CakeQOS CakeQoS-Merlin v2.1.1

[dave14305]

The three major video sources here, youtube, amazon prime video, and netflix aren't registering as video using diffserv4, is there an easy way to do that?

Are you using diffserv4 for download, or just upload? Since streaming is primarily a download activity, and we don’t yet have a simple way to classify download traffic, many people stick with besteffort for download.

There are alternatives available using ipsets and tc filters with skbedit, or else moving cake from ifb4eth0 to br0, but there are trade offs to both.

 

[Morris]

The three major video sources here, youtube, amazon prime video, and netflix aren't registering as video using diffserv4, is there an easy way to do that?

Using tins defeats the simplicity and beauty of CAKE QOS. Simply use besteffort in and out. Streams will get priority and bandwidth hogs will be slowed to allow the streams to work great.

Morris

 

[Tekneek]

One note about DSCP for those who might be running bind9 or unbound DNS servers on their network. Both make it very simple to set those values in the config, if the default 0/"best effort" doesn't meet your needs.

These examples set the DSCP value to 40/CS5/

bind9 example for your config:

dscp 40;

unbound example for your config:

ip-dscp: 40

 

[Yakumo]

Using tins defeats the simplicity and beauty of CAKE QOS. Simply use besteffort in and out. Streams will get priority and bandwidth hogs will be slowed to allow the streams to work great.

Morris

Then why are the tin options there at all?
Also, they diffserv options do usually perform better for my needs.

 

[Morris]

Then why are the tin options there at all?

To try and help those facing the uphill battle of insufficient bandwidth. One could prioritize VOIP over video. The better solution is to provision more bandwidth so both VOIP and video work well yet this is not always possible.

Morris

 

[Yakumo]

To try and help those facing the uphill battle of insufficient bandwidth. One could prioritize VOIP over video. The better solution is to provision more bandwidth so both VOIP and video work well yet this is not always possible.

Morris

Which is exactly why I asked my initial question, providing more bandwidth here isn't an option, hence the need for QoS in the first place.

 

[Morris]

Which is exactly why I asked my initial question, providing more bandwidth here isn't an option, hence the need for QoS in the first place.

Classifying sources is a losing battle. You will face constant changes, particularly for YouTube as they obfuscate source to avoid theft and advertising. If you must clarify marking what is low priority, usually file transfers is much easier. If you have enough bandwidth for video streaming and oversubscription is caused by bandwidth hogs, then best effort is all you need

Morris

 

[alchemy]

Usually the way to fix issues when using Cake is to just reduce your Download and Upload value. I know people don't like giving up the bandwidth they're paying for, but Cake must be the bottleneck/limiter! Cake with too high of Down Up values will be attempting to share and split bandwidth your network does not even have available. Likely causing lots of dropped packets and network lag/delays. I have a 50/10 connection but I put 48/9 in Cake.

@Yakumo Like many features found on routers, Cake tins/diffserv make sense in theory but may not work as well in reality. On my network I found almost nothing gets tin'd automatically using diffserv4 on Down and Up (with or without wash). So I recommend using best effort on both Down and Up (with dual-dsthost + dual-srchost). Your answer is likely to lower your bandwidth values until your network becomes more stable and responsive. Best effort and Diffserv should perform nearly the same with proper values. Are you sure tins are working? In SSH you can check your Cake status (packets tin'd, dropped etc) with: "cake_qos status download" and "cake_qos status upload".

You can try also testing your bufferbloat (you should be getting A's):
Good ol speed test, has bufferbloat analysis: https://www.dslreports.com/speedtest
Newer bufferbloat test: https://www.waveform.com/tools/bufferbloat
Found this one, it's interesting (and helps test 300 pings a second! lol): https://packetlosstest.com/

 

[dave14305]

This week I’m going to take my best shot at implementing dnsmasq-based ipset rules for inbound/outbound tin classification.

Looking for input before I get too deep in the rat hole.

 

[Morris]

This week I’m going to take my best shot at implementing dnsmasq-based ipset rules for inbound/outbound tin classification.

Looking for input before I get too deep in the rat hole.

That's an interesting approach Dave. What will you do about YouTube messing with source IPs?

 

[dave14305]

That's an interesting approach Dave. What will you do about YouTube messing with source IPs?

As dnsmasq resolves YouTube domains, the ipset will be updated with the current IP. Same approach used by many scripts at OpenWrt. I just figure we should be as good as they are.

 

[Treadler]

This week I’m going to take my best shot at implementing dnsmasq-based ipset rules for inbound/outbound tin classification.

Looking for input before I get too deep in the rat hole.

So, if implemented, this would be an add on to the router’s Cake?
or, FlexQos?

 

[dave14305]

So, if implemented, this would be an add on to the router’s Cake?
or, FlexQos?

It would be part of the CakeQoS Addon. I don’t think it’s as applicable to Adaptive QoS, but depending how it goes, it could also find its way into FlexQoS.

 

[Tekneek]

As dnsmasq resolves YouTube domains, the ipset will be updated with the current IP. Same approach used by many scripts at OpenWrt. I just figure we should be as good as they are.

Would this require the router be used for DNS by the network?

 

[dave14305]

Would this require the router be used for DNS by the network?

That is the intention. Clients request a domain name from the router's DNS. dnsmasq looks it up. dnsmasq adds the resulting IP to a ipset (e.g. bulk, voice, video). Outbound traffic to IPs within the ipsets get marked with the DSCP that would put the traffic in the intended CAKE tin. Inbound traffic from IPs within the ipsets get forcibly assigned (via skbedit) to the appropriate tin for their ipset (e.g. bulk, voice, video).

It's the inbound traffic that's always been elusive. I had some ideas to try the veth method used a lot at OpenWrt, but it doesn't look like veth is compiled in the ASUS / Merlin kernels.

 

[Milan]

This week I’m going to take my best shot at implementing dnsmasq-based ipset rules for inbound/outbound tin classification.

Looking for input before I get too deep in the rat hole.

So, users with unbound are out of game .... Or ?

 

[Tekneek]

That is the intention. Clients request a domain name from the router's DNS. dnsmasq looks it up. dnsmasq adds the resulting IP to a ipset (e.g. bulk, voice, video). Outbound traffic to IPs within the ipsets get marked with the DSCP that would put the traffic in the intended CAKE tin. Inbound traffic from IPs within the ipsets get forcibly assigned (via skbedit) to the appropriate tin for their ipset (e.g. bulk, voice, video).

It's the inbound traffic that's always been elusive. I had some ideas to try the veth method used a lot at OpenWrt, but it doesn't look like veth is compiled in the ASUS / Merlin kernels.

It sounds compelling. Doesn't work for my network, as it functions today, but looking forward to seeing how your progress goes!

 

[dave14305]

So, users with unbound are out of game .... Or ?

Unbound users can probably mimic the behavior by using its native ipset functionality. But I think there will be some trouble with the user privileges with Unbound running as nobody.

unbound/doc/example.conf.in at ce39d5ad17fa11dd6dbc9951be0be9c41dcd1f68 · NLnetLabs/unbound

Unbound is a validating, recursive, and caching DNS resolver. - NLnetLabs/unbound

github.com

unbound/doc/example.conf.in at ce39d5ad17fa11dd6dbc9951be0be9c41dcd1f68 · NLnetLabs/unbound

Unbound is a validating, recursive, and caching DNS resolver. - NLnetLabs/unbound

github.com

If dnsmasq forwards to Unbound, then dnsmasq should still be able to populate the ipsets with Unbound's results.

 

[Tekneek]

And that won't change too much of the functionality, although probably would want to set dnsmasq's cache-size to 0 so Unbound's pre-fetch feature isn't neutralized.

In my situation, I have two pi-holes backed by bind9/unbound. Having the router handle DNS requests loses per-device metrics on the pi-holes, but that trade-off could be worth it.

 

[dave14305]

Beta 2.20 available on develop branch!

This has the initial groundwork for ipset-based classification for upload and download traffic. How you populate the ipsets is up to you, but I expect most of us to use dnsmasq functionality.

Example /jffs/configs/dnsmasq.conf.add (just created for my testing, not exhaustive or meant to be your starting point):

ipset=/googlevideo.com/nflxvideo.net/aiv-cdn.net/r.cloudfront.net/aiv-delivery.net/video_4,video_6
ipset=/zoom.us/skype.com/voice_4,voice_6
ipset=/backblaze.com/backblazeb2.com/bulk_4,bulk_6
ipset=/ms-acdc.office.com/windowsupdate.com/update.microsoft.com/bulk_4,bulk_6
ipset=/onedrive.com/1drv.ms/1drv.com/bulk_4,bulk_6

The ipset names that CakeQOS-Merlin creates depend on which prioritization scheme you use:

• besteffort: (none created)
• diffserv3: bulk_4, besteffort_4, voice_4 (optionally bulk_6, besteffort_6, voice_6 if IPv6 enabled)
• diffserv4: bulk_4, besteffort_4, video_4, voice_4 (optionally bulk_6, besteffort_6, video_6, voice_6 if IPv6 enabled)
• diffserv8: tin0_4, tin1_4, tin2_4, ... tin7_4 (and IPv6 equivalents)

There is no user interface for this, at least for now. I'm not certain yet that I want to take on the responsibility to manage dnsmasq options in CakeQOS-Merlin. But it's pretty darn easy to setup yourself, thanks to the dnsmasq.conf customizations available in Merlin.

The hardest part may be to find and isolate which domain names you really need to track via the ipset. For example, youtube.com won't give you what you really want (i.e. googlevideo.com), so I strongly suggest using Diversion with logging enabled to look for the domains of interest.

Interested users can switch to the develop branch by re-running the installer for that branch:

mkdir -p /jffs/addons/cake-qos && /usr/sbin/curl -s "https://raw.githubusercontent.com/ttgapers/cakeqos-merlin/develop/cake-qos.sh" -o "/jffs/addons/cake-qos/cake-qos" && chmod 755 /jffs/addons/cake-qos/cake-qos && sh /jffs/addons/cake-qos/cake-qos install

Troubleshooting / Debugging:
Please report issues and include the outputs of these commands:

ipset list -n
iptables -t mangle -S CakeQOS-Merlin
ip6tables -t mangle -S CakeQOS-Merlin
tc -s filter show dev ifb4eth0
tc -s qdisc show dev eth0
tc -s qdisc show dev ifb4eth0
grep ^ipset= /jffs/configs/dnsmasq.conf.add