FlexQoS FlexQoS 1.5.2 - Flexible QoS Enhancement Script for Adaptive QoS

[dave14305]

It's telling me i cant install this because I have a wifi 7 router (gt-be98). Thing is, i only use the router for ethernet connections, not the wifi 7. Is there a way to install this and use it just for ethernet?

No. It’s not the WiFi part that is a problem. The problem is that all WiFi 7 routers have a newer, broken Adaptive QoS implementation that prevents this script from working.

 

[xTc2k]

Hi,

I found out that with a VPN Router config file on my AX88U-Pro AsusWRT-Merlin, FlexQoS is not identifying traffic correctly.

- OpenVPN config Proton VPN file -> all traffic in the FlexQoS graph stays at ~ 0 KB/s.
- WireGuard .conf Proton VPN file -> Download traffic is identified correctly, but Upload is always identified as "Router VPN Outbound Traffic" though the VPN is enabled on the Router and not on the device/computer. (This leads to other devices in my network having slow upload when e.g. my backup server is uploading data at the same time)
- NordVPN Router .ovpn showing no Download traffic and only "Router Outbound" Upload traffic again

I tried this with www.speedtest.net set to "Net Control Packets" in FlexQoS.

Is there any known fix to this so the traffic is identified correctly?

Edit: It seems to be device-related as it is working with my android phone. I will do further testing tomorrow.

 

[dave14305]

Upload is always identified as "Router VPN Outbound Traffic" though the VPN is enabled on the Router and not on the device/computer.

Yes, that makes sense since the upload traffic is already encrypted in the VPN tunnel when it passes through QoS, so it’s not possible to identify the traffic.

 

[xTc2k]

Hi again, I think you misunderstood me. When the VPN is only enabled on my router, it should work and identify traffic in FlexQoS correctly because the traffic is NOT vpn encrypted on the end device thus reaching the router un-tunneled. But however, as soon as I enable the VPN on the router, the above described traffic misidentification occurs. Without router vpn, the traffic is correctly identified.
Of course, as soon as I enable VPN on my end device, the traffic is identified as "Router Outbound". But I don't have VPN on my end device enabled in this case.

However again I did some testing and found out the misidentification only occurs on my 2 windows computers. On my android phone as well as on Ubuntu on the computer, it is fully working with correct identification in FlexQoS. I tried different browsers on Windows but all don't work correctly as described with FlexQoS + VPN on Router.

/Edit: I narrowed down the issue and found out only on Windows and WiFi my issues happen, not when connected via LAN cable, both being connected to Router VPN.

--> /Edit 2: It seems I found the cause which is IPv6. It needs to be enabled on both Windows WiFi adapter hardware settings as well as on AsusWRT Merlin Router. Every other combination will cause the misidentification in FlexQoS for me. I can reproduce this on 2 different windows machines.

 

[dave14305]

When the VPN is only enabled on my router, it should work and identify traffic in FlexQoS correctly because the traffic is NOT vpn encrypted on the end device thus reaching the router un-tunneled.

It doesn’t work that way, unfortunately. The traffic arrives at the router unencrypted, but gets encrypted by the router’s VPN client before being sent out through the WAN interface. Even if Adaptive QoS was able to classify it early, it could not apply the correct QoS priority as it leaves the router, since it’s all just a single encrypted stream of traffic to the VPN provider.

seems I found the cause which is IPv6. It needs to be enabled on both Windows WiFi adapter hardware settings as well as on AsusWRT Merlin Router. Every other combination will cause the misidentification in FlexQoS for me

I don’t see how this is relevant except to wonder if IPv6 traffic is bypassing your VPN client? Do you have VPN rules that are only IPv4-based?

