February 02 2017

Print Post

Rounding bug in settings of VLANs of the Tomato by Shibby and AdvancedTomato

Another article of the series problems and solutions. Dessa vez, What made me break my head were the VLAN settings firmware Tomato by Shibby and AdvancedTomato, I'm using the Router ASUS RT-AC68U.

The Motivation

Already passed 3 years since its launch, the Router ASUS RT-AC68U is still one of the best on the market. Asus and other manufacturers have released newer models, with new features, mainly on WiFi, but most of them make little or no difference in practice, given the current equipment often does not support such resources.

Regarding firmware, the Asus are good, stable and with virtually all of the features that home users and small businesses may need.

Want more? The firmware Asuswrt-Merlin It's even better. Based on the original firmware, the Asuswrt-Merlin brings new features and bug fixes to the original, always focusing on the stability.

But, There is a feature that has existed for a long time on routers and firmware from Asus, but they still were unable to leave fully functional: Dual WAN.

With this feature enabled, one of the LAN ports of the router turns into a WAN port, so that it is possible to use two ISPs, be doing load balancing, be leaving one of them idle and ready to be used in case of failure of the other, of way (almost) transparent to users.

The fact is that enabling this feature, the robustness and stability of the original firmware and Asuswrt-Merlin go to bag. In load balancing mode appear many problems: the port forwarding blinks and the remote access to the router interface also. In the latest version of the Asuswrt-Merlin (380.64_ 2) also you can't enable the option to respond ping the WAN, because with that all network devices are without Internet access, HE knows-because.

Another problem that can arise, and that is not the fault router, is that eventually the images of some sites (Facebook and Instagram included) fail to load. I believe that is because the site and the CDN where the images are being accessed from different IPs (one of each WAN), activating any CDN protection against direct links or DDoS attacks.

The router is smart enough to always use the same WAN for multiple connections with the same IP (same session), otherwise banks and some other sites or work. But when multiple connections happen with different IPs, the router has no way of knowing that this is the same session.

I've only been able to work around this problem so that all traffic directed to the door 443 (HTTPS) always use the same WAN, leaving the only balance to other protocols. But both the Asus firmware, or as Asuswrt-Merlin do not give this option, limited secure a WAN for specific IPs (remote or local).

The mode Failover, in the second WAN just assumes if the first fails, It is also problematic. The Watchdog from Asus, script that monitors the connections and triggers the second WAN in case of failure of the first, is flawed and often mistakenly detects that a WAN is inactive.

It is possible to turn off the Watchdog, but in this case the router only detects the dropped connections if the connection really fall. If the problem is the gateway the provider to front, go unnoticed by the router and devices will be no connection.

Many of these bugs exist and persist since the Dual WAN function has been added in the firmware from Asus. It seems that such functionality is not a priority of Asus, so much so that this feature doesn't even show up in the ads of your routers. The author of the Asuswrt-Merlin also don't touch this functionality, claiming that the code is confusing and poorly documented.

But to me this feature is quite important. No really reliable provider meets my region, and I need Internet to work from home, I cannot tolerate large interruptions. That way I have two providers and two connections: 15 Mbps for a fiber optic local provider and 10 Mbps for ADSL, Vivo, with upload 2 Mbps and 500 Kbps, respectively.

In fact these are the only two Internet Options. Other providers use radio (slow and unstable) or cellular data network (with franchises that do not reach the 10% What I use).

Given that both providers who sign have similar bandwidth, you might want to use them in load balancing mode. And that's where the Router ASUS RT-AC68U began to disturb me. I even bought a TP-Link TL-R470T+ Load Balance Broadband Router, that is quite competent at load balancing, but falls short in other features and also have your own set of bugs.

Before giving up Router ASUS RT-AC68U of time, I decided to test other firmwares Alternative. That's how I found the Tomato by Shibby and the AdvancedTomato. The second is based on the first and only bring a more modern interface, keeping all the features.

The Tomato has more features than the Asuswrt-Merlin, and the most important: your feature Multi-WAN apparently works. I'm wearing it for a week and found the same problems I found in Asuswrt-Merlin.



But not everything is perfect in Tomato, unfortunately. The QoS feature is not as advanced as that of the Asus and simply does not work along with the feature of Multi-WAN. For now I am being forced to give up the QoS. But between QoS and load balancing (and consequent increment of 67% in the flow), I get the balancing.

The Shibby, author of the Tomato by Shibby also not so active in development as RMerlin. The latest version of Tomato by Shibby has already 5 months, while Asuswrt-Merlin been receiving constant updates.

But there is an annoying bug that can prevent the activation of the feature of Multi-WAN, but fortunately it can be circumvented. That's who I'm talking about in the next section.

The Problem

To enable multiple WAN feature you need to first configure the VLANs properly. Basically, what needs to be done is: remove one of the ports that are part of VLAN with bridge for LAN (br0) and include it in a new VLAN that does bridge with the WAN2.

Seems simple, some? The problem is that you can't remove a door of VLAN1 through the web interface, some damn bug prevents it. How to get around? That's what I will explain in the next section.

The Solution

A solution I found is written in an article, but in a manner somewhat incomplete, so I decided to drill down into more.

The solution is to make a connection to the router via SSH and apply the configuration via command line:

To see which ports are in what VLAN, use:

Note that the door with an asterisk is not a physical port, but it needs to be maintained. Apparently this is the option “default”.

To configure the VLAN issue:

where X is the number of the VLAN and each Y is the number of a port. For example, in my case I used:

Then you must set the boot to manual, so that the changes are not rolled back on next boot. And then confirm the changes and restart.

Now the door LAN4 is already out of VLAN1. Going back to the GUI, created then and I put the LAN4 VLAN3 alone in her, with bridge to WAN2 interface. Soon, the VLANs are already configured correctly for the use of two WANs.

VLANs configured for Multi-WAN at AdvancedTomato

VLANs configured for Multi-WAN at AdvancedTomato

Note that I also created a VLAN4 and did bridge with the LAN1 (BR1) He also created. This VLAN connected WiFi networks of visitors, so that my visitors have access to the Internet, but not to my local network.

Final Considerations

I'm still testing the AdvancedTomato to see how he meets. There are some bugs, but the ones that affected me are just cosmetics, except the QoS.

Apparently there is no product on the market that meets me completely, and given the equipment we currently have, the ASUS RT-AC68U, and my needs, the AdvancedTomato given me better than the Asuswrt-Merlin came in view of.

I hope that Asus solved give due attention to the Dual WAN capability and let the functional in the next firmware version, so that I can take advantage of QoS and load balancing at the same time. Until then, I'm using the AdvancedTomato.

About the author


Skooter is a computer scientist and the founder of Skooter Blog. He is interested in everything related to technology and he likes to save money by making his purchases directly from abroad.

Permanent link to this article: http://www.skooterblog.com/2017/02/02/contornando-bug-nas-configuracoes-de-vlans-do-tomato-by-shibby-e-advancedtomato/


  1. 1

    I'm looking for a solution to this problem of vlan configuration for web gui and unfortunately only today I found your tips how to get command line. you assign the ports and vlan in the web gui until version 132 the tomato shibby and advanced tomato, but from this version without joy, that with 2 ASUS rt-n18 and 2 NETGEAR r6400 => boguosa firmware, with multiwan doesn't work but vlan without fix for command line @

  2. 2

    Yep, command line solved. you saved a few 20 hours of boringness and the last hair on my head. earned, obg.

    My tip for other ranges: access with ssh is always with root user, not with admin.

Leave a Reply