Coova chilli throughput #61
Comments
|
@gareth41 when you say coova-chilli 1.3.0, are you referring to the release from 2012 obtained from coova.org? |
|
Yes that's correct, using the 2012 version from coova.org. I'll try the latest code from git checkout tomorrow and report back |
|
I just tried to compile this for openwrt barrier_breaker, have added as a package with autoreconf in the makefile, but getting a stop error with no makefile found, am I missing something else that needs to be added? Edit: I have also edited redir.c to allow andriod/apple devices to stay connected to wifi without them bringing up the captive portal automatically on joining the network. Androids in particular will automatically disconnect from any public wifi hotspot after approximately 1 minute if the user doesn't log into the captive portal. Some users need longer than 1 minute to fill out register/payment forms on some public hotspots. The only caveat in doing this is the requirement for the user to then open their browser manually to bring up the captive portal. I can share this if anyone wants it. |
|
Maybe push the changes to your fork on github & mention it on the mailing list, you'll get a clear indication of if should be included mainline. |
|
Yes been testing different configuration etc... with no change. Still can't get any more than around 45mbits on the tp-link. Also tried the good old linksys wrt54gl just out of interest, and with coova-chilli it struggles to reach 11mbits due to its slow processor, straight nat lan to wan on this is around 40mbits though. Have also forked and made the changes to redir.c as per above. |
|
Great, well done :) |
|
Thanks, yes i've got a few spare boxes sitting around so will try this also. Also found a bug relating to the md checksum sent in the query string from the http aaa proxy to auth server. Chilli seems to hash the auth server URL without the port number added to the URL, chilli then adds the port to the http "Host" header later. I grab the auth server address using $_SERVER['HTTP_HOST'] in my auth server php code and have to remove ":80". Looking at main-proxy.c, an easy fix if using the standard port 80 is to change the following to exclude the port number in the http request. bassignformat(req->wbuf, |
|
recently, we test chilli(version 1.3.0 and master)
|
|
@bingyunxl same results on both 1.3.0 and baster? or the master results are due to come? |
|
@AndrewMargarit Almost two results are same, so....... |
|
@AndrewMargarit maybe, use kmod-tun and copy packets is this performance issue, when our team test chilli throughput,we found the CPU's user and sys is high than normal |
|
Same here the CPU tops out at close to 100% with high throughput over the tun/tap device. Apparently OpenVPN suffers the same problem as it too uses a tun/tap device which brings me to my next question: Is encryption enabled on the chilli tun/tap device, and if so why not disable it? This would allow somewhat better throughput than what is currently achieved. |
|
Using xt_coova makes a significant difference. |
|
@nzamps we will try xt_coova, when we finish build and test this issue, I will post the result here |
|
ive just finished building it on openwrt trunk and testing on the tplink again (TL-WR1043ND v2), with no difference, still 45mbits. I'm assuming it compiled without problems, no errors were displayed after compiling. "--with-nfcoova" was specified in the Makefile and kmod-ipt-coova selected in make menuconfig, chilli shows compiled with HAVE_NETFILTER_COOVA when run in ssh console. kmod-ipt-coova is also installed. I'm not sure if i'm missing something? |
|
Firewall rules for xt_coova most likely. Unfortunately, xt_coova is not an option that generally works without some changes. See: http://lists.coova.org/pipermail/chilli/2010-April/001239.html |
|
Thanks for the info, got it all loaded now however running into the same problem exactly as described here: http://lists.coova.org/pipermail/chilli/2014-April/002661.html Client is redirected to chilli webserver using http 302 but connection is reset when trying to access the login script. If I manually authenticate client, everything works and the throughput is significantly faster! There are also loads of ARP messages in the log: The coovachilli version i'm using is from 28-11-2014, commit b93de20. I haven't tried to compile anything newer with xt_coova as there's terrible memory problems in new versions as documented in issue #85. For now iv'e been sticking with the previous release 1.3.0 from 2012 for production as its rock solid for what we're using it for and has never experienced issues apart from the lack of throughput, hence this thread i'm posting in now. |
|
