Reformat and add reference link.
This commit is contained in:
parent
6bb2c006fc
commit
a679ce100b
1 changed files with 33 additions and 31 deletions
|
@ -1,3 +1,5 @@
|
||||||
|
# Partially inspired by https://krutonium.ca/posts/building-a-nixos-router/ and others.
|
||||||
|
|
||||||
{ pkgs, ... }:
|
{ pkgs, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
|
@ -19,9 +21,9 @@
|
||||||
};
|
};
|
||||||
# Load kernel modules required for advanced QoS
|
# Load kernel modules required for advanced QoS
|
||||||
kernelModules = [
|
kernelModules = [
|
||||||
"sch_cake" # CAKE qdisc for modern AQM and traffic shaping
|
"sch_cake" # CAKE qdisc for modern AQM and traffic shaping
|
||||||
"sch_fq_codel" # Fair Queue CoDel for bufferbloat mitigation
|
"sch_fq_codel" # Fair Queue CoDel for bufferbloat mitigation
|
||||||
"ifb" # Intermediate Functional Block for ingress shaping
|
"ifb" # Intermediate Functional Block for ingress shaping
|
||||||
];
|
];
|
||||||
loader = {
|
loader = {
|
||||||
efi.canTouchEfiVariables = true;
|
efi.canTouchEfiVariables = true;
|
||||||
|
@ -51,10 +53,10 @@
|
||||||
443
|
443
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
# Install packages required for QoS management
|
# Install packages required for QoS management
|
||||||
extraPackages = [ pkgs.iproute2 ];
|
extraPackages = [ pkgs.iproute2 ];
|
||||||
|
|
||||||
# QoS configuration for prioritizing gaming, streaming, and real-time traffic
|
# QoS configuration for prioritizing gaming, streaming, and real-time traffic
|
||||||
extraCommands = ''
|
extraCommands = ''
|
||||||
##############################################################################
|
##############################################################################
|
||||||
|
@ -69,8 +71,8 @@
|
||||||
# - CS1 (Class Selector 1) : Bulk downloads (lowest priority)
|
# - CS1 (Class Selector 1) : Bulk downloads (lowest priority)
|
||||||
# - Default : Everything else
|
# - Default : Everything else
|
||||||
##############################################################################
|
##############################################################################
|
||||||
|
|
||||||
|
|
||||||
# Apply CAKE (Common Applications Kept Enhanced) queue discipline
|
# Apply CAKE (Common Applications Kept Enhanced) queue discipline
|
||||||
# This provides modern Active Queue Management with built-in traffic prioritization
|
# This provides modern Active Queue Management with built-in traffic prioritization
|
||||||
# Settings:
|
# Settings:
|
||||||
|
@ -82,27 +84,27 @@
|
||||||
# ack-filter - Filter excessive TCP ACKs from downloads
|
# ack-filter - Filter excessive TCP ACKs from downloads
|
||||||
# rtt 30ms - Optimize for typical gaming latency
|
# rtt 30ms - Optimize for typical gaming latency
|
||||||
tc qdisc replace dev lan root cake bandwidth 1gbit diffserv4 dual-dsthost nat wash ack-filter rtt 30ms
|
tc qdisc replace dev lan root cake bandwidth 1gbit diffserv4 dual-dsthost nat wash ack-filter rtt 30ms
|
||||||
|
|
||||||
##############################################################################
|
##############################################################################
|
||||||
# TIER 1 - HIGHEST PRIORITY: Real-time Gaming Traffic (CS6/CS5)
|
# TIER 1 - HIGHEST PRIORITY: Real-time Gaming Traffic (CS6/CS5)
|
||||||
##############################################################################
|
##############################################################################
|
||||||
|
|
||||||
# PlayStation Network
|
# PlayStation Network
|
||||||
# TCP ports for authentication and matchmaking
|
# TCP ports for authentication and matchmaking
|
||||||
iptables -t mangle -A FORWARD -i lan -p tcp -m multiport --dports 1935,3478:3480 \
|
iptables -t mangle -A FORWARD -i lan -p tcp -m multiport --dports 1935,3478:3480 \
|
||||||
-j DSCP --set-dscp-class cs5 \
|
-j DSCP --set-dscp-class cs5 \
|
||||||
-m comment --comment "PlayStation Network TCP"
|
-m comment --comment "PlayStation Network TCP"
|
||||||
|
|
||||||
# UDP ports for gameplay and voice
|
# UDP ports for gameplay and voice
|
||||||
iptables -t mangle -A FORWARD -i lan -p udp -m multiport --dports 3478:3479,3658 \
|
iptables -t mangle -A FORWARD -i lan -p udp -m multiport --dports 3478:3479,3658 \
|
||||||
-j DSCP --set-dscp-class cs5 \
|
-j DSCP --set-dscp-class cs5 \
|
||||||
-m comment --comment "PlayStation Network UDP"
|
-m comment --comment "PlayStation Network UDP"
|
||||||
|
|
||||||
# PS5 high UDP port range for game traffic
|
# PS5 high UDP port range for game traffic
|
||||||
iptables -t mangle -A FORWARD -i lan -p udp --dport 49152:65535 -m length --length 0:500 \
|
iptables -t mangle -A FORWARD -i lan -p udp --dport 49152:65535 -m length --length 0:500 \
|
||||||
-j DSCP --set-dscp-class cs5 \
|
-j DSCP --set-dscp-class cs5 \
|
||||||
-m comment --comment "PS5 game traffic (small packets)"
|
-m comment --comment "PS5 game traffic (small packets)"
|
||||||
|
|
||||||
# Xbox Live
|
# Xbox Live
|
||||||
# Primary multiplayer and party chat port
|
# Primary multiplayer and party chat port
|
||||||
iptables -t mangle -A FORWARD -i lan -p tcp --dport 3074 \
|
iptables -t mangle -A FORWARD -i lan -p tcp --dport 3074 \
|
||||||
|
@ -111,32 +113,32 @@
|
||||||
iptables -t mangle -A FORWARD -i lan -p udp --dport 3074 \
|
iptables -t mangle -A FORWARD -i lan -p udp --dport 3074 \
|
||||||
-j DSCP --set-dscp-class cs5 \
|
-j DSCP --set-dscp-class cs5 \
|
||||||
-m comment --comment "Xbox Live UDP"
|
-m comment --comment "Xbox Live UDP"
|
||||||
|
|
||||||
# Additional Xbox ports
|
# Additional Xbox ports
|
||||||
iptables -t mangle -A FORWARD -i lan -p udp -m multiport --dports 88,500,3544,4500 \
|
iptables -t mangle -A FORWARD -i lan -p udp -m multiport --dports 88,500,3544,4500 \
|
||||||
-j DSCP --set-dscp-class cs5 \
|
-j DSCP --set-dscp-class cs5 \
|
||||||
-m comment --comment "Xbox Live additional ports"
|
-m comment --comment "Xbox Live additional ports"
|
||||||
|
|
||||||
# Generic small gaming packets (likely real-time game data)
|
# Generic small gaming packets (likely real-time game data)
|
||||||
# Small UDP packets are typically game state updates that need lowest latency
|
# Small UDP packets are typically game state updates that need lowest latency
|
||||||
iptables -t mangle -A FORWARD -i lan -p udp -m length --length 0:500 \
|
iptables -t mangle -A FORWARD -i lan -p udp -m length --length 0:500 \
|
||||||
-j DSCP --set-dscp-class cs6 \
|
-j DSCP --set-dscp-class cs6 \
|
||||||
-m comment --comment "Small UDP packets (real-time gaming)"
|
-m comment --comment "Small UDP packets (real-time gaming)"
|
||||||
|
|
||||||
##############################################################################
|
##############################################################################
|
||||||
# TIER 2 - VOICE AND VIDEO CALLS: Expedited Forwarding (EF)
|
# TIER 2 - VOICE AND VIDEO CALLS: Expedited Forwarding (EF)
|
||||||
##############################################################################
|
##############################################################################
|
||||||
|
|
||||||
# Console voice chat and Discord (small packets in high port range)
|
# Console voice chat and Discord (small packets in high port range)
|
||||||
iptables -t mangle -A FORWARD -i lan -p udp --dport 50000:65535 -m length --length 0:250 \
|
iptables -t mangle -A FORWARD -i lan -p udp --dport 50000:65535 -m length --length 0:250 \
|
||||||
-j DSCP --set-dscp-class ef \
|
-j DSCP --set-dscp-class ef \
|
||||||
-m comment --comment "Voice chat (Discord, console party chat)"
|
-m comment --comment "Voice chat (Discord, console party chat)"
|
||||||
|
|
||||||
# WebRTC media streams (used by Google Meet, other video conferencing)
|
# WebRTC media streams (used by Google Meet, other video conferencing)
|
||||||
iptables -t mangle -A FORWARD -i lan -p udp --dport 19302:19309 \
|
iptables -t mangle -A FORWARD -i lan -p udp --dport 19302:19309 \
|
||||||
-j DSCP --set-dscp-class ef \
|
-j DSCP --set-dscp-class ef \
|
||||||
-m comment --comment "WebRTC media (Google Meet, etc)"
|
-m comment --comment "WebRTC media (Google Meet, etc)"
|
||||||
|
|
||||||
# Zoom conferencing
|
# Zoom conferencing
|
||||||
iptables -t mangle -A FORWARD -i lan -p tcp -m multiport --dports 8801:8810 \
|
iptables -t mangle -A FORWARD -i lan -p tcp -m multiport --dports 8801:8810 \
|
||||||
-j DSCP --set-dscp-class ef \
|
-j DSCP --set-dscp-class ef \
|
||||||
|
@ -144,7 +146,7 @@
|
||||||
iptables -t mangle -A FORWARD -i lan -p udp -m multiport --dports 8801:8810 \
|
iptables -t mangle -A FORWARD -i lan -p udp -m multiport --dports 8801:8810 \
|
||||||
-j DSCP --set-dscp-class ef \
|
-j DSCP --set-dscp-class ef \
|
||||||
-m comment --comment "Zoom UDP"
|
-m comment --comment "Zoom UDP"
|
||||||
|
|
||||||
# General VoIP/SIP traffic
|
# General VoIP/SIP traffic
|
||||||
iptables -t mangle -A FORWARD -i lan -p udp --dport 5060:5061 \
|
iptables -t mangle -A FORWARD -i lan -p udp --dport 5060:5061 \
|
||||||
-j DSCP --set-dscp-class ef \
|
-j DSCP --set-dscp-class ef \
|
||||||
|
@ -152,60 +154,60 @@
|
||||||
iptables -t mangle -A FORWARD -i lan -p udp --dport 10000:20000 \
|
iptables -t mangle -A FORWARD -i lan -p udp --dport 10000:20000 \
|
||||||
-j DSCP --set-dscp-class ef \
|
-j DSCP --set-dscp-class ef \
|
||||||
-m comment --comment "RTP media streams"
|
-m comment --comment "RTP media streams"
|
||||||
|
|
||||||
##############################################################################
|
##############################################################################
|
||||||
# TIER 3 - VIDEO STREAMING: Assured Forwarding (AF41)
|
# TIER 3 - VIDEO STREAMING: Assured Forwarding (AF41)
|
||||||
##############################################################################
|
##############################################################################
|
||||||
|
|
||||||
# QUIC protocol (HTTP/3) - Used by YouTube, Netflix
|
# QUIC protocol (HTTP/3) - Used by YouTube, Netflix
|
||||||
iptables -t mangle -A FORWARD -i lan -p udp --dport 443 \
|
iptables -t mangle -A FORWARD -i lan -p udp --dport 443 \
|
||||||
-j DSCP --set-dscp-class af41 \
|
-j DSCP --set-dscp-class af41 \
|
||||||
-m comment --comment "QUIC/HTTP3 video streaming"
|
-m comment --comment "QUIC/HTTP3 video streaming"
|
||||||
|
|
||||||
# Chromecast/Google TV
|
# Chromecast/Google TV
|
||||||
iptables -t mangle -A FORWARD -i lan -p tcp -m multiport --dports 8008:8009,8443 \
|
iptables -t mangle -A FORWARD -i lan -p tcp -m multiport --dports 8008:8009,8443 \
|
||||||
-j DSCP --set-dscp-class af41 \
|
-j DSCP --set-dscp-class af41 \
|
||||||
-m comment --comment "Chromecast control"
|
-m comment --comment "Chromecast control"
|
||||||
|
|
||||||
# Chromecast RTP media streams (large packets)
|
# Chromecast RTP media streams (large packets)
|
||||||
iptables -t mangle -A FORWARD -i lan -p udp --dport 32768:61000 -m length --length 1000:1500 \
|
iptables -t mangle -A FORWARD -i lan -p udp --dport 32768:61000 -m length --length 1000:1500 \
|
||||||
-j DSCP --set-dscp-class af41 \
|
-j DSCP --set-dscp-class af41 \
|
||||||
-m comment --comment "Chromecast media streams"
|
-m comment --comment "Chromecast media streams"
|
||||||
|
|
||||||
# HTTPS video streaming (1MB-50MB connections)
|
# HTTPS video streaming (1MB-50MB connections)
|
||||||
# This catches most adaptive streaming video (HLS, DASH)
|
# This catches most adaptive streaming video (HLS, DASH)
|
||||||
iptables -t mangle -A FORWARD -i lan -p tcp --dport 443 \
|
iptables -t mangle -A FORWARD -i lan -p tcp --dport 443 \
|
||||||
-m connbytes --connbytes 1000000:50000000 --connbytes-dir both --connbytes-mode bytes \
|
-m connbytes --connbytes 1000000:50000000 --connbytes-dir both --connbytes-mode bytes \
|
||||||
-j DSCP --set-dscp-class af41 \
|
-j DSCP --set-dscp-class af41 \
|
||||||
-m comment --comment "HTTPS video streams (1-50MB)"
|
-m comment --comment "HTTPS video streams (1-50MB)"
|
||||||
|
|
||||||
##############################################################################
|
##############################################################################
|
||||||
# TIER 4 - SERVICE DISCOVERY: Medium Priority (CS3)
|
# TIER 4 - SERVICE DISCOVERY: Medium Priority (CS3)
|
||||||
##############################################################################
|
##############################################################################
|
||||||
|
|
||||||
# mDNS for device discovery (important for casting, AirPlay)
|
# mDNS for device discovery (important for casting, AirPlay)
|
||||||
iptables -t mangle -A FORWARD -i lan -p udp --dport 5353 \
|
iptables -t mangle -A FORWARD -i lan -p udp --dport 5353 \
|
||||||
-j DSCP --set-dscp-class cs3 \
|
-j DSCP --set-dscp-class cs3 \
|
||||||
-m comment --comment "mDNS service discovery"
|
-m comment --comment "mDNS service discovery"
|
||||||
|
|
||||||
|
|
||||||
##############################################################################
|
##############################################################################
|
||||||
# TIER 5 - BULK DOWNLOADS: Lowest Priority (CS1)
|
# TIER 5 - BULK DOWNLOADS: Lowest Priority (CS1)
|
||||||
##############################################################################
|
##############################################################################
|
||||||
|
|
||||||
# Large HTTPS downloads (over 50MB) - game updates, OS updates, etc.
|
# Large HTTPS downloads (over 50MB) - game updates, OS updates, etc.
|
||||||
iptables -t mangle -A FORWARD -i lan -p tcp --dport 443 \
|
iptables -t mangle -A FORWARD -i lan -p tcp --dport 443 \
|
||||||
-m connbytes --connbytes 50000000: --connbytes-dir both --connbytes-mode bytes \
|
-m connbytes --connbytes 50000000: --connbytes-dir both --connbytes-mode bytes \
|
||||||
-j DSCP --set-dscp-class cs1 \
|
-j DSCP --set-dscp-class cs1 \
|
||||||
-m comment --comment "Bulk HTTPS downloads (>50MB)"
|
-m comment --comment "Bulk HTTPS downloads (>50MB)"
|
||||||
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# Clean up QoS rules when firewall stops
|
# Clean up QoS rules when firewall stops
|
||||||
extraStopCommands = ''
|
extraStopCommands = ''
|
||||||
# Remove CAKE qdisc
|
# Remove CAKE qdisc
|
||||||
tc qdisc del dev lan root 2>/dev/null || true
|
tc qdisc del dev lan root 2>/dev/null || true
|
||||||
|
|
||||||
# Clear mangle table rules
|
# Clear mangle table rules
|
||||||
iptables -t mangle -F FORWARD 2>/dev/null || true
|
iptables -t mangle -F FORWARD 2>/dev/null || true
|
||||||
'';
|
'';
|
||||||
|
|
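Review bot: The DSCP marking and the CAKE instance act on opposite directions of traffic: every `iptables -t mangle -A FORWARD -i lan …` rule matches packets that arrived from `lan` (LAN→WAN), while `tc qdisc replace dev lan root cake …` shapes what the router transmits on `lan` (WAN→LAN), so unless an `-o lan`/CONNMARK rule or an ifb ingress redirect exists outside these hunks, the classes set here never reach the qdisc that reads them. Separately, `iptables -t mangle -F FORWARD` in `extraStopCommands` flushes every mangle FORWARD rule, including any added by other modules, and the plain `-A FORWARD` appends would accumulate duplicates if `extraCommands` ever ran twice without the stop script in between (whether a firewall reload does that cannot be confirmed from here). Keeping the QoS rules in a dedicated chain that is created, flushed and removed explicitly limits both effects; the `-A FORWARD -i lan` rules then become `-A QOS`. The `extraCommands` string opens in an earlier hunk, while the `extraStopCommands` block is complete here.
```nix
extraCommands = ''
  # Dedicated chain so start/stop only ever touch the QoS rules
  iptables -t mangle -N QOS 2>/dev/null || iptables -t mangle -F QOS
  iptables -t mangle -D FORWARD -i lan -j QOS 2>/dev/null || true
  iptables -t mangle -A FORWARD -i lan -j QOS
  # … unchanged: tc cake setup and DSCP rules, with -A FORWARD -i lan replaced by -A QOS …
'';

extraStopCommands = ''
  tc qdisc del dev lan root 2>/dev/null || true
  iptables -t mangle -D FORWARD -i lan -j QOS 2>/dev/null || true
  iptables -t mangle -F QOS 2>/dev/null || true
  iptables -t mangle -X QOS 2>/dev/null || true
'';
```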