From: Noah Causin <n0manletter@gmail.com>
To: Outback Dingo <outbackdingo@gmail.com>
Cc: cake@lists.bufferbloat.net
Subject: Re: [Cake] Cake with Deep Packet Inspection
Date: Thu, 10 Nov 2016 21:42:43 -0500
Message-ID: <46c0133b-b6f8-fe1f-4d2e-0cf6088e024d@gmail.com>
In-Reply-To: <CAKYr3zwOk=andE45Da1UvZuopm8DJ7ewYgLf4esvo28=39SMJw@mail.gmail.com>

I took an extra router I had and bridged two ports on the router's
switch, so they just pass traffic. (eth0.2 and eth0.3)

Clients >-[Main Router] --[Extra Router]--[Cable-Modem]

The extra router is passive. It acts like it's part of the Ethernet
cable between the main router and cable modem. It does not interfere.

The extra router needs these packages:
kmod-ebtables, kmod-ebtables-ipv4, kmod-crypto-pcompress and the two
packages compiled from the Makefile I showed below (iptables-mod-ndpi
and iptables-mod-ndpi)

I edited /etc/sysctl.conf and changed the last two lines to this:

net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1

This enables bridge firewalling, so the traffic between the two ports
can be marked.

I then added firewall rules to LuCI's custom firewall rules tab.

Example Rules, modify classes as desired:

iptables -t mangle -A FORWARD -m ndpi --steam -m mac ! --mac-source *Your Main Router's Mac Address* -j DSCP --set-dscp-class cs0
iptables -t mangle -A FORWARD -m ndpi --youtube -m mac ! --mac-source *Your Main Router's Mac Address* -j DSCP --set-dscp-class cs2
iptables -t mangle -A FORWARD -m ndpi --netflix -m mac ! --mac-source *Your Main Router's Mac Address* -j DSCP --set-dscp-class cs3
iptables -t mangle -A FORWARD -m ndpi --skype -m mac ! --mac-source *Your Main Router's Mac Address* -j DSCP --set-dscp-class cs4

Have your main router use some form of DiffServ for both upload and
download on its WAN interface. For upload traffic, you just need the
two packages from the makefile to be installed on the main router and
create firewall rules like this:

iptables -t mangle -A FORWARD -o eth2 -m ndpi --netflix -j DSCP --set-dscp-class cs3
iptables -t mangle -A FORWARD -o eth2 -m ndpi --skype -j DSCP --set-dscp-class cs4

If you need help building a custom firmware image, just let me know.

On 11/10/2016 9:06 PM, Outback Dingo wrote:
> On Fri, Nov 11, 2016 at 9:55 AM, Noah Causin <n0manletter@gmail.com> wrote:
>> I finally got my project working.
>>
>> I integrated the NDPI Deep Packet Inspection engine into my LEDE build, so I
>> could prioritize applications using Cake.
>>
>> http://www.ntop.org/products/deep-packet-inspection/ndpi/
>>
>> NDPI integrates into IPTables, which allows me to DSCP mark packets. Cake
>> reads the DiffServ markings and puts the traffic into appropriate classes.
>>
>> I found a Makefile which successfully compiles:
>> https://github.com/981213/lede_src/blob/0d344bc2958838dcbc547a8f0a3d8842e6f6d2f8/package/my_package/ndpi-netfilter/Makefile
>>
>> The system works very well. Steam traffic is deprioritized to allow
>> applications like YouTube, Netflix, and Skype to receive higher amounts of
>> the available bandwidth.
>>
>> What I do for ingress is bridge two ports on an extra router, enable bridge
>> firewalling, and create IPTables rules to mark downstream packets. The
>> router I use is a D-Link DGL-5500, which is comparable to an Archer C7.
>>
>> IPv6 support is not available in this netfilter module, but the IPv4 support
>> is great.
>>
>> Noah Causin
> very nice.... however, can you describe a bit better how you
> configured for ingress ? a second router? configuration file ? your
> high level description seems a bit confusing to me
>
>
>> _______________________________________________
>> Cake mailing list
>> Cake@lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/cake
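
The ingress rules and sysctl settings from the message above, as an added example that is not part of the original post: a dry-run shell helper that validates the main router's MAC address before substituting it into the four marking rules, and checks a sysctl.conf for the two bridge-nf lines. The function names and the NDPI_CLASSES table are assumptions made for illustration; the iptables options are the ones shown in the message.

```shell
#!/bin/sh
# Added example: build the ingress marking rules from the message for a given
# main-router MAC. Prints the commands (dry run); it never calls iptables.

# App -> DSCP class pairs, copied from the example rules in the message.
NDPI_CLASSES="steam:cs0 youtube:cs2 netflix:cs3 skype:cs4"

# Succeed only for six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Succeed only for the class selectors cs0..cs7.
valid_class() {
    case "$1" in cs[0-7]) return 0 ;; *) return 1 ;; esac
}

# gen_ingress_rules MAC -> one iptables command per line on stdout.
# Frames sourced from the main router are excluded, so only downstream
# traffic crossing the bridge is marked.
gen_ingress_rules() {
    mac=$1
    valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    for pair in $NDPI_CLASSES; do
        proto=${pair%%:*}
        class=${pair#*:}
        valid_class "$class" || { echo "invalid class: $class" >&2; return 1; }
        printf 'iptables -t mangle -A FORWARD -m ndpi --%s -m mac ! --mac-source %s -j DSCP --set-dscp-class %s\n' \
            "$proto" "$mac" "$class"
    done
}

# bridge_nf_ok FILE -> succeed if both bridge-nf settings from the message
# are present in FILE and set to 1.
bridge_nf_ok() {
    grep -Eq '^net\.bridge\.bridge-nf-call-iptables *= *1$' "$1" &&
    grep -Eq '^net\.bridge\.bridge-nf-call-ip6tables *= *1$' "$1"
}
```

Review the printed rules before pasting them into the custom firewall rules tab; a rejected MAC or class prints an error and emits nothing further.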