1.: Where does traffic originate from when DNAT has been applied, from the perspective of zones? I.e. what set of firewalls is applied when I have traffic coming in on WAN which is DNATed to an internal IP on LAN?
The reason I'm asking is that it seems like I did not have to apply any firewall rules to allow the traffic, even though my from-WAN rules for both LAN and LOCAL are default drop.
2.: What happens when multiple firewalls are applied to the same zone pair? Example: LAN from WAN has two different firewalls applied.
Are they merged or are they applied in some kind of order?
And here is a third bonus question: Does anyone know if there is any documentation on how to apply CAKE?
re 1: The zones only look at the ingress and egress interface. So if the ingress interface is in the WAN zone and the egress interface is in the LAN zone, the rule specified at "zone LAN from WAN firewall name <name>" is applied.
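To make the reply above concrete, here is an added example (mine, not from the thread): a VyOS 1.2 configuration script that publishes an internal HTTPS server through DNAT and allows it with zone-based firewalling. Interface names (eth0 = WAN, eth1 = LAN), the 203.0.113.1 WAN address, the 192.168.1.10 server and the firewall names are my assumptions. The `firewall_applied` helper resolves, from that same configuration, which firewall VyOS picks for a given ingress/egress interface pair, which is exactly the post-DNAT lookup the reply describes.

```shell
# Added example, not from the thread. Run with vbash on a VyOS 1.2 router to
# apply it; on any other host it only prints the commands. All names and
# addresses below are assumptions for illustration.
#
# DNAT happens in PREROUTING, before routing; zone-policy is evaluated in the
# FORWARD path using -i/-o interface matches. So a packet arriving on eth0 for
# 203.0.113.1:443 leaves on eth1 (zone LAN) and is judged by "zone LAN from WAN",
# not by "zone LOCAL from WAN". The firewall rule must therefore match the
# post-DNAT destination 192.168.1.10, not the public address.

vyos_zone_dnat_config() {
    cat <<'EOF'
set interfaces ethernet eth0 address 203.0.113.1/24
set interfaces ethernet eth1 address 192.168.1.1/24
set nat destination rule 10 description 'publish internal web server'
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 protocol tcp
set nat destination rule 10 destination address 203.0.113.1
set nat destination rule 10 destination port 443
set nat destination rule 10 translation address 192.168.1.10
set nat source rule 100 outbound-interface eth0
set nat source rule 100 translation address masquerade
set firewall name WAN-to-LAN default-action drop
set firewall name WAN-to-LAN rule 10 action accept
set firewall name WAN-to-LAN rule 10 state established enable
set firewall name WAN-to-LAN rule 10 state related enable
set firewall name WAN-to-LAN rule 20 action accept
set firewall name WAN-to-LAN rule 20 description 'DNATed HTTPS to the web server'
set firewall name WAN-to-LAN rule 20 protocol tcp
set firewall name WAN-to-LAN rule 20 destination address 192.168.1.10
set firewall name WAN-to-LAN rule 20 destination port 443
set firewall name WAN-to-LAN rule 20 state new enable
set firewall name WAN-to-LOCAL default-action drop
set firewall name WAN-to-LOCAL rule 10 action accept
set firewall name WAN-to-LOCAL rule 10 state established enable
set firewall name WAN-to-LOCAL rule 10 state related enable
set firewall name LAN-to-WAN default-action accept
set firewall name LAN-to-LOCAL default-action accept
set firewall name LOCAL-to-ANY default-action accept
set zone-policy zone WAN interface eth0
set zone-policy zone WAN default-action drop
set zone-policy zone LAN interface eth1
set zone-policy zone LAN default-action drop
set zone-policy zone LOCAL local-zone
set zone-policy zone LOCAL default-action drop
set zone-policy zone LAN from WAN firewall name WAN-to-LAN
set zone-policy zone LOCAL from WAN firewall name WAN-to-LOCAL
set zone-policy zone LOCAL from LAN firewall name LAN-to-LOCAL
set zone-policy zone WAN from LAN firewall name LAN-to-WAN
set zone-policy zone WAN from LOCAL firewall name LOCAL-to-ANY
set zone-policy zone LAN from LOCAL firewall name LOCAL-to-ANY
EOF
}

# Zone of an interface, read back from the configuration. Pass "local" for the
# router itself (the local-zone).
zone_of() {
    if [ "$1" = local ]; then
        vyos_zone_dnat_config | awk '$2=="zone-policy" && $5=="local-zone" {print $4}'
    else
        vyos_zone_dnat_config | awk -v i="$1" '$2=="zone-policy" && $5=="interface" && $6==i {print $4}'
    fi
}

# Which firewall name VyOS applies to a packet, given only the two things
# zone-policy looks at: ingress interface $1 and egress interface $2.
firewall_applied() {
    from=$(zone_of "$1"); to=$(zone_of "$2")
    vyos_zone_dnat_config | awk -v f="$from" -v t="$to" \
        '$2=="zone-policy" && $4==t && $5=="from" && $6==f && $7=="firewall" {print $9}'
}

# On VyOS: open a configuration session, feed the commands in, commit and save.
apply_on_vyos() {
    . /opt/vyatta/etc/functions/script-template
    configure
    eval "$(vyos_zone_dnat_config)"
    commit
    save
    exit
}

if [ -r /opt/vyatta/etc/functions/script-template ]; then
    apply_on_vyos
else
    vyos_zone_dnat_config
fi
```

`firewall_applied eth0 eth1` answers "WAN-to-LAN" and `firewall_applied eth0 local` answers "WAN-to-LOCAL", which is why a default-drop WAN-to-LAN firewall with no accept rule for 192.168.1.10 would stop the DNATed flow, and why a rule written against the public address 203.0.113.1 would never match it.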
VyOS does not support CAKE, but you can get very similar results to CAKE by using HTB + FQ-CoDel. You can do so by embedding an FQ-CoDel queue into a shaper policy.
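As an added example (mine, not from the reply above), this is the VyOS 1.2 traffic-policy that puts an FQ-CoDel queue inside an HTB shaper on the WAN egress. eth0 and the 20 Mbit/s uplink are assumptions, and the `target`, `interval` and `codel-quantum` tunables are the ones I assume VyOS 1.2 exposes under the shaper's `default` class; drop those three lines if your build rejects them.

```shell
# Added example, not from the thread: emit the VyOS commands for an HTB shaper
# with an embedded FQ-CoDel queue on interface $1 whose real uplink is $2 kbit/s.
# The shaper rate is 95% of the measured uplink so that HTB, not the modem, is
# the bottleneck queue; if the modem queues first, FQ-CoDel never sees the
# queue it is supposed to manage and you get the usual bufferbloat anyway.
# Paste the output into configure mode, then commit and save.
vyos_shaper_config() {
    dev=$1; link_kbit=$2
    case $link_kbit in ''|*[!0-9]*) echo "bad uplink rate: '$link_kbit'" >&2; return 1;; esac
    rate=$((link_kbit * 95 / 100))
    cat <<EOF
set traffic-policy shaper WAN-OUT description 'HTB + FQ-CoDel egress shaping'
set traffic-policy shaper WAN-OUT bandwidth ${rate}kbit
set traffic-policy shaper WAN-OUT default bandwidth 100%
set traffic-policy shaper WAN-OUT default ceiling 100%
set traffic-policy shaper WAN-OUT default queue-type fq-codel
set traffic-policy shaper WAN-OUT default target 5
set traffic-policy shaper WAN-OUT default interval 100
set traffic-policy shaper WAN-OUT default codel-quantum 1514
set interfaces ethernet $dev traffic-policy out WAN-OUT
EOF
}

# Defaults are assumptions: WAN on eth0 with a 20 Mbit/s uplink.
vyos_shaper_config "${1:-eth0}" "${2:-20000}"
```

After committing, `show queueing ethernet eth0` (or `tc -s qdisc show dev eth0`) should list an htb root with an fq_codel leaf; if you see only the interface's default qdisc, the policy was not bound to the interface.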
Just to note, the VyOS CLI does not natively support CAKE, but you can configure it the traditional "Linux" way. This is probably not encouraged or recommended (?). However, I am using CAKE on my 1.2.6-S1. You can see which schedulers the kernel supports in /lib/modules/kernel-version/kernel/net/sched and then use tc to configure them. E.g. for CAKE I just add the following to my /config/scripts/vyos-postconfig-bootup.script so it loads on boot:
CAKE does offer enhancements over HTB + FQ_CoDel; see this link. However, in all practicality I have noticed both work decently at my Internet upload speeds (I do not bother to shape download). CAKE feels smoother, but I cannot really quantify it. Speed tests show that CAKE has a bit of a slower ramp-up time but eventually stabilizes, whereas HTB ('traffic-policy shaper' in VyOS speak) + FQ_CoDel seems to be a bit jittery. Increasing the target value seems to help, but then I get what seem like weird connection "stalls" on certain flows. Another thing I have noticed is that setting the FQ_CoDel quantum to the suggested 300 for my speed makes my video streaming poor, whereas CAKE running quantum 300 (you can't change this; it's auto set/calculated for you) does not have the same impact on my streams.
So, a lot of words to really say... it depends on your particular traffic patterns and experience.
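The post above does not include its bootup script, so here is an added example of my own (not the poster's script) of what I would put in /config/scripts/vyos-postconfig-bootup.script to run CAKE on WAN egress of a VyOS 1.2 box with plain tc. The interface name eth0, the 20 Mbit/s uplink and the `WAN_IF`/`WAN_UP_KBIT` variable names are assumptions; the module path is the /lib/modules/<kernel-version>/kernel/net/sched directory the post points at.

```shell
# Added example, not from the thread. Save as /config/scripts/vyos-postconfig-bootup.script
# (it runs as root after the configuration has loaded). eth0 and 20000 kbit/s
# are assumptions; override with WAN_IF and WAN_UP_KBIT.
WAN_IF="${WAN_IF:-eth0}"
WAN_UP_KBIT="${WAN_UP_KBIT:-20000}"

log() {
    command -v logger >/dev/null 2>&1 && logger -t cake "$*"
    echo "cake: $*"
}

# True when the running kernel can provide the CAKE scheduler, either as the
# sch_cake module under /lib/modules/<kernel-version>/kernel/net/sched or built in.
cake_available() {
    kver=$(uname -r)
    ls /lib/modules/"$kver"/kernel/net/sched/sch_cake.ko* >/dev/null 2>&1 ||
        grep -qs 'sch_cake' /lib/modules/"$kver"/modules.builtin
}

# Build the tc command for an egress CAKE instance on $1 with a real uplink of
# $2 kbit/s. The shaped rate is 95% of the uplink so CAKE, not the modem, is the
# bottleneck queue. "nat" makes CAKE look up conntrack so per-host fairness is
# computed on the pre-masquerade LAN addresses; "diffserv4" keeps four priority
# tins; "ethernet" applies the Ethernet framing overhead preset. A non-numeric
# rate is rejected rather than silently producing an unshaped link.
cake_egress_cmd() {
    dev=$1; kbit=$2
    case $kbit in ''|*[!0-9]*) echo "bad uplink rate: '$kbit'" >&2; return 1;; esac
    rate=$((kbit * 95 / 100))
    echo "tc qdisc replace dev $dev root cake bandwidth ${rate}kbit diffserv4 nat ethernet"
}

apply_cake() {
    if ! cake_available; then
        log "sch_cake not available for kernel $(uname -r); leaving the default qdisc"
        return 0
    fi
    modprobe sch_cake 2>/dev/null || true   # no-op when CAKE is built in
    cmd=$(cake_egress_cmd "$WAN_IF" "$WAN_UP_KBIT") || return 1
    $cmd && log "applied: $cmd"
}

# Only act as root on a VyOS box (which is how the bootup script is run);
# elsewhere this file just defines the functions so they can be inspected.
if [ "$(id -u)" = 0 ] && [ -d /config/scripts ]; then
    apply_cake
fi
```

Check the result with `tc -s qdisc show dev eth0`, which should list a root `cake` qdisc and, after some traffic, per-tin drop and delay counters. Do not also assign a VyOS `traffic-policy out` to the same interface: committing that installs VyOS's own root qdisc and replaces the CAKE instance.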