Traffic shaping (SQM scripts) on an SBC with a single ethernet port

Hi

I have OpenWrt installed on a NanoPI 2 Fire SBC (http://wiki.friendlyarm.com/wiki/index.php/NanoPi_2_Fire) that I'm currently using as a DNS server and adblocker. I would like to also use it for traffic shaping with SQM scripts since it has a lot of spare CPU power. This is my current LAN topology:

  • 192.168.1.1: wr1043nd, LAN gateway connected to my ISP modem
  • 192.168.1.2: NanoPI SBC running Unbound/adblock
  • 192.168.1.3: A second wr1043nd which is running a DHCP server

This board has one gigabit ethernet port and one usb 2.0 port, so one option I have is to buy a USB ethernet adapter and use it as the LAN gateway, replacing the WR1043 which is currently connected to the ISP modem.

What I would rather do is change the LAN gateway (provided by the DHCP server) to be 192.168.1.2 and somehow "split" the SBC ethernet port into LAN/WAN virtual devices, where any packets coming from the LAN are sent to the WAN virtual device and then forwarded to 192.168.1.1 (traffic from/to the ISP gateway would go through the SBC). This would allow me to enable SQM on the virtual WAN device.

I imagine this would be possible by creating a custom TUN device, but it is not clear what is the best way to accomplish this with OpenWrt. Any suggestions are welcome.

Best way is to get the usb2eth.
Other solutions are to use macvlans or vlans and a managed switch.

1 Like

I am not sure, but if the wr1043nd supports it, you may be able to use it as a plain managed switch and your nanopi as a router on a stick.

2 Likes

I'm not an expert in networking configuration but some research suggests this is what I need. I found a tutorial that explains how to do it with a raspberry pi 4 (https://www.maroonmed.com/berry-on-a-bush-router-on-a-stick-raspberry-pi-4-inter-vlan-openwrt-router/), which I will try to adapt for my SBC.

Thanks for the tip.

Usually, the hardest part is setting up WR1043nd as a managed switch. Setting up your SBC running openwrt as router on a stick should be easy.

Another option (note that this involves double NAT) is to set up your SBC as 'router/gateway' in your DHCP server. With this, your LAN devices should send packets to the SBC, and then the SBC can NAT and send them to your actual router/firewall. All packets coming from the internet will go to the SBC due to NAT. I did this to run ntopng on my Rpi4 to do traffic analysis, but I imagine you should be able to use this for QoS purposes as well. Note that NAT happens at the SBC and at your internet-facing router as well. This is definitely a lot easier to set up!

I just tested the "router on a stick" approach and it worked very well.

Setting up WR1043 as a managed switch was not all that hard, I will leave /etc/config/network for wr1043nd here as a reference to any future readers:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda7:af9e:a756::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.100'
        option proto 'static'
        option ipaddr '192.168.1.2'
        option gateway '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.1.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '100'
        option ports '0t 1t 2 3 4'
        option vid '100'

config switch_vlan
        option device 'switch0'
        option vlan '10'
        option ports '0t 1t 5'
        option vid '10'

The above sets up port 4 for the SBC "router on a stick" (port 4 is numbered "1" in the config). Configuring the NanoPi was also quite simple:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc2:2831:0440::/48'

config interface 'lan'
        option ifname 'eth0.100'
        option proto 'static'
        option broadcast '192.168.1.255'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option ifname 'eth0.10'
        option proto 'pppoe'
        option password 'MyPassword'
        option ipv6 'auto'
        option username 'MyUsername'
        option macaddr '84:16:f9:e8:d1:d1'

Note that the original wr1043nd config had this defining the WAN device:

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr '84:16:f9:e8:d1:d1'

It used a random macaddr on the virtual WAN device since the same card was shared by all ports. All I did was copy the macaddr when defining the WAN device in the NanoPI. Also changed the WAN VLAN id to 10 from 2, following the same pattern used in the reference tutorial for Raspberry PI.

1 Like
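
A check that can be run on a workstation against a copy of the switch's /etc/config/network, added here as an example and not code from the thread: it parses the `switch_vlan` sections and flags any port that is a member of both the LAN VLAN (100) and the WAN VLAN (10) without being tagged in both, since such a port would let LAN and WAN frames mix without passing through the NanoPi. The function names are hypothetical, and the port parsing assumes the swconfig syntax shown in the post (`t` suffix for tagged).

```python
import shlex

# Constructed sample: the switch_vlan sections of the wr1043nd config posted above.
SAMPLE = """
config switch_vlan
        option device 'switch0'
        option vlan '100'
        option ports '0t 1t 2 3 4'
        option vid '100'

config switch_vlan
        option device 'switch0'
        option vlan '10'
        option ports '0t 1t 5'
        option vid '10'
"""

def parse_sections(text):
    """Parse UCI text into a list of dicts, one per 'config' section."""
    sections = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if len(words) >= 2 and words[0] == "config":
            sections.append({"_type": words[1]})
        elif len(words) == 3 and words[0] == "option" and sections:
            sections[-1][words[1]] = words[2]
    return sections

def vlan_ports(text):
    """Map VLAN id -> {switch port: True if tagged} for every switch_vlan section."""
    vlans = {}
    for sec in parse_sections(text):
        if sec["_type"] == "switch_vlan":
            vid = int(sec.get("vid", sec["vlan"]))
            vlans[vid] = {int(p.rstrip("tu*")): "t" in p
                          for p in sec.get("ports", "").split()}
    return vlans

def isolation_findings(text, lan_vid=100, wan_vid=10):
    """Report ports where LAN and WAN frames could mix without passing the router."""
    vlans = vlan_ports(text)
    lan, wan = vlans.get(lan_vid, {}), vlans.get(wan_vid, {})
    findings = []
    for port in sorted(lan.keys() & wan.keys()):
        # A port in both VLANs is only safe as a trunk: tagged in both.
        if not (lan[port] and wan[port]):
            findings.append(f"port {port}: in VLAN {lan_vid} and VLAN {wan_vid} but not tagged in both")
    return findings

if __name__ == "__main__":
    print(isolation_findings(SAMPLE) or "LAN/WAN VLANs share only tagged trunk ports")
```
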
