SPI? Tomato (Shibby) Very Slow VPN - E4200

Discussion in 'Tomato Firmware' started by eduncan911, Aug 8, 2014.

  1. eduncan911

    eduncan911 Reformed Router Member

    As mentioned in another thread that Tomato on an E4200 is slow on > 90 Mbps connections, recently I attempted to enable PPTP Server on Tomato Shibby (v120) and had horrible speed transfers. As a slight update, I am now at 150 / 150 with Verizon FiOS and disabled wireless and everything else but just a raw router - I can now see 120 Mbps down and 110 Mbps up through the router (the OEM Verizon FIOS router sees 165 Mbps down and 148 Mbps up by comparison).

    For the last several years, I've been using Windows Server RRAS for VPN/PPTP by forwarding port 1723 like normal to the server. I have achieved 8.5 MB/s, or about 95 Mbps upstream (that's Mega Bytes, not Bits, per second) transfer rate by forwarding port 1723 through the E4200 /Tomato Shibby v120 to my windows server.

    I thought, finally with my new E4200 and TomatoVPN, I can move the VPN auth to the router. Boy was that a mistake!

    The maximum speed I could achieve seemed to be around 1 MB/s upstream using Tomato VPN Shibby v120, and about 1.1 MB/s downstream (me uploading remotely to the E4200's location, so it was kind of a Download for it).

    SSHing into the router, I see the CPU is maxed out with pptpd and some other service I didn't recognize, all taking up 99% of the CPU. Once I stopped the transfer, instantly the CPU goes back to a 0.1% idle state. If I slowly browse a network share over VPN, CPU jumps to around 15% usage by the pptpd. If I direct all TCP traffic over VPN (aka "Default Gateway") and try to open a simple webpage, pptpd spikes to ~30% CPU usage up and down.

    Apparently, Tomato can't handle the VPN.

    So I had a thought - with other router firmwares, I can disable SPI (stateful packet inspection) on the firewall.

    Can I disable SPI with Tomato Shibby? That may actually help the bandwidth limitations as well.
  2. koitsu

    koitsu Network Guru Member

    All encryption is done CPU-side. "Tomato" can handle the VPN, it just doesn't give you the throughput you're hoping for because of the high CPU utilisation.

    Consumer routers are not CPU power horses like desktop systems. They are absolutely nowhere near that speed/capability. Their main goal is to forward packets, not to do encryption.

    Your goal (as indicated in other threads) is speed. You do not particularly care about anything else, all you're interested in is throughput. So in this case, do not run any kind of VPN on the router. Let the router do only one thing and that thing alone: forward packets. Which leads me to a final key piece of information:

    DO NOT DISABLE SPI. By disabling SPI you greatly diminish the security of your router, and in actuality can turn yourself into a DoS reflector! Please read the "Description" section of the Wikipedia link I linked for SPI. A proper, secure, and good firewall keeps track of connection states.

    Disabling SPI will not increase your throughput unless you have a state table consisting of, say, a billion entries (and even then it wouldn't get impacted that much due to use of hashed lookups). The most intensive part of SPI is during initial TCP connections, the rest is nominal.

    TL;DR -- Stick to using your desktop for VPN connectivity if you value throughput.
    Last edited by a moderator: Aug 9, 2014
    Monk E. Boy and Marcel Tunks like this.
  3. eduncan911

    eduncan911 Reformed Router Member

    I disagree with that reply on a number of topics which I will not address here.

    The fact is that the stock firmware works fine for all previous speed tests. It's Tomato having the speed problem, as I have indicated in other threads. It's an ongoing issue that many have reported; so perhaps your time and efforts into possibly finding a fix would be better utilized instead of telling me what to do.

    Thank you.
    Last edited by a moderator: Aug 9, 2014
  4. lancethepants

    lancethepants Network Guru Member

    @koitsu hits the nail on the head. Routers can route packets like nobody's business, but when you try to have the router do the heavy lifting by being the VPN end-point, it's going to buckle beneath the encryption/decryption it has to do. Services like VPN will always perform better if you offload them to another machine. A 480 MHz mipsel CPU is very insignificant compared to modern day x86.

    Also, it's pretty much a fact that stock firmware will always outperform 3rd party firmware. It's a tradeoff you can pretty much expect, but people do it for the richer features Tomato can give.
    If a router can't handle the connection with the desired firmware, then a more powerful router is required. Tomato now has some ARM support, which should greatly outperform mips.
    I don't expect devs will place any more focus on outdated hardware like the e4200 when better hardware is available.
    Monk E. Boy and eduncan911 like this.
  5. eduncan911

    eduncan911 Reformed Router Member

    Thanks @lancethepants. Yeah, just hurts that the performance is 3x behind after all of these years. Sure, throwing faster hardware at the problem may solve it (e.g. an R7000).
  6. lancethepants

    lancethepants Network Guru Member

    Here's an informative thread, maybe you've already seen it.

    Stock firmware uses "fastnat" or "CTF" which helps with throughput. This can be disabled in Tomato if you use features that need more advanced firewall. I think with fastnat you are limited to basic port-forwarding.

    ARM routers look pretty appealing, here are some numbers.

    The throughput numbers will be with "fastnat" or whatever they name it, enabled. Tomato I believe is in the same ballpark, unless fastnat needs to be disabled for some reason. Even disabled it should handle your connection, for basic routing. I'm sure it will do much better than the E4200 at being a VPN endpoint. I'm guessing it would still lag your Windows server numbers though.
    Monk E. Boy and koitsu like this.
  7. eduncan911

    eduncan911 Reformed Router Member

    In the original post, I linked to the exact thread where I detail how to, step by step, enable CTF on Tomato Shibby - and it fails (constantly reboots the router).

    I tried it under a default config, multiple configs, etc. This process works as I can enable other modules on the USB stick using the same procedure.

    It was my attempt at getting the faster throughput.

    Yes, ARM routers (R7000) do look good as I mentioned - but, it's just throwing more hardware at a fundamental problem with Tomato itself.
  8. RMerlin

    RMerlin Network Guru Member

    VPN, because of the crypto involved, will always be a CPU-bound process. This isn't a "fundamental problem" with Tomato, it's simply the limits reached by the router's CPU (which was not designed to do VPN crypto - routers designed for such purposes come with specialized hardware that handles part of the encryption/decryption workload).

    CTF only has an effect on NAT and routing, it does not affect crypto performance in any way.

    The only solution to improve VPN performance is to upgrade to a router with faster hardware, or move the VPN server to a machine that has the required CPU power. The only thing that could be improved at Tomato's level would be saving a few CPU cycles here and there, giving you maybe 2-3% of throughput improvement at best.
    TyShawn, Monk E. Boy and koitsu like this.
  9. kamaaina

    kamaaina Serious Server Member

    I don't know if that is true but I read somewhere that the OpenVPN clients in all of the router firmwares are only doing single thread, so they don't take advantage of the second core in the router. Supposedly that's how it was written initially. So, if some clever OpenSSL/OpenVPN developers would be able to adapt it to use multicore then we could get to a level where the performance and convenience on the newer ARM boxes would maybe be "good enough" for most people. I think the newer R8000 or Asus even has extra cores for wireless and stuff, who knows where we will end up. Maybe there will be quad core R9000 in a year that could handle quite some mainstream VPN for most users.

    That said, it's not going to beat any recent dual-core PC/Mac.
  10. RMerlin

    RMerlin Network Guru Member

    Multithreading/SMP support is something the OpenVPN developers said they would look at for version 3.x.
  11. kamaaina

    kamaaina Serious Server Member

    Thanks RMerlin, good to know, but I guess that is quite some time away until this makes its way into the real world and then into third party firmware. Still good to know it's not ruled out.
  12. Annita

    Annita Networkin' Nut Member

    Hi all,
    Any news on this one? I now have a 300/30 Mbps connection and all I can get with my E4200v1 with Shibby v130 is 120/30... :(
  13. eduncan911

    eduncan911 Reformed Router Member

    As we posted over in the other thread... Nope, still slow. People have just basically upgraded to the 1 Ghz routers and continue to live with the inefficiencies.
  14. fonos

    fonos Serious Server Member

    On a dual-core router, it is possible to assign routine tasks and SIRQ to one core and place OpenVPN on the second core. This isn't multi-threading but it does help to balance the load better across the two cores and noticeably improves VPN throughput.

    The current crop of ARM processors are using the ARMv7 architecture. ARMv8 architecture incorporates some AES-dedicated instructions, a bit like the Intel AES-NI instruction set, that should certainly help to speed things up.
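    The core split fonos describes, written out as an added example that is not from the thread or from Tomato itself. It assumes a dual-core Linux router where /proc/irq/*/smp_affinity is writable as root and taskset/pidof are available; hardware IRQs (and the softirq work they trigger) are steered to one core and the openvpn process to the other.

```shell
#!/bin/sh
# Added example (not from the thread or Tomato): split a dual-core router so
# that IRQ/softirq handling stays on one core and OpenVPN runs on the other.
# Assumes Linux with writable /proc/irq/*/smp_affinity, taskset and pidof.

# Hex affinity mask with only the given CPU index set: cpu_mask 1 -> "2"
cpu_mask() {
    printf '%x' $(( 1 << $1 ))
}

# Reverse: list the CPU indices set in a hex mask, e.g. mask_to_cpus 3 -> "0 1"
# (commas in long kernel masks are stripped first).
mask_to_cpus() {
    m=$(( 0x$(printf '%s' "$1" | tr -d ',') ))
    i=0
    out=""
    while [ "$m" -ne 0 ]; do
        if [ $(( m & 1 )) -eq 1 ]; then
            out="${out:+$out }$i"
        fi
        m=$(( m >> 1 ))
        i=$(( i + 1 ))
    done
    printf '%s' "$out"
}

# Steer every device IRQ (and the softirq work it triggers) to the given CPU.
pin_irqs() {
    mask=$(cpu_mask "$1")
    for f in /proc/irq/[0-9]*/smp_affinity; do
        # Some IRQs (timers, per-CPU lines) refuse affinity changes; skip them.
        echo "$mask" > "$f" 2>/dev/null || true
    done
}

# Pin every running openvpn process to the given CPU.
pin_openvpn() {
    for pid in $(pidof openvpn); do
        taskset -p "$(cpu_mask "$1")" "$pid"
    done
}

# Print where each IRQ ended up, to verify the split took effect.
show_irq_affinity() {
    for f in /proc/irq/[0-9]*/smp_affinity; do
        irq=${f#/proc/irq/}; irq=${irq%/smp_affinity}
        printf 'IRQ %s -> CPUs %s\n' "$irq" "$(mask_to_cpus "$(cat "$f")")"
    done
}

# Usage as root on the router: pin_irqs 0; pin_openvpn 1; show_irq_affinity
```

The settings do not survive a reboot, so on Tomato they belong in a startup or firewall script.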
  15. Monk E. Boy

    Monk E. Boy Network Guru Member

    Well, that, or maybe MIPS devices aren't as powerful as you think they are.

    If you want the features of Tomato you can't have fastnat/ctf. As it was in the beginning, will now and ever shall be...