birdfeedr
Premium,MVM
join:2001-08-11
Warwick, RI
 ·Verizon FIOS
| Steam on a router in the Actiontec DMZ
Using the method suggested by Cogdis  in this thread »Re: New MI424 firmware 4.0.16.1.56.0.10.11.3 pushed Dec. 18
I downloaded Steam.
First test: Actiontec Rev A (fw 10.7) is primary. Connected PC wired via DHCP to Actiontec LAN port. Other devices active: DLink DIR-655 is connected LAN-to-LAN, Actiontec is handling DHCP. STB and idle Slingbox on coax LAN.
Results: Refresh Server list. Stalled at approx 25 servers, hit Cancel Refresh. Unable to log into router admin at first, but within 30 seconds the router admin responded. Logged in, viewed Security Log, filled with "NAT Error : connection pool is full. No connection created".
Second test: Reconfigured DLink to static IP WAN 192.168.1.2 connected to Actiontec LAN port. PC connected via DHCP to LAN port on DLink. Actiontec configured to DMZ the DLink. No change in other devices connected.
Results: Refresh Server list. Stalled at 159 servers, then hit Cancel Refresh. Unable to log into Actiontec router admin at first, responded within 30 seconds. Security Log shows filled with NAT error messages. Date/time stamp on log entries correspond with activities.
Conclusion at this point: DMZ location may benefit some connection activities by allowing a smaller size connection record, but it appears the Actiontec is still limited by its NAT table in both configurations. DMZ does not appear to be a straight pass-through.
Running out of time this morning. Will set up test 3 tonight: DLink as primary. Also, will re-run test 2 and see if admin to the DLink is immediate. Admin to the Actiontec was definitely delayed in both instances, but not locked up. Test 2 recovery appeared faster than test 1.
It appears that P2P and Steam connections that stall may recover if the application can limit or cancel connection activity.
Further testing will involve new firmware 10.11.3 |
|
More Fiber
Premium,MVM
join:2005-09-26
West Chester, PA | Good info birdfeedr |
|
cdru
Go Colts
Premium,MVM
join:2003-05-14
Fort Wayne, IN
| reply to birdfeedr
said by birdfeedr :DMZ does not appear to be a straight pass-through. The DMZ is just a catch all for incoming connections. Instead of having to explicitly forward a port or range of ports to a particular host, you can put a machine in the DMZ and have any connections that don't match a particular port forwarding rule or existing connection get forwarded to that machine. The router still has to maintain the NAT mapping, thus your NAT table will fill up.
My guess is the difference between getting 25 servers and 159 servers wasn't the fact that you were using the DMZ, but rather what initial peers you were connecting to and the NAT table utilization prior to launching Steam. To get a more accurate gauge, I would reset the actiontec to ensure the NAT table was empty (or as reasonably empty as possible) as well as delete any cached data from within the application. Then repeat the process several times to get an average. |
|
birdfeedr
Premium,MVM
join:2001-08-11
Warwick, RI
·Verizon FIOS
| said by cdru :The DMZ is just a catch all for incoming connections. Instead of having to explicitly forward a port or range of ports to a particular host, you can put a machine in the DMZ and have any connections that don't match a particular port forwarding rule or existing connection get forwarded to that machine. The router still has to maintain the NAT mapping, thus your NAT table will fill up. My guess is the difference between getting 25 servers and 159 servers wasn't the fact that you were using the DMZ, but rather what initial peers you were connecting to and the NAT table utilization prior to launching Steam. To get a more accurate gauge, I would reset the actiontec to ensure the NAT table was empty (or as reasonably empty as possible) as well as delete any cached data from within the application. Then repeat the process several times to get an average. While I would ordinarily pursue something to the ends of the earth if I had a major interest in it, this exercise is merely for testing the NAT pool problem and a solution suggested by others.
One of the really nice things I like about the DLink DIR-655, it shows the contents of the connection table. I did a quick re-test of the #2 configuration as outlined above. First, I do not see an obvious way to clear the cached Steam data. In this latest try, I only got 4 servers listed. There is a difference between Quick Refresh and Refresh All. I think the DLink connection table should be a relative mirror of the Actiontec connection table because all the Steam requests are going through both. On this latest test there were 47 pages of about 38 connections listed for each PageDown in the DLink status page.
Interestingly enough, I was already logged in to the Actiontec admin page, as well as the DLink admin in another tab when I initiated the test. I was able to negotiate my way through the various status pages after the NAT pool errors occurred, just not able to make a new connection with DSLR web page right away.
DLink shows the Timeout values for the connections in the table. Next in-depth test will be to see if there is a direct correlation in DLink timeouts and when the Actiontec clears up.
So far, I have not locked up the Actiontec, it's only been delayed. |
|
birdfeedr
Premium,MVM
join:2001-08-11
Warwick, RI
·Verizon FIOS
| reply to birdfeedr
Maybe the connection list is time sensitive. In test mode #2 the following was noted.
At 08:15, 860 connections (guessing), 159 refreshed.
At 12:15, 2021 connections were displayed, 4 refreshed.
At 16:45, 3655 connections were displayed, 13 refreshed.
# of servers refreshed will be a function of the number of replies that make it back to be counted.
Methodology: Have three browser tabs open and current: DLink connections list, Actiontec security log already cleared, DSLR forum page loaded.
Steam running. It initially automatically does a refresh all. Cancel it and wait 300 seconds for all the connections to be cleared from the DLink list.
That leaves 50 connections in the DLink list, which seems normal for this setup.
1. Refresh Steam Servers.
2. Refresh DSLR web page, when the progress bar stops (seems to be about 5 or 10 seconds) and hour glass spins,
3. Cancel Server Refresh.
4. Refresh DLink connections list, and count PageDowns. There's 43 items on each page.
DSLR page finishes refreshing anywhere from 30 seconds to under a minute. Nevertheless, from click in step 1 to refresh of DSLR web page is less than 300 seconds timeout for all the UDP connections.
There are vastly more UDP connections than TCP. Would this be a factor in the behavior seen so far? |
|
More Fiber
Premium,MVM
join:2005-09-26
West Chester, PA
 ·Bay Area Internet ..
| said by birdfeedr :There are vastly more UDP connections than TCP. Would this be a factor in the behavior seen so far? It could be. UDP is not a session oriented protocol like TCP, so a UDP NAT entry can be deleted as soon as a reply is received. TCP entries will be deleted only when the socket is torn down. |
|
aaronwt
Premium
join:2004-11-07
Woodbridge, VA
·Verizon FIOS
1 edit | reply to birdfeedr
I just tried this STEAM test and refreshed the server list four times. First it showed 3184, then 3212, then 3418, and then 3438 servers.
I was able to log into my ActionTec like normal during all of this, it popped up quick as usual. Nothing is in the ActionTec log except the hourly IP renewal which is normal. I was also able to get into the Dlink router with no problems each time. That log does show bunch of entries.
But the whole time this was going on the only thing I noticed was when I refreshed the DSLR page instead of popping up in a split second it would take 5 to 10 seconds. Other sites I tried would either do the same thing or pop up right away. And then of course as soon as I stopped the server refresh all pages would pop up in a split second.
What should I look for specifically in the Dlink logs?
From a user stand point it just slowed down loading a few sites. My three VUDU boxes were still uploading during all of this at around 300kbs for each one which is normal, and my two squeeze boxes didn't have any problem streaming internet music during all of this either. And of course my internal network was fine. My transfers from my TiVos were still fine during this to my TiVo Server. |
|
birdfeedr
Premium,MVM
join:2001-08-11
Warwick, RI
·Verizon FIOS
| Moved reply to best topic to continue discussion.
said by aaronwt :1. First it showed 3184, then 3212, then 3418, and then 3438 servers. 2. I was able to log into my ActionTec like normal during all of this, it popped up quick as usual. Nothing is in the ActionTec log except the hourly IP renewal which is normal. 3. I was also able to get into the Dlink router with no problems each time. That log does show bunch of entries. 4. But the whole time this was going on the only thing I noticed was when I refreshed the DSLR page instead of popping up in a split second it would take 5 to 10 seconds. 5. Other sites I tried would either do the same thing or pop up right away. And then of course as soon as I stopped the server refresh all pages would pop up in a split second. 6. What should I look for specifically in the Dlink logs? From a user stand point it just slowed down loading a few sites. My three VUDU boxes were still uploading during all of this at around 300kbs for each one which is normal, and my squeeze boxes didn't have any problem streaming music during all of this either. And of course my internal network was fine. My transfers from my TiVos were still fine during this to my TiVo Server. Broke your response up and numbered for clarity.
1. You got a lot further in servers updated than I could. the most I ever reached was 25, only 4 in one test.
2. I was able to login to the Actiontec, or refresh DSLR pages, only *after* I canceled Refresh Servers. All attempts stalled until then. Logging In to the Actiontec is a new connection. Note: already logged in to Actiontec was ok, could change to another page without problem. Refreshing an existing open DSLR page probably initiated a new connection to i.dslr.com server which is why that page stalled.
3. Look in the Firewall Security log. That's where the NAT pool messages appear.
4. Don't worry about the DLink, because that's not an issue. It can handle all that traffic and more, which is why some people want to ditch the Actiontec.
5. Refreshing DSLR page occurs for me only *after* canceling server refresh. Probably because it initiates a new connection to one of the embedded server links.
6. The DLink status page / Internet Sessions list will show, as best as I can determine, the connection count which appears to be the limitation some have experienced. My screen lists 43 on a page, I counted PageDown keypresses to get to the bottom. I did not break it out by TCP / UDP which may be a factor. If I explore this issue further that will be something I'll look into. By your account, you did experience some measure of what I posted about. The only thing I can surmise why you are not feeling the effects as severely may be because your 50/20 is faster and has a 40% upload bandwidth ratio, compared to my 20/5 with a 20% upload bandwidth ratio.
Except for some of the game-friendly features in the DGL-4500, your DLink is fairly close in performance specs as my DIR-655. Both of them out-perform the Actiontec.
I'm still not convinced the Actiontec DMZ will give everyone a free pass. |
|
birdfeedr
Premium,MVM
join:2001-08-11
Warwick, RI
·Verizon FIOS
| reply to birdfeedr
@ aaronwt: I will try to establish additional benchmark tests to explore the NAT table problem. My Actiontec is not currently running the new 10.11.3 firmware. Is yours?
I'm just trying to find the differences between your setup and mine to explain why you have different results. Perhaps internal perormace of the DGL is also a factor. |
|
aaronwt
Premium
join:2004-11-07
Woodbridge, VA
·Verizon FIOS
| said by birdfeedr :@ aaronwt: I will try to establish additional benchmark tests to explore the NAT table problem. My Actiontec is not currently running the new 10.11.3 firmware. Is yours? I'm just trying to find the differences between your setup and mine to explain why you have different results. Perhaps internal perormace of the DGL is also a factor. My firmware shows
Version: 4.0.16.1.56.0.10.11.3
Release Date: Dec 15 2008
Platform: MI424-WR |
|
birdfeedr
Premium,MVM
join:2001-08-11
Warwick, RI
·Verizon FIOS
1 edit | reply to birdfeedr
Very interesting. The 10.11.3 firmware no longer logs the "NAT error connection pool is full" error message.
Under the new firmware with DLink connected LAN-to-LAN, the Steam application exhibits the same behavior already reported. It seems it took longer to recover once I canceled the Steam Server Refresh.
[edit to add]Confirmed. Same behavior when DLink is LAN-to-LAN in the DMZ. Reverted to 10.7, and error messages reappear. No change in Log settings from one firmware to the next. |
|
aaronwt
Premium
join:2004-11-07
Woodbridge, VA
·Verizon FIOS
| said by birdfeedr :Very interesting. The 10.11.3 firmware no longer logs the "NAT error connection pool is full" error message. Under the new firmware with DLink connected LAN-to-LAN, the Steam application exhibits the same behavior already reported. It seems it took longer to recover once I canceled the Steam Server Refresh. [edit to add]Confirmed. Same behavior when DLink is LAN-to-LAN in the DMZ. Reverted to 10.7, and error messages reappear. No change in Log settings from one firmware to the next. I connect my DLINK WAN port to the Actiontec LAN port. Would that create any differences? |
|
birdfeedr
Premium,MVM
join:2001-08-11
Warwick, RI
·Verizon FIOS
| said by aaronwt :I connect my DLINK WAN port to the Actiontec LAN port. Would that create any differences? Original test last Friday was double natted. That's the only way to get a connection count on the DLink. It does not create a table for LAN-to-LAN configuration because there's no WAN traffic. LAN-to-WAN with the new firmware will be my next test tonight. |
|
birdfeedr
Premium,MVM
join:2001-08-11
Warwick, RI
·Verizon FIOS
| Steam server refresh with DMZ'd double NAT gives me a gazillion connections, stalled WAN traffic, poor internet performance until I cancel the refresh and wait a short time. Less than 1 minute for Actiontec status to refresh. New firmware does not log NAT pool errors. Only got as far as 35 servers updated in Steam.
aaronwt's connection and performance is not the same as mine.
Next step is to put the DLink as primary, and try the test again. |
|
