PLEASE help me get QoS working to limit troll's bandwidth

Discussion in 'Tomato Firmware' started by Hogwild, Sep 23, 2011.

  1. Hogwild

    Hogwild LI Guru Member

    Hi everyone:

    First off, thanks for providing a great website. Tomato, and this website have made my life so much easier. Tomato for its stability, ease, and features, and this website for being
    a goldmine of information.

    I have a Buffalo WHR-HP-G54 with Tomato 1.28 on it.
    Attached are three wired clients and nothing else.
    The ADSL connection is rated at 5MB down/512up
    Repeated testing shows measured average-minimum is about 3.6 MB down/540K up.
    -I have set the QoS Outbound rate limit and Inbound Limit similarly.

    We have a tenant in the house who, in spite of repeated warnings, insists on frequently using about 97% of bandwidth because of Torrents. I read several articles on QoS, but can't say I understand them as well as I'd like.

    Originally, to reduce the tenant's traffic, I tried configuring a L7 filter for Torrents. That never seemed to work. So I erased the L7 rule.

    BTW, I'm fairly sure the tenant is not using Torrent encryption.

    I then read some articles on QoS, such as Toastman's wonderfully-written article, "Setting QoS Rates and Limits". (Thanks Toastman; we need true experts like you who can also EXPLAIN stuff clearly.) I understand some of it, but to be honest, I have health problems which give me trouble with comprehension and memory.

    I read Toastman's statement that what's important to consider in P2P connections is the RATIO of upload to download packets.

    So for my second attempt, under Classification I created a rule called "TenantTrafficLimit", specified the tenant's Source IP and set "Class" to lowest.

    Under the "Basic" QoS settings dialog, I set the "lowest" class to get 2%-15% of total upstream bandwidth.

    That seemed to work for a while, according to the real-time bandwidth charts, but lately seems to have stopped working. Instead, the Bandwidth screen shows something very different. I don't have a screenshot for this one, but today the bandwidth in use was close to 4MB/S, and only my machine and the tenant's were on. I checked my machine with TCPview and some utils. It was all the tenant's machine.

    This should work regardless of encryption, no? I mean, I set it to limit all the tenant's traffic, not just torrents.

    I've attached screenshots to explain what I mean. I'm sure I'm missing something very obvious here. It works for others; it should work for me.

    All I want to do is limit this person's IP to a low amount of bandwidth. I could do it by MAC address instead; I don't care, as long as I can limit his traffic. In this case, I know it's mostly Torrents that are causing the problem.

    Thanks for any advice. I'm really trying to properly understand how QoS works. I'm sure I'm missing something obvious here.


    [Attachments: Tomato QoS Basic.JPG, Tomato QoS classification.JPG]
  2. mraneri

    mraneri Network Guru Member

    Upgrade to one of Toastman's K24 releases. (Others may include it as well)
    It includes MAC Address/IP Address Bandwidth limiter.
    Cut the troll off.

    You can limit his bandwidth (downstream and upstream) to whatever you want.

    Of course, you could cut him off partially or completely with access restriction... (i.e. block everything but port 80 and 443) and if he circumvents that, just disable his access completely to teach him a lesson...

    I'm using v1.28.7625 NOUSB/VPN
    There are more recent versions that would probably work too. I've been using this one for a while with no issue.
  3. Hogwild

    Hogwild LI Guru Member

    Wow, thanks for the fast reply!
    I had never thought of limiting what ports he uses.
    Both good ideas. I'd prefer not to do firmware upgrades or port restrictions, except as a last resort, however.

    Will the stock 1.28 do what I'm asking? Maybe I misunderstood. Toastman didn't actually say in his
    tutorial that you required non-stock firmware. Again, if I'm mistaken, please set me straight, but I thought
    the stock 1.28 could do what I'm asking for.

    I'll definitely keep port access restrictions as a method if I can't get stock working the way I'm hoping for.



  4. mraneri

    mraneri Network Guru Member

    It is difficult to classify torrent traffic reliably.
    QOS is included in the stock firmware, as you know, however, the IP based bandwidth limiter is separate (but related to) QOS, and is not included in the stock firmware. If you want to specifically limit based on his IP, then you need one of the other firmwares.

    If you want to restrict his access, this is included in the stock firmware, I think.

    One more thought... You could just create a rule for his IP address. Give his MAC address a static IP address via "static DHCP" and set up a specific QOS rule that classifies ALL traffic to/from that IP address as low priority. (Actually, you can limit that to 5% or 10% too).

    It will use up one of your 10 classes, but may be worthwhile too. You can do this with stock firmware. Let us know if you don't know how. We can help you.
  5. Hogwild

    Hogwild LI Guru Member

    Hmm...a bit confusing, (not because of you, but I'm just not sure I understand correctly).
    The option is there in stock under QoS for "IP". Are you saying the menu option is there, but it
    doesn't function properly?

    Is what I did not the same as what you suggested? I've got his source IP (
    set to the "lowest" class. And the lowest class set to get no more than 15% upstream bandwidth. That's what's in my screenshots...I think.
    The tenant is way too lazy to learn computer theory, so he will never figure out how to change
    his existing static IP, believe me. Even if he does, I will deny dynamic IPs, so that's no problem.

    Thanks again.


  6. mraneri

    mraneri Network Guru Member

    Ahh. Yeah. I didn't catch that point in your first post.
    Make sure you use "View Details" to see how the connections are being classified.
    While he's using all the bandwidth, check the QOS charts, and see how the data is being classified (the largest piece of the pie). Then look at those connections (view details), and adjust the classifications until you're catching them, and they are assigned to "Lowest".
  7. mraneri

    mraneri Network Guru Member

    Also, looks like your max bandwidth listed (544kb) may be too high if your actual bandwidth is 512kb. You may have to drop it to something like 500. Although I suspect if you're limiting him to 15%, this will not affect you and it should still work.
  8. Hogwild

    Hogwild LI Guru Member


    Okay, we're on the same page now. Thanks again. So...I think that's what I tried to do many times.
    Now, on the QoS chart page, it would list "lowest" as being a high percentage of outbound
    traffic. Maybe 85% or 95%. It would read X number of Kilobits under "Bandwidth Distribution" under on the same page.
    HOWEVER, on the "Real-Time Bandwidth" page, it would show total bandwidth being
    used as, say, 4.3 Megabits. What's going on there? If the total upstream was so low, why was the total downstream so high?


  9. mraneri

    mraneri Network Guru Member

    This percentage is not really important. It's listing the total percentage of the current USED bandwidth. So, if he's the ONLY one using the connection, then it's going to be 100%, even if his bandwidth is limited. So this is ok. However, since your upstream rate limit is 544kbits and you've allocated him only 15%, then his maximum outbound data rate shouldn't ever go above 82 kbits/sec, or, say 9 kB/s. So, if his outbound stays below this, all is working well, and you have 85% of your bandwidth always available for others.

    Realtime bandwidth page showing the total is the TOTAL data transmitted over the course of the window (20 minutes?), so this is not data rate.
    Remember above, you're trying to limit his data rate to 82kbits/sec or lower. (15% of 544kbits)

    Finally, everything we've talked about is limiting his UPSTREAM, or upload speed. You don't show any limits on his downstream or download speed. You can limit this too. It's in the bottom section of the QOS Basic Setup (Inbound Limits)

    I'm having to go offline now. Will be on again in the morning. Good luck.
  10. Hogwild

    Hogwild LI Guru Member


    We are definitely on the same page, because I'm getting bleary-eyed. I will come back to this tomorrow, and thanks
    again. I will re-read your last post a few times to try to understand before I post again.

    Thanks so much!


  11. Toastman

    Toastman Super Moderator Staff Member Member

    Thought I'd just chip in with a few comments.

    Unfortunately, the old default rules that you show in your screenshot are completely useless, as you ought to have read in the QOS guide. Had you followed the guide, you would have seen that on the first post, and saved a lot of time and effort. You should immediately get rid of them. Also, there are many warnings about setting the incoming and outgoing maximum settings correctly. You haven't done so. Your QOS simply cannot work. And as mraneri has already told you, there are no discrepancies between the two pages, it is merely your understanding of them that is incorrect.

    If you use one of my builds, either load it and check the "erase nvram after flashing" box - or if already loaded, just erase nvram (thorough) from the config menu. Then you'll see my example rules appear as a new default. Examine the rules to see what they do and try to understand why they are there. You may find they already work reasonably well to control torrents IF you set your incoming and outgoing bandwidth maxima to the correct settings for your ISP's line. You still need to read up on QOS and adjust them to suit yourself. When the rules are loaded, you will be able to see at a glance what kind of traffic your tenant is engaged in by the rule ID attached to his traffic in the class details page, and it will also be apparent from the example rules how to throttle it. P2P cannot be controlled by a rule. It cannot be controlled by L7 or IPP2P filters either, they simply don't work well enough. In fact the L7 filters (such as skypeout) often work so badly that they actually give priority to P2P. The best way is to set up rules for everything that you do want to allow, and everything ELSE will bypass the rule and end up in the default class, which you then throttle. That is the only way you can classify P2P and other unknown, unwanted traffic, with any hope of success. That is one of the first things covered in the QOS thread.

    [Suitable builds with QOS rules included are in the K2.4 MIPSR1 directory. Try 1.28.7628 Std. The newer builds will have better monitoring features, look at the Readme file.]

    With any build of Tomato, it is absolutely IMPERATIVE that you measure your bandwidth with an online speed tester and set your maximum outgoing bandwidth figure. QOS CANNOT WORK if this is set wrongly. Set it to around 66% of the LOWEST speed you measured for best QOS performance. If you have 512K outgoing bandwidth - measured - then set it to 350. If you actually measure it at say 400k, then you would set it to 270. The settings you have at the moment will not work.

    Given what you posted, you can probably set outgoing to 350 and incoming to 3600. You must take care of these fundamental things first.

    BTW - I wouldn't personally use the bandwidth limiter. If you do that, you also limit his speed for normal browsing etc. which isn't really what you want, is it? Use it as a last resort. QOS can, and should, take care of P2P without slowing up other applications much if you get it right.

    Good luck!
  12. Hogwild

    Hogwild LI Guru Member

    Hi Toastman:

    Great to see you here. There's nothing like getting it "straight from the horse's mouth",
    so to speak.

    I really am trying to avoid re-flashing with another firmware. Call me paranoid, but for now, I'd like to stick with what I've already got.

    EDIT: OH, OH, and what he said here:
    In other words, as the speed slowly "builds up", what number do I use as my speed on the test?

    I had actually tried earlier what you suggested in terms of lower outgoing and incoming bandwidth settings,
    and it didn't seem to make a difference. But now that I think about it, at the time, I had different rules
    as well.

    So I'll change the inbound and outbound maximums. What rules are you suggesting I use in order to just restrict his torrent traffic?


  13. Hogwild

    Hogwild LI Guru Member


    Hmm...well this morning, I tried entering the settings you recommended in your last post. I gave it about half an hour for the changes to take effect after hitting Save. That seemed to make no difference at all. Then I tried rebooting. Still no difference. This was with upload max=330, and download max=3600. The tenant's computer was obviously creating some kind of traffic activity (I don't know what for sure), that took up a lot of bandwidth.

    Of course, that depends which page in Tomato's firmware you believe. According to the QoS graphs screen, there was basically almost zero KB traffic flowing.

    According to the chart on the Real Time Bandwidth screen, there was almost steady 4.4 MB/s flowing through the router.
    The only other machine on at the time was mine, and mine was creating almost zero traffic, according to TCPView on my machine and Windows' handy little network icon.

    Should I be assuming it's maybe not P2P traffic the tenant is creating, but instead streaming video or something else? Should I sniff traffic to see what's using all that bandwidth (when it's in use)?

    How could there be these crazy discrepancies between different pages on Tomato? Am I reading these things all wrong?
    Please help me get on the right track here; I know I'm missing something fundamental.


  14. kthaddock

    kthaddock Network Guru Member

  15. Toastman

    Toastman Super Moderator Staff Member Member

    Did you use one of my builds with QOS rules? You don't mention it. Guesswork and trial and error isn't gonna work.
  16. Hogwild

    Hogwild LI Guru Member

    No, as I said Toastman, I don't want to switch firmwares at this time.
    Perhaps if all else fails, but I don't think I've given this a proper shot yet.

    Toastman, you are saying "guesswork and trial and error isn't gonna work". Well, you also wrote in your articles that each case is different and will require thought/planning. I'm not trying to sound snide, but isn't that, to some extent, trial and error? The exception, in my mind, would be if one is very experienced in the subject matter (which I am obviously not).

    I've read lots of other posts of people who seem to have traffic under good control through stock Tomato. So I still think something is being missed here.

  17. Toastman

    Toastman Super Moderator Staff Member Member

    Never mind ;)
  18. Hogwild

    Hogwild LI Guru Member


    So, you're not willing to offer any more help?

  19. mraneri

    mraneri Network Guru Member

    My recommendation still stands. If the guy isn't cooperating, just throttle all of his bandwidth back.
    If it were me, I'd cut him off and block him completely for a week to teach him a lesson.

    Toastman provides so much help already. He helps so much by offering excellent support for his upgraded builds and is quite active over the last few days working on it. His firmware really probably would be helpful to you.

    Good luck.
  20. Hogwild

    Hogwild LI Guru Member


    I never questioned Toastman's dedication. That stands on its own.

    I'm just looking for help without changing firmware versions, unless
    it becomes absolutely necessary.

    As for disconnecting the tenant entirely, that is not my decision to make,
    as it is not my house. I probably should've mentioned that earlier.

    Can anyone offer any suggestions? If not, could someone at least suggest
    why my bandwidth numbers can be wildly different on the two different pages
    (real-time bandwidth and QoS View Graphs)?


  21. eviltone

    eviltone Network Guru Member

    I think it's to the point now that it totally requires the updated firmware release... with a complete NVRAM reset, as Toastman suggested. Lots of things have been completely rewritten by the Toastgod himself.... Toastie knows... you do what Toastie says... it's nearly guaranteed to work.
  22. Hogwild

    Hogwild LI Guru Member

    So, no one wants to even guess at what is happening?

    Are these known bugs? Are they new to everyone?

    Hundreds, maybe thousands of other people have this working under stock Tomato.
    This firmware has been out for more than 15 months. I would think that's enough time to vet most known bugs.

    I have very few rules, and a pretty simple setup. I find this very puzzling.

  23. pharma

    pharma Network Guru Member

    Maybe you should switch to stock if that is running fine with other people. If you can't take advice people have given here and try newer versions of Tomato firmware, then continue to use your existing firmware. You may or may not be encountering bugs which people do not encounter with newer firmware versions, and the only way to find out is to co-operate with people trying to help you.

  24. Hogwild

    Hogwild LI Guru Member

    I'll look for answers elsewhere.

  25. mraneri

    mraneri Network Guru Member

    Sorry, I've not been that responsive lately. I am on the other side of the world this week.
    I have two thoughts on why the bandwidth numbers may be different.

    1) The QOS charts show UPSTREAM bandwidth ONLY. So only uploads show on these. No downloads... So you need to compare only the transmit bandwidth on the bandwidth chart to the total bandwidth on the QOS chart. Also, the polling interval for this appears to be different internally, so they are capturing different periods of time each. Overall this last part should average out over time, but any single data point discrepancy can be blamed on this.
    2) The other thing I would say is that if your troll is downloading via P2P heavily, (or by any method really) he is sending many ACKs on the upload bandwidth. I'm pretty sure these show up in the bandwidth charts, but I'm not sure if they show up in the QOS charts.

    One other thought I have about this user's QOS is that if you are having trouble limiting his bandwidth, you can use a transfer size based rule. So, you can add a classification rule (towards the top of your list of rules) that applies to all ports on his IP address which says if any single connection transfers more than say 1MB, classify that connection as "Class 5" and limit the upload and download rate to 15% (or whatever you want) on that connection. If he's doing P2P with many different peers, this may have only limited effect, but it's probably better than nothing. Also, this should not affect his regular browsing because it is not common to load large amounts of data on a single connection. This probably would affect his ability to stream videos, though (youtube).

    Given you don't want to change firmware (and I understand) I'm tapped out of ideas...
  26. Hogwild

    Hogwild LI Guru Member


    Thanks again for this. I'm going to read your post thoroughly several times. I think what you wrote about
    is really exactly what I've been struggling with. I have to get some sleep, but I'll reply tomorrow.

    Thanks again

  27. mikester

    mikester Network Guru Member

    You can also try limiting the maximum number of connections to each MAC address using iptables. Torrents will max out your connlimit quickly. I've never tried it on the Tomato but have made it work on other firewalls. Give him a max 100 connections. Also add a rule to block the words "announce" and "torrent".
  28. Hogwild

    Hogwild LI Guru Member


    All evidence to the contrary!

    Upon a second look, what seems to be happening, I think, is that the QoS is working, just not all the time. Can you see any reason why?
    I fiddled with the order of those QoS rules. Would that be causing trouble?

    Again, thanks for your help

  29. mraneri

    mraneri Network Guru Member

    So I re-read your first post. By the info in the first post, you are only limiting his UPSTREAM (upload) bandwidth (2%-15%). You are not attempting to limit his Downstream (download) BW. If you want to limit both, you need to set a cap in the download section for the "lowest" class. (Page down from where you put 2%-15% in.) Are you trying to limit both, or just his upstream BW?

    Order on QOS rules is important. The rules are processed from top to bottom. Once a connection matches a rule, later rules do not process.

    As you know, I'm using one of the toastman firmwares which has much better tools to figure out which connections are using bandwidth. Since I don't have a router running stock firmware, my memory is a little hazy, but I believe you can do the following when he's monopolizing the connection:

    Start with QOS charts. You should see the Number of connections for the "lowest" class. Also you should see the upstream data rate for the lowest class. If he is monopolizing the connection, and the rule is working, the bulk of the pie should be the "lowest" class. If not, you have a rule problem and the connection using the bandwidth is being misclassified. You may be able to tell which rule is "triggering" based on which class is using all the bandwidth. Once you see which class is using all the bandwidth (or, "lowest" if the rule is working), you can "drill down" and see all the connections in that class. Click on the class name in the QOS Chart page to bring up a list of all connections for that particular class. Here you can see which IPs and which ports are involved with all connections associated with that class. This may help you better write rules to classify his different connection types if necessary.

    Note: Toastman firmwares can show transfer rates for each of these connections, which would be very helpful for you. But I don't believe this is available in stock firmware.
  30. Hogwild

    Hogwild LI Guru Member


    EDIT: formatting, grammar

    D'OH! I knew I was missing something stupid. Yep, that's probably it. I will set that lower immediately. I was so busy
    reading about how important it is to limit upstream, that I forgot not all traffic is Torrents, and I can just directly limit
    downstream. Should I enter similar numbers as upstream (assuming I want similar downstream?)

    I understand that concept, but I get lost when it comes to going over my own rules and applying that concept. When I look at my rules, nothing
    stands out, but I don't think I would notice it anyways. Does anything stand out to you?

    Yes, when I look at the QoS graphs, the bulk of the pie is typically in the "lowest" class. So that's as it should be. I will go back and click on the "lowest" piece of the pie and keep an eye on what type of connections the tenant is opening.

    Man, you guys really know how to tempt me with those mod firmwares. :D
    I just recently bought an Asus RT-N12 and I flashed TomatoUSB on it. I will play with that a little, and if it works smoothly, I will seriously consider flashing
    either the RT-N12 or the Buffalo with a mod that supports some of the features you speak of.

    Other than Toastman's (not criticizing, just wanna know all the choices) which mods support per-user transfer rates, and how is it presented in the GUI (graph, text, etc.)?

    I think things are coming along really nicely now, thanks to you.

    For future reference, though, since you mentioned the "KB transferred" option, I'm not clear how that is measured. Is it the total KB transferred for the whole open session? Is it limited to the first few seconds or some other time period? A real newbie question I know, but I had to ask.

    Thanks so so much! I'm learning a LOT here. And I think it's finally starting to sink in.

  31. Hogwild

    Hogwild LI Guru Member


    Can this be done with different amounts for each user? I assume not.
    I'm assuming you mean per user, but the same amount for ANY user, cause I don't see that in stock Tomato menus.

    I had not thought to block the Torrent keywords. That's a great idea. I don't think I'll need it yet,
    (I want this person to have as few clues as possible as to what's going on) but it will probably really come in handy
    later on.



  32. mraneri

    mraneri Network Guru Member

    You can limit the downstream as you wish. Set it to whatever % you want. Adjust as needed. Keep in mind you will be limiting ALL of his downstream, which is maybe what you want.
    I haven't re-reviewed them in detail. Perhaps you want to repost your Current rules. I think you've learned some here, and the rules you posted before probably are not what you're using now.
    Not sure. I only use Toastman's, and I think Toastman has spent the most time on QOS. Toastman's probably the best firmware for you. I originally switched to Toastman's because his lets us "rename" the different classes. So you can rename "Lowest" to "Troll" and your charts will be more meaningful.

    Toastman's Firmware (as far as I can tell) adds 3 columns to the "View Details" table:
    1) The rule number which is matched for that connection. (perhaps providing more information than just the class selected if you have multiple rules which feed into the same class... Very valuable for debugging your rules.)
    2) Bytes Out - Total bytes sent out over this connection since the establishment of the connection.
    3) Bytes In - Total bytes received over this connection since it was established.
    I believe if the connection is closed and reopened, #2 and #3 restart at zero.

    ALSO, Toastman's firmware adds a "Transfer Rates" table just below "View Details". This table has Protocol, Source/Port, Destination/Port, U/L Rate, and D/L Rate. I believe these rates are a "few seconds average transfer rate" for the connection. Rates are not "classified" here, but if you have one connection using lots of BW, you can probably figure out which connection it is in the "View Details" tab by matching the source/destination and ports to see how that rule is being classed.

    These adds are well worth the effort to reconfigure your router, in my opinion.
  33. Hogwild

    Hogwild LI Guru Member

    Will definitely do that in the next few days, as soon as I can find the time and energy. When I look at the pattern of traffic the tenant is using, there are dozens, if not hundreds of different ports in use. Isn't that usually a sign that P2P is in use? You're right; for now, I'll just limit all his bandwidth.

    Soon, I will be configuring a different router for someone. For hers, I'll just want to limit/shape a roommate's P2P for them. Once I've configured appropriate in and out settings and classes, if that doesn't work, do UDP/TCP timeouts come as the next thing to try? I know this may be the slower way, I just want to learn. If I ever wanted to... (again, just for the sake of learning), how hard would it be to sniff traffic coming across the router using a packet sniffer?


    I'll repost the next few days.

    Yes, I'm starting to see the value of Toastman's mod now. At first I thought it was mostly useful for people doing sophisticated QoS setups, and for people who just wanted a quick, easy solution. Now I see the features you've listed make it easier for anyone. Oh...and I wanted to learn, not just click. I feel like I'm nearing what I want with what we've accomplished here (THANKS!) but if I have any more trouble, I'll consider re-flashing.

    Oh, yeah-I can definitely see the value and convenience in these settings and options. I'll post back in a few days when I've adjusted settings the way you recommended above. And I'll keep working on it behind the scenes. I think I can get it right now.

    Thanks again.

  34. Monk E. Boy

    Monk E. Boy Network Guru Member

    Only thing that strikes me about your original rules is you have a rule stating that source traffic from his IP has the rule applied, but you also need a 2nd rule that specifies the destination as his IP. I would also change TCP/UDP to "Any" which makes it a simpler rule. I'd also make these source & destination rules to be #1 and #2 so his traffic gets sequestered ASAP and the router doesn't waste any more comparing it. IP/port rules are quick in any case, IPP2P rules take a little CPU time, and L7 rules take quite a bit, which is normally how I try to order my rules... IP/port rules first (top part of the list), then IPP2P (below that), then L7s (at the bottom) - that way traffic gets classified and on its merry way as quickly as possible by the least intensive rule that it matches.
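As an added illustration of the rule-order point above, of the need for both a source and a destination rule for the tenant, and of mraneri's earlier "KB transferred" idea, here is a small first-match classifier. It is not Tomato's code and not from anyone in this thread; it simplifies how the router re-evaluates connection marks, and every IP, port, class name and rule name in it is constructed.

```python
# Simplified model of Tomato-style first-match QoS classification (added example,
# not Tomato's code). Every IP, port and rule name below is constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

TENANT_IP = "192.168.1.50"   # constructed: the tenant's static-DHCP address
DEFAULT_CLASS = "medium"     # constructed: the class chosen as "default" in Basic Settings


@dataclass
class Conn:
    proto: str               # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    kb_transferred: int = 0  # KB moved on this connection so far


@dataclass
class Rule:
    name: str
    cls: str
    proto: str = "any"              # "any", "tcp" or "udp"
    src: Optional[str] = None       # match connections FROM this IP
    dst: Optional[str] = None       # match connections TO this IP
    dports: Tuple[int, ...] = ()    # empty = any destination port
    min_kb: int = 0                 # "KB transferred" threshold, 0 = not used

    def matches(self, c: Conn) -> bool:
        if self.proto != "any" and self.proto != c.proto:
            return False
        if self.src is not None and c.src != self.src:
            return False
        if self.dst is not None and c.dst != self.dst:
            return False
        if self.dports and c.dport not in self.dports:
            return False
        return c.kb_transferred >= self.min_kb


def classify(rules: List[Rule], c: Conn) -> Tuple[Optional[str], str]:
    """Walk the list top to bottom; the first matching rule wins and later rules
    are never consulted. Unmatched connections land in the default class."""
    for r in rules:
        if r.matches(c):
            return r.name, r.cls
    return None, DEFAULT_CLASS


def classes_for(rules: List[Rule], conns: List[Conn]) -> List[str]:
    return [classify(rules, c)[1] for c in conns]


# Constructed traffic sample: what the router might see while the tenant is busy.
SAMPLE = [
    Conn("tcp", TENANT_IP, 51000, "203.0.113.10", 80),        # tenant browsing
    Conn("udp", TENANT_IP, 6881, "198.51.100.7", 6881),       # tenant -> remote peer, UDP
    Conn("tcp", "198.51.100.9", 40210, TENANT_IP, 6881),      # remote peer -> tenant
    Conn("tcp", "192.168.1.20", 52000, "203.0.113.10", 443),  # another household PC
]

# Rule set 1: a TCP-only source-IP rule sitting BELOW generic port rules,
# like the single "TenantTrafficLimit" rule described in the first post.
ORIGINAL_RULES = [
    Rule("DNS", "high", proto="udp", dports=(53,)),
    Rule("WWW", "medium", proto="tcp", dports=(80, 443)),
    Rule("TenantTrafficLimit", "lowest", proto="tcp", src=TENANT_IP),
]

# Rule set 2: source AND destination rules for the tenant, protocol "any",
# placed at #1 and #2 so his connections are sequestered before anything else.
FIXED_RULES = [
    Rule("TenantOut", "lowest", src=TENANT_IP),
    Rule("TenantIn", "lowest", dst=TENANT_IP),
    Rule("DNS", "high", proto="udp", dports=(53,)),
    Rule("WWW", "medium", proto="tcp", dports=(80, 443)),
]

# Rule set 3: the transfer-size idea - any tenant connection that has moved
# more than 1 MB is pushed down, while short browsing fetches are left alone.
SIZE_RULES = [Rule("TenantBigTransfer", "lowest", src=TENANT_IP, min_kb=1024)] + ORIGINAL_RULES[:2]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(label)
        for c in SAMPLE:
            print("  %s %s:%d -> %s:%d  %s" % (c.proto, c.src, c.sport, c.dst, c.dport, classify(rules, c)))
```

With the original ordering the tenant's web traffic is caught by the WWW rule first, and his UDP and inbound peer connections never match the TCP-only source rule, so only the fixed set sends all four tenant flows to "lowest".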
  35. jsmiddleton4

    jsmiddleton4 Network Guru Member

    I'm sorry but something about this thread and the OP is odd. Thinking not only is this not his home, this isn't his router? How hard is it to change firmware? In my setup with a person downloading TV shows I don't have issues with my downloads being too slow. Something just seems fishy here.....
  36. Hogwild

    Hogwild LI Guru Member

    Monk E. Boy:

    Thanks. These are exactly the kind of things I don't know about. I added a downstream rule as well and in both rules, changed protocol to "any".
    I put the two rules at the top. Does it matter which rule comes first, the downstream or the upstream?

    I think many of you folks have at least some basic understanding of IPTABLES or at least routing or firewalling. I don't have much (as is obvious). Perhaps I should start reading about that to learn more.
    I also just noticed I think I've mixed top-posting and bottom posting here in this thread. My apologies if this offended at any point.


    edit: Added final sentence

    I'm completely stumped by your comment about the possibility that this is not my router or my home. Why on earth would I spend hours and hours (maliciously?) fine-tuning someone else's QoS settings? What the heck would I get out of doing that? And better yet, why would I post on the public Web to ask questions? I don't know whether to laugh or ?? Oh, and I just stated that this appears to be (mostly) working, but might need some fine-tuning. So why would I need to change firmware unless I decided I wanted to?


  37. Monk E. Boy

    Monk E. Boy Network Guru Member

    It doesn't really matter which comes first, IP-based and port-based rules are processed very quickly, I just suggested those being the first because you know there's a ton of data flowing to & from their system.

    Back when I did my first IP-based rule years ago I got stumped like you, until it hit me like a sledgehammer that not all traffic is going to be coming from that system - it's also going to be sent to that system. Source means the system is sending the data, destination means data is being sent to it. Of course it was late at night and I realized what was wrong after sleeping on it, but the point's still the same - it's a learning process. And it happens to everyone.
  38. Hogwild

    Hogwild LI Guru Member

    Well, that was very helpful and I appreciate it more than you'll ever know. It's also really hard when you have
    serious health problems that can screw up your reading ability (though thankfully, not my critical thinking

    I will wait until said troll starts "testing the waters" again in the next few days and report back.



  39. Gaius

    Gaius Networkin' Nut Member

    This thread is a perfect example of how patient this forum can be. I was losing my mind watching the OP ask for help and then refuse to do what he was told. It could have been so much simpler and clearer for him if he simply upgraded his router but he kept acting as if it would be like ordering a new router online. Everything is so much clearer and loads more configurable with Toastman's 2.4 firmware on my old WRT54GL but no, the OP had to continue to keep things difficult for him to understand by not listening to Toastman, a person he had claimed to have respected in his original post.

    And look at his signature! He's running another router with a non-stock Tomato build yet he clung to the stock firmware as if it were a life raft. :mad:

    Next time, just do what people say. This thread made me want to pull my hair out.
  40. Monk E. Boy

    Monk E. Boy Network Guru Member

    Well, let's just say my WRT-54GL is running vanilla 1.28. Then there's an RT-N12 and multiple RT-N16s running Teddy's last build at work. I intend on replacing the GL with an N16, then experimenting with multiple Toastman builds, but for the moment computer stuff is further down on the list of things that need to be done. Medical first, then transportation, then "toys." I had been out of work for a long time, so all three lists are pretty substantial... the toys list alone clocks in at around $1500 (the RT-N16 counts as a toy because the 54GL is fully functional). As for why I'm running old firmwares, well, when I installed them they were new... and when something isn't broken, you don't fix it. :)

    Of course, when I get the N16, and get comfortable with VLAN/SSID support, those routers at work are likely going to get upgraded pronto. Spend $15,000 on a vendor solution, or roll my own for under $3000... decisions, decisions...

    I guess my point is, they're all Tomato, and they'll all work for basic tasks. But I'm also used to being flexible and patient, it's part of my job after all...
  41. smoocher

    smoocher Networkin' Nut Member

  42. Hogwild

    Hogwild LI Guru Member

    Things are working pretty well. I'm quite happy with the results.

    A big THANK YOU to all of you that helped.
  43. bawjkt

    bawjkt Networkin' Nut Member

    Just some commentary here...

    I realize blocking P2P traffic is very difficult; it's a constant arms race. All of us want unbridled torrents but also want to squash any other torrenters competing for our bandwidth. It's not child's play; it's highly complex and evolving in the time it takes me to complete this sentence.

    Session limiting is crude but effective. QOS would be nice but not so effective without session limits.

    It's 2012. Tomato, with its active QOS and IPP2P blocking is one of the last words to solve this problem. But there isn't a "Solve the Problem" button. It's hectic and complex QOS settings, tuned over time - months in some publicly posted, well-coached cases.

    Everyone has the exact same problem: some jagoff on their shared network (apartment building, house, containerized office at mine site) is maxing out the pipe with multisession traffic - iTunes, Bit Torrent, Rapidshare - isn't there some elegant way to fix this without two months' worth of forum threads?

    Or resorting to some of the more humorous solutions : call police and RIAA, cut power to the room, block the IP.

    I think what we all want is proactive QOS that allows full-bore multisession downloads (e.g. Torrent, iTunes, Rapidshare) at all times so as to saturate the connection at all times and not waste this precious resource, the unlimited shared connection we are paying for. It's not cheap, right?
    All of us want to max out our libraries on any connection that we are paying for - it's a wasted resource if we don't. Imagine if the 6Mbit unlimited (shared) connection we pay for was at zero most of the time ... a senseless waste of money. We should be running iTunes or Torrents to get everything we want and just as importantly, everything our friends want. There is never a reason to let up on the connection that we are paying for. To do so would simply be waste. We always bear the bountiful cornucopia of our harvest last week, right?


    it would be most equitable if, when any other client on our shared network as much as clears their throat, with a more important request, e.g. a Google search with likely browsing to follow, the router and its QOS would absolutely stomp on the Torrent to clear multimegabit space for the browsing traffic likely to follow.

    Even if there isn't any associated traffic to follow. Yes, stomp the torrent, early and often, upon every hint of priority traffic like a Skype bootup or YouTube visit. That applies equally to the iTunes, or Rapidshare, or any similar voracious python of a protocol sure to strangle the pipe.

    Torrents are an undesirable anyway, and always recover quickly given an inch - if there are any well-dressed priority customers stepping out of the elevator, absolutely kick Torrent to the curb. Always.

    The torrenter will wake up the next day and see what arrived, and won't really know or care if he's a gigabit behind. He runs these torrents 24/7 without a thought to anybody else anyway. Meanwhile, the other guy will flip out at midnight if he can't arrange his 3-party video-skype call with his sisters in foreign countries for his father's 90th birthday like he promised.

    Priorities. "Scrubs" episode a day late for a guy whose collection is growing a tera a month?
    or failing on Pops and Sisters on the 90th?

    Where is the single-button QOS setting for "savagely kick any bulk traffic to the curb, instantly" button in Tomato? With the "on even a slight hint of priority traffic to follow within 1.5 seconds?" The active throttling babysitter that says "kids are asleep and you can max out" but then says "I think I heard the garage door opener; you vaporize."

    I understand that doing one's own speedtesting and later manually max speed setting to 2/3s of those values will reserve such bandwidth. Basic to QOS for decades.

    But all of that seems to be stuff that can be automated really easily. Why are we asking people to do this?

    Why force people to manually set same if the optimal settings can be gleaned from actual traffic on their network, reported to a wizard, set, and updated as conditions change? Speedtests done, settings made?

    To radically oversimplify, why is there not a wizard with a "foil the jagoff" button because honestly, that's what most of the people posting in these forums want. Why in 2012 does it still take two months' worth of discourse and dozens of contributions from a lot of top minds?

    Perhaps the answer is "because it's that hard; this is not the Boy Scouts."

    Just a reality-check here in 2012 - seems like 'foil the jagoff' as a shared goal from so many people would be easier to hit. An app, perhaps. Many apps are a lot more ambitious than this. And bricking routers - can't there be an Android app that uploads proper files to certain defined routers, keeping people more brick-free?

    These "flashing trees" where one has to flash DD-WRT XXX then step on its shoulders to flash XYZ et cetera are the recipes that bricked devices are made of.

    Hogwild seems quite smart, patient and persistent, yet his basic 'foil the jagoff' problem took dozens of communiques to solve.

    All we are trying to do is to foil the jagoff (that is functionally and morally identical to us, but not us at that instant in time) that is maxing out the pipe with multisession traffic. She won't mind being so throttled and neither will we. If forced to be equitable by a clever and equitable protocol, we will grudgingly submit.

    Where's the button ?

    Ben Whitaker
  44. Monk E. Boy

    Monk E. Boy Network Guru Member

    The button is waiting for you to make it.
  45. bawjkt

    bawjkt Networkin' Nut Member

    If we could somehow carry this into a app store model...

    certified brick-free is worth money - $5 is no problem for the verified solution. On an app store perhaps volume would be there.

    How many Tomato downloads have here been?

    Don't you agree that QOS is so 1902 right now? Where's the Henry Ford crank-start? No button ? 2012?

    Why do you have to be smart, communicative, persistent and prolific to solve this problem, which seems as published to be a solution of various rule sets via rote procedures as applied to your own measured data? Computers do that for all other categories.

    Farts alone have dozens of apps...why wouldn't something so fundamental have a more accessible solution?

    Just a bit shocked that nobody has taken this issue to the bank, $5 at a time.

    The current path risks router-bricking and no guaranteed support, with a lot of configuration on the back end that honestly a script could do better.
  46. quietsy

    quietsy Network Guru Member

    For those of you who are facing the same problem and just scroll to the end to see the solution, you can save months of trials and errors! I was facing the same problem and all it took me was 2 hours in which I flashed Toastman's firmware and followed his QoS thread EXACTLY as he instructed, it couldn't have been written better.
  47. bluenote

    bluenote Addicted to LI Member

    I'm sure you understand this bawjkt, but in case you don't, there is no guaranteed 'bulk traffic identifier' and with encryption and port hopping and maybe even VPN in the equation, there is NO reliable way of discerning non time sensitive traffic from time sensitive traffic.

    It's sort of like the criminal justice system. You have to let 100 criminals go free so you don't execute the 1 innocent.
  48. SteveF

    SteveF Serious Server Member

    Hogwild, this may be too late and you already may have solved your issues, but I will show my solution here because it works for me and also it may help others.

    First here are my QoS Rules:

    The base was taken from a Toastman build I am using: tomato-ND-1.28.7633.3-Toastman-VLAN-IPT-ND-Std.trx (you can find this on the Toastman build site). It is the latest as of February 13, 2013.

    Then I modified it to my requirements and here are the key points:

    1. Look at rules No's. 1-4: here I disabled all IP addresses which are outside my static IP address designations mainly just for security reasons.
    2. Rule No. 5: in my case I want to stop all P2P/File Sharing so I chose 'disabled' in this rule. If you want to enable it at a certain speed, then assign the speed designation required by you. The key is that you want to have this rule on the top, you want to catch P2P/File Sharing right off-the-bat and handle it accordingly. One caveat here: it will catch only unencrypted P2P/File Sharing (more on this in the next point).
    3. Rule No. 45: In case of encrypted P2P/File Sharing, this could be the rule which would stop it. Once all the rules prior to Rule 45 are passed (and this is possible only if the operation is a P2P/encrypted File Sharing operation), then this rule probably will stop the operation due to a wide number of ports being disabled. I used UDP-only protocol here since most P2P/File Sharing use UDP protocol. If you find that the P2P/File Sharing software uses TCP protocol (it is possible but not likely) then you can change the protocol to TCP/UDP. In addition if you find that the P2P/File Sharing is using ports lower than 1024, then you can change the port address range to 1-65535.

    I hope this helps you and others who may still have P2P/File Sharing problems with their roommate, renter, whatever.

    Let me know what you think. I know it may be late for you but it may help others.

  49. Monk E. Boy

    Monk E. Boy Network Guru Member

    Disabled QoS rules do not block traffic. It just disables the QoS rule. Rules 1-4 may as well be deleted, they're not affecting traffic flow at all.
  50. SteveF

    SteveF Serious Server Member

    Monk, OK, if you are 100% sure about 'Disabled' then you can assign a snail-pace speed like 'Crawl'. However, in this context I do not see the logic. Why would we have 'Disabled' in the same list with other speed values. If you want to disable it, you can simply remove it. But I see the other side as well, it may be easier to disable and then enable it again if you are experimenting.

    Regarding Rules No's 1-4: if I want to really disable these what parameter should I use instead of 'disabled'?
  51. Monk E. Boy

    Monk E. Boy Network Guru Member

    I am absolutely positive that Disabled just disables the rule, it doesn't affect traffic. If you've gone through the trouble of making a particularly painfully annoying rule, if you're going through diagnostics on a new problem you don't want to have to delete the rule and go back through that hell again recreating it if it wasn't the source of the problem, you just disable it. An alternative way of disabling rules is to create a blanket "ANY" rule as the last QoS rule. Any packet type to any address gets classified as Crawl or P2P or whatever you want all unclassified traffic to be classified as (basically this is recreating the "default category" as an editable/movable rule). This is the ANY rule. Once you have that rule in place you can move the rule you want to check (/Disable) below your ANY rule and after you apply it's effectively disabled, since it will match the ANY rule before anything after it. I do this last bit quite frequently for L7 rules, since they're at the end of my rulebase and bumping them down a couple notches seems easier to me - though it's entirely personal preference.

    I didn't look at the rest of your rules to be honest, but you could make the Crawl category correspond to 1% min and 2% max for inbound and outbound, use the rule above it (P2P/Bulk) as your default traffic category, then just assign Crawl to rules 1-4.

    Alternately, and probably a lot easier if you're using every category already, is to just create some iptables rules that drops all traffic coming from those addresses. The downside is you have to remember that those iptables rules are in place when adding equipment to the network, since if you're like me on a bad day (sigh, I miss coffee) you'll pull your hair out long before you remember the iptables rules.
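    To make the two points in this post and in post 37 above concrete (rules are tried top to bottom and the first match wins; "Disabled" only skips a rule; an ANY rule parks everything below it; a rule that only names the tenant as *source* never sees the tenant's downloads), here is an added example in Python. It is a toy model written for this thread, not Tomato's own classifier; the class names, the addresses and the sample flows are made up, and it deliberately ignores how Tomato tracks connections for inbound shaping.

```python
"""Toy model of first-match QoS classification (added example, not Tomato code).
Addresses, class names and flows below are constructed for the demonstration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

TENANT = "192.168.1.50"   # assumed LAN address of the tenant's machine
ME = "192.168.1.10"       # assumed address of another LAN host
WEB = "93.184.216.34"     # assumed remote host


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    name: str
    klass: str                              # QoS class assigned on match
    enabled: bool = True                    # "Disabled" skips the rule; it drops nothing
    src: Optional[str] = None               # address or CIDR
    dst: Optional[str] = None
    proto: Optional[str] = None
    ports: Optional[Tuple[int, int]] = None  # inclusive destination port range

    def matches(self, f: Flow) -> bool:
        if not self.enabled:
            return False
        if self.src and ip_address(f.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst and ip_address(f.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.proto and self.proto != f.proto:
            return False
        if self.ports and not (self.ports[0] <= f.dport <= self.ports[1]):
            return False
        return True


def classify(rules: List[Rule], f: Flow, default: str = "Default") -> Tuple[str, str]:
    """Rules are evaluated top to bottom; the first match decides the class."""
    for r in rules:
        if r.matches(f):
            return r.name, r.klass
    return "(unclassified)", default


# A rule with no criteria matches everything: the "default class" as a movable rule.
ANY = Rule("ANY", "P2P/Bulk")


def src_only_rule_misses_downloads() -> Tuple[str, str]:
    """Only the tenant's uploads carry the tenant as source; downloads carry it as destination."""
    rules = [Rule("TenantTrafficLimit", "Lowest", src=TENANT)]
    upload = Flow(TENANT, WEB, "tcp", 443)
    download = Flow(WEB, TENANT, "tcp", 443)
    return classify(rules, upload)[1], classify(rules, download)[1]


def disabled_rule_blocks_nothing() -> str:
    """A disabled rule is simply skipped; the flow falls through to the default class."""
    rules = [Rule("P2P", "Crawl", enabled=False, proto="udp", ports=(1024, 65535))]
    return classify(rules, Flow(TENANT, WEB, "udp", 6881))[1]


def any_rule_shadows_rules_below() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Moving a rule below ANY parks it; moving it back above ANY reactivates it."""
    tenant = Rule("Tenant", "Lowest", src=TENANT)
    high_udp = Rule("HighUDP", "Crawl", proto="udp", ports=(1024, 65535))
    f = Flow(ME, WEB, "udp", 6881)
    parked = classify([tenant, ANY, high_udp], f)
    active = classify([tenant, high_udp, ANY], f)
    return parked, active


if __name__ == "__main__":
    print(src_only_rule_misses_downloads())
    print(disabled_rule_blocks_nothing())
    print(any_rule_shadows_rules_below())
```

The first function is the sledgehammer moment from post 37: the download leg is classified by the default, not by the tenant rule, so a matching rule with the tenant as destination (or both legs covered by the rule set) is needed before the lowest class has any effect on what actually fills the pipe.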
  52. SteveF

    SteveF Serious Server Member

    Monk, thanks. I hear what you are saying and will revise my rules. I will not use iptables, I will do without them. Your suggestions were very valuable since I was on the wrong track having possibly false security regarding Rule No. 5. For Rule No. 45 I could also use the Crawl designation which I already ratcheted down to real slow speed.
  53. Monk E. Boy

    Monk E. Boy Network Guru Member

    I did a quick parse through your rules and thought of something. If you don't want to fight through iptables, you could recreate these rules in Access Restrictions. That's where I implement my IPP2P blocks (for your rule 5), and they support at least a single IP address (possibly multiple IP addresses) which would take care of 1-4.
  54. Monk E. Boy

    Monk E. Boy Network Guru Member

    Here's how to set up an IPP2P access restriction, be sure to click "add" after selecting "All IPP2P Filters" in IPP2P:

    You will have to create multiple rules, you can't have a single access restriction rule for both IPP2P and IP. By which I mean, this IPP2P filter rule covers all traffic from all devices. If you want to also restrict traffic from particular IP addresses then you would have to create an additional rule (or rules) separately. If you add them to this rule the restriction is cumulative... traffic would have to match both IPP2P Filter and the IP address to qualify for restriction.
  55. SteveF

    SteveF Serious Server Member

    Monk, thanks, really appreciate your suggestions. If I do Rule 5 here, could I remove it from QoS? In addition, I am not concerned about the unwanted IPs doing P2P, I just want to stop them completely. I am only concerned about 2 IPs doing P2P and I understand that I can also do that here, under Access Restriction. I do understand that I will have to create multiple rules here, no problem with that. I can see that I can implement Rules 1-4 here and remove them from QoS. If I implement Rule 5 here, could I leave it as well under QoS? Regarding Rule 45, I changed it to Crawl and leave it under QoS.
  56. Monk E. Boy

    Monk E. Boy Network Guru Member

    An IPP2P access restriction would block IPP2P traffic, accomplishing what you wanted to accomplish in your rule 5 in QoS, which also wouldn't have worked (because Disabled just disables the rule). I say any rule that isn't working under QoS should be removed, once you're sure the replacement is working. Since you have pictures you should be able to delete them (since the picture will help you recreate them in QoS if it's necessary) - I tend to not delete anything until I'm absolutely sure I don't need it (which is why I have an "any" rule and shuffle rules down under it).

    If you wanted to block traffic from the other IPs and didn't want to sort through iptables then you could create additional entries under access restriction to block their traffic.

    I was trying to say that you can't create a single rule under access restriction to block multiple things. Everything in a rule must be matched for the access restriction to take effect. So if you have IPP2P alone then it has to trigger the IPP2P filter before it takes effect, but if you have IPP2P and an IP address then traffic has to be both from that IP address and trigger the IPP2P filter.

    The only downside I can see is that you may not be able to specify IP ranges under access restriction (which you can in iptables and QoS). When I add, for example,, to an access restriction it accepts it, but maybe when I OK to apply it, or reboot the router, it'll display an error. Or won't work at all. Definitely back up your configuration before playing with this, normally I have a spare router here to monkey with but its in use so I can't find out.

    Oh, and with rule 45 changed to Crawl, it will now classify matching traffic as Crawl.
  57. SteveF

    SteveF Serious Server Member

    Thanks again Monk.

    Your first sentence implies that I can remove the IPP2P rule from QoS if I have it under Access Restriction. Is this correct?

    Two questions:

    1. Are you saying that under Access Restriction an IP range would not work or may not work? I already had a rule in place before, it specified a range and when I rebooted the router it did not complain. So I will try using the ranges and see what happens.

    2. Why would you not classify rule 45 as Crawl? I am assuming that rule is to catch encrypted P2P because the IPP2P rule either under QoS or Access Restriction would not catch it (am I correct saying this?). Are you saying that other operations other than P2P might use that port range with UDP protocol? If that is the case then I would restrict other operations as well and then I understand your statement. So can you be more specific why you made that statement?

  58. Toastman

    Toastman Super Moderator Staff Member Member

    I just read the posts by bawjkt again, and felt it might be useful to remind everyone that internet protocols were not actually created to make life easy for people. P2P is deliberately designed to make it hard to stop. Skype is a good example, also. You need a Magic Button? Go buy a commercial router. You know, the ones that promise the moon on the shiny box. It won't work, but what the hell? You bought it, the spiel on the box and all of the added crap that is in routers these days did its job, which is not to route or to control traffic, it's to sell hardware. That's why more than a quarter of a million people flash Tomato - because of the nice QOS.

    Such a "Magic Button" already exists, if you think about it. It is the QOS enable/disable button! When enabled, a set of rules are used to control traffic. That's what any such button would have to do, but in Tomato the rule set is not hidden and it can be "tuned". Unfortunately, those rules would have to be extremely complex, if we really needed a 100% solution for everyone the rule list would have to be so long and complex we will need seriously fast hardware to run it. There is no "one rule" that we can label "just read my mind and make everything work the way I want it".

    There is only one guaranteed way to limit P2P and other troublesome applications. Prioritize everything you DO want, and let all the crap drop into a "catch-the-rest" class. IPP2P and L7 Filters are a "nice try" .... but they don't work 100%. You can't rely on them. Suppose they work 99% of the time. The 1% that is let through may be someone downloading the Lord of the Rings Trilogy in HD... Yes, it's complicated, and every person will have a different set of rules after some time. There are millions of permutations. Sorry to state the facts of life, guys!

    Likewise, the L7 and IPP2P filters overmatch. In other words, they will often let through some traffic that we don't want and it ends up being given priority. We accept that because the benefits outweigh the disadvantages.

    The sample ruleset in my builds is a good starting point. It will work well for the majority of people with normal needs, but they are designed to control any user, anywhere, who may connect to the router, and over whom we have no control other than QOS. i.e. We can't tell him to limit his P2P speeds in uTorrent etc. If you do have control over your clients, then you can do better.

    This forum exists because we are here to help each other, that is the best way to learn and contribute.

    Tip - when you test a rule, isolate it, and use the QOS graphs and Realtime/24 hour charts to see if it is really working.

    Good luck, guys!
  59. Monk E. Boy

    Monk E. Boy Network Guru Member

    Yes, because the QoS rule won't work at all, and the IPP2P Access Restriction will. No sense having rules in QoS that don't work, because (if you're like me) you'll come in much later and get puzzled over what they do/how they work.

    I don't know if it will or won't work because I've never tried it before. Obviously the best way to do it is to test. Set up an access restriction with a range and then change one of your system's IP addresses to be within that range. If you can still get out to the internet, change it to just be that IP address. Test again. If it only works with a single IP address, well... you can add multiple IP addresses. The "Applies To" field can contain multiple addresses and block traffic to/from all those addresses, it's down in Port/Application that you want to be ultra-careful about making sure you don't have too much info.

    Because you said in your previous post that you classified it as Crawl.

    I should say here that I agree with Toastman, that P2P traffic is insidiously difficult to block. I know from extensive testing that IPP2P filters do work, but only on unencrypted traffic. Most traffic is encrypted, especially these days, but there it's better to slam a hammer on the few remaining packets. IPP2P filters are also extremely light in terms of CPU utilization (esp. compared to L7 filters), so there's very little downside to trying to block traffic this way.

    I have to make a best effort to block P2P traffic at my workplace, and I do it in the manner he describes. My default rule in QoS is crawl, which is set to 1-2%. I then go to great lengths to make sure that legitimate traffic, or at least the traffic we care about, is classified properly (note: this means many of Toastman's default rules are willfully and intentionally removed, since - for example - we don't care if Skype works, but we do care about other activities).

    Also, I find creating another Access Restriction rule for HTTP Request containing the names of P2P sites works quite well. It won't help for HTTPS requests (encryption rearing its head again) but it's surprising how well a simple Access Restriction rule will work. Couple all of this with DNS-based blocking like OpenDNS, to block DNS lookups to P2P sites (and proxy/anonymizer/vpn sites), and while it's far from perfect... between all the stumbling blocks you can at least piss them off, usually frustrating them sufficiently to give up and stop trying. Or, at least, it whittles their numbers down far enough that the ones who persist stand out - then you can track them down and let them have a nice chat with law enforcement.
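    An added example, not Tomato's or IPP2P's code, that models the two Access Restriction behaviours discussed in posts 56 and 59: every criterion set on one rule must match ("cumulative"), so a rule naming both IPP2P and an address only blocks P2P from that address, while two separate rules block either; and both the IPP2P signature and an HTTP-request keyword are blind once the payload is encrypted. The signature check is a crude stand-in for the IPP2P matcher (the plaintext BitTorrent handshake and an unencrypted tracker announce), and the addresses, the "example-tracker" keyword and the captured payloads are constructed for the demonstration.

```python
"""Toy model of Access Restriction matching (added example, not Tomato code).
Addresses, keywords and payloads are constructed; the signature check is only an
analogue of the real IPP2P matcher, which is far more thorough."""
from dataclasses import dataclass
from typing import List, Tuple

TENANT = "192.168.1.50"   # assumed tenant address
OTHER = "192.168.1.10"    # assumed other LAN host

# First bytes of an unencrypted BitTorrent peer handshake.
BT_HANDSHAKE = b"\x13BitTorrent protocol"


def looks_like_bittorrent(payload: bytes) -> bool:
    """Plaintext signatures only: encrypted (MSE) sessions show nothing recognisable."""
    if payload.startswith(BT_HANDSHAKE):
        return True
    return payload.startswith(b"GET ") and b"info_hash=" in payload   # plain tracker announce


def http_request_text(payload: bytes) -> str:
    """Request line and headers of plaintext HTTP, lower-cased; '' for TLS or anything else."""
    if payload[:4] in (b"GET ", b"POST", b"HEAD"):
        return payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").lower()
    return ""


@dataclass(frozen=True)
class Conn:
    src: str
    payload: bytes


@dataclass
class Restriction:
    name: str
    applies_to: Tuple[str, ...] = ()     # empty = every device
    ipp2p: bool = False                  # require the P2P signature to fire
    http_keywords: Tuple[str, ...] = ()  # require one keyword in a plaintext request

    def blocks(self, c: Conn) -> bool:
        # Every criterion present on the rule must match; none is an "or".
        if self.applies_to and c.src not in self.applies_to:
            return False
        if self.ipp2p and not looks_like_bittorrent(c.payload):
            return False
        if self.http_keywords:
            text = http_request_text(c.payload)
            if not any(k in text for k in self.http_keywords):
                return False
        return True


def is_blocked(rules: List[Restriction], c: Conn) -> bool:
    """Separate rules are independent: any one of them blocking is enough."""
    return any(r.blocks(c) for r in rules)


# Constructed sample connections.
PLAIN_BT = Conn(TENANT, BT_HANDSHAKE + b"\x00" * 8 + b"A" * 20 + b"-XX0001-" + b"b" * 12)
OTHER_BT = Conn(OTHER, BT_HANDSHAKE + b"\x00" * 8 + b"B" * 20 + b"-XX0001-" + b"c" * 12)
ENCRYPTED_BT = Conn(TENANT, bytes([0x9F, 0x3C, 0x71, 0xE2, 0x08, 0x55, 0xAA, 0x10] * 8))
NEWS_HTTP = Conn(TENANT, b"GET / HTTP/1.1\r\nHost: news.test\r\n\r\n")
SITE_HTTP = Conn(TENANT, b"GET /index.html HTTP/1.1\r\nHost: www.example-tracker.test\r\n\r\n")
SITE_HTTPS = Conn(TENANT, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 20)  # TLS ClientHello


def combined_rule_needs_both() -> Tuple[bool, bool, bool]:
    """IPP2P + address in one rule: only P2P from that address is blocked."""
    rules = [Restriction("p2p-from-tenant", applies_to=(TENANT,), ipp2p=True)]
    return tuple(is_blocked(rules, c) for c in (PLAIN_BT, OTHER_BT, NEWS_HTTP))


def separate_rules_block_either() -> Tuple[bool, bool, bool]:
    """Two rules: all P2P is blocked, and everything from the tenant is blocked."""
    rules = [Restriction("all-p2p", ipp2p=True), Restriction("tenant", applies_to=(TENANT,))]
    return tuple(is_blocked(rules, c) for c in (PLAIN_BT, OTHER_BT, NEWS_HTTP))


def encryption_defeats_signature_and_keyword() -> Tuple[bool, bool, bool, bool]:
    """Plaintext P2P and a plaintext site visit are caught; their encrypted twins are not."""
    rules = [Restriction("all-p2p", ipp2p=True),
             Restriction("sites", http_keywords=("example-tracker",))]
    return tuple(is_blocked(rules, c) for c in (PLAIN_BT, ENCRYPTED_BT, SITE_HTTP, SITE_HTTPS))


if __name__ == "__main__":
    print(combined_rule_needs_both())
    print(separate_rules_block_either())
    print(encryption_defeats_signature_and_keyword())
```

The last function is Toastman's point in post 58 in miniature: the signature and keyword rules are worth having because they are cheap, but the encrypted cases pass straight through, which is why the traffic you do want has to be classified explicitly and everything else left to fall into the catch-the-rest class.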
  60. SteveF

    SteveF Serious Server Member

    Thanks Toastman for the reminder. I agree with you regarding QoS and I have an extensive rule set for what I want and at the end the remainders with P2P/Bulk speed classification. I use some rules under Access Restriction, such as IPP2P, but I realize that it would work only on unencrypted P2P, if at all. It is only for an added measure, might work in some cases. For the 'catch-the-rest' classification I use P2P/Bulk with 200 kbps upload speed and 1,000 Kbps download classification. At the bottom of my rules I have a UDP protocol rule for port range of 1024-65535 with the P2P/Bulk speed qualification. This should work for encrypted P2P as well as other more minor operations but I do not care since the important ones are already specified earlier.

    Thanks again for your post.
  61. eahm

    eahm LI Guru Member

    Hogwild, I didn't read every post but:

    Test your bw here:, it's one of the most accurate since it uses your browser and not flash.

    Try a Shibby build and BWLimit his MAC address/es.
  62. SteveF

    SteveF Serious Server Member

    Monk, thanks for the detailed explanation. I followed most of your recommendation except the range specification under Access Restriction. This, whether it works or not, I am not so concerned about. I removed the IPP2P rule from the top of my QoS and moved it to under Access Restriction. I specified P2P/Bulk speed for my rule 45, at the bottom (UDP/port range: 1024-65535). The P2P/Bulk upload speed is about 215 kbps and the download is about 1,000 Kbps. So this should catch encrypted P2P at a slower speed plus other not-so-important operations. Since I find that he is also using TCP possibly for Skype, I may add the TCP protocol to rule 45 (my last rule). I think I would let him Skype with P2P/Bulk speed, it should not do any harm. Since rule 45 is a port based rule, I think it should catch and slow down his Skype operation. It is an ongoing process, more like a cat-and-mouse game.
  63. SteveF

    SteveF Serious Server Member

    I think I might have found out what my renter has been using for file sharing: Akamai Net Session P2P File Sharing software. I found out when he logged in to "" site to start his session. It was logged in syslog. I put this keyword in Access Restriction and that seemed to stop him from starting the session the next time. So, in this case whether the file sharing is encrypted or not, it does not matter, he cannot start his session. Hopefully I am not wrong, I need more time to evaluate.

    Does anybody know about Akamai Net Session? It must be encrypted because my IPP2P rule under Access Restriction did not stop it earlier.

    PS: He just wanted to login again a few minutes ago and indeed he could not initiate the session. I could watch it on IPTraffic/Last 24 Hours. Indeed this seems to be the cleanest way to stop him.
  64. Monk E. Boy

    Monk E. Boy Network Guru Member

    Well, Akamai is a distributed service model, and is used for a lot of things (e.g. Apple software updates). One thing he might be using it for is Netflix.
  65. SteveF

    SteveF Serious Server Member

    Yeah, that is fine, now I know what he is doing, so I removed the rule for Akamai. He may download legal stuff (or may not) but I am not concerned about it, it is his baby as long as he does not hog the bandwidth, which he does not. Thanks!