Last Updated: 17 Mar 2018
Basic Advanced Tomato Setup
My very favorite router firmware is Advanced Tomato. It's a fork of Tomato by Shibby, which is itself a fork of no longer maintained Tomato firmware. It runs on many (but definitely not all) routers from Asus, Linksys, Netgear, etc. For full details see the firmware download page.
There are a number of how-to documents that tell you how to flash your router, and it varies by model, so I'm not going to cover that here. Google search for 'install tomato ROUTERNAME', e.g. 'install tomato asus RT-AC66U'. You'll probably find something that tells you how to either install the original Tomato or Tomato by Shibby, but the process is the same for Advanced Tomato.
What I am going to cover is the changes I typically make to get Tomato Setup for a well performing home network.
First, login. The default is
admin for the username & password. Now:
- Basic Settings → Network
- You'll want to change the LAN IP address. I usually like the
192.168.X.Xrange at home. No particular reason; just personal preference as I usually use the other private address spaces,
10.X.X.Xin the datacenter. If you're going to setup an inbound VPN on Tomato ( more on that later ), you'll want to choose a fairly random number for your Class C home network, e.g.
192.168.54.X. If you pick something common, like
192.168.0.X, you might end up with routing conflicts if you try to connect to your home network from another
192.168.0.Xnetwork. Change both the IP Address and the IP Range here.
- On the wireless network(s) (you may have more than one depending on your router model), you'll want to change the SSID to a name of your choosing (e.g.
home-wifi). Then change Security to
WPA2 Personal. (You may want
WPA/WPA2 Personalif you have older devices.) Set Encryption to
AESand enter your Secret Key (e.g. your wifi password).
- Remember that if you have more than one wireless network, you can't have the same SSID for both. You'll need something like
- Depending on your internet provider, you may also need to change the WAN Settings at the top. Generally, DHCP will work (the default), but if you have a weird setup with a static IP or something, this is where you do it.
- Save your changes. You'll likely need to refresh your DHCP address and reconnect to your router since it's IP will have changed.
- Basic Settings → Identification
- Personal preference, but I prefer to name my router the same as my default SSID. So I'd set
home-wififor both Router Name and Host Name
- Basic Settings → Time
- Set your Time Zone to wherever you are, and then set your NTP Time Server to whatever makes the most sense (e.g. for me it is US).
- Basic Settings → DDNS
- If you're going to want to connect to your router from outside your home network, you will likely want DDNS (Dynamic DNS). Your internet provider offers you a dynamic IP address, which can change at anytime. Your router can tell a DDNS service what it's current IP is, and then you can connect to a special hostname, provided by the DDNS service, which always points at your current IP.
- There are a million DDNS services, but my favorite is FreeDNS. Great community run service, and technically free although please donate if you use it.
- To set this up, sign for FreeDNS, create a domain record, and then select
FreeDNSfrom the Service drop down, and put the token they give you in the Token/URL field.
Generally, I leave the Advanced Settings alone unless I'm doing some specific troubleshooting. The two you may want to pay attention to are the Adblock section and the Wireless settings. Personally, I find Adblock to be a bit annoying – slightly more annoying than dealing with ads – because it sometimes blocks stuff I don't want it to. I personally leave it off, but you may want to turn it on. Second, I occasionally mess around with the Wireless settings, occasionally boosting the Transmit Power. You actually don't want to set this to it's max, but I've found boosting the number 25%-50% from the default can sometimes help a bit with range. Sometimes.
It's frequently handy to be able to get into home resources from remote locations. The two ways to do this are via a VPN, or Port Forwarding. Personally, I strongly prefer the VPN option, because it is more secure and gives you unlimited access to everything behind Tomato's firewall. That said, if you have some random server you want to make available, and a VPN isn't feasible, you can map an externally accessible port (e.g. port
80, the default web/http port) to an internal IP address and port (e.g.
80). If you do this, you'll want to make sure you setup dynamic DNS (DDNS) for your external IP, and that you use a static IP for whatever server you're trying to make accessible.
If you want to make all ports on a single server available, you can do this via the DMZ option. That will automatically pass inbound traffic to your firewall to the server at the IP address in question.
Quality of Service
I don't use the QoS settings, because I have a fairly simple network and don't need to keep the kid's online gaming from interrupting my Netflix binge watching. However, if you have lots of people on your network, or your online backup is taking up all your bandwidth, or similar, the QoS settings can help you control that.
USB & NAS
Tomato has some amazing features which let you connect external USB drives and more directly to your Tomato firewall, and use it as a NAS (network attached storage) or a media streaming device. Personally, I use the media streaming features to setup an AirPlay node and stream music to my stereo. However, that's fairly complicated and so I cover it in a separate doc: How to Setup Airplay on Tomato. Definitely not necessary for 'basic' setup.
I don't use any of Tomato's 'Web Services' features – you can setup a builtin web browser, run PHP apps, etc. Very flexible, but also not part of a 'basic' setup.
You don't need to enable VPN services to get started using Tomato – you'll be fully functional if you never set foot in these menus. However, Tomato's ability to run an OpenVPN server is one of the big reasons I choose to use this firmware in the first place, as its fantastic to be anywhere in the world and be able to get a secure connection back to my home network. Setting up a VPN is a little bit complicated, but if you've gotten this far, you can definitely do it.
Last but not least, the administrative section.
- Administration → Admin Access
- First things first, set your damn admin password. This is half way down the page, under Authorization Settings. Save this setting before changing the others. You'll need to relogin with the new password.
- Second, I like to enable local access over both
HTTPS. Depending on your network, you may want to choose only
- I also typically enable remote access, but over
HTTPSonly, and typically over a random high port. Something I can remember, but wouldn't be guessed by somebody sniffing my IP. YMMV on this though – opening this up is definitely more of a security issue than just connecting via VPN, but it means if something goes wrong the the VPN, you can still get in to troubleshoot.
- Administration → TomatoAnon
- This controls whether you send back anonymous usage data. You'll have to make your own call on this one – I typically enable it, but no harm if you don't.
That's it. That will get you setup with a basic functional network. Tomato has a LOT of great features, so that's just scratching the surface, but getting started is often the hardest part. Enjoy.