hi, sorry but I put this on putty and it tells me this (tcpdump: listening on br-lan, link-type EN10MB (Ethernet), snapshot length 262144 bytes) now what should I do?
So tcpdump is now waiting for packets to arrive on your br-lan interface on port 500. If there is no activity on your br-lan on port 500 nothing will happen...
If you just want to test if tcpdump works just use a more common port.
```
tcpdump -i br-lan tcp port 443 -vv
```
For example port 443 (https) and then visit some websites over your lan devices and you should see some traffic...
thank you for your availability.
I want to check the packets that my Call of duty game sends, and understand which dscp it uses for the packets to give it priority on my router and send them back with the same tag (unfortunately as soon as I open Wireshark the call of duty app closes so I wanted to check all via router) and then I wanted to check both incoming and outgoing packets
another question, how do I understand which dscp is using? do I have to look at flags?
Try, something like:
```
tcpdump -i br-lan -v -n 'ip and (ip[1] & 0xfc) >> 2 != 0' and '(dst 192.168.42.249 or src 192.168.42.249)'
```
This will log all packets not DSCP 0 to and from the internal IPv4 address 192.168.42.249
If you replace `!= 0` with e.g. `== 46` you only get packets carrying the decimal DSCP 46 (expedited forwarding EF).
If you add `-s 128 -w my_current_capture.pcap` to the end, you will save the first 128 bytes of each packet to disk, which will contain the IP header and hence the DSCP field.
ATTENTION, packet captures can get large fast, so do NOT do this on your router's flash, if you need to do this on the router connect a USB disk and write the capture file to that USB drive.
tcpdump produces packet capture files you can load into wireshark for closer inspection....
Here is a bit of example output from the invocation above:
14:56:39.888084 IP (tos 0x48, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
192.168.42.249.60784 > 192.168.42.1.22: Flags [.], cksum 0xf9a5 (correct), ack 3474520, win 2048, options [nop,nop,TS val 1819991603 ecr 1192665782], length 0
14:56:39.888084 IP (tos 0x48, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
192.168.42.249.60784 > 192.168.42.1.22: Flags [.], cksum 0xf881 (correct), ack 3474812, win 2048, options [nop,nop,TS val 1819991603 ecr 1192665782], length 0
14:56:39.888169 IP (tos 0x48, ttl 64, id 64680, offset 0, flags [DF], proto TCP (6), length 344)
192.168.42.1.22 > 192.168.42.249.60784: Flags [P.], cksum 0xd795 (incorrect -> 0xe295), seq 3475396:3475688, ack 4393, win 648, options [nop,nop,TS val 1192665783 ecr 1819991603], length 292
In this example `tos 0x48` is the relevant information, if you look here you will find 8bit hexadecimal TOS 0x48 equals 6bit decimal DSCP 18 or af21....
If you need to do this for IPv6 the field to look at is called tclass (for traffic class) and the invocation becomes slightly more complicated (due to the position of the traffic class field in the IPv6 header):
```
# IPv6 TOS
tcpdump -v -n -i br-lan 'ip6 and (ip6[0:2] & 0xfc0) >> 4 == 184' # EF decimal 8bit TOS values
# IPv6 DSCP
tcpdump -v -n -i br-lan 'ip6 and (ip6[0:2] & 0xfc0) >> 6 == 46' # EF decimal 6bit DSCP values
```
hello everyone, I have a little problem, is it normal that in game, I have no packets marked on port 3074 ?
table inet dscpclassify {
chain static_classify {
meta l4proto { tcp, udp } ip saddr 192.168.1.0/24 counter packets 154 bytes 8867 goto ct_set_cs1 comment "iot"
meta l4proto { tcp, udp } ip daddr 192.168.1.0/24 counter packets 0 bytes 0 goto ct_set_cs1 comment "iot"
meta l4proto { tcp, udp } ip saddr @DowngradeServer counter packets 0 bytes 0 goto ct_set_cs1 comment "DowngradeServer"
meta l4proto { tcp, udp } th dport { 53, 54, 853, 5353 } counter packets 266 bytes 20707 goto ct_set_cs3 comment "DNS"
udp dport 123 counter packets 40 bytes 3040 goto ct_set_cs3 comment "NTP"
tcp dport 22 counter packets 0 bytes 0 goto ct_set_cs2 comment "SSH"
ip saddr 192.168.1.184 tcp sport 3074 counter packets 0 bytes 0 goto ct_set_cs3 comment "Cod TCP"
tcp dport 3074 ip saddr 192.168.1.184 counter packets 0 bytes 0 goto ct_set_cs3 comment "Cod TCP 2"
udp dport 30000-65535 ip saddr 192.168.1.184 udp sport 3074 counter packets 0 bytes 0 goto ct_set_cs4 comment "Cod UDP"
udp dport 22000-22020 ip saddr 192.168.1.184 counter packets 0 bytes 0 goto ct_set_cs4 comment "xdefiant"
tcp dport 443 ip saddr 192.168.1.184 counter packets 0 bytes 0 goto ct_set_cs3 comment "DirectAccesWork"
tcp dport 5938 ip saddr 192.168.1.184 counter packets 0 bytes 0 goto ct_set_cs3 comment "TeamViewer"
meta l4proto icmp counter packets 0 bytes 0 goto ct_set_cs3 comment "ICMP"
ip dscp != { cs0, cs6, cs7 } iifname != "wan" ip dscp vmap @dscp_ct
ip6 dscp != { cs0, cs6, cs7 } iifname != "wan" ip6 dscp vmap @dscp_ct
meta l4proto != { tcp, udp } goto ct_set_cs0
ct mark set ct mark & 0xffffff80 | 0x00000080
}
}
How can I use dscp ingress classification without applying cake on incoming packets?
Hi, how do I give high priority to port 3074 for Call of Duty PC game. I set sqm as it is written with diffserv4 and then I downloaded dscpclassify and modified this:
config rule # A rule which marks all non-HTTP UDP connections from a specific IP as cs4 and count new connection matches
option name 'Game Console non-HTTP'
option proto 'udp'
list src_ip '192.168.1.7'
list dest_port '3074'
list dest_port '27015'
list dest_port '27031-27036'
option class 'cs4'
option counter '1'
option enabled '0'
Should I set EF for highest priority?
I noticed that there are other settings with EF should I change the value to prioritize the game?
Something like this should work for cod:
config rule
option name 'Cod1'
option proto 'udp'
option dest_port '3074'
option class 'cs4'
option src_ip '192.168.1.208'
option counter '1'
config rule
option name 'Cod2'
option proto 'udp'
option dest_port '30000-65535'
option src_port '3074'
option src_ip '192.168.1.208'
option class 'cs4'
option counter '1'
Make sure to replace with the ip of your gaming device!
Within cake cs4 and ef will go into the same tin (voice), so it won't make any difference (assuming you play on lan)
Look here:
Thanks friend, I've been looking for the cake classification table for a long time, my settings at the moment are like this can you take a look?
config global 'global'
option class_bulk 'le'
option class_high_throughput 'af13'
option client_hints '1'
option threaded_client_min_bytes '10000'
option threaded_service_min_bytes '1000000'
option wmm '0'
config ipset
option name 'xcloud'
option interval '1'
list entry '13.104.0.0/14' # Western Europe
config ipset
option name 'xcloud6'
option family 'ipv6'
option interval '1'
list entry '2603:1000::/24' # Western Europe
config rule
option name 'DNS'
list proto 'tcp'
list proto 'udp'
list dest_port '53'
list dest_port '853'
list dest_port '5353'
option class 'cs5'
config rule
option name 'Cod TCP'
option proto 'tcp'
option src_port '3074'
option class 'cs3'
option src_ip '192.168.1.7'
option counter '1'
config rule
option name 'Cod TCP 2'
option proto 'tcp'
option dest_port '3074'
option class 'cs3'
option src_ip '192.168.1.7'
option counter '1'
config rule
option name 'Cod UDP'
option proto 'udp'
option dest_port '30000-65535'
option src_port '3074'
option src_ip '192.168.1.7'
option class 'cs4'
option counter '1'
config set
option name 'DowngradeServer'
option family 'ipv4'
option interval '1'
list entry '192.168.1.239'
config rule
option name 'DowngradeServer'
list proto 'tcp'
list proto 'udp'
option src_ip '@DowngradeServer'
option class 'cs1'
option family 'ipv4'
option counter '1'
config rule
option name 'DoH'
list proto 'tcp'
list proto 'udp'
list dest_ip '8.8.8.8' # Google
list dest_ip '8.8.4.4' # Google
list dest_ip '1.1.1.1' # Cloudflare
list dest_ip '1.0.0.1' # Cloudflare
list dest_ip '9.9.9.9' # Quad9 Secured
list dest_ip '149.112.112.112' # Quad9 Secured
list dest_ip '9.9.9.11' # Quad9 Secured w/ECS
list dest_ip '149.112.112.11' # Quad9 Secured w/ECS
list dest_ip '94.140.14.0/24' # AdGuard
list dest_ip '2001:4860:4860::8888' # Google
list dest_ip '2001:4860:4860::8844' # Google
list dest_ip '2606:4700:4700::1111' # Cloudflare
list dest_ip '2606:4700:4700::1001' # Cloudflare
list dest_ip '2620:fe::fe' # Quad9 Secured
list dest_ip '2620:fe::9' # Quad9 Secured
list dest_ip '2620:fe::11' # Quad9 Secured w/ECS
list dest_ip '2620:fe::fe:11' # Quad9 Secured w/ECS
list dest_ip '2a10:50c0::ad1:ff' # AdGuard
list dest_ip '2a10:50c0::ad2:ff' # AdGuard
list dest_ip '2a10:50c0::ded:ff' # AdGuard Dedicated
list dest_port '443'
option class 'cs5'
config rule
option name 'BOOTP/DHCP'
option proto 'udp'
list dest_port '67'
list dest_port '68'
option class 'cs5'
config rule
option name 'NTP'
option proto 'udp'
option dest_port '123'
option class 'cs5'
config rule
option name 'SSH'
option proto 'tcp'
option dest_port '22'
option class 'cs2'
config rule
option name 'Microsoft Teams voice'
option proto 'udp'
option src_port '50000-50019'
option dest_port '3478-3481'
list dest_ip '13.107.64.0/18'
list dest_ip '52.112.0.0/14'
list dest_ip '52.122.0.0/15'
list dest_ip '2603:1063::/39'
option class 'cs2'
config rule
option name 'Microsoft Teams video'
option proto 'udp'
option src_port '50020-50039'
option dest_port '3478-3481'
list dest_ip '13.107.64.0/18'
list dest_ip '52.112.0.0/14'
list dest_ip '52.122.0.0/15'
list dest_ip '2603:1063::/39'
option class 'af41'
config rule
option name 'Microsoft Teams sharing'
option proto 'udp'
option src_port '50040-50059'
option dest_port '3478-3481'
list dest_ip '13.107.64.0/18'
list dest_ip '52.112.0.0/14'
list dest_ip '52.122.0.0/15'
list dest_ip '2603:1063::/39'
option class 'af21'
config rule
option name 'ICMP'
list proto 'icmp'
list proto 'icmpv6'
option class 'cs3'
option enabled '0'
config rule # A rule which marks all non-HTTP UDP connections from a specific IP as cs4 and count new connection matches
option name 'Game Console non-HTTP'
option proto 'udp'
list src_ip '192.168.1.7'
list dest_port '!3074'
option class 'cs4'
option counter '1'
option enabled '0'
I add this and I should be fine
config rule
option name 'Cod1'
option proto 'udp'
option dest_port '3074'
option class 'cs4'
option src_ip '192.168.1.208'
option counter '1'
I have a mini PC with OpenWRT connected to the operator's ONT, on eth0 I have my PC and on eth2 I have another router in cascade connected with DHCP for the home wifi (I'm not interested in double nat etc, in fact this is better, it strains the processor of the router and not of the mini pc) so I put this for the rest of the house.
config set
option name 'DowngradeServer'
option family 'ipv4'
option interval '1'
list entry '192.168.1.239'
config rule
option name 'DowngradeServer'
list proto 'tcp'
list proto 'udp'
option src_ip '@DowngradeServer'
option class 'cs1'
option family 'ipv4'
option counter '1'
change to
option enabled '1'
Hi the outgoing packets are not marked why? do I have to do it from the PC?
01:03:26.058991 IP (tos 0x0, ttl 64, id 12205, offset 0, flags [none], proto UDP (17), length 60)
192.168.1.7.3074 > 109.200.199.132.31191: [udp sum ok] UDP, length 32
01:03:26.082609 IP (tos 0x80, ttl 58, id 62075, offset 0, flags [DF], proto UDP (17), length 60)
109.200.199.132.31191 > 192.168.1.7.3074: [udp sum ok] UDP, length 32
01:03:36.082586 IP (tos 0x0, ttl 64, id 12206, offset 0, flags [none], proto UDP (17), length 60)
192.168.1.7.3074 > 109.200.199.132.31191: [udp sum ok] UDP, length 32
01:03:36.105771 IP (tos 0x80, ttl 58, id 62371, offset 0, flags [DF], proto UDP (17), length 60)
109.200.199.132.31191 > 192.168.1.7.3074: [udp sum ok] UDP, length 32
01:03:39.526064 IP (tos 0x0, ttl 64, id 63038, offset 0, flags [none], proto UDP (17), length 57)
192.168.1.7.3074 > 185.34.107.128.3074: [udp sum ok] UDP, length 29
01:03:46.104189 IP (tos 0x0, ttl 64, id 12207, offset 0, flags [none], proto UDP (17), length 60)
192.168.1.7.3074 > 109.200.199.132.31191: [udp sum ok] UDP, length 32
01:03:46.127711 IP (tos 0x80, ttl 58, id 62938, offset 0, flags [DF], proto UDP (17), length 60)
109.200.199.132.31191 > 192.168.1.7.3074: [udp sum ok] UDP, length 32
01:03:54.562116 IP (tos 0x0, ttl 64, id 63039, offset 0, flags [none], proto UDP (17), length 57)
192.168.1.7.3074 > 185.34.107.128.3074: [udp sum ok] UDP, length 29
01:03:56.133664 IP (tos 0x0, ttl 64, id 12208, offset 0, flags [none], proto UDP (17), length 60)
192.168.1.7.3074 > 109.200.199.132.31191: [udp sum ok] UDP, length 32
01:03:56.157564 IP (tos 0x80, ttl 58, id 63541, offset 0, flags [DF], proto UDP (17), length 60)
109.200.199.132.31191 > 192.168.1.7.3074: [udp sum ok] UDP, length 32
You’re capturing them before they’ve been through the firewall rules. Capture on the WAN interface if you want to see the outbound DSCP marks.
The (nftables) dscp remapping happens sort of 'in the core', so on:
br-lan you only see the correctly remapped dscp for the internet download direction
wan you only see the remapped dscps for the internet upload direction (unless you removed these e.g. using cake's wash keyword)
So to see the full set of remapped dscps you need to look at two packet captures
So does it make sense to set it from the PC? I did some tests considering what you said, and I noticed that incoming wan to LAN are marked in cs4 then from lan to wan they are not marked and then outgoing from the wan to the server they are marked in cs4. I did a test by setting the dscp from the PC and now on the test it gives me the marking in both directions on br-lan and on the wan only outgoing as it should be. In your opinion, is it correct to do this?
So here is the issue, nftables rules/action that can modify DSCPs happen on the path between br-lan to wan, and we also know if things work as intended before qdisc(wan).
As long as you have no nftables rule to change DSCPs from your PC setting them on the PC is A-OK, however if such a rule exists the egress/upload DSCP you see on br-lan might not be the one that gets seen by cake...
Given that I am not a big QoS user, I would advise not to trust me too much on these issues. But as I wrote, unless there is an additional nftables rule to change DSCPs, setting these from the end stations like a PC is quite convenient. However this gives end points the capability to select their desired priority level, so if you have mischievous users in your network you might want to have some sanity remapping from the firewall, but that can be in addition to setting DSCPs on the end points...
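Added example, not part of the original thread: a Python sketch that decodes the `tos` field of `tcpdump -v` IPv4 output the way it is explained earlier in the thread (DSCP is the upper six bits of the TOS byte) and lists LAN hosts that set a DSCP themselves outside an allow-list, which is the case the sanity-remapping remark above is about. It is meant for a capture taken on br-lan; the capture lines, the addresses and the `TRUSTED` policy are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# 6-bit decimal DSCP value -> name, same names as in the nft output of this thread.
DSCP_NAMES = {0: "cs0", 1: "le", 8: "cs1", 10: "af11", 12: "af12", 14: "af13",
              16: "cs2", 18: "af21", 20: "af22", 22: "af23", 24: "cs3",
              26: "af31", 28: "af32", 30: "af33", 32: "cs4", 34: "af41",
              36: "af42", 38: "af43", 40: "cs5", 44: "va", 46: "ef",
              48: "cs6", 56: "cs7"}

# tcpdump -v prints the IPv4 header on one line and the flow on the next.
HEADER = re.compile(r"\bIP \(tos (0x[0-9a-fA-F]+)")
FLOW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > "
                  r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+):")

# Constructed sample in the format shown in the thread (not a real capture).
SAMPLE = """\
10:00:00.000001 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 60)
    192.168.1.7.3074 > 203.0.113.10.31191: UDP, length 32
10:00:00.020000 IP (tos 0x80, ttl 58, id 2, offset 0, flags [DF], proto UDP (17), length 60)
    203.0.113.10.31191 > 192.168.1.7.3074: UDP, length 32
10:00:01.000000 IP (tos 0xb8, ttl 64, id 3, offset 0, flags [none], proto UDP (17), length 200)
    192.168.1.50.50000 > 203.0.113.20.443: UDP, length 172
10:00:02.000000 IP (tos 0x48, ttl 64, id 4, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.7.60784 > 192.168.1.1.22: Flags [.], ack 1, win 2048, length 0
"""

# Hypothetical policy: which non-default DSCPs each LAN host may set itself.
TRUSTED = {"192.168.1.7": {"cs4", "af21"}}
LAN = "192.168.1.0/24"


def split_tos(tos):
    """Split the 8-bit TOS byte into (6-bit DSCP, 2-bit ECN)."""
    return tos >> 2, tos & 0x3


def dscp_name(dscp):
    """Name of a DSCP code point, or 'dscpN' for values without a standard name."""
    return DSCP_NAMES.get(dscp, f"dscp{dscp}")


def parse_capture(text):
    """Pair each IPv4 header line with the flow line that follows it."""
    packets, pending_tos = [], None
    for line in text.splitlines():
        header = HEADER.search(line)
        if header:
            pending_tos = int(header.group(1), 16)
            continue
        flow = FLOW.match(line)
        if flow and pending_tos is not None:
            dscp, ecn = split_tos(pending_tos)
            packets.append({"src": flow.group(1), "sport": int(flow.group(2)),
                            "dst": flow.group(3), "dport": int(flow.group(4)),
                            "dscp": dscp, "ecn": ecn})
            pending_tos = None
    return packets


def from_lan(packet, lan=LAN):
    """True when the packet's source address is inside the LAN prefix."""
    return ipaddress.ip_address(packet["src"]) in ipaddress.ip_network(lan)


def summarize(packets, lan=LAN):
    """Count packets per (direction, DSCP name)."""
    counts = Counter()
    for p in packets:
        direction = "from-lan" if from_lan(p, lan) else "to-lan"
        counts[(direction, dscp_name(p["dscp"]))] += 1
    return counts


def unexpected_marks(packets, lan=LAN, trusted=TRUSTED):
    """Count LAN-sourced packets whose self-set DSCP is not allowed for that host.

    cs0 (unmarked) is always accepted; anything else must be listed in `trusted`.
    """
    findings = Counter()
    for p in packets:
        name = dscp_name(p["dscp"])
        if not from_lan(p, lan) or name == "cs0":
            continue
        if name not in trusted.get(p["src"], set()):
            findings[(p["src"], name)] += 1
    return findings


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE)
    for key, n in sorted(summarize(pkts).items()):
        print(key, n)
    for (host, name), n in unexpected_marks(pkts).items():
        print(f"review: {host} set {name} on {n} packet(s)")
```

Hosts reported by `unexpected_marks` are candidates for a firewall remapping rule rather than proof of abuse, since applications such as VoIP clients set EF on their own.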
I've tried both cake simple qos and dscp classify and I can't seem for nothing to get my dscp markings on the inbound traffic. I've been fiddling with this all day
port 3074
root@OpenWrt:~# tcpdump udp port 3074 -i br-lan -v -n
tcpdump: listening on br-lan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
06:02:47.714258 IP (tos 0x4, ttl 48, id 21223, offset 0, flags [DF], proto UDP (17), length 1266)
96.30.200.220.30210 > 192.168.1.100.3074: UDP, length 1238
06:02:47.714749 IP (tos 0x4, ttl 48, id 21224, offset 0, flags [DF], proto UDP (17), length 142)
96.30.200.220.30210 > 192.168.1.100.3074: UDP, length 114
06:02:47.741094 IP (tos 0x0, ttl 64, id 25829, offset 0, flags [none], proto UDP (17), length 122)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 94
06:02:47.841420 IP (tos 0x0, ttl 64, id 25803, offset 0, flags [none], proto UDP (17), length 68)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 40
06:02:47.894310 IP (tos 0x4, ttl 48, id 21264, offset 0, flags [DF], proto UDP (17), length 63)
96.30.200.220.30210 > 192.168.1.100.3074: UDP, length 35
06:02:47.914355 IP (tos 0x4, ttl 48, id 21268, offset 0, flags [DF], proto UDP (17), length 64)
96.30.200.220.30210 > 192.168.1.100.3074: UDP, length 36
06:02:49.093821 IP (tos 0x0, ttl 64, id 35084, offset 0, flags [none], proto UDP (17), length 68)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 40
06:02:49.146577 IP (tos 0x4, ttl 48, id 21353, offset 0, flags [DF], proto UDP (17), length 63)
96.30.200.220.30210 > 192.168.1.100.3074: UDP, length 35
06:02:50.348285 IP (tos 0x0, ttl 64, id 37341, offset 0, flags [none], proto UDP (17), length 68)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 40
06:02:50.401329 IP (tos 0x4, ttl 48, id 21621, offset 0, flags [DF], proto UDP (17), length 63)
96.30.200.220.30210 > 192.168.1.100.3074: UDP, length 35
06:02:50.915821 IP (tos 0x0, ttl 64, id 44699, offset 0, flags [none], proto UDP (17), length 249)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 221
06:02:50.966730 IP (tos 0x0, ttl 64, id 53788, offset 0, flags [none], proto UDP (17), length 248)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 220
06:02:51.031676 IP (tos 0x0, ttl 64, id 9792, offset 0, flags [none], proto UDP (17), length 249)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 221
06:02:51.084176 IP (tos 0x0, ttl 64, id 36166, offset 0, flags [none], proto UDP (17), length 250)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 222
06:02:51.150237 IP (tos 0x0, ttl 64, id 15972, offset 0, flags [none], proto UDP (17), length 250)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 222
06:02:51.218853 IP (tos 0x0, ttl 64, id 64152, offset 0, flags [none], proto UDP (17), length 247)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 219
06:02:51.267683 IP (tos 0x0, ttl 64, id 29866, offset 0, flags [none], proto UDP (17), length 243)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 215
06:02:51.333289 IP (tos 0x0, ttl 64, id 25620, offset 0, flags [none], proto UDP (17), length 241)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 213
06:02:51.383372 IP (tos 0x0, ttl 64, id 48774, offset 0, flags [none], proto UDP (17), length 227)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 199
06:02:51.450436 IP (tos 0x0, ttl 64, id 34345, offset 0, flags [none], proto UDP (17), length 201)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 173
06:02:51.516517 IP (tos 0x0, ttl 64, id 26355, offset 0, flags [none], proto UDP (17), length 179)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 151
06:02:51.569017 IP (tos 0x0, ttl 64, id 45348, offset 0, flags [none], proto UDP (17), length 225)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 197
06:02:51.602230 IP (tos 0x0, ttl 64, id 28431, offset 0, flags [none], proto UDP (17), length 68)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 40
06:02:51.635481 IP (tos 0x0, ttl 64, id 7952, offset 0, flags [none], proto UDP (17), length 240)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 212
06:02:51.655080 IP (tos 0x4, ttl 48, id 21922, offset 0, flags [DF], proto UDP (17), length 63)
96.30.200.220.30210 > 192.168.1.100.3074: UDP, length 35
06:02:51.682535 IP (tos 0x0, ttl 64, id 58018, offset 0, flags [none], proto UDP (17), length 229)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 201
06:02:51.750529 IP (tos 0x0, ttl 64, id 45305, offset 0, flags [none], proto UDP (17), length 189)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 161
06:02:51.817277 IP (tos 0x0, ttl 64, id 58042, offset 0, flags [none], proto UDP (17), length 215)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 187
06:02:51.867203 IP (tos 0x0, ttl 64, id 64933, offset 0, flags [none], proto UDP (17), length 240)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 212
06:02:51.933417 IP (tos 0x0, ttl 64, id 19347, offset 0, flags [none], proto UDP (17), length 232)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 204
06:02:51.984325 IP (tos 0x0, ttl 64, id 29949, offset 0, flags [none], proto UDP (17), length 250)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 222
06:02:52.854903 IP (tos 0x0, ttl 64, id 62522, offset 0, flags [none], proto UDP (17), length 68)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 40
06:02:52.908425 IP (tos 0x4, ttl 48, id 22077, offset 0, flags [DF], proto UDP (17), length 63)
96.30.200.220.30210 > 192.168.1.100.3074: UDP, length 35
06:02:53.507345 IP (tos 0x0, ttl 64, id 28081, offset 0, flags [none], proto UDP (17), length 60)
192.168.1.100.3074 > 45.77.192.217.32901: UDP, length 32
06:02:53.551994 IP (tos 0x4, ttl 50, id 43752, offset 0, flags [DF], proto UDP (17), length 60)
45.77.192.217.32901 > 192.168.1.100.3074: UDP, length 32
06:02:54.108953 IP (tos 0x0, ttl 64, id 56302, offset 0, flags [none], proto UDP (17), length 68)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 40
06:02:54.162092 IP (tos 0x4, ttl 48, id 22140, offset 0, flags [DF], proto UDP (17), length 63)
96.30.200.220.30210 > 192.168.1.100.3074: UDP, length 35
06:02:55.362669 IP (tos 0x0, ttl 64, id 57049, offset 0, flags [none], proto UDP (17), length 68)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 40
06:02:55.415293 IP (tos 0x4, ttl 48, id 22348, offset 0, flags [DF], proto UDP (17), length 63)
96.30.200.220.30210 > 192.168.1.100.3074: UDP, length 35
06:02:56.615841 IP (tos 0x0, ttl 64, id 47353, offset 0, flags [none], proto UDP (17), length 68)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 40
06:02:56.668790 IP (tos 0x4, ttl 48, id 22425, offset 0, flags [DF], proto UDP (17), length 63)
96.30.200.220.30210 > 192.168.1.100.3074: UDP, length 35
06:02:57.869510 IP (tos 0x0, ttl 64, id 827, offset 0, flags [none], proto UDP (17), length 68)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 40
06:02:57.922759 IP (tos 0x4, ttl 48, id 22621, offset 0, flags [DF], proto UDP (17), length 63)
96.30.200.220.30210 > 192.168.1.100.3074: UDP, length 35
06:02:58.301525 IP (tos 0x0, ttl 64, id 40819, offset 0, flags [none], proto UDP (17), length 101)
192.168.1.100.3074 > 96.30.200.220.30210: UDP, length 73
06:02:58.356262 IP (tos 0x4, ttl 48, id 22699, offset 0, flags [DF], proto UDP (17), length 64)
96.30.200.220.30210 > 192.168.1.100.3074: UDP, length 36
06:02:59.523921 IP (tos 0x0, ttl 64, id 53431, offset 0, flags [none], proto UDP (17), length 57)
192.168.1.100.3074 > 185.34.107.128.3074: UDP, length 29
Can you please show the output of:
```
cat /etc/config/dscpclassify
cat /etc/config/sqm
nft list table inet dscpclassify
tc filter show dev eth1 egress
```
replace "eth1" with your wan device
cat /etc/config/dscpclassify
config global 'global'
option class_bulk 'le'
option class_high_throughput 'af13'
option client_hints '1'
option threaded_client_min_bytes '10000'
option threaded_service_min_bytes '1000000'
option wmm '0'
config ipset
option name 'xcloud'
option interval '1'
list entry '13.104.0.0/14' # Western Europe
config ipset
option name 'xcloud6'
option family 'ipv6'
option interval '1'
list entry '2603:1000::/24' # Western Europe
config rule
option name 'DNS'
list proto 'tcp'
list proto 'udp'
list dest_port '53'
list dest_port '853'
list dest_port '5353'
option class 'cs5'
config rule
option name 'DoH'
list proto 'tcp'
list proto 'udp'
list dest_ip '8.8.8.8' # Google
list dest_ip '8.8.4.4' # Google
list dest_ip '1.1.1.1' # Cloudflare
list dest_ip '1.0.0.1' # Cloudflare
list dest_ip '9.9.9.9' # Quad9 Secured
list dest_ip '149.112.112.112' # Quad9 Secured
list dest_ip '9.9.9.11' # Quad9 Secured w/ECS
list dest_ip '149.112.112.11' # Quad9 Secured w/ECS
list dest_ip '94.140.14.0/24' # AdGuard
list dest_ip '2001:4860:4860::8888' # Google
list dest_ip '2001:4860:4860::8844' # Google
list dest_ip '2606:4700:4700::1111' # Cloudflare
list dest_ip '2606:4700:4700::1001' # Cloudflare
list dest_ip '2620:fe::fe' # Quad9 Secured
list dest_ip '2620:fe::9' # Quad9 Secured
list dest_ip '2620:fe::11' # Quad9 Secured w/ECS
list dest_ip '2620:fe::fe:11' # Quad9 Secured w/ECS
list dest_ip '2a10:50c0::ad1:ff' # AdGuard
list dest_ip '2a10:50c0::ad2:ff' # AdGuard
list dest_ip '2a10:50c0::ded:ff' # AdGuard Dedicated
list dest_port '443'
option class 'cs5'
config rule
option name 'BOOTP/DHCP'
option proto 'udp'
list dest_port '67'
list dest_port '68'
option class 'cs5'
config rule
option name 'NTP'
option proto 'udp'
option dest_port '123'
option class 'cs5'
config rule
option name 'SSH'
option proto 'tcp'
option dest_port '22'
option class 'cs2'
config rule
option name 'Xbox Cloud Gaming'
option proto 'udp'
option family 'ipv4'
list dest_port '30000-45000'
list dest_port '3074'
option class 'af41'
config rule
option name 'Xbox Cloud Gaming IPv6'
option proto 'udp'
option family 'ipv6'
list dest_port '30000-45000'
list dest_port '3074'
option class 'af41'
config rule
option name 'Microsoft Teams voice'
option proto 'udp'
option src_port '50000-50019'
option dest_port '3478-3481'
list dest_ip '13.107.64.0/18'
list dest_ip '52.112.0.0/14'
list dest_ip '52.122.0.0/15'
list dest_ip '2603:1063::/39'
option class 'ef'
config rule
option name 'Microsoft Teams video'
option proto 'udp'
option src_port '50020-50039'
option dest_port '3478-3481'
list dest_ip '13.107.64.0/18'
list dest_ip '52.112.0.0/14'
list dest_ip '52.122.0.0/15'
list dest_ip '2603:1063::/39'
option class 'af41'
config rule
option name 'Microsoft Teams sharing'
option proto 'udp'
option src_port '50040-50059'
option dest_port '3478-3481'
list dest_ip '13.107.64.0/18'
list dest_ip '52.112.0.0/14'
list dest_ip '52.122.0.0/15'
list dest_ip '2603:1063::/39'
option class 'af21'
config rule
option name 'ICMP'
list proto 'icmp'
list proto 'icmpv6'
option class 'cs5'
option enabled '0'
config rule # A rule which marks all non-HTTP UDP connections from a specific IP as cs4 and count new connection matches
option name 'Game Console non-HTTP'
option proto 'udp'
list src_ip '192.168.1.100'
list dest_port '!80'
list dest_port '!443'
option class 'cs4'
option counter '1'
option enabled '1'
cat /etc/config/sqm
config queue 'eth1'
option enabled '1'
option interface 'wan'
option download '20000'
option upload '20000'
option qdisc 'cake'
option script 'layer_cake_ct.qos'
option linklayer 'ethernet'
option debug_logging '0'
option verbosity '5'
option qdisc_advanced '1'
option squash_dscp '0'
option squash_ingress '0'
option ingress_ecn 'ECN'
option egress_ecn 'NOECN'
option qdisc_really_really_advanced '1'
option iqdisc_opts 'nat dual-dsthost ingress diffserv4'
option eqdisc_opts 'nat dual-srchost ack-filter diffserv4'
option overhead '44'
option linklayer_advanced '1'
option tcMTU '2047'
option tcTSIZE '128'
option tcMPU '64'
option linklayer_adaptation_mechanism 'default'
nft list table inet dscpclassify
root@OpenWrt:~# nft list table inet dscpclassify
table inet dscpclassify {
set threaded_clients {
type ipv4_addr . inet_service . inet_proto
size 65535
flags dynamic,timeout
}
set threaded_clients6 {
type ipv6_addr . inet_service . inet_proto
size 65535
flags dynamic,timeout
}
set threaded_services {
type ipv4_addr . ipv4_addr . inet_service . inet_proto
size 65535
flags dynamic,timeout
}
set threaded_services6 {
type ipv6_addr . ipv6_addr . inet_service . inet_proto
size 65535
flags dynamic,timeout
}
map ct_dscp {
type mark : verdict
elements = { 0x00000000 : goto dscp_set_cs0, 0x00000001 : goto dscp_set_le, 0x00000008 : goto dscp_set_cs1, 0x0000000a : goto dscp_set_af11, 0x0000000c : goto dscp_set_af12,
0x0000000e : goto dscp_set_af13, 0x00000010 : goto dscp_set_cs2, 0x00000012 : goto dscp_set_af21, 0x00000014 : goto dscp_set_af22, 0x00000016 : goto dscp_set_af23,
0x00000018 : goto dscp_set_cs3, 0x0000001a : goto dscp_set_af31, 0x0000001c : goto dscp_set_af32, 0x0000001e : goto dscp_set_af33, 0x00000020 : goto dscp_set_cs4,
0x00000022 : goto dscp_set_af41, 0x00000024 : goto dscp_set_af42, 0x00000026 : goto dscp_set_af43, 0x00000028 : goto dscp_set_cs5, 0x0000002c : goto dscp_set_va,
0x0000002e : goto dscp_set_ef, 0x00000030 : goto dscp_set_cs6, 0x00000038 : goto dscp_set_cs7 }
}
map ct_wmm {
type mark : verdict
elements = { 0x00000000 : goto dscp_set_cs0, 0x00000001 : goto dscp_set_le, 0x00000008 : goto dscp_set_cs1, 0x0000000a : goto dscp_set_cs0, 0x0000000c : goto dscp_set_cs0,
0x0000000e : goto dscp_set_cs0, 0x00000010 : goto dscp_set_cs0, 0x00000012 : goto dscp_set_cs3, 0x00000014 : goto dscp_set_cs3, 0x00000016 : goto dscp_set_cs3,
0x00000018 : goto dscp_set_cs4, 0x0000001a : goto dscp_set_cs4, 0x0000001c : goto dscp_set_cs4, 0x0000001e : goto dscp_set_cs4, 0x00000020 : goto dscp_set_cs4,
0x00000022 : goto dscp_set_cs4, 0x00000024 : goto dscp_set_cs4, 0x00000026 : goto dscp_set_cs4, 0x00000028 : goto dscp_set_cs5, 0x0000002c : goto dscp_set_cs6,
0x0000002e : goto dscp_set_cs6, 0x00000030 : goto dscp_set_cs7, 0x00000038 : goto dscp_set_cs7 }
}
map dscp_ct {
type dscp : verdict
elements = { cs0 : goto ct_set_cs0,
lephb : goto ct_set_le,
cs1 : goto ct_set_cs1,
af11 : goto ct_set_af11,
af12 : goto ct_set_af12,
af13 : goto ct_set_af13,
cs2 : goto ct_set_cs2,
af21 : goto ct_set_af21,
af22 : goto ct_set_af22,
af23 : goto ct_set_af23,
cs3 : goto ct_set_cs3,
af31 : goto ct_set_af31,
af32 : goto ct_set_af32,
af33 : goto ct_set_af33,
cs4 : goto ct_set_cs4,
af41 : goto ct_set_af41,
af42 : goto ct_set_af42,
af43 : goto ct_set_af43,
cs5 : goto ct_set_cs5,
va : goto ct_set_va,
ef : goto ct_set_ef,
cs6 : goto ct_set_cs6,
cs7 : goto ct_set_cs7 }
}
chain dscp_set_cs0 {
ip dscp set cs0
ip6 dscp set cs0
}
chain dscp_set_le {
ip dscp set lephb
ip6 dscp set lephb
}
chain dscp_set_cs1 {
ip dscp set cs1
ip6 dscp set cs1
}
chain dscp_set_af11 {
ip dscp set af11
ip6 dscp set af11
}
chain dscp_set_af12 {
ip dscp set af12
ip6 dscp set af12
}
chain dscp_set_af13 {
ip dscp set af13
ip6 dscp set af13
}
chain dscp_set_cs2 {
ip dscp set cs2
ip6 dscp set cs2
}
chain dscp_set_af21 {
ip dscp set af21
ip6 dscp set af21
}
chain dscp_set_af22 {
ip dscp set af22
ip6 dscp set af22
}
chain dscp_set_af23 {
ip dscp set af23
ip6 dscp set af23
}
chain dscp_set_cs3 {
ip dscp set cs3
ip6 dscp set cs3
}
chain dscp_set_af31 {
ip dscp set af31
ip6 dscp set af31
}
chain dscp_set_af32 {
ip dscp set af32
ip6 dscp set af32
}
chain dscp_set_af33 {
ip dscp set af33
ip6 dscp set af33
}
chain dscp_set_cs4 {
ip dscp set cs4
ip6 dscp set cs4
}
chain dscp_set_af41 {
ip dscp set af41
ip6 dscp set af41
}
chain dscp_set_af42 {
ip dscp set af42
ip6 dscp set af42
}
chain dscp_set_af43 {
ip dscp set af43
ip6 dscp set af43
}
chain dscp_set_cs5 {
ip dscp set cs5
ip6 dscp set cs5
}
chain dscp_set_va {
ip dscp set va
ip6 dscp set va
}
chain dscp_set_ef {
ip dscp set ef
ip6 dscp set ef
}
chain dscp_set_cs6 {
ip dscp set cs6
ip6 dscp set cs6
}
chain dscp_set_cs7 {
ip dscp set cs7
ip6 dscp set cs7
}
chain ct_set_cs0 {
ct mark set ct mark & 0xffffff40 | 0x00000040
}
chain ct_set_le {
ct mark set ct mark & 0xffffff01 | 0x00000001
}
chain ct_set_cs1 {
ct mark set ct mark & 0xffffff08 | 0x00000008
}
chain ct_set_af11 {
ct mark set ct mark & 0xffffff0a | 0x0000000a
}
chain ct_set_af12 {
ct mark set ct mark & 0xffffff0c | 0x0000000c
}
chain ct_set_af13 {
ct mark set ct mark & 0xffffff0e | 0x0000000e
}
chain ct_set_cs2 {
ct mark set ct mark & 0xffffff10 | 0x00000010
}
chain ct_set_af21 {
ct mark set ct mark & 0xffffff12 | 0x00000012
}
chain ct_set_af22 {
ct mark set ct mark & 0xffffff14 | 0x00000014
}
chain ct_set_af23 {
ct mark set ct mark & 0xffffff16 | 0x00000016
}
chain ct_set_cs3 {
ct mark set ct mark & 0xffffff18 | 0x00000018
}
chain ct_set_af31 {
ct mark set ct mark & 0xffffff1a | 0x0000001a
}
chain ct_set_af32 {
ct mark set ct mark & 0xffffff1c | 0x0000001c
}
chain ct_set_af33 {
ct mark set ct mark & 0xffffff1e | 0x0000001e
}
chain ct_set_cs4 {
ct mark set ct mark & 0xffffff20 | 0x00000020
}
chain ct_set_af41 {
ct mark set ct mark & 0xffffff22 | 0x00000022
}
chain ct_set_af42 {
ct mark set ct mark & 0xffffff24 | 0x00000024
}
chain ct_set_af43 {
ct mark set ct mark & 0xffffff26 | 0x00000026
}
chain ct_set_cs5 {
ct mark set ct mark & 0xffffff28 | 0x00000028
}
chain ct_set_va {
ct mark set ct mark & 0xffffff2c | 0x0000002c
}
chain ct_set_ef {
ct mark set ct mark & 0xffffff2e | 0x0000002e
}
chain ct_set_cs6 {
ct mark set ct mark & 0xffffff30 | 0x00000030
}
chain ct_set_cs7 {
ct mark set ct mark & 0xffffff38 | 0x00000038
}
chain input {
type filter hook input priority filter + 2; policy accept;
iifname "lo" return
ct mark & 0x000000ff == 0x00000000 ct direction original jump static_classify
ct mark & 0x00000080 == 0x00000080 jump dynamic_classify
}
chain postrouting {
type filter hook postrouting priority filter + 2; policy accept;
oifname "lo" return
ct mark & 0x000000ff == 0x00000000 ct direction original jump static_classify
ct mark & 0x00000080 == 0x00000080 jump dynamic_classify
ct mark & 0x0000003f vmap @ct_dscp
}
chain static_classify {
udp dport != { 80, 443 } ip saddr 192.168.2.100 counter packets 0 bytes 0 goto ct_set_af21 comment "Consoles ps5"
ip dscp != { cs0, cs6, cs7 } iifname != "wan" ip dscp vmap @dscp_ct
ip6 dscp != { cs0, cs6, cs7 } iifname != "wan" ip6 dscp vmap @dscp_ct
meta l4proto != { tcp, udp } goto ct_set_cs0
ct mark set ct mark & 0xffffff80 | 0x00000080
}
chain dynamic_classify {
ct status & seen-reply != seen-reply return
ct direction reply goto dynamic_classify_reply
ip saddr . th sport . meta l4proto @threaded_clients goto threaded_client
ip6 saddr . th sport . meta l4proto @threaded_clients6 goto threaded_client
ip saddr . ip daddr & 255.255.255.0 . th dport . meta l4proto @threaded_services goto threaded_service
ip6 saddr . ip6 daddr & ffff:ffff:ffff:: . th dport . meta l4proto @threaded_services6 goto threaded_service
}
chain dynamic_classify_reply {
ct reply packets 1 jump established_connection
ip daddr . th dport . meta l4proto @threaded_clients goto threaded_client_reply
ip6 daddr . th dport . meta l4proto @threaded_clients6 goto threaded_client_reply
ip daddr . ip saddr & 255.255.255.0 . th sport . meta l4proto @threaded_services goto threaded_service_reply
ip6 daddr . ip6 saddr & ffff:ffff:ffff:: . th sport . meta l4proto @threaded_services6 goto threaded_service_reply
}
chain established_connection {
meter tc_detect size 65535 { ip daddr . th dport . meta l4proto timeout 5s limit rate over 9/minute } add @threaded_clients { ip daddr . th dport . meta l4proto timeout 30s }
meter tc_detect6 size 65535 { ip6 daddr . th dport . meta l4proto timeout 5s limit rate over 9/minute } add @threaded_clients6 { ip6 daddr . th dport . meta l4proto timeout 30s }
meter ts_detect size 65535 { ip daddr . ip saddr & 255.255.255.0 . th sport . meta l4proto timeout 5s limit rate over 2/minute } add @threaded_services { ip daddr . ip saddr & 255.255.255.0 . th sport . meta l4proto timeout 30s }
meter ts_detect6 size 65535 { ip6 daddr . ip6 saddr & ffff:ffff:ffff:: . th sport . meta l4proto timeout 5s limit rate over 2/minute } add @threaded_services6 { ip6 daddr . ip6 saddr & ffff:ffff:ffff:: . th sport . meta l4proto timeout 30s }
}
chain threaded_client {
meter tc_orig_bulk size 65535 { ip saddr . th sport . meta l4proto timeout 5m limit rate over 9999 bytes/hour } update @threaded_clients { ip saddr . th sport . meta l4proto timeout 5m } goto ct_set_le
meter tc_orig_bulk6 size 65535 { ip6 saddr . th sport . meta l4proto timeout 5m limit rate over 9999 bytes/hour } update @threaded_clients6 { ip6 saddr . th sport . meta l4proto timeout 5m } goto ct_set_le
}
chain threaded_client_reply {
meter tc_reply_bulk size 65535 { ip daddr . th dport . meta l4proto timeout 5m limit rate over 9999 bytes/hour } update @threaded_clients { ip daddr . th dport . meta l4proto timeout 5m } goto ct_set_le
meter tc_reply_bulk6 size 65535 { ip6 daddr . th dport . meta l4proto timeout 5m limit rate over 9999 bytes/hour } update @threaded_clients6 { ip6 daddr . th dport . meta l4proto timeout 5m } goto ct_set_le
}
chain threaded_service {
ct original bytes < 1000000 return
update @threaded_services { ip saddr . ip daddr & 255.255.255.0 . th dport . meta l4proto timeout 5m }
update @threaded_services6 { ip6 saddr . ip6 daddr & ffff:ffff:ffff:: . th dport . meta l4proto timeout 5m }
goto ct_set_af13
}
chain threaded_service_reply {
ct reply bytes < 1000000 return
update @threaded_services { ip daddr . ip saddr & 255.255.255.0 . th sport . meta l4proto timeout 5m }
update @threaded_services6 { ip6 daddr . ip6 saddr & ffff:ffff:ffff:: . th sport . meta l4proto timeout 5m }
goto ct_set_af13
}
}
root@OpenWrt:~#
tc filter show dev wan egress
root@OpenWrt:~# tc filter show dev wan egress
filter parent ffff: protocol all pref 49152 matchall chain 0
filter parent ffff: protocol all pref 49152 matchall chain 0 handle 0x1
not_in_hw
action order 1: ctinfo zone 0 pipe
index 1 ref 1 bind 1 dscp 0x0000003f 0000000000
action order 2: mirred (Egress Redirect to device ifb4wan) stolen
index 1 ref 1 bind 1
root@OpenWrt:~#
It appears there is an issue with your static_classify chain. This nftables chain should include all the rules defined in /etc/config/dscpclassify, but currently, the only rule present is the non-HTTP traffic rule and it also has the incorrect IP address 192.168.2.100.
How did you edit the configuration file? Did you perhaps edit the file in Windows and save it with incorrect line endings?
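One way to run the line-ending check asked about above on the router itself, as an added example that is not part of the original post or of the dscpclassify project. The function names are hypothetical, and counting `config rule` sections assumes the file uses that UCI section type.

```shell
#!/bin/sh
# Added example: look for Windows-editor damage in a UCI config file.
CR=$(printf '\r')

# Number of lines that end in a carriage return (CRLF line endings).
crlf_count() { grep -c "${CR}\$" "$1" || true; }

# Line numbers of the first five CRLF lines, space separated.
crlf_lines() { grep -n "${CR}\$" "$1" | cut -d: -f1 | head -n 5 | tr '\n' ' '; }

# True if the file starts with a UTF-8 byte order mark (EF BB BF).
has_bom() { [ "$(head -c 3 "$1")" = "$(printf '\357\273\277')" ]; }

# Number of "config rule" sections (assumed section type, see lead-in).
rule_sections() { grep -cE '^[[:space:]]*config[[:space:]]+rule' "$1" || true; }

# Print the file with every carriage return removed.
strip_cr() { tr -d '\r' < "$1"; }

# Report findings; returns 0 if clean, 1 if damaged, 2 if unreadable.
check_config() {
    f=${1:-/etc/config/dscpclassify}
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    bad=0
    n=$(crlf_count "$f")
    if [ "$n" -gt 0 ]; then
        echo "$f: $n line(s) end in CR, first at line(s): $(crlf_lines "$f")"
        bad=1
    fi
    if has_bom "$f"; then
        echo "$f: starts with a UTF-8 byte order mark"
        bad=1
    fi
    echo "$f: $(rule_sections "$f") 'config rule' section(s) found"
    return "$bad"
}

# Run the check when a file is given on the command line.
if [ "$#" -gt 0 ]; then check_config "$1"; fi
```

If the check reports CR line endings, `strip_cr /etc/config/dscpclassify > /tmp/dscpclassify.unix` writes a cleaned copy to review before replacing the original.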