I've set up a friend's Archer C7 with OpenWRT but it's struggling to handle their network load and internet speed. I've tested using SFO to help the CPU load but reading up on the feature suggests that SFO partially bypasses the firewall. Is there a general consensus on SFO's security profile?
Flow offloading starts after the connection establishes which requires the initial packets to be accepted by the firewall, so the attack surface is minimal unless someone manages to defeat Linux conntrack.
Archer C7 comes in five different versions. Some with 2 CPU ports, some with ath10k 2.4GHz radio...
That SoC does not support VLAN offload, so some speed can be re-gained untagging VLAN on CPU port (and setting WAN connection backend untagged on CPU port). If it is the revision with 2 SoC/CPU ports you can also untag one LAN subnet. This time from wifi.
The visible limitation with offload is that if set up between real hardware endpoints, aka hardware offload, supported or not by real hardware, it transforms packets between hardware interfaces without considering route / arp / switch port changes, and old connections linger between the same interfaces for a minute after a client moves, for example making wifi roaming freeze.
Besides fixated connections, it is a different code path; it can have its own set of bugs independent from the normal firewall passing each packet through all rules. But assessment works both ways.
Their variant is the C7 V5.
What does untagging the VLAN do exactly? Any security concerns in that regard?
Just pessimal defaults for performance.
OK, one SoC port - you can un-tag only WAN (eth0.2 -> eth0) , ath9k in 2.4GHz - just the fact of life, not worse or better than ath10k.
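As an added illustration of the two settings this thread discusses (not config from any poster), here are the relevant fragments of /etc/config/firewall and /etc/config/network for a single-SoC-port C7 v5 with software flow offloading on, hardware offloading left off, and only the WAN VLAN untagged on the CPU port. The switch port numbering (0 = CPU, 1 = WAN, 2-5 = LAN) is an assumption; check it against `swconfig dev switch0 show` before copying.

```uci
# /etc/config/firewall (fragment). Software offloading only: a flow is
# handed to the offload path once conntrack sees it established, so the
# initial packets still traverse every zone rule. Hardware offload stays
# off because of the stale-flow / roaming behaviour described above.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option flow_offloading '1'
	option flow_offloading_hw '0'

# /etc/config/network (fragment). Assumed port map: 0 = CPU, 1 = WAN.
# LAN stays tagged on the CPU port as eth0.1 (VLAN 1, ports '0t 2 3 4 5').
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3 4 5'

# WAN VLAN 2: CPU port listed as '0' instead of '0t', so WAN frames
# reach the SoC untagged and the kernel skips the 802.1Q processing.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0'

# The WAN interface then binds to the bare eth0 instead of eth0.2.
config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'
```

After `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, on fw3-based builds `iptables -S FORWARD` should show the "Traffic offloading" jump restricted to `--ctstate RELATED,ESTABLISHED`, which is the property the second reply relies on.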