Qos over Nftables only for dedicated interface

Hi,

I have a question:

  • Is it possible to assign QoS over nftables to a dedicated interface (LAN, WAN, analogous to SQM, see attached picture 1)?

Background:

  • the network inside the LAN shall be fast (this means: without any limitations), limitations shall be set only for the 'slow' connection to the internet (WAN), see picture 2.

Actually, the bandwidth limitations are set for each zone/interface, based on configured IP.
This is not useful.
The configuration can be as shown at picture 2 ;).

Best Regards
dyha

Yes.

Could you share perhaps...why not???

Hi,

useful?

My use case:

  • I make a periodic backup of a host - many GB of data. The backup server is in the LAN. The backup shall use the full network bandwidth, 1 GBit (backup host is connected to the router directly).
  • but the host from the previous step shall have only limited bandwidth to the Internet - WAN.

According to the current implementation, the bandwidth limitation cannot be set explicitly for an interface (WAN or LAN or IP - as it currently is), it works for each interface (WAN and LAN and IP).
This is suboptimal.

It shall be possible to configure:

  • IP <--set-limit--> LAN or
  • IP <--set-limit--> WAN or
  • IP <--set-limit--> LAN + WAN

You write that it is possible to set the bandwidth limit on an interface - WAN or LAN.

How?

Best Regards
dyha

Where are the SRC and DST locations for each???

I think you may need to answer my question above.

:bulb: Remember: Traffic has to pass the routing plane in order to be QoSed. :wink:

Hi,
here is the simple topology of the network:

 192.168.0.25 (my_host)
        |
        |
        |LAN (br-lan), full speed rx/tx
        |
        |
        |
        |
        |_____ 192.168.0.X (any other host in this network)
        |
        |
        |      |-------192.168.0.10 (backup_server)
        |      |
        |      |  (switch via router ports)
        |      | 
   --------------------|
   |   WRT ROUTER      |--- USB DEVICE, SMB share
   | 192.168.0.1  (LAN)|
   | 192.168.1.10 (WAN)|
   |___________________|
       | 
       |
       |
       | WAN (eth 1.2), limited speed configurable per IP from LAN,
       |     rx/tx differently configurable - as currently
       |
       |_________ 192.168.1.10 my connection to the Internet

The full speed shall be for the following routes:

  • my_host <-----> WRT ROUTER (for writing to SMB share)
  • my_host <-----> backup_server

The limited speed shall be for the following route:

  • my_host <-----> WAN

For sure, my /tmp/qos.nft:

#!/usr/sbin/nft -f
#

table inet nft-qos-static {
        chain upload {
                # prerouting sees every packet entering the router, including
                # packets delivered locally (e.g. to the SMB share), not only routed ones
                type filter hook prerouting priority 0; policy accept;
                ip saddr 192.168.0.25 limit rate over 128 kbytes/second drop
        }
        chain download {
                # postrouting sees forwarded packets and the router's own output
                type filter hook postrouting priority 0; policy accept;
                ip daddr 192.168.0.25 limit rate over 1344 kbytes/second drop
        }
}
table netdev nft-qos-priority {
        chain filter {
                # ingress hook on the WAN interface; no rules defined yet
                type filter hook ingress device eth1.2 priority 0; policy accept;
        }
}

I hope this answers your question.

Best Regards
dyha

:confused:

This is local. There is no (routing) QoS to set.

I don't understand your QoS rule for this. Also, these hosts both have 192.168.0.0 network addresses - again this appears local and there's no routing QoS to set.

This makes sense...but should be set on the Internet router (I assume in the 192.168.1.0 network).

The solution I'd propose (separate these into routed subnets/interfaces/VLANs) would likely lower your desired 1 Gbps throughput because you'd actually begin to employ use of the Kernel and routing plane.

:bulb: You could add these rules to my_host.

Yep, no rule, just LAN ("This is local") full speed.

This is not possible, see the "simple topology". WRT is de facto my internet router.
WRT does masquerading for network 192.168.0.X and I can manage only the WRT router.
The other router from 192.168.1.x receives only one data link (from its 192.168.1.10) which contains all my internet traffic for all hosts (host 192.168.0.10 is just an example).

Back to the configuration file of nft:

  • the bandwidth limitation (rx/tx) is just set hard to the IP, regardless of the route
  • this means it works every time (and works correctly, I can see it)

But this leads to the conclusion:

  • it is not possible to set different traffic rules for bandwidth limits for LAN and WAN for the same IP/host:
    -- fast traffic inside the LAN
    -- bandwidth limitation for traffic to WAN

If somebody knows how, then please help.

THIS IS MY FAKE RULE:

#!/usr/sbin/nft -f
#

table inet nft-qos-static {
    host ip 192.168.0.25
        chain upload {
                type filter hook prerouting priority 0; policy accept;
                saddr via **WAN** limit rate over 128 kbytes/second **drop**
                saddr via **LAN** limit rate **unlimited**
        }
        chain download {
                type filter hook postrouting priority 0; policy accept;
                daddr via **WAN** limit rate over 1344 kbytes/second **drop**
                daddr via **LAN** limit rate **unlimited**
        }
    }
}

:nerd_face:

Did you read my post?

Those would be improper conclusions.

  • Traffic inside LAN - obviously one cannot configure on a router as traffic doesn't pass it
  • Limitation to WAN - again, read post

Just because you desire to put a rule in the OpenWrt, doesn't mean that's where it actually needs to go.

LOL, so just ignore that you have a border router in the 192.168.1.0 network.

Well, again you can make a rule; but since it isn't your border router nor the bottleneck for bandwidth, I'm not sure how effective it will be with setting at the OpenWrt device.

Hi,

I understand you. You are correct. If the traffic goes without the WRT ROUTER, it is full speed.

My description was not clean! I modified my picture of the 'simple network'.

I describe the root problem:

  • if a bandwidth limitation is set for a LAN IP, then the rule is applied at entry into the router for the affected host.
  • this causes the write access to the USB device to be limited to the set bandwidth limitation for the writing client (I tested it: without bandwidth limitation: full write speed to the USB, with bandwidth limitation: write speed corresponds to the set limit).
  • I think the same happens if the backup_server is connected directly to the LAN port at the WRT ROUTER (WRT 1900ACS), but I have not tested this.

I hope my description is clean now.

Now: the set speed limit shall be taken into account only for traffic to WAN.

Best Regards
dyha

In the future, re-post a correction for continuity of the thread - now it makes the thread confusing for future readers. Nonetheless, your diagram still identifies the same scenario. I was not confused or unclear.

Correct, but the client and server both reside in LAN, correct?

If so, there is no QoS setting for a router. You can try setting this on the client or server.

Again, this is a LAN communication. Also, it could be the router's CPU - recall your OpenWrt is also running a file server and performing I/Os on the network and a USB device. :wink:

Correct, because it's still LAN.

:+1:

(Your description was always clean and clear.)

For LAN:

  1. set on Client; or

  2. set on server; or:

For WAN:

Hi,

Tested. This is not true. The write/read(!) rate into the USB directly depends on the set bandwidth limit for the client.
I/O, SMB at CPU, etc., under 3% of CPU.
The USB device is plugged into the WRT ROUTER.

YES, the WRT ROUTER is my internet router...

YES, WRT ROUTER is my border router and the bottleneck for bandwidth at 192.168.1.10 (16 MBit IN / 3 MBit OUT)

Please see the picture for better understanding.

(attached picture: sqm03)

Sorry, how shall I set the rule only for WAN?

There?

or there?

Sorry, but I don't see any alternative to attach the bandwidth limit to LAN or WAN...
The limit is set hard for the IP, in this case LAN.

Best Regards
dyha
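The posted /tmp/qos.nft hooks prerouting and postrouting, which see every packet that enters or leaves the router, including traffic that the router itself delivers or generates (the SMB share on the USB device). That is why the per-IP limit also throttles local reads and writes. The ruleset below is an added example, not code from the thread or from the tool that generated the posted file; it answers "how shall I set the rule only for WAN?" by matching in the forward hook and on the WAN interface. The host address 192.168.0.25, the WAN device eth1.2 and the rates are taken from the thread; the table name qos_wan_only is an assumption.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): limit 192.168.0.25 only on the
# path to/from the WAN interface eth1.2. Table name is an assumption.

table inet qos_wan_only {
        chain forward {
                # The forward hook only sees routed packets. Packets addressed
                # to the router itself (SMB share) take the input hook, and
                # packets the router generates take the output hook, so LAN
                # traffic to and from the router is never matched here.
                type filter hook forward priority 0; policy accept;

                # Upload: LAN host -> WAN. Everything above 128 kB/s is dropped.
                # This is policing, not shaping: TCP backs off, UDP simply loses
                # the excess. The counter records how many packets were dropped.
                ip saddr 192.168.0.25 oifname "eth1.2" limit rate over 128 kbytes/second counter drop

                # Download: WAN -> LAN host. The reverse NAT of the masquerade
                # has already restored the private destination address by the
                # time the forward hook runs, so ip daddr matches the LAN host.
                iifname "eth1.2" ip daddr 192.168.0.25 limit rate over 1344 kbytes/second counter drop
        }
}
```

Load it with `nft -f /tmp/qos-wan.nft` and verify with `nft list table inet qos_wan_only`; the counters stay at zero while only LAN-to-router or LAN-to-LAN traffic flows and start climbing only for traffic crossing eth1.2. To reload after editing, run `nft delete table inet qos_wan_only` first, since re-running the file on an existing table appends duplicate rules. Traffic between two LAN hosts that passes only through the switch ports never reaches the kernel and is unaffected by any of this, as the other poster noted.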