Hardware NAT For LEDE

Just making sure: is there any kmod package I should be selecting, or is flowoffload baked inside the base code? (or another package I'm not aware of)
I'm trying to replace NSS stack with this as a best option given that I'm not a programmer and can't port the R7800 version of the NSS stack to my device.

All targets with >= 4.14 Kernel have offloading included.
You only have to set option flow_offloading 1 in firewall default config section.


I'm trying to compile this feature in the openwrt-18 snapshot. Does it need both of these kernel modules enabled?

kmod-ipt-offload
kmod-nft-offload

The ipt module is for iptables, the nft module is for nftables. Use the module for whatever firewall you are using. Lede uses iptables by default.

Is there a way to confirm offloading is running?

Who can help me make a correct dts for this router, Lava lr25g001 (mt7620a+mt7610e+qca/ar8327)? Currently only 1.2.5port on the qca8337 switch works.

Does the Witi-mt7621 board have openwrt hardware NAT support?
I use openwrt v18.06.0-rc1 from github.
In /etc/config/firewall, in the default section, the added lines are:
option flow_offloading 1
option flow_offloading_hw 1
kmod-ipt-offload is compiled.
But I see 100% CPU utilization and the network bandwidth is 4,8 Mb/sec when forwarding packets.

In /etc/config/firewall, in the default section, the added lines are:

You should enable flowoffloading in Network -> Firewall.
Modifying /etc/config files requires a reboot to apply changes.

I restart the firewall with the command /etc/init.d/firewall restart and also reboot.
The result is the same, high CPU utilization.

Which connections are offloaded (soft offload)?
Obviously connections that are getting forwarded and are in ctstate RELATED,ESTABLISHED.
But when I invoke:
cat /proc/net/nf_conntrack | grep ESTABLISHED | grep "wanip" | wc -l
That gives me around 110 connections atm.
cat /proc/net/nf_conntrack | grep OFFLOAD | wc -l
Shows 8 connections are being offloaded.

So why is the number of offloaded connections so low?

There is a setting for the number of packets after which a connection gets offloaded... So all non-offloaded connections didn't reach the minimum of transmitted packets... At the moment I don't know where to set the minimum needed transmitted packets, but I think the default value is ok.

I don't know...
The offloaded connections range from 2 to a few thousand packets.
But the non-offloaded connections also have a few thousand packets.
So I don't know why they aren't offloaded.
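A combined check for the two questions in this thread (enabling the option the way the earlier reply describes, and seeing which forwarded connections actually carry the OFFLOAD flag), added here as an example; it is not code from the thread or from OpenWrt. It assumes the 4.14-era /proc/net/nf_conntrack text format. The conntrack lines and the WAN address 203.0.113.10 are constructed sample data, the function names are my own, and the uci/firewall commands are only meant to be run on the router.

```shell
#!/bin/sh
# Added example (not from the thread): enable flow offloading via uci and
# then inspect a /proc/net/nf_conntrack dump for the [OFFLOAD] flag.
# The lines below are constructed sample data in the 4.14 text format;
# 203.0.113.10 stands in for the router's WAN address.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=198.51.100.5 sport=51234 dport=443 packets=2310 bytes=183000 src=198.51.100.5 dst=203.0.113.10 sport=443 dport=51234 packets=4102 bytes=5200000 [OFFLOAD] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.21 dst=198.51.100.7 sport=40001 dport=80 packets=12 bytes=1400 src=198.51.100.7 dst=203.0.113.10 sport=80 dport=40001 packets=10 bytes=6000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 120 TIME_WAIT src=192.168.1.22 dst=198.51.100.9 sport=40002 dport=443 packets=30 bytes=3000 src=198.51.100.9 dst=203.0.113.10 sport=443 dport=40002 packets=25 bytes=20000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.23 dst=198.51.100.11 sport=50000 dport=53 packets=1 bytes=60 src=198.51.100.11 dst=203.0.113.10 sport=53 dport=50000 packets=1 bytes=120 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.24 dst=198.51.100.13 sport=40003 dport=443 packets=5000 bytes=600000 src=198.51.100.13 dst=203.0.113.10 sport=443 dport=40003 packets=8000 bytes=9000000 [OFFLOAD] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.25 dst=203.0.113.10 sport=40004 dport=22 packets=900 bytes=90000 src=203.0.113.10 dst=192.168.1.25 sport=22 dport=40004 packets=700 bytes=70000 [ASSURED] mark=0 zone=0 use=2'

# Step 1 (router only, not invoked by default): set the defaults-section
# options named in the thread and reload the firewall so they take effect.
# Pass "hw" to also request hardware offload (flow_offloading_hw).
enable_flow_offload() {
    uci set firewall.@defaults[0].flow_offloading='1'
    if [ "${1:-}" = "hw" ]; then
        uci set firewall.@defaults[0].flow_offloading_hw='1'
    fi
    uci commit firewall
    /etc/init.d/firewall reload
}

# Step 2: the two counters from the thread, reading a conntrack dump on stdin.
count_established() { grep -c 'ESTABLISHED' || true; }
count_offloaded()   { grep -c '\[OFFLOAD\]' || true; }

# Step 3: list ESTABLISHED connections that were SNATed to the WAN address
# (the reply tuple answers to $1) but still lack [OFFLOAD]. Connections that
# terminate on the router itself (e.g. SSH to the WAN IP) are skipped, since
# only forwarded flows are candidates for offloading.
list_candidates() {
    awk -v wan="$1" '
    /ESTABLISHED/ && !/\[OFFLOAD\]/ {
        n = 0; split("", src); split("", dst); split("", dport); split("", pk)
        pk[1] = "n/a"; pk[2] = "n/a"   # packets= only appears with nf_conntrack_acct=1
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src")          { n++; src[n] = kv[2] }
            else if (kv[1] == "dst")     dst[n] = kv[2]
            else if (kv[1] == "dport")   dport[n] = kv[2]
            else if (kv[1] == "packets") pk[n] = kv[2]
        }
        if (n == 2 && dst[2] == wan && dst[1] != wan)
            printf "%s -> %s:%s orig_pkts=%s reply_pkts=%s\n", src[1], dst[1], dport[1], pk[1], pk[2]
    }'
}

# Summary of one dump ($1) for one WAN address ($2).
offload_report() {
    dump="$1"; wan="$2"
    echo "established : $(printf '%s\n' "$dump" | count_established)"
    echo "offloaded   : $(printf '%s\n' "$dump" | count_offloaded)"
    echo "forwarded but not offloaded (SNAT to $wan):"
    printf '%s\n' "$dump" | list_candidates "$wan"
}

# Usage on a router:  sh offload_check.sh <wan-ip>   (reads /proc/net/nf_conntrack)
# Without an argument the constructed sample is used, so the script runs anywhere.
if [ -n "${1:-}" ] && [ -r /proc/net/nf_conntrack ]; then
    offload_report "$(cat /proc/net/nf_conntrack)" "$1"
else
    offload_report "$SAMPLE_CONNTRACK" 203.0.113.10
fi
```

On the sample the report shows 4 established entries, 2 offloaded, and one forwarded flow (the 12-packet HTTP connection) that is not yet offloaded; the SSH session to the WAN address is excluded because it ends on the router rather than being forwarded. Comparing the per-direction packet counts of the listed candidates against the offloaded ones is the quickest way to see whether a packet threshold, rather than a configuration problem, explains a low OFFLOAD count.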

You should enable flowoffloading in Network -> Firewall.

How do I enable flowoffloading in Network -> Firewall?
I don't see any flowoffloading here:

  < > arptables....................................... ARP firewalling software
  < > conntrack....................................... Connection tracking tool
  < > conntrackd.................................... Connection tracking daemon
  < > ebtables................. Ethernet bridge firewall administration utility
  <*> ip6tables.............................. IPv6 firewall administration tool
  -*- iptables................................. IP firewall administration tool
  [ ] Enable Connlabel support                                                 
  [ ] Enable Nftables support                                                  
  < > iptables-mod-checksum....................... IP CHECKSUM target extension
  < > iptables-mod-cluster............................. Match cluster extension
  < > iptables-mod-clusterip............................... Clusterip extension
  < > iptables-mod-conntrack-extra........ Extra connection tracking extensions
  < > iptables-mod-extra....................... Other extra iptables extensions
  < > iptables-mod-filter........................ Content inspection extensions
  < > iptables-mod-hashlimit................................ hashlimit matching
  < > iptables-mod-ipopt........................... IP/Packet option extensions
  < > iptables-mod-iprange.................................. IP range extension
  < > iptables-mod-ipsec...................................... IPsec extensions
  < > iptables-mod-led.......................... LED trigger iptables extension
  < > iptables-mod-nat-extra.............................. Extra NAT extensions
  < > iptables-mod-nflog................................ Netfilter NFLOG target
  < > iptables-mod-nfqueue............................ Netfilter NFQUEUE target
  < > iptables-mod-physdev.......................... physdev iptables extension
  < > iptables-mod-rpfilter........................ rpfilter iptables extension
  < > iptables-mod-tee................................. TEE iptables extensions
  < > iptables-mod-tproxy................ Transparent proxy iptables extensions
  < > iptables-mod-trace................................ Netfilter TRACE target
  < > iptables-mod-u32................................. U32 iptables extensions
  < > iptables-mod-ulog.............................. user-space packet logging
  < > nftables..................... nftables packet filtering userspace utility

He means enable it in LuCI, not in menuconfig.
These kmod packages are enabled by default on all targets with a 4.14 kernel.

On my erx, a simple apply from LuCI on the firewall hardware NAT options solves the problem, no reboot needed.

Or you do a /etc/init.d/firewall reload.

I'm trying to enable hardware NAT from the LuCI web interface, nothing changed.
Hardware NAT isn't working on my Witi-mt7621 board.

Your witi dts file does include mt7621.dtsi and the latter does define the hwnat node, so it should work as on all other mt7621 devices...

Which image are you using? snapshot, 18.06 or self compiled?

Which image are you using? snapshot, 18.06 or self compiled?

I use OpenWrt from https://github.com/openwrt/openwrt, self-compiled.
I tried branches 'master' and 'v18.06.0-rc1'.
Now I am looking at the dts file target/linux/ramips/dts/mt7621.dts

hnat: hnat@1e100000 {
    compatible = "mediatek,mt7623-hnat";
    reg = <0x1e100000 0x10000>;
    mtketh-ppd = "eth0";
    mtketh-lan = "eth0";
    mtketh-wan = "eth0";
    resets = <&rstctrl 0>;
    reset-names = "mtketh";
};

I am not sure that the string compatible = "mediatek,mt7623-hnat"; is correct.
Maybe mt7621-hnat; I tried recompiling with this string but hardware NAT still doesn't work.

Now I tried the image https://downloads.openwrt.org/releases/18.06.0-rc1/targets/ramips/mt7621/openwrt-18.06.0-rc1-ramips-mt7621-mqmaker_witi-256m-squashfs-sysupgrade.bin
Hardware NAT also did not work.