From a679ce100bc3da4f0d1c8537925ed9f346907907 Mon Sep 17 00:00:00 2001
From: Nolan Darilek
Date: Mon, 21 Jul 2025 17:10:40 -0400
Subject: [PATCH] Reformat and add reference link.
---
hosts/router/default.nix | 64 +++++++++++++++++++++-------------------
1 file changed, 33 insertions(+), 31 deletions(-)
diff --git a/hosts/router/default.nix b/hosts/router/default.nix
index b7c73ad..0ff6dbd 100644
--- a/hosts/router/default.nix
+++ b/hosts/router/default.nix
@@ -1,3 +1,5 @@
+# Partially inspired by https://krutonium.ca/posts/building-a-nixos-router/ and others.
+
 { pkgs, ... }:
 
 {
@@ -19,9 +21,9 @@
 };
 # Load kernel modules required for advanced QoS
 kernelModules = [
- "sch_cake" # CAKE qdisc for modern AQM and traffic shaping
+ "sch_cake" # CAKE qdisc for modern AQM and traffic shaping
 "sch_fq_codel" # Fair Queue CoDel for bufferbloat mitigation
- "ifb" # Intermediate Functional Block for ingress shaping
+ "ifb" # Intermediate Functional Block for ingress shaping
 ];
 loader = {
 efi.canTouchEfiVariables = true;
@@ -51,10 +53,10 @@
 443
 ];
 };
-
+
 # Install packages required for QoS management
 extraPackages = [ pkgs.iproute2 ];
-
+
 # QoS configuration for prioritizing gaming, streaming, and real-time traffic
 extraCommands = ''
 ##############################################################################
@@ -69,8 +71,8 @@
 # - CS1 (Class Selector 1) : Bulk downloads (lowest priority)
 # - Default : Everything else
 ##############################################################################
-
-
+
+
 # Apply CAKE (Common Applications Kept Enhanced) queue discipline
 # This provides modern Active Queue Management with built-in traffic prioritization
 # Settings:
@@ -82,27 +84,27 @@
 # ack-filter - Filter excessive TCP ACKs from downloads
 # rtt 30ms - Optimize for typical gaming latency
 tc qdisc replace dev lan root cake bandwidth 1gbit diffserv4 dual-dsthost nat wash ack-filter rtt 30ms
-
+
 ##############################################################################
 # TIER 1 - HIGHEST PRIORITY: Real-time Gaming Traffic (CS6/CS5)
 ##############################################################################
-
+
 # PlayStation Network
 # TCP ports for authentication and matchmaking
 iptables -t mangle -A FORWARD -i lan -p tcp -m multiport --dports 1935,3478:3480 \
 -j DSCP --set-dscp-class cs5 \
 -m comment --comment "PlayStation Network TCP"
-
+
 # UDP ports for gameplay and voice
 iptables -t mangle -A FORWARD -i lan -p udp -m multiport --dports 3478:3479,3658 \
 -j DSCP --set-dscp-class cs5 \
 -m comment --comment "PlayStation Network UDP"
-
+
 # PS5 high UDP port range for game traffic
 iptables -t mangle -A FORWARD -i lan -p udp --dport 49152:65535 -m length --length 0:500 \
 -j DSCP --set-dscp-class cs5 \
 -m comment --comment "PS5 game traffic (small packets)"
-
+
 # Xbox Live
 # Primary multiplayer and party chat port
 iptables -t mangle -A FORWARD -i lan -p tcp --dport 3074 \
@@ -111,32 +113,32 @@
 iptables -t mangle -A FORWARD -i lan -p udp --dport 3074 \
 -j DSCP --set-dscp-class cs5 \
 -m comment --comment "Xbox Live UDP"
-
+
 # Additional Xbox ports
 iptables -t mangle -A FORWARD -i lan -p udp -m multiport --dports 88,500,3544,4500 \
 -j DSCP --set-dscp-class cs5 \
 -m comment --comment "Xbox Live additional ports"
-
+
 # Generic small gaming packets (likely real-time game data)
 # Small UDP packets are typically game state updates that need lowest latency
 iptables -t mangle -A FORWARD -i lan -p udp -m length --length 0:500 \
 -j DSCP --set-dscp-class cs6 \
 -m comment --comment "Small UDP packets (real-time gaming)"
-
+
