Thanks. This seems like a fun challenge and may be helpful for other users in the same boat.
Any chance you could draw me a sketch of the veth-based solution in terms of how the veths are linked up with br-lan and br-guest?
I tried just working with my existing setup, making veth-br a part of both br-lan (192.168.1.1) and br-guest (192.168.2.1), but that failed. It seems a veth end can only be a part of one interface and not more than one interface.
Regarding the IFB-based solution, I got pretty far with that during my earlier attempt:
So that grabs all the br-lan wan/VPN, but then I wouldn't know how to also grab the br-guest wan/VPN as well, assuming the goal would be to create an IFB that grabs all br-lan wan/VPN combined with all br-guest wan/VPN.
Or can I just stack the br-guest to the common IFB by repeating the lines for the br-guest? Like this:
ip link add name ifb type ifb
tc qdisc add dev ifb root cake bandwidth 30Mbit diffserv3 triple-isolate nonat nowash no-ack-filter split-gso rtt 100ms noatm overhead 60
tc qdisc add dev br-lan handle ffff: ingress
tc qdisc add dev br-guest handle ffff: ingress
ip link set ifb up
tc filter add dev br-lan parent ffff: protocol ip prio 1 u32 match ip dst 192.168.1.0/24 action pass
tc filter add dev br-lan parent ffff: prio 2 matchall action mirred egress redirect dev ifb
tc filter add dev br-guest parent ffff: protocol ip prio 1 u32 match ip dst 192.168.2.0/24 action pass
tc filter add dev br-guest parent ffff: prio 2 matchall action mirred egress redirect dev ifb