Therefore, it tends to be less prone to interference and noise. Larger channel widths, provide more speed/bandwidth if there's minimal interference. This is, however, more of a problem on the 2.4 GHz band than it is on the 5 GHz band. It is usually okay to choose some of the wider channel widths here. However, if you see effects, such as slow speeds or trouble authenticating/associating with the router, you may need to use a narrower channel width.

802.11N can use 40 MHz channel width, but to maintain compatibility with legacy systems, it uses one main 20 MHz channel plus a free adjacent channel 20 MHz above or below the main channel.

Control Sideband: This option is only available If the 40, 80 or 160 MHz Channel Width is selected. This menu allows you to choose whether the extra channel used is above (Upper) or below (Lower) the main channel being used. (Default: Upper).

  • Upper
  • Lower

Security: This menu lets you select the security protocol that will be used on the 2.4 GHz Wi-Fi interface.

  • Disabled: This option disables security entirely, leaving the network open to anyone. This is STRONGLY discouraged, as it is an almost unlimited security risk.
  • WEP: This enables Wired Equivalent Privacy protocol. This is STRONGLY discouraged, due to its known serious vulnerabilities and obsolescence.
  • WPA Personal: This enables Wi-Fi Protected Access Protocol (1.x). WPA implements the RC4-based TKIP protocol, which makes the key exchange process between hosts much more secure. While more secure than WEP, WPA still contains weaknesses, such as lower encryption standards. Therefore, the use of WPA is strongly discouraged in favour of WPA2 or higher.
  • WPA Enterprise: Also known as WPA-802.1X, this is similar to WPA Personal, but requires a RADIUS server for authentication, authorization and accounting services. It is more secure, for example, against dictionary attacks on short passwords. This is suitable for larger, more formal networks.
  • WPA2 Personal: This uses Wi-Fi Protected Access protocol version 2. This implements elements of the 802.11i standard. The most important change here is mandatory support for AES encryption. This makes WPA2 much more secure than older protocols. As a result, this is recommended for small to mid-sized, informal networks.
  • WPA2 Enterprise: This uses the Enterprise version of Wi-Fi Protected Access protocol version 2. This protocol uses WPA2, but requires a RADIUS server for authentication, authorization and accounting services. Because of RADIUS, it also offers further security. This is appropriate for larger, more formally-structured networks.
  • WPA / WPA2 Personal:
  • WPA / WPA2 Enterprise:
  • RADIUS: This setting enables the Remote Access Dialup User Service. Designed for businesses and larger organizations, this service uses a separate server to authenticate, permit and keep track of users. This option will generally only be used by highly technical users.

Shared Key: In this field, enter the shared key used to authenticate the Wi-Fi client on the network. The field will show only asterisks until you click your cursor in it. The characters will then become visible.

Group Key Renewal: This sets the interval for how often the encryption keys used between client devices and the router/access point are rotated/changed. This is a part of the WPA protocol. (Default: 3600 seconds = 1 hour).

network.txt · Last modified: 2021/04/11 02:04 by hogwild