My new N66U arrived a few days ago and I am now testing it and have found a couple of issues, in both the factory 3.112 firmware and the latest 4.260.
The very first problem I encountered is its ethernet ports (all ports including WAN) aren't playing nice with NICs with Realtek RTL8169 controllers in Linux (haven't got time to test it in Windows) - link speed auto-neg always fails and the link state flip-flops frequently, and eventually the router will crash and become inaccessible even from the LAN side. The only remedy is to switch off autoneg and force 100/full duplex from the NIC side - but then that's 1/10th of the full speed. I tried the et command (equivalent to ethtool?) in the firmware to set link speed but also to no avail. The cables are all Cat6 tested, and the same NIC/cable combo negotiates perfectly with other switches and network devices. To be fair, my other Intel giga NICs have no problem whatsoever when plugged into N66U. Any chance the router is at fault here?
Granted, I proceeded to test the WAN-LAN throughput. Using iperf and Cat6 cables and NICs that have no link speed issues, I was only able to obtain approx 250Mbps in either direction and simultaneous both way transmissions when WAN NAT is off. It is rather low when compared to the various benchmarks on the net citing something like 700+ Mbps. Strangely when NAT is on, the WAN-to-LAN speed jumped to 900+ Mbps (while the other direction remained the same at ~250Mbps.) I reckon it has something to do with the LAN acceleration (not disabled). QoS and Firewall didn't seem to have any noticeable effect on throughput. The question is, how can I increase the throughput?
The last issue is the iptables rules. No matter what the "Firewall" setting is, external packets from the WAN side can be routed to any internal interface, be it LAN or WLAN. This seems like a security problem to me. This is my FORWARD chain:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 DROP all -- !br0 eth0 anywhere anywhere
0 0 DROP all -- any any anywhere anywhere state INVALID
0 0 ACCEPT all -- br0 br0 anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT
You see the default FORWARD policy is ACCEPT. Anything from eth0 (WAN) to br0 (LAN) matches no rules here and will hit ACCEPT and will leak through. Shouldn't it look more like this instead when Firewall is on? Or am I missing anything here?
iptables -P FORWARD DROP
iptables -D FORWARD ! -i br0 -o eth0 -j DROP
iptables -I FORWARD -i br0 -o eth0 -j ACCEPT
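
Added example, not part of the original post: a small Python walk of the FORWARD chain listed above under iptables first-match semantics, reporting which rule (or the chain policy) decides a new eth0-to-br0 packet before and after the three proposed commands. It models only the in/out interface and state columns shown in the listing (source, destination and protocol are all wildcards there); the function names `parse`, `verdict` and `proposed` are made up for this sketch.

```python
# Constructed input: the FORWARD chain listing quoted in the post.
LISTING = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 DROP all -- !br0 eth0 anywhere anywhere
0 0 DROP all -- any any anywhere anywhere state INVALID
0 0 ACCEPT all -- br0 br0 anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT
"""

def parse(listing):
    """Return (policy, rules) from `iptables -L FORWARD -v` style text."""
    lines = [l.split() for l in listing.splitlines() if l.strip()]
    policy = lines[0][3]                      # "Chain FORWARD (policy ACCEPT ..."
    rules = []
    for f in lines[2:]:                       # skip chain line and column header
        states = set(f[-1].split(",")) if f[-2] in ("state", "ctstate") else None
        rules.append({"target": f[2], "in": f[5], "out": f[6], "states": states})
    return policy, rules

def iface_match(pattern, iface):
    if pattern == "any":
        return True
    if pattern.startswith("!"):               # negated interface match
        return iface != pattern[1:]
    return iface == pattern

def verdict(policy, rules, in_if, out_if, state, dnat=False):
    """First matching rule wins; otherwise the chain policy applies."""
    flags = {state} | ({"DNAT"} if dnat else set())
    for n, r in enumerate(rules, 1):
        if not iface_match(r["in"], in_if) or not iface_match(r["out"], out_if):
            continue
        if r["states"] is not None and not (r["states"] & flags):
            continue
        return r["target"], f"rule {n}"
    return policy, "policy"

def proposed(rules):
    """Post's commands: -P DROP, -D the !br0->eth0 DROP, -I br0->eth0 ACCEPT at top."""
    kept = [r for r in rules if not (r["in"] == "!br0" and r["out"] == "eth0")]
    return "DROP", [{"target": "ACCEPT", "in": "br0", "out": "eth0", "states": None}] + kept

if __name__ == "__main__":
    policy, rules = parse(LISTING)
    print("listed chain,   eth0->br0 NEW:", verdict(policy, rules, "eth0", "br0", "NEW"))
    print("proposed chain, eth0->br0 NEW:", verdict(*proposed(rules), "eth0", "br0", "NEW"))
```

On a router, feeding the output of `iptables -L FORWARD -v` into `parse` gives the same check for whatever chain the firmware actually installed, within the limits of this simplified model.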