Using QOS - Tutorial and discussion


Thanks Toastman.... I think I will experiment with deleting the Games class and putting all my VOIP stuff in the High class.

Use the games class for VOIP?

Another question though.... I notice the percentages in the Highest and High class are fairly low i.e. 5-20%. This runs very contrary to the default setting of Tomato which if I remember is Highest 80-100%, High 10-100%. In my case the 5-20% on a 1MB outbound line gives 42 - 170 kbit/s. My VOIP alone needs around 100kbit/sec.

Can you explain the reasoning around this relatively low figure for the high/highest categories, or direct me to a previous post that does? I don't doubt you, am just wondering how it works. Would I be safe to change it upwards, or how else should I guarantee bandwidth for my VOIP?

In my case VOIP isn't given any priority as we don't encourage people to use our bandwidth for phone calls in a shared environment. So it's sufficient. You can up this to suit your own use. My experiments in actually giving it priority have actually been quite positive, and I am adding VOIP to the Games class - which will now become Game/VOIP. Another important reason not to allow that class to take 100% if it's not needed, is that on occasions P2P can and will use those ports, and perhaps hog your bandwidth, without you realizing why.

Do you have any idea how best to classify Skype? Are the L7 rules effective? Or port-based ones? I used to use both a port-based rule for the Skype port and an L7 rule, high up on the list, but I'm not sure if it was effective or not.

Not too confident of this, as I don't use Skype myself, but the L7 rules seem to work quite well these days. The skype-to-skype L7 rule is OK, but the skypeout filter (to POTS telephone) allows so much P2P past that it's useless, and has to be disabled. You just have to experiment. Note - on the ASUS RT-N16 quite a few L7 rules can be loaded without any problem, but on a WRT54GL etc. too many will result in a noticeable slowdown of the router.

Also, when I'm looking at the connections graphs under your setup, I'm seeing a lot of "unclassified" connections. I am pretty certain these are mostly bittorrent as most of them have 6881 as src or dst port. I tried to add a rule at the bottom TCP/UDP Src or Dst Port = 6881 > Class D. However I still see a lot of these connections unclassified. What I don't understand is if I can see the src or destination port as 6881 in the Graphs/Details.... then how come they're not getting classified? I hasten to say I had the same with my previous setup.

Normally most unclassified connections are incoming attempts to connect to ports that have already been closed. Remote P2P clients etc. keep trying to connect regardless. They eventually give up but there will always be more opening. There's nothing you can do to stop this, it's just how it is.

Be aware that some of these may be Teredo or other connections associated with IPv6 (Windows Vista and 7), which is enabled by default. You should perhaps disable it on your PC from the command line:

netsh interface teredo set state disabled
 
double - just have to be patient. firmware.mooo.com is a server on my main desktop machine. If that's off then it won't be available. Having said that, usually it will be on 24/7.

fei2010 - distribution of the inbound traffic is something that Tomato lacks - and it would be really nice to have it. Tomato's incoming QOS is incomplete - there's no overall bandwidth limit and no incoming pie chart or graphs. Anyone fancy doing it?

Qwert - you're on your own with that one!
 
One more question: how about traffic that starts from the router? Do I need to set up a rule? I have Asterisk installed on the router and want to allocate the necessary bandwidth to allow smooth VoIP calls.
 
No idea about that. I believe it might be difficult - there have been several similar posts recently, take a look at the forum posts.
 
ty for your QOS rules Toastman.
Unfortunately I can't play any Team Fortress 2 nor Bad Company 2. It's lagging like hell. It worked fine w/ my dirty old QOS setup. Any suggestions?

--
You might wanna check your machine:
http://safebrowsing.clients.google....rmware.mooo.com/&client=googlechrome&hl=en-US

This is what I get if I try to access firmware.mooo.com.
Why don't you use Dropbox to host the files?
You can create a public folder w/ the newest beta, just like your current setup, except that it's more secure for you and the visitors and it will be available 24/7.

Should you need a Dropbox account, feel free to give me and yourself more space:
https://www.dropbox.com/referrals/NTI1MjU4MzQ5
 
Noted..

If your games lag like hell, obviously any QOS rules you have for the games and correct control of any others are not working properly. In my experience most games can be successfully prioritized by port. There are also some L7 filters for games that work.

Re the server ... I am not responsible for Google's blackmail. There are no trojans on this computer. And most certainly not in the very small directory FIRMWARE. Neither are there 288 pages and Google has no access to anything outside this directory. Therefore I would suggest that Google's warning is total CR*P because it is actually referring to the complete mooo.com domain which consists of many, many websites. Many of them are porn sites and warez distribution sites. But to imply all websites are malware - that's ridiculous and unnecessary scaremongering - one might even call it sabotage. Google have gotten too big for their boots with this and with their cookies and espionage. Pretty soon I expect they'll start blocking anyone that doesn't allow access to their damned adservers. Even now, 50% of web pages are slow to load because they are waiting for googleanalytics ... thanks a bunch Google for trashing the internet ....

I have no idea at all what this line means or how it is relevant: "Malicious software includes 38 trojan(s). Malicious software is hosted on 1 domain(s), including freemovies.hut.ru/" ---- WTF has this domain got to do with firmware.mooo.com?


Feel free to contact them if you wish. Nevertheless, firmware.mooo.com is now taken offline as of 15th July 2010, because I don't need this BS :)

Screw Google.

Anyone who wishes for latest compiles, feel free to compile your own versions with class labels from the source code I have already uploaded to repo.or.cz. I won't be uploading to any other site, nor will I be spending any more time on this - yhh.

T.
 
Hi ...

I have some questions and hope you can shed some more light on this ...
In front of my WRT54GL is a transparent proxy server ... so my router is a client of that proxy.
What QOS values should I use for inbound and outbound?
As far as I know the main connection is 3 Mbps down and 512 kbps up.

I ask this because it looks like the WRT54GL + Tomato acts as the primary gateway for the connection.
Thanks
 
I use L7 flash blocking to limit youtube traffic on my network. But it isn't effective, seems like the rule is doing nothing. Is it possible to have a rule which lets youtube use only 50% of my bandwidth, however many users try to access it. Because youtube traffic uses port 80, is there any way to prioritize usual http traffic (web pages) over youtube traffic?
 
Can QOS control Spambots?

A couple days ago something happened to me that has never happened before. Time Warner shut off my cable modem! When I finally figured out what happened (swapped out two routers, and then tried another cable modem that worked fine) I got a hold of TWC and they said they had suspended the Road Runner account because a computer on the network had contracted an "undetectable" virus that makes the PC send a continuous stream of emails. They said that the virus can be contracted when someone sees a popup on Facebook or Myspace that requests the user to install a virus software. Anyway, they said I have to bypass the router completely and hook up every client PC to the modem one at a time, run "whatismyip.com" and then check if that IP is blocked at "cbl.abuseat.org". After 24 hours I can run another PC into the cable modem until I find the offending computer.

Doesn't make much sense to me. If a client PC is indeed infected, how would TWC know the IP address of the PC if the PC is getting an IP from Tomato?

Anyway, has anyone heard of something like this before? TWC says if they have to suspend the modem 3 times they can block the account forever (the rep admitted they've never actually done that). Can a QOS or firewall script take care of a spambot problem like this? I have Toastman's QOS post #135 settings as well as firewall scripts running. Level 3 tier support said this particular virus is not picked up by any antivirus software and the only fix is a total reformat of the client PC's hard drive.
 
I'd recommend blocking port 25 outbound unless you're actually running a MTA.

Yes, this _can_ happen, it happened to me. However, the compromised machine didn't have to be reformatted, and it's completely undetectable...though it does stealth from the vast majority of known AV software using explorer spoofing. Rootkits can be nasty stuff. Fortunately, Vista and 7 64-bit's driver-signing model make this form of attack all but impossible, so there's hope for the future. ;)

If you're running XP (32-bit), there's a very good rootkit detector out there that might be able to help, but since it does present some risk, I'd prefer not to discuss it on-forum. PM me if you want to explore that further.

Rodney
 
Thanks for the tip. If I block 25, does that mean no one will be able to send outgoing mail unless they use web-based mail? And how do I actually do that, just drop 25 from the QOS rule for mail? That still leaves 465,563,587,110,119,143,220,993 and 995 on toastman's example, could the mail be coming through those ports instead?
 
Hrm...I'm assuming that this blast of outbound e-mails are going direct and not through your normal mailhop (something along the lines of smtp.twc.net). If that be the case, it should be reasonably simple to block "unauthorized" outbound e-mail via port 25 (I've yet to see a rootkit not use 25, since it's the SMTP standard port and easiest to use), since you can block all outbound connections to that port where the destination IP *isn't* the one you're actually using with your clients.

It has nothing to do with QoS - it will be a hand-crafted set of iptables rules that go in the Firewall script section.

Rodney
 
Ah, got it. OK I'm willing to try it. Right now the only scripts I have are in the firewall section to limit connections (again, per toastman's suggestions). Can you give me a pointer on what to type in to restrict unauthorized use of port 25? Sorry, I'm not a programmer just a harried and hassled landlord with college student tenants who should know better! Thanks so much (and sorry for taking this thread OT since I know it's really supposed to be about QOS).
 
Do you know the name or IP address of your ISP's outbound SMTP server (i.e. the one everyone "should" be using as their mail relay)?

Rodney
 
I'd advise something like the following in the Firewall script page:

Code:
iptables -t filter -A wanout -p tcp -d smtp-server.woh.rr.com --dport 25 -j ACCEPT
iptables -t filter -A wanout -p tcp --dport 25 -j LOG
iptables -t filter -A wanout -p tcp --dport 25 -j DROP

This will log all outbound attempts that fail, so you should be able to isolate (by IP/MAC) which machine is infected as well (or attempting to legitimately connect and in need of another rule!).

Rodney
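Once the LOG rule above is in place, the router's syslog is what tells you which LAN host is hammering port 25. The following is an added example, not from this thread, that tallies those log lines per source IP and MAC; the sample lines are constructed in the field layout of the iptables LOG target, and the addresses and MACs are made up.

```python
"""Tally iptables LOG hits for outbound TCP/25 and point at the noisy LAN host."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of what the LOG rule in the 'wanout' chain writes to the
# router's syslog (LOG-target field layout; hosts, MACs and times are made up).
# In the MAC= field the first 6 bytes are the destination MAC, the next 6 the
# source MAC and the last 2 the ethertype, so the LAN client's MAC is bytes 7-12.
SAMPLE_LOG = """\
Jul 15 10:00:01 tomato kernel: IN=br0 OUT=vlan1 MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:55:08:00 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51234 DPT=25 SYN
Jul 15 10:00:01 tomato kernel: IN=br0 OUT=vlan1 MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:55:08:00 SRC=192.168.1.23 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51235 DPT=25 SYN
Jul 15 10:00:02 tomato kernel: IN=br0 OUT=vlan1 MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:55:08:00 SRC=192.168.1.23 DST=203.0.113.99 LEN=60 PROTO=TCP SPT=51236 DPT=25 SYN
Jul 15 10:00:05 tomato kernel: IN=br0 OUT=vlan1 MAC=00:aa:bb:cc:dd:ee:66:77:88:99:aa:bb:08:00 SRC=192.168.1.40 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40000 DPT=25 SYN
Jul 15 10:00:06 tomato kernel: IN=br0 OUT=vlan1 MAC=00:aa:bb:cc:dd:ee:66:77:88:99:aa:bb:08:00 SRC=192.168.1.40 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40001 DPT=80 SYN
"""

FIELD = re.compile(r"(SRC|MAC|PROTO|DPT)=(\S+)")

def count_smtp_attempts(log_text: str) -> Dict[Tuple[str, str], int]:
    """Count logged TCP/25 attempts per (source IP, source MAC)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue  # the LOG rule only fires for dport 25, but be strict anyway
        mac = f.get("MAC", "")
        src_mac = ":".join(mac.split(":")[6:12]) if mac else "?"
        counts[(f.get("SRC", "?"), src_mac)] += 1
    return dict(counts)

def suspects(counts: Dict[Tuple[str, str], int], threshold: int) -> List[Tuple[str, str, int]]:
    """Hosts at or above the threshold, busiest first: candidates for the infected PC.
    A single hit may just be a client that legitimately needs its own ACCEPT rule."""
    hits = [(ip, mac, n) for (ip, mac), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: -t[2])

if __name__ == "__main__":
    for ip, mac, n in suspects(count_smtp_attempts(SAMPLE_LOG), threshold=2):
        print(f"{ip} ({mac}) tried TCP/25 {n} times")
```

On a real router, feed it the output of `logread` (or the syslog file) instead of the constructed sample.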
 
Here is the latest QOS setup used here for everyone, from home users right up to 400 room residential blocks.

Could you post the output of this command: "nvram export --quote | grep qos_ " for us. Then somebody can directly import these settings, instead of having to go thru the GUI.
 
Could you post the output of this command: "nvram export --quote | grep qos_ " for us. Then somebody can directly import these settings, instead of having to go thru the GUI.

Hey Ray I ended up doing it all manually. Here's an export for anyone who wants to import it. It's not the "exact" word for word layout but it's all there functionality wise. The class names are obviously different from Toastman's named builds. The conntrack settings are not included so be sure to set them manually.

toastman_qos.bak

Contents of file:
Code:
"qos_reset=1"
"qos_irates=0,90,80,70,70,70,60,10,10,1"
"qos_rst=1"
"qos_inuse=1023"
"qos_orules=0<<-1<d<53,37,123,3445<0<<0:10<7<DNS,Time,NTP,RSVP>0<<6<s<80<0<<<1<Remote Web Access>0<<-1<d<11999,2300:2400,6073,28800:29100,47624<0<<0:50<8<Some well known games>0<<-1<a<<0<flash<<6<Flash Video (Youtube, etc...)>0<<-1<a<<0<httpvideo<<6<HTTP Video (Youtube, etc...)>0<<6<a<<0<shoutcast<<6<Shoutcast>0<<-1<d<554,1755,5004,5005,6970:7170,8554<0<<<6<RTP,RTSP>0<<-1<d<1935,5060:5063,1719,1720,3478,3479,15000<0<<<6<RTMP,MMS,SIP,H323,STUN>0<<6<d<80,443<0<<0:256<0<WWW,SSL>0<<-1<d<25,465,563,587,110,119,143,220,993,995<0<<<3<Mail (SMTP,POP3,IMAP)>0<<-1<d<1220,1234,5100,6005,6970<0<<<6<QT,Camfrog,VLC>0<<-1<d<1502:1503,1863,3389,5061,5190:5193,7001<0<<<4<MSGR1 - Windows Live>0<<-1<d<194,1720,1730:1732,6660:6669,22555<0<<<4<MSGR2 - Chat Services>0<<-1<d<5000:5010,5050,5100,5222,5223,8000:8002<0<<<4<MSGR3 - Chat Services>0<<-1<x<20:23,6571,6891:6901<0<<256:<5<FTP,SFTP,WLM File Transfers>0<<6<d<80,443<0<<256:<5<HTTP, SSL File Transfers>0<<17<d<1:65535<0<<<9<P2P (uTP, UDP)"
"qos_ibw=8000"
"qos_syn=1"
"qos_ack=0"
"qos_burst0="
"qos_burst1="
"qos_icmp=1"
"qos_pfifo=0"
"qos_enable=1"
"qos_obw=800"
"qos_default=2"
"qos_orates=10-80,5-80,5-90,20-80,5-80,5-80,5-25,5-20,5-20,1-1"
"qos_fin=1"
 
Scratch that previous post, I think this is a better way to set up Toastman's QoS settings without having to manually enter them into the GUI which can take a very long time.

In the GUI, navigate to (Tools > System) and paste the following lines in:
Code:
nvram set "ct_tcp_timeout=0 1200 20 20 20 20 10 20 20 0"
nvram set "ct_udp_timeout=10 10"
nvram set "qos_enable=1"
nvram set "qos_ack=0"
nvram set "qos_default=8"
nvram set "qos_fin=1"
nvram set "qos_icmp=1"
nvram set "qos_irates=10,10,60,90,0,70,70,70,80,1"
nvram set "qos_orates=5-20,5-20,5-25,5-80,10-80,20-80,5-80,5-80,5-90,1-1"
nvram set "qos_orules=0<<-1<d<53,37,123,3445<0<<0:10<0<DNS,Time,NTP,RSVP>0<<6<s<80<0<<<3<Remote Web Access>0<<-1<d<11999,2300:2400,6073,28800:29100,47624<0<<0:50<1<Some well known games>0<<-1<a<<0<flash<<2<Flash Video (Youtube, etc...)>0<<-1<a<<0<httpvideo<<2<HTTP Video (Youtube, etc...)>0<<6<a<<0<shoutcast<<2<Shoutcast>0<<-1<d<554,1755,5004,5005,6970:7170,8554<0<<<2<RTP,RTSP>0<<-1<d<1935,5060:5063,1719,1720,3478,3479,15000<0<<<2<RTMP,MMS,SIP,H323,STUN>0<<6<d<80,443<0<<0:256<4<WWW,SSL>0<<-1<d<25,465,563,587,110,119,143,220,993,995<0<<<5<Mail (SMTP,POP3,IMAP)>0<<-1<d<1220,1234,5100,6005,6970<0<<<2<QT,Camfrog,VLC>0<<-1<d<1502:1503,1863,3389,5061,5190:5193,7001<0<<<6<MSGR1 - Windows Live>0<<-1<d<194,1720,1730:1732,6660:6669,22555<0<<<6<MSGR2 - Chat Services>0<<-1<d<5000:5010,5050,5100,5222,5223,8000:8002<0<<<6<MSGR3 - Chat Services>0<<-1<x<20:23,6571,6891:6901<0<<256:<7<FTP,SFTP,WLM File Transfers>0<<6<d<80,443<0<<256:<7<HTTP, SSL File Transfers>0<<17<d<1:65535<0<<<9<P2P (uTP, UDP)"
nvram set "qos_pfifo=0"
nvram set "qos_reset=1"
nvram set "qos_rst=1"
nvram set "qos_syn=1"
sleep 2
nvram commit
sleep 10
reboot

Now click the "Execute" button and let the magic happen.

Note:
The Sleep timeouts may or may not really be necessary but I put them in just to be safe.

**EDIT**
Sorry I forgot that the (Tools > System) section does not exist in the Standard build of Tomato. For Standard build users you can just SSH into your router and paste those lines one by one. It's still easier than filling all of that out. Just skip the Sleep lines if you're doing it this way because there's no reason to enter those.
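Before pasting an `nvram set "qos_orules=..."` line from someone else's export, it is worth decoding it to see which rule a given connection will actually hit first (which also explains the earlier question about a port 6881 rule added at the bottom: UDP 6881 is already swallowed by the catch-all UDP P2P rule, while TCP 6881 matches nothing and lands in the default class). The following is an added example, not from the thread or from Tomato; the field order is my reading of Tomato's qos.c and is an assumption, and the sample uses five rules copied from the second export above.

```python
from collections import namedtuple
from typing import List, Optional

# Field order is my reading of Tomato's qos.c (an assumption, not stated in the thread):
#   addr_type<addr<proto<port_type<port<ipp2p<layer7<bcount<class<desc
# Rules are separated by '>' and fields by '<'; the first matching rule wins.
PROTO = {"-1": "any", "6": "TCP", "17": "UDP"}
PORT_TYPE = {"a": "any", "s": "src", "d": "dst", "x": "src/dst"}
# ports: "53,37" or "2300:2400"; layer7: L7 filter name; bcount: KB range "0:256"/"256:"; cls: 0..9
QosRule = namedtuple("QosRule", "proto port_type ports layer7 bcount cls desc")

def parse_qos_orules(blob: str) -> List[QosRule]:
    rules = []
    for raw in blob.split(">"):
        f = raw.split("<")
        if len(f) != 10:
            raise ValueError(f"expected 10 fields, got {len(f)}: {raw!r}")
        rules.append(QosRule(PROTO.get(f[2], f"proto {f[2]}"), PORT_TYPE.get(f[3], f[3]),
                             f[4], f[6], f[7], int(f[8]), f[9]))
    return rules

def port_in(spec: str, port: int) -> bool:
    """True if port is in a comma list of single ports and lo:hi ranges."""
    for item in filter(None, spec.split(",")):
        lo, _, hi = item.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def classify_new_flow(rules: List[QosRule], proto: str, sport: int, dport: int) -> Optional[QosRule]:
    """First rule a brand-new connection (0 KB transferred) hits on proto/port alone: L7 rules
    need payload and are skipped, and a byte range not starting at 0 ("256:") cannot match yet."""
    for r in rules:
        if (r.layer7 or r.proto not in ("any", proto)
                or (r.bcount and r.bcount.split(":")[0] not in ("", "0"))):
            continue
        src, dst = port_in(r.ports, sport), port_in(r.ports, dport)
        if {"any": True, "src": src, "dst": dst, "src/dst": src or dst}.get(r.port_type):
            return r
    return None  # unclassified: Tomato puts the flow in the qos_default class

# Five rules copied verbatim from the second export in the thread, in their original order.
SAMPLE = ">".join([
    "0<<-1<d<53,37,123,3445<0<<0:10<0<DNS,Time,NTP,RSVP",
    "0<<-1<d<11999,2300:2400,6073,28800:29100,47624<0<<0:50<1<Some well known games",
    "0<<6<d<80,443<0<<0:256<4<WWW,SSL",
    "0<<-1<d<25,465,563,587,110,119,143,220,993,995<0<<<5<Mail (SMTP,POP3,IMAP)",
    "0<<17<d<1:65535<0<<<9<P2P (uTP, UDP)",
])
```

Run `parse_qos_orules()` on the full `qos_orules` string from the export to list every rule with its class index before committing it to NVRAM.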
 
