Netfilter "Flow offload" / HW NAT

Might I ask which firewall rules need to be executed if we want to use IPsec with flow offload?

iptables -A forwarding_rule -m policy --dir  in -j ACCEPT
iptables -A forwarding_rule -m policy --dir out -j ACCEPT

UPD: Opened a ticket with FS{bug} as well.

Since today's SNAPSHOT r10210-09c6885, enabling hardware offloading causes EdgeRouter X to boot-loop. Interestingly, if power-cycled with only one eth port connected, it will stay alive.

I did a pcap before realizing it was boot-looping. Nothing of interest really. The router sent a broadcast to UDP 4919 saying "Please press button now to enter failsafe". I'm presuming that's a usual event during boot-up.

Here's the crash log.

Ya, I can confirm this IPv6 break with software flow offload as well. It's consistent and easy to repro.

Hi,
recently, flow offload is no longer working on my Archer C7 V5.
I have experienced this since the kernel switched from 4.14 to 4.19 for my router on ath79.
Can someone else confirm this?

It would seem to be the case

I have the same case, so I have rebuilt master with 4.14 by editing the file, and it works now.

So there is an issue with 4.19 and flow offload on the Archer C7.

For now, if I want to use flow offload, which one should I flash: stable 18.06 ar71xx (25 June) or snapshot ar71xx (17 June)?

My PC itself is running Linux, but I didn't try building OpenWrt myself yet.

If there is a problem with the snapshot, neither will do.

I suggest to build 19.07.

Okay then, I'll try your suggestion first and report back later, thank you.

Or you can wait a bit till RCs appear for download. That should be soon.

Alright, I shall wait. I already flashed all the recent snapshots these past 1-2 weeks, so I can wait a little more. Thank you.

I have an issue with 5 GHz with 19.07. Do you have this too?

It is the reason I forked the master repo and rolled back to 4.14 instead of 4.19.

A few months back, I faced random disconnections on 5 GHz and could not reconnect.
It usually happened when my devices (smartphone) slept for a while.
After reading a few threads on the forum, I suspect it happened after OpenWrt switched to the ath10k-ct firmware,
but nowadays I don't notice the same bug occurring. Probably it's fixed for my Archer C7 V5 5 GHz card?

It's broken on 4.19 :sob:

Hi, Archer C7 V5 user here. HW NAT works 50-100 Mbps faster than SFE. It's just that a game like Rainbow Six Siege is sometimes hard to connect to when HW NAT is on. Otherwise, everything works smoothly (with upload a bit slower, perhaps due to SQM; around 20 Mbps faster if HW NAT is off).

P.S.: I have to stick to SFE since I can't figure out how to make HW NAT work with the game.

Does anyone know if the 8devices Jalapeno supports enabling hardware NAT? I am currently on OpenWrt 18.06.4 r7808-ef686b7292 / LuCI openwrt-18.06 branch (git-19.170.32094-4d6d8bc) and 4.14.131 but will update if required for hardware NAT support.

Thanks!

Ubiquiti also has some difficulties with HW NAT; see the last update message (beta forum: NEED A LOGIN!):

11/09/2019 - UPDATE #3:
This update clarifies multiple networking failure reports that were posted in this thread. Networking failure reports were observed on ER-X/ER-X-SFP/ER-10X and EP-R6 models when offloading was enabled.

Preface:
Mediatek does not provide MT7621 SoC support for v4.14.x kernels; that's why in EdgeOS firmware v2.0.1 we ported "hardware offload" functionality from OpenWRT. "Hardware offloading" for MT7621 from OpenWRT is in active development by the OpenWRT community and it works well in basic scenarios; however, it does not support more advanced scenarios: vlan tags, vlan-aware forward, ECMP, LoadBalancing, IPv6 and IPSec. Until v2.0.7 EdgeOS firmware we were gradually adding missing functionality to "hardware offloading", but unfortunately we were not able to make "hardware offloading" stable enough and different bugs were always popping out in different places.
Conclusion:
This is the reason why we decided to remove OpenWRT's "hardware offloading" from EdgeOS and backport original proprietary "hwnat offloading" that proved to be stable from v1.10.x firmware to v2.0.x.

EdgeOS with backported "hwnat" will be published in v2.0.8-beta firmware.

It's the usual UBNT behaviour: they will use OpenWrt and then complain about something not fitting them.
Even if they fixed it, I already see them ignoring the GPL like always and refusing to publish those changes.

I think they made a change in that policy.
They are releasing the GPL code as well; see https://www.ui.com/download/edgemax/default/default/edgerouter-er-xer-x-sfpep-r6-firmware-v206