Using TC / netem on outgoing traffic without WAN port

Compact · July 13, 2019, 8:45am

Hello.

I'm trying to use my router as a switch to avoid having double NAT. The thing is, I wanted to play around with tc and netem on outgoing packets. With WAN port, it was simple - just use tc qdisc on WAN interface. I don't know how to do it without WAN port. I thought of maybe making some new VLAN interface, where internet cable will be connected and forwarding outgoing packets to that vlan, but I don't know if that even makes sense and I tried to do something like this, but without success.

Any tips for me? Thanks.

lleachii · July 17, 2019, 5:29pm

That should work. But you can also avoid double NAT by adding a static route on the upstream router - to the LAN subnet on the OpenWrt, then disabling masquerade on OpenWrt's WAN.

Compact · July 18, 2019, 6:21am

Thank you for your answer.

My main router is an ISP provided one(it's some sagecom with broadcom chipset) and I can't do anything like bridging or making static routes on that router, it doesn't support this. That's why I decided to go this route.
My router which I am using as switch / dumb AP - WNDR3700 v2.

What should I do to correctly forward the traffic? These are my config files.

cat /etc/config/network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7a:ad22:abe3::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.10'
        option gateway '192.168.1.1'
        option dns '192.168.1.1'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option blinkrate '2'
        option enable_vlan4k '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 5t'

config switch_port
        option device 'switch0'
        option port '1'
        option led '6'

config switch_port
        option device 'switch0'
        option port '2'
        option led '9'

config switch_port
        option device 'switch0'
        option port '5'
        option led '2'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '3 5t'

config interface 'VLAN2'
        option proto 'none'
        option ifname 'eth0.2'
        option auto '1'

cat /etc/config/firewall

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'VLAN'
        option forward 'ACCEPT'
        option network 'VLAN2'

config rule
        option target 'ACCEPT'
        option src 'VLAN'
        option name 'VLAN'
        option dest 'lan'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option src 'lan'
        option name 'LAN - VLAN'
        option dest 'VLAN'

