Ultimate SQM settings: Layer_cake + DSCP marks (New Script!)

Hello.
The original thread is for reference only now; you will also find the setup steps there!
Please remove the old script and use this one; the port-based script is not accurate and can cause more load on the CPU.
Here is the latest DSCP marking script. You can name it DSCP.sh, place it in /root, then mark it as executable using WinSCP or via the terminal: chmod 755 /root/DSCP.sh

#!/bin/bash -x
IPT="iptables"
##########
#Veth start
##########
WANIF="pppoe-wan" #wan interface

tc qdisc add dev wlan0 root mq #setup multi queue for wifi device
## set up veth devices to handle inbound and outbound traffic
ip link show | grep veth0 || ip link add type veth

## get new veth interfaces up
ip link set veth0 up
ip link set veth1 up

## turn on promisc mode, sometimes it's needed to make the bridge work
ip link set veth1 promisc on

## add veth1 to bridge
brctl addif br-lan veth1

## just to make sure there's nothing inside this table
ip rule del priority 100
ip route flush table 100

## add routing for veth0 this will handle all traffic
ip route add default dev veth0 table 100
ip rule add iif $WANIF table 100 priority 100
#########
#Veth end
#########
## ipsets for streaming sites etc.; they are filled by dnsmasq
ipset create streaming hash:ip
ipset create usrcdn hash:ip
ipset create bulk hash:ip
ipset create latsens hash:ip

$IPT -t mangle -N dscp_mark > /dev/null 2>&1
$IPT -t mangle -F dscp_mark
## check if POSTROUTING already jumps to our chain; if not, add the jump

$IPT -t mangle -L POSTROUTING -n | grep dscp_mark || $IPT -t mangle -A POSTROUTING -j dscp_mark

iptmark(){
    $IPT -t mangle -A dscp_mark "$@"
}

## start by washing the dscp to CS0

iptmark -j DSCP --set-dscp 0

# Two robust rules to detect realtime traffic

# mark connections that go over 115 packets per second, not prioritized
iptmark -p udp -m hashlimit --hashlimit-name udp_high_prio --hashlimit-above 115/sec --hashlimit-burst 50 --hashlimit-mode srcip,srcport,dstip,dstport -j CONNMARK --set-mark 0x55 -m comment --comment "connmark for udp"

# unmarked UDP streams with small packets get CS6
iptmark -p udp -m connmark ! --mark 0x55 -m multiport ! --ports 22,25,53,67,68,123,143,161,162,514,5353,80,443,8080,60001 -m connbytes --connbytes 0:940 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class CS6 -m comment --comment "small udp connection gets CS6"

#large udp streams like video call get AF41
iptmark -p udp -m connmark ! --mark 0x55 -m multiport ! --ports 22,25,53,67,68,123,143,161,162,514,5353,80,443,8080,60001 -m connbytes --connbytes 940:1500 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class AF41 -m comment --comment "large udp connection gets AF41"

########################################
# Latency Sensitive (gaming/voip)
########################################
##ICMP, to prioritize pings
iptmark -p icmp -j DSCP --set-dscp-class CS5 -m comment --comment "ICMP-pings"

#DNS traffic both udp and tcp
iptmark -p udp -m multiport --port 53,5353,8888 -j DSCP --set-dscp-class CS5 -m comment --comment "DNS udp"
iptmark -p tcp -m multiport --port 53,5353,8888 -j DSCP --set-dscp-class CS5 -m comment --comment "DNS tcp"

#NTP
iptmark -p udp -m multiport --port 123 -j DSCP --set-dscp-class CS6 -m comment --comment "NTP udp"

# High priority ipset, I use it for pubgM
iptmark ! -p tcp -m set --match-set latsens src,dst -j DSCP --set-dscp-class CS6 -m comment --comment "latency sensitive ipset" ## set dscp tag for Latency Sensitive (latsens) ipset,udp

iptmark -p tcp -m set --match-set latsens src,dst -j DSCP --set-dscp-class CS5 -m comment --comment "latency sensitive ipset" ## set dscp tag for Latency Sensitive (latsens) ipset

########
##Browsing
########
## medium priority for browsing
iptmark -p tcp -m multiport --ports 80,443,8080 -j DSCP --set-dscp-class CS3 -m comment --comment "Browsing at CS3"

##################
#TCP SYN,ACK flows
##################
#Make sure ACK,SYN packets get priority (to avoid upload speed limiting our download speed)
iptmark -p tcp --tcp-flags ALL ACK -m length --length :128 -j DSCP --set-dscp-class CS3
iptmark -p tcp --tcp-flags ALL SYN -m length --length :666 -j DSCP --set-dscp-class CS3

# Small packet is probably interactive or flow control
iptmark -m dscp ! --dscp 24 -m dscp ! --dscp 18 -m dscp ! --dscp 34 -m dscp ! --dscp 40 -m dscp ! --dscp 48 -m length --length 0:500 -j DSCP --set-dscp-class CS3

# Small packet connections: multi purpose (doesn't harm since not maxed out)
iptmark -m dscp ! --dscp 24 -m dscp ! --dscp 18 -m dscp ! --dscp 34 -m dscp ! --dscp 40 -m dscp ! --dscp 48 -m connbytes --connbytes 0:250 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class CS3


########################################
# Streaming Media (videos/audios)
########################################
# Known video streaming sites like Netflix
iptmark -m set --match-set streaming src,dst -j DSCP --set-dscp-class AF41 -m comment --comment "video audio stream ipset"

# some IPTV providers use these ports
iptmark -p tcp -m multiport --ports 1935,9982 -j DSCP --set-dscp-class AF41 -m comment --comment "some iptv streaming service"

#known usrcdn like google or akamai

iptmark -m set --match-set usrcdn src,dst -j DSCP --set-dscp-class AF21 -m comment --comment "usrcdn ipset"

#########################################
# Background Traffic (Bulk/file transfer)
#########################################
# bulk traffic ipset, like Windows updates and Steam updates/downloads
iptmark -p tcp -m set --match-set bulk src,dst -j DSCP --set-dscp-class CS1 -m comment --comment "bulk traffic ipset"
iptmark -p udp -m set --match-set bulk src,dst -j DSCP --set-dscp-class CS1 -m comment --comment "bulk traffic ipset"
iptmark -p tcp -m connbytes --connbytes 350000: --connbytes-dir both --connbytes-mode bytes -m dscp --dscp-class CS0 -j DSCP --set-dscp-class CS1 -m comment --comment "Downgrade CS0 to CS1 for bulk tcp traffic"
iptmark -p tcp -m connbytes --connbytes 350000: --connbytes-dir both --connbytes-mode bytes -m dscp --dscp-class CS3 -j DSCP --set-dscp-class CS1 -m comment --comment "Downgrade CS3 to CS1 for bulk tcp traffic"
iptmark -p udp -m multiport --port 60001 -j DSCP --set-dscp-class CS1 -m comment --comment "bulk torrent port UDP"


# tcpdump rule, copy and paste this into the terminal; it is used to capture realtime traffic, you can change the IP to what you like
#tcpdump -i br-lan host 192.168.1.126 and udp and portrange 1-65535 and !port 53 and ! port 80 and ! port 443 -vv -X -w /root/cap-name.pcap

Add the following lines at the end of /etc/dnsmasq.conf:

##Latency Sensitive (gaming/voip)
ipset=/igamecj.com/gcloudcs.com/qos.gcloud.qq.com/latsens

##video/audio streams
# Youtube is also isolated by my isp
ipset=/googlevideo.com/*.googlevideo.com/streaming
# NetFlix
ipset=/nflxvideo.net/streaming
# AmazonVideo
ipset=/s3.ll.dash.row.aiv-cdn.net/d25xi40x97liuc.cloudfront.net/aiv-delivery.net/streaming
# Facebook
ipset=/fbcdn.net/streaming
# Twitch
ipset=/ttvnw.net/streaming
# VeVo
ipset=/vevo.com/streaming
# Spotify
ipset=/audio-fa.scdn.cot/streaming
# Deezer
ipset=/deezer.com/streaming
# SoundCloud
ipset=/sndcdn.com/streaming
# last.fm
ipset=/last.fm/streaming
#reddit videos
ipset=/v.redd.it/streaming
#twitch.tv
ipset=/ttvnw.net/streaming

##i have isolated speed for those cdn's 
ipset=/googletagmanager.com/googleusercontent.com/*.googleusercontent.com/google.com/fbcdn.net/*.fbcdn.net/akamaihd.net/*.akamaihd.net/whatsapp.net/*.whatsapp.net/whatsapp.com/*.whatsapp.com/www-cdn.whatsapp.net/googleapis.com/*.googleapis.com/ucy.ac.cy/1e100.net/hwcdn.net/usrcdn

## Bulk downloads
#qq download
ipset=/download.qq.com/bulk
# Steam Download
ipset=/steamcontent.com/bulk
# PSN Download
ipset=/gs2.ww.prod.dl.playstation.net/bulk
# DropBox
ipset=/dropbox.com/dropboxstatic.com/dropbox-dns.com/log.getdropbox.com/bulk
# Google Drive
ipset=/drive.google.com/drive-thirdparty.googleusercontent.com/bulk
# Google Docs
ipset=/docs.google.com/docs.googleusercontent.com/bulk
# PlayStore Download
ipset=/gvt1.com/bulk
# WhatsApp Files
ipset=/mmg-fna.whatsapp.net/bulk
# Youtube Upload
ipset=/upload.youtube.com/upload.video.google.com/bulk
# WindowsUpdate
ipset=/windowsupdate.com/update.microsoft.com/bulk

This script can work with both DIFFSERV4 and DIFFSERV8.

Further updates will be only on github: https://github.com/hisham2630/Ultimate-SQM-settings-Layer_cake-DSCP-marks-New-Script

13 Likes
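The small-packet rules in the script exclude DSCP values 24, 18, 34, 40 and 48 numerically while every other rule uses a class name, and the tcpdump capture rule shows marks only as a raw ToS byte (tcpdump prints something like "tos 0x60"). The following POSIX shell helper is an added example, not part of hisham2630's script; it converts between the two representations so you can confirm that the numeric list is exactly the set of classes the script assigns earlier (CS3, AF21, AF41, CS5, CS6) and decode what you see in a capture. The function names are my own; the arithmetic is the standard DSCP layout from RFC 2474, 2597 and 3246.

```shell
#!/bin/sh
# Convert between DSCP class names and the numeric values used in iptables rules
# and shown by tcpdump. Example code, not part of the forum script.
# DSCP is the upper six bits of the IP ToS / Traffic Class byte:
#   CSn  = n * 8          (RFC 2474)
#   AFxy = 8 * x + 2 * y  (RFC 2597, x = 1..4, y = 1..3)
#   EF   = 46             (RFC 3246)

# Class name for a decimal DSCP value (0-63); codepoints without a name print DSCP<n>.
dscp_name() {
    n=$1
    if [ "$n" -eq 46 ]; then echo EF; return 0; fi
    cls=$((n / 8)); low=$((n % 8))
    if [ "$low" -eq 0 ]; then
        echo "CS$cls"
    elif [ "$cls" -ge 1 ] && [ "$cls" -le 4 ] && [ $((low % 2)) -eq 0 ]; then
        echo "AF$cls$((low / 2))"
    else
        echo "DSCP$n"
    fi
}

# Decimal DSCP value for a class name, as needed for "-m dscp --dscp N".
dscp_value() {
    case $1 in
        EF) echo 46 ;;
        CS[0-7]) echo $(( ${1#CS} * 8 )) ;;
        AF[1-4][1-3]) xy=${1#AF}; echo $(( ${xy%?} * 8 + ${xy#?} * 2 )) ;;
        *) echo "unknown class: $1" >&2; return 1 ;;
    esac
}

# Class name for the ToS byte tcpdump prints (e.g. "tos 0x60"):
# DSCP = tos >> 2, the low two bits being ECN.
tos_class() {
    dscp_name $(( $1 >> 2 ))
}

# The small-packet rules exclude these five values; show which classes they are.
for v in 24 18 34 40 48; do
    echo "--dscp $v is $(dscp_name "$v")"
done
```

Running the block prints CS3, AF21, AF41, CS5 and CS6 for the five excluded values, i.e. the classes the browsing, usrcdn, streaming, DNS/ICMP and latency-sensitive rules set before the small-packet rules run; CS1 (8) is not excluded because the bulk rules come later in the chain. A capture line showing tos 0x88 decodes to AF41, tos 0x60 to CS3.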

Here's the script with IPv6 support; it needs testing because I don't have IPv6!

#!/bin/bash -x
IPT="iptables"
IPT6="ip6tables"
###########
#Veth start
###########
WANIF="pppoe-wan" #wan interface name

tc qdisc add dev wlan0 root mq #setup multi queue for wifi device
## set up veth devices to handle inbound and outbound traffic
ip link show | grep veth0 || ip link add type veth

## get new veth interfaces up
ip link set veth0 up
ip link set veth1 up

## turn on promisc mode, sometimes it's needed to make the bridge work
ip link set veth1 promisc on

## add veth1 to bridge
brctl addif br-lan veth1

## just to make sure there's nothing inside this table
ip rule del priority 100
ip route flush table 100
## add routing for veth0 this will handle all traffic
ip route add default dev veth0 table 100
ip rule add iif $WANIF table 100 priority 100

#########
#Veth end
#########

## ipsets for streaming sites etc.; they are filled by dnsmasq
ipset create streaming hash:ip
ipset create streaming6 hash:ip family inet6

ipset create usrcdn hash:ip
ipset create usrcdn6 hash:ip family inet6

ipset create bulk hash:ip
ipset create bulk6 hash:ip family inet6

ipset create latsens hash:ip
ipset create latsens6 hash:ip family inet6

$IPT -t mangle -N dscp_mark > /dev/null 2>&1
$IPT6 -t mangle -N dscp_mark > /dev/null 2>&1

$IPT -t mangle -F dscp_mark
$IPT6 -t mangle -F dscp_mark

## check if POSTROUTING already jumps to our chain; if not, add the jump

$IPT -t mangle -L POSTROUTING -n | grep dscp_mark || $IPT -t mangle -A POSTROUTING -j dscp_mark

$IPT6 -t mangle -L POSTROUTING -n | grep dscp_mark || $IPT6 -t mangle -A POSTROUTING -j dscp_mark

iptmark() {
    $IPT -t mangle -A dscp_mark "$@"
}

ipt6mark() {
    $IPT6 -t mangle -A dscp_mark "$@"
}

## start by washing the dscp to CS0

iptmark -j DSCP --set-dscp 0
ipt6mark -j DSCP --set-dscp 0

# Two robust rules to detect realtime traffic

# mark connections that go over 115 packets per second, not prioritized
iptmark -p udp -m hashlimit --hashlimit-name udp_high_prio --hashlimit-above 115/sec --hashlimit-burst 50 --hashlimit-mode srcip,srcport,dstip,dstport -j CONNMARK --set-mark 0x55 -m comment --comment "connmark for udp"

ipt6mark -p udp -m hashlimit --hashlimit-name udp_high_prio --hashlimit-above 115/sec --hashlimit-burst 50 --hashlimit-mode srcip,srcport,dstip,dstport -j CONNMARK --set-mark 0x55 -m comment --comment "connmark for udp6"

# unmarked UDP streams with small packets get CS6
iptmark -p udp -m connmark ! --mark 0x55 -m multiport ! --ports 22,25,53,67,68,123,143,161,162,514,5353,80,443,8080,60001 -m connbytes --connbytes 0:940 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class CS6 -m comment --comment "small udp connection gets CS6"

ipt6mark -p udp -m connmark ! --mark 0x55 -m multiport ! --ports 22,25,53,67,68,123,143,161,162,514,5353,80,443,8080,60001 -m connbytes --connbytes 0:940 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class CS6 -m comment --comment "small udp6 connection gets CS6"

#large udp streams like video call get AF41
iptmark -p udp -m connmark ! --mark 0x55 -m multiport ! --ports 22,25,53,67,68,123,143,161,162,514,5353,80,443,8080,60001 -m connbytes --connbytes 940:1500 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class AF41 -m comment --comment "large udp connection gets AF41"

ipt6mark -p udp -m connmark ! --mark 0x55 -m multiport ! --ports 22,25,53,67,68,123,143,161,162,514,5353,80,443,8080,60001 -m connbytes --connbytes 940:1500 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class AF41 -m comment --comment "large udp6 connection gets AF41"

########################################
# Latency Sensitive (gaming/voip)
########################################
##ICMP, to prioritize pings
iptmark -p icmp -j DSCP --set-dscp-class CS5 -m comment --comment "ICMP-pings"
ipt6mark -p ipv6-icmp -j DSCP --set-dscp-class CS5 -m comment --comment "ICMPv6-pings" ## IPv6 pings are ICMPv6 (protocol 58); "-p icmp" (protocol 1) would never match in ip6tables

#DNS traffic both udp and tcp
iptmark -p udp -m multiport --port 53,5353,8888 -j DSCP --set-dscp-class CS5 -m comment --comment "DNS udp"
ipt6mark -p udp -m multiport --port 53,5353,8888 -j DSCP --set-dscp-class CS5 -m comment --comment "DNS udp6"

iptmark -p tcp -m multiport --port 53,5353,8888 -j DSCP --set-dscp-class CS5 -m comment --comment "DNS tcp"
ipt6mark -p tcp -m multiport --port 53,5353,8888 -j DSCP --set-dscp-class CS5 -m comment --comment "DNS tcp6"

#NTP
iptmark -p udp -m multiport --port 123 -j DSCP --set-dscp-class CS6 -m comment --comment "NTP udp"
ipt6mark -p udp -m multiport --port 123 -j DSCP --set-dscp-class CS6 -m comment --comment "NTP6 udp"

# High priority ipset, I use it for pubgM
iptmark ! -p tcp -m set --match-set latsens src,dst -j DSCP --set-dscp-class CS6 -m comment --comment "latency sensitive ipset" ## set dscp tag for Latency Sensitive (latsens) ipset,udp
ipt6mark ! -p tcp -m set --match-set latsens6 src,dst -j DSCP --set-dscp-class CS6 -m comment --comment "latency sensitive ipset6" ## set dscp tag for Latency Sensitive (latsens) ipset,udp

iptmark -p tcp -m set --match-set latsens src,dst -j DSCP --set-dscp-class CS5 -m comment --comment "latency sensitive ipset" ## set dscp tag for Latency Sensitive (latsens) ipset
ipt6mark -p tcp -m set --match-set latsens6 src,dst -j DSCP --set-dscp-class CS5 -m comment --comment "latency sensitive ipset6" ## set dscp tag for Latency Sensitive (latsens) ipset

###########
##Browsing
###########
## medium priority for browsing
iptmark -p tcp -m multiport --ports 80,443,8080 -j DSCP --set-dscp-class CS3 -m comment --comment "Browsing at CS3"

ipt6mark -p tcp -m multiport --ports 80,443,8080 -j DSCP --set-dscp-class CS3 -m comment --comment "Browsing6 at CS3"
##################
#TCP SYN,ACK flows
##################
#Make sure ACK,SYN packets get priority (to avoid upload speed limiting our download speed)
iptmark -p tcp --tcp-flags ALL ACK -m length --length :128 -j DSCP --set-dscp-class CS3
ipt6mark -p tcp --tcp-flags ALL ACK -m length --length :128 -j DSCP --set-dscp-class CS3

iptmark -p tcp --tcp-flags ALL SYN -m length --length :666 -j DSCP --set-dscp-class CS3
ipt6mark -p tcp --tcp-flags ALL SYN -m length --length :666 -j DSCP --set-dscp-class CS3

# Small packet is probably interactive or flow control
iptmark -m dscp ! --dscp 24 -m dscp ! --dscp 18 -m dscp ! --dscp 34 -m dscp ! --dscp 40 -m dscp ! --dscp 48 -m length --length 0:500 -j DSCP --set-dscp-class CS3
ipt6mark -m dscp ! --dscp 24 -m dscp ! --dscp 18 -m dscp ! --dscp 34 -m dscp ! --dscp 40 -m dscp ! --dscp 48 -m length --length 0:500 -j DSCP --set-dscp-class CS3

# Small packet connections: multi purpose (doesn't harm since not maxed out)
iptmark -m dscp ! --dscp 24 -m dscp ! --dscp 18 -m dscp ! --dscp 34 -m dscp ! --dscp 40 -m dscp ! --dscp 48 -m connbytes --connbytes 0:250 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class CS3
ipt6mark -m dscp ! --dscp 24 -m dscp ! --dscp 18 -m dscp ! --dscp 34 -m dscp ! --dscp 40 -m dscp ! --dscp 48 -m connbytes --connbytes 0:250 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class CS3

########################################
# Streaming Media (videos/audios)
########################################
# Known video streaming sites like Netflix
iptmark -m set --match-set streaming src,dst -j DSCP --set-dscp-class AF41 -m comment --comment "video audio stream ipset"
ipt6mark -m set --match-set streaming6 src,dst -j DSCP --set-dscp-class AF41 -m comment --comment "video audio stream ipset6"

# some IPTV providers use these ports
iptmark -p tcp -m multiport --ports 1935,9982 -j DSCP --set-dscp-class AF41 -m comment --comment "some iptv streaming service"
ipt6mark -p tcp -m multiport --ports 1935,9982 -j DSCP --set-dscp-class AF41 -m comment --comment "some iptv streaming service6"

#known usrcdn like google or akamai
iptmark -m set --match-set usrcdn src,dst -j DSCP --set-dscp-class AF21 -m comment --comment "usrcdn ipset"
ipt6mark -m set --match-set usrcdn6 src,dst -j DSCP --set-dscp-class AF21 -m comment --comment "usrcdn ipset6"

#########################################
# Background Traffic (Bulk/file transfer)
#########################################
# bulk traffic ipset, like Windows updates and Steam updates/downloads
iptmark -p tcp -m set --match-set bulk src,dst -j DSCP --set-dscp-class CS1 -m comment --comment "bulk traffic ipset"
ipt6mark -p tcp -m set --match-set bulk6 src,dst -j DSCP --set-dscp-class CS1 -m comment --comment "bulk traffic ipset6"

iptmark -p udp -m set --match-set bulk src,dst -j DSCP --set-dscp-class CS1 -m comment --comment "bulk traffic ipset"
ipt6mark -p udp -m set --match-set bulk6 src,dst -j DSCP --set-dscp-class CS1 -m comment --comment "bulk traffic ipset6"

iptmark -p tcp -m connbytes --connbytes 350000: --connbytes-dir both --connbytes-mode bytes -m dscp --dscp-class CS0 -j DSCP --set-dscp-class CS1 -m comment --comment "Downgrade CS0 to CS1 for bulk tcp traffic"
ipt6mark -p tcp -m connbytes --connbytes 350000: --connbytes-dir both --connbytes-mode bytes -m dscp --dscp-class CS0 -j DSCP --set-dscp-class CS1 -m comment --comment "Downgrade CS0 to CS1 for bulk tcp traffic6"

iptmark -p tcp -m connbytes --connbytes 350000: --connbytes-dir both --connbytes-mode bytes -m dscp --dscp-class CS3 -j DSCP --set-dscp-class CS1 -m comment --comment "Downgrade CS3 to CS1 for bulk tcp traffic"
ipt6mark -p tcp -m connbytes --connbytes 350000: --connbytes-dir both --connbytes-mode bytes -m dscp --dscp-class CS3 -j DSCP --set-dscp-class CS1 -m comment --comment "Downgrade CS3 to CS1 for bulk tcp traffic6"

iptmark -p udp -m multiport --port 60001 -j DSCP --set-dscp-class CS1 -m comment --comment "bulk torrent port UDP"
ipt6mark -p udp -m multiport --port 60001 -j DSCP --set-dscp-class CS1 -m comment --comment "bulk torrent port UDP6"

# tcpdump rule, copy and paste this into the terminal; it is used to capture realtime traffic, you can change the IP to what you like
#tcpdump -i br-lan host 192.168.1.126 and udp and portrange 1-65535 and !port 53

dnsmasq.conf with IPv6 support
Add the following lines at the end of /etc/dnsmasq.conf:

##Latency Sensitive (gaming/voip)
ipset=/igamecj.com/gcloudcs.com/qos.gcloud.qq.com/latsens,latsens6

##video/audio streams
# Youtube is also isolated by my isp
ipset=/googlevideo.com/*.googlevideo.com/streaming,streaming6
# NetFlix
ipset=/nflxvideo.net/streaming,streaming6
# AmazonVideo
ipset=/s3.ll.dash.row.aiv-cdn.net/d25xi40x97liuc.cloudfront.net/aiv-delivery.net/streaming,streaming6
# Facebook
ipset=/fbcdn.net/streaming,streaming6
# Twitch
ipset=/ttvnw.net/streaming,streaming6
# VeVo
ipset=/vevo.com/streaming,streaming6
# Spotify
ipset=/audio-fa.scdn.cot/streaming,streaming6
# Deezer
ipset=/deezer.com/streaming,streaming6
# SoundCloud
ipset=/sndcdn.com/streaming,streaming6
# last.fm
ipset=/last.fm/streaming,streaming6
#reddit videos
ipset=/v.redd.it/streaming,streaming6
#twitch.tv
ipset=/ttvnw.net/streaming,streaming6

##i have isolated speed for those cdn's 
ipset=/googletagmanager.com/googleusercontent.com/*.googleusercontent.com/google.com/fbcdn.net/*.fbcdn.net/akamaihd.net/*.akamaihd.net/whatsapp.net/*.whatsapp.net/whatsapp.com/*.whatsapp.com/www-cdn.whatsapp.net/googleapis.com/*.googleapis.com/ucy.ac.cy/1e100.net/hwcdn.net/usrcdn,usrcdn6

## Bulk downloads
#qq download
ipset=/download.qq.com/bulk,bulk6
# Steam Download
ipset=/steamcontent.com/bulk,bulk6
# PSN Download
ipset=/gs2.ww.prod.dl.playstation.net/bulk,bulk6
# DropBox
ipset=/dropbox.com/dropboxstatic.com/dropbox-dns.com/log.getdropbox.com/bulk,bulk6
# Google Drive
ipset=/drive.google.com/drive-thirdparty.googleusercontent.com/bulk,bulk6
# Google Docs
ipset=/docs.google.com/docs.googleusercontent.com/bulk,bulk6
# PlayStore Download
ipset=/gvt1.com/bulk,bulk6
# WhatsApp Files
ipset=/mmg-fna.whatsapp.net/bulk,bulk6
# Youtube Upload
ipset=/upload.youtube.com/upload.video.google.com/bulk,bulk6
# WindowsUpdate
ipset=/windowsupdate.com/update.microsoft.com/bulk,bulk6

Still under development!

2 Likes
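Both the IPv4 script above and the IPv6 variant only mark traffic whose set names agree between the script's "ipset create" lines and the "ipset=" lines in /etc/dnsmasq.conf: a set that dnsmasq references but the script never creates never gets any members (dnsmasq cannot add to a set that does not exist), and a set the script creates but no dnsmasq line fills stays empty, so the matching iptables rule never fires. Mistakes of this kind are easy to make when adding the 6-suffixed IPv6 sets. The following POSIX shell check is an added example, not part of either post; it extracts the set names from both files and reports the mismatches. The sample files it writes are constructed for the demonstration (they deliberately omit latsens6 and create an unreferenced set called gaming); on the router, call the functions with /root/DSCP.sh and /etc/dnsmasq.conf instead.

```shell
#!/bin/sh
# Cross-check ipset names between the DSCP marking script and dnsmasq.conf.
# Example code, not part of the forum scripts; function names are the author's own.
LC_ALL=C; export LC_ALL   # stable sort order for comm(1)

# Set names the script creates: lines of the form "ipset create NAME TYPE ...".
script_sets() {
    sed -n 's/^ipset create \([A-Za-z0-9_]*\).*/\1/p' "$1" | sort -u
}

# Set names dnsmasq fills: "ipset=/dom1/dom2/set1,set2" (names follow the last slash).
dnsmasq_sets() {
    sed -n 's|^ipset=.*/\([A-Za-z0-9_,]*\)[[:space:]]*$|\1|p' "$1" | tr ',' '\n' | sort -u
}

# Names dnsmasq references that the script never creates ($1 = script, $2 = dnsmasq.conf).
missing_sets() {
    c=$(mktemp); r=$(mktemp)
    script_sets "$1" > "$c"; dnsmasq_sets "$2" > "$r"
    comm -13 "$c" "$r"
    rm -f "$c" "$r"
}

# Names the script creates that no dnsmasq line fills (they will stay empty).
unused_sets() {
    c=$(mktemp); r=$(mktemp)
    script_sets "$1" > "$c"; dnsmasq_sets "$2" > "$r"
    comm -23 "$c" "$r"
    rm -f "$c" "$r"
}

# --- constructed sample inputs, not the real files ---
SAMPLE_SCRIPT=$(mktemp); SAMPLE_DNSMASQ=$(mktemp)
trap 'rm -f "$SAMPLE_SCRIPT" "$SAMPLE_DNSMASQ"' EXIT
cat > "$SAMPLE_SCRIPT" <<'EOF'
#!/bin/bash -x
ipset create streaming hash:ip
ipset create streaming6 hash:ip family inet6
ipset create usrcdn hash:ip
ipset create bulk hash:ip
ipset create latsens hash:ip
ipset create gaming hash:ip
EOF
cat > "$SAMPLE_DNSMASQ" <<'EOF'
##Latency Sensitive (gaming/voip)
ipset=/igamecj.com/gcloudcs.com/qos.gcloud.qq.com/latsens,latsens6
ipset=/googlevideo.com/*.googlevideo.com/streaming,streaming6
ipset=/nflxvideo.net/streaming
ipset=/googleapis.com/*.googleapis.com/usrcdn
ipset=/steamcontent.com/bulk
EOF

echo "referenced by dnsmasq but not created by the script:"
missing_sets "$SAMPLE_SCRIPT" "$SAMPLE_DNSMASQ"   # latsens6
echo "created by the script but never filled by dnsmasq:"
unused_sets "$SAMPLE_SCRIPT" "$SAMPLE_DNSMASQ"    # gaming
```

With the sample inputs the first report lists latsens6 and the second lists gaming. A clean setup prints nothing under either heading; after editing either file, rerun the check before restarting dnsmasq and the script.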

What is your router setup @hisham2630? Is it pc-->switch-->router-->modem-->internet? Do you use a bridge in your setup?

Now I don't use OpenWrt as a router anymore, just as an access point.
laptop/phones(via wifi)-->openwrt access point-->Edgerouter-x-sfp (router)-->ONT-EPON(fiber optic)-->internet

No, the Edgerouter has a DSA architecture switch; the veth method is not needed!

1 Like

Even without DSA, because your access point is connected via ethernet, there is a single exit point from your router. veth methods are needed when packets can leave the router either by ethernet or by wifi... so you want a single queue to feed into both of those exits.

1 Like

There is really nothing ultimate about this at all.
Please stop beating a dead horse.

Maybe something is not working for you; that doesn't mean it's not working for others.
Instead, post something useful!

1 Like

So if someone has an access point connected to his router, that means he doesn't need veth?
Then he has only one SQM on the WAN interface?

1 Like

Hello, I have fiber internet from an ONT to my WRT3200ACM. Do I have to configure the settings that you have in this post, or do I need to use the old post to configure my SQM to use DSCP plus layer_cake?

Right, any time you have a single interface that packets enter and a single interface that packets exit your router, then you are good to go without a veth... the veth method basically just provides this within the router when you are using a bridge for the LAN.

1 Like

Just to pedantically elaborate, the issue is that for a router with wifi, a shaper on the CPU link to LAN (be it a single port or a switch) will also shape wifi traffic between LAN and WLAN and that is typically not what people want.

2 Likes

Exactly, for example the path: WAN -> veth0 -> bridge{veth1,eth0,wlan0}

passes through the veth0 queue, which can be set to the same rate as the WAN download for shaping purposes.... but

wlan0 -> eth0 or eth0 -> wlan0 would go at full speed.

Any packet going, say, eth0 -> WAN or wlan0 -> WAN would go through the WAN exit queue, thereby shaping the upload.

On the other hand, if you have a wired router, say eth1 on WAN and eth0 as LAN, with an AP connected by a cable... then

eth1 -> eth0

goes through the eth0 output queue and eth0 -> WAN goes through the eth1 output queue; since these are the only ways traffic can travel, it fully shapes the WAN to use these two.

What gets tricky is if you have say a LAN and a GUEST network... now anything inbound on WAN could go out either LAN or GUEST... which makes your life hard.

The only way to solve that is to use a veth and a separate namespace... You can put the true WAN bridged to the veth0 in the other namespace, and keep the veth1 as your "apparent WAN" in the main namespace...

bridge{eth1,veth0} in namespace "prewan"

veth1 is your WAN in regular namespace....

you put shapers on veth0 and veth1 before you push veth0 into the other namespace and form the bridge...

But I don't think OpenWrt supports namespaces by default? At least it didn't a year ago or so.

3 Likes

So what happens to those veth scripts if we are not running the veth method or our router doesn't need it? It appears that veth plays a major role here, as many of the scripts are linked to it, so what happens to these scripts if the veth method isn't working or not needed? My setup usually has WAN set at eth1.2 and LAN at eth0.1; should I be setting up something like 0 kb upload on WAN, 4,000 kb upload on LAN, 50,000 kb download on WAN, 0 kb download on LAN for QoS? I have a 5 Mbps up and 60 Mbps down cable connection.

If you have no wifi involved then set upload on WAN to your upload, and set upload on LAN to your WAN download... with that you can use DSCP tagging in the firewall to control the layer_cake usage.

How about in the case where wifi is also running or needed for other wifi devices? I will also post my settings with these newly updated scripts for you guys to verify whether everything was set up correctly.

In general it's hard to say anything definite; you could have a guest network, a trusted LAN, an IoT network, a surveillance camera network, two VPN networks, a gaming device network, two networks for your downstairs Airbnb apartment....

How about pc-->router (as a normal router, not in AP mode)-->router (as a normal router but not allowed to connect, no bridge)-->modem-->internet with iptables in my case? No need to use the veth method, correct? I will solve the double NAT later.
And I'm going to buy a mini PC for pfSense as the main router. Pc-->wrt3200(openwrt)-->mini pc(pfsense)-->modem-->internet. Do I need to use the veth method in this case?
Any recommendation for a mini PC to handle torrents with minimal impact on latency? I still have an old PC with 2 Xeon CPUs, 40 threads total, that I use for 3D rendering, but I'm afraid of the electric bill.

Whenever packets enter on one interface and leave on one interface you don't need veth, so I think your cases all qualify.

The purpose of veth is to provide a single exit point for routers that use an internal bridge to connect multiple exit interfaces, such as several physical NICs or wifi cards.

2 Likes

So should I put only one shaper on WAN eth1.2, or shapers on both LAN eth0.1 and WAN eth1.2? Thanks for the swift response last time.

Do we still need to prioritize the Xbox IP such as 192.168.1.107 and UDP/TCP?

$IPT -t mangle -A PREROUTING -p tcp -m conntrack --ctorigsrc 192.168.1.107 -m multiport ! --ports 3074 -j DSCP --set-dscp-class CS6 -m comment --comment "XBOX1"

$IPT -t mangle -A PREROUTING -p udp -m conntrack --ctorigsrc 192.168.1.107 -m multiport ! --ports 3074 -j DSCP --set-dscp-class CS6 -m comment --comment "XBOX1"