Gargoyle 1.15.x OpenWrt 24.10 beta - 2025-08-03

[rg66]

Definitely the latest version, commit b51aa6f from base_on_openwrt_2410. Last night I did a 'make distclean' and a new build to make sure everything was up to date and had the same issues. I might have been wrong about the bandwidth monitor, it was working in the tests I did but quotas was still broken as per the previous post.

Another issue I noticed was with the quota for the dhcp range. With a static IP outside of the dhcp range, some of the bandwidth I used was added to the quota usage. At 100% usage, I get full bandwith during a speed test for a few seconds then it slowly drops close to the quota Mb/s limit.

Thanks

[Lantis]

I think I have a handle on a fix for the first issue, give me a bit of time on that.

Tell me more about the IP outside the DHCP range issue.
So you've got a DHCP range say 100-255, and you're applying a quota to that range?
If you then have a device that is 192.168.1.50, some of that devices traffic counts to the quota and you get limited?
Can you send me some config grabs for that as well please?

Does the device in question also have an IPv6 address? I'm thinking this might be a problem where the v6 traffic is being caught up and catching on the quota when it shouldn't.

[rg66]

The dhcp range is 192.168.1.200 - .220 and my laptop forced static IP is .100, IPv6 is disabled.

I made a quota for the dhcp range so after 1MB usage it throttles down to 2MB/s up and down. Here is where it gets strange. Myself and my sons PC, who is also on forced static (.120), get a little less than the throttled speed limit but his phone which is in the dhcp range gets a bit above the throttled speed. When I'm using data, a small percentage gets added to the quota usage even though I'm not in the quota IP range.

If I add any other IP to the quota, quotas stop working and all devices get full bandwidth and quota usage in the web gui is blank.

I've uploaded some config files and screen shots here: https://mega.nz/folder/c0hCAIYJ#dEZA1WkdkRulPprzmrP-ow

I appreciate the trouble shooting, let me know if you need anything else.

Thanks

[Lantis]

The dhcp range is 192.168.1.200 - .220 and my laptop forced static IP is .100, IPv6 is disabled.

I made a quota for the dhcp range so after 1MB usage it throttles down to 2MB/s up and down. Here is where it gets strange. Myself and my sons PC, who is also on forced static (.120), get a little less than the throttled speed limit but his phone which is in the dhcp range gets a bit above the throttled speed. When I'm using data, a small percentage gets added to the quota usage even though I'm not in the quota IP range.

If I add any other IP to the quota, quotas stop working and all devices get full bandwidth and quota usage in the web gui is blank.

I've uploaded some config files and screen shots here: https://mega.nz/folder/c0hCAIYJ#dEZA1WkdkRulPprzmrP-ow

I appreciate the trouble shooting, let me know if you need anything else.

Thanks

Thanks, I think the nftables commands are cutoff quite early due to that segfault which might be contributing.
Are you in a position to build off https://github.com/ericpaulbishop/gargo ... 4d1a539f20 ?
I'd like to test again to make sure that your first issue is resolved, and then repeat the findings for a non-included IP contributing to the quota if that is also still occurring.

If you need me to supply a build let me know.

[rg66]

Not a problem, will do a build and test tonight.

Thanks

[rg66]

Did a new build yesterday evening, I can add an IP to an existing quota now and it keeps working.

I added my static IP to the dhcp range quota and it throttled my bandwidth fairly close to the upload limit but download speed was anywhere from 1.5 to 2 x the limit. When I removed my IP I was still being throttled, even after a reboot. Strangely, my son (static) was also being throttled until I disabled the quota.

Something I've been wondering about for some time is, are static IPs supposed to be listed in Current DHCP Leases? My sons always is (.120), but mine (.100) is sometimes listed but usually not. Screenshot here: https://mega.nz/file/hx5QGJwb#mc9G7S-8h ... Q542lFmNuI

I did limited testing as my son wasn't too happy about the re-configs and reboots, and it was a double header MotoGP/WorldSBK weekend and motorcycle racing always gets priority. Will do more testing on Monday when my son is at school.

Cheers

[rg66]

After more testing I can confirm everything from my last post, my speed is throttled if my IP is in the quota or not. When I'm not in the quota, it only seems to effect download speed, upload speed is normal. My IP is not listed in Current DHCP Leases. The same happens to my sons PC, his IP is in the Current DHCP Leases list. Dhcp client speed seems to adhere to the quota more or less.

Cheers

[Lantis]

There's two things going on (I think...)
Firstly, I believe the behaviour you're seeing is caused by stale entries in the connection tracking.
1. You exceed the quota, we mark all of your connections with a flag
2. When that flag is seen, bandwidth throttling occurs

When you then remove your IP from the quota, there is nothing that goes and removes that flag, so throttling will still happen.
Those entries will expire on their own. Any new connections should not be throttled.
I am testing some extra rules which will clear these marks. I just need to try to check all the other interactions and that I'm not clobbering anything.

Secondly, when I rewrote the rules from iptables to nftables, I wasn't able to fully represent some of the connection marking (due to a kernel limitation). I thought I might get away with it, in hindsight this was never going to work out.
This has been fixed in linux kernel 6.13 which is newer than even what OpenWrt are using in their master branch (6.12). I've backported this code now and tested it, looks to be working great.
The symptoms of this would be asymmetric throttling or throttling that floats a little higher than expected. This is because the connection flags are rapidly turning on and off acting a bit like a duty cycle between full speed and throttled.
This I have a fix for already.
A simple recompile won't cut it as I have added a new top level patch. The patch is simple enough to just apply to your existing tree if you are adventurous. Otherwise a FULL_BUILD=true will take care of it.

So give me a bit longer to explore this flag/mark resetting and see if that helps things, but the behaviour on my setup is already much improved.

[rg66]

Thanks for looking into this, it sounds like you can reproduce this behavior and it's not just me.

I assume your busy and I'm not in a rush. At the moment I'm using QoS and when the quota is reached dhcp clients got to the slow class. It seems to work OK but I think it only applies when at high bandwidth usage, good enough for now.

I'm willing to try a patch and do another build anytime.

Cheers

[Lantis]

Alright I think these two commits are worth testing.
Backport kernel/nftables/libnftnl support for bitwise mask xor operation
gargoyle-firewall-util: Clear marks on packets to avoid lingering quotas applying

As mentioned the first one will either require a FULL_BUILD=true to repatch, or you can manually apply patches-generic/024-backport_nftables_bitwise_mask_xor.patch to your build root and then a normal make will suffice.

If we can get good results out of these, I intend to bump the OpenWrt version to the latest 24.10.3 and then do another build available for everyone inclusive of these fixes.