Issues on policy route

Dear sir,

I am trying to set the packet mark in a policy route for CDN bandwidth, but it has some issues.
I want to find where the wrong configuration is in my router.

eth3 vif 350 is the WAN interface.
eth0 is the LAN interface.
My source IP address is 192.168.20.18/29, where I want to allow 100mbit bandwidth as CDN and 20mbps for international.
My router configuration looks like the following:

vyos@vyos# sh firewall
all-ping enable
broadcast-ping disable
config-trap disable
group {
    network-group CDN-LIST {
        network 103.211.148.0/22
        network 103.94.252.192/26
        network 43.228.195.0/25
        network 103.94.254.192/26
        network 43.228.192.192/26
        network 43.228.195.128/26
        network 103.94.252.128/26
        network 103.94.254.128/26
        network 43.228.194.0/25
    }
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
twa-hazards-protection disable
[edit]
vyos@vyos# sh policy route
route CDN-ADD {
    rule 100 {
        destination {
            group {
                network-group CDN-LIST
            }
        }
        set {
            mark 20
        }
        source {
        }
    }
}
[edit]
vyos@vyos#
limiter ISP-IN {
    class 10 {
        bandwidth 20mbit
        burst 2mbit
        match HOST-20MB-IN {
            ip {
                destination {
                    address 192.168.20.18/32
                }
            }
        }
    }
    default {
        bandwidth 200mbit
    }
}
shaper CDN {
    class 11 {
        bandwidth 100mbit
        burst 2mbit
        match CDN-BYPASS {
            ip {
                destination {
                    address 192.168.20.18/32
                }
                source {
                    address 192.168.20.18/32
                }
            }
            mark 10
        }
    }
    default {
        bandwidth 100%
    }
}
shaper ISP-OUT {
    bandwidth auto
    class 10 {
        bandwidth 20mbit
        match HOST-20M {
            ip {
                source {
                    address 192.168.20.18/32
                }
            }
        }
    }
    default {
        bandwidth 100%
    }
}
[edit]

The traffic policy is applied on the WAN interface for international bandwidth.
For CDN, the traffic policy is applied on eth0 as a shaper.
The policy route is applied on eth0 (LAN).

regards
Arun tamrakar

The policy is applied to the WAN interface, and matches on LAN addresses.
If SNAT is involved, you can't match on LAN addresses.
(You could move the policy to the LAN interface, or use packet markings.)
Also, using limiting is bad practice. Either use ifb to redirect, so you can use shaping instead, or move the policy to the LAN interface, so the policy applies to outgoing packets and can use shaping.