DD-WRT w/ Cut-Through Forwarding (CTF) for 500+ Mbps LAN-WAN

E-Man
DD-WRT User


Joined: 10 Mar 2014
Posts: 85

PostPosted: Mon Oct 03, 2016 3:44    Post subject: DD-WRT w/ Cut-Through Forwarding (CTF) for 500+ Mbps LAN-WAN
Hi,

I have always loved and been loyal to DD-WRT firmware and of course appreciate the work of the Developers who put in the time and effort to make this happen.

Recently, I subscribed to a 1Gbps internet service from my ISP and have a problem I thought I would never have - I have reached speeds which my router is not capable of transferring from LAN to WAN. As I understand, DD-WRT does not support Cut-Through Forwarding (CTF) and therefore the most I would be able to transfer is approximately 400Mbps with my R7000.

As more and more ISPs around the world are now starting to provide speeds well beyond 400Mbps, it makes me wonder what the future now holds for DD-WRT vis-a-vis Hardware Acceleration using CTF.

I wanted to ask this because as I understand, there are other 3rd party router software such as Tomato and Vortex that do indeed support CTF! Since other 3rd party router software supports CTF, why doesn't DD-WRT and what is required to enable CTF? Is there an active timeline to have DD-WRT CTF support?


Thank you.
A7Legit
DD-WRT Novice


Joined: 19 Mar 2016
Posts: 12

PostPosted: Mon Oct 03, 2016 5:00
Your best bet would be to use Tomato or Vortex; they back-port fixes and patches to older kernels, which allows CTF to work. I don't see either Brainslayer or Kong ever implementing CTF in Kernel 4.x.xx.

If I were you, I'd buy another router or flash stock firmware on your R7000 which should get you to around 800-900Mbps.

JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

PostPosted: Mon Oct 03, 2016 5:07
The other fw projects run on Linux builds using the same kernel (v2.6) as is shipped by the manufacturers, which allows them to use the closed-source CTF binary blob shipped by Asus etc. This binary is not usable by DD-WRT as DD-WRT is built on a newer Linux kernel.

This doesn't mean DD-WRT will never incorporate fastpath, but don't hold your breath.

On another note, newer router models are shipping with faster CPUs, closing the gap on Gbit via the Linux native kernel network stack.

PS: DD-WRT ran some fastpath trials about 18 months ago, but there were serious issues that put the brakes on further testing.
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 4339
Location: Germany

PostPosted: Mon Oct 03, 2016 7:13    Post subject: Re: DD-WRT w/ Cut-Through Forwarding (CTF) for 500+ Mbps LAN
E-Man wrote:
Hi,

I have always loved and been loyal to DD-WRT firmware and of course appreciate the work of the Developers who put in the time and effort to make this happen.

Recently, I subscribed to a 1Gbps internet service from my ISP and have a problem I thought I would never have - I have reached speeds which my router is not capable of transferring from LAN to WAN. As I understand, DD-WRT does not support Cut-Through Forwarding (CTF) and therefore the most I would be able to transfer is approximately 400Mbps with my R7000.

As more and more ISPs around the world are now starting to provide speeds well beyond 400Mbps, it makes me wonder what the future now holds for DD-WRT vis-a-vis Hardware Acceleration using CTF.

I wanted to ask this because as I understand, there are other 3rd party router software such as Tomato and Vortex that do indeed support CTF! Since other 3rd party router software supports CTF, why doesn't DD-WRT and what is required to enable CTF? Is there an active timeline to have DD-WRT CTF support?


Thank you.


CTF is just a hack that bypasses parts of the firewall. It is closed source and requires that an old kernel is used; it also takes away the ability to fully customize the kernel. Thus CTF is not an option, because:

-you have to use old unsupported kernels, no security fixes from upstream
-it is insecure by design as it only works if it bypasses certain firewall functionality
-it causes instability if you recompile the kernel with changed network functionality

If you need a router that can handle 1Gbps, then you should just choose the right unit. The Netgear R7800 has a different CPU architecture and allows gigabit speeds under DD-WRT without any hacks.

I'm sure Broadcom will soon have a unit that can also do it without CTF.

We tested a CTF port some time ago and removed it again as it broke some features.

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

PostPosted: Mon Oct 03, 2016 13:39
And everything that was just recapped by James & Kong has been covered, which means it can be found with the search feature.
Not trying to sound snobbish or anything, however the more the technically helpful guys answer the same questions again and again, the less time they have to answer new questions.

The whole feed you or teach you to fish thing.

