When SFE is disabled, DNS stops working. How to reenable?

tkmds
DD-WRT User


Joined: 04 Sep 2011
Posts: 161
Location: SA

Posted: Sun Nov 27, 2022 6:34    Post subject: When SFE is disabled, DNS stops working. How to reenable?
As soon as I disable SFE, DNS stops working and external resolution fails. Internal works. I can ping the external DNS host 8.8.8.8 and can connect using:

nc -vuz 8.8.8.8 53

yet no return reply exists from external DNS. Until I enable SFE that is, though I wish to disable SFE.

What do I need to do in place of SFE to allow external DNS resolution once more when SFE is disabled?

_________________
Cheers, TK
------------------------
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sun Nov 27, 2022 7:46
SFE has no relation to DNS.

A lot of people (including me) do not use SFE and have perfectly normal DNS.

So there might be something wrong in your setup.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong

Posted: Sun Nov 27, 2022 14:53    Post subject: Re: When SFE is disabled, DNS stops working. How to reenabl
tkmds wrote:
As soon as I disable SFE, DNS stops working and external resolution fails. Internal works. I can ping the external DNS host 8.8.8.8 and can connect using:

nc -vuz 8.8.8.8 53

yet no return reply exists from external DNS. Until I enable SFE that is, though I wish to disable SFE.

What do I need to do in place of SFE to allow external DNS resolution once more when SFE is disabled?

Sometimes, services were not restarted properly after you altered certain settings. A reboot usually fixed it.

You might also try using Admin->Command to 'service start dnsmasq'. By default, DNSmasq serves both DHCP and DNS. This method requires knowledge about under the hood of DD-WRT.

In fact DD-WRT's WEBUI has no explicit buttons to restart various services. It totally trusts those enable/disable buttons. ;)

_________________
Router: Asus RT-N18U (rev. A1)

Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!

Facebook: https://www.facebook.com/changmanwai
Website: https://sites.google.com/site/changmw
SETI@Home profile: http://setiathome.berkeley.edu/view_profile.php?userid=211832
GitHub: https://github.com/changmw/changmw
tkmds
DD-WRT User


Joined: 04 Sep 2011
Posts: 161
Location: SA

Posted: Mon Nov 28, 2022 2:56
I would not have expected SFE to mess up DNS either TBH. Yet....it looks to do just so in my setup.

What I tried.....enabled DNSmasquerade two nights ago after I sent that reply, seeing how I used to have it earlier as well, and DNS resolution does work but it's very slow, likely due to caching from when SFE was enabled though. However, after a short while, DNS resolution stops.

Essentially, when I run an nslookup off the routers, just a short while after SFE is disabled, this is the result:

Code:
root@DD-WRT-INET:~# nslookup dd-wrt.com
nslookup: can't resolve '(null)'

nslookup: can't resolve 'dd-wrt.com'
root@DD-WRT-INET:~# cat /etc/resolv.conf
search dom.xyz
nameserver 192.168.0.100
nameserver 192.168.0.10
nameserver 192.168.0.11
nameserver 172.87.80.1
nameserver 172.87.81.1
root@DD-WRT-INET:~#


The main DNS server returns a Timed out indicating traffic on port 53 is blocked or just doesn't return:

Code:
C:\> nslookup dd-wrt.com
Server:  dns01.dom.xyz
Address:  192.168.0.220

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to dns01.dom.xyz timed-out
C:\>



192.168.0.100 being my main internal DNS server, which has caching enabled. Whereas off my laptop, it still resolves, maybe due to cache for the time being:

Code:
c:\>nslookup dd-wrt.com
Server:  UnKnown
Address:  172.20.10.1

Non-authoritative answer:
Name:    dd-wrt.com
Addresses:  2a05:a1c0:0:dd::111
          185.84.6.111
c:\>


when these two options are set on my main router for DNSmasquerade:

Code:
no-resolv
server=172.87.80.1,172.87.81.1


these being the external DNS servers of the provider. Though after so much back and forth, I'm no longer 100% sure if the above setting had anything to do with my issues.

So SFE is definitely doing something with the routing at the least that is affecting DNS. Result of tcpdump on the router, shows that the packet from the DNS nslookup command is sent out but nothing returns. Whereas as soon as I enable SFE, this resolution works just fine. Lost packet example below:

Code:
root@DD-WRT-INET:~# tcpdump -s0 -na "port 53 and ( host 192.168.0.100 or host 192.168.0.101 or host 192.168.0.102) and host 8.8.8.8"
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:37:53.112919 IP 192.168.0.101.51396 > 8.8.8.8.53: Flags [SEW], seq 4266102126, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:37:56.114436 IP 192.168.0.101.51396 > 8.8.8.8.53: Flags [SEW], seq 4266102126, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:38:02.114027 IP 192.168.0.101.51396 > 8.8.8.8.53: Flags [S], seq 4266102126, win 8192, options [mss 1460,nop,nop,sackOK], length 0


The internal DNS servers responsible for resolving internal and external hosts:

Code:
192.168.0.100 (VIP)
192.168.0.101 (DNS01)
192.168.0.102 (DNS02)


Now, after some trial and error, reenabled SFE and this brings resolution back to a working state. While doing so, noticing SIRQ /SYS is super high as well once more:

Code:
Mem: 113776K used, 399940K free, 448K shrd, 9512K buff, 13488K cached
CPU0:  0.4% usr  0.4% sys  0.0% nic 97.9% idle  0.0% io  0.0% irq  1.0% sirq
CPU1:  0.0% usr 37.0% sys  0.0% nic  0.0% idle  0.0% io  0.0% irq 62.9% sirq
Load average: 2.87 1.34 0.57 2/142 5645
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
 5579  5491 root     R     2264  0.4   1 36.7 /sbin/service firewall start


I've poked around for a bit longer. The 3 DNS servers above are behind the router where I'm disabling SFE. I've now disabled DNSmasquerade as well. I've opened up the F/W as well on this router as it was showing dropped on port 53, yet ping works but DNS resolution still doesn't when SFE is disabled despite the F/W change. Tried DNSmasq options below:

Code:
server=172.87.80.1,172.87.81.1
dhcp-option=option:domain-search,dom.xyz,test1.dom.xyz,test2.dom.xyz


Doesn't work to fix DNS resolution either when SFE is turned off.

Fast forward a few hours of troubleshooting. Now when SFE is enabled again, the load is going up progressively. It's now 19+. Seems as if there is a process locking all this up raising both the load and SIRQ's. If I'm making sense. Can't save or kill anything on the router. "OSPF Router" setting keeps getting reverted to "vtysh OSPF BGP RIPD Zebra" router (appears briefly while load is high) which has been an issue for some time in the UI switching between the two modes inexplicably. This load/SIRQ behavior is new however. Can't SSH into the unit which is a hint SSH is waiting on something. Not yet sure what.

What's interesting, this happens when visiting news page off various networks, particularly the Yahoo home page, or any of the other popular news outlets like CNN, ABC, pages with plenty of advertisements etc.

Need to read more about SFE (Shortcut Forwarding Engine) to understand this DNS behavior better and a bit more on why SIRQ and LOAD is consistently climbing.

Very weird!

_________________
Cheers, TK
------------------------
tkmds
DD-WRT User


Joined: 04 Sep 2011
Posts: 161
Location: SA

Posted: Mon Nov 28, 2022 3:40
Quick update. Recabled around the main router. Now everything works much better. (See image please).

When cabled in the first diagram w/ SFE enabled, resolution is fast and SIRQ is kept to a minimum. Not yet 100% sure what was happening with the second cabling job. Need more time to dig into it than I had in this session.

Summary:
- Running tcpdumps certainly increases SIRQs and load significantly. So does tailing log files and tracing connections it appears.
- A less than optimal (ad-hoc) cabling job will lead to a router's ever increasing load till it locks up. (Can probably fix with some software tweaks but who has time for that when things work). Not necessarily a router issue.
- Switching routers around AFTER originally setup in one topology, to another topology, will cause these issues.
- DNS caching works wonders for speed!

Thanks for taking a look and helping out guys!



[Attached image: NetworkTopologyNov27-2022.PNG]



_________________
Cheers, TK
------------------------
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Mon Nov 28, 2022 7:22
SFE is getting confused in your setup and does not route properly, that can even happen when you are using a VAP or Portforwarding via more than one interface etc.

SFE only works reliably for a simple setup with one WAN interface and one LAN (br0) interface; in all other setups there is the risk of routing problems.

So SFE is masking the fact that there is something wrong in your setup.

I doubt SFE is compatible with using Zebra. Routing protocols are seldom used so no track record if they work reliably.

tkmds
DD-WRT User


Joined: 04 Sep 2011
Posts: 161
Location: SA

Posted: Tue Nov 29, 2022 0:17
Would be good if I can drop SFE, but it doesn't want to go. Job security. Makes all my routing work for the time being. :)

Need to know how SFE works first to see what it could be doing to affect things this significantly. Then I can disable it.

_________________
Cheers, TK
------------------------
tkmds
DD-WRT User


Joined: 04 Sep 2011
Posts: 161
Location: SA

Posted: Sat Dec 03, 2022 4:14
Out of curiosity, and for comparison to see if I'm way over where I should be, how many interrupt calls are folks here getting per 30 seconds?

# grep -Ei "eth0|br0|lo|eth1|eth2|eth3|wl0.1|wl1.1|vlan1|vlan2" /proc/interrupts; sleep 30; grep -Ei "eth0|br0|lo|eth1|eth2|eth3|wl0.1|wl1.1|vlan1|vlan2" /proc/interrupts
163: 7418529 0 GIC 163 Edge eth1
169: 30 801889 GIC 169 Edge eth2
179: 1924 80511174 GIC 179 Edge eth0

163: 7419459 0 GIC 163 Edge eth1
169: 30 802223 GIC 169 Edge eth2
179: 1924 80612649 GIC 179 Edge eth0


I'm at 101,475 every 30 seconds which is about 3382.5/s on idle. vlan2@eth0 is my internet facing NIC with the public IP.

_________________
Cheers, TK
------------------------
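
The before/after sampling from the post above, turned into a reusable function; this is an added example, not code from the thread. `irq_delta` and `irq_demo` are hypothetical names, and the embedded snapshots are the two `/proc/interrupts` readings quoted in that post.

```shell
#!/bin/sh
# Added example: per-CPU interrupt deltas between two /proc/interrupts snapshots.
# On a live router (file paths are assumptions):
#   cat /proc/interrupts > /tmp/irq.a; sleep 30; cat /proc/interrupts > /tmp/irq.b
#   irq_delta /tmp/irq.a /tmp/irq.b 30

# irq_delta BEFORE_FILE AFTER_FILE SECONDS
# Prints "<device> cpu<N> <delta> <rate_per_second>" for every counter that moved.
irq_delta() {
    awk -v secs="$3" '
        # A counter row looks like "179: 1924 80511174 GIC 179 Edge eth0":
        # IRQ number with a colon, one numeric column per CPU, then the
        # controller, hardware IRQ, trigger type and device name (last field).
        function ncpu(   i, n) {
            n = 0
            for (i = 2; i <= NF && $i ~ /^[0-9]+$/; i++) n++
            return n
        }
        # Skip the CPU header row and non-numeric rows such as IPI counters.
        $1 !~ /^[0-9]+:$/ { next }
        # First file: remember each counter, keyed by IRQ number and CPU column.
        FNR == NR {
            n = ncpu()
            for (i = 1; i <= n; i++) before[$1, i] = $(i + 1)
            next
        }
        # Second file: report the difference for counters seen in both snapshots.
        {
            n = ncpu()
            for (i = 1; i <= n; i++) {
                if (!(($1, i) in before)) continue
                d = $(i + 1) - before[$1, i]
                if (d > 0) printf "%s cpu%d %d %.2f\n", $NF, i - 1, d, d / secs
            }
        }
    ' "$1" "$2"
}

# Runs irq_delta over the two readings quoted in the post (30 seconds apart).
irq_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/before" <<'EOF'
163: 7418529 0 GIC 163 Edge eth1
169: 30 801889 GIC 169 Edge eth2
179: 1924 80511174 GIC 179 Edge eth0
EOF
    cat > "$dir/after" <<'EOF'
163: 7419459 0 GIC 163 Edge eth1
169: 30 802223 GIC 169 Edge eth2
179: 1924 80612649 GIC 179 Edge eth0
EOF
    irq_delta "$dir/before" "$dir/after" 30
    rm -rf "$dir"
}

irq_demo
```

On the quoted readings, the whole eth0 delta (101475 interrupts, 3382.50/s) lands in the second CPU column, the same core that shows the high sirq figure in the earlier `top` output.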
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sat Dec 03, 2022 8:06
100: 30792810 80819629 GIC-0 255 Level eth0
101: 26948843 6128520 GIC-0 258 Level eth1
100: 30793526 80819629 GIC-0 255 Level eth0
101: 26949022 6128520 GIC-0 258 Level eth1

tkmds
DD-WRT User


Joined: 04 Sep 2011
Posts: 161
Location: SA

Posted: Sat Dec 03, 2022 19:14
Quote:

100: 30792810 80819629 GIC-0 255 Level eth0
101: 26948843 6128520 GIC-0 258 Level eth1
100: 30793526 80819629 GIC-0 255 Level eth0
101: 26949022 6128520 GIC-0 258 Level eth1


eth0, field 1: 716/30s. 23.86/s
eth0, field 2: 0/30s. 0/s

eth1, field 1: 179/30s. 5.96/s
eth1, field 2: 0/30s. 0/s

Looks like I'm load testing DD-WRT quite well. LOL

_________________
Cheers, TK
------------------------
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sat Dec 03, 2022 19:24
Looks like it :)
tkmds
DD-WRT User


Joined: 04 Sep 2011
Posts: 161
Location: SA

Posted: Sun Dec 04, 2022 5:48
I guess, I'm getting closer to figuring out how SFE routes traffic. Just to focus the discussion I've boiled this down to a simplified view and setup to figure the immediate 'ping' issue when SFE is disabled:

WEB -> INET / PRIMARY ROUTER ( 192.168.0.6 / 100.100.100.100 ) -> SECONDARY ROUTER ( 192.168.0.21 )

Included an image below. Running tcpdump in one window and a ping in the other window on the INET / PRIMARY ROUTER (R1) router:

Code:
root@DD-WRT-INET:~# tcpdump -Xs0 -na "( host 9.9.9.9 )"
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes


Seeing ping replies running command below (Though strangely couldn't see ping requests in tcpdump ):

Code:
# ping 9.9.9.9


Code:
00:06:18.540662 IP 9.9.9.9 > 100.100.100.100: ICMP echo reply, id 3063, seq 0, length 64
        0x0000:  4500 0054 f0d8 0000 3601 a212 0909 0909  E..T....6.......
        0x0010:  6ca8 7304 0000 26e0 0bf7 0000 dca0 f087  l.s...&.........
        0x0020:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000 0000                                ....
00:06:19.539662 IP 9.9.9.9 > 100.100.100.100: ICMP echo reply, id 3063, seq 1, length 64
        0x0000:  4500 0054 f127 0000 3601 a1c3 0909 0909  E..T.'..6.......
        0x0010:  6ca8 7304 0000 8d94 0bf7 0001 66eb ff87  l.s.........f...
        0x0020:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000 0000                                ....
00:06:20.536398 IP 9.9.9.9 > 100.100.100.100: ICMP echo reply, id 3063, seq 2, length 64
        0x0000:  4500 0054 f28b 0000 3601 a05f 0909 0909  E..T....6.._....
        0x0010:  6ca8 7304 0000 2a48 0bf7 0002 ba36 0f88  l.s...*H.....6..
        0x0020:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000 0000                                ....
00:06:21.546191 IP 9.9.9.9 > 100.100.100.100: ICMP echo reply, id 3063, seq 3, length 64
        0x0000:  4500 0054 f3e4 0000 3601 9f06 0909 0909  E..T....6.......
        0x0010:  6ca8 7304 0000 80df 0bf7 0003 549e 1e88  l.s.........T...
        0x0020:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000 0000                                ....
00:06:22.563433 IP 9.9.9.9 > 100.100.100.100: ICMP echo reply, id 3063, seq 4, length 64
        0x0000:  4500 0054 f6dc 0000 3601 9c0e 0909 0909  E..T....6.......
        0x0010:  6ca8 7304 0000 d376 0bf7 0004 f205 2e88  l.s....v........
        0x0020:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000 0000                                ....



Whereas if I run a ping from the SECONDARY ROUTER (R2):

Code:
# ping 9.9.9.9


I see requests but no replies meaning any machines behind the INET router, can't ping out when SFE is disabled, hence the DNS resolution issue (F/W is disabled or all permissive in the tests here):

Code:
00:06:30.321439 IP 192.168.0.21 > 9.9.9.9: ICMP echo request, id 9763, seq 0, length 64
        0x0000:  4500 0054 496c 4000 4001 1e6e c0a8 0015  E..TIl@.@..n....
        0x0010:  0909 0909 0800 d59b 2623 0000 55b8 a688  ........&#..U...
        0x0020:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000 0000                                ....
00:06:31.321133 IP 192.168.0.21 > 9.9.9.9: ICMP echo request, id 9763, seq 1, length 64
        0x0000:  4500 0054 499c 4000 4001 1e3e c0a8 0015  E..TI.@.@..>....
        0x0010:  0909 0909 0800 3558 2623 0001 e6fa b588  ......5X&#......
        0x0020:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000 0000                                ....
00:06:32.320854 IP 192.168.0.21 > 9.9.9.9: ICMP echo request, id 9763, seq 2, length 64
        0x0000:  4500 0054 49f8 4000 4001 1de2 c0a8 0015  E..TI.@.@.......
        0x0010:  0909 0909 0800 b514 2623 0002 573d c588  ........&#..W=..
        0x0020:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000 0000                                ....
00:06:33.320562 IP 192.168.0.21 > 9.9.9.9: ICMP echo request, id 9763, seq 3, length 64
        0x0000:  4500 0054 4a3f 4000 4001 1d9b c0a8 0015  E..TJ?@.@.......
        0x0010:  0909 0909 0800 32d1 2623 0003 ca7f d488  ......2.&#......
        0x0020:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000 0000                                ....
00:06:34.320269 IP 192.168.0.21 > 9.9.9.9: ICMP echo request, id 9763, seq 4, length 64
        0x0000:  4500 0054 4a7d 4000 4001 1d5d c0a8 0015  E..TJ}@.@..]....
        0x0010:  0909 0909 0800 b38d 2623 0004 3ac2 e388  ........&#..:...
        0x0020:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000 0000                                ....


And therefore I think I need some NAT rules to replace what SFE removes. Tried a few but no luck. Will have to try and tinker with this tomorrow.

INET / PRIMARY ROUTER (R1) Interfaces:

Code:

# ip a
1: lo: <LOOPBACK,MULTICAST,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: teql0: <NOARP> mtu 1500 qdisc noop state DOWN qlen 100
    link/void
3: ctf0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:23:6a:00:00:00 brd ff:ff:ff:ff:ff:ff
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 1000
    link/ether 2c:fd:a1:35:60:50 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2efd:a1ff:fe35:6050/64 scope link
       valid_lft forever preferred_lft forever
5: vlan1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP qlen 1000
    link/ether 2c:fd:a1:35:60:50 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2efd:a1ff:fe35:6050/64 scope link
       valid_lft forever preferred_lft forever
6: vlan2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1452 qdisc noqueue state UP qlen 1000
    link/ether 2c:fd:a1:35:60:51 brd ff:ff:ff:ff:ff:ff
    inet 100.100.100.100/27 brd 100.100.100.101 scope global vlan2    <<<<<<<<<<<<<<<<<<<<<<<<<<<<<
       valid_lft forever preferred_lft forever
    inet6 fe80::2efd:a1ff:fe35:6051/64 scope link
       valid_lft forever preferred_lft forever
7: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UNKNOWN qlen 1000
    link/ether 2c:fd:a1:35:60:50 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2efd:a1ff:fe35:6050/64 scope link
       valid_lft forever preferred_lft forever
8: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UNKNOWN qlen 1000
    link/ether 2c:fd:a1:35:60:64 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2efd:a1ff:fe35:6064/64 scope link
       valid_lft forever preferred_lft forever
9: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
    link/sit 0.0.0.0 brd 0.0.0.0
10: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN qlen 1
    link/tunnel6 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 brd 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
11: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 2c:fd:a1:35:60:50 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.6/24 brd 192.168.0.255 scope global br0   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<
       valid_lft forever preferred_lft forever
    inet6 fe80::2efd:a1ff:fe35:6050/64 scope link
       valid_lft forever preferred_lft forever
12: wl0.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 1000
    link/ether 2e:fd:a1:35:60:51 brd ff:ff:ff:ff:ff:ff
    inet 192.168.45.1/24 brd 192.168.45.255 scope global wl0.1
       valid_lft forever preferred_lft forever
    inet6 fe80::2cfd:a1ff:fe35:6051/64 scope link
       valid_lft forever preferred_lft forever
13: wl1.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 1000
    link/ether 2e:fd:a1:35:60:65 brd ff:ff:ff:ff:ff:ff
    inet 192.168.75.1/24 brd 192.168.75.255 scope global wl1.1
       valid_lft forever preferred_lft forever
    inet6 fe80::2cfd:a1ff:fe35:6065/64 scope link
       valid_lft forever preferred_lft forever



SECONDARY ROUTER (R2) Interfaces

Code:

# ip a
1: lo: <LOOPBACK,MULTICAST,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP qlen 532
    link/ether 60:38:e0:d0:d2:e8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6238:e0ff:fed0:d2e8/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP qlen 532
    link/ether 60:38:e0:d0:d2:e9 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6238:e0ff:fed0:d2e9/64 scope link
       valid_lft forever preferred_lft forever
4: teql0: <NOARP> mtu 1500 qdisc noop state DOWN qlen 100
    link/void
8: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
    link/sit 0.0.0.0 brd 0.0.0.0
9: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN qlen 1
    link/tunnel6 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 brd 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
10: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1452 qdisc noqueue state UP qlen 1000
    link/ether 60:38:e0:d0:d2:e9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.21/24 brd 192.168.0.255 scope global br0   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<
       valid_lft forever preferred_lft forever
    inet6 fdc8:29db:a9ed:0:6238:e0ff:fed0:d2e9/64 scope global dynamic flags 100
       valid_lft 6955sec preferred_lft 20sec
    inet6 fe80::6238:e0ff:fed0:d2e9/64 scope link
       valid_lft forever preferred_lft forever
11: wlan2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 60:38:e0:d0:d2:eb brd ff:ff:ff:ff:ff:ff
12: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP qlen 1000
    link/ether 60:38:e0:d0:d2:eb brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6238:e0ff:fed0:d2eb/64 scope link
       valid_lft forever preferred_lft forever
13: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP qlen 1000
    link/ether 60:38:e0:d0:d2:ea brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6238:e0ff:fed0:d2ea/64 scope link
       valid_lft forever preferred_lft forever



[Attached image: simple-ping-problem.PNG]



_________________
Cheers, TK
------------------------


Last edited by tkmds on Mon Dec 05, 2022 0:40; edited 2 times in total
tkmds
DD-WRT User


Joined: 04 Sep 2011
Posts: 161
Location: SA

Posted: Sun Dec 04, 2022 18:29
The goal for me is to eliminate the dependence on SFE to eliminate the high SIRQ SFE introduces. I need to find an alternative way to route traffic when SFE is disabled (i.e. DNSmasq or other means). Unable to find that yet.
_________________
Cheers, TK
------------------------
tkmds
DD-WRT User


Joined: 04 Sep 2011
Posts: 161
Location: SA

Posted: Tue Dec 06, 2022 4:19
Did a bit more interim digging after reaching even higher numbers. Interrupt delta spiked to 115,927/30s or 3864.23/s. Another sample revealed 154,341/30s which is 5144.7/s. (I suppose now I know what this router is capable of. ;) )

Then I disabled:

Security -> Log Management -> Log -> Firewall Log -> Disabled.

What I had was:

Enabled, High and Enabled for all Dropped, Rejected and Accepted.

I also had a handful of 'logaccept' in my iptables which I just switched to 'accept'. Since I had remote logging enabled as well, the router was basically drinking from a fire hose every time a page got loaded.

So things are stable and working well with SFE right now.

You'd suppose that would eliminate SFE as the culprit. I suppose. However, now that @egc put me up to removing SFE ( ;) ) I still would like to eliminate SFE to see what the behavior is like without it. I've disabled SFE from all my other DD-WRT routers but can't do so from the main one (INET / PRIMARY ROUTER) without losing the ability to browse ( or in this case ping ) IPs from other connected routers such as the SECONDARY ROUTER in the above image.

_________________
Cheers, TK
------------------------
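
One way to audit a ruleset for the logging load described in the last post, as an added example that is not from the thread: `log_rule_audit` (a hypothetical name) reads `iptables-save` output and lists each `LOG` rule, whether it carries a `--limit` rate limit, and how many rules jump into its chain. The ruleset in `log_rule_demo` is constructed for illustration.

```shell
#!/bin/sh
# Added example: find LOG rules in iptables-save output and show which ones
# have no rate limit. On a live router (file path is an assumption):
#   iptables-save > /tmp/rules.txt; log_rule_audit /tmp/rules.txt

# log_rule_audit RULES_FILE
# Prints "<chain> limited|unlimited callers=<N>" for every "-j LOG" rule.
log_rule_audit() {
    awk '
        # Return the word that follows flag (e.g. "-j") on this rule, or "".
        function arg(flag,   i) {
            for (i = 1; i < NF; i++) if ($i == flag) return $(i + 1)
            return ""
        }
        # Only rule lines matter; table names, policies and COMMIT are skipped.
        $1 != "-A" { next }
        # Pass 1: count how many rules jump to each target chain.
        FNR == NR { callers[arg("-j")]++; next }
        # Pass 2: report each LOG rule with its limit status and caller count.
        arg("-j") == "LOG" {
            lim = (arg("--limit") != "") ? "limited" : "unlimited"
            printf "%s %s callers=%d\n", $2, lim, callers[$2]
        }
    ' "$1" "$1"
}

# Constructed sample ruleset: one logging chain without a rate limit that
# two rules jump into, and one logging chain with "-m limit".
log_rule_demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -p udp -m udp --dport 53 -j logaccept
-A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept
-A FORWARD -i br0 -o vlan2 -j ACCEPT
-A FORWARD -j logdrop
-A logaccept -j LOG --log-prefix "ACCEPT "
-A logaccept -j ACCEPT
-A logdrop -m limit --limit 10/min -j LOG --log-prefix "DROP "
-A logdrop -j DROP
COMMIT
EOF
    log_rule_audit "$f"
    rm -f "$f"
}

log_rule_demo
```

An `unlimited` chain with several callers is the first place to look when log volume rather than forwarding is driving the load, since every matching packet becomes a log line and, with remote logging on, another packet.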