QOS, connection and other stuff

Discussion in 'Tomato Firmware' started by Myriddin, Feb 21, 2007.

  1. Myriddin

    Myriddin LI Guru Member

    Hi all,

    I've started playing with Tomato.

    Yesterday I had more than 400 connections and, as far as I understand, I have some problem with my carrier on the number of connections.

    Is there some way to apply a QoS to the number of connections?

    I also understand that the QoS does not apply to UDP connections. I found this example to limit the connections but I don't understand how it works:

    # -m limit is a token bucket on packets per second, not a count of connections;
    # "[]" is the placeholder the example left for the source address/range
    iptables -A FORWARD -p udp -s [] -m limit --limit 20/s -j ACCEPT
    # whatever exceeds the rate falls through to this rule and is dropped
    iptables -A FORWARD -p udp -j DROP

    Does 20/s mean 20 connections per second? But that is a time-based limit, not a total; it does not apply a maximum number of connections.

    Is there some P2P-specific value that guarantees the quality of the download and leaves me some usability of the connection?

    Half of my connections are typically "assured" and live for 180 seconds. Is that a correct value? What does 'assured' mean?

    And finally: when I start eMule my connection has a High ID and the Kad network is not firewalled. After some time (some hours) the Kad network becomes firewalled, and after a day I get a disconnection from the server and end up with a Low ID. If I shut down eMule, wait until all the connections are dropped (I watch them with the TCPView program) and restart eMule, I have the High ID and unfirewalled state again.

    Can you help me?

    My network:
    1 PC with Windows XP SP2
    Router Linksys
    router repeat-it
  2. t0m80

    t0m80 LI Guru Member

    What about just lowering the max connections in your P2P software?
  3. Myriddin

    Myriddin LI Guru Member

    The problem with lowering it on that side is that it's a fixed limit.

    I'll try to explain:
    if I only had eMule I would like to use all the connections for this service, but if I want to play with my Xbox I prefer to drop some eMule connections instead of Xbox connections. Same thing if I want to play some PC online game or surf the web.

    And yes, now I have eMule limited to 70 connections and uTorrent to 50. I think that is a very low value, but the problem of Low ID and firewalled Kad is still present.
  4. der_Kief

    der_Kief Super Moderator Staff Member Member

    Hi Myriddin,

    I think that's a problem with your "Port Forwarding" rules! How do you configure your "Port Forwarding"? For Kademlia you have to forward the UDP port you have defined in eMule.

  5. t0m80

    t0m80 LI Guru Member

    So you need a script that says:
    if there are more than 400 connections, drop those that eMule made, so that Xbox Live etc. aren't dropped.
    I don't know how to solve this. Sorry. Maybe someone else can help.
  6. pharma

    pharma Network Guru Member


    Is your problem eMule Low ID?

    I think der_Kief is on the