1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice

Welcome To SNBForums

SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.

If you'd like to post a question, simply register and have at it!

While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!

[Release] FreshJR Adaptive QOS (Improvements / Custom Rules / and Inner workings)

Discussion in 'Asuswrt-Merlin' started by FreshJR, Jan 12, 2017.

  1. FreshJR

    FreshJR Very Senior Member

    Joined:
    Oct 8, 2016
    Messages:
    915
    Appreciate the dedication!! I will update the first post stating that reading the first three posts and last few pages in this thread is sufficient!

    The reason that above situation happens is that appdb gives the original destination of traffic per the Asus default unmodified setup.

    After installing the script with default settings, it redirected most of "Net Control" into Web Surfing. This is because most https + other encrypted traffic was sorted into "Net Control" and I didn't agree with that priority level!

    If you have more questions, dont hesitate to ask! Hope this explanation was clear.

    EDIT: You can still redirect it into any category you desire with the above mark & prio!

    ( Maybe I should remove the "Cat: " field to reduce future confusion or rename it "Original QOS Cat before script:" ?? )
     
    Last edited: Oct 26, 2018
    JohnSmith likes this.
  2. morden

    morden Occasional Visitor

    Joined:
    Mar 5, 2012
    Messages:
    48
    192.168.2.100/32 should be changed to match the iprange of your tunneled devices

    @FreshJR I have a question regarding iprange, what does the /32 represent? and how do I know what the IP range of my tunneled devices is? Sorry for the newb question!

    EDIT: Never mind, I googled it and got the answer! LOL
     
    Last edited: Oct 27, 2018
  3. GxlactusDa

    GxlactusDa New Around Here

    Joined:
    Oct 26, 2018
    Messages:
    4
    FreshJr can you help me prioritize my game packets on traditional QoS specifically in the section ‘User Defined QoS Rules’. Can’t use Adaptive QoS since Adaptive QoS won’t identify them and there’s a routing issue with the upload speed on 86u ‘adaptive QoS’, the game is Black Ops 4. I use Merlin Firmware (384.7_2) and have an 86u.
     
    Last edited: Oct 28, 2018
  4. JohnSmith

    JohnSmith Occasional Visitor

    Joined:
    May 2, 2018
    Messages:
    35
    Location:
    Canada

    Thanks for the response FreshJR. As I have one machine that I would like to redirect to the "File Transferring" category, do I need to do the following:

    1. Create a TC Filter for this APP in the "tc_redirection_down_rules"
    2. Create a TC Filter for this APP in the "tc_redirection_up_rules"
    3. Create an iptables -D & - A in the "DOWNLOAD (INCOMING TRAFFIC) CUSTOM RULES START HERE" section for this specific machine
    4. Create an iptables -D & - A in the "UPLOAD (UPLOAD TRAFFIC) CUSTOM RULES START HERE" section for this specific machine
     
  5. strangeluck

    strangeluck Regular Contributor

    Joined:
    Aug 11, 2015
    Messages:
    57
    I recently started using stubby for DNS over TLS and noticed that DNS requests were no longer going into "Net Control". I have added the following custom rules for Cloudflare DNS to correctly route this traffic. I believe this should cover all traffic to the DNS servers be it standard DNS, DNS over TLS, or DNS over HTTPS.

    Code:
    #DOWNLOAD
    
               iptables -D POSTROUTING -t mangle -o br0 -s 1.1.1.1/32 -j MARK --set-mark ${Net_mark_down} &> /dev/null
               iptables -A POSTROUTING -t mangle -o br0 -s 1.1.1.1/32 -j MARK --set-mark ${Net_mark_down}
               iptables -D POSTROUTING -t mangle -o br0 -s 1.0.0.1/32 -j MARK --set-mark ${Net_mark_down} &> /dev/null
               iptables -A POSTROUTING -t mangle -o br0 -s 1.0.0.1/32 -j MARK --set-mark ${Net_mark_down}
               ip6tables -D POSTROUTING -t mangle -o br0 -s 2606:4700:4700::1111 -j MARK --set-mark ${Net_mark_down} &> /dev/null
               ip6tables -A POSTROUTING -t mangle -o br0 -s 2606:4700:4700::1111 -j MARK --set-mark ${Net_mark_down}
               ip6tables -D POSTROUTING -t mangle -o br0 -s 2606:4700:4700::1001 -j MARK --set-mark ${Net_mark_down} &> /dev/null
               ip6tables -A POSTROUTING -t mangle -o br0 -s 2606:4700:4700::1001 -j MARK --set-mark ${Net_mark_down}
    
