[UNSOLVED] Asus RT-N18U: CTF and port-forwarding

mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong

Posted: Sat Aug 20, 2022 12:57    Post subject: [UNSOLVED] Asus RT-N18U: CTF and port-forwarding
Does CTF work in Asus RT-N18U? It seemed that only Netgear routers could get it working properly with port-forwarding.

After switching from STE to CTF, port-forwarding no longer worked. The firewall did register traffic into the port to be forwarded, but there was no response out of it.

Do I need to wipe all settings to make it work? I am using DD-WRT v3.0-r49792 std (08/20/22).

One interesting observation: after enabling CTF and CTF+FA, the test results of DNS over TLS (Unbound DNS server) were a lot more consistent. With SFE, the result jumped between Yes and No sometimes.

https://1.1.1.1/help#
https://www.cloudflare.com/ssl/encrypted-sni/

Code:
# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 796 packets, 92191 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            110.235.6.9          to:192.168.1.1
   56  3499 DNAT       tcp  --  *      *       0.0.0.0/0            110.235.6.9          tcp dpt:8080 to:192.168.1.100
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            110.235.6.9          udp dpt:8080 to:192.168.1.100
   67  6341 TRIGGER    all  --  *      *       0.0.0.0/0            110.235.6.9         TRIGGER type:dnat match:0 relate:0

_________________
Router: Asus RT-N18U (rev. A1)

Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!

Facebook: https://www.facebook.com/changmanwai
Website: https://sites.google.com/site/changmw
SETI@Home profile: http://setiathome.berkeley.edu/view_profile.php?userid=211832
GitHub: https://github.com/changmw/changmw


Last edited by mwchang on Mon Aug 22, 2022 4:53; edited 1 time in total
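
Added example (not part of the original post and not DD-WRT code): a small shell/awk helper that reads `iptables -vnL -t nat` output and summarises each port-forward (DNAT) rule with its hit counter, which is the check behind "the firewall did register traffic". The function name `dnat_forwards` and the HIT/IDLE labels are made up for this example; the sample input is the listing quoted in the post above.

```shell
#!/bin/sh
# Summarise DNAT (port-forward) rules from `iptables -vnL -t nat` read on stdin.
# Output per rule: proto wan_ip port lan_target pkts HIT|IDLE
#
# nat-table rules are only evaluated for the first packet of a connection,
# so "pkts" counts new connections that matched the rule, not all traffic.
# A rule that shows HIT while the client gets no reply means the packet was
# matched and rewritten on arrival, so the failure is later in the path.

# Sample input: the PREROUTING listing quoted in the post above.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 796 packets, 92191 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            110.235.6.9          to:192.168.1.1
   56  3499 DNAT       tcp  --  *      *       0.0.0.0/0            110.235.6.9          tcp dpt:8080 to:192.168.1.100
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            110.235.6.9          udp dpt:8080 to:192.168.1.100
   67  6341 TRIGGER    all  --  *      *       0.0.0.0/0            110.235.6.9         TRIGGER type:dnat match:0 relate:0'

dnat_forwards() {
    awk '
    # iptables -v abbreviates large counters (12K, 3M, 1G) unless -x is given.
    function expand(n,   u) {
        u = substr(n, length(n))
        if (u == "K") return substr(n, 1, length(n) - 1) * 1000
        if (u == "M") return substr(n, 1, length(n) - 1) * 1000000
        if (u == "G") return substr(n, 1, length(n) - 1) * 1000000000
        return n + 0
    }
    # Track which chain the following rule lines belong to.
    /^Chain / { chain = $2; next }
    # Columns: pkts bytes target prot opt in out source destination [match...]
    chain == "PREROUTING" && $3 == "DNAT" {
        port = "-"; dest = "-"
        for (i = 10; i <= NF; i++) {
            # dpt:8080 is a single port, dpts:8000:8100 a forwarded range.
            if ($i ~ /^dpts?:/) { port = $i; sub(/^dpts?:/, "", port) }
            if ($i ~ /^to:/)    { dest = $i; sub(/^to:/, "", dest) }
        }
        pk = expand($1)
        printf "%s %s %s %s %d %s\n", $4, $9, port, dest, pk, (pk > 0 ? "HIT" : "IDLE")
    }'
}

# On the router: iptables -vnL -t nat | dnat_forwards
# Here: run against the sample so the script works offline.
printf '%s\n' "$SAMPLE_NAT" | dnat_forwards
```

Running it before and after a connection attempt from outside shows whether the counter for the forwarded port moves; only the TCP 8080 rule in the quoted listing has been hit.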
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Sat Aug 20, 2022 13:29
This is known default behavior for CTF, because it bypasses all manners of traffic shaping to accelerate NAT.

I'm surprised by this topic from you mwchang, it's the sort of thing one expects to see from new community members not by battle hardened hardcore DD-WRT'ers, and not the first topic about it either or ticket on trac.

So for your prize you win a trip to this link https://svn.dd-wrt.com/ticket/7472 and read down to egc's post for solution.

You should NOT enable CTF & FA unless you have Gigabit WAN ISP service because it has more caveats than CTF.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
mwchang
DD-WRT Guru

Posted: Sat Aug 20, 2022 13:41
the-joker wrote:
This is known default behavior for CTF, because it bypasses all manners of traffic shaping to accelerate NAT.

I'm surprised by this topic from you mwchang, it's the sort of thing one expects to see from new community members not by battle hardened hardcore DD-WRT'ers, and not the first topic about it either or ticket on trac.

I did understand that port-forwarding would not work with CTF. I did read through those posts and that SVN found via Google Search.

Then I was hoping for a miracle, so I asked. :)


the-joker
DD-WRT Developer/Maintainer

Posted: Sat Aug 20, 2022 14:48
egc posted the miracle, should work TM

mwchang
DD-WRT Guru

Posted: Sun Aug 21, 2022 3:09
the-joker wrote:
egc posted the miracle, should work TM

Then I failed to find the solution! It's NOT yet solved for Asus RT-N18U, but maybe Netgear routers. I suspect SVN #7472 was incorrectly treated as solved. I think it's just closed, not solved. Also, thread #330016 didn't conclude as solved.

This morning (HKT), I went all the way to refresh firmware 49792 WITH reset. On first boot, only SFE option was visible, which is kind of normal. I added ranged port-forwarding (suggested by the SVN) and everything just worked. In the process, I enabled system logging.

Then I set SFE to Disabled and rebooted, both CTF and CTF+FA options became visible. I turned them both on, and DD-WRT rebooted twice. Afterwards, port-forwarding no longer worked.

I then added the following rule to the firewall script and rebooted; port-forwarding still failed to work!
Code:
iptables -I PREROUTING -t mangle -p tcp --dport 8080 -j MARK --set-mark 0x1

I then turned off and on the router, still no port-forwarding.

I don't think NAT loopback (mentioned by one of the replies in the SVN) was relevant since my DD-WRT had a factory reset.

What else should I try, if I missed something?

(If CTF could break port-forwarding, DD-WRT should warn users in the WEBUI!)


Related:

#7472 (Cut Through Forwarding breaks non-standard port forwarding - r47206 and r47474) – DD-WRT
https://svn.dd-wrt.com/ticket/7472

DD-WRT :: View topic - How to bypass CTF (Port Forward rule not working)
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=330016

DD-WRT :: View topic - Port Forwarding not working
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=329561

DD-WRT :: View topic - First draft of Flow Acceleration wiki entry
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=329251

CTF and/or SFE on FreshTomato | LinksysInfo.org
https://www.linksysinfo.org/index.php?threads/ctf-and-or-sfe-on-freshtomato.75967/

DD-WRT :: View topic - Port Forwarding is not working
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1261207

Forum: CTF Cut-Through Forwarding vs Broadcom FastNAT (modprobe bcm_nat) - OpenLinksys
https://openlinksys.info/forum/viewthread.php?thread_id=22318




Last edited by mwchang on Mon Aug 22, 2022 9:15; edited 6 times in total
the-joker
DD-WRT Developer/Maintainer

Posted: Sun Aug 21, 2022 10:10
Do you really need CTF & FA? Can't you try CTF, just CTF?

Re: warning;

What may happen is finally add some documentation about it in HSetup.asp but even if it existed right now, when was the last time you clicked the more link for any help page in DD-WRT? Be honest now ;)

We have many functions that aren't documented and most people can use search engines but don't, instead try to use others like their personal search engines. The top link when searching for NAT acceleration. I suggest you give that a read.

Any documentation DD-WRT side will likely just be a reduced/condensed version of that.

CTF and CTF & FA do something and by design some things won't work as documented above, if the workaround egc posted doesn't help you then the only solution is get a router that is fast enough, non-Broadcom, to give you Gigabit WAN speeds with SFE only.

CTF & CTF & FA are closed source as you know, not that it matters because the reason it works the way it does is by bypassing many default behaviors and other features.

This may sound like a complaint, but it's not, anyone can contribute to DD-WRT help files, besides myself there is no one else to do it, some people have plainly said why bother. That said, built-in help pages need much love and DD-WRT needs volunteers, as the old saying goes, many hands make hard work lighter.

mwchang
DD-WRT Guru

Posted: Sun Aug 21, 2022 11:05
the-joker wrote:
Do you really need CTF & FA? Can't you try CTF, just CTF?

I tried all combinations and only SFE could work with port-forwarding.
Quote:
Re: warning;

What may happen is finally add some documentation about it in HSetup.asp but even if it existed right now, when was the last time you clicked the more link for any help page in DD-WRT? Be honest now ;)

....

This may sound like a complaint, but it's not, anyone can contribute to DD-WRT help files, besides myself there is no one else to do it, some people have plainly said why bother. That said, built-in help pages need much love and DD-WRT needs volunteers, as the old saying goes, many hands make hard work lighter.

Acknowledged and understood! CTF isn't affecting all iptables rules, just port-forwarding. If SFE works fine with port-forwarding, CTF should be able to do the same. It's strange that it's not right now.

I would try again many builds later! Later!! :)

the-joker
DD-WRT Developer/Maintainer

Posted: Sun Aug 21, 2022 12:27
Nothing will change build wise, it's closed source and I doubt even with access to the source code, which I'm sure Brainslayer has, that this will be any kind of priority right now. Get this, it works as designed by Broadcom, so it's not even a bug.

This guy explains it well see 3.

But sure must be a way around it, search engines are your friend. It doesn't matter what router it is either, if it's Broadcom and has CTF / CTF & FA the modules are identical, any workaround should work in any. Also it's strange egc claims it works for him on the trac ticket.

SFE is open source, and while it's analogous to CTF for software NAT acceleration, it's not the same design.

If you can't get a workaround the only solution long term is a beefy non-Broadcom router which can handle Gigabit WAN via SFE.

Perhaps now is the time that you share your setup screenshots with egc's workaround and any related screenshots to see if there is any setup faux pas.

Sorry I can't test, my needs and current setup don't require port forwarding anymore and while I've tested CTF to improve the br0 performance and get the benefits wifi side, I saw there is no such need as my WAN speed is 100Mbps/10Mbps only and my wifi clients don't benefit from any improved performance speed wise.

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Sun Aug 21, 2022 18:02
Gratuitous further reading instead of taking some redditor's comment without valid linked information.
Chaos energy to expand that entire thread for all comments, too much noise and possible misinformation.
Broadcom BCM47xx - OpenWRT Wiki
[OpenWrt-Devel] Understanding/reimplementing forwarding acceleration used by Broadcom (ctf) - Narkive
Understanding/reimplementing forwarding acceleration used by Broadcom (ctf) - marc.info->linux-netdev
QoS and the "Broadcom Cut Through Forwarding feature" - Netgear Community

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
mwchang
DD-WRT Guru

Posted: Mon Aug 22, 2022 3:22
kernel-panic69 wrote:
Gratuitous further reading instead of taking some redditor's comment without valid linked information.
Chaos energy to expand that entire thread for all comments, too much noise and possible misinformation.

I just wanna find out whether the latest DD-WRT build for Asus RT-N18U could enable CTF to work with port-forwarding auto-magically. I did expect this to fail.

I am less interested in the mechanism of CTF. Thank you for the links, though they didn't talk about iptables nor port-forwarding as a user.

Source codes did mention NetFilter(nf_) aka iptables, but I am not ready for them. ctf_mark looked promising, but I didn't see use of it in the diff view.

'Understanding/reimplementing forwarding acceleration used by Broadcom (ctf)' - MARC
https://marc.info/?l=linux-netdev&m=137735759932646

Anyway, I will attempt again many builds later and update this thread.


egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Mon Aug 22, 2022 11:13
I am running build 49792 on my R7000 and I can port forward with CTF+FA enabled and it also works with CTF without FA.

I SSH into my NAS using port 2222

My phone is on cellular, my main router port forwards to the R7000 which is reset to defaults and in normal gateway mode on its own subnet.

The R7000 port forwards to my NAS, so I actually double port forward but it appears to work, I can SSH into my NAS.
Maybe my testing is flawed and I have a secret hole?

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
mwchang
DD-WRT Guru

Posted: Mon Aug 22, 2022 11:39
egc wrote:
I am running build 49792 on my R7000 and I can port forward with CTF+FA enabled and it also works with CTF without FA.
....
Maybe my testing is flawed and I have a secret hole?

The Broadcom chip in your R7000 should be newer and faster than my old RT-N18U. Yours is a dual-core processor and supports 802.11ac. Maybe that's the reason??

Another maybe: Could slow Broadcom processor take advantage of CTF & FA?

egc
DD-WRT Guru

Posted: Mon Aug 22, 2022 12:38
mwchang wrote:
The Broadcom chip in your R7000 should be newer and faster than my old RT-N18U. Yours is a dual-core processor and supports 802.11ac. Maybe that's the reason??

That is certainly possible. Do you have FA at all?
If not, you certainly have an older chip.

mwchang wrote:
Another maybe: Could slow Broadcom processor take advantage of CTF & FA?

I know only the newer CPUs have FA, my E2000 (MIPS) does have CTF but no FA.

But like already noted it is a black box so we keep guessing.

mwchang
DD-WRT Guru

Posted: Mon Sep 05, 2022 11:33
egc wrote:
That is certainly possible. Do you have FA at all?
If not, you certainly have an older chip.
I know only the newer CPUs have FA, my E2000 (MIPS) does have CTF but no FA.
But like already noted it is a black box so we keep guessing.

Still no port-forwarding with build 50057, firmware upgrade and factory reset! Just CTF enabled, no FA.

Will keep trying in future builds without hoping for anything. Would ctf_mark help? :)

mwchang
DD-WRT Guru

Posted: Tue Sep 06, 2022 7:53
Following log entries looked interesting: there was no entry like "nf_port_forward".

Also, I didn't enable VPN. Did these entries explain why my port-forwarding failed? That I needed to enable VPN for port-forwarding to work with CTF? Well...
Code:
# grep -i -E 'ctf|servicemanager' /var/log/messages

Sep  6 15:44:22 RT-N18U-HST user.info : [ctf] : fast path forwarding successfully started
Sep  6 15:44:23 RT-N18U-HST user.info : [vpn modules] : vpn modules successfully unloaded
Sep  6 15:44:23 RT-N18U-HST user.info : [vpn modules] : nf_conntrack_proto_gre successfully loaded
Sep  6 15:44:23 RT-N18U-HST user.info : [vpn modules] : nf_nat_proto_gre successfully loaded
Sep  6 15:44:23 RT-N18U-HST user.info : [vpn modules] : nf_conntrack_pptp successfully loaded
Sep  6 15:44:24 RT-N18U-HST user.info : [vpn modules] : nf_nat_pptp successfully loaded
Sep  6 15:44:24 RT-N18U-HST user.info : [ctf] : fast path forwarding successfully started
Sep  6 15:44:24 RT-N18U-HST user.info : [ctf] : fast path forwarding successfully started

Tail of my log:
Code:
Sep  6 15:44:22 RT-N18U-HST user.info : [servicemanager] : waiting for services to finish (5)...
Sep  6 15:44:22 RT-N18U-HST user.info : [nas] : daemon successfully stopped
Sep  6 15:44:22 RT-N18U-HST user.info : [ipv6] : successfully stopped
Sep  6 15:44:22 RT-N18U-HST user.info : [pptpd] : daemon successfully stopped
Sep  6 15:44:22 RT-N18U-HST user.info : [ctf] : fast path forwarding successfully started
Sep  6 15:44:23 RT-N18U-HST user.info : [vpn modules] : vpn modules successfully unloaded
Sep  6 15:44:23 RT-N18U-HST user.info : [vpn modules] : nf_conntrack_proto_gre successfully loaded
Sep  6 15:44:23 RT-N18U-HST user.info : [vpn modules] : nf_nat_proto_gre successfully loaded
Sep  6 15:44:23 RT-N18U-HST user.info : [vpn modules] : nf_conntrack_pptp successfully loaded
Sep  6 15:44:24 RT-N18U-HST user.info : [vpn modules] : nf_nat_pptp successfully loaded
Sep  6 15:44:24 RT-N18U-HST user.info : [ctf] : fast path forwarding successfully started
Sep  6 15:44:24 RT-N18U-HST user.info : [ctf] : fast path forwarding successfully started
Sep  6 15:44:24 RT-N18U-HST user.info : [wland] : daemon successfully stopped
Sep  6 15:44:24 RT-N18U-HST user.info : [wland] : successfully started
Sep  6 15:44:25 RT-N18U-HST user.info : [nas] : start nas lan
Sep  6 15:44:25 RT-N18U-HST user.info : [nas] : start nas for wl0
Sep  6 15:44:25 RT-N18U-HST user.info : [nas] : NAS lan (wl0 interface) successfully started
Sep  6 15:44:25 RT-N18U-HST user.info : [nas] : successfully started
Sep  6 15:44:26 RT-N18U-HST daemon.info httpd[3464]: [httpd] : httpd server shutdown
Sep  6 15:44:26 RT-N18U-HST user.info : [httpd] : daemon successfully stopped
Sep  6 15:44:26 RT-N18U-HST daemon.info httpd[4474]: [httpd] : httpd server started at port 80
Sep  6 15:44:26 RT-N18U-HST user.info : [httpd] : successfully started


Page 1 of 2. All times are GMT.