Hi,
I'm migrating routers from openwrt 15.05 to 17.01.4, including wnr2200 and ArcherC20i
I'm experiencing an important problem. With 17.01.4 when I have an high traffic on Lan, ksoftirqd starts using all the processor resources, and ends up limiting throughput.
I'm using a captive portail: coova-chilli with xt_coova.
I did not have this problem on 15.05 both with wnr2200 and ArcherC20i.
Do you have any idea how to solve that?
Pierre.
What kind of LAN traffic? From one device to another device in the same subset? And could you post the result of cat /etc/config/network and cat /etc/config/firewall?
What kind of LAN traffic?
Speed test: http://openspeedtest.com
From one device to another device in the same subset?
From another device
/etc/config/network:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'config globals 'globals'
option ula_prefix 'fdd8:4b7f:93f0::/48'config interface 'lan'
option ifname 'eth0.1'
option force_link '1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.182.1'config interface PA
option 'ifname' 'br-lan'
option 'proto' 'static'
option 'ipaddr' '192.168.5.1'
option 'netmask' '255.255.255.0'config interface 'lan2'
option ifname 'eth0.6'
option force_link '1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '172.16.0.1'config interface 'wan'
option ifname 'eth0.2'
option force_link '1'
option proto 'dhcp'config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'###############################
Vlan
###############################
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'config switch_vlan
option device 'switch0'
option vlan '5'
option ports '1t 2t 3t 4t 6t'config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0 6t'config switch_vlan
option device 'switch0'
option vlan '6'
option ports '6t'config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'
/etc/config/firewall:
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config rule
option src wan
option proto tcp
option dest_port 22
option target ACCEPT
config rule
option src wan
option proto tcp
option dest_port 2502
option target ACCEPT
config rule
option src wan
option proto tcp
option dest_port 80
option target ACCEPT
config rule
option src wan
option proto tcp
option dest_port 443
option target ACCEPT
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fe80::/10
option src_port 547
option dest_ip fe80::/10
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
# option src lan
# option src_ip 192.168.45.2
# option dest wan
# option proto tcp
# option target REJECT
# block a specific mac on wan
#config rule
# option dest wan
# option src_mac 00:11:22:33:44:66
# option target REJECT
# block incoming ICMP traffic on a zone
#config rule
# option src lan
# option proto ICMP
# option target DROP
# port redirect port coming in on wan to lan
#config redirect
# option src wan
# option src_dport 80
# option dest lan
# option dest_ip 192.168.16.235
# option dest_port 80
# option proto tcp
# port redirect of remapped ssh port (22001) on wan
#config redirect
# option src wan
# option src_dport 22001
# option dest lan
# option dest_port 22
# option proto tcp
# allow IPsec/ESP and ISAKMP passthrough
#config rule
# option src wan
# option dest lan
# option protocol esp
# option target ACCEPT
#config rule
# option src wan
# option dest lan
# option src_port 500
# option dest_port 500
# option proto udp
# option target ACCEPT
### FULL CONFIG SECTIONS
#config rule
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 80
# option dest wan
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# option target REJECT
#config redirect
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 1024
# option src_dport 80
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
Also might be useful:
ifconfig
br-lan Link encap:Ethernet HWaddr C4:6E:1F:C3:44:08
inet addr:192.168.182.1 Bcast:192.168.182.255 Mask:255.255.255.0
inet6 addr: fe80::c66e:1fff:fec3:4408/64 Scope:Link
inet6 addr: fdd8:4b7f:93f0::1/60 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1549 errors:0 dropped:0 overruns:0 frame:0
TX packets:1186 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:351530 (343.2 KiB) TX bytes:305081 (297.9 KiB)
br-lan2 Link encap:Ethernet HWaddr C4:6E:1F:C3:44:08
inet addr:172.16.0.1 Bcast:172.16.0.255 Mask:255.255.255.0
inet6 addr: fdd8:4b7f:93f0:10::1/60 Scope:Global
inet6 addr: fe80::c66e:1fff:fec3:4408/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:1196 (1.1 KiB)
eth0 Link encap:Ethernet HWaddr C4:6E:1F:C3:44:08
inet6 addr: fe80::c66e:1fff:fec3:4408/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12911 errors:0 dropped:0 overruns:0 frame:0
TX packets:7191 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2237923 (2.1 MiB) TX bytes:1008596 (984.9 KiB)
Interrupt:5
eth0.1 Link encap:Ethernet HWaddr C4:6E:1F:C3:44:08
