Openwrt: Uses CAKE's diffserv4 classifications: Bulk, Best Effort, Video, Voice in combination with act_ctinfo and CONNMARK --set-dscpmark to restore DSCP classifications on ingress.

Smart Queue

Initial Setup

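opkg update
opkg install luci-app-sqm kmod-sched-ctinfo iptables-mod-hashlimit ipset nano

# All files below come from this gist. Pin ONE reviewed revision instead of the
# mutable "latest" URL: /etc/firewall.user is executed as root on every firewall
# restart and /etc/config/firewall is trusted configuration, so whatever gets
# appended here runs with full privileges on the router. Take the 40-character
# hash from the gist's "Revisions" tab after reading that revision; leaving it
# empty fetches whatever the gist currently contains (not recommended).
GIST_ID="heri16/06c94b40f0d30f11e3a82166eca718f3"
GIST_REV=""
GIST_RAW="https://gist.githubusercontent.com/${GIST_ID}/raw${GIST_REV:+/$GIST_REV}"

# fetch <gist-file> <dest>: download into a temp file and move it into place only
# when wget succeeds, so a failed download never leaves an empty/truncated file
# (wget -O creates the target before the transfer starts).
fetch() {
    local tmp
    tmp="$(mktemp /tmp/gist.XXXXXX)" || return 1
    if wget -q "${GIST_RAW}/$1" -O "$tmp"; then
        mv "$tmp" "$2"
    else
        rm -f "$tmp"
        echo "download of $1 failed; $2 left unchanged" >&2
        return 1
    fi
}

# append_once <marker> <gist-file> <dest>: append the gist file to <dest> unless
# <dest> already contains <marker> (matched as a fixed string, not a regex).
append_once() {
    local tmp
    grep -qF -- "$1" "$3" 2>/dev/null && return 0
    tmp="$(mktemp /tmp/gist.XXXXXX)" || return 1
    if wget -q "${GIST_RAW}/$2" -O "$tmp"; then
        cat "$tmp" >> "$3"
    else
        echo "download of $2 failed; $3 left unchanged" >&2
    fi
    rm -f "$tmp"
}

# Install modified layer_cake to sqm-scripts
fetch layer_cake_ct.qos /usr/lib/sqm/layer_cake_ct.qos
fetch layer_cake_ct.qos.help /usr/lib/sqm/layer_cake_ct.qos.help

opkg remove dnsmasq
opkg install dnsmasq-full

# Download example ruleset (each file is appended at most once).
# The marker for firewall.user is a function name that the file really defines;
# the earlier marker "dscp_iptables" does not occur in it, so the guard never
# matched and the rules were appended again on every run.
append_once "ipset=/steamcontent.com/bulk4,bulk6" dnsmasq.conf /etc/dnsmasq.conf
append_once "option name 'bulk4'" firewall.ipset /etc/config/firewall
append_once "dscp_chains" firewall.user /etc/firewall.user

# Edit IFACE in /etc/firewall.user (if needed) and review what was appended:
# it runs as root with every firewall restart.
nano /etc/firewall.user

# Apply changes
/etc/init.d/firewall restart
/etc/init.d/dnsmasq restart

# Verify that iptables-rules & ipset-members are populated
iptables -t mangle -vL
ipset list usrcdn

# Add/edit these lines in /etc/config/sqm:
#	option qdisc 'cake'
#	option script 'layer_cake_ct.qos'
#	option qdisc_advanced '1'
#	option squash_dscp '0'
#	option squash_ingress '0'
#	option qdisc_really_really_advanced '1'
#	option iqdisc_opts 'diffserv4 dual-dsthost nat ingress'
#	option eqdisc_opts 'diffserv4 dual-srchost nat ack-filter ingress'
#	option linklayer 'ethernet'
#	option overhead '8'
# Note: with squash_dscp '0' cake tiers inbound packets by the DSCP they carry
# whenever the flow has no stored connmark yet (ctinfo only overwrites DSCP once
# a mark exists, and "wash" clears it after classification), so the ISP/remote
# sender chooses the tier for e.g. the first packets of inbound connections.
nano /etc/config/sqm

# Apply changes
/etc/init.d/sqm restart

# Verify that sqm is updated/working (see "bytes")
tc -d qdisc
tc -s qdisc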

SQM Overhead

  • VLAN: 4 bytes
  • PPPoE: 8 bytes

References

VPN

Initial Setup of VPN Server

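# Install wireguard
opkg update
opkg install luci-app-wireguard qrencode

# Network parameters
WG_IF="vpn"
WG_PORT="51820"
WG_ADDR="192.168.9.1/24"
WG_ADDR6="fdf1:e8a1:8d3f:9::1/64"

# Generate wireguard server key. Do not echo it; it only travels through the
# heredoc below (stdin of uci, not a command argument that would show up in
# 'ps') and is removed from the shell at the end of this section.
WG_SERVER_KEY="$(wg genkey)"
[ -n "${WG_SERVER_KEY}" ] || echo "wg genkey failed - is wireguard-tools installed?" >&2

# Add wireguard server to /etc/config/network (one batch, committed below)
uci -q delete network.${WG_IF}
uci batch <<EOF
set network.${WG_IF}=interface
set network.${WG_IF}.proto=wireguard
set network.${WG_IF}.private_key=${WG_SERVER_KEY}
set network.${WG_IF}.listen_port=${WG_PORT}
add_list network.${WG_IF}.addresses=${WG_ADDR}
add_list network.${WG_IF}.addresses=${WG_ADDR6}
EOF
# Show the result without printing the private key on the terminal
uci show network.${WG_IF} | grep -v private_key
uci commit network
/etc/init.d/network restart

# Add vpn to lan zone: VPN peers get the same trust as wired LAN clients
# (full LAN access and forwarding to wan through the lan zone's rules).
# The rename assumes the default OpenWrt firewall config, where zone[0] is
# lan and zone[1] is wan; check 'uci show firewall | grep zone' first on a
# customised firewall.
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci -q del_list firewall.lan.network="${WG_IF}"
uci add_list firewall.lan.network="${WG_IF}"
uci show firewall.lan.network
uci commit firewall

# Configure firewall exception: accept UDP ${WG_PORT} from wan to the router
# itself (no 'dest' = input rule). WireGuard stays silent to senders it cannot
# authenticate, so the open port is not visible to scanners.
uci -q delete firewall.wg
uci set firewall.wg="rule"
uci set firewall.wg.name="Allow-WireGuard"
uci set firewall.wg.src="wan"
uci set firewall.wg.dest_port="${WG_PORT}"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="ACCEPT"
uci show firewall.wg
uci commit firewall

# Restart firewall (apply changes)
/etc/init.d/firewall restart

# Unset sensitive variables
unset WG_SERVER_KEY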

Add New VPN User

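# Change WG_ID and WG_IP to avoid conflict.
# WG_ID: letters, digits and '_' only (it becomes part of a uci section name).
# WG_IP: host number 2-254, unique per peer; used for both the IPv4 /24 and
#        the IPv6 /64 of the vpn interface.
WG_ID="heri"
WG_IP=2

# Network parameters
WG_IF="vpn"
WG_HOST="villagrandavenue.sims5.dev"	# public DNS name (or address) of this router
WG_PORT="51820"

wg_add_peer() {
	# Creates one peer: prints the client config (once, as text and QR code)
	# and registers the peer's public key on the server interface.
	local addr addr6 server_pub key pub psk

	# Validate the user-supplied values before they reach uci or the config text
	case "${WG_ID}" in
		""|*[!A-Za-z0-9_]*) echo "WG_ID must be non-empty and use only [A-Za-z0-9_]" >&2; return 1 ;;
	esac
	case "${WG_IP}" in
		""|*[!0-9]*) echo "WG_IP must be a number" >&2; return 1 ;;
	esac
	if [ "${WG_IP}" -lt 2 ] || [ "${WG_IP}" -gt 254 ]; then
		echo "WG_IP must be between 2 and 254" >&2
		return 1
	fi

	# Server-side parameters of the interface created in "Initial Setup of VPN Server"
	addr="$(uci get network.${WG_IF}.addresses | cut -d' ' -f1)"		# e.g. 192.168.9.1/24
	addr6="$(uci get network.${WG_IF}.addresses | cut -d' ' -f2)"	# e.g. fdf1:e8a1:8d3f:9::1/64
	server_pub="$(uci get network.${WG_IF}.private_key | wg pubkey)"

	# Generate wireguard client key and pre-shared key
	key="$(wg genkey)"
	pub="$(printf '%s\n' "${key}" | wg pubkey)"
	psk="$(wg genpsk)"
	if [ -z "${key}" ] || [ -z "${pub}" ] || [ -z "${psk}" ] || [ -z "${server_pub}" ]; then
		echo "key generation failed (wg missing or vpn interface not configured)" >&2
		return 1
	fi

	# Generate client config & QR-code. This is the only copy of the client's
	# private key: it is shown once on this terminal and never stored on the
	# router, so clear the terminal scrollback afterwards and avoid doing this
	# over a logged session.
	# AllowedIPs routes BOTH address families through the tunnel. The earlier
	# form (0.0.0.0/0 plus only the VPN /64) let a dual-stack client send all
	# of its native IPv6 traffic, DNS included, outside the tunnel; use the VPN
	# /24 and /64 for both families instead if a split tunnel is what you want.
	cat <<-EOF | tee /dev/tty | qrencode -t ansiutf8
	[Interface]
	PrivateKey = ${key}
	Address = ${addr%.*}.${WG_IP}/24, ${addr6%:*}:${WG_IP}/64
	DNS = ${addr%/*}, ${addr6%/*}

	[Peer]
	PublicKey = ${server_pub}
	PresharedKey = ${psk}
	AllowedIPs = 0.0.0.0/0, ::/0
	Endpoint = ${WG_HOST}:${WG_PORT}
	EOF

	# Add wireguard client (peer) to /etc/config/network. allowed_ips is the
	# peer's single address per family (/32, /128): the server only accepts
	# those source addresses from this key, so a peer cannot spoof another one.
	# Keys go through 'uci batch' (stdin) rather than command arguments.
	uci -q delete network.wgclient_${WG_ID}
	uci batch <<-EOF
	set network.wgclient_${WG_ID}=wireguard_${WG_IF}
	set network.wgclient_${WG_ID}.public_key=${pub}
	set network.wgclient_${WG_ID}.preshared_key=${psk}
	set network.wgclient_${WG_ID}.description=${WG_ID}
	add_list network.wgclient_${WG_ID}.allowed_ips=${addr%.*}.${WG_IP}/32
	add_list network.wgclient_${WG_ID}.allowed_ips=${addr6%:*}:${WG_IP}/128
	EOF
	uci show network.wgclient_${WG_ID} | grep -v preshared_key
	uci commit network
	/etc/init.d/network restart
}
wg_add_peer

# Unset sensitive variables
unset WG_ID WG_IP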
### BEGIN ipset ###
# From: https://github.com/hisham2630/Ultimate-SQM-settings-Layer_cake-DSCP-marks-New-Script/blob/master/dnsmasq.conf-ipv6/dnsmasq.conf
##Latency Sensitive (gaming/voip)
ipset=/igamecj.com/gcloudcs.com/qos.gcloud.qq.com/latsens4,latsens6
##video/audio streams
# Youtube is also isolated by my isp
ipset=/googlevideo.com/*.googlevideo.com/streaming4,streaming6
# NetFlix
ipset=/nflxvideo.net/streaming4,streaming6
# AmazonVideo
ipset=/s3.ll.dash.row.aiv-cdn.net/d25xi40x97liuc.cloudfront.net/aiv-delivery.net/streaming4,streaming6
# Facebook
ipset=/fbcdn.net/streaming4,streaming6
# Twitch
ipset=/ttvnw.net/streaming4,streaming6
# VeVo
ipset=/vevo.com/streaming4,streaming6
# Spotify (NOTE: the pattern below reads "audio-fa.scdn.cot"; Spotify's audio CDN is under "scdn.co", so this entry most likely never matches - check and fix the TLD)
ipset=/audio-fa.scdn.cot/streaming4,streaming6
# Deezer
ipset=/deezer.com/streaming4,streaming6
# SoundCloud
ipset=/sndcdn.com/streaming4,streaming6
# last.fm
ipset=/last.fm/streaming4,streaming6
#reddit videos
ipset=/v.redd.it/streaming4,streaming6
#twitch.tv (duplicate of the "Twitch" ttvnw.net entry above; harmless, can be removed)
ipset=/ttvnw.net/streaming4,streaming6
##i have isolated speed for those cdn's
ipset=/googletagmanager.com/googleusercontent.com/*.googleusercontent.com/google.com/fbcdn.net/*.fbcdn.net/akamaihd.net/*.akamaihd.net/whatsapp.net/*.whatsapp.net/whatsapp.com/*.whatsapp.com/www-cdn.whatsapp.net/googleapis.com/*.googleapis.com/ucy.ac.cy/1e100.net/hwcdn.net/usrcdn4,usrcdn6
## Bulk downloads
#qq download
ipset=/download.qq.com/bulk4,bulk6
# Steam Download
ipset=/steamcontent.com/bulk4,bulk6
# PSN Download
ipset=/gs2.ww.prod.dl.playstation.net/bulk4,bulk6
# DropBox
ipset=/dropbox.com/dropboxstatic.com/dropbox-dns.com/log.getdropbox.com/bulk4,bulk6
# Google Drive
ipset=/drive.google.com/drive-thirdparty.googleusercontent.com/bulk4,bulk6
# Google Docs
ipset=/docs.google.com/docs.googleusercontent.com/bulk4,bulk6
# PlayStore Download
ipset=/gvt1.com/bulk4,bulk6
# WhatsApp Files
ipset=/mmg-fna.whatsapp.net/bulk4,bulk6
# Youtube Upload
ipset=/upload.youtube.com/upload.video.google.com/bulk4,bulk6
# WindowsUpdate
ipset=/windowsupdate.com/update.microsoft.com/bulk4,bulk6
# AppleUpdate
ipset=/appldnld.apple.com/gg.apple.com/gnf-mdn.apple.com/gnf-mr.apple.com/gs.apple.com/ig.apple.com/mesu.apple.com/ns.itunes.apple.com/oscdn.apple.com/osrecovery.apple.com/skl.apple.com/swcdn.apple.com/swdist.apple.com/swdownload.apple.com/swpost.apple.com/swscan.apple.com/updates-http.cdn-apple.com/updates.cdn-apple.com/xp.apple.com/bulk4,bulk6
### END ipset ###
config ipset
option enabled '1'
option name 'streaming4'
option storage 'hash'
option match 'ip'
option family 'ipv4'
option timeout '86400'
config ipset
option enabled '1'
option name 'streaming6'
option storage 'hash'
option match 'ip'
option family 'ipv6'
option timeout '86400'
config ipset
option enabled '1'
option name 'usrcdn4'
option storage 'hash'
option match 'ip'
option family 'ipv4'
option timeout '86400'
config ipset
option enabled '1'
option name 'usrcdn6'
option storage 'hash'
option match 'ip'
option family 'ipv6'
option timeout '86400'
config ipset
option enabled '1'
option name 'bulk4'
option storage 'hash'
option match 'ip'
option family 'ipv4'
option timeout '86400'
config ipset
option enabled '1'
option name 'bulk6'
option storage 'hash'
option match 'ip'
option family 'ipv6'
option timeout '86400'
config ipset
option enabled '1'
option name 'latsens4'
option storage 'hash'
option match 'ip'
option family 'ipv4'
option timeout '86400'
config ipset
option enabled '1'
option name 'latsens6'
option storage 'hash'
option match 'ip'
option family 'ipv6'
option timeout '86400'
config ipset
option enabled '1'
option name 'vcall4'
option storage 'hash'
option match 'ip'
option family 'ipv4'
option timeout '86400'
config ipset
option enabled '1'
option name 'vcall6'
option storage 'hash'
option match 'ip'
option family 'ipv6'
option timeout '86400'
# WAN interface whose egress gets classified (the sqm queue runs on the same
# name). Change this if your WAN is not PPPoE (e.g. eth0 or wan).
IFACE=pppoe-wan
# Binaries used by the helpers below; both are kept so IPv4 and IPv6 receive
# the same rule set.
IPTABLES=iptables
IP6TABLES=ip6tables
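dscp_rules() {
    # Initial DSCP classification for NEW (not yet connmark-tagged) connections.
    # $1: mangle chain to append to. Rules are added to both iptables and
    # ip6tables unless they are family specific (ipset names, ICMP).
    # The class chosen here is saved into the connmark by the caller and later
    # re-applied by act_ctinfo in both directions, so the very first rule washes
    # whatever DSCP the LAN host itself put on the packet: clients do not get to
    # pick their own tier.
    # See: https://github.com/hisham2630/Ultimate-SQM-settings-Layer_cake-DSCP-marks-New-Script/blob/master/DSCP-ipv4.sh#L48
    CHAIN="$1"
    iptmark() {
        $IPTABLES -t mangle -A ${CHAIN} "$@"
        $IP6TABLES -t mangle -A ${CHAIN} "$@"
    }
    iptmark4() {
        $IPTABLES -t mangle -A ${CHAIN} "$@"
    }
    iptmark6() {
        $IP6TABLES -t mangle -A ${CHAIN} "$@"
    }
    # Example How to limit video to 200ko/s in case you're on quota ( 4G/LTE )
    # first clean all :
    #iptables -F forwarding_rule
    #iptables -A forwarding_rule -m set --match-set vidstream src -m hashlimit --hashlimit-mode srcip,dstip --hashlimit-name "videolimit" --hashlimit-above 200kb/s -j DROP
    #iptables -A forwarding_rule -s 64.18.0.0/20,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,173.194.0.0/16,207.126.144.0/20,209.85.128.0/17,216.58.208.0/20,216.239.32.0/19 -m hashlimit --hashlimit-mode srcip,dstip --hashlimit-name "videolimit" --hashlimit-above 200kb/s -j DROP
    ## start by washing the dscp to CS0
    iptmark -j DSCP --set-dscp 0
    ########################################
    # Latency Sensitive (ping/ntp/gaming)
    ########################################
    # ICMP, to prioritize pings. ip6tables must be given the ICMPv6 protocol
    # (58) by name: a shared "-p icmp" rule selects protocol 1 there, which
    # never occurs in IPv6 packets, so IPv6 pings were left unclassified.
    iptmark4 -p icmp -j DSCP --set-dscp-class CS5 -m comment --comment "ICMP-pings"
    iptmark6 -p icmpv6 -j DSCP --set-dscp-class CS5 -m comment --comment "ICMP-pings"
    # DNS traffic both udp and tcp (53 plain, 853 DNS-over-TLS, 5353 mDNS, 9953)
    iptmark -p udp -m multiport --ports 53,853,5353,9953 -j DSCP --set-dscp-class CS5 -m comment --comment "DNS udp"
    iptmark -p tcp -m multiport --ports 53,853,5353,9953 -j DSCP --set-dscp-class CS5 -m comment --comment "DNS tcp"
    # NTP. Only 123 is NTP; the other TCP ports in the list are presumably
    # inherited from the upstream script and are not NTP - drop them if you do
    # not know what they serve.
    iptmark -p udp -m multiport --ports 123 -j DSCP --set-dscp-class CS6 -m comment --comment "NTP udp"
    iptmark -p tcp -m multiport --ports 123,3333:3390,4444,12020,14444,24443 -j DSCP --set-dscp-class CS6 -m comment --comment "NTP tcp"
    # High priority ipset (e.g. game servers): non-TCP gets CS6, TCP CS5
    iptmark4 ! -p tcp -m set --match-set latsens4 dst -j DSCP --set-dscp-class CS6 -m comment --comment "latency sensitive ipset" ## set dscp tag for Latency Sensitive ipset,udp
    iptmark6 ! -p tcp -m set --match-set latsens6 dst -j DSCP --set-dscp-class CS6 -m comment --comment "latency sensitive ipset" ## set dscp tag for Latency Sensitive ipset,udp
    iptmark4 -p tcp -m set --match-set latsens4 dst -j DSCP --set-dscp-class CS5 -m comment --comment "latency sensitive ipset" ## set dscp tag for Latency Sensitive ipset
    iptmark6 -p tcp -m set --match-set latsens6 dst -j DSCP --set-dscp-class CS5 -m comment --comment "latency sensitive ipset" ## set dscp tag for Latency Sensitive ipset
    ##########
    # Browsing
    ##########
    # medium priority for browsing
    iptmark -p tcp -m multiport --ports 80,443,8080,8443 -j DSCP --set-dscp-class CS3 -m comment --comment "Browsing at CS3"
    #################################
    # Streaming Media (videos/audios)
    #################################
    # Known video streams sites like netflix
    iptmark4 -m set --match-set streaming4 dst -j DSCP --set-dscp-class AF41 -m comment --comment "video audio stream ipset"
    iptmark6 -m set --match-set streaming6 dst -j DSCP --set-dscp-class AF41 -m comment --comment "video audio stream ipset"
    # some iptv provider's use this port
    iptmark -p tcp -m multiport --ports 1935,9982 -j DSCP --set-dscp-class AF41 -m comment --comment "some iptv streaming service"
    # known usrcdn like google or akamai
    iptmark4 -m set --match-set usrcdn4 dst -j DSCP --set-dscp-class AF21 -m comment --comment "usrcdn ipset"
    iptmark6 -m set --match-set usrcdn6 dst -j DSCP --set-dscp-class AF21 -m comment --comment "usrcdn ipset"
    #########################################
    # Background Traffic (Bulk/file transfer)
    #########################################
    # bulk traffic ipset, like windows udates and steam updates/downloads
    iptmark4 -p tcp -m set --match-set bulk4 dst -j DSCP --set-dscp-class CS1 -m comment --comment "bulk traffic ipset"
    iptmark6 -p tcp -m set --match-set bulk6 dst -j DSCP --set-dscp-class CS1 -m comment --comment "bulk traffic ipset"
    iptmark4 -p udp -m set --match-set bulk4 dst -j DSCP --set-dscp-class CS1 -m comment --comment "bulk traffic ipset"
    iptmark6 -p udp -m set --match-set bulk6 dst -j DSCP --set-dscp-class CS1 -m comment --comment "bulk traffic ipset"
    iptmark -p udp -m multiport --ports 60001 -j DSCP --set-dscp-class CS1 -m comment --comment "bulk torrent port UDP"
}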
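dscp_dynamic_rules() {
    # Per-packet re-classification of established connections (rate based).
    # $1: mangle chain to append to; rules go to iptables and ip6tables.
    # Currently not wired in by dscp_chains (its call there is commented out).
    CHAIN="$1"
    iptmark() {
        $IPTABLES -t mangle -A ${CHAIN} "$@"
        $IP6TABLES -t mangle -A ${CHAIN} "$@"
    }
    # The connmark is shared with the saved DSCP: bits 0xfc000000 hold the DSCP
    # and 0x01000000 the "DSCP valid" flag (CONNMARK --set-dscpmark / ctinfo).
    # The UDP rate flag therefore lives in the low byte with an explicit mask.
    # A bare "--set-mark 0x55" (mask 0xffffffff) wiped the stored DSCP, and a
    # bare "! --mark 0x55" compared the whole 32-bit mark, so it stopped
    # matching as soon as a DSCP had been saved.
    local UDP_RATE_MARK="0x55/0xff"
    ###################################################
    # Detect Bulk TCP traffic (downgrade file transfer)
    ###################################################
    iptmark -p tcp -m connbytes --connbytes 350000: --connbytes-dir both --connbytes-mode bytes -m dscp --dscp-class CS0 -j DSCP --set-dscp-class CS1 -m comment --comment "Downgrade CS0 to CS1 for bulk tcp traffic"
    iptmark -p tcp -m connbytes --connbytes 350000: --connbytes-dir both --connbytes-mode bytes -m dscp --dscp-class CS3 -j DSCP --set-dscp-class CS1 -m comment --comment "Downgrade CS3 to CS1 for bulk tcp traffic"
    #################################################
    # Detect Realtime UDP (upgrade video/voice calls)
    #################################################
    # A robust 2 rules to detect realtime traffic
    # flag connections that go over 115 packets per second: not prioritized
    iptmark -p udp -m hashlimit --hashlimit-name udp_high_prio --hashlimit-above 115/sec --hashlimit-burst 50 --hashlimit-mode srcip,srcport,dstip,dstport -j CONNMARK --set-mark ${UDP_RATE_MARK} -m comment --comment "connmark for udp"
    # unflagged UDP streams with small packets get CS6
    iptmark -p udp -m connmark ! --mark ${UDP_RATE_MARK} -m multiport ! --ports 22,25,53,67,68,123,143,161,162,514,5353,80,443,8080,8443 -m connbytes --connbytes 0:940 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class CS6 -m comment --comment "small udp connection gets CS6"
    # large unflagged UDP streams like video calls get AF41
    iptmark -p udp -m connmark ! --mark ${UDP_RATE_MARK} -m multiport ! --ports 22,25,53,67,68,123,143,161,162,514,5353,80,443,8080,8443 -m connbytes --connbytes 940:1500 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class AF41 -m comment --comment "large udp connection gets AF41"
}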
dscp_ephemeral_rules() {
    # Egress-only DSCP tweaks for packets of already classified flows.
    # $1: mangle chain to append to. These are appended after the connmark
    # save, so they change the DSCP of the individual packet only, never what
    # is stored for the connection (and therefore nothing on ingress).
    CHAIN="$1"
    local not_prio flag
    iptmark() {
        $IPTABLES -t mangle -A ${CHAIN} "$@"
        $IP6TABLES -t mangle -A ${CHAIN} "$@"
    }
    ###################
    # TCP SYN,ACK flows
    ###################
    # Pure ACKs and SYNs get CS3 so a saturated upload does not starve the
    # reverse path of a download (short packets only).
    for flag in "ACK :128" "SYN :666"; do
        set -- $flag
        iptmark -p tcp --tcp-flags ALL "$1" -m length --length "$2" -j DSCP --set-dscp-class CS3
    done
    # "not already in a priority class": CS3(24) AF21(18) AF41(34) CS5(40) CS6(48)
    not_prio="-m dscp ! --dscp 24 -m dscp ! --dscp 18 -m dscp ! --dscp 34 -m dscp ! --dscp 40 -m dscp ! --dscp 48"
    # Small packet is probably interactive or flow control
    iptmark $not_prio -m length --length 0:500 -j DSCP --set-dscp-class CS3
    # Small-packet connections: multi purpose (does no harm while not maxed out)
    iptmark $not_prio -m connbytes --connbytes 0:250 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class CS3
}
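dscp_chains() {
    # Build the mangle chains that classify egress traffic on $IFACE and store
    # the result in the connmark (bits 0xfc000000 = DSCP, 0x01000000 = "valid"
    # flag) so act_ctinfo can restore it on ingress as well.
    # See: https://forum.openwrt.org/t/ultimate-sqm-settings-layer-cake-dscp-marks/25832/698
    iptmangle() {
        $IPTABLES -t mangle "$@"
        $IP6TABLES -t mangle "$@"
    }
    ensure_jump() {
        # ensure_jump <binary>: add the POSTROUTING -> QOS_MARK jump for ONE
        # address family unless it is already present. Checking per family
        # (instead of one grep over the combined iptables+ip6tables listing)
        # means a jump that exists only for IPv4 no longer suppresses the IPv6
        # one, and vice versa.
        "$1" -t mangle -C POSTROUTING -o "${IFACE}" -j "QOS_MARK_${IFACE}" > /dev/null 2>&1 || \
            "$1" -t mangle -A POSTROUTING -o "${IFACE}" -j "QOS_MARK_${IFACE}"
    }
    # (Re)create the marking chains; flushing keeps a firewall restart idempotent
    iptmangle -N QOS_MARK_${IFACE} > /dev/null 2>&1
    iptmangle -F QOS_MARK_${IFACE}
    iptmangle -N QOS_MARK_NEW_${IFACE} > /dev/null 2>&1
    iptmangle -F QOS_MARK_NEW_${IFACE}
    # Every egress packet on $IFACE goes through QOS_MARK so the stored DSCP can
    # be updated per packet (at a CPU cost). Cheaper variants that only send
    # unmarked connections, kept for reference:
    #   -A PREROUTING  -i $IFACE -m connmark --mark 0x00000000/0x01000000 -j QOS_MARK_${IFACE}
    #   -A POSTROUTING -o $IFACE -m connmark --mark 0x00000000/0x01000000 -j QOS_MARK_${IFACE}
    ensure_jump "$IPTABLES"
    ensure_jump "$IP6TABLES"
    # Set initial DSCP of new/unmarked connections (valid flag not yet set)
    iptmangle -A QOS_MARK_${IFACE} -m connmark --mark 0x00000000/0x01000000 -j QOS_MARK_NEW_${IFACE}
    dscp_rules QOS_MARK_NEW_${IFACE}
    # Upgrade/Downgrade DSCP of existing connections (disabled: evaluated per packet)
    #dscp_dynamic_rules QOS_MARK_${IFACE}
    # Save the DSCP to the connmark and set the valid flag
    iptmangle -A QOS_MARK_${IFACE} -j CONNMARK --set-dscpmark 0xfc000000/0x01000000
    # Change DSCP of egress packets (without saving dscp to connmark).
    # NOTE(review): the egress ctinfo action in layer_cake_ct.qos rewrites the
    # packet DSCP from the connmark after netfilter has run, which would undo
    # these per-packet changes for every flow whose valid flag is set - confirm
    # with cake's per-tin statistics whether they still have an effect.
    dscp_ephemeral_rules QOS_MARK_${IFACE}
}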
# Install the chains now. This file is appended to /etc/firewall.user, which
# OpenWrt runs as root each time the firewall is (re)started, so the chains are
# rebuilt on every restart; the flushes in dscp_chains keep that idempotent.
dscp_chains
# Cero3 Shaper
# A cake shaper and AQM solution that allows several diffserv marking schemes
# for ethernet gateways in both egress and ingress directions (kmod-sched-ctinfo)
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# Copyright (C) 2012-5 Michael D. Taht, Toke Høiland-Jørgensen, Sebastian Moeller
#sm: TODO pass in the cake diffserv keyword
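# Pull in the sqm-scripts defaults: the *_CAKE_OPTS strings (see the note
# below) and presumably the helpers used here (get_stab_string,
# get_cake_lla_string, $TC, $IP, UPLINK/DOWNLINK). Quoted so a SQM_LIB_DIR
# containing spaces still resolves to a single path.
. "${SQM_LIB_DIR}/defaults.sh"
# This script only works with cake; sqm_prepare_script verifies and forces it.
QDISC=cake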
# Default traffic classication is passed in INGRESS_CAKE_OPTS and EGRESS_CAKE_OPTS, defined in defaults.sh now
egress() {
    # Upload shaper: replace the root qdisc of $IFACE with cake at $UPLINK kbit,
    # built from the stab / link-layer strings and the egress option strings.
    local shaper="$( get_stab_string ) cake bandwidth ${UPLINK}kbit $( get_cake_lla_string ) ${EGRESS_CAKE_OPTS} ${EQDISC_OPTS}"
    SILENT=1 $TC qdisc del dev $IFACE root
    $TC qdisc add dev $IFACE root $shaper
    # Restore the DSCP stored in the connmark (bits 0xfc000000, valid flag
    # 0x01000000) on every outgoing packet before cake classifies it. Once a
    # flow is marked, all of its egress packets land in the same tier without
    # an iptables rule per packet; ctinfo does the work and cake reads the DSCP.
    $TC filter add dev $IFACE protocol all prio 10 u32 match u32 0 0 flowid 1:1 \
        action ctinfo dscp 0xfc000000 0x01000000
}
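ingress() {
    # Download shaper: packets arriving on $IFACE are redirected to the IFB
    # device $DEV, whose root qdisc is cake at $DOWNLINK kbit.
    SILENT=1 $TC qdisc del dev $IFACE handle ffff: ingress
    $TC qdisc add dev $IFACE handle ffff: ingress
    SILENT=1 $TC qdisc del dev $DEV root
    # squash_dscp -> besteffort (ignore DSCP tiers), squash_ingress -> wash
    # (clear DSCP after classification). Treat an unset variable as 0 instead
    # of tripping the integer test.
    [ "${IGNORE_DSCP_INGRESS:-0}" -eq 1 ] && INGRESS_CAKE_OPTS="$INGRESS_CAKE_OPTS besteffort"
    [ "${ZERO_DSCP_INGRESS:-0}" -eq 1 ] && INGRESS_CAKE_OPTS="$INGRESS_CAKE_OPTS wash"
    $TC qdisc add dev $DEV root $( get_stab_string ) cake \
        bandwidth ${DOWNLINK}kbit $( get_cake_lla_string ) ${INGRESS_CAKE_OPTS} ${IQDISC_OPTS}
    $IP link set dev $DEV up
    # Redirect all IP packets arriving on $IFACE to $DEV. Before the redirect,
    # ctinfo overwrites the packet DSCP with the one the egress side stored in
    # the connmark (bits 0xfc000000, valid flag 0x01000000), so cake tiers
    # inbound traffic by OUR classification rather than by whatever DSCP the
    # ISP or remote host sent. Packets of flows with no stored mark yet (e.g.
    # the first packets of inbound-initiated connections) keep the upstream
    # DSCP and, with diffserv4 and without besteffort, are tiered by it; "wash"
    # only clears the field after classification.
    $TC filter add dev $IFACE parent ffff: protocol all prio 10 u32 \
        match u32 0 0 flowid 1:1 action \
        ctinfo dscp 0xfc000000 0x01000000 \
        mirred egress redirect dev $DEV
}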
sqm_prepare_script() {
    # Hook called by sqm-scripts before egress()/ingress(): load the kernel
    # modules and refuse to continue unless $QDISC really is cake.
    do_modules
    if ! verify_qdisc "$QDISC" "cake"; then
        return 1
    fi
}
*** /usr/lib/sqm/layer_cake.qos Fri Jan 1 00:28:15 2021
--- /usr/lib/sqm/layer_cake_ct.qos Thu Mar 4 12:13:41 2021
***************
*** 1,6 ****
# Cero3 Shaper
# A cake shaper and AQM solution that allows several diffserv marking schemes
! # for ethernet gateways
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
--- 1,6 ----
# Cero3 Shaper
# A cake shaper and AQM solution that allows several diffserv marking schemes
! # for ethernet gateways in both egress and ingress directions (kmod-sched-ctinfo)
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
***************
*** 22,27 ****
--- 22,35 ----
$TC qdisc add dev $IFACE root $( get_stab_string ) cake \
bandwidth ${UPLINK}kbit $( get_cake_lla_string ) ${EGRESS_CAKE_OPTS} ${EQDISC_OPTS}
+ # put an action on the egress interface to set DSCP from the stored connmark.
+ # this seems counter intuitive but it ensures once the mark is set that all
+ # subsequent egress packets have the same stored DSCP avoiding iptables rules
+ # to mark every packet, ctinfo does it for us and then CAKE is happy using the
+ # DSCP
+ $TC filter add dev $IFACE protocol all prio 10 u32 \
+ match u32 0 0 flowid 1:1 action \
+ ctinfo dscp 0xfc000000 0x01000000
}
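Review bot: The ctinfo action added on the root qdisc of $IFACE rewrites the packet DSCP from the connmark for every flow whose valid flag (0x01000000) is set, and as a tc egress filter it runs after netfilter POSTROUTING, so any DSCP that mangle rules set per packet without also re-saving the mark is overwritten before cake classifies; if I read ctinfo's dscp mode right, "ephemeral" egress marking stops having an effect once a flow is marked. egress() begins outside the hunk. I would say so next to the filter: `# NOTE: overrides any DSCP iptables set after the connmark save; marked flows always get the stored tier`.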
***************
*** 43,49 ****
# redirect all IP packets arriving in $IFACE to ifb0
$TC filter add dev $IFACE parent ffff: protocol all prio 10 u32 \
! match u32 0 0 flowid 1:1 action mirred egress redirect dev $DEV
}
sqm_prepare_script() {
--- 51,59 ----
# redirect all IP packets arriving in $IFACE to ifb0
$TC filter add dev $IFACE parent ffff: protocol all prio 10 u32 \
! match u32 0 0 flowid 1:1 action \
! ctinfo dscp 0xfc000000 0x01000000 \
! mirred egress redirect dev $DEV
}
sqm_prepare_script() {
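Review bot: The ingress ctinfo action only replaces the DSCP when a stored mark exists, so packets of flows the egress side has not marked yet (notably the first packets of inbound-initiated connections) reach cake carrying whatever DSCP the ISP or remote sender chose, and with diffserv4 that external value picks the tier; nothing in the script washes it first, and cake's wash option clears the field only after classification. Because the redirect happens in the ingress qdisc, before PREROUTING, an iptables rule cannot fix this either; it would need a tc action ahead of the ctinfo/mirred pair. ingress() begins outside the hunk. A comment above the filter would at least make the trust boundary explicit: `# DSCP from the wire is trusted until the flow has a stored mark; inbound-initiated flows are tiered by the sender's DSCP first`.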
Uses CAKE's diffserv4 classifications: Bulk, Best Effort, Video, Voice in
combination with act_ctinfo and CONNMARK --set-dscpmark to restore
DSCP classifications on ingress.
This script requires that cake is selected as qdisc, and forces its usage. It also needs kmod-sched-ctinfo and a firewall rule set that stores the egress DSCP in the connmark (CONNMARK --set-dscpmark 0xfc000000/0x01000000, as in the accompanying firewall.user); without such a mark the ctinfo actions leave the packet DSCP untouched.
# /etc/config/sqm (example). Note: eqdisc_opts below carries cake's 'ingress' keyword on the upload queue; that mode is documented for the download side (it counts dropped packets towards the shaped rate), so check whether it is intended on egress.
config queue 'eth1'
option enabled '1'
option interface 'pppoe-wan'
option download '68000'
option upload '45000'
option qdisc 'cake'
option script 'layer_cake_ct.qos'
option qdisc_advanced '1'
option ingress_ecn 'ECN'
option egress_ecn 'ECN'
option squash_dscp '0'
option squash_ingress '0'
option qdisc_really_really_advanced '1'
option iqdisc_opts 'diffserv4 dual-dsthost nat ingress'
option eqdisc_opts 'diffserv4 dual-srchost nat ack-filter ingress'
option linklayer 'ethernet'
option overhead '8'
option debug_logging '0'
config stubby 'global'
option manual '0'
option trigger 'wan'
list dns_transport 'GETDNS_TRANSPORT_TLS'
option tls_authentication '1'
option tls_query_padding_blocksize '128'
option appdata_dir '/var/lib/stubby'
option edns_client_subnet_private '0'
option idle_timeout '10000'
option round_robin_upstreams '0'
list listen_address '127.0.0.1@5453'
list listen_address '0::1@5453'
config resolver 'dns6a'
option address '2001:4860:4860::8888'
option tls_auth_name 'dns.google'
config resolver 'dns6b'
option address '2001:4860:4860::8844'
option tls_auth_name 'dns.google'
config resolver 'dns6c'
option address '2620:fe::11'
option tls_auth_name 'dns11.quad9.net'
config resolver 'dns6d'
option address '2620:fe::fe:11'
option tls_auth_name 'dns11.quad9.net'
config resolver 'dnsa'
option address '8.8.8.8'
option tls_auth_name 'dns.google'
config resolver 'dnsb'
option address '8.8.4.4'
option tls_auth_name 'dns.google'
config resolver 'dnsc'
option address '9.9.9.11'
option tls_auth_name 'dns11.quad9.net'
config resolver 'dnsd'
option address '149.112.112.11'
option tls_auth_name 'dns11.quad9.net'

heri16 commented Mar 9, 2021

Initial config

# Log in to the router (default OpenWrt LAN address); everything below runs as root on it
ssh root@192.168.1.1

/etc/config/network

config interface 'wan'
	option ifname 'eth0'
	option proto 'pppoe'
	option username '<your-pppoe-username>'
	# Never publish real ISP credentials: this file stores the password in clear text
	option password '<your-pppoe-password>'
	option ipv6 'auto'

config device 'wan_eth0_dev'
	option name 'eth0'
	option macaddr 'c6:ea:ae:d1:2b:33'
# Connect to the internet (e.g. DHCP or PPPoe)
# PPPoE needs these three packages; read the output of 'opkg info' to see whether they are installed
opkg info ppp && opkg info kmod-pppoe && opkg info ppp-mod-pppoe
vi /etc/config/network
/etc/init.d/network restart
# Check raw IP connectivity first, then name resolution
ping 8.8.8.8 -c 3
nslookup google.com

# Install packages
opkg update
# only needed when the PPPoE packages were missing above
#opkg install ppp kmod-pppoe ppp-mod-pppoe
# LuCI over HTTPS (self-signed certificate; the browser will warn once)
opkg install luci-ssl
# SQM with the ctinfo-based ingress DSCP restore used by this gist
opkg install luci-app-sqm kmod-sched-ctinfo iptables-mod-hashlimit ipset nano
opkg install luci-app-statistics collectd-mod-sqm collectd-mod-thermal
opkg install luci-app-ddns
# optional: ACME certificates instead of the self-signed one
#opkg install luci-app-acme acme-dnsapi

# dnsmasq-full is needed for the ipset= directives in dnsmasq.conf
opkg remove dnsmasq
opkg install dnsmasq-full

opkg install luci-app-wireguard qrencode

Before update new firmware

# Backup opkg state to uci
# ('opkg backup' is one of the opkg-extras helpers linked below, not stock opkg)
opkg backup

# Check the free RAM (the image is downloaded into /tmp, which lives in RAM)
free

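# Download firmware and the published checksum list into RAM
IMG="openwrt-rockchip-armv8-friendlyarm_nanopi-r2s-squashfs-sysupgrade.img.gz"
URL="https://downloads.openwrt.org/snapshots/targets/rockchip/armv8"
cd /tmp && wget "${URL}/${IMG}" && wget "${URL}/sha256sums"

# Flash new firmware only when THIS image matches its published checksum.
# The line for our file is extracted first so that the exit status of
# sha256sum -c (not a grep for the word "OK", which any other entry in the
# list could produce) gates sysupgrade; an empty extract aborts as well.
# sha256sums is fetched over HTTPS from the same server as the image, so this
# only catches a corrupted download; for authenticity verify the detached
# signature OpenWrt publishes next to the list before trusting it - not done here.
grep -F -- "*${IMG}" sha256sums > sha256sums.img && [ -s sha256sums.img ] && sha256sum -c sha256sums.img && sysupgrade -v -i "/tmp/${IMG}"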

After update new firmware

Install opkg-extras from here: https://openwrt.org/docs/guide-user/advanced/opkg_extras

# Verify has diff
# (which packages differ between the freshly flashed image and the overlay)
opkg update
opkg install diffutils
diff /rom/usr/lib/opkg/status /usr/lib/opkg/status

# Revert to opkg state to rom (factory-defaults)
# ('allrevert', 'restore' and 'backup' are opkg-extras helpers, see the link above)
opkg allrevert
#reboot

# Verify no diff
# (the copy below makes the overlay status file identical to the factory one;
# presumably this gives 'opkg restore' a clean baseline - confirm against the
# opkg-extras documentation)
opkg update
opkg install diffutils
cp /rom/usr/lib/opkg/status /usr/lib/opkg/status

# Restore opkg state to overlay (reinstalls the packages recorded by 'opkg backup')
opkg restore

# Backup opkg state to uci
opkg backup

Update config after restore packages

Install uci-extras from here: https://openwrt.org/docs/guide-user/advanced/uci_extras

Reference: https://openwrt.org/docs/guide-user/installation/generic.sysupgrade#configure_user-installed_packages

# Install packages
opkg update
opkg install diffutils
 
# Find new configurations
# ('opkg newconf' and 'uci diff' come from the uci-extras helpers linked above)
opkg newconf
 
# Compare UCI configurations (for each)
uci diff dhcp
 
# Replace the current config with the new one
# (the package's version was saved as /etc/config/dhcp-opkg; this discards local edits)
mv /etc/config/dhcp-opkg /etc/config/dhcp

# Or Merge needed changes to the current config
nano /etc/config/dhcp
rm /etc/config/dhcp-opkg
 
# Apply new configuration
/etc/init.d/dnsmasq restart

@Dopam-IT

hello can you add https://github.com/ldir-EDB0/sqm-scripts/tree/sqmqosnfa

is similar thanks


heri16 commented May 17, 2022

@neilsan1366 Do you mean pulling the 5 layer cake scripts from there and using it here?

@Dopam-IT

Yes if is possible but now i'm use qosify for qos thanks
