
QoS + VPN

Discussion in 'Tomato Firmware' started by tji, Sep 3, 2014.

  1. tji

    tji Network Guru Member

    I have a fast internet connection -- faster inbound than outbound. But, still ran into issues where a single user uploading a massive file could kill performance for everyone else.

    I enabled QoS, and it solved that problem. However, it also had the side effect of causing very poor performance for remote OpenVPN users - even when the network was not under load.

    I'm sure others have already run into this. Any pointers on workable solutions?

    Also, the only thing I need out of QoS is to throttle back the big bandwidth hogging session. I don't need different classes of service or protocol-specific settings. A simple solution like the old Cisco weighted fair queueing would be great. Can Tomato's QoS work in that mode (for both outbound and VPN/tun interfaces)?
     
  2. Monk E. Boy

    Monk E. Boy Network Guru Member

    What's probably happening is that QoS is classifying your VPN traffic as a lower priority, possibly Bulk or P2P, and it's losing out to higher priority traffic.

    I would try to create a pair of QoS classification rules that apply to traffic coming from and going to VPN clients, move these QoS rules up the list until they're before web browsing and other traffic, and assign these rules to either the first or second class (classes listed under QoS/basic settings - the top QoS class has priority over the second QoS class, which has priority over the third, etc.). You may have to rework both class and classification to fit this VPN class in, but for a quick 'n dirty test you can hijack web browsing, etc. - something high up on the list with a lot of bandwidth assigned to it (web browsing?).

    If that solves your performance problem, then you can try moving the rules down the classification list, so that all traffic leaving your router from VPN clients doesn't always have this absurdly high priority.
     
  3. tji

    tji Network Guru Member

    Thanks for the response. I have tried to reconfigure this a few times, but whenever I enable QoS my inbound VPN performance takes a big drop.

    As I mentioned, I don't really need the sophisticated QoS with the different classes of service. So, I'm now trying a basic kernel fair queueing. After turning it on my VPN performance is unaffected. But, I have only done some basic testing with overloaded outbound bandwidth. It seems promising, but I need to test more.

    The command I used is: "/usr/sbin/tc qdisc add dev br0 root sfq perturb 10"

    The full QoS feature seems great for people with really limited bandwidth. But, for those of us with big pipes just wanting to keep one user from slowing everyone down, SFQ seems like just what is needed. But... it can't be that easy. Has anyone spent more time with SFQ and run into limitations?
     
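The single tc line in the post above is the whole technique: SFQ as the root qdisc gives every flow a fair share of the interface, so one large upload cannot starve the rest. The script below is an added example (not tji's script and not part of Tomato): it wraps that same command so it can be dropped into a Tomato init script and rerun safely. Interface names br0 (LAN bridge), vlan2 (WAN) and tun21 (OpenVPN server) are assumptions for a typical Tomato router; check Status/Overview for the real names.

```shell
#!/bin/sh
# Added example, not code from the thread. Installs the poster's SFQ qdisc
# ("tc qdisc add dev br0 root sfq perturb 10") on a list of interfaces.
# Interface names are assumptions for a Tomato router: br0 = LAN bridge,
# vlan2 = WAN, tun21 = OpenVPN server tunnel. Override via environment.

SFQ_IFACES="${SFQ_IFACES:-br0 vlan2 tun21}"
SFQ_PERTURB="${SFQ_PERTURB:-10}"   # seconds between hash reseeds
TC="${TC:-/usr/sbin/tc}"           # path used in the thread
DRY_RUN="${DRY_RUN:-0}"            # 1 = print commands instead of running them

# Build the tc command for one interface. 'replace' instead of the poster's
# 'add' makes the script idempotent: running it again from the Tomato "Init"
# script slot after a reboot or a VPN restart does not fail with
# "RTNETLINK answers: File exists".
sfq_cmd() {
    printf '%s qdisc replace dev %s root sfq perturb %s\n' "$TC" "$1" "$SFQ_PERTURB"
}

# True if the kernel currently has an interface with this name. A tun device
# only exists while the OpenVPN server is running, so it must be checked.
iface_present() {
    [ -d "/sys/class/net/$1" ] || grep -q "^ *$1:" /proc/net/dev 2>/dev/null
}

# Apply SFQ to every configured interface that exists. Returns non-zero if
# any tc invocation failed, so a caller can log the problem.
apply_sfq() {
    rc=0
    for dev in $SFQ_IFACES; do
        if ! iface_present "$dev"; then
            echo "skip $dev: interface not present" >&2
            continue
        fi
        cmd=$(sfq_cmd "$dev")
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
        else
            # Word-splitting of $cmd is intended: it is a plain command line.
            $cmd || rc=1
        fi
    done
    return $rc
}

# Show the installed qdiscs with statistics so the change can be verified
# (the "dropped" and "overlimits" counters tell you whether SFQ is working).
show_qdiscs() {
    for dev in $SFQ_IFACES; do
        iface_present "$dev" && "$TC" -s qdisc show dev "$dev"
    done
}

# Only act when explicitly asked, so the file can also be sourced for its
# functions. On the router: SFQ_AUTORUN=1 sh /path/to/this_script.sh
if [ "${SFQ_AUTORUN:-0}" = 1 ]; then
    apply_sfq && show_qdiscs
fi
```

On the router, run it once with `DRY_RUN=1 SFQ_AUTORUN=1` to see exactly which commands would be issued, then without `DRY_RUN`. Because the tun interface appears and disappears with the OpenVPN server, the script is also a reasonable thing to call from the OpenVPN "up" hook, which is why it skips absent interfaces instead of failing.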
  4. Porter

    Porter LI Guru Member

    @tji
    Using Tomato's QoS-system is not a bad choice because it makes administration a bit easier than a custom script.

    From what you have written in your initial post I can deduce that you didn't add a custom filter for your VPN traffic on QoS/Classification. From what I've just found out about OpenVPN you can just add some standard port filter(s) for UDP and TCP and be done with it. Use the 'Remote' class and group those new filter(s) up with the other Remote ones in the list. Check how much bandwidth your Remote class gets in QoS/Basic Settings. Don't forget to measure your bandwidth and deduct a safety margin depending on whether you use ADSL (15-30% when you are not using the overhead calculation feature) or cable (maybe 10% to start with).

    If your router can't handle QoS, I do have a script which would allow you to just have basic shaping of your WAN interface in both directions. The downside to this is that you will still be vulnerable to users who torrent or who just use several connections to upload.
     
  5. Monk E. Boy

    Monk E. Boy Network Guru Member

    When a user is connected, you can see how traffic to/from their system is classified. More than likely your VPN traffic is being dropped into the default P2P or Bulk category. You need to create rules that will classify their traffic at a higher priority. You can see and react to this in real time.

    You'll soon discover why QoS exists, and it's not for people with low bandwidth connections. It's to ensure the traffic you want prioritized gets prioritized over traffic you don't care about as much. All it takes is a couple clients spawning off a few hundred P2P-like connections to clog up your upstream link and you'll discover your VPN users will have trouble connecting, much less transferring data...
     
  6. Porter

    Porter LI Guru Member

  7. tji

    tji Network Guru Member

    Thanks for the responses. I will do some more testing based on those suggestions.

    I did add QoS classifiers for my VPN traffic, but I didn't see the stats to confirm the correct classification. I'll try that tonight. What I did see was on an empty 75/35Mbps connection, after enabling QoS my test www pages loaded slowly. So I was surprised that, even if misclassified, it would be slow. My router is an Asus RT-N66U, so it should have plenty of horsepower.

    Porter: I saw some scripts in the link you posted. Is that the script you mentioned, or is there a more specific one that I can try out? I'm not concerned about the P2P case, this is in a small office without that type of traffic. The problem we've had is with legitimate huge (single TCP connection) file xfers. One person needs to upload a 4GB image to S3, and Internet access for everyone slows to a crawl. It seems like SFQ is a good solution for this.
     
  8. Porter

    Porter LI Guru Member

    @tji
    Please take some screenshots of your new filters so I can rule out a config error. Probably upload some shots of QoS/Basic Settings, too.

    Yes, please check with the QoS Graphs whether your VPN traffic shows up there and ends up in the correct class.

    I'm not always sure how much cpu power certain routers have, but with a line like yours, you might run into problems. Just keep an eye out for high loads and cpu usage and check Status/Overview.

    The script you saw in one of the links is not suitable for your use case since it enables QoS for _inside_ the VPN-tunnel. I'll happily provide the script for your use case but please try adding the right filters first, using the conventional way. Using the normal QoS-system also provides a much more efficient way to limit large uploads which are hindering your work so much.
     