NFtables and QoS in 2021

I'm really glad this is just working on OpenWrt! nftables is the shizzle!

3 Likes

hmmm, can't connect online, error

}

## masquerading for ipv4 output on WAN
table ip masq {
      map portmaps {
         type  inet_service : ipv4_addr
	 elements = {3074 : 192.168.2.160, 3659 : 192.168.2.160, 9308 : 192.168.2.160, } # set these up to map ports to specific internal IPs
      }
      chain masqout {
	    type nat hook postrouting priority 0; policy accept;
	    oifname $wan masquerade

	}

	## this empty table is required to make the kernel do the unmasquerading
	chain masqin {
	    type nat hook prerouting priority 0; policy accept;

	    dnat to tcp dport map @portmaps
	    dnat to udp dport map @portmaps
	}
	
}
root@OpenWrt:~# nft list tables
table inet filter
table ip masq
table inet tags

Sorry, it's my fault.

I didn't check the update :wink:

It's working now?

1 Like
## masquerading for ipv4 output on WAN
table ip masq {
      map portmaps {
         type  inet_service : ipv4_addr
	 elements = {3074 : 192.168.2.160, 3659 : 192.168.2.160, 9308 : 192.168.2.160 } # set these up to map ports to specific internal IPs
      }
      chain masqout {
	    type nat hook postrouting priority 0; policy accept;
	    oifname $wan masquerade

	}

	## this empty table is required to make the kernel do the unmasquerading
	chain masqin {
	    type nat hook prerouting priority 0; policy accept;

	    dnat to tcp dport map @portmaps
	    dnat to udp dport map @portmaps
	}
	
}


No, still not :confused:

What do you think of that?

root@OpenWrt:/# nft list tables
table inet fw4
table inet miniupnpd
table ip miniupnpd
table ip6 miniupnpd
root@OpenWrt:/# nft list table inet miniupnpd
table inet miniupnpd {
	chain forward {
		type filter hook forward priority -25; policy accept;
		iif "wwan0" th dport 1234 @nh,128,32 3232236975 @nh,72,8 6 accept
		iif "wwan0" th dport 1234 @nh,128,32 3232236975 @nh,72,8 17 accept
	}
}
root@OpenWrt:/# nft list table ip miniupnpd
table ip miniupnpd {
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		iif "wwan0" tcp dport 1234 dnat to 192.168.5.175:1234
		iif "wwan0" udp dport 1234 dnat to 192.168.5.175:1234
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
	}
}

An example:

table inet miniupnpd {
        chain forward {
                type filter hook forward priority -25; policy accept;
                iif "wan" th dport 3074 @nh,128,32 3232249379 @nh,72,8 17 accept
                iif "wan" th dport 3074 @nh,128,32 3232249379 @nh,72,8 17 accept
                iif "wan" th dport 3074 @nh,128,32 3232249379 @nh,72,8 17 accept
                iif "wan" th dport 3074 @nh,128,32 3232249379 @nh,72,8 17 accept
                iif "wan" th dport 3074 @nh,128,32 3232249379 @nh,72,8 17 accept
                iif "wan" th dport 3074 @nh,128,32 3232249379 @nh,72,8 17 accept
                iif "wan" th dport 3074 @nh,128,32 3232249379 @nh,72,8 17 accept
                iif "wan" th dport 3074 @nh,128,32 3232249379 @nh,72,8 17 accept
                iif "wan" th dport 3074 @nh,128,32 3232249379 @nh,72,8 17 accept
                iif "wan" th dport 3074 @nh,128,32 3232249379 @nh,72,8 17 accept
                iif "wan" th dport 3074 @nh,128,32 3232249379 @nh,72,8 17 accept
        }
}
table ip miniupnpd {
        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
                iif "wan" udp dport 3074 dnat to 192.168.54.35:3074
                iif "wan" udp dport 3074 dnat to 192.168.54.35:3074
                iif "wan" udp dport 3074 dnat to 192.168.54.35:3074
                iif "wan" udp dport 3074 dnat to 192.168.54.35:3074
                iif "wan" udp dport 3074 dnat to 192.168.54.35:3074
                iif "wan" udp dport 3074 dnat to 192.168.54.35:3074
                iif "wan" udp dport 3074 dnat to 192.168.54.35:3074
                iif "wan" udp dport 3074 dnat to 192.168.54.35:3074
                iif "wan" udp dport 3074 dnat to 192.168.54.35:3074
                iif "wan" udp dport 3074 dnat to 192.168.54.35:3074
                iif "wan" udp dport 3074 dnat to 192.168.54.35:3074
        }

        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
        }
}

see here
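As an added example (not code from the thread, from miniupnpd or from nftables), a small Python auditor for the `nft list table ... miniupnpd` output pasted above: it decodes the raw `@nh,128,32` / `@nh,72,8` payload matches back into an IPv4 destination address and protocol, reports rules that UPnP has pushed more than once, and flags forwards to hosts or ports outside an allowlist you supply. The sample input is constructed to mirror the pasted output; the allowlist format is an assumption of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of `nft list table inet/ip miniupnpd` output.
SAMPLE = """\
table inet miniupnpd {
	chain forward {
		type filter hook forward priority -25; policy accept;
		iif "wan" th dport 3074 @nh,128,32 3232249379 @nh,72,8 17 accept
		iif "wan" th dport 3074 @nh,128,32 3232249379 @nh,72,8 17 accept
		iif "wan" th dport 1234 @nh,128,32 3232236975 @nh,72,8 6 accept
	}
}
table ip miniupnpd {
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		iif "wan" udp dport 3074 dnat to 192.168.54.35:3074
		iif "wan" udp dport 3074 dnat to 192.168.54.35:3074
		iif "wan" tcp dport 1234 dnat to 192.168.5.175:1234
	}
}
"""

PROTO = {6: "tcp", 17: "udp"}
# @nh,128,32 = bits 128..159 of the network header = IPv4 daddr; @nh,72,8 = byte 9 = protocol.
RAW_FWD = re.compile(r'iif "(?P<iif>[^"]+)" th dport (?P<port>\d+) @nh,128,32 (?P<dst>\d+) @nh,72,8 (?P<proto>\d+) accept')
DNAT = re.compile(r'iif "(?P<iif>[^"]+)" (?P<proto>tcp|udp) dport (?P<port>\d+) dnat to (?P<dst>[\d.]+):(?P<dport>\d+)')

def parse_rules(text):
    """One (chain, proto, wan_port, dst_ip, dst_port) tuple per rule line, duplicates kept."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if m := RAW_FWD.match(line):
            ip = str(ipaddress.IPv4Address(int(m["dst"])))
            rules.append(("forward", PROTO.get(int(m["proto"]), m["proto"]), int(m["port"]), ip, int(m["port"])))
        elif m := DNAT.match(line):
            rules.append(("dnat", m["proto"], int(m["port"]), m["dst"], int(m["dport"])))
    return rules

def audit(text, allowed):
    """allowed: set of (dst_ip, proto, dst_port). Returns (duplicates, unexpected)."""
    counts = Counter(parse_rules(text))
    duplicates = sorted((r, n) for r, n in counts.items() if n > 1)
    unexpected = sorted(r for r in counts if (r[3], r[1], r[4]) not in allowed)
    return duplicates, unexpected
```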

It might be best to iifname $wan dnat... in my rules.

1 Like
}
      chain masqout {
	    type nat hook postrouting priority 0; policy accept;
	    iifname $wan dnat masquerade
/etc/nftables.conf:98:24-33: Error: syntax error, unexpected masquerade
            iifname $wan dnat masquerade
                              ^^^^^^^^^^
root@OpenWrt:~#

No, add iifname $wan here so it only dnats packets from the internet.

1 Like

Okay, I gotta compile a new OpenWrt, will it work from 21.02-SNAPSHOT or do I need master? I read about 5.10 requirements and I think 21.02-SNAPSHOT is still on 5.4.

Update: Answering my own question, master it is. Grrr.

Ok, like this?

## masquerading for ipv4 output on WAN
table ip masq {
      map portmaps {
         type  inet_service : ipv4_addr
	 elements = {3074 : 192.168.2.160, 3659 : 192.168.2.160, 9308 : 192.168.2.160 } # set these up to map ports to specific internal IPs
      }
      chain masqout {
	    type nat hook postrouting priority 0; policy accept;
	    oifname $wan masquerade

	}

	## this empty table is required to make the kernel do the unmasquerading
	chain masqin {
	    type nat hook prerouting priority 0; policy accept;

	    iifname $wan dnat to tcp dport map @portmaps
	    iifname $wan dnat to udp dport map @portmaps
	}
	
}

I can connect now but I always get NAT moderate.

I think it's only for some convenience bits. It should work with snapshots, it works with release as well.

1 Like

There may be some additional ports the games would prefer to have open. If you figure them out then you can add them to the map.

1 Like

For Call of Duty only two ports are opened via UPnP: the first, 9308, when connecting the console, which corresponds to PSN, and the second, 3074, which corresponds to the game port.

I am looking before going to sleep because it's already 6:30 am at home.

Hello, I have opened these ports but still moderate NAT ...

table ip masq {
      map portmaps {
         type  inet_service : ipv4_addr
	 elements = { 1935 : 192.168.2.160, 3480 : 192.168.2.160, 3074 : 192.168.2.160, 3075 : 192.168.2.160, 3076 : 192.168.2.160, 3077 : 192.168.2.160, 3478 : 192.168.2.160, 3479 : 192.168.2.160, 9308 : 192.168.2.160, 3659 : 192.168.2.160 } # set these up to map ports to specific internal IPs
      }
      chain masqout {
	    type nat hook postrouting priority 0; policy accept;
	    oifname $wan masquerade

	}

	## this empty table is required to make the kernel do the unmasquerading
	chain masqin {
	    type nat hook prerouting priority 0; policy accept;

	    iifname $wan dnat to tcp dport map @portmaps
	    iifname $wan dnat to udp dport map @portmaps
	}
	
}

Hello, I tried several things, I'm really stuck on these port openings,
maybe we'll have to look at that again?

Do you actually have any gaming issues, or just something says "moderate" on the screen somewhere? My feeling about those in-game assessments is they are often garbage. Does the game not play? You can't host? what happens?

1 Like

Yes, there are 3 levels: NAT strict, NAT moderate and NAT open. I am always NAT open.

Normally the config with LuCI in port forward is:

TCP/UDP

WAN
Source port 1-65535
To

LAN
Destination port
Console IP

I come back to my home in ten min.

Well, there you are just saying "Send all TCP and UDP traffic to my console". If you want that it's easy, but it's also a bad idea. I mean, people can now ssh to your console or send UDP floods or try to make it a botnet etc.

What actual game-related problems do you have? Just having it say "nat moderate" is not by itself a problem.

If you want to replicate your iptables config you can do:

iifname $wan ip protocol { udp, tcp } dnat to 192.168.1.101 # or whatever your console is; nft needs "ip protocol" (or "meta l4proto"), a bare "protocol" is a syntax error

The console is a Sony PS5, yes I will test in 5 min :slightly_smiling_face:

Thanks, I will keep you informed.

The tests we really need are to play games and capture packets, see if the DSCP tagging is happening, try running a speed test during a game and see how latency behaves, see if the conntrack-based UDP slow-sending rate prioritization fails to capture something important and latency sensitive. Maybe try some zoom/teams/jitsi meeting while another PC runs a speed test, see if latency remains stable. Compare wifi performance with and without tagging (to see if WMM is helping) etc.

1 Like

Ok, would you like me to run a capture test like this?
tcpdump -i wan -w /tmp/capturesqmcakenfables.pcap

I delete that before:

table ip masq {
      map portmaps {
         type  inet_service : ipv4_addr
	 elements = { 1935 : 192.168.2.160, 3480 : 192.168.2.160, 3074 : 192.168.2.160, 3075 : 192.168.2.160, 3076 : 192.168.2.160, 3077 : 192.168.2.160, 3478 : 192.168.2.160, 3479 : 192.168.2.160, 9308 : 192.168.2.160, 3659 : 192.168.2.160 } # set these up to map ports to specific internal IPs
      }
      chain masqout {
	    type nat hook postrouting priority 0; policy accept;
	    oifname $wan masquerade

	}

	## this empty table is required to make the kernel do the unmasquerading
	chain masqin {
	    type nat hook prerouting priority 0; policy accept;

	    iifname $wan dnat to tcp dport map @portmaps
	    iifname $wan dnat to udp dport map @portmaps
	}
	
}
and replace it only with:

iifname $wan ip protocol { udp, tcp } dnat to 192.168.1.101 # or whatever your console is; "ip protocol" replaces the bare "protocol", which nft rejects