[UNSOLVED] Asus RT-N18U: CTF and port-forwarding

jacdc
DD-WRT Novice
Joined: 19 May 2021
Posts: 37
PostPosted: Mon Sep 26, 2022 0:06    Post subject: Possible fix for port forwarding
Router - Netgear R7000
DDWRT build - r49934

Observed behavior knowing CTF/FA would be interfering with port forwarding - consistent dropping of traffic especially to internal Plex Media Server:

None of my port forward rules would work (I confirmed too that they were present in iptables with iptables -vnL -t nat etc.). Traffic would hit the router but packets would either not make it through to the internal LAN destinations or get through but get dropped on the way out (this was particularly true with an FTP/Explicit TLS and Passive port config).

I knew that disabling SFE/CTF/FA would "fix" this behavior but I did not want to give up ~1gb up/down WAN speeds for a couple of services I needed access to externally. I do have Wireguard as well but that is extra overhead on an already overburdened 6-7 year old (specs-wise) home router.

Finally, I think I have found a good compromise (seems stable so far) and that is by keeping all the same port forward rules I created and changing the following options in the Setup page:

Shortcut Forwarding Engine: CTF
Flow Acceleration: CTF
(as always a restart is required for these options to take effect)

These changes result in slightly slower throughput (50-100 Mbit lower depending on time of day and network load) but MUCH better than the 350-400 Mbit speed I was getting with SFE or both of these options 'Disabled'.

Flow Acceleration: CTF + FA results in the fastest and closest to the advertised speed of my WAN/ISP but I lose port forwarding and then some. I have tried @egc's previous posts (https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=330016) about messing with the mangle table - didn't work with CTF+FA enabled. My Plex Media Server would go in/out of connecting to Plex's server too. This may be the best option and still requires some tweaks to DNSMasq (adding this option to my DNSMasq config: https://svn.dd-wrt.com/ticket/7472) in order to access my FTP externally.

As others have pointed out...I wouldn't get my hopes up of getting full NAT/Port forwarding support with the CTF+FA NAT modules that are included in the current DDWRT builds - they are taxing as is (spiking my R7000's dual core processor to 30% during speed tests) and the code is "maybe" known by 1-2 people who are busy supporting ddwrt. As others have suggested, it will be time soon (for me) to consider an actual purpose-built device for routing (and not the overpriced Cisco kind either), so here is my $.02 for Firewalla Gig/Multigig router/firewall appliances :)

Hope this helps someone still running "old" SOHO wifi routers like mine with ddwrt.
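The post above checked that the DNAT rules were present with iptables -vnL -t nat but still could not tell whether incoming connections ever reached netfilter. The following added diagnostic (not from this thread or from DD-WRT) compares two snapshots of the nat PREROUTING chain taken around a repeated external connection attempt and reports which DNAT rules saw no new packets; the sample snapshots, the interface name vlan2 and the LAN hosts are constructed placeholders.

```sh
#!/bin/sh
# Compare two snapshots of `iptables -t nat -vnL PREROUTING` taken on the
# router before and after retrying an external connection to a forwarded port.
# The nat table only sees the first packet of each connection, so a DNAT rule
# whose counter does not advance means new connections never reached netfilter
# (bypassed or dropped earlier), which is a different failure from a rule that
# matches while the replies go astray on the way out.
# Constructed sample output (vlan2 and the LAN addresses are placeholders):
SNAP_BEFORE='Chain PREROUTING (policy ACCEPT 1200 packets, 96000 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 DNAT       tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:32400 to:192.168.1.10:32400
    7   420 DNAT       tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:990 to:192.168.1.20:990'

SNAP_AFTER='Chain PREROUTING (policy ACCEPT 1260 packets, 99400 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 DNAT       tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:32400 to:192.168.1.10:32400
   12   720 DNAT       tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:990 to:192.168.1.20:990'

# stalled_dnat_rules BEFORE AFTER
# Prints one line per DNAT rule: HIT (counter advanced), STALLED (unchanged),
# or NEW (rule only present in the second snapshot, e.g. added by a script).
stalled_dnat_rules() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        BEGIN { phase = 1 }
        /^---$/ { phase = 2; next }
        $3 == "DNAT" {
            key = ""
            for (i = 4; i <= NF; i++) key = key " " $i   # rule text minus counters
            if (phase == 1) before[key] = $1 + 0
            else if (!(key in before)) print "NEW" key
            else if ($1 + 0 > before[key]) print "HIT" key
            else print "STALLED" key
        }'
}

# On the router: before=$(iptables -t nat -vnL PREROUTING), retry the
# connection from outside, after=$(iptables -t nat -vnL PREROUTING), then
# stalled_dnat_rules "$before" "$after".
stalled_dnat_rules "$SNAP_BEFORE" "$SNAP_AFTER"
```

In the constructed sample the Plex rule (dpt:32400) is reported STALLED while the FTPS rule (dpt:990) is HIT, which separates "never reached netfilter" from "matched but failed later".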
jacdc
DD-WRT Novice
Joined: 19 May 2021
Posts: 37
PostPosted: Mon Sep 26, 2022 6:46    Post subject: Re: Possible fix for port forwarding
Spoke too soon...LAN NAT traversal works for FTPS(Explicit with Passive) on local network but gets hung up again coming from outside. Plex is still hit and miss (this may just be Plex). Oh well...current build suffices for now with Wireguard as needed but need to upgrade this soon...ddwrt was great while it lasted and caused more than a few sleepless nights troubleshooting.

Recent work that spurred this testing was realizing my VAP wifi setup was not as secure as it should be...more reading and recent developments on the VAP wifi front (finally doing away with the need to restart VAP wifi interfaces every time router config was Applied...not fun) prompted me to upgrade and with that a possible glimmer of hope to finally get NAT/Port forwarding working with CTF/FA... :(

J
mwchang
DD-WRT Guru
Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong
PostPosted: Sat Oct 08, 2022 9:48
Update:

It seemed that a solution was suggested correctly... It's again about timing, after sysinit!

DD-WRT :: View topic - How to bypass CTF (Port Forward rule not working)
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=330016&start=42
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=330016&start=45

_________________
Router: Asus RT-N18U (rev. A1)

Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!

Facebook: https://www.facebook.com/changmanwai
Website: https://sites.google.com/site/changmw
SETI@Home profile: http://setiathome.berkeley.edu/view_profile.php?userid=211832
GitHub: https://github.com/changmw/changmw
mwchang
DD-WRT Guru
Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong
PostPosted: Sat Nov 12, 2022 7:29
Found something weird regarding CTF:

DD-WRT :: View topic - Asus RT-N18U and CTF+FA: "eth%d"? "%d"?
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=333299

mwchang
DD-WRT Guru
Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong
PostPosted: Sun Jul 30, 2023 14:06
So I copied the following 3 rules from Asus RT-N18U's official firmware:
Code:
# $iptb is the firmware's iptables wrapper; assumed here to be iptb="iptables -t mangle",
# since the MARK target is normally applied in the mangle table.
# --set-xmark 0x1/0x7 clears the low three bits of the packet mark and sets bit 0.
$iptb -A FORWARD -s 192.168.1.0/24 -d 192.168.1.0/24 -o $(nvram get lan_ifname) -j MARK --set-xmark 0x1/0x7
$iptb -A FORWARD -p udp -m udp --dport 5060 -j MARK --set-xmark 0x1/0x7
$iptb -A FORWARD -p tcp -m tcp --dport 5060 -j MARK --set-xmark 0x1/0x7

Port-forwarding over CTF still didn't work. Switching "5060" to the port number being forwarded also didn't work.

The 3 rules seemed to work when used with official firmware, though I dunno whether the official firmware was actually using CTF, let alone CTF+FA. But the kernel 2.6.36.4brcmarm of official firmware was tainted. It's older than DD-WRT's kernel 4.4.302-st40. And DD-WRT's kernel might not be tainted.

DD-WRT :: View topic - Something about CTF in Asus RT-N18U's official firmware
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=334883&start=5

All times are GMT