    #UPLOAD
    
               iptables -D POSTROUTING -t mangle -o $wan -d 1.1.1.1/32 -j MARK --set-mark ${Net_mark_up} &> /dev/null
               iptables -A POSTROUTING -t mangle -o $wan -d 1.1.1.1/32 -j MARK --set-mark ${Net_mark_up}
               iptables -D POSTROUTING -t mangle -o $wan -d 1.0.0.1/32 -j MARK --set-mark ${Net_mark_up} &> /dev/null
               iptables -A POSTROUTING -t mangle -o $wan -d 1.0.0.1/32 -j MARK --set-mark ${Net_mark_up}
               ip6tables -D POSTROUTING -t mangle -o $wan -d 2606:4700:4700::1111 -j MARK --set-mark ${Net_mark_up} &> /dev/null
               ip6tables -A POSTROUTING -t mangle -o $wan -d 2606:4700:4700::1111 -j MARK --set-mark ${Net_mark_up}
               ip6tables -D POSTROUTING -t mangle -o $wan -d 2606:4700:4700::1001 -j MARK --set-mark ${Net_mark_up} &> /dev/null
               ip6tables -A POSTROUTING -t mangle -o $wan -d 2606:4700:4700::1001 -j MARK --set-mark ${Net_mark_up}
    
    I have noticed that after adding these rules, in QoS statistics I still see very little "Net Control" data in Download. I do see "Net Control" data increasing for Upload however.
     
    Last edited: Oct 29, 2018
  6. FreshJR

    FreshJR Very Senior Member

    Joined:
    Oct 8, 2016
    Messages:
    915
    @morden

    192.168.1.100 should be changed to the local ip address of the device that is going to be directed through the VPN tunnel

    /32 means 1 device, see CIDR calculator section in the initial posts

    You only need to perform steps 3 & 4 if want to categorize all traffic from a specific machine into "File Transferring".

    In fact rule template #2 within the scripts header description does exactly what you seek to accomplish.


    @strangeluck

    DNS responses will follow a different path through iptables depending if stubby is installed on the router or on the PC.

    Code:
    Eg.
    If Router makes the request.  The DNS response  will follow this path. PREROUTING -> INPUT  (this is higher priority than net control as this traffic bypasses QOS limiting entirely).
    If the PC makes the request.  The DNS response will follow this path. PREROUTING -> FORWARD -> POSTROUTING
    
    If stubby is installed on the PC try either of these two sets of rules to visually see via the system log if your iptable rule is hitting correctly.

    Code:
    iptables -D POSTROUTING -t mangle -o br0 -s 1.1.1.1 -j LOG
    iptables -A POSTROUTING -t mangle -o br0 -s 1.1.1.1 -j LOG
    
    iptables -D POSTROUTING -t mangle -o br0 -s 1.1.1.1 -m limit --limit 1/s -j LOG
    iptables -A POSTROUTING -t mangle -o br0 -s 1.1.1.1 -m limit --limit 1/s -j LOG
    
    the first set of rules logs every matching packet.
    the second set of rules is the same as the first but it rate limits entries into system log as to not freeze up the router or spam the log if there are too many simultaneous entries.

    If your rule is not hitting at all, then you can log all br0 traffic destined to a very low traffic, stubby enabled, PC and pick out DNS resposes.
    You can then try to visually see why your rule wasn't hitting correctly with the original fields specified.
     
    Last edited: Oct 30, 2018
  7. strangeluck

    strangeluck Regular Contributor

    Joined:
    Aug 11, 2015
    Messages:
    57
    Thank you for the response. Stubby is running on the router and the higher priority must be why I am not seeing much net control traffic in the monitor. Appreciate the info. Not that it would likely affect performance, but it makes me feel better knowing that secure dns queries aren't being lumped in with web surfing.
     
  8. JohnSmith

    JohnSmith Occasional Visitor

    Joined:
    May 2, 2018
    Messages:
    35
    Location:
    Canada
    Thanks for the response FreshJR.

    So I added the following lines to my "DOWNLOAD CUSTOM RULES" - "IP address is valid, just removed for security, and NO quotes in actual line"

    Code:
    iptables -D POSTROUTING -t mangle -o br0 -d "IP Address"/32 -j MARK --set-mark ${Downloads_mark_down} &> /dev/null
    
    iptables -A POSTROUTING -t mangle -o br0 -d "IP Address"/32 -j MARK --set-mark ${Downloads_mark_down}
    The traffic still wants to go into the "Web Surfing" Category. I thought that with the above command, basically all traffic being downloaded to this IP address should go to the "File Transferring" Category now. Any idea why it does not?
     
