darksky
September 28, 2024, 2:47pm
1
Does anyone have some sysctl settings that can improve network performance/responsiveness? Router is x86/64, AMD Ryzen 7 5800U. Use case is home routing/firewall. Setup/services multiple interfaces with VLANs, wireguard, snort (IPS), samba4. Connection is symmetrical 1.0 Gbps. No complaints but if tweaking a queue size or a setting can make things better, like to know about it.
Here is what I have been using:
cat /etc/sysctl.d/100-mine.conf
# snort nfq
# https://forum.openwrt.org/t/ips-mode-of-snort3-is-not-dropping-traffic/161479/96
net.core.optmem_max=8388608
net.core.wmem_default=8388608
net.core.wmem_max=8388608
net.ipv4.tcp_rmem=1048576 4194304 16777216
net.ipv4.tcp_wmem=1048576 4194304 16777216
# general
net.core.netdev_max_backlog = 16384
vm.swappiness = 10
brada4
September 28, 2024, 3:22pm
3
Remove all your tweaks. Then gradually apply one a day to ADDRESS PROBLEMS.
Socket tunings do little about forwarding/mirroring.
For firewall:
committed 01:11PM - 03 Nov 23 UTC
Reduce ksoftirq load by half using more efficient reference to loopback
which always has index equal to one.
Should help a lot with openwrt/openwrt#12914, openwrt/openwrt#12121 and
similar iperf3 cases clamping against 100% CPU usage.
Signed-off-by: Andris PE <neandris@gmail.com>
[fix S-o-b tag, fix commit author, rewrap commit message]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
committed 10:13PM - 31 May 24 UTC
Let kernel heuristics take care of offloading decapsulation.
When software flow offloading is requested, avoid manually resolving and
adding lower physical devices to the flow table in order to let kernel
heuristics deal with the proper offloading en/decapsulation.
Fixes: https://github.com/openwrt/openwrt/issues/13410
Ref: https://github.com/openwrt/openwrt/issues/10224
Submitted-by: Andris PE <neandris@gmail.com>
[refactor code, reword commit message]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
committed 02:49PM - 03 Jun 24 UTC
In case interface configurations are present which refer to not existing
network devices, such device names might end up in the flowtable list,
leading to `No such file or directory` errors when attempting to load
the resulting ruleset.
Solve this issue by testing for each netdev name whether it refers to
an existing device.
Fixes: e009588 ("fw4: do not add physical devices for soft offload")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(and enable software offload)
darksky
September 28, 2024, 3:23pm
4
No, thought I read somewhere that still applies to memory usage. The machine has 16 G and rarely goes over 1.5 G used.
brada4
September 28, 2024, 3:30pm
5
Follow the Red Hat guide for large-scale systems. OpenWrt is squashed by default to utilize 64...128 MB systems at their best.
Also sysctl.d is not kept over sysupgrade, you have to use sysctl.conf
2 Likes
darksky
September 28, 2024, 5:37pm
6
Thanks all, solid advice.
brada4
September 29, 2024, 3:19pm
7
Could you share which settings were useful? Just to skip the checklist for the next passer-by....
1 Like
darksky
September 29, 2024, 6:01pm
8
None beyond what I have above.
I did not have any dropped packets in the ethtool -S eth0 | grep drop output
I had a column of zeros from awk '{for (i=1; i<=NF; i++) printf strtonum("0x" $i) (i==NF?"\n":" ")}' /proc/net/softnet_stat | column -t
Zero dropped packets from tc -s qdisc show dev eth0 | grep drop
egrep "CPU|eth0" /proc/interrupts
Column of zeros from awk '{for (i=1; i<=NF; i++) printf strtonum("0x" $i) (i==NF?"\n":" ")}' /proc/net/softnet_stat
Able to saturate line with iperf tests
1 Like
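The drop checks listed in the post above, wrapped into a small POSIX shell script as an added example (these are not the poster's own commands): it decodes the hex columns of /proc/net/softnet_stat per CPU and pulls the nonzero drop/miss counters out of ethtool -S output. The softnet_stat and ethtool samples are constructed inline so the script runs offline; on a router, pipe the real /proc/net/softnet_stat or ethtool -S eth0 into the same functions.

```shell
#!/bin/sh
# Added example (not from the forum post): decode per-CPU softnet_stat
# counters and filter "ethtool -S" output for nonzero drop/miss counters.
# Only column 2 (dropped) and column 3 (time_squeeze) of softnet_stat are
# interpreted here; the meaning of later columns varies between kernels.

# Constructed sample of /proc/net/softnet_stat for a 2-CPU box (hex fields).
SAMPLE_SOFTNET='0001f4a0 00000000 00000003 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0000c350 00000002 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000'

# Constructed sample of "ethtool -S eth0" output.
SAMPLE_ETHTOOL='NIC statistics:
     rx_packets: 123456
     tx_packets: 98765
     rx_dropped: 0
     tx_dropped: 0
     rx_missed_errors: 7'

# stdin: softnet_stat text. stdout: "cpu processed dropped squeezed" in
# decimal, one line per CPU (the kernel prints one row per CPU, in order).
softnet_decode() {
    cpu=0
    while read -r processed dropped squeezed _rest; do
        [ -n "$processed" ] || continue
        printf '%d %d %d %d\n' "$cpu" "0x$processed" "0x$dropped" "0x$squeezed"
        cpu=$((cpu + 1))
    done
}

# stdin: softnet_stat text. stdout: total packets dropped from the per-CPU
# backlog (nonzero means netdev_max_backlog was overrun at some point).
softnet_total_dropped() {
    softnet_decode | awk '{ sum += $3 } END { print sum + 0 }'
}

# stdin: softnet_stat text. stdout: total time_squeeze events (the NAPI
# poll budget or time slice ran out while packets were still pending).
softnet_total_squeezed() {
    softnet_decode | awk '{ sum += $4 } END { print sum + 0 }'
}

# stdin: "ethtool -S" output. stdout: name=value for every drop/miss
# counter that is nonzero, so an empty result means no NIC-level drops.
ethtool_nonzero_drops() {
    awk '/drop|miss/ { name = $1; sub(/:$/, "", name); if ($2 + 0 != 0) print name "=" $2 }'
}

# Stand-alone run against the constructed samples.
main() {
    echo "softnet per CPU (cpu processed dropped squeezed):"
    printf '%s\n' "$SAMPLE_SOFTNET" | softnet_decode
    echo "total dropped:  $(printf '%s\n' "$SAMPLE_SOFTNET" | softnet_total_dropped)"
    echo "total squeezed: $(printf '%s\n' "$SAMPLE_SOFTNET" | softnet_total_squeezed)"
    echo "nonzero ethtool drop/miss counters:"
    printf '%s\n' "$SAMPLE_ETHTOOL" | ethtool_nonzero_drops
}
main
```

A nonzero "dropped" total is the one counter that a larger net.core.netdev_max_backlog can actually address; a growing "squeezed" total points at the softirq budget instead, and NIC-level misses show up only in the ethtool counters, so the three checks answer different questions.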
I’ve used this in my /etc/sysctl.conf since 2020; it is related to nlbwmon constantly erroring on:
daemon.err nlbwmon[1751]: Netlink receive failure: Out of memory
daemon.err nlbwmon[1751]: Unable to dump conntrack: No buffer space available
rp_filter = 2
net.core.rmem_default=1048576
net.core.wmem_default=1048576
net.core.rmem_max=1048576
net.core.wmem_max=1048576
Haven’t had a problem since.
1 Like
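An added example (not from the thread) of a lint for the kind of sysctl file discussed here, run before it goes into /etc/sysctl.conf: it parses key = value lines the way sysctl -p does, reports keys that are not dotted paths (sysctl writes /proc/sys/<key with dots turned into slashes>, so an undotted name has no file behind it), and reports duplicate keys, where the last value wins. The sample file is constructed inline.

```shell
#!/bin/sh
# Added example (not from the thread): lint a sysctl-style file.
# Rules applied:
#   * lines starting with '#' or ';' and blank lines are ignored, as in sysctl(8)
#   * a key must be a dotted path such as net.core.rmem_max; the slash form
#     (net/core/rmem_max) that sysctl also accepts is not handled here
#   * a key listed more than once is reported; the last value wins

# Constructed sample mixing valid, undotted and duplicate entries.
SAMPLE_SYSCTL='# buffers
net.core.rmem_default=1048576
net.core.rmem_max=1048576
rp_filter = 2
net.core.rmem_max = 2097152
; comment in the other style
vm.swappiness=10'

# stdin: sysctl file. stdout: "key=value" per setting, whitespace trimmed,
# comments and blank lines dropped.
sysctl_parse() {
    sed -e '/^[[:space:]]*[#;]/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' \
        -e 's/[[:space:]]*=[[:space:]]*/=/'
}

# stdin: sysctl file. stdout: keys that are not dotted paths.
sysctl_undotted_keys() {
    sysctl_parse | awk -F= '$1 !~ /^[A-Za-z0-9_]+(\.[A-Za-z0-9_-]+)+$/ { print $1 }'
}

# stdin: sysctl file. stdout: keys that occur more than once.
sysctl_duplicate_keys() {
    sysctl_parse | awk -F= '{ n[$1]++ } END { for (k in n) if (n[k] > 1) print k }'
}

# stdin: sysctl file. stdout: effective key=value list in first-seen order,
# with the last value for each key (the semantics of sysctl -p).
sysctl_effective() {
    sysctl_parse | awk -F= '{
        v[$1] = substr($0, index($0, "=") + 1)
        if (!($1 in seen)) { seen[$1] = 1; order[++n] = $1 }
    } END { for (i = 1; i <= n; i++) print order[i] "=" v[order[i]] }'
}

# stdin: sysctl file. Prints findings; returns 1 if any problem was found.
sysctl_lint() {
    content=$(cat)
    bad=0
    for k in $(printf '%s\n' "$content" | sysctl_undotted_keys); do
        echo "invalid key (not a dotted path): $k"; bad=1
    done
    for k in $(printf '%s\n' "$content" | sysctl_duplicate_keys); do
        echo "duplicate key (last value wins): $k"; bad=1
    done
    return $bad
}

# Stand-alone run against the constructed sample.
main() {
    if printf '%s\n' "$SAMPLE_SYSCTL" | sysctl_lint; then
        echo "no problems found"
    else
        echo "problems found"
    fi
    echo "effective settings:"
    printf '%s\n' "$SAMPLE_SYSCTL" | sysctl_effective
}
main
```

Running it against a real file is `sysctl_lint < /etc/sysctl.conf`; the effective list is handy when a sysctl.d fragment and sysctl.conf both set the same key, since whichever file is loaded last decides.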
brada4
September 29, 2024, 6:32pm
10
Helps drawing @jow's attention to this
I believe he has been aware of this for a while. I just haven’t been able to find that post yet.
1 Like