Network

The Network page includes most settings needed to configure the network. It is divided into sections including MultiWAN, WAN Settings, Ethernet Ports Configuration, LAN and Wireless settings.

MultiWAN

Number of WAN ports: This lets you select the number of WAN ports to be used on the device. On routers with only one physical WAN interface, options with more than one WAN port will be greyed out, so you can select only “1 WAN” on such devices.

Check Connections Every: This is a quick way to make FreshTomato automatically test the reliability of your WAN connection. (Default: Disabled). Choosing any setting other than [Disabled] will execute the Watchdog script. The Watchdog script uses ping or traceroute to test WAN connection status.

This setting specifies how often you want the router to send ICMP ping packets to check that it is still connected to the Internet. Choosing any setting other than Disabled will make the Target 1 and Target 2 fields appear.

Target 1: Address of first host you want FreshTomato to ping regularly (Default: Google.com)
Target 2: Address of second host you want FreshTomato to ping regularly (Default: Microsoft.com)

WAN Settings

Settings in this section are used to configure the WAN interface.

Type: This sets the connection mode the WAN interface uses to connect to your ISP. Depending on which Type you select, other configuration settings specific to that type of connection will be shown or hidden. See below. (Default: DHCP). The Type setting will depend on your ISP's setup.

DHCP: A DHCP server at your ISP will dynamically assign a WAN IP lease to your FreshTomato router. DHCP uses no authentication.
DHCP is most often used for cable, but there are exceptions. Even though DHCP itself doesn't include authentication, some cable companies require your cable modem's MAC address to be on their whitelist, or they may block Internet access via that modem.

PPPoE: The router's WAN port will respond to authentication requests from your ISP's PPPoE server. This will require you to store in FreshTomato the PPPoE username and password that were assigned by your ISP. If authentication is successful, the PPPoE server will allow you to log on to the ISP's network, and a DHCP server will assign you a WAN IP lease. PPPoE is most often used for DSL networks, again with exceptions. It is suggested you leave the Service Name field blank.
Note: If you use your FreshTomato router for PPPoE authentication, you should ideally configure your DSL or cable modem for bridge mode. Otherwise, if your modem and router both have routing functions enabled, you have a situation called “Double NAT”. Double NAT may create various problems, such as VoIP issues, and reduced speed.

Starting with release 2021.3, support for Baby Jumbo Frames (RFC 4638) was added. FreshTomato will try to increase the WAN interface MTU to 1508. That is a PPPoE MTU/MRU value of 1500 with an 8 byte overhead. (Default is 1492).

To enable Baby Jumbo Frames:

  1. Enable jumbo frame support (router will reboot, only for gigabit router).
  2. Set MTU to 1500 for PPPoE.
  3. Clamping can be disabled manually if needed (nvram set tcp_clamp_disable=1).

Then verify (using ifconfig AND ping with packet size 1472) that you have a working PPP MTU of 1500. Not all ISPs support RFC 4638. Usually, packet size will be 1492.
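The verification step above, as an added shell example (not part of the FreshTomato project): it reads the PPP interface MTU from ifconfig output and derives the matching ping payload, which is the MTU minus 20 bytes of IPv4 header and 8 bytes of ICMP header (1500 gives 1472). The interface name ppp0 and the sample ifconfig text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that a PPPoE WAN really carries a 1500-byte MTU.
# Assumptions: the interface name ppp0 and the sample text are constructed.

# Constructed sample of BusyBox-style `ifconfig ppp0` output.
SAMPLE_IFCONFIG='ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.10  P-t-P:203.0.113.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# Read ifconfig-style text on stdin, print the first MTU value found.
mtu_from_ifconfig() {
    sed -n 's/.*MTU:\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Largest ICMP echo payload that fits one unfragmented IPv4 packet:
# MTU - 20 (IPv4 header) - 8 (ICMP header).
ping_payload_for_mtu() {
    case "$1" in
        ''|*[!0-9]*) echo "error: MTU must be a number" >&2; return 1 ;;
    esac
    [ "$1" -gt 28 ] || { echo "error: MTU too small" >&2; return 1; }
    echo $(( $1 - 28 ))
}

# Name the PPPoE case an interface MTU corresponds to.
classify_ppp_mtu() {
    case "$1" in
        1500) echo "rfc4638" ;;   # Baby Jumbo Frames negotiated
        1492) echo "default" ;;   # usual PPPoE value
        *)    echo "custom" ;;
    esac
}

# Live check, run on the router: sh check_mtu.sh --live ppp0 <host>
check_live() {
    iface=$1
    target=$2
    mtu=$(ifconfig "$iface" | mtu_from_ifconfig)
    [ -n "$mtu" ] || { echo "no MTU found for $iface" >&2; return 1; }
    size=$(ping_payload_for_mtu "$mtu") || return 1
    echo "$iface MTU $mtu ($(classify_ppp_mtu "$mtu")), ping payload $size"
    # When repeating this from a Linux LAN client, set Don't Fragment
    # (iputils: ping -M do -s SIZE host). Without DF the router may
    # fragment the packet and the ping succeeds even at MTU 1492.
    ping -c 3 -s "$size" "$target"
}

if [ "${1:-}" = "--live" ]; then
    check_live "${2:-ppp0}" "${3:?usage: --live IFACE HOST}"
fi
```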

Static: This choice will configure your WAN port with a static IP. You must manually enter the static IP, subnet mask, gateway address and DNS server addresses into FreshTomato. These settings are given to you by your ISP. Static mode is typically used for business accounts, when it's important the IP address doesn't change.

PPTP: This will configure your WAN port to use Microsoft's PPTP (VPN) tunnelling protocol to connect. The encryption in PPTP provides a level of security, so your account credentials can't be stolen as easily. PPTP will require you to enter a username and password, and gateway server settings (given by your ISP).

L2TP: Choosing this will configure your WAN port to connect using Cisco's Layer Two Tunnelling Protocol. FreshTomato will require you enter the L2TP username, password, L2TP server, (static) IP address, subnet mask and gateway settings, as provided by your ISP. By default, only L2TP control messages are encrypted, not content. L2TP provides a tunnel for layer 2 protocols. Content is encrypted by layer 2 protocols, such as Ethernet or PPP.

3G modem: This setting will enable support for a 3G GSM (cellular) network dongle connected to a USB port. Always ensure USB and 3G/4G modem support are checked in the USB Support menu, or this mode might not work because the modem might not be detected.

4G/LTE: This option enables support for fourth generation GSM (cellular) / LTE (Long Term Evolution) USB modem dongles. When choosing 4G/LTE, the PIN code and APN fields will appear, and must be completed with correct settings (see descriptions below). Always ensure USB and 3G/4G modem support are checked in the USB Support menu for this mode to work; otherwise, the modem might not be detected.

Disabled: Disables the physical WAN port on your router. This effectively makes your FreshTomato device function only as a switch (if it has switching functions) and/or a Wi-Fi access point (if it has those capabilities).

Wireless Client Mode: This enables FreshTomato's Wireless Client mode. Wireless client mode allows the FreshTomato router to act as a client and connect to another router/AP, much like a normal wireless network adapter. (For more details on wireless modes, see Wireless Mode tables below).

  • Disabled: If set to Disabled, FreshTomato's Wireless Client mode will be disabled.
  • 2.4 GHz: If selected, FreshTomato will enable Wireless Client mode on the 2.4 GHz interface.
  • 5 GHz: FreshTomato will enable Wireless Client mode on the 5 GHz interface.

Modem device: Here you specify the 3G modem's Linux device path/filename. If you're not sure what to choose, check the USB support page to see if your modem dongle is listed there. The default device filename is the first serial device on the first USB port (/dev/ttyUSB0). The “TTY” part of the device's filename represents a serial device and the “USB0” part of the device's filename means that device is connected to the first USB port on the FreshTomato machine. The /ttyUSB devices use the newer Serial→USB device driver framework. If your interface lists, for example, “/dev/ttyACM0” instead, the “ACM” means the device is of type “Abstract Control Model”, which uses Linux's serial modem driver framework. To ensure your modem is detected, check FreshTomato has USB Support enabled in the USB Support menu.

You could also log on to FreshTomato via Telnet and use the lsusb or dmesg commands to get device info. When you set 3G modem as the WAN type, other fields will appear, prompting you for more information.

PIN Code: This is the 3-digit PIN code for the SIM card associated with your cell account. Leave this field blank if your SIM card code has been deactivated.

Modem init string: Here, you enter the modem's default initialization string. This will come from your cell provider, or the modem manufacturer. (Default: *99#).

APN: The access point name (provided by your carrier). This specifies a gateway to route data between your cell carrier and the Internet. (Default: internet).

Username: Here you enter the username to access your cell carrier's APN (provided by your cell carrier) gateway.
Some carriers don't require this info.

Password: Here you enter the password to authenticate to your cell carrier's APN (provided by your cell carrier) gateway.
Some carriers do not require this info.

Network Type: This menu appears when WAN type is set to 4G/LTE. (Default setting: 4G/3G/2G). The default setting configures FreshTomato to start negotiating with a 4G connection, and, if that fails, fall back to negotiating a 3G connection, and failing that, a 2G connection.

DNS Server: When set to AUTO, FreshTomato uses the DNS server addresses included in your Internet Provider's DHCP lease.
When set to Manual, this enables FreshTomato's DNS server function (in dnsmasq). In Manual mode, the “DNS 1” and “DNS 2” fields appear in which to manually enter DNS server addresses.
DNS 1: Enter the first DNS server address here. (Applies only when DNS Server is set to Manual).
DNS 2: Enter the second DNS server address here. (Applies only when DNS Server is set to Manual).
Manually chosen DNS servers are useful if your ISP's DNS servers are slow or unreliable, or can be used for parental filtering.

MTU: Maximum Transmission Unit, the maximum size of Ethernet frames to be transferred between WAN and LAN.
This is only for the WAN interface and won't alter client devices on the LAN. However, MTU size differences among devices can cause issues.

  • (Default: 1500), is typical for Ethernet devices, and is suitable for most settings. When Default is selected, the number in the Manual field is greyed out and can't be changed.
  • Manual: Selecting Manual lets you enter a custom number in the field beside it. Jumbo Frame sizes typically begin at a size of 2000 bytes.

Use DHCP: This function is rarely used, and it is recommended you leave it disabled. On a few Internet providers, addressing is separated from PPPoE functionality. TBD.

Single Line MLPPP: This is similar to Multilink PPP (MLPPP). Multilink PPP is a version of the Point-to-Point Protocol which allows you to bond two or more physical connections to increase the bandwidth available. Single Line MLPPP is a version which lets you use one modem, but bond the bandwidth of multiple PPPoE sessions. A side effect of using this is that it bypassed some Internet Providers' bandwidth throttling. This is rarely used nowadays.

Route Modem IP: When using a separate modem and router, you typically use the modem in bridge mode, or PPPoE passthrough mode. That means you can't easily access the modem's LAN interface when it's behind the router. This is because FreshTomato's WAN interface will get a public IP address, whereas the modem will be reachable via a private LAN address, for local administration only. Since private addresses are not routable on the Internet, FreshTomato would block the LAN > WAN > MODEM PRIVATE IP traffic, by default. The Route Modem IP function adds a simple static route in FreshTomato's routing table to make the modem a private IP on a /32 subnet, reachable via the WAN interface. That subnet mask allows only one host, so only the modem will be reachable. You can then communicate with the modem without having to resort to other, more difficult measures. (Default: Off)

Query Hilink Modem IP: This function is specifically for Hilink brand modems. (Default: Disabled).

Call Custom Status Script: TBD.

Connect Mode: This chooses which method is used to keep the FreshTomato router connected to the Internet provider. Selecting Connect on Demand will make FreshTomato disconnect from the Internet provider after the time period specified in the Max Idle Time field. FreshTomato will reconnect to the Internet as soon as one of its LAN clients requests Internet access.

Some Internet Providers drop a connection if their router sees no Internet activity. If you select Keepalive, FreshTomato will send small keepalive packets at specified, brief intervals. This will make the connection appear to the Internet Provider as if there is intermittent activity, even when no FreshTomato clients request Internet access. Redial Interval: Here, enter the time in seconds for how often the router should check the Internet connection. (Default: 10 seconds). This option minimizes your Internet connection response time, since generally, the connection will always be up.

(Default: Keepalive).

Redial Interval: When PPPoE dialling fails, the Redial Interval is used to delay each attempt for the defined number of seconds. (Default: 10 seconds). This allows more time for the PPPoE server or network infrastructure to start functioning properly again before attempting another PPPoE connection.

LCP Echo Interval: The Link Control Protocol sends and receives frames between two peers to determine if they are still connected. The LCP Echo Interval is the period of time between these signals. This is typically used to verify a DSL modem still has a valid PPPoE connection to the Internet provider. (Default: 10 seconds).

LCP Echo Link fail limit: This is the number of times LCP echo request checks can fail between two LCP peers before the status is deemed to be dead. The client DSL modem will then drop the PPPoE link. When the link is terminated, LCP will try to renegotiate a new PPPoE session.

LAN

The LAN section includes information and settings to configure FreshTomato's LAN interface functions. This includes FreshTomato's:

  • LAN IP address and (sub)netmask
  • Spanning Tree Protocol function
  • DHCP server status and settings (through dnsmasq), such as scope and lease time
  • Stubby (DNS-over-TLS) setting and WINS settings

LAN settings

Bridge: Selects the bridge whose LAN settings will be modified

STP: Checking or unchecking this enables or disables Spanning Tree Protocol. This is used primarily to prevent forwarding loops in switches. The recommended setting is off, unless you're very experienced with networks. (Default: Off).

IP Address: Here you enter the IP Address you want to assign to the specified LAN interface. (Default: 192.168.1.1)

Netmask: The (sub)netmask associated with FreshTomato's LAN IP address. (Default: 255.255.255.0 - a class C netmask).

DHCP: Checking this box enables the DHCP server functions in dnsmasq. Unchecking this disables FreshTomato's DHCP server functions. (Default: Off)

IP Range (first/last) : Here you enter the first address and last address of the DHCP Scope. This is the range of IP addresses FreshTomato's DHCP server will assign to LAN clients.

Lease Time (mins.): This is the DHCP lease time, in minutes. (Default: 1440 = one day).

Ethernet Ports State - Configuration

This section has settings for the Ethernet Ports State graphic on the Status/Overview page. That graphic intuitively shows the status, link speed, and other diagnostic information for each Ethernet port on the router.
Enable Ports State: Checking this enables the Ethernet Ports State graphic on the Status/Overview page. (Default: On).

Show Speed Info: Checking this displays the link speed of each Ethernet port, (such as 1GB/100MB/10MB). (Default: On).

Invert ports order: Checking this option displays the port icons in the Ethernet Ports State graphic in the opposite order to the default where they are located on the switch. This is useful in situations where the sequence of icons on the Ethernet Ports State do not match the actual port locations on the router's switch. (Default: Off).

Wireless Band Steering - Configuration

Options (checkbox):

  • Disable
  • Enable

If you enable Wireless Band Steering, FreshTomato can decide, for each dual-band client device, on which band the device should try to connect. To achieve this, enter the same SSID name, security settings, password, and other settings (see picture below) for all wireless interfaces (up to 3 on a Tri-Band-Router).

Note: client devices can also try to switch bands on their own, without Wireless Band Steering's influence. (Default: Disabled).

Here's an example for the default parameter to trigger the switching (2.4 GHz):

Steer Policy:
max=0 period=5 cnt=3 rssi=-52 phyrate_high=110 phyrate_low=0 flags=0x22 state=3
Rule Logic: OR
RSSI: Greater than
VHT: Allowed
NON VHT: Allowed
NEXT RF: NO
PHYRATE (HIGH): Greater than or Equal to
LOAD BALANCE: NO
STA NUM BALANCE: NO
PHYRATE (LOW): Less than
N ONLY: NO

⇒ The target will be the 5 GHz Wi-Fi network.

Here's an example for the default parameter to trigger the switching (5 GHz):

Steer Policy:
max=80 period=5 cnt=3 rssi=-82 phyrate_high=0 phyrate_low=0 flags=0x20 state=2
Rule Logic: OR
RSSI: Less than or Equal to
VHT: Allowed
NON VHT: Allowed
NEXT RF: NO
PHYRATE (HIGH): Greater than or Equal to
LOAD BALANCE: NO
STA NUM BALANCE: NO
PHYRATE (LOW): Less than
N ONLY: NO

⇒ The target will be the 2.4 GHz Wi-Fi network.
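The two Steer Policy listings above differ only in their numeric thresholds and in flags= (0x22 versus 0x20). The following added shell example (not FreshTomato code) decodes flags= into the rows shown. The bit positions are an assumption chosen to reproduce both listings on this page, and the wording for any state the page does not show (AND, Not Allowed, YES) is also assumed.

```shell
#!/bin/sh
# Added example: decode the flags= bitmask of a band-steering Steer Policy line.
# Assumption: the bit layout below, chosen so that it reproduces both listings
# on this page; text for states the page does not show is assumed.

# Print the value of key $2 from a "k1=v1 k2=v2 ..." policy string $1.
get_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Print $3 when bit mask $2 is clear in $1, otherwise print $4.
flag_text() {
    if [ $(( $1 & $2 )) -ne 0 ]; then echo "$4"; else echo "$3"; fi
}

# Print the decoded rows for one policy line.
decode_steer_policy() {
    flags=$(get_field "$1" flags)
    hex=${flags#0x}
    # Accept only 0x-prefixed hex digits: the value goes into shell
    # arithmetic below, which must never see unvalidated text.
    case "$flags" in
        0x?*) ;;
        *) echo "error: flags missing or not 0x-prefixed" >&2; return 1 ;;
    esac
    case "$hex" in
        *[!0-9a-fA-F]*) echo "error: flags is not hex" >&2; return 1 ;;
    esac
    f=$(( 0x$hex ))

    echo "Rule Logic: $(flag_text "$f" 1 OR AND)"
    echo "RSSI: $(flag_text "$f" 2 'Less than or Equal to' 'Greater than')"
    echo "VHT: $(flag_text "$f" 4 Allowed 'Not Allowed')"
    echo "NON VHT: $(flag_text "$f" 8 Allowed 'Not Allowed')"
    echo "NEXT RF: $(flag_text "$f" 16 NO YES)"
    echo "PHYRATE (HIGH): $(flag_text "$f" 32 'Less than' 'Greater than or Equal to')"
    echo "LOAD BALANCE: $(flag_text "$f" 64 NO YES)"
    echo "STA NUM BALANCE: $(flag_text "$f" 128 NO YES)"
    echo "PHYRATE (LOW): $(flag_text "$f" 256 'Less than' 'Greater than or Equal to')"
    echo "N ONLY: $(flag_text "$f" 512 NO YES)"
}

# The two default policy lines quoted on this page.
POLICY_24='max=0 period=5 cnt=3 rssi=-52 phyrate_high=110 phyrate_low=0 flags=0x22 state=3'
POLICY_5='max=80 period=5 cnt=3 rssi=-82 phyrate_high=0 phyrate_low=0 flags=0x20 state=2'

if [ "${1:-}" = "--demo" ]; then
    echo "2.4 GHz policy (rssi threshold $(get_field "$POLICY_24" rssi)):"
    decode_steer_policy "$POLICY_24"
    echo "5 GHz policy (rssi threshold $(get_field "$POLICY_5" rssi)):"
    decode_steer_policy "$POLICY_5"
fi
```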

For more details, see https://www.smallnetbuilder.com/wireless/wireless-howto/32653-asus-rt-ac3200-smart-connect-the-missing-manual?start=0

Wireless Band Steering is available with FreshTomato version 2020.8 and up.

Wireless (2.4 GHz / interface eth1)

The Wireless (2.4 GHz) section displays information and settings for the wireless network interface on the 2.4 GHz Wi-Fi band.

Your device may show a different device name than eth1. Note: FreshTomato (Linux) hardware device numbers begin at 0. For example, the first ethernet device might be called eth0. The second wireless device might be called wl1.

Enable Wireless: When checked, this turns on the 2.4 GHz Wi-Fi network interface. When unchecked, the 2.4 GHz Wi-Fi interface is turned off.

MAC Address: This displays the MAC address of the 2.4 GHz Wi-Fi radio interface. Clicking on the MAC address takes you to the Advanced/MAC Address page, where you can specify your own MAC address for this interface.

Wireless Mode: This allows you to select the wireless mode (function) of the 2.4 GHz Wi-Fi network interface.

Selection / Description:

  • Access Point: The normal (default) setting, which allows clients to connect to FreshTomato's wireless network(s). (IPv4 & IPv6 communication working for MIPS and ARM)
  • Access Point WDS: Sets the router in “repeater mode”, allowing clients to connect wirelessly while simultaneously acting as a WDS (Wireless Distribution System) base station.
  • Wireless Client: The router connects to the other router/access point like any other wireless client device would connect to an access point. The router provides client connections ONLY through the Ethernet ports. Status as of 2020-12-31: This mode is working on MIPS devices (RT and RT-N images) but NOT working for SDK6 and up, code is missing - tbd.
  • Wireless Ethernet Bridge: Configures the FreshTomato Router to connect to another router while still keeping all computers connected to both routers in the same subnet. Note: As of version 1.19 - Wireless Bridge must be set to WPA2 (Example: WPA2 Personal AES). IPv4 communication working for MIPS and ARM builds; IPv6 communication will only work for FreshTomato 2021-1 SDK6 ARM Dual-Core and newer (Status as of 2021-02-20; SDK7 not tested)
  • WDS: Serve as a Wireless Distribution System (WDS) base station only.

Table is a derived work from (Creative Commons) Wikibooks - “Tomato Firmware/Menu Reference” Wireless Mode Selections

Wireless Network Mode: This lets you choose which 802.11 Wi-Fi LAN protocol(s) you wish to make available to clients.

  • Auto: On this setting, FreshTomato and Wi-Fi client devices negotiate
    the best wireless protocol automatically. Generally, Auto is recommended,
    unless you are very knowledgeable about networking.
    Compatibility issues can create all kinds of problems,
    and often, the most “logical” setting is not the best one.
  • B Only: This allows Wi-Fi clients to connect using only the 802.11b protocol.
  • G Only: This allows Wi-Fi clients to connect using only the 802.11g protocol.
  • B/G Mixed: This allows clients to connect using either 802.11b or 802.11g protocols.
  • N only: This allows clients to connect using 802.11N protocol only.

These ONLY apply to the 2.4 GHz band radio interface. Separate Wireless Network Mode settings exist for any 5 GHz band interface.

(Default: Auto)

SSID: This is the network name for the 2.4 GHz Wi-Fi interface (Service Set IDentifier). For security purposes, it's recommended you don't include any personal words or phrases which might indicate your identity, address, location, or equipment type in your SSID. For example, “HELENLIUNG” would not be a good choice, unless you want everyone on the street to know who owns that network. Common words found in the dictionary also make for poor security.
(Default: FreshTomatoXX, where “XX” is the two numbers in the frequency band.) On the 2.4 GHz network, for example, the default SSID is “FreshTomato24”.

Broadcast: Checking this enables SSID broadcasting. This “announces” the SSID (network name) on the air, so it's easy to find and connect to. Some people argue that disabling SSID Broadcast provides more security. However, SSID names can be easily sniffed using common software. Therefore, disabling SSID Broadcast provides little increase in security.

Channel: Selects the channel on which the 2.4 GHz radio interface will operate. Generally, it's a good idea to choose a different channel than the one your neighbours are using. (Default: Auto).

  • Auto: This default setting is generally safe unless there is significant interference
    from nearby networks or other equipment. FreshTomato chooses and uses the channel
    it believes has the least interference.
  • Channel: This menu lets you manually choose available Wi-Fi channels
    on the band. Unavailable channels will not appear here.

Channel Width: This menu allows you to choose the width of the channel (in terms of frequency).

  • 20 MHz
  • 40 MHz

802.11N can use 40 MHz channel width, but to maintain compatibility with legacy systems, it uses one main 20 MHz channel plus a free adjacent channel 20 MHz above or below the main channel.

Control Sideband: This option is only available if the 20 or 40 Channel Width is selected. This menu allows you to choose whether the extra channel used is above (Upper) or below (Lower) the main channel being used. (Default: Upper).

  • Upper
  • Lower

Security: This menu lets you select the security protocol that will be used on the 2.4 GHz Wi-Fi interface.

  • Disabled: This option disables security entirely, leaving the network open to anyone.
    This is STRONGLY discouraged, as it is an almost unlimited security risk.
  • WEP: enables Wired Equivalent Privacy protocol. This is STRONGLY discouraged,
    due to serious vulnerabilities and obsolescence.
  • WPA Personal: enables Wi-Fi Protected Access Protocol (1.x). WPA implements the
    RC4-based TKIP protocol, making pre-shared key exchange between hosts more secure.
    While more secure than WEP, WPA still has weaknesses, such as lower encryption standards.
    WPA is strongly discouraged in favour of WPA2 or higher.
  • WPA Enterprise: Also known as WPA-802.1X, this is similar to WPA Personal,
    but each user has their own username and password, instead of using the same pre-shared passkey.
    WPA2 Enterprise DOES NOT require a RADIUS server. However, one is often used
    anyway for compatibility and security purposes. WPA Enterprise is more secure against
    dictionary attacks on short passwords. Suitable for larger, more formal networks.
  • WPA2 Personal: Wi-Fi Protected Access protocol version 2 implements elements
    of the 802.11i standard. It adds mandatory support for AES encryption. This makes
    WPA2 much more secure than older protocols. WPA2 Personal is recommended for
    small to mid-sized, informal networks.
  • WPA2 Enterprise: This enables the Enterprise version of the WPA2 protocol. This uses WPA2,
    but each user has their own Wi-Fi username and passkey, instead of using a pre-shared key.
    WPA2 Enterprise is based on parts of 802.11i that are based on 802.1X.
    802.1X does NOT require a RADIUS server, but one is often used for legacy purposes
    to maintain compatibility and security. It is appropriate for larger, more structured networks.
  • WPA / WPA2 Personal:
  • WPA / WPA2 Enterprise:
  • RADIUS: This setting enables FreshTomato's Remote Access Dialup User Service.
    Designed for larger organizations, RADIUS uses a separate server to authenticate, permit and
    keep track of users. RADIUS also supports authentication via certificates, which also
    makes user management easier. This is usually used only by advanced users.

Shared Key: In this field, enter the shared key used to authenticate the Wi-Fi client on the network. The field will show only asterisks until you click your cursor in it. The characters will then become visible.

Group Key Renewal: This sets the interval for how often the encryption keys used between client devices and the router/access point are rotated/changed. This is a part of the WPA protocol. (Default: 3600 seconds = 1 hour).

Wireless (5 GHz / interface eth2)

The Wireless (5 GHz) section displays information and settings for the wireless network interface on the 5 GHz Wi-Fi band.

Your device may show a different device name than eth1. Note: FreshTomato (Linux) hardware device numbers begin at 0.
For example, the first Ethernet device might be called eth0. The second wireless device might be called wl1.

Typically, the 5 GHz Wi-Fi band has higher bandwidth, but shorter distance propagation than the 2.4 GHz band.

Enable Wireless: Checking this turns on the 5 GHz Wi-Fi network interface. When unchecked, the 5 GHz Wi-Fi network interface is turned off.

MAC Address: This displays the MAC (hardware) address of the 5 GHz Wi-Fi radio interface.
Clicking on the MAC address takes you to the Advanced/MAC Address page, where you can specify your own MAC address for this interface.

Wireless Mode: This lets you choose the wireless mode (function) of the 5 GHz Wi-Fi network interface.

Selection / Description:

  • Access Point: The normal (default) setting, which allows clients to connect to FreshTomato's wireless network(s). (IPv4 & IPv6 communication working for MIPS and ARM)
  • Access Point WDS: Sets the router in “repeater mode”, allowing clients to connect wirelessly while simultaneously acting as a WDS (Wireless Distribution System) base station.
  • Wireless Client: The router connects to the other router/access point like any other wireless client device would connect to an access point. The router provides client connections ONLY through the Ethernet ports. Status as of 2020-12-31: This mode works on MIPS devices (RT and RT-N images) but NOT for SDK6 and up. The code is missing - tbd.
  • Wireless Ethernet Bridge: Configures FreshTomato Router to connect to another router while still keeping all computers connected to both routers in the same subnet. Note: Starting with version 1.19, Wireless Bridge must be set to WPA2 (Example: WPA2 Personal AES). IPv4 communication works for MIPS and ARM builds. IPv6 communication will only work for FreshTomato 2021-1 SDK6 ARM Dual-Core and newer (Status as of 2021-02-20; SDK7 not tested)
  • WDS: Serve as a Wireless Distribution System (WDS) base station only.

Table is a derived work from (Creative Commons) Wikibooks - “Tomato Firmware/Menu Reference” Wireless Mode Selections

Wireless Network Mode: This lets you choose which 802.11 Wi-Fi protocol(s) to make available to clients.

  • Auto: On this setting, FreshTomato and Wi-Fi client devices negotiate the best wireless protocol automatically. Auto is recommended unless you are very knowledgeable about networking/Wi-Fi. Compatibility issues can create all kinds of problems, and often, the most “logical” setting is not the best one.
  • A Only: allows Wi-Fi clients to connect using only the 802.11a protocol.
  • N Only: allows Wi-Fi clients to connect using only the 802.11n protocol.

Separate Wireless Network Mode settings will exist for any 2.4 GHz band interface. See the 2.4 GHz section.
(Default: Auto)

SSID: This is the 5 GHz Wi-Fi interface's network name (Service Set IDentifier). For security purposes, it's recommended you don't include any personal words or expressions/phrases which might indicate your identity, address, location, or equipment type in your SSID. For example, “HELENLIUNG” would not be a good choice, unless you want everyone on the street to know who owns that network. Common words found in the dictionary also make for poor security.
(Default: FreshTomatoXX, where “XX” is the two numbers in the frequency band.) On a 5 GHz network, for example, the default SSID is “FreshTomato50”.

Broadcast: Checking this enables SSID broadcasting. This “announces” the SSID (network name) on the air, so it's easy to find and connect to. Some people argue that disabling SSID Broadcast provides more security. However, SSID names can be easily sniffed using common software. Therefore, disabling SSID Broadcast provides little increase in security.

Channel: Selects the channel on which the 5 GHz radio interface will operate. Generally, it's a good idea to choose a different channel than the one your neighbours are using.

  • Auto: This is the default, and is generally safe unless you have significant interference from nearby networks or other equipment. On this setting, FreshTomato chooses and uses the channel it believes has the least interference.
  • Channel: This menu lets you manually choose available Wi-Fi channels on the band. Unavailable channels will not appear in this menu.

(Default: Auto).

Channel Width: This menu allows you to choose the width of the channel (in terms of frequency).

  • 20 MHz
  • 40 MHz
  • 80 MHz
  • 160 MHz

The 20 MHz channels on the 5 GHz band have no overlap. Therefore, the 5 GHz band is less prone to interference and noise. Larger channel widths provide more speed/bandwidth if there's minimal interference. Interference is more common on the 2.4 GHz band than it is on the 5 GHz band. It is usually fine to choose a wider channel width here. However, if you see effects, such as slow speeds or trouble authenticating/associating with the router, you may need to use a narrower channel width.

802.11N can use 40 MHz channel width, but to maintain compatibility with legacy systems, it uses one main 20 MHz channel plus a free adjacent channel 20 MHz above or below the main channel.

Control Sideband: This option is available only if the 40, 80 or 160 MHz Channel Width is selected. This menu allows you to choose whether the extra channel used is above (Upper) or below (Lower) the main channel being used. (Default: Upper).

  • Upper
  • Lower

Security

  • Disabled: This option disables security entirely, leaving the network open to anyone.
    This is STRONGLY discouraged, as it is an almost unlimited security risk.
  • WEP: enables Wired Equivalent Privacy protocol. This is STRONGLY discouraged,
    due to serious vulnerabilities and obsolescence.
  • WPA Personal: enables Wi-Fi Protected Access Protocol (1.x). WPA implements the
    RC4-based TKIP protocol, making pre-shared key exchange between hosts more secure.
    While more secure than WEP, WPA still has weaknesses, such as lower encryption standards.
    WPA is strongly discouraged in favour of WPA2 or higher.
  • WPA Enterprise: Also known as WPA-802.1X, this is similar to WPA Personal,
    but each user has their own username and password, instead of using the same pre-shared passkey.
    WPA2 Enterprise DOES NOT require a RADIUS server. However, one is often used
    anyway for compatibility and security purposes. WPA Enterprise is more secure against
    dictionary attacks on short passwords. Suitable for larger, more formal networks.
  • WPA2 Personal: Wi-Fi Protected Access protocol version 2 implements elements
    of the 802.11i standard. It adds mandatory support for AES encryption. This makes
    WPA2 much more secure than older protocols. WPA2 Personal is recommended for
    small to mid-sized, informal networks.
  • WPA2 Enterprise: This enables the Enterprise version of the WPA2 protocol. This uses WPA2,
    but each user has their own Wi-Fi username and passkey, instead of using a pre-shared key.
    WPA2 Enterprise is based on parts of 802.11i that are based on 802.1X.
    802.1X does NOT require a RADIUS server, but one is often used for legacy purposes
    to maintain compatibility and security. It is appropriate for larger, more structured networks.
  • WPA / WPA2 Personal:
  • WPA / WPA2 Enterprise:
  • RADIUS: This setting enables FreshTomato's Remote Access Dialup User Service.
    Designed for larger organizations, RADIUS uses a separate server to authenticate, permit and
    keep track of users. RADIUS also supports authentication via certificates, which also
    makes user management easier. This is usually used only by advanced users.

Shared Key: Here, enter the shared key used to authenticate the Wi-Fi client on the network. The field will show asterisks until you click your cursor in it. The characters will then become visible.

Group Key Renewal: This sets how often the encryption keys used between clients and the router/access point are rotated/changed. This is a part of the WPA protocol. (Default: 3600 seconds = 1 hour).

network.txt · Last modified: 2021/06/19 17:13 by hogwild