  9. Kingp1n

    Kingp1n Regular Contributor

    Joined:
    Feb 27, 2018
    Messages:
    88
    @FreshJR , is there a rule I can create to add to the script for my Nest Hello doorbell? It seems when I set the video quality to "high" it seems it drops the wifi more often than when it's set to normal quality. According to some forums, this can be a problem with Nest however, I was trying to test out a specific rule I may be able to add to your script. It's currently connected to my 2.4 wifi and I have not tried the 5G at this time. Thanks!
     
  10. FreshJR

    FreshJR Very Senior Member

    Joined:
    Oct 8, 2016
    Messages:
    915
    @JohnSmith

    Are you sure you are using the correct IP?? I just retested the rule and it still works.

    Send me the output of
    Code:
    iptables -vL -t mangle
    
    Don't worry about posting the IP. The IP in the rule is your local LAN ip, not your public internet facing IP.

    Everyone has the same range for the local IP's and they contain no identifiable information.

    @Kingp1n

    you can stick it into netcontrol and see if it improves.

    Either the wifi is flakey on it, or your upload speed is not sufficient enough for high quality.
     
  11. JohnSmith

    JohnSmith Occasional Visitor

    Joined:
    May 2, 2018
    Messages:
    35
    Location:
    Canada
    Here you go...


    ASUSWRT-Merlin RT-AC3100 384.8-alpha1-g9ac9c80d7 Tue Oct 23 04:17:59 UTC 2018
    [email protected]:/tmp/home/root# iptables -vL -t mangle
    Chain PREROUTING (policy ACCEPT 9576K packets, 9907M bytes)
    pkts bytes target prot opt in out source destination

    Chain INPUT (policy ACCEPT 289K packets, 40M bytes)
    pkts bytes target prot opt in out source destination

    Chain FORWARD (policy ACCEPT 9224K packets, 9846M bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 227K packets, 65M bytes)
    pkts bytes target prot opt in out source destination

    Chain POSTROUTING (policy ACCEPT 9451K packets, 9911M bytes)
    pkts bytes target prot opt in out source destination

    Chain BWDPI_FILTER (0 references)
    pkts bytes target prot opt in out source destination
     
  12. FreshJR

    FreshJR Very Senior Member

    Joined:
    Oct 8, 2016
    Messages:
    915
    There weren't more entries in the chains?

    As it stands neither the script nor QOS seem to be enabled from the above entries.

    Does system log show the following?

    Code:
    Oct 30 12:14:40 adaptive QOS: Applying - Iptable Down Rules
    Oct 30 12:14:40 adaptive QOS: Applying - Iptable Up   Rules (eth0)
    Oct 30 12:14:40 adaptive QOS: TC Modification Delayed Start (5min)
    Oct 30 12:19:44 adaptive QOS: Applying  TC Down Rules
    Oct 30 12:19:44 adaptive QOS: Applying  TC Up   Rules
    Oct 30 12:19:44 adaptive QOS: Modifying TC Class Rates
    
     
    Last edited: Oct 30, 2018
  13. JohnSmith

    JohnSmith Occasional Visitor

    Joined:
    May 2, 2018
    Messages:
    35
    Location:
    Canada
    that is weird, as I just tried it again, and it came back with the same result.

    Using the command:

    Code:
    /jffs/scripts/FreshJR_QOS -debug
    I get:

    [email protected]:/tmp/home/root# /jffs/scripts/FreshJR_QOS -debug
    adaptive QOS: Undf Prio: 2
    adaptive QOS: Undf FlowID: 1:13
    adaptive QOS: Classes Present: 8
    adaptive QOS: Down Band: 184320
    adaptive QOS: Up Band : 14336
    adaptive QOS: ***********
    adaptive QOS: Net = 1:10
    adaptive QOS: VOIP = 1:11
    adaptive QOS: Gaming = 1:12
    adaptive QOS: Others = 1:13
    adaptive QOS: Web = 1:14
    adaptive QOS: Streaming = 1:15
    adaptive QOS: Downloads = 1:16
    adaptive QOS: Defaults = 1:17
    adaptive QOS: ***********
    adaptive QOS: Downrates -- 9216, 36864, 27648, 18432, 18432, 55296, 9216, 9216
    adaptive QOS: Downbursts -- 11197b, 44789b, 22394b, 11195b, 7994b, 6386b, 3197b, 3197b
    adaptive QOS: DownCbursts -- 225Kb, 225Kb, 225Kb, 225Kb, 225Kb, 225Kb, 225Kb, 225Kb
    adaptive QOS: ***********
    adaptive QOS: Uprates -- 716, 2867, 2150, 4300, 1433, 1433, 716, 716
    adaptive QOS: Upbursts -- 3198b, 3198b, 3198b, 3198b, 3198b, 3198b, 3198b, 3198b
    adaptive QOS: UpCbursts -- 17593b, 17593b, 17593b, 17593b, 17593b, 17593b, 17593b, 17593b

