Why is SFE not disabled when WAN is set to disabled?

Post new topic   Reply to topic    DD-WRT Forum Index -> General Questions
Goto page 1, 2  Next
Author Message
AsX
DD-WRT User


Joined: 15 Jun 2010
Posts: 54

PostPosted: Thu Jul 25, 2024 17:18    Post subject: Why is SFE not disabled when WAN is set to disabled? Reply with quote
I always wondered why SFE options are enabled in GUI if WAN is set to Disabled. A lot of other GUI options do change, but not SFE. Isn't SFE irrelevant without WAN? Maybe should be corrected to avoid confusion...
Sponsor
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 15225
Location: Texas, USA

PostPosted: Thu Jul 25, 2024 21:33    Post subject: Reply with quote
Split your question out of the other thread because it is not platform-specific and so I can email BrainSlayer with your question.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9354

PostPosted: Fri Jul 26, 2024 3:03    Post subject: Reply with quote
Probably for the same reason the Operating Mode remains in its current setting (usually Gateway) when the WAN is disabled. The router simply isn't 100% accurate in how it presents the GUI given various settings. Seems to me there should also be a Disabled setting for Operation Mode when the WAN is disabled. Or perhaps it shouldn't be a visible option at all. Or even better, perhaps there should be an AP option under Operating Mode, which disables the WAN, disables the firewall, disables the DHCP server, etc.

IOW, the router doesn't officially recognize AP mode. It puts the burden on YOU to know what buttons to push and strings to pull in order to get the desired behavior. And because it doesn't, you get other oddities where neither enabling NAT'ing nor Net Isolation w/ the GUI works w/ an unbridged VAP. OTOH, Forced DNS Redirection does! And all of these rely on the firewall. It's completely inconsistent.

The router simply isn't smart enough to recognize the user's intentions, which is to NAT the VAP over the LAN (br0), NOT the WAN, while still denying access between the VAP and LAN (br0). The firewall just remains empty (except for the DNS redirection). And w/o NAT'ing, and no static routing for the VAP's ip network upstream, there's no internet access from the VAP either. No reported errors. No nothing. It just doesn't work.

So how do *I* make it all work? Years of experience knowing where the router is going to fail me, and manually correcting it.

IMO, the router could benefit from an overhaul in this area so the setting of options was more consistent w/ the users intentions. Because it is lacking, we end up having to fix the same misconfigurations over and over. Fortunately @egc's excellent online manuals have helped mitigate the situation. But even so, it would be nice to see more thought put into the whole business of configuring Gateway vs. Router vs. AP mode so the GUI worked properly. And formally adding an AP mode would be a good place to start. A lot of other subsystems could also benefit from *explicitly* being informed of AP mode being active, such as the VPNs.

JMTC

_________________
ddwrt-bind-static-routes-to-wan.sh (UPDATED! 11/12/24) * ddwrt-blacklist-domains.sh * ddwrt-dns-monitor.sh * ddwrt-ovpn-client-backup.sh * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-server-watchdog.sh * ddwrt-ovpn-split-advanced.sh * ddwrt-ovpn-split-basic.sh * ddwrt-mount-usb-drives.sh * ddwrt-wol-port-forward.sh
lexridge
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1659
Location: WV, USA

PostPosted: Fri Jul 26, 2024 3:25    Post subject: Reply with quote
Wow, you put some time into that post. Good knowledge, well said and I agree the WebUI should be "smarter". It's not a priority I am sure as we only have one developer, for the most part and workarounds exist, while still a PiTA.

Among other things, SFE options should totally disappear when WAN is disabled and WAN goes to br0 automatically (I think it does already on most routers). This may be different with routers with built in switches and those than do not. I have not checked.

This would potentially be a huge change and probably never going to happen without a year of serious debugging.

_________________
- Linksys EA8500: I-Gateway, WAP/VAP 5ghz only. Features: WDS-AP, VLANs, Samba, WG, Entware - r58662
- Linksys EA8500: 802.11s Secondary w/VLAN Trunk - r58662
- Linksys MX4300: 802.11s Primary w/VLAN Trunk over 5ghz. 2.4ghz WAP/VAP only - r58662
- Linksys MX4300 (WAP/VAP (7)) Multiple VLANs over single trunk port. Entware/Samba r58662
- Linksys MR7350: Testing r58662
- Linksys Velop WHW03v1 x2: OpenWRT w/GRETAP tunnel for VLANs on VAPs
- OSes: Fedora 39, 9 RPis (2,3,4,5), 20 ESP8266s: Straight from Amiga to Linux in '95, never having owned a Windows PC.

