Traffic Shaping (simulate packet delay and loss) on Linux Wi-FI Access Point

Question

I have a Pi 3 B+ setup as Wi-Fi access point and would like to simulate packet delays and packet loss for connected devices communicating through the AP. I thought that I could achieve this using tc and iptables to cause packet jitter and loss for connected devices communicating through the AP but those packets are unaffected. The only packets that are affected are packets from a connected device who's destination IP is the AP or AP packets who's destination who's destination IP is a connected device. Any insight on how to affect connected devices communicating through the AP would be greatly appreciated. Also I cannot modify the software or configuration on the devices connected to the AP. I tried commands similar to the ones below on the AP without success.

tc qdisc change dev wlan0 root netem delay 100ms 10ms

tc qdisc change dev wlan0 root netem loss 0.1

iptables -D INPUT -m statistic --mode random --probability 0.2 -j DROP

iptables -D OUTPUT -m statistic --mode random --probability 0.2 -j DROP

iptables -D FORWARD -m statistic --mode random --probability 0.2 -j DROP

Answer 1

You should be able to use netem for this purpose, without requiring iptables. You can combine the delay and loss you require in a single netem instance.

However, each qdisc only handles outgoing traffic on its interface by default. Incoming traffic involves a different path, and you have to put a separate qdisc on that path to influence them. You could either attach a second netem instance to the Ethernet interface, or direct the Wifi ingress traffic to pass through a virtual intermediate device. The latter requires:

ifconfig ifb0 up
tc qdisc add dev wlan0 handle ffff: ingress
tc filter add dev wlan0 parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev ifb0
tc qdisc add dev ifb0 root netem ...

One reason why iptables might not be working for you is that, by default, bridged traffic does not pass through it for efficiency reasons, only routed traffic does. There is a compile-time kernel configuration option to send bridged traffic through iptables as well, but I don't think that's necessary in your case.