DSCP Markings only on incoming

can anyone help or explain what i have done wrong. i have setup sqm and have maked the ip address of 192.168.1.160 as cs6. I can see that it works with incoming packets as they are labeled 0xc0, but outgoing from that device they are set as 0x0. i have tried all manor of ways to try and get the outgoing packets labeled correctly but i have now run out of ideas. i am very new to openwrt and sqm-dscp markings so if i don't need them to be marked outgoing then please tell me as i have been going round and round in circles for days now.
what i see in tcpdump -i br-lan -v -n 'ip and host 192.168.1.160' is

03:15:53.033716 IP (tos 0x0, ttl 64, id 49502, offset 0, flags [DF], proto TCP (6), length 52)
192.168.1.160.55948 > 93.96.225.33.443: Flags [.], cksum 0x3a09 (correct), ack 118444, win 4579, options [nop,nop,TS val 15871652 ecr 1915725143], length 0
03:15:53.033811 IP (tos 0xc0, ttl 60, id 2100, offset 0, flags [DF], proto TCP (6), length 1486)
93.96.225.33.443 > 192.168.1.160.55948: Flags [.], cksum 0x1712 (correct), seq 125614:127048, ack 476, win 1432, options [nop,nop,TS val 1915725152 ecr 15871647], length 1434

my sqm file looks like this.
config queue 'eth1'
option enabled '1'
option interface 'eth1'
option download '34430' # 90% of your Line Rate - Downstream
option upload '7648' # 90% of your Line Rate - Upstream
option qdisc 'cake'
option script 'layer_cake_ct.qos'
option qdisc_advanced '1'
option ingress_ecn 'ECN'
option egress_ecn 'ECN'
option qdisc_really_really_advanced '1'
option itarget 'auto'
option etarget 'auto'
option linklayer 'ethernet'
option overhead '34'
option linklayer_advanced '1'
option tcMTU '2047'
option tcTSIZE '128'
option tcMPU '64'
option linklayer_adaptation_mechanism 'default'
option iqdisc_opts 'nat dual-dsthost ingress diffserv4'
option eqdisc_opts 'nat dual-srchost ack-filter diffserv4'
option debug_logging '1'
option verbosity '5'
option squash_dscp '0'
option squash_ingress '0'

and the firewall rules that deals with the 192.168.1.160 are
config rule
option name 'DSCP Marking for Sky Glass TV WAN'
option src 'wan'
option dest 'lan'
option target 'DSCP'
option set_dscp 'CS6'
list dest_ip '192.168.1.160'
list proto 'all'

config rule
option name 'DSCP Sky TV Out'
option src 'lan'
option dest 'wan'
option target 'DSCP'
option set_dscp 'CS6'
list src_ip '192.168.1.160'
list proto 'all'
If anyone can explain if i've done something wrong or this isn't how dscp markings work, much appreciated. as chatgpt is going around in circles and has twice killed my router.....
Thanks

oh and version i'm using
|---|---|
|Model|Raspberry Pi 4 Model B Rev 1.5|
|Architecture|ARMv8 Processor rev 3|
|Target Platform|bcm27xx/bcm2711|
|Firmware Version|OpenWrt SNAPSHOT r26801-e04533ae7b / LuCI Master 24.158.03388~a6f8361|
|Kernel Version|6.6.35|

That’s about right. When using tcpdump on br-lan, the packets from the LAN device to the router haven’t been processed by the firewall rules yet, so they likely will be CS0, as you see them.

Packets going from the router to your LAN device have been through the firewall and are marked as CS6.

To see the upload packets marked, you need to tcpdump on the eth1 wan interface, but the source private IP will already be natted to your public WAN IP, so you need to pay more attention to the remote IP for proof of DSCP marks in the output.

Thank you. That’s what I was wondering. As I said I’m pretty new to dscp markings and how they work, and as you explain it there I feel stupid for not realising that.... of course they won't be marked until they hit the firewall.....

Thank you.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.