FreshTomato (freshtomato.org)
169 points by julianlam 8 days ago | 52 comments

It's great to see so many different alternative Router OSs.

I have a pile of routers, more than a dozen, which have stopped being updated and just basically abandoned by their manufacturers, well within their functional life, and many of them expensive, £100+ "pro home (wifi) routers".

For some time I used a variety of OpenWRT(LEDE)[0], DDWrt[1], Tomato, PFSense[2], OPNSense[3] and others, because CVEs in my edge-router / firewall aren't something I'm keen on.

I use an Ubiquiti EdgeRouter now, but I'm looking to move to a perhaps PCEngines + OPNSense for my next replacement.

[0]https://openwrt.org/ [1]https://dd-wrt.com/ [2]https://www.pfsense.org/ [3]https://opnsense.org/


PCEngines are all out of stock for quite some time: https://www.pcengines.ch/newshop.php?c=4

I found out after my APU2 bit the dust last month. Though that's what I get for running it in a room that routinely gets to 35C/95F in the summer months. Lasted years so I still recommend, just don't put it somewhere stupid like me. Running a spare Celeron J1900 ITX board paired with a dual GbE NIC in the meantime.


Interesting, that's a pretty big window.

How was performance, could it handle Gigabit WAN? Would/have you run OPNSense on it?

I was considering an apu2e4 because I'd like something more open (coreboot) than the other hardware I have to hand.


Yeah, the APU2 handles gigabit no problem and the CPU is plenty fast. They have really nice Intel NICs, see https://pcengines.ch/apu2.htm. As you say, ships with coreboot.

I've been using APU2s for years (and before that APU and ALIX). The ALIX couldn't really saturate gigabit, but iirc even the APU could. Highly recommended.


I only have 100Mb FiOS and it handles that just fine. I'm not sure if it can handle gigabit. It ran OPNsense and acted as a basic router and dyndns, nothing fancy. My only real advice is to use an mSATA disk and not SD. My first install ran from a 32GB Sandisk SD card which died after a year.

If and when I buy a new APU I plan on running OpenBSD and learn to setup PF proper and roll my own router (A friend runs such a setup and loves it). At this point I just want a standard OS.


I don't run SDs for anything important. I've had a dozen RPis in my home rack alongside the "serious" hardware, so I've killed my fair share of microSDs.

I'm not very familiar with OpenBSD, have run FreeBSD for a while, would certainly be fun to play around with a router based on a standard OS and not have to worry about proprietary updates like with the EdgeRouter any more.


That was my first and last important thing running off SD. And I too have had a few uSDs die in RPis. Though at work I have a Beckhoff PLC in a machine with a uSD running in a control cabinet. Still running fine after 2.5 years and I've not heard of issues with them. I'll have to find out which brand it is.

I run both FreeBSD and OpenBSD. FreeBSD for recently built home server as it has first class zfs support, bhyve works well, and excellent docs. OpenBSD as I know a few hard core users, and I've been using it on old hardware for years (have an imac G3 running it :). VPS for webcrap. OpenBSD is clean and they have good documentation as well. At the bottom of the following link is the pf router how-to I want to give a go, https://www.openbsd.org/faq/pf/


Thanks for the link, it's amazing that this is so thoroughly documented, I think I'm going to have to give it a go myself!

I have an APU2 as the primary OPNSense router at home and picked up an HP T6xx thin client as a backup. There are a lot of small, low powered x86 boxes that will run OPNSense well but it is pretty common knowledge so prices have risen.

The current goto is commercial display PCs with multiple NICs otherwise there are some great micro PCs e.g. Qotom.


I currently have OPNSense running on a small x86 box, it's sitting inside my network though and providing a secondary network for access to some buddies for "SaaS" I run from home for our projects.

I really want a PCEngines APU specifically for my edge router though, mainly for coreboot and potentially failover to cellular, and it fits nicely in 1u too.


Speaking of PCEngines, about a month ago I read a blog post about a personal project involving a prototype APU with an optical port and other improvements, but I can't find anymore.

Does anyone know more?


Surprised you didn't mention VyOS. EdgeRouterOS is based on Vyatta. VyOS is a continuation of that.

It was in there originally, I messed up copy pasting bits back and forth and left it out, but yes, VyOS/Vyatta is a great one.

For asus routers, there is https://www.asuswrt-merlin.net/ as well.

I honestly expected a RottenTomatoes fork, not a Tomato fork.

I expected a libre implementation of WholeTomato's Visual Assist plugin :)

I run this on my Asus R7000 and it's the best firmware I've ever used on this (or any router) device. NAS, OpenVPN, Guest Wifi and even Transmission (Bittorrent Client) and nginx have been running stable for many years now, and the network speed can keep up with my 500Mbit line (I heard Gigabit might be a bit too much for that device).

So glad FreshTomato still keeps on getting regular updates and lets me use the now 7 years old R7000.


Same, FreshTomato is great

If anyone else is looking for this: If I get it right, there seems to be wireguard available but there is no GUI yet (for ARM devices).

https://wiki.freshtomato.org/doku.php/feature_matrix?s[]=%2A...


That’s correct. Setup must be through cli. But it’s faster than the OpenVPN implementation and the GUI will happen eventually.
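The comment above says WireGuard on FreshTomato currently has to be configured from the CLI. The script below is an added example, not FreshTomato's own setup script, showing a minimal shell bring-up of a WireGuard "server" interface on a Linux-based router. It assumes wireguard-tools (`wg`), iproute2 (`ip`) and iptables are present; the interface name, port, addresses and every key are placeholders. The config it writes is in `wg setconf` format, which, unlike wg-quick, does not accept an `Address` line, so the tunnel address is applied separately with `ip`.

```shell
#!/bin/sh
# Added example (not FreshTomato's own code): bring up a WireGuard interface
# from the shell on a Linux-based router. Interface name, port, addresses and
# keys are placeholders/assumptions.
set -eu

WG_IF=${WG_IF:-wg0}
WG_PORT=${WG_PORT:-51820}
WG_ADDR=${WG_ADDR:-10.8.0.1/24}

# Peers as "public-key tunnel-address" lines. AllowedIPs is pinned to each
# peer's single tunnel address: WireGuard uses AllowedIPs both as a route and
# as the source filter for decrypted packets, so a broader range (or
# 0.0.0.0/0) on the router side would let one peer send traffic as another.
# The keys are constructed and must be replaced with the peers' real ones.
PEERS='
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= 10.8.0.2
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB= 10.8.0.3
'

# render_wg_conf KEYFILE: print a config in the format `wg setconf` accepts.
# Unlike wg-quick, `wg setconf` rejects an Address= line, so the tunnel
# address is applied separately with `ip` in apply_wg.
render_wg_conf() {
    keyfile=$1
    printf '[Interface]\nListenPort = %s\nPrivateKey = %s\n' \
        "$WG_PORT" "$(cat "$keyfile")"
    printf '%s\n' "$PEERS" | while read -r pub addr; do
        [ -n "$pub" ] || continue
        printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$pub" "$addr"
    done
}

# write_wg_conf CONF KEYFILE: write the config with 0600 permissions (it
# contains the private key) and print its path.
write_wg_conf() {
    conf=$1
    keyfile=$2
    umask 077
    render_wg_conf "$keyfile" > "$conf"
    printf '%s\n' "$conf"
}

# apply_wg CONF: create the interface, load the config, add the address and
# firewall rules. Skips itself unless run as root with wireguard-tools
# installed, so the script can be dry-run on another machine.
apply_wg() {
    conf=$1
    if ! command -v wg >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        echo "apply_wg: need root and wireguard-tools; skipping" >&2
        return 0
    fi
    ip link show "$WG_IF" >/dev/null 2>&1 || ip link add "$WG_IF" type wireguard
    wg setconf "$WG_IF" "$conf"
    ip address replace "$WG_ADDR" dev "$WG_IF"
    ip link set up dev "$WG_IF"
    # Accept handshakes on the listen port and forward tunnel traffic; adapt
    # to the router's existing iptables chains.
    iptables -I INPUT -p udp --dport "$WG_PORT" -j ACCEPT
    iptables -I FORWARD -i "$WG_IF" -j ACCEPT
    iptables -I FORWARD -o "$WG_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Demonstration with a constructed (not real) private key in a temp directory.
demo_dir=$(mktemp -d)
printf '%s\n' 'CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=' > "$demo_dir/server.key"
chmod 600 "$demo_dir/server.key"
demo_conf=$(write_wg_conf "$demo_dir/wg0.conf" "$demo_dir/server.key")
cat "$demo_conf"
apply_wg "$demo_conf"
```

Generate the real server key with `wg genkey` under `umask 077`; the two things worth checking before going live are that the config file and key are mode 0600 and that no peer's AllowedIPs is wider than its own tunnel address.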


Surprised to see this on HN, but can vouch for this one: actually good router software.

why surprised? seems like it fits right in here.

It's maybe an unfair bar for open source projects, but I'd love to see a third party audit of the source code (and binaries). Downloading a binary that all of my network traffic goes through is...trusting. (And I have done so the past - dd-wrt & tomato; and, sure, it's not a ton different from using out of the box firmware from e.g. Tp-Link or Ubiquiti)
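The trust question raised above has one cheap, partial answer a practitioner should apply regardless of which firmware they pick: check the image against the checksum the project publishes before flashing. The script below is an added example, not FreshTomato's own tooling; the file names and digests in it are constructed. A checksum hosted beside the binary only catches corrupted downloads and mirror mix-ups, not a compromised download server; defending against that needs a detached signature verified with a key obtained out of band, which this script does not attempt.

```shell
#!/bin/sh
# Added example (not FreshTomato's own tooling): check a downloaded firmware
# image against a published SHA-256 list before flashing it. File names and
# hashes here are constructed; substitute the image and checksum file the
# project actually publishes.
set -eu

# verify_image IMAGE SUMFILE
# SUMFILE is in `sha256sum` format ("<hex>  <name>"). Succeeds only when an
# entry for IMAGE's basename exists and matches the image's actual digest.
verify_image() {
    image=$1
    sumfile=$2
    name=$(basename "$image")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sumfile")
    if [ -z "$expected" ]; then
        echo "$name: no checksum entry, refusing to flash" >&2
        return 1
    fi
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "$name: checksum mismatch, refusing to flash" >&2
        echo "  expected $expected" >&2
        echo "  got      $actual" >&2
        return 1
    fi
    echo "$name: checksum OK"
}

# Demonstration on constructed data: a fake image, its correct digest, then
# the same file with one byte changed.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed firmware bytes, not a real image' > "$tmp/freshtomato-demo.trx"
    (cd "$tmp" && sha256sum freshtomato-demo.trx > sha256sums.txt)
    verify_image "$tmp/freshtomato-demo.trx" "$tmp/sha256sums.txt"
    printf 'constructed firmware bytes, not a real imagE' > "$tmp/freshtomato-demo.trx"
    if verify_image "$tmp/freshtomato-demo.trx" "$tmp/sha256sums.txt"; then
        echo "BUG: tampered image accepted" >&2
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
}
demo
```

Use it as `verify_image freshtomato-XXX.trx sha256sums.txt && flash ...` so the flashing step never runs on a mismatch; the lookup is by basename, so renaming the image after download is enough to make it fail closed.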

My logic is this:

Open source router firmware: a) is derived from well-established Linux/BSD networking stacks, b) has a smaller installed user base, so is a less-attractive target, and correspondingly c) has a lower value of exploit, which is more likely to be CVE'ed for reputation than sold for cash.

An audit would be interesting and welcome, but I have more ambient confidence in open source router firmware than vendor firmware. There's nothing unusual about the hardware in these things that the vendor has special knowledge of.

Also, most alternative firmwares have better performance, a better UI, are more frequently updated if bugs are found, and have more features than most stock firmware.

I've used OpenWRT, DD-WRT, and Tomato on inexpensive consumer routers in the past. Never regretted any of them. I purchase home router hardware specifically by the compatibility lists.


Yeah, it's a fair point that e.g. broadcom firmware is a good target (https://www.cvedetails.com/vendor/5420/Broadcom.html) because it's widely deployed.

No idea tomato was forked again !

Tomato was the only firmware that I liked to use and only stopped using it when shibby abandoned it 4 years ago.


You mean 11 years ago

Oof... right in the feels. Are... are we old now?

For those of us who know less about these things, how does this compare to something like OPNsense/pfSense in a homelab setting? When would one use OPNsense/pfSense over OpenWrt/Tomato?

For starters, I don't think you will get OPNsense, pfSense or the likes running on OTS router hardware. So, if this is what you intend, there is not much choice.

Then it depends on your requirements. If your homelab lands in the area of 95% of the typical use cases, you will be very fine with OpenWrt or Tomato, or actually even most original firmware. Unless you bought something that is ridden with bugs and will not get updates, there are most certainly no noticeable benefits of running an alternative firmware. (Things like bufferbloat come to mind, I prefer control over my buffers, but good routers firmwares also do this quite reasonably).

Another difference: getting OPNsense/pfSense running (and well maintained) will require considerably more time and effort, than OpenWrt or Tomato.

Actually, for most soho/home users I would recommend a FritzBox. They are really packed with features, are well updated, zero hassle. Unless you really, really need something more exotic, they will save you lots of time and money. Also: automatic updates (configurable).

There is also MikroTik. Slightly more expensive than FritzBox, also packed, but slightly different audience (larger networks, less "user-friendly"...).

Disclaimer: I have a FritzBox running PPPoE passthrough to an OpenWRT router running on a NanoPi 2RS dialing in over PPPoE, with a MikroTik CRS112 behind that running only as a switch.

I have my reasons for that setup, but the time and money I wasted on that setup is really difficult to justify to an outsider (and sometimes to myself). The FritzBox worked really, really well.


I mostly agree with this comment except for:

> there are most certainly no noticeable benefits of running an alternative firmware

For me, those are wireguard, pihole, and the unquantifiable benefit of freedom and choice. Oh, and vim at the cli, and usually a more complete environment than an outdated busybox shell.


Oh, you got me wrong there. I do the same. Wireguard's the reason why I run OpenWRT.

(Although I'm hesitant to put a pihole up there too, it would not be the 'official' pihole or maybe in a container, both don't seem optimal).

But what I meant is: From a practical standpoint, on a daily basis, besides your subjective feeling, nobody else notices a difference if your router has Vim or not - as long as it works. And any decent router nowadays usually works.

And I think one should realize that this is tinkering for the tinkering's own sake. There are no objective benefits[*] if you ask an outsider, e.g. your partner.

And now I have to manually keep my router up to date, against all possible bugs in numerous open source packages. In 2021 at least security updates should be automatic for OSS- period.

[*] (Repeating:) UNLESS you have some specific requirements, e.g. VPN, multiple uplinks, specific software due to specific use cases, etc. In these cases OpenWRT/Tomato etc. are a somewhat easier and cheaper way to get your own stack running, compared to setting up a full-fledged OTS x86 box with Linux or BSD; even pfSense is more work and more expensive, I would argue, where the benefits over OpenWRT are even less tangible.


I have a small x86 home server running wireguard and Pi, but I prefer to keep the router 'stock' unless there are issues.

Any time you can actually use it on your hardware.

OpenWRT/Tomato can work on devices with 4 MB RAM, 32 MB ROM.


Tomato has always been my favorite router firmware. It's a shame it hasn't been continuously maintained. I never donated to it but in retrospect I would pay for it. Last time I updated my router I used another fork called AdvancedTomato. It looks like that's dead now too.

I find the router firmware space very confusing. I’ve got a Netgear R6400 with TomatoNG. It worked well for a while but lately I seem to be having a lot of trouble with dropped connections and general sluggishness. I haven’t taken the time to try to rule out the router or anything but I did try to look up if there was any newer firmware and TomatoNG seems to be abandoned. From there I couldnt really figure out other things to try.

Which (decent) current era modem/routers could I use this with now? Working out which routers support flashed firmware has always confused me. Thx

I was also a little confused and bought the cheapest router on the list, the Asus RT-N12. The underpowered 2.4GHz radio meant it was completely overwhelmed by competing signals.

I now run this on an RT-AC68U, which has a dual radio. Is it the most recent router? Probably not, but it gets the job done and has a USB port for printer sharing (no clue if that works, we shall see.)


Used to run Tomato on a Linksys E4200; I had a symmetric gigabit connection (university network, 2017). It had issues getting past 125 Mbps due to not having access to certain hardware features.

Flashing back to stock firmware gave me my gigabit back but lost me my control.

I hope that this is a solved issue, i never looked far in to it either so it may have already been solved. Just check before you jump in.


Yeah you could load the bcm_nat module at boot to use Broadcom's hardware NAT. Worked on some chipsets. Openwrt is better, so just look for something with a supported chip, Atheros or Qualcomm these days.

Had to flash it off the router because it didn't support the FTTH configuration required by the ISP.

This is pretty neat, I used to run Tomato on a lot of hardware. Shame there are no screenshots, as the original Tomato GUI was pretty nice for the time and I'm curious as to what it looks like now.

There are 2 screenshots on the main page.

But none on the "Screenshots" page, which is where I immediately clicked. The ones you point out are below the fold on my display.

It's considerably heavier than older Tomato versions, so if you have a 10-year-old router that's already running fine on an older Tomato variant I don't recommend it.

If you expect people to be running a WRT54G from 2002 or a WRT54GL from 2005, that's a fair warning. Those only had like 4 MB Flash and 16 MB RAM, and a single-core MIPS processor at 125 or 200 MHz.

When those came out, you were probably running a Pentium 3 with 512 MB of DDR2-800 and had an 80 GB hard drive. If you're still running that as your PC, be careful, because modern desktop operating systems and programs are also considerably heavier. Stick with Netscape for browsing the web, though there's a new browser called Firefox in version 0.9. Napster recently shut down, but yes, your old Tomato firmware should be nice and snappy while using Limewire over your DSL modem. FreshTomato, with all the options built in, might not fit.

This will, indeed, run best and enable the most features when using a router that has a comparatively generous 128 MB of Flash, 64 kB of NVRAM, and 128/256 MB of DRAM. Those are no longer opulent or excessive stats. Wifi AC is out; treat yourself to something with MIMO antennas, a dual-core 1+ GHz ARM processor to run all the neat plugins you might want to use, and USB3 storage. Even with that higher power, switching power supplies have improved dramatically in the past few decades; both the router and the power brick will probably not be as hot as on that old router, even while they're doing more and doing it faster.


I think the maintainers build different variants based on RAM size and feature set.

For example, the image I used on my router was 27 MB, but the smaller "min" image for the relatively old RT-N12 was only 3.6 MB.


Once the original Tomato fell off, DDwrt is such a shitshow, OpenWRT/LEDE has been the go-to for years. This is neat to see because I didn't know about it.

Have used this on a few different router models, works well.

Oh Thank You. I always thought Tomato was dead, and the only living thing that carry its legacy was ASUSWRT.

Time to play with it on my old ( no longer updated ) ASUS Router.


After I lost pretty much a whole day to a bug in another Tomato variant I think I will stick with the stock firmware. Asus's is decent enough.


