1 - What does the ingress keyword do, and when should I use it?
2 - What does the nat keyword do, and when should I use it?
ingress means "traffic arriving". If you use SQM on a wan interface, it's the download direction: traffic arriving from the internet at the interface.

nat
Instructs Cake to perform a NAT lookup before applying flow isolation rules, to determine the true addresses and port numbers of the packet, to improve fairness between hosts "inside" the NAT. This has no practical effect in "flowblind" or "flows" modes, or if NAT is performed on a different host.
(from cake man page)
You might want to use luci-app-sqm for ease of initial configuration. There’s great detailed documentation in OpenWrt wiki:
- https://openwrt.org/docs/guide-user/network/traffic-shaping/sqm
- https://openwrt.org/docs/guide-user/network/traffic-shaping/sqm_configuration
Also check out this cake manual: https://man7.org/linux/man-pages/man8/tc-cake.8.html
1 - I know what ingress is; I am speaking of the reserved word ingress.
2 - I would like a more detailed explanation of how it works.
Wouldn't we all like that?
Here is a quick description: when ingress is set, cake aims not to control the egress rate to the desired shaper rate, but the ingressing rate... the result is that if flows play nice, ingress will not do much, but if a flow starts becoming less reactive, cake is going to throttle this one more aggressively. The upshot of this is that cake can be configured with a lower safety margin to the real bottleneck rate, as cake will now deal better with under-responsive flows.
However, one slightly unexpected consequence of this is that such under-responsive flows will not see an equal throughput as more responsive flows, that is, viewed from the LAN side it might look like cake is not 'fair' anymore. In reality cake is just as fair as before, but it essentially now also accounts dropped packets against that flow's capacity share...
Side note: as you might have noticed, this is not explained in man tc-cake.
- As far as I understand it, in ingress direction, on wan interface and select flow isolation modes, as described on the man page:
  - with no-nat option, cake sees only connections from wan to internet hosts. If you have 2 lan clients that connect to the same host, their connections will be visible as one traffic flow. If one client is sending/receiving much more than the other, there might not be enough bandwidth assigned for the other.
  - with nat option, cake can differentiate which traffic is coming to which lan client, so both flows are now treated separately and guaranteed to get a fair amount of bandwidth.
So would you recommend using it? I also saw that the word can be used in egress, would it change its effect?
Thank you for your help.
Try it out, all things considered I would recommend it, but be aware that it can affect observed fair sharing of traffic actually flowing into your network...
If I use this keyword in egress, does it do something different?
Good question, likely it will do exactly the same (I have not tried nor looked at the code, but am pretty confident, after all cake does not know about internet directions). However, for egress/upload shaping this should not be needed. The difference is that for egress our cake instance sits in front of the bottleneck, so controlling the egress rate is what we want as packets egress into the bottleneck. For ingress/download that is different: our cake instance sits behind the bottleneck link, so all packets we get are ingressing from the bottleneck. I hope that clarifies.
The shaper on egress doesn't count dropped packets, instead it looks in the queues to find a more worthy packet to occupy the space. https://openwrt.org/docs/guide-user/network/traffic-shaping/sqm-details#:~:text=The%20shaper%20on%20egress%20doesn't%20count%20dropped%20packets%2C%20instead%20it%20looks%20in%20the%20queues%20to%20find%20a%20more%20worthy%20packet%20to%20occupy%20the%20space. The only reference I found.
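
A simplified model of the nat keyword discussed in this thread, added here as an illustration; it is not part of any post and is not cake's own code. It assumes host isolation on the destination address (as in cake's dual-dsthost mode: the rate is split between destination hosts, then between each host's flows) on the wan download side, where packets are still addressed to the router's WAN address. All addresses, ports and the conntrack table are constructed.

```python
from collections import defaultdict

WAN_IP = "203.0.113.5"  # constructed router WAN address

# Constructed download packets as seen on wan before de-NAT:
# (src_ip, src_port, dst_ip, dst_port). dst is always the WAN address.
FLOWS = [("198.51.100.10", 443, WAN_IP, 40000 + i) for i in range(8)]
FLOWS.append(("198.51.100.20", 443, WAN_IP, 50000))

# Constructed conntrack view: WAN-side port -> (LAN ip, LAN port).
CONNTRACK = {40000 + i: ("192.168.1.10", 40000 + i) for i in range(8)}
CONNTRACK[50000] = ("192.168.1.20", 50000)


def dst_host(flow, nat):
    """Destination host key, optionally resolved through the NAT table."""
    _, _, dst_ip, dst_port = flow
    if nat and dst_port in CONNTRACK:
        return CONNTRACK[dst_port][0]
    return dst_ip


def lan_shares(rate_kbit, nat):
    """Split the rate between destination hosts, then between each host's
    flows, and report what each real LAN client ends up with."""
    by_host = defaultdict(list)
    for flow in FLOWS:
        by_host[dst_host(flow, nat)].append(flow)
    shares = defaultdict(float)
    for flows in by_host.values():
        per_flow = rate_kbit / len(by_host) / len(flows)
        for flow in flows:
            shares[CONNTRACK[flow[3]][0]] += per_flow
    return dict(shares)


if __name__ == "__main__":
    for nat in (False, True):
        print("nat" if nat else "nonat", lan_shares(90000, nat))
```

Without the NAT lookup every packet appears to go to one host (the router), so sharing degrades to per-flow and the client with 8 flows takes most of the rate; with it, each LAN client is its own host and gets an equal share.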