 

[xTc2k]

I only care about the QoS inside the router and not about what happens with the traffic beyond WAN. It is working now with the IPv6 enabled though I don't know why. And on my Ubuntu system and Android smartphones - where IPv6 is disabled I think - it also works, too, so I also wonder why on Windows this seems to be a problem. I changed WiFi adapter properties in Windows and disabled as much programs as possible to narrow down the issue and ended up with this IPv6 setting.
I use Merlins VPN Director with static DHCP IP addresses for my devices. Or what do you mean with IPv4 based VPN? I just downloaded the OpenVPN or Wireguard configuration files and uploaded them into the VPN Client Merlin tab.
Also, the traffic is not bypassing my Router VPN client - at least I think so because in speedtests etc. I see the Router VPN IP and not my ISP one's, and between this sits FlexQoS correctly identifying my traffic.
However, I still have VPN software installed on some of my end devices though I wouldn't need it because I would have 2 VPNs ("double VPN" computer + router) simultaneously then, but I think that when I need to change my IP from router VPN's IP to a different server IP on my computer VPN software that I have benefits like maybe unblock some particular websites or so. This is because the end device's IP is preferred even though it still goes through the Router VPN afterwards (speedtest.net check).
I am experimenting with Merlin and FlexQoS for about 1 year now but I am no super expert in this of course.

The background of all this is that I wanted to use high-priority network tasks like Cloud-Gaming or Streaming to be prioritized over my other devices in the same WiFi network which for example regularly transfer backup data to my cloud storage providers and I got this to work only with Merlin and FlexQoS and now added a VPN on the router because if I would use the VPN on my end device, it is always identified as "Router Outbound" or "Web Surfing" no matter if it is Streaming or File Transferring and using the "split-tunneling" function of my VPN software would work but is of course not VPN-protected then. Now, I combined all of these features.

 

[ExtremeFiretop]

I only care about the QoS inside the router

I'm thinking you may misunderstand QoS by the above sentence.

Think of: Device → Router → VPN Client → QoS → Internet
And Not: Device → Router → QoS → VPN Client → Internet

When you turn on a VPN client on the router, the router puts all your traffic into one “big envelope” (the VPN tunnel) before it sends it to QoS and out the internet.
Not on the LAN side "inside the router" as you said above. By the time traffic reaches the QoS point, it’s already inside that one big VPN envelope. Which is what @dave14305 is explaining.

So the router can’t reliably tell: “this traffic is Netflix, this part is gaming, this part is backups”. It mostly sees: "this is the VPN tunnel upload/download”
That’s why “Router VPN Outbound Traffic” behavior is expected with the router QoS implementation.

Yes, you’re right that device → router traffic arrives unencrypted.
But the part that doesn’t follow is: “therefore FlexQoS should classify it correctly even with router VPN.” As you mentioned here:

When the VPN is only enabled on my router, it should work and identify traffic in FlexQoS correctly because the traffic is NOT vpn encrypted on the end device

Simply put, it should not matter if the device VPN client established the VPN connection or the router VPN client does, because in both cases, traffic is encrypted before it reaches QoS on the WAN side for priority shaping.
Classification would only help if QoS is applied before the traffic gets stuffed into the big VPN envelope, and Adaptive QoS/FlexQoS does it differently, on the way out of the WAN side, which you say you don't care about:

not about what happens with the traffic beyond WAN.

With IPv6, that can change things because some IPv6 traffic might bypass/leak through the VPN (if rules are effectively IPv4-only).
That can make behavior look inconsistent, but it doesn’t change the main point which is the VPN turns everything into one tunnel at the point QoS is shaping.

 

[xTc2k]

Okay, I am really overwhelmed now because I spent about 200 hours into this and still don't understand it as it seems.
I just wonder why for example speedtest.net shows the Router VPN IP (v4 address) but can still be classified in FlexQoS (I set it to Net Control). When I run a streaming app on the same PC, I set it to "Streaming" and I guess it uses the Router VPN, too, and in FlexQoS I have both traffic identified.
Sorry if I am annoying you.

 

[ExtremeFiretop]

Okay, I am really overwhelmed now because I spent about 200 hours into this and still don't understand it as it seems.
I just wonder why for example speedtest.net shows the Router VPN IP (v4 address) but can still be classified in FlexQoS (I set it to Net Control). When I run a streaming app on the same PC, I set it to "Streaming" and I guess it uses the Router VPN, too, and in FlexQoS I have both traffic identified.
Sorry if I am annoying you.

Your not annoying anyone, we are just trying to explain why VPN traffic is not correctly classified.

If you believe otherwise, please set the record straight and show us screenshots of what your describing, so we can better assist.

For example, Speedtest.net can be run from devices or from the router. So we need to know in which instance your referencing.

Also show us screenshots of your VPN Director rules, VPN Configuration, and we may be better able to assist.