Set packet TOS to 0 even on CTF mode?

Andres Rodriguez

Hey,

I found that my ISP is dropping all traffic that has the Type of Service packet field set to anything other than 0.

An easy way to test this was to start a VOIP app (Discord in my case), then:
  • Whenever I talk no one can hear me, but I can hear other people
  • Set "iptables -A POSTROUTING -t mangle -j TOS --set-tos 0" on my local system
  • Other users can hear me now
  • Delete the rule above
  • Other users can no longer hear me
Applying the same rule on the router doesn't seem to have any effect. And I assume it is because CTF is enabled so iptables never gets to touch the packets.

After disabling CTF on the router everything works OK. The mangle rule is not required as I'm assuming the TOS is stripped by default.

So my question is, would it be possible to enable TOS stripping even with CTF enabled? I'm not sure if the NAT acceleration HW would allow it.

Extra speculation: I think their modem used to take care of zeroing the TOS field before sending it out to the WAN network (even on PPPoE passthrough), since I only started having issues when I got rid of their modem and started using an MCL+SFP instead.

HW info: I'm on an AC87U
 
I recommend testing it with CTF disabled.

Also look at the detailed statistics to confirm that your rule does get hit:

Code:
iptables -L -t mangle -v

Look at the packet count next to your rule.
 
Thanks for the reply Merlin.

The rule does get hit if I enable it and have CTF disabled:
Code:
Chain POSTROUTING (policy ACCEPT 982 packets, 254K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  982  254K TOS        all  --  any    any     anywhere             anywhere             TOS and 0x00

Is my understanding correct that with CTF enabled the iptables rules will be skipped?
 
I'm curious whether this can be accomplished with CTF enabled, because my CPU usage hits 100% without NAT HW acceleration.

Also, if this isn't possible on the AC87U, but it would be possible on other hardware I'm open to recommendations.
 
Is my understanding correct that with CTF enabled the iptables rules will be skipped?

Some chains are being skipped (like the FORWARD chain), but I do not know specifically which parts of iptables are being bypassed.
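
Added example, not part of the thread or any poster's code: a small shell helper for the counter check suggested above, which compares two `iptables -L -t mangle -v` snapshots to see whether the TOS rule is still being hit. The function names and the follow-up snapshots are constructed for illustration; only the first snapshot is the output posted in the thread.

```shell
#!/bin/sh
# Print the packet counter of the first rule whose target is TOS, reading
# `iptables -t mangle -L POSTROUTING -v` output on stdin. Without -x the
# counters are abbreviated (K/M/G, powers of 1000), so expand the suffix.
tos_rule_pkts() {
    awk '
        $3 == "TOS" {
            n = $1; mult = 1
            if (n ~ /K$/) mult = 1000
            else if (n ~ /M$/) mult = 1000000
            else if (n ~ /G$/) mult = 1000000000
            sub(/[KMG]$/, "", n)
            printf "%d\n", n * mult
            found = 1
            exit
        }
        END { if (!found) exit 1 }
    '
}

# Compare two snapshots taken while traffic is known to be flowing.
# Prints: hit (counter advanced), not-hit (counter flat), no-rule.
tos_rule_status() {
    before=$(printf '%s\n' "$1" | tos_rule_pkts) || { echo no-rule; return 0; }
    after=$(printf '%s\n' "$2" | tos_rule_pkts) || { echo no-rule; return 0; }
    if [ "$after" -gt "$before" ]; then echo hit; else echo not-hit; fi
}

# Snapshot 1 is the output posted in the thread (CTF disabled).
SNAP_1='Chain POSTROUTING (policy ACCEPT 982 packets, 254K bytes)
 pkts bytes target     prot opt in     out     source               destination
  982  254K TOS        all  --  any    any     anywhere             anywhere             TOS and 0x00'
# Constructed follow-up snapshots (not from a real router).
SNAP_2_MOVING=' pkts bytes target     prot opt in     out     source               destination
 105K   27M TOS        all  --  any    any     anywhere             anywhere             TOS and 0x00'
SNAP_2_FLAT=$SNAP_1

echo "counter moving: $(tos_rule_status "$SNAP_1" "$SNAP_2_MOVING")"
echo "counter flat:   $(tos_rule_status "$SNAP_1" "$SNAP_2_FLAT")"
# On a live router, capture each snapshot with:
#   iptables -t mangle -L POSTROUTING -v -n -x
```

A flat counter only means something if traffic was actually passing between the two snapshots, so take them during an active call or transfer.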
 
