Configuring QoS with Managed Switch and OpenWrt


My 24-port switch has quite advanced QoS features which I'm trying to learn by looking through the manual and also asking on the Netgear community forums as it is completely out of my field at the moment. I actually have a CompTIA Network+ video course I purchased a couple of years ago but haven't found time to watch it yet... Ironic.

As mentioned in a few of my recent posts here on the OpenWrt forums, you will know that I'm trying to optimise my connection for gaming as it currently doesn't feel very responsive. When DSLReports allowed me to do speed tests on their website, with SQM enabled I could achieve A+ results across the board with 5% of bandwidth reduced from my total WAN speeds.

All of my wired devices connect to the 24-port switch and are configured on VLANs that match the VLAN and corresponding interfaces on the OpenWrt router. In regards to QoS, I'm trying to work out the path in which packets/data travels to and from the switches and OpenWrt router so that I can configure QoS properly. I want something simple setup for the time being so that I can get to the bottom of my dreadful online video gaming experience. Once I have some foundations in place and I find some free time I will then tinker with the other devices on my network such as my NAS, servers and vast amount of wireless clients etc and put bandwidth setups in place for those.

The 24-port switch is Netgear GS724Tv3 and has two QoS modes CoS (Class of Service) and DSCP. I have read that OpenWrt doesn't support 802.1p or CoS but only DSCP configured using iptables.

I've read some of the OpenWrt forum posts on DSCP and it doesn't look difficult to set up on specific devices.

I've recently found out there is a bug in my Netgear switch which doesn't allow me to use the QoS features at all. I'm still waiting for a reply on the Netgear forums trying to find a possible fix.

My question is, between the 24-port switch, the 5-port switch and the OpenWrt router do all three need to be DSCP enabled for everything to work effectively or can OpenWrt handle it all?

Technically my OpenWrt is doing the routing as everything is managed by it, the interfaces have DHCP setup on them and my WAN IP address is also established on the OpenWrt router. From my basic understanding of the OSI network model routers work on layer 3, so in theory I don't need the QoS on my switches. Please correct me if I'm wrong.

All I want to do is give my PS3 and PS4 the highest priority and then verify the QoS is actually prioritising my games consoles' traffic. My switches do support port mirroring so I could in theory set that up and use Wireshark on my PC to look at the packets, correct?

Is DSCP using iptables under OpenWrt the way to go?

Any help appreciated.

Ideally you have the switch tag packets coming into the ports that the gaming machines are on by altering the DSCP to something like CS5. Then run layer cake with diffserv4 on OpenWrt egress, and you will get prioritization of your packets upstream.

To get prioritization downstream, if you have sophisticated rules in the switch, you can set up a VLAN for WAN, run your ISP cable into the switch and your WAN port on the router into the switch; then the switch can DSCP tag certain UDP game packets, and diffserv4 on ingress of WAN will also work.

Currently the QoS features don't work on my 24-port Netgear switch so my only options are to set DSCP marks on OpenWrt.

Would something like this not work? would be the IP address of my games console for example.

# Create (and empty) a dedicated chain in the mangle table, IPv4 and IPv6
iptables -t mangle -N dscp_mark
ip6tables -t mangle -N dscp_mark
iptables -t mangle -F dscp_mark
ip6tables -t mangle -F dscp_mark

# Send all routed (forwarded) traffic through that chain
iptables -t mangle -A FORWARD -j dscp_mark
ip6tables -t mangle -A FORWARD -j dscp_mark

# Mark traffic from and to the console (192.168.1.200) as CS5.
# The chain name here must match the one created above (dscp_mark, not dscp-Mark).
iptables -t mangle -A dscp_mark -p all --src 192.168.1.200 -j DSCP --set-dscp-class CS5
iptables -t mangle -A dscp_mark -p all --dst 192.168.1.200 -j DSCP --set-dscp-class CS5

Something like that will work, once you've fixed typos etc. But you should be aware that what it will do is help in the upstream direction, but not the downstream direction. The iptables run after the ingress queue has already done its queuing, so downstream isn't affected by the DSCP. However, at least once your switch is fixed it will honor the DSCP.

Have you tried upgrading the firmware on the Netgear?

Unfortunately the switch is on the latest firmware version. Why can't I run the iptables before the ingress queue? Also, when you refer to the upstream direction, are you referring to the OpenWrt switch's upload (the games consoles' download)?

In other words, if I flip the direction of traffic around the other way, the consoles' upload speed would be OpenWrt's downstream if that makes sense?

This is the OpenWrt forum post with DSCP iptables marks I have been referring to: Creating DSCP markings with iptables?

Fundamentally the kernel does the queueing before it calls iptables. You can "fix" this by switching to nftables and attaching a table to the ingress hook, but it's not working 100% in OpenWrt these days.

The directions I mention are relative to the port that OpenWrt has the SQM on... if you put the SQM on WAN, then upload is "egress of the WAN port" and download is "ingress of the WAN port".

If I understand correctly SQM kicks in before the iptables?

Under Network > SQM > Queue Discipline tab will these options change anything?

SQM Options


Sort of. In the download direction yes. What really happens is

(for download direction, redirect to intermediate functional block egress queue)
egress queue

So for packets sent from your LAN, they'll go through the iptables, get marked, and then egress on WAN through the queue (so priority will be utilized)

But for packets sent from WAN, they'll go through the IFB queue first, then get marked (so it's too late), then be sent out the LAN.

You can do some tricks to use a veth on your LAN, but it requires some level of sophistication to set up; you should be totally familiar with shell scripting and the "ip" command.

As for "do not squash", this will preserve whatever DSCP comes in from your ISP, but there's no reason to think that it's a good DSCP... in general I recommend squashing DSCP from your ISP. As for "Ignore DSCP on ingress", that lets you ignore it even though you aren't squashing it... but again, there's no reason to think that the DSCP is set up in a way that you will agree with.

If I took SQM out of the equation would the iptables work on both upload and download?

What I don't understand is why SQM was designed to only work the one way. I would have thought iptables should take higher priority if they are set on the system and then everything else follows.

SQM works fine both ways, but it will only respect DSCP if the packet has DSCP set. The Linux kernel runs iptables in a particular way, and it runs after the SQM queues its packets. It's a Linux kernel issue; there is no way for SQM to run after iptables.

If you use the modern nftables for a firewall, you can attach a table to the ingress so that it runs before the IFB gets the packet. So, yes, it's possible; it's just that it requires a complete overhaul of the firewall system to use the more modern nftables.


For testing purposes, if I disable SQM temporarily and set some DSCP marks for my PlayStation 4 on iptables I should expect them to work both on upload and download?

I currently have my laptop hooked up to my 24-port switch with port mirroring and it's currently sniffing data between my PS4 and WAN VLAN. Currently my PS4 has CS0 under the DSCP column but hopefully I can change that.

If you're talking about whether the switch will honor DSCP then it is totally separate from SQM. You can keep SQM going, and use the switch's QoS with DSCP in addition to the queuing that SQM does.

Sorry, I'm totally lost in regards to what you're replying back to. Switch could refer to my Netgear switch(es) or OpenWrt in my mind, and ingress/egress is too broad when there's no interface(s) specified. If you could be really over-the-top specific with everything please, that would be really appreciated. I'm trying to understand this all in a linear/sequential way; start to finish. I don't mean to be rude or awkward in any way, I'm just trying to understand the route of everything.

Anyway I don't feel like I'm explaining myself very well so I will explain what I'm trying to accomplish.

I have my laptop connected to the 24-port switch and is currently port mirroring between the PS4 and the WAN port which goes off to my modem/ONT. The PS4 and WAN cable are separated by VLANs and connect to their interfaces setup on the OpenWrt router.

The best way of explaining my setup is this: think of two parallel lines, my WAN and LAN VLANs, that don't talk to each other or cross paths whilst they're on the 24-port switch. The WAN connection and PS4 then both look towards the interfaces set up on OpenWrt, where everything connects to one another and the parallel lines merge. Once the routing has taken place they go back down the segmented paths to their destination. The path looks like this ==> and <== The tip of the less/greater than symbols is where the parallel lines merge and references the OpenWrt router, whereas the equal symbols refer to the separate VLANs the PS4 and WAN are on. I apologise if this all sounds stupid but I'm just trying to visualise the connections.

This is where I want to set up iptables so that my PS4 and any other device connected can be prioritised above all other traffic. My 24-port Netgear switch acts like an unmanaged switch but with segmentation from the VLAN feature, so technically it's still a smart switch. I want OpenWrt to deal with everything including QoS using the iptables, hence you can call OpenWrt a router because it is, so to speak, 'routing'.

On my laptop that is port mirroring I'm using Wireshark to display the packets between the two devices. I have added a column in the software to display DSCP. From a quick test I did last night setting ip.addr == (this IP address being my PS4) in the display filter box, I could see that almost all of the traffic to and from the PS4 had CS0 except for the occasional ICMP which was CS6. I would like to set up iptables so that it shows CS6 for all of the traffic.

Once the traffic is prioritised on the specific devices I then want to put SQM on the WAN VLAN, which is eth1.10 in OpenWrt, to smooth out and remove the bufferbloat. If the SQM interferes with the iptables then I suppose I will have to look at using veth interfaces, but for the moment I just want to get my iptables working for ingress and egress traffic on the PS4, ignoring any SQM.

Many thanks so far.
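The verification step described in the post above (a Wireshark DSCP column showing CS0 for nearly everything and CS6 for the occasional ICMP) comes down to reading six bits of the IP header. The following is an added example written for this thread, not code from the original poster, from the linked forum post or from OpenWrt. It decodes the DSCP field of IPv4 and IPv6 headers, names the class the way Wireshark does, rewrites the field the way the iptables DSCP target does (keeping the ECN bits and recomputing the IPv4 checksum) so that before and after marking can be compared, and checks one host's packets against an expected class. Every header and address in it is constructed for the demo: 192.168.1.200 stands for the console, 203.0.113.5 for a game server, 198.51.100.7 for the router's WAN address, and the IPv6 addresses are documentation-range placeholders.

```python
"""Decode the DSCP field of IPv4/IPv6 headers and check one host's traffic
against an expected class. Constructed example for this thread, not the
poster's code or an OpenWrt component; all headers and addresses are made up."""
import socket
import struct
from dataclasses import dataclass

# Six-bit DSCP code points and the names Wireshark shows in its DSCP column.
DSCP_NAMES = {0: "CS0", 8: "CS1", 16: "CS2", 24: "CS3",
              32: "CS4", 40: "CS5", 48: "CS6", 56: "CS7", 46: "EF"}
for _x in range(1, 5):                  # Assured Forwarding: AFxy = 8*x + 2*y
    for _y in range(1, 4):
        DSCP_NAMES[8 * _x + 2 * _y] = f"AF{_x}{_y}"
DSCP_VALUES = {name: code for code, name in DSCP_NAMES.items()}

def dscp_name(code: int) -> str:
    return DSCP_NAMES.get(code, f"0x{code:02x}")   # hex for unassigned values

@dataclass
class HeaderInfo:
    version: int
    src: str
    dst: str
    proto: int        # IPv4 protocol / IPv6 next header (17 = UDP, 1 = ICMP)
    dscp: int
    dscp_name: str

def parse_header(raw: bytes) -> HeaderInfo:
    """Read addresses, protocol and DSCP from an IPv4 or IPv6 header."""
    version = raw[0] >> 4
    if version == 4 and len(raw) >= 20:
        dscp = raw[1] >> 2               # TOS byte: 6 bits DSCP, then 2 bits ECN
        src = socket.inet_ntop(socket.AF_INET, raw[12:16])
        dst = socket.inet_ntop(socket.AF_INET, raw[16:20])
        return HeaderInfo(4, src, dst, raw[9], dscp, dscp_name(dscp))
    if version == 6 and len(raw) >= 40:
        first_word = struct.unpack("!I", raw[:4])[0]
        dscp = ((first_word >> 20) & 0xFF) >> 2   # Traffic Class is bits 4..11
        src = socket.inet_ntop(socket.AF_INET6, raw[8:24])
        dst = socket.inet_ntop(socket.AF_INET6, raw[24:40])
        return HeaderInfo(6, src, dst, raw[6], dscp, dscp_name(dscp))
    raise ValueError("not an IPv4/IPv6 header")

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header with its checksum field zeroed."""
    h = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack(f"!{len(h) // 2}H", h))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, dscp: int, ecn: int = 0) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed capture input)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, (dscp << 2) | ecn, 20, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def ipv6_header(src: str, dst: str, next_hdr: int, dscp: int, ecn: int = 0) -> bytes:
    """Build a 40-byte IPv6 header (constructed capture input)."""
    first_word = (6 << 28) | (((dscp << 2) | ecn) << 20)
    return struct.pack("!IHBB16s16s", first_word, 0, next_hdr, 64,
                       socket.inet_pton(socket.AF_INET6, src),
                       socket.inet_pton(socket.AF_INET6, dst))

def set_dscp(raw: bytes, dscp: int) -> bytes:
    """Rewrite the DSCP bits as `-j DSCP --set-dscp-class` does: the two ECN
    bits are kept and, for IPv4, the header checksum is recomputed."""
    if raw[0] >> 4 == 4:
        hdr = raw[:1] + bytes([(dscp << 2) | (raw[1] & 0x03)]) + raw[2:]
        return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    first_word = struct.unpack("!I", raw[:4])[0]
    first_word = (first_word & ~(0xFC << 20)) | (dscp << 22)
    return struct.pack("!I", first_word) + raw[4:]

def audit(capture, host: str, expected: str):
    """Decode each (label, header) pair. Where `host` is source or destination,
    report whether the packet carries `expected`; a copy mirrored on the WAN
    side after NAT no longer shows the LAN address, so it comes back as None."""
    rows = []
    for label, raw in capture:
        info = parse_header(raw)
        ok = (info.dscp_name == expected) if host in (info.src, info.dst) else None
        rows.append((label, info.src, info.dst, info.proto, info.dscp_name, ok))
    return rows

CONSOLE, SERVER, WAN_IP = "192.168.1.200", "203.0.113.5", "198.51.100.7"
# Constructed capture: the CS0 game traffic and CS6 ICMP the thread reports,
# the game packet after marking, its NATted copy on the WAN side, and IPv6.
CAPTURE = [
    ("ps4 udp, unmarked", ipv4_header(CONSOLE, SERVER, 17, 0)),
    ("ps4 icmp", ipv4_header(CONSOLE, SERVER, 1, DSCP_VALUES["CS6"])),
    ("ps4 udp, marked", set_dscp(ipv4_header(CONSOLE, SERVER, 17, 0), DSCP_VALUES["CS5"])),
    ("wan side after nat", set_dscp(ipv4_header(WAN_IP, SERVER, 17, 0), DSCP_VALUES["CS5"])),
    ("ps4 ipv6 udp", set_dscp(ipv6_header("2001:db8::c8", "2001:db8:1::5", 17, 0), 40)),
]

if __name__ == "__main__":
    for row in audit(CAPTURE, CONSOLE, "CS5"):
        print(row)
```

Running the script prints one row per sample packet. The "wan side after nat" row comes back with no verdict because, once the router has rewritten the source to its WAN address, a display filter on the console's LAN IP no longer matches; on that side of the router the DSCP has to be checked per protocol (for example a plain `udp` filter) rather than per LAN host.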

Which model is the Netgear switch?

The PS4 itself is not going to tag DSCP reliably, so you really need your switch to have a rule to say "tag all packets coming into the PS4 port as CS5". Similarly you probably want a rule saying "tag all packets coming into the WAN port that are UDP packets from certain ports as CS5"

with those rules in the switch (if that's possible in your switch) then SQM with diffserv4 would work well.

Otherwise, you need to tag things in the iptables, in which case they'll work well for packets sent from your PS4 which are routed towards the WAN (but only after being routed), but will not work for packets returning from the WAN because of the above mentioned issues regarding ingress queues.

The switch is a Netgear GS724Tv3.

This is my VLAN PVID page:-

Ports 10 & 12 are the PS3 & PS4. Port 24 is the port that goes off to the modem/ONT. For any additional information that this may be useful for, port 14 is the WAN VLAN trunk to OpenWrt, and port 15 is the LAN VLAN to OpenWrt. This means that ports 10 & 12 (the games consoles) are untagged ports on the same LAN VLAN.

This is the help document found on the VLAN section:-

Configurable Data

  • PVID (1 to 4093) - Specify the VLAN ID you want assigned to untagged or priority tagged frames received on this port. The factory default is 1.
  • Acceptable Frame Types - Specifies the types of frames that may be received on this port. The options are 'VLAN only' and 'Admit All'. When set to 'VLAN only', untagged frames or priority tagged frames received on this port are discarded. When set to 'Admit All', untagged frames or priority tagged frames received on this port are accepted and assigned the value of the Port VLAN ID for this port. With either option, VLAN tagged frames are forwarded in accordance to the 802.1Q VLAN specification.
  • Ingress Filtering - When enabled, the frame is discarded if this port is not a member of the VLAN with which this frame is associated. In a tagged frame, the VLAN is identified by the VLAN ID in the tag. In an untagged frame, the VLAN is the Port VLAN ID specified for the port that received this frame. When disabled, all frames are forwarded in accordance with the 802.1Q VLAN bridge specification. The factory default is disabled.
  • Port Priority (0 to 7) - Specifies the default 802.1p priority assigned to untagged packets arriving at the port. The possible value is from 0 to 7.

This is the basic QoS page where you set either untrusted, 802.1p or DSCP across all interfaces (ports):-

This is the interface configuration page:-

I have tried countless times, including factory resetting, trying different browsers etc, and I cannot set ports 10 & 12 independently to Queue ID 3. The result is all 24 ports being set to 3. But even then, because it's broken, going off that page and coming back it doesn't even save, despite knowing full well I did press the Apply button in the bottom right corner.

What I'm trying to get my head around is, if I took the 24-port switch out completely and connected the games consoles directly to the back of my OpenWrt router, or connected them to an unmanaged switch and then connected that to the OpenWrt router, how would I set this up?

You would add DSCP tagging to the iptables, and you would accept that DSCP would be in effect only in the egress of the OpenWrt WAN port.

Or, you would do a fancy veth system and that would also enable DSCP for packets heading towards the LAN.

I wouldn't mind trying both. I want to try and get the port mirroring to show DSCP being applied.

Is this the correct iptables syntax?

I've got the first bit of iptables iptables -t mangle but I'm not sure what chain to use and whether I should be using dst or src against the PS4 IP address.

I've come up with something like this

# 192.168.1.200 is the console address used earlier in the thread
iptables -t mangle -A PREROUTING -p all --dst 192.168.1.200 -j DSCP --set-dscp-class CS5

In Wireshark I have the filter set to ip.src == && udp, so I should only be seeing traffic originating from the PS4, the egress, correct? However, I'm still seeing CS0.

First off, only packets emitted by your router will have the DSCP tags. So you need to mirror the port/ports that the router is connected to.

Second of all, you'll probably want both --dst and --src matches, since you'll want to set anything going to or coming from the PS4... Finally, the router will be doing NAT, so on the WAN side everything will have src address equal to the router's WAN address.

If you're doing filtering in Wireshark based on the LAN IP, since on the WAN side it's all NATted you will have to filter by just "udp" or some such thing.

Hope those help.

Sorry, I'm getting really lost with this.

My OpenWrt router is connected to the switch via two ports, 14 and 16.

Port 14 is a VLAN that communicates with the software VLAN in OpenWrt. This is connected to the physical WAN port on my router and is shown in the screenshot below.

Port 16 contains a VLAN trunk with a private and guest LAN and this connects to the physical LAN port 1 on my router.

These are the VLANs in OpenWrt:-

Could you possibly write out some dummy iptables for src, dst and WAN that you were talking about in paragraph 2 please?

Many thanks

This is fine, just add another one replacing --dst with --src.

Mirror ports 14 and 16 to your laptop and capture all of those packets. With the above two rules you should be seeing the DSCP on any packet headed TOWARD or any packet headed toward the internet that is a NATted version of something coming FROM