Does Firewall DSCP work with NAT Offloading?

firewall DSCP work

2. This is my QoS, is it good?

3. Bufferbloat result is worse on OpenWrt router than my ONT

ONT

OpenWrt router with qosify installed but disabled. Notice low speeds.

4. How to use qosify and Firewall DSCP together?

Packages

luci
luci-app-wireguard luci-app-pbr
stubby
qosify
luci-app-adblock (not configured)
banip (not configured)
kmod-ipt-geoip (not configured)
netdata
luci-app-nlbwmon
snort3 (not configured)
Netifyd (not configured)
iperf3
UDPspeeder
usbutils kmod-usb-storage-uas block-mount kmod-fs-ext4 kmod-usb-storage kmod-usb3 kmod-usb2 kmod-usb-core

Your qosify configurations would need to set DSCP using the + convention (e.g. +af41, +video) so that qosify only overrides the DSCP if it is still CS0.

With offloading, only the first packet of a connection will traverse the firewall rules, so the remaining packets won’t get marked. You can use methods used with the script below to use ctinfo to make it work however,


Is that what software offloading does or is it a side effect of enabling offloading?

Yes, after the first packet, connection info is cached in the flowtable and bypasses the netfilter stack for future packets. But it seems to let the tc egress filter restore the DSCP on these subsequent packets (at least in my experience so far).

https://www.kernel.org/doc/html/latest/networking/nf_flowtable.html
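
The behaviour described in the replies above, as an added example that is not from the thread or from any project mentioned in it: a simplified Python model (not kernel code) of a firewall DSCP rule, flow offloading, a ctinfo-style restore at tc egress, and qosify's `+` convention. The class and function names, the assumption that the firewall rule also saves the DSCP into the conntrack entry, and the ordering of the restore before qosify are all assumptions of the model.

```python
# Simplified model of the packet path discussed in the thread (constructed example).
DSCP = {"cs0": 0, "af41": 34, "cs5": 40}  # standard DSCP code points
CS0 = DSCP["cs0"]

def qosify_mark(current, rule):
    """'+af41' overrides only while the packet is still CS0; 'af41' always overrides."""
    if rule.startswith("+"):
        return DSCP[rule[1:]] if current == CS0 else current
    return DSCP[rule]

class Router:
    def __init__(self, fw_dscp, offload, ctinfo_restore, qosify_rule=None):
        self.fw_dscp = fw_dscp                # DSCP set by the firewall rule
        self.offload = offload                # flow offloading enabled?
        self.ctinfo_restore = ctinfo_restore  # tc egress restore from conntrack?
        self.qosify_rule = qosify_rule        # e.g. "+cs5" (hypothetical rule)
        self.conntrack = {}                   # flow -> saved DSCP (assumed to be saved by the rule)
        self.flowtable = set()                # flows on the fast path

    def forward(self, flow, dscp=CS0):
        """Return the DSCP a packet of `flow` carries when it leaves the router."""
        if not (self.offload and flow in self.flowtable):
            # Slow path: the packet traverses the firewall rules and gets marked.
            dscp = self.fw_dscp
            self.conntrack[flow] = dscp
            if self.offload:
                self.flowtable.add(flow)      # later packets skip netfilter
        # tc egress runs for every packet, offloaded or not.
        if self.ctinfo_restore and flow in self.conntrack:
            dscp = self.conntrack[flow]
        if self.qosify_rule:
            dscp = qosify_mark(dscp, self.qosify_rule)
        return dscp

def egress_dscps(router, packets=3, flow="flow-a"):
    """DSCP values of the first `packets` packets of one connection."""
    return [router.forward(flow) for _ in range(packets)]

if __name__ == "__main__":
    af41 = DSCP["af41"]
    print("no offload:         ", egress_dscps(Router(af41, False, False)))
    print("offload, no restore:", egress_dscps(Router(af41, True, False)))
    print("offload + restore:  ", egress_dscps(Router(af41, True, True)))
    print("restore + '+cs5':   ", egress_dscps(Router(af41, True, True, "+cs5")))
    print("no restore + '+cs5':", egress_dscps(Router(af41, True, False, "+cs5")))
```

In the last case the offloaded packets reach qosify still at CS0, so the `+cs5` rule marks them instead of the firewall value.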