Hi @plorenz,
I just had time to change the firewall rules to run the 'direct exit on the router' tests.
Since I had to use a different application accessible from the router, the results are not comparable to my other tests. So I ran two sets of tests - one directly through the router, and one through an additional Linux tunneler. I measured page reload times. The reload had 127 requests and transferred 12.34 MB. It seems that all 127 requests are being tunneled through the same (HTTP/2) TCP session, as I only see one active TCP session with the web server.
Times through the router: 8.8s / 8.3s / 7.8s / 8.7s / 7.4s
Times through the tunneler: 24s / 20.1s / 16.5s / 18.7s / 18.5s
As you can see, it takes less than half of the time through the router.
But still, having a look at the Recv/Send queues, we see data on the Recv-Q on the connection to the service:
But on the other side it seems that there is nothing queued on the 'outgoing' side to the client - all Send-Q's are 'empty'.
Cheers,
Chris