It turns out that, to save on CPU and deal with some broken clients, conntrack doesn't checksum by default. I just turned it back on.

    echo 1 > /proc/sys/net/netfilter/nf_conntrack_checksum
    echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_checksum

I think leaving it on is a good idea and will probably do so in a follow-on release, but am open to opinions.

AND: I think this is a bug in cero on larger networks. I have seen in the field timeouts (far) lower than 3600, and I think the RFC is 7200, and I have no idea why I put this in there... except that I used to (before I switched to mosh) maintain a lot of long-running ssh sessions.

    net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=432000

One behavior I've been battling has been "after a while", a given radio would be able to forward packets around the internal network just fine. But: frequently you can get stuff through the gateway, but after a couple hops things would fail to return, so I first suspected crc (which I'm mostly putting down to the tcpdump tool not the network right now), then nat.

So I can see the above value exhausting the nat table... going to get rid of the double-nat today or tomorrow

-- 
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
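
One way to check the table-exhaustion suspicion raised in the message above, as an added example that is not part of the original post or of CeroWrt: it reads the conntrack entry count and table size and reports utilization next to the checksum and established-timeout settings. The function names, the CT_DIR override and the 80% threshold are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example: report conntrack table pressure and the two settings
# discussed in the post. Function names and the 80% warning threshold
# are assumptions for illustration, not CeroWrt code.

# Directory holding the nf_conntrack_* sysctls; overridable for offline use.
CT_DIR="${CT_DIR:-/proc/sys/net/netfilter}"

# ct_read NAME -> prints the value of nf_conntrack_NAME, fails if unreadable
ct_read() {
    f="$CT_DIR/nf_conntrack_$1"
    [ -r "$f" ] || return 1
    tr -d ' \n' < "$f"
}

# ct_usage_pct -> integer percentage of the conntrack table currently in use
ct_usage_pct() {
    count=$(ct_read count) || return 1
    max=$(ct_read max) || return 1
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# ct_report [THRESHOLD] -> one-line summary (timeout is in seconds);
# returns 2 when usage is at or above THRESHOLD percent, 1 if sysctls are missing
ct_report() {
    threshold="${1:-80}"
    pct=$(ct_usage_pct) || { echo "conntrack sysctls not found in $CT_DIR"; return 1; }
    csum=$(ct_read checksum || echo unknown)
    est=$(ct_read tcp_timeout_established || echo unknown)
    echo "usage=${pct}% checksum=${csum} tcp_timeout_established=${est}"
    [ "$pct" -lt "$threshold" ] || return 2
}

# Run the report only when invoked as: script report [threshold]
if [ "${1:-}" = "report" ]; then
    ct_report "${2:-80}"
fi
```

A table that stays near full while the established timeout is very long is consistent with idle flows holding entries for days rather than with checksum problems.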