Fresh Tomato - Web Admin - Wireless Access

[Miti]

I've been using an older version of Tomato on my oldie Linksys WRT54GL and everything was OK until last year when it started dropping the WiFi. The connection was there but I wouldn't get any data. The solution was to reboot the router.
Thinking that it may be a SW issue, I don't know why I think that, I decided to upgrade and I installed "FreshTomato Firmware 2020.1 MIPSR1 K26 Mini". All good, the Wifi seems OK now, surprisingly, but I can't disable the wireless admin access, I want to allow only wired access.
There is a check-box in the Administration>Admin Access>Web Admin > Allow Wireless Access but if I uncheck that box, I still get access from a wireless connected laptop.
Do you have any experience with Tomato and what can I do to disable that?

Thanks,
Miti

[retiredcaps]

There is a check-box in the Administration>Admin Access>Web Admin > Allow Wireless Access but if I uncheck that box, I still get access from a wireless connected laptop.

I have only tried Fresh Tomato a couple of times so I'm not an expert, but did you try rebooting the router after making the change?  Try clearing your browser cache?

Currently, I run dd-wrt on my Cisco/Linksys router, but my first choice would be openwrt.  Unfortunately, all the free Cisco/Linksys routers that I get don't have open source broadcom 802.11n support so I have to use dd-wrt.  Nothing wrong with dd-wrt, but I prefer openwrt.

[Miti]

I have only tried Fresh Tomato a couple of times so I'm not an expert, but did you try rebooting the router after making the change?  Try clearing your browser cache?

I did soft and hard reboot multiple times, cleared cache, nope...still there.

[retiredcaps]

I installed "FreshTomato Firmware 2020.1 MIPSR1 K26 Mini".

Try the latest and greatest code

https://freshtomato.org/downloads/freshtomato-mips/2020/2020.3/K26/freshtomato-K26_RT-MIPSR1-2020.3-Mini.zip

It's version 3 instead of 1.

I suggest you erase your current config, start fresh, test the wireless access first and if that works, continue configuring your router.

[retiredcaps]

Changelog for version 2 says

https://tweakers.net/downloads/51156/freshtomato-20202.html

"GUI: Fix Issue #15 to allow configuring remote access in router mode"

---

Maybe this is related to your wireless access?

[Miti]

What if I save the configuration and I reload it into the new install? Would that work. I worked half day today to configure it. I have lots of cr..  stuff.

[james_s]

I've used Tomato for many years and more recently moved to FreshTomato. I haven't noticed this particular bug but I've never felt need to disable wireless access either, I figure once someone has gotten onto my wireless then they're already inside my network.

I did set it up so the VLAN that my guest network is on can't access the router config but now I don't remember how I did it, I think it was some custom routing.

[Miti]

I've used Tomato for many years and more recently moved to FreshTomato. I haven't noticed this particular bug but I've never felt need to disable wireless access either, I figure once someone has gotten onto my wireless then they're already inside my network.

Yes, you are right but it would give me an extra (fake) sense of security. I enabled WPA2, disabled SSID broadcasting, created a MAC filter, disabled remote access, etc., but I understand none of these are stopping a determined hacker. Not that I would be a worthy target.

I did set it up so the VLAN that my guest network is on can't access the router config but now I don't remember how I did it, I think it was some custom routing.

That’s a line in the Admin>Scripts>Firewall, I did that as well.

[james_s]

Seems like you might be better off just disabling WiFi entirely and using a wire if you are that paranoid.

[retiredcaps]

What if I save the configuration and I reload it into the new install? Would that work.

Well, you can do the above and retest.

When troubleshooting, I like to simplify as much as possible.  With a fresh config, I know there isn't likely a corrupt stored/saved setting.

[retiredcaps]

Yes, you are right but it would give me an extra (fake) sense of security. I enabled WPA2, disabled SSID broadcasting, created a MAC filter, disabled remote access, etc., but I understand none of these are stopping a determined hacker.

