Can;t get my QOS to work

I am using the 20171107 build as I can;t get the 1.17 or the 1.1.8 RC2 to load on my bare metal.

OK I have 3 NICs configured for

eth0 - LAN
eth1 - Comcast
eth2 - Uverse

I had no problem getting load balancing set up across the 2 ISPs after reading and it works very well.

What I am struggling with is QOS. I se tup the following QOS rules on the LAN side to tag traffic for dscp based on source address.

This is basic info I have set up for load balancing:

set load-balancing wan enable-local-traffic
set load-balancing wan disable-source-nat
set load-balancing wan flush-connections


set policy route QOS_RULES
set policy route QOS_RULES description “QOS Rules”

set policy route QOS_RULES rule 100 source address 192.168.y.xxx/32
set policy route QOS_RULES rule 100 set dscp 38

set policy route QOS_RULES rule 131 source address 192.168.y.xxx/32
set policy route QOS_RULES rule 131 set dscp 26

set policy route QOS_RULES rule 132 source address 192.168.y.xxx/32
set policy route QOS_RULES rule 132 set dscp 26

set policy route QOS_RULES rule 133 source address 192.168.y.xxx/32
set policy route QOS_RULES rule 133 set dscp 26

set policy route QOS_RULES rule 134 source address 192.168.y.xxx/32
set policy route QOS_RULES rule 134 set dscp 26

set policy route QOS_RULES rule 135 source address 192.168.y.xxx/32
set policy route QOS_RULES rule 135 set dscp 26

set policy route QOS_RULES rule 136 source address 192.168.y.xxx/32
set policy route QOS_RULES rule 136 set dscp 26

set policy route QOS_RULES rule 161 source address 192.168.y.xxx/32
set policy route QOS_RULES rule 161 set dscp 14

set policy route QOS_RULES rule 162 source address 192.168.y.xxx/32
set policy route QOS_RULES rule 162 set dscp 14

set policy route QOS_RULES rule 171 source address 192.168.y.xxx/32
set policy route QOS_RULES rule 171 set dscp 10

set policy route QOS_RULES rule 199
set policy route QOS_RULES rule 199 source address 192.168.y.xxxx/24
set policy route QOS_RULES rule 199 set dscp 18

set interfaces ethernet eth0 policy route QOS_RULES


I know the rules are working becasue when I do a SHOW POLICY I can see traffic hitting the various rules which means the dscp should be applied. and it show the condition correctly.

I then use the traffic-policy shaper basically following the example from the vyatta manual and several other locations to apply the below:


set traffic-policy shaper Upload-Comcast description “Comcast Upload QOS”
set traffic-policy shaper Upload-Comcast bandwidth 29mbit

set traffic-policy shaper Upload-Comcast default bandwidth 40%
set traffic-policy shaper Upload-Comcast default ceiling 95%
rem set traffic-policy shaper Upload-Comcast default priority 4

set traffic-policy shaper Upload-Comcast class 10 description “Voice”
set traffic-policy shaper Upload-Comcast class 10 bandwidth 10%
set traffic-policy shaper Upload-Comcast class 10 ceiling 95%
set traffic-policy shaper Upload-Comcast class 10 match VOICE ip dscp 38

set traffic-policy shaper Upload-Comcast class 30 description “Video”
set traffic-policy shaper Upload-Comcast class 30 bandwidth 20%
set traffic-policy shaper Upload-Comcast class 30 ceiling 95%
set traffic-policy shaper Upload-Comcast class 30 match VIDEO ip dscp 26

set traffic-policy shaper Upload-Comcast class 60 description “Cloud Backups”
set traffic-policy shaper Upload-Comcast class 60 bandwidth 20%
set traffic-policy shaper Upload-Comcast class 60 ceiling 95%
set traffic-policy shaper Upload-Comcast class 60 match BACKUPS ip dscp 14

set traffic-policy shaper Upload-Comcast class 70 description “Bitorrent”
set traffic-policy shaper Upload-Comcast class 70 bandwidth 10%
set traffic-policy shaper Upload-Comcast class 70 ceiling 75%
set traffic-policy shaper Upload-Comcast class 70 match TORRENTS ip dscp 10

set interfaces ethernet eth1 traffic-policy out Upload-Comcast


The problem is when I use the SHOW QUEUEING ETHERNET command I get the below output which show me that the outbound is all going to default class. Any help would be appreciated as I have been racking my brain for a few days now.

