NFtables and QoS in 2021

Thanks,

Will try and provide feedback tomorrow

config queue 'eth1'
	option qdisc 'cake'
	option interface 'wan'
	option debug_logging '0'
	option verbosity '5'
	option linklayer 'ethernet'
	option overhead '44'
	option enabled '1'
	option download '0'
	option script 'layer_cake.qos'
	option qdisc_advanced '1'
	option squash_dscp '1'
	option squash_ingress '1'
	option ingress_ecn 'ECN'
	option egress_ecn 'NOECN'
	option qdisc_really_really_advanced '1'
	option eqdisc_opts 'diffserv4'
	option upload '16000'

config queue
	option enabled '1'
	option interface 'br-lan'
	option download '0'
	option upload '56000'
	option debug_logging '0'
	option verbosity '5'
	option qdisc 'cake'
	option script 'layer_cake.qos'
	option linklayer 'ethernet'
	option overhead '44'
	option qdisc_advanced '1'
	option squash_dscp '1'
	option squash_ingress '1'
	option ingress_ecn 'ECN'
	option egress_ecn 'NOECN'
	option qdisc_really_really_advanced '1'
	option eqdisc_opts 'diffserv4'

My colleague plays over WiFi, and I never know how to regulate WiFi. How do I know whether, for 2.4 GHz, we should set the channel width to 20 MHz or 40 MHz?

@di_Niko, are you playing over WiFi or wired?

SQM drops packets during periods of congestion, so it's normal to have some packet loss during a speed test. Now, it should be packet loss on the speed test, not in the game, but it depends; you should be using layer_cake with diffserv4 to take advantage of the packet marking.

1 Like

It's possible the ingress marking isn't worth it for the complexity, particularly when used with pppoe, and we can switch back to postrouting marking.

Only wired + 1ms monitor

1 Like

No, I don't use SQM at all; for me it's enough with your DSCP setup. I see a benefit in SQM when you have a lot of devices and a small internet line.
But I have noted a loss in speedtest with nftables. I have tried tweaking some settings, but without luck.
But in game everything is OK.

1 Like

Well, DSCP by itself has no effect on anything without some queue management. You may have an ISP device that uses the DSCP tags, or you may get a benefit from WMM if you play on WiFi, but if you're not using SQM or my gaming script and you're just tagging packets, it probably isn't doing anything.

The reason to do DSCP is basically so cake uses different priority queues for different kinds of packets.

1 Like

For some reason I thought there was already a little prioritization part in the nftables code… then waiting for your gaming script for nftables!

The idea is that the nftables script provides the packet prioritization, but something has to act on that prioritization, so run SQM for now using diffserv4; it might not be as good as my gaming script, but it should be better than nothing.

Put one SQM queue on your WAN with only upload, and another SQM queue on your LAN interface using an "upload" rate equal to your download rate.

1 Like

@di_Niko check my SQM config two messages up :wink:

During the next OpenWrt update, which should be in March, the firewall will be based on nftables, if I understand correctly? Can we stay with the firewall and its iptables rules if we wish?

iptables will eventually just get translated into nftables commands. That's already how it works in Debian, for example.

You should think of this whole setup as a way to get precise control over what you want to do. It's not intended that I set up a single firewall that works for everyone. Think of this as more examples you can use to make your own, since everyone has different networks. Some people have multiple WANs, multiple LANs/IoT networks, VPNs, etc. The idea is that by utilizing nftables you get more control over firewalling and tagging, and because nftables syntax is far better than iptables you get more power to do more complex things.

One thing you can do in nftables that you CAN NOT do in iptables is tagging on ingress. This lets you use SQM's IFB and still utilize tagging.

4 Likes

OK, thanks for the explanation Daniel :slight_smile:

Good afternoon Daniel, in which part of the script exactly do I have to change the priority? I have tried to change the priority in dscpwashin for LAN and WAN, but it still does not work. Not sure if I'm changing settings in the right place.

Thanks!

Hi Julien,


config queue 'eth1'
	option qdisc 'cake'
	option ingress_ecn 'ECN'
	option enabled '1'
	option interface 'pppoe-wan'
	option download '0'
	option upload '1000000'
	option debug_logging '0'
	option verbosity '5'
	option script 'layer_cake.qos'
	option qdisc_advanced '1'
	option squash_dscp '0'
	option squash_ingress '0'
	option egress_ecn 'NOECN'
	option qdisc_really_really_advanced '1'
	option eqdisc_opts 'diffserv4 nat dual-srchost'
	option linklayer 'ethernet'
	option overhead '40'

config queue
	option enabled '1'
	option interface 'br-lan'
	option download '0'
	option upload '1000000'
	option debug_logging '0'
	option verbosity '5'
	option qdisc 'cake'
	option qdisc_advanced '1'
	option squash_dscp '0'
	option squash_ingress '0'
	option ingress_ecn 'ECN'
	option egress_ecn 'NOECN'
	option qdisc_really_really_advanced '1'
	option eqdisc_opts 'diffserv4 nat dual-dsthost'
	option linklayer 'ethernet'
	option overhead '40'
	option script 'layer_cake.qos'


Currently I'm trying this one; there are no squash and ignore, because we already have nftables doing the wash :slight_smile:

1 Like

In /etc/init.d/nftables change the START=10 line. Maybe try 19 (same as firewall3 and firewall4).

2 Likes

Yes and after changing the start priority, do:

/etc/init.d/nftables disable
/etc/init.d/nftables enable

Which should make the priority take effect.

But we also probably need a hotplug script, since PPPoE can drop and then be restarted dynamically. If we are doing ingress filters, that may cause problems unless a hotplug script is available.

2 Likes
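As an added example (not code from this thread and not dlakelan's script), here is what the two points above look like together: the ingress tagging that only nftables can do, wrapped in the hotplug script that the PPPoE reconnect case needs. It assumes the logical interface is "wan" on device "pppoe-wan" (as in the SQM config above), assumes an install path of /etc/hotplug.d/iface/99-dscptag, and uses UDP port 3074 as a placeholder for "the game". The reason for the hotplug wrapper is that a netdev-family base chain is bound to one device, and a PPPoE device is destroyed and recreated on every reconnect, so the ingress chain has to be re-applied each time the interface comes up.

```shell
#!/bin/sh
# Added example hotplug script; not the original thread's code.
# Assumed path: /etc/hotplug.d/iface/99-dscptag (sourced by hotplug-call).
# Assumptions: logical interface "wan" on device "pppoe-wan", and UDP 3074
# standing in for the game's port.

WAN_IFACE="wan"        # logical interface name netifd reports in $INTERFACE
WAN_DEV="pppoe-wan"    # kernel device the netdev ingress chain binds to
GAME_PORT="3074"       # placeholder game port, adjust for your game

# Emit the nftables ruleset on stdout. Kept in a function so it can be
# inspected (or tested) without root and without nft installed.
ruleset() {
	cat <<EOF
# Tagging on ingress: the part iptables cannot do. Runs on packets
# arriving from the ISP, before they reach the LAN.
table netdev dscptag {
	chain ingress_wan {
		type filter hook ingress device "$WAN_DEV" priority -100; policy accept;
		# wash whatever DSCP the ISP left on the packet ...
		ip dscp set cs0
		ip6 dscp set cs0
		# ... then re-tag game traffic into cake's latency-sensitive diffserv4 tin
		meta protocol ip udp sport $GAME_PORT ip dscp set cs4
		meta protocol ip6 udp sport $GAME_PORT ip6 dscp set cs4
	}
}
# Egress tagging in postrouting, the classic place to mark (this is what
# "switch back to postrouting marking" refers to).
table inet dscptag {
	chain postrouting_wan {
		type filter hook postrouting priority mangle; policy accept;
		oifname "$WAN_DEV" udp dport $GAME_PORT ip dscp set cs4
		oifname "$WAN_DEV" udp dport $GAME_PORT ip6 dscp set cs4
	}
}
EOF
}

# Only act when netifd reports the WAN logical interface coming up.
want_reload() {
	[ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "$WAN_IFACE" ]
}

# Replace the tables rather than appending to them, so repeated ifup
# events do not pile up duplicate rules.
apply_ruleset() {
	nft delete table netdev dscptag 2>/dev/null
	nft delete table inet dscptag 2>/dev/null
	ruleset | nft -f -
}

if want_reload && command -v nft >/dev/null 2>&1; then
	apply_ruleset && logger -t dscptag "re-applied DSCP tagging after $INTERFACE came up"
fi
```

Whether the netdev ingress hook sees the packet before or after tc's redirect into the SQM IFB is exactly the ordering question left open later in the thread, so after installing this, check the per-tin packet counters in `tc -s qdisc show` for the SQM IFB device while the game is running: if the latency-sensitive tin stays at zero on ingress, the tag is being applied too late for cake to act on it.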

@dlakelan, is nftables compatible with qosify? I get such performance with qosify that I find it so good, thanks.

I think they should work together fine, but the tagging that qosify does will be overwritten by nftables, so I recommend only doing tagging in nftables that doesn't interfere.

1 Like

Since qosify is an eBPF filter applied by tc, wouldn't it come after nftables, at least on egress? Ingress might be an interesting question, to understand which gets processed last.

Yes, I was thinking ingress, since a bunch of our tagging is on ingress at the moment. I'm really not sure how ingress works in terms of the order; I'm sure there's a diagram we could use to understand it better.

1 Like