When both SNAT and an outbound traffic-policy have been configured, translations will happen before traffic policy comes into action. So, if a traffic-policy has been configured to classify traffic according to addresses, that will not work, as traffic-policy will see translated addresses. So very likely all the traffic will end up in its //default// class.
Fortunately, there is a solution for this when SNAT is in place and we want to apply a traffic-policy to outbound traffic; it is explained [[ https://blog.vyos.io/using-the-policy-route-and-packet-marking-for-custom-qos-matches | here ]], and it is done through the VyOS CLI.
Without SNAT, there is also a solution for "ingress shaping": we do it through IFB. [[ https://docs.vyos.io/en/latest/qos.html#the-case-of-ingress-shaping | Here ]] is the explanation, and it is done through the VyOS CLI too.
The missing part is a CLI solution for an inbound traffic-policy when there is SNAT. I have not found the way to configure it through the CLI.
Maybe it is possible through conntrack-sync?
As it is perfectly possible to successfully have ingress shaping with SNAT, as explained [[ https://wiki.archlinux.org/index.php/advanced_traffic_control#Example_of_ingress_traffic_shaping_with_SNAT | here ]], it would be nice to fill that CLI gap in order to have a complete QoS solution for the most common scenarios.
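
The gap described above, shown at the plain Linux level as an added example that is not part of the original task and is not VyOS CLI syntax: the connection is marked before SNAT rewrites the source, and the mark is restored on WAN ingress before redirecting to the IFB. The interface names, host address, mark value and rates are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: plain iptables/tc, not VyOS CLI. All names and values below
# (eth0, ifb0, 192.168.1.10, mark 10, 20mbit/5mbit) are assumptions.

# Print the commands instead of running them, so the plan can be reviewed
# first; pipe the output to "sh" as root to apply it.
ingress_snat_shaping_cmds() {
    wan=$1; ifb=$2; host=$3; mark=$4; total=$5; limited=$6
    cat <<EOF
# 1. Mark the connection while the private source address is still visible
#    (mangle/FORWARD runs before SNAT in nat/POSTROUTING).
iptables -t mangle -A FORWARD -o $wan -s $host -j CONNMARK --set-mark $mark
# 2. Bring up the IFB device that will carry redirected ingress traffic.
ip link add $ifb type ifb
ip link set dev $ifb up
# 3. On WAN ingress, copy the conntrack mark onto each reply packet and
#    redirect it to the IFB. Ingress tc runs before the reverse translation,
#    so the mark is the only way to tell which inside host the packet is for.
tc qdisc add dev $wan handle ffff: ingress
tc filter add dev $wan parent ffff: protocol ip u32 match u32 0 0 action connmark action mirred egress redirect dev $ifb
# 4. Shape on the IFB; the fw filter classifies by the restored mark.
tc qdisc add dev $ifb root handle 1: htb default 20
tc class add dev $ifb parent 1: classid 1:1 htb rate $total
tc class add dev $ifb parent 1:1 classid 1:10 htb rate $limited ceil $limited
tc class add dev $ifb parent 1:1 classid 1:20 htb rate $limited ceil $total
tc filter add dev $ifb parent 1: protocol ip handle $mark fw flowid 1:10
EOF
}

ingress_snat_shaping_cmds eth0 ifb0 192.168.1.10 10 20mbit 5mbit
```

A traffic-policy that matches on the inside address directly cannot work at step 3, because the reply packets still carry the translated public destination address at that point.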