I took an extra router I had and bridged two ports on the router's switch, so they just pass traffic. (eth0.2 and eth0.3)
Clients >-[Main Router] --[Extra Router]--[Cable-Modem]
The extra router is passive. It acts like it's part of the Ethernet cable between the main router and cable modem. It does not interfere.
The extra router needs these packages:
kmod-ebtables, kmod-ebtables-ipv4, kmod-crypto-pcompress and the two packages compiled from the Makefile I showed below (iptables-mod-ndpi and iptables-mod-ndpi)
I edited /etc/sysctl.conf and changed the last two lines to this:
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
This enables bridge firewalling, so the traffic between the two ports can be marked.
I then added firewall rules to LuCI's custom firewall rules tab.
Example rules, modify classes as desired:
iptables -t mangle -A FORWARD -m ndpi --steam -m mac ! --mac-source Your Main Router's Mac Address -j DSCP --set-dscp-class cs0
iptables -t mangle -A FORWARD -m ndpi --youtube -m mac ! --mac-source Your Main Router's Mac Address -j DSCP --set-dscp-class cs2
iptables -t mangle -A FORWARD -m ndpi --netflix -m mac ! --mac-source Your Main Router's Mac Address -j DSCP --set-dscp-class cs3
iptables -t mangle -A FORWARD -m ndpi --skype -m mac ! --mac-source Your Main Router's Mac Address -j DSCP --set-dscp-class cs4
Have your main router use some form of DiffServ for both upload and download on its WAN interface. For upload traffic, you just need the two packages from the Makefile installed on the main router, and firewall rules like this:
iptables -t mangle -A FORWARD -o eth2 -m ndpi --netflix -j DSCP --set-dscp-class cs3
iptables -t mangle -A FORWARD -o eth2 -m ndpi --skype -j DSCP --set-dscp-class cs4
If you need help building a custom firmware image, just let me know.
On Fri, Nov 11, 2016 at 9:55 AM, Noah Causin <n0manletter@gmail.com> wrote:

I finally got my project working. I integrated the NDPI Deep Packet Inspection engine into my LEDE build, so I could prioritize applications using Cake.
http://www.ntop.org/products/deep-packet-inspection/ndpi/
NDPI integrates into IPTables, which allows me to DSCP mark packets. Cake reads the DiffServ markings and puts the traffic into appropriate classes.
I found a Makefile which successfully compiles:
https://github.com/981213/lede_src/blob/0d344bc2958838dcbc547a8f0a3d8842e6f6d2f8/package/my_package/ndpi-netfilter/Makefile
The system works very well. Steam traffic is deprioritized to allow applications like YouTube, Netflix, and Skype to receive higher amounts of the available bandwidth.
What I do for ingress is bridge two ports on an extra router, enable bridge firewalling, and create IPTables rules to mark downstream packets.
The router I use is a D-Link DGL-5500, which is comparable to an Archer C7.
IPv6 support is not available in this netfilter module, but the IPv4 support is great.
Noah Causin

very nice.... however, can you describe a bit better how you configured for ingress? a second router? configuration file? your high level description seems a bit confusing to me

_______________________________________________
Cake mailing list
Cake@lists.bufferbloat.net
https://lists.bufferbloat.net/listinfo/cake
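
Added example, not part of the original thread or of the ndpi-netfilter project: a POSIX sh helper that emits the bridge router's ingress marking rules from one table and produces no output while the main router's MAC is still placeholder text or a DSCP class is malformed. The function names, the MAIN_ROUTER_MAC variable and the MAC 02:00:00:00:00:01 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Prints the bridge router's
# ingress marking rules; it does not run iptables itself.

# Constructed sample table: "<nDPI match flag> <DSCP class>" per line,
# using the four protocols and classes from the post.
APP_CLASSES='steam cs0
youtube cs2
netflix cs3
skype cs4'

# Succeed only for a colon-separated six-octet MAC address.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Succeed only for DSCP class names: cs0-cs7, af11-af43, ef.
valid_class() {
    case "$1" in
        cs[0-7]|af[1-4][1-3]|ef) return 0 ;;
        *) return 1 ;;
    esac
}

# Build every rule first and print only if the MAC, all match flags and all
# classes are valid, so a bad entry never yields a partial rule set.
gen_ingress_rules() {
    mac=$1 rules=''
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    while read -r app class; do
        [ -n "$app" ] || continue
        case "$app" in *[!a-z0-9_]*) echo "bad flag: $app" >&2; return 1 ;; esac
        valid_class "$class" || { echo "bad class: $class" >&2; return 1; }
        rules="${rules}iptables -t mangle -A FORWARD -m ndpi --$app -m mac ! --mac-source $mac -j DSCP --set-dscp-class $class
"
    done <<EOF
$APP_CLASSES
EOF
    printf '%s' "$rules"
}

# 02:00:00:00:00:01 is a constructed placeholder for the main router's MAC.
gen_ingress_rules "${MAIN_ROUTER_MAC:-02:00:00:00:00:01}"
```

The printed lines are in the form the post pastes into LuCI's custom firewall rules tab; a non-zero exit status means nothing was printed.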