Software-update: FreshTomato 2026.1

FreshTomato versie 2026.1 is uitgekomen. FreshTomato is van Tomato afgeleide firmware voor verschillende op Arm of MIPS gebaseerde routers van Asus, D-Link, Huawei, Linksys, Netgear, Tenda en Xiaomi. Het kan gezien worden als de voortzetting van 'Tomato by Shibby' sinds deze ontwikkelaar, Michał Rupental, zijn tijd aan andere projecten is gaan besteden. De FreshTomato-firmware voegt ten opzichte van de originele firmware van de fabrikant diverse extra opties toe, zoals een realtime bandbreedtemonitor en uitgebreide instelmogelijkheden. De firmware is beschikbaar voor routers met een Arm- of MIPS-cpu.

Note:

Many CVE fixes and improvements, updating is strongly recommended!

Many CVE fixes and improvements, updating is strongly recommended!

Warning:

Due to changes in the naming of some nvram variables, users of OpenVPN should:clear nvram during the update oruse this script - read the inside HOWTO first!

Due to changes in the naming of some nvram variables, users of OpenVPN should:clear nvram during the update oruse this script - read the inside HOWTO first!

clear nvram during the update or

use this script - read the inside HOWTO first!

Changes in FreshTomato 2026.1

snmp: update to 5.9.5.2ebtables: updates from upstreamlibcurl: update to 8.18.0gettext-tiny: update to 0.3.3php: update to 8.3.30libsodium: update to 1.0.21irqbalance: update to 1.9.5libsodium: update to latest 1.0.21-stablesqlite: update to 3.51.2dnsmasq: update to v2.93test4openssl: update to 3.0.19meson: update to 1.10.1libcap-ng: update to 0.9libpng: update to 1.6.54busybox: updates from upstreamusb-modeswitch: update to 2.6.2usb-modeswitch: update data package to 20251207uqmi: update to 7914da43 (2025-07-29) snapshotlibubox: update to 7928f17 (2025-12-08) snapshottor: update to 0.4.8.22expat: update to 2.7.4GUI: basic-ipv6.asp - Add option to enable/disable rapid-commit (Case: DHCPv6 PD)GUI: Status: Device List: fix sort by Lease Time (close #165)GUI: Bandwidth: Real-Time: prevent bandwidth spikes on interface counter resetsGUI: IP Traffic: Real-Time: prevent bandwidth spikes on interface counter resetsGUI: Administration: Upgrade: display current filename used to flash the routerGUI: USB and NAS: File Sharing: use drop-down list for 'Samba protocol version' instead of check boxesbuild: embed firmware filename into imagebuild: OpenVPN: rename nvram variables to free up some space there - the reduction in nvram usage is 1140 bytes (for ARM)avahi/mDNS: fix start of avahi-daemon because of stupid typo in Makefile (close #187)avahi/mDNS: fix problems with avahi-daemon once more (on ARM only)apcupsd: only install apcupsd with other files if TCONFIG_UPS is selected (close #202)stubby: fix DNSSEC trust anchor bootstrapping by using static root trust anchors instead of Zero-config DNSSECsnmpd: save pid to filesnmp: also stop snmpd during upgradewireguard: fix regression in 2025.5 when using "External - VPN Provider" type of VPN you couldn't set "Redirect Internet Traffic" to "All" if you wanted all traffic to be routed through wg, but instead had to use "Routing Policy" and "To Destination IP" set to "0.0.0.0/0"wireguard: add delay on startup with user-defined value (close #204)ntpd: increase limits (Max Memory & Max Processes)DDNS: mdu.c: get_address(): add IPv6 support, refactor (close #215)DDNS: mdu.c: enhance _http_req() with full IPv6 support and safety fixesDDNS: mdu.c: update_cloudflare(): fix memory leak and improve Cloudflare DNS record handlingBandwidth/IP Traffic: fix calculation on real-time chart (close #27)Bandwidth/IP Traffic: add interactive range selection to bandwidth charts (close #17)Update defaults.c disable telnet enable at startupmwwatchdog: improve script robustnessmwwatchdog: cktracert(): fix rx_bytes overflow in traffic detection (busybox int32 limit) (close #181)WireGuard: separate the VPN tunnel check from the normal watchdog, as the former does not work with all configurationsOpenVPN Client: separate the VPN tunnel check from the normal watchdog, as the former does not work with all configurationsopenssl-1.1: add fix for: CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795 and CVE-2026-22796IPv6 (DHCPv6 with PD): add option to adjust Identity Association for Non-temporary Addresses ID and Identity Association for Prefix Delegation IDIPv6 (DHCPv6-PD): add default route ::/ with gateway if provided by the user (Metric 8192)Use snprintf for buffer safety in connect_pppol2tphttpd: bwm.c: use uint64_t for tx/rx in asp_iptmon(); cosmetichttpd: usb.c: fix critical bugs in asp_usbdevices()porthealth: add port health servicenginx: delay on startup with user-defined delaycstats: refactor: replace string literals with path constantscstats: improve buffer validation (snprintf)cstats: use safe/proper daemonizationcstats: use direct compression to .gz filecstats: introduce MAX_NODES for memory protection and add free_all_nodes() to clean up tree memory on --new and shutdowncstats: improve buffer handling (strlcpy/strlcat)cstats: use zlib if availablerstats: fix memory management issue - free only on successful allocationrstats: refactor: replace string literals with path constantsrstats: improve buffer validation (snprintf); cosmeticrstats: use memcpy instead of for looprstats: use memmove instead of memcpyrstats: use zlib if availablerstats: prepare for 64 bit countersrstats: user safe/proper daemonizationrstats: improve buffer handling (strlcpy/strlcat)rstats: add 24-hour history persistence to custom pathsrc: ddns.c: fix typo in update() functionrc: ppp.c: function ipup_main() - use safe_getenv()rc: dhcp.c: function dhcpc_event_main() - check ifname before using it (NULL)rc: dhcp.c: function dhcpc_event_main() and bound() - speed up (again) if the correct prefix (ifname) is foundrc: interface.c: function route_manip() - check pointer before using it (NULL)rc: snmp.c: use serialize_restart() to start/stop daemon, always remove pid file on stoprc: nginx.c: always remove child pid on nginx stop; cosmeticrc: wireguard.c: fix concurrency issuesrc: mysql.c: use _exit() instead of exit() to terminate the childrc: nginx.c: use _exit() instead of exit() to terminate the childrc: transmission.c: use _exit() instead of exit() to terminate the childshared: misc.c: refactor connect_timeout()shared: files.c: increase file path buffer size in f_write_procsysnet()www: vpn-[client|wireguard].asp: fix note about Kill Switchwww: status-devices.asp: fix javascript error when image is built without Network Discoverywww: tomato.js: anon_update(): use rel="external" instead of class="new_window" because on some pages eventHandler() is not added in init()www: admin-[bwm|iptraffic].asp: avoid reloading the page while savingwww: nas-usb.asp: avoid reloading the page while saving; cosmeticwww: tomato.js: wikiLink(): add title to linkswww: advanced-adblock-v2.asp: initialize variables before use, reset them when they are no longer needed, do not allow re-query when the previous one is still activewww: add grid backup and restore functionality to selected pageswww: tomato.js - allows for placeholder to work on password fields

