QoS strangeness

I'm having a difficult time figuring out how the QoS matcher settings work. 

**BUG** - It seems like even the global QoS setting, while the value is being saved, is not being properly applied post reboot. As seen in my screenshot I have a global QoS of 5000/5000 after a reboot, but I'm able to pull 30x30 up until I hit the save button on the global QoS area.

I've set a router up as shown in my attached png. I cannot get a more specific Rate-limit to apply for a Destination IP address. I've gotten the source address to work properly; right now my speedtests are coming back as 5x2. I haven't been able to figure out exactly what the magic was, but I think there are some further issues with how this data is saved, as seemingly just saving the rule after the rule doesn't get it applied. I think I had to save the global configuration again to get all the matcher rules applied again as well.

Then DST traffic destined for a NAT'd private IP just doesn't seem to hit the matcher.

I'll do some more testing with different types of rules and whatnot, but if nothing else I think we could use some clarifications on the process of saving / applying QoS features, as it hasn't been super intuitive, at least to me.


Reproduction Steps:

1. Cleared ALL QoS settings and set to disabled. (72x90)

2. Rebooted. Re-Enabled QoS, set values to 5000. Save. (74x94)

3. Rebooted. (There is no prompt saying it's required) (71x93)

4. Saved Global QoS again. (4x5)

5. Rebooted (73x92)

6. Saved Global QoS (5x5)

-----So that's all on getting the Global QoS working and when it breaks.... Continuing on from this config, going into matchers now

7. Added src= (static lease via ARP bind) Rate_Limit=2000; Saved matcher rule.   (5x2)

8. Reboot (71x94)

9. Saved Global QoS (5x2)
------So it seems part of my initial post was wrong in the specifics, it seems like it might be as simple as the router isn't remembering the value of QoS Enable = {X} after a reboot.

10. Added Dst= Rate_Limit=2000; Saved matcher rule (5x2)
-----Seemingly it's been proved that rebooting is not necessary for getting matcher rules to apply, so I'm going to forgo that action for now.

11. Deleted rule from '10' Added Interface=LAN1 Rate_Limit=2000; Saved matcher rule (5x2)

----I can't think of any other different ways to match traffic to limit the download speed of a specific host behind the LAN binding's NAT rule.  Anyone know if this is possible? 

Thanks for sharing your feedback and detailed results.

Following is the explanation for QoS Functionality in cnPilot-R200.

Please use firmware version 4.2-R4 for further testing. The QoS setting for rate limit working for upstream traffic will be shown further. The “Dst. IP Address” is not for a LAN port PC, hence your testing results were not appropriate. Following is my test topology which I have used while testing.

  1. Topology

 Please configure the R200 router in NAT mode. First of all, let me explain how the cnPilot Router's QoS works. This router's QoS setting relies on iptables. Now in our configuration, for traffic from LAN (whether input stream or output stream), the configured policy below will be applied.

  2. QoS setting configured in the following way:


Here I have configured two rules

  1. To drop ICMP ping  from source IP (PC1).
  2. To web access from “To” Dst. IP ( some web server – https traffic).

Following are my test results with above two configured policies.

  1. drop icmp ping


but when pinging LAN from another PC, it can also pass through

This is because the traffic does not reach LAN( port


  2. drop web access


Now I will explain how traffic rate limit works:

As per the QoS setting menu, I configured an upstream traffic of 10240 kbps (10M). Now I am using PC1 to send 20M traffic to PC3. We will now observe that the WAN output stream will limit the upstream as per our QoS Rate limit configuration.


Now we can see that average traffic is 8.032 Mbps.

I hope I have clarified all your points. I will share release 4.2-R4 with you for further testing.

Please let me know if you need any further assistance.

I definitely think I understand what you're saying; I'm just going to paraphrase what you said to verify this. So the QoS matcher can only match information in the packet originally destined for the router, and not any of the packet information post NAT. In short, DST= will never result in a match.

So if I want to manipulate traffic destined for PC1, I can only manipulate traffic destined for LAN with the QoS global setting or try to learn the SRC_IP of the traffic that's destined for PC1.

Is there any hope that the WebUI will ever give us access to the prerouting / postrouting chains of iptables so I could potentially build a solution using packet marks or something?

I've attached a topology of what I'm trying to accomplish, but it definitely sounds like it's not possible at the moment.