[quarkysg]

Hi folks,

I've uploaded a new build. This build supposedly includes the KRACK WiFi vulnerability fix. So if you're already using my builds, please update ASAP.

Other than the usual fixes committed by the dd-wrt developers, my build includes the following changes:

1. Allows full 4096 VLANs for 802.1q tagging. Scripting required tho, as the GUI does not allow VLANs > 15.
2. Enabled the WiFi LEDs for the D-Link DIR-880L (Rev A)
3. Allows acceleration of network packets that are policy routed. You can now use OpenVPN with PBR and also enable SFE.
4. Accelerate IPv6 network packets where previously all IPv6 packets are ignored.
5. Disabled a competing SFE connection manager where previously two connection managers are initialised. This should reduce router CPU usage further.

Limitation of my builds:

1. Broadcom wireless and ethernet drivers may not be the latest, but at least it seems stable.
2. Does not contain Sputnik as source codes not available.

The download link below:

https://app.box.com/s/b4v1s342ef2dpd52j02lqtuzi1oiipco

This version has been successfully flashed for both DIR-868L and DIR-880L (my main home router).

For those using ARM CPU routers who would like to try out the Shortcut Forwarding Engine with PBR, I've attached the kernel module that you can try. Hopefully it'll work for you. To use the kernel module, unzip the attached file and upload it into your router. SSH/telnet into your router and run issue the following commands:

1. rmmod shortcut-fe
(in the directory you have uploaded the shortcut-fe.ko file)
2. insmod shortcut-fe.ko

The default kernel module only accelerates for the 129th packets onwards, so if you want the acceleration to happen faster, do the following:

echo 4 > /sys/fast_classifier/offload_at_pkts

The above command will offload established connections from the 5th packets onwards.

The attached kernel module will only work for ARM based routers and builds on or after 32622 and that your router must also be running the 4.4.x Linux kernel. Otherwise it will likely crash your router or it will not load at all.

Have fun!

[quarkysg]

Hi folks,

This build is bad. Wireless is not usable. Wired interface looks OK tho.

Looks like the developers need to fix the AP utility.

If you have already updated, please revert back to my 33570a build.

Apologies.

[egc]

Did a quick test on my R6400 with Kong's latest 33575 build (seems problematic in wireless).

If SFE is disabled in the GUI the module is apparently not loaded so you can skip the first step (or test with lsmod) and just insert the module.

I have not done extensive testing but I can report SUCCESS!!

This is really working with PBR.

Besides Kong and BS we now have a third genius

Will do more testing but kudos to @Quarkysg

[quarkysg]

[egc]

I will do later, but preliminary testing shows it more than doubles the speed and is on par with the regular SFE.

With SFE about 600Mb/s, without SFE about 250Mb/s. This is the same for regular SFE.

In pre SFE builds my speed was about 300Mb/s. So it actually seems that the builds with SFE are slower if SFE is not used.

Mind you these figures are indicative it is possible that I max out my harddrive.

Testing is done on the internal network by copying a large file between windows clients and measuring speed, not a scientific approach

Have not tested it through the VPN tunnel (the tunnel is working but I am only on 40/4 Mb/s and that is maxed out)

I will set up an internal VPN server for testing but that will be later this week.

But so far looking good

[quarkysg]

[egc]

For testing maybe start another thread, because the heading of this thread is for Dlink routers.

I totally agree that more testing should be done.

My VPN speed is 40 MB/s for a dual core 800 MHz Arm router but I use 128bit AES which is on the edge of decent security

Again great job!

[egc]

I have done some extensive speed testing with your modded shortcut-fe, and it is looking good.
I have setup an OpenVPN server on my LAN for internal testing.

Test setup
OpenVPN server on QNAP 453Pro, Intel Celeron quad core 2,0 GHz/ 8GB Ram
Encryption 128 bit AES
Gigabit Ethernet
Open VPN client router Netgear R6400 dual core ARM A9, 800 MHz, firmware Kong 33575, Linux 4.4.94
Shortcut Forwarding Engine modded by @Quarkysg date 23-10-17 size: 18.910 bytes

Speed testing
Totusoft Lanspeed testing lite 1.3.2
Throughput measured with Totusoft Lanspeed testing lite 1.3.2, 200MB file when on VPN, 1000MB file when through WAN, this is testing windows file copy so this is net throughput, raw througput is higher (10-20%?)

Results
VPN:
SFE Kong: 39, 36, 33, 35 Mb/s
No SFE : 30, 32, 30, 33, 35, 29, 30 Mb/s,
Modded SFE: 34, 34, 33, 39, 33 Mb/s

VPN with PBR:
No SFE:
Through VPN: 30, 31, 30, 32 Mb/s
through WAN: 240, 235, 242 Mb/s

Modded SFE:
through VPN: 32, 34, 34, 35 Mb/s
through WAN: 588, 586, 599 Mb/s
echo 4 > /sys/fast_classifier/offload_at_pkts
through VPN: 34, 39, 33 Mb/s
through WAN: 595, 593, 594, 591 Mb/s

No VPN:
SFE Kong: 579, 594, 593, 589, 596, 600 Mb/s
No SFE 280, 284, 289, 244, 243, 253, 253 Mb/s
Modded SFE 571, 590, 586, 585. 590 Mb/s


Conclusion
The modded SFE is working with Policy Based routing in contrast with the regular SFE which is not working when VPN gateway is used.

On a Netgear R6400 the speeds of both SFE’s are comparable, SFE is more than doubling the throughput on LAN<> WAN traffic and possibly gives a slightly increases in VPN throughput.

Preliminary testing shows no benefits from moddifying the packetstream.

LAN <> WAN
No SFE: 240 Mb/s
SFE: 590 Mb/s

LAN<>VPN (AES 128)
No SFE: 32 Mb/s
SFE: 34 Mb/s


To do
Testing if QOS is working

[quarkysg]

Wow, that’s quite an extensive suite of test you’re doing there.

Looks like I can submit the patch to the devs and hopefully they will commit it into the SVN repo.

Excellent work!

[egc]

Well you did the real work!

I also think that there are people interested in your tweaking of the robo switch, there is demand for vlan's over 15

[Xeon2k8]

Wow man, really well done, seems promising. Too bad 7800 is still on 3.x kernel if not I would have try it. I hope to see your patch soon in ddwrt builds

[quarkysg]

Have updated my problem ticket with the patch.

http://svn.dd-wrt.com/ticket/5986#comment:2

Hopefully the dev team will pick it up and review the changes. I think they should be OK as the changes are quite minimal.

[quarkysg]

For those using 868L and 880L who feels that the KRACK fix is crucial to you and you don’t use IPv6 or don’t mind losing IPv6, you can try my 33586a build.

The recent releases seem to cause issue with IPv6, so turning off IPv6 in your 868 and 880 should be ok.

For me, I’ll live with the vulnerability for now, since most of my important Internet transactions are protected by SSL.

[myogyisg]

You mean, if I am not using IPV6, I can test https://app.box.com/s/b4v1s342ef2dpd52j02lqtuzi1oiipco/folder/39733133557 ?
Is this the corret link for 33586a ?

[quarkysg]