WRT1200ac does not work Softoffloading

I have a WRT1200AC running OpenWrt 23.05.4. When I enable software flow offloading, web pages can't be opened; they stay stuck loading. I can ping the hosts, but the pages will not open.


Can you still ssh in or reach LuCI after enabling soft offload, or are you fighting a loop of failsafe resets?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

# Firmware release, kernel version and board identification.
ubus call system board
# Interface and device definitions. Check for credentials before posting
# (for example PPPoE passwords or VPN private keys, if any are configured).
cat /etc/config/network
# Radio and SSID settings. The Wi-Fi passphrase is stored here as 'option key';
# remove it before posting.
cat /etc/config/wireless
# dnsmasq / odhcpd settings: DNS forwarders and DHCP pools.
cat /etc/config/dhcp
# Firewall defaults, zones, forwardings and rules.
cat /etc/config/firewall

It be borked with current kernel

Do you mean that 23.05.4 is broken compared with a previous version that worked, or that the snapshot is broken?

root@WRT1200:~# ubus call system board
{
	"kernel": "5.15.150",
	"hostname": "WRT1200",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT1200AC",
	"board_name": "linksys,wrt1200ac",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}
root@WRT1200:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc2:290a:ce56::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option delegate '0'
	list dns '208.67.222.222'
	list dns '208.67.220.220'

config device
	option name 'wan'
	option macaddr '62:38:e0:0a:1f:69'

config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr '192.168.1.100'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option sourcefilter '0'

root@WRT1200:~# cat /etc/config/wireless

config wifi-device 'radio0'
option type 'mac80211'
option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
option band '5g'
option htmode 'VHT80'
option cell_density '0'
option channel '36'
option country 'MX'

config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'AXTEL XTREMO'
option encryption 'psk2'

option ifname 'if5g'
option max_inactivity '86400'
option disassoc_low_ack '0'
option dtim_period '3'
option ieee80211w '1'
option skip_inactivity_poll '1'
option wpa_group_rekey '86400'

config wifi-device 'radio1'
option type 'mac80211'
option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
option channel 'auto'
option band '2g'
option htmode 'HT20'
option cell_density '0'
option country 'MX'

config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'AXTEL XTREMO'
option encryption 'psk2'

option ifname 'if2g'
option max_inactivity '86400'
option disassoc_low_ack '0'
option dtim_period '3'
option skip_inactivity_poll '1'
option wpa_group_rekey '86400'

config wifi-iface 'wifinet2'
option device 'radio1'
option mode 'ap'
option ssid 'Mega_2.4G_A2DF'
option encryption 'psk2'

option ifname 'if2ga2df'
option skip_inactivity_poll '1'
option disassoc_low_ack '0'
option network 'lan'

config wifi-iface 'wifinet3'
option device 'radio0'
option mode 'ap'
option ssid 'Mega_5G_A2DF'
option encryption 'psk2'

option ifname 'if5ga2df'
option skip_inactivity_poll '1'
option disassoc_low_ack '0'
option network 'lan'

root@WRT1200:~#
root@WRT1200:~# cat /etc/config/dhcp

config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option dhcpscript '/etc/hotplug.d/dhcp/99-notify.sh'
list interface 'lan'
option min_cache_ttl '300'
option max_cache_ttl '3600'
option dnsforwardmax '600'
list server '/mask.icloud.com/'
list server '/mask-h2.icloud.com/'
list server '/use-application-dns.net/'
list server '127.0.0.1#5053'
option nonegcache '1'
option allservers '1'
option doh_backup_noresolv '-1'
option noresolv '1'
list doh_backup_server '208.67.222.222'
list doh_backup_server '208.67.220.220'
list doh_server '127.0.0.1#5053'
option serversfile '/var/run/adblock-fast/dnsmasq.servers'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '24h'
option dhcpv4 'server'
option ra 'server'
option dhcpv6 'server'
list dhcp_option '42,192.168.3.1'

config dhcp 'wan'
option interface 'wan'
option ignore '1'
option start '100'
option limit '150'
option leasetime '12h'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '3'

root@WRT1200:~# cat /etc/config/firewall

config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option synflood_protect '1'
option drop_invalid '1'

config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'

config zone 'wan'
option name 'wan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'

root@WRT1200:~#


Also, it did not work in 23.05.3 either; I thought it might be fixed in the next release.

Run fw4 check -> report if you find any errors displayed
Add hardware offload to config file without enabling

config defaults
    ...
        option flow_offloading '1'

   

Run fw4 check again -> report if any
Comment line out for now.

It is rather surprising, sw offload does not do more than basic firewall, it actually does less copying packets from interface to interface.

Double nat is pessimal, like adding few milliseconds latency per step, but does not impair connectivity in entirety.

Unrelated:
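Your firewall config looks pretty generic; the one setting that stands out is input 'ACCEPT' on the 'wan' zone, which leaves the router's own services reachable from the upstream network, so set it to 'REJECT' unless that is intended. You can improve wifi by setting the 5 GHz channel to auto (at least that does not make it worse in the very worst case).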

software offload was borked with the 5.16 push and has never been resolved.

root@WRT1200:~# fw4 check
Ruleset passes nftables check.
root@WRT1200:~# cd /etc/config
root@WRT1200:/etc/config# nano firewall 
root@WRT1200:/etc/config# fw4 check
Ruleset passes nftables check.
root@WRT1200:/etc/config# cat firewall | grep offloading
        option flow_offloading '1'
root@WRT1200:/etc/config# 

Try installing the raw fw4.uc from https://github.com/openwrt/firewall4/commit/dfbcc1cd127c78fc61bb870d36d2512b571d223b -> use "show file" at the top right, get the link to the raw file and wget it to the device. Check that what you downloaded is the uc script and not an HTML-formatted page, keep a copy of the current fw4.uc so you can roll back, then replace fw4.uc and try again. In essence, it will not manipulate ethernet SKBs, it will only switch software ones. It may also need "br-wan" configured to handle the other side. That's my best guess from seeing the ethernet patches in the kernel update commit.
@ja167791 - wait till we test if my workaround is viable, comment line for now.

Ok, i will wait. Thanks

The suggested approach, fetching the latest version, would be:

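# Replace the packaged firewall4 script with the current one from master.
# NOTE: "master" is not pinned, so the file fetched today may differ from the
# one discussed in this thread. fw4.uc runs as root on every firewall
# (re)load, so the download is staged in /tmp and checked before it is copied
# over the live file; a failed or truncated transfer leaves the firewall intact.
fw4_live=/usr/share/ucode/fw4.uc
fw4_new=$(mktemp /tmp/fw4.uc.XXXXXX)
if [ -n "$fw4_new" ] &&
  wget -O "$fw4_new" https://github.com/openwrt/firewall4/raw/master/root/usr/share/ucode/fw4.uc &&
  [ -s "$fw4_new" ] &&
  ! head -c 512 "$fw4_new" | grep -Eqi '<!doctype|<html'; then
  # Keep the packaged version (only once) so the change can be rolled back,
  # then overwrite in place so the existing file mode and owner are kept.
  { [ -e "$fw4_live.orig" ] || cp -p "$fw4_live" "$fw4_live.orig"; } &&
    cp "$fw4_new" "$fw4_live" &&
    fw4 check
else
  echo "fw4.uc download failed or is not a script; $fw4_live left unchanged" >&2
fi
rm -f -- "$fw4_new"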

Thanks it is working now

Worth reporting defect in network driver via github.
Please post the complete /etc/config/network enclosed in triple backticks ```
And the output of ip link, removing MAC and IP addresses from both.
That will help pinpoint the broken piece.

Seems to work, diff -y --suppress-common-line fw4.org fw4.test differences from current, I think I noticed some new errors in logs, need to check.

It excludes physical interfaces from soft offload targets; as far as I am concerned, that permits wifi roaming without disrupting all connections on lower-end routers that don't get any speed mandating offload.
PS I am in part author of that patch, I know perfectly what diff encompasses.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc2:290a:ce56::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option delegate '0'
	list dns '208.67.222.222'
	list dns '208.67.220.220'

config device
	option name 'wan'
	

config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr '192.168.1.100'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option sourcefilter '0'


1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1508 qdisc mq state UP qlen 1024
   
3: lan4@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    
4: lan3@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    
5: lan2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    
6: lan1@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    l
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    
14: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    
17: if2g: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    
19: if2ga2df: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    
20: if5g: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    
21: if5ga2df: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    

It is all DSA, likely other patch enabling that for mvebu, not exactly 5.15 import.
One day fw4 will be upgraded and mask this problem for good.

Thanks for your support

Has to be reported on github, it is here more focused than initial report saying whole 5.15 is at fault.