Aug 13
Tomato firmware: Remote desktop through SSH, using Wake-On-Lan and configuring LAN Hostnames
Hi,
I’ve been using 3rd party firmware for my Linksys WRT54GL router for some time. I’ve used DD-WRT, OpenWRT and finally Tomato. I switched from DD-WRT (for a reason I can’t remember) to go with OpenWRT. I learned a lot on OpenWRT and really like their Kamikaze version. The work they did to make it more like a standard distribution (no more NVRAM variables) is really cool. Finally, I recently moved to Tomato because of OpenWRT’s lack of a user interface (yes, I could use X-WRT, but I tried it before and preferred to explore Tomato…). When I feel lazy I prefer to use a GUI rather than go to the CLI…
Now that I am more familiar with my WRT (thanks to OpenWRT and all its documentation), it has been pretty easy to configure Tomato (the firmwares are different, but in the end they often use the same tools: busybox, dnsmasq, etc.). I have some specific needs that drove me to install a 3rd party firmware in the first place:
- I need to be able to access my computers from the internet using remote desktop
- But I don’t want to leave my computers open all day long for nothing, so I need to be able to use Wake-On-Lan to power them up remotely
- I don’t want to open the remote desktop port (3389) on the firewall
- I want to use the DHCP server, but I need to set a specific address (static DHCP) on some computers (so port forwarding is always configured correctly for my P2P machine…)
- I need to be able to use the same domain name (ex: mysite.dyndns.org) with my laptop no matter if I am connected to my LAN or to a public network (through the Internet)
My Solution:

Feature: Access my computers from the internet using remote desktop.

Feature: I need to power up my computers only when needed.
Tomato configuration: This requires the Wake-On-Lan feature. Most modern computers have this feature (my old Pentium 2 266 MHz had it back in 1998), but you usually have to turn the feature ON in your computer BIOS because it is often disabled by default. When you want to power up a computer, all you need is its MAC address (in Windows, you can find it by running IPCONFIG at the command line) and software that will broadcast a “magic packet” on your LAN. Tomato has a built-in program called ether-wake that does the job. My configuration is like this: on startup of the router, generate a file called wakeup-mycomputer.sh that will be placed in the root home directory. This file will contain the command able to wake up the computer you want.
Then, when you log on to your router using SSH (from the LAN or the Internet), you can issue the command “sh wakeup-mycomputer.sh” and you’re done. You wait a little bit (until your computer responds to ping) and use the steps of the previous feature to connect remotely… How to achieve this:
Note: for wake-on-lan to work, the computer must have been turned off (soft off). After a power outage or a hard off (unplug, or press the power button for 5 seconds), wake-on-lan may not work. Just turn on the computer manually and perform a shutdown. Note 2: I found out that some Linux distributions do not “soft off”. With Ubuntu 8.04, for example, I needed to add a command in the shutdown script… can’t remember. Just post a comment if you want me to dig it up again…

Feature: Configure static DHCP addresses.
Tomato configuration: This is easy, just navigate to the Tomato “Basic / Static DHCP” menu item. Use the MAC address of the computer you want a fixed address for and the address you want for it.

Feature: Use the same domain name inside the LAN and outside (from the Internet).
Tomato configuration: When I am connected from the Internet, my domain “example.dyndns.org” resolves to my router’s public address, which forwards the port to the right LAN machine. When I am on the LAN, I want to be able to connect using “example.dyndns.org”. But if this domain resolves to the public address of the router while you are already in the LAN, it does not work. To correct the problem, you could use a hosts file on your LAN computers, but when you have a laptop that is sometimes on the LAN, sometimes on an external network, you would need to enable/disable your hosts file every time… The way I succeeded in answering my need is by providing a hosts file to the router. I found 2 ways with the Tomato firmware: the first way is explained here in the Tomato FAQ. Unfortunately, I needed to provide multiple host names (domain names) for the same IP address; you can do it by separating them with a space, but the Tomato host name field is not wide enough for me. So my solution goes like this:
Hi! This is a very good howto. Ok, it doesn’t work for me because my iMac’s wireless doesn’t support WOL, but still very useful.
Oh yes, I didn’t mention that it wouldn’t work with wireless cards… Ethernet cards that support Wake-On-Lan are usually the wired ones that are built in on the motherboard.
What I understood of the feature is that it needs tight integration with the motherboard. When the operating system performs a “soft-off”, the power supply continues to leave a minimum of power to the board so it can maintain power to the WOL-enabled adapter. The network card does not even have an IP address…
When the WOL application on the server sends a magic packet, it broadcasts to all adapters on the network (it cannot target a specific IP). So the network adapter receives the packet and checks if the MAC address in the packet matches its own. If so, the power supply probably receives a signal to let full power go to the motherboard.
This is such low-level stuff that I would be surprised to see a wireless adapter supporting WOL. A wireless connection requires much power to maintain the Wi-Fi link. Also, the Wi-Fi connection information is usually stored at the user level, so it requires the operating system to be somewhat running…
Pascal.
Do you think this setup should work the other way around, i.e., connect to a sshd server located on my laptop which is a client of the router from a remote computer (at work) ?
For some reason I am not able to ssh into my laptop from work and I *think* I did define port forwarding correctly on the router using Tomato.
Amit.
I guess the SSH daemon on your laptop probably runs on port 22. So I guess you configured it to forward port 22 to the LAN IP address of your laptop.
There are 2 things to be cautious about:
1- I have seen employers blocking some standard outbound ports.
2- I have seen firmware that had special routing defined that has precedence over port forwarding for ports used for administration.
I would try to forward a port different than 22. ex: forward from public port 6666 to LAN IP / port 22
Pascal.
Ok, I tried forwarding port 22 to my home desktop and it worked. My home desktop is running Ubuntu 7.04 with OpenSSH.
Here is a screenshot of the Tomato port forwarding configuration (click the picture for bigger size):
Pascal.
“I found out that some Linux distributions do not “soft off”. With Ubuntu 8.04, for example, I needed to add a command in the shutdown script… can’t remember. Just post a comment if you want me to dig it up again…”
I am having trouble with this myself with the 3c59x driver. Please do post the fix!
Hi, this is for an Ubuntu 8.04 Server installation.
In the /etc/init.d/halt script I added the following 2 lines to the do_stop() function:
(just before --> log_action_msg "Will now halt")
log_action_msg "Enable wake-on-lan"
ethtool -s eth1 wol g
eth1 refers to the ethernet adapter that is connected to the LAN and on which you want to receive the wake-on-lan magic packet. So be sure to change it to the right ethernet adapter for your computer.
the full do_stop() function in the halt script looks like this:
do_stop () {
    if [ "$INIT_HALT" = "" ]
    then
        case "$HALT" in
          [Pp]*)
            INIT_HALT=POWEROFF
            ;;
          [Hh]*)
            INIT_HALT=HALT
            ;;
          *)
            INIT_HALT=POWEROFF
            ;;
        esac
    fi

    # See if we need to cut the power.
    if [ "$INIT_HALT" = "POWEROFF" ] && [ -x /etc/init.d/ups-monitor ]
    then
        /etc/init.d/ups-monitor poweroff
    fi

    # Don't shut down drives if we're using RAID.
    hddown="-h"
    if grep -qs '^md.*active' /proc/mdstat
    then
        hddown=""
    fi

    # If INIT_HALT=HALT don't poweroff.
    poweroff="-p"
    if [ "$INIT_HALT" = "HALT" ]
    then
        poweroff=""
    fi

    # Added lines: arm the LAN adapter for wake-on-lan just before halting.
    log_action_msg "Enable wake-on-lan"
    ethtool -s eth1 wol g

    log_action_msg "Will now halt"
    sleep 1
    halt -d -f $poweroff $hddown
}
If you’d like to use RDP over the internet using the Microsoft Windows Teredo service (peer-to-peer connectivity), you can check this software: http://www.lanoninternet.com
Now RDP can work behind NAT/firewall.
Great notes, but I can’t get it to work from the WAN side. I have set Tomato as suggested..
“2. I enabled the SSH daemon (Administration / Admin access):
Enabled at Startup: checked
Remote Access: checked
Remote Port: [your choice]
Allow Password Login: checked”
I picked a remote port of 3000 (for example)
“3. When I want to connect to my computers, I use an SSH client (PuTTY) to connect to my router. PuTTY allows me to configure SSH tunnels so I can redirect a local port to a remote machine on my LAN without opening any additional ports.”
So in PuTTY I have entered the WAN IP (xxx.xxx.xxx.xxx ) source port as 3000 and destination my RAID LAN IP:22
I just get a timed out connection.
I also tried tunneling in to the router’s setup interface..
source port 3000
destination router_LAN_IP:80
Do I need to activate remote access on HTTP/HTTPs as well?
I can ping from the WAN side. Do I need to open port 3000 somehow?
What port forwarding do I need?
Thanks
I assume that you configured the remote port to "3000" in Tomato’s administration.
Now with PuTTY, all you have to do is connect to port 3000 on your router’s WAN IP. This will establish communication between your computer and your router. When this is working, we can start talking about tunnels.
I strongly suggest you go read this article I made, which has Tomato and PuTTY screenshots that will help you.
Remote Desktop through SSH with PuTTY and Tomato
Some screenshots available in the article:
If you want to access the router using example.dyndns.org from within your lan you can always change ‘NAT Loopback’ to ‘All’, found in Advanced –> Firewall.
I have not been able to set up a tomato flashed wrt54gl router to work with a fixed IP address. I got a cheapy Airlink to work but not Tomato WRT54GL. Any hints???
With the Tomato firmware, can a Linksys WRT54GS port forward to a broadcast address? Because of ARP renew I can only wake my desktop over the internet for a short period of time after shutdown. The most convenient way (for 61 yr old, not very techie, me) to set this up would be to just broadcast the magic packet, but as you know that can’t be achieved with Linksys firmware. Thank You!
Hi,
I never used the port forward technique to use Wake-on-Lan. Normally the magic packet is broadcast to your whole network (not a specific address) since the computer to wake up does not actually have an IP address (it uses the MAC address found in the magic packet to know if it is the destination machine).
However, I found this article about configuring the Linksys firmware to be able to broadcast a port forward.
I could check if it is easier to do with the Tomato firmware, but first, are you sure your WRT54GS is supported by Tomato (hardware version 1 to 4)? Some hardware versions are not (hardware version 5 and up).
I will try to do a test with Tomato firmware as soon as I can.
Pascal.
Thank you for the reply Pascal! In answer to your question, yes my router is v2. By my failure to consistently wake over the internet and searching the problem it appears there are two issues which, if either can be circumvented, success will follow. The ARP issue can only be resolved with a static ARP which needs to be scheduled with a batch file because at shutdown the static ARP is lost. Not sure how that would work anyway since it may only reschedule it at boot, hence the PC still would not wake. The other issue is the inability to port forward a broadcast address. If one can do that then the ARP issue becomes moot!
Hi,
Have you tried what they suggest in the article I provided (http://geekswithblogs.net/twickers/archive/2007/02/21/106877.aspx)?
What I understood is that on some Linksys firmware versions, some people were able to port forward to a broadcast address by changing the subnet mask to 255.255.255.128 (the broadcast address would be: 192.168.1.127)
Sorry, I didn’t have time to test the port forward on Tomato last night… I will try to test it tonight.
Pascal.
yet another way I found to use the same domain name inside and outside the lan was to…
In “Advanced / DHCP/DNS” menu item, in custom configuration, include the following to suit…
address=/example.dyndns.org/192.168.1.1
address=/my.lan/192.168.1.1
keeps everything within the tomato webgui that way
Months and months ago I tried changing the subnet. The only way it is possible with most routers is to port forward to .127 and save it. Then change the subnet and save. If you try to port forward to any broadcast address with a Linksys router it will list it as an “Invalid Entry” so you have to do it in reverse. You are sort of tricking it doing it the way I described, however, when I’ve attempted wake with this method it didn’t work. There could have been another problem though so I’m going to try it again. I suspect Linksys is smarter than I am though!
Hi,
I confirm that Tomato firmware prevents entering a broadcast address (192.168.1.255) for a port forward. But at least with Tomato you do not need to port forward. You just need to open a port for SSH for remote connection, then you can wake-up any computer you want. In the end this setup may be easier than port forward…
@ “I confirm that Tomato firmware prevents entering a broadcast address (192.168.1.255) for a port forward. But at least with Tomato you do not need to port forward. You just need to open a port for SSH for remote connection, then you can wake-up any computer you want. In the end this setup may be easier than port forward…”
But then the user has root access to the router, which is not always a good thing.
If you want to WOL on the WAN interface change the script to:
echo "/usr/bin/ether-wake -i vlan1 01:23:45:67:89:AB" > /tmp/home/root/wakeup-mycomputer.sh
and the magic packet will be sent to vlan1 (aka WAN interface).
Hi,
Sending to the WAN interface may be useful only if your router connects two LANs, right? Otherwise, if the router connects a LAN to the Internet, it wouldn’t make sense…
Pascal.
“Laptops powered by the Intel 3945 chipset or newer (with explicit BIOS support) allow waking up the machine using wireless (802.11 protocol). This is called Wake on Wireless LAN (WoWLAN).”
http://www.intel.com/support/wireless/wlan/sb/CS-029827.htm
Maybe Tomato should have a GUI option for WoL, so you can log in to the router in your browser, go to “Device List”, and then wake up your computer.
Oh wait, there is lulz
http://192.168.1.1/tools-wol.asp
So set up an SSH tunnel to your router, then you can go to the web interface without security implications, and from there you can wake your computers
Cool!
I can use dyndns inside the lan to access RDP without any tricks. Also I create tunnel from outside to the router ip at port 80 for the web interface.
Is there a way for this traffic not to be counted by Tomato, when doing RDP from inside the LAN using dyndns? My router is in the DMZ of another outer router that is used to share Internet, and my router is the home router, and I want clean statistics about the amount of internet traffic/costs by month.
Thank you for the guides, they are very useful to me!
I have a question regarding wake-on-lan. I cannot get it working, not via LAN nor via the internet. I adjusted the setting in my BIOS (I have an ASUS P5B-Plus motherboard and enabled the “Power-on via PCIE bus”) and adjusted settings of my network card in device manager (i.e. shutdown wake up: on, wake up capabilities: magic packet and power management tab)
First I tested WOL using the gui of Tomato (1.25) and the script as mentioned above. None of this works.
Then I decided to first test whether the magic packet is received by using the Wake On Lan Monitor when the PC is switched on. No packages are received when using the Tomato GUI. However, when I use the Wake on Lan GUI and add port forwarding in Tomato it receives the magic packet.
Do you know what I am doing wrong?
What is the wake-on-lan GUI you are using (the one that works)?
Hi Pascal,
I am currently using the Wake on Lan GUI from Depicus. To get it working I added two lines to the Admin > Scripts > Init tab to set up a static ARP (read this on a forum) and forward port 7 to the static ARP IP address.
I cannot wake up my PC using the WOL tool from tomato. I tried it while accessing the tomato gui using a laptop which is inside my network.
However, remote desktop via ssh connection works like a charm !!
Thnx
I guess the 2 tools are not working the same way. Since the WOL Sniffer listens on port 7, I tried to find on which port ether-wake (the tool on Tomato) is sending the magic packet. From Wikipedia, I got this information (click here to see):
So far, my conclusion is ether-wake sends a native magic packet on the OSI layer 2, as opposed to the Depicus GUI tool that sends a UDP (OSI layer 4) packet that wraps the magic packet. Since the Depicus WOL sniffer (I assumed that’s the software you used) checks the OSI layer 4, it won’t see the packet sent by ether-wake.
In the Windows device manager, my “Wake Up Capabilities” options are:
I guess the Magic Packet vs Wake Up Frame relates to these 2 techniques (OSI layer 2 packet vs UDP packet).
I have some WOL issues with a new machine I just bought. I guess it may be the same situation as you. I will try to take a look tonight so I can give more information if I end-up with success.
Pascal.
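As an added example (not code from the post, from Tomato or from ether-wake), this Python script builds the 102-byte magic packet and frames it both ways discussed above: as a raw Ethernet frame with the Wake-on-LAN EtherType 0x0842, which is how ether-wake emits it, and as a UDP datagram to port 9 or 7, which is what a GUI tool like the Depicus one sends. The classify function then shows why a monitor that only decodes UDP payloads never sees the layer-2 form. The source MAC, target MAC and UDP source port are constructed, and the UDP case carries only the UDP header plus payload, without the IP and Ethernet layers.

```python
import struct

# Constants for this example (constructed; not taken from the post or from ether-wake).
MAGIC_SYNC = b"\xff" * 6        # the 6-byte synchronisation stream that opens a magic packet
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_WOL = 0x0842          # EtherType registered for Wake-on-LAN frames
WOL_UDP_PORTS = (7, 9)          # ports the UDP-wrapped variant commonly targets


def parse_mac(mac: str) -> bytes:
    """Turn '01:02:03:04:05:06' (or dash-separated) into 6 raw bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def magic_payload(target_mac: str) -> bytes:
    """The 102-byte magic packet: 6 x 0xFF followed by the target MAC repeated 16 times."""
    return MAGIC_SYNC + parse_mac(target_mac) * 16


def layer2_frame(target_mac: str, source_mac: str) -> bytes:
    """Raw Ethernet II frame as ether-wake sends it: broadcast destination, EtherType 0x0842."""
    header = parse_mac(BROADCAST_MAC) + parse_mac(source_mac) + struct.pack("!H", ETHERTYPE_WOL)
    return header + magic_payload(target_mac)


def udp_datagram(target_mac: str, sport: int = 40000, dport: int = 9) -> bytes:
    """UDP header plus magic packet (IP/Ethernet layers omitted), as a GUI WOL tool sends it."""
    payload = magic_payload(target_mac)
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def find_magic(data: bytes):
    """Return the target MAC if a magic packet occurs anywhere in `data`, else None.

    Scanning for the sync stream at any offset is what makes one check work for both
    framings; a monitor that only decodes UDP payloads never sees the raw frame.
    """
    i = data.find(MAGIC_SYNC)
    while i != -1:
        mac = data[i + 6:i + 12]
        if len(mac) == 6 and data[i + 6:i + 102] == mac * 16:
            return format_mac(mac)
        i = data.find(MAGIC_SYNC, i + 1)
    return None


def classify(data: bytes):
    """Say which framing a captured message uses and which MAC it targets."""
    mac = find_magic(data)
    if mac is None:
        return None
    if len(data) >= 14 and struct.unpack("!H", data[12:14])[0] == ETHERTYPE_WOL:
        return ("ethernet-0x0842", mac)      # raw layer-2 frame (ether-wake style)
    if len(data) >= 8 and struct.unpack("!H", data[2:4])[0] in WOL_UDP_PORTS:
        return ("udp", mac)                  # UDP-wrapped (Depicus-style GUI tool)
    return ("unknown", mac)


if __name__ == "__main__":
    target = "01:02:03:04:05:06"             # constructed target MAC
    print(classify(layer2_frame(target, "00:11:22:33:44:55")))
    print(classify(udp_datagram(target)))
```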
Hi Pascal,
Thank you for the clarification. Indeed I am using Depicus tools at the moment and it works. But it would be nice to also have it working using the approach you outlined above. In this way I do not have to remind my MAC address all the time
Hi,
I have succeeded in configuring my new machine for wake-on-lan yesterday. I can wake it up using the Tomato GUI.
In Windows XP, I had to set these advanced settings for the network card:
In the Wake-Up Capabilities, I had the option of: Magic Packet, Pattern Match or Both. I took Magic Packet. I guess this choice relates to the OSI-2 Layer packet vs UDP Packet…
In my BIOS, I had to turn on “Wake-Up from Onboard LAN”.
After a soft-off of the computer, I wake it up through SSH connection on the router using this command:
/usr/bin/ether-wake MA:Cx:Ad:dr:es:s0
Pascal.
I confirm that Depicus Wake-On-Lan Monitor does not “see” the wake-up packets sent by the Tomato router in my environment…
Pascal.
Some of you were on the right track for a better WOL solution, but here is the one I find most appealing:
Login to the router via ssh (or telnet) (or run this command by any other means)
arp -s 192.168.1.254 ff:ff:ff:ff:ff:ff
Then forward UDP port 9 to 192.168.1.254. Presto – you can now forward to the broadcast address (layer 2 – which is what really matters.)
This assumes your network is 192.168.1 with a netmask of 255.255.255.0, you can modify it to fit your needs.
Got a “permission denied” after executing “wakeup-mycomputer.sh”.
It’s important to give the file execute rights with:
chmod uog+x wakeup-mycomputer.sh
This is why, in my post, I wrote:
sh wakeup-mycomputer.sh
This way I don’t need the extra step of setting the execute right. Each time your router restarts, you would be forced to set the execution bit because the file will be re-created.
Pascal.
Hi Pascal,
I’m having problems waking my laptop up remotely.
I have two laptops at home, both connected to the same router. I have configured the router and my second laptop for the WoWLAN feature; however, I can only wake up the second laptop via the web interface (Tools–>WOL in Tomato) on my first laptop. Whenever, I SSH into the router and run the command sh wakeup-mycomputer.sh nothing happens. I have set the script exactly as you have described with my MAC address. Can it be because I’m testing within the LAN?
Any feedback is much appreciated.
Hi Brad,
If I understand well, if you connect to router web interface, you are able to wake-up the second laptop. But if you connect SSH, it doesn’t wake-up.
I am sure it is not because you are on the LAN. You are executing the wake-up command from the router, no matter whether you connected to the router from the LAN or the Internet…
The wake-up script just calls the ether-wake program passing the MAC address. I have no WoWLAN computer and never had to do it wireless… The ether-wake documentation talks about a second parameter that is the network interface. I guess the default is the wired one… (eth0)
see: http://linux.die.net/man/8/ether-wake
if you logon SSH onto your router and send this command
ifconfig
you should see a list of available network interface. You will have to find the one that is the wireless and modify the script this way:
/usr/bin/ether-wake -i [network interface] [mac address]
example:
/usr/bin/ether-wake -i eth1 01:02:03:04:05:06
where the mac address is the one from your second laptop and the interface is your router wireless interface.
Finally, I guess that Tomato GUI is probably sending the wake-up on all network interfaces. That would explain why it works from GUI and not from command line.
I hope this is helping you.
Pascal.
Hi Pascal,
Thanks for the tip. I modified the script to echo "/usr/bin/ether-wake -i eth1 xx:xx:xx:xx:xx:xx" > /tmp/home/root/wakeup-mycomputer.sh, rebooted the router, and now it works no problem.
BTW, is there a way to access Tomato’s GUI after the SSH tunnel is initialised?
Reading your response, I realized that I made a mistake in my example. I fixed my comment, thanks
I will check if I can connect to Tomato’s GUI through an SSH tunnel… never tried it.
Pascal.
Hi Brad,
I finally made the test and to connect to the Tomato Web GUI through SSH is as simple as creating a tunnel where the destination is your router IP address on port 80.
Pascal.
Besides having a Linksys router connected to my cable modem for my home network, I have a Cisco router connected to my Linksys to provide access to my wife’s corporate network. That means if I screw up the Linksys I’m in big trouble. Will upgrading my BIOS to Tomato cause me any problems in this area? After the upgrade I assume that I’ll have to re-enter all of my connection information. Correct?
Thanks
Hi,
Flashing a router with a third party firmware is always at your own risk. It is a good idea to reset the settings after flashing with a new firmware (I tend to do it before as well). So yes, you will have to re-enter all your connection information.
The worst case scenario is to brick your router and be forced to buy another one. I have flashed my old router many times (DD-WRT (many versions), OpenWRT (multiple times with multiple versions), Tomato and original). I bricked my router once and it was not because of this process. I played with something I shouldn’t have (related to the file system) using OpenWRT…
So I guess it is quite safe, but you have to make sure your hardware is compatible first and what the known issues are. Then, if you think it is worth the risk, do the flashing during open hours so you can rush to the store to buy another one in case it goes wrong
Pascal.
I always like a good tinker, but wouldn’t it be much easier to go with third party remote desktop software for these solutions? They are so much easier to set up AND install, that it just seems like a no-brainer.
As you can see his guide does not mention a specific piece of remote desktop software. To achieve this additional level of security, these steps would be necessary even with the mentioned (probably expensive) third party software.