Posted: Thu Aug 17, 2017 8:29 Post subject: Shortcut Forwarding Engine?
I tried searching but didn't really come up with anything in a reasonable amount of time searching. What exactly is this feature on the main ddwrt page? I've only noticed it recently. I am using an R9000 with an 8/3/2017 BS build at the moment. Any insight and info on this would be much appreciated as well as recommendations to have it enabled or disabled and what are the pros and cons of each, thanks.
I run Yamon on my R9000 and cannot enable SFE because of it.
The R9000 does gigabit Internet without SFE enabled and is the reason I use them.
_________________
Segment 1 XR700 10Gb LAN, 1Gb WAN ISP BS
Wired AP 1 Unifi Wifi 6 LR US 1Gb LAN
Wired AP 2 Unifi Wifi 6 LR US 1Gb LAN
Wired AP 3 Unifi Wifi 6 LR US 1Gb LAN
Syslog Services Asustor 7110T NAS 10GB
NetGear XS716T 10GB Switch
download1.dd-wrt.com/dd-wrtv2/downloads/betas/ (Brain Slayer)
YAMon https://usage-monitoring.com/index.php
I've been using it on and off all this year, and really haven't had any concrete evidence it's been implemented/enabled as stated when I turn it on.
Has anyone here used it and seen a noticeable improvement on an underpowered router? I get around 70 megabit with and without it with a 650MHz single-core Atheros on WAN to LAN. Maybe its implementation is bugged on the TP-Link 841?
When I swap in a gig router I get 120 megabit, but that router is Broadcom and a POS for reliability.
SFE definitely makes a difference, but you need very fast Internet to see that difference.
I'm using a TEW-673GRU as my router (it has a single-core CPU running at 680MHz, so it's not exactly a powerful system; I have the WiFi disabled, though, since it's only 11n and I instead have a separate 11ac device that acts as my AP), and I have symmetric 1Gbps service from Google Fiber.
My speed tests cap out at around 300 Mbps without SFE. With SFE enabled, I get over 900 Mbps on the same speed test (it's actually slightly faster than the router provided by Google Fiber--I prefer to use my own device rather than the heavily-dumbed-down and restrictive one from Google).
So, yes, if you have Gigabit-class service, SFE makes a huge difference and you definitely need to have it enabled. But anything under 200Mbps, you probably won't notice anything different. And of course, your router must also have a Gigabit WAN port; I think one of the posters above was seeing only 70 Mbps because they're comparing a 100Mbit WAN to a Gb WAN.
_________________
Buffalo WZR-1750DHP: 34311
TRENDnet TEW-673GRU: 34311
TRENDnet TEW-811DRU: 33986
SFE also reduces CPU utilisation as it bypasses unnecessary firewall checks once a connection has been established. I turned it on although I only have a 50mbps connection, as I need all available CPU cycles since I also use OpenVPN on my router, which is a CPU hog.
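The behaviour described in the post above (rule checks are skipped once a connection has been established), as an added example that is not part of the thread and is not SFE's source code: a simplified flow-cache model in C, with hypothetical names, constructed addresses and a constructed one-rule policy. In this model the ruleset decides the first packet of every flow, denied flows never enter the cache, and per-packet rule counters stop seeing a flow once it is cached.

```c
/* Simplified flow-cache model. Added illustration, not SFE source; names are hypothetical. */
#include <stdint.h>
#include <stdio.h>

struct flow { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };

#define CACHE_SLOTS 64
static struct { struct flow f; int used; } cache[CACHE_SLOTS];
static unsigned long rule_evals, fast_hits; /* ruleset runs / cached forwards */

static int same_flow(const struct flow *a, const struct flow *b) {
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}

static unsigned slot_of(const struct flow *f) {
    return (f->src ^ f->dst ^ f->sport ^ f->dport ^ f->proto) % CACHE_SLOTS;
}

/* Slow path: the full ruleset. Constructed policy: allow TCP port 443 only. */
static int firewall_allows(const struct flow *f) {
    rule_evals++;
    return f->proto == 6 && f->dport == 443;
}

/* Returns 1 if the packet is forwarded, 0 if it is dropped. */
int forward_packet(const struct flow *f) {
    unsigned s = slot_of(f);
    if (cache[s].used && same_flow(&cache[s].f, f)) {
        fast_hits++;               /* known flow: ruleset is not consulted */
        return 1;
    }
    if (!firewall_allows(f)) return 0;  /* denied flows are never cached */
    cache[s].f = *f;
    cache[s].used = 1;
    return 1;
}

/* Connection teardown: the next packet of this flow takes the slow path. */
void flow_closed(const struct flow *f) {
    unsigned s = slot_of(f);
    if (cache[s].used && same_flow(&cache[s].f, f)) cache[s].used = 0;
}

int main(void) {
    struct flow web = {0x0a000002, 0xc6336407, 40000, 443, 6}; /* constructed */
    for (int i = 0; i < 100; i++) forward_packet(&web);
    printf("ruleset runs: %lu, fast-path packets: %lu\n", rule_evals, fast_hits);
    return 0;
}
```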
I'm sorry for reviving a 2 year dead thread, but I'd like to know if using the SFE has any security implications? I'm new to DDWRT so please state even the obvious. Google isn't producing very good results.
No, it will not. Think of it as similar to cut-through forwarding.
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Mon Jun 15, 2020 22:12 Post subject:
tcabez wrote:
I'm sorry for reviving a 2 year dead thread, but I'd like to know if using the SFE has any security implications? I'm new to DDWRT so please state even the obvious. Google isn't producing very good results.
hmmm safe,....what is safe..define level of safe ???
What is your router / current build running?
in simple words...SFE in terms of security...in order to speed up the traffic/packets through the software NAT, it punches a hole in it...(as it doesn't check some packets), but it's considered safe, unless someone targets that bit...in very tiny scenarios...
many other router software has it, as well some routers come with hardware NAT acceleration 'which is basically the same' but has a chip for it...
If you need SFE......to squeeze some more performance out of your router, then you use it, but it's not a favourite thing to use...
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
I'm running the latest build for an R7000. Everyone is saying I need SFE to achieve gigabit as I have full gigabit fiber internet. I'm just concerned that since it punches a hole, that it's allowing things to bypass checks that you want? I thought I read in an old Dev log from the guy from Qualcomm that came up with it, that it allowed some checks then it punches. But I just want to make sure I'm not opening a gaping hole to the outside world, or making it very easy for someone to remotely attack me easier.
This feature doubles bandwidth throughput on my LinkSys E2500 running the latest DD-WRT.
I have 120Mbps connection with Gigabit LAN router and I can achieve about 100-110Mbps with WireGuard VPN (on PC client) with that configuration, but that router is not considered to be safe and secure.
I chose to double-NAT with LinkSys E2500 running DD-WRT to keep myself more secure. LinkSys E2500 is a 100Mbps LAN router and with SFE disabled and WireGuard, I get about 40-50Mbps maximum speed. With SFE enabled, I get 75-85Mbps.
Is there more information about SFE? If it punches a NAT hole like STUN, ICE, and WebRTC, then it may not be worth it.
The Gigabit router is bad at filtering multicast and disabling UPnP correctly. Does SFE prevent DD-WRT from properly filtering multicast signals? Does SFE bypass other DD-WRT security measures?