[Release] FreshJR Adaptive QOS (Improvements / Custom Rules / and Inner workings)

[FreshJR]

My Question is how fix the reverse trafic on my guest network with the ip range 192.168.3.0/24
When I use this script

You would have to log traffic in iptables. (Mangle Table -- POSTROUTING chain)

See where the YazFi traffic passes and mark it appropriately so it is picked up by TC.

 

[HowIFix]

You would have to log traffic in iptables. (Mangle Table -- POSTROUTING chain)

See where the YazFi traffic passes and mark it appropriately so it is picked up by TC.

You can install the script (YazFi - enhanced Guest WiFi Networks) and use the IP 192.168.3.0/24 for the guest network, because if you do not, I have no idea how to do it


Other: (It has nothing to do with the guest network)
- Is there any way to fix upload category, just as you did with the download?

Edit: Sorry I had not read this

The upload mark assigned to upload traffic is completely lost after entering the VPN tunnel.
As a result, we have to lump ALL upload vpn traffic into a fixed user defined category.

I hope this update fix VPN bugs.

• ASUS RT-AC86U Firmware version 3.0.0.4.384.32797

 

[Jack Yaz]

01. You can install the script (YazFi - enhanced Guest WiFi Networks) and use the IP 192.168.3.0/24 for the guest network, because if you do not, I have no idea how to do it

02. Is there any way to fix upload category, just as you did with the download?

Can't say I've had this issue. If anything, on my AC87U the guest networks seemed to bypass QoS!

 

[HowIFix]

@FreshJR It is not necessary to add in the VPN upload rules "IP", "protocol" and "port".

I removed that part of the rule and it works without problem. (I don't know if I deleted too much)
- When I'm using VPN the uploads go to File Transferring category.
- When I'm not using VPN or I exclude an IP that does not use VPN, all the upload categories work as they should.

Download rules: (Now does not limit the LAN traffic and It is not necessary to add "IP")

Spoiler: Code

iptables -D POSTROUTING -t mangle -o br0 -m mark --mark 0x40000000/0xc0000000 -j MARK --set-xmark 0x80000000/0xC0000000 &> /dev/null       #Fix traffic when use VPN Client
iptables -A POSTROUTING -t mangle -o br0 -m mark --mark 0x40000000/0xc0000000 -j MARK --set-xmark 0x80000000/0xC0000000                    #Fix traffic when use VPN Client

Upload rules: (It is not necessary to add "IP", "Protocol" and "Port")

Spoiler: Code

iptables -D OUTPUT -t mangle -o $wan -j MARK --set-mark ${Downloads_mark_up} &> /dev/null       #Fix traffic when use VPN Client
iptables -A OUTPUT -t mangle -o $wan -j MARK --set-mark ${Downloads_mark_up}                    #Fix traffic when use VPN Client

I hope that I am not wrong.

 

[FreshJR]

It is not necessary to add in the VPN upload rules "IP", "protocol" and "port".

It is necessary. You now have extra LAN traffic in the upload section.

Edit:
Without it, all router generated outgoing traffic will go into "File Downloads".

This can be good or bad depending on how you look at it.

I like the fact that WITH extra parameters, router DNS requests bypass QOS for snappy lookups.

 

[HowIFix]

It is necessary. You now have extra LAN traffic in the upload section.

how can I test that, I do not look at any difference

 

[FreshJR]

how can I test that, I do not look at any difference

1) iptables -A POSTROUTING -t mangle -o eth0 -m limit --limit 1/s -j LOG

2) tail -f /tmp/syslog.log

3) << look at system log and see where packets are flowing >>

3) iptables -D POSTROUTING -t mangle -o eth0 -m limit --limit 1/s -j LOG

----

1) enable logging of random packet every second (on upload, eth0, interface)

2) view system log inside putty. This makes it so you can use a wide screen and not have entries take 2 lines. (easy to read on 1 line)

3) OBSERVE PACKETS and you will see both LAN and WAN packets.

4) disable logging

----

Your rule marks all packets on the eth0 interface. (edit: generated by the router since it is the OUTPUT chain, I thought we were in POSTROUTING)

You can use the same procedure to find YazFi packets.

People who read the first 3 posts can apply the VPN fix manually. If they are too lazy to read the post and miss the VPN fix, then its their loss. I am not concerned.

 

[HowIFix]

before I do that first I did this:

1. In adaptive QoS I have 0.5 upload and 0.5 download
2. I'm using the previous upload rules without ip, port or protocol
3. On the computer I am using the router's VPN
4. Pass a XXX movie from NAS to PC: LAN traffic is not limited
5. Now that same XXX movie copied from the PC to the NAS: LAN traffic is not limited
6. I did the same now without using VPN and this LAN traffic is not limited

I do not know if this is the correct way to do the test

 

[FreshJR]

When I tested it before, I saw more than a couple reoccurring local packets.
That's why I made the rule IP specific.

