Aren't active connections also a security risk in a sense? The firewall accepts packets for established and related connections. If connections linger around indefinitely, that might mean that even weeks later the firewall will accept these packets.
Also, eventually the conntrack table will be full and setting up new connections will be impossible.
Every session (connection) has an inactivity timeout in the firewall's conntrack table: if packets are being exchanged between the session endpoints, the timeout is reset to zero, but the firewall checks packets to see if they are valid for a certain session/connection (source, destination, ports, sequence number, etc.) and only allows the traffic if they are all valid.
Ok, so in that case it isn't a security risk. But no longer being able to initiate new connections definitely is an issue. Also, this is clearly a bug, since I can see active connections to a PC that was shut down 12 hours ago.
That is strange and should be looked into. I personally do not have this problem, so I cannot vouch for it nor help with it. What I can confirm is that the number of active connections I've been seeing is because the new dnscrypt-proxy 2.0 (new because it's based on Go) that I run on a different PC keeps active connections to every single DNS in the list that properly responds to queries. I thought I configured it to be its own DNS without asking the router for every single DNS query, but I guess not.
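A small diagnostic for the two questions above (entries lingering for a host that is off, and one host filling the table), added here as an example and not code from any poster: it parses rows in the `/proc/net/nf_conntrack` format, counts entries per LAN source and lists entries that still carry a long remaining timeout for hosts you know are offline. The sample rows are constructed.

```python
import re
from collections import Counter

# Constructed sample rows in /proc/net/nf_conntrack format (not from the thread).
SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 300000 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=51235 dport=443 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=51235 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 10 TIME_WAIT src=192.168.1.30 dst=198.51.100.9 sport=44000 dport=80 src=198.51.100.9 dst=203.0.113.5 sport=80 dport=44000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.20 dst=9.9.9.9 sport=40000 dport=853 src=9.9.9.9 dst=203.0.113.5 sport=853 dport=40000 mark=0 zone=0 use=2
ipv4     2 udp      17 170 src=192.168.1.20 dst=1.1.1.1 sport=40001 dport=53 src=1.1.1.1 dst=203.0.113.5 sport=53 dport=40001 [ASSURED] mark=0 zone=0 use=2
"""

# l3 proto, l3 number, l4 proto, l4 number, remaining timeout (seconds), then state/tuples
LINE = re.compile(r"^(?P<l3>\S+)\s+\d+\s+(?P<l4>\S+)\s+\d+\s+(?P<timeout>\d+)\s+(?P<rest>.*)$")
TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_conntrack(text):
    """Parse conntrack rows into dicts; only the original-direction tuple is kept."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        first = rest.split()[0]
        state = first if "=" not in first else ""   # UDP rows carry no state word
        tup = TUPLE.search(rest)
        entries.append({
            "proto": m.group("l4"), "timeout": int(m.group("timeout")), "state": state,
            "src": tup.group(1), "dst": tup.group(2),
            "sport": int(tup.group(3)), "dport": int(tup.group(4)),
            "assured": "[ASSURED]" in rest,   # seen traffic both ways; kept longer under pressure
        })
    return entries

def per_host(entries):
    """Entries per LAN source address: shows which host is consuming the table."""
    return Counter(e["src"] for e in entries)

def stale_for_hosts(entries, offline_hosts, min_timeout=3600):
    """Entries for hosts known to be offline that will still sit in the table for a
    long time. They only match their exact tuple, so they admit no new traffic, but
    they do occupy slots; they can be flushed with e.g. `conntrack -D -s <host>`."""
    return [e for e in entries if e["src"] in offline_hosts and e["timeout"] >= min_timeout]
```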
WireGuard 20180531 finally works together with FLOWOFFLOAD. But it still has some bugs. Some websites cannot load, or load slowly. If FLOWOFFLOAD is disabled, or these sites are not visited through WireGuard, they load quickly. All Google sites, connecting through QUIC, are not affected. I tried to do some research with Wireshark and found many TCP spurious retransmissions.
Sorry for the little information; maybe someone else could do more investigation.
I haven't seen such bugs. All websites that I visit load fine, both on LAN devices and on the devices that are connected via WireGuard. Do you have an example of websites that don't load properly?
Thanks for your feedback.
In fact, almost all the websites, except Google's sites which use QUIC. Maybe it's a TCP thing.
Could you give me some advice about how to diagnose it? I can ping these sites, but they load slowly in a web browser. I have tried lowering the MTU of the WireGuard device, but nothing changed.
Both kmod-wireguard and wireguard-tools are the latest version, 20180531.
In addition, my environment is:
computer (IPv4) → WireGuard on router (dual-stack WAN) → 4in6 WireGuard tunnel → remote WireGuard peer (dual stack) → Internet
Everything is OK with FLOWOFFLOAD disabled.
So this is already in the LuCI packages? Does it select the proper modules? I have an Archer C7 v2 that has hardware NAT offloading; will this be better than fast path? I'm currently using the original firmware because I'm guaranteed gigabit speeds due to hardware NAT offloading.
It is already included in LuCI, yes. And the modules will automatically be included in the build if it is supported. Software flow offloading (similar to fastpath) requires kernel 4.14 to function. Unfortunately, the Archer C7 is still on kernel 4.9 and hence is not supported. They are working on bringing it to kernel 4.14 in the future. HW flow offloading is only supported on the mt7621 platform, as it is a SoC-specific implementation. It will be brought to other SoCs in the future if possible. Not sure whether the SoC in the Archer C7 is open enough to be supported in the future.
As far as I know, for the C7 it depends on the switch and not on the SoC...
And as far as I know, the qca8k DSA driver does support HW NAT, and the Archer C7 devices all had an AR8327 or AR8337 switch.
So it should be supported in the near future...
With software flow offloading on kernel 4.14 you will get close to gigabit ---> ~920 MBit/s
Don't think that with HW NAT you will get a significantly higher throughput than that...