SQM CABLE DOCSIS 3.1 Settings + Packet Prioritization

Silly questions:

A) If the IFB goes away for what ever reason (say the underlaying pppoe interface ceased to exist) the action will also be gone for good? Or put differently is there anything else required than a $TC qdisc del dev $DEV root to get rid of the action?

B) What requirement for additional packets exists for using this (I would like to add this great capability to a variant of layer_cake.qos in the main repository, but want to make it safe even on systems lacking the requirements)

Please note: my idea is to keep actual egress marking rules out of the scripts and delegate users to using the firewalls DSCP classification action to set egress DSCPs to their hearts content, so all we need would be two additional tc lines guarded by a check whether the required functionality exists on the system...

config rule
	option name 'CS4 gaming'
	list proto 'udp'
	option src '*'
	option dest 'lan'
	list dest_ip '192.168.2.160'
	option target 'DSCP'
	option set_dscp 'CS4'
	option enabled '0'

config rule
	option name 'BROADCAST VIDEO'
	list proto 'tcp'
	option src '*'
	option src_port '1935 1936 2935 2396'
	option dest 'lan'
	list dest_ip '192.168.2.160'
	option target 'DSCP'
	option set_dscp 'CS3'
	option enabled '0'

A big +1 for this concept.

Using the firewall traffic rules UI is straightforward enough to personalize the markings.

And having the ingress traffic mirror the outgoing DSCP is a big win, and much simpler (and I'd guess, more efficient) than veth and other approaches.

Hrm, that is a bit of a show stopper for me right now, as my iptables tells me:

root@turris:~# iptables -t mangle -A MANGLE_CHAIN_HERE -j CONNMARK --set-dscpmark help
iptables v1.8.3 (legacy): unknown option "--set-dscpmark"
Try `iptables -h' or 'iptables --help' for more information.

Yes, the command would fail as exercised anyway, but I guess unknown option "--set-dscpmark" also tells my that my iptables is not usable right now, which makes testing a tad tricky...

Also, if I want to use the firewall GUI to set the marking rules, I guess (naively?) that I need a generic mangle rule here that copies the existing DSCP into the connmark somehow.

Ignore me: @ldir laid things out in a way even I can understand here:
https://lore.kernel.org/netfilter-devel/20191203160652.44396-2-ldir@darbyshire-bryant.me.uk/

I still need to get a version of OpenWrt on a testing device that sports the modified iptables version...

hey @moeller0 is this post from you still relevant ?

why should someone do point 4. - 6.1 when it says :
Show Advanced Linklayer Options, (only needed if MTU > 1500)

what will these commands do then ?

image448×581 13.1 KB

did i set up everything correct for low latency gaming ?

image962×758 39 KB

image484×777 15.1 KB

root@OpenWrt:~# tc -s qdisc
qdisc noqueue 0: dev lo root refcnt 2 
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0
qdisc cake 8039: dev eth0 root refcnt 9 bandwidth 42Mbit besteffort dual-srchost nat nowash ack-filter split-gso rtt 100ms noatm overhead 18 mpu 64 
 Sent 557716 bytes 2136 pkt (dropped 1, overlimits 503 requeues 0) 
 backlog 0b 0p requeues 0
 memory used: 99668b of 4Mb
 capacity estimate: 42Mbit
 min/max network layer size:           28 /    1500
 min/max overhead-adjusted size:       64 /    1518
 average network hdr offset:           14

                  Tin 0
  thresh         42Mbit
  target            5ms
  interval        100ms
  pk_delay        248us
  av_delay         22us
  sp_delay          8us
  backlog            0b
  pkts             2137
  bytes          559230
  way_inds            0
  way_miss          218
  way_cols            0
  drops               1
  marks               0
  ack_drop            0
  sp_flows            1
  bk_flows            1
  un_flows            0
  max_len         17301
  quantum          1281

qdisc ingress ffff: dev eth0 parent ffff:fff1 ---------------- 
 Sent 5015802 bytes 55734 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0
qdisc fq_codel 0: dev eth1 root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 4Mb ecn drop_batch 64 
 Sent 9269453949 bytes 6920256 pkt (dropped 5753, overlimits 0 requeues 89363) 
 backlog 0b 0p requeues 89363
  maxpacket 1514 drop_overlimit 4864 new_flow_count 17581 ecn_mark 0 drop_overmemory 4864
  new_flows_len 0 old_flows_len 0
qdisc noqueue 0: dev br-lan root refcnt 2 
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0
qdisc cake 803a: dev ifb4eth0 root refcnt 2 bandwidth 850Mbit besteffort dual-dsthost nat wash no-ack-filter split-gso rtt 100ms noatm overhead 18 mpu 64 
 Sent 5809566 bytes 55734 pkt (dropped 0, overlimits 679 requeues 0) 
 backlog 0b 0p requeues 0
 memory used: 32358b of 15140Kb
 capacity estimate: 850Mbit
 min/max network layer size:           46 /    1500
 min/max overhead-adjusted size:       64 /    1518
 average network hdr offset:           14

