Posted: Mon Jun 14, 2021 0:48 Post subject: Only 3mbps speed from web server behind R7800 over WAN
Hi,
I'm using this firmware
DD-WRT v3.0-r41813 std (c) 2019 NewMedia-NET GmbH
Release: 12/29/19
Board: Netgear R7800
I forwarded TCP/80 port to web server.
My computer is 1500 km away from DD-WRT router.
Download speeds from web server to my computer (file is hosted in RAM)
TEST 1: Server 2 -> Router = 800mbps
TEST 2: Server 2 -> WAN -> Computer = 30mbps
TEST 3: Server 1 -> Router = 800mbps
TEST 4: Server 1 -> WAN -> Computer using 15 connections = 15mbps
TEST 5: Server 1 -> WAN -> Computer = 3mbps (the issue!)
Any ideas how would you go to improve DNAT/WAN speed?
CPU and RAM is almost idling.
I've reviewed sysctl -a kernel parameters and tried to get newest version of iptables using opkg without any luck.
So what else could be wrong?
I've reviewed sysctl -a kernel parameters and tried to get newest version of iptables using opkg without any luck.
update the router to a current dd-wrt version?
Quote:
Server 1 - it has 4.6 load average. Server 1 also handles around 500-1000 connections for other things outside of tests
test server 1 without additional load?
Quote:
Router - westwood
i use cubic everywhere
otherwise the whole sysctl values are no longer correct anyway, they have changed a few months ago
Many thanks for your input as 10y+ of admin/devops experience doesn't lead me to the root cause.
I have three DD-WRT units in different locations connected via VPN (running Kubernetes successfully, just performance is not good - VPN is out of scope of this issue - UDP performs fine).
The DD-WRT version I'm using is completely stable, it's excellent.
While it's easier to tune existing firmware on remote units, may I ask you which firmware do you recommend to upgrade to?
I've tried to reduce load on server 1 by 70% and download speed didn't improve at all.
Definitely will try cubic as this seems default nowadays.
Last edited by LaimisV on Mon Jun 14, 2021 12:43; edited 1 time in total
Although not directly related to your topic, if you are running OpenVPN on the router you might consider upgrading to a recent build and use Chacha-Poly for encryption.
You might even consider WireGuard which is a lot faster.
I have WireGuard in my to do list to replace OpenVPN. To not change everything in one go, will OpenVPN 2.4 (older firmware) work with latest DD-WRT firmware for R7800? The exact firmware which you can recommend for stability/performance. I guess OpenVPN is upgraded to 2.5.
If that is possible to connect 2.4 and 2.5, I can keep 2 of 3 routers running while upgrading 1. In Kubernetes/clusters terms it's keeping quorum.
Of course, I can switch off everything, but usually it takes longer to get everything in balance and working perfectly (issues could appear in a day, week or so).
Joined: 18 Mar 2014 Posts: 12888 Location: Netherlands
Posted: Mon Jun 14, 2021 12:18 Post subject:
OpenVPN 2.5.2 which we are now running should be backwards compatible with 2.4.
Chacha-poly is only available in 2.5, you should be able to use GCM ciphers for both 2.4 and 2.5 which are more efficient than CBC.
In my signature at the bottom links to documentation for OpenVPN and WireGuard (In the advanced setup guide is an example of a site-to-site setup between 3 sites)
OpenVPN 2.5.2 which we are now running should be backwards compatible with 2.4.
Chacha-poly is only available in 2.5, you should be able to use GCM ciphers for both 2.4 and 2.5 which are more efficient than CBC.
In my signature at the bottom links to documentation for OpenVPN and WireGuard (In the advanced setup guide is an example of a site-to-site setup between 3 sites)
My R7800 (which is just lightly taxed) does about 85 Mb/s OpenVPN and 270 Mb/s for WireGuard, usually WG has about 3 times the performance of OpenVPN YMMV.
Excellent info, thanks for documentations too!
Still off topic, but does Wireguard use 1 core? In my case there are two processes per router:
OpenVPN server A -> OpenVPN client B
OpenVPN server B -> OpenVPN client C
OpenVPN server C -> OpenVPN client A
So maybe I can assign first core to Wireguard link 1 and second core to link 2.
To get back to TCP performance question, does latest R7800 have cubic by default (...and probably more parameters re-optimised for better performance)?
To get back to TCP performance question, does latest R7800 have cubic by default (...and probably more parameters re-optimised for better performance)?
the TCP congestion control , can actually be set in the WebIF for a very long time ( tab "administration > management")
the sysctl parameter were adjusted (can be adjusted in current images comfortably via "adminstration > sysctl")
at the moment I'm still running build v3.0-r46395 (without any problems) because I currently have little time to test alphas and betas...
so I don't know what to recommend you there, basically every image probably has some bugs (they do not have to bother you personally)
just read the release threads, test one of the current (latest) images...
otherwise the whole sysctl values are no longer correct anyway, they have changed a few months ago
please elaborate ...!?
I use Vegas...this is so far the best compatible with my ISP, as those depend on what ISP is running...if im not wrong...
So why cubic and where that is messing with sysctl values...??
i use cubic because i have made good experiences/ tests with it and it is the standard for most clients
especially older clients have only cubic or reno
the TCP congestion control on your router only affects TCP traffic that terminates at your router
it doesn't change the forwarded traffic at all and only affects connections that are directed to your router itself
with the sysctl values everything is ok, but the thread creator refers to 2 years old values that are no longer up to date. (in the link above to serverfault)
Using 'TCP Congestion Control' bbr on the EA8500 for year or so without problems
AND
r46885 been doing really good for me using ath10k 'VANILLA' firmware
TCP BBR is not present on all routers...at least not on R7000 that i use atm _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
and terminates at the router...correct