Issues with Tomato - QoS and Wireless

Discussion in 'Tomato Firmware' started by ng12345, Dec 2, 2007.

  1. ng12345

    ng12345 LI Guru Member

    Hey everyone,

    Have been using Tomato for a little over a month now -- been upgrading diligently (currently on 1.11 on a Linksys WRT54GL). I switched from DD-WRT and the main reason for the switch was due to the crap QoS on DD-WRT and the good ratings I heard about the QoS (simplicity and efficacy) on Tomato. One of my housemates is a P2P maniac and he hogs the internet connection whenever he "thinks no one else is at home." This means there are weekends/days where the internet connection is totally shot because of his stuff. Thus I put in Tomato and its QoS so that everyone could use the internet even when he decided to try and max out the connection.

    QoS was working great the first few weeks -- but now it is as if it is being bypassed.

    My settings are very basic:
    Default = Lowest
    Outbound 400kb/s
    Highest 90-100%
    High 90-95%
    Lowest 3-95%
    Inbound 6000kb/s
    Highest 99%
    High 97%
    Lowest 95%

    Highest- DNS
    High - http,https

    At midnight to 1 am I notice that my internet comes to a halt. After checking the QoS graph I notice that my outbound connections are hitting up to 357 kb/s. No matter what, the HTTP traffic can't sneak through until I put a hard upper limit on the Lowest setting of about 30%. Then I can use the internet at a normal speed.

    My understanding of my QoS settings is that the Lowest classification should ramp down as I use a higher prioritized service -- this does not seem to be happening. Any suggestions?

    On a second and more minor note, I have noticed that the wireless service seems really flaky since I switched to Tomato. On my ThinkPad T42 I am constantly getting disconnected and reconnected to my SSID, despite 5 bars in Windows network config, and the SSID being listed on channel 1 where there are the lowest number of neighboring SSIDs. Just to clarify, because of the instability of the wireless connection, I use a wired connection, and am experiencing the above problems.
  2. rcordorica

    rcordorica Network Guru Member

    I recommend you test your real bandwidth.

    Try different servers. And try different times of the day.

    I know my 10Mb/1Mb connection fluctuates and I get 5Mb/780Kb during peak usage hours, so I had to adjust my QoS to reflect my actual bandwidth.

    You may also want to make sure the router isn't getting bogged down with too many connections. I noticed my WRT54GL runs out of memory around 2000 connections. But even before that point latency becomes unbearably bad. The router simply needs more memory to keep up.

    An easy fix for that scenario is to limit connections to a low number, around 1400 connections, so that the router simply drops the connections it can't handle. Then your browser can request a new connection instead of waiting in a queue that will never get run time.
  3. ng12345

    ng12345 LI Guru Member

    Thanks for the tips -- I think the connections idea is spot on -- I'm going to try and limit that to 1500 (it was at 2048).

    Any ideas on the wireless issue, or do you think that could be connection related also? I do remember that whenever I would start dropping, the memory on the router would be low also.

    Why is it that neither of these issues were encountered on the DD-WRT firmware (my settings were the same)?

    Lastly -- is there a way for QoS to adapt to the variation in max speed (by changing settings on a schedule or some other method)?
  4. ng12345

    ng12345 LI Guru Member

    So, still having issues with QoS.

    Decided putting default at Lowest made all RDP, VNC and any other types of connections useless.

    Switched around my settings to make default High and put in a rule for BitTorrent.

    However -- neither the IPP2P nor the L7 rules are catching anything! I think the torrent data may be encrypted -- is this the issue? If data is encrypted -- what is the best way to single out BitTorrent -- I tried putting filters on the incoming ports but that still doesn't help.
  5. Maggard

    Maggard LI Guru Member

    Why not apply QOS rules specifically to the problematic port, or MAC address? Ignore the content, manage the overall bandwidth.
  6. ng12345

    ng12345 LI Guru Member

    I tried putting it on the ports -- but I guess the way BitTorrent works is that it only uses the incoming port to determine that a connection can occur ... but then it uses every other port to actually make the connection. In the View Details element of Tomato QoS, you can see that almost every port is being used without any rhyme or reason for BT activities.

    I can't really limit a MAC address or specific IP since we are all equally paying for the internet connection and everyone does a little bit of P2P here and there. It isn't really fair to cripple his connection -- though at the same time it isn't fair for him to cripple ours. Filtering by MAC, however, will make it so ALL of his internet connections are slow, not just P2P.
  7. Maggard

    Maggard LI Guru Member

    Actually I was referring to the physical port, effectively the same as by MAC address.

    If the L7 filters aren't picking up BT traffic then try updating to the latest version of Tomato; these are regularly improved. However, there is an arms race about hiding torrent traffic, so the filters may not be keeping up.

    But perhaps instead of trying to manage things purely technologically you would all be better off setting some ground rules, such as:
    1. Agree to limit the number of connections a P2P client opens, to housemates/2048.
    2. Specify what port ranges P2P is to happen over, and then QOS down those specifically.
    3. No P2P in prime hours. Nearly all modern clients support timed services.
    4. Consider designating one machine the P2P box and queuing all jobs on its P2P client.
    5. Move the Tomato traffic page on the router webserver to where it can be seen by everyone sans password, so it is trivial to monitor overall load.
    An alternative strategy would be to simply put ‘the hog’ at a low priority so he gets everything if nobody else is using; if they are he gets what is left over. If he doesn’t like this then perhaps he should get his own connection.

    While you’re at it, as suggested by others, run a few checks and determine what you are really getting for service, at different times of day, using different means. It does read like you’re over-allocating. 6000/400 might really be 4000/256 sustained.

    Lastly, not to be a Debbie Downer, but is everyone aware that the person whose name is on the account is responsible for it? Legally responsible for it? That if tomorrow the MPAA or RIAA wants a pound of flesh (assuming any housemate were to somehow mistakenly download a torrent or two of illicit material) that's who will have it forcibly excised, no matter that it could have been any of you?

    Great folks, fantastic housemates, but when the bill is $10,000-$50,000 who is on the hook for it? Comfortable with that?
  8. ng12345

    ng12345 LI Guru Member

    Thanks for the suggestions. They are very helpful. It definitely makes sense to forget about Tomato QoS and do a "social QoS".

    I guess I was trying to figure out a way to please everyone in the house.
  9. dougisfunny

    dougisfunny LI Guru Member

    I'd say a technical solution would be possible, on a "whitelist" type basis.

    Two classifications, both based on mac.

    1st classification (whitelist) with a higher priority, for ports 1-1024
    2nd classification with a low priority for ports 1024-65535

    The 1st classification would take care of his HTTP, FTP and most normal browsing;
    most P2P is in the 2nd classification.
  10. rcordorica

    rcordorica Network Guru Member

    Here are some thoughts:
    1. Most P2P traffic now has the option of encryption, which means L7 and IPP2P filters will not help at all.

    2. L7 and IPP2P filters are memory intensive in high connection situations. When I do a Server Listing with Steam, it usually grabs a list of servers that number in the hundreds if not thousands. With a single L7 filter Tomato complains that the Conntrack table has run out of memory (when pinging all the servers).

    3. I use a white list approach. Only classify connections you need, and let everything else fall off the end of the list to your "Default Classification." That way all p2p traffic gets lowest priority without you having to set anything up.

    4. Disable unneeded NAT Helpers. Disable Prioritize ACK (really important for P2P, which has a lot of ACKs). Disable inbound L7.

    5. I give my Lowest classification 1%/80%. Because even though the QoS should always give priority to higher classifications, it needs time to adjust, so you will want a buffer zone where higher classed connections can get through.
  11. ng12345

    ng12345 LI Guru Member

    Thank you for the last post, it is really helpful.

    The only problem with a default "catch all" classification that is set to "Lowest" is that this catches LogMeIn connections.

    Does anyone know what port / how to create a classification rule for LogMeIn? I couldn't find any answers through Google -- it uses more than just port 80 or 443.
  12. rcordorica

    rcordorica Network Guru Member

    According to LogMeIn, it only uses ports 80 and 443 (as you already said). Unless you are using the Hamachi version, which uses ports 12975 and 32976.

    The rule should be simple, HIGH, SRC or DST, TCP/UDP (it may use UDP).

    Make sure you have strict rule ordering on, and that you have your LogMeIn/www classification 2nd on the list (after DNS).

    If you already have all of that, then maybe your QoS bandwidth settings don't reflect the actual bandwidth your connection is getting.

    I don't understand why your HTTP and HTTPS connections are put in the default classification. From what you described, your QoS rules are simple.

    Post a screenshot of your QoS settings?
  13. ndoggac

    ndoggac Network Guru Member

    A couple of thoughts...

    Tomato institutes the classification rules in a top down manner, so I always put the rule that's going to catch the largest number of connections at the top of the list, in this case my torrent rule setting to lowest. That way the most connections are caught first, so your router doesn't have to do as many rule compares to classify your torrent connections. I've noticed when changing any settings and the service has to be restarted, that the connections are classified much faster using this approach.

    I do all classifications by MAC address, since I have a separate machine doing torrents, but there is a way (in uTorrent at least, not sure about Azureus) to set your outgoing port to a single value (I have both my incoming and outgoing port set to the same value); then you can have your QoS set anything from that IP and port to the Lowest class.

    If you're encrypting in your torrent client but still allowing legacy connections and using IPP2P layer QoS, you will only classify the legacy (unencrypted) connections. The IP and hard port approach will work much better.

    If at all possible I recommend classifying by MAC address only. It's your best option followed by IP only, then IP & Port. Any IPP2P stuff, and the router has to perform a more intense packet inspection which sucks resources.
  14. ng12345

    ng12345 LI Guru Member

    Thanks for the additional information.

    Though LogMeIn's site says that they only use 80 and 443, I used Ethereal and it shows that random ports are being accessed to maintain the LogMeIn connection at both ends.

    Unfortunately there are no L7 rules for LogMeIn.

    When I enable QoS, with a default of Lowest, the LogMeIn connection happens very quickly (since www is classified as High), but then interacting with the console is very slow -- since the connection is now on a random port which is classified as Low.
  15. Kiwi8

    Kiwi8 LI Guru Member

    Putting the rule that's going to catch the largest number of connections at the top of the list is wrong, since those connections are going to be sorted by that rule and the other rules down the list will be ignored for those connections.

    The better rules for the top of the list should be the most specific of rules, and getting less specific down the list and finally a catch all at the end of the list.
  16. ndoggac

    ndoggac Network Guru Member

    Kiwi8, why is this wrong? Every established connection made is going to be put through the rule list for classification. It's a top-down method (assuming strict ordering is enabled), so for every new connection:

    compare to rule #1 (at top of list),
    if no match,
    then compare to rule #2
    if no match
    then compare to rule #3
    if no match
    then compare to rule #n (bottom of list)
    if no match for any rule
    =default classification

    If you're running hundreds or thousands of connections for torrents, you don't want to run through the entire rule list for every connection. You would want the largest number of connections to trigger from the first rule, hence saving unnecessary rule compares and limiting the executions performed by the router. The catch-all is the default class setting.

    I've tested both ways, and I feel that the 1000+ torrent connections get classified much quicker into the Lowest category. I have web and DNS rules directly after that to classify into the Highest category. Granted, it's probably going to be a negligible difference, but with a thousand+ connections I think it makes a difference.

    Perhaps I'm wrong, I'm open to your interpretation, but I feel your comment "connections are going to be sorted by that rule and the other rules down the list will be ignored for those connections" just proves my point that program executions will be avoided my way. Maybe every rule is compared no matter what, but my understanding was once a rule is positively matched, the connection is classified and that's it, it doesn't compare rules after that... maybe that's a bad assumption???

    Further details from the Tomato wiki QoS details:
    Sticky rules: IPP2P/L7 are sticky in that once they match, no other rules are processed.
    IP/MAC/port-only matches can also be sticky if there are no IPP2P/L7/KB matches above them.

    Precedence: The rules are checked in the same order as they appear in the GUI, from top to bottom. The first rule that matches sets the class. If you disable "strict ordering", rules with IPP2P, L7 and KB matches are grouped in one set and are checked first, the rest in another.

    So for the largest number of connections produced... only one rule is compared, saving compare executions??
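    The ordering debate above, together with dougisfunny's MAC-plus-port-range split earlier in the thread, as an added example that is not Tomato's code: a small model of strict-ordering, first-match classification that counts rule comparisons for the "specific first" and "biggest catcher first" orderings, and shows how a rule with no port restriction placed on top shadows the specific rules below it. The rule sets, MAC addresses and the connection sample are constructed.

```python
"""Tomato-style first-match QoS classifier under strict ordering: rules are
checked top to bottom and the first match sets the class; unmatched flows get
the default.  Added example, not Tomato code; rules, MACs, sample constructed."""
import random
from dataclasses import dataclass
from typing import Container, Optional

HOG = "00:11:22:33:44:55"  # constructed MAC of the housemate's P2P machine
@dataclass
class Rule:
    cls: str                                # QoS class this rule assigns
    mac: Optional[str] = None               # source MAC, None = any
    proto: Optional[str] = None             # "tcp"/"udp", None = any
    ports: Optional[Container[int]] = None  # destination ports, None = any

    def matches(self, conn: dict) -> bool:
        return ((self.mac is None or conn["mac"] == self.mac)
                and (self.proto is None or conn["proto"] == self.proto)
                and (self.ports is None or conn["dport"] in self.ports))

def classify(rules, conn, default="Lowest"):
    """Return (class, rules compared) for one connection: first match wins."""
    for n, rule in enumerate(rules, 1):
        if rule.matches(conn):
            return rule.cls, n
    return default, len(rules)

def classify_all(rules, conns, default="Lowest"):
    """Classify a batch; return ({class: count}, total rule comparisons)."""
    counts, compares = {}, 0
    for conn in conns:
        cls, n = classify(rules, conn, default)
        counts[cls] = counts.get(cls, 0) + 1
        compares += n
    return counts, compares

def sample_connections(n_p2p=1000, seed=1):
    """Constructed: hog torrent flows, 20 hog https flows, 10 DNS lookups."""
    rnd = random.Random(seed)
    conns = [{"mac": HOG, "proto": "tcp", "dport": rnd.randint(1025, 65535)}
             for _ in range(n_p2p)]
    conns += [{"mac": HOG, "proto": "tcp", "dport": 443}] * 20
    conns += [{"mac": "00:aa:bb:cc:dd:ee", "proto": "udp", "dport": 53}] * 10
    return conns

DNS = Rule("Highest", proto="udp", ports={53})
WWW = Rule("High", proto="tcp", ports={80, 443})
P2P = Rule("Lowest", mac=HOG, ports=range(1025, 65536))
SPECIFIC_FIRST = [DNS, WWW, P2P]                # Kiwi8: most specific first
BULK_FIRST = [P2P, DNS, WWW]                    # ndoggac: biggest catcher first
SHADOWED = [Rule("Lowest", mac=HOG), DNS, WWW]  # no port limit: hides hog's www
```

    With disjoint rules both orderings classify identically and the bulk-first list saves comparisons; the shadowed list silently drops the hog's https into Lowest, which is the failure Kiwi8 describes.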
  17. Kiwi8

    Kiwi8 LI Guru Member

    If you just want to put your BT traffic at the lowest priority, what you can do is this:

    Set your BT client (uTorrent for example) to use only a single port for outgoing and incoming. Then you can set a QoS rule at the top of the list that specifies that port, so that BT traffic will be classified Lowest.
  18. rcordorica

    rcordorica Network Guru Member

    If this really is LogMeIn's behavior then I would say it's broken, because it obviously doesn't live up to its advertising that it "Works almost anywhere" since it uses HTTP and HTTPS. I don't see any other references about LogMeIn using random ports, except for the Hamachi version (which is configurable in the preferences).

    You can't really QoS a program that uses random ports unless there is an L7 filter (capture some packets, look for similarities). Or unless you create classification rules for every port.