
Disable Connection Tracking/Firewall...?

Discussion in 'Tomato Firmware' started by rodenta, Oct 18, 2007.

  1. rodenta

    rodenta Network Guru Member

    Is there a way to disable all of the extra features of the router such as connection tracking, NAT, firewall, iptables, or whatever it is actually called? I'm still having issues with connections, slow browsing, and weird behavior when I have a lot of connections open, so I would just want the router to simply split the internet connection.

    Thanks in advance...
     
  2. acidmelt

    acidmelt LI Guru Member

    These are essentially the same thing: iptables is the program that does connection tracking and NAT and serves as a firewall. You could disable the rules that make it a firewall, but I doubt you'll gain much performance out of it; disabling NAT or connection tracking would not allow the router to actually route packets, and I'm sure you don't want that.

    It's possible that the low performance is due to excessive QoS rules; I'd look there first.

    Otherwise, are you sure you're not choking your upstream (i.e. p2p programs uploading at nearly the maximum speed)?
     
  3. mstombs

    mstombs Network Guru Member

  4. rodenta

    rodenta Network Guru Member

    What does the thing in that link do?

    And the problem I am having is after running p2p for a few days or so, it will be working fine throughout that time period, and then randomly, while using p2p, browsing will practically no longer work. I have tried using QoS, but it does the same exact thing. And I have max connections set to 2048, but even then it only gets up to around 500-1000. I always have plenty of free memory (at least 3 MB after a few days), so I don't see why it's doing this. Also, I have TCP timeouts set to "600 1800 120 60 120 120 10 60 30 120", so that also should be fine.

    It is also definitely not an issue with my upload speed being saturated so that can be ruled out.

    Also, is this normal? I'm seeing this constantly, as in many times per minute I think, in the system log. I don't know why it's leasing something every 10 minutes; is this supposed to be doing that?

    Oct 18 10:49:09 unknown local0.debug udhcpc[197]: Sending renew...
    Oct 18 10:51:00 unknown local0.debug udhcpc[197]: Sending renew...
    Oct 18 10:51:57 unknown local0.debug udhcpc[197]: Sending renew...
    Oct 18 10:52:25 unknown local0.debug udhcpc[197]: Sending renew...
    Oct 18 10:52:25 unknown local0.info udhcpc[197]: Lease of ***My IP*** obtained, lease time 600
    Oct 18 10:57:25 unknown local0.debug udhcpc[197]: Sending renew...
    Oct 18 10:59:16 unknown local0.debug udhcpc[197]: Sending renew...
    Oct 18 11:00:13 unknown local0.debug udhcpc[197]: Sending renew...
    Oct 18 11:00:40 unknown local0.debug udhcpc[197]: Sending renew...
    Oct 18 11:00:41 unknown local0.info udhcpc[197]: Lease of ***My IP*** obtained, lease time 600
    Oct 18 11:05:41 unknown local0.debug udhcpc[197]: Sending renew...
    Oct 18 11:05:41 unknown local0.info udhcpc[197]: Lease of ***My IP*** obtained, lease time 600
    Oct 18 11:08:49 unknown syslog.info -- MARK --
    Oct 18 11:10:41 unknown local0.debug udhcpc[197]: Sending renew...
    Oct 18 11:12:33 unknown local0.debug udhcpc[197]: Sending renew...
    Oct 18 11:12:33 unknown local0.info udhcpc[197]: Lease of ***My IP*** obtained, lease time 600
    Oct 18 11:17:33 unknown local0.debug udhcpc[197]: Sending renew...
    Oct 18 11:19:25 unknown local0.debug udhcpc[197]: Sending renew...
    Oct 18 11:20:21 unknown local0.debug udhcpc[197]: Sending renew...
    Oct 18 11:20:21 unknown local0.info udhcpc[197]: Lease of ***My IP*** obtained, lease time 600
    Oct 18 11:25:21 unknown local0.debug udhcpc[197]: Sending renew...

    I'm thinking something is filling up but I don't think its connections or anything.
    Thanks
     
  5. mstombs

    mstombs Network Guru Member

    The link was a straight-through connector: without routing and firewall functions, just replace the router with a link from WAN to a single LAN!

    From your log your WAN lease time is only 10 minutes and it's having trouble renewing - I don't think your problem is the router. What ISP connection and modem do you have? I'm thinking half-bridge DSL modem also running NAT and you are running double-NAT? If it's a 'zipb' modem then check your 'device list' for ARP table overflow.

    Note it is standard for the renew to happen at half the lease time, if the lease ever runs out it is likely to cause a break in all connections, even if quickly renewed. Tomato has a check box to "reduce packet size" which may help the renew process.
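The point made above about renewals at half the lease time and the risk of the lease actually running out can be checked from the log rather than eyeballed. The following script is an added example, not code from the thread or from Tomato: it parses udhcpc syslog lines, counts how many "Sending renew..." attempts preceded each "Lease ... obtained", and reports how many seconds of the lease were still left when the server finally answered. The sample log is constructed from the lines quoted earlier in the thread, with the masked address replaced by a documentation-range IP; the field layout of the syslog lines is assumed to match what is shown in the post.

```python
"""Check WAN DHCP lease renewals in udhcpc syslog output.

udhcpc sends its first renew at half the lease time and retries with shrinking
gaps until the server answers; connections only break if the lease actually
expires. This counts attempts per successful renewal and the slack left over.
"""
import re
from datetime import datetime

# Constructed sample modelled on the thread's log; 203.0.113.10 is a
# documentation address standing in for the masked WAN IP.
SAMPLE_LOG = """\
Oct 18 10:49:09 unknown local0.debug udhcpc[197]: Sending renew...
Oct 18 10:51:00 unknown local0.debug udhcpc[197]: Sending renew...
Oct 18 10:51:57 unknown local0.debug udhcpc[197]: Sending renew...
Oct 18 10:52:25 unknown local0.debug udhcpc[197]: Sending renew...
Oct 18 10:52:25 unknown local0.info udhcpc[197]: Lease of 203.0.113.10 obtained, lease time 600
Oct 18 10:57:25 unknown local0.debug udhcpc[197]: Sending renew...
Oct 18 10:59:16 unknown local0.debug udhcpc[197]: Sending renew...
Oct 18 11:00:13 unknown local0.debug udhcpc[197]: Sending renew...
Oct 18 11:00:40 unknown local0.debug udhcpc[197]: Sending renew...
Oct 18 11:00:41 unknown local0.info udhcpc[197]: Lease of 203.0.113.10 obtained, lease time 600
Oct 18 11:05:41 unknown local0.debug udhcpc[197]: Sending renew...
Oct 18 11:05:41 unknown local0.info udhcpc[197]: Lease of 203.0.113.10 obtained, lease time 600
Oct 18 11:08:49 unknown syslog.info -- MARK --
Oct 18 11:10:41 unknown local0.debug udhcpc[197]: Sending renew...
Oct 18 11:12:33 unknown local0.debug udhcpc[197]: Sending renew...
Oct 18 11:12:33 unknown local0.info udhcpc[197]: Lease of 203.0.113.10 obtained, lease time 600
Oct 18 11:17:33 unknown local0.debug udhcpc[197]: Sending renew...
Oct 18 11:19:25 unknown local0.debug udhcpc[197]: Sending renew...
Oct 18 11:20:21 unknown local0.debug udhcpc[197]: Sending renew...
Oct 18 11:20:21 unknown local0.info udhcpc[197]: Lease of 203.0.113.10 obtained, lease time 600
Oct 18 11:25:21 unknown local0.debug udhcpc[197]: Sending renew...
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ \S+ udhcpc\[\d+\]: (?P<msg>.*)$"
)
OBTAINED_RE = re.compile(r"Lease of (?P<ip>\S+) obtained, lease time (?P<secs>\d+)")


def parse_time(mon, day, time):
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine for deltas within one day (midnight rollover is not handled here).
    return datetime.strptime(f"{mon} {int(day):02d} {time}", "%b %d %H:%M:%S")


def analyze_lease_log(text):
    """Return (renewals, pending): one record per successful 'Lease ... obtained'
    and the count of 'Sending renew...' lines after the last success."""
    renewals = []
    attempts = 0
    prev = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # '-- MARK --' lines and other daemons
        ts = parse_time(m["mon"], m["day"], m["time"])
        if m["msg"].startswith("Sending renew"):
            attempts += 1
            continue
        ob = OBTAINED_RE.search(m["msg"])
        if not ob:
            continue
        lease = int(ob["secs"])
        elapsed = None if prev is None else int((ts - prev).total_seconds())
        renewals.append({
            "at": ts.strftime("%H:%M:%S"),
            "lease_time": lease,
            "attempts": attempts,                 # renews sent before this success
            "elapsed": elapsed,                   # seconds since previous success
            "slack": None if elapsed is None else lease - elapsed,  # seconds left
            "expired": elapsed is not None and elapsed >= lease,
        })
        attempts = 0
        prev = ts
    return renewals, attempts


def summarize(text):
    """Roll the per-renewal records up into the numbers worth watching."""
    renewals, pending = analyze_lease_log(text)
    slacks = [r["slack"] for r in renewals if r["slack"] is not None]
    return {
        "renewals": len(renewals),
        "max_attempts": max((r["attempts"] for r in renewals), default=0),
        "min_slack": min(slacks, default=None),
        "expired": sum(r["expired"] for r in renewals),
        "pending_attempts": pending,
    }


if __name__ == "__main__":
    for record in analyze_lease_log(SAMPLE_LOG)[0]:
        print(record)
    print(summarize(SAMPLE_LOG))
```

On the sample the lease never actually expires, but one renewal needed four attempts and succeeded with only 104 seconds of a 600-second lease left, which is the kind of margin worth raising with the ISP or modem vendor before blaming conntrack.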
     
  6. jon124

    jon124 LI Guru Member

  7. rodenta

    rodenta Network Guru Member

    I guess I should've noted that I'm using this in client mode. I'm not sure exactly why the lease time is 10 minutes, and it does look like it has trouble renewing. But I don't think that is the problem, because for the first few days or so, when I run p2p, browsing will be fine (or reasonable at least) with p2p no matter how many connections I am running. Then randomly, maybe after 4 or 5 days or so, when I run p2p, it will totally kill browsing, but if I limit the max global connections to 50 or stop using p2p totally, browsing will be fine. So it is kind of like after a few days, it only supports a few connections whereas previously it allowed everything.
     
  8. mstombs

    mstombs Network Guru Member

    Sorry, I don't know about client mode - does that mean there is another router and wireless connections involved?

    For slow browsing also check out the need to patch tcpip.sys (lvllord patch) with XP SR2. I had this problem yonks ago with Azureus and the Firefox 'FasterFox' add-in - XP limits the speed at which the PC can open connections. I suspect P2P apps don't like being QOS'd, which increases this problem.
     
  9. ifican

    ifican Network Guru Member

    I say stop p2p for now, reboot the router so it's on a clean reboot, and then just let it be for a week. If no problem rears its ugly head then it's solely p2p based and you can deal strictly with that. What happens if you run p2p without the router in place for a week straight? Perhaps it's your computer that's getting gummed up and causing the symptoms?
     
  10. rodenta

    rodenta Network Guru Member

    When this occurs, all computers connected to the router have the same slow browsing symptoms. And yes, I'm like 90% sure it's a router problem. It just doesn't really make sense to me, as once I reboot the router, everything's back to normal from what I see until a few days later.

    If I didn't use p2p for a week, I think the connection would continue to be perfectly fine. I still think that it has something to do with the connection tracking. I would think this router is capable of at least the 2048 connections that it defaults to, so I don't see why these routers have so much trouble.

    Are other brands similar to this? Say a basic cheap Netgear or D-Link router, how many connections would you think they are capable of?

    And this is the second kind of third-party firmware I've used and it pretty much did the same thing, although with Tomato it is so much better and the problem doesn't occur as often; plus I've never seen it go below 3 MB free RAM with Tomato, so that shouldn't be related to any of the problems.
     
  11. ifican

    ifican Network Guru Member

    Hmm, then you got me. I would have to agree that it is probably connection related, but it sounds like you have looked at it from just about every angle, which is good. I don't run p2p so I can't say, but I also don't use SOHO devices other than to play with 3rd party firmware.
     
  12. mraneri

    mraneri LI Guru Member

    What type of connections are building up?

    When the router is misbehaving, how many connections are actually active?

    Check in Advanced -> Conntrack/Netfilter. Click the text "[count current...]" and see how many are active. Also, which types have high counts? (i.e. established and time wait)

    How many connections for each of the ones that have high counts, and also list the TCP Timeout for those connections (edit: see you listed the timeouts above. Still may help to see how many of each type of connection, though). You may possibly be able to reduce the connection timeout to drop some unnecessary ones...

    Post what you get when the router is misbehaving, and maybe we can help you with the problem.

    - Mike
     
  13. rodenta

    rodenta Network Guru Member


    When browsing begins to be bad, 623 total connections, 575 in lowest setting in QoS with most of bandwidth being used. 215 connections in torrent program, netstat -s shows 230 connections.
    Pings are normal

    14.20 MB / 4,280.00 KB (29.44% free)

    At this point, if I go into the torrent program and limit to 100 total connections, browsing seems to be mostly fine after a few minutes, but still might have some trouble loading some pages with a lot of content.

    With limited to 100 connections in torrent program:
    525 connections total in tomato(starting to drop in count)
    136 netstat -s

    Approximate values at this point:
    Established 250
    Syn Sent 40
    Time Wait 70
    Assured 110
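The per-state breakdown Mike asked for two posts up, and which the numbers above approximate, is what Tomato's "[count current...]" link produces by reading the kernel's connection tracking table. The script below is an added example, not code from the thread or from Tomato, that does the same tally offline over a constructed /proc/net/ip_conntrack extract in the 2.4-kernel layout (assumed to match what the router exposes; addresses are documentation ranges, not the poster's). It also goes one step past the thread: given the current and a proposed lower timeout for a state, it counts how many entries have already sat idle longer than the proposed value, which is the number a shorter timeout would have reclaimed.

```python
"""Tally a /proc/net/ip_conntrack table by state, flag, and LAN host."""
import re
from collections import Counter

# Constructed sample in the 2.4-kernel ip_conntrack layout (assumption);
# the remaining-timeout column is the third field.
SAMPLE_CONNTRACK = """\
tcp      6 1790 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=51234 dport=6881 src=198.51.100.7 dst=203.0.113.10 sport=6881 dport=51234 [ASSURED] use=1
tcp      6 1200 ESTABLISHED src=192.168.1.10 dst=198.51.100.8 sport=51240 dport=6881 src=198.51.100.8 dst=203.0.113.10 sport=6881 dport=51240 [ASSURED] use=1
tcp      6 300 ESTABLISHED src=192.168.1.10 dst=198.51.100.9 sport=51241 dport=6881 src=198.51.100.9 dst=203.0.113.10 sport=6881 dport=51241 [ASSURED] use=1
tcp      6 40 ESTABLISHED src=192.168.1.20 dst=198.51.100.50 sport=40001 dport=80 src=198.51.100.50 dst=203.0.113.10 sport=80 dport=40001 [ASSURED] use=1
tcp      6 110 TIME_WAIT src=192.168.1.10 dst=198.51.100.11 sport=51250 dport=6881 src=198.51.100.11 dst=203.0.113.10 sport=6881 dport=51250 [ASSURED] use=1
tcp      6 85 SYN_SENT src=192.168.1.10 dst=198.51.100.12 sport=51251 dport=6881 [UNREPLIED] src=198.51.100.12 dst=203.0.113.10 sport=6881 dport=51251 use=1
udp      17 25 src=192.168.1.10 dst=198.51.100.53 sport=53000 dport=53 src=198.51.100.53 dst=203.0.113.10 sport=53 dport=53000 use=1
udp      17 170 src=192.168.1.10 dst=198.51.100.60 sport=6881 dport=6881 src=198.51.100.60 dst=203.0.113.10 sport=6881 dport=6881 [ASSURED] use=1
"""

# proto, layer-4 number, remaining timeout, optional TCP state, then the
# original-direction tuple. UDP/ICMP entries have no state word.
ENTRY_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<ttl>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_conntrack(text):
    """Parse table lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ttl"] = int(e["ttl"])
        e["dport"] = int(e["dport"])
        e["state"] = e["state"] or e["proto"]   # bucket stateless protocols by name
        e["assured"] = "[ASSURED]" in line        # traffic seen in both directions
        e["unreplied"] = "[UNREPLIED]" in line    # never answered, e.g. dead peers
        entries.append(e)
    return entries


def summarize_conntrack(text, lan_prefix="192.168.1."):
    """Counts by state and flag, plus entries per LAN host (assumed prefix)."""
    entries = parse_conntrack(text)
    return {
        "total": len(entries),
        "by_state": dict(Counter(e["state"] for e in entries)),
        "assured": sum(e["assured"] for e in entries),
        "unreplied": sum(e["unreplied"] for e in entries),
        "per_host": dict(Counter(e["src"] for e in entries
                                 if e["src"].startswith(lan_prefix))),
    }


def idle_longer_than(text, state, current_timeout, new_timeout):
    """Entries in `state` that have been idle longer than `new_timeout`.

    The remaining timer is reset to the state's timeout on every packet, so
    idle time = current_timeout - remaining; an entry idle longer than the
    proposed timeout would already have been dropped under that setting."""
    return sum(1 for e in parse_conntrack(text)
               if e["state"] == state and current_timeout - e["ttl"] > new_timeout)


if __name__ == "__main__":
    print(summarize_conntrack(SAMPLE_CONNTRACK))
    # ESTABLISHED timeout of 1800 as in the thread, versus a proposed 600.
    print(idle_longer_than(SAMPLE_CONNTRACK, "ESTABLISHED", 1800, 600))
```

With the thread's ESTABLISHED timeout of 1800 seconds, lowering it to 600 would have reclaimed only the entries that had been idle for more than ten minutes; on live data that count tells you whether a shorter timeout is worth the risk of dropping long-lived but quiet sessions.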
     
  14. acidmelt

    acidmelt LI Guru Member

    The number of connections is moderate, but the router shouldn't have problems creating new conntrack entries; my WRT54GL has no problems with many more connections.

    What is your upload/download speed, and what are the values that you used in the QoS Inbound/Outbound Rate?

    Are you sure it's not possible that your ISP is responsible for these problems?
     
  15. mraneri

    mraneri LI Guru Member

    Yeah, these numbers really don't look too bad. The router shouldn't have any trouble keeping up.

    It will be hard to tell, but I suspect there may be a QOS setup issue. Your ISP shouldn't be blocking your web browsing activity, even in the face of P2P traffic.

    I assume you really HAVE set your maximum upload in QOS at 85-90% of your bandwidth. As a test, try setting it to 50-75%. Your torrents will slow down, but if you have the same number of connections, and the performance for browsing is improved, then you're overloading your upstream bandwidth by having that limit set too high.

    Also, please report what's checked and not checked in the QOS Basic settings.
     