vpn with qos and incoming ssh: how to use packet marks

Discussion in 'Tomato Firmware' started by emmteedee, Nov 4, 2018.

  1. emmteedee

    emmteedee, New Member

    I'm using EasyTomato, and I've set up an OpenVPN client to route most traffic over vpn, but also allow incoming ssh over wan. Specifically, in mangle PREROUTING I'm setting a mark of 0x1 to packets coming in on vlan2 (wan), I filter them later as needed, I have a separate routing table called novpn which contains everything except tun11 rules, and an ip rule to use the novpn table when the packet mark is 0x1. That part is fine.

    Now I'd like to add QoS inside the VPN tunnel. Specifically, I'd like to use the instructions in this post:

    However, I noticed that QoS also uses packet/connection marks to operate, which breaks my scheme about allowing incoming ssh over vlan2.

    My question is: does anybody understand how QoS uses packet marks? IIUC, the marks are 32 bits wide, so all I would need is a bit that's guaranteed not to be used by QoS to implement the selective routing back over vlan2. Is there such an unused bit? I've looked around, but I cannot find a description of which marks QoS is using.
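The interaction the poster is asking about comes down to whether each rule writes the whole 32-bit mark or only a masked slice of it. The block below is an added example, not code from the thread or from the EasyTomato/Tomato QoS script; it models the documented semantics of `iptables -j MARK --set-mark value/mask`, `-j MARK --set-xmark value/mask`, `-j CONNMARK --restore-mark --mask`, and `ip rule add fwmark value/mask`, then runs the poster's scenario through them. The QoS mask (`QOS_MASK = 0x000000ff`) and class value are assumptions for illustration, not Tomato's real values; the routing bit `0x80000000`, the interface names vlan2/tun11 and the table name novpn are carried over from the post.

```python
"""Bit-level model of how packet marks, connection marks and fwmark rules
interact. Added example for the thread, not the poster's config and not
Tomato's QoS script. QOS_MASK and the QoS class value are assumed."""

ALL = 0xFFFFFFFF

# Bit reserved for "arrived on vlan2, route back out vlan2 via table novpn".
ROUTE_BIT = 0x80000000
ROUTE_MASK = 0x80000000

# ASSUMPTION: QoS classification lives in the low byte. Tomato's real mask
# is not stated in the thread; substitute the value from the QoS script.
QOS_MASK = 0x000000FF


def set_mark(nfmark, value, mask=ALL):
    """iptables -j MARK --set-mark value/mask: nfmark = (nfmark & ~mask) | value.
    With no /mask iptables uses 0xffffffff, i.e. the whole mark is replaced."""
    return ((nfmark & ~mask) | value) & ALL


def set_xmark(nfmark, value, mask=ALL):
    """iptables -j MARK --set-xmark value/mask: nfmark = (nfmark & ~mask) ^ value."""
    return ((nfmark & ~mask) ^ value) & ALL


def restore_mark(nfmark, ctmark, mask=ALL):
    """iptables -j CONNMARK --restore-mark --mask m: copies only the masked
    bits of the connection mark into the packet mark."""
    return ((nfmark & ~mask) | (ctmark & mask)) & ALL


def fwmark_matches(nfmark, value, mask=ALL):
    """ip rule add fwmark value/mask ... : selects when (nfmark & mask) == value."""
    return (nfmark & mask) == value


def masks_disjoint(a, b):
    """True when the two rule sets can never overwrite each other's bits."""
    return (a & b) == 0


def survives_qos(qos_masked, qos_class=0x03, ctmark=0x03):
    """Poster's scenario: vlan2 packet tagged in PREROUTING, then QoS marks it.
    Returns True if the novpn rule would still fire afterwards.
    qos_class / ctmark are hypothetical values a QoS script might write."""
    mark = set_mark(0, ROUTE_BIT, ROUTE_MASK)          # our PREROUTING rule
    if qos_masked:
        mark = restore_mark(mark, ctmark, QOS_MASK)    # QoS restores only its byte
        mark = set_mark(mark, qos_class, QOS_MASK)     # QoS sets only its byte
    else:
        mark = restore_mark(mark, ctmark)              # plain --restore-mark
        mark = set_mark(mark, qos_class)               # plain --set-mark N
    return fwmark_matches(mark, ROUTE_BIT, ROUTE_MASK)


def rule_lines():
    """Command lines that keep the routing bit isolated from the QoS bits
    (example commands, not the poster's existing ruleset)."""
    rb, rm = f"0x{ROUTE_BIT:08x}", f"0x{ROUTE_MASK:08x}"
    return [
        # Tag inbound WAN packets, touching only the reserved bit.
        f"iptables -t mangle -A PREROUTING -i vlan2 -j MARK --set-xmark {rb}/{rm}",
        # Policy-route only on that bit, so QoS can use the rest of the mark.
        f"ip rule add fwmark {rb}/{rm} table novpn",
        # Any QoS CONNMARK restore must be masked, or it clobbers the bit.
        f"iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark --mask 0x{QOS_MASK:08x}",
    ]


if __name__ == "__main__":
    print("unmasked QoS keeps novpn routing:", survives_qos(False))
    print("masked QoS keeps novpn routing:  ", survives_qos(True))
    print("masks disjoint:", masks_disjoint(ROUTE_MASK, QOS_MASK))
    print("\n".join(rule_lines()))
```

The point the model makes: a reserved bit is only safe if every rule that writes the mark, including the QoS script's `CONNMARK --restore-mark` and `MARK --set-mark` lines, carries a `/mask` that excludes that bit, and the `ip rule` matches with the same `value/mask` rather than a bare value. Check the QoS script's actual mask before picking the bit; if it restores with the default full mask, the routing rule either has to run after it in PREROUTING or the restore has to be patched to use `--mask`.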