    Also, the System Log only shows the following:

    Code:
    Oct 30 08:29:02 adaptive QOS: Scheduled Persistence Check -> Reapplying Changes
    Oct 30 08:29:05 adaptive QOS: Applying  TC Down Rules
    Oct 30 08:29:05 adaptive QOS: Applying  TC Up   Rules
    Oct 30 08:29:05 adaptive QOS: Modifying TC Class Rates
    Oct 30 08:29:05 kernel: HTB: quantum of class 10011 is big. Consider r2q change.
    Oct 30 08:29:05 kernel: HTB: quantum of class 10012 is big. Consider r2q change.
    Oct 30 08:29:05 kernel: HTB: quantum of class 10013 is big. Consider r2q change.
    Oct 30 08:29:05 kernel: HTB: quantum of class 10014 is big. Consider r2q change.
    Oct 30 08:29:05 kernel: HTB: quantum of class 10015 is big. Consider r2q change.
    and that was only after issuing the following command, as FreshJR QOS does not seem to start on its own:

    Code:
    /jffs/scripts/FreshJR_QOS -check
    Here is what I got on a cold reboot this morning in the System Log:

    Code:
    Oct 30 08:25:50 rc_service: httpd 347:notify_rc restart_qos;restart_firewall
    Oct 30 08:26:05 BWDPI: fun bitmap = 1ff
    Oct 30 08:26:06 A.QoS: qos_count=0, qos_check=0
    Oct 30 08:26:06 A.QoS: qos rule is less than 22
    Oct 30 08:26:06 A.QoS: restart A.QoS because set_qos_conf / set_qos_on / setup rule fail
    Oct 30 08:26:07 A.QoS: qos_count=0, qos_check=1
    Oct 30 08:26:10 A.QoS: qos rule is less than 22
    Oct 30 08:26:10 A.QoS: restart A.QoS because set_qos_conf / set_qos_on / setup rule fail
    Oct 30 08:26:11 A.QoS: qos_count=1, qos_check=1
    Oct 30 08:26:14 A.QoS: qos rule is less than 22
    Oct 30 08:26:14 A.QoS: restart A.QoS because set_qos_conf / set_qos_on / setup rule fail
    Oct 30 08:26:15 A.QoS: qos_count=2, qos_check=1
    Oct 30 08:26:16 A.QoS: qos rule is less than 22
    Oct 30 08:26:16 A.QoS: restart A.QoS because set_qos_conf / set_qos_on / setup rule fail
    Oct 30 08:26:16 miniupnpd[29449]: shutting down MiniUPnPd
    Oct 30 08:26:16 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
    Oct 30 08:26:16 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
    Oct 30 08:26:16 miniupnpd[31674]: HTTP listening on port 54876
    Oct 30 08:26:16 miniupnpd[31674]: Listening for NAT-PMP/PCP traffic on port 5351
    Oct 30 08:26:17 admin: /jffs/scripts/firewall-start: Configuring wl0.1
    
     
    Last edited: Oct 30, 2018
  14. FreshJR

    FreshJR Very Senior Member

    Joined:
    Oct 8, 2016
    Messages:
    915
    Im stumped.

    The TC portion of the modifications is working correctly.
    The iptable portion of modifications is non existant.

    These are the results for a more or less vanilla configuration.