 ##############################################################################
 # TIER 2 - VOICE AND VIDEO CALLS: Expedited Forwarding (EF)
 ##############################################################################
-
+
 # Console voice chat and Discord (small packets in high port range)
 iptables -t mangle -A FORWARD -i lan -p udp --dport 50000:65535 -m length --length 0:250 \
 -j DSCP --set-dscp-class ef \
 -m comment --comment "Voice chat (Discord, console party chat)"
-
+
 # WebRTC media streams (used by Google Meet, other video conferencing)
 iptables -t mangle -A FORWARD -i lan -p udp --dport 19302:19309 \
 -j DSCP --set-dscp-class ef \
 -m comment --comment "WebRTC media (Google Meet, etc)"
-
+
 # Zoom conferencing
 iptables -t mangle -A FORWARD -i lan -p tcp -m multiport --dports 8801:8810 \
 -j DSCP --set-dscp-class ef \
@@ -144,7 +146,7 @@
 iptables -t mangle -A FORWARD -i lan -p udp -m multiport --dports 8801:8810 \
 -j DSCP --set-dscp-class ef \
 -m comment --comment "Zoom UDP"
-
+
 # General VoIP/SIP traffic
 iptables -t mangle -A FORWARD -i lan -p udp --dport 5060:5061 \
 -j DSCP --set-dscp-class ef \
@@ -152,60 +154,60 @@
 iptables -t mangle -A FORWARD -i lan -p udp --dport 10000:20000 \
 -j DSCP --set-dscp-class ef \
 -m comment --comment "RTP media streams"
-
+
 ##############################################################################
 # TIER 3 - VIDEO STREAMING: Assured Forwarding (AF41)
 ##############################################################################
-
+
 # QUIC protocol (HTTP/3) - Used by YouTube, Netflix
 iptables -t mangle -A FORWARD -i lan -p udp --dport 443 \
 -j DSCP --set-dscp-class af41 \
 -m comment --comment "QUIC/HTTP3 video streaming"
-
+
 # Chromecast/Google TV
 iptables -t mangle -A FORWARD -i lan -p tcp -m multiport --dports 8008:8009,8443 \
 -j DSCP --set-dscp-class af41 \
 -m comment --comment "Chromecast control"
-
+
 # Chromecast RTP media streams (large packets)
 iptables -t mangle -A FORWARD -i lan -p udp --dport 32768:61000 -m length --length 1000:1500 \
 -j DSCP --set-dscp-class af41 \
 -m comment --comment "Chromecast media streams"
-
+
 # HTTPS video streaming (1MB-50MB connections)
 # This catches most adaptive streaming video (HLS, DASH)
 iptables -t mangle -A FORWARD -i lan -p tcp --dport 443 \
 -m connbytes --connbytes 1000000:50000000 --connbytes-dir both --connbytes-mode bytes \
 -j DSCP --set-dscp-class af41 \
 -m comment --comment "HTTPS video streams (1-50MB)"
-
+
 ##############################################################################
 # TIER 4 - SERVICE DISCOVERY: Medium Priority (CS3)
 ##############################################################################
-
+
 # mDNS for device discovery (important for casting, AirPlay)
 iptables -t mangle -A FORWARD -i lan -p udp --dport 5353 \
 -j DSCP --set-dscp-class cs3 \
 -m comment --comment "mDNS service discovery"
-
-
+
+
 ##############################################################################
 # TIER 5 - BULK DOWNLOADS: Lowest Priority (CS1)
 ##############################################################################
-
+
 # Large HTTPS downloads (over 50MB) - game updates, OS updates, etc.
 iptables -t mangle -A FORWARD -i lan -p tcp --dport 443 \
 -m connbytes --connbytes 50000000: --connbytes-dir both --connbytes-mode bytes \
 -j DSCP --set-dscp-class cs1 \
 -m comment --comment "Bulk HTTPS downloads (>50MB)"
-
+
 '';
-
+
 # Clean up QoS rules when firewall stops
 extraStopCommands = ''
 # Remove CAKE qdisc
 tc qdisc del dev lan root 2>/dev/null || true
-
+
 # Clear mangle table rules
 iptables -t mangle -F FORWARD 2>/dev/null || true
 '';