A Debian Wifi Router: Kernel tuning

So it turns out that if you go with the default kernel parameters on the device you won’t get much throughput. I’m currently paying my ISP for a 25Mbit/s pipe both ways, which is bloody awesome.

I was having problems with throughput and network jitter, though. My devices had a fast connection to the router, and the router itself had the full connection available; the problem was that the router was not able to pass that full bandwidth on to its clients, and what they got would go from 25Mbit/s all the way down to 5Mbit/s all the time.

This is really damn annoying when you’re putting in a good match on Unreal Tournament, let me tell you.

Thinking it could be something related to hostapd I played around with a few more settings but nothing really made a difference. I’m having problems with reception and throughput in my bedroom but that’s for another post, I guess. Suffice it to say that with a direct line of sight to the router everything works about as expected.

So it wasn’t hostapd. I played around with iwconfig and iw as well, but neither made much of a difference. That left the network interfaces themselves and the kernel.

I dug around and found plenty of links and articles on what settings to adjust and how to adjust them, but all of them are geared towards servers of some sort. There isn’t much information that a home/office IT guy would be able to use for tuning the kernel for bandwidths of less than 100Mbit/s, which is what I’m attempting to do here. The most popular post (which I basically copied into my configuration) uses settings meant for 1Gbit/s connections, which I then adjusted with the one matching entry from the Ars Technica post.

Here’s sysctl.conf as I have it right now:

# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

###################################################################
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
# Kernel parameter adjustments
# 2016/09/12 02:59:32: http://www.nateware.com/linux-network-tuning-for-2013.html
# http://arstechnica.com/gadgets/2016/04/the-ars-guide-to-building-a-linux-router-from-scratch/
#
kernel.sem = 250 256000 100 1024

# Increase system file descriptor limit
fs.file-max = 100000
#
# Discourage Linux from swapping idle processes to disk (default = 60)
vm.swappiness = 10
#
# Increase ephemeral IP ports
net.ipv4.ip_local_port_range = 10000 65000
#
# Increase Linux autotuning TCP buffer limits
# Set max to 16MB for 1GE and 32M (33554432) or 54M (56623104) for 10GE
# Don't set tcp_mem itself! Let the kernel scale it based on RAM.
net.core.rmem_default = 4194304
net.core.wmem_default = 4194304
net.core.rmem_max = 4194304
net.core.wmem_max = 4194304
net.core.optmem_max = 40960
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 65536 4194304

# Make room for more TIME_WAIT sockets due to more clients,
# and allow them to be reused if we run out of sockets
# Also increase the max packet backlog
net.core.netdev_max_backlog = 25000
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_max_tw_buckets = 200000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 10

# Disable TCP slow start on idle connections
net.ipv4.tcp_slow_start_after_idle = 0

# If your servers talk UDP, also up these limits
net.ipv4.udp_rmem_min = 8192
net.ipv4.udp_wmem_min = 8192

# Disable source routing and redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0

# Log packets with impossible addresses for security
net.ipv4.conf.all.log_martians = 1
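Two things are easy to miss in a hand-merged sysctl.conf like this: a key assigned twice (sysctl simply applies the last value) and a hardening entry from the Debian template that is still commented out on a host that now has net.ipv4.ip_forward=1. The following audit script is an added example, not part of the original post; the baseline dict is my assumption (the template's own commented-out entries with the values their comments suggest) and the sample config text is constructed in the same layout as the file above.

```python
# Constructed sample in the layout of the post's /etc/sysctl.conf (rp_filter
# and syncookies commented out, forwarding on, rmem_default assigned twice).
SAMPLE_SYSCTL_CONF = """\
#net.ipv4.conf.all.rp_filter=1
#net.ipv4.tcp_syncookies=1
net.ipv4.ip_forward=1
 net.core.rmem_default = 4194304
net.core.rmem_default = 4194304
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
"""

# Assumed baseline for a forwarding host: the Debian template's commented-out hardening entries.
ROUTER_BASELINE = {
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.log_martians": "1",
}

def parse_sysctl_conf(text):
    """({key: value}, [keys assigned twice]); as in sysctl(8), the last value wins."""
    settings, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank, comment, or malformed line that sysctl would skip
        key, value = map(str.strip, line.lstrip("-").split("=", 1))  # '-key': ignore errors
        if key in settings:
            duplicates.append(key)
        settings[key] = value  # inner spaces are kept, e.g. '250 256000 100 1024'
    return settings, duplicates

def audit(text):
    """Duplicate keys, plus baseline entries missing or weak when ip_forward=1."""
    settings, duplicates = parse_sysctl_conf(text)
    findings = [f"duplicate key: {k}" for k in duplicates]
    if settings.get("net.ipv4.ip_forward") == "1":
        for key, want in ROUTER_BASELINE.items():
            have = settings.get(key)
            if have is None:
                findings.append(f"missing (absent or commented out): {key}, want {want}")
            elif have != want:
                findings.append(f"weak: {key}={have}, want {want}")
    return findings
```

Run it on the real file with `audit(open("/etc/sysctl.conf").read())`; it reads only what the file says, so settings applied from /etc/sysctl.d/ or at runtime are not seen.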

Everything in here can surely be tuned further, and the file itself is so damn ugly to look at, but for now at least I have a starting point I can use.

All this tomfoolery is turning me into a network wonk.