Message-ID: <91d484ec338c58f622c25285bf4ff8658fde4a03.camel@lochnair.net>
From: Nils Andreas Svee
To: CAKE list
Date: Thu, 20 May 2021 18:07:43 +0200
Subject: [Cake] CAKE host isolation modes with NAT - two routers
List-Id: Cake - FQ_codel the next generation

Hi folks

Currently my setup looks something like this:
LAN <-> EdgeRouter <-> WireGuard <-> VPS <-> Internet.

CAKE for upstream is running on the EdgeRouter and downstream on the VPS.
The public IPs are all on the VPS per today, so that the host isolation
can do its job with NAT enabled.

Ideally I'd like to route the public IPs to each endpoint and handle
NAT-ing there, but then I'd obviously lose the ability to do proper host
isolation.

Now, I've been toying with the idea of using a userspace application to
extract conntrack information, to let the VPS know which host hash it
should use.

I might be way off here, but I'm thinking of using NFQUEUE to mark new
flows based on information from the EdgeRouter, and let tc filters set
the host hash based on that mark. For performance purposes only send
unmarked flows to NFQUEUE.

I realise this is kinda overkill, but it might be a fun weekend project.

--
Best Regards,
Nils
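
Added example, not part of the message above and not code from the CAKE project: a sketch of the lookup step the proposed userspace helper would need, turning the EdgeRouter's `conntrack -L` output into a per-host mark for downstream packets seen on the VPS. The sample entries, the `HostMarks` class and the choice to keep ids within 1..1024 (so they can also serve as the major number of a tc filter classid on CAKE) are assumptions; how the table travels from router to VPS and the NFQUEUE verdict loop are left out.

```python
import re

# Assumption: ids stay within 1..1024 so they fit a CAKE host-override value;
# 0 is reserved here for "unknown flow, leave unmarked".
CAKE_QUEUES = 1024

# Constructed sample of `conntrack -L` output from the NATing edge router.
# Per entry: original tuple (LAN side) first, reply tuple (WAN side) second.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=51000 dport=443 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=51000 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.11 dst=198.51.100.9 sport=40000 dport=53 src=198.51.100.9 dst=203.0.113.5 sport=53 dport=1024 mark=0 use=1
tcp      6 100 ESTABLISHED src=192.168.1.10 dst=198.51.100.8 sport=51001 dport=80 src=198.51.100.8 dst=203.0.113.5 sport=80 dport=51001 [ASSURED] mark=0 use=1
"""

KV = re.compile(r"\b(src|dst|sport|dport)=(\S+)")

def parse_conntrack(text):
    """Yield (lan_src, reply_tuple); reply_tuple is the 5-tuple the VPS sees downstream."""
    for line in text.splitlines():
        kv = KV.findall(line)
        if len(kv) < 8:  # ICMP or malformed entries have no two port pairs: skip
            continue
        proto = line.split()[0]
        orig, reply = dict(kv[:4]), dict(kv[4:8])
        yield orig["src"], (proto, reply["src"], int(reply["sport"]),
                            reply["dst"], int(reply["dport"]))

class HostMarks:
    """Give each LAN host a stable id and map post-NAT flows to that id."""
    def __init__(self):
        self.ids = {}    # LAN address -> host id
        self.flows = {}  # reply 5-tuple -> host id

    def load(self, text):
        for lan_src, reply in parse_conntrack(text):
            if lan_src not in self.ids:
                if len(self.ids) >= CAKE_QUEUES:
                    continue  # out of ids: flow stays unmarked and is hashed as usual
                self.ids[lan_src] = len(self.ids) + 1
            self.flows[reply] = self.ids[lan_src]

    def mark_for(self, proto, src, sport, dst, dport):
        """Mark for a downstream packet on the VPS; 0 means no matching flow."""
        return self.flows.get((proto, src, sport, dst, dport), 0)

if __name__ == "__main__":
    hm = HostMarks()
    hm.load(SAMPLE)
    print(hm.ids, hm.mark_for("tcp", "198.51.100.7", 443, "203.0.113.5", 51000))
```

Both TCP flows from 192.168.1.10 resolve to the same id even though the VPS only sees the shared public address 203.0.113.5, which is the information host isolation is missing once NAT moves to the endpoint.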