Voxel Best tunnel for R7800 (HW acceleration, perfs…)

HELLO_wORLD

Very Senior Member
Now, I did a little experiment to check what is going on with the packets…
I tried to access the site from one device on the LAN (192.168.0.7), and I ran simultaneously tcpdump on the device, and on br0 and mw0 on the router.

Here are the results:

LAN DEVICE:
Code:
LAN_DEVICE ~ % tcpdump -i en0 -tnn net 151.101.0.0/16
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 192.168.0.7.49702 > 151.101.65.69.443: Flags [S], seq 349707654, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2792555536 ecr 0,sackOK,eol], length 0
IP 151.101.65.69.443 > 192.168.0.7.49702: Flags [S.], seq 1940917054, ack 349707655, win 65535, options [mss 1436,sackOK,TS val 2364860915 ecr 2792555536,nop,wscale 9], length 0
IP 192.168.0.7.49702 > 151.101.65.69.443: Flags [.], ack 1, win 2069, options [nop,nop,TS val 2792555561 ecr 2364860915], length 0
IP 192.168.0.7.49702 > 151.101.65.69.443: Flags [P.], seq 1:518, ack 1, win 2069, options [nop,nop,TS val 2792555561 ecr 2364860915], length 517
IP 151.101.65.69.443 > 192.168.0.7.49702: Flags [R], seq 1940917055, win 0, length 0
IP 192.168.0.7.49704 > 151.101.65.69.443: Flags [S], seq 111806618, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2793825812 ecr 0,sackOK,eol], length 0
IP 151.101.65.69.443 > 192.168.0.7.49704: Flags [S.], seq 4084942119, ack 111806619, win 65535, options [mss 1436,sackOK,TS val 99780230 ecr 2793825812,nop,wscale 9], length 0
IP 192.168.0.7.49704 > 151.101.65.69.443: Flags [.], ack 1, win 2069, options [nop,nop,TS val 2793825830 ecr 99780230], length 0
IP 192.168.0.7.49704 > 151.101.65.69.443: Flags [P.], seq 1:518, ack 1, win 2069, options [nop,nop,TS val 2793825830 ecr 99780230], length 517
IP 151.101.65.69.443 > 192.168.0.7.49704: Flags [R], seq 4084942120, win 0, length 0
IP 192.168.0.7.49705 > 151.101.65.69.443: Flags [S], seq 3924872707, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1041151777 ecr 0,sackOK,eol], length 0
IP 151.101.65.69.443 > 192.168.0.7.49705: Flags [S.], seq 2124022676, ack 3924872708, win 65535, options [mss 1436,sackOK,TS val 2104550973 ecr 1041151777,nop,wscale 9], length 0
IP 192.168.0.7.49705 > 151.101.65.69.443: Flags [.], ack 1, win 2069, options [nop,nop,TS val 1041151799 ecr 2104550973], length 0
IP 192.168.0.7.49705 > 151.101.65.69.443: Flags [P.], seq 1:155, ack 1, win 2069, options [nop,nop,TS val 1041151799 ecr 2104550973], length 154
IP 151.101.65.69.443 > 192.168.0.7.49705: Flags [R], seq 2124022677, win 0, length 0
IP 192.168.0.7.49706 > 151.101.65.69.443: Flags [S], seq 2678318931, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 398440232 ecr 0,sackOK,eol], length 0
IP 151.101.65.69.443 > 192.168.0.7.49706: Flags [S.], seq 1036460967, ack 2678318932, win 65535, options [mss 1436,sackOK,TS val 3060488742 ecr 398440232,nop,wscale 9], length 0
IP 192.168.0.7.49706 > 151.101.65.69.443: Flags [.], ack 1, win 2069, options [nop,nop,TS val 398440251 ecr 3060488742], length 0
IP 192.168.0.7.49706 > 151.101.65.69.443: Flags [P.], seq 1:518, ack 1, win 2069, options [nop,nop,TS val 398440251 ecr 3060488742], length 517
IP 151.101.65.69.443 > 192.168.0.7.49706: Flags [.], ack 518, win 285, options [nop,nop,TS val 3060488762 ecr 398440251], length 0
IP 151.101.65.69.443 > 192.168.0.7.49706: Flags [.], seq 1:1425, ack 518, win 285, options [nop,nop,TS val 3060488765 ecr 398440251], length 1424
IP 151.101.65.69.443 > 192.168.0.7.49706: Flags [P.], seq 1425:2849, ack 518, win 285, options [nop,nop,TS val 3060488765 ecr 398440251], length 1424
IP 151.101.65.69.443 > 192.168.0.7.49706: Flags [.], seq 2849:4273, ack 518, win 285, options [nop,nop,TS val 3060488765 ecr 398440251], length 1424
IP 151.101.65.69.443 > 192.168.0.7.49706: Flags [P.], seq 4273:5487, ack 518, win 285, options [nop,nop,TS val 3060488765 ecr 398440251], length 1214
IP 192.168.0.7.49706 > 151.101.65.69.443: Flags [.], ack 5487, win 1983, options [nop,nop,TS val 398440275 ecr 3060488765], length 0
IP 192.168.0.7.49706 > 151.101.65.69.443: Flags [.], ack 5487, win 2048, options [nop,nop,TS val 398440275 ecr 3060488765], length 0
IP 192.168.0.7.49706 > 151.101.65.69.443: Flags [P.], seq 518:611, ack 5487, win 2048, options [nop,nop,TS val 398440280 ecr 3060488765], length 93
IP 151.101.65.69.443 > 192.168.0.7.49706: Flags [R], seq 1036466454, win 0, length 0
IP 151.101.65.69.443 > 192.168.0.7.49706: Flags [R], seq 1036466454, win 0, length 0
IP 192.168.0.7.49707 > 151.101.65.69.443: Flags [S], seq 4127560428, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2238924493 ecr 0,sackOK,eol], length 0
IP 151.101.65.69.443 > 192.168.0.7.49706: Flags [R], seq 1036466454, win 0, length 0
IP 151.101.65.69.443 > 192.168.0.7.49706: Flags [P.], seq 4273:5487, ack 518, win 285, options [nop,nop,TS val 3060488819 ecr 398440251], length 1214
IP 192.168.0.7.49706 > 151.101.65.69.443: Flags [R], seq 2678319449, win 0, length 0
IP 151.101.65.69.443 > 192.168.0.7.49707: Flags [S.], seq 3352961221, ack 4127560429, win 65535, options [mss 1436,sackOK,TS val 1748180666 ecr 2238924493,nop,wscale 9], length 0
IP 192.168.0.7.49707 > 151.101.65.69.443: Flags [.], ack 1, win 2069, options [nop,nop,TS val 2238924511 ecr 1748180666], length 0
IP 192.168.0.7.49707 > 151.101.65.69.443: Flags [P.], seq 1:518, ack 1, win 2069, options [nop,nop,TS val 2238924511 ecr 1748180666], length 517
IP 151.101.65.69.443 > 192.168.0.7.49707: Flags [R], seq 3352961222, win 0, length 0
IP 192.168.0.7.49709 > 151.101.65.69.443: Flags [S], seq 1383821784, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2703958094 ecr 0,sackOK,eol], length 0
IP 151.101.65.69.443 > 192.168.0.7.49709: Flags [S.], seq 3904209256, ack 1383821785, win 65535, options [mss 1436,sackOK,TS val 1930031065 ecr 2703958094,nop,wscale 9], length 0
IP 192.168.0.7.49709 > 151.101.65.69.443: Flags [.], ack 1, win 2069, options [nop,nop,TS val 2703958113 ecr 1930031065], length 0
IP 192.168.0.7.49709 > 151.101.65.69.443: Flags [P.], seq 1:155, ack 1, win 2069, options [nop,nop,TS val 2703958113 ecr 1930031065], length 154
IP 151.101.65.69.443 > 192.168.0.7.49709: Flags [R], seq 3904209257, win 0, length 0
IP 151.101.65.69.443 > 192.168.0.7.49702: Flags [S.], seq 1940917054, ack 349707655, win 65535, options [mss 1436,sackOK,TS val 2364861945 ecr 2792555561,nop,wscale 9], length 0
IP 192.168.0.7.49702 > 151.101.65.69.443: Flags [R], seq 349707655, win 0, length 0
IP 151.101.65.69.443 > 192.168.0.7.49704: Flags [S.], seq 4084942119, ack 111806619, win 65535, options [mss 1436,sackOK,TS val 99781254 ecr 2793825830,nop,wscale 9], length 0
IP 192.168.0.7.49704 > 151.101.65.69.443: Flags [R], seq 111806619, win 0, length 0
IP 151.101.65.69.443 > 192.168.0.7.49705: Flags [S.], seq 2124022676, ack 3924872708, win 65535, options [mss 1436,sackOK,TS val 2104551987 ecr 1041151799,nop,wscale 9], length 0
IP 192.168.0.7.49705 > 151.101.65.69.443: Flags [R], seq 3924872708, win 0, length 0
IP 151.101.65.69.443 > 192.168.0.7.49707: Flags [S.], seq 3352961221, ack 4127560429, win 65535, options [mss 1436,sackOK,TS val 1748181691 ecr 2238924511,nop,wscale 9], length 0
IP 192.168.0.7.49707 > 151.101.65.69.443: Flags [R], seq 4127560429, win 0, length 0
IP 151.101.65.69.443 > 192.168.0.7.49709: Flags [S.], seq 3904209256, ack 1383821785, win 65535, options [mss 1436,sackOK,TS val 1930032090 ecr 2703958113,nop,wscale 9], length 0
IP 192.168.0.7.49709 > 151.101.65.69.443: Flags [R], seq 1383821785, win 0, length 0
^C
52 packets captured
506 packets received by filter
0 packets dropped by kernel

1/3
 

HELLO_wORLD

Very Senior Member
BR0

Code:
[email protected]:~$ tcpdump -i br0 -tnn net 151.101.0.0/16
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
IP 192.168.0.7.49702 > 151.101.65.69.443: Flags [S], seq 349707654, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2792555536 ecr 0,sackOK,eol], length 0
IP 151.101.65.69.443 > 192.168.0.7.49702: Flags [S.], seq 1940917054, ack 349707655, win 65535, options [mss 1436,sackOK,TS val 2364860915 ecr 2792555536,nop,wscale 9], length 0
IP 192.168.0.7.49702 > 151.101.65.69.443: Flags [.], ack 1, win 2069, options [nop,nop,TS val 2792555561 ecr 2364860915], length 0
IP 151.101.65.69.443 > 192.168.0.7.49702: Flags [R], seq 1940917055, win 0, length 0
IP 192.168.0.7.49704 > 151.101.65.69.443: Flags [S], seq 111806618, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2793825812 ecr 0,sackOK,eol], length 0
IP 151.101.65.69.443 > 192.168.0.7.49704: Flags [S.], seq 4084942119, ack 111806619, win 65535, options [mss 1436,sackOK,TS val 99780230 ecr 2793825812,nop,wscale 9], length 0
IP 192.168.0.7.49704 > 151.101.65.69.443: Flags [.], ack 1, win 2069, options [nop,nop,TS val 2793825830 ecr 99780230], length 0
IP 151.101.65.69.443 > 192.168.0.7.49704: Flags [R], seq 4084942120, win 0, length 0
IP 192.168.0.7.49705 > 151.101.65.69.443: Flags [S], seq 3924872707, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1041151777 ecr 0,sackOK,eol], length 0
IP 151.101.65.69.443 > 192.168.0.7.49705: Flags [S.], seq 2124022676, ack 3924872708, win 65535, options [mss 1436,sackOK,TS val 2104550973 ecr 1041151777,nop,wscale 9], length 0
IP 192.168.0.7.49705 > 151.101.65.69.443: Flags [.], ack 1, win 2069, options [nop,nop,TS val 1041151799 ecr 2104550973], length 0
IP 151.101.65.69.443 > 192.168.0.7.49705: Flags [R], seq 2124022677, win 0, length 0
IP 192.168.0.7.49706 > 151.101.65.69.443: Flags [S], seq 2678318931, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 398440232 ecr 0,sackOK,eol], length 0
IP 151.101.65.69.443 > 192.168.0.7.49706: Flags [S.], seq 1036460967, ack 2678318932, win 65535, options [mss 1436,sackOK,TS val 3060488742 ecr 398440232,nop,wscale 9], length 0
IP 192.168.0.7.49706 > 151.101.65.69.443: Flags [.], ack 1, win 2069, options [nop,nop,TS val 398440251 ecr 3060488742], length 0
IP 192.168.0.7.49706 > 151.101.65.69.443: Flags [P.], seq 1:518, ack 1, win 2069, options [nop,nop,TS val 398440251 ecr 3060488742], length 517
IP 151.101.65.69.443 > 192.168.0.7.49706: Flags [.], ack 518, win 285, options [nop,nop,TS val 3060488762 ecr 398440251], length 0
IP 151.101.65.69.443 > 192.168.0.7.49706: Flags [.], seq 1:1425, ack 518, win 285, options [nop,nop,TS val 3060488765 ecr 398440251], length 1424
IP 151.101.65.69.443 > 192.168.0.7.49706: Flags [P.], seq 1425:2849, ack 518, win 285, options [nop,nop,TS val 3060488765 ecr 398440251], length 1424
IP 151.101.65.69.443 > 192.168.0.7.49706: Flags [.], seq 2849:4273, ack 518, win 285, options [nop,nop,TS val 3060488765 ecr 398440251], length 1424
IP 151.101.65.69.443 > 192.168.0.7.49706: Flags [P.], seq 4273:5487, ack 518, win 285, options [nop,nop,TS val 3060488765 ecr 398440251], length 1214
IP 151.101.65.69.443 > 192.168.0.7.49706: Flags [R], seq 1036466454, win 0, length 0
IP 151.101.65.69.443 > 192.168.0.7.49706: Flags [R], seq 1036466454, win 0, length 0
IP 151.101.65.69.443 > 192.168.0.7.49706: Flags [R], seq 1036466454, win 0, length 0
IP 192.168.0.7.49707 > 151.101.65.69.443: Flags [S], seq 4127560428, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2238924493 ecr 0,sackOK,eol], length 0
IP 151.101.65.69.443 > 192.168.0.7.49706: Flags [P.], seq 4273:5487, ack 518, win 285, options [nop,nop,TS val 3060488819 ecr 398440251], length 1214
IP 151.101.65.69.443 > 192.168.0.7.49707: Flags [S.], seq 3352961221, ack 4127560429, win 65535, options [mss 1436,sackOK,TS val 1748180666 ecr 2238924493,nop,wscale 9], length 0
IP 192.168.0.7.49706 > 151.101.65.69.443: Flags [R], seq 2678319449, win 0, length 0
IP 192.168.0.7.49707 > 151.101.65.69.443: Flags [.], ack 1, win 2069, options [nop,nop,TS val 2238924511 ecr 1748180666], length 0
IP 151.101.65.69.443 > 192.168.0.7.49707: Flags [R], seq 3352961222, win 0, length 0
IP 192.168.0.7.49709 > 151.101.65.69.443: Flags [S], seq 1383821784, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2703958094 ecr 0,sackOK,eol], length 0
IP 151.101.65.69.443 > 192.168.0.7.49709: Flags [S.], seq 3904209256, ack 1383821785, win 65535, options [mss 1436,sackOK,TS val 1930031065 ecr 2703958094,nop,wscale 9], length 0
IP 192.168.0.7.49709 > 151.101.65.69.443: Flags [.], ack 1, win 2069, options [nop,nop,TS val 2703958113 ecr 1930031065], length 0
IP 151.101.65.69.443 > 192.168.0.7.49709: Flags [R], seq 3904209257, win 0, length 0
IP 151.101.65.69.443 > 192.168.0.7.49702: Flags [S.], seq 1940917054, ack 349707655, win 65535, options [mss 1436,sackOK,TS val 2364861945 ecr 2792555561,nop,wscale 9], length 0
IP 192.168.0.7.49702 > 151.101.65.69.443: Flags [R], seq 349707655, win 0, length 0
IP 151.101.65.69.443 > 192.168.0.7.49704: Flags [S.], seq 4084942119, ack 111806619, win 65535, options [mss 1436,sackOK,TS val 99781254 ecr 2793825830,nop,wscale 9], length 0
IP 192.168.0.7.49704 > 151.101.65.69.443: Flags [R], seq 111806619, win 0, length 0
IP 151.101.65.69.443 > 192.168.0.7.49705: Flags [S.], seq 2124022676, ack 3924872708, win 65535, options [mss 1436,sackOK,TS val 2104551987 ecr 1041151799,nop,wscale 9], length 0
IP 192.168.0.7.49705 > 151.101.65.69.443: Flags [R], seq 3924872708, win 0, length 0
IP 151.101.65.69.443 > 192.168.0.7.49707: Flags [S.], seq 3352961221, ack 4127560429, win 65535, options [mss 1436,sackOK,TS val 1748181691 ecr 2238924511,nop,wscale 9], length 0
IP 192.168.0.7.49707 > 151.101.65.69.443: Flags [R], seq 4127560429, win 0, length 0
IP 151.101.65.69.443 > 192.168.0.7.49709: Flags [S.], seq 3904209256, ack 1383821785, win 65535, options [mss 1436,sackOK,TS val 1930032090 ecr 2703958113,nop,wscale 9], length 0
IP 192.168.0.7.49709 > 151.101.65.69.443: Flags [R], seq 1383821785, win 0, length 0
^C
44 packets captured
44 packets received by filter
0 packets dropped by kernel

2/3
 

HELLO_wORLD

Very Senior Member
MW0

Code:
[email protected]:~$ tcpdump -i mw0 -tnn net 151.101.0.0/16
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on mw0, link-type LINUX_SLL (Linux cooked v1), snapshot length 262144 bytes
IP TUN_PUB_IP.49702 > 151.101.65.69.443: Flags [S], seq 349707654, win 65535, options [mss 1436,nop,wscale 6,nop,nop,TS val 2792555536 ecr 0,sackOK,eol], length 0
IP 151.101.65.69.443 > TUN_PUB_IP.49702: Flags [S.], seq 1940917054, ack 349707655, win 65535, options [mss 1436,sackOK,TS val 2364860915 ecr 2792555536,nop,wscale 9], length 0
IP TUN_PUB_IP.49702 > 151.101.65.69.443: Flags [.], ack 1, win 2069, options [nop,nop,TS val 2792555561 ecr 2364860915], length 0
IP 151.101.65.69.443 > TUN_PUB_IP.49702: Flags [R], seq 1940917055, win 0, length 0
IP TUN_PUB_IP.49704 > 151.101.65.69.443: Flags [S], seq 111806618, win 65535, options [mss 1436,nop,wscale 6,nop,nop,TS val 2793825812 ecr 0,sackOK,eol], length 0
IP 151.101.65.69.443 > TUN_PUB_IP.49704: Flags [S.], seq 4084942119, ack 111806619, win 65535, options [mss 1436,sackOK,TS val 99780230 ecr 2793825812,nop,wscale 9], length 0
IP TUN_PUB_IP.49704 > 151.101.65.69.443: Flags [.], ack 1, win 2069, options [nop,nop,TS val 2793825830 ecr 99780230], length 0
IP 151.101.65.69.443 > TUN_PUB_IP.49704: Flags [R], seq 4084942120, win 0, length 0
IP TUN_PUB_IP.49705 > 151.101.65.69.443: Flags [S], seq 3924872707, win 65535, options [mss 1436,nop,wscale 6,nop,nop,TS val 1041151777 ecr 0,sackOK,eol], length 0
IP 151.101.65.69.443 > TUN_PUB_IP.49705: Flags [S.], seq 2124022676, ack 3924872708, win 65535, options [mss 1436,sackOK,TS val 2104550973 ecr 1041151777,nop,wscale 9], length 0
IP TUN_PUB_IP.49705 > 151.101.65.69.443: Flags [.], ack 1, win 2069, options [nop,nop,TS val 1041151799 ecr 2104550973], length 0
IP 151.101.65.69.443 > TUN_PUB_IP.49705: Flags [R], seq 2124022677, win 0, length 0
IP TUN_PUB_IP.49706 > 151.101.65.69.443: Flags [S], seq 2678318931, win 65535, options [mss 1436,nop,wscale 6,nop,nop,TS val 398440232 ecr 0,sackOK,eol], length 0
IP 151.101.65.69.443 > TUN_PUB_IP.49706: Flags [S.], seq 1036460967, ack 2678318932, win 65535, options [mss 1436,sackOK,TS val 3060488742 ecr 398440232,nop,wscale 9], length 0
IP TUN_PUB_IP.49706 > 151.101.65.69.443: Flags [.], ack 1, win 2069, options [nop,nop,TS val 398440251 ecr 3060488742], length 0
IP TUN_PUB_IP.49706 > 151.101.65.69.443: Flags [P.], seq 1:518, ack 1, win 2069, options [nop,nop,TS val 398440251 ecr 3060488742], length 517
IP 151.101.65.69.443 > TUN_PUB_IP.49706: Flags [.], ack 518, win 285, options [nop,nop,TS val 3060488762 ecr 398440251], length 0
IP 151.101.65.69.443 > TUN_PUB_IP.49706: Flags [.], seq 1:1425, ack 518, win 285, options [nop,nop,TS val 3060488765 ecr 398440251], length 1424
IP 151.101.65.69.443 > TUN_PUB_IP.49706: Flags [P.], seq 1425:2849, ack 518, win 285, options [nop,nop,TS val 3060488765 ecr 398440251], length 1424
IP 151.101.65.69.443 > TUN_PUB_IP.49706: Flags [.], seq 2849:4273, ack 518, win 285, options [nop,nop,TS val 3060488765 ecr 398440251], length 1424
IP 151.101.65.69.443 > TUN_PUB_IP.49706: Flags [P.], seq 4273:5487, ack 518, win 285, options [nop,nop,TS val 3060488765 ecr 398440251], length 1214
IP 151.101.65.69.443 > TUN_PUB_IP.49706: Flags [R], seq 1036466454, win 0, length 0
IP 151.101.65.69.443 > TUN_PUB_IP.49706: Flags [R], seq 1036466454, win 0, length 0
IP 151.101.65.69.443 > TUN_PUB_IP.49706: Flags [R], seq 1036466454, win 0, length 0
IP TUN_PUB_IP.49707 > 151.101.65.69.443: Flags [S], seq 4127560428, win 65535, options [mss 1436,nop,wscale 6,nop,nop,TS val 2238924493 ecr 0,sackOK,eol], length 0
IP 151.101.65.69.443 > TUN_PUB_IP.49706: Flags [P.], seq 4273:5487, ack 518, win 285, options [nop,nop,TS val 3060488819 ecr 398440251], length 1214
IP 151.101.65.69.443 > TUN_PUB_IP.49707: Flags [S.], seq 3352961221, ack 4127560429, win 65535, options [mss 1436,sackOK,TS val 1748180666 ecr 2238924493,nop,wscale 9], length 0
IP TUN_PUB_IP.49706 > 151.101.65.69.443: Flags [R], seq 2678319449, win 0, length 0
IP TUN_PUB_IP.49707 > 151.101.65.69.443: Flags [.], ack 1, win 2069, options [nop,nop,TS val 2238924511 ecr 1748180666], length 0
IP 151.101.65.69.443 > TUN_PUB_IP.49707: Flags [R], seq 3352961222, win 0, length 0
IP TUN_PUB_IP.49709 > 151.101.65.69.443: Flags [S], seq 1383821784, win 65535, options [mss 1436,nop,wscale 6,nop,nop,TS val 2703958094 ecr 0,sackOK,eol], length 0
IP 151.101.65.69.443 > TUN_PUB_IP.49709: Flags [S.], seq 3904209256, ack 1383821785, win 65535, options [mss 1436,sackOK,TS val 1930031065 ecr 2703958094,nop,wscale 9], length 0
IP TUN_PUB_IP.49709 > 151.101.65.69.443: Flags [.], ack 1, win 2069, options [nop,nop,TS val 2703958113 ecr 1930031065], length 0
IP 151.101.65.69.443 > TUN_PUB_IP.49709: Flags [R], seq 3904209257, win 0, length 0
IP 151.101.65.69.443 > TUN_PUB_IP.49702: Flags [S.], seq 1940917054, ack 349707655, win 65535, options [mss 1436,sackOK,TS val 2364861945 ecr 2792555561,nop,wscale 9], length 0
IP TUN_PUB_IP.49702 > 151.101.65.69.443: Flags [R], seq 349707655, win 0, length 0
IP 151.101.65.69.443 > TUN_PUB_IP.49704: Flags [S.], seq 4084942119, ack 111806619, win 65535, options [mss 1436,sackOK,TS val 99781254 ecr 2793825830,nop,wscale 9], length 0
IP TUN_PUB_IP.49704 > 151.101.65.69.443: Flags [R], seq 111806619, win 0, length 0
IP 151.101.65.69.443 > TUN_PUB_IP.49705: Flags [S.], seq 2124022676, ack 3924872708, win 65535, options [mss 1436,sackOK,TS val 2104551987 ecr 1041151799,nop,wscale 9], length 0
IP TUN_PUB_IP.49705 > 151.101.65.69.443: Flags [R], seq 3924872708, win 0, length 0
IP 151.101.65.69.443 > TUN_PUB_IP.49707: Flags [S.], seq 3352961221, ack 4127560429, win 65535, options [mss 1436,sackOK,TS val 1748181691 ecr 2238924511,nop,wscale 9], length 0
IP TUN_PUB_IP.49707 > 151.101.65.69.443: Flags [R], seq 4127560429, win 0, length 0
IP 151.101.65.69.443 > TUN_PUB_IP.49709: Flags [S.], seq 3904209256, ack 1383821785, win 65535, options [mss 1436,sackOK,TS val 1930032090 ecr 2703958113,nop,wscale 9], length 0
IP TUN_PUB_IP.49709 > 151.101.65.69.443: Flags [R], seq 1383821785, win 0, length 0
^C
44 packets captured
44 packets received by filter
0 packets dropped by kernel

On the router, I do have 44 packets on both br0 and mw0, showing that the routing/forwarding is correctly working (no loss).
But on the device, I see 52 packets !
Additional lines on the device are line 3, 9, etc…
Line 3:
IP 192.168.0.7.49702 > 151.101.65.69.443: Flags [P.], seq 1:518, ack 1, win 2069, options [nop,nop,TS val 2792555561 ecr 2364860915], length 517

So it seems these packets are not being received by br0 from the device on LAN !??
Some progress, but more mysteries…
 

R. Gerrits

Senior Member
So it seems these packets are not being received by br0 from the device on LAN !??
Some progress, but more mysteries…

could it be that tcpdump is not seeing all packets that are handled by the NSS acceleration?
(as also not all traffic is always counted by iptables)
 

sfx2000

Part of the Furniture
But on the device, I see 52 packets !

fragmented packets?
retransmitted?

Going back to what I said earlier about MTU - let MTU and MSS float, by fixing values, you're forcing the issue, and that can hurt performance
 

HELLO_wORLD

Very Senior Member
fragmented packets?
retransmitted?

Going back to what I said earlier about MTU - let MTU and MSS float, by fixing values, you're forcing the issue, and that can hurt performance
MTU: I do nothing, it is what it is 1500 ethernet, 1476 GRE tunnel.

If I don't clamp the MSS, then the packets are being fragmented by the router, and the connection becomes extremely slow.
So I need to clamp it either manually to 1436 (or less), or automatically with -j TCPMSS --clamp-mss-to-pmtu
Without this, the tunnel is unusable.

Now, I am afraid @R. Gerrits is right and the accelerated TCP data flow is not hitting the Linux stack at all, even for tcpdump promiscuously listening to the interface.
This is consistent with what you sent me: https://people.netfilter.org/pablo/netdev0.1/slides/IPQ806x-Hardware-acceleration_v2.pdf
And this means I am totally stuck and that there is no solution, since I have no control over these packets… I even tried to use a qdisc ingress on ath0 and redirect to ifb0 and tcpdump it, but it seems even as early as the ingress stage, the packets are already on the invisible accelerated path.
Any way to prevent these packets from hitting the NSS? Or to figure out where this packet is going in the NSS and have it go to the right path?
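The three-point capture comparison from this thread, as an added example (not code from any poster): it diffs tcpdump text output on a key that ignores the NATed client address, so the device, br0 and mw0 captures can be compared directly, and it reads the MSS option of each outbound SYN to show where the clamp was applied. The sample lines are the port 49702 excerpts of the captures posted above; the function names are this example's own.

```python
import re
from collections import Counter

SERVER = "151.101.65.69"  # remote endpoint in the thread's captures

# Port 49702 excerpts copied from the three captures posted in the thread.
DEVICE = """\
IP 192.168.0.7.49702 > 151.101.65.69.443: Flags [S], seq 349707654, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2792555536 ecr 0,sackOK,eol], length 0
IP 151.101.65.69.443 > 192.168.0.7.49702: Flags [S.], seq 1940917054, ack 349707655, win 65535, options [mss 1436,sackOK,TS val 2364860915 ecr 2792555536,nop,wscale 9], length 0
IP 192.168.0.7.49702 > 151.101.65.69.443: Flags [.], ack 1, win 2069, options [nop,nop,TS val 2792555561 ecr 2364860915], length 0
IP 192.168.0.7.49702 > 151.101.65.69.443: Flags [P.], seq 1:518, ack 1, win 2069, options [nop,nop,TS val 2792555561 ecr 2364860915], length 517
IP 151.101.65.69.443 > 192.168.0.7.49702: Flags [R], seq 1940917055, win 0, length 0
"""
BR0 = """\
IP 192.168.0.7.49702 > 151.101.65.69.443: Flags [S], seq 349707654, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2792555536 ecr 0,sackOK,eol], length 0
IP 151.101.65.69.443 > 192.168.0.7.49702: Flags [S.], seq 1940917054, ack 349707655, win 65535, options [mss 1436,sackOK,TS val 2364860915 ecr 2792555536,nop,wscale 9], length 0
IP 192.168.0.7.49702 > 151.101.65.69.443: Flags [.], ack 1, win 2069, options [nop,nop,TS val 2792555561 ecr 2364860915], length 0
IP 151.101.65.69.443 > 192.168.0.7.49702: Flags [R], seq 1940917055, win 0, length 0
"""
MW0 = """\
IP TUN_PUB_IP.49702 > 151.101.65.69.443: Flags [S], seq 349707654, win 65535, options [mss 1436,nop,wscale 6,nop,nop,TS val 2792555536 ecr 0,sackOK,eol], length 0
IP 151.101.65.69.443 > TUN_PUB_IP.49702: Flags [S.], seq 1940917054, ack 349707655, win 65535, options [mss 1436,sackOK,TS val 2364860915 ecr 2792555536,nop,wscale 9], length 0
IP TUN_PUB_IP.49702 > 151.101.65.69.443: Flags [.], ack 1, win 2069, options [nop,nop,TS val 2792555561 ecr 2364860915], length 0
IP 151.101.65.69.443 > TUN_PUB_IP.49702: Flags [R], seq 1940917055, win 0, length 0
"""

# Matches the "tcpdump -tnn" TCP line format used in the thread.
LINE = re.compile(r"^IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\],(.*)$")


def parse(capture, server_ip=SERVER):
    """Yield (key, mss) per TCP line; the key omits the client address,
    which NAT rewrites between br0 and mw0."""
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # banner, packet counters, non-TCP output
        src, sport, dst, dport, flags, rest = m.groups()
        outbound = dst == server_ip

        def field(name):
            found = re.search(rf"\b{name} ([\d:]+)", rest)
            return found.group(1) if found else ""

        key = ("out" if outbound else "in",
               int(sport if outbound else dport),   # client port
               flags, field("seq"), field("ack"), int(field("length") or 0))
        yield key, field("mss")


def missing(upstream, downstream, server_ip=SERVER):
    """Packets seen in `upstream` but not in `downstream`. A Counter is
    used so that repeated identical packets (retransmits) are counted."""
    seen_up = Counter(k for k, _ in parse(upstream, server_ip))
    seen_down = Counter(k for k, _ in parse(downstream, server_ip))
    return sorted((seen_up - seen_down).elements())


def syn_mss(capture, server_ip=SERVER):
    """Map client port -> MSS advertised in the client's SYN."""
    return {k[1]: int(mss) for k, mss in parse(capture, server_ip)
            if k[0] == "out" and k[2] == "S"}


if __name__ == "__main__":
    print("device but not br0:", missing(DEVICE, BR0))
    print("br0 but not mw0:   ", missing(BR0, MW0))
    print("SYN MSS br0 -> mw0:", syn_mss(BR0), "->", syn_mss(MW0))
```

A packet returned by `missing(DEVICE, BR0)` left the client but never showed up in the router's capture; the same diff can be run on an IDS mirror port to check whether it sees every packet of a flow.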
 

sfx2000

Part of the Furniture
Any updates on your plans for l2tp?

remember, GRE is layer three - l2tp is layer 2 (obvious hint) - recall the switch is layer 2 (more obvious hint)
 

R. Gerrits

Senior Member
you could at least do a test and disable the NSS, to test if you then do see the same number of packets on all sides.

Or are you afraid that the mss clamping is done for the packets that flow through the NSS?
in that case also test the connection with NSS disabled. If it then is accessible, then the NSS might be the cause.

But shouldn't the iptables rules somehow sync to the NSS module? Would be strange if that module is doing different stuff than iptables itself?

btw, also interesting for your IDS project : do the tee rules in iptables also mirror packets that go via NSS?
 

HELLO_wORLD

Very Senior Member
I just ordered this (from another place): https://www.lavarma.com/soft-router...eleron_n5105/28334-color-16gb_ddr4_256gb_nvme

It supports OpenWRT, and sustains gigabit traffic easily.

L2TP: did not go further, because I was trying to have the GRE working.

I also find it strange that rules in iptables would not be reflected in the NSS acceleration.
Maybe my IDS (disabled while I am experimenting with the tunnel) is missing a few TCP packets as well…
I will see if I can disable NSS and test. Not easy when this is the main router in the house in production… Cannot meddle with it too much.

Also @sfx2000 thank you for the link, I will read this.
 

sfx2000

Part of the Furniture
Also @sfx2000 thank you for the link, I will read this.

Take a look at slide 16 and later - the flow offload portion

the rest is good reading as well - and iptables at some point are going away, replaced with nftables - openwrt 22.03 and master support nftables now, and they're actually pretty easy to work with once one gets a handle on the concepts.
 

HELLO_wORLD

Very Senior Member
Take a look at slide 16 and later - the flow offload portion

the rest is good reading as well - and iptables at some point are going away, replaced with nftables - openwrt 22.03 and master support nftables now, and they're actually pretty easy to work with once one gets a handle on the concepts.
nftables is interesting indeed. I avoided it since it is not supported in the R7800, but now I will likely learn it (it will take some adjustment since I am used to ebtables and iptables a lot).
The offload flow bypass is interesting, but I don't have much control over it, and the kernel in the firmware is < 4.16, so the implementation is specific to Netgear and unfortunately not open. This is what is preventing @Voxel from being able to use a modern kernel.
 

HELLO_wORLD

Very Senior Member
Does anyone know how to disable nss temporarily, or to force some packets/interface to not use it?

The LAN device I am trying the tunnel with is on ath0 (Wifi), so ethtool would not be helpful.
 

HELLO_wORLD

Very Senior Member
/etc/init.d/qca-nss-ecm stop
Very simple indeed! Thank you.

I will try this likely tomorrow (when the family is not too awake). It will be interesting to see if it changes anything about this problem.
 

HELLO_wORLD

Very Senior Member
Ok, the verdict:

1) with NSS ON
Speedtest through WAN via a LAN device (using ethernet)

Code:
Speedtest by Ookla

      Server: LaFibre.info BBR - Massy (id: 2231)
         ISP: K-NET SARL
Idle Latency:    28.43 ms   (jitter: 0.12ms, low: 28.40ms, high: 28.61ms)
    Download:   967.16 Mbps (data used: 1.2 GB)                                               
                201.78 ms   (jitter: 56.71ms, low: 30.47ms, high: 993.54ms)
      Upload:   935.41 Mbps (data used: 1.1 GB)                                               
                 29.32 ms   (jitter: 0.43ms, low: 26.68ms, high: 33.61ms)
Packet Loss:     0.0%

Speedtest through WAN via a LAN device (using wifi!)
Download: 627
Upload: 472

Speedtest through GRE tunnel via a LAN device NSS ON, PUBLIC IP NO (using wifi!)
Download: 183
Upload: 449
Note: in this configuration, I have the TCP problem


2) with NSS OFF
Speedtest through WAN via a LAN device (using ethernet)

Code:
Speedtest by Ookla

      Server: LaFibre.info BBR - Massy (id: 2231)
         ISP: K-NET SARL
Idle Latency:    27.57 ms   (jitter: 0.06ms, low: 27.51ms, high: 27.65ms)
    Download:   258.90 Mbps (data used: 329.9 MB)                                               
                315.76 ms   (jitter: 74.11ms, low: 27.31ms, high: 1226.10ms)
      Upload:   939.36 Mbps (data used: 1.1 GB)                                               
                 30.26 ms   (jitter: 0.57ms, low: 27.12ms, high: 32.46ms)
Packet Loss:     0.0%

Speedtest through WAN via a LAN device (using wifi!)
Download: 419
Upload: 393

Speedtest through GRE tunnel via a LAN device NSS OFF, PUBLIC IP NO (using wifi!)
Download: 237
Upload: 205
Note: in this configuration, I don't have the TCP problem



Now, I found a way to have it working with nss ON:
I just need to add this:

Code:
ip address add MY_PUBLIC_IP_THROUGH_TUNNEL/32 dev mw0

And no TCP problems through the tunnel, but here is the speedtest:
Speedtest through GRE tunnel via a LAN device NSS ON, PUBLIC IP YES (using wifi!)
Download: 68
Upload: 85

And by curiosity, using the same added address with nss OFF:
Speedtest through GRE tunnel via a LAN device NSS OFF, PUBLIC IP YES (using wifi!)
Download: 222
Upload: 230

So it seems that with NSS ON, it is a lot slower if I add the public IP address I get through the tunnel to the tunnel interface (on top of my end of the tunnel IP), but I have no TCP problems… Seems this bypasses NSS, making it work.
Strange thing is that with NSS OFF, it is way faster… So adding this address slows the NSS in that specific situation.

It is clear that NSS is the culprit. Now, is there a way to tune it and optimize the tunnel, I don't know… I don't really have the time to tweak more and I will wait for my new router to set things up.
 