Might need to see your config and firewall rules. Ensure you have the dhcplisten IP on the LAN interface and the NAT'd address (e.g. 11.x) on the tun - on older versions the IP on the LAN interface was deleted on startup. |
|
Thanks, I checked the dhcplisten IP on LAN interface, it hasn't changed or been removed. Its set to 10.1.0.1. Also have 11.1.0.1 set on the tun. br-coova Link encap:Ethernet HWaddr XX tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 I have br-coova as the chilli lan interface, bridged to port 1 so I can test cabled devices, the other ports are bridged to the default br-lan so I can retain ssh access to the router while testing chilli. I'm also using chilli in httpaaa mode. Here is my config, i've only removed the info relating to the VPS where my auth server is located. THIS FILE IS AUTOMATICALLY GENERATEDcmdsocket /var/run/chilli.br-coova.sock root@OpenWrt:/etc/chilli# cat hs.conf |
|
Also I should have mentioned i've been running chilli with the --kname=on switch, without this everything works but all routing is still through chilli hence less throughput. with --kname=on I experience the issue described above |
|
Just had a quick look: For bridges you'd probably need to use the 'usetap' option or try without the bridge. |
|
Thanks i'll give it a try. I also added the following firewall rules: iptables -I FORWARD --src 11.0.0.0/8 -j ACCEPT I have the wan in bridge mode too, i'll also try this without bridging |
|
using xt_coova, the "data flow control" function will be disabled, Is't not a good idea |
|
@gareth41 : Hello, may I have the changes you did to redir.c to disable captive portal on Android & iPhone & let them connect to hotspot via browser in couple of minutes? I was looking for it since a long time & found your comment here regarding the same. Can you please help? |
|
https://github.com/gareth41/coova-chilli/blob/master/src/redir.c#L1551 These are the changes for android, the only reason I made these changes was due to Androids only giving their users approx 60sec to complete captive portal login before disconnecting the wifi. Some people need longer than 60sec if they are required to signup for an account or fill out paypal/credit card forms etc... Apple seems ok, well atleast with the newer ios versions, no timeout i've noticed. I can give you the changes for apple if you still want them. |
|
Thanks a ton @gareth41 I need it because there is an unusual behaviour on some Android Phones. Some show captive window & some doesn't. So I have developed an App for the users to login but this captive portal windows pops up on some phones & deceits the App purpose. I want to keep it simple, no Captive Window only login through App. |
|
Here's the code to trick ios devices, however I don't know about mac books etc as I don't have one to test. You could try running chilli in debug mode with -d -f switches and grab the redirect url from the log when you try to connect using a mac book. |
|
@ankitherocker @gareth41 Modifying redir.c in order to disable the captive portal behaviour on Android and Apple devices works, but it's not a smart solution. It's way better to detect all URLs that those devices are calling when connected (e.g. captive.apple.com), then put them in |
|
Yes I agree with that, but for android devices when allowing the urls they check, it seems to open up Google.com and other Google sites like YouTube. This also brings me to another but unrelated issue I discovered today, with the change in DNS of coova.org recently to a Google owned ip, chili seems to allow Google.com and a handful of other Google sites through its firewall because coova.org is automatically added to the uam domains regardless of config. I've written a patch to fix this, just a simple edit of functions.in to remove coova.org from uam domains |
|
@gareth41 : +1: This is the exact issue I faced. Thanks for the patch & for now it seems to be the only way to handle it. I also see 1 more problem with this patch though, if Google or Apple (iOS6 had only 1 & iOS8 has 7 url checks) adds more domains to the list. It is going to be a miss & compiling chilli & upgrading the production systems with the patch would be tuff. What say? |
|
@gareth41 : Also, did you find out the reason for the disparity in chilli throughput? I recently tested the same on OpenWrt + CoovaChilli v/s DD-Wrt + Chillispot & the latter wins the throughput. Still trying to figure out why throughput drops on the first combo ~ OpenWrt + Coovachill & I see no reason to it for now. |
|
