Update tiny network tweaks 99-cachyos-settings.conf #187
SoongVilda commented Nov 20, 2025
- Stability: Reduced likelihood of dropped packets on wireless networks and stalled transfers inside VPN tunnels.
- Functionality: Enables full networking capabilities for Docker containers and VPN routing services.
- Performance: Improved handling of bursty traffic and high-connection counts.
1Naim left a comment
Aside from PMTUD, I don't think we need the other 2 that I posted comments on. Specifically for tcp_tw_reuse, if you really want to push for it then please provide concrete results that it helps performance in a desktop setting. Else it's just another point of suspicion when there are bugs.
| # Enables IPv4 packet forwarding. | ||
| # Benefit: Necessary for functionality in Containers and VPN Mesh networks. | ||
| # Use Case: Required for Tailscale/ProtonVPN (Exit Nodes/Subnet Routers) and Docker/Podman containers. | ||
| net.ipv4.ip_forward = 1 |
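Review bot: The comment block above `net.ipv4.ip_forward = 1` lists only benefits and does not say that this key is global: it turns on IPv4 forwarding for every interface, so any machine that installs this file will route packets between its networks unless a firewall forward policy stops it. Suggest stating that scope in the comment, or dropping the line from the default file and leaving it to the software that needs it. The "Required for Tailscale/ProtonVPN" wording also reads broader than its own parenthetical, which limits the requirement to exit nodes and subnet routers.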
Isn't this mainly for servers that are trying to act as routers? I don't see why this should be enabled for desktops.
We already had that enabled; I just moved this to the network section to have everything in one place.
If you are not using Docker, KVM virtualization, or VPN, then that is useless, correct.
The host kernel must forward packets from the virtual interface (e.g., docker0, virbr0) to your physical interface (e.g., Ethernet or Wi-Fi).
Since Docker, KVM, or VPN is used on the desktop, I think we should keep it enabled as we have it.
I don't know about docker, but there's no need to enable this for KVM network access or using a VPN.
a. The virtual bridge for KVM works fine accessing the host network via dnsmasq without touching this setting.
b. No, you don't need this to use a VPN. It's needed if you're hosting a VPN server.
Check this:
- https://docs.docker.com/engine/network/packet-filtering-firewalls/#docker-on-a-router
- Docker host need to have IP Forwarding enabled moby/moby#490
- alphagov/govuk-puppet@01c7f2a
- Fix core-dns issue for my local minikube cluster vadafoss/daily-updates#3 (comment)
net.ipv4.ip_forward = 1, so I think this one should still be there. I also noticed we have some Tailscale users on Discord, and Tailscale requires this one if you want to act as exit node, but yeah, that's a small amount of users, mostly needed for Docker.
That's very software-specific. Rather useless for the average desktop user. If the value is enabled, it applies not only to Docker but globally (for security reasons, this should remain disabled (set to 0) unless the software explicitly). With this enabled (1) packages can then be forwarded. The computer acts as a router. I think if someone is using Docker or other specific (server) software, they'll already know what they need and will have to adjust it manually.
Hope that helps. KISS
| # Allows reusing sockets in TIME_WAIT state for new connections. | ||
| # Benefit: Prevents "Port Exhaustion" during high connection turnover. | ||
| # Use Case: Improves performance for P2P apps (Syncthing/Torrents) and web servers. | ||
| net.ipv4.tcp_tw_reuse = 1 |
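Review bot: The "Use Case" comment above `net.ipv4.tcp_tw_reuse = 1` names P2P apps and web servers without any measurement, and the comment block does not say that `= 1` replaces the kernel default of 2 (loopback traffic only, per the ip-sysctl documentation quoted in this thread). Suggest adding the default value and the reason for overriding it to the comment, or dropping the line from a desktop profile until there are results to cite.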
This also seems to be only beneficial for busy servers. IOW, doesn't have much effect if at all on desktops.
I agree this is a really edge-case parameter, which we could drop. It would be beneficial on desktop only for large torrenting.
I can't say much about that but:
https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
tcp_tw_reuse - INTEGER
Enable reuse of TIME-WAIT sockets for new connections when it is
safe from protocol viewpoint.
0 - disable
1 - global enable
2 - enable for loopback traffic only
It should not be changed without advice/request of technical
experts.
Default: 2
Hope that helps.
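
An added example, not part of this pull request or the project's code: a shell function that parses a sysctl.d-style file and reports where it overrides the kernel defaults for the two keys debated in this thread. The defaults table (`ip_forward` 0, `tcp_tw_reuse` 2), the function names and the sample file are assumptions constructed for illustration.

```shell
# Added example (not project code). The defaults table is an assumption taken
# from the kernel ip-sysctl documentation: ip_forward 0, tcp_tw_reuse 2.

# audit_sysctl_conf [FILE...]: print "key set=V default=D" for each deviation.
# Reads stdin when no file is given.
audit_sysctl_conf() {
    awk '
        BEGIN {
            def["net.ipv4.ip_forward"]   = "0"
            def["net.ipv4.tcp_tw_reuse"] = "2"
        }
        /^[ \t]*[#;]/ { next }                # comment line (# or ;)
        /^[ \t]*$/    { next }                # blank line
        {
            line = $0
            sub(/^[ \t]*-?/, "", line)        # leading "-" means ignore write errors
            eq = index(line, "=")
            if (eq == 0) next                 # not an assignment
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub("/", ".", key)               # simplification: net/ipv4/x -> net.ipv4.x
            if (key in def) seen[key] = val   # last assignment in the input wins
        }
        END {
            for (k in seen)
                if (seen[k] != def[k])
                    printf "%s set=%s default=%s\n", k, seen[k], def[k]
        }
    ' "$@" | sort
}

# Constructed sample mirroring the two settings reviewed in the thread.
sample_conf() {
    cat <<'EOF'
# network section (constructed sample)
net.ipv4.ip_forward = 1
; alternative comment style
-net/ipv4/tcp_tw_reuse=1
net.ipv4.tcp_tw_reuse = 2
vm.swappiness = 100
EOF
}

sample_conf | audit_sysctl_conf
```

In the sample only `ip_forward` is reported, because the later `tcp_tw_reuse = 2` line restores the default before the file ends.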