Configuring router for large amount of connections (EA8500)

I am trying to figure out how I have to configure the router to work reliably with a large number of active connections. Now I have approximately 60-70K connections, and the internet works badly: according to the collected data, the ICMP drop rate often equals 50%, see screenshot attached.

CPU and RAM shouldn't be the bottleneck, I haven't reached the limit of them:

The kernel log looks fine, no issues were there during the abnormal ICMP drop rate.

Oh, yes, sorry.
My internet is 1Gbps in/out, fibre optic.
My application needs a lot of connections, that's why I did some searching and I've already increased:

net.netfilter.nf_conntrack_max = 249856
net.netfilter.nf_conntrack_buckets = 62464

I have swap on an external HDD connected by eSATA, and the load average is smaller than 2 (2-core CPU), so why are packets dropping?

@eduperez @OldNavyGuy @kt368 @flygarn12 @pavelgl


@kt368 - I think it best if you didn't state your reason or intents here. However, your request for technical assistance is reasonable. Please consider editing your posting to remove any political leanings.


Just for your reference, my EA8500 only has <20 devices connected as my ISP router, and I have already removed all unnecessary modules from the build, like DDNS/QOS/SQM/statistics/Adblock/nlbwmon/openvpn/collectd/....all removed to lower the CPU usage.

You have 60000 more connections, too heavy a load.....dropping something is normal, and you are lucky it has not hung up.

You have 60.000 - 70.000 active connections, and TCP has 65.536 ports... Perhaps you have reached the limit of what NAT can do?

The OP originally admitted that he wants to launch a DDoS attack on Russian propaganda sites.

This ^^^^ persuaded him to remove it.

Thread should be deleted.

Completely agree.. I just got here after the political comment had been removed.

Even if the DDOS statement has been removed: The OpenWrt forum doesn't endorse, condone or support abuse of the internet for DDOS against anybody. Closing this topic now.