ASUS TUF-AX4200 cannot handle many connections

I connect to the internet through L2TP. I'm not behind NAT. I seed about 48000+ torrents, which create about 45000-75000 active connections. This is how it looks
image
My router is ASUS TUF-AX4200, my firmware is openwrt 23.05.4 240816.

It seems like the router cannot handle all these connections. Occasionally the connection to the L2TP server drops. It can happen at 32000 connections, it can happen at 78000 connections; I can't find a pattern. When I connect to the same L2TP server with the KDE applet on my PC, that connection seems stable. So to me it looks like my router, despite being one of the most powerful ones on the market, still cannot handle this many connections.

Right now I'm using this reconnect script as a workaround

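 #######################################
 # Probe a host with ICMP echo and, if it does not answer, bounce the L2TP
 # interface. Defaults reproduce the original behaviour except that three
 # probes are sent instead of one: ping exits 0 as soon as any reply arrives,
 # so a single lost packet no longer tears down the tunnel (and every flow
 # riding on it).
 # Arguments:
 #   $1 - host to ping (default 8.8.8.8)
 #   $2 - number of echo requests (default 3)
 #   $3 - OpenWrt interface to restart (default l2tp)
 # Outputs: one status line on stdout.
 # Returns: 0 when the host answered; otherwise the exit status of ifup.
 #######################################
 check_connectivity() {
   local test_ip=${1:-8.8.8.8}
   local test_count=${2:-3}
   local iface=${3:-l2tp}

   # -W caps the wait for a reply so a dead link cannot stall the check.
   if ping -c "${test_count}" -W 2 "${test_ip}" > /dev/null; then
     echo "Have internet connectivity"
     return 0
   fi

   echo "Do not have connectivity"
   # The pauses around the restart are kept from the original script,
   # presumably to let the tunnel tear down fully before it is re-raised.
   sleep 5
   ifdown "${iface}"
   sleep 5
   ifup "${iface}"
 }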

 # Entry point: perform a single connectivity check and reconnect if needed.
 check_connectivity

but it's inconvenient. I don't want to decrease the number of active torrents; is there a way to tweak OpenWrt to help it handle all these connections? Maybe some sysctl options can help?


Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
cat /etc/sysctl.conf
sysctl net.netfilter

Try running htop and see if the CPU chokes and how many cores are actually active.

You cannot open "78000 connections" from a single IP address.


Not to mention how many bps each of these connections is supposed to get, since they are torrent downloads?

A 100Mbps connection will give 1,2kbps per connection in theory if they all get equal resources.

So in practical terms they do “stop and disconnect” when going full speed.


It doesn't look like the CPU is choking; all 4 cores seem to be active.

I pay for a 500 Mbit/s connection; unfortunately it varies between 300 and 450 Mbit/s.

many lines
{
	"kernel": "5.15.162",
	"hostname": "hostname",
	"system": "ARMv8 Processor rev 4",
	"model": "ASUS TUF-AX4200",
	"board_name": "asus,tuf-ax4200",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.4",
		"revision": "r24012-d8dd03c46f",
		"target": "mediatek/filogic",
		"description": "23.05.4 240816"
	}
}

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd80:::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr 'macaddr'

config device
	option name 'lan2'
	option macaddr 'macaddr'

config device
	option name 'lan3'
	option macaddr 'macaddr'

config device
	option name 'lan4'
	option macaddr 'macaddr'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr 'router_addr'
	option netmask 'netmask'
	option ip6assign '60'

config device
	option name 'eth1'
	option macaddr 'macaddr'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'

config interface 'wwan'
	option proto 'dhcp'

# L2TP tunnel interface (values redacted by the poster); it is listed in the
# 'wan' firewall zone further down. The credentials are stored in plain text
# in this file, so keep its read permissions tight. IPv6 on the tunnel and
# prefix delegation are both disabled.
config interface 'l2tp'
	option proto 'l2tp'
	option server 'l2tp.server'
	option username 'l2tp.login'
	option password 'l2tp.password'
	option ipv6 '0'
	option delegate '0'


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '0'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	option noresolv '1'
	option localuse '1'
	option authoritative '1'
	list server 'dns_server'
	list server 'dns_server2'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wwan'
	list network 'l2tp'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# UPnP via miniupnpd: LAN hosts can request WAN port mappings on their own,
# in addition to the static redirects in this file. When auditing inbound
# exposure of a seed box, review which hosts miniupnpd is allowed to serve.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'service5'
	option src 'wan'
	option src_dport '63076'
	option dest_ip 'router_addr42'
	option dest_port '63076'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'service1'
	option src 'wan'
	option src_dport 'service1_port'
	option dest_ip 'host_lan1_ip'
	option dest_port 'service1_port'
	list proto 'tcp'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'service2'
	list proto 'tcp'
	option src 'wan'
	option src_dport 'service2_port'
	option dest_ip 'router_addr42'
	option dest_port 'service2_port'

# NOTE(review): src is 'wan' here, while the port-5353 divert below uses
# src 'lan'. With no dest_ip this appears to DNAT port-53 traffic arriving
# from the internet to the router itself — confirm this is intended; if the
# goal is to capture LAN clients' DNS, src should be 'lan'.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Divert-DNS, port 53'
	option src 'wan'
	option src_dport '53'
	option dest_port '53'

config rule
	option name 'Reject-DoT,port 853'
	list proto 'tcp'
	option src 'lan'
	option dest 'wan'
	option dest_port '853'
	option target 'REJECT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Divert-DNS, port 5353'
	option src 'lan'
	option src_dport '5353'
	option dest_port '53'

config rule
	option name 'quic'
	list proto 'udp'
	option src 'lan'
	option dest 'wan'
	option dest_port '443'
	option target 'REJECT'
	list src_ip 'router_addr42'
	list src_ip 'host_lan2_ip'
	list src_ip 'host_lan1_ip'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'service3'
	list proto 'tcp'
	option src 'wan'
	option src_dport 'service3_port'
	option dest_ip 'host_lan1_ip'
	option dest_port 'service3_port'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'service4'
	list proto 'tcp'
	option src 'wan'
	option src_dport 'service4_port'
	option dest_ip 'host_lan1_ip'
	option dest_port 'service4_port'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'service5_host_lan1'
	option src 'wan'
	option src_dport 'service5_port'
	option dest_ip 'host_lan1_ip'
	option dest_port 'service5_port'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'service6_host_lan1'
	option src 'wan'
	option src_dport 'service6_port'
	option dest_ip 'host_lan1_ip'
	option dest_port 'service6_port'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'service7'
	option src 'wan'
	option src_dport 'service7_port'
	option dest_ip 'host_lan1_ip'
	option dest_port 'service7_port'

# Contents of /etc/sysctl.conf as pasted; compare with the live
# `sysctl net.netfilter` dump that follows.
net.netfilter.nf_conntrack_max=524288
# Re-enables automatic conntrack helper (ALG) assignment, which the kernel
# turned off by default because helpers applied to arbitrary flows can be
# coaxed into opening unintended pinholes. Only needed for specific
# protocols (e.g. FTP) behind NAT; leave at 0 unless one of them is used.
net.netfilter.nf_conntrack_helper=1
# Disables per-flow byte/packet accounting. NB: the live dump shows
# nf_conntrack_acct = 1, so this line does not appear to take effect —
# check whether something later overrides it.
net.netfilter.nf_conntrack_acct=0
vm.swappiness=5
net.core.netdev_max_backlog=10000
net.core.somaxconn=262144
net.ipv4.tcp_max_syn_backlog=1048576
net.ipv4.tcp_max_tw_buckets=720000
net.core.wmem_max=33554432
net.core.rmem_max=33554432
net.core.rmem_default=8388608
# 4194394 is not 4 MiB (4194304); looks like a typo, repeated in tcp_wmem.
net.core.wmem_default=4194394
net.ipv4.tcp_rmem=4096 8388608 16777216
net.ipv4.tcp_wmem=4096 4194394 16777216
net.netfilter.nf_conntrack_acct = 1
net.netfilter.nf_conntrack_buckets = 31232
net.netfilter.nf_conntrack_checksum = 0
net.netfilter.nf_conntrack_count = 54153
net.netfilter.nf_conntrack_events = 1
net.netfilter.nf_conntrack_expect_max = 488
net.netfilter.nf_conntrack_frag6_high_thresh = 4194304
net.netfilter.nf_conntrack_frag6_low_thresh = 3145728
net.netfilter.nf_conntrack_frag6_timeout = 60
net.netfilter.nf_conntrack_generic_timeout = 600
net.netfilter.nf_conntrack_gre_timeout = 30
net.netfilter.nf_conntrack_gre_timeout_stream = 180
net.netfilter.nf_conntrack_helper = 1
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_icmpv6_timeout = 30
net.netfilter.nf_conntrack_log_invalid = 0
net.netfilter.nf_conntrack_max = 524288
net.netfilter.nf_conntrack_tcp_be_liberal = 0
net.netfilter.nf_conntrack_tcp_ignore_invalid_rst = 0
net.netfilter.nf_conntrack_tcp_loose = 1
net.netfilter.nf_conntrack_tcp_max_retrans = 3
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 7440
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_udp_timeout = 60
net.netfilter.nf_conntrack_udp_timeout_stream = 180
net.netfilter.nf_flowtable_tcp_timeout = 30
net.netfilter.nf_flowtable_udp_timeout = 30
net.netfilter.nf_hooks_lwtunnel = 0
net.netfilter.nf_log.0 = NONE
net.netfilter.nf_log.1 = NONE
net.netfilter.nf_log.10 = nf_log_ipv6
net.netfilter.nf_log.11 = NONE
net.netfilter.nf_log.12 = NONE
net.netfilter.nf_log.2 = nf_log_ipv4
net.netfilter.nf_log.3 = nf_log_arp
net.netfilter.nf_log.4 = NONE
net.netfilter.nf_log.5 = nf_log_netdev
net.netfilter.nf_log.6 = NONE
net.netfilter.nf_log.7 = nf_log_bridge
net.netfilter.nf_log.8 = NONE
net.netfilter.nf_log.9 = NONE
net.netfilter.nf_log_all_netns = 0

Even with 500 Mbps you still only get 6,4 kbps if you divide it fairly between 78000 torrent download connections.

Just limit your torrent connections?

This makes no sense at all; your conntrack will die out a quarter of the way.

tcp_max_syn_backlog=1048576
net.netfilter.nf_conntrack_max=524288

I limit my torrent connections, but it lowers upload speed, making it lower than the speed I pay for. What values for tcp_max_syn_backlog and net.netfilter.nf_conntrack_max would you suggest?

Yeah, but when I shut down the torrent client my L2TP connection is stable. Maybe there is some bottleneck in kernel or OpenWrt parameters that causes that connection instability?

The limitation is the uint16 port number. Once all are taken by connected sockets, no more are accepted.

Do you have IPv4 or IPv6?

One bottleneck can be the way UDP/TCP traffic works in the firewall, at least for IPv4.
As far as I know, UDP/TCP ports can only be divided on a single 32-bit address, so both only get 16 bits to use, which in theory gives you 65536 available ports of each type to make connections through, depending on whether your torrents use UDP or TCP. But not all of those ports are available in the pool for outgoing connections, since a lot of ports are internationally pre-registered for other uses.

The thing is that the OpenWrt firewall does actually work; you would be surprised how many firewalls on home routers don't even care about the higher pool ports and leave them open and uncontrolled.
That is why port scans always probe some random high ports as well, to see whether the endpoint knows what it is doing or not.

The limitation is not a full conntrack table, but running out of ports for outgoing connections. There is no limit (well, it is uint32 for ct states, each 200-some bytes) of nftables being reached. Yes, no limit on incoming connections.

  • Upgrade to 23.05.5
  • limit torrent client to 32k connections
  • remove extra unjustified tuning
net.netfilter.nf_conntrack_max=524288
+ net.netfilter.nf_conntrack_buckets=262144 # max
- net.netfilter.nf_conntrack_helper=1
- net.netfilter.nf_conntrack_acct=0
vm.swappiness=5
# no incoming connections, more considerate would be to rate limit incoming connections
# like synflood_protect in firewall
- net.core.netdev_max_backlog=10000
- net.core.somaxconn=262144
- net.ipv4.tcp_max_syn_backlog=1048576
# remember that uint16 port number? So dozenfold wait slots non needed
- net.ipv4.tcp_max_tw_buckets=720000
# default should be OK?
- net.core.wmem_max=33554432
- net.core.rmem_max=33554432
- net.core.rmem_default=8388608
- net.core.wmem_default=4194394
- net.ipv4.tcp_rmem=4096 8388608 16777216
- net.ipv4.tcp_wmem=4096 4194394 16777216

Show cat /proc/net/softnet_stat after few "disconnected" events or some hours of activity.

I limited the torrent client to 150 connections in the qBittorrent settings, but it still creates 45000-50000 connections.

I also upgraded to 23.05.5 and removed everything you told me to remove.
Here is the cat /proc/net/softnet_stat output right after a disconnect

root@rt:~# cat /proc/net/softnet_stat
0102c060 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
031f0164 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000001
032f0ba6 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000002
02f2dc77 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000003

Here is the output several minutes later

root@rt:~# cat /proc/net/softnet_stat
0129b840 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
03567942 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000001
0371d17f 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000002
033aaff8 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000003

I use IPv4.


Ok, in the firewall set wan input and forward to DROP and enable SYN flood protection.
Note this is only about TCP; if you get a ton of UDP packets turned into connections you need to modify the allow rule with a rate limit. (Check conntrack -L > /tmp/connections and count tcp and udp.)

Like this?

I checked TCP connections with cat /proc/net/nf_conntrack | grep tcp | wc -l and it shows 29000-31000 connections. I checked UDP connections with cat /proc/net/nf_conntrack | grep udp | wc -l and it's about 8000 connections.

Can you explain? Where can I change this rate limit?

There is one in the allow or forward rules' Advanced tab; the limit is in connections per second, not packets.