Ultimate SQM settings: Layer_cake + DSCP marks

hisham2630 Thank you for the feedback

I'm sorry, I asked the wrong question. Obviously the traffic is already tagged as normal traffic and shaped on the WAN and LAN through layer_cake, and again through piece_of_cake on the LAN ingress for Wi-Fi.

What I meant to ask was: how would I assign one MAC address priority over all other WAN traffic through iptables? Maybe it does not matter as long as the UDP and ICMP are prioritized in iptables.

No problem, it's all about what you want to achieve. If you already prioritized ping and UDP, that's enough.

Why do I get "iptables v1.6.2: Couldn't load match `hashlimit':No such file or directory" while setting this rule in the script? Am I missing some packages?

$IPT -t mangle -A POSTROUTING -p udp -m hashlimit --hashlimit-name udp_high_prio --hashlimit-above 120/sec --hashlimit-burst 50 --hashlimit-mode srcip,srcport,dstip,dstport -j CONNMARK --set-mark 0x55 -m comment --comment "connmark for udp"

Not in front of a router at the moment, but just search the packages for the kmod related to hashlimit. Probably kmod-ipt-hashlimit or something similar.

2 Likes

I will follow the second set of instructions, setting up a veth pair. With the first set I almost bricked my router lol.....

EDIT:
When layer_cake is enabled on pppoe-wan egress, eth0.1(lan) ingress my bufferbloat on both links stays under 10

When I:
add veth1 to br-lan
layer_cake egress veth0, layer_cake ingress veth1
apply these rules

iptables -A FORWARD -i eth1.2 -o veth0 -j ACCEPT
iptables -A FORWARD -s -i eth1.2 -d br-lan -o veth0 -j ACCEPT

my bufferbloat stays above 25 for download
my bufferbloat stays at 15 for upload

Have I done the setup correctly?

Those iptables rules bypass your firewall entirely, get rid of them. What you need is changes to the routing table, not iptables.

Ok, so to set up the veth pair I do not use any iptables rules.

I will be putting the script that changes the OpenWrt routing table in Network > Firewall > Custom scripts, correct? Forgive me, but I do not know how to construct this script. Would you provide a step-by-step guide through this process for OpenWrt?

I managed to figure out how to follow these steps in OpenWrt.
I created veth-pair.
I created interface prewan and set protocol: unmanaged, cover the following interface: veth0
I bridged prewan(veth0) and Switch VLAN "eth0.1" (lan)
I set WAN(pppoe-wan) interface physical settings: veth1

With the first set of instructions this is not functional for me. My PPPoE will not connect.

With the second set of instructions I am not successful in setting this bit properly in OpenWrt Network > Firewall > Firewall - Zone Settings.

I also attempted to edit this script to work with my OpenWrt, and I am not able to successfully set up SQM.

The prewan idea requires namespaces and they are not included in OpenWrt kernels AFAIK. It works on Debian, for example.

124 src/my_layer_cake.qos 

@@ -0,0 +1,124 @@
#!/bin/sh
# Cero3 Shaper
# A cake shaper and AQM solution that allows several diffserv marking schemes
# for ethernet gateways

# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
#       Copyright (C) 2012-5 Michael D. Taht, Toke Høiland-Jørgensen, Sebastian Moeller


#sm: TODO pass in the cake diffserv keyword

. ${SQM_LIB_DIR}/defaults.sh
QDISC=cake

# Default traffic classication is passed in INGRESS_CAKE_OPTS and EGRESS_CAKE_OPTS, defined in defaults.sh now

egress() {
    SILENT=1 $TC qdisc del dev $IFACE root
    $TC qdisc add dev $IFACE root handle cacf: $( get_stab_string ) cake \
        bandwidth ${UPLINK}kbit $( get_cake_lla_string ) ${EGRESS_CAKE_OPTS} ${EQDISC_OPTS}

    # put an action on the egress interface to set DSCP from the stored connmark.
    # this seems counter intuitive but it ensures once the mark is set that all
    # subsequent egress packets have the same stored DSCP avoiding iptables rules
    # to mark every packet, ctinfo does it for us and then CAKE is happy using the
    # DSCP
    $TC filter add dev $IFACE protocol all prio 10 u32 match u32 0 0 flowid 1:1 action \
	ctinfo dscp 0xfc000000/0x01000000
}


ingress() {

    SILENT=1 $TC qdisc del dev $IFACE handle ffff: ingress
    $TC qdisc add dev $IFACE handle ffff: ingress

    SILENT=1 $TC qdisc del dev $DEV root

    [ "$IGNORE_DSCP_INGRESS" -eq "1" ] && INGRESS_CAKE_OPTS="$INGRESS_CAKE_OPTS besteffort"
    [ "$ZERO_DSCP_INGRESS" -eq "1" ] && INGRESS_CAKE_OPTS="$INGRESS_CAKE_OPTS wash"

    $TC qdisc add dev $DEV root handle cace: $( get_stab_string ) cake \
        bandwidth ${DOWNLINK}kbit $( get_cake_lla_string ) ${INGRESS_CAKE_OPTS} ${IQDISC_OPTS}

    $IP link set dev $DEV up

    # redirect all IP packets arriving in $IFACE to ifb0
    # set DSCP from conntrack mark
    $TC filter add dev $IFACE parent ffff: protocol all prio 10 u32 \
	match u32 0 0 flowid 1:1 action \
	ctinfo dscp 0xfc000000/0x01000000 \
	mirred egress redirect dev $DEV

    # Configure iptables chain to mark packets
    ipt -t mangle -N QOS_MARK_${IFACE}

    # Change DSCP of relevant hosts/packets
    # and save the DSCP to the connmark using savedscp 

iptables -t mangle -A QOS_MARK_${IFACE} -p tcp -s 192.168.219.5 -m comment --comment "Skybox DSCP CS1 Bulk" -j DSCP --set-dscp-class CS1
iptables -t mangle -A QOS_MARK_${IFACE} -p udp -s 192.168.219.5 -m comment --comment "Skybox DSCP CS1 Bulk" -j DSCP --set-dscp-class CS1
iptables -t mangle -A QOS_MARK_${IFACE} -p tcp -s 192.168.219.10 -m comment --comment "Bluray DSCP CS3 Video" -j DSCP --set-dscp-class CS3
iptables -t mangle -A QOS_MARK_${IFACE} -p udp -s 192.168.219.10 -m comment --comment "Bluray DSCP CS3 Video" -j DSCP --set-dscp-class CS3
iptables -t mangle -A QOS_MARK_${IFACE} -p tcp -s 192.168.219.12 -m tcp --sport 6981 -m comment --comment "BT DSCP CS1 Bulk" -j DSCP --set-dscp-class CS1
iptables -t mangle -A QOS_MARK_${IFACE} -p udp -s 192.168.219.12 -m udp --sport 6981 -m comment --comment "BT DSCP CS1 Bulk" -j DSCP --set-dscp-class CS1
iptables -t mangle -A QOS_MARK_${IFACE} -p tcp -s 192.168.219.12 -m tcp --dport 4443 -m comment --comment "BT DSCP CS1 Bulk" -j DSCP --set-dscp-class CS1
#iptables -t mangle -A QOS_MARK_${IFACE} -p tcp -s 192.168.219.12 -m tcp --dport 443 -m comment --comment "HTTPS uploads DSCP CS1 Bulk" -j DSCP --set-dscp-class CS1

iptables -t mangle -A QOS_MARK_${IFACE} -m set --match-set Bulk4  dst -j DSCP --set-dscp-class CS1 -m comment --comment "Bulk CS1 ipset"
iptables -t mangle -A QOS_MARK_${IFACE} -m set --match-set Vid4   dst -j DSCP --set-dscp-class CS3 -m comment --comment "Vid CS3 ipset"
iptables -t mangle -A QOS_MARK_${IFACE} -m set --match-set Voice4 dst -j DSCP --set-dscp-class CS4 -m comment --comment "Voice CS4 ipset"

ip6tables -t mangle -A QOS_MARK_${IFACE} -p tcp -s ::c/::ffff:ffff:ffff:ffff -m tcp --sport 6981 -m comment --comment "BT DSCP CS1 Bulk" -j DSCP --set-dscp-class CS1
ip6tables -t mangle -A QOS_MARK_${IFACE} -p udp -s ::c/::ffff:ffff:ffff:ffff -m udp --sport 6981 -m comment --comment "BT DSCP CS1 Bulk" -j DSCP --set-dscp-class CS1
ip6tables -t mangle -A QOS_MARK_${IFACE} -p tcp -s ::c/::ffff:ffff:ffff:ffff -m tcp --dport 4443 -m comment --comment "BT DSCP CS1 Bulk" -j DSCP --set-dscp-class CS1
#ip6tables -t mangle -A QOS_MARK_${IFACE} -p tcp -s ::c/::ffff:ffff:ffff:ffff -m tcp --dport 443 -m comment --comment "HTTPS uploads DSCP CS1 Bulk" -j DSCP --set-dscp-class CS1

ip6tables -t mangle -A QOS_MARK_${IFACE} -m set --match-set Bulk6  dst -j DSCP --set-dscp-class CS1 -m comment --comment "Bulk CS1 ipset"
ip6tables -t mangle -A QOS_MARK_${IFACE} -m set --match-set Vid6 dst -j DSCP --set-dscp-class CS3 -m comment --comment "Vid CS3 ipset"
ip6tables -t mangle -A QOS_MARK_${IFACE} -m set --match-set Voice6 dst -j DSCP --set-dscp-class CS4 -m comment --comment "Voice CS4 ipset"

ipt -A QOS_MARK_eth0 -t mangle -j CONNMARK --savedscp-mark 0xfc000000/0x01000000
    # Send unmarked connections to the marking chain
    # top 6 bits are DSCP, LSB is DSCP is valid flag
#    ipt -t mangle -A PREROUTING  -i $IFACE -m connmark --mark 0x00000000/0x01000000 -g QOS_MARK_${IFACE}
    ipt -t mangle -A POSTROUTING -o $IFACE -m connmark --mark 0x00000000/0x01000000 -g QOS_MARK_${IFACE}

    #you could just send every packet to the marking chain and update the stored DSCP for every packet
    #which should work for dynamic type marking but at a cpu cost

}

sqm_start() {
    [ -n "$IFACE" ] || return 1
    do_modules
    verify_qdisc $QDISC "cake" || return 1
    sqm_debug "Starting ${SCRIPT}"

    [ -z "$DEV" ] && DEV=$( get_ifb_for_if ${IFACE} )

    if [ "${UPLINK}" -ne 0 ];
    then
        egress
        sqm_debug "egress shaping activated"
    else
        sqm_debug "egress shaping deactivated"
        SILENT=1 $TC qdisc del dev ${IFACE} root
    fi
    if [ "${DOWNLINK}" -ne 0 ];
    then
	verify_qdisc ingress "ingress" || return 1
        ingress
        sqm_debug "ingress shaping activated"
    else
        sqm_debug "ingress shaping deactivated"
        SILENT=1 $TC qdisc del dev ${DEV} root
        SILENT=1 $TC qdisc del dev ${IFACE} ingress
    fi

    return 0
}
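
Review bot: the rule that saves the DSCP into the connmark, `ipt -A QOS_MARK_eth0 -t mangle -j CONNMARK --savedscp-mark 0xfc000000/0x01000000`, hardcodes the chain name `QOS_MARK_eth0` while the chain is created a few lines earlier as `QOS_MARK_${IFACE}`. On any interface other than eth0 that rule targets a chain that does not exist, the DSCP-valid bit 0x01000000 is never stored, and the POSTROUTING jump at the bottom of ingress() (which only jumps for connections with that bit clear) sends every packet of every connection back through the classification chain instead of just the first one, which is exactly the CPU cost the trailing comment warns about. Change it to `ipt -t mangle -A QOS_MARK_${IFACE} -j CONNMARK --savedscp-mark 0xfc000000/0x01000000` and indent it with the rest of the function. Two smaller points in the same region: the per-host and ipset rules call `iptables`/`ip6tables` directly while the chain creation and the POSTROUTING jump go through the `ipt` helper, so whatever bookkeeping that helper does is skipped for them; and nothing in this file removes the QOS_MARK chain or the POSTROUTING jump on stop, so each restart makes `-N` fail on the existing chain and `-A` append a second copy of every rule. Either flush and delete the chain at the top of ingress() before repopulating it, or add an sqm_stop that does so.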

Would someone explain the process of how I can fully implement this into OpenWrt?

Can I use both the script and the patch? What is the process of installing the patches and the scripts?

Uh, isn't that an older version of what now exists in the luci-apps-sqm package? As in the "layer cake" script?

That is what I figured.

##packetlimit
iptables -t mangle -A FORWARD -p udp -m hashlimit --hashlimit-name gamingudp --hashlimit-above 220/sec --hashlimit-burst 100 --hashlimit-mode srcip,srcport,dstip,dstport -j CONNMARK --set-mark 0x55

iptables -t mangle -A FORWARD -p udp -m connmark ! --mark 0x55 -m multiport ! --ports 53,5353,60887 -m connbytes --connbytes 0:512 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class CS6

Is it required to use both of these rules, or can I just use the first one? I don't feel comfortable matching packets by an average of 512 bytes, because I am getting huge packet retransmissions. How do I estimate the average packet size in Wireshark between a client and host, i.e. between me and the game server?

Edit: Found Wireshark > Packet Lengths… 90% of my Ethernet traffic during a game of PUBG was under 650 bytes, but do I use both of these rules?
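To see what the two mangle rules posted above actually do to a UDP flow, here is an added, offline simulation of their matching logic (example code written for this thread, not anything from the original posts or from sqm-scripts). It re-implements the credit bucket that xt_hashlimit uses for --hashlimit-above/--hashlimit-burst and the per-connection byte/packet averaging that xt_connbytes uses for --connbytes-mode avgpkt --connbytes-dir both, then runs constructed packet traces through "rule 1 then rule 2" in order, as netfilter would. The IP addresses, ports, packet sizes and rates in the traces are made up; the thresholds (220/sec, burst 100, ports 53,5353,60887, 0:512 avgpkt, mark 0x55, class CS6) are the ones in the posted rules.

```python
"""Simulate the two posted mangle rules on constructed UDP traces.

Added example, not code from the thread.  Models:
  rule 1: -m hashlimit --hashlimit-above 220/sec --hashlimit-burst 100
          --hashlimit-mode srcip,srcport,dstip,dstport -j CONNMARK --set-mark 0x55
  rule 2: -m connmark ! --mark 0x55 -m multiport ! --ports 53,5353,60887
          -m connbytes --connbytes 0:512 --connbytes-dir both --connbytes-mode avgpkt
          -j DSCP --set-dscp-class CS6
"""
from collections import defaultdict
from dataclasses import dataclass

CS6 = 48                  # DSCP class selector 6 = 0b110000
GAMING_MARK = 0x55        # connmark set by rule 1
EXCLUDED_PORTS = {53, 5353, 60887}   # --ports matches source OR destination port
HASHLIMIT_RATE = 220      # packets per second
HASHLIMIT_BURST = 100     # initial credits in the bucket
AVGPKT_MAX = 512          # upper bound of --connbytes 0:512


@dataclass
class Packet:
    t: float      # arrival time, seconds (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    length: int   # layer-3 length in bytes


@dataclass
class Conn:
    """What conntrack keeps per connection: mark plus accounting counters."""
    mark: int = 0
    bytes: int = 0
    packets: int = 0


@dataclass
class Bucket:
    """hashlimit credit bucket for one srcip,srcport,dstip,dstport key."""
    credits: float = HASHLIMIT_BURST
    last: float = 0.0


def conn_key(p):
    """Direction-independent key, so both directions share one Conn entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def hashlimit_above(bucket, p):
    """True when this packet exceeds the configured rate (--hashlimit-above)."""
    bucket.credits = min(HASHLIMIT_BURST,
                         bucket.credits + (p.t - bucket.last) * HASHLIMIT_RATE)
    bucket.last = p.t
    if bucket.credits >= 1:          # credit available: not above the limit
        bucket.credits -= 1
        return False
    return True                      # bucket empty: flow is above the limit


def classify(trace):
    """Return (connmark, dscp) for every packet of the trace, in order."""
    conns = defaultdict(Conn)
    buckets = defaultdict(Bucket)
    result = []
    for p in trace:
        c = conns[conn_key(p)]
        c.bytes += p.length          # conntrack accounting is updated before
        c.packets += 1               # the mangle FORWARD rules run
        # rule 1: CONNMARK --set-mark is sticky on the connection
        if hashlimit_above(buckets[(p.src, p.sport, p.dst, p.dport)], p):
            c.mark = GAMING_MARK
        # rule 2: sees the mark rule 1 just set, excludes listed ports,
        # and compares the running average packet size over both directions
        dscp = 0
        ports_ok = p.sport not in EXCLUDED_PORTS and p.dport not in EXCLUDED_PORTS
        if c.mark != GAMING_MARK and ports_ok and c.bytes / c.packets <= AVGPKT_MAX:
            dscp = CS6
        result.append((c.mark, dscp))
    return result


def fraction_under(trace, limit):
    """Share of packets shorter than `limit`, like Wireshark's Packet Lengths stat."""
    return sum(1 for p in trace if p.length < limit) / len(trace)


def average_length(trace):
    """Mean packet length, which is what connbytes avgpkt compares against."""
    return sum(p.length for p in trace) / len(trace)


def flow(src, sport, dst, dport, pps, length, n, t0=0.0):
    """Constructed one-directional flow of n equal-sized packets at `pps`."""
    return [Packet(t0 + i / pps, src, sport, dst, dport, length) for i in range(n)]
```

Running `classify(flow("192.168.1.20", 40000, "203.0.113.5", 27015, pps=60, length=90, n=50))` gives CS6 on every packet: 60 packets/sec never drains the 220/sec bucket and the average is well under 512. A 1000 packets/sec flow of 1350-byte packets gets connmark 0x55 once the 100-packet burst credit is exhausted and never gets CS6, and a small-packet flow that is fast enough to trip hashlimit loses CS6 the moment it is marked 0x55, so the two rules are complementary rather than redundant. Note that avgpkt is a running mean over the whole connection, so a handful of retransmissions or large packets in an otherwise small-packet flow will not push it over 512 by themselves; the model above also assumes conntrack byte/packet accounting is enabled, which connbytes requires.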

Q: I enabled cake on a wrt32x at 80% speeds but I don't see any difference in real world performance compared to any other router. If I download a game patch while watching twitch, the video will still skip. So do I need to be giving up on the idea of automatic QOS and be doing something with manual rules like the OP did here? Is there a website with standard QOS rules that everyone uses?

This indicates that one of the two does not play along the rules. I would guess the patch download comes from a close-by CDN, and those are known to favor bandwidth-to-the-customer over everything else... What I would do, if possible, is to activate cake's per-internal-IP-fairness mode on the router*, and watch the video from another IP address than the one downloading the patches (either a different computer, or different VMs/containers if both applications absolutely need to run on the same host), or configure that host to restrict the bandwidth of the patch downloads. You can also go and follow the route described in this thread to custom-tailor your router to enforce your idea of QoS (just be aware that most rules are based on heuristics and hence need to be continuously checked to see whether they still apply; for most people wanting detailed QoS that is something they do anyway, but it is not a simple configure-once-and-forget kind of affair).

*) This promises to distribute the available bandwidth more or less equally between the concurrently active internal IP addresses and helps a lot in isolating the effect of badly behaving applications to single computers.

1 Like

Hello, how can I run your script with no NAT and no WAN interface? I set my "WAN" interface in the shell script to br-lan. I tried "fw3 print" to see if the rules are added; they aren't.

Logs show this - "kern.info kernel: [ 2518.248667] xt_hashlimit: overflow, try lower: 8333/50" and "RTNETLINK: No such file or directory" and "iptables: Result not representable."

It's not possible to run the script on br-lan (a bridge interface has no queue).

Hmm, so what can I do to get this script working? Do it on a veth somehow? I'm quite new to networking and OpenWrt, so I don't know :confused:

I'm not sure, maybe @dlakelan have an idea.

cFos Speed, how does that work compared to the Windows DSCP priority marks? Does cFos really work independently from the modem, as the old gaming Ethernet cards were supposed to ("forwarding packets directly to the application")?

Are the $500 motherboards with the noise cancelling design to improve network static worth investing in?

Do the VPN servers work for shortening loads? Such as https://www.vyprvpn.com/

Is this legitimate software/hardware to purchase? Are there any other types of software to improve network efficiency worth paying for besides OpenWrt-enabled modems? Would anyone care to debunk some of these claims and maybe provide some insight as to how to optimize a rural line?

My example: 300 ft from the node, copper 17a VDSL line, no higher than 10 Mbps up, which means I can't Twitch stream 1080p, with at least 3 different nodes stretching the entire state before my packets start to get routed out of state, and no fiber optic wire in sight within 5 years. OpenWrt configured and network configured, but I'd like to know if I am missing anything here.

Some motherboard manufacturers (I don't know which ones exactly) had software packaged together with their motherboard that claimed to boost the online gaming experience.
If I remember correctly it was actually cFos Speed under the hood.

It installs a new "service provider/driver" (sorry, I don't know the proper translation) onto your NIC,
which handles all the traffic shaping.
Then you have a GUI to manage all the traffic shaping rules and other settings.
It uses a "classic" priority scheme. You can classify traffic by either the application .exe or through ports (not sure about this one anymore) and assign the traffic to different classes.
I think it also has a layer-7 detection mechanism.
It doesn't support DSCP marks. (But I'm not sure about this one :laughing:)
//edit
It does, through its own filter expressions:

The problem is cFos Speed only works on Windows (and even DOS?),
and it needs to be installed on every machine that needs traffic shaping.
(It actually has a feature called "Net Talk" that allows each cFos instance to communicate over the network to manage traffic distribution between the machines.)
It automatically calibrates the max down/up rate threshold.
It has a "Ping Variance" mode to adapt to fluctuating line speeds.

1 Like