Wireguard Session Manager - Discussion (2nd) thread

ifconfig eth0
never really got what wg21 ipv6 prefix you were planning to use, so maybe you could fill in the wg21 address and the wg21 Device Address (usually wg21 address +1):
Code:
1)    Add/check in /opt/etc/wireguard.d/wg21.conf (the PreUp must be with a #, it will be executed anyway):
AllowedIps = 10.50.1.2/32, <DeviceIpv6>/128
#PreUp = ip -6 address add dev wg21 <wg21Ipv6>/64
2)    Check /opt/etc/wireguard.d/device.conf (YourDeviceName.conf):
Address = 10.50.1.2/32, <DeviceIpv6>/128
3)    Restart wg21 and import new device config to client (i.e. Android phone or similar known working device).
4)    Check with ifconfig that wg21 has both ipv4 and ipv6 address
5)    Execute from the router shell (one by one):
ip6tables -t mangle -I FORWARD -o wg21 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment "WireGuard 'server'"
ip6tables -t mangle -I FORWARD -i wg21 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment "WireGuard 'server'"
ip6tables -t mangle -I FORWARD -o wg21 -j MARK --set-xmark 0x01/0x7 -m comment --comment "WireGuard 'server'"
ip6tables -t mangle -I PREROUTING -i wg21 -j MARK --set-xmark 0x01/0x7 -m comment --comment "WireGuard 'server'"
ip6tables -I INPUT -i wg21 -j ACCEPT -m comment --comment "WireGuard 'server'"
ip6tables -I FORWARD -i wg21 -j ACCEPT -m comment --comment "WireGuard 'server'"
ip6tables -I FORWARD -i br0 -o wg21 -j ACCEPT -m comment --comment "LAN to WireGuard 'server clients'"
ip6tables -I OUTPUT -o wg21 -j ACCEPT -m comment --comment "WireGuard 'server'"
6)    Check IPv4/IPv6 connection to Client (On Android use i.e. PingTools):
Ping wg21 ipv4
Ping wg21 ipv6
Ping internet client 2600::
7)    If all good, put the ip6tables commands in userscript /jffs/addons/wireguard/Scripts/wg21-up.sh (don’t forget the shebang and make it executable)
also remove the rules (Replace -I with -D) in userscript /jffs/addons/wireguard/Scripts/wg21-down.sh (don’t forget the shebang and make it executable)
It is working!!!

You're my hero :D

Please remind me how to make scripts executable.
 
It is working!!!

You're my hero :D

Please remind me how to make scripts executable.
Finally! Some progress at last!!!

Code:
chmod +x /jffs/ ...etc....

@Martineau perhaps 6-in-4 ipv6 should also enable rules and general wgm ipv6... it's just ppp tunnel much as WireGuard is. Basic setup works for static ips as shown by @pkoci
 
Testing with Ping 2600:: (2 sets of 3) from Android Ping - no PRE or POST ROUTING rules applied
ip6tables -nvL PREROUTING -t nat - No identified traffic at all
Code:
ip6tables -nvL PREROUTING -t nat
Chain PREROUTING (policy ACCEPT 12740 packets, 2455K bytes)
pkts bytes target     prot opt in     out     source               destination
Code:
admin@RT-AX88U-5050:/tmp/home/root# ip6tables -nvL PREROUTING -t nat
Chain PREROUTING (policy ACCEPT 12867 packets, 2483K bytes)
pkts bytes target     prot opt in     out     source               destination
ip6tables -nvL PREROUTING -t mangle
Code:
ip6tables -nvL PREROUTING -t mangle
Chain PREROUTING (policy ACCEPT 422K packets, 322M bytes)
pkts bytes target     prot opt in     out     source               destination
  155 17750 MARK       all      wg21   *       ::/0                 ::/0                 /* WireGuard 'server' */ MARK xset 0x1/0x7
Code:
ip6tables -nvL PREROUTING -t mangle
Chain PREROUTING (policy ACCEPT 423K packets, 322M bytes)
pkts bytes target     prot opt in     out     source               destination
  160 18270 MARK       all      wg21   *       ::/0                 ::/0                 /* WireGuard 'server' */ MARK xset 0x1/0x7
ip6tables -nvL FORWARD -t mangle - All empty
Code:
ip6tables -nvL FORWARD -t mangle
Chain FORWARD (policy ACCEPT 359K packets, 295M bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all      *      wg21    ::/0                 ::/0                 /* WireGuard 'server' */ MARK xset 0x1/0x7
    0     0 TCPMSS     tcp      wg21   *       ::/0                 ::/0                 tcp flags:0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU
    0     0 TCPMSS     tcp      *      wg21    ::/0                 ::/0                 tcp flags:0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU
    0     0 DNSFILTERF  udp      br+    *       ::/0                 ::/0                 udp dpt:53
    0     0 DNSFILTERF  tcp      br+    *       ::/0                 ::/0                 tcp dpt:53
    0     0 DNSFILTER_DOT  tcp      br+    *       ::/0                 ::/0                 tcp dpt:853
Code:
ip6tables -nvL FORWARD -t mangle
Chain FORWARD (policy ACCEPT 360K packets, 296M bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all      *      wg21    ::/0                 ::/0                 /* WireGuard 'server' */ MARK xset 0x1/0x7
    0     0 TCPMSS     tcp      wg21   *       ::/0                 ::/0                 tcp flags:0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU
    0     0 TCPMSS     tcp      *      wg21    ::/0                 ::/0                 tcp flags:0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU
    0     0 DNSFILTERF  udp      br+    *       ::/0                 ::/0                 udp dpt:53
    0     0 DNSFILTERF  tcp      br+    *       ::/0                 ::/0                 tcp dpt:53
    0     0 DNSFILTER_DOT  tcp      br+    *       ::/0                 ::/0                 tcp dpt:853
Packets ( ip -s link show wg21)
Code:
ip -s link show wg21
41: wg21: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none
    RX: bytes  packets  errors  dropped missed  mcast
    9428324    40594    6       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    38355524   51784    2       0       0       0
Code:
ip -s link show wg21
41: wg21: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none
    RX: bytes  packets  errors  dropped missed  mcast
    9433108    40633    6       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    38362676   51817    2       0       0       0
Looks like the package passes PREROUTING and never reaches FORWARD chain. Guess what happens in between: routing...

So ip route drops the package, although there is a perfectly good route.

Must be some interface setting switch in the router somewhere. I'll dig and see what I can find during the evening.

Feel free to setup your wg clients, there should not be any problem forwarding packages to them, as this is your ultimate goal.

I'll let you know if I find anything.
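
The comparison made in this reply (the wg21 counter in PREROUTING rises while the wg21 rules in FORWARD stay at 0), as an added example that is not part of the original posts: it sums the packet counters of the wg21 rules in two `ip6tables -nvL` snapshots and reports where the pings stopped. The snapshots are the PREROUTING and FORWARD lines quoted above (trimmed); the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Compares two snapshots of
# `ip6tables -nvL <CHAIN> -t mangle` taken before and after a ping test.

# Sum the pkts column of every rule whose in/out interface is $1.
# ip6tables leaves the "opt" column empty, so in=$5 and out=$6.
# Large counters are abbreviated (e.g. 422K); take snapshots with
# `ip6tables -nvxL` for exact numbers. Abbreviated rows are skipped here.
wg_pkts() {
    awk -v ifc="$1" '
        $1 ~ /^[0-9]+$/ && ($5 == ifc || $6 == ifc) { sum += $1 }
        END { print sum + 0 }'
}

# hop_delta IFACE BEFORE AFTER -> packets counted between the two snapshots
hop_delta() {
    before=$(printf '%s\n' "$2" | wg_pkts "$1")
    after=$(printf '%s\n' "$3" | wg_pkts "$1")
    echo $((after - before))
}

# verdict PREROUTING_DELTA FORWARD_DELTA
verdict() {
    if [ "$1" -eq 0 ]; then
        echo "no tunnel traffic reached PREROUTING"
    elif [ "$2" -eq 0 ]; then
        echo "seen in PREROUTING, never in FORWARD"
    else
        echo "forwarded"
    fi
}

# Snapshots copied from the output quoted in the thread (columns trimmed).
PRE_BEFORE="Chain PREROUTING (policy ACCEPT 422K packets, 322M bytes)
pkts bytes target     prot opt in     out     source   destination
  155 17750 MARK       all      wg21   *       ::/0     ::/0"
PRE_AFTER="Chain PREROUTING (policy ACCEPT 423K packets, 322M bytes)
pkts bytes target     prot opt in     out     source   destination
  160 18270 MARK       all      wg21   *       ::/0     ::/0"
FWD_BEFORE="Chain FORWARD (policy ACCEPT 359K packets, 295M bytes)
pkts bytes target     prot opt in     out     source   destination
    0     0 MARK       all      *      wg21    ::/0     ::/0
    0     0 TCPMSS     tcp      wg21   *       ::/0     ::/0
    0     0 TCPMSS     tcp      *      wg21    ::/0     ::/0
    0     0 DNSFILTERF  udp      br+    *       ::/0     ::/0"
FWD_AFTER="Chain FORWARD (policy ACCEPT 360K packets, 296M bytes)
pkts bytes target     prot opt in     out     source   destination
    0     0 MARK       all      *      wg21    ::/0     ::/0
    0     0 TCPMSS     tcp      wg21   *       ::/0     ::/0
    0     0 TCPMSS     tcp      *      wg21    ::/0     ::/0
    0     0 DNSFILTERF  udp      br+    *       ::/0     ::/0"

pre=$(hop_delta wg21 "$PRE_BEFORE" "$PRE_AFTER")
fwd=$(hop_delta wg21 "$FWD_BEFORE" "$FWD_AFTER")
echo "PREROUTING +$pre, FORWARD +$fwd: $(verdict "$pre" "$fwd")"
```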
 
This happens with every wgm restart. Does this mean something bad?

Code:
    Requesting WireGuard VPN Peer restart (wg21)

    Restarting Wireguard 'server' Peer (wg21)
ip6tables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
ip6tables: Bad rule (does a matching rule exist in that chain?).
ip6tables: Bad rule (does a matching rule exist in that chain?).
ip6tables: Bad rule (does a matching rule exist in that chain?).
ip6tables: Bad rule (does a matching rule exist in that chain?).
    wireguard-server1: Wireguard VPN 'Server' Peer (wg21) on 10.50.1.0:11501 (# RT-AX56U (IPv4/IPv6) Server 1) Terminated

Btw. I have to run command "fc disable" (Broadcom Packet Flow Cache learning via BLOG disabled) to avoid terrible throughput and extreme CPU usage. Do I miss anything?

What speeds are expected on RT-AX56U?
 
This happens with every wgm restart. Does this mean something bad?
No... it means that ip6tables rules are not found when trying to delete them. It means wgm is probably deleting 8 rules before your wg21-down.sh is executed so you could probably rename wg21-down as it is not needed. That would remove the errors.


Btw. I have to run command "fc disable" (Broadcom Packet Flow Cache learning via BLOG disabled) to avoid terrible throughput and extreme CPU usage. Do I miss anything?
Wgm does this for select models where reported needed... guess @Martineau will need to add AX-56U to the list.


What speeds are expected on RT-AX56U?
No idea, I would expect around 450Mbit/s something...
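
Step 7 of the procedure and the "Bad rule" errors explained in this reply, as an added example (not wireguard_manager code and not from the posts): one rule list drives both directions, and `ip6tables -C` checks each rule first, so a repeated up adds no duplicates and a down after wgm has already removed the rules prints no errors. The helper name `wg21-rules.sh` and the `IP6T`/`WG_IF` variables are assumptions, and the router's ip6tables must support `-C`.

```shell
#!/bin/sh
# Added example (not wireguard_manager code). Hypothetical helper, e.g. saved
# as /jffs/addons/wireguard/Scripts/wg21-rules.sh and called from the
# wg21-up.sh / wg21-down.sh userscripts as "wg21-rules.sh up" / "... down".

IP6T="${IP6T:-ip6tables}"   # assumption: overridable, e.g. for a dry run
WG_IF="${WG_IF:-wg21}"

# table|chain|rule spec|comment : the eight rules from step 5 of the thread
rules() {
    cat <<EOF
mangle|FORWARD|-o $WG_IF -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu|WireGuard 'server'
mangle|FORWARD|-i $WG_IF -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu|WireGuard 'server'
mangle|FORWARD|-o $WG_IF -j MARK --set-xmark 0x01/0x7|WireGuard 'server'
mangle|PREROUTING|-i $WG_IF -j MARK --set-xmark 0x01/0x7|WireGuard 'server'
filter|INPUT|-i $WG_IF -j ACCEPT|WireGuard 'server'
filter|FORWARD|-i $WG_IF -j ACCEPT|WireGuard 'server'
filter|FORWARD|-i br0 -o $WG_IF -j ACCEPT|LAN to WireGuard 'server clients'
filter|OUTPUT|-o $WG_IF -j ACCEPT|WireGuard 'server'
EOF
}

# apply up|down : insert missing rules or delete present ones.
# Prints how many rules were actually changed.
apply() {
    action=$1
    changed=0
    while IFS='|' read -r table chain spec comment; do
        # $spec is left unquoted on purpose so it splits into arguments.
        if $IP6T -t "$table" -C "$chain" $spec \
                -m comment --comment "$comment" 2>/dev/null; then
            present=1
        else
            present=0
        fi
        case "$action:$present" in
            up:0)   $IP6T -t "$table" -I "$chain" $spec \
                        -m comment --comment "$comment" && changed=$((changed + 1)) ;;
            down:1) $IP6T -t "$table" -D "$chain" $spec \
                        -m comment --comment "$comment" && changed=$((changed + 1)) ;;
        esac
    done <<EOF
$(rules)
EOF
    echo "$changed"
}

# Only act when called with an argument, so the file can also be sourced.
case "${1:-}" in
    up|down) apply "$1" >/dev/null ;;
esac
```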
 
you could try to add a new route, in case there is some flag in the routing entry that prevents this routing from ULA, this rule should take priority over your default route as it is more specific:
Code:
ip -6 route add 2::/3 via fe80::4255:82ff:febd:9c3 dev eth0

Found some info here:
https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6

now, I have no idea if it is relevant, but perhaps worth a try? They seem keen on setting up wan for temporary addresses by:
Code:
echo 2 > "/proc/sys/net/ipv6/conf/eth0/accept_ra"
echo 2 > "/proc/sys/net/ipv6/conf/eth0/use_tempaddr"

It should do the same on asuswrt and I checked, I have these variables. Whatever is set here is reset at reboot so no worries about that. But before doing so, perhaps check what they are before changing so you could set them back if it doesn't work:
Code:
cat /proc/sys/net/ipv6/conf/eth0/accept_ra
cat /proc/sys/net/ipv6/conf/eth0/use_tempaddr

Another interesting thing to try:
The default ULA (Unique local address) prefix represents an address that is not globally routed on the internet by design. A lot of clients will prefer IPv4 over a ULA IPv6 address if there is no global IPv6 address assigned, so you may need to change your existing ULA prefix to indicate a global address to ensure traffic goes over IPv6 by default when possible.
When changing the ULA prefix, it doesn't necessarily have to start with d, but to avoid conflicts, you should use a prefix that is not being used yet. The letters are unassigned and therefore safe choices.
Wonder what happens if you replace your ula fd/fc prefix with something else, like fa or aa or just whatever.
 
I have to run command "fc disable" (Broadcom Packet Flow Cache learning via BLOG disabled) to avoid terrible throughput and extreme CPU usage.
I have uploaded wireguard_manager Beta v4.16b3

Flow Cache will now be checked for model RT-AX56U and auto DISABLE Flow Cache

To apply the patch use
Code:
e  = Exit Script [?]

E:Option ==> uf dev
 
@Martineau perhaps 6-in-4 ipv6 should also enable rules and general wgm ipv6... it's just ppp tunnel much as WireGuard is. Basic setup works for static ips as shown by @pkoci
I have uploaded wireguard_manager Beta v4.16b3
To apply the patch use
Code:
e  = Exit Script [?]

E:Option ==> uf dev
 
you could try to add a new route, in case there is some flag in the routing entry that prevents this routing from ULA, this rule should take priority over your default route as it is more specific:
Code:
ip -6 route add 2::/3 via fe80::4255:82ff:febd:9c3 dev eth0

Found some info here:
https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6

now, I have no idea if it is relevant, but perhaps worth a try? They seem keen on setting up wan for temporary addresses by:
Code:
echo 2 > "/proc/sys/net/ipv6/conf/eth0/accept_ra"
echo 2 > "/proc/sys/net/ipv6/conf/eth0/use_tempaddr"

It should do the same on asuswrt and I checked, I have these variables. Whatever is set here is reset at reboot so no worries about that. But before doing so, perhaps check what they are before changing so you could set them back if it doesn't work:
Code:
cat /proc/sys/net/ipv6/conf/eth0/accept_ra
cat /proc/sys/net/ipv6/conf/eth0/use_tempaddr

Another interesting thing to try:

Wonder what happens if you replace your ula fd/fc prefix with something else, like fa or aa or just whatever.
I have tried each of the above
Code:
ip -6 route add 2::/3 via fe80::4255:82ff:febd:9c3 dev eth0
Code:
echo 2 > "/proc/sys/net/ipv6/conf/eth0/accept_ra"
echo 2 > "/proc/sys/net/ipv6/conf/eth0/use_tempaddr"
and changing fd to fa and aa
None of these worked and the only solution that does work is using wan IPv6 address.

From a personal perspective this is not an issue as (a) my 'dynamic' IPV6 is not at all dynamic and (b) creating a new server + device + adding it to the phone takes no more than a couple of minutes. However, I am happy to keep helping you find a solution for actual dynamic IPv6 if you are prepared to pursue this.
 
I have tried each of the above
Code:
ip -6 route add 2::/3 via fe80::4255:82ff:febd:9c3 dev eth0
Code:
echo 2 > "/proc/sys/net/ipv6/conf/eth0/accept_ra"
echo 2 > "/proc/sys/net/ipv6/conf/eth0/use_tempaddr"
and changing fd to fa and aa
None of these worked and the only solution that does work is using wan IPv6 address.

From a personal perspective this is not an issue as (a) my 'dynamic' IPV6 is not at all dynamic and (b) creating a new server + device + adding it to the phone takes no more than a couple of minutes. However, I am happy to keep helping you find a solution for actual dynamic IPv6 if you are prepared to pursue this.
Crap... I don't really find anything that would do this, and without having this myself, it is extremely hard to debug.

The only thing left could be to find the scope of the problem, meaning how much of your prefix could you change. While you accidentally encountered the bug, you used a /48 prefix instead of your /64, so you changed 4 more numbers than your prefix allowed. This package got forwarded to eth0 successfully. So could you change more, like
2a02:c7f:: -->?
2a02:: -->?

To speed up testing, just check if the packages arrive out on eth0 (using tcpdump), but don't expect any reply. To create a ULA with 2 as prefix is risky as it could cause conflict with IPs on the internet. But A.F.A.I.K. only IPs starting with 2 are used today, so if we could just change something:
2 = 0b0010 /4
so if the limit is /3 then perhaps 3 could be used as well as:
3 = 0b0011 /3
or can we change just one more bit:
4 = 0b0000 /2
best case, maybe even another:
6 = 0b0110 /1
finally:
a = 0b1010 (already checked this to not work)

so the full list to test would be something like:
2a02:c7f:: -->?
2a02:: -->? (/16)
2a00:: -->? (/12)
2af0:: --> ? (/8)
2000:: -->? (/4)
3000:: -->? (/3)
4000:: --> ? (/2)
6000:: --> ? (/1)
a000:: --> doesn't work /0

I know it is a lot of testing and will probably take like half an hour to go through. On the other hand, you could do it by successive approximation: start in the middle (2000::) and if it works, continue down, if not, continue up. Hopefully we could find a prefix that we could use that is not used on the internet.

Whenever you have found the smallest amount, try to use this with your masquerading rule (change the -s address accordingly) and hopefully it should work so you get a reply.

To finally resolve this, we probably need someone who has deeper knowledge on kernel routing than me.
 
None of these worked and the only solution that does work is using wan IPv6 address.

From a personal perspective this is not an issue as (a) my 'dynamic' IPV6 is not at all dynamic and (b) creating a new server + device + adding it to the phone takes no more than a couple of minutes. However, I am happy to keep helping you find a solution for actual dynamic IPv6 if you are prepared to pursue this.
So just to recap...

Your 'client' Peer is the Android SGS20?...if it is ..... is the Endpoint in the SGS20 defined as the explicit IPv6 address of the router, or are you using a DDNS name?

Given my post regarding Android using/preferring IPv4, can/have you tried say a Win laptop as the IPv6 client?
 
I have uploaded wireguard_manager Beta v4.16b3
To apply the patch use
Code:
e  = Exit Script [?]

E:Option ==> uf dev

Thank you for your work.

If I run fc disable, my internet speed is way slower (around 300mbit down/100mbit up) than it should be (1g down/100mbit up). Is this normal behavior? I've found that "fc disable" is somehow related to hw acceleration. Correct?
 
So just to recap...

Your 'client' Peer is the Android SGS20?...if it is ..... is the Endpoint in the SGS20 defined as the explicit IPv6 address of the router, or are you using a DDNS name?

Given my post regarding Android using/preferring IPv4, can/have you tried say a Win laptop as the IPv6 client?
As noted above if the server is configured using assigned WAN address (the 2a02::...) address then IPv6 works fine. This issue is that it stops working with a ULA (non 2...) address. As my IPv6 is dynamic, rather than static, it would be preferable to find how to use a ULA address.

The endpoint on the SGS20 is the DDNS_name: port. My challenge for (all suggestions welcome) is how best to test on a laptop. I mainly work from home and while I can add a client to a laptop, I don't want to be on the home LAN when testing - at least with the phone I can just disable wi-fi.

I could try tethering the laptop and phone (something new to learn), but that adds an extra layer of routing. I will give a try later.
 
it would be preferable to find how to use a ULA address.
Agreed, but you don't HAVE to use a ULA. You only need something that you know never will conflict with anything online. So in theory you could borrow a portion of someone else's static ipv6 that you know you will never contact online. You will anyway masquerade it so it won't be used online.

The problem is that if e.g. Google starts using the same address as you choose, any lan clients wanting to visit google sites will end up at wg21, where no such services exist.

If you could find an address space not used today it would be the second best thing.
 
As noted above if the server is configured using assigned WAN address (the 2a02::...) address then IPv6 works fine. This issue is that it stops working with a ULA (non 2...) address. As my IPv6 is dynamic, rather than static, it would be preferable to find how to use a ULA address.

The endpoint on the SGS20 is the DDNS_name: port. My challenge for (all suggestions welcome) is how best to test on a laptop. I mainly work from home and while I can add a client to a laptop, I don't want to be on the home LAN when testing - at least with the phone I can just disable wi-fi.

I could try tethering the laptop and phone (something new to learn), but that adds an extra layer of routing. I will give a try later.
I would hope that forcing the Endpoint on the SGS20 to the actual IPv6 2a02:: address, should then allow ULA addresses to be statically used by the 'server' Peer and its 'client' Peers...albeit with the ugly IPv6 NAT rule.
 
Thank you for your work.

If I run fc disable, my internet speed is way slower (around 300mbit down/100mbit up) than it should be (1g down/100mbit up). Is this normal behavior? I've found that "fc disable" is somehow related to hw acceleration. Correct?
As currently enabled (and I have no idea if it will change) this is normal. As I understand it, if you want to run the more secure VPN options on the router (not PP2P or Instant Guard) then you have a trade off between a more resource heavy solution such as OpenVPN which can work with hardware acceleration and resource light WireGuard that cannot. @RMerlin is the best person to advise here.

Which will give the best throughput is down to the router. For me I would like to work with WireGuard as it seems to (should) deal with IPv6 better than OpenVPN. If you want to run either VPN 'flat out' with a 1g link without running it on your PCs / laptops, etc, then you will need to move it onto a device with a lot more raw power.

As I have Cake enabled (which also disables HW acceleration) and a much slower ISP (80/20) I had not checked whether wgm was looking at runner/flow cache. I have just switched off Cake and restarted a server instance and noted that both (runner/flow cache) are showing as enabled in Sysinfo. While the memory usage seems higher, all CPU stats are still very low, so it doesn't seem to be an issue (yet).
 
OpenVPN which can work with hardware acceleration and resource light WireGuard that cannot. @RMerlin is the best person to advise here.
Already has.... December 2021

[Image attachment: 1647006248412.png]


and I can personally verify that when I loaded ASUS 386 Beta RC3-3 Public Beta onto my RT-AX86U it was indeed disabled when WireGuard was configured, but cannot vouch for other AX models such as your RT-AX88U
 
Thank you for your work.

If I run fc disable, my internet speed is way slower (around 300mbit down/100mbit up) than it should be (1g down/100mbit up). Is this normal behavior? I've found that "fc disable" is somehow related to hw acceleration. Correct?
@Odkrys, who made the initial compilation, put in xmark rules in the firewall to bypass hardware acceleration only for wireguard packages. These seem to work on ac86u and ax88u so we can run with hw acceleration enabled. But they don't seem to work well on newer models. I don't know where/how @Odkrys got these marks and if there are other marks that work for the newer models but none that this community seems to be aware of.

Guess it would be possible to setup a script to brute-force test through marks and write in a log which seems to at least get rid of syslog events but who knows what some marks do...
 