The best you can do is to slow down or put up enough layers to deter someone.

When I do banking, I only use wired connection on my main computer.

For other things like eevblog posting, I use other computers with wifi.

PS. I recently added dnscrypt to my lubuntu setup so my dns requests are encrypted.

[cdev]

Did they update the WRT54GL firmware so it wasnt suceptible to the Krack (wifi) attack? Around a year or two ago, I stopped using mine because all the versions of firmware (openwrt, the original Tomato, Lede, dd-wrt etc) I could find at that time were all vulnerable.  Of course its been a while since then so maybe I am wrong now.

At the time I got the impression that it was being represented that it needed more memory but that was obviously bullshit because there are very compact versions of WRT54GL FW, and I wasnt using one so it would likely have been easy to make a stripped down version -but there wasnt one at that time that I could find. .

[james_s]

Did they update the WRT54GL firmware so it wasnt suceptible to the Krack (wifi) attack? Around a year or two ago, I stopped using mine because all the versions of firmware (openwrt, the original Tomato, Lede, dd-wrt etc) I could find at that time were all vulnerable.  Of course its been a while since then so maybe I am wrong now.

At the time I got the impression that it was being represented that it needed more memory but that was obviously bullshit because there are very compact versions of WRT54GL FW, and I wasnt using one so it would likely have been easy to make a stripped down version -but there wasnt one at that time that I could find. .

I doubt there has been much focus on the WRT54GL in a while, it's a very old router by now and not really powerful enough for modern broadband. I used a WRT54G running DD-WRT and later Tomato for a long time but at some point I realized I'd had 30Mb broadband for a while and the router was limiting me to around 20Mb throughput.

Now I'm in the process of upgrading to gigabit since it's only $30 more than I pay for 30Mb and there are not many consumer routers even now that can handle that kind of throughput. Not that I need that much but if it's available it's going to bother me if I can't utilize it.

[james_s]

The best you can do is to slow down or put up enough layers to deter someone.

When I do banking, I only use wired connection on my main computer.

For other things like eevblog posting, I use other computers with wifi.

PS. I recently added dnscrypt to my lubuntu setup so my dns requests are encrypted.

I have a subscription to PIA VPN, if I'm doing something where I really care about privacy I just fire up the client for that, then I don't really have to care too much about the security of the connection itself. I keep my WiFi network mundane looking and try not to give anyone a reason to single it out and try to get in. I can typically see 10-15 other networks from my house and figure I just have to not be any less secure than they are.

[Miti]

I doubt there has been much focus on the WRT54GL in a while, it's a very old router by now and not really powerful enough for modern broadband. I used a WRT54G running DD-WRT and later Tomato for a long time but at some point I realized I'd had 30Mb broadband for a while and the router was limiting me to around 20Mb throughput.

Now I'm in the process of upgrading to gigabit since it's only $30 more than I pay for 30Mb and there are not many consumer routers even now that can handle that kind of throughput. Not that I need that much but if it's available it's going to bother me if I can't utilize it.

Since there’s a new recent Tomato version for this router, or processor, I assume they fixed these high risk bugs but I can’t know for sure. I don’t know how this works but I don’t expect them to maintain a separate package for each router but rather have a master package and then a different compilation for each router. A new package, new compilation and is done. So what I’m saying is, if they fixed it in the master package, it should propagate to all the routers. I may be wrong though, there may be some drivers that are included in the compilation but not maintained at the master level. I’m a HW guy.

Anyway, it is indeed an old router but looking to buy a new one, my eyes rolled multiple times in the sockets. 300 + $? Wow, are they gold plated?  Since I have two WRTs I couldn’t find the motivation to pay that much for another one. I realize however that my bandwidth is severely limited.

So if I decide to buy a new router, what model that can run open SW and doesn’t break the bank would you recommend?