snmp: update to 5.9.5.2

ebtables: updates from upstream

libcurl: update to 8.18.0

gettext-tiny: update to 0.3.3

php: update to 8.3.30

libsodium: update to 1.0.21

irqbalance: update to 1.9.5

libsodium: update to latest 1.0.21-stable

sqlite: update to 3.51.2

dnsmasq: update to v2.93test4

openssl: update to 3.0.19

meson: update to 1.10.1

libcap-ng: update to 0.9

libpng: update to 1.6.54

busybox: updates from upstream

usb-modeswitch: update to 2.6.2

usb-modeswitch: update data package to 20251207

uqmi: update to 7914da43 (2025-07-29) snapshot

libubox: update to 7928f17 (2025-12-08) snapshot

tor: update to 0.4.8.22

expat: update to 2.7.4

GUI: basic-ipv6.asp - Add option to enable/disable rapid-commit (Case: DHCPv6 PD)

GUI: Status: Device List: fix sort by Lease Time (close #165)

GUI: Bandwidth: Real-Time: prevent bandwidth spikes on interface counter resets

GUI: IP Traffic: Real-Time: prevent bandwidth spikes on interface counter resets

GUI: Administration: Upgrade: display current filename used to flash the router

GUI: USB and NAS: File Sharing: use drop-down list for 'Samba protocol version' instead of check boxes

build: embed firmware filename into image

build: OpenVPN: rename nvram variables to free up some space there - the reduction in nvram usage is 1140 bytes (for ARM)

avahi/mDNS: fix start of avahi-daemon because of stupid typo in Makefile (close #187)

avahi/mDNS: fix problems with avahi-daemon once more (on ARM only)

apcupsd: only install apcupsd with other files if TCONFIG_UPS is selected (close #202)

stubby: fix DNSSEC trust anchor bootstrapping by using static root trust anchors instead of Zero-config DNSSEC

snmpd: save pid to file

snmp: also stop snmpd during upgrade

wireguard: fix regression in 2025.5 when using "External - VPN Provider" type of VPN you couldn't set "Redirect Internet Traffic" to "All" if you wanted all traffic to be routed through wg, but instead had to use "Routing Policy" and "To Destination IP" set to "0.0.0.0/0"

wireguard: add delay on startup with user-defined value (close #204)

ntpd: increase limits (Max Memory & Max Processes)

