[Cake] Recommendations for using cake in complex setup (wireguard + vlan + bond)

[Cake] Recommendations for using cake in complex setup (wireguard + vlan + bond)

[Alban]

[-- Attachment #1: Type: text/plain, Size: 2039 bytes --]

Hi everybody,

I am setting a new router with a non trivial setup and I really like to
get some recommendations on how to best use cake. First of all the
router is using VLAN on top of 2 bonded gigabit Ethernet interface:

                        +--> VLAN1 (LAN)
 eth0 <--+              |
         +---> bond0 <--+--> VLAN2 (WAN1)
 eth1 <--+              |
                        +--> VLAN3 (WAN2)

The bond is using LACP, but mainly for redundancy and not for the
increased bandwidth. Both WAN VLAN are going to ISP provided FritzBox
connected to 50/10Mbit VDSL2 lines.

As far as i understand I should use cake on the WAN VLAN interfaces.
But what about the bond and physical Ethernet interface? Per default
the Ethernet interfaces use the fq_codel qdisc, should I replace it
with noqueue if cake is running on the VLAN interface? Any other
recommendation regarding queuing in general with such layering of
interfaces?

But there is one more component, on each WAN interface there is a
wireguard tunnel which is used to encrypt most of the traffic going out
on the interface. Unlike unencrypted IP in IP tunnel the kernel flow
dissector is not able to distinguish the flows, so all the encrypted
traffic is just one big flow for cake. Ideally I would like to achieve a
setup where cake can handle the encrypted traffic just like unencrypted
traffic.

Looking at the wireguard code it seems that the incoming skb get
encrypted/encapsulated and resent again while still using the same skb.
This give me the hope that it might be possible to classify the traffic
entering the wireguard tunnel and somehow pass this information down to
the cake instance running on the lower device.

I have seen that cake can use classifier and that the tin can be passed
via fw mark, however I'm unsure if that would really be useful/usable in
this case. Any suggestion would be welcome, from what can be done with
the current code, up to what kind of changes would be needed to achieve
the ideal case.

Alban

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [Cake] Recommendations for using cake in complex setup (wireguard + vlan + bond)

[Toke Høiland-Jørgensen]

Alban <albeu@free.fr> writes:

> Hi everybody,
>
> I am setting a new router with a non trivial setup and I really like to
> get some recommendations on how to best use cake. First of all the
> router is using VLAN on top of 2 bonded gigabit Ethernet interface:
>
>                         +--> VLAN1 (LAN)
>  eth0 <--+              |
>          +---> bond0 <--+--> VLAN2 (WAN1)
>  eth1 <--+              |
>                         +--> VLAN3 (WAN2)
>
> The bond is using LACP, but mainly for redundancy and not for the
> increased bandwidth. Both WAN VLAN are going to ISP provided FritzBox
> connected to 50/10Mbit VDSL2 lines.

What are the physical interfaces connected to? How is the traffic
getting to the FritzBoxes?

-Toke

Re: [Cake] Recommendations for using cake in complex setup (wireguard + vlan + bond)

[Alban]

[-- Attachment #1: Type: text/plain, Size: 1652 bytes --]

On Mon, 01 Jul 2019 14:22:37 +0200
Toke Høiland-Jørgensen <toke@toke.dk> wrote:

> Alban <albeu@free.fr> writes:
> 
> > Hi everybody,
> >
> > I am setting a new router with a non trivial setup and I really
> > like to get some recommendations on how to best use cake. First of
> > all the router is using VLAN on top of 2 bonded gigabit Ethernet
> > interface:
> >
> >                         +--> VLAN1 (LAN)
> >  eth0 <--+              |
> >          +---> bond0 <--+--> VLAN2 (WAN1)
> >  eth1 <--+              |
> >                         +--> VLAN3 (WAN2)
> >
> > The bond is using LACP, but mainly for redundancy and not for the
> > increased bandwidth. Both WAN VLAN are going to ISP provided
> > FritzBox connected to 50/10Mbit VDSL2 lines.  
> 
> What are the physical interfaces connected to? How is the traffic
> getting to the FritzBoxes?

I should have mentioned that the above diagram depict the logical
interfaces inside the router. The router only physical connection
is via the bond to a switch stack, the logical separation of LAN and
WAN is done using VLANs.

The physical interfaces (eth0/1) are gigabit Ethernet, one FritzBox is
directly connected to the same switch, the second one is connected via
yet another switches as it is not in the same physical location. Like
this:

             (VLAN1)      (VLAN1)
             clients      clients
                |            |
             +-----+      +-----+
  Router <-->| SW1 |<---->| SW2 |
             +--+--+      +--+--+
                |            |
               FB1          FB2
             (VLAN2)      (VLAN3)

Alban

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [Cake] Recommendations for using cake in complex setup (wireguard + vlan + bond)

[David Lang]

As a general rule, you want to put Cake (or any other sqm system) just before 
your bottleneck link.

That's unlikely to be the LAN links, it's almost always going to be your WAN 
links.

If you have them there for redundancy, not for added bandwidth, I think the 
right thing to do is to put Cake on the bonded (logical) interface that they 
share, but set it to a bandwidth that either link can satisfy if the other is 
down.

David Lang