QoS between switch ports by changing vlan

Discussion in 'Tomato Firmware' started by tunasashimi, Mar 8, 2007.

  1. tunasashimi

    tunasashimi LI Guru Member


    Am I correct in assuming that Tomato's standard QoS settings will work between switch ports if I merely change the vlan tag of the ports I want QoSsed?

    In other words, if I execute:

    nvram set vlan0hwname=et0
    nvram set vlan0ports="2 3 4 5"
    nvram set vlan1hwname=et0
    nvram set vlan1ports="0 1 5"
    nvram commit

    Will QoS now be applied to traffic on both the WAN and the 1st port of the switch?
  2. tunasashimi

    tunasashimi LI Guru Member

    Doesn't seem to be that simple

    I have tried the above snippet, but it doesn't do much. Seems like I'll have to dig deeper...

    Maybe it has something to do with the fact that I'm not using any WAN configuration...

    I saw that vlan1 was actually down, so I did a
    ifconfig vlan1 up

    Then I ran /tmp/qos.sh

    Which completely dropped connection...... Still busy investigating...:sheesh:
  3. fastpakr

    fastpakr Network Guru Member

    If you figure this out, I'll be VERY happy. Nearly all of the Wireless Ethernet bridge links I've configured could reliably run internal IP phone traffic if I could prioritize it properly between the WLAN and wired LAN segments.
  4. tunasashimi

    tunasashimi LI Guru Member

    I'm up to adding vlan1 to the bridge manually with:
    brctl addif br0 vlan1

    You can now see the traffic counters on ifconfig, and traffic is bridged... but as yet no QoS... Going to look into the sources later tonight.

    It's trivial to just use tc to create your own script.. I think. Haven't tried it yet - as I like tomato's visual approach to monitoring everything....

    Will keep this thread posted...
  5. tunasashimi

    tunasashimi LI Guru Member


    :bounce: I haven't spent an awful lot of time on this, I've tried a few things, but I haven't had any luck yet... :bounce:
  6. tunasashimi

    tunasashimi LI Guru Member

    I'm up to getting each switch port on its own vlan... vlan0..4

    Bridging works... time to fire up some bash lines starting with "tc" ;)
  7. tunasashimi

    tunasashimi LI Guru Member


    Tomato has a very straightforward but effective QoS mechanism.

    The web interface creates a script from data gathered at

    The script is output to:

    /tmp/etc/qos start
    /tmp/etc/qos stop

    Enables / Disables QoS. The file is very readable and easily editable.

    Q: Is there an intermediate place where Tomato stores its QoS settings or does it parse /tmp/etc/qos?

    The following scripts analyse and graph QoS status:

    The hardware is as follows:
    <4>eth0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller
    <4>eth1: Broadcom BCM4320 802.11 Wireless Controller

    The default networking setup is as follows:

    vlan0: Switch on eth0, ports 0,1,2,3
    vlan1: Switch on eth0, port 4
    br0: vlan0, eth1, wds*

    WAN -> vlan1
    LAN -> br0

    NAT between br0 and vlan1

    All this, of course, is easily modifiable.

    By default, tomato only supports QoS on vlan1. In other words,
    data sent to vlan1 and received from vlan1 is shaped; however,
    none of the data travelling between the devices enslaved to br0.

    So, our goal is to come up with an alternate network setup, that will
    be friendly toward tomato's scripts as much as possible. (So far AFAIK
    this means allowing wds links on br0.) I'm not sure how doable that would
    be, but at least we'll be able to come up with a post-startup or post-wan
    script that could fix things.

    We have several requirements, and hardly ever use "WAN" functionality.

    What do we, ideally, want to shape, and how can that be accomplished?

    1) Any one of the switch ports, each on its own, depending on the maximum throughput.
    (Some links' maximum throughput varies predictably during the course of a week. If
    we can construct a set of scripts to take this into account, we can ensure
    low latency where required, always.)

    Possible Solution: Put each switch port on its own vlan.
    Questions: Can a vlan be shaped, while enslaved to a bridge?

    2) Any WDS link.

    Possible Solution: Shape WDS link.
    Questions: Can a wds interface be shaped, while enslaved to a bridge?

    3) Any wireless client, individually.

    Possible Solution: shape by MAC

    Now, if these interfaces can be shaped, while on the bridge, things will be simple.
    If not, we're going to have to fry some tomato and onion. And maybe add some

    For Reference
    vlan0ports=3 2 1 0 5*
    vlan1ports=4 5
    # iptables -t nat -L -n
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    DROP       0    --  
    DNAT       icmp --          to:
    DNAT       tcp  --          tcp dpt:2222 to:
    upnp       0    --  
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE  0    --  
    MASQUERADE  0    --
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    Chain upnp (1 references)
    target     prot opt source               destination
    # iptables -L -n
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    DROP       0    --             state INVALID
    ACCEPT     0    --             state RELATED,ESTABLISHED
    ACCEPT     0    --  
    ACCEPT     0    --  
    ACCEPT     tcp  --           tcp dpt:22
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     0    --  
    DROP       0    --             state INVALID
    TCPMSS     tcp  --             tcp flags:0x06/0x02 tcpmss match 1461:65535 TCPMSS set 1460
    ACCEPT     0    --             state RELATED,ESTABLISHED
    wanin      0    --  
    wanout     0    --  
    ACCEPT     0    --  
    upnp       0    --  
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    Chain upnp (1 references)
    target     prot opt source               destination
    Chain wanin (1 references)
    target     prot opt source               destination
    Chain wanout (1 references)
    target     prot opt source               destination
  8. tunasashimi

    tunasashimi LI Guru Member

    So, if you want to start playing around, here's how to put each switch port on its own VLAN. Wireless is just eth1.

    nvram set vlan0hwname=et0
    nvram set vlan0ports="0 5*"
    nvram set vlan1hwname=et0
    nvram set vlan1ports="1 5"
    nvram set vlan2hwname=et0
    nvram set vlan2ports="2 5"
    nvram set vlan3hwname=et0
    nvram set vlan3ports="3 5"
    nvram set vlan4hwname=et0
    nvram set vlan4ports="4 5"
    ifconfig vlan0 down
    ifconfig vlan1 down
    vconfig add eth0 2
    vconfig add eth0 3
    vconfig add eth0 4
    ifconfig vlan0 up
    ifconfig vlan1 up
    ifconfig vlan2 up
    ifconfig vlan3 up
    ifconfig vlan4 up
    So, if you want to goof around, edit "I=" at the top of /etc/tmp/qos...
    then run "qos start"

    I have no idea what will work and what won't, and what will interfere with what, and be listed on what web interface, but I'm about to find out...

    You now have "vlan0 .. 4", each switch port a different vlan.

    You can enslave them to br0, do what you like. Your WAN port is now probably the second port on the switch, though... so this numbering is not "legacy"-friendly.
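    Before pasting a layout like the one above into a router shell, it is worth checking it offline. The script below is an added example, not code from the thread or from Tomato: it validates a full set of Broadcom-style "vlanNports" assignments (every physical port in exactly one VLAN, the CPU port 5 in every VLAN, exactly one VLAN carrying "5*") and then prints, rather than runs, the nvram/vconfig/ifconfig commands. It assumes a 5-port switch, et0/eth0 naming as in the thread, and that vlan0 and vlan1 already exist.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a full Broadcom "vlanNports"
# layout before committing it with nvram. A port in two VLANs, a VLAN without
# the CPU port or an unassigned port is the kind of slip that drops the router
# off the network. Assumes a 5-port switch (0-4 physical, 5 = CPU), one VLAN
# carrying "5*" (CPU port's default VLAN), and vlan0/vlan1 already existing.
set -f   # keep "5*" from being expanded as a filename glob

check_vlan_ports() {     # args: "vlan0ports=0 5*" "vlan1ports=1 5" ...
    seen=""; tagged=0
    for entry in "$@"; do
        name=${entry%%=*}; ports=${entry#*=}; cpu=0
        for p in $ports; do
            case "$p" in
                5\*) cpu=1; tagged=$((tagged + 1)) ;;
                5)   cpu=1 ;;
                [0-4])
                    case " $seen " in *" $p "*)
                        echo "error: port $p listed twice ($name)" >&2; return 1 ;;
                    esac
                    seen="$seen $p" ;;
                *)   echo "error: bad port '$p' in $name" >&2; return 1 ;;
            esac
        done
        [ "$cpu" -eq 1 ] || { echo "error: $name lacks CPU port 5" >&2; return 1; }
    done
    [ "$tagged" -eq 1 ] || { echo "error: want one VLAN with 5*, got $tagged" >&2; return 1; }
    for p in 0 1 2 3 4; do
        case " $seen " in *" $p "*) ;;
            *) echo "error: port $p is in no VLAN" >&2; return 1 ;;
        esac
    done
    return 0
}

# Print, rather than run, the commands for a checked layout so they can be
# reviewed first. vconfig is only needed for VLANs the firmware did not create.
emit_vlan_commands() {
    check_vlan_ports "$@" || return 1
    for entry in "$@"; do
        name=${entry%%=*}; n=${name#vlan}; n=${n%ports}
        echo "nvram set vlan${n}hwname=et0"
        echo "nvram set $name=\"${entry#*=}\""
        if [ "$n" -ge 2 ]; then echo "vconfig add eth0 $n"; fi
        echo "ifconfig vlan$n up"
    done
    echo "nvram commit"
}
```

Run it as `emit_vlan_commands "vlan0ports=0 5*" "vlan1ports=1 5" "vlan2ports=2 5" "vlan3ports=3 5" "vlan4ports=4 5"` and compare the printed commands with the post above before touching nvram.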
  9. joesixpack

    joesixpack Guest

    Related: True DMZ via vlan separation

    I'm trying to do something related on my WRT54GL v1.1 running Tomato 1.07:

    I'm trying to separate two of the ethernet ports and put them on a separate vlan in order to create a true DMZ (I believe Tomato creates a "host DMZ" via an entry in iptables when the GUI DMZ option is used). This should be perfectly doable via e.g. a custom script since it appears to work for people running OpenWRT and dd-wrt. Right now I'm trying to debug my attempt and I have used the following script, set to run in the Firewall script section (since that is run later than the init script section, I read somewhere):

    nvram set vlan0ports="1 0 5*"
    ifconfig vlan0 down
    ifconfig vlan0 up
    nvram set vlan2ports="3 2 5"
    nvram set vlan2hwname=et0
    vconfig add eth0 2
    ifconfig vlan2 hw ether 00:1A:70:4E:C6:29
    ifconfig vlan2 netmask
    ifconfig vlan2 up
    iptables -I INPUT -i vlan2 -j ACCEPT
    iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i br0 -o vlan2 -j DROP

    (The two last iptables lines probably need modification.) The hw address for the vlan2 interface is chosen outside the range that is used by the existing wan, lan and wireless interfaces. The above script brings up the vlan2 interface but the following happens:
    I can ping (and login via ssh) the router at ports 0 and 1, both via the original router interface br0 at and at the vlan2 interface above. On ports 2 and 3 I get nothing, however, no ping returns even. :confused:

    Any and all help to proceed with this is greatly appreciated. (I am all monkey see, monkey do, and I don't have a clue of what I'm doing here, really.)

    P.S. True DMZ could probably well go on the Tomato wishlist.