From: Daniel Santos
Date: Fri, 27 Apr 2018 12:50:04 +0000
Subject: Advanced QoS camera traffic inside VPN on Asus router
Message-Id: <5b8ba23d113f27676ccd354c8d0f5399@tango.lu>
To: lartc@vger.kernel.org

Hello List,

I have a difficult QoS issue to solve on a DSL-AC52U router.

I have some IP cameras on a network which send out massive traffic to a video server on the other side of a layer 2 VPN. This VPN carries other data (SSH/RDP/VNC) which needs to be prioritized over the IP camera traffic, and to complicate things there are regular network protocols which are non-VPN (SSH/RDP/VNC again and pretty much everything else) which also need to be prioritized against the camera traffic.

Is it even possible to merge the queues of 2 interfaces into one and prioritize by that?

To make it even more complex, the traffic from the camera (ra0, 2 GHz wifi) to the VPN (tap15) is bridged:

    # brctl show
    bridge name     bridge id               STP enabled     interfaces
    br0             8000.d017c30d90f0       no              ra0
                                                            elan.1
                                                            elan.2
                                                            elan.3
                                                            elan.4
                                                            rai0
                                                            tap15

Therefore the packets never enter the mangle chain. I don't care about any services on the camera, therefore I could just put that whole IP into the lowest priority QoS queue. For example:

    iptables -t mangle -I FORWARD -s 10.0.0.10 -j MARK --set-mark 1
    iptables -t mangle -I PREROUTING -s 10.0.0.10 -j MARK --set-mark 1

This has absolutely no effect.

    ebtables -I FORWARD -p IPv4 -o tap15+ -s 00:18:39:6b:ab:12 -j DROP

works using the camera's wifi MAC:

    Bridge chain: FORWARD, entries: 1, policy: ACCEPT
    -p IPv4 -s 0:18:39:6b:ab:12 -o tap15+ -j DROP , pcnt = 160 -- bcnt = 35702

ebtables, however, it seems is not able to mark the packets :( It has an option:

    mark - "Matches frames with the given unsigned mark value."

but it is a match, not a mark target.

What is the best solution/workaround for this issue?

The only one I can think of is to set up a second VPN tunnel between the 2 locations (same router <> same server) on a different port and put that second VPN tunnel into the lowest priority traffic.
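As an added example (not part of the original post, and not something the poster or the router firmware ships), the script below shows the two knobs a practitioner would check before falling back to a second tunnel: the bridge-nf sysctl that makes bridged IPv4 frames traverse the iptables mangle chain, and the ebtables `mark` target (distinct from the `mark` match the post quotes), which writes the skb mark that a tc `fw` filter can classify on. The camera MAC, bridge and tap15 names are taken from the post; the rates, mark value and class ids are assumptions, and whether the router's ebtables build includes the `ebt_mark` target must be verified on the device. The script prints the commands by default (QOS_DRY_RUN=1) so it can be reviewed before being applied with QOS_DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original post: classify the camera's bridged
# frames by source MAC with the ebtables 'mark' target and put them into a
# low-priority HTB class on the VPN tap interface.
# From the post: camera MAC 00:18:39:6b:ab:12, bridge br0, tunnel tap15.
# Assumed: mark value, class ids, and all bandwidth figures below.

CAM_MAC="00:18:39:6b:ab:12"
TUN_IF="tap15"
CAM_MARK=1
LINK_RATE="${LINK_RATE:-2mbit}"      # assumed ceiling of the VPN uplink
HIGH_RATE="${HIGH_RATE:-1536kbit}"   # assumed guaranteed rate for everything else
CAM_RATE="${CAM_RATE:-64kbit}"       # assumed guaranteed rate for the camera
CAM_CEIL="${CAM_CEIL:-512kbit}"      # assumed hard cap for the camera

# Dry-run by default: print each command instead of executing it.
QOS_DRY_RUN="${QOS_DRY_RUN:-1}"

run() {
    if [ "$QOS_DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Report whether bridged IPv4 frames are being pushed through iptables.
# With this sysctl at 1 the poster's iptables -t mangle rules would see the
# bridged camera packets; prints "absent" when the kernel lacks bridge-nf.
bridge_nf_state() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Mark every frame from the camera MAC as the bridge forwards it.
# The ebtables 'mark' target (module ebt_mark) sets skb->mark, which is what
# tc's fw classifier reads on egress of the bridge port (tap15).
mark_rules() {
    run ebtables -t filter -A FORWARD -s "$CAM_MAC" \
        -j mark --mark-set "$CAM_MARK" --mark-target ACCEPT
}

# HTB on the tunnel interface: unmarked traffic (SSH/RDP/VNC, everything else)
# goes to class 1:10 with the better priority; marked camera frames go to
# class 1:20, lowest priority and capped at CAM_CEIL so they cannot starve
# the rest of the tunnel.
tc_rules() {
    run tc qdisc del dev "$TUN_IF" root 2>/dev/null
    run tc qdisc add dev "$TUN_IF" root handle 1: htb default 10
    run tc class add dev "$TUN_IF" parent 1: classid 1:1 \
        htb rate "$LINK_RATE" ceil "$LINK_RATE"
    run tc class add dev "$TUN_IF" parent 1:1 classid 1:10 \
        htb rate "$HIGH_RATE" ceil "$LINK_RATE" prio 0
    run tc class add dev "$TUN_IF" parent 1:1 classid 1:20 \
        htb rate "$CAM_RATE" ceil "$CAM_CEIL" prio 7
    # protocol all: on a tap port the frame still carries its Ethernet header
    run tc filter add dev "$TUN_IF" parent 1: protocol all prio 1 \
        handle "$CAM_MARK" fw flowid 1:20
}

apply_qos() {
    mark_rules
    tc_rules
}

echo "bridge-nf-call-iptables: $(bridge_nf_state)"
apply_qos
```

The mark is set inside the kernel bridge path and is consumed on tap15's egress queue, so this shapes the camera against the other traffic inside the tunnel. It does not reach the non-VPN traffic the post also mentions: once a userspace VPN daemon reads the frames from the tap device and re-encapsulates them, the skb mark is gone, so prioritizing VPN against non-VPN traffic on the WAN interface needs a separate classifier (for example on the tunnel's UDP port), which is the same limitation that motivates the second-tunnel workaround.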