Posted: Mon Oct 23, 2017 14:46 Post subject: (BAD) New Build 33586 for DIR-868L(Rev A) & DIR-880L(Rev
Hi folks,
I've uploaded a new build. This build supposedly includes the KRACK WiFi vulnerability fix. So if you're already using my builds, please update ASAP.
Other than the usual fixes committed by the dd-wrt developers, my build includes the following changes:
1. Allows full 4096 VLANs for 802.1q tagging. Scripting required tho, as the GUI does not allow VLANs > 15.
2. Enabled the WiFi LEDs for the D-Link DIR-880L (Rev A)
3. Allows acceleration of network packets that are policy routed. You can now use OpenVPN with PBR and also enable SFE.
4. Accelerate IPv6 network packets where previously all IPv6 packets are ignored.
5. Disabled a competing SFE connection manager where previously two connection managers are initialised. This should reduce router CPU usage further.
Limitation of my builds:
1. Broadcom wireless and ethernet drivers may not be the latest, but at least it seems stable.
2. Does not contain Sputnik as source codes not available.
This version has been successfully flashed for both DIR-868L and DIR-880L (my main home router).
For those using ARM CPU routers who would like to try out the Shortcut Forwarding Engine with PBR, I've attached the kernel module that you can try. Hopefully it'll work for you. To use the kernel module, unzip the attached file and upload it into your router. SSH/telnet into your router and run issue the following commands:
1. rmmod shortcut-fe
(in the directory you have uploaded the shortcut-fe.ko file)
2. insmod shortcut-fe.ko
The default kernel module only accelerates for the 129th packets onwards, so if you want the acceleration to happen faster, do the following:
echo 4 > /sys/fast_classifier/offload_at_pkts
The above command will offload established connections from the 5th packets onwards.
The attached kernel module will only work for ARM based routers and builds on or after 32622 and that your router must also be running the 4.4.x Linux kernel. Otherwise it will likely crash your router or it will not load at all.
I will do later, but preliminary testing shows it more than doubles the speed and is on par with the regular SFE.
With SFE about 600Mb/s, without SFE about 250Mb/s. This is the same for regular SFE.
In pre SFE builds my speed was about 300Mb/s. So it actually seems that the builds with SFE are slower if SFE is not used.
Mind you these figures are indicative it is possible that I max out my harddrive.
Testing is done on the internal network by copying a large file between windows clients and measuring speed, not a scientific approach
Have not tested it through the VPN tunnel (the tunnel is working but I am only on 40/4 Mb/s and that is maxed out)
I will set up an internal VPN server for testing but that will be later this week.
But so far looking good
Good to know that the kernel module is working for you. I’m planning to submit a patch to the devs once it’s been put thru it’s paces. As it’s kind of low level code that involves networking, it’s better to test more. The concept is smart and yet simple tho, so I’m impressed by the developers who thought this up.
For OpenVPN, don’t expect good speed. On my DIR-880L running at 1000MHz, the best I can achieve over OpenVPN is 30mbps. My tunnel security is considered secured tho, so if I configured it to be less secure, I probably can get higher bit rate.
Joined: 18 Mar 2014 Posts: 12903 Location: Netherlands
Posted: Thu Oct 26, 2017 10:39 Post subject:
I have done some extensive speed testing with your modded shortcut-fe, and it is looking good.
I have setup an OpenVPN server on my LAN for internal testing.
Test setup
OpenVPN server on QNAP 453Pro, Intel Celeron quad core 2,0 GHz/ 8GB Ram
Encryption 128 bit AES
Gigabit Ethernet
Open VPN client router Netgear R6400 dual core ARM A9, 800 MHz, firmware Kong 33575, Linux 4.4.94
Shortcut Forwarding Engine modded by @Quarkysg date 23-10-17 size: 18.910 bytes
Speed testing
Totusoft Lanspeed testing lite 1.3.2
Throughput measured with Totusoft Lanspeed testing lite 1.3.2, 200MB file when on VPN, 1000MB file when through WAN, this is testing windows file copy so this is net throughput, raw througput is higher (10-20%?)
Conclusion
The modded SFE is working with Policy Based routing in contrast with the regular SFE which is not working when VPN gateway is used.
On a Netgear R6400 the speeds of both SFE’s are comparable, SFE is more than doubling the throughput on LAN<> WAN traffic and possibly gives a slightly increases in VPN throughput.
Preliminary testing shows no benefits from moddifying the packetstream.
Wow man, really well done, seems promising. Too bad 7800 is still on 3.x kernel if not I would have try it. I hope to see your patch soon in ddwrt builds _________________ R6400v2 (boardID:30) - Kong 36480 running since 03/09/18 - (AP - DNSMasq - AdBlocking - QoS) R7800 - BS 31924 running since 05/26/17 - (AP - OpenVPN Client - DNSMasq - AdBlocking - QoS) R7000 - BS 30771 running since 12/16/16 - (AP - NAS - FTP - SMB - OpenVPN Server - Transmission - DDNS - DNSMasq - AdBlocking - QoS) R6250 - BS 29193 running since 03/20/16 - (AP - NAS - FTP - SMB - DNSMasq - AdBlocking)
For those using 868L and 880L who feels that the KRACK fix is crucial to you and you don’t use IPv6 or don’t mind losing IPv6, you can try my 33586a build.
The recent releases seem to cause issue with IPv6, so turning off IPv6 in your 868 and 880 should be ok.
For me, I’ll live with the vulnerability for now, since most of my important Internet transactions are protected by SSL.
For those using 868L and 880L who feels that the KRACK fix is crucial to you and you don’t use IPv6 or don’t mind losing IPv6, you can try my 33586a build.
The recent releases seem to cause issue with IPv6, so turning off IPv6 in your 868 and 880 should be ok.
For me, I’ll live with the vulnerability for now, since most of my important Internet transactions are protected by SSL.
For those using 868L and 880L who feels that the KRACK fix is crucial to you and you don’t use IPv6 or don’t mind losing IPv6, you can try my 33586a build.
The recent releases seem to cause issue with IPv6, so turning off IPv6 in your 868 and 880 should be ok.
For me, I’ll live with the vulnerability for now, since most of my important Internet transactions are protected by SSL.