[james_s]

It depends on the throughput you need. There's nothing wrong with an old router if it's fast enough to handle the connection you have, but just make sure the router isn't the bottleneck.

I've never paid more than $40 for a router and most that I've had were much less. I've always bought them used, either at thrift stores or more recently I bought a R7000 in preparation for an upgrade to gigabit, got a EA6900 for $32 also as a backup. After accidentally bricking my main router twice in one week while updating the wrong one I decided it was prudent to have a preconfigured spare on the shelf.

[Zucca]

So if I decide to buy a new router, what model that can run open SW and doesn’t break the bank would you recommend?

If you want the cream of the cream, go with a pfSense firewall and a Mesh wifi. Do not do Firewall and Wifi on the same box.

If you want something basic but decent go for Asus RT-AC3200, but there are many choices:

https://wiki.freshtomato.org/doku.php/hardware_compatibility

[cdev]

You can use a Raspberry Pi with wifi as a router, that is actually one of the more flexible options, but be aware that some models, particularly the 3B (first RPI 3) have a very weak wifi signal and so if you have a very large house or noisy wifi environment you'may need to replace the antenna with something a bit better (which can simply be a short piece of insulated wire cut to the right length)  the Raspberry Pi 4 with its gigabit lan and Ac MIMO wifi is likely a very good wifi AP and router, if you know how to set it up properly)

[edavid]

So if I decide to buy a new router, what model that can run open SW and doesn’t break the bank would you recommend?

How about a used R7000?  Strong radios and a huge upgrade over the WRT54GL.

[retiredcaps]

Since there’s a new recent Tomato version for this router, or processor, I assume they fixed these high risk bugs but I can’t know for sure.

There is usually a change log with each new version and you can see what bugs are fixed.

[retiredcaps]

It depends on the throughput you need. There's nothing wrong with an old router if it's fast enough to handle the connection you have, but just make sure the router isn't the bottleneck.

+1. My Internet connection used to be 5Mbps.  Yes 5Mbps in Canada in the city (not rural).  So using an older free router with 802.11g was fine.

After some negotiation with the ISP and a lower price, I have now 100Mbps.  So I had to upgrade my older router to another free not so old router to run 802.11n.  I currently get around 35Mbps on a good day with wifi, but my area is congested with others around me.  That's good enough for general web browsing + using ublock origin.

When I need to download a big file, then I will use ethernet at 100Mbps.

So far all my routers have been free.  I pickup the ones that have 8MB flash and at least 32MB DRAM and that are supported by openwrt or dd-wrt.  If free is not an option, then check your local ads for routers $20 or less.

I give away all my old ones, with updated software, to people who only need 802.11g.  Just trying to keep working useful electronics out of the landfill.

[retiredcaps]

How about a used R7000?  Strong radios and a huge upgrade over the WRT54GL.

If you are referring to the Netgear 7000, see

https://openwrt.org/toh/netgear/r7000

Specifically

"Devices with Broadcom WiFi chipsets have limited OpenWrt supportability (due to limited FLOSS driver availability for Broadcom chips). Consider this when chosing a device to buy, or when deciding to flash OpenWrt on your device because it is listed as supported. See Broadcom WiFi for details. "

That's the same issue I have with my free Cisco/Linksys routers with Broadcom chipset NOT being able to run at 802.11n speeds and why I have to use dd-wrt.  Some of the Cisco/Linksys routers don't use the Broadcom chipset.

[Miti]

Thank you all for the info! I’ve seen some routers at Value Village but not knowing what they can do or even why they are there, and having very little time lately, I hesitated but one day I’ll have to do something to upgrade to dual band. My home internet is 30Mbps and up until recently when my family got Netflix, it was 30Mbps constant. Now I think they throttle me. It’s in the contract.

[edavid]

How about a used R7000?  Strong radios and a huge upgrade over the WRT54GL.

