diff --git a/hosts/router/default.nix b/hosts/router/default.nix
index 7b42fd7..2cebbaf 100644
--- a/hosts/router/default.nix
+++ b/hosts/router/default.nix
@@ -1,3 +1,5 @@
+{ pkgs, ... }:
+
 {
 imports = [
 ./hardware-configuration.nix
@@ -15,6 +17,12 @@
 kernel.sysctl = {
 "net.ipv4.conf.all.forwarding" = 1;
 };
+ # Load kernel modules required for advanced QoS
+ kernelModules = [
+ "sch_cake" # CAKE qdisc for modern AQM and traffic shaping
+ "sch_fq_codel" # Fair Queue CoDel for bufferbloat mitigation
+ "ifb" # Intermediate Functional Block for ingress shaping
+ ];
 loader = {
 efi.canTouchEfiVariables = true;
 systemd-boot.enable = true;
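Review bot: `ifb` is loaded here "for ingress shaping", but nothing in this commit creates an ifb device or an ingress qdisc — the only tc command in the later hunk installs CAKE on `dev lan` root — so the entry is dead weight until a follow-up adds the ingress redirect; either drop it for now or change the comment to `"ifb" # reserved for ingress shaping (no ingress qdisc configured yet)` so the list reflects what is actually in use. `sch_cake` and `sch_fq_codel` are normally autoloaded by `tc qdisc` on demand on a stock kernel, so those two entries are harmless but mostly documentary (depends on the kernel build, so worth a one-line comment saying they are listed for explicitness).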
@@ -43,6 +51,204 @@
 443
 ];
 };
+
+ # Install packages required for QoS management
+ extraPackages = [ pkgs.ipset pkgs.iproute2 ];
+
+ # QoS configuration for prioritizing gaming, streaming, and real-time traffic
+ extraCommands = ''
+ ##############################################################################
+ # Quality of Service (QoS) Configuration
+ #
+ # Priority Tiers (DSCP Classes):
+ # - EF (Expedited Forwarding) : Voice chat, video calls (lowest latency)
+ # - CS6 (Class Selector 6) : Real-time gaming packets
+ # - CS5 (Class Selector 5) : Console gaming traffic
+ # - AF41 (Assured Forwarding 4.1) : Video streaming
+ # - CS3 (Class Selector 3) : Gaming/streaming CDNs, service discovery
+ # - CS1 (Class Selector 1) : Bulk downloads (lowest priority)
+ # - Default : Everything else
+ ##############################################################################
+
+ # Create IP sets for different traffic classification with larger hash sizes
+ ipset create video_streaming hash:net family inet hashsize 4096 maxelem 65536 -exist
+ ipset create video_meet hash:net family inet hashsize 1024 maxelem 65536 -exist
+ ipset create gaming_services hash:net family inet hashsize 1024 maxelem 65536 -exist
+
+ # Apply CAKE (Common Applications Kept Enhanced) queue discipline
+ # This provides modern Active Queue Management with built-in traffic prioritization
+ # Settings:
+ # bandwidth 1gbit - Set to your LAN bandwidth
+ # diffserv4 - Enable 4-tier traffic classification (Bulk, Best Effort, Video, Voice)
+ # dual-dsthost - Per-destination fairness to prevent one device from hogging bandwidth
+ # nat - Handle NAT properly for accurate flow tracking
+ # wash - Clear incoming DSCP marks to reclassify based on our rules
+ # ack-filter - Filter excessive TCP ACKs from downloads
+ # rtt 30ms - Optimize for typical gaming latency
+ tc qdisc replace dev lan root cake bandwidth 1gbit diffserv4 dual-dsthost nat wash ack-filter rtt 30ms
+
+ ##############################################################################
+ # TIER 1 - HIGHEST PRIORITY: Real-time Gaming Traffic (CS6/CS5)
+ ##############################################################################
+
+ # PlayStation Network
+ # TCP ports for authentication and matchmaking
+ iptables -t mangle -A FORWARD -i lan -p tcp -m multiport --dports 1935,3478:3480 \
+ -j DSCP --set-dscp-class cs5 \
+ -m comment --comment "PlayStation Network TCP"
+
+ # UDP ports for gameplay and voice
+ iptables -t mangle -A FORWARD -i lan -p udp -m multiport --dports 3478:3479,3658 \
+ -j DSCP --set-dscp-class cs5 \
+ -m comment --comment "PlayStation Network UDP"
+
+ # PS5 high UDP port range for game traffic
+ iptables -t mangle -A FORWARD -i lan -p udp --dport 49152:65535 -m length --length 0:500 \
+ -j DSCP --set-dscp-class cs5 \
+ -m comment --comment "PS5 game traffic (small packets)"
+
+ # Xbox Live
+ # Primary multiplayer and party chat port
+ iptables -t mangle -A FORWARD -i lan -p tcp --dport 3074 \
+ -j DSCP --set-dscp-class cs5 \
+ -m comment --comment "Xbox Live TCP"
+ iptables -t mangle -A FORWARD -i lan -p udp --dport 3074 \
+ -j DSCP --set-dscp-class cs5 \
+ -m comment --comment "Xbox Live UDP"
+
+ # Additional Xbox ports
+ iptables -t mangle -A FORWARD -i lan -p udp -m multiport --dports 88,500,3544,4500 \
+ -j DSCP --set-dscp-class cs5 \
+ -m comment --comment "Xbox Live additional ports"
+
+ # Generic small gaming packets (likely real-time game data)
+ # Small UDP packets are typically game state updates that need lowest latency
+ iptables -t mangle -A FORWARD -i lan -p udp -m length --length 0:500 \
+ -j DSCP --set-dscp-class cs6 \
+ -m comment --comment "Small UDP packets (real-time gaming)"
+
+ ##############################################################################
+ # TIER 2 - VOICE AND VIDEO CALLS: Expedited Forwarding (EF)
+ ##############################################################################
+
+ # Console voice chat and Discord (small packets in high port range)
+ iptables -t mangle -A FORWARD -i lan -p udp --dport 50000:65535 -m length --length 0:250 \
+ -j DSCP --set-dscp-class ef \
+ -m comment --comment "Voice chat (Discord, console party chat)"
+
+ # WebRTC media streams (used by Google Meet, other video conferencing)
+ iptables -t mangle -A FORWARD -i lan -p udp --dport 19302:19309 \
+ -j DSCP --set-dscp-class ef \
+ -m comment --comment "WebRTC media (Google Meet, etc)"
+
+ # Zoom conferencing
+ iptables -t mangle -A FORWARD -i lan -p tcp -m multiport --dports 8801:8810 \
+ -j DSCP --set-dscp-class ef \
+ -m comment --comment "Zoom TCP"
+ iptables -t mangle -A FORWARD -i lan -p udp -m multiport --dports 8801:8810 \
+ -j DSCP --set-dscp-class ef \
+ -m comment --comment "Zoom UDP"
+
+ # General VoIP/SIP traffic
+ iptables -t mangle -A FORWARD -i lan -p udp --dport 5060:5061 \
+ -j DSCP --set-dscp-class ef \
+ -m comment --comment "SIP signaling"
+ iptables -t mangle -A FORWARD -i lan -p udp --dport 10000:20000 \
+ -j DSCP --set-dscp-class ef \
+ -m comment --comment "RTP media streams"
+
+ ##############################################################################
+ # TIER 3 - VIDEO STREAMING: Assured Forwarding (AF41)
+ ##############################################################################
+
+ # QUIC protocol (HTTP/3) - Used by YouTube, Netflix
+ iptables -t mangle -A FORWARD -i lan -p udp --dport 443 \
+ -j DSCP --set-dscp-class af41 \
+ -m comment --comment "QUIC/HTTP3 video streaming"
+
+ # Chromecast/Google TV
+ iptables -t mangle -A FORWARD -i lan -p tcp -m multiport --dports 8008:8009,8443 \
+ -j DSCP --set-dscp-class af41 \
+ -m comment --comment "Chromecast control"
+
+ # Chromecast RTP media streams (large packets)
+ iptables -t mangle -A FORWARD -i lan -p udp --dport 32768:61000 -m length --length 1000:1500 \
+ -j DSCP --set-dscp-class af41 \
+ -m comment --comment "Chromecast media streams"
+
+ # HTTPS video streaming (1MB-50MB connections)
+ # This catches most adaptive streaming video (HLS, DASH)
+ iptables -t mangle -A FORWARD -i lan -p tcp --dport 443 \
+ -m connbytes --connbytes 1000000:50000000 --connbytes-dir both --connbytes-mode bytes \
+ -j DSCP --set-dscp-class af41 \
+ -m comment --comment "HTTPS video streams (1-50MB)"
+
+ ##############################################################################
+ # TIER 4 - SERVICE DISCOVERY AND CDNS: Medium Priority (CS3)
+ ##############################################################################
+
+ # mDNS for device discovery (important for casting, AirPlay)
+ iptables -t mangle -A FORWARD -i lan -p udp --dport 5353 \
+ -j DSCP --set-dscp-class cs3 \
+ -m comment --comment "mDNS service discovery"
+
+ # Example gaming CDN ranges (uncomment and customize as needed)
+ # ipset add gaming_services 52.84.0.0/15 -exist # Amazon CloudFront
+ # ipset add gaming_services 23.32.0.0/11 -exist # Akamai
+
+ # Mark traffic to gaming CDNs (if you add IPs to the set above)
+ iptables -t mangle -A FORWARD -i lan -m set --match-set gaming_services dst \
+ -j DSCP --set-dscp-class cs3 \
+ -m comment --comment "Gaming service CDNs"
+
+ ##############################################################################
+ # TIER 5 - BULK DOWNLOADS: Lowest Priority (CS1)
+ ##############################################################################
+
+ # Large HTTPS downloads (over 50MB) - game updates, OS updates, etc.
+ iptables -t mangle -A FORWARD -i lan -p tcp --dport 443 \
+ -m connbytes --connbytes 50000000: --connbytes-dir both --connbytes-mode bytes \
+ -j DSCP --set-dscp-class cs1 \
+ -m comment --comment "Bulk HTTPS downloads (>50MB)"
+
+ ##############################################################################
+ # DOMAIN-BASED CLASSIFICATION (Examples - expand as needed)
+ ##############################################################################
+
+ # Note: These would be populated dynamically by DNS queries in a full implementation
+ # Example IP ranges (uncomment and customize as needed):
+ # Google Meet servers
+ # ipset add video_meet 74.125.0.0/16 -exist
+ # ipset add video_meet 142.250.0.0/15 -exist
+
+ # Netflix CDN ranges
+ # ipset add video_streaming 23.246.0.0/18 -exist
+ # ipset add video_streaming 37.77.184.0/21 -exist
+ # ipset add video_streaming 45.57.0.0/17 -exist
+
+ # Apply classifications to known service IPs (if you add IPs to the sets above)
+ iptables -t mangle -A FORWARD -i lan -m set --match-set video_meet dst \
+ -j DSCP --set-dscp-class ef \
+ -m comment --comment "Video conferencing services"
+
+ iptables -t mangle -A FORWARD -i lan -m set --match-set video_streaming dst \
+ -j DSCP --set-dscp-class af41 \
+ -m comment --comment "Video streaming services"
+ '';
+
+ # Clean up QoS rules when firewall stops
+ extraStopCommands = ''
+ # Remove CAKE qdisc
+ tc qdisc del dev lan root 2>/dev/null || true
+
+ # Clear mangle table rules
+ iptables -t mangle -F FORWARD 2>/dev/null || true
+
+ # Destroy IP sets
+ ipset destroy video_streaming 2>/dev/null || true
+ ipset destroy video_meet 2>/dev/null || true
+ ipset destroy gaming_services 2>/dev/null || true
+ '';
 };
 useNetworkd = true;
 bridges = {
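Review bot: `iptables -t mangle -F FORWARD` in `extraStopCommands` flushes the entire shared mangle FORWARD chain, not only the rules this hunk appends, while `extraCommands` only ever does `-A` with no matching removal, so any run of the start path that is not preceded by the stop path (a firewall reload, if the NixOS firewall re-runs `extraCommands` on reload as I believe it does) appends a second copy of every rule. Keeping the marking rules in a private chain that `extraCommands` creates, flushes and re-links on each run, and that `extraStopCommands` unlinks and deletes, makes both scripts idempotent and confines them to QoS state. Two further points on the classification itself: `-j DSCP` is a non-terminating target, so the last matching rule wins — the generic `--length 0:500` CS6 rule re-marks the PlayStation/Xbox CS5 packets above it, and the EF voice rule re-marks small packets in 50000:65535 again — so the numbered tiers in the comments are not the effective precedence; and the rules match `-i lan` (packets arriving from the LAN) while the only CAKE instance sits on `dev lan` root, i.e. egress toward the LAN, so if `lan` is the LAN-side bridge the packets being marked leave on the WAN interface where no shaper is installed. The fence shows the chain-scoped start/stop skeleton; the individual rules are unchanged except that `FORWARD` becomes the private chain name.
```nix
  extraCommands = ''
    # Keep all QoS marking in a private chain so start, reload and stop
    # only ever touch our own rules (idempotent on repeated runs).
    iptables -t mangle -N qos-mark 2>/dev/null || true
    iptables -t mangle -F qos-mark
    iptables -t mangle -D FORWARD -j qos-mark 2>/dev/null || true
    iptables -t mangle -A FORWARD -j qos-mark

    # … unchanged: ipset create …, tc qdisc replace dev lan root cake … …

    # Every classification rule is appended to qos-mark instead of FORWARD, e.g.:
    iptables -t mangle -A qos-mark -i lan -p tcp -m multiport --dports 1935,3478:3480 \
      -j DSCP --set-dscp-class cs5 \
      -m comment --comment "PlayStation Network TCP"
    # … unchanged: remaining classification rules, FORWARD -> qos-mark …
  '';

  extraStopCommands = ''
    tc qdisc del dev lan root 2>/dev/null || true
    iptables -t mangle -D FORWARD -j qos-mark 2>/dev/null || true
    iptables -t mangle -F qos-mark 2>/dev/null || true
    iptables -t mangle -X qos-mark 2>/dev/null || true
    # … unchanged: ipset destroy … (must follow the rule removal above) …
  '';
```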