- Forum member #248
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 15225
Location: Texas, USA

PostPosted: Fri Jul 26, 2024 3:28    Post subject: Reply with quote
The problem with gateway mode vs router mode when WAN is disabled is most likely because of SFE option, among other
things. No telling who broke the original functionality of Linksys Firmware / Sveasoft. Possibly related to the old fullswitch
function that was removed. In original Linksys firmware, all you had to do was set LAN (router) IP and disable the DHCP
server. I'll have to check to see if WAN port is still functional on my old WRT160Nv2 (RT2880 4/16) device, but still, it was
an easier, simpler process. No word back from BS on this query and I haven't taken the time to look through the code repo.

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
lexridge
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1659
Location: WV, USA

PostPosted: Fri Jul 26, 2024 3:33    Post subject: Reply with quote
SFE should not be enabled by default. I have said this many times and I would love to know the reasoning of why it is enabled. Makes zero sense.
_________________
- Linksys EA8500: I-Gateway, WAP/VAP 5ghz only. Features: WDS-AP, VLANs, Samba, WG, Entware - r58662
- Linksys EA8500: 802.11s Secondary w/VLAN Trunk - r58662
- Linksys MX4300: 802.11s Primary w/VLAN Trunk over 5ghz. 2.4ghz WAP/VAP only - r58662
- Linksys MX4300 (WAP/VAP (7)) Multiple VLANs over single trunk port. Entware/Samba r58662
- Linksys MR7350: Testing r58662
- Linksys Velop WHW03v1 x2: OpenWRT w/GRETAP tunnel for VLANs on VAPs
- OSes: Fedora 39, 9 RPis (2,3,4,5), 20 ESP8266s: Straight from Amiga to Linux in '95, never having owned a Windows PC.

- Forum member #248
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 15225
Location: Texas, USA

PostPosted: Fri Jul 26, 2024 3:39    Post subject: Reply with quote
That has been an on-again, off-again dilemma. Especially during the transition to 4.x and 6.x kernels.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9354

PostPosted: Fri Jul 26, 2024 3:57    Post subject: Reply with quote
lexridge wrote:
SFE should not be enabled by default. I have said this many times and I would love to know the reasoning of why it is enabled. Makes zero sense.


Because like most things w/ the router, proper functionality and compatibility take a backseat to performance. No one wants to put out a product that defaults w/ lower performance. Instead, you let the user experience the most the router can deliver, THEN wait for things to break as he begins to configure other features and introduces those incompatibilities.

I wouldn't have a problem w/ that *if* the router automatically disabled SFE/CTF/FA when incompatibile features were enabled. If that was the case, you wouldn't even need to expose these options in the first place. It's a technology most users don't understand, and they simply toggle it ON/OFF (usually at our direction) to see the effects, good or bad. Better to keep it where it belongs; hidden and managed by the router itself, NOT the end-user.

For example, if the user enables QoS, you just *silently* disable SFE/CTF/FA.

_________________
ddwrt-bind-static-routes-to-wan.sh (UPDATED! 11/12/24) * ddwrt-blacklist-domains.sh * ddwrt-dns-monitor.sh * ddwrt-ovpn-client-backup.sh * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-server-watchdog.sh * ddwrt-ovpn-split-advanced.sh * ddwrt-ovpn-split-basic.sh * ddwrt-mount-usb-drives.sh * ddwrt-wol-port-forward.sh
lexridge
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1659
Location: WV, USA

PostPosted: Fri Jul 26, 2024 4:17    Post subject: Reply with quote
eibgrad wrote:

Because like most things w/ the router, proper functionality and compatibility take a backseat to performance. No one wants to put out a product that defaults w/ lower performance. Instead, you let the user experience the most the router can deliver, THEN wait for things to break as he begins to configure other features and introduces those incompatibilities.

You are correct, when commercial companies are involved, I would have doubts about DD-WRT being guilty of this. I am sure BS has his reasons, but I would be surprised if this is one of them.
eibgrad wrote:
I wouldn't have a problem w/ that *if* the router automatically disabled SFE/CTF/FA when incompatibile features were enabled. If that was the case, you wouldn't even need to expose these options in the first place. It's a technology most users don't understand, and they simply toggle it ON/OFF (usually at our direction) to see the effects, good or bad. Better to keep it where it belongs; hidden and managed by the router itself, NOT the end-user.


It all comes down to not being able to fully boot on bad builds w/SFE enabled. This totally fscks normal users who cannot tftp or even know what a serial port is. If you don't have a dual boot partition you are done. Toss it in the trash can, for most folks.