If you are referring to the Netgear 7000, see

https://openwrt.org/toh/netgear/r7000

Specifically

"Devices with Broadcom WiFi chipsets have limited OpenWrt supportability (due to limited FLOSS driver availability for Broadcom chips). Consider this when chosing a device to buy, or when deciding to flash OpenWrt on your device because it is listed as supported. See Broadcom WiFi for details. "

That's the same issue I have with my free Cisco/Linksys routers with Broadcom chipset NOT being able to run at 802.11n speeds and why I have to use dd-wrt.  Some of the Cisco/Linksys routers don't use the Broadcom chipset.

That doesn't seem to be an issue for Tomato.

https://www.bestvpn.co/blog/best-tomato-routers/

[Monkeh]

How about a used R7000?  Strong radios and a huge upgrade over the WRT54GL.

If you are referring to the Netgear 7000, see

https://openwrt.org/toh/netgear/r7000

Specifically

"Devices with Broadcom WiFi chipsets have limited OpenWrt supportability (due to limited FLOSS driver availability for Broadcom chips). Consider this when chosing a device to buy, or when deciding to flash OpenWrt on your device because it is listed as supported. See Broadcom WiFi for details. "

That's the same issue I have with my free Cisco/Linksys routers with Broadcom chipset NOT being able to run at 802.11n speeds and why I have to use dd-wrt.  Some of the Cisco/Linksys routers don't use the Broadcom chipset.

That doesn't seem to be an issue for Tomato.

https://www.bestvpn.co/blog/best-tomato-routers/

Because Tomato is using closed drivers with all the issues they bring. It's just rehashing dead old firmware to feel good.

[retiredcaps]

I hesitated but one day I’ll have to do something to upgrade to dual band. My home internet is 30Mbps and up until recently when my family got Netflix, it was 30Mbps constant.

When looking for a new router or used router, I think it's best to get one that has support from Openwrt and dd-wrt, freshtomato, etc.  That gives you options on which to run.

For example, on an older dlink router, openwrt runs fine, but with dd-wrt, the 802.11n becomes unresponsive after several minutes or days.

I think you will have better luck searching your local kijiji or other online vs value village for a decent router.

Start with a filter for < $50 and see what is the "best".  Then offer 50% of the asking price.   Routers are usually not hot selling items on kijiji and many people would be happy to get rid of them for $10 or $20.

If you disclose which city you live in, I can help you narrow down the options.

[james_s]

Because Tomato is using closed drivers with all the issues they bring. It's just rehashing dead old firmware to feel good.

Fully supported open drivers would be nice, but the closed drivers work just fine. Tomato brings a vastly superior (IMO) user interface than the stock Netgear firmware and more features. It also lets me standardize across all the different routers I've used. When I upgrade, I upgrade to something that supports FreshTomato and it's already familiar. My current R7000 looks exactly the same as my old E2000 except that it's a lot faster. My router is an appliance, if it works it works, it's not something I use to make a statement for open source.

[Monkeh]

Fully supported open drivers would be nice, but the closed drivers work just fine.

Within their limitations. And running a 2.6.. Yeah, no, sorry. It's 2020, would you run XP still in a security role?

[james_s]

Within their limitations. And running a 2.6.. Yeah, no, sorry. It's 2020, would you run XP still in a security role?

I wouldn't have run XP in a security role back when it was new.

What sort of security issues are you concerned with? Can you find some cases of these being exploited? I'd like to see some quantifiable data comparing the security of fully open drivers vs closed source Broadcom drivers because it sounds like speculation to me. We're not talking about corporate use where there are high value targets, most consumers run weak passwords and I still occasionally see networks with no password at all. It's not hard to not be the low hanging fruit.

Either way I'm going to continue running the R7000 with FreshTomato for the foreseeable future, in close to 20 years I've never had anyone crack my network, I keep pretty close tabs on things.

[Monkeh]

Within their limitations. And running a 2.6.. Yeah, no, sorry. It's 2020, would you run XP still in a security role?

