
TomatoUSB(Toastman) Guest VLAN w/ tc&mangle BW Limit causes reboots

Discussion in 'Tomato Firmware' started by neoaeon, Feb 1, 2014.

  1. neoaeon

    neoaeon Reformed Router Member

    Greetings,

    Any assistance would be greatly appreciated. My apologies if this has been covered elsewhere; I can't find it through search.

    My goal; a bandwidth limited guest VLAN.

    I've got everything working as I want, except the bandwidth limit. Every time I mess with it the router will randomly reboot in the next 10 minutes. My current assumption is some watchdog is triggering due to my messing w/ tables/tc?

    Hardware; Cisco e3000
    Build; tomato-E3000USB-NVRAM60K-1.28.0503.6MIPSR2Toastman-RT-N-VLAN-Ext
    Network; 2.4Ghz handled by ASUS RT-N16s on either end of the house. e3000 handles 5Ghz. e3000 is the router.
    Internet; DOCSIS 3.0 50/12.5

    Basic setup;
    Add a VLAN (3)
    Build a bridge (br1) with VLAN
    tie 2.4Ghz radio to br1 (native, no vSSID)
    setup LAN Access
    enable dhcp for br1 on unrelated range (x.x.x.0/27)

    At this point everything works at full bandwidth. br1 can't communicate with br0 devices. br1 has no UPnP access. This has functioned for 48+ hours.

    Now to limit the bandwidth;

    I've been experimenting with the below commands to limit the bandwidth. When these are in place, everything works as I want, guests are forced to 256kb/64kb, primary has no limits, it's beautiful, exactly what I want. But w/in the next 10 minutes the router will reboot w/o any error syslogged to my rsyslog server. It appears I can place all the tc rules I like; it's the iptables mangle rules that cause the reboots.

    As a test, I've even added the mangle rules for a minute, tested everything out, then flushed the mangle tables. As long as mangle is empty the router stays up.


    Code:
    # Add imq3
    rmmod imq; modprobe imq numdevs=4; service firewall restart
    
    # doesn't exist yet, but clean up in case of repaste
    tc qdisc del dev br1 root
    
    # stolen from older BW Limit threads DL
    tc qdisc add dev br1 root handle 1: htb
    tc class add dev br1 parent 1: classid 1:1 htb rate 51200kbit
    tc class add dev br1 parent 1:1 classid 1:10 htb rate 128kbit ceil 256kbit prio 2
    tc qdisc add dev br1 parent 1:10 handle 10: sfq perturb 10
    tc filter add dev br1 parent 1:0 prio 2 protocol ip handle 10 fw flowid 1:10
    
    # stolen from older BW Limit threads UL
    ip link set imq3 up
    tc qdisc del dev imq3 root
    tc qdisc add dev imq3 root handle 2: htb
    tc class add dev imq3 parent 2: classid 2:1 htb rate 12800kbit
    tc class add dev imq3 parent 2:1 classid 2:20 htb rate 64kbit ceil 128kbit prio 2
    tc qdisc add dev imq3 parent 2:20 handle 20: sfq perturb 10
    tc filter add dev imq3 parent 2:0 prio 3 protocol ip handle 20 fw flowid 2:20
    
    # in place DL
    iptables -t mangle -A POSTROUTING -o br1 -j MARK --set-mark 10
    
    # in place UL
    iptables -t mangle -A PREROUTING -i br1 -j MARK --set-mark 20
    iptables -t mangle -A PREROUTING -i br1 -j IMQ --todev 3
    
    # connection limits
    iptables -I FORWARD -i br1 -p tcp -m connlimit --connlimit-above 64 -j DROP
    iptables -I FORWARD -i br1 -p udp -m limit --limit 10/sec -j DROP
    
    I've also tried with CLASSIFY, though I can't get this to work anywhere. Not in POSTROUTING, FORWARD, nor OUTPUT. When I use this the router reboots almost instantly (w/in seconds) after placing the mangle rules. If I use the FORWARD mangle it'll lock up hard and require a power cord pull.

    Code:
    tc qdisc del dev br1 root
    
    tc qdisc add dev br1 root handle 1: htb
    tc class add dev br1 parent 1: classid 1:1 htb rate 51200kbit
    tc class add dev br1 parent 1: classid 1:2 htb rate 12288kbit
    
    
    tc class add dev br1 parent 1:1 classid 1:10 htb rate 128kbit ceil 256kbit prio 2
    tc class add dev br1 parent 1:2 classid 1:20 htb rate 64kbit ceil 128kbit prio 2
    
    tc qdisc add dev br1 parent 1:10 handle 10: sfq perturb 10
    tc qdisc add dev br1 parent 1:20 handle 20: sfq perturb 10
    
    insmod xt_CLASSIFY
    iptables -t mangle -A POSTROUTING -j CLASSIFY --set-class 1:10 -d x.x.x.0/27
    iptables -t mangle -A POSTROUTING -j CLASSIFY --set-class 1:20 -s x.x.x.0/27
    
    iptables -I FORWARD -i br1 -p tcp -m connlimit --connlimit-above 128 -j DROP
    iptables -I FORWARD -i br1 -p udp -m limit --limit 10/sec -j DROP
    
    Any ideas? I'm 90% of the way to my goal, I just need the bandwidth limiting to work.

    Thanks in advance,
    -neoaeon

    P.S. @Toastman, would it be possible to request a feature for the bandwidth limiter page to apply to a vlan or bridge? For those of us who'd like to use it for a guest network?

    EDIT: Looks like CLASSIFY may cause a kernel panic, and has been known for a while http://tomatousb.org/forum/t-250571/iptables-classify-target-causes-kernel-panic
     
    Last edited: Feb 1, 2014
  2. neoaeon

    neoaeon Reformed Router Member

    Sorry for the quick bump,

    As a follow-up, it appears I may have a greater issue in my first script, as DHCP doesn't function with that in place. I was testing while already on that network.

    Assuming that was part of the issue, I redid the script a bit to target just the src/dst of the network; further, I used 2 IMQs. This rig stayed up for 10 minutes or so, but it still ends up rebooting the router as well. Subsequent tests lasted only a few minutes, but at least DHCP functions and I can "join" the guest network while in place and up.

    Code:
    # Add imq3&4
    rmmod imq; modprobe imq numdevs=5; service firewall restart
    
    # doesn't exist yet, but clean up in case of repaste
    tc qdisc del dev imq3 root
    
    # stolen from older BW Limit threads DL
    ip link set imq3 up
    tc qdisc add dev imq3 root handle 1: htb
    tc class add dev imq3 parent 1: classid 1:1 htb rate 51200kbit
    tc class add dev imq3 parent 1:1 classid 1:10 htb rate 128kbit ceil 256kbit prio 2
    tc qdisc add dev imq3 parent 1:10 handle 10: sfq perturb 10
    tc filter add dev imq3 parent 1:0 prio 2 protocol ip handle 10 fw flowid 1:10
    
    # doesn't exist yet, but clean up in case of repaste
    tc qdisc del dev imq4 root
    
    # stolen from older BW Limit threads UL
    ip link set imq4 up
    tc qdisc add dev imq4 root handle 2: htb
    tc class add dev imq4 parent 2: classid 2:1 htb rate 12800kbit
    tc class add dev imq4 parent 2:1 classid 2:20 htb rate 64kbit ceil 128kbit prio 2
    tc qdisc add dev imq4 parent 2:20 handle 20: sfq perturb 10
    tc filter add dev imq4 parent 2:0 prio 3 protocol ip handle 20 fw flowid 2:20
    
    # in place DL
    iptables -t mangle -A POSTROUTING -o br1 -d x.x.x.0/27 -j MARK --set-mark 10
    iptables -t mangle -A POSTROUTING -o br1 -j IMQ --todev 3
    
    # in place UL
    iptables -t mangle -A PREROUTING -i br1 -s x.x.x.0/27 -j MARK --set-mark 20
    iptables -t mangle -A PREROUTING -i br1 -j IMQ --todev 4
    
    # connection limits
    iptables -I FORWARD -i br1 -s x.x.x.0/27 -p tcp -m connlimit --connlimit-above 64 -j DROP
    iptables -I FORWARD -i br1 -s x.x.x.0/27 -p udp -m limit --limit 10/sec -j DROP
    
     
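    The two scripts above build the same structure by hand each time: reload imq with enough devices, one HTB tree per direction with a leaf class and an fw filter, then mangle rules that mark and divert only the guest range. Below is an added example (my own, not the poster's script or Tomato's code) that wraps that procedure in functions for Tomato's BusyBox sh, so it can be re-run without stacking duplicate qdiscs or iptables rules. It assumes a guest bridge of br1, IMQ devices 3 and 4, and a constructed guest range of 10.0.3.0/27 in place of the masked x.x.x.0/27; setting RUN=echo prints every command instead of executing it, which is how to review the rule set before touching a router that has been rebooting.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumes Tomato/BusyBox sh, a guest
# bridge br1 and a constructed guest range 10.0.3.0/27 (the thread masks it as
# x.x.x.0/27). Set RUN=echo to print every command instead of running it.
RUN="${RUN:-}"
GUEST_IF="${GUEST_IF:-br1}"
GUEST_NET="${GUEST_NET:-10.0.3.0/27}"   # constructed sample value
DL_IMQ="${DL_IMQ:-3}"                   # imq index used for download shaping
UL_IMQ="${UL_IMQ:-4}"                   # imq index used for upload shaping
WAN_DL=51200; WAN_UL=12800              # link capacity in kbit (50/12.5 Mbit)
DL_RATE=128;  DL_CEIL=256               # guest download guarantee / ceiling, kbit
UL_RATE=64;   UL_CEIL=128               # guest upload guarantee / ceiling, kbit

# htb wants 0 < rate <= ceil; returns 0 when sane, 1 otherwise
rate_ok() { [ "$1" -gt 0 ] && [ "$1" -le "$2" ]; }

# imq devices are numbered from 0, so numdevs must exceed the highest index used
imq_numdevs() {
  if [ "$1" -gt "$2" ]; then echo $(( $1 + 1 )); else echo $(( $2 + 1 )); fi
}

# One HTB tree: root class at link rate, a leaf capped at the guest limit, sfq
# under the leaf, and an fw filter steering firewall mark $mark into the leaf.
# The leaf classid reuses the mark's digits as in the thread (tc reads classid
# minors as hex and the fw handle as decimal; they only need to be consistent).
htb_tree() {  # dev major link_kbit rate_kbit ceil_kbit mark
  dev=$1; maj=$2; link=$3; rate=$4; ceil=$5; mark=$6
  rate_ok "$rate" "$ceil" || { echo "rate $rate exceeds ceil $ceil on $dev" >&2; return 1; }
  $RUN tc qdisc del dev "$dev" root 2>/dev/null || true   # idempotent re-run
  $RUN tc qdisc add dev "$dev" root handle "$maj:" htb
  $RUN tc class add dev "$dev" parent "$maj:" classid "$maj:1" htb rate "${link}kbit"
  $RUN tc class add dev "$dev" parent "$maj:1" classid "$maj:$mark" htb rate "${rate}kbit" ceil "${ceil}kbit" prio 2
  $RUN tc qdisc add dev "$dev" parent "$maj:$mark" handle "$mark:" sfq perturb 10
  $RUN tc filter add dev "$dev" parent "$maj:0" prio 2 protocol ip handle "$mark" fw flowid "$maj:$mark"
}

# Delete-then-append so re-running the script never stacks duplicate rules.
mangle_rule() {
  $RUN iptables -t mangle -D "$@" 2>/dev/null || true
  $RUN iptables -t mangle -A "$@"
}

apply_guest_shaping() {
  n=$(imq_numdevs "$DL_IMQ" "$UL_IMQ")
  $RUN rmmod imq 2>/dev/null || true
  $RUN modprobe imq numdevs="$n"
  $RUN service firewall restart            # Tomato re-applies its own rules
  $RUN ip link set "imq$DL_IMQ" up
  $RUN ip link set "imq$UL_IMQ" up
  htb_tree "imq$DL_IMQ" 1 "$WAN_DL" "$DL_RATE" "$DL_CEIL" 10 || return 1
  htb_tree "imq$UL_IMQ" 2 "$WAN_UL" "$UL_RATE" "$UL_CEIL" 20 || return 1
  # Scoped to the guest range, as in the poster's second script (the version
  # with which DHCP on br1 worked again); nothing else on the router is marked.
  mangle_rule POSTROUTING -o "$GUEST_IF" -d "$GUEST_NET" -j MARK --set-mark 10
  mangle_rule POSTROUTING -o "$GUEST_IF" -d "$GUEST_NET" -j IMQ --todev "$DL_IMQ"
  mangle_rule PREROUTING  -i "$GUEST_IF" -s "$GUEST_NET" -j MARK --set-mark 20
  mangle_rule PREROUTING  -i "$GUEST_IF" -s "$GUEST_NET" -j IMQ --todev "$UL_IMQ"
}

# Check what actually landed: leaf class byte counters should grow with guest traffic.
show_guest_shaping() {
  $RUN tc -s class show dev "imq$DL_IMQ"
  $RUN tc -s class show dev "imq$UL_IMQ"
  $RUN iptables -t mangle -L -n -v
}

case "${1:-}" in
  apply) apply_guest_shaping ;;
  show)  show_guest_shaping ;;
esac
```

    Run `RUN=echo sh guest-shape.sh apply` first to read the exact command list, then `sh guest-shape.sh apply` on the router and `sh guest-shape.sh show` to confirm the leaf classes (1:10 and 2:20) are the ones accumulating bytes while a guest client is active; the rate/ceil guard refuses to build a tree whose guarantee exceeds its ceiling, which htb would otherwise reject at load time.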
  3. gutsman7

    gutsman7 Networkin' Nut Member

    Your reboot problem might be a result of your connlimit script command, this one.
    iptables -I FORWARD -i br1 -s x.x.x.0/27 -p tcp -m connlimit --connlimit-above 64 -j DROP
    Tomato doesn't handle connlimit well in the FORWARD chain. Remove this command and see if it will still reboot.
     
  4. neoaeon

    neoaeon Reformed Router Member

    Thanks for the reply.

    Same result w/o the connlimit, reboot after a few minutes.

    Some more information: as I've been playing with it today, it appears to happen when there's traffic on the guest VLAN. If I put the rules in place w/ no clients on the VLAN it seems to stay up for a lot longer (30+ minutes during one test).

    Also, in case it's important: I have both the QoS and BW Limiter functions turned off in the web interface while I test this.
     
  5. neoaeon

    neoaeon Reformed Router Member

    Alright, I guess this is a bug in the BW Limit function.

    I started to try to "steal" the IMQs from the built-in BW Limiter function, thinking I'd let Tomato set up all the qdiscs and IMQs so I could stop fighting with the watchdog.

    When I turned on the BW Limiter via the web interface for my main network segment on a few hosts, my router instantly rebooted and got stuck in a boot loop. Had to reset and upload my config to get back.

    So, this appears to no longer be an issue with how or what I'm doing, and appears to be an issue w/ the BW Limiter function altogether.

    EDIT: Created new thread dedicated to the B/W Limiter crashing http://www.linksysinfo.org/index.ph...-limiter-causes-reboots-and-boot-loops.69612/
     
    Last edited: Feb 2, 2014
