Posted: Mon Sep 26, 2022 0:06 Post subject: Possible fix for port forwarding
Router - Netgear R7000
DDWRT build - r49934
Observed behavior, knowing CTF/FA would be interfering with port forwarding: consistent dropping of traffic, especially to the internal Plex Media Server:
None of my port forward rules would work (I confirmed too that they were present in iptables with iptables -vnL -t nat etc.). Traffic would hit the router but packets would either not make it through to the internal LAN destinations or get through but get dropped on the way out (this was particularly true with an FTP/Explicit TLS and Passive port config).
I knew that disabling SFE/CTF/FA would "fix" this behavior but I did not want to give up ~1 Gbit up/down WAN speeds for a couple of services I needed access to externally. I do have WireGuard as well but that is extra overhead on an already overburdened 6-7-year-old (specs-wise) home router.
Finally, I think I have found a good compromise (seems stable so far), and that is by keeping all the same port forward rules I created and changing the following options in the Setup page:
Shortcut Forwarding Engine: CTF
Flow Acceleration: CTF
(as always, a restart is required for these options to take effect)
These changes result in slightly slower throughput (50-100 Mbit lower depending on time of day and network load) but MUCH better than the 350-400 Mbit speed I was getting with SFE or both of these options 'Disabled'.
Flow Acceleration: CTF + FA results in the fastest and closest-to-advertised speed of my WAN/ISP but I lose port forwarding and then some. I have tried @egc's previous posts (https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=330016) about messing with the mangle table - didn't work with CTF+FA enabled. My Plex Media Server would go in/out of connecting to Plex's server too. This may be the best option and still requires some tweaks to DNSMasq (adding this option to my DNSMasq config: https://svn.dd-wrt.com/ticket/7472) in order to access my FTP externally.
As others have pointed out... I wouldn't get my hopes up of getting full NAT/port forwarding support with the CTF+FA NAT modules that are included in the current DDWRT builds - they are taxing as is (spiking my R7000's dual-core processor to 30% during speed tests) and the code is "maybe" known by 1-2 people who are busy supporting ddwrt. As others have suggested, it will be time soon (for me) to consider an actual purpose-built device for routing (and not the overpriced Cisco kind either), so here is my $.02 for Firewalla Gig/Multigig router/firewall appliances.
Hope this helps someone still running "old" SOHO wifi routers like mine with ddwrt.
Posted: Mon Sep 26, 2022 6:46 Post subject: Re: Possible fix for port forwarding
Spoke too soon... LAN NAT traversal works for FTPS (Explicit with Passive) on the local network but gets hung up again coming from outside. Plex is still hit and miss (this may just be Plex). Oh well... the current build suffices for now with WireGuard as needed, but I need to upgrade this soon... ddwrt was great while it lasted and caused more than a few sleepless nights troubleshooting.
Recent work that spurred this testing was realizing my VAP wifi setup was not as secure as it should be... more reading and recent developments on the VAP wifi front (finally doing away with the need to restart VAP wifi interfaces every time the router config was Applied... not fun) prompted me to upgrade, and with that a possible glimmer of hope to finally get NAT/port forwarding working with CTF/FA...
J
jacdc wrote: [the first post above, quoted in full]
Joined: 26 Mar 2013 Posts: 1857 Location: Hung Hom, Hong Kong
Posted: Sun Jul 30, 2023 14:06 Post subject:
So I copied the following 3 rules from the Asus RT-N18U's official firmware:
Code:
# $iptb is the firmware's iptables variable; the MARK target is normally used from the mangle table's FORWARD chain
# mark LAN-to-LAN forwarded traffic with 0x1 in the low three bits of the fwmark
$iptb -A FORWARD -s 192.168.1.0/24 -d 192.168.1.0/24 -o $(nvram get lan_ifname) -j MARK --set-xmark 0x1/0x7
# mark SIP (port 5060) flows, UDP and TCP, with the same value
$iptb -A FORWARD -p udp -m udp --dport 5060 -j MARK --set-xmark 0x1/0x7
$iptb -A FORWARD -p tcp -m tcp --dport 5060 -j MARK --set-xmark 0x1/0x7
Port-forwarding over CTF still didn't work. Switching "5060" to the port number being forwarded also didn't work.
The 3 rules seemed to work when used with the official firmware, though I dunno whether the official firmware was actually using CTF, let alone CTF+FA. But the kernel 2.6.36.4brcmarm of the official firmware was tainted. It's older than DD-WRT's kernel 4.4.302-st40. And DD-WRT's kernel might not be tainted.
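As an added diagnostic (not posted by anyone in this thread), the script below parses `iptables -vnL -t nat` and `iptables -vnL -t mangle FORWARD` listings and reports, for each DNAT port forward, whether any packets have hit the rule (the "rule present but traffic never arrives" symptom of the first post) and whether a MARK 0x1/0x7 rule of the kind quoted above covers that port. The listings, interface name vlan2 and addresses are constructed samples.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Parses iptables listings and reports, per DNAT port
# forward, whether any packets have hit the rule and whether a MARK 0x1/0x7 rule covers the port.

# Constructed sample of `iptables -vnL -t nat`; interface vlan2 and addresses are made up.
NAT_SAMPLE='Chain PREROUTING (policy ACCEPT 4021 packets, 310K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:32400 to:192.168.1.50:32400
  318   19K DNAT       tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:990 to:192.168.1.40:990
Chain POSTROUTING (policy ACCEPT 2110 packets, 150K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2110  150K MASQUERADE  all  --  *      vlan2   192.168.1.0/24       0.0.0.0/0'

# Constructed sample of `iptables -vnL -t mangle FORWARD` with one rule in the style quoted above.
MANGLE_SAMPLE='Chain FORWARD (policy ACCEPT 9000 packets, 7000K bytes)
 pkts bytes target     prot opt in     out     source               destination
   41  3000 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:990 MARK xset 0x1/0x7'

# Emit "<dport> <to> <pkts>" for each DNAT rule in the nat listing given on stdin.
dnat_rules() {
  awk '$3 == "DNAT" {
    port = ""; to = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^dpt:/) port = substr($i, 5)
      if ($i ~ /^to:/)  to = substr($i, 4)
    }
    if (port != "") print port, to, $1
  }'
}

# Succeed if the mangle listing on stdin has a MARK rule with 0x1/0x7 matching dport $1.
has_bypass_mark() {
  awk -v p="dpt:$1" '
    $3 == "MARK" && index($0, "0x1/0x7") { for (i = 1; i <= NF; i++) if ($i == p) found = 1 }
    END { exit found ? 0 : 1 }'
}

# audit_forwards <nat listing> <mangle listing>: one line per forward,
# "<dport> <to> hits=<pkts> mark=yes|no". hits=0 with the rule in place means
# no packet has traversed the DNAT rule in netfilter since the counters were reset.
audit_forwards() {
  printf '%s\n' "$1" | dnat_rules | while read -r port to pkts; do
    if printf '%s\n' "$2" | has_bypass_mark "$port"; then m=yes; else m=no; fi
    printf '%s %s hits=%s mark=%s\n' "$port" "$to" "$pkts" "$m"
  done
}

audit_forwards "$NAT_SAMPLE" "$MANGLE_SAMPLE"
```

On a live router, feed it the real output (`audit_forwards "$(iptables -vnL -t nat)" "$(iptables -vnL -t mangle FORWARD)"`) and compare counters before and after a test connection from outside.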