Possible bug on Asus RT-AC87U with ebtables

dvs23
DD-WRT Novice


Joined: 11 Feb 2017
Posts: 12

Posted: Tue Mar 21, 2017 18:47    Post subject: Possible bug on Asus RT-AC87U with ebtables
Hello everyone!

First: Asus RT-AC87U with latest beta build 03-17-2017-r31690

Today I noticed that something on my router consumes a lot of processor power, so I started to search. top showed this to me
Code:
/usr/sbin/ebtables -t nat -D POSTROUTING -o tap1 --pkttype-type multicast -j DROP

is using one complete core. The only Multicast related thing I remembered was enabling Security->Firewall->Block WAN Requests->"Filter Multicast" (checkbox enabled)
When I disabled this the process was not restarted after a kill, so it no longer consumes all the power :)

Is it a bug in DD-WRT or could there be anything else that's wrong with my router? I don't really need it, but in case it's a bug I thought I should tell someone :)

Thanks for such a great and free router firmware :)
dvs23
Hawk2001
DD-WRT Novice


Joined: 01 Apr 2017
Posts: 4

Posted: Sun Apr 02, 2017 5:52
This has been happening on my R7000 too. I've been associating it with OpenVPN, since the tap1 is involved. I assumed it has to do with NAT protection. I've had to kill the ebtables to get the VPN to work anywhere near line speeds.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 3449
Location: UK, London, just across the river..

Posted: Sun Apr 02, 2017 7:01
Hmm, I guess VPN is using high CPU power as it's a very CPU-aggressive process; also, it depends on what VPN encryption is used: high encryption lowers the speed and raises the CPU use.
_________________
Atheros
TP-Link WR740Nv1 ------DD-WRT 42514 BS WAP/Switch
TP-Link WR740Nv4 ------DD-WRT 42557 BS AP,NAT
TP-Link WR1043NDv2 ----DD-WRT 42287 BS AP,NAT,AD Block,AP Isolation,Firewall,Local DNS,Forced DNS,DoT,VPN
TP-Link WR1043NDv2 ----DD-WRT 42602 BS AP,NAT,AD Block,Firewall,Local DNS,Forced DNS,DoT,VPN
TP-Link WR1043NDv2 ----Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -------DD-WRT 42803 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Broadcom
Netgear R7000 -------DD-WRT 42803 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,DoT,VPN
------------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 via Entware by mac913
Hawk2001
DD-WRT Novice


Joined: 01 Apr 2017
Posts: 4

Posted: Sun Apr 02, 2017 10:49
This is definitely NOT the normal part of the VPN causing high usage. If I leave the ebtables processes running (sometimes one on each cpu @ 100%) the VPN maxes out at 15 mbit/s because the router doesn't have enough overhead to support the VPN. If I kill any ebtables processes not only does the VPN stay running, but it also jumps to 40+ mbit/s. The rule that ebtables is trying to run is part of the nat <-> tun1 drop for nat protection. This isn't the root of the problem however. If you attempt to interact with ebtables (e.g., CLI) at all it will peg a cpu and hang.

Edit: When speed testing with VPN on, ebtables not running the cpu usage is ~15%.
dvs23
DD-WRT Novice


Joined: 11 Feb 2017
Posts: 12

Posted: Sun Apr 02, 2017 12:32
Yup, same here! VPN CPU usage does not cause that trouble - at least not directly.
demilenos
DD-WRT Novice


Joined: 30 Oct 2017
Posts: 4

Posted: Mon Oct 30, 2017 2:57
Same problem here.
EA6900 / Firmware: DD-WRT v3.0-r33607 std (10/25/17)
Ebtables Firewall consumes 1 whole core.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5105
Location: Netherlands

Posted: Mon Oct 30, 2017 15:37
I have no ebtables running. Is this related to the TAP OpenVPN, which is a bridged (and thus ebtables related) solution?
_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2: http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
JohnS@
DD-WRT User


Joined: 10 Jun 2006
Posts: 311

Posted: Mon Oct 30, 2017 19:57
Other routers are affected as well by this problem :(, e.g. RT-AC56U or RT-18N.

See http://svn.dd-wrt.com/ticket/5807
demilenos
DD-WRT Novice


Joined: 30 Oct 2017
Posts: 4

Posted: Tue Oct 31, 2017 2:51
egc wrote:
I have no ebtables running. Is this related to the TAP OpenVPN, which is a bridged (and thus ebtables related) solution?


I just followed the instructions here: https://www.dd-wrt.com/wiki/index.php/Setting_up_IPTV_without_impact_to_LAN_and_Wireless_traffic
JohnS@
DD-WRT User


Joined: 10 Jun 2006
Posts: 311

Posted: Thu Nov 09, 2017 21:09
Issue is still present in build 33679 (device under test RT-AC-56U / DD-WRT v3.0-r33679 std (11/04/17)). Without OpenVPN client enabled in GUI the looping ebtables process is not present.

This seriously makes DDWRT currently unusable as GUI-configured OpenVPN client :(. This needs to get sorted.

Trac-Ticket 5807 has been updated.

Edit: Maybe this topic label could be edited as it seems to affect not one single device but apparently at least the BCM47xx platform.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5105
Location: Netherlands

Posted: Fri Nov 10, 2017 11:21
But only when using the bridged TAP, I am running OpenVPN client TUN and have no problem
JohnS@
DD-WRT User


Joined: 10 Jun 2006
Posts: 311

Posted: Fri Nov 10, 2017 12:05
egc wrote:
But only when using the bridged TAP[...]

Thanks for the information, I've updated Trac 5807 accordingly.

According to further diagnosis by user quarkysg the problem may result from a compilation bug of the ebtables binary.
quarkysg
DD-WRT User


Joined: 03 May 2015
Posts: 297

Posted: Fri Nov 10, 2017 21:31
Hi folks,

I've attached the ebtables binary for ARM CPU routers. This binary will likely only work for DD-WRT firmware running the Linux 4.4.x kernel.

I've also encountered the situation where ebtables will hang when it is executed on my DLink DIR-880L running r30342, so this issue has been there for quite a while. To investigate the issue, I downloaded the DD-WRT firmware and compiled a copy of the ebtables executables and to my surprise, my compiled copy of ebtables runs without any problem. So I suspect it could be the developers' build bot may have messed up the compilation when compiling for multiple targets.

The steps below should allow you to try out the attached ebtables executable:

1. Upload the attached 'ebtables.gz' file to your router using 'scp' (for Unix based OS) or WinSCP (using Windows)

2. Uncompress the compressed 'ebtables.gz' file and make it executable:

    (assuming that you have uploaded the file to the '/tmp/root' directory in your router):

    gunzip /tmp/root/ebtables.gz
    chmod a+x /tmp/root/ebtables

3. Test to ensure that the uploaded 'ebtables' is working:

    /tmp/root/ebtables -L

    You should see some output as shown below:

      Bridge table: filter

      Bridge chain: INPUT, entries: 0, policy: ACCEPT

      Bridge chain: FORWARD, entries: 0, policy: ACCEPT

      Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

4. If Step 3. is successful it means the 'ebtables' binary is working for your router. Proceed to override your router's existing binary with the uploaded one with the command below:

    mount --bind /tmp/root/ebtables /usr/sbin/ebtables


That should do it. Do note tho that the above will not survive a router restart as the ebtables binary is stored in the router's RAM. A restart will wipe it off. To make it persistent across router reboots, you need to upload the ebtables to a USB thumb drive or the JFFS partition in your router and add the command in Step 4. to your router's startup script, adjusting the path to the location of the uploaded ebtables binary.

Hope the above Step is clear enough for those who would like to try.



Attachment: ebtables.gz (30.89 KB), ebtables binary for ARM CPU on Linux 4.4.x

mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1476
Location: Canada

Posted: Fri Nov 10, 2017 22:36
I know with Kongac Builds it has working ebtables. So it must be BrainSlayer Builds that have these issues. Thanks quarkysg for your solutions!
_________________
Home Network on Telus PureFibre - 10GbE Copper Backbone
3x R7800 - Gateway WiFi 6xWireGuard - DDWRT r42803 Std
WHR-HP-G54 - Internal Routing - DDWRT r35531 std-special
2x E3000 - Gateway Wired IPTV - DDWRT r35531 Mega
E3000 - TRAVEL Wireless Client WireGuard(30Mbit/s) - DDWRT r42803 Mega

Off Site 1

R7000 - Gateway, WiFi & OpenVPN - KONGAC 39855M
WRT610Nv1 - Client Bridge - DDWRT r33679 Mega K2.4

Off Site 2

R7000 - Gateway & WiFi - KONGAC 39855M
E2000 - Wired PVR Blocker - DDWRT r35531


YAMon 3.4.6 | DNSCrypt-Proxy V2
JohnS@
DD-WRT User


Joined: 10 Jun 2006
Posts: 311

Posted: Sat Nov 11, 2017 9:52
quarkysg wrote:
I've attached the ebtables binary for ARM CPU routers. [...] allow you to try out the attached ebtables executable [...] Do note tho that the above will not survive a router restart [...] Hope the above Step is clear enough for those who would like to try.


quarkysg: THANK YOU!
egc, mwchang: Thanks for your inputs as well.

I can confirm that replacing the ebtables binary with quarkysg's properly compiled one makes OpenVPN client-mode (TAP) work in the new releases (I used 33679).

For the moment I've used the following crude startup script (prerequisite is that you have jffs enabled and put quarkysg's binary to /jffs/tmp/ - follow his instructions and/or adapt paths according to your setup):

Code:
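#!/bin/sh
## script for replacing broken ebtables binary from jffs
# delay before touching ebtables (30 seconds)
sleep 30
# stop any ebtables processes that are already running (and hanging)
killall ebtables
# overlay the stock binary with the copy stored on jffs
mount --bind /jffs/tmp/ebtables /usr/sbin/ebtables
logger "ebtables binary replaced (workaround)"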


I've updated Trac 5807 accordingly.

Guys, what do you think is the best way to get this likely simple fix permanently included in the upcoming BrainSlayer builds? Can we do more than documenting it in Trac?


Last edited by JohnS@ on Sat Nov 11, 2017 12:32; edited 1 time in total
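
A guarded variant of the startup script above, as an added example that is not part of the original thread: it refuses to bind-mount a binary obtained from a forum attachment unless its SHA-256 matches a value you recorded yourself and `ebtables -L` returns within a few seconds instead of hanging. The paths come from JohnS@'s post; `PINNED_SHA256`, the function names and the `--apply` argument are assumptions, and the hash shown is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes sha256sum and logger exist
# on the router. The pinned hash is a placeholder, NOT the attachment's hash.
NEW_BIN="${NEW_BIN:-/jffs/tmp/ebtables}"
TARGET="${TARGET:-/usr/sbin/ebtables}"
PINNED_SHA256="${PINNED_SHA256:-REPLACE_WITH_HASH_YOU_RECORDED}"

# Return 0 only if the file exists and its SHA-256 equals the pinned value.
verify_sha256() {
    [ -f "$1" ] || return 1
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Run "<binary> -L" under a watchdog. The broken build pegs a CPU and never
# returns, so a run still alive after $2 seconds is killed and counts as failed.
smoke_test() {
    "$1" -L >/dev/null 2>&1 &
    pid=$!
    waited=0
    while kill -0 "$pid" 2>/dev/null; do
        if [ "$waited" -ge "$2" ]; then
            kill -9 "$pid" 2>/dev/null
            wait "$pid" 2>/dev/null
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    wait "$pid"
}

# Only overlay the stock binary when both checks pass.
replace_ebtables() {
    verify_sha256 "$NEW_BIN" "$PINNED_SHA256" ||
        { logger "ebtables workaround: hash mismatch, not mounting"; return 1; }
    smoke_test "$NEW_BIN" 5 ||
        { logger "ebtables workaround: smoke test failed, not mounting"; return 1; }
    killall ebtables 2>/dev/null
    mount --bind "$NEW_BIN" "$TARGET" && logger "ebtables binary replaced (workaround)"
}

# Invoke as "<script> --apply" from the startup script; without the
# argument the file only defines the functions.
if [ "${1:-}" = "--apply" ]; then
    sleep 30
    replace_ebtables
fi
```

Record the hash once on a trusted machine, right after downloading and inspecting the file, and paste it into `PINNED_SHA256`; a later change to the file on jffs or USB then blocks the mount and leaves a line in the system log.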