I wouldn't have run XP in a security role back when it was new.

What sort of security issues are you concerned with? Can you find some cases of these being exploited? I'd like to see some quantifiable data comparing the security of fully open drivers vs closed source Broadcom drivers because it sounds like speculation to me. We're not talking about corporate use where there are high value targets, most consumers run weak passwords and I still occasionally see networks with no password at all. It's not hard to not be the low hanging fruit.

Either way I'm going to continue running the R7000 with FreshTomato for the foreseeable future, in close to 20 years I've never had anyone crack my network, I keep pretty close tabs on things.

The point is, there are no eyes on this code. None. Haven't been for a decade. I'm not even talking about Broadcom's vomit-code, just the kernel.

It's time to move on.

[Miti]

The best price I found for an R7000 on Kijiji is $70 CAD. Still looking...

[cdev]

You can use a Raspberry Pi with a $5 USB dongle and run current code. Ralink dongles are very compatble and the drivers are open sourced. That would give you more opportunity for logging. As far as performance, if you use the RPI 2 or 3 with a USB3 ethernet adaptor for the uplink NIC, the Ethernet performance quadruples or more. With a modern, fast USB wireless dongle running as an access point, (you can use Raspbian or OpenWRT) the performance will be quite good, you can even use 5 GHz and you'll have far more memory and storage space for applications and logging.

[Miti]

You can use a Raspberry Pi with a $5 USB dongle and run current code. Ralink dongles are very compatble and the drivers are open sourced. That would give you more opportunity for logging. As far as performance, if you use the RPI 2 or 3 with a USB3 ethernet adaptor for the uplink NIC, the Ethernet performance quadruples or more. With a modern, fast USB wireless dongle running as an access point, (you can use Raspbian or OpenWRT) the performance will be quite good, you can even use 5 GHz and you'll have far more memory and storage space for applications and logging.

You gave me an idea, I don't have a newer R-Pi but I do have an Intel NUC DCCP847DYE collecting dust in my toy box. I see that Openwrt and DD-WRT have X86 images and I incline towards DD-WRT since is more...NOOB friendly,  but it requires "registered users" for Wi-Fi support, which translates into "paid". I wonder if I should try the public image and then, if I can make it work, pay 20 euros for the registered version to add Wi-Fi. I will need to find what dual band USB adapters would work with this image, they mention Atheros.

[Monkeh]

You can use a Raspberry Pi with a $5 USB dongle and run current code. Ralink dongles are very compatble and the drivers are open sourced. That would give you more opportunity for logging. As far as performance, if you use the RPI 2 or 3 with a USB3 ethernet adaptor for the uplink NIC, the Ethernet performance quadruples or more. With a modern, fast USB wireless dongle running as an access point, (you can use Raspbian or OpenWRT) the performance will be quite good, you can even use 5 GHz and you'll have far more memory and storage space for applications and logging.

You gave me an idea, I don't have a newer R-Pi but I do have an Intel NUC DCCP847DYE collecting dust in my toy box. I see that Openwrt and DD-WRT have X86 images and I incline towards DD-WRT since is more...NOOB friendly,  but it requires "registered users" for Wi-Fi support, which translates into "paid". I wonder if I should try the public image and then, if I can make it work, pay 20 euros for the registered version to add Wi-Fi. I will need to find what dual band USB adapters would work with this image, they mention Atheros.

He's now charging for basic functionality? Grand.

DD-WRT is a dead end project. Just don't go there.

[Miti]

I don’t get it. What do you mean by basic functionality?

[Monkeh]

I don’t get it. What do you mean by basic functionality?

Uh, wifi?

[Miti]

Read again please.

[Monkeh]

Read again please.

pay 20 euros for the registered version to add Wi-Fi.

Read again, still says 'pay for wifi'. This is basic functionality (as is allowing over 4096 states).