eth0 Queueing:
Class Policy Sent Dropped Overlimit Backlog
root [mq] 1630574341 0 0 0
1 default 707717599 0 0 0
2 default 161641936 0 0 0
3 default 649818700 0 0 0
4 default 111396106 0 0 0

eth1 Queueing:
Class Policy Sent Dropped Overlimit Backlog
root shaper 204002131 1030 234407 0
10 fair-queue 0 0 0 0
30 fair-queue 0 0 0 0
60 fair-queue 0 0 0 0
70 fair-queue 0 0 0 0
default fair-queue 204002131 1030 0 0

eth2 Queueing:
Class Policy Sent Dropped Overlimit Backlog
root shaper 42596282 183 46425 0
10 fair-queue 0 0 0 0
30 fair-queue 0 0 0 0
60 fair-queue 0 0 0 0
70 fair-queue 0 0 0 0
default fair-queue 42596282 183 0 0

As an FYI I had copied some defualt stuff form my EdgeRouter Lite and maybe I don’t need it now:
set interfaces ethernet eth1 description COMCAST
set interfaces ethernet eth2 description UVERSE

set interfaces ethernet eth1 address dhcp
set interfaces ethernet eth2 address dhcp

set nat source rule 5001 outbound-interface eth1
set nat source rule 5001 description ‘NAT masquerade for WAN’
set nat source rule 5001 translation address masquerade

set nat source rule 5002 outbound-interface eth2
set nat source rule 5002 description ‘NAT masquerade for WAN’
set nat source rule 5002 translation address masquerade

Thasks in advance!

When I do a show policy route statistics I get the blow. The drop rule is added by default and can not be removed. Seems that most traffic hits that rule as well, I thought these were evaluated in order and then only acted on when they are encountered?

Active on (eth0,ROUTE)

rule packets bytes action source destination


100 0 0 192.168.0.161/32 0.0.0.0/0
131 0 0 192.168.0.181/32 0.0.0.0/0
132 1.36K 77.42K 192.168.0.182/32 0.0.0.0/0
133 11 1.96K 192.168.0.183/32 0.0.0.0/0
134 0 0 192.168.0.184/32 0.0.0.0/0
135 990 309.00K 192.168.0.185/32 0.0.0.0/0
136 0 0 192.168.0.186/32 0.0.0.0/0
161 19 3.24K 192.168.0.191/32 0.0.0.0/0
162 8 2.44K 192.168.0.192/32 0.0.0.0/0
171 66 18.35K 192.168.0.170/32 0.0.0.0/0
199 4.23K 618.99K 192.168.0.0/24 0.0.0.0/0
10000 4.23K 618.99K DROP 0.0.0.0/0 0.0.0.0/0

OK I did a test and think I figured this out. Seem the rules get processed in order regardless, so my rule 199 was basically setting everything back to 1 dscp. I added that rule to the beginning to set all packets to a default dscp then as they traverse the remaining rules they get set if they meet the match. I assumed the policy route rules were processed lieka firewall, btu it seems they all get processed on every packet. I now see traffic hitting the different outbound classes. Not to see if I can generate enough traffic to test them.

I think this goes all the way back to Vyatta 5. If a policy route rule matches the current packet, and that rule includes ‘set table’, then the subsequent policy rules are not considered. If that rule includes any other ‘set’ options (dscp, mark, tcp-mss), the packet is modified and the subsequent policy rules are considered. So you can do something like:

set policy route xx rule 2 $$MATCH_CONDITIONS
set policy route xx rule 2 set dscp 10
set policy route xx rule 3 $$MATCH_CONDITIONS
set policy route xx rule 3 set table main

where every rule is duplicated, and the second copy sets the routing table just as a way to stop the evaluation of the subsequent rules.

when u use route policy apply it to wan side eth1(comcast) that serve as a packet marking requesting from your lan(eth0) traffic,
then use destination address instead of source address because your tagging from inside your lan, then your traffic policy apply it to lan(eth0)traffic policy out.

eth0 = traffic policy out
eth1 = your route policy

hope it helps

afaik, action accept in modify ruleset also stops processing.
The misconception of “end at first match” also has bitten me.