From mboxrd@z Thu Jan 1 00:00:00 1970
From: Pete Heist
Message-Id: <139B295B-7371-43DE-B472-DE629C9B8432@heistp.net>
Date: Thu, 6 Sep 2018 19:37:37 +0200
Cc: Cake List
To: Georgios Amanakis
References: <87zhwxzh8o.fsf@toke.dk>
Subject: Re: [Cake] Cake on elements of a bridge
List-Id: Cake - FQ_codel the next generation

I happen to also be working on a bridge setup, but it’s different. For one, I used fq_codel on a transparent bridge for a couple years in production and it worked well, so I trust it also would for cake.

But now, my neighbor will access the Internet through my CPE device, but they must have a separate IP obtained through DHCP (i.e. a separate MAC address as well), and I want to use cake to manage the queue for both of us. I could do this with two routers and a transparent bridge, but I want to see if I can make it work with as few devices as possible, preferably just one EdgeRouter-X. I had two failures thus far:

Fail #1: Do routing for the neighbors on their NS5AC Loco, and use the ER-X’s internal switch to bridge the neighbor’s and my WAN interfaces to the CPE. Doing cake on switch0 results in my WAN traffic going through the qdisc, but unsurprisingly, the neighbor’s traffic passes through the switch without going through the qdisc layer.

Fail #2: Use the ER-X’s pseudo-ethernet functionality to add a second virtual Ethernet interface to the ER-X’s WAN interface. I could use IFB if I got two WAN interfaces working on the same box. This looks promising and I can pick up two DHCP addresses on one physical interface, but the ER-X doesn’t handle the routing situation where two interfaces have the same default router IP. (Using policy-based routing, what does it do when next-hop is the same for two different LAN subnets?)

There will be a solution here, I just haven’t found it yet. I’m now thinking of a setup with a smart switch / VLANs and a transparent bridge through two physical interfaces of the ER-X (which only has 5 ports total), but I’ll figure it out… :)

> On Sep 4, 2018, at 2:01 PM, Georgios Amanakis <gamanakis@gmail.com> wrote:
>
> Awesome, thanks to both of you!
> I am aware of the uselessness of nat (in terms of cake) in this setup. It's good to know what Sebastian pointed out. I ran it for a couple of hours and it seems to be working fine. I am going to finalize the setup and will get back to you.
>
> Georgios
>
> On 4 Sep 2018 1:31 pm, "Toke Høiland-Jørgensen" <toke@toke.dk> wrote:
> Georgios Amanakis <gamanakis@gmail.com> writes:
>
> > Dear All,
> >
> > I was giving a transparent firewall a try, and wondered whether cake
> > can be applied on the interfaces of a bridge. I want to put an extra
> > router in-line between clients and the ISP-modem-router. It will have
> > two interfaces (eth0 facing wan, eth1 facing lan), bridged together as
> > br0.
> >
> > Can I fearlessly apply cake on eth0 and eth1? Would this be compatible
> > with features like ingress, ack-filter or even nat?
>
> Well, you wouldn't get much benefit from the nat feature, as the machine
> running CAKE would not be the one doing the nat'ing. But other than
> that, it should work fine :)
