SQM settings for ethernet/OpenVPN

Well, since @richb-hanover suggested...

I do need help setting up SQM on my router, in particular I have three questions:

  1. My connection is FO to the building and I just have an ethernet port in my condo. What should I select for "Link layer adaptation"?
  2. Almost everything is routed out thru the VPN client, so what should I select for the interface name -- the real WAN port or the OpenVPN interface?
  3. If former -- should I seed the speed up/down to the realistic speeds I get over VPN or the true WAN speed?

Thanks!

I do need help setting up SQM on my router, in particular I have three questions:

  1. My connection is FO to the building and I just have an ethernet port in my condo. What should I select for "Link layer adaptation"?
    Good question, that really depends on the encapsulation used by your ISP, I would start out with none or ethernet (really ATM is only ever sane on a true ATM link using AAL5). So on cable systems the built-in shaping system will shape on ethernet frames with frame check sequence (so overhead 18 bytes in both upstream and downstream), but typically one does not really know what exact speed-limit the ISP configured in its systems (cable ISPs tend to over deliver, so the contractual rates probably are a decent first approximation). Also once the cable system encounters congestion all shaping at the CPE end will be sub-optimal (as the effective speed-limit drops without notification).
  2. Almost everything is routed out thru the VPN client, so what should I select for the interface name -- the real WAN port or the OpenVPN interface?
    This is a policy question you need to decide on: on the real wan interface your shaping will be "deterministic", but it will probably treat the VPN traffic like one single flow (and balance the fairness with all other non-VPN flows, less than ideal). If your VPN software does proper AQM inside itself that might work. The alternative would be to set up an sqm instance on the openvpn interface with less than 100% of the true bandwidth (so leave some room stochastically for non-VPN traffic). You should get a few packet captures on the true wan interface to get an idea about the overhead that openvpn adds, as you will need to account for that (in addition to the 18 bytes that DOCSIS will drag in).
    Now you could create an outer sqm instance with a special tier for the one VPN flow (sized appropriately) and also run a sqm instance on the openvpn interface to get fairness inside the VPN-tunnel. But that will require some manual work which especially on ingress will be a PITA.
  3. If former -- should I seed the speed up/down to the realistic speeds I get over VPN or the true WAN speed?
    The true WAN speed is ever only an upper limit for the shaper settings, after accounting for the correct overhead. In reality, especially for ingress shaping, one often needs to shape lower as otherwise the upstream end of the true bottleneck will fill its buffers causing unwanted delay; on egress one can sometimes get away with setting the shaper at 100%. But this can be quite nicely solved empirically by cycling through a few settings while performing stress tests, and then simply picking the bandwidth that results in acceptable latency under load increases.

Best Regards
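
The overhead accounting described in the reply above, worked through as an added example (not part of the original posts): it estimates the per-packet bytes OpenVPN adds from paired capture sizes and shows how far the physical link overshoots when a shaper on the tunnel interface ignores that overhead. The capture sizes, the 30000 kbit/s shaper rate and all function names are assumptions made for illustration; only the 18-byte link overhead comes from the thread.

```python
# Added example; the capture sizes below are constructed, not measured.
from statistics import median

LINK_OVERHEAD = 18  # bytes per frame on the physical link (figure from the reply)

# (inner IP length seen on the tunnel interface, outer IP length seen on WAN)
# for the same packets, as read from two packet captures. Constructed values.
SAMPLE_PAIRS = [(52, 121), (100, 169), (576, 645), (1200, 1273), (1400, 1469)]


def tunnel_overhead(pairs):
    """Median bytes the VPN adds per packet (outer headers, crypto framing)."""
    return median(outer - inner for inner, outer in pairs)


def per_packet_overhead(pairs):
    """Bytes to charge per packet on a tunnel-side shaper: VPN + link overhead."""
    return tunnel_overhead(pairs) + LINK_OVERHEAD


def wire_rate_kbit(shaper_kbit, inner_len, accounted, actual):
    """Rate seen on the physical link when the tunnel-side shaper charges
    inner_len + accounted bytes per packet but the wire carries
    inner_len + actual bytes."""
    return shaper_kbit * (inner_len + actual) / (inner_len + accounted)


def report(shaper_kbit=30000):
    """Rows of (packet size, wire rate with overhead ignored, wire rate with
    overhead accounted), in kbit/s."""
    actual = per_packet_overhead(SAMPLE_PAIRS)
    rows = []
    for size in (100, 576, 1400):
        ignored = round(wire_rate_kbit(shaper_kbit, size, 0, actual))
        accounted = round(wire_rate_kbit(shaper_kbit, size, actual, actual))
        rows.append((size, ignored, accounted))
    return rows


if __name__ == "__main__":
    print("per-packet overhead:", per_packet_overhead(SAMPLE_PAIRS), "bytes")
    for size, ignored, accounted in report():
        print(f"{size:5d} B packets: {ignored} kbit/s ignored, "
              f"{accounted} kbit/s accounted")
```

With overhead ignored, small packets push the wire rate far above the configured shaper rate, which is why a fixed percentage margin alone does not hold for traffic dominated by small packets.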

here are my settings

Thanks for your reply. I understand there're some unknowns (like my ISP encapsulation) and I guess I'll have to try all 3 options to figure out which works best for me. But considering that all vpn traffic is encrypted, would it make any difference to enable SQM on VPN interface? Or is it a different layer?

My connection is 100/100, but with VPN enabled, I get about a third of my true WAN speed, so what would be the optimal settings without mucking too much?

You've mentioned in your thread that your build comes with PIA OpenVPN presets, are you getting those speeds via OpenVPN interface?

Not at all :grinning: no home router with an arm CPU will be able to give those kinds of speed over VPN.

EDIT: If you need those speeds, no consumer router will do. You will need to make a pfsense box with an intel cpu or something similar.

Right, thank you for your feedback, but my question was specific to SQM/OpenVPN use.

Mmmh, if the VPN interface sees the packets before encryption it would be quite a good idea, as that way fairness inside the encrypted tunnel would be maintained. The challenge is more that you mix encrypted and unencrypted traffic on your link, so need a shaper on the physical link to avoid over filling the buffers of upstream and/or CP equipment, but the VPN traffic can be variable (not a very hard problem, but you will need a new tier for the VPN traffic with appropriate bandwidth assigned). But once your VPN traffic maxes out, how many CPU cycles will still be available for sqm? That needs testing... But if most of your traffic flows through the VPN I would certainly try to get an sqm instance active on the unencrypted traffic there to maintain flow fairness...

Best Regards

Well, that's why I'm seeking the advice from the experts! You've brought a very valid concern about CPU maxing out on VPN and not having enough power left for SQM.

So given encryption and the CPU usage (ipq806x-ARM) I would still welcome suggestions from other experts on specific settings for SQM for 100/100Mbit WAN connection with VPN maxing out at about a third of that.

@stangri funny to find you in this thread too... I guess it's two of us with the same needs. I'm curious what router you have? I have a WRT3200ACM and I just enabled HW acceleration, getting 50+ Mbps down now. My peak load is ~100% even with HW acceleration, so I'm guessing I will not benefit from SQM. In my testing, results are about the same, at least on the VPN traffic.

I'm still on Linksys EA8500, I'd like to use a single box and there's no stable wifi driver for WRT3200ACM. When you say HW acceleration -- do you mean hardware NAT? I didn't know it was available for WRT3200ACM.

Have you tried setting SQM on both WAN and VPN interfaces like @moeller0 suggested?