Using AES encryption causes ping spiking, while WEP does not (bridged E3000s)

Discussion in 'Tomato Firmware' started by Rodney Gilbert, Feb 17, 2013.

  1. Rodney Gilbert

    Rodney Gilbert Networkin' Nut Member

    I have two E3000 routers bridged together with this configuration:
    • Tomato Firmware v1.28.7501 MIPSR2Toastman-RT K26 USB VPN
    • N-only
    • 5GHz
    • channel 36 - 5.180 GHz
    • channel width: 40MHz
    • control sideband: lower
    • WPA2 Personal + AES
      • If I change to WEP, ping spike issue goes away
    • Advanced -> Wireless stuff all left as default from Toastman's Tomato
    Router 1 is AP
    Router 2 is Wireless ethernet bridge to Router 1
    They are ~ 4 meters apart

    Below is me pinging from router 2 to router 1 over wireless

    Using AES:

    64 bytes from 192.168.1.1: seq=1 ttl=64 time=1.304 ms
    64 bytes from 192.168.1.1: seq=2 ttl=64 time=1.370 ms
    64 bytes from 192.168.1.1: seq=3 ttl=64 time=1.363 ms
    64 bytes from 192.168.1.1: seq=4 ttl=64 time=1.415 ms
    64 bytes from 192.168.1.1: seq=5 ttl=64 time=479.650 ms
    64 bytes from 192.168.1.1: seq=6 ttl=64 time=1.428 ms
    64 bytes from 192.168.1.1: seq=7 ttl=64 time=1.424 ms
    64 bytes from 192.168.1.1: seq=8 ttl=64 time=1.424 ms
    64 bytes from 192.168.1.1: seq=9 ttl=64 time=939.534 ms
    64 bytes from 192.168.1.1: seq=10 ttl=64 time=1.630 ms
    64 bytes from 192.168.1.1: seq=11 ttl=64 time=1.433 ms
    64 bytes from 192.168.1.1: seq=12 ttl=64 time=1.424 ms
    64 bytes from 192.168.1.1: seq=13 ttl=64 time=1.427 ms
    64 bytes from 192.168.1.1: seq=14 ttl=64 time=390.035 ms
    64 bytes from 192.168.1.1: seq=15 ttl=64 time=1.359 ms
    64 bytes from 192.168.1.1: seq=16 ttl=64 time=1.347 ms
    64 bytes from 192.168.1.1: seq=17 ttl=64 time=1.370 ms
    64 bytes from 192.168.1.1: seq=18 ttl=64 time=849.709 ms
    64 bytes from 192.168.1.1: seq=19 ttl=64 time=1.369 ms
    64 bytes from 192.168.1.1: seq=20 ttl=64 time=1.430 ms

    Using WEP:

    64 bytes from 192.168.1.1: seq=265 ttl=64 time=1.094 ms
    64 bytes from 192.168.1.1: seq=266 ttl=64 time=1.072 ms
    64 bytes from 192.168.1.1: seq=267 ttl=64 time=0.993 ms
    64 bytes from 192.168.1.1: seq=268 ttl=64 time=1.048 ms
    64 bytes from 192.168.1.1: seq=269 ttl=64 time=1.022 ms
    64 bytes from 192.168.1.1: seq=270 ttl=64 time=1.063 ms
    64 bytes from 192.168.1.1: seq=271 ttl=64 time=1.105 ms
    64 bytes from 192.168.1.1: seq=272 ttl=64 time=1.055 ms
    64 bytes from 192.168.1.1: seq=273 ttl=64 time=1.079 ms
    64 bytes from 192.168.1.1: seq=274 ttl=64 time=1.007 ms
    64 bytes from 192.168.1.1: seq=275 ttl=64 time=1.071 ms
    64 bytes from 192.168.1.1: seq=276 ttl=64 time=1.052 ms
    64 bytes from 192.168.1.1: seq=277 ttl=64 time=1.001 ms
    64 bytes from 192.168.1.1: seq=278 ttl=64 time=1.005 ms
    64 bytes from 192.168.1.1: seq=279 ttl=64 time=0.980 ms
    64 bytes from 192.168.1.1: seq=280 ttl=64 time=1.104 ms
    64 bytes from 192.168.1.1: seq=281 ttl=64 time=1.003 ms
    64 bytes from 192.168.1.1: seq=282 ttl=64 time=1.007 ms
    64 bytes from 192.168.1.1: seq=283 ttl=64 time=1.089 ms
    64 bytes from 192.168.1.1: seq=284 ttl=64 time=1.028 ms

    I couldn't try TKIP because the web UI says it's not supported in wireless ethernet bridge mode. I am confident wireless interference is not an issue here, given that the only change is the encryption method.

    Is this a bug with tomato? Anything I can do here?
     
  2. Mangix

    Mangix Networkin' Nut Member

    I have no idea. In the advanced section, try setting the regulatory domain to US. I believe it to be better but who knows.

    A side note, 802.11n with WEP should absolutely not be possible. The 802.11n standard mandates WPA2-AES for n speeds and I have seen the speeds go back to g on 2.4GHz if WPA2-AES is not used. It's possible that although you set it to N only, it's actually doing A. Who knows.

    WPA2-AES in theory should work better as it's faster than WEP. AES takes off around 10% or less off of the throughput while WEP takes off 20%.
     
  3. Rodney Gilbert

    Rodney Gilbert Networkin' Nut Member

    Hi Mangix. It's already set to US which was the default.

    With WEP on 5GHz with 40MHz width, I was able to copy at 4-5MB/s ... at 2.4GHz 802.11g I could only do 1.7MB/s
    With WPA2 using the same configuration, I copy at 4-5MB/s ... except there is the occasional spike in latency as shown above, which is fine for transferring data, but not for things like an ssh session where things randomly freeze up
     
  4. Mangix

    Mangix Networkin' Nut Member

    I thought Toastman had Singapore as the default.

    I can't really imagine why there are latency spikes. The only thing I can think of is that the GTK is getting regenerated every few seconds. But by default it should happen once every hour...
     
  5. Rodney Gilbert

    Rodney Gilbert Networkin' Nut Member

    Yeah really strange...

    Note that this only happens if I ping from anything connected from router 2 over wireless ethernet bridge to router 1 ... but using my laptop connected to laptop 1 directly over wireless (5GHz 802.11n) as AP client, I have no latency issues ..

    So seems something specifically wrong with wireless ethernet bridge mode on N using AES encryption

    Are there any logs I can capture to help diagnose this?
     
  6. mvsgeek

    mvsgeek Addicted to LI Member

    I have a 2.4 GHz 802.11n wireless ethernet bridge using WPA + AES. No latency issues pinging from router 2 to router 1. I switched to WPA2, no change. Ping times were around 1-2 ms, very occasional spike around 8 ms, but very sporadic. Switched back to WPA, same results as WPA2. Haven't tried WEP or open. My hardware is Asus RT-N16 + RT-N12, so I'm restricted to 2.4 GHz.

    FWIW I'm using WPA, because when I switched my "production" environment to WPA2, only 1 or 2 of the 7 WDS slaves would connect => 5 or 6 unhappy customers:(.

    Maybe your issue is peculiar to 5GHz?
     
  7. Engineer

    Engineer Network Guru Member

    I just tried my Linksys E2000 with Shibby 1.04 (bridge) to my Belkin N600 with Shibby 1.01 (AP) running at 5GHz and there were no ping issues (all were 1ms for the 75 times that I ran it). Running WPA2 + AES. Have not tried others.
     
  8. Rodney Gilbert

    Rodney Gilbert Networkin' Nut Member

    Appreciate your testing, thanks guys. Did some more testing too...

    WPA and WPA2 exhibit the same ping latency issue (both on AES)
    However I also tried with encryption disabled (eg. open network) and it also had the latency spikes
    If I use WEP, the spikes go away...

    When I use inSSIDer, it shows the WEP networking with max rate 300 on channel 40 + 36 ... so full speed N over WEP does seem to work somehow.

    So:

    (no ping latency with): WEP
    (ping latency issue observed with): WPA, WPA2, no-encryption
     
  9. Rodney Gilbert

    Rodney Gilbert Networkin' Nut Member

    Hmm perhaps I should try Shibby to compare
     
  10. koitsu

    koitsu Network Guru Member

    Rodney, what you don't seem to be taking into consideration is that the issue could also be on the client side (either driver-level issues or features in the driver which are implemented oddly/badly). There really aren't any "logs" or "captures" you can do for this kind of thing (rather not go into why). What you're effectively trying to do is profile an entire wireless network *and* two operating systems (client and server) -- this is a huge, huge task.
     
  11. Rodney Gilbert

    Rodney Gilbert Networkin' Nut Member

    Doesn't apply. What I did was:
    1. telnet 192.168.1.2 (router 2)
    2. from within telnet:
      1. ping 192.168.1.1 (router 1)
    So I am isolating air interface between the two routers.
     
  12. Mangix

    Mangix Networkin' Nut Member

    I'd be curious to see a wireless packet capture of WEP vs. WPA2 to see what's going on between the router and client.

    As for telnet, I don't remember if latency between router to client also affects the results. I remember something similar with SSH but I could be wrong. In any case, a serial connection is the best you'd be able to do which is probably impractical.
     
  13. Rodney Gilbert

    Rodney Gilbert Networkin' Nut Member

    Check this out:
    http://www.dd-wrt.com/phpBB2/viewtopic.php?p=717832

    Someone with E3000 with similar problem on WPA2+AES ... he dropped to WPA2+TKIP and the latency went away.

    Gave Shibby a whirl just to rule out toastman build, and the behaviour is the same.
     
  14. mvsgeek

    mvsgeek Addicted to LI Member

    What happens when you switch to 2.4 vs. 5 GHz? Is this an option with your hardware/firmware? I don't have 5 GHz capability, so can't test that scenario.
     
  15. Rodney Gilbert

    Rodney Gilbert Networkin' Nut Member

    Still on Shibby right now, it seemed to let me do 40MHz on 2.4GHz range WPA2+AES.
    It exhibited the same ping latency spiking behaviour. Tried a few different channels as well.
     
  16. Rodney Gilbert

    Rodney Gilbert Networkin' Nut Member

    A breakthrough!!! Looks like the bug is specific to using the "Wireless Ethernet Bridge" mode.

    I changed router 2 to be a "Wireless Client" instead, and now ping spiking is gone!! I have only confirmed this on Toastman 1.28.7501.2. I imagine this bug is shared among all tomato fw variants.

    Toastman, hope you see this thread. Is there any testing or logs I can capture to help with this bug?
     
  17. Engineer

    Engineer Network Guru Member

    I am using 5GHz Wireless Ethernet Bridge and have been for over a year. Shibby 1.04 (Bridge) and Shibby 1.01 on the AP. As I said, no ping spikes here on the 5GHz band using WPA2 with AES.

    While on that note, what is the difference between "Client" and "Bridge"?
     
  18. Rodney Gilbert

    Rodney Gilbert Networkin' Nut Member

    Hi Engineer, I believe you ... I wonder if this is related to using E3000's... really not sure. I did try latest shibby on both routers and the behaviour was the same.

    To answer your question 'client' vs 'bridge', see this other post, or google:
    http://www.linksysinfo.org/index.php?threads/wireless-client-vs-wireless-ethernet-bridge.23783/

    I'd rather do bridge, as I want it to be transparent and all PCs on the same subnet - alas, until we can figure out why bridge mode doesn't work, I'm stuck running two subnets in my intranet :(

    It's a reasonable workaround though until we can get to the bottom of why ethernet bridge doesn't work in this scenario.

    I am happy to see 1ms pings and 6.2MB/s thruput though :)
     
  19. Rodney Gilbert

    Rodney Gilbert Networkin' Nut Member

  20. Mangix

    Mangix Networkin' Nut Member

    probably some broadcom wireless driver bug. dd-wrt and tomato use different drivers.
     
  21. eahm

    eahm LI Guru Member

  22. Rodney Gilbert

    Rodney Gilbert Networkin' Nut Member

    I already tried Shibby, as stated a few times in my earlier posts.

    Just tried WDS ... seems to work but performance is a lot worse than client bridge mode. I get 3.7MB/s instead of 6.2MB/s using "Wireless Client" mode
     
  23. Rodney Gilbert

    Rodney Gilbert Networkin' Nut Member

    Can anyone explain why "wireless ethernet bridge" mode has random ping spikes, given that there are no RF issues as evidenced by previous posts?
     
  24. Rodney Gilbert

    Rodney Gilbert Networkin' Nut Member

    Here is all my data quickly summarized. These were tested between router 1 and router 2 (two Linksys E3000, running the very latest Tomato Firmware v1.28.7501 MIPSR2Toastman-RT K26 USB VPN with the intent to bridge them wirelessly). All RF info is the same, running on 5GHz.

    Channel 36, 40MHz width, WPA2+AES, Auto, WDS
    - 1.0ms constant ping
    - 30.8Mb/s (iperf)

    Channel 36, 40MHz width, WPA2+AES, Auto, Wireless Ethernet Bridge
    - 1.4ms constant + random 500ms+ spiking every 4-5 seconds
    - 47.1MB/s (iperf)

    Channel 36, 40MHz width, WPA2+AES, Auto, Wireless AP Client
    - 1.3ms constant
    - 64.5MB/s (iperf)


    ^^^ Clearly Wireless AP client is the best, excellent thruput and doesn't have the ping spikes that bridging does, however the major con is that you now need two subnets (eg. 192.168.2.X and 192.168.1.X).

    Wireless Ethernet Bridge would be great, but the random ping spiking kills it. Okay for data transfer, but NOT for gaming or SSH sessions etc. WDS thruput is too shitty.
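
Added example (not part of any post in this thread): a shell/awk helper that quantifies the spike pattern summarised above, run over the "Using AES" ping replies from the first post. The function names and the 100 ms threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise spikes in BusyBox ping output.

# The "Using AES" replies from the first post, embedded so this runs offline.
sample_aes() {
    cat <<'EOF'
64 bytes from 192.168.1.1: seq=1 ttl=64 time=1.304 ms
64 bytes from 192.168.1.1: seq=2 ttl=64 time=1.370 ms
64 bytes from 192.168.1.1: seq=3 ttl=64 time=1.363 ms
64 bytes from 192.168.1.1: seq=4 ttl=64 time=1.415 ms
64 bytes from 192.168.1.1: seq=5 ttl=64 time=479.650 ms
64 bytes from 192.168.1.1: seq=6 ttl=64 time=1.428 ms
64 bytes from 192.168.1.1: seq=7 ttl=64 time=1.424 ms
64 bytes from 192.168.1.1: seq=8 ttl=64 time=1.424 ms
64 bytes from 192.168.1.1: seq=9 ttl=64 time=939.534 ms
64 bytes from 192.168.1.1: seq=10 ttl=64 time=1.630 ms
64 bytes from 192.168.1.1: seq=11 ttl=64 time=1.433 ms
64 bytes from 192.168.1.1: seq=12 ttl=64 time=1.424 ms
64 bytes from 192.168.1.1: seq=13 ttl=64 time=1.427 ms
64 bytes from 192.168.1.1: seq=14 ttl=64 time=390.035 ms
64 bytes from 192.168.1.1: seq=15 ttl=64 time=1.359 ms
64 bytes from 192.168.1.1: seq=16 ttl=64 time=1.347 ms
64 bytes from 192.168.1.1: seq=17 ttl=64 time=1.370 ms
64 bytes from 192.168.1.1: seq=18 ttl=64 time=849.709 ms
64 bytes from 192.168.1.1: seq=19 ttl=64 time=1.369 ms
64 bytes from 192.168.1.1: seq=20 ttl=64 time=1.430 ms
EOF
}

# spike_report [threshold_ms] reads ping output on stdin.
# threshold_ms defaults to 100, an assumed cut-off (not a value from the thread).
spike_report() {
    awk -v thr="${1:-100}" '
    /time=/ {
        seq = ""; ms = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^seq=/)  seq = substr($i, 5)
            if ($i ~ /^time=/) ms  = substr($i, 6)
        }
        if (seq == "" || ms == "") next
        if (first == "") first = seq
        final = seq; replies++
        if (ms + 0 >= thr + 0) {          # spike: record seq and gap since last spike
            seqs = seqs (n ? "," : "") seq
            if (n) gaps = gaps (n > 1 ? "," : "") (seq - prev)
            prev = seq; n++
        } else { sum += ms; quiet++ }     # normal reply: feeds the baseline average
    }
    END {
        lost = replies ? (final - first + 1) - replies : 0   # missing seq numbers
        printf "spikes=%d seqs=%s gaps=%s lost=%d baseline_ms=%.2f\n", n, seqs, gaps, lost, (quiet ? sum / quiet : 0)
    }'
}

sample_aes | spike_report 100
```

At ping's default of one request per second, gaps of 4, 5 and 4 replies correspond to the "every 4-5 seconds" noted in the summary above.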
     
  25. Mangix

    Mangix Networkin' Nut Member

    Here's a boring answer: The Broadcom wireless drivers are closed source and whatever performance you get, there is nothing you can do about it. The only thing you can do is move to a newer driver (will happen in a few months with tomato I think based on the latest asus firmware beta).

    In your original post, you mentioned that you were using the RT series of builds for the E3000. Toastman also makes RT-N versions of his builds for the E3000 which might also work (shibby's builds apparently won't). You also might brick the router. I'm not sure. You'd have to ask Toastman. The RT-N series of builds have newer wireless drivers and may perform better (they usually do for me). I also just realized that my previous comments about newer wireless drivers only apply to the RT-N series.

    There is also experimental support for the E3000 in OpenWRT. I can make a build but I can make no guarantees that it will ever work. OpenWRT btw uses a newer Kernel and open source drivers. This should be considered a last resort if you really want this working. I'd try RT-N first.
     
  26. Engineer

    Engineer Network Guru Member

  27. Rodney Gilbert

    Rodney Gilbert Networkin' Nut Member

    Thanks guys. I'll give RT-N a shot and see what happens, will report back.
     
  28. Engineer

    Engineer Network Guru Member

    Rodney,

    If you like, you could post your "BASIC" - "NETWORK" settings page, your "FIREWALL" page, your "ROUTING" page (I think that's what it's called - has the GATEWAY mode, RIP, etc) and your "WIRELESS" (settings) pages and I'll compare to mine to see if there is anything that sticks out.
     
  29. Rodney Gilbert

    Rodney Gilbert Networkin' Nut Member

    Sure will do ... at work now but I'll post tonight. I didn't change anything explicitly in those areas ... whenever I load new FW I always do thorough NVRAM erase.
     
  30. Rodney Gilbert

    Rodney Gilbert Networkin' Nut Member

  31. Engineer

    Engineer Network Guru Member

    Have you tried entering your gateway IP into the Wireless Ethernet Bridge (currently set to 0.0.0.0) to see if it makes some sort of difference?

    (one of the few things different than mine).
     
  32. Rodney Gilbert

    Rodney Gilbert Networkin' Nut Member

    ahh yes, forgot to switch that after I flashed back to RT, I usually set that. No difference observed.
     
  33. Engineer

    Engineer Network Guru Member

    I'm assuming that your main access point is actually connected directly to the internet?

    If so, have you tried disconnecting everything from it and just pinging from the wireless Ethernet bridge to the main AP?

    I'll admit that I don't know lots about this stuff but I'm really intrigued by this one, especially since I've run basically the same setup (different hardware) for several years with zero issues like yours.

    Also, I'm assuming that you've looked through your logs and nothing "recurring" is happening while you're pinging?
     
  34. Rodney Gilbert

    Rodney Gilbert Networkin' Nut Member

    Yeah nothing looks bad in logs. All my tests have been directly between the two routers.

    Indeed strange ... stumped.
     
  35. Engineer

    Engineer Network Guru Member

  36. Rodney Gilbert

    Rodney Gilbert Networkin' Nut Member

    hmm but I see the same behaviour if I ping from my macbook air (osx) over wifi. he also claims that his issues were with WAN (internet), not LAN.
     
  37. Rodney Gilbert

    Rodney Gilbert Networkin' Nut Member

    Is there any way I can run in AP client mode, but somehow get the two segments onto the same subnet?
     
  38. Engineer

    Engineer Network Guru Member

    I've been trying that for the last hour with no luck. Strangely enough, I can see the cable modem (192.168.100.1) from the client side but not the rest of the network.

    I just tinkered around with it and got it working. I can ping and access the other PC's/Printers/Routers on the network even though they are on a different subnet.

    Main access point: 192.168.5.1

    I set my router to Client Bridge.
    WAN to Static
    Set an IP under WAN in the same subnet as the main access point (192.168.5.89)
    Set gateway to 192.168.5.1

    Set LAN IP to 192.168.4.1 with subnet of 255.255.255.0
    Set DHCP (LAN) to ON
    Set DHCP range to 192.168.4.20-192.168.4.50

    Saved

    Release/Renewed IP and it all worked.
     
  39. Rodney Gilbert

    Rodney Gilbert Networkin' Nut Member

    nice.. yeah that's the same setup I had, but they are still on separate subnets. It's not a deal breaker, but it means things like extra dhcp server, port forwarding... services which broadcast won't see PCs across the bridge, etc.

    WDS also works, but thruput isn't as sweet as client AP mode.

    What kind of thruput do you get between routers?
     
  40. Engineer

    Engineer Network Guru Member

    In Ethernet bridge mode, I get between 15-20MB(ytes)/sec transfer rates or so (PC to PC transfer rate that's connected to the AP and the bridge). I'll test client mode out later today.
     
  41. Rodney Gilbert

    Rodney Gilbert Networkin' Nut Member

    wow... that's fast. Is your config any different from mine? Does my E3000 suck or something? lol

    How did you test?
     
  42. Engineer

    Engineer Network Guru Member

    That's just a large file transfer from one PC to another from time to time. If I transfer multiple files (i.e. a folder with lots of small files), it drops quite a bit but I assume that's Windows doing its thing more than the wireless speed. Config is a dual band Belkin N600 ($29.99 from Slickdeals) and a refurbished Linksys E2000 (bridge - $19.99 from Slickdeals). Both flashed with Tomato (1.01 on the Belkin and 1.04 on the E2000).

    My routers are about 10 feet apart but the AP is downstairs while the bridge is upstairs.

    Oh, and I can't see the rest of the network with Client Mode. I can ping certain things (printer for example) but I cannot see anything on the network. I've tried to manually assign IP addresses while changing the subnet but I don't know enough about networking to make it work. Sorry.

    Edit: Just ran another test in Ethernet bridge mode (1 GB file) and it averaged 18.2MB/sec.
     
