Advice for firewall rules

Hello... I want to use SQM with Cake and I don't know what rules to use to give UDP packets to a destination IP "first class" priority, and all packets that have a maximum packet length of 512 bytes a "second class" priority... any packets bigger than 512 bytes go to a "third class" priority queue.

Three or four queues, with the first priority queue: destination IP + UDP packets
Second queue: maximum packet length of 512 bytes
Third queue: anything bigger than 512 bytes

The same for the upload direction: source IP + UDP packets, first priority queue.
Second queue: maximum packet length of 512 bytes
Third queue: anything bigger than 512 bytes

Example for settings from Gargoyle...


Hi Knomax,

sqm's idea of priorities is intricately linked to differentiated services (see for some details and further references). So you would select one of the scripts that support DSCP markings (example combinations of scripts/qdiscs: simple.qos/fq_codel, layer_cake.qos/cake) and make sure the data packets are marked according to your preferences. Here are the DSCP-to-priority-tin mappings that the typical diffserv schemes in cake support:

static int cake_config_diffserv4(struct Qdisc *sch)
Further pruned list of traffic classes for four-class system:

  • Latency Sensitive  (CS7, CS6, EF, VA, CS5, CS4)
  • Streaming Media    (AF4x, AF3x, CS3, AF2x, TOS4, CS2, TOS1)
  • Best Effort        (CS0, AF1x, TOS2, and those not specified)
  • Background Traffic (CS1)
  • Total 4 traffic classes.


static int cake_config_diffserv3(struct Qdisc *sch)
Simplified Diffserv structure with 3 tins.

  • Low Priority       (CS1)
  • Best Effort
  • Latency Sensitive  (TOS4, VA, EF, CS6, CS7)


Since layer_cake defaults to diffserv3, you should first use "tc -s qdisc" to test that the three tins have sufficient bandwidth allotted and then mark all packets accordingly.

That still leaves the tricky bit of how to mark the packets, but you should be able to extract the lines that Gargoyle uses under the hood and simply turn these into DSCP setting operations. This might work reasonably well for egress traffic (by putting the marking system on all WLAN/LAN interfaces so outgoing packets are guaranteed to have the correct DSCPs when they reach your sqm instance on the WAN interface), but that will not work for ingress, since cake sees the packets before the system that would allow changing the DSCP marks...

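Putting the marking suggestion above into concrete rules, as an added example that is not from this thread: a POSIX shell function that emits an nftables ruleset setting DSCP on IPv4 packets leaving the WAN interface, so the three classes asked for map onto layer_cake's default diffserv3 tins (EF for the UDP destination, CS0 for packets of at most 512 bytes, CS1 for larger ones). The interface name and destination address are assumptions passed as arguments, and as noted above this only helps the egress direction.

```shell
#!/bin/sh
# Added example (not from the thread): generate an nft ruleset that maps the
# three requested classes onto cake's diffserv3 tins by setting DSCP on egress.
#   UDP to the chosen destination IP -> EF  (Latency Sensitive tin)
#   any other packet <= 512 bytes    -> CS0 (Best Effort tin)
#   any other packet  > 512 bytes    -> CS1 (Low Priority tin)
# IPv4 only; the interface name and destination IP are assumptions (arguments).
gen_dscp_rules() {
    ifname="$1"   # e.g. wan
    dest="$2"     # e.g. 203.0.113.10 (constructed sample address)
    cat <<EOF
# create-then-delete makes the reload idempotent
table inet sqm_dscp
delete table inet sqm_dscp
table inet sqm_dscp {
    chain egress_mark {
        # mangle priority runs before the packet reaches the qdisc on $ifname
        type filter hook postrouting priority mangle; policy accept;
        # first class: UDP towards the destination IP -> EF
        oifname "$ifname" ip daddr $dest ip protocol udp ip dscp set ef counter accept
        # second class: small packets -> CS0 (best effort)
        oifname "$ifname" meta length <= 512 ip dscp set cs0 counter accept
        # third class: everything bigger -> CS1 (bulk / low priority)
        oifname "$ifname" meta length > 512 ip dscp set cs1 counter accept
    }
}
EOF
}
```

Load it with `gen_dscp_rules wan 203.0.113.10 | nft -f -` and then check that traffic lands in the intended tins with `tc -s qdisc show dev wan`.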

The purpose of cake is to be config free, you don't specify priority rules, it
works by keeping latency low and tries to avoid dropping packets for UDP and
short flows by forcing large flows to wait rather than filling the buffer.

Try it and see if the results are reasonable without any config, if not, report
the problems you are having and we'll see if there are any tweaks needed.

David Lang

Thank you, both of you, for the help... I will try it.

Oh, I was under the impression that you had already implemented all the recommended sqm/cake tweaks? Could you please post the output of:

  1. cat /etc/config/sqm
  2. tc -s qdisc
  3. tc -d qdisc

just as a reminder of your current state...

Should be cat /etc/config/sqm


Thanks for the correction! Yes, config it should have been (corrected above).

Best Regards

No worries...

I noticed it was posted 2 days ago, so I grabbed it.