Ultimate SQM settings: Layer_cake + DSCP marks

OK, this time try adding veth0 to the lan zone instead of the wan zone!

Well... everything is working normally again and veth0 is in the lan zone. I tried loading YouTube videos from the smartphone and the wifi keeps dropping; it seems to be caused by something else in the script rules, but I can live with that for now.

@dlakelan do you have an idea why this happen?

Both ends of the veth should be in the lan zone; they represent an Ethernet link to a managed switch that just happens to be in the same box. br-lan is the virtual managed switch, so to speak.

Why the wifi has problems I don't know.


I have an idea. The script is running now, right?
Run iptables -t mangle -F PREROUTING from the terminal, then see if this fixes the wifi problem!
This command will delete all the DSCP tagging rules, so we will know whether the DSCP rules are the problem!

One more thing you could try is to disable Disassociate On Low Acknowledgement; also try setting beacon = 1000 and DTIM Interval = 255.

I already disabled Disassociate On Low Ack with no effect. I could try the other settings and deleting the DSCP rules later tonight.

---edit----

Changing the beacon and DTIM interval doesn't have any effect either; deleting the rules does fix the problem... but... that's not the idea xD. And it only happens with the smartphones: I've played online perfectly from my laptop and Nintendo Switch even with YouTube videos being watched on other PCs, and everything is flawless.

@hisham2630

Haven't been around for a while.

Thank you for that realtime 'detection'; bulk with conntrack definitely works nicely.

I assume the pre/post routing takes care of egress as well, or no?

Edit: Question, I can get the UDP stream detection to work for VoIP with Discord, but I see a problem in the rules. Games like MWO and CSGO UDP data seem to be detected as bulk. And when I disable (comment out) the bulk detection stuff, it simply goes back to CS0, so the detect-UDP-high-priority rule doesn't seem to work nicely with these games.

Not sure what to do about it.

Not too rare though; most 'older' MMOs still use realtime TCP streams for their data. I'll have to put a rule in my iptables for that as well. Just need to make sure only these streams get picked up. I wonder how to extrapolate that data from Wireshark to reflect how to set up the rules with burst / rate per sec.

Here are my CSGO and MWO pcap files; both games actually don't play well at all with the UDP rule.
I'm not even sure if it's realistically feasible to cover all realtime UDP apps with rules like this. Wish it were true!

But if anyone has any tips, by all means :slight_smile:

Can you try deleting the rules like you did before, then start copying the rules one after another and pasting them into the
terminal; each time you insert a rule, check your smartphone to see if there's a problem.
That way we will know which rule causes the problem.
Sorry for the late reply, I didn't get a notification when you edited your post!

Yeah, welcome!

you are welcome!

It should take care of everything, but it turns out that PREROUTING is not needed at all; POSTROUTING is enough. I'm working on new rules that depend on POSTROUTING only; they still need testing (you can try them).

Nice.

Can you provide me a .pcap file so I can see what is going on?

You can download NetLimiter, then open it and look at the rate the game is using.

Oh, many thanks, that will be very helpful!

EDIT:
Thanks for those pcaps. I see some packets are tagged CS6 and others still CS0.

Thanks for the reply! :slight_smile:

Just clarifying that the pcaps were taken with minimal background data, so the majority of the statistics should be from those games. I could potentially give you some more pcaps from other games if you consider it helpful.

I'd like to help/optimize your script so it works well for a wide variety of real-time applications, so if there's anything I can do...

Edit: Here are a bunch of games including rate/protocol and the pcap files. (These are without your heuristics rule, so please ignore the DSCP.)

Average stream rate in kilobytes per second (can fluctuate 25% either way):

CSGO (UDP): 50KB/s
MechWarrior Online (UDP): 15KB/s
Star Trek Online (TCP): 40KB/s
StarCitizen (UDP): 25KB/s
Crossout (UDP): 25KB/s

I hope it's useful; I can test the new heuristics rule once you've made one.

Great info! Would you mind using bash?

@Emtee don't try the TCP game; try the UDP ones first, after that I can make one for TCP.
@terry98 see if the wifi problem is gone!
Here's a new script which is based on a chain named dscp_mark which jumps to POSTROUTING; try it and let me know!
To run the script: "/root/qos.sh"; bash will print everything on the terminal.

NOTE: Please reboot before trying the script to avoid conflicts :wink:

qos.sh:


#!/bin/bash -x
IPT="iptables"
WANIF="pppoe-wan" # wan interface

tc qdisc add dev wlan0 root mq 2>/dev/null # set up multi-queue for the wifi device (ignore "File exists" on re-run)
## set up a pair of veth devices to handle inbound and outbound traffic
ip link show | grep veth0 || ip link add type veth

## get the new veth interfaces up
ip link set veth0 up
ip link set veth1 up

## turn on promisc mode, sometimes it's needed to make the bridge work
ip link set veth1 promisc on

## add veth1 to the bridge
brctl addif br-lan veth1

## just to make sure there's nothing inside those 2 tables (errors are harmless if they are already empty)
ip rule del priority 100 2>/dev/null
ip route flush table 100

## ipsets for streaming sites etc.; they are filled by dnsmasq (-exist keeps re-runs from failing)
ipset create streaming hash:ip -exist
ipset create usrcdn hash:ip -exist
ipset create bulk hash:ip -exist
ipset create latsens hash:ip -exist


## add routing for veth0, this will handle all slow traffic
ip route add default dev veth0 table 100
ip rule add iif $WANIF table 100 priority 100

$IPT -t mangle -N dscp_mark > /dev/null 2>&1
$IPT -t mangle -F dscp_mark
## check if POSTROUTING already jumps to our chain; if not, add the jump

$IPT -t mangle -L POSTROUTING -n | grep dscp_mark || $IPT -t mangle -A POSTROUTING -j dscp_mark

## append a rule to the dscp_mark chain
iptmark(){
    $IPT -t mangle -A dscp_mark "$@"
}

## start by washing the dscp to CS0 (DSCP is non-terminating, so later matching rules overwrite earlier ones)

iptmark -j DSCP --set-dscp 0

# Two rules to detect realtime traffic

# connmark UDP connections that go over 115 packets per second; they are skipped by the next two rules (the mark is never cleared)
iptmark -p udp -m hashlimit --hashlimit-name udp_high_prio --hashlimit-above 115/sec --hashlimit-burst 50 --hashlimit-mode srcip,srcport,dstip,dstport -j CONNMARK --set-mark 0x55 -m comment --comment "connmark for udp"

# unmarked UDP streams with small packets get CS6
iptmark -p udp -m connmark ! --mark 0x55 -m multiport ! --ports 22,25,53,67,68,123,143,161,162,514,5353,80,443,8080,60001 -m connbytes --connbytes 0:940 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class CS6 -m comment --comment "small udp connection gets CS6"

# large udp streams like video calls get AF41
iptmark -p udp -m connmark ! --mark 0x55 -m multiport ! --ports 22,25,53,67,68,123,143,161,162,514,5353,80,443,8080,60001 -m connbytes --connbytes 940:1500 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class AF41 -m comment --comment "large udp connection gets AF41"

########################################
# Latency Sensitive (gaming/voip)
########################################
## ICMP, to prioritize pings

#DNS traffic both udp and tcp
iptmark -p udp -m multiport --port 53,5353,8888 -j DSCP --set-dscp-class CS5 -m comment --comment "DNS udp"
iptmark -p tcp -m multiport --port 53,5353,8888 -j DSCP --set-dscp-class CS5 -m comment --comment "DNS tcp"

#NTP
iptmark -p udp -m multiport --port 123 -j DSCP --set-dscp-class CS6 -m comment --comment "NTP udp"

# High priority ipset, I use it for PUBG Mobile
iptmark ! -p tcp -m set --match-set latsens src,dst -j DSCP --set-dscp-class CS6 -m comment --comment "latency sensitive ipset" ## set dscp tag for Latency Sensitive (latsens) ipset,udp

iptmark -p tcp -m set --match-set latsens src,dst -j DSCP --set-dscp-class CS5 -m comment --comment "latency sensitive ipset" ## set dscp tag for Latency Sensitive (latsens) ipset

########
##Browsing
########
## medium priority for browsing
iptmark -p tcp -m multiport --ports 80,443,8080 -j DSCP --set-dscp-class CS3 -m comment --comment "Browsing at CS3"

##################
#TCP SYN,ACK flows
##################
#Make sure ACK,SYN packets get priority (to avoid upload speed limiting our download speed)
iptmark -p tcp --tcp-flags ALL ACK -m length --length :128 -j DSCP --set-dscp-class CS3
iptmark -p tcp --tcp-flags ALL SYN -m length --length :666 -j DSCP --set-dscp-class CS3

#Small packet is probably interactive or flow control
iptmark -m dscp ! --dscp  24 -m dscp ! --dscp  18 -m dscp ! --dscp  34 -m dscp ! --dscp  40 -m dscp ! --dscp  48 -m length --length 0:500 -j DSCP --set-dscp-class CS3

#Small packet connections: multi purpose (don't harm since not maxed out)
iptmark -m dscp ! --dscp  24 -m dscp ! --dscp  18 -m dscp ! --dscp  34 -m dscp ! --dscp  40 -m dscp ! --dscp  48 -m connbytes --connbytes 0:250 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class CS3


########################################
# Streaming Media (videos/audios)
########################################
#Known video streams sites like netflix
iptmark -m set --match-set streaming src,dst -j DSCP --set-dscp-class AF41 -m comment --comment "video audio stream ipset"

# some iptv provider's use this port
iptmark -p tcp -m multiport --ports 1935,9982 -j DSCP --set-dscp-class AF41 -m comment --comment "some iptv streaming service"

#known usrcdn like google or akamai

iptmark -m set --match-set usrcdn src,dst -j DSCP --set-dscp-class AF21 -m comment --comment "usrcdn ipset"

#########################################
# Background Traffic (Bulk/file transfer)
#########################################
# bulk traffic ipset, like Windows updates and Steam updates/downloads
iptmark -p tcp -m set --match-set bulk src,dst -j DSCP --set-dscp-class CS1 -m comment --comment "bulk traffic ipset"
iptmark -p udp -m set --match-set bulk src,dst -j DSCP --set-dscp-class CS1 -m comment --comment "bulk traffic ipset"
iptmark -p tcp -m connbytes --connbytes 350000: --connbytes-dir both --connbytes-mode bytes -m dscp --dscp-class CS0 -j DSCP --set-dscp-class CS1 -m comment --comment "Downgrade CS0 to CS1 for bulk tcp traffic"
iptmark -p tcp -m connbytes --connbytes 350000: --connbytes-dir both --connbytes-mode bytes -m dscp --dscp-class CS3 -j DSCP --set-dscp-class CS1 -m comment --comment "Downgrade CS3 to CS1 for bulk tcp traffic"
iptmark -p udp -m multiport --port 60001 -j DSCP --set-dscp-class CS1 -m comment --comment "bulk torrent port UDP"


# tcpdump command (not part of the script): copy and paste it into the terminal to capture realtime traffic; change the host IP to the device you want to capture
# tcpdump -i br-lan host 192.168.1.126 and udp and portrange 1-65535 and ! port 53 and ! port 80 and ! port 443 -vv -X -w /root/cap-name.pcap

the new dnsmasq.conf:

ipset=/igamecj.com/gcloudcs.com/qos.gcloud.qq.com/tencentgames.helpshift.com/latsens
ipset=/.googlevideo.com/youtube.com/streaming
ipset=/live.mp3quran.net/tiktokv.com/media-imdb.com/v.redd.it/last.fm/sndcdn.com/deezer.com/audio-fa.scdn.cot/vevo.com/ttvnw.net/s3.ll.dash.row.aiv-cdn.net/d25xi40x97liuc.cloudfront.net/aiv-delivery.net/nflxvideo.net/av.alarabiya.net/streaming
ipset=/.fbcdn.net/.whatsapp.net/.whatsapp.com/usrcdn
ipset=/lol.secure.dyn.riotcdn.net/lol.dyn.riotcdn.net/lol-promos.s3.amazonaws.com/.amazonaws.com/l3cdn.riotgames.com/.akamaihd.net/ucy.ac.cy/hwcdn.net/windowsupdate.com/update.microsoft.com/share.box/akamaized.net/usrcdn
ipset=/.google.com/googletagmanager.com/.googleusercontent.com/google.com/.googleapis.com/1e100.net/usrcdn
ipset=/dropbox.com/dropboxstatic.com/dropbox-dns.com/log.getdropbox.com/gs2.ww.prod.dl.playstation.net/steamcontent.com/download.qq.com/bulk
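Because every rule in the dscp_mark chain uses the non-terminating DSCP target, the class a packet leaves with is decided by the last rule that matches it, which makes the order of the rules above hard to reason about by eye. The following is an added example, not code from the post or the script's author: a flow-level re-implementation of the chain's matching logic in plain Python, so the final class for a given flow can be predicted offline without root or netfilter. It assumes a simplified hashlimit (a flow that has at any point exceeded 115 packets/s carries CONNMARK 0x55, which nothing in the chain ever clears), takes ipset membership as a set of names on the flow, and the sample flows are constructed, not measured from any pcap in this thread.

```python
"""Flow-level model of the dscp_mark chain from the qos.sh script above.

Added example, not code from the original post.  Assumptions / simplifications:
  - hashlimit is modelled as "the 5-tuple has at some point exceeded 115
    packets/s" (peak_pps); the chain never clears CONNMARK 0x55, so once set
    it sticks for the life of the connection;
  - ipset membership is supplied as a set of set names on the flow;
  - the sample flows at the bottom are constructed, not taken from any pcap.
"""
from dataclasses import dataclass

CS0, CS1, CS3, AF21, AF41, CS5, CS6 = "CS0", "CS1", "CS3", "AF21", "AF41", "CS5", "CS6"
# code points the two "small packet" rules refuse to overwrite (-m dscp ! --dscp 24/18/34/40/48)
PROTECTED = {CS3, AF21, AF41, CS5, CS6}
# ports excluded from the generic UDP realtime rules (-m multiport ! --ports ...)
UDP_EXCLUDED = (22, 25, 53, 67, 68, 123, 143, 161, 162, 514, 5353, 80, 443, 8080, 60001)


@dataclass
class Flow:
    proto: str                        # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    pkt_len: int = 0                  # size of the packet being classified (-m length)
    avg_pkt: int = 0                  # average packet size of the connection (connbytes avgpkt)
    total_bytes: int = 0              # bytes seen on the connection so far (connbytes bytes)
    peak_pps: float = 0.0             # highest packet rate this 5-tuple has reached
    flags: frozenset = frozenset()    # TCP flags set on this packet
    sets: frozenset = frozenset()     # ipsets (latsens/streaming/usrcdn/bulk) matching the flow


def ports(f, *p):
    """multiport --port(s): matches if either the source or the destination port is listed."""
    return f.sport in p or f.dport in p


def classify(f):
    """Walk the chain top to bottom.  DSCP is a non-terminating target, so every
    matching rule overwrites the previous result: the last match wins."""
    dscp = CS0                                          # wash everything to CS0
    connmark = f.proto == "udp" and f.peak_pps > 115    # CONNMARK --set-mark 0x55
    udp_rt = f.proto == "udp" and not connmark and not ports(f, *UDP_EXCLUDED)
    if udp_rt and f.avg_pkt <= 940:
        dscp = CS6                                      # small udp connection
    if udp_rt and 940 <= f.avg_pkt <= 1500:
        dscp = AF41                                     # large udp connection (video call)
    if f.proto == "icmp":
        dscp = CS5
    if f.proto in ("udp", "tcp") and ports(f, 53, 5353, 8888):
        dscp = CS5                                      # DNS
    if f.proto == "udp" and ports(f, 123):
        dscp = CS6                                      # NTP
    if "latsens" in f.sets:
        dscp = CS5 if f.proto == "tcp" else CS6
    if f.proto == "tcp" and ports(f, 80, 443, 8080):
        dscp = CS3                                      # browsing
    if f.proto == "tcp" and f.flags == {"ACK"} and f.pkt_len <= 128:
        dscp = CS3                                      # pure ACK
    if f.proto == "tcp" and f.flags == {"SYN"} and f.pkt_len <= 666:
        dscp = CS3                                      # SYN
    if dscp not in PROTECTED and f.pkt_len <= 500:
        dscp = CS3                                      # small packet
    if dscp not in PROTECTED and f.avg_pkt <= 250:
        dscp = CS3                                      # small-packet connection
    if "streaming" in f.sets:
        dscp = AF41
    if f.proto == "tcp" and ports(f, 1935, 9982):
        dscp = AF41                                     # iptv
    if "usrcdn" in f.sets:
        dscp = AF21
    if f.proto in ("tcp", "udp") and "bulk" in f.sets:
        dscp = CS1
    if f.proto == "tcp" and f.total_bytes >= 350000 and dscp in (CS0, CS3):
        dscp = CS1                                      # long-lived CS0/CS3 tcp becomes bulk
    if f.proto == "udp" and ports(f, 60001):
        dscp = CS1                                      # torrent port
    return dscp


# Constructed sample flows (not measured from the pcaps in this thread).
SAMPLES = {
    "udp game, 64 pps, 200-byte packets":  Flow("udp", 27005, 27015, 200, 200, 0, 64),
    "udp game bursting to 150 pps":        Flow("udp", 40000, 8000, 300, 300, 0, 150),
    "udp video call, 1100-byte packets":   Flow("udp", 50000, 3478, 1100, 1100, 0, 40),
    "https download, 5 MB so far":         Flow("tcp", 51000, 443, 1400, 1400, 5_000_000, 0, frozenset({"ACK", "PSH"})),
    "pure ACK on that download":           Flow("tcp", 51000, 443, 66, 1400, 5_000_000, 0, frozenset({"ACK"})),
    "https download in 'streaming' ipset": Flow("tcp", 51000, 443, 1400, 1400, 5_000_000, 0, frozenset(), frozenset({"streaming"})),
    "dns query":                           Flow("udp", 40000, 53, 80, 80),
    "torrent on udp/60001":                Flow("udp", 40000, 60001, 100, 100),
}


def report():
    """Return {description: DSCP class} for the sample flows."""
    return {name: classify(flow) for name, flow in SAMPLES.items()}


if __name__ == "__main__":
    for name, cls in report().items():
        print(f"{cls:5} {name}")
```

Running it prints one line per sample flow. Two results are worth noticing when tuning the thresholds: a UDP flow that bursts above 115 pps loses CS6 for the rest of the connection and falls through to CS3 via the small-packet rule, and a pure ACK on a TCP connection that has passed 350 kB ends at CS1, because the bulk downgrade rule sits after the ACK rule and the chain's last match wins.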

Hi! Tested so far:

CSGO and MWO work properly with the new heuristics rule; the Star Citizen UDP stream is not affected and still CS0. (I have observed it anywhere from 50 to 150 packets per second, variable.)

Haven't had time to check the other games yet.

(I will do it in bash next time and show you the result, probably tomorrow.)

I think you did copy/paste the rule?

I will look into it. Can you make another pcap? Also, you can use NetLimiter to block other apps from
accessing the internet.

Thanks for doing the testing!

Hey! Thanks for the reply. I have tested your new script and unfortunately the smartphones (Pixel 2 XL and Nexus 6P) keep dropping wifi, but I have noticed that it is only while watching YouTube; browsing normally keeps the wifi connected.

This script works well also. I haven't tested gaming though, and I haven't tried testing line by line; I haven't had time to do it, but I'll tell you when I do.

Sorry Hisham, I'm going on vacation for 2 weeks so I doubt I'll have the time to test more stuff until then.

I'll be back tho :slight_smile:

No problem, enjoy your time, I will wait for you.

Hi everyone, I'm currently using FireQOS on a single LAN device, which I use as a wireless AP connected by cable to my main router. I was wondering if I could use this setup on my device without a WAN interface and, if yes, what rules I would have to change in my firewall. I tried setting up cake with layer_cake and ignore_dscp_marking set to "Allow", and some inbound DSCP marking, but I saw that my settings were ignored. In fact, tcpdumping with Wireshark showed all packets flowing through my router as CS0. I'm still a beginner, so sorry for the dumbness of my question.