Separate out WAN/LAN <> router ingress/egress on br0

[Lynx]

How would I go about separating LAN <> router ingress/egress and WAN (VPN/bypassed) <> router ingress/egress (all presently on br0)?

I believe that one way is to create a veth pair - device veth0 and peer veth1, then add veth1 to br0, and then shift inbound WAN or tunX traffic to veth0 using ip rule / route commands.

If that is the best way, what might appropriate ip rule and route commands look like?

A modification to the above might be rather than divert the WAN traffic to veth0 to instead divert the LAN <> router IP traffic to veth0.

Entirely open to alternative suggestions like creating separate router IP.

The solution should be compatible with the stock routing and VPN Director.

FWIW the goal is to provide a single interface upon which to apply CAKE that sees only wan related traffic (including both tunX traffic and that bypassed to eth0 via PBR). BTW this practice is entirely routine and normal in terms of dealing with VPN PBR to ensure that CAKE instance sees all unencrypted flows with correct source and destinations (including traffic sent through VPN and that which bypasses it). And the beauty of it is that it will work regardless of the VPN settings.

 

[dave14305]

I think you were on the right track with OpenWrt. Not sure there is equivalent expertise here for such a complicated set of requirements.

SQM with WireGuard and PBR?

I have setup CAKE on my WireGuard interface. This seems to work well for the case that all traffic is sent through the WireGuard interface. But I need to enable PBR to allow Netflix and Amazon Prime traffic to bypass WireGuard through the WAN interface. So I suppose I need to also set up SQM on...

forum.openwrt.org

 

[Lynx]

Thanks. You initially put me on the right track for my Merlin RT-AX86u router with your 'br0'/'tun11' suggestion, for which I am very grateful. During my experimentation with OpenWrt I made further progress with the help of some of the experts there, but unfortunately still never managed to separate out the router <> LAN ingress/egress. And it seems the WiFi on the Asus RT-AX86u is a lot more stable, so I am intending to go back to it as our main router.

I think a technique along the above lines ought still to work on Asus Merlin though, right? Is 'Veth' available by default?

There is definitely some relevant strong IP route / tables experience on this forum:

Tutorial - LAN port isolation on Asus Merlin example

It would be great if Asus supported VLAN on their routers for all of us that want a quick way to configure LAN ports isolation. Until that time this is a quick way to use LAN bridge concepts to provide this functionality. I am using Asus RT-AC86U. I am sharing here my own setup where I have a...

www.snbforums.com

@eibgrad - are you able to help here in terms of how to isolate LAN <> router and WAN (VPN/bypassed) <> router? Either I need to shift the LAN traffic away from br0 or shift the WAN traffic away from br0. But whatever I do needs to not break the routing generated by VPN Director etc. I am very keen to find a way.

 

[sfx2000]

FWIW the goal is to provide a single interface upon which to apply CAKE that sees only wan related traffic (including both tunX traffic and that bypassed to eth0 via PBR)

IIRC - CAKE will shape VPN as a single flow, and not do any shaping of traffic inside the tunnel.

 

[Lynx]

I wrote a script to apply CAKE in the context of VPN PBR in OpenWrt. CAKE can consume identifiers enabling WireGuard upload flows to be differentiated following encryption. For download an IFB is created and the flows from the wan and WireGuard interfaces combined there.

root@OpenWrt:/etc/init.d# cat sqm-vpn-pbr
#!/bin/sh /etc/rc.common
# Copyright (C) 2007 OpenWrt.org

exec &> /tmp/sqm.log

START=50
STOP=4

start() {

        ip link add name ifb type ifb
        tc qdisc add dev wan root cake bandwidth 30Mbit besteffort flows nonat nowash no-ack-filter split-gso rtt 100ms noatm overhead 60

        tc qdisc add dev wan handle ffff: ingress
        tc qdisc add dev vpn handle ffff: ingress

        tc qdisc add dev ifb root cake bandwidth 30Mbit besteffort triple-isolate nonat wash no-ack-filter split-gso rtt 100ms noatm overhead 60

        ip link set ifb up

        tc filter add dev wan parent ffff: protocol ip prio 1 u32 match ip sport 51820 0xffff  action pass
        tc filter add dev wan parent ffff: prio 2 matchall action mirred egress redirect dev ifb
        tc filter add dev vpn parent ffff: matchall action mirred egress redirect dev ifb

}

stop() {
        tc qdisc del dev wan ingress
        tc qdisc del dev wan root
        tc qdisc del dev vpn ingress
        tc qdisc del dev ifb root
        ip link set ifb down
        ip link del ifb
}

The upload aspect won't work in Asus Wrt Merlin because there is no such special measure in respect of OpenVPN to allow CAKE to differentiate encrypted flows.

Does anyone know if it is possible to create an IFB that takes traffic in the other direction, i.e. separate ifbs for ingress and egress? If both ifb-ul and ifb-dl could be created based on br0 then it would be possible to tc filter out any local traffic between 192.168.1.0/24. And then apply CAKE on br0 without shaping router to LAN and LAN to router traffic.

In any case for any Asus Wrt Merlin users wanting to apply CAKE in the context of VPN PBR I would suggest just apply CAKE on br0 using my QoS script I posted on another thread and either just put up with throttling LAN to router and router to LAN or consider the above to tc filter out the local flow.