traffic shaping on vlan make wireguard stop working

sch tel telsch at gmx.de
Mon Jun 10 21:58:06 CEST 2019


Hello list!

I tried to apply tc traffic shaping rules to limit outgoing traffic (independent of whether it is WireGuard traffic or not) on the external VLAN interface, but a short time after I applied those rules I couldn't even ping the other host through the wg0 interface any more.

I have following setup:

eth0: external link
    eth0.1: vlan1 fast uplink (primary)
    eth0.2: vlan2 slow uplink (backup)

wg0: wireguard interface

eth1: internal link

My goal was to shape all traffic going out through one of the 2 VLAN interfaces, which have different speeds. So I applied the rules on eth0.1 (and eth0.2):
    tc qdisc del dev eth0.1 root 2>/dev/null
    tc qdisc add dev eth0.1 root handle 1: htb default 17
    tc class add dev eth0.1 parent 1: classid 1:1 htb rate 10mbit
    tc class add dev eth0.1 parent 1:1 classid 1:16 htb rate 2mbit ceil 10mbit burst 4m
    tc class add dev eth0.1 parent 1:1 classid 1:17 htb rate 8mbit ceil 10mbit burst 4m
    tc qdisc add dev eth0.1 parent 1:16 handle 16: sfq perturb 10
    tc qdisc add dev eth0.1 parent 1:17 handle 17: sfq perturb 10
    tc filter add dev eth0.1 parent 1: protocol ip handle 0x64 fw flowid 1:16
    iptables -t mangle -A OUTPUT -o 'wg+' -j MARK --set-mark 0x64

In iptables I see that packets are marked and the packet counters count up, also in tc:
    tc -s class ls dev eth0.1

On the server side UDP packets are still received.

Any hints as to what I'm doing wrong with this kind of setup?
Thanks for your help!
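A check that helps narrow this kind of problem down, added here as an example and not part of the post above: parse the output of `tc -s class show dev eth0.1` and see which HTB leaf class the packets actually land in and where drops occur. The point of interest is whether the fw filter on eth0.1 (handle 0x64 -> 1:16) ever matches. The MARK rule in the mangle OUTPUT chain matches `-o wg+`, i.e. the inner packets going into wg0; the encapsulated UDP datagrams that leave eth0.1 are separate locally generated packets which carry the fwmark configured on the WireGuard interface itself (`wg set wg0 fwmark ...`), not the mark of the inner packet (this is a property of WireGuard's socket code, not something stated in the post). If the counters of 1:16 stay at zero while 1:17 carries everything and shows drops or overlimits, the marking never reached the outer packets and the tunnel traffic is being shaped by the default class. The tc output below is constructed for the example, not captured from the poster's machine, and the class ids 1:16/1:17 are taken from the rules in the post.

```python
import re

# Constructed sample of `tc -s class show dev eth0.1` for the HTB tree in the post.
# Not captured from a real host; the numbers are invented to show the pattern.
SAMPLE_TC_OUTPUT = """\
class htb 1:1 root rate 10Mbit ceil 10Mbit burst 1600b cburst 1600b
 Sent 4203811 bytes 5120 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 20000 ctokens: 20000

class htb 1:16 parent 1:1 leaf 16: prio 0 rate 2Mbit ceil 10Mbit burst 4Mb cburst 1600b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 250000 ctokens: 20000

class htb 1:17 parent 1:1 leaf 17: prio 0 rate 8Mbit ceil 10Mbit burst 4Mb cburst 1600b
 Sent 4203811 bytes 5120 pkt (dropped 37, overlimits 812 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 5120 borrowed: 0 giants: 0
 tokens: 62500 ctokens: 20000
"""

# "class htb 1:1 root ..." or "class htb 1:16 parent 1:1 ..."
CLASS_RE = re.compile(r"^class htb (\S+) (?:root|parent (\S+))")
# " Sent 123 bytes 45 pkt (dropped 0, overlimits 0 requeues 0)"
SENT_RE = re.compile(
    r"^\s*Sent (\d+) bytes (\d+) pkt \(dropped (\d+), overlimits (\d+) requeues (\d+)\)"
)


def parse_tc_classes(text):
    """Map classid -> counters for every HTB class in `tc -s class show` output."""
    classes = {}
    current = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            classes[current] = {
                "parent": m.group(2),  # None for the root class
                "bytes": 0, "pkts": 0, "dropped": 0, "overlimits": 0,
            }
            continue
        m = SENT_RE.match(line)
        if m and current is not None:
            c = classes[current]
            c["bytes"], c["pkts"], c["dropped"], c["overlimits"] = (
                int(x) for x in m.groups()[:4]
            )
    return classes


def leaf_classes(classes):
    """Leaf classes are the ones nobody names as a parent; only leaves carry queues."""
    parents = {c["parent"] for c in classes.values() if c["parent"]}
    return {cid: c for cid, c in classes.items() if cid not in parents}


def diagnose(classes, marked="1:16", default="1:17"):
    """Did the fw filter ever steer packets into `marked`, and which leaves drop?"""
    leaves = leaf_classes(classes)
    marked_pkts = classes.get(marked, {}).get("pkts", 0)
    default_pkts = classes.get(default, {}).get("pkts", 0)
    drops = {cid: c["dropped"] for cid, c in leaves.items() if c["dropped"] > 0}
    return {
        "marked_pkts": marked_pkts,
        "default_pkts": default_pkts,
        # True only if at least one packet was classified into the marked class.
        "filter_matched": marked_pkts > 0,
        "drops": drops,
    }


if __name__ == "__main__":
    stats = parse_tc_classes(SAMPLE_TC_OUTPUT)
    print(diagnose(stats))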