_________________
Router currently owned:
Netgear R7800 - Router
Netgear R7000 - AP mode

R7000 specific Tips/Tricks.
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=264152
Xeon2k8
DD-WRT Guru


Joined: 11 Feb 2016
Posts: 1288

PostPosted: Mon Oct 03, 2016 13:42
slidermike wrote:
And everything that was just recapped by James & Kong has been covered, which means it can be found with the search feature.
Not trying to sound snobbish or anything, however the more the technically helpful guys answer the same questions again and again, the less time they have to answer new questions.

The whole feed you or teach you to fish thing.

Great closure to the topic.
E-Man
DD-WRT User


Joined: 10 Mar 2014
Posts: 85

PostPosted: Tue Oct 04, 2016 0:23    Post subject: Re: DD-WRT w/ Cut-Through Forwarding (CTF) for 500+ Mbps LAN
<Kong> wrote:
CTF is not an option, because:
-you have to use old unsupported kernels, no security fixes from upstream
-it is insecure by design as it only works if it bypasses certain firewall functionality
-it causes instability if you recompile the kernel with changed network functionality

We tested a CTF port some time ago and removed it again as it broke some features.


Hi Kong,

Thanks to everyone chiming in. Since CTF requires old unsupported kernels (2.6, etc.) without security fixes/CVEs, does that mean that the newer Netgear stock firmware (along with Tomato/Vortex) is unsafe/insecure to use because it does not have security patches/fixes installed? Or does Netgear utilize something that the DD-WRT community cannot or does not have access to?

Out of curiosity, were any core features broken when CTF was tested w/ DD-WRT? Perhaps there would be a desire for a limited-feature DD-WRT with CTF.

Thanks. @JAMESMTL @A7Legit
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

PostPosted: Tue Oct 04, 2016 1:12
Glaring / serious package security issues are backported by the manufacturers, which trickles down to Merlin & Vortex. I believe Merlin also does / did some fixes himself, but I'm not sure how active he is with these backports as Asuswrt has become more complex lately. Better to check in with him directly. I suspect the situation is similar with Tomato, but I don't really follow that project.

Kernel 2.6 is EOL, so it no longer receives upstream kernel patches.

As CTF is closed source, there have not been any security peer reviews.

If you go back in the forum, probably the mega R7000 thread, you will see a discussion among those of us who tested DD-WRT's fastpath. I, among others, experienced a serious issue with core routing, as in completely unusable, where others were able to get connectivity.
E-Man
DD-WRT User


Joined: 10 Mar 2014
Posts: 85

PostPosted: Tue Oct 04, 2016 4:26
JAMESMTL wrote:
Glaring / serious package security issues are backported by the manufacturers, which trickles down to Merlin & Vortex. I believe Merlin also does / did some fixes himself, but I'm not sure how active he is with these backports as Asuswrt has become more complex lately. Better to check in with him directly. I suspect the situation is similar with Tomato, but I don't really follow that project.

Kernel 2.6 is EOL, so it no longer receives upstream kernel patches.

As CTF is closed source, there have not been any security peer reviews.

If you go back in the forum, probably the mega R7000 thread, you will see a discussion among those of us who tested DD-WRT's fastpath. I, among others, experienced a serious issue with core routing, as in completely unusable, where others were able to get connectivity.


James, sorry ahead of time if I am misunderstanding your post. Are you saying that the manufacturers are the ones creating the majority of security fixes for the old kernel (2.6, etc.) and passing them along to the third-party software developers like Tomato? If so, then what kernel/drivers does the manufacturer (Netgear) use themselves, and why can't we, the DD-WRT community, leverage what they use in conjunction with our third-party software?

I understand that CTF is closed-source and is a black box, but still do not understand the limitation to have CTF working *if* we are provided with all of the required core components (except for closed-source code) from the manufacturer.

Sorry and thanks again.
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 4339
Location: Germany

PostPosted: Tue Oct 04, 2016 5:52
E-Man wrote:
JAMESMTL wrote:
Glaring / serious package security issues are backported by the manufacturers, which trickles down to Merlin & Vortex.


You misunderstand. It is not realistic to just backport security fixes if no upstream maintainer fixes it.

E.g. someone finds an issue in OpenSSL 1.3.x and we use 0.9.9; then it would be extremely difficult for us to first know if it affects our 0.9.9 in any way, as it could be possible that a known exploit works a bit differently. As we do not understand the code logic, we might not be able to understand if the exploit just needs a little modification.

Finally, you need to be an expert in the affected application in order to fix it in a way that is OK and does not just make things worse.

Along with that comes the fact that such a huge number of systems is stuck on a certain kernel version, which makes it very attractive to crackers: you don't have to fear that 4 weeks later your exploit does not work anymore because the kernel was updated and the issue that allowed the trick is gone.

A kernel is the core component, and it is a very complex piece of software.

