Posted: Tue Mar 17, 2020 11:15 Post subject: Slow WAN-to-LAN dd-wrt on Netgear WNR3500U/WNR3500L v1
Hello,
For some years now I've had the following firmware on the Netgear WNR3500L (v1?) (label says "WNR3500U/WNR3500L"):
Router Model: Netgear WNR3500v2/U/L
Firmware: DD-WRT v24-sp2 (08/07/10) mega
Recently I got Gigabit from my ISP and discovered that the WAN-to-LAN speed of the router is very disappointing: only about 52 Mbps.
I then disabled the SPI Firewall in the dd-wrt web interface, but this didn't bring any improvement.
I suspect the slow speed has to do with iptables connection tracking stuff as it keeps long lists of each connection (--> cat /proc/net/nf_conntrack ).
So, my question is: how can I disable this IMHO useless connection tracking stuff on the router?
What else can I do to get a better WAN-to-LAN throughput?
Btw, WLAN on this device is not used here (Radio is off).
And also tried "Operating Mode" as Gateway, as well as Router; but no change in the speed.
Thx
Last edited by mutluit on Tue Mar 17, 2020 13:58; edited 1 time in total
Joined: 08 May 2018 Posts: 14217 Location: Texas, USA
Posted: Tue Mar 17, 2020 12:31 Post subject:
You need a newer, more powerful router. That one will not give you gigabit throughput. You probably won't see any change if you upgraded to the latest firmware (42681). If you're not using the wireless on your configuration, you could probably get a supported x86 device and go that route. The only other suggestion I have is the R7800, EA8500, or R9000. The only other suggestion for ethernet-only without wifi would be the WRT3200ACM or WRT32X, and maybe the R7000, R7000P, or R8000. Otherwise, the first three suggestions other than x86 are the best supported by this firmware. _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
You need a newer, more powerful router. That one will not give you gigabit throughput. You probably won't see any change if you upgraded to the latest firmware (42681). If you're not using the wireless on your configuration, you could probably get a supported x86 device and go that route. The only other suggestion I have is the R7800, EA8500, or R9000. The only other suggestion for ethernet-only without wifi would be the WRT3200ACM or WRT32X, and maybe the R7000, R7000P, or R8000. Otherwise, the first three suggestions other than x86 are the best supported by this firmware.
I now flashed the Firmware Version "DD-WRT v3.0-r33555 mega (10/20/17)" and get 288 Mbits/sec. This is about 5 times more performance, but still far away from Gigabit speed.
Hmm, I will also try two other (old) Gigabit routers (Ubiquiti EdgeRouter Lite and Banana Pi R1 (aka Lamobo R1)) which I have here, and then maybe look for a newer one.
Joined: 16 Nov 2015 Posts: 6436 Location: UK, London, just across the river..
Posted: Tue Mar 17, 2020 13:36 Post subject:
mutluit wrote:
kernel-panic69 wrote:
You need a newer, more powerful router. That one will not give you gigabit throughput. You probably won't see any change if you upgraded to the latest firmware (42681). If you're not using the wireless on your configuration, you could probably get a supported x86 device and go that route. The only other suggestion I have is the R7800, EA8500, or R9000. The only other suggestion for ethernet-only without wifi would be the WRT3200ACM or WRT32X, and maybe the R7000, R7000P, or R8000. Otherwise, the first three suggestions other than x86 are the best supported by this firmware.
I now flashed the Firmware Version "DD-WRT v3.0-r33555 mega (10/20/17)" and get 288 Mbits/sec. This is about 5 times more performance, but still far away from Gigabit speed.
Hmm, I will also try two other (old) Gigabit routers (Ubiquiti EdgeRouter Lite and Banana Pi R1 (aka Lamobo R1)) which I have here, and then maybe look for a newer one.
Thx
yep if you believe you can beat the system...
If the Ubiquiti EdgeRouter Lite may do... as it has a dual core @500 MIPS64, then why bother with this old Netgear you have... on an ancient build 33555... ???
kernel-panic69 gave you the basics, now you have to do your homework... and learn how CPU demanding WAN to LAN translations are...
good luck...
p.s. just bear in mind those Hardware Accelerations for Packet Processing are not very security proof... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 16 Nov 2015 Posts: 6436 Location: UK, London, just across the river..
Posted: Tue Mar 17, 2020 14:41 Post subject:
is this a joke ?
nf_conntrack is in the kernel and it's in use for various services to run....it will kill your router if you stop it...
there won't be a NAT, Firewall and others...that depend on it
p.s. you can limit some packets to use conntrack table...but you must know exactly what you want to achieve...at the end...
nf_conntrack is in the kernel and it's in use for various services to run....it will kill your router if you stop it...
there won't be a NAT, Firewall and others...that depend on it
p.s. you can limit some packets to use conntrack table...but you must know exactly what you want to achieve...at the end...
I'm using this router as a second router in series to the ISP-router. Also my PCs in LAN have their own iptables-firewalls configured. So then there is no need for a firewall on this router, nor for NAT, nor for SPI. It just shall do what it's primarily designed for (and what the name "router" means): just routing, nothing else.
If completely throwing out (or disabling) conntrack is not possible, then I would need to find a different firmware, maybe OpenWRT, Tomato or so.
Joined: 16 Nov 2015 Posts: 6436 Location: UK, London, just across the river..
Posted: Tue Mar 17, 2020 18:20 Post subject:
mutluit wrote:
Alozaros wrote:
is this a joke ?
nf_conntrack is in the kernel and it's in use for various services to run....it will kill your router if you stop it...
there won't be a NAT, Firewall and others...that depend on it
p.s. you can limit some packets to use conntrack table...but you must know exactly what you want to achieve...at the end...
I'm using this router as a second router in series to the ISP-router. Also my PCs in LAN have their own iptables-firewalls configured. So then there is no need for a firewall on this router, nor for NAT, nor for SPI. It just shall do what it's primarily designed for (and what the name "router" means): just routing, nothing else.
If completely throwing out (or disabling) conntrack is not possible, then I would need to find a different firmware, maybe OpenWRT, Tomato or so.
you can put the router in WAP/switch mode; this will completely disable NAT, SPI, DNS/DHCP and so...
nf_conntrack is in the kernel and it's in use for various services to run....it will kill your router if you stop it...
there won't be a NAT, Firewall and others...that depend on it
p.s. you can limit some packets to use conntrack table...but you must know exactly what you want to achieve...at the end...
I'm using this router as a second router in series to the ISP-router. Also my PCs in LAN have their own iptables-firewalls configured. So then there is no need for a firewall on this router, nor for NAT, nor for SPI. It just shall do what it's primarily designed for (and what the name "router" means): just routing, nothing else.
If completely throwing out (or disabling) conntrack is not possible, then I would need to find a different firmware, maybe OpenWRT, Tomato or so.
you can put the router in WAP/switch mode; this will completely disable NAT, SPI, DNS/DHCP and so...
I just tried the original Netgear Firmware Version V1.2.0.56_50.0.96 :
WAN-to-LAN speed is about 580 Mbits/s
(measured using iperf clients (the senders) on 2 remote hosts in WAN connecting at the same time to the local iperf server here in LAN, for a duration of 60 seconds).
I surely would try dd-wrt again, but only if it beats the above quoted performance of 580 Mbits/s on Netgear WNR3500L v1 or v2.
If someone has kindly done the performance test with the above-mentioned new dd-wrt release, please let me know.
Btw, here are my above mentioned settings of iperf on Linux:
Server in LAN:
iperf -s -p $PortOfServerInLAN -w 1M
Client(s) in WAN (the sender(s)):
iperf -c $IPofServerInLAN -p $PortOfServerInLAN -w 1M -P 8 -t 60
Just replace the above $variables with your own IP and port.
And, of course on the router one has to do port-forwarding to the server where the iperf-server instance runs.
Joined: 08 May 2018 Posts: 14217 Location: Texas, USA
Posted: Wed Mar 18, 2020 15:19 Post subject:
Cooling mods, overclocking, tweaking the tcp buffers properly. You might get better performance. But otherwise.... you are just shooting yourself in the foot trying to use it on a gigabit Internet link.
Cooling mods, overclocking, tweaking the tcp buffers properly. You might get better performance. But otherwise.... you are just shooting yourself in the foot trying to use it on a gigabit Internet link.
Man, 580 Mbits/s is a nice value, especially compared to the lousy 52 Mbits/s as stated in my OP with the very old dd-wrt version. The next improvement with 288 Mbits/s with a newer but still older dd-wrt version is not bad, but hey, 580 MBits/s is more than twice as fast as that!
I think for another year or so I can live with 580 Mbits/s with this old Netgear WNR3500L device.
Update / Summary of my tests:
WNR3500Lv2 (w/orig Netgear FW V1.2.0.56_50.0.96) : about 580 Mbits/s
WNR3500Lv1 (w/orig Netgear FW V1.2.2.48_35.0.55NA): about 320 Mbits/s
There someone (Kong) says that "Netgear official firmware uses the fast_nat module and due to a different featureset doesn't see the bugs that were seen in tomato. DD-WRT does not use the fast nat module."
He further says "Actually it would be interesting to see how much performance increases if one disables connection traffic using NOTRACK target in iptables rules."
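Added example, not part of the thread or of DD-WRT: before trying the NOTRACK idea quoted above, this script lists which rules in an `iptables-save` dump depend on connection tracking (the NAT and stateful firewall rules mentioned earlier in the thread), since untracked packets no longer match them. The ruleset is a constructed sample; the interface names `vlan2` (WAN) and `br0` (LAN), the LAN address and the forwarded port are assumptions.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output (not taken from the thread).
# vlan2 = WAN, br0 = LAN, 192.168.1.50:5001 = iperf server: all assumptions.
sample_ruleset() {
cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i vlan2 -p tcp --dport 5001 -j DNAT --to-destination 192.168.1.50:5001
-A POSTROUTING -o vlan2 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o vlan2 -j ACCEPT
-A FORWARD -d 192.168.1.50 -p tcp --dport 5001 -j ACCEPT
COMMIT
EOF
}

# Read an iptables-save dump on stdin and print every rule that relies on
# connection tracking (any nat-table rule, state/conntrack matches, NAT targets).
conntrack_dependent_rules() {
  awk '
    /^\*/ { table = substr($0, 2); next }
    /^-A/ {
      if (table == "nat" || $0 ~ /-m (state|conntrack) / ||
          $0 ~ /-j (DNAT|SNAT|MASQUERADE|REDIRECT)( |$)/)
        print table ": " $0
    }'
}

# One-line verdict for the dump on stdin: would NOTRACK break existing rules?
notrack_verdict() {
  n=$(conntrack_dependent_rules | wc -l | tr -d ' ')
  if [ "$n" -eq 0 ]; then echo "ok: no rule depends on conntrack"
  else echo "unsafe: $n rule(s) depend on conntrack"; fi
}

sample_ruleset | conntrack_dependent_rules
sample_ruleset | notrack_verdict
```

On a live router the same functions can be fed with `iptables-save | conntrack_dependent_rules`; any rule it lists (including the port forward used for the iperf test) stops applying to traffic exempted with NOTRACK in the raw table.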