
Routing/NAT hardware flow offloading only working temporarily with ramips/mt7621.

Open xervox opened this issue 2 years ago • 2 comments

Hi,

NAT offloading is causing max. CPU load on one core after boot-up, resulting in ~200 Mbit/s max. speed via NAT port forward (or NAT rules) instead of 1000 Mbit/s over that WAN interface. When changing any setting like "Enable SYN-flood protection" or "Drop invalid packets" and pushing "save&apply", the offload works again temporarily. After some time it disables itself again (cause unknown yet).

 PID  PPID USER     STAT   VSZ %VSZ %CPU COMMAND
   10     2 root     RW       0   0%  25% [ksoftirqd/0]

System: OpenWrt 22.03.0-rc5 r19523-bfd070e7fa / LuCI openwrt-22.03 branch git-22.167.28394-8a4486a
Target: ramips/mt7621

Software based offloading for routing/NAT: ON
Hardware flow offloading: ON
Packet Steering: ON
Port forwarding and NAT Rules tried. One VLAN Bridge with DSA VLAN filtering exists and two custom VLAN IDs (802.1q) are added.

I hope you could look into this. The bug also exists in the stable release before and has been appearing since the DSA networking was added.

Thx a lot.

xervox, Jul 29 '22 21:07

Does https://github.com/openwrt/openwrt/pull/10238 help?

neheb, Aug 10 '22 21:08

I'm having a similar issue when running iperf3 on the Xiaomi Router 3G V1. I have my wan port tagged and lan1 and lan2 untagged as VLAN 200 and 300 with bridge filtering enabled.

Switching works fine and I get gigabit speeds (~890 Mbit/s) on devices plugged into lan1/lan2. But running iperf3 on the router caps at around 300 Mbit/s with high CPU usage on ksoftirqd. Is it because of no flow offload for the br.200 bridge local VLAN interface or some other conntrack overhead?

I'm running OpenWrt 22.03.0-rc6 r19590-042d558536

nazar554, Aug 10 '22 23:08

@nazar554 AFAIK flow offload only works for non-local traffic. I.e. if the traffic originates from the router (i.e. local), it goes through the entire netfilter chain and will not be processed by the PPE, and thus there is no offload.

quarkysg, Sep 26 '22 04:09

@nazar554 Yeah, if you run speed tests directly on the router, the traffic enters the WAN interface but never leaves it. The offload only works if the traffic is passed between the WAN and LAN interfaces, so you have to test the speeds on some PC connected to the LAN port.

szero, Oct 19 '22 15:10
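
The distinction drawn in the last two replies (forwarded flows can be offloaded, router-local flows cannot) can be checked from the connection tracking table, where the kernel tags offloaded entries with `[OFFLOAD]` or `[HW_OFFLOAD]`. The script below is an added example, not part of the original thread; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Classify conntrack entries (format of /proc/net/nf_conntrack) by offload state.
# [HW_OFFLOAD] = handled by the hardware flow table, [OFFLOAD] = software flow
# table, anything else still traverses the normal netfilter path on the CPU.

offload_summary() {
    awk '
        /\[HW_OFFLOAD\]/ { hw++; next }
        /\[OFFLOAD\]/    { sw++; next }
        NF               { none++ }
        END { printf "hw=%d sw=%d none=%d\n", hw, sw, none }
    '
}

# List flows that are NOT offloaded: protocol, original source -> destination:port.
slow_path_flows() {
    awk '
        /\[(HW_)?OFFLOAD\]/ { next }
        NF {
            src = dst = dport = ""
            for (i = 1; i <= NF; i++) {
                if (src == ""   && $i ~ /^src=/)   src = substr($i, 5)
                if (dst == ""   && $i ~ /^dst=/)   dst = substr($i, 5)
                if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
            }
            print $3, src, "->", dst ":" dport
        }
    '
}

# Constructed sample: two forwarded LAN->WAN flows (offloaded), one iperf3
# session started on the router itself (198.51.100.2 = assumed WAN address),
# and one DNS query addressed to the router.
sample_conntrack() {
    cat <<'EOF'
ipv4     2 tcp      6 src=192.168.1.10 dst=203.0.113.5 sport=51544 dport=443 packets=900 bytes=120000 src=203.0.113.5 dst=198.51.100.2 sport=443 dport=51544 packets=1500 bytes=2100000 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4     2 tcp      6 src=192.168.1.11 dst=203.0.113.7 sport=40210 dport=80 packets=40 bytes=3000 src=203.0.113.7 dst=198.51.100.2 sport=80 dport=40210 packets=60 bytes=80000 [OFFLOAD] mark=0 zone=0 use=3
ipv4     2 tcp      6 7439 ESTABLISHED src=198.51.100.2 dst=203.0.113.9 sport=33880 dport=5201 packets=50000 bytes=70000000 src=203.0.113.9 dst=198.51.100.2 sport=5201 dport=33880 packets=25000 bytes=1300000 [ASSURED] mark=0 zone=0 use=1
ipv4     2 udp      17 55 src=192.168.1.10 dst=192.168.1.1 sport=40000 dport=53 packets=1 bytes=60 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=40000 packets=1 bytes=120 mark=0 zone=0 use=1
EOF
}

sample_conntrack | offload_summary
sample_conntrack | slow_path_flows
```

On the router, feed the live table instead of the sample: `offload_summary < /proc/net/nf_conntrack`.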