    Code:
    [email protected]:/tmp/home/root# iptables -vL -t mangle
    Chain PREROUTING (policy ACCEPT 219K packets, 702M bytes)
     pkts bytes target     prot opt in     out     source               destination
     1170  484K BWDPI_FILTER  udp  --  eth0   any     anywhere             anywhere
    Chain INPUT (policy ACCEPT 196K packets, 698M bytes)
     pkts bytes target     prot opt in     out     source               destination
    Chain FORWARD (policy ACCEPT 22684 packets, 3793K bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 MARK       all  --  any    br0     192.168.2.0/24       192.168.2.0/24       MARK xset 0x1/0x7
    Chain OUTPUT (policy ACCEPT 352K packets, 55M bytes)
     pkts bytes target     prot opt in     out     source               destination
    Chain POSTROUTING (policy ACCEPT 375K packets, 59M bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 MARK       udp  --  any    br0     anywhere             anywhere             udp spt:4500 MARK set 0x80060001
        0     0 ACCEPT     udp  --  any    br0     anywhere             anywhere             udp spt:4500
        0     0 MARK       udp  --  any    eth0    anywhere             anywhere             udp dpt:4500 MARK set 0x40060001
        0     0 ACCEPT     udp  --  any    eth0    anywhere             anywhere             udp dpt:4500
        0     0 MARK       udp  --  any    br0     anywhere             anywhere             udp spt:500 MARK set 0x80060001
        0     0 ACCEPT     udp  --  any    br0     anywhere             anywhere             udp spt:500
        0     0 MARK       udp  --  any    eth0    anywhere             anywhere             udp dpt:500 MARK set 0x40060001
        0     0 ACCEPT     udp  --  any    eth0    anywhere             anywhere             udp dpt:500
        0     0 MARK       udp  --  any    br0     anywhere             anywhere             udp dpts:16384:16415 MARK set 0x80060001
        0     0 MARK       tcp  --  any    br0     anywhere             anywhere             mark match 0x80080000/0xc03f0000 tcp spt:www MARK set 0x803f0001
        0     0 MARK       tcp  --  any    br0     anywhere             anywhere             mark match 0x80080000/0xc03f0000 tcp spt:https MARK set 0x803f0001
        0     0 MARK       udp  --  any    eth0    anywhere             anywhere             udp spts:16384:16415 MARK set 0x40060001
        0     0 MARK       tcp  --  any    eth0    anywhere             anywhere             mark match 0x40080000/0xc03f0000 tcp spt:www MARK set 0x403f0001
        0     0 MARK       tcp  --  any    eth0    anywhere             anywhere             mark match 0x40080000/0xc03f0000 tcp spt:https MARK set 0x403f0001
    Chain BWDPI_FILTER (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       udp  --  eth0   any     anywhere             anywhere             udp spt:bootpc dpt:bootps
        3   984 DROP       udp  --  eth0   any     anywhere             anywhere             udp spt:bootps dpt:bootpc
    
    
     
  15. JohnSmith

    JohnSmith Occasional Visitor

    Joined:
    May 2, 2018
    Messages:
    35
    Location:
    Canada
    Thanks for the output FreshJR so I can see what it should look like.

    Two possible things in my setup could be accountable for this issue that I can think of so far:

    1. Currently using the latest Merlin Alpha version of ASUSWRT-Merlin as per my signature, which may be a culprit.

    2. I also have a guest wireless network setup, that uses a "firewall-start" file as well. I noticed your script tries to add "FreshJR_QOS" info in there to start, but my "firewall-start" file does not have that in it. Wondering if this could have anything to do with it?
     
  16. FreshJR

    FreshJR Very Senior Member

    Joined:
    Oct 8, 2016
    Messages:
    915
    That is exactally the issue I am seeing from your cold boot system log.
    The firewall-start entry for FreshQOS is missing so the script never runs.

    When you run the initial

    ./FreshJR_QOS -install command line, it does a few to create a firewall-start file

    Code:
    If firewall-start exists and has a correct header
    --> add FreshQOS into firewall start
    If firewall-start exists and has an incorrect header
    --> fix header
    --> add FreshQOS into firewall start
    If firewall-start does not exist
    --> create firewall-start
    --> set permissions of firewall-start
    --> create correct header of firewall-start
    --> add FreshQOS into firewall start.
    
    If you installed your other script after FreshQOS, its likely you are overwriting the FreshQOS entry.

    By default I never delete the firewall-start file or remove any existing entries (besides mine) when installing this script.

    I simply append the FreshQOS entry into firewall-start if it exists. You have to fix that issue.

    Simply rerun

    Code:
    /jffs/scripts/FreshJR_QOS -install
    
    and it should correct the entry.

    --

    Side note, your iptables configuration is also missing additional entries that should be there from Asus and not from my script. Those are also required for QOS. Are you sure you are not wiping all of iptables with your other script??

    --

    The scheduled persistance check that you saw occurring is triggered by a scheduler at 3:30 and not a firewall-start entry.

