From mboxrd@z Thu Jan 1 00:00:00 1970
From: Pete Heist <pete@heistp.net>
Date: Mon, 10 Sep 2018 21:29:09 +0200
To: Cake List <cake@lists.bufferbloat.net>
Subject: Re: [Cake] Cake on elements of a bridge
In-Reply-To: <6C556301-015B-4903-AE5A-F22D3517FFCC@heistp.net>
References: <87zhwxzh8o.fsf@toke.dk> <139B295B-7371-43DE-B472-DE629C9B8432@heistp.net> <87efe65wol.fsf@toke.dk> <6C556301-015B-4903-AE5A-F22D3517FFCC@heistp.net>
List-Id: Cake - FQ_codel the next generation

> On Sep 6, 2018, at 8:51 PM, Pete Heist <pete@heistp.net> wrote:
> 
>> On Sep 6, 2018, at 8:04 PM, Toke Høiland-Jørgensen <toke@toke.dk> wrote:
>> 
>> Pete Heist <pete@heistp.net> writes:
>> 
>>> But now, my neighbor will access the Internet through my CPE device,
>>> but they must have a separate IP obtained through DHCP (i.e. a
>>> separate MAC address as well), and I want to use cake to manage the
>>> queue for both of us. I could do this with two routers and a
>>> transparent bridge, but I want to see if I can make it work with as
>>> few devices as possible, preferably just one EdgeRouter-X. I had two
>>> failures thus far:
>> 
>> DHCP relay and normal routing? Or bridging with a kernel software bridge
>> rather than the hardware switch?
> 
> I bet a regular software bridge would work. I'll try it.
> 
> It looks like I'll also need to do stateful firewalling for the neighbors. I was able to get my transparent bridge to do this with net.bridge.bridge-nf-call-iptables=1, I believe, so this should also theoretically work fine, somehow… :)

For anyone who followed this, yes, the regular soft bridge (i.e. set interfaces bridge br0) works fine on the ER-X, as I suspect it would on most any Linux. A few notes about it:

- Your qdisc must be added to the physical interface (e.g. eth4), not the bridge interface
- Unlike the hardware bridge which has its own MAC, the soft bridge seems to take the MAC of the lowest (or first listed?) interface port
- On ER-X, bridge-nf-call-iptables=1 is the default so nothing needs to be changed there for firewalling
- When firewalling the bridged WAN interface, 'in' corresponds to bridged traffic and 'local' to routed traffic, which is different from the semantics for ordinary routed traffic
- I can do stateful firewalling for bridged hosts with "accept established and related", but have to explicitly allow DHCP (UDP source/dest port 67-68) in the WAN interface's 'in' rules for DHCP traffic to pass through the bridge

Performance:

Using Cake with this setup, the fun ends at around 110 Mbit with ksoftirqd thrashing. Unsurprisingly, there's probably some overhead here with the soft bridge. For my purposes though (50 Mbit), it's enough, barely…
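The setup from the notes above as an added example, not from Pete's post or from the EdgeOS configuration: the same soft bridge, cake on the physical port, and stateful filtering of bridged traffic with plain iproute2, tc and iptables so it applies to "most any Linux". The interface names (eth4 as WAN, eth3 as the neighbour's port), the 50 Mbit rate and the chain name BRIDGE_WAN_IN are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or EdgeOS: soft bridge + cake +
# stateful firewall for bridged hosts, written with iproute2/tc/iptables.
# Assumptions (hypothetical, adjust): eth4 is the WAN port, eth3 the neighbour's
# port, both are members of br0, and cake shapes to 50 Mbit.
WAN_IF=${WAN_IF:-eth4}
NEIGH_IF=${NEIGH_IF:-eth3}
BRIDGE=${BRIDGE:-br0}
RATE=${RATE:-50mbit}

# Print the plan instead of executing it, so it can be reviewed (and tested)
# before being applied as root with the "apply" argument.
bridge_cake_plan() {
    cat <<EOF
ip link add $BRIDGE type bridge
ip link set $WAN_IF master $BRIDGE
ip link set $NEIGH_IF master $BRIDGE
ip link set $BRIDGE up
# bridged frames only reach iptables with this sysctl (already the default on ER-X)
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
# the qdisc belongs on the physical port, not on $BRIDGE
tc qdisc replace dev $WAN_IF root cake bandwidth $RATE
# stateful filtering of bridged traffic entering via the WAN port
iptables -N BRIDGE_WAN_IN
iptables -A FORWARD -m physdev --physdev-in $WAN_IF -j BRIDGE_WAN_IN
iptables -A BRIDGE_WAN_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the established/related rule does not pass DHCP, so allow UDP 67-68 explicitly
iptables -A BRIDGE_WAN_IN -p udp --sport 67:68 --dport 67:68 -j ACCEPT
iptables -A BRIDGE_WAN_IN -j DROP
EOF
}

# Guard for the first note in the post: fail if any qdisc line targets the bridge.
qdisc_on_physical() {
    ! bridge_cake_plan | grep -q "^tc qdisc .*dev $BRIDGE "
}

case "$1" in
    apply) qdisc_on_physical && bridge_cake_plan | grep -v '^#' | sh -e ;;
    *)     bridge_cake_plan ;;
esac
```

Without an argument the script only prints the commands; `sh thisscript.sh apply` runs them as root.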