I deployed a large scale coovachilli application on our city's telecom ISP network, we have a 1g fiber link to the base backbone device, about 300 vlans on the nic which links to lay2 switch and then downlink to several AC network aggregation devices. I found the CPU usage and overall load was so high, and I have done several tweaks to avoid the chilli server to stop function (on the radius side I can see the login amounts sharp decline and I have to manually start the service several times in a day). I mainly change the tcp options in the sysctrl.conf, now the server can continue running without a restart at least for one or two days, but the load is still high, the performance is my big concern, I have also tried the newest version from the github, no obvious improvement, can you guys point out a direction to optimise the operating system or coovachilli? BTW, I have 16g memory and 64g disk space on the server. |
|
Our company is considering the option of hiring an experienced developer to solve these issues, but is going to cost us cost us thousands hence any developments/fixes unfortunately will have to be kept within the company. My knowledge of c/c++ is still quite limited as I only started learning this year, I've always been a php/mysql person. I'm happy to try and fix these issues with the help of people like David Bird and work together for the benefit of everyone, but unfortunately I kindly say that he doesn't seem to have the dedication and time to put into this project as he once did many years ago, he hasn't even commented in this thread regarding throughput, nor most other threads/issues people have raised. The old Coova forums and mailing lists used to be full of comments from David helping people. |
|
The issue is well known, the cost of copying the packets to userspace (tuntap) is a major performance hit - the same hit you seen with OpenVPN etc. A solution to pass the authenticated packets through the kernel (like how xt_coova works) is the only real viable solution that doesn't involve rewriting everything to not use a tuntap. |
|
If that's the case why would chillispot's performance seems to be better in terms of througput? Regards, Sent from my iPhone
|
|
How much difference do you see ? - from our testing it was fairly marginal compared with the difference when not running coovachilli or chillispot. Regardless, the code base's are quite different now so not easy to do a straight comparison. |
|
Well, I dint get a chance to test it on a fiber, would be doing it next week. But, on BB connection I got the same speed as my WAN running ddwrt+chillispot as compared to openwrt+chilli where I got ~30% drop in bandwidth. Seems strange to me as well. Regards, Sent from my iPhone
|
|
Thus far, this issue hasn't really qualified as a bug (at best a vague feature request). Yes, there is a throughput hit using any chilli - or any tun/tap tunnel. A feature to feature comparison of chillispot is interesting (got numbers?) -- i'd hope coova-chilli is better, it has improvements in packet buffer management, etc. Of course, it depends greatly on what features in coova-chilli are used as well. Larger networks will often take chilli off the AP. Some use the "chilli-redir" feature on multi-core systems, and maybe remove logging (which is something we do need to improve in master -- to support compile time features to strip out logging meant for debugging). In the past, I have spent a lot of time with valgrind trying to squeeze out performance, and that will continue as work goes on. We should also spent time making xt_coova robust enough for default configurations. In terms of hiring someone to address problems, great! Even better if you give it back to the community. |
|
The CPU details of the hardware listed in the first post TP-Link TL-WR1043ND v2 Mikrotik RB951G-2hnd Ubiquiti Air-router |
|
I don't think it is a simple task to solve the performance problem of chilli |
|
it's better to use wifidog in MIPS router , to use chilli, at least in x86 platform |
|
Hello all.. Has the performance/speed issue ever been solved? |
|
I'm running 1.6 on mips64 with kernel 4.9.79, and despite being |
I'm on a 100mbit fiber optic line and have been testing throughput on coova-chilli 1.3.0 using different routers loaded with openwrt barrier-breaker. I've been using speedtest.net to get my results and cabling everything in, no tests over wifi. I'm getting around 45mbits on a TP-Link TL-WR1043ND v2, the CPU is 720Mhz with 64mb ram. I also tried on a Mikrotik RB951G-2hnd and got roughly the same. Ubiquiti Air-router gets less, about 30mbits. If I bypass chilli and use straight nat lan to wan on the routers with openwrt I get very close to my line speed of 100mbits. Is there anything that can be done to maximize throughput when using coova chilli? I also tried wifidog and there's no problems with throughput, I tested wifidog 1.2.1, the only problem is that it doesn't have all the features chilli does.
The text was updated successfully, but these errors were encountered: