OpenWrt Forum Archive

Topic: syn flood protection

The content of this topic has been archived on 22 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I had a problem with internet connection recently which I described here http://pastebin.com/WDtMGv6U
After several days of fighting with it I figured out that the problem should be with the router. Looking closely I've found that syn-flood protection is activated. Disabling it solved the problem.

So if this setting is activated by default it shall work properly. If it doesn't work correctly it shall not be activated at ALL! Because it wasn't obvious that there is a correlation between this setting and the described problem.

Proxy Lion wrote:

I think syn flood protection will be activated.

But it shouldn't be if it breaks router functionality.
Anyway, who needs syn flood protection on a home router?

Sounds nasty. And I haven't encountered this problem so far. And others neither, or the forum would contain serious complaints.

Thus I don't think it is synflood alone. => To quote you: "A wireless linux computer is not affected and works fine!"

Try a wired linux computer, to convince yourself, it is a windows problem. And it's got to be a specific one, since there are no other complaints.

Orca wrote:

Sounds nasty. And I haven't encountered this problem so far. And others neither, or the forum would contain serious complaints.

Thus I don't think it is synflood alone. => To quote you: "A wireless linux computer is not affected and works fine!"

Try a wired linux computer, to convince yourself, it is a windows problem. And it's got to be a specific one, since there are no other complaints.

I've never changed any firewall settings. But I'm keeping a copy of the /etc/config/firewall for the next upgrade. So any changes made to this file will be overwritten by an older copy. This change, for instance, was overwritten by an older version, so I do not have the network section in my current config file.

here is my /etc/config/firewall

Now another question to ask - is it legal AT ALL to save older config files? Because devs are constantly changing interfaces without a warning and older config files may easily be rendered obsolete, which could lead to such a problem.
(The first question was about syn flood protection be activated at all by default on a home router. I see no reason doing so)

btw I've got r27199 installed on my router.

Did you try what I told you to? Plug the linux host into the wired port of the windows host? If this works, this would be another windows only problem.

I use OpenWrt because I can set things up as I want, the way I already learned when using Linux back in the day. The very first thing I set up was the firewall. If you do not like the pre-configured firewall, you should simply set up your own. I hope you do not need permission for that.

While I do not mind welcoming and addressing beginners, there is no way around learning. That is the point in operating an OpenWrt-powered device, to learn and move on, instead of staying dumb with the crowd.

Orca wrote:

Did you try what I told you to? Plug the linux host into the wired port of the windows host? If this works, this would be another windows only problem.

No I didn't try it because I don't give a shit if it works for a linux client. Even if it is windows only problem it is STILL a problem.

If it is a windows problem then it got nothing to do with OpenWrt and you (and others...) do not need to waste time with chasing this problem on OpenWrt.

BTW, I use Windows XP, and some friends do so as well. I have no problems, they do, but they got nothing to do with OpenWrt. Or else I would have addressed them already. Or confirmed your findings. I can do neither.

I also believe that people are fed up with tip-toeing around the IE6-shit. (The IE6 did not adhere to standards, and instead of ignoring this piece of shit software, people started changing their web-pages to adhere to the non-standard IE6).

Orca wrote:

If it is a windows problem then it got nothing to do with OpenWrt and you (and others...) do not need to waste time with chasing this problem on OpenWrt.

you haven't been reading carefully what I'm saying. The problem is definitely on the router side. Most probably it is related to the firewall config file that has been extended with additional settings.

flux wrote:

I've never changed any firewall settings. But I'm keeping a copy of the /etc/config/firewall for the next upgrade. So any changes made to this file will be overwritten by an older copy. This change, for instance, was overwritten by an older version, so I do not have the network section in my current config file.

here is my /etc/config/firewall

Now another question to ask - is it legal AT ALL to save older config files? Because devs are constantly changing interfaces without a warning and older config files may easily be rendered obsolete, which could lead to such a problem.

You may have run into just that. Preserving old config files can be dangerous when the underlying software modules and default settings change. You may well use either obsolete settings, or your config may miss essential parts.

I am comparing my own settings to the current defaults every now and then, and then modifying the config files, if necessary.

I would recommend that you start from scratch with the default settings for the firewall, especially "if you have never changed any firewall settings". The firewall package has gone through major changes in the past year and some defaults have changed. (Especially if you are using Backfire, the whole firewall was changed from v1 to the v2 dual stack firewall a few months ago, and all older firewall configs got pretty stale.)

EDIT: And the same goes also for other config files. I am flashing my own firmware version with default config files, and then I copy from USB stick just 5-6 files ( /etc/network, firewall, radvd, qos, wireless, ...). So, I am not even trying to think that all the automatically copied config files would stay valid for a very long time.

(Last edited by hnyman on 1 Sep 2011, 12:37)

@flux: I misunderstood your posting. You should have written:

1. I encountered this and that problem.
2. but only on Windows host connected so and so, but not on Linux host connected so and so
3. I suspect an issue with MY PERSONAL firewall settings AND syn flood protection (and maybe a Windows quirk, but I do not want to exclude that from the list of possible causes)

Would you check my configurations and solve my problem for me?

Instead you write:
1. that syn flood protection should be generally deactivated
2. that you dislike the fact that the UCI firewall is being developed (that includes changes in its configuration)

Yet we didn't ignore you, but pointed out how to solve your problem. Do it and be done with it.

Orca wrote:

Instead you write:
1. that syn flood protection should be generally deactivated
2. that you dislike the fact that the UCI firewall is being developed (that includes changes in its configuration)

Yet we didn't ignore you, but pointed out how to solve your problem. Do it and be done with it.

1. I've written - "it shall be deactivated by default if it doesn't work correctly". Feel the difference. Additionally I wondered why this setting is even activated by default. Because in my opinion having it activated would only result in increased CPU resource consumption for 99.999999999999999% of firmware users.
2. I wouldn't care if it wouldn't break old interfaces.
3. you pointed out how to solve my problem? I didn't ask for that. I knew how to solve it creating the posting.

flux wrote:
Orca wrote:

Instead you write:
1. that syn flood protection should be generally deactivated
2. that you dislike the fact that the UCI firewall is being developed (that includes changes in its configuration)

Yet we didn't ignore you, but pointed out how to solve your problem. Do it and be done with it.

1. I've written - "it shall be deactivated by default if it doesn't work correctly". Feel the difference. Additionally I wondered why this setting is even activated by default. Because in my opinion having it activated would only result in increased CPU resource consumption for 99.999999999999999% of firmware users.
2. I wouldn't care if it wouldn't break old interfaces.
3. you pointed out how to solve my problem? I didn't ask for that. I knew how to solve it creating the posting.

Sigh, well, FYI: Jow's last or penultimate posting here was: https://forum.openwrt.org/viewtopic.php … 37#p141237

So you should avoid too much criticism, and I should avoid "pushing" (=presenting) alternatives. (=flush everything and set up your own configuration exactly how YOU want it to be = no more asking where to insert new rules which do not apply, no more syn flood bla, no more breaking, = no more complaints!).

I really just tried to assist in solving a problem instead of opening old ones, but obviously sometimes I do misunderstand the intent of a posting.

I've made additional tests. I've added missing network setting into my firewall config file. Then I deactivated the 'Drop invalid packets' option and restarted the firewall. The problem is back. So the only working combination is - 'syn flood protection' is off, 'drop invalid packets' is on. All other combinations results in the described problem.
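One mechanism by which a SYN flood limit can break legitimate clients, as an added example that is not part of any post above and not code from the OpenWrt firewall package: the syn_flood option rate-limits inbound TCP SYNs with an iptables `-m limit` match, and a single LAN host that opens many connections at once (a page with dozens of objects, a client reconnecting after a dropout) can exhaust the burst allowance so that its later SYNs are silently dropped. The script below models that match as a plain token bucket; the 25/second rate and burst of 50 are assumed values, not figures taken from the thread, and the interaction with the drop_invalid option that flux reports is not modelled.

```python
"""Token-bucket model of the SYN rate limit behind a syn_flood style option.

Added example, not code from OpenWrt or from any post in the thread. It models
an iptables `-m limit --limit R/second --limit-burst B` match as a classic
token bucket (an approximation of xt_limit's credit counter, which has the
same rate and burst semantics). The 25/second and 50 figures are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class SynLimiter:
    rate: float = 25.0      # tokens refilled per second (--limit 25/second, assumed)
    burst: int = 50         # bucket capacity in SYNs  (--limit-burst 50, assumed)
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)   # bucket starts full

    def allow(self, now: float) -> bool:
        """Return True if a SYN arriving at time `now` passes the limit."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        # refill proportionally to elapsed time, never above the burst size
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False          # the syn_flood chain would DROP this SYN


def simulate(syn_times, rate=25.0, burst=50):
    """Run a list of SYN arrival times (seconds) through the limiter.

    Returns (accepted, dropped, first_dropped_index); the index is None when
    nothing was dropped.
    """
    limiter = SynLimiter(rate=rate, burst=burst)
    accepted = dropped = 0
    first_drop = None
    for i, t in enumerate(sorted(syn_times)):
        if limiter.allow(t):
            accepted += 1
        else:
            dropped += 1
            if first_drop is None:
                first_drop = i
    return accepted, dropped, first_drop


def evenly_spaced(n, interval):
    """Constructed arrival times: n SYNs, one every `interval` seconds."""
    return [i * interval for i in range(n)]


if __name__ == "__main__":
    # Scenario 1: one LAN host opens 80 connections almost at once
    # (about 78 ms in total). Only the first 51 get through; the rest are dropped.
    fast = evenly_spaced(80, 1 / 1024)
    print("80 SYNs in ~78 ms :", simulate(fast))
    # Scenario 2: the same 80 connections spread out at 8 per second all pass,
    # because the bucket refills faster than it is drained.
    steady = evenly_spaced(80, 0.125)
    print("80 SYNs at 8/s    :", simulate(steady))
    # Raising the burst allowance to 100 lets scenario 1 through untouched.
    print("80 SYNs, burst 100:", simulate(fast, burst=100))
```

The point of the model is that the limit is global to the chain, not per client: one chatty host on the LAN (or one noisy peer on the WAN, if the rule is applied there) can starve everybody else's SYNs for as long as the burst is exhausted. Whether that is acceptable depends on the link and the clients behind it, which is why the option is worth reviewing rather than assumed harmless on a home router.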

1. I didn't search for this, just noticed it en passant:

https://dev.openwrt.org/browser/trunk/p … ?rev=28148

fw_load_defaults() {
    boolean syn_flood 0
    boolean tcp_syncookies 1
}

2. The wiki article seems to be groomed by a couple of people:  http://wiki.openwrt.org/doc/uci/firewall?do=revisions

3. In Ticket https://dev.openwrt.org/ticket/10038 somebody made sane suggestions, and 2 hours later, they were applied. One could call this a prompt reaction. Unpaid work and so..

4. Now if anybody wants to discuss the pros and cons of this and that, you're welcome to do it on a technical level, but stop COMPLAINING.

Also keep in mind that there are MANY MANY MANY Linux forums where questions and discussions find a larger audience than in this abandoned-looking forum full of spam. I wouldn't be surprised if somebody discussed stuff regarding syn_protection in generic forums like http://www.linuxforums.org/forum/networking/ or http://www.linuxquestions.org/questions … working-3/ or .. and at the same time refused to do the same in a distribution specific forum. Who knows, right?

So if you do not like the answers you get here, feel free to try somewhere else.

5. I did bother to read this http://pastebin.com/WDtMGv6U (although for some people this may already be too much wild guessing) and you contradict yourself:
"I could think of:
- a router problem - working linux computer shows that it is not the router problem."

"3. you pointed out how to solve my problem? I didn't ask for that. I knew how to solve it creating the posting."

I further do not understand why you do not make any changes to the default firewall settings (you claimed that somewhere), and yet do not want to update it.

For various reasons I do not use the UCI firewall, and that's it. I do not COMPLAIN about it.

Orca wrote:

For various reasons I do not use the UCI firewall, and that's it. I do not COMPLAIN about it.

Dude, your ventilator is brrrrrr all the time. Please stop it

Dude, that is not my ventilator, it's my tongue, and the chicks love it.

In Germany we say: "Bärensex" (bear sex): stands in front of the hole and growls.

Have you checked your firewall settings and also your anti-virus program?

Default settings are meant for the majority of users, I'm sorry to hear that you experienced issues. However, SYN flood protection is there to help against DDoS attacks on users' homes (this is a real threat).

There are risks involved in using it which you unfortunately ran into, this is why "Drop invalid packets" is disabled by default. However, I personally use this as well to avoid DDoS attacks. You are correct that it will use a large amount of router CPU to keep up with this, but with a dual core processor router I'm okay with that.

The discussion might have continued from here.