I also renamed the community title to Qualcommax from ipq807x
I'm working on a NSS build to replace my current custom build for the dynalink wrx36. I've made several working ones, but am being picky about the one I publish publicly so I'm still tweaking stuff.
EDIT: I finally built one that I'm all-around pretty happy with, so I've officially updated my custom dynalink dl-wrx36 build to one that is NSS enabled. Here is a link to the GitHub repo.
I've currently installed SQM NSS on the dl-wrx36. I have FQ-CoDel set as the qdisc and nss-rk.qos as the queue setup script. When I set my upload and download limits the shaper only seems to work on my upstream and doesn't have any effect on my downstream. I have all the relevant kernel dependencies installed too. Is this normal behaviour or should the shaper work on my downstream as well?
This is my sqm config:
config queue
	option enabled '1'
	option interface 'wan'
	option download '85000'
	option upload '85000'
	option debug_logging '0'
	option verbosity '5'
	option qdisc 'fq_codel'
	option script 'nss-rk.qos'
	option linklayer 'none'
I noticed that the description for nss-rk.qos says the nss scripts only work on eth0/eth1, and I don't seem to have this as an option on the dl-wrx32.
root@OpenWrt-Router:~# tc -s qdisc show dev eth0
Cannot find device "eth0"
root@OpenWrt-Router:~# tc -s qdisc show dev nssifb
Cannot find device "nssifb"
The one for nss-rk.qos is actually targeted for ipq806x.
You'll need to use my fork for ipq807x:
https://github.com/qosmio/sqm-scripts-nss
The SQM script is nss-zk.qos
Great, Qosmio! I've just set everything up with your scripts and all is working! Highly appreciate the help and work from yourself and all that are contributing to the NSS build for the ipq807x. I'm currently on a 1.2gb/100mb plan so will be carrying out some tests to see how well sqm works with this internet plan.
Again. Much appreciated.
Excellent to hear! It's a great community of folks on here. Feel free to open an issue request on my repo or PR if you have any suggestions.
Cheers
Man you guys are actually kinda crazy with this stuff lol much appreciated!
I'm definitely going to give your build a go here soon but I have a few questions if you've got a minute.
Specifically with your build:
- I see the luci-sqm ipk, is that the same as the nss-sqm package that qosmio linked below or would it be the regular sqm that you have modified for this build?
- Would it be possible/advisable to use adguard home instead of adblock? I have used adguard home before, but haven't used adblock on openwrt and my wife uses a lot of sites for work (google analytics, etc) that are typically blocked by blocklists so I want her to be able to unblock whatever site she needs easily.
General Questions:
For the IoT lan/subnet would I be better off putting my home server on the router I install there? It runs my plex and all that stuff but also home assistant which I'm pretty new to (common theme lol)
Hi. I have a fork that builds for Xiaomi AX3600 with adguardhome, and I'm very happy with it. But there are some details you need to look at when running on a device with less than 1GB of RAM, like:
- you can not select lots of big blocking lists, and there's a good chance it crashes when updating the lists if the memory is on the limit. But this build has more free mem than official openwrt and I don't remember seeing it crashing.
- I have manually installed/upgraded adguardhome to the v0.8 build and made it be saved when backing up settings or upgrading openwrt.
- I also have edited /etc/init.d/adguardhome with settings to use less RAM and auto restart in case of crash.
You probably should read this topic, it's where it was all discussed and we avoid polluting this thread.
One more note, in case you want to look/ modify my fork: I removed dnsmasq and odhcp because I use adguardhome for that (my home network is simple).
LuCI SQM is just the front end. The core of SQM for NSS https://github.com/qosmio/sqm-scripts-nss is what actually does the shaping. Specifically the script "nss-zk.qos". I forked it from rickkdotnet's script, ("nss-rk.qos") but it's essentially a rewrite for IPQ807x (works on all routers with that CPU).
I used to use AdBlock, then Adguard Home, and recently switched to Adblock-Fast (dnsmasq for local dhcp + unbound for WAN). Although AGH provides a nice UI to unblock certain domains, I found it a bit too heavy and unnecessary. Adblock-fast has a few default whitelists that include things like Google Analytics, and certain things that require Facebook for tracking that should help ease any issues your wife might run into.
If her primary use is on a laptop, highly advise using Brave browser and using the built in privacy plugins there. That's what I currently have. Minimal adblocking, and banip for known junk subnets at the router level and full blown adblocker on the computers themselves.
The luci-sqm package just gives you a GUI interface to manage SQM from within LuCI. The build includes @qosmio's nss-sqm scripts as well as the standard sqm scripts. You can enable either the normal or the NSS versions in LuCI or via ssh.
Possible? Yes, I'd imagine so. OpenWrt has a package for adguard home. I haven't used it personally, but it does exist.
Advisable? Probably not. There's nothing wrong with adguard home, but I'd argue unbound + adblock is better for a few reasons.
From what I know of adguard home, it is basically a forwarding / stub resolver that redirects all your DNS queries to adguard's DNS resolver.
Unbound is set up as a caching recursive resolver. It pre-loads a bunch of the root DNS zone and adds to the cache as you make more DNS requests. When it needs to look up something not in its cache it queries the authoritative DNS servers until it finds it... it doesn't query someone else's DNS resolver. This has the advantage that:
- You aren't giving some (for-profit) company a list of ALL your DNS traffic, which is a huge plus in terms of privacy.
- You aren't sharing your DNS resolver with potentially millions of other people. A bunch of people using the same DNS resolver makes it a prime target for things like DNS cache poisoning attacks (e.g., going to your banking website doesn't bring you to your bank website's IP address, but instead brings you to an identical looking website IP address that is run by shady people in Nigeria). Unless you specifically are being targeted by some bad actor you are basically immune to all DNS-based threats.
Adblock works by setting up a blacklist in unbound's config, so unbound is really what is doing the adblocking. This means there is no speed penalty for including adblocking (even with a blocklist of 600,000 entries, like what is default in my firmware).
It's also worth noting that you can choose which block lists to use in the luci app (there are many builtin options, and you can add your own if you want). You can also whitelist/blacklist individual domains. I wouldn't be surprised if somewhere out there an "adguard home blocklist" is floating around and could be added to adblock.
If it gives you issues then by all means switch over to adguard home, but I'd at least try out unbound+adblock first and see if it works for your usage needs.
for ax3600, using qosmio repo
is it possible to build WITHOUT the QCA9887 IOT radio and ath10K?
tia
Try this:
In your .config file, add the following lines:
# CONFIG_PACKAGE_ath10k-ct-smallbuffers is not set
# CONFIG_PACKAGE_ath10k-firmware-qca9887-ct is not set
# CONFIG_PACKAGE_MAC80211_NSS_REDIRECT is not set
@qosmio hello, is it possible to set up more than one nssifb interface?
I have 2 different isp pppoe lines, using mwan3, I'm looking for a way to set up sqm on those 2 interfaces. Thanks
You ever try using unbound+odhcpd and dropping dnsmasq entirely? It's been a few years since I first set up unbound, but when I was setting things up I got much better performance and stability using unbound+odhcpd than I did with unbound+dnsmasq.
In terms of performance:
- DNS-Bench tells me that I'm getting uncached name lookups in ~50ms and DotCom lookups in 40-45 ms. Note that this is with the "test DNSSEC" option enabled in DNS-Bench.
- Unbound stats (for 125k queries) tell me that recursion times were 135 ms average / 87 ms median and that I'm getting cache hit rates of ~78% (making the overall average for all queries around 30 ms)
I find it sort of neat how it works too... unbound sets up a "local intranet dns zone" in unbound, and for each DHCP client unbound creates DNS records for that device (an "A" record + <...>.in-addr.arpa PTR for ip4, an "AAAA" record + <...>.ip6.arpa PTR for ip6) and loads these records into unbound on-the-fly via unbound-control.
Also, what are your thoughts on adblock vs adblock-fast?
I briefly tried adblock fast several months ago, but it was a bit buggy and I already had a good working adblock configuration, and I figured that since adblock just configures a blacklist for unbound and then exits and it's unbound that is doing the actual DNS-level blocking, I didn't see how "adblock-fast" could actually be "faster"... so I just went back to adblock.
Also, +1 for brave browser. Tempest browser is another good one as well (though is windows only IIRC).
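The per-client record set described in the post above (A + in-addr.arpa PTR, AAAA + ip6.arpa PTR), as an added example that is not part of the original post and is not the OpenWrt unbound/odhcpd scripts' own code. The `lan` domain, the 300 s TTL, the function names and the sample leases are assumptions; the hostname check is included because DHCP hostnames are supplied by the client.

```python
import ipaddress
import re

# One RFC 1123 hostname label: letters, digits, hyphen, 1-63 characters,
# no leading or trailing hyphen. Anything else is refused.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def lease_records(hostname, addresses, domain="lan", ttl=300):
    """Return forward and reverse RR strings for one DHCP client.

    Raises ValueError when the hostname is not a single valid label, so a
    client-supplied name cannot smuggle extra fields into a record.
    """
    if not LABEL_RE.fullmatch(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    fqdn = f"{hostname.lower()}.{domain}."
    records = []
    for text in addresses:
        ip = ipaddress.ip_address(text)  # ValueError on a malformed address
        rtype = "A" if ip.version == 4 else "AAAA"
        records.append(f"{fqdn} {ttl} IN {rtype} {ip.compressed}")
        # reverse_pointer gives d.c.b.a.in-addr.arpa for IPv4 and the
        # 32-nibble name under ip6.arpa for IPv6.
        records.append(f"{ip.reverse_pointer}. {ttl} IN PTR {fqdn}")
    return records


def build_local_datas(leases, domain="lan"):
    """Build records for all leases; return (records, rejected_hostnames)."""
    accepted, rejected = [], []
    for hostname, addresses in leases:
        try:
            accepted.extend(lease_records(hostname, addresses, domain))
        except ValueError:
            rejected.append(hostname)
    return accepted, rejected


# Constructed sample leases (not taken from the thread).
SAMPLE_LEASES = [
    ("nas", ["192.168.1.10", "fd00::10"]),
    ("cam 0 IN A 203.0.113.5", ["192.168.1.66"]),  # malformed client name
]

if __name__ == "__main__":
    records, skipped = build_local_datas(SAMPLE_LEASES)
    print("\n".join(records))
    print("skipped:", skipped)
```

Each returned line is in the resource-record form that `unbound-control local_datas` reads from standard input.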
The latest commit of the master branch cannot start ecm.
Wed Apr 24 20:12:33 2024 daemon.notice procd: /etc/rc.d/S19qca-nss-ecm: Failed to find ecm. Maybe it is a built in module ?
Wed Apr 24 20:12:33 2024 daemon.notice procd: /etc/rc.d/S19qca-nss-ecm: /etc/rc.common: line 100: can't create /sys/kernel/debug/ecm/ecm_classifier_default/accel_delay_pkts: nonexistent directory
Wed Apr 24 20:12:33 2024 daemon.notice procd: /etc/rc.d/S19qca-nss-ecm: /etc/rc.common: line 108: can't create /sys/kernel/debug/ecm/ecm_db/defunct_all: nonexistent directory
Just a friendly note, I've been noticing you go a bit heavy on the exclamation marks and urgency in your replies here and on Github issues. I understand that English might not be your first language (it's my third), and we're a community of folks from all over the world... but I wanted to gently suggest that using exclamation marks excessively or making everything sound urgent might come across as a bit intense or alarming to others.
I'm also just a volunteer providing my work to the community. If you're having issues, please ensure you're following the proper steps to troubleshoot as outlined several times in this thread, and if still having issues, please open an issues request on the git repo and I'll be happy to take a look when I am able.
Thanks
Thank you.
What is this commit? Latest means nothing.
Let me correct you here. Adguard Home uses whatever dns resolver you want, and as many as you want. It also caches the queries, so next queries are faster and private too.
The major drawback is it is memory hungry.