From: Noah Causin
To: Outback Dingo
Cc: cake@lists.bufferbloat.net
Subject: Re: [Cake] Cake with Deep Packet Inspection
Date: Thu, 10 Nov 2016 21:42:43 -0500
Message-ID: <46c0133b-b6f8-fe1f-4d2e-0cf6088e024d@gmail.com>
References: <3e5942d2-6d6b-0e01-8aa6-98c3535c26ef@gmail.com>
List-Id: Cake - FQ_codel the next generation

I took an extra router I had and bridged two ports on the router's switch, so they just pass traffic. (eth0.2 and eth0.3)

Clients >-[Main Router] --[Extra Router]--[Cable-Modem]

The extra router is passive.  It acts like it's part of the Ethernet cable between the main router and cable modem.  It does not interfere.

The extra router needs these packages:

kmod-ebtables, kmod-ebtables-ipv4, kmod-crypto-pcompress and the two packages compiled from the Makefile I showed below (iptables-mod-ndpi and iptables-mod-ndpi)

I edited /etc/sysctl.conf and changed the last two lines to this:

net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1

This enables bridge firewalling, so the traffic between the two ports can be marked.

I then added firewall rules to LuCI's custom firewall rules tab.

Example Rules, modify classes as desired:

iptables -t mangle -A FORWARD -m ndpi --steam -m mac ! --mac-source Your Main Router's Mac Address -j DSCP --set-dscp-class cs0
iptables -t mangle -A FORWARD -m ndpi --youtube -m mac ! --mac-source Your Main Router's Mac Address -j DSCP --set-dscp-class cs2

iptables -t mangle -A FORWARD -m ndpi --netflix -m mac ! --mac-source Your Main Router's Mac Address -j DSCP --set-dscp-class cs3
iptables -t mangle -A FORWARD -m ndpi --skype -m mac ! --mac-source Your Main Router's Mac Address -j DSCP --set-dscp-class cs4

Have your main router use some form of DiffServ for both upload and download on its WAN interface.  For upload traffic, you just need the two packages from the makefile to be installed on the main router and create firewall rules like this:

iptables -t mangle -A FORWARD -o eth2 -m ndpi --netflix -j DSCP --set-dscp-class cs3
iptables -t mangle -A FORWARD -o eth2 -m ndpi --skype -j DSCP --set-dscp-class cs4

If you need help building a custom firmware image, just let me know.


On 11/10/2016 9:06 PM, Outback Dingo wrote:
> On Fri, Nov 11, 2016 at 9:55 AM, Noah Causin <n0manletter@gmail.com> wrote:
>> I finally got my project working.
>>
>> I integrated the NDPI Deep Packet Inspection engine into my LEDE build, so I
>> could prioritize applications using Cake.
>>
>> http://www.ntop.org/products/deep-packet-inspection/ndpi/
>>
>> NDPI integrates into IPTables, which allows me to DSCP mark packets.  Cake
>> reads the DiffServ markings and puts the traffic into appropriate classes.
>>
>> I found a Makefile which successfully compiles:
>> https://github.com/981213/lede_src/blob/0d344bc2958838dcbc547a8f0a3d8842e6f6d2f8/package/my_package/ndpi-netfilter/Makefile
>>
>> The system works very well.  Steam traffic is deprioritized to allow
>> applications like YouTube, Netflix, and Skype to receive higher amounts of
>> the available bandwidth.
>>
>> What I do for ingress is bridge two ports on an extra router, enable bridge
>> firewalling, and create IPTables rules to mark downstream packets.  The
>> router I use is a D-Link DGL-5500, which is comparable to an Archer C7.
>>
>> IPv6 support is not available in this netfilter module, but the IPv4 support
>> is great.
>>
>> Noah Causin
> very nice.... however, can you describe a bit better how you
> configured for ingress ? a second router?  configuration file ? your
> high level description seems a bit confusing to me
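
The bridge-firewalling check and ingress marking rules described in the message above, as an added dry-run sketch that is not part of the original post or of the ndpi-netfilter project: it reads a sysctl.conf-format file for the two bridge-netfilter keys and prints the marking rules only for a well-formed MAC address. The function names and the sample MAC address are assumptions made for this example.

```shell
#!/bin/sh
# Dry run only: prints rules for review, never calls iptables itself.

# nDPI protocol -> DSCP class, taken from the example rules in the post.
NDPI_CLASSES="steam:cs0 youtube:cs2 netflix:cs3 skype:cs4"

# valid_mac MAC: succeeds only for six colon-separated hex octets, so an
# unreplaced placeholder or stray shell metacharacters never reach a rule.
valid_mac() {
    [ "${#1}" -eq 17 ] &&
        printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# sysctl_value FILE KEY: prints the last value assigned to KEY in FILE.
sysctl_value() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/[ \t]/, "", v) }
        END { print v }' "$1"
}

# bridge_nf_enabled FILE: succeeds if both bridge-netfilter keys are 1.
bridge_nf_enabled() {
    for key in net.bridge.bridge-nf-call-iptables \
               net.bridge.bridge-nf-call-ip6tables; do
        [ "$(sysctl_value "$1" "$key")" = "1" ] || return 1
    done
}

# gen_ingress_rules MAC: prints one mangle rule per protocol, matching
# frames whose source MAC is NOT the main router (downstream traffic).
gen_ingress_rules() {
    valid_mac "$1" || { echo "invalid MAC address: $1" >&2; return 2; }
    for pair in $NDPI_CLASSES; do
        printf 'iptables -t mangle -A FORWARD -m ndpi --%s -m mac ! --mac-source %s -j DSCP --set-dscp-class %s\n' \
            "${pair%%:*}" "$1" "${pair##*:}"
    done
}

# Constructed MAC address for illustration; substitute the main router's.
gen_ingress_rules "00:11:22:33:44:55"
```

Running `bridge_nf_enabled /etc/sysctl.conf` on the extra router before pasting the printed rules confirms that bridged frames will actually traverse the mangle table.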