    The scheduled persistence check only checks TC structure has not been modified. It does not attempt to parse iptables for entries. (I could change it so it delete and recreate the relevate iptable entries if the TC structure gets changed in future releases of the script but it hasn't been a problem too date)
     
    Last edited: Oct 30, 2018
  17. JohnSmith

    JohnSmith Occasional Visitor

    Joined:
    May 2, 2018
    Messages:
    35
    Location:
    Canada
    Thanks for all your help FreshJR. I believe I am getting closer to resolving this. I now have entries in the POSTROUTING when running:

    Code:
    iptables -vL -t mangle
    Just a quick note, that on your

    Code:
    /jffs/scripts/FreshJR_QOS -install
    
    it did go and add the line

    Code:
    /jffs/scripts/FreshJR_QOS -start $1 &
    but it added it to the very end of the "firewall-start" file, which unfortunately has

    Code:
    exit 0
    which would finish the executing of the code, and would not run your command. I moved your command above "exit 0", and it works now.

    Not sure if in your script, you can test for "exit 0" at the end of the "firewall-start" script, and if so, to add your line above that so it gets executed


    I tried to add the code that I am using for the guest network, but it would not allow me to post it here, but here is the link that I got it from originally:

    https://www.snbforums.com/threads/guest-networks-and-dhcp.14141/page-2#post-286748
     
  18. JohnSmith

    JohnSmith Occasional Visitor

    Joined:
    May 2, 2018
    Messages:
    35
    Location:
    Canada
    Just saw what you wrote here at the end, and I like the idea of it saying "Original QOS Cat before FreshJR script:" :)

    Side Note: No code changed where it says DONT Modify, but I decided to test this by updating your ECHO lines, and it works for me:

    Code:
    [email protected]:/jffs/scripts# /jffs/scripts/FreshJR_QOS -appdb "Lets Encrypt"
    Lets Encrypt
     Original QOS Cat before FreshJR script:  Net Control
     Mark: 0x801400c2 0xc03fffff
     Prio: 22
    
    
     
    Last edited: Oct 31, 2018
  19. JohnSmith

    JohnSmith Occasional Visitor

    Joined:
    May 2, 2018
    Messages:
    35
    Location:
    Canada
    So FreshJR, I was able to get my Downloads into the "File Transferring/Downloads" Classification for this ONE computer from https://www.snbforums.com/threads/r...and-inner-workings.36836/page-107#post-440141 , but my Uploads for "Lets Encrypt" still go into "Web Surfing", instead of "File Transferring/Downloads"

    Here are the two attempts I tried to make this work under the UPLOAD Custom Rules (IP Address marked out):

    Code:
    iptables -D POSTROUTING -t mangle -o $wan -s X.X.X.X/32 -m mark --mark 0x801400c2/0xc03fffff -p tcp --dport 563 -j MARK --set-mark ${Downloads_mark_up} &> /dev/null
    iptables -A POSTROUTING -t mangle -o $wan -s X.X.X.X/32 -m mark --mark 0x801400c2/0xc03fffff -p tcp --dport 563 -j MARK --set-mark ${Downloads_mark_up}
    
    Code:
    iptables -D POSTROUTING -t mangle -o $wan -s X.X.X.X/32 -m mark --mark 0x801400c2/0xc03fffff -p tcp --dport 49152:65535 -j MARK --set-mark ${Downloads_mark_up} &> /dev/null
    iptables -A POSTROUTING -t mangle -o $wan -s X.X.X.X/32 -m mark --mark 0x801400c2/0xc03fffff -p tcp --dport 49152:65535 -j MARK --set-mark ${Downloads_mark_up}
    Neither of these classified the packets for this computer to the right classification on the Upload.

    The only way I could make this work was to do the following on the Upload, and then Upload Classification work by putting "Web Surfing" into "Downloads" for this computer:

    Code:
    iptables -D POSTROUTING -t mangle -o $wan -s X.X.X.X/32 -j MARK --set-mark ${Downloads_mark_up} &> /dev/null
    iptables -A POSTROUTING -t mangle -o $wan -s X.X.X.X/32 -j MARK --set-mark ${Downloads_mark_up}
    FreshJR, and thoughts on troubleshooting this?

    BTW Thanks for all your time and dedication to this project and helping others as well as myself.
     
  20. FreshJR

    FreshJR Very Senior Member

    Joined:
    Oct 8, 2016
    Messages:
    915
    You sure you didn't mess up dport & sport on the upload rule?
    You sure its tcp instead of udp?

    I wrote a pretty comprehensive guide for creating port rules available via link located within the first three posts.