Help me configure my SQM for videoconferencing and gaming

I need my clients to have Wi-Fi that works for teleworking, and so that their children can play on the console at the same time or not. I have to assign DHCP and static addresses to the PCs on LAN and Wi-Fi.

And my PS4 console is on LAN, but in several scenarios their child may play on Wi-Fi; is it enough to assign the PS4 on Wi-Fi, is that right?

this is my config :slight_smile:

To be precise, it is important for me to have Wi-Fi and LAN for gaming and teleworking :slight_smile: thanks for the help in advance @segal_72 @dlakelan @EXREYFOX @moeller0 @dtaht

This is my firewall config:

config include
        option path '/etc/firewall.user'

config rule
        option name 'ZOOM TRAFFIC '
        list proto 'udp'
        option src 'wan'
        option src_port '3478-3479 8801-8802'
        option dest '*'
        option dest_port '3478-3479 8801-8802'
        option target 'DSCP'
        option set_dscp 'CS4'

config redirect
        option target 'DNAT'
        option name 'DMZ'
        option src 'wan'
        option src_dport '1-65535'
        option dest 'lan'
        option dest_ip '192.168.2.167'
        option dest_port '1-65535'

config rule
        option name 'GOOGLE MEET TRAFFIC'
        list proto 'udp'
        option src 'wan'
        option src_port '19302-19309'
        option dest '*'
        option dest_port '19302-19309'
        option target 'DSCP'
        option set_dscp 'CS4'

config rule
        option name 'WEBEX'
        list proto 'udp'
        option src 'wan'
        option src_port '9000'
        option dest_port '9000'
        option target 'DSCP'
        option set_dscp 'CS4'
        option dest '*'

config rule
        option name 'BOOST TEAMVIEWER'
        option src 'wan'
        option src_port '5938'
        option dest '*'
        option dest_port '5938'
        option target 'DSCP'
        option set_dscp 'CS4'

config rule
        option name 'COD UDP 1'
        option family 'ipv4'
        list proto 'udp'
        option src 'wan'
        option src_port '3074'
        option dest '*'
        option dest_port '30000-45000'
        option target 'DSCP'
        option set_dscp 'CS4'

config rule
        option name 'COD UDP 2'
        list proto 'udp'
        option src 'wan'
        option src_port '30000-45000'
        option dest '*'
        option dest_port '3074'
        option target 'DSCP'
        option set_dscp 'CS4'

config rule
        option name 'COD TCP 1'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option src_port '3074'
        option dest '*'
        option dest_port '50000-65000'
        option target 'DSCP'
        option set_dscp 'CS4'

config rule
        option name 'COD TCP 2'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option src_port '50000-65000'
        option dest '*'
        option dest_port '3074'
        option target 'DSCP'
        option set_dscp 'CS4'

config rule
        option name 'FIFA 20'
        option family 'ipv4'
        list proto 'udp'
        option src 'wan'
        option src_port '3659'
        option dest '*'
        option dest_port '3659'
        option target 'DSCP'
        option set_dscp 'CS4'

config rule
        option name 'FIFA UDP 3'
        option family 'ipv4'
        list proto 'udp'
        option src 'wan'
        option src_port '9999'
        option dest '*'
        option dest_port '9999'
        option target 'DSCP'
        option set_dscp 'CS4'

config rule
        option name 'FORNITE UDP 1'
        option family 'ipv4'
        option src 'wan'
        option src_port '9000-10000'
        option dest '*'
        option dest_port '50000-65000'
        option target 'DSCP'
        option set_dscp 'CS4'
        list proto 'udp'

config rule
        option name 'FORNITE UDP 2'
        option family 'ipv4'
        list proto 'udp'
        option src 'wan'
        option src_port '50000-65000'
        option dest_port '9000-10000'
        option target 'DSCP'
        option set_dscp 'CS4'
        option dest '*'

config rule
        option name 'ACK RULES COD 1'
        list proto 'tcp'
        option src 'wan'
        option src_port '80'
        option dest '*'
        option dest_port '50000-65000'
        option target 'DSCP'
        option set_dscp 'CS4'
        option family 'ipv4'
        option limit '128/second'

config rule
        option name 'ACK RULES COD 2'
        list proto 'tcp'
        option src 'wan'
        option src_port '50000-65000'
        option dest '*'
        option dest_port '80'
        option target 'DSCP'
        option set_dscp 'CS4'
        option family 'ipv4'
        option limit '128/second'

config rule
        option name 'SYN RULES COD 1'
        list proto 'tcp'
        option src 'wan'
        option src_port '443'
        option dest '*'
        option dest_port '50000-65000'
        option target 'DSCP'
        option set_dscp 'CS4'
        option family 'ipv4'
        option limit '1024/second'

config rule
        option name 'SYN RULES COD 2'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option src_port '50000-65000'
        option dest '*'
        option dest_port '443'
        option target 'DSCP'
        option set_dscp 'CS4'
        option limit '1024/second'


My SQM config now:

root@OpenWrt:~# cat /etc/config/sqm

config queue 'eth1'
        option interface 'eth1'
        option qdisc 'cake'
        option script 'piece_of_cake.qos'
        option ingress_ecn 'ECN'
        option egress_ecn 'ECN'
        option itarget 'auto'
        option etarget 'auto'
        option enabled '1'
        option download '0'
        option upload '16000'
        option debug_logging '0'
        option verbosity '5'
        option qdisc_advanced '1'
        option squash_dscp '1'
        option squash_ingress '1'
        option qdisc_really_really_advanced '1'
        option iqdisc_opts 'nat dual-dsthost ingress'
        option eqdisc_opts 'nat dual-srchost ack-filter'
        option linklayer 'ethernet'
        option overhead '44'
        option linklayer_advanced '1'
        option tcMTU '2047'
        option tcTSIZE '128'
        option tcMPU '0'
        option linklayer_adaptation_mechanism 'cake'

config queue
        option enabled '1'
        option download '0'
        option upload '56000'
        option debug_logging '0'
        option verbosity '5'
        option qdisc 'cake'
        option script 'piece_of_cake.qos'
        option qdisc_advanced '1'
        option squash_dscp '1'
        option squash_ingress '1'
        option ingress_ecn 'ECN'
        option egress_ecn 'NOECN'
        option qdisc_really_really_advanced '1'
        option iqdisc_opts 'nat dual-dsthost ingress'
        option eqdisc_opts 'nat dual-srchost ack-filter'
        option linklayer 'ethernet'
        option overhead '44'
        option linklayer_advanced '1'
        option tcMTU '2047'
        option tcTSIZE '128'
        option tcMPU '0'
        option linklayer_adaptation_mechanism 'cake'
        option interface 'eth0'

config queue
        option enabled '1'
        option interface 'radio0.network1'
        option download '0'
        option upload '56000'
        option debug_logging '0'
        option verbosity '5'
        option qdisc 'cake'
        option script 'piece_of_cake.qos'
        option qdisc_advanced '1'
        option squash_dscp '1'
        option squash_ingress '1'
        option ingress_ecn 'ECN'
        option egress_ecn 'NOECN'
        option qdisc_really_really_advanced '1'
        option iqdisc_opts 'nat dual-dsthost ingress'
        option eqdisc_opts 'nat dual-srchost ack-filter'
        option linklayer 'ethernet'
        option overhead '44'
        option linklayer_advanced '1'
        option tcMTU '2047'
        option tcTSIZE '128'
        option tcMPU '0'
        option linklayer_adaptation_mechanism 'cake'


I often play COD and FPS games, and with this test and these settings my gameplay is very, very fast.

I never had fluid gameplay before the settings I use now.
Bufferbloat test with my PC on Wi-Fi, with my PS4 plugged in and turned on

Now my PC on LAN, PS4 still connected

I use these settings for COD and it is very powerful :slight_smile: but I'm just not sure about the ACK rules; COD UDP and COD TCP are very fast when the rules are enabled :stuck_out_tongue:

This seems like a good setup. If you use a console with a static IP you might do 100% of UDP to/from the console as CS4; it could help if you play different games where you don't have the ports listed.

Is there anything you find is not working well?

1 Like

OK, thank you for your info dlakelan

It works well, but I'm not sure about the ACK/SYN rules; I set a packet limit of 1024/sec for SYN and 128/sec for ACK,
but I doubt this config, as I saw in Wireshark the traffic on port 3074 for Call of Duty ... :slight_smile:

The question I am asking myself is how to avoid port conflicts between different games.

Your answer is clear; according to you, I should allow all UDP and make every game for TCP??

Is that right?

Yeah, this seems not needed. It's good to keep the config simple; any rules that don't seem to make a difference should be removed so that the rules are easy to understand.

1 Like

OK, it works very well

Thanks for your fast response

Now I would like to prioritize Zoom, TeamViewer etc. for my PC on LAN and Wi-Fi; how do I do that please?

I use another one, I suppose? Like CS5 or AF41 :stuck_out_tongue:

I think CS4 probably works well for Zoom, etc. You want it in the WMM video queue, not voice, so I think CS4 works. If too much bandwidth goes into voice it breaks.

1 Like

The CS4 rules made for TeamViewer etc., and leave them in UDPGAME, because if I add a LAN address the DSCP does not work and I have to add any/forward, otherwise no traffic rules

Is that correct?

Traffic rules:

TeamViewer, Zoom etc. deleted ... in traffic rules, replaced by 100udpgame?

Hello Juju, good job :slight_smile:

Juju, do you want to limit ACK flooding? I think the game is more responsive with award winning ICMP ... iptables -t mangle -A FORWARD -p icmp -j DSCP --set-dscp-class EF ... ICMP also as high priority, especially for the ACC ping time. Or else iptables -t mangle -A FORWARD -p icmp -j DSCP --set-dscp-class CS6, iptables -t mangle -A POSTROUTING -p icmp -j DSCP --set-dscp-class CS6

1 Like

The question is how well it works? No substitute for testing.

When I say 100% UDP for the game machine I mean so that you don't have to list ports. For Zoom and TeamViewer etc. you will have to list ports; that is ok.

1 Like

OK, so can I add it like this?

##jitsi

10000 udp src dst

zoom

sports 3478:3479,8801:8802 and dest

etc ...

A little like your script, but directly in the traffic rules??

It should work

1 Like


OK dlakelan, so with UDP games it works

but packets are not classified; I will test with source port, destination port all, and TCP

But my question is: am I exposing my PC to viruses or not?

Like, are all-port traffic rules different from a port forward ... you understand my question?? lol

If you are just changing tags it is not a security issue. Not like a port forward.

1 Like

Remember, you don't see packets classified when they are received, only after they go through the firewall and are then sent.

1 Like

Thanks a lot, it works perfectly :wink:

I keep repeating myself (but since I love hearing myself, I am also enjoying it), but ports approximately above port 1000 are ephemeral and any application can use them, so solely relying on port numbers carries a (small) risk. If possible it seems less risky to use IP address + port numbers; like the PS4's statically assigned IP address and the game's known port number ranges seems much less likely to trigger false positive up-prioritizations of packets never intended for VIP treatment.

2 Likes
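To make the point above concrete, here is an added example (not code from the thread or from OpenWrt) that parses UCI firewall text like the rules posted earlier and flags two things a defender would want to see: DSCP rules that match only on ephemeral-range ports without a src_ip/dest_ip, and a DNAT redirect that forwards the whole port range (like the DMZ rule in the posted config). The sample config and the function names are constructed for this example.

```python
# Added example: lint OpenWrt UCI firewall rules for port-only DSCP matches
# in the ephemeral range and for full-range DNAT redirects. Sample config is
# a constructed subset of the rules posted in the thread.
import re

SAMPLE_CONFIG = """
config redirect
  option name 'DMZ'
  option target 'DNAT'
  option src_dport '1-65535'
  option dest_ip '192.168.2.167'
config rule
  option name 'COD UDP 1'
  option src_port '3074'
  option dest_port '30000-45000'
  option target 'DSCP'
config rule
  option name 'PS4 ALL UDP'
  option dest_ip '192.168.2.167'
  option target 'DSCP'
"""

def parse_uci(text):
    """Parse UCI text into (section_type, {key: value}) pairs."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\w+)", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"\s*(?:option|list)\s+(\w+)\s+'([^']*)'", line)
        if m and sections:
            sections[-1][1][m.group(1)] = m.group(2)
    return sections

def port_max(spec):
    """Highest port in a UCI port spec such as '3074' or '30000-45000 80'."""
    return max((int(n) for n in re.findall(r"\d+", spec)), default=0)

def lint(text):
    """Return (rule name, finding) pairs for rules worth a second look."""
    findings = []
    for kind, o in parse_uci(text):
        ports = o.get("src_port", "") + " " + o.get("dest_port", "")
        if kind == "rule" and o.get("target") == "DSCP" and not (
                "src_ip" in o or "dest_ip" in o) and port_max(ports) > 1024:
            findings.append((o.get("name"), "port-only DSCP match in ephemeral range"))
        if kind == "redirect" and o.get("target") == "DNAT" and port_max(o.get("src_dport", "")) >= 65535:
            findings.append((o.get("name"), "DNAT forwards the full port range"))
    return findings
```

Run it against `cat /etc/config/firewall` output to see which of the posted rules rely on ports alone; the `PS4 ALL UDP` rule (dlakelan's static-IP suggestion) passes because it is keyed on the host address.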

+1

I do think that since anyone can be doing video conferencing, you wind up needing to use known ports for Jitsi/Zoom/Meet etc. without an IP address, but fortunately those people do seem to have a narrow range they've chosen.

Also, with IPv6 it can help to use "tokenized" IP assignment to identify important hosts for prioritization, like setting your gaming PC to ::abc:001. I hope to hell the Xbox and PlayStation people will enable IPv6 with tokenized addresses soon. Games are one of the huge wins for IPv6.

2 Likes

+1; this is why I hedged with "If possible" ;).

Side-note: Deutsche Telekom some years ago prototyped a new all-IPv6 network architecture (with IPv4 running as a service over IPv6 softwires), where they proposed to take three or six bits (I don't remember the details) out of the space they could assign as prefix to end-customers, and use these as their internal DSCP equivalents so that they could leave DSCPs untouched and potentially end-to-end.
Not sure whether they still aim for that though.

For IPv6 the challenge is more how to overcome IPv6 privacy extensions, and the fact that some devices only do SLAAC and ignore DHCPv6 (I am looking at you, Android....)

DHCPv6 is I think only useful for server farms. I think the default should be privacy addresses with a very clear checkbox to enable "stable privacy". With that, if you need to be able to prioritize a device by IP you click the stable privacy checkbox. If the device doesn't need to have a well known IP you just use privacy addresses. This handles essentially 100% of cases. Even with servers stable privacy is "enough" most of the time.

1 Like

Why? I already use static DHCPv4 assignments based on MAC addresses so that my logging allows me to use symbolic names instead of having to look up MAC addresses. Sure, MAC addresses can be spoofed, but this is not really a security thing, but rather a convenience thing (symbolic names, and stable addresses to use in port forwards to make machines reachable from the outside). I would love to do the same with IPv6 as well; my wish would be to keep the last 64 bits under my control and get new prefixes whenever my ISP sees fit, so all I need is the current prefix and I can reach (selected) hosts from the outside. Not sure whether DHCPv6 would be overkill, but it certainly promises the right capabilities, until we hit the Android devices...

At that point it is not private anymore; the whole goal of privacy addresses is to cycle through random 64-bit final address parts fast enough that outsiders have no real chance of brute forcing a connection to a known machine. Once a host has a stable address, privacy has left the building... at least that is my understanding.

If you are "just" proposing a mechanism for normal end users to actually disable privacy extensions, I am with you; I would appreciate something like that as well.

But sure, for the low number of machines in my network, I am fine with reading off the randomly selected stable addresses from each host; DHCPv6's capability to configure the IPv6 address to MAC mappings on the router is nice to have but not really that much of a time saver.

I admit that I actually do not think that I will ever consider making any of the Android devices accessible from the outside at all, mostly my ssh hosts and potentially the router itself to VPN in over IPv6.

1 Like