fw3 print

iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t filter -N reject
iptables -t filter -N input_rule
iptables -t filter -N output_rule
iptables -t filter -N forwarding_rule
iptables -t filter -N zone_lan_input
iptables -t filter -N zone_lan_output
iptables -t filter -N zone_lan_forward
iptables -t filter -N zone_lan_src_ACCEPT
iptables -t filter -N zone_lan_dest_ACCEPT
iptables -t filter -N input_lan_rule
iptables -t filter -N output_lan_rule
iptables -t filter -N forwarding_lan_rule
iptables -t filter -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
iptables -t filter -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
iptables -t filter -N zone_wan_input
iptables -t filter -N zone_wan_output
iptables -t filter -N zone_wan_forward
iptables -t filter -N zone_wan_src_REJECT
iptables -t filter -N zone_wan_dest_ACCEPT
iptables -t filter -N zone_wan_dest_REJECT
iptables -t filter -N input_wan_rule
iptables -t filter -N output_wan_rule
iptables -t filter -N forwarding_wan_rule
iptables -t filter -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
iptables -t filter -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
iptables -t filter -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
iptables -t filter -N zone_VLAN_input
iptables -t filter -N zone_VLAN_output
iptables -t filter -N zone_VLAN_forward
iptables -t filter -N zone_VLAN_src_ACCEPT
iptables -t filter -N zone_VLAN_dest_ACCEPT
iptables -t filter -N input_VLAN_rule
iptables -t filter -N output_VLAN_rule
iptables -t filter -N forwarding_VLAN_rule
iptables -t filter -A zone_VLAN_input -m comment --comment "!fw3: Custom VLAN input rule chain" -j input_VLAN_rule
iptables -t filter -A zone_VLAN_output -m comment --comment "!fw3: Custom VLAN output rule chain" -j output_VLAN_rule
iptables -t filter -A zone_VLAN_forward -m comment --comment "!fw3: Custom VLAN forwarding rule chain" -j forwarding_VLAN_rule
iptables -t filter -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
iptables -t filter -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
iptables -t filter -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
iptables -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
iptables -t filter -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
iptables -t filter -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
iptables -t filter -A zone_wan_input -p 2 -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
iptables -t filter -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_VLAN_forward -m comment --comment "!fw3: VLAN" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: LAN - VLAN" -j zone_VLAN_dest_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
iptables -t filter -A zone_VLAN_forward -m comment --comment "!fw3: Zone VLAN to lan forwarding policy" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Zone lan to VLAN forwarding policy" -j zone_VLAN_dest_ACCEPT
iptables -t filter -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
iptables -t filter -D zone_lan_src_ACCEPT -i eth0.1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_src_ACCEPT -i eth0.1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_lan_dest_ACCEPT -o eth0.1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_dest_ACCEPT -o eth0.1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D INPUT -i eth0.1 -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -A INPUT -i eth0.1 -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -D OUTPUT -o eth0.1 -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -A OUTPUT -o eth0.1 -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -D FORWARD -i eth0.1 -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A FORWARD -i eth0.1 -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
iptables -t filter -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
iptables -t filter -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -D OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -D FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -D OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -D FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A zone_VLAN_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_VLAN_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_VLAN_input -m comment --comment "!fw3" -j zone_VLAN_src_ACCEPT
iptables -t filter -A zone_VLAN_forward -m comment --comment "!fw3" -j zone_VLAN_dest_ACCEPT
iptables -t filter -A zone_VLAN_output -m comment --comment "!fw3" -j zone_VLAN_dest_ACCEPT
iptables -t filter -D zone_VLAN_src_ACCEPT -i eth0.2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_VLAN_src_ACCEPT -i eth0.2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_VLAN_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_VLAN_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_VLAN_input
iptables -t filter -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_VLAN_input
iptables -t filter -D OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_VLAN_output
iptables -t filter -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_VLAN_output
iptables -t filter -D FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_VLAN_forward
iptables -t filter -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_VLAN_forward
iptables -t filter -A FORWARD -m comment --comment "!fw3" -j reject
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
iptables -t nat -N zone_lan_postrouting
iptables -t nat -N zone_lan_prerouting
iptables -t nat -N prerouting_lan_rule
iptables -t nat -N postrouting_lan_rule
iptables -t nat -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
iptables -t nat -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
iptables -t nat -N zone_wan_postrouting
iptables -t nat -N zone_wan_prerouting
iptables -t nat -N prerouting_wan_rule
iptables -t nat -N postrouting_wan_rule
iptables -t nat -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
iptables -t nat -N zone_VLAN_postrouting
iptables -t nat -N zone_VLAN_prerouting
iptables -t nat -N prerouting_VLAN_rule
iptables -t nat -N postrouting_VLAN_rule
iptables -t nat -A zone_VLAN_prerouting -m comment --comment "!fw3: Custom VLAN prerouting rule chain" -j prerouting_VLAN_rule
iptables -t nat -A zone_VLAN_postrouting -m comment --comment "!fw3: Custom VLAN postrouting rule chain" -j postrouting_VLAN_rule
iptables -t nat -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
iptables -t nat -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
iptables -t nat -D PREROUTING -i eth0.1 -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -A PREROUTING -i eth0.1 -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -D POSTROUTING -o eth0.1 -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A POSTROUTING -o eth0.1 -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
iptables -t nat -D PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -D POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -D PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -D POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -D PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_VLAN_prerouting
iptables -t nat -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_VLAN_prerouting
iptables -t nat -D POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_VLAN_postrouting
iptables -t nat -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_VLAN_postrouting
iptables -t mangle -D FORWARD -p tcp -o eth1 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -p tcp -o eth1 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -D FORWARD -p tcp -o eth1 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -p tcp -o eth1 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu

I have my internet cable connected to port 2(port 3 in config).