                  Tin 0
  thresh        850Mbit
  target            5ms
  interval        100ms
  pk_delay         14us
  av_delay          7us
  sp_delay          1us
  backlog            0b
  pkts            55734
  bytes         5809566
  way_inds            2
  way_miss          218
  way_cols            0
  drops               0
  marks               0
  ack_drop            0
  sp_flows            0
  bk_flows            1
  un_flows            0
  max_len         21852
  quantum          1514

That is the actual text in the GUI, which admittedly is not correct, since adjusting the MPU is required as the default of 0 is correct only increasingly rarely (on some ATM encapsulations).
For cable/DOCSIS you really should set mpu 64 how you do that, via the e/ingress options or via the GUI does not matter anymore (cake will honor the mpu value in the GUI.

As a non-gamer I would say probably, I might try to add the ingress keyword to the advanced option string for ingress, but that is all I can see. However if gaming sucks you might want to switch to layer_cake.qos and carefully up-priritize only the gaming packets. But that is a whole different kettle of fish.
Personally I would always first try without prioritization, but then I stopped reaction-time gated gaming shortly after the original quake came around, so have little first hand experience to base my recommendations on.

Same here. For various reasons, I need to stay on 19.07.x, is there a patch I can apply to that version of iptables (1.8.3 in my case) that would add in the set-dscpmark function ?

even if it's not reaction time gated... it can still suffer a lot from lag and lost packets. Something like Minecraft or Rocket League, you can get rubber-banding or crashing into things that you don't know are there or it doesn't register a jump... etc if that happens often enough even a game that can be played without fast reactions will be no fun.

@N1K - I (perhaps mistakenly) assume that since you're gaming, you're using a Windows desktop or laptop. If so, and if you're using a professional version of Windows, you can fairly easily add DSCP markings to the outgoing traffic by using gpedit.msc, the Group Policy Editor.

image820×635 34.5 KB

im using windows 10 home but on my next pc i will install professional so thanks for the tip

I think you can use the following in powershell under windows10/11:

New-NetQosPolicy -Name "putty" -AppPathNameMatchCondition "putty.exe" -PolicyStore ActiveStore -NetworkProfile All -DSCPAction 46

Get-NetQosPolicy -Store ActiveStore

Name           : putty_ps
Owner          : PowerShell / WMI
NetworkProfile : All
Precedence     : 127
AppPathName    : putty.exe
JobObject      :
DSCPValue      : 46

Remove-NetQosPolicy -Name "putty_ps" -PolicyStore ActiveStore

Seems to work, and I confirmed via tcpdump that putty's ssh packet originating from the windows VM host actually used DSCP 46 (aka EF). I note that powershell needs to be run as administrator, and the policies do not end up visible in Local Group Policy Editor. "-PolicyStore ActiveStore" will not survive a reboot, but for novice users that might be nice so a reboot cleans the slate in good windows tradition. I assume that after initial testing one could omit the "-PolicyStore ActiveStore" directive and store tested configs more permanently.

so its not necessary to tick this pox ?:

If you use the option string to pass mpu 64 to cake you do not check this. However for fq_codel ypu need that checkbox and the mpu setting there.

@Dopam-IT_1987 how do you see the call of duty ports ? my game (cod warzone) always crashes because of wireshark but csgo and wireshark is working perfectly.

with a device sniffer i use

hewlett packard the model

i'm use script modified by me

like the screen

can u tell me the port range that warzone uses ? i have read in the netduma forum udp 30000-45000 and udp3074

Yep, like moeller0 said, you can do it this way, or by including "mpu 64" in the advanced options strings for ingress and egress. I would point out dont do it in both spots, you will end up setting it to 128! (64+64) At least it used to do this years ago, as I found out to my embarrassment.

You could run tcpdump on the router's br-lan interface to see internal IP addresses and ports, no need to use wireshark on the gaming computer to capture the packets.
You can even direct tcpdump to write to file, and the use wireshark to load that file so you can use wireshark's convenient GUI and tooling.

I have not tried that myself, for the overhead keywords that behavior is intended, so that one can request accounting for vlan tags in addition to any other encapsulations, not sure why the same also applies to mpu, but I guess there is no good reason to request the same mpu twice....