Posted: Mon Oct 03, 2016 3:44 Post subject: DD-WRT w/ Cut-Through Forwarding (CTF) for 500+ Mbps LAN-WAN
Hi,
I have always loved and been loyal to DD-WRT firmware and of course appreciate the work of the Developers who put in the time and effort to make this happen.
Recently, I subscribed to a 1Gbps internet service from my ISP and have a problem I thought I would never have - I have reached speeds which my router is not capable of transferring from LAN to WAN. As I understand, DD-WRT does not support Cut-Through Forwarding (CTF) and therefore the most I would be able to transfer is approximately 400 Mbps with my R7000.
As more and more ISPs around the world are now starting to provide speeds well beyond 400 Mbps, it makes me wonder what the future now holds for DD-WRT vis-a-vis Hardware Acceleration using CTF.
I wanted to ask this because as I understand, there are other 3rd party router software such as Tomato and Vortex that do indeed support CTF! Since other 3rd party router software supports CTF, why doesn't DD-WRT and what is required to enable CTF? Is there an active timeline to have DD-WRT CTF support?
Your best bet would be to use Tomato or Vortex, they back port fixes and patches to older kernels which allows CTF to work. I don't see either Brainslayer or Kong ever implementing CTF in Kernel 4.x.xx
If I were you, I'd buy another router or flash stock firmware on your R7000 which should get you to around 800-900Mbps. _________________
Joined: 13 Mar 2014 Posts: 856 Location: Montreal, QC
Posted: Mon Oct 03, 2016 5:07 Post subject:
the other fw projects run on linux builds using the same kernel (v2.6) as is shipped by the manufacturers which allows them to use the closed source ctf binary blob shipped by asus etc. this binary is not usable by ddwrt as ddwrt is built on a newer linux kernel.
this doesn't mean ddwrt will never incorporate fastpath but don't hold your breath.
on another note newer router models are shipping with faster CPUs closing the gap on gbit via linux native kernel network stack.
ps ddwrt ran some fastpath trials about 18 months ago but there were serious issues that put the brakes on further testing.
Posted: Mon Oct 03, 2016 7:13 Post subject: Re: DD-WRT w/ Cut-Through Forwarding (CTF) for 500+ Mbps LAN
E-Man wrote:
Hi,
I have always loved and been loyal to DD-WRT firmware and of course appreciate the work of the Developers who put in the time and effort to make this happen.
Recently, I subscribed to a 1Gbps internet service from my ISP and have a problem I thought I would never have - I have reached speeds which my router is not capable of transferring from LAN to WAN. As I understand, DD-WRT does not support Cut-Through Forwarding (CTF) and therefore the most I would be able to transfer is approximately 400 Mbps with my R7000.
As more and more ISPs around the world are now starting to provide speeds well beyond 400 Mbps, it makes me wonder what the future now holds for DD-WRT vis-a-vis Hardware Acceleration using CTF.
I wanted to ask this because as I understand, there are other 3rd party router software such as Tomato and Vortex that do indeed support CTF! Since other 3rd party router software supports CTF, why doesn't DD-WRT and what is required to enable CTF? Is there an active timeline to have DD-WRT CTF support?
Thank you.
CTF is just a hack that bypasses parts of the firewall. It is closed source and requires that an old kernel is used; it also takes away the ability to fully customize the kernel. Thus CTF is not an option, because:
-you have to use old unsupported kernels, no security fixes from upstream
-is insecure by design as it only works if it bypasses certain firewall functionality
-causes instability if you recompile the kernel with changed network functionality
If you need a router that can handle 1Gbps, then you should just choose the right unit. Netgear R7800 has a different cpu architecture and allows gigabit speeds under dd-wrt without any hacks.
I'm sure broadcom will soon have a unit that can also do it without CTF.
And everything that was just recapped by James & Kong has been covered which means it can be found with the search feature.
Not trying to sound snobbish or anything, however the more the technically helpful guys answer the same questions again and again, the less time they have to answer new questions.
The whole feed you or teach you to fish thing. _________________ Router currently owned:
Netgear R7800 - Router
Netgear R7000 - AP mode
Posted: Tue Oct 04, 2016 0:23 Post subject: Re: DD-WRT w/ Cut-Through Forwarding (CTF) for 500+ Mbps LAN
<Kong> wrote:
CTF is not an option, because:
-you have to use old unsupported kernels, no security fixes from upstream
-is insecure by design as it only works if it bypasses certain firewall functionality
-causes instability if you recompile the kernel with changed network functionality
We tested a CTF port some time ago and removed it again as it broke some features.
Hi Kong,
Thanks to everyone chiming in. Since CTF requires old unsupported kernels (2.6, etc) without security fixes/CVE, then does that mean that the newer Netgear Stock firmware (along with Tomato/Vortex) are unsafe/insecure to use because they do not have security patches/fixes installed? Or does Netgear utilize something that the DD-WRT community cannot or does not have access to?
Out of curiosity, were any core features broken when CTF was tested w/ DD-WRT? Perhaps there would be a desire for a limited-feature DD-WRT with CTF.
Joined: 13 Mar 2014 Posts: 856 Location: Montreal, QC
Posted: Tue Oct 04, 2016 1:12 Post subject:
Glaring / serious package security issues are backported by the manufacturers, which trickles down to merlin & vortex. I believe merlin also does / did some fixes himself but not sure how active he is with these backports as asuswrt has become more complex lately. better to check in with him directly. I suspect the situation is similar with tomato but I don't really follow that project.
kernel 2.6 is EOL so no longer receives upstream kernel patches.
as ctf is a closed source there have not been any security peer reviews.
if you go back in the forum, probably the mega r7000 thread you will see a discussion of those of us who tested ddwrt's fastpath. I among others experienced a serious issue with core routing as in completely unusable where others were able to get connectivity.
James, sorry ahead of time if I am misunderstanding your post. Are you saying that the manufacturers are the ones creating the majority of security fixes to the old Kernel (2.6, etc) and passing it along to the third-party software developers like Tomato? If so, then what Kernel/drivers does the manufacturer (Netgear) use themselves and why can't we, the DD-WRT community, leverage what they use in conjunction with our third-party software?
I understand that CTF is closed-source and is a black box, but still do not understand the limitation to have CTF working *if* we are provided with all of the required core components (except for closed-source code) from the manufacturer.
Glaring / serious package security issues are backported by the manufacturers, which trickles down to merlin & vortex.
You misunderstand. It is not realistic to just backport security fixes, if no upstream maintainer fixes it.
E.g. someone finds an issue in openssl 1.3.x, we use 0.9.9, then it would be extremely difficult for us to first know if it affects our 0.9.9 in any way, as it could be possible that a known exploit works a bit differently. As we do not understand the code logic we might not be able to understand if the exploit just needs a little modification.
Finally you need to be an expert in the affected application in order to fix it in a way that is ok and not just make things worse.
Along with the fact that such a huge number of systems is stuck on a certain kernel version and therefore makes it very attractive to crackers: you don't have to fear that 4 weeks later your exploit does not work anymore, since the kernel was updated and an issue that allowed the trick does not work anymore.
A kernel is the core component and it is a very complex piece of software.
Kong,
I still do not understand one main thing which I have posted above which is asking what the manufacturer Netgear uses in their own builds which do have CTF:
E-Man wrote:
since CTF requires old unsupported kernels (2.6, etc) without security fixes/CVE, then does that mean that the newer Netgear Stock firmware (along with Tomato/Vortex) are unsafe/insecure to use because they do not have security patches/fixes installed? Or does Netgear utilize something that DD-WRT community cannot or does not have access to?
What does Netgear use/have that we do not or cannot leverage? Are they simply not providing something to third-party vendors besides the closed-source code of CTF?
Posted: Thu Oct 06, 2016 14:14 Post subject: Re: DD-WRT w/ Cut-Through Forwarding (CTF) for 500+ Mbps LAN
<Kong> wrote:
Hi,
If you need a router that can handle 1Gbps, then you should just choose the right unit. Netgear R7800 has a different cpu architecture and allows gigabit speeds under dd-wrt without any hacks.
Hi,
I have an R7800 and as I said in the R7800 topic, within DD-WRT I can't get more than 350 Mbps in LAN or WAN.
With original firmware: 900 Mbps (LAN and WAN, I have a Gbps provider)
I've tried both Kong and BS releases
Reading the R7800 thread, it appears I am really not the only one with this speed limitation
No one answered this in the R7800 topic...
But I am happy to hear that we can reach 1 Gbps
@Kong: could you please tell us here or in the R7800-specific thread how to reach 1 Gbps with the R7800/DD-WRT combo?
Posted: Thu Oct 06, 2016 22:11 Post subject: Re: DD-WRT w/ Cut-Through Forwarding (CTF) for 500+ Mbps LAN
Nilugeator wrote:
<Kong> wrote:
Hi,
If you need a router that can handle 1Gbps, then you should just choose the right unit. Netgear R7800 has a different cpu architecture and allows gigabit speeds under dd-wrt without any hacks.
Hi,
I have an R7800 and as I said in the R7800 topic, within DD-WRT I can't get more than 350 Mbps in LAN or WAN.
With original firmware: 900 Mbps (LAN and WAN, I have a Gbps provider)
I've tried both Kong and BS releases
Reading the R7800 thread, it appears I am really not the only one with this speed limitation
No one answered this in the R7800 topic...
But I am happy to hear that we can reach 1 Gbps
@Kong: could you please tell us here or in the R7800-specific thread how to reach 1 Gbps with the R7800/DD-WRT combo?
thx in advance
I did not do anything specific, just connected the WAN port and ran the test.
Are you using PPPoE?
Are you measuring via a wire-connected PC?
The 350 Mbps doesn't make any sense; even the 1 GHz Broadcoms offer more throughput with DD-WRT. Thus it is most likely a test/config problem. _________________ KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
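When a throughput number looks implausible, as Kong says of the 350 Mbps result above, the quickest way to separate a test/config problem from a real router limit is to read the router's own interface byte counters while a wired test runs, instead of trusting only the client-side speed test. The script below is an added example, not code from this thread or from the DD-WRT project: it parses the kernel's /proc/net/dev table, samples it twice and reports Mbps per interface. The interface names (vlan2 for the WAN port, br0 for the LAN bridge), the 32-bit counter width and the two sample snapshots are assumptions and constructed data; on a real router run it over SSH and check the names with `ip link` first.

```python
"""Measure per-interface throughput from /proc/net/dev on a Linux router.

Added example, not from the forum thread or DD-WRT. Assumptions: vlan2 is the
WAN port and br0 the LAN bridge (verify with `ip link`); byte counters are
32-bit and wrap at 2**32, as on older 32-bit kernels.
"""
import time

COUNTER_WRAP = 1 << 32  # assumption: 32-bit counters on the router kernel

# Constructed /proc/net/dev snapshots taken 2 s apart during a wired
# download test. br0 rx is deliberately placed just below 2**32 in the first
# sample so the second sample exercises the counter-wrap path.
SAMPLE_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   10240     100    0    0    0     0          0         0    10240     100    0    0    0     0       0          0
 vlan2: 1000000000  800000    0    0    0     0          0         0 500000000  400000    0    0    0     0       0          0
   br0: 4244967296 3000000    0    0    0     0          0         0 900000000  700000    0    0    0     0       0          0
"""
SAMPLE_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   10240     100    0    0    0     0          0         0    10240     100    0    0    0     0       0          0
 vlan2: 1100000000  880000    0    0    0     0          0         0 512500000  410000    0    0    0     0       0          0
   br0:   50000000 3080000    0    0    0     0          0         0 1000000000  780000    0    0    0     0       0          0
"""


def parse_proc_net_dev(text):
    """Return {iface: (rx_bytes, tx_bytes)} from /proc/net/dev contents.

    The two header lines contain no ':' and are skipped; each data line is
    '<iface>: <16 counters>' with rx bytes first and tx bytes ninth.
    """
    counters = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, _, rest = line.partition(":")
        fields = rest.split()
        if len(fields) < 16:
            continue
        counters[name.strip()] = (int(fields[0]), int(fields[8]))
    return counters


def counter_delta(before, after, wrap=COUNTER_WRAP):
    """Bytes transferred between two readings, tolerating one counter wrap."""
    if after < before:
        return after + wrap - before
    return after - before


def throughput_mbps(snap0, snap1, seconds):
    """Per-interface (rx_mbps, tx_mbps) between two parsed snapshots."""
    rates = {}
    for iface, (rx0, tx0) in snap0.items():
        if iface not in snap1:
            continue  # interface disappeared (e.g. PPPoE session bounced)
        rx1, tx1 = snap1[iface]
        rx_mbps = counter_delta(rx0, rx1) * 8 / seconds / 1e6
        tx_mbps = counter_delta(tx0, tx1) * 8 / seconds / 1e6
        rates[iface] = (round(rx_mbps, 1), round(tx_mbps, 1))
    return rates


def measure_live(seconds=5.0, path="/proc/net/dev"):
    """Sample the real router counters twice and report Mbps per interface."""
    with open(path) as fh:
        snap0 = parse_proc_net_dev(fh.read())
    time.sleep(seconds)
    with open(path) as fh:
        snap1 = parse_proc_net_dev(fh.read())
    return throughput_mbps(snap0, snap1, seconds)


def demo():
    """Run the calculation over the constructed snapshots (2 s apart)."""
    return throughput_mbps(parse_proc_net_dev(SAMPLE_T0),
                           parse_proc_net_dev(SAMPLE_T1), 2.0)


if __name__ == "__main__":
    # Over the constructed samples: a 400 Mbps download entering on the WAN
    # port (vlan2 rx) and leaving on the LAN bridge (br0 tx).
    for iface, (rx, tx) in sorted(demo().items()):
        print(f"{iface:>6}: rx {rx:7.1f} Mbps  tx {tx:7.1f} Mbps")
```

Run it on the router (`python` via Entware or Optware, or copy the functions into a host script fed by `ssh root@router cat /proc/net/dev`) while a wired iperf3 or large download is in progress: if the WAN-side rx rate and the LAN-side tx rate agree with each other but not with the client's number, the bottleneck is on the client or the test, not the router's forwarding path. Counters on a PPPoE WAN live on the ppp0 interface rather than the VLAN port, so sample that name instead.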