DDNS: mdu.c: get_address(): add IPv6 support, refactor (close #215)

DDNS: mdu.c: enhance _http_req() with full IPv6 support and safety fixes

DDNS: mdu.c: update_cloudflare(): fix memory leak and improve Cloudflare DNS record handling

Bandwidth/IP Traffic: fix calculation on real-time chart (close #27)

Bandwidth/IP Traffic: add interactive range selection to bandwidth charts (close #17)

Update defaults.c disable telnet enable at startup

mwwatchdog: improve script robustness

mwwatchdog: cktracert(): fix rx_bytes overflow in traffic detection (busybox int32 limit) (close #181)

WireGuard: separate the VPN tunnel check from the normal watchdog, as the former does not work with all configurations

OpenVPN Client: separate the VPN tunnel check from the normal watchdog, as the former does not work with all configurations

openssl-1.1: add fix for: CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795 and CVE-2026-22796

IPv6 (DHCPv6 with PD): add option to adjust Identity Association for Non-temporary Addresses ID and Identity Association for Prefix Delegation ID

IPv6 (DHCPv6-PD): add default route ::/ with gateway if provided by the user (Metric 8192)

Use snprintf for buffer safety in connect_pppol2tp

httpd: bwm.c: use uint64_t for tx/rx in asp_iptmon(); cosmetic

httpd: usb.c: fix critical bugs in asp_usbdevices()

porthealth: add port health service

nginx: delay on startup with user-defined delay

cstats: refactor: replace string literals with path constants

cstats: improve buffer validation (snprintf)

cstats: use safe/proper daemonization

cstats: use direct compression to .gz file

cstats: introduce MAX_NODES for memory protection and add free_all_nodes() to clean up tree memory on --new and shutdown

cstats: improve buffer handling (strlcpy/strlcat)

cstats: use zlib if available

rstats: fix memory management issue - free only on successful allocation

rstats: refactor: replace string literals with path constants

rstats: improve buffer validation (snprintf); cosmetic

rstats: use memcpy instead of for loop

rstats: use memmove instead of memcpy

rstats: use zlib if available

rstats: prepare for 64 bit counters

rstats: user safe/proper daemonization

rstats: improve buffer handling (strlcpy/strlcat)

rstats: add 24-hour history persistence to custom paths

rc: ddns.c: fix typo in update() function

rc: ppp.c: function ipup_main() - use safe_getenv()

rc: dhcp.c: function dhcpc_event_main() - check ifname before using it (NULL)

rc: dhcp.c: function dhcpc_event_main() and bound() - speed up (again) if the correct prefix (ifname) is found

rc: interface.c: function route_manip() - check pointer before using it (NULL)

rc: snmp.c: use serialize_restart() to start/stop daemon, always remove pid file on stop

rc: nginx.c: always remove child pid on nginx stop; cosmetic

rc: wireguard.c: fix concurrency issues

rc: mysql.c: use _exit() instead of exit() to terminate the child

rc: nginx.c: use _exit() instead of exit() to terminate the child

rc: transmission.c: use _exit() instead of exit() to terminate the child

shared: misc.c: refactor connect_timeout()

shared: files.c: increase file path buffer size in f_write_procsysnet()

www: vpn-[client|wireguard].asp: fix note about Kill Switch

www: status-devices.asp: fix javascript error when image is built without Network Discovery

www: tomato.js: anon_update(): use rel="external" instead of class="new_window" because on some pages eventHandler() is not added in init()

www: admin-[bwm|iptraffic].asp: avoid reloading the page while saving

www: nas-usb.asp: avoid reloading the page while saving; cosmetic

www: tomato.js: wikiLink(): add title to links

www: advanced-adblock-v2.asp: initialize variables before use, reset them when they are no longer needed, do not allow re-query when the previous one is still active

www: add grid backup and restore functionality to selected pages

www: tomato.js - allows for placeholder to work on password fields

Source: Tweakers.net