Joined: 15 Jun 2020
|Posted: Sat Aug 15, 2020 13:40 Post subject: Archer C7v2 QoS on LAN1 in VLAN3 (eth0.3) up/down reversed
I have a basic guest configuration:
2 House (1 private, 1 guest house): In private house I have my main ISP modem and the main Archer C7v2 router.
In the guest house I have an AP connected to my Archer C7's LAN#1 port.
In the Archer I have a Guest VAP (ath0.1) enabled with the 192.168.3.0/24 subnet in a separate br1 bridge. I also wanted my LAN1 port to be in that subnet and bridge, so I added the port to VLAN3, which creates an interface eth0.3, and then added that to br1 with these commands:
swconfig dev eth0 set enable_vlan 3
swconfig dev eth0 vlan 3 set ports "2 6t"
swconfig dev eth0 set apply
vconfig add eth0 3
brctl addif br1 eth0.3
ifconfig eth0.3 up
That went okay; the next step is to add firewall rules to isolate them:
iptables -I INPUT 2 -i br1 -m state --state NEW -j DROP
# Allow DNS and DHCP from guest LAN
iptables -I INPUT 2 -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT 2 -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT 2 -i br1 -p udp --dport 67 -j ACCEPT
# Allow any traffic from guest LAN not satisfying first 2 rules to be forwarded
iptables -I FORWARD 2 -i br1 -j ACCEPT
# Block traffic from being forwarded between private LAN and guest LAN
iptables -I FORWARD 2 -i br0 -o br1 -j DROP
iptables -I FORWARD 2 -i br1 -o br0 -j DROP
# Enable Internet and NAT for guest LAN, if sourced from guest LAN
iptables -I INPUT -p tcp --destination-port 51413 -j ACCEPT
iptables -I INPUT -p udp --destination-port 51413 -j ACCEPT
Okay, they can't mess with br0 anymore.
The guest subnet needs to be managed with QoS to limit their bandwidth, and here I have a strange issue:
ISP bandwidth speed: ~10000 kbit/s Down, ~2400 kbit/s up
br1: ath0.1, eth0.3
In GUI I set the Downlink to 9600 kbit/s and Uplink to 1900 kbit/s
Packet Scheduler: HTB
Queuing Discipline: FQ_CODEL
I wanted to limit the 192.168.3.0/24 subnet with 2400 kbit/s down and 480 kbit/s up. Okay, I limited the subnet and went to test the speeds.
On ath0.1 it's okay, ~300 KB/s down and ~70 KB/s up, just what I wanted. (and I know it's very slow, but I don't want them to use up all of my slow network anyway, it's okay for them for Facebook, etc.)
But on eth0.3 (AP) it's somehow reversed(?) and the download speed is ~480 kbit/s and the upload speed is ~1900 kbit/s.
If I reverse the down/up values then the ath0.1 interface will be reversed and that's not good.
If I remove the upload limit the download speed is okay on eth0.3.
Then how should I manage the eth0.3 interface?
Should I create a separate bridge for the LAN1 port?
For example ath0.1 is in br1 with 192.168.3.0/24, and eth0.3 (VLAN3) is in br2 with 192.168.4.0/24, and in QoS I limit not the subnets but the interfaces br1 with value 2400 down, 480 up, and br2 with 480 down, 2400 up? But the problem is it'll be limited because then the Uplink/Downlink settings are wrong for eth0.3.
Any help appreciated!
DD-WRT v3.0-r44187 std (08/13/20)
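Added example, not part of the post above: a small model of how iptables orders the guest-isolation rules when every one is added with "-I CHAIN 2" (each later insert lands ahead of the earlier ones), evaluated against a few constructed packets. Entry 1 of each chain is a placeholder for whatever rule DD-WRT already has there, "vlan2" is an assumed WAN interface name, and the two port 51413 rules are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    target: str                    # ACCEPT or DROP
    in_if: Optional[str] = None    # -i
    out_if: Optional[str] = None   # -o
    proto: Optional[str] = None    # -p
    dport: Optional[int] = None    # --dport
    new_only: bool = False         # -m state --state NEW

    def matches(self, pkt: dict) -> bool:
        return ((self.in_if is None or pkt.get("in") == self.in_if)
                and (self.out_if is None or pkt.get("out") == self.out_if)
                and (self.proto is None or pkt.get("proto") == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport)
                and (not self.new_only or pkt.get("state") == "NEW"))

def insert(chain: list, pos: int, rule: Rule) -> None:
    """iptables -I CHAIN pos RULE: the rule becomes entry number pos (1-based)."""
    chain.insert(pos - 1, rule)

def verdict(chain: list, pkt: dict) -> str:
    """First matching rule wins; 'POLICY' means the chain's default policy decides."""
    return next((r.target for r in chain if r.matches(pkt)), "POLICY")

def build_chains() -> tuple:
    # Entry 1: placeholder for DD-WRT's existing rule (assumption); only matches lo.
    inp, fwd = [Rule("ACCEPT", in_if="lo")], [Rule("ACCEPT", in_if="lo")]
    insert(inp, 2, Rule("DROP", in_if="br1", new_only=True))           # typed first
    insert(inp, 2, Rule("ACCEPT", in_if="br1", proto="tcp", dport=53))
    insert(inp, 2, Rule("ACCEPT", in_if="br1", proto="udp", dport=53))
    insert(inp, 2, Rule("ACCEPT", in_if="br1", proto="udp", dport=67))  # ends up at 2
    insert(fwd, 2, Rule("ACCEPT", in_if="br1"))
    insert(fwd, 2, Rule("DROP", in_if="br0", out_if="br1"))
    insert(fwd, 2, Rule("DROP", in_if="br1", out_if="br0"))              # ends up at 2
    return inp, fwd

def check_isolation() -> dict:
    """Constructed packets: DNS/DHCP accepts sit before the DROP, bridge DROPs before ACCEPT."""
    inp, fwd = build_chains()
    return {
        "guest_dns": verdict(inp, {"in": "br1", "proto": "udp", "dport": 53, "state": "NEW"}),
        "guest_dhcp": verdict(inp, {"in": "br1", "proto": "udp", "dport": 67, "state": "NEW"}),
        "guest_ssh_to_router": verdict(inp, {"in": "br1", "proto": "tcp", "dport": 22, "state": "NEW"}),
        "guest_to_private": verdict(fwd, {"in": "br1", "out": "br0", "proto": "tcp", "dport": 445}),
        "private_to_guest": verdict(fwd, {"in": "br0", "out": "br1", "proto": "tcp", "dport": 80}),
        "guest_to_wan": verdict(fwd, {"in": "br1", "out": "vlan2", "proto": "tcp", "dport": 443}),
    }
```

Running check_isolation() shows the ordering works as intended here: guest DNS/DHCP to the router and guest-to-WAN forwarding are accepted, while new guest connections to the router and any forwarding between br0 and br1 are dropped.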