Now, to be fair, some other options also charge for AP capability, but those tend to bring more to the table. Like clear websites, documentation, support staff who speak English, hardware platforms to go with their OS.. An actual release in the last 12 years..

And all of this comes on top of the fantasy of using some cheap USB dongles and expecting to get a good AP out of the solution.

[retiredcaps]

I see that Openwrt and DD-WRT have X86 images and I incline towards DD-WRT since is more...NOOB friendly,

Openwrt is menu driven with luci interface.  It's like any other menu based system.

[retiredcaps]

The best price I found for an R7000 on Kijiji is $70 CAD. Still looking...

On my local kijiji, I can get a 64MB flash 64MB dram router with a recent (June 10, 2020) dd-wrt supported image for $5 CAD.  No support from open-wrt, otherwise I would be getting this router for myself.  Obviously, this is the best deal I found, but there's lots of options $20 CAD or less.

I already have enough free Cisco/Linksys routers with dd-wrt images.  My preference is openwrt.

[Monkeh]

The best price I found for an R7000 on Kijiji is $70 CAD. Still looking...

On my local kijiji, I can get a 64MB flash 64MB dram router with a recent (June 10, 2020) dd-wrt supported image for $5 CAD.  No support from open-wrt, otherwise I would be getting this router for myself.  Obviously, this is the best deal I found, but there's lots of options $20 CAD or less.

And what device is this?

[retiredcaps]

And what device is this?

Cisco/Linksys EA2700.  Specs at

https://deviwiki.com/wiki/Linksys_EA2700

dd-wrt image (June 10, 2020 image - build r43381) at

https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2020/06-10-2020-r43381/linksys-ea2700/

No openwrt support.

https://openwrt.org/toh/linksys/ea2700

[retiredcaps]

And when I say recent dd-wrt build, I mean it's been compiled recently.  I don't mean it has a recent kernel like 4.x or 5.x.  It's going to be running kernel 2.x or 3.x.

Again, my preference would be openwrt since it uses a 4.x kernel.

For now, I'm happy with my layered security defense approach and not too worried about running dd-wrt on my current free router.

If I was super concerned, I would just spend $20 CAD on an used router that supports openwrt.  I found a handful that have at least 8MB flash and 64MB DRAM (or better specs) in the $20 to $30 range.  I'm sure that I could get them for $20 or less since most of the ads have been up for 1+ month meaning no one is interested in them.

I realize that having a 4.x kernel doesn't mean it's 100% secure either.  Unknown/undiscovered bugs are always present and some patches may not be applied to the underlying hardware.

[Monkeh]

Ah, yes, impractical Broadcrap. Also N only, so no wonder it's $5.

[retiredcaps]

Cisco/Linksys EA2700.  Specs at

Just doing a project today and ran into some problems and when searching for a solution, I ran into this wrt to dd-wrt. Note, I don't keep up with all the various wifi router models and don't know all the caveats.  See below

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1069911

"Brainslayer has said of the e2500, e3200 and ea2700 that they use a shifty usb 5ghz card and he isn't going to support it."

[Miti]

Ok, I bought a Netgear R7000, paid $60 CAD for it, the best price I could find. I installed Fresh Tomato with VPN, I’m in process of (manually) transferring my settings from the old router. I tried going back and forth between Tomato and Netgear Genie, very easy process. I’ll see how it goes.

[retiredcaps]

Since your initial post, I downloaded fresh tomato source code, compiled it and loaded it on an old router and it works.  Very simple to do and it took about 20 minutes to compile on an older Core2Duo machine.

Just today and before your post, I'm downloading and trying to compile openwrt to see how it works.  Compiling and building the 2, fresh tomato and openwrt, are completely different.  Openwrt tries to be more user friendly.

PS. I picked up a Linksys EA6400 for $5.  Yes, I know it's broadcom based so I'm limited to dd-wrt if I want 802.11n, ac and 5Ghz, but I thought it was too good of deal to pass up.