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
E-Man
DD-WRT User


Joined: 10 Mar 2014
Posts: 85

PostPosted: Wed Oct 05, 2016 15:58
<Kong> wrote:
E-Man wrote:
JAMESMTL wrote:
Glaring / serious package security issues are backported by the manufacturers, which trickles down to Merlin & Vortex.


You misunderstand. It is not realistic to just backport security fixes if no upstream maintainer fixes it.

E.g. someone finds an issue in OpenSSL 1.3.x and we use 0.9.9; then it would be extremely difficult for us to first know if it affects our 0.9.9 in any way, as it could be possible that a known exploit works a bit differently. As we do not understand the code logic, we might not be able to understand if the exploit just needs a little modification.

Finally, you need to be an expert in the affected application in order to fix it in a way that is OK and does not just make things worse.

Along with that comes the fact that such a huge number of systems is stuck on a certain kernel version, which makes it very attractive to crackers: you don't have to fear that 4 weeks later your exploit does not work anymore because the kernel was updated and the issue that allowed the trick is gone.

A kernel is the core component, and it is a very complex piece of software.




Kong,

I still do not understand one main thing, which I have posted above: what does the manufacturer Netgear use in their own builds, which do have CTF?
E-Man wrote:
Since CTF requires old unsupported kernels (2.6, etc.) without security fixes/CVEs, does that mean that the newer Netgear stock firmware (along with Tomato/Vortex) is unsafe/insecure to use because it does not have security patches/fixes installed? Or does Netgear utilize something that the DD-WRT community cannot or does not have access to?


What does Netgear use/have that we do not or cannot leverage? Are they simply not providing something to third-party vendors besides the closed-source code of CTF?
E-Man
DD-WRT User


Joined: 10 Mar 2014
Posts: 85

PostPosted: Thu Oct 06, 2016 12:48
Hi @<Kong>, sorry if my question in the post above is irritating. Please let me know if you have a minute to reply.

Thanks
Nilugeator
DD-WRT Novice


Joined: 31 Jul 2016
Posts: 32

PostPosted: Thu Oct 06, 2016 14:14    Post subject: Re: DD-WRT w/ Cut-Through Forwarding (CTF) for 500+ Mbps LAN
<Kong> wrote:
Hi,


If you need a router that can handle 1Gbps, then you should just choose the right unit. The Netgear R7800 has a different CPU architecture and allows gigabit speeds under DD-WRT without any hacks.



Hi,
I have an R7800 and, as I said in the R7800 topic, with DD-WRT I can't get more than 350 Mbps on LAN or WAN.

With the original firmware: 900 Mbps (LAN and WAN, I have a Gbps provider).

I've tried both the Kong and BS releases.

Reading the R7800 thread, it appears I am really not the only one with this speed limitation.

No one answered this in the R7800 topic...

But I am happy to hear that we can reach 1 Gbps.

@Kong: could you please tell us here or in the R7800-specific thread how to reach 1 Gbps with the R7800/DD-WRT combo?

Thanks in advance
A7Legit
DD-WRT Novice


Joined: 19 Mar 2016
Posts: 12

PostPosted: Thu Oct 06, 2016 15:29    Post subject: Re: DD-WRT w/ Cut-Through Forwarding (CTF) for 500+ Mbps LAN
Nilugeator wrote:
...could you please tell us here or in the R7800-specific thread how to reach 1 Gbps with the R7800/DD-WRT combo?


I don't mean this with any disrespect, but maybe try the latest trunk LEDE build with your R7800 for those close-to-Gigabit speeds?
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 4339
Location: Germany

PostPosted: Thu Oct 06, 2016 22:11    Post subject: Re: DD-WRT w/ Cut-Through Forwarding (CTF) for 500+ Mbps LAN
Nilugeator wrote:
<Kong> wrote:
Hi,


If you need a router that can handle 1Gbps, then you should just choose the right unit. The Netgear R7800 has a different CPU architecture and allows gigabit speeds under DD-WRT without any hacks.



Hi,
I have an R7800 and, as I said in the R7800 topic, with DD-WRT I can't get more than 350 Mbps on LAN or WAN.

With the original firmware: 900 Mbps (LAN and WAN, I have a Gbps provider).

I've tried both the Kong and BS releases.

Reading the R7800 thread, it appears I am really not the only one with this speed limitation.

No one answered this in the R7800 topic...

But I am happy to hear that we can reach 1 Gbps.

@Kong: could you please tell us here or in the R7800-specific thread how to reach 1 Gbps with the R7800/DD-WRT combo?

Thanks in advance


I did not do anything specific, just connected the WAN port and ran the test.
Are you using PPPoE?
Are you measuring via a wire-connected PC?

The 350 Mbps doesn't make any sense; even the 1 GHz Broadcoms offer more throughput with DD-WRT. Thus it is most likely a test/config problem.

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
All times are GMT