Joined: 18 Mar 2014 Posts: 12884 Location: Netherlands
Posted: Sat Mar 02, 2019 15:46 Post subject: Patched SFE module for use with Policy Based Routing
Shortcut Forwarding Engine (SFE) is a module designed to speed up WAN<>LAN throughput by bypassing the firewall for an established connection.
On some router models it can double the throughput.
On my own Netgear R6400v2 the throughput without SFE is about 250 Mb/s; with SFE it goes up to over 500 Mb/s.
But there are reports that it does not make much of a difference on older routers on Kernel 3.10.
It is available in Kernel 3.10 and higher starting around July 2017 (build 33006).
SFE is not compatible with QoS (download) and with Policy Based Routing (routing over VPN client based on IP address of local clients).
One of our esteemed forum members @Quarkysg has however made a patched SFE module available which works with Policy Based Routing.
However, this patch is only for Broadcom/Arm routers with Kernel 4.4.
You need permanent storage if you want it to survive a reboot.
So either use JFFS2 or use a USB stick.
As there are often requests about where to find it and how to install it, I created this separate thread.
Consider this a first draft, so your remarks on how I can improve the instructions are more than welcome.
The patch and instructions are attached to this post (only visible when logged in!)
Posted: Tue Mar 05, 2019 1:50 Post subject: Can someone mention shortcut-fe on PBR wiki page?
It took me quite a while to figure out why PBR was not working (and tcpdump output mystery?). It would be nice if somebody would update a wiki page and mention shortcut-fe and possible workarounds like this one!
egc, I didn't try the patch yet as I need to recreate a long-gone build environment. Would it work with netfilter's -j MARK and fwmark rule, as in routing traffic to a particular port?
Joined: 18 Mar 2014 Posts: 12884 Location: Netherlands
Posted: Tue Mar 05, 2019 8:53 Post subject:
Yes, it is not well known, and to make matters worse there is a patch for it.
I think @Quarkysg has submitted the patch upstream, but the devs there (I think it is Felix F) are working on an alternate shortcut/fastpath implementation: flow-offload.
That looks promising but is only available for K4.14 and will not be backported I think.
The DDWRT devs are only willing to use this SFE patch if it will be reviewed and merged upstream.
Now on to your question: I once used such an implementation with iptables/netfilter; it was fun to get it working. @Eibgrad has made some really nice scripts for it which are even using ipset.
I am pretty sure that I was using the SFE patch and that was working.
At the moment I do not need routing on a per port basis, but I do need some destination based routing (I wanted to exclude Amazon from the VPN).