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:235 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:17831 (17.4 KiB)
eth0.2 Link encap:Ethernet HWaddr C4:6E:1F:C3:44:08
inet addr:192.168.1.36 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::c66e:1fff:fec3:4408/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12777 errors:0 dropped:0 overruns:0 frame:0
TX packets:6783 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1992414 (1.8 MiB) TX bytes:934486 (912.5 KiB)
eth0.6 Link encap:Ethernet HWaddr C4:6E:1F:C3:44:08
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:1196 (1.1 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:881 errors:0 dropped:0 overruns:0 frame:0
TX packets:881 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:61912 (60.4 KiB) TX bytes:61912 (60.4 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.111.1 P-t-P:192.168.111.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING MTU:12800 Metric:1
RX packets:1185 errors:0 dropped:0 overruns:0 frame:0
TX packets:805 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:256428 (250.4 KiB) TX bytes:207016 (202.1 KiB)
wlan0 Link encap:Ethernet HWaddr C4:6E:1F:C3:44:00
inet6 addr: fe80::c66e:1fff:fec3:4400/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1533 errors:0 dropped:0 overruns:0 frame:0
TX packets:1158 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:372896 (364.1 KiB) TX bytes:325727 (318.0 KiB)
Forward iptables:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
934 101K coova_forward_table tcp -- br-lan * 0.0.0.0/0 0.0.0.0/0 multiport dports 1:1024,1194,1701,1723,3990,4090,8543,8080,10000:10009,11143
84 71298 coova_forward_table udp -- br-lan * 0.0.0.0/0 0.0.0.0/0 multiport dports 1:1024,1194,3478,4090,4343,4500,5222,7500,10000,48888,62901
0 0 coova_forward_table 47 -- br-lan * 0.0.0.0/0 0.0.0.0/0
0 0 coova_forward_table icmp -- br-lan * 0.0.0.0/0 0.0.0.0/0
149 58599 coova_forward_table all -- * br-lan 0.0.0.0/0 0.0.0.0/0
22 1320 REJECT all -- br-lan * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
105 12015 DROP all -- tun0 * 0.0.0.0/0 194.110.208.200
8 595 ACCEPT all -- * tun0 0.0.0.0/0 0.0.0.0/0
4 323 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-lan2 * 0.0.0.0/0 0.0.0.0/0
0 0 forwarding_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for forwarding */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
0 0 zone_lan_forward all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_forward all -- eth0.2 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain coova_forward_table (5 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- br-lan * 0.0.0.0/0 1.1.1.1
6 765 DROP all -- br-lan * 0.0.0.0/0 192.168.182.0/24
0 0 DROP all -- br-lan * 0.0.0.0/0 172.16.0.0/12
0 0 DROP all -- br-lan * 0.0.0.0/0 10.0.0.0/8
4 253 DROP all -- br-lan * 0.0.0.0/0 192.168.0.0/16
0 0 ACCEPT all -- * br-lan 0.0.0.0/0 0.0.0.0/0 coova: name: chilli side: dest
0 0 ACCEPT all -- br-lan * 0.0.0.0/0 0.0.0.0/0 coova: name: chilli side: source
56 10101 DROP all -- * br-lan 0.0.0.0/0 0.0.0.0/0
887 154K DROP all -- br-lan * 0.0.0.0/0 0.0.0.0/0Note that I just made the test: I seem to have similar problem without a captive portal.
I had never experience such a thing with 15.05. I just made a test, in exact same situation ksoftirqd never exceeds 2-3% of CPU usage.
I will do more tests.
Important Note: I do not get the problem on stocks firmware. I guess it's because of my particular configuration, I'll keep investigating.
What's the difference in throughput between 15.05 and 17.01.4?
Witth coova-chilli (& xt-coova) enabled on 15.05, I get 97-98Mbs. On Lede I get 40 to 80 Mbps.
I'll keep investigating.
It may also be possible that the real cause of the problem is around coova-chilli, even if it's the exact same version that in openwrt 15.05
There is indeed a significant delta in LAN to WAN performance between BB and latest LEDE, not sure where in the stack that comes from, but we discussed and reported results related to SQM in this thread: SQM - BB vs LEDE - major diff in performance
I'm having a similar issue with ksoftirqd eatting up all the CPU and reducing max throughput of my RT-N16 on a 100/50Mbps link. I'm trying out LEDE for the first time and I've got a mostly stock install. Only changes are "kmod-b43" replaced with "kmod-brcm-wl" to keep it from crashing every couple of minutes as well as "luci-app-sqm". Ironically SQM seems to have no impact on performance. I tested with it enabled and disabled and the speed is pretty much the same. I've used Toastman's fork of TomatoUSB for the past few years with no performance issues except when using QoS. Is the RT-N16 simply not able to handle these kinds of speeds with LEDE? I should mention that my connection uses PPPoE if that affects CPU load at all.
Normally got 98-99 Mbps download with TomatoUSB. Is there a package I should be uninstalling or something?