This will configure the ingress qdisc to use besteffort instead of the default diffserv3. However the i/eqdisc opts will still override this*. The goal here is to simply ignore DSCPs by treating all DSCPs identical and avoid busywork, by first re-setting DSCPs and then still sort packets into the different tins (where all will end up in the besteffort tin once the DSCP has been changed to 0 anyways, so the sorting is useless work).
The way tc parses cake's options means that for any "class" of parameters the latest "wins", so with a sequence of diffserv3 ... besteffort ... diffserv4, diffserv4 will be selected.
Without any over-ride options configured the outcome is going to be:
squash_ingress = TRUE: `diffserv3 ... besteffort` -> besteffort
squash_ingress = FALSE: `diffserv3 ...` -> diffserv3
I just checked, diffserv8 actually sorts AF11-3 into tin 1 while besteffort resides in tin 2, while diffserv3/4 treat AF11-3 exactly like CS0. So not sure how to concisely describe that, but "prioritised amongst Best Effort" seems not intuitive to say, priority <= besteffort, no?
The service config file now supports specifying the number of connections required to classify a client or service as threaded (i.e. P2P/multi connection Steam downloads).
Refactored the code to support service reloads using the current snapshot build nft binaries (versions >1.0.2)
I suspect it is in fact working for you. That shell message would be generated by the status check I introduced for correctly handling service reload, line of code responsible below:
service dscpclassify status 2>/dev/null
I'll suppress this in a quick commit to avoid confusion (I'd already suppressed stderr).
You can manually check if the service has started successfully and created the dscpclassify firewall table by running:
nft list table inet dscpclassify
I added one rule so far for Webex, although I don't think it's perfect yet
config rule
option name 'Webex video/audio'
option proto 'udp'
# 'list' keeps every port; a repeated 'option' keeps only the last value
list dest_port '9000'
list dest_port '5004'
list dest_ip '23.89.0.0/16'
list dest_ip '62.109.192.0/18'
list dest_ip '64.68.96.0/19'
list dest_ip '66.114.160.0/20'
list dest_ip '66.163.32.0/19'
list dest_ip '69.26.160.0/19'
list dest_ip '114.29.192.0/19'
list dest_ip '150.253.128.0/17'
list dest_ip '170.72.0.0/16'
list dest_ip '170.133.128.0/18'
list dest_ip '173.39.224.0/19'
list dest_ip '173.243.0.0/20'
list dest_ip '207.182.160.0/19'
list dest_ip '209.197.192.0/19'
list dest_ip '210.4.192.0/20'
list dest_ip '216.151.128.0/19'
option class 'af41'
Although, since my Webex meetings are over VPN, I don't think it's working, as all my flows are going to best effort with a little going to voice, probably for phone Wi-Fi calling.
Is the VPN on your client device or router? OpenWrt won't be able to see packet destinations/ports within a VPN connection established from a client device.
Should I be seeing traffic being passed into the different tins like bulk and video? I still do not see anything in these ones, only a little in voice and most in best effort. Curious if your output is different than mine.
Depends on what your DSCPCLASSIFY config looks like.
What is the output of:
cat /etc/config/sqm
cat /etc/config/dscpclassify
Also keep in mind that with the latest version there seems to be a bug with the automatic reload of DSCPCLASSIFY after a reboot or if an interface is down, so first check if it is running properly:
nft list table inet dscpclassify
or you can also check via LuCI Status/Firewall and search for "dscpclassify" or just scroll down...
config global 'global'
option class_bulk 'le'
option class_high_throughput 'af13'
option client_hints '1'
option threaded_client_min_bytes '10000'
option threaded_service_min_bytes '1000000'
option wmm '0'
config rule
option name 'DNS'
list proto 'tcp'
list proto 'udp'
list dest_port '53'
list dest_port '853'
list dest_port '5353'
option class 'cs5'
config rule
option name 'DoH'
list proto 'tcp'
list proto 'udp'
list dest_ip '8.8.8.8' # Google
list dest_ip '8.8.4.4' # Google
list dest_ip '1.1.1.1' # Cloudflare
list dest_ip '1.0.0.1' # Cloudflare
list dest_ip '9.9.9.9' # Quad9 Secured
list dest_ip '149.112.112.112' # Quad9 Secured
list dest_ip '9.9.9.11' # Quad9 Secured w/ECS
list dest_ip '149.112.112.11' # Quad9 Secured w/ECS
list dest_ip '94.140.14.0/24' # AdGuard
list dest_ip '2001:4860:4860::8888' # Google
list dest_ip '2001:4860:4860::8844' # Google
list dest_ip '2606:4700:4700::1111' # Cloudflare
list dest_ip '2606:4700:4700::1001' # Cloudflare
list dest_ip '2620:fe::fe' # Quad9 Secured
list dest_ip '2620:fe::9' # Quad9 Secured
list dest_ip '2620:fe::11' # Quad9 Secured w/ECS
list dest_ip '2620:fe::fe:11' # Quad9 Secured w/ECS
list dest_ip '2a10:50c0::ad1:ff' # AdGuard
list dest_ip '2a10:50c0::ad2:ff' # AdGuard
list dest_ip '2a10:50c0::ded:ff' # AdGuard Dedicated
list dest_port '443'
option class 'cs5'
config rule
option name 'BOOTP/DHCP'
option proto 'udp'
list dest_port '67'
list dest_port '68'
option class 'cs5'
config rule
option name 'NTP'
option proto 'udp'
option dest_port '123'
option class 'cs5'
config rule
option name 'SSH'
option proto 'tcp'
option dest_port '22'
option class 'cs2'
config rule
option name 'Microsoft Teams voice'
option proto 'udp'
option src_port '50000-50019'
list dest_ip '13.107.64.0/18'
list dest_ip '52.112.0.0/14'
list dest_ip '52.122.0.0/15'
list dest_ip '2603:1063::/39'
option class 'ef'
config rule
option name 'Microsoft Teams video'
option proto 'udp'
option src_port '50020-50039'
option dest_port '3478-3481'
list dest_ip '13.107.64.0/18'
list dest_ip '52.112.0.0/14'
list dest_ip '52.122.0.0/15'
list dest_ip '2603:1063::/39'
option class 'af41'
config rule
option name 'Microsoft Teams sharing'
option proto 'udp'
option src_port '50040-50059'
option dest_port '3478-3481'
list dest_ip '13.107.64.0/18'
list dest_ip '52.112.0.0/14'
list dest_ip '52.122.0.0/15'
list dest_ip '2603:1063::/39'
option class 'af21'
config rule
option name 'Webex video/audio'
option proto 'udp'
# 'list' keeps every port; a repeated 'option' keeps only the last value
list dest_port '9000'
list dest_port '5004'
list dest_port '4501'
list dest_ip '23.89.0.0/16'
list dest_ip '62.109.192.0/18'
list dest_ip '64.68.96.0/19'
list dest_ip '66.114.160.0/20'
list dest_ip '66.163.32.0/19'
list dest_ip '69.26.160.0/19'
list dest_ip '114.29.192.0/19'
list dest_ip '150.253.128.0/17'
list dest_ip '170.72.0.0/16'
list dest_ip '170.133.128.0/18'
list dest_ip '173.39.224.0/19'
list dest_ip '173.243.0.0/20'
list dest_ip '207.182.160.0/19'
list dest_ip '209.197.192.0/19'
list dest_ip '210.4.192.0/20'
list dest_ip '216.151.128.0/19'
option class 'af41'
config rule # A rule which marks all non-HTTP UDP connections from a specific IP as cs4
option name 'Game Console non-HTTP'
option proto 'udp'
list src_ip '192.168.107.100'
list dest_port '!80'
list dest_port '!443'
option class 'cs4'
config rule
option name 'Google Meet'
option proto 'udp'
option dest_port '19302-19309'
list dest_ip '142.250.82.0/24'
option class 'af41'
The nft list table inet dscpclassify command spits out the full config, looks like
I've also been doing a restart of the service instead of reloads when changing the config.
I've been testing Webex and thought I'd see the metrics in the video tin reflect it.
Within a VPN connection everything will be sent over one specific port to a fixed destination IP. Mostly port 1194 or 443, so you can’t really target one specific port or IP.
You could try to establish the VPN connection directly from your router and use Policy Routing to just send traffic from your specific client over the VPN.
The config looks good to me, everything should work as expected… if you are unsure if it works you can just use a client which has no VPN connection and just ping 8.8.8.8 and make a rule to mark ICMP or 8.8.8.8 to cake's video tin…
I was able to bump a Webex session outside of the VPN to dst IP on port 4501, matching the Webex rule in dscpclassify. However, I would have expected to see the tin metrics increase for video, no? Or is my af41 classification not mapping to this tin?
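An added example, not part of any post in this thread and not dscpclassify's own code: a simplified model of how a rule match on the outer packet header leads to a cake tin, covering both the VPN point and the af41 question above. It assumes cake runs in diffserv4 mode with the tin membership listed in tc-cake(8), treats every specified rule field as required, and does not model dscpclassify's dynamic classification of unmatched connections; `classify`, `tin`, `RULES` and the sample addresses are hypothetical.

```python
import ipaddress

# Standard DSCP code points for the class names used in the configs above.
DSCP = {"cs0": 0, "le": 1, "af13": 14, "cs2": 16, "af21": 18,
        "cs4": 32, "af41": 34, "cs5": 40, "ef": 46}

# cake diffserv4 tins per tc-cake(8), TOS code points omitted; the rest is Best Effort.
BULK = {1, 8}                                          # LE, CS1
VIDEO = {16, 18, 20, 22, 24, 26, 28, 30, 34, 36, 38}   # CS2, CS3, AF2x-AF4x
VOICE = {32, 40, 44, 46, 48, 56}                       # CS4, CS5, VA, EF, CS6, CS7

def tin(dscp):
    """Name of the diffserv4 tin a DSCP value is sorted into."""
    for name, members in (("Bulk", BULK), ("Video", VIDEO), ("Voice", VOICE)):
        if dscp in members:
            return name
    return "Best Effort"

# Constructed subset of the thread's rules (two of the Webex prefixes only).
RULES = [
    {"name": "Webex video/audio", "proto": "udp",
     "dest_ip": ["62.109.192.0/18", "170.72.0.0/16"],
     "dest_port": ["9000", "5004", "4501"], "class": "af41"},
    {"name": "NTP", "proto": "udp", "dest_port": ["123"], "class": "cs5"},
]

def port_ok(port, specs):
    """True if port equals a listed port or falls inside a 'lo-hi' range."""
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (s.partition("-") for s in specs))

def classify(proto, dest_ip, dest_port, rules=RULES):
    """Return (rule name, class, tin) for the header fields the router sees."""
    ip = ipaddress.ip_address(dest_ip)
    for r in rules:
        if r["proto"] != proto:
            continue
        nets = r.get("dest_ip")
        if nets and not any(ip in ipaddress.ip_network(n) for n in nets):
            continue
        if "dest_port" in r and not port_ok(dest_port, r["dest_port"]):
            continue
        return r["name"], r["class"], tin(DSCP[r["class"]])
    return None, "cs0", tin(DSCP["cs0"])   # no static rule matched

# Constructed flows: direct Webex media, then the same call inside a client VPN,
# where the router sees only the tunnel endpoint (203.0.113.7 is a placeholder).
direct = classify("udp", "170.72.10.5", 4501)
tunnelled = classify("udp", "203.0.113.7", 1194)
```

Under these assumptions the cs5 rules (DNS, DHCP, NTP) land in the Voice tin, while af41, af21 and cs2 land in Video.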