I connect to the internet through L2TP. I'm not behind NAT. I seed about 48000+ torrents, which create about 45000-75000 active connections. This is how it looks:
My router is ASUS TUF-AX4200, my firmware is openwrt 23.05.4 240816.
It seems like the router cannot handle all these connections. Occasionally the connection to the L2TP server drops. It can happen at 32000 connections, it can happen at 78000 connections. I can't find a pattern. When I connect to the same L2TP server with the KDE applet on my PC, that connection seems stable. So to me it looks like my router, despite being one of the most powerful ones on the market, still cannot handle this many connections.
Right now I'm using this reconnect script as a workaround:
#!/bin/sh
# Reconnect workaround: ping a test host once and bounce the l2tp interface
# (ifdown/ifup via netifd) when the ping fails. Run it periodically from cron.
check_connectivity() {
    local test_ip
    local test_count
    test_ip="8.8.8.8"
    test_count=1
    # -W 2: give up after 2 s so the script cannot hang on a dead link
    if ping -c "${test_count}" -W 2 "${test_ip}" > /dev/null; then
        echo "Have internet connectivity"
    else
        echo "Do not have connectivity"
        sleep 5
        ifdown l2tp
        sleep 5
        ifup l2tp
    fi
}
check_connectivity
but it's inconvenient. I don't want to decrease the number of active torrents. Is there a way to tweak OpenWrt to help it handle all these connections? Maybe some sysctl options can help?
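An added example, not the script from this post: a variant of the reconnect workaround that only bounces the interface after several consecutive failed probes, so a single lost ping does not restart the tunnel. It assumes the interface is named l2tp as above and that ifdown, ifup and logger exist (OpenWrt netifd and busybox); the second probe target 1.1.1.1, the failure threshold of 3 and the state file /tmp/l2tp_watchdog.fails are my choices, not something from the thread.

```shell
#!/bin/sh
# l2tp-watchdog.sh (added example, not the thread's script): restart the l2tp
# interface only after FAIL_LIMIT consecutive failed probes.
# Assumptions: interface "l2tp", OpenWrt netifd (ifdown/ifup), busybox logger.
IFACE="${IFACE:-l2tp}"
TEST_IPS="${TEST_IPS:-8.8.8.8 1.1.1.1}"        # probe targets (1.1.1.1 is my addition)
FAIL_LIMIT="${FAIL_LIMIT:-3}"                   # consecutive failures before a restart
STATE_FILE="${STATE_FILE:-/tmp/l2tp_watchdog.fails}"  # survives between cron runs

# probe_ok: return 0 if any probe target answers one ping within 2 s.
# PING_CMD can be overridden so the logic can be exercised without a network.
probe_ok() {
    for ip in $TEST_IPS; do
        if ${PING_CMD:-ping} -c 1 -W 2 "$ip" >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}

# bump_failures: increment the persisted failure counter and echo the new value.
bump_failures() {
    n=$(cat "$STATE_FILE" 2>/dev/null)
    n=$((${n:-0} + 1))
    echo "$n" > "$STATE_FILE"
    echo "$n"
}

reset_failures() { echo 0 > "$STATE_FILE"; }

# should_restart N: true once N consecutive failures reached FAIL_LIMIT.
should_restart() { [ "$1" -ge "$FAIL_LIMIT" ]; }

# restart_iface: bounce the interface through netifd and record it in syslog.
restart_iface() {
    logger -t l2tp-watchdog "no connectivity for $FAIL_LIMIT checks, restarting $IFACE"
    ifdown "$IFACE"
    sleep 5
    ifup "$IFACE"
    reset_failures
}

# check_connectivity: one watchdog pass. Returns 0 when the link is up,
# 1 when the probe failed (a restart happens only at the threshold).
check_connectivity() {
    if probe_ok; then
        reset_failures
        return 0
    fi
    n=$(bump_failures)
    if should_restart "$n"; then
        restart_iface
    fi
    return 1
}

# Only act when invoked with "run", e.g. from cron: * * * * * /root/l2tp-watchdog.sh run
case "${1:-}" in
    run) check_connectivity ;;
esac
```

With a one-minute cron entry and FAIL_LIMIT=3 the tunnel is restarted roughly three minutes after the link actually dies, and a single dropped probe (common while 40k+ peers saturate the uplink) is ignored; `logread -e l2tp-watchdog` shows how often the restart really fires.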
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
I limit my torrent connections, but it lowers the upload speed, making it lower than the speed I pay for. What values for tcp_max_syn_backlog and net.netfilter.nf_conntrack_max would you suggest?
Yeah, but when I shut down the torrent client my L2TP connection is stable. Maybe there is some bottleneck in kernel or OpenWrt parameters that causes that connection instability?
One bottleneck can be the way UDP/TCP traffic works in the firewall, at least for IPv4.
As far as I know, UDP/TCP ports can only be divided on a single 32-bit address range, so both only get 16 bits to use, which in theory gives you 65536 available ports of each type to make connections through, depending on whether your torrents use UDP or TCP; but not all of those ports are available in the pool for outgoing connections, since a lot of ports are internationally pre-registered for other uses.
The thing is that the OpenWrt firewall does actually work; you would be surprised how many firewalls on home routers don't even care about the higher pool ports and leave them open and uncontrolled.
That is why port scans always ping some random high ports as well, to see if the endpoint knows what it is doing or not.
The limitation is not a full conntrack, but running out of ports for outgoing connections. There is no limit (well, it is uint32 for ct states, each 200-some bytes) of nftables being reached. Yes, no limit on incoming connections.
Upgrade to 23.05.5
limit torrent client to 32k connections
remove extra unjustified tuning:
net.netfilter.nf_conntrack_max=524288
+ net.netfilter.nf_conntrack_buckets=262144 # max
- net.netfilter.nf_conntrack_helper=1
- net.netfilter.nf_conntrack_acct=0
vm.swappiness=5
# no incoming connections; more considerate would be to rate-limit incoming connections
# like synflood_protect in the firewall
- net.core.netdev_max_backlog=10000
- net.core.somaxconn=262144
- net.ipv4.tcp_max_syn_backlog=1048576
# remember that uint16 port number? So dozenfold wait slots are not needed
- net.ipv4.tcp_max_tw_buckets=720000
# default should be OK?
- net.core.wmem_max=33554432
- net.core.rmem_max=33554432
- net.core.rmem_default=8388608
- net.core.wmem_default=4194394
- net.ipv4.tcp_rmem=4096 8388608 16777216
- net.ipv4.tcp_wmem=4096 4194394 16777216
Show cat /proc/net/softnet_stat after a few "disconnected" events or some hours of activity.
OK, in the firewall set wan input and forward to drop and enable SYN flood protection.
Note this is only about TCP; if you get a ton of UDP packets turned into connections you need to modify the allow rule with a rate limit. (Check conntrack -L > /tmp/connections, count tcp and udp.)
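An added example, not written by anyone in this thread: a script that counts conntrack entries by protocol and TCP state the way the reply above asks for (it accepts both the /proc/net/nf_conntrack and the `conntrack -L` line formats), and applies the suggested firewall changes (wan input/forward to DROP, synflood_protect, and a rate-limited UDP allow rule) as uci commands for firewall4 on OpenWrt 23.05. The torrent listening port 51413, the 200/sec rate with burst 400, the section name torrent_udp and the sample conntrack lines are my assumptions; the rule is written as a wan-to-lan forward rule, which is the case when the client holds the public address itself. If the client is NATed on the router the same limit options go on the existing redirect instead.

```shell
#!/bin/sh
# conntrack-tools.sh (added example, not from the thread).
# Assumptions (mine, not the poster's): torrent client listens on UDP 51413,
# firewall4 / OpenWrt 23.05, rate limit 200 packets/sec with burst 400.
TORRENT_PORT="${TORRENT_PORT:-51413}"
UDP_RATE="${UDP_RATE:-200/sec}"
UDP_BURST="${UDP_BURST:-400}"

# count_entries PROTO [STATE]: count conntrack entries read from stdin.
# Handles /proc/net/nf_conntrack ("ipv4 2 tcp 6 <timeout> <state> ...") and
# `conntrack -L` ("tcp 6 <timeout> <state> ..."); udp has no state column.
count_entries() {
    awk -v proto="$1" -v state="${2:-}" '
        $1 ~ /^ipv[46]$/ { p = $3; st = (p == "tcp") ? $6 : "" }
        $1 !~ /^ipv[46]$/ { p = $1; st = (p == "tcp") ? $4 : "" }
        p == proto && (state == "" || st == state) { c++ }
        END { print c + 0 }'
}

# conntrack_summary: totals per protocol plus a breakdown of TCP states,
# which is what decides whether a rate limit on UDP or TCP SYNs is the fix.
conntrack_summary() {
    data=$(cat)
    for p in tcp udp; do
        printf '%s total: %s\n' "$p" "$(printf '%s\n' "$data" | count_entries "$p")"
    done
    for st in ESTABLISHED TIME_WAIT SYN_SENT SYN_RECV CLOSE_WAIT; do
        printf 'tcp %s: %s\n' "$st" "$(printf '%s\n' "$data" | count_entries tcp "$st")"
    done
}

# apply_firewall_hardening: the changes proposed above, as uci commands.
# Run on the router; inspect with `uci changes firewall` before trusting it.
apply_firewall_hardening() {
    uci set firewall.@defaults[0].input='DROP'
    uci set firewall.@defaults[0].forward='DROP'
    uci set firewall.@defaults[0].synflood_protect='1'
    # Rate-limited allow rule for incoming torrent UDP (hypothetical port).
    uci -q delete firewall.torrent_udp
    uci set firewall.torrent_udp=rule
    uci set firewall.torrent_udp.name='Allow-Torrent-UDP-limited'
    uci set firewall.torrent_udp.src='wan'
    uci set firewall.torrent_udp.dest='lan'
    uci set firewall.torrent_udp.proto='udp'
    uci set firewall.torrent_udp.dest_port="$TORRENT_PORT"
    uci set firewall.torrent_udp.limit="$UDP_RATE"
    uci set firewall.torrent_udp.limit_burst="$UDP_BURST"
    uci set firewall.torrent_udp.target='ACCEPT'
    uci commit firewall
    /etc/init.d/firewall reload
}

# Constructed sample (both formats, documentation addresses); not real data.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431997 ESTABLISHED src=10.0.0.2 dst=203.0.113.5 sport=51413 dport=6881 src=203.0.113.5 dst=10.0.0.2 sport=6881 dport=51413 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=10.0.0.2 dst=198.51.100.9 sport=51413 dport=50123 src=198.51.100.9 dst=10.0.0.2 sport=50123 dport=51413 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=10.0.0.2 dst=192.0.2.77 sport=51413 dport=6881 src=192.0.2.77 dst=10.0.0.2 sport=6881 dport=51413 mark=0 zone=0 use=2
tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=203.0.113.8 sport=51413 dport=6889 src=203.0.113.8 dst=10.0.0.2 sport=6889 dport=51413 [ASSURED] mark=0 use=1
udp      17 25 src=10.0.0.2 dst=192.0.2.78 sport=51413 dport=6881 src=192.0.2.78 dst=10.0.0.2 sport=6881 dport=51413 mark=0 use=1'

case "${1:-}" in
    summary) conntrack_summary < /proc/net/nf_conntrack ;;   # live table on the router
    demo)    printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_summary ;;
    harden)  apply_firewall_hardening ;;
esac
```

`sh conntrack-tools.sh summary` on the router gives the tcp/udp split the reply asks for without the `grep tcp | wc -l` approximation (which also matches "tcp" inside other fields); `demo` runs the same logic over the constructed sample. The `limit` and `limit_burst` options are the rate limit the reply refers to; they apply per rule, so a too-low value simply drops the excess inbound UDP rather than creating conntrack entries for it.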
I checked TCP connections with cat /proc/net/nf_conntrack | grep tcp | wc -l and it shows 29000-31000 connections. I checked UDP connections with cat /proc/net/nf_conntrack | grep udp | wc -l and it's about 8000 connections.
Can you explain? Where can I change this rate limit?