I also see another $5 used router that supports openwrt (8MB DRAM, 128MB flash). The current openwrt flash size for it is 3.8MB so there's lots of room for future code.  The router and code supports 802.11n and 5Ghz, but the router doesn't support ac.

The reason why so many, IMHO, good used routers are so cheap is that more and more ISPs when they are replacing or upgrading the customer's dsl or cable CPE, the new ISP CPE are coming with wifi/router built in and customers are opting to use them instead of buying new $100 routers that support 802.11ac and 5Ghz. 

My old cable CPE didn't have wifi and router functionality.  My new cable CPE does support 802.1n, ac and 5Ghz, but I have it set to bridge mode and use my own router as I don't trust the cable provider to properly manage those settings and I have no idea what backdoors are present.

In my area, 80% the broadcast SSIDs are ISP1xxxyyyzzz, ISP2xxxyyyzzz.  So many are opting for the ISP routers and they aren't even bothering to changing the SSIDs and default passwords/keys on the front sticker of the CPE.

More on home router security since your initial post.

https://routersecurity.org/

[Miti]

Thanks for the link! Lots of good info there. Yesterday, I found another router by the side of the road. It is a Linksys E2500, 300MHz, supported by Fresh Tomato. I’m thinking I should make it wireless guest only. 

[retiredcaps]

The E2500 has the 5Ghz radio on the USB bus.  I got a E3200 for free from a friend and it also has the 5Ghz on the USB bus.

According to

https://www.linksysinfo.org/index.php?threads/linksys-e2500-v3-what-is-the-expected-throughput.72856/

The 5Ghz speed is limited because the CPU is at 99%.

The best throughput I can get is around 65Mbps in 5Ghz mode.  With nat acceleration (using bcm_nat), I can get around 82Mbps.

I don't use that much bandwidth on wifi so right now the E3200 is a backup router.

[Miti]

Finally I found the time to configure and install my new ( for me) router. Speed is good, range is... wooow.
I have a problem though. The routers’ place is close to a wireless PIR sensor for the stay zone of my alarm system. That zone is armed at night. Every time I access 5GHz network, that sensor triggers. 

[retiredcaps]

Every time I access 5GHz network, that sensor triggers. 

There's a number of settings on the 5Ghz that you can try to change.

Generically speaking, make 5Ghz only AC (instead of A/N/AC), try different channels, try changing channel width 20/40/80HT, turn on/off beam forming, etc.  I don't know what options Tomato gives you.

It would help us if you tell what alarm system you are using.

[retiredcaps]

Ok, I bought a Netgear R7000, paid $60 CAD

One R7000 just showed up in my local listings for $20 CAD.  I would get it, but then I look at the stack of backup routers that I accumulated for free and remind myself that my current bandwidth is 100Mbps and my current router and backups can handle 100Mbps.

If the R7000 didn't have the proprietary Broadcom chipset, I might actually spend the $20 CAD for it. But I already have enough of those type of routers and limited to dd-wrt firmware.

[Miti]

This POS drives me crazy! It started with good range, good speed, then it started going down. I put my phone in airplane mode over night and when I turn it back on in the morning, it doesn't even see my 5 GHz network in certain areas of the house, some not even that far from the router. I tried raising the power, disabling the beam forming, etc, with not much success. What is the radiation pattern of these antennas? How should I orient them to better cover the entire house from my basement lab? I've attached the current settings, can you recommend better settings?

[retiredcaps]

I don't know about the settings, but personally I try to use stock (or defaults).

If it worked well to begin with and degraded over time, have you tried rebooting the router to see if range and performance comes back?

If it does, a hack that I have seen some people do is to write a router script to reboot the router every night at around 3AM.

If that's not acceptable, then I would check the logs (enable them) and see if there are any obvious errors. I would also check free memory, temperature of the CPU and radio.  Running out of memory and hot temperatures can affect performance.

PS. The $20 R7000 sold quickly as I expected.