(3 July 2019 update and TL;DR: the PPPoE server wasn't the problem; see my most recent post where I discuss MT bridges secretly resetting CoS on forwarded VLAN frames)
'lo all,
Let's hypothesize that I am running a PPPoE server on a 802.1q (ethertype 0x8100) VLAN. So, IP packets to be forwarded over a logical PPPoE interface come in as raw IP packets on one ethernet interface, and when they egress the router, they leave as VLAN-encapsulated PPPoE (0x8864 inside of 0x8100).
As the router forwards IP packets down a PPPoE tunnel, I want it to look at the DSCP field of the packet it is forwarding, and copy the top 3 bits to the VLAN CoS (802.1p) field. If no PPPoE server is involved, this works fine using IP Mangle rule with "action=set-priority new-priority=from-dscp-high-3-bits". But with a PPPoE server in the mix, it doesn't work. The IP Mangle rule's packet and byte counters DO increase, but I'm guessing that in this arrangement, the VLAN tag is not applied until after postrouting chain (because the PPPoE interface is the "out" interface for the purposes of forwarding, not the VLAN).
I can't simply drop the VLAN in a bridge, run the PPPoE server on the bridge interface, and set "use-ip-firewall-for-pppoe=yes", because as far as I can tell, IP Firewall only gets applied to bridged traffic that is being forwarded (actually bridged from one port to another), not traffic that is originating from the router itself (that is, when the router is performing the PPPoE encapsulation, not merely bridging already-encapsulated frames). I did try it anyway "just in case", but of course it didn't work. I also tried creating a bridge filter rule that "set priority" "from ingress" on the "output" bridge filter chain, but that made no difference.
I *CAN* get this to work by putting a second router PHYSICALLY IN FRONT OF the PPPoE server that terminates the VLAN, bridges that VLAN to another VLAN on a different ethernet port, and has "use-ip-firewall-for-pppoe=yes" set along with the appropriate IP Mangle rule. But I don't want to have to throw a dedicated piece of hardware at the problem *JUST* to do this one thing. I want the PPPoE server *itself* to apply the correct CoS to the VLAN frame.
What am I missing?
Thanks much!
-- Nathan