7.1.13. Advanced Settings

You can find the Advanced Settings at System → Settings → Advanced.


You can configure the firewall's connection-tracking (conntrack) timeouts for

  • ICMP
  • ICMPv6
  • TCP
  • UDP
  • GRE

as well as the size of the conntrack state table. A state whose timeout expires is removed from the table, so the next packet of that flow no longer matches an established state; if the table is full, the firewall drops the packets of new connections until entries expire.

7.1.13.1. Firewall Helper


There are four firewall helpers (connection-tracking helpers) for protocols that negotiate additional, dynamically chosen ports inside their control connection:

  • SIP
  • FTP
  • TFTP
  • SNMP

You can enable each helper individually. The firewall then parses the control connection of that protocol and tracks any additional port it negotiates, so the related data connection passes without you adding a new firewall rule for it. Because a helper inspects application-layer payload on every matching connection, enable only the helpers you actually need.
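As an added example (this is not VT AIR's own ruleset, which the page does not show), the following nftables configuration assigns the kernel's FTP connection-tracking helper explicitly, which is what the FTP helper switch does behind the scenes. The interface names lan0/wan0 are assumptions.

```nft
# Added example, not VT AIR's ruleset. Assumed interface names: lan0 (inside),
# wan0 (outside).
table inet helpers {
    # Helper object: the kernel's "ftp" helper parses PORT/PASV on the control
    # channel and registers the negotiated data port as an expectation.
    ct helper ftp-standard {
        type "ftp" protocol tcp;
    }

    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        # Bind the helper only to FTP control connections. Modern kernels do not
        # auto-assign helpers (nf_conntrack_helper defaults to 0), so this
        # explicit assignment is required.
        tcp dport 21 ct helper set "ftp-standard"
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
        # "related" matches the data connection the helper expected, so no rule
        # for port 20 or for a passive port range is needed.
        ct state established,related accept
        # Only the control channel needs an explicit rule.
        iifname "lan0" oifname "wan0" tcp dport 21 ct state new accept
    }
}
```

The same pattern applies to the other three helpers (helper types "sip", "tftp" and "snmp" with their respective ports). Without the `ct helper set` rule the data connection would arrive as `ct state new` on an unpredictable port and be dropped by the chain policy.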

7.1.13.2. Network Interfaces


You can disable hardware and software offload features here.

  • GRO (Generic Receive Offload)
  • GSO (Generic Segmentation Offload)
  • TSO (TCP Segmentation Offload)
  • UFO (UDP Fragmentation Offload)
  • TX/RX Checksum Offload

Changes take effect immediately; a restart is not required to disable or enable any of these settings.

7.1.13.3. Allowlisting


You can add multiple IPv4 or IPv6 addresses or networks that are exempt from the VT AIR login lockout. For all other sources the login is protected by a blocking function that locks the source out after 3 unsuccessful login attempts with an incorrect username or password. Only allowlist trusted management networks, since an allowlisted source can keep retrying without being blocked.

7.1.13.4. ARP Table

Here you can define the ARP (IPv4) and neighbour discovery (IPv6) cache thresholds GC1, GC2 and GC3, which correspond to the Linux neighbour table garbage-collection thresholds gc_thresh1, gc_thresh2 and gc_thresh3. The default values are 1024 for GC1, 2048 for GC2 and 4096 for GC3. GC3 is the hard maximum: once the table holds more entries than GC3, the kernel refuses to create new entries and logs a neighbour table overflow, so hosts on directly connected networks can no longer be reached. When you have a large number of clients you might need to increase the values.

7.1.13.5. Miscellaneous


Gateway Change Kill States can be enabled or disabled. When enabled, all firewall states are killed on a gateway change, which forces existing connections to re-establish over the new gateway. Be careful: this disrupts all connections.

Clear Auditlog Weeks defines how many weeks of audit logs are kept when the corresponding System Action is run. The default is 52 weeks.

CPU Mitigation can be enabled or disabled. It enables the kernel's mitigations for CPU vulnerabilities such as Spectre v2, which usually costs around 20% performance. Disabling it removes that protection, so keep it enabled unless you have measured that the system cannot reach its required throughput with it.

CPU Profile sets the system's CPU performance and power profile. Performance gives you the maximum speed but uses more energy and might produce more heat. Dynamic (schedutil) reduces the CPU speed or puts CPUs to sleep when they are not needed; the system uses less energy and might stay cooler, but it may be slower and it takes longer for CPUs to be ready to perform work.

VRRP Start Mode is either Master or Backup. Set the VT AIR that should hold the VRRP IPs to Master and all other VT AIR to Backup. If the primary unit is not set to Master, its VRRP IPs disappear for a few seconds on configuration changes and service reloads.

7.1.13.6. Firewall Flowtable

Flowtable is a fast forwarding path for TCP/UDP packets that pass through the firewall. Packets first traverse the firewall the normal way. Once the connection state is established, the connection is added to the flowtable, and every further packet of that flow is forwarded from the incoming to the outgoing interface directly, bypassing the rest of the firewall infrastructure and therefore saving a lot of processing time.

This feature allows 2-3 times faster packet processing and is compatible with QoS and logging. It is enabled by default. If you enable IDS/IPS, only traffic that bypasses the IDS/IPS is offloaded to the flowtable. If you enable the limiter inside a firewall rule, the matching traffic is not added to the flowtable, as there is no limiter functionality on the fast path. Keep in mind that offloaded packets no longer traverse the firewall rules, so a changed rule only affects new connections and flows that have left the flowtable. If you encounter any issues, please disable this feature.

MTU must be the same on all involved interfaces. Otherwise you might see very low throughput on connections, because packets that do not fit the outgoing interface's MTU cannot use the fast path.

Fig.1: Netfilter hooks and flowtable interactions
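To make the two-stage behaviour concrete, here is an added nftables example (not VT AIR's own ruleset, which the page does not show) of a forward chain with a software flowtable. It also shows how traffic that must keep the limiter stays off the fast path: a terminal verdict before the `flow add` rule means those packets never reach it. The interface names lan0/wan0, the host 203.0.113.10 and the rate are assumptions.

```nft
# Added example, not VT AIR's ruleset. Assumed: interfaces lan0 and wan0,
# a rate-limited destination 203.0.113.10.
table inet fastpath {
    # Packets arriving on these devices are looked up in the flowtable at the
    # ingress hook, before prerouting and the forward chain (see Fig.1).
    flowtable ft {
        hook ingress priority filter;
        devices = { lan0, wan0 };
    }

    # Traffic that needs per-flow rate limiting must never be offloaded,
    # because the flowtable has no limiter; this chain keeps it on the slow
    # path by issuing a terminal verdict.
    chain ratelimited {
        limit rate over 10 mbytes/second drop
        accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
        # Evaluated before the offload rule: these packets never reach
        # "flow add", so every packet of the flow keeps traversing the rules.
        ip daddr 203.0.113.10 ct state established jump ratelimited
        # Once a TCP/UDP connection is established, hand it to the flowtable.
        # The first packets of every connection still pass the rules below;
        # after that, the ingress hook forwards the flow directly.
        meta l4proto { tcp, udp } ct state established flow add @ft
        ct state established,related accept
        iifname "lan0" oifname "wan0" ct state new accept
    }
}
```

Counters or log statements placed after the `flow add` rule only see the packets that traverse the slow path, which is why a rule change does not affect a flow that is already offloaded. On NICs that support it, adding `flags offload;` to the flowtable block moves the lookup into hardware.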

7.1.13.7. PCrypt Encryption Acceleration


VT AIR can parallelize in-kernel encryption for IPsec and WireGuard. Processing of an IPsec SA is bound to a single CPU, so the encryption for that SA normally runs on one CPU as well, which can become a bottleneck for a single high-throughput tunnel.

PCrypt allows the encryption/decryption to be spread across multiple CPUs, which speeds up the entire tunnel.

By default, acceleration is enabled for AES-GCM and AES-CBC.

7.1.13.8. General Troubleshooting

In case of very slow download or upload speeds you can go to System → Settings → Advanced and disable Firewall Flowtable and/or enable the Disable GRO option. This might improve the speed.

Warning

While disabling GRO and the flowtable might improve network speeds in such cases, a firewall with this configuration processes every packet on the slow path and becomes much slower: expect considerably higher CPU load for the same throughput!