[solved] How to optimize a NAS running OpenWRT?

AleXSR700 · October 15, 2023, 1:31pm

Hello everyone,
I have been running OpenWRT on my NAS devices (Zyxel NSA325v2) for a while and I always had the feeling that it is not reaching its full potential.

I was wondering if there a not a whole bunch of features a router would need that I could/should disable to achieve maximum performance as a NAS.

For instance, OpenWRT creates 2 interfaces LAN and LAN6, but I only use IPv4, so would there be a benefit to deleting LAN6? Are there any routing or Firewall features running in the background without me having set them up?

Essentially it is one LAN port with static IPv4 and I am using SSH/SFTP as the only transfer protocol.

Any recommendations would be appreciated

Thank you
Alex

ncompact · October 15, 2023, 2:40pm

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

slh · October 15, 2023, 9:12pm

None of the topics you mentioned will have any detrimental effect on NAS performance. A firewall will only require CPU cycles, if packets are passing through it, if everything is on LAN, there is no filtering or routing going on and (almost) zero CPU cost (just a few KB used RAM, negligible). IPv6 is not a (potential) reason for performance issues either, your clients select which IP protocol they want to use - and they'll only use either of them.

AleXSR700 · October 16, 2023, 8:26am

Happy to

BusyBox v1.35.0 (2023-01-03 00:24:21 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 22.03.3, r20028-43d71ad93e
 -----------------------------------------------------
e]0;root@NSA325v2_1: ~aroot@NSA325v2_1:~# ubus call system board
{
	"kernel": "5.10.161",
	"hostname": "NSA325v2_1",
	"system": "Feroceon 88FR131 rev 1 (v5l)",
	"model": "ZyXEL NSA325",
	"board_name": "zyxel,nsa325",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.3",
		"revision": "r20028-43d71ad93e",
		"target": "kirkwood/generic",
		"description": "OpenWrt 22.03.3 r20028-43d71ad93e"
	}
}
e]0;root@NSA325v2_1: ~aroot@NSA325v2_1:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8e:b985:c36f::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.101'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'
	list dns '192.168.0.1'

config interface 'lan6'
	option device 'br-lan'
	option proto 'dhcpv6'

e]0;root@NSA325v2_1: ~aroot@NSA325v2_1:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'disabled'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

e]0;root@NSA325v2_1: ~aroot@NSA325v2_1:~# cat /etc/config/firewall
config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT


### EXAMPLE CONFIG SECTIONS
deleted due to redundancy
e]0;root@NSA325v2_1: ~aroot@NSA325v2_1:~# exit

ncompact · October 16, 2023, 8:33am

This NAS is configured as a DUMP AP
then you can disable the firewall,

but it won't change anything in the overall performance

cp /etc/config/firewall /etc/config/firewall.backup
echo "" > /etc/config/firewall
/etc/init.d/firewall disable
/etc/init.d/firewall stop

view answer:

view:
https://openwrt.org/docs/guide-user/network/wifi/dumbap#step_3disable_dhcp_server
https://openwrt.org/docs/guide-user/network/wifi/dumbap#step_5disable_firewall

Mijzelf · October 16, 2023, 9:30am

That is a performance sink. The encryption costs far more than all other aspects of the data transfer. When I remember well the original firmware could do around 40MB/sec using samba, while using an ssh tunnel lowered the throughput to 1~2MB/sec, at a CPU load of 100%.

Try FTP instead. And if you can't, because of evil internet, try FTP in combination with wireguard. Wireguard is also encryption, but much cheaper than ssh.

system · October 26, 2023, 9:32am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.