Re: [Cake] Cake with Deep Packet Inspection

[Noah Causin <n0manletter@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 3441 bytes --]

I took an extra router I had and bridged two ports on the router's 
switch, so they just pass traffic. (eth0.2 and eth0.3)

Clients >-[Main Router] --[Extra Router]--[Cable-Modem]

The extra router is passive.  It acts like it's part of the Ethernet 
cable between the main router and cable modem.  It does not interfere.

The extra router needs these packages:

kmod-ebtables, kmod-ebtables-ipv4, kmod-crypto-pcompress and the two 
packages compiled from the Makefile I showed below (iptables-mod-ndpi 
and iptables-mod-ndpi)

I edited /etc/sysctl.conf and change the last two lines to this:

net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1

This enables bridge firewalling, so the traffic between the two ports 
can be marked.

I then added firewall rules to LuCIs custom firewall rules tab.

Example Rules, modify classes as desired:

iptables -t mangle -A FORWARD -m ndpi --steam -m mac ! --mac-source 
*Your Main Router's Mac Address* -j DSCP --set-dscp-class cs0
iptables -t mangle -A FORWARD -m ndpi --youtube -m mac ! --mac-source 
*Your Main Router's Mac Address* -j DSCP --set-dscp-class cs2

iptables -t mangle -A FORWARD -m ndpi --netflix -m mac ! --mac-source 
*Your Main Router's Mac Address* -j DSCP --set-dscp-class cs3
iptables -t mangle -A FORWARD -m ndpi --skype -m mac ! --mac-source 
*Your Main Router's Mac Address* -j DSCP --set-dscp-class cs4

Have your main router use some form of DiffServ for both upload and 
download on its WAN interface.  For upload traffic, you just need the 
two packages from the makefile to be installed on the main router and 
create firewall rules like this:

iptables -t mangle -A FORWARD -o eth2 -m ndpi --netflix -j DSCP 
--set-dscp-class cs3
iptables -t mangle -A FORWARD -o eth2 -m ndpi --skype -j DSCP 
--set-dscp-class cs4

If you need help building a custom firmware image, just let me know.


On 11/10/2016 9:06 PM, Outback Dingo wrote:
> On Fri, Nov 11, 2016 at 9:55 AM, Noah Causin <n0manletter@gmail.com> wrote:
>> I finally got my project working.
>>
>> I integrated the NDPI Deep Packet Inspection engine into my LEDE build, so I
>> could prioritize applications using Cake.
>>
>> http://www.ntop.org/products/deep-packet-inspection/ndpi/
>>
>> NDPI integrates into IPTables, which allows me to DSCP mark packets.  Cake
>> reads the DiffServ markings and puts the traffic into appropriate classes.
>>
>> I found a Makefile which successfully compiles:
>> https://github.com/981213/lede_src/blob/0d344bc2958838dcbc547a8f0a3d8842e6f6d2f8/package/my_package/ndpi-netfilter/Makefile
>>
>> The system works very well.  Steam traffic is deprioritized to allow
>> applications like YouTube, Netflix, and Skype to receive higher amounts of
>> the available bandwidth.
>>
>> What I do for ingress is bridge two ports on an extra router, enable bridge
>> firewalling, and create IPTables rules to mark downstream packets.  The
>> router I use is a D-Link DGL-5500, which is comparable to an Archer C7.
>>
>> IPv6 support is not available in this netfilter module, but the IPv4 support
>> is great.
>>
>> Noah Causin
> very nice.... however, can you describe a bit better how you
> configured for ingress ? a second router?  configuration file ? your
> high level description seems a bit confusing to me
>
>
>> _______________________________________________
>> Cake mailing list
>> Cake@lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/cake


[-- Attachment #2: Type: text/html, Size: 5278 bytes --]