Joined: 26 Mar 2013 Posts: 1855 Location: Hung Hom, Hong Kong
Posted: Sat Aug 20, 2022 12:57 Post subject: [UNSOLVED] Asus RT-N18U: CTF and port-forwarding
Does CTF work in Asus RT-N18U? It seemed that only Netgear routers could get it working properly with port-forwarding.
After switching from STE to CTF, port-forwarding no longer worked. The firewall did register traffic into the port to be forwarded, but there was no response out of it.
Do I need to wipe all settings to make it work? I am using DD-WRT v3.0-r49792 std (08/20/22).
One interesting observation: after enabling CTF and CTF+FA, the test results of DNS over TLS (Unbound DNS server) were a lot more consistent. With SFE, the result sometimes jumped between Yes and No.
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Sat Aug 20, 2022 13:29 Post subject:
This is known default behavior for CTF, because it bypasses all manners of traffic shaping to accelerate NAT.
I'm surprised by this topic from you, mwchang; it's the sort of thing one expects to see from new community members, not from battle-hardened hardcore DD-WRT'ers, and it's not the first topic about it either, or ticket on trac.
Joined: 26 Mar 2013 Posts: 1855 Location: Hung Hom, Hong Kong
Posted: Sat Aug 20, 2022 13:41 Post subject:
the-joker wrote:
This is known default behavior for CTF, because it bypasses all manners of traffic shaping to accelerate NAT.
I'm surprised by this topic from you, mwchang; it's the sort of thing one expects to see from new community members, not from battle-hardened hardcore DD-WRT'ers, and it's not the first topic about it either, or ticket on trac.
I did understand that port-forwarding would not work with CTF. I did read through those posts and that SVN found via Google Search.
Then I was hoping for a miracle, so I asked.
_________________ Router: Asus RT-N18U (rev. A1)
Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!
Joined: 26 Mar 2013 Posts: 1855 Location: Hung Hom, Hong Kong
Posted: Sun Aug 21, 2022 3:09 Post subject:
the-joker wrote:
egc posted the miracle, should work TM
Then I failed to find the solution! It's NOT yet solved for Asus RT-N18U, but maybe Netgear routers. I suspect SVN #7472 was incorrectly treated as solved. I think it's just closed, not solved. Also, thread #330016 didn't conclude as solved.
This morning (HKT), I went all the way to refresh firmware 49792 WITH reset. On first boot, only the SFE option was visible, which is kind of normal. I added ranged port-forwarding (suggested by the SVN) and everything just worked. In the process, I enabled system logging.
Then I set SFE to Disabled and rebooted; both the CTF and CTF+FA options became visible. I turned them both on, and DD-WRT rebooted twice. Afterwards, port-forwarding no longer worked.
I then added the following rule to the firewall script and rebooted; port-forwarding still failed to work!
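A way to pin down where a forward like the one above dies, added here as an example and not code from the thread or from DD-WRT: the script cross-references the packet counters of the DNAT rules in `iptables -t nat -nvL PREROUTING` with the connection-tracking table (`/proc/net/ip_conntrack`, or `/proc/net/nf_conntrack` on newer kernels). A forward whose DNAT rule counts packets while every matching flow stays `[UNREPLIED]` was translated on the way in but never answered, which is exactly the "traffic in, no response out" symptom reported in this thread. The iptables output, conntrack lines, interface names and addresses are constructed samples; the regular expressions assume the standard text layout of those two sources.

```python
import re

# Constructed sample of `iptables -t nat -nvL PREROUTING` on a DD-WRT box.
# Interface names, addresses and counters are made up for this example.
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 1203 packets, 98K bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 DNAT       tcp  --  vlan2  *       0.0.0.0/0            203.0.113.10         tcp dpt:8080 to:192.168.1.50:80
    0     0 DNAT       udp  --  vlan2  *       0.0.0.0/0            203.0.113.10         udp dpt:51820 to:192.168.1.60:51820
"""

# Constructed sample of /proc/net/ip_conntrack. The first flow is a forwarded
# connection whose SYN was translated but never answered ([UNREPLIED]); the
# second is an unrelated outbound flow that is working normally.
SAMPLE_CONNTRACK = """\
tcp      6 117 SYN_SENT src=198.51.100.7 dst=203.0.113.10 sport=51234 dport=8080 [UNREPLIED] src=192.168.1.50 dst=198.51.100.7 sport=80 dport=51234 mark=0 use=2
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=198.51.100.9 sport=40000 dport=443 src=198.51.100.9 dst=203.0.113.10 sport=443 dport=40000 [ASSURED] mark=0 use=2
"""

# One DNAT rule line: counters, protocol, external port and translation target.
DNAT_RE = re.compile(
    r"^\s*(?P<pkts>\S+)\s+(?P<bytes>\S+)\s+DNAT\s+(?P<proto>tcp|udp)\s+.*?"
    r"dpt:(?P<dport>\d+)\s+to:(?P<to>[\d.]+:\d+)"
)
# One conntrack entry; the optional "ipv4 2" prefix is the nf_conntrack layout,
# the optional upper-case token is the TCP state (UDP entries have none).
FLOW_RE = re.compile(
    r"^(?:ipv4\s+2\s+)?(?P<proto>tcp|udp)\s+\d+\s+\d+\s+(?:[A-Z_]+\s+)?"
    r"src=\S+\s+dst=(?P<dst>\S+)\s+sport=\d+\s+dport=(?P<dport>\d+)"
)


def parse_counter(token):
    """Turn an iptables -v counter such as '42', '98K' or '1.2M' into an int."""
    mult = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    if token[-1] in mult:
        return int(float(token[:-1]) * mult[token[-1]])
    return int(token)


def parse_dnat_rules(nat_text):
    """Return one dict per DNAT rule: protocol, external port, target and packet hits."""
    rules = []
    for line in nat_text.splitlines():
        m = DNAT_RE.match(line)
        if m:
            rules.append({"proto": m["proto"], "dport": int(m["dport"]),
                          "to": m["to"], "pkts": parse_counter(m["pkts"])})
    return rules


def parse_flows(conntrack_text):
    """Return (proto, original dst, original dport, unreplied) per conntrack entry."""
    flows = []
    for line in conntrack_text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            flows.append((m["proto"], m["dst"], int(m["dport"]), "[UNREPLIED]" in line))
    return flows


def diagnose(nat_text, conntrack_text):
    """Cross-reference DNAT hit counters with conntrack reply state.

    Verdicts:
      no-hits   the DNAT rule never matched: traffic is not reaching the WAN port
      no-flows  the counters show past hits but there is no live flow to judge
      no-reply  packets were translated but every flow is stuck [UNREPLIED]:
                the return path is broken, not the inbound rule
      ok        at least one forwarded flow has seen a reply
    """
    flows = parse_flows(conntrack_text)
    report = []
    for rule in parse_dnat_rules(nat_text):
        matching = [f for f in flows if f[0] == rule["proto"] and f[2] == rule["dport"]]
        unreplied = sum(1 for f in matching if f[3])
        if rule["pkts"] == 0:
            verdict = "no-hits"
        elif not matching:
            verdict = "no-flows"
        elif unreplied == len(matching):
            verdict = "no-reply"
        else:
            verdict = "ok"
        report.append({**rule, "flows": len(matching), "unreplied": unreplied,
                       "verdict": verdict})
    return report


if __name__ == "__main__":
    for r in diagnose(SAMPLE_NAT, SAMPLE_CONNTRACK):
        print(f"{r['proto']}/{r['dport']} -> {r['to']}: {r['pkts']} pkts, "
              f"{r['unreplied']}/{r['flows']} flows unreplied: {r['verdict']}")
```

On the router itself, feed `diagnose()` the real output of the two commands instead of the samples. A `no-hits` verdict points at the inbound side (the rule or WAN reachability), while `no-reply` says the inbound rule did its job and the return path is what to look at, which is where an accelerator that bypasses the normal netfilter path would show up.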
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Sun Aug 21, 2022 10:10 Post subject:
Do you really need CTF & FA? Can't you try just CTF?
Re: warning;
What may happen is that some documentation about it finally gets added in HSetup.asp, but even if it existed right now, when was the last time you clicked the "more" link for any help page in DD-WRT? Be honest now.
We have many functions that aren't documented, and most people can use search engines but don't, and instead try to use others as their personal search engines. The top link when searching for NAT acceleration: I suggest you give that a read.
Any documentation on the DD-WRT side will likely just be a reduced/condensed version of that.
CTF and CTF & FA do something, and by design some things won't work, as documented above. If the workaround egc posted doesn't help you, then the only solution is to get a router that is fast enough, non-Broadcom, to give you Gigabit WAN speeds with SFE only.
CTF and CTF & FA are closed source, as you know, not that it matters, because the reason it works the way it does is by bypassing many default behaviors and other features.
Joined: 26 Mar 2013 Posts: 1855 Location: Hung Hom, Hong Kong
Posted: Sun Aug 21, 2022 11:05 Post subject:
the-joker wrote:
Do you really need CTF & FA? Can't you try just CTF?
I tried all combinations and only SFE could work with port-forwarding.
Quote:
Re: warning;
What may happen is that some documentation about it finally gets added in HSetup.asp, but even if it existed right now, when was the last time you clicked the "more" link for any help page in DD-WRT? Be honest now.
....
This may sound like a complaint, but it's not. Anyone can contribute to DD-WRT help files; besides myself there is no one else to do it, and some people have plainly said "why bother". That said, the built-in help pages need much love and DD-WRT needs volunteers; as the old saying goes, many hands make hard work lighter.
Acknowledged and understood! CTF isn't affecting all iptables rules, just port-forwarding. If SFE works fine with port-forwarding, CTF should be able to do the same. It's strange that it doesn't right now.
I would try again many builds later! Later!!
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Sun Aug 21, 2022 12:27 Post subject:
Nothing will change build-wise; it's closed source, and I doubt, even with access to the source code (which I'm sure Brainslayer has), that this will be any kind of priority right now. Get this: it works as designed by Broadcom, so it's not even a bug.
But surely there must be a way around it; search engines are your friend. It doesn't matter what router it is either: if it's Broadcom and has CTF / CTF & FA, the modules are identical, so any workaround should work in any. Also, it's strange that egc claims it works for him on the trac ticket.
SFE is open source, and while it's analogous to CTF for software NAT acceleration, it's not the same design.
If you can't get a workaround, the only long-term solution is a beefy non-Broadcom router which can handle Gigabit WAN via SFE.
Perhaps now is the time that you share your setup screenshots with egc's workaround and any related screenshots to see if there is any setup faux pas.
Joined: 26 Mar 2013 Posts: 1855 Location: Hung Hom, Hong Kong
Posted: Mon Aug 22, 2022 3:22 Post subject:
kernel-panic69 wrote:
Gratuitous further reading instead of taking some redditor's comment without valid linked information.
Chaos energy to expand that entire thread for all comments, too much noise and possible misinformation.
I just wanna find out whether the latest DD-WRT build for Asus RT-N18U could enable CTF to work with port-forwarding auto-magically. I did expect this to fail.
I am less interested in the mechanism of CTF. Thank you for the links, though they didn't talk about iptables or port-forwarding as a user.
The source code did mention Netfilter (nf_), aka iptables, but I am not ready for it. ctf_mark looked promising, but I didn't see any use of it in the diff view.
Joined: 26 Mar 2013 Posts: 1855 Location: Hung Hom, Hong Kong
Posted: Mon Aug 22, 2022 11:39 Post subject:
egc wrote:
I am running build 49792 on my R7000 and I can port forward with CTF+FA enabled and it also works with CTF without FA.
....
Maybe my testing is flawed and I have a secret hole?
The Broadcom chip in your R7000 should be newer and faster than my old RT-N18U. Yours has a dual-core processor and supports 802.11ac. Maybe that's the reason??
Another maybe: could a slow Broadcom processor take advantage of CTF & FA?
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Mon Aug 22, 2022 12:38 Post subject:
mwchang wrote:
The Broadcom chip in your R7000 should be newer and faster than my old RT-N18U. Yours has a dual-core processor and supports 802.11ac. Maybe that's the reason??
That is certainly possible; do you have FA at all?
If not, you certainly have an older chip.
mwchang wrote:
Another maybe: could a slow Broadcom processor take advantage of CTF & FA?
I know only the newer CPUs have FA; my E2000 (MIPS) does have CTF but no FA.
Joined: 26 Mar 2013 Posts: 1855 Location: Hung Hom, Hong Kong
Posted: Mon Sep 05, 2022 11:33 Post subject:
egc wrote:
That is certainly possible; do you have FA at all?
If not, you certainly have an older chip.
I know only the newer CPUs have FA; my E2000 (MIPS) does have CTF but no FA.
But as already noted, it is a black box, so we keep guessing.
Still no port-forwarding with build 50057, firmware upgrade and factory reset! Just CTF enabled, no FA.
Will keep trying in future builds without hoping for anything. Would ctf_mark help?
Joined: 26 Mar 2013 Posts: 1855 Location: Hung Hom, Hong Kong
Posted: Tue Sep 06, 2022 7:53 Post subject:
The following log entries looked interesting: there was no entry like "nf_port_forward".
Also, I didn't enable VPN; did these entries explain why my port-forwarding failed? That I needed to enable VPN for port-forwarding to work with CTF? Well...