Feel free to use whatever you like. I have no plans on including it as a template rule outside the forum post.

Edit: Those packets mentioned were DNS requests made by the router itself during testing.

 

[HowIFix]

When I tested it before, I saw more than a couple reoccurring local packets.
That's why I made the rule IP specific.

Feel free to use whatever you like. I have no plans on including it as a template rule outside the forum post.

So is my test to copy and paste a movie from the NAS to the PC and after the PC to the NAS is bad?

in both tests I do not have the limited LAN traffic

 

[FreshJR]

So is my test to copy and paste a movie from the NAS to the PC and after the PC to the NAS is bad?

Re-read my edited post. I looked at the rule more closely.

 

[HowIFix]

@FreshJR please do my test and use those rules without ip, protocol and port in the script you will see that you are wrong.

Before, the LAN traffic was limited with the old VPN rules, but that is not limited now thanks to this fix that you proposed:

iptables -D POSTROUTING -t mangle -o br0 -m mark --mark 0x40000000/0xc0000000 -j MARK --set-xmark 0x80000000/0xC0000000 &> /dev/null
iptables -A POSTROUTING -t mangle -o br0 -m mark --mark 0x40000000/0xc0000000 -j MARK --set-xmark 0x80000000/0xC0000000

I assure you 100% these rules fixing LAN Traffic limited in download and upload. (no need add ip, protocol and port)

 

[FreshJR]

@FreshJR please do my test and use those rules without ip, protocol and port in the script you will see that you are wrong.

Edit: you are correct. I forgot that rule was in the output chain and not the postrouting chain.

I get that you are trying to make it easy.

I could have the script pull these configurable data fields from nvram ..... but seriously .... just let people read the instructions and fill in the parameters.

 

[HowIFix]

1) Take a non-VPN device.
2) Go to fast.com.
3) Upload data should be in "Video Streaming"
4) Your changes take all upload data into "File Downloads"

In adaptive QoS i have 0.5 value in download and upload + VPN upload rules without IP, protocol and port - VPN Client

in seconds a movie goes from the NAS to the PC and vice versa

 

[FreshJR]

no in upload filetranfer

Yes, and if you put the original rule. The data from a non-VPN client would correctly be in "Video Streaming".

 

[HowIFix]

Yes, and if you put the original rule. The data from a non-VPN client would correctly be in "Video Streaming".

That test is with VPN now I will do this without using VPN and you will see that it works without problems upload.

 

[FreshJR]

That test is with VPN now I will do this without using VPN and you will see that it works without problems upload.

I'll eat my hat if all your upload traffic doesn't incorrectly go into "File Downloads" for non-VPN clients.

 

[HowIFix]

The previous test was using VPN client is this I'm not using VPN client but I'm using the VPN upload rules without IP, protocol and port.

Upload to the same time in youtube and Virustotal with 0.5 value in Adaptive QoS without VPN client

 

[FreshJR]

The previous test was using VPN client is this I'm not using VPN client but I'm using the upload rules without IP, protocol and port.

Ahh, I forgot that I used the OUTPUT chain for the rule instead of POSTROUTING.

To answer your question.

DNS lookups, from the router itself, are NOT limited by QOS. (This is good).
If you remove the parameters from the VPN-rule, all of the routers outgoing traffic will go into "File Downloads".
This includes, router DNS lookups, which is bad, since you never want those limited!

I will update my posts. It's been a while since I tested that rule and forgot I used a different chain from the rest. Guess I have to eat my hat.

 

[HowIFix]

Thank you for having me patience in my confusing explanation

Download rules: (Now does not limit the LAN traffic and It is not necessary to add "IP")

iptables -D POSTROUTING -t mangle -o br0 -m mark --mark 0x40000000/0xc0000000 -j MARK --set-xmark 0x80000000/0xC0000000 &> /dev/null       #Fix traffic when use VPN Client
iptables -A POSTROUTING -t mangle -o br0 -m mark --mark 0x40000000/0xc0000000 -j MARK --set-xmark 0x80000000/0xC0000000                    #Fix traffic when use VPN Client

Upload rules: (It is not necessary to add "IP", "Protocol" and "Port")

iptables -D OUTPUT -t mangle -o $wan -j MARK --set-mark ${Downloads_mark_up} &> /dev/null       #Fix traffic when use VPN Client
iptables -A OUTPUT -t mangle -o $wan -j MARK --set-mark ${Downloads_mark_up}                    #Fix traffic when use VPN Client