CakeQOS CakeQoS-Merlin v2.1.1

I'm going to revisit the possibility of instantiating CAKE on br0. The previous complaints were that it would limit LAN-to-LAN traffic. But if I do it like the firmware and put an HTB on br0 with 1 class for LAN-to-LAN and another class for WAN-to-LAN, then it should work.

Some gotchas I can think of already:
  1. Guest network #1 br1 and br2 would be missed
  2. There is no #2 yet.
 
So far I'm liking this capability using ipsets. I want to use an ipset for everything now. :)

One application that eluded inbound tinning was FaceTime. It doesn't seem to use a dedicated DNS name like other services. So I played with a bitmap:port ipset containing all the FaceTime UDP ports (3478-3497,16384-16402). Then added another tc filter putting all that into Video. I debated putting it into Voice, but left Voice for WiFi calling.
Code:
ipset create videoports bitmap:port range 3400-17000
ipset add videoports 3478-3497
ipset add videoports 16384-16402
ipset create voiceports bitmap:port range 500-4500
ipset add voiceports 500
ipset add voiceports 4500
handle="$(tc qdisc show dev ifb4eth0 root | awk ' { print $3 } ')"
tc filter add dev ifb4eth0 parent $handle protocol all prio 31 basic match 'ipset(videoports src)' action skbedit priority ${handle}3
tc filter add dev ifb4eth0 parent $handle protocol all prio 41 basic match 'ipset(voiceports src)' action skbedit priority ${handle}4
You could also add Zoom ports 8801-8810 as well, but I think Zoom will get added dynamically by the DNS names, if added to dnsmasq.conf.add.

Anyway, still a lot of experimenting to do. And a reminder that you don't need to classify everything -- just the stuff that is very important or very unimportant. Everything else can linger in besteffort without any extra effort.
Is this something that will become part of cake itself, or will we need to add this to a file ourselves to get this feature?

FWIW, I ran it from the command line and it seemed to work.
 
Is this something that will become part of cake itself, or will we need to add this to a file ourselves to get this feature?

FWIW, I ran it from the command line and it seemed to work.
Haven’t decided how it would/should work for general purposes. I’m currently running at home with CAKE on br0 instead of ifb4eth0, so I could just iptables all the incoming traffic instead of tc filtering it. But that would be farther in the future (my experiments are many, my positive results are few).

I need to avoid storing a large amount of user-specific configuration data (e.g. domain names, ports, etc.) in the Addon custom_settings.txt file, since space is scarce (limited to 8KB total for all addons). That’s why there’s not likely to be a UI for the dnsmasq ipsets. I might look at how thelonelycoder or Jack Yaz save data via custom_settings.txt, but then purge it after writing it to their own config file.
 
Are you using diffserv4 for download, or just upload? Since streaming is primarily a download activity, and we don’t yet have a simple way to classify download traffic, many people stick with besteffort for download.
I've spent quite a few hours at peak usage testing them all, including with custom configurations. I tweak QoS as I predominantly play UDP based AFPS, it's very obvious when QoS isn't coping both through the way the games react and the in game network graph. Thank you very much for your work on this, I'm looking forward to seeing if there is any improvement with the 2.2.0 beta during high use.
 
For anyone new to this I didn't spot anyone mentioning that you need to restart dnsmasq for any changes to /jffs/configs/dnsmasq.conf.add to take hold:

service restart_dnsmasq

You can check the entries that have been included by viewing dnsmasq.conf:
cat /etc/dnsmasq.conf
 
So what’s everyone’s experience with using the beta with dnsmasq ipsets?
 
So what’s everyone’s experience with using the beta with dnsmasq ipsets?
It seemed fine when I was using it, but filtering by specific rules just felt like a lot of work.
I am using your beta CakeFlexQoS solution and finding it an absolute dream.

Rock solid stable and great ping results.
 
Code:
ipset list -n
iptables -t mangle -S CakeQOS-Merlin
ip6tables -t mangle -S CakeQOS-Merlin
tc -s filter show dev ifb4eth0
tc -s qdisc show dev eth0
tc -s qdisc show dev ifb4eth0
grep ^ipset= /jffs/configs/dnsmasq.conf.add
I played with this some awhile back, using your ipset list. Just watching Netflix, everything still goes to besteffort. Figured I had some user error somewhere. But text file attached. This is on the dreaded AX86U.

EDIT: This was a pihole issue on my end. All working now.
 

CakeFlexQoS? What madness is this? :)
Hehehe, technically it isn't quite in FlexQoS yet, but it is a planned feature.

It's basically using the Cake QoS but with the Adaptive QoS packet classification to prioritise certain traffic types.

It combines the best features of both Cake and Adaptive. I am running the test script on my router and it works very well on my slow WAN connection.

This solution is like regular Cake in that it cannot be hardware accelerated, and it operates on the br0 interface, rather than the WAN interface, so I think there are certain limitations there too.
 
So what’s everyone’s experience with using the beta with dnsmasq ipsets?
I am using (and am a big fan of) Unbound. Can I use this version or will Unbound not honor the ipsets?
 
I am using (and am a big fan of) Unbound. Can I use this version or will Unbound not honor the ipsets?

As long as queries go through dnsmasq to Unbound, it will work. I have successfully tested that setup.

I suggest setting dnsmasq's cache-size to 0 in that arrangement, so its cache doesn't disrupt Unbound's prefetch feature.

I use a file called dnsmasq.postconf in /jffs/scripts/ with this in it:

Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_replace "cache-size=1500" "cache-size=0" $CONFIG

There may be other ways to accomplish the same goal, but I was already using that to modify the dnsmasq configuration.
 
I tried

Code:
ipset=/googlevideo.com/amazonaws.com/netflix.com/nflxext.com/nflximg.net/nflxso.net/nflxvideo.net/dvd.netflix.com/aiv-cdn.net/r.cloudfront.net/aiv-delivery.net/video_4,video_6
ipset=/zoom.us/skype.com/voice_4,voice_6
ipset=/backblaze.com/backblazeb2.com/bulk_4,bulk_6
ipset=/ms-acdc.office.com/windowsupdate.com/update.microsoft.com/bulk_4,bulk_6
ipset=/onedrive.com/1drv.ms/1drv.com/bulk_4,bulk_6

Unfortunately I still can't see any sign that Netflix (via FireTV, or SmartTV in the UK) is actually coming up in the video tin. I can't sniff what they're using currently, so it's quite likely I just don't have the right domains covered rather than any errors in the setup; I'd had to hunt for suggestions from various forums.
 
I tried

Code:
ipset=/googlevideo.com/amazonaws.com/netflix.com/nflxext.com/nflximg.net/nflxso.net/nflxvideo.net/dvd.netflix.com/aiv-cdn.net/r.cloudfront.net/aiv-delivery.net/video_4,video_6
ipset=/zoom.us/skype.com/voice_4,voice_6
ipset=/backblaze.com/backblazeb2.com/bulk_4,bulk_6
ipset=/ms-acdc.office.com/windowsupdate.com/update.microsoft.com/bulk_4,bulk_6
ipset=/onedrive.com/1drv.ms/1drv.com/bulk_4,bulk_6

Unfortunately I still can't see any sign that Netflix (via FireTV, or SmartTV in the UK) is actually coming up in the video tin. I can't sniff what they're using currently, so it's quite likely I just don't have the right domains covered rather than any errors in the setup; I'd had to hunt for suggestions from various forums.
Are you using DNSFilter? You probably need to make sure the FireTV is using the router DNS. I’d also suggest using Diversion just to be able to turn on logging so you can watch the queries and responses from the FireTV.
 
As long as queries go through dnsmasq to Unbound, it will work. I have successfully tested that setup.

I suggest setting dnsmasq's cache-size to 0 in that arrangement, so its cache doesn't disrupt Unbound's prefetch feature.

I use a file called dnsmasq.postconf in /jffs/scripts/ with this in it:

Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_replace "cache-size=1500" "cache-size=0" $CONFIG

There may be other ways to accomplish the same goal, but I was already using that to modify the dnsmasq configuration.
Thanks again. BTW, I did notice that the cache-size setting in /etc/dnsmasq.conf is already set to 0. It seems ubound_managerd.sh already took care of this for me!
Thanks @Martineau !
I have added @dave14305 ipsets to dnsmasq.conf.add and they do show up in /etc/dnsmasq.conf.

I must not have cake-qos configured correctly. Playing a video on Netflix shows packets in Best Effort.

 
I have added @dave14305 ipsets to dnsmasq.conf.add and they do show up in /etc/dnsmasq.conf.

I must not have cake-qos configured correctly. Playing a video on Netflix shows packets in Best Effort.
I canceled Netflix a few months ago, so I wasn't able to test it with real videos, but fast.com speedtests do belong under the nflxvideo.net domain.

See if anything is in the ipsets:
Code:
ipset list video_4
ipset list video_6
ipset list video
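
A way to check offline whether a hostname from the DNS query log is covered by the ipset= lines posted in this thread, and which set names those lines expect to exist. This is an added example, not part of CakeQOS-Merlin or any poster's script; the function names, the shortened sample config and the sample hostname are made up for illustration.

```shell
#!/bin/sh
# Added example (not CakeQOS-Merlin code). Reads dnsmasq config on stdin and
# parses directives of the form:  ipset=/dom1/dom2/.../set_a,set_b

# Print "listed-domain set_a,set_b" for every ipset= entry that covers HOST.
# dnsmasq applies each listed domain to the domain itself and its subdomains.
ipset_sets_for_host() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=${host%.}                      # tolerate a trailing root dot
    grep '^ipset=/' | while IFS= read -r line; do
        spec=${line#ipset=/}            # dom1/dom2/.../set_a,set_b
        sets=${spec##*/}                # text after the last slash
        domains=${spec%/*}              # everything before it
        old_ifs=$IFS; IFS=/
        for d in $domains; do
            d=$(printf '%s' "$d" | tr 'A-Z' 'a-z')
            case "$host" in
                "$d"|*."$d") printf '%s %s\n' "$d" "$sets" ;;
            esac
        done
        IFS=$old_ifs
    done
}

# Print every ipset name the config refers to, one per line, de-duplicated,
# for comparison with `ipset list -n`.
ipset_names() {
    sed -n 's|^ipset=/.*/||p' | tr ',' '\n' | sort -u
}

# Constructed sample: a shortened version of the lines posted in the thread.
sample_conf() {
    cat <<'EOF'
ipset=/googlevideo.com/netflix.com/nflxvideo.net/video_4,video_6
ipset=/zoom.us/skype.com/voice_4,voice_6
ipset=/backblaze.com/backblazeb2.com/bulk_4,bulk_6
cache-size=0
EOF
}

# Constructed hostname, standing in for one seen in the dnsmasq query log.
sample_conf | ipset_sets_for_host ipv4-c001.1.oca.nflxvideo.net
sample_conf | ipset_names
```

On the router, feed the functions the live file instead of the sample, for example `ipset_sets_for_host <hostname> < /etc/dnsmasq.conf`. A hostname that prints nothing is not covered by any listed domain, which matches the "everything goes to besteffort" symptom even when the sets themselves exist.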
 