_________________
- Linksys EA8500: I-Gateway, WAP/VAP 5ghz only. Features: WDS-AP, VLANs, Samba, WG, Entware - r58662
- Linksys EA8500: 802.11s Secondary w/VLAN Trunk - r58662
- Linksys MX4300: 802.11s Primary w/VLAN Trunk over 5ghz. 2.4ghz WAP/VAP only - r58662
- Linksys MX4300 (WAP/VAP (7)) Multiple VLANs over single trunk port. Entware/Samba r58662
- Linksys MR7350: Testing r58662
- Linksys Velop WHW03v1 x2: OpenWRT w/GRETAP tunnel for VLANs on VAPs
- OSes: Fedora 39, 9 RPis (2,3,4,5), 20 ESP8266s: Straight from Amiga to Linux in '95, never having owned a Windows PC.

- Forum member #248
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9354

PostPosted: Fri Jul 26, 2024 4:20    Post subject: Reply with quote
lexridge wrote:
This would potentially be a huge change and probably never going to happen without a year of serious debugging.


I don't think it would be as difficult or require as much time to implement as you believe. Once AP mode is made known, it just amounts to conditional implementation of various settings (if AP mode, do X, else do Y). What makes it difficult is not KNOWING the user is effectively in AP mode (i.e., bridged). But once you do, I just don't see it being all that complex.

Whatever the effort required, part of the problem here is that the limited resources of the project are spent primarily on making sure every Tom, Dick, and Harry router known to mankind is supported, including those from the early 2000's. What I'd prefer to see is a little less focus on THAT (even just a brief hiatus) and more time spent on solving these kinds of pesky UI issues.

Fortunately other devs, like @egc and company, have taken up the slack in recent years to make a lot of this happen (the project has never looked and worked better in many respects), but there are still a lot of lingering issues that need attention.

_________________
ddwrt-bind-static-routes-to-wan.sh (UPDATED! 11/12/24) * ddwrt-blacklist-domains.sh * ddwrt-dns-monitor.sh * ddwrt-ovpn-client-backup.sh * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-server-watchdog.sh * ddwrt-ovpn-split-advanced.sh * ddwrt-ovpn-split-basic.sh * ddwrt-mount-usb-drives.sh * ddwrt-wol-port-forward.sh
lexridge
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1659
Location: WV, USA

PostPosted: Fri Jul 26, 2024 4:35    Post subject: Reply with quote
eibgrad wrote:
What makes it difficult is not KNOWING the user is effectively in AP mode (i.e., bridged). But once you do, I just don't see it being all that complex.

This may be the show stopper.
eibgrad wrote:

Whatever the effort required, part of the problem here is that the limited resources of the project are spent primarily on making sure every Tom, Dick, and Harry router known to mankind is supported, including those from the early 2000's. What I'd prefer to see is a little less focus on THAT (even just a brief hiatus) and more time spent on solving these kinds of pesky UI issues.


Trust me, there has been no major (but a few minor) attention paid to these old 2006-2012 routers in many years. The kernels are no longer supported at all. It' honestly a waste of build resources, but some people still have them including myself. I don't use them but pull them out once or twice a year and upgrade them, or try anyway. Some builds are atrocious.
Quote:

Fortunately other devs, like @egc and company, have taken up the slack in recent years to make a lot of this happen (the project has never looked and worked better in many respects), but there are still a lot of lingering issues that need attention.


It's a very small crew. Not anything like openwrt, but better in the end I think. I love it regardless of the issues. I have used it for 18 years. I know the quarks and workarounds.

_________________
- Linksys EA8500: I-Gateway, WAP/VAP 5ghz only. Features: WDS-AP, VLANs, Samba, WG, Entware - r58662
- Linksys EA8500: 802.11s Secondary w/VLAN Trunk - r58662
- Linksys MX4300: 802.11s Primary w/VLAN Trunk over 5ghz. 2.4ghz WAP/VAP only - r58662
- Linksys MX4300 (WAP/VAP (7)) Multiple VLANs over single trunk port. Entware/Samba r58662
- Linksys MR7350: Testing r58662
- Linksys Velop WHW03v1 x2: OpenWRT w/GRETAP tunnel for VLANs on VAPs
- OSes: Fedora 39, 9 RPis (2,3,4,5), 20 ESP8266s: Straight from Amiga to Linux in '95, never having owned a Windows PC.

- Forum member #248
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 3372
Location: Germany

PostPosted: Fri Jul 26, 2024 7:16    Post subject: Reply with quote
lexridge wrote:
Among other things, SFE options should totally disappear when WAN is disabled and WAN goes to br0 automatically (I think it does already on most routers). This may be different with routers with built in switches and those than do not. I have not checked.


Most routers apart from x86 and a few AX devices have an integrated switch.

On these devices, the switch must be reconfigured and the WAN port does not have to be bridged with the LAN.

This must be changed at switch level then the traffic is also handled by the switch fabric.
If you simply bridge the WAN port then all traffic flows through the processor. (and this is not desirable on old routers with little CPU power)

secondly, SFE/NSS/CTF/FA should not be hidden in principle if the WAN is deactivated.
The NSS stuff can at least do WIFI offloading. (no idea if it works in the latest build - so far I haven't noticed anything)

The R7800 does not manage 1gbit WLAN throughput (TX) without NSS offoading because the CPU with 100% load is the bottleneck.
I have tested various NSS firmwares in the past and they managed 1Gbit (TX) with 50-75% load.

If WIFI offloading works then it also makes sense that the option is available with deactivated WAN.

_________________
Quickstart guides:
use Pi-Hole as simple DNS-Server with DD-WRT
VLAN configuration via GUI - 1 CPU port
VLAN configuration via GUI - 2 CPU ports (R7800, EA8500 etc)

Routers
Marvell OCTEON TX2 - QHora-322 - OpenWrt 23.05.3 - Gateway
Qualcomm IPQ8065 - R7800 - DD-WRT - WAP
lexridge
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1659
Location: WV, USA

PostPosted: Fri Jul 26, 2024 14:55    Post subject: Reply with quote
I remember the EA8500 (among many others) once had a checkbox to make WAN part of the LAN whenever WAN was disabled. This disappeared quite some time ago and simply disabling the WAN made it a regular switch port. Then with the updated switch config, we had to move the WAN to VLAN1 to make it part of the switch.

With that said, much has changed since then, including the much needed major upgrades to the Switch Config page. Perhaps this was when the check box disappeared?

Had no idea NSS could also handle WiFi. I assumed, like many others it was WAN only. Thanks for that info. So I guess the question is, how does one utilize that? Is it automatic?

_________________
- Linksys EA8500: I-Gateway, WAP/VAP 5ghz only. Features: WDS-AP, VLANs, Samba, WG, Entware - r58662
- Linksys EA8500: 802.11s Secondary w/VLAN Trunk - r58662
- Linksys MX4300: 802.11s Primary w/VLAN Trunk over 5ghz. 2.4ghz WAP/VAP only - r58662
- Linksys MX4300 (WAP/VAP (7)) Multiple VLANs over single trunk port. Entware/Samba r58662
- Linksys MR7350: Testing r58662
- Linksys Velop WHW03v1 x2: OpenWRT w/GRETAP tunnel for VLANs on VAPs
- OSes: Fedora 39, 9 RPis (2,3,4,5), 20 ESP8266s: Straight from Amiga to Linux in '95, never having owned a Windows PC.

- Forum member #248
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 3372
Location: Germany

PostPosted: Fri Jul 26, 2024 16:27    Post subject: Reply with quote
https://github.com/qosmio/openwrt-ipq/commit/c3f668c2408c89567afb5f4ae04d9ab24da587f9

I don't have much of a clue.
We couldn't experiment with the dd-wrt firmware for years.
But I know that some wifi things can be offloaded, the NSS wifi offload was already available on ath10k and I am pretty sure that the stock firmware also uses some offload functions.
It has pretty low load and high throughput.

_________________
Quickstart guides:
use Pi-Hole as simple DNS-Server with DD-WRT
VLAN configuration via GUI - 1 CPU port
VLAN configuration via GUI - 2 CPU ports (R7800, EA8500 etc)

Routers
Marvell OCTEON TX2 - QHora-322 - OpenWrt 23.05.3 - Gateway
Qualcomm IPQ8065 - R7800 - DD-WRT - WAP
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 15225
Location: Texas, USA

PostPosted: Fri Jul 26, 2024 21:26    Post subject: Reply with quote
lexridge wrote:
I remember the EA8500 (among many others) once had a checkbox to make WAN part of the LAN whenever WAN was disabled. This disappeared quite some time ago and simply disabling the WAN made it a regular switch port. Then with the updated switch config, we had to move the WAN to VLAN1 to make it part of the switch.

With that said, much has changed since then, including the much needed major upgrades to the Switch Config page. Perhaps this was when the check box disappeared?

This was part of the fullswitch function I've mentioned. I do believe that it coincided with Broadom switching over to SWCONFIG and the VLANs page fixes that sir @ho1Aetoo so diligently assisted with.

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Goto page 1, 2  Next Display posts from previous:    Page 1 of 2
Post new topic   Reply to topic    DD-WRT Forum Index -> General Questions All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum