Firmware update: FreshTomato 2026.2
FreshTomato version 2026.1 has been released. FreshTomato is Tomato-derived firmware for various Arm- or MIPS-based routers from Asus, D-Link, Huawei, Linksys, Netgear, Tenda and Xiaomi. It can be seen as the continuation of 'Tomato by Shibby', since that developer, Michał Rupental, moved on to spend his time on other projects. Compared with the manufacturer's original firmware, FreshTomato adds various extra options, such as a real-time bandwidth monitor and extensive configuration options. The firmware is available for routers with an Arm or MIPS CPU.
FreshTomato 2026.2

Note: Many fixes and improvements (for ex.: mwwatchdog), updating is strongly recommended!

- tinc: update to 1.1pre18-6707f23 (2026-04-06)
- nginx: update to 1.30.0
- iperf: update to 3.21
- libexif: update to 0.6.26
- libsodium: update to 1.0.22
- libxml2: update to 2.15.3
- nano: update to 9.0
- meson: update to 1.11.0
- libpng: update to 1.6.58
- libcap-ng: update to 0.9.3
- sqlite: update to 3.53.0
- openssl: update to 3.0.20
- libubox: update to 8156338 (2026-03-16) snapshot
- libcurl: update to 8.19.0
- libid3tag: update to 0.16.4
- conntrack-tools: update to 1.4.9
- libnetfilter_conntrack: update to 1.1.1
- xl2tpd: update to 1.3.20
- zlib: update to 1.3.2
- udpxy: update to 1.0-25.2
- nettle: update to 4.0
- wireguard-tools: update to 1.0.20260223
- dnsmasq: update to 2.93test9
- openvpn: update to 2.7.1
- libiconv: update to 1.19
- tor: update to 0.4.9.6
- expat: update to 2.7.5
- libjpeg-turbo: update to 3.1.4.1
- ebtables: fix from the upstream
- rom: update CA bundle to 2026-03-19
- GUI: Random Password improvement
- GUI: Status: Logs: add clear search icon to syslog filter input
- build: move OVPN_CLIENT_COUNT, OVPN_SERVER_COUNT and WG_INTERFACE_COUNT to libshared
- httpd: fix web_read_x() return semantics
- httpd: upgrade.c: harden firmware upgrade path (wi_upgrade/wo_flash)
- httpd: config.c: flush filesystem before serving reboot page
- httpd: config.c: fix wi_restore() POST handling and temp file usage
- httpd: nocat.c: fix unsafe boundary handling in wi_uploadsplash()
- httpd: webio.c: improve web_read() error and EOF handling
- httpd: bwm.c: fix missing error handling in wi_statsrestore()
- httpd: upgrade.c: fix mkstemp() misuse in wi_upgrade()
- httpd: httpd.c: harden skip_header() length handling
- httpd: fix fd handling in wo_backup()
- httpd: tomato.c: harden _execute_command() temp file handling
- httpd: webio.c: add output limit to _web_putfile()
- httpd: httpd.c: harden do_file() file handling
- httpd: tomato.c: define OVPN/WG variable types at compile time via preprocessor
- httpd: misc.c: add a special mode to the asp_psup() function to return the status for all defined services at once
- httpd: ddns.c: fix XSS, null deref, and timestamp escaping
- httpd: log.c: fix memory leak, XSS, path traversal, and grep injection
- libshared: files.c: fix partial write handling in f_write()
- libshared: shutils.c: improve readability in _eval()
- libshared: defaults.c: generate OVPN/WG entries at compile time via preprocessor
- libshared: default.c: fix wgX_tunchk names
- implement link state persistence in robocfg
- porthealth: fix for nvram variable and defaults
- mwwatchdog: rewrite findHost, remove timeout(), add IPv6 support
- mwwatchdog/OpenVPN/wireguard: avoid adding temporary routes from mwwatchdog used for WAN checking to OpenVPN/wireguard in PBR mode
- mwwatchdog: fix DNS filtering, timeout behaviour and cktracert RESULT variable
- update advanced-adblock-v2.asp and adblock-v2 script to latest version
- dnscrypt-proxy: update download url and resolvers csv file
- DDNS: mdu.c: improve get_option() to ensure robust configuration analysis
- OpenVPN: disable compression in builds
- usb_modeswitch: add ZTE MF833U1
- usb_modeswitch: add Huawei E5785
- openssl-1.1: add fix for: CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390
- OpenVPN: change how ovpn variables are retrieved from nvram; iterate over OVPN_CLIENT_COUNT/OVPN_SERVER_COUNT in nvram.c; iterate over MAX_BRIDGE_ID in asp scripts
- OpenVPN/wireguard: add dedicated IP to check the tunnel
- others: adblock-v2: exclude wireguard endpoints
- others: adblock-v2: fix server addresses for OpenVPN
- others: Makefile: clean scripts also for ARM branch
- wireguard: increase allowed Poll Interval to 99 seconds
- wireguard: change how wg variables are retrieved from nvram; iterate over WG_INTERFACE_COUNT in nvram.c
- rc: add NVRAM variable migration for renamed OpenVPN settings on firmware upgrade
- rc: convert OpenVPN vpnsX_plan to bitmask and migrate legacy variables
- rc: suspend multi-wan-watchdog during PPP connection setup
- rc: network.c: fix lan_ifname memory leak in start_lan()
- rc: openvpn.c: fix IP to check in watchdog
- rc: openvpn.c: change log level to ERROR in some places
- rc: openvpn.c: write_ovpn_dnsmasq_config(): num -> cur in a few missed places
- rc: openvpn.c: write_ovpn_dnsmasq_config(): fix .conf sscanf pattern, replace strtok with strtok_r, fix interface number validation
- rc: openvpn.c: harden watchdog script and interface state checks
- rc: openvpn.c: simplify code, use strlcpy() instead of strncpy(), do not clear the buffer unless necessary
- rc: openvpn.c: fix CCD client entries being silently truncated for server instances
- rc: usb.c: leftover nvram change from usb_xhci to usb_usb3
- rc: wireguard.c: add custom message to run_cmd in shell start script
- rc: wireguard.c: refactor routing control and improve robustness
- rc: wireguard.c: replace_in_file(): change log levels
- rc: wireguard.c: add_domain(): check for empty domain, normalize dnsmasq wildcard format, change log levels
- rc: wireguard.c: improve update_dnsmasq_ipset() performance and robustness
- rc: wireguard.c: harden watchdog script and interface state checks
- rc: wireguard.c: Insert firewall rules instead of appending. Also add a prerouting rule in case DMZ is being used
- rc: wireguard.c: start_wireguard(), stop_wireguard(): fix port/fwmark init after fork, fix fwmark scope, fix firewall teardown order, simplify function signatures
- rc: wireguard.c: start_wireguard(): fix unchecked strdup return value for peers
- rc: wireguard.c: wg_route_peer_allowed_ips(): fix unchecked strdup return values, fix misleading loop guard, remove redundant NULL checks
- rc: wireguard.c: wg_set_iface_addr(): fix unchecked strdup return value, fix misleading loop guard, remove redundant NULL checks
- rc: wireguard.c: wg_build_routing(): fix silent fopen failure, memory leak, strdup return value unchecked, remove unused parameter, add rules counter logging
- rc: wireguard.c: write_wg_dnsmasq_config(): fix sscanf pattern matching all files, replace strtok with strtok_r, fix interface number validation
- rc: wireguard.c: wg_quick_iface(): fix fd leak and execution after fopen failure
- rc: wireguard.c: replace_in_file(): fix temp file path construction
- rc: wireguard.c: add_domain(): fix capacity corruption on realloc failure, add sentinel, improve error handling
- rc: wireguard.c: update_dnsmasq_ipset(): fix bugs and improve robustness
- www: VLAN/ethernet: add ethernet-icon.js, update to advanced-vlan.asp and status-overview.asp
- www: add svg icon to 'Continue' button for Advanced themes
- www: advanced-misc.asp: one version for ARM and MIPS branch
- www: advanced-vlan.asp: clear tagged ports when trunk override is disabled (incl. active edit)
- www: advanced-vlan.asp: simplify trunk enforcement logic
- www: advanced-vlan.asp: restore trunk VLAN enforcement in GUI
- www: advanced-wlanvifs.asp: one version for ARM/MIPS branch
- www: advanced-wlanvifs.asp: update notes in Security form
- www: advanced-themes: fix padding for select and checkbox
- www: ethernet-icon.js: minimize size
- www: tomato.js: add case 'display' to handle span rendering
- www: tools-survey.asp: fix WiFi survey graph X-axis labels not visible in Firefox
- www: tools-survey.asp: add support for Advanced themes, other fixes
- www: tools-survey.asp - upgrade to v2.01
- www: vpn-wireguard.asp: iterate over MAX_BRIDGE_ID for bridges
- www: vpn-wireguard.asp: simplify variable creation
- www: vpn-wireguard.asp: add a warning to Scripts tab
- www: vpn-wireguard.asp: update note for Poll Interval
- www: vpn-client.asp: update note for Poll Interval
- www: vpn-[client|wireguard].asp: limit the Routing Policy table to 60 entries
- www: vpn-server.asp: fix broken "Generate DH Params", "Generate client config", and "Generate static key" buttons
- www: wireless.js: fix condition in refreshChannels()
Source:
Tweakers.net