two quetions on bcm_nat

Discussion in 'Tomato Firmware' started by rs232, Nov 6, 2013.

  1. rs232

    rs232 Network Guru Member

    Hi, I don't seem to be able to find detailed information on bcm_nat. Can anybody feed in what loading the module does exactly?

    Also ok on the improved throughput (always good!) but does it affect latency at all?

    darkknight93 likes this.
  2. shibby20

    shibby20 Network Guru Member

    just add "modprobe bcm_nat" to init script :)

    did you see this?
  3. rs232

    rs232 Network Guru Member

    Hi Shibby, thanks for the replay.

    Yes I did see the video, but I was looking for details on the technicalities behind the scenes
  4. tarmdjur

    tarmdjur Reformed Router Member

    As far as I've understood, "Fast-NAT" disables many functions and makes the router under some circumstances less stable, in exchange for WAN-LAN speed.

    Am i somewhat correct?
  5. mstombs

    mstombs Network Guru Member

    Broadcom make the chipset and the firmware that makes the Ethernet ports into smart switches, and also the binary wireless drivers. My understanding is that bcm_nat allows certain classes of traffic to be handled almost entirely within the the switch/wireless firmware binaries, bypassing the Linux OS and kernel netfilter (iptables configured) tables altogether. At high transfer rates with cpu a bottleneck every processing step (line of code) saved is a benefit, and is great for benchmark tables in magazine reviews! Shouldn't make router unstable but you can't expect QOS and IP accounting etc to work if bulk of traffic hidden from kernel!
    rs232 likes this.
  6. tarmdjur

    tarmdjur Reformed Router Member

    "As we also said, the bad thing about Fast-NAT doesn't track connections, which means it will not be able to do SNAT very well for whole networks, neither will it be able to NAT complex protocols such as FTP, IRC and other protocols that Netfilter-NAT is able to handle very well."
    rs232 likes this.
  7. juggie

    juggie Addicted to LI Member

    How does BCM_NAT affect things if QOS or BWLimiter is enabled? I presume it would override those features?
  8. gawd0wns

    gawd0wns Network Guru Member

    No OS and kernel netfilter? Doesn't this create a serious security risk?
  9. lightsword

    lightsword Serious Server Member

    Kind of depends on how bcm_nat firmware firewalls since it basically takes over from what I understand.
  10. mstombs

    mstombs Network Guru Member

    Should be OK, can imagine the link is setup by the OS its just all the subsequent traffic on that connection between the same lan client and remote host that bypasses. Just what you need if you are downloading a large file from remote site for a speedtest!

    But who knows for sure - since its closed source obviously containing no known GPL code.
  11. darkknight93

    darkknight93 Networkin' Nut Member

    as far as i can see the IPTrafficStats are broken/unaccurate with fast_nat enabled. QOS or BW limiter i do not use :)
  12. Elfew

    Elfew Network Guru Member

    It is normal... It is a side effect of fastnat
  13. Toastman

    Toastman Super Moderator Staff Member Member

    You might try to think of it in rather simplified terms.

    We buy a router to allow us to manipulate traffic and to support multiple clients. To do that, traffic has to be processed by the firmware inside the router, be it QOS or traffic stats or whatever. If we didn't need to process the traffic, then we are really in need of a switch.

    BCM-NAT effectively bypasses the router by handling most traffic inside the router's switch itself, the firmware doesn't see it any more.

    Therefore, you might say, under certain circumstances, we are no longer processing that traffic with our router. Effectively, we don't have a router any more, what we are doing is putting a simple switch in its place.

    Therefore, the numerous comments and complaints about devs 'fixing the problem" are somewhat pointless. It never was "a problem". We can't process anything that we can't even see.

    It is largely smoke and mirrors, to make hardware look good on the shiny box... as mstombs hinted previously. It's rather clever. Whether it suits you in your own environment, is open to debate.
    crashnburn likes this.
  14. juggie

    juggie Addicted to LI Member

    If nothing else the bcm_nat black magic does not appear to break port forwarding.
  15. crashnburn

    crashnburn Network Guru Member

    Great explanation.

    PS: If the above Init "enables" BCM_Nat, then how could I disable it (with & without rebooting)?
    I suspect, commenting it out with # in the Init would disable when rebooted.
    What way can it be enabled/ disabled on the fly (on demand/ when I want at certain times)?
  16. azdps

    azdps LI Guru Member

    modprobe bcm_nat (enables module)
    modprobe -r bcm_nat (disables module)

    Not sure if a router reboot is required to effectively enable or disable this particular module while the router is running since I can't test it at the moment. I'm using asuswrt-merlin firmware so I'm not sure what scheduling options tomato firmware has right now.

    Also lsmod will list the modules that are currently running on the router.
    crashnburn likes this.
  17. Tomato User

    Tomato User Network Newbie Member

    what about the security risk?
    Is there one?
  18. mstombs

    mstombs Network Guru Member

    Some folk prefer opensource so the code can be reviewed - do you trust Broadcom? No doubt the bcm_nat bypasses some Linux kernel filtering rules, so possibly could be exploited? But all it should do is fast-track established nat connections between closed source switch drivers reducing cpu load processing packets.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice