Ipq806x NSS build (Netgear R7800 / TP-Link C2600 / Linksys EA8500)

See if the latest build fixes your C2600 problems.

What behavior are you seeing with that rule?

(What is it interfering with / causing issues with?)

DROP/REJECT rules won't work in the forward chain, because that ACCEPT rule is at #1 after reloading the firewall, but if you modify the firewall that's a must-do thing. You have to restart the device (or delete the duplicated rules) to get it to work.
Like:

config rule
        option name 'Block_Xiaomi-traffic'
        option family 'ipv4'
        list proto 'all'
        option src 'lan'
        option src_ip '192.168.1.52'
        option dest 'wan'
        option target 'REJECT'

It's before the 'config include 'qcanssecm'' section, but since I have to reload the firewall, the previously added 'ACCEPT' rule (by qca-nss-ecm) didn't get deleted, and since all the other OpenWrt firewall rules are deleted and this one is not, it becomes the #1 forward chain rule, so every rule which comes after that does nothing (because it's already accepted).
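One way to check a router for the symptom described in the post above, as an added example that is not part of the original thread: it reads `iptables -S FORWARD` output and flags an ACCEPT sitting in the first position of the chain, plus any rule that appears more than once. The function names and the sample listing are assumptions made for illustration; the listing is constructed, not captured from a device.

```shell
#!/bin/sh
# Added example; the listing in sample_forward is constructed, not captured from a router.

# Read `iptables -S FORWARD` output on stdin and report:
#   ACCEPT_FIRST <rule>   when the first rule in the chain ends in "-j ACCEPT"
#   DUPLICATE xN <rule>   for every rule that appears N > 1 times
audit_forward() {
    awk '
        $1 == "-A" && $2 == "FORWARD" {
            n++
            if (n == 1 && $0 ~ / -j ACCEPT$/) first = $0
            if (++seen[$0] == 1) order[++u] = $0   # remember first-seen order
        }
        END {
            if (first != "") print "ACCEPT_FIRST " first
            for (i = 1; i <= u; i++)
                if (seen[order[i]] > 1)
                    print "DUPLICATE x" seen[order[i]] " " order[i]
        }
    '
}

# Constructed FORWARD chain: a stale ACCEPT left at the top after a reload,
# followed by the regenerated rules and a second copy of the same ACCEPT.
sample_forward() {
    cat <<'EOF'
-P FORWARD DROP
-A FORWARD -m comment --comment "constructed stale accept" -j ACCEPT
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A FORWARD -m comment --comment "constructed stale accept" -j ACCEPT
EOF
}

# Offline demo; on the router use:  iptables -S FORWARD | audit_forward
sample_forward | audit_forward
```

Empty output means the first rule is not an ACCEPT and nothing in the chain is duplicated.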

Yep, it's working now. What was the issue? Those 'mtd-mac-address' variables?
Performance is quite decent for wired offloading. I have a 600/60 Mb/s link and now the device is able to manage more than 500 Mb/s with little effort from the default cores on the wired link. A wireless phone on an 866 Mb/s link is able to pull 435 Mb/s while the core CPUs are used at 30-40% (mostly hostapd etc.). I was using Speedtest by Ookla. In the next days I'll do iperf-based lan-wan and lan-lan testing and test long-term usage.

Thanks for your effort.

Yep - just the mac address. Easy fix.

@dtaht - C2600 is working on the latest build if you want to give it a spin.

@directnupe - added in NSS-Crypto driver. The NSS-crypto driver offers limited improvements in performance per the NSS thread. Let me know what your VPN results look like.

1 Like

Dear ACwifidude,
Hello - and I hope that you are well. I installed R7800-20210207-MasterNSS and I am running that build right now as I write this to you. When I run the command # openssl engine -t -c - the readout on this current build is below:

root@hawk:~# openssl engine -t -c
(dynamic) Dynamic engine loading support
     [ unavailable ]

To be clear when the engine is enabled the readout should be as follows below:

Enabled:

root@hawk:~# openssl engine -t -c
(dynamic) Dynamic engine loading support
     [ unavailable ]
(devcrypto) /dev/crypto engine
 [DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-ECB, AES-192-ECB, AES-256-ECB]
     [ available ]

So, maybe there is another step I need to enable the devcrypto engine. Normally this is done by doing the following:

uncomment it in /etc/ssl/openssl.cnf under the [engine] block
See here for example:

[engines]
# To enable an engine, install the package, and uncomment it here:
#devcrypto=devcrypto
#afalg=afalg
#padlock=padlock

So should I uncomment #devcrypto=devcrypto in that file in order to get this working? There is a way to enable this by default during the image building process. Perhaps you did not do this - so must I manually enable the engine as described above in order to get this working? Thanks and God Bless

PS - I just uncommented #devcrypto=devcrypto in the engines section - here is the readout below:

root@hawk:~# openssl engine -t -c
(dynamic) Dynamic engine loading support
     [ unavailable ]

So - these are my findings - and as far as OpenVPN goes I do not see any change. See here how it is working on WRT routers on SkewedZeppelin builds:
No-nonsense Linksys WRT builds

Since the kmod package is in there - you should be able to add this package for openssl via opkg:

libopenssl-devcrypto

1 Like
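The two checks discussed in the posts above (is the engine listed by `openssl engine -t -c`, and is it uncommented under `[engines]` in openssl.cnf), combined into one diagnosis as an added example that is not part of the original thread. The function names are assumptions, and the sample inputs are constructed from the listings quoted above with the cipher list shortened.

```shell
#!/bin/sh
# Added example; sample inputs are constructed from the listings quoted in the thread.

# Print "available", "unavailable" or "missing" for engine id $1,
# reading `openssl engine -t -c` output on stdin.
engine_status() {
    awk -v id="$1" '
        /^\(/ { cur = substr($1, 2, length($1) - 2) }   # "(devcrypto)" -> devcrypto
        cur == id && /\[ (un)?available \]/ { print $2; found = 1; exit }
        END { if (!found) print "missing" }
    '
}

# Exit 0 if engine id $1 has an uncommented entry in the [engines]
# section of an openssl.cnf read from stdin.
engine_in_cnf() {
    awk -v id="$1" '
        /^[ \t]*\[/ { sect = $0; gsub(/[ \t]/, "", sect); next }
        sect == "[engines]" {
            line = $0; sub(/#.*/, "", line)              # drop comments
            split(line, kv, "="); gsub(/[ \t]/, "", kv[1])
            if (kv[1] == id) ok = 1
        }
        END { exit !ok }
    '
}

# $1 = engine id, $2 = engine listing text, $3 = openssl.cnf text
diagnose() {
    st=$(printf '%s\n' "$2" | engine_status "$1")
    if printf '%s\n' "$3" | engine_in_cnf "$1"; then cnf=enabled; else cnf=commented; fi
    case "$st/$cnf" in
        available/*)       echo "ok: $1 loaded" ;;
        missing/enabled)   echo "cnf enabled but engine not loaded: check the engine package is installed" ;;
        missing/commented) echo "not enabled in openssl.cnf" ;;
        *)                 echo "$1 present but unavailable" ;;
    esac
}

LISTING_OFF='(dynamic) Dynamic engine loading support
     [ unavailable ]'
LISTING_ON="$LISTING_OFF"'
(devcrypto) /dev/crypto engine
 [DES-CBC, DES-EDE3-CBC, AES-128-CBC]
     [ available ]'
CNF_COMMENTED='[engines]
#devcrypto=devcrypto'
CNF_ENABLED='[engines]
devcrypto=devcrypto'

# Offline demo of the "uncommented but still not listed" case from the thread.
diagnose devcrypto "$LISTING_OFF" "$CNF_ENABLED"
```

On the router, pass live data instead: `diagnose devcrypto "$(openssl engine -t -c)" "$(cat /etc/ssl/openssl.cnf)"`.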

@facboy - added your 5.4 => 5.8 patch to the latest r7800 build. I’ll try it on the nbg6817 next time too. Seems to get angry on ipq8064 devices for some reason. Appreciate the work!

5ghz, 80mhz wide channel, iphone 7 download speed looks about right (ignore the silly upload speed - internet is currently very busy):

2 Likes

OK - thanks I will install libopenssl-devcrypto and see what my mileage is and get back to you via PM
as I am getting nagged by forum popup notices about writing too many messages to you

1 Like

Dumb question - your patch likes latest ath10k firmware from github or the latest version in master (they updated it ~2 months ago.... I haven’t done any builds with the standard ath firmware). The version comparison between openwrt and the original is fun....

@wrtman01 what does it look like when you remove the CT firmware with opkg and add the ath firmware? You should be able to do that with the existing build.

1 Like

Both work, I am currently using the one included in master.

I actually just started tinkering with firmware versions last night! I was directly replacing /lib/firmware/ath10k/QCA9984/hw1.0/firmware-5.bin with different versions from https://github.com/kvalo/ath10k-firmware/tree/master/QCA9984/hw1.0 . Does opkg essentially do the same thing, or are there other files I wasn't accounting for?

With firmware-5.bin_10.4-3.10-00047, 160 MHz channels actually work on channel 36! I also got my fastest combined upload/download with that configuration--my average result 400/825. Unfortunately, it's weirdly biased toward upload. It would be great if it were 825/400. Any idea why that might be and if there's any way to change that?

I also tried firmware-5.bin_10.4-3.9.0.2-00135. While 160 MHz channels don't work, 80 MHz channels seem to be somewhat faster than in your build (though admittedly my testing so far has been short of scientific). I'm averaging 500/640, which for my wi-fi devices is preferable to 400/825.

First observations for my C2600.
Iperf3 direct test. AP - Laptop. Wireless 1300 Mb/s link. (AC, 80 MHz, 40 ch, clear channel).

Laptop -> AP TCP avg. 280-350 Mb/s.
AP -> Laptop TCP avg. 500 Mb/s
Laptop -> AP UDP avg. 125 Mb/s
AP -> Laptop UDP avg. 154 Mb/s

Higher CPU load is related to the iperf3 process. Observable higher temperature (NSS cores probably).
UDP handling peaks overall CPU load.

dmesg during tests:

wlan0: NSS TX failed with error: NSS_TX_FAILURE_QUEUE

It's not vanilla. There were about 12 devices connected on the 2.4 GHz radio, 1 idle device (excl. laptop) on 5 GHz. Overall seems to be stable.

1 Like

Testing with iperf or speedtest? (I’d test with both to rule out CPU limitations - I tend to prefer speedtest - find it offers a good synthetic bench for comparison across different configurations).

All the testing I did was with speedtest

1 Like

@ACwifidude and others

Hi everybody,

Thank you for your time, help and development.

I compile my own build from snapshot master, but I wondered: if I want to use the NSS build, I saw here that some have cloned the repo of ACwifidude. When I compile my build, I do git pull first and git checkout master if I need to, plus update feeds. So my question is, if I clone a repo here and use the build here to compile my own, after that, when I want to update feeds, patches etc. like git pull, do I need to do the same or other commands?
(Assuming that I will have the NSS build root folder.)

Thank you very much.

Device encountered a reboot during night time. Uptime was ~100h.
How do you handle log recording? Will USB/remote syslog help anyhow?

Did you have something attached to the USB port on your router during the reboot?

No. Why? There is a pendrive attached to it so I can use it for dumping syslog etc. I do have a remote syslog service as well.

I'm wondering whether my router with NSS auto-reboots because of the attached USB device,
because with no USB printer, it looks like my router will not auto-reboot for a long time

and I also can't handle log recording after rebooting