cool, but will it have this nat fast driver?
No the fast nat driver is missing functionality, I have extracted some info about fast nat:
Fast-NAT is generally called by this name since it is much faster than the netfilter NAT code. It doesn't keep track of connections, and this is both its main pro and con. Connection tracking takes a lot of processor power, and hence it is slower, which is one of the main reasons that the Fast-NAT is faster than Netfilter-NAT. As we also said, the bad thing about Fast-NAT is that it doesn't track connections, which means it will not be able to do SNAT very well for whole networks, neither will it be able to NAT complex protocols such as FTP, IRC and other protocols that Netfilter-NAT is able to handle very well.
This means that a couple of features dd-wrt offers would be unavailable. The original netgear firmware does not have these features and therefore does not suffer from this. Tomato had to disable the fast-nat module again since they found out that it will break some Tomato features as well.
Well I know for sure that the Netgear firmware (using Fast-NAT) is much faster even for complex protocols such as FTP since this was what I tried first. I suppose FTP is implemented as a separate proxy if the NAT module can't handle it.
SNAT is a vendor specific abbreviation (S might stand for Source, Secure, Stateful or Softwires) so it's a bit difficult to know what the problem is, but since we are talking open source here I assume you are referring to the IETF definition (Softwires) and in that case it should only be a problem to a very limited group of people.
The fast-nat will definitely break L7 filters, since they need connection tracking. QoS and VPN daemon have problems according to Tomato sources. These are all features the Netgear Firmware does not have.
Well. These are all features I don't seem to need either. However, since I only got a 20/20Mbit line it won't matter that much. But I critically need DynDNS, udpxy supported installation for IPTV and a Media Server or whatever it's called when you connect your external HD to your router to stream .AVI to another location without the need to run your own apache server or Orb 2.x on a physical computer that is always on. I believe all this is supported by you, right?
I just tried your latest build Kong.
http://www.desipro.de/ddwrt/dd-wrt-usb-ftp-samba3-dlna-O2-v24-K26-broadc...
And it's even faster!! Great work!
Did you tune it for mips32r2?
I also tried to disable everything under VPN passthrough which made it possible to squeeze even more throughput out of it :)
Hi bosa,
nope I didn't try mips32r2 yet. But to compile minidlna I had to move from dd-wrt's toolchain to my own toolchain with a new uclibc:-)
Ok! So there may even be some more speed to gain there then
I noticed that the latest tomato firmware I tried (Tomato v1.28 without fast-nat) had MIPSR2 in the filename and since it's faster than the regular DD-WRT builds (although not as fast as your optimized build) the R2 optimization may be part of the explanation.
Bosa: since you are testing all that stuff. How do you know if netgear is set to half or full duplex? Where do you set this up? As I'm seeing some weird behavior. When I'm downloading my UL drops to practically zero with utorrent. I'm running bridge mode with router. Lan to Lan cable and pppoe sessions out of windows so theoretically bypasses router's NAT and everything, should be just a switch right? So will this still affect the 100/100Mbit performance when I use it as pass through only with windows pppoe?
It never behaved that way when I only had the modem connected so I'm assuming the router can't handle the speed. 100Mbit or it is in half bridge since either one way it goes full 10MByte/s
Still on original firmware if it matters.
alright I just checked the status
WAN 100M/Full 4272768899 4252447614 0 43970 17151 15:00:49
LAN1 1000M/Full 22568243 43306969 0 34710 74620 15:33:00
LAN2 100M/Full 03:18:51
I guess this means it's running in 100Mbit full duplex. Why the wired speed drop then?
The problems with duplex settings on interfaces occur when one end of the cable thinks it is running at half duplex while the other thinks it's running at full duplex.
The best way to find a duplex conflict on a Unix/Linux system is to run "netstat -i" and check for Oerrs (Solaris) or TX-ERR (Linux), they should normally be 0 or close to 0. But unfortunately the netstat command in DD-WRT I'm running does not have the -i flag so I guess the best way to check it is to run (on DD-WRT at least):
in a wide window and check for Transmit errs.
If that is the case you may get the problems you are having. One way to troubleshoot this is to try different duplex settings if that is possible in Netgear firmware.
Another way of troubleshooting could be to connect a switch (preferably with some kind of speed/duplex leds) between the WAN interface of the router and the "ISP WAN cable" to see if that helps.
Regarding my tests: All interfaces are always running at 1000Mbps full duplex. The full/half duplex results refer to if data is transferred in one direction at a time (like when you download a file using http) or both directions simultaneously (like when you use a bittorrent software); it has nothing to do with interface settings.
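The transmit-error check described in the post above, as an added example that is not part of the original thread. It assumes the counters are read from `/proc/net/dev` on a Linux-based router, and it goes slightly beyond the post by also reporting collisions and receive frame errors, the other counters that usually rise with a duplex conflict. The function name `check_duplex`, the sample counters and the interface names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag interfaces whose /proc/net/dev counters look like a
# duplex conflict (transmit errors, collisions, receive frame errors).

# Constructed sample in /proc/net/dev layout (values are not from the thread).
SAMPLE_DEV='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    4096      32    0    0    0     0          0         0     4096      32    0    0    0     0       0          0
  eth0:91234567  650000    0    0    0     0          0         0 81234567  600000    0    0    0     0       0          0
 vlan2:51234567  400000  212    0    0   198          0         0 41234567  350000 5120    0    0  4870       0          0'

# check_duplex [min_permille]
# Reads /proc/net/dev text on stdin. Prints one line per interface whose
# (tx errs + collisions) per 1000 transmitted packets reaches min_permille
# (default 1), or which has any receive frame errors.
check_duplex() {
    awk -v thr="${1:-1}" '
    NR <= 2 { next }                  # skip the two header lines
    {
        sub(/:/, " ")                 # older kernels print "eth0:1234" fused
        name    = $1
        rxframe = $7  + 0             # receive framing/CRC errors
        txpkt   = $11 + 0
        txerr   = $12 + 0             # the "Transmit errs" column
        colls   = $15 + 0
        if (txpkt == 0) next          # idle interface, nothing to judge
        permille = int((txerr + colls) * 1000 / txpkt)
        if (permille >= thr + 0 || rxframe > 0)
            printf "%s tx_errs=%d colls=%d rx_frame=%d bad_permille=%d\n",
                   name, txerr, colls, rxframe, permille
    }'
}

# On a live router: check_duplex < /proc/net/dev
printf '%s\n' "$SAMPLE_DEV" | check_duplex
```

An empty result means no interface crossed the threshold; counters are cumulative since boot, so compare two runs taken during a transfer before drawing conclusions.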
Well, the above stats are from Netgear's firmware under status report. So it is full duplex. Maybe the router is just too weak to handle 100/100Mb but since it's all on pppoe. Exactly 5 times pppoe. I dunno.
I think you are missing my point. The problem is if you are running at full duplex and your ISP at half duplex. So the fact that your interface is showing Full duplex is no guarantee that everything is OK.
I guess all ISPs have their remote interfaces set to Auto, but if the negotiation for some reason would fail and you get a duplex conflict on the WAN link you will have lots of problems.
It's however rather unlikely for this to happen so there may well be other reasons for this. I have not done any testing with PPPoE...
I see, and it's a fiber optic modem so I don't think it's running in half duplex. Maybe I need to try with just one pppoe session which is 20/20Mbit. With that said, if it runs at 20/20 in utorrent at the same time. The question about full or half is solved, right?
Please help me to understand this practically now.
One thing I still don't get about half and full duplex. I know the theory is that half transfers only in one direction at a time. But how can this work actually.
Right now I'm connected with one single PPPOE session which is exactly 20/20MBit. Now Utorrent is steady transferring at 2.3MByte/s down and 2.1MByte/s up at the same time. Testing it right now.
Can you read any data from this now? Because the way I understand it, this can't be anything else than full duplex. Right?
No it can still be half duplex on the 100Mbps interface as long as it's just 20/20Mbps, if you go above 50/50Mbps it has to be full duplex.
If you receive a package on a half duplex interface the computer has to wait until the data is received before it can send anything on the interface. So with 20/20 it will receive data 20% of the time and send data 20% of the time and be idle 60% of the time.
If it's full duplex the computer can send while receiving data, that's why a 100/100Mbps full duplex interface sometimes is referred to as 200Mbps.
I see. So meaning I have to run at least 2x PPPOE 20/20 full speed in both directions to actually find out if the 100Mbps interface is full or half duplex.
I was able to have that without the router easy.
Interface is 100MBit http://www.shrani.si/f/1r/Og/4k6vW7DC/utorrent3.jpg
This is a confirmed full duplex connection. 5x PPPOE 20/20 sessions on one 100MBit interface.
But with this router I can go 10MB/s down easy also. Up is a lot harder. Don't think I hit above 7.1MB/s yet.
However I wasn't able to do 7 / 10 as on the picture yet.
Will give it a go tomorrow again with some high profile torrent hopefully. But the original firmware should be able to do this?
Since the Netgear reports full duplex you may NOT be running at half duplex.
You are either running at full duplex OR you have a duplex conflict.
A duplex conflict (as described earlier) is far worse than running at half duplex and I doubt that you could even get 20/20 through a duplex conflict so my conclusion is that you are running at full duplex.
I will try to set the network card to forced half duplex to see if netgear info changes at all and if speed drops or something. However I see now that it reached 9MB/s of upload. So at least in one direction it goes full speed or at least the speed it went without the router.
I couldn't get it to more than 12-13% on the 1Giga lan interface when ul and dl in both directions. These are signs of half duplex then.
Next test. I limited the download to 7 and ul unmanaged and got 15-16% out.
Either it's half duplex or the download speed slows down the upload.
I set it now to 100MBit half duplex and it didn't go over 80%. So that's even slower than the before 15% on 1Gigabit LAN. Download didn't go over 900kB/s at all whilst upload was at about 8MByte/s. However I did notice that the download was getting up really really slow and download dropping. This would confirm again that it actually was working on full duplex the whole time before but the limitation is elsewhere. Probably router.
I tested the network card in 100 half now and noticed that it rarely goes over 80% of the interface. When I changed back to full, the network card was always at 100%. So it had to be combined more than 100MBit. So modem is actually full duplex 100MBit. 8.2/8.1MB/s in that test.
Now done a test with the router and same amount of torrents and don't think there is any noticeable difference really.
I hope DD-WRT or Tomato won't degenerate this any further.
Hi,
Yes the new Tomato is indeed faster than the previous one (although not close to the old fast_nat version).
One interesting thing with Tomato is that only the send speed drops if you send and receive at the same time, the receive speed is always about the same.
Here's a summary of all the versions I have tested:
Most interesting, it seems that Tomato USB v1.27 9047 (Beta 16) was around double the speed of the latest release. That's a big drop in throughput!
hi m8
The tomato beta16 used FastNAT (it was fast, yes), it didn't work so good with smb and openvpn.
Sorry.. Double post.
This is an interesting thread but not that updated today. Is there any firmware today that is anywhere near the throughput of fast_nat enabled versions? I was planning to maybe buy a WNR3500L router but since I have a 250/250Mbit connection I would like a little bit more throughput with custom firmware than you were able to achieve with the tweaks in this thread.
Hi djmoonshine,
I fear you are out of luck here, even the faster wndr3700 will have trouble routing the traffic of a 250/250 line.
Even if they can handle it with the default config, as soon as you switch on some features like fw logging or other services that consume cpu time, the speed will drop.
Basically there is no consumer router right now that can handle such speeds easily. You would need professional equipment like:
http://routerboard.com/pricelist.php?showProduct=91
But that's pricey
Great thread. Anyone have any insight into who originally developed fast_nat and will fixes be implemented in it or diff firmwares to fix the above mentioned problems? The performance difference is so huge it can't be passed up. Any time frame on the fixes?
For the 250/250 line problem, you could always run a virtual appliance on a vmware whitebox server. The Vyatta gateway appliance is free with registration and it claims forwarding performance in the 10's of gb/s on the latest Intel processors. Of course this is with Fiber, Multiprocessors, etc but the possibility is there. I would guess a relatively inexpensive whitebox installation of vmware esxi & Vyatta would give more than enough performance. This would obviously be more $$ too, but maybe you have a compatible whitebox machine laying around.
Well there is at least one fairly affordable router out there that probably can handle 250/250 easily but it's not Netgear WNR3500L.
When I finally got my 100/100 mbit fiber connection I tried the different firmwares that I had tested earlier in this thread only to discover that theory is one thing but real life is a different story.
Although I could push more than 100mbit through using my benchmark software, when I hooked it up to the Internet and my son started some heavy filesharing my WNR3500L went down on its knees begging for mercy.
The first thing that happened when the router was overloaded was that it stopped responding to DNS and DHCP requests and when I finally managed to access it through the web interface I noticed that the average load was more than 6 (the past 15 minutes).
Same problems with both the latest DD-WRT (Kong) and Tomato (Toastman).
The only firmware that could handle the filesharing load without problems was Netgear original.
So I finally gave up and bought an ASUS Black Diamond instead (RT-N56U), and this router is the fastest thing I have ever seen in the SOHO segment. It has hardware accelerated NAT and my guess is that it easily can handle 500/500 Mbps.
The WNR3500L really is a nice product which gives good value for money, but it's just not the best choice if you have a really fast Internet connection, especially if you want the advanced features that are available in the open projects.
There are some interesting (and more realistic I guess) benchmarks here:
http://www.smallnetbuilder.com/lanwan/router-charts/view
Notice that the above list shows Netgear original firmware, they have also done some tests with DD-WRT:
http://www.smallnetbuilder.com/wireless/wireless-reviews/31164-lots-more-features-lots-less-performance-netgear-wnr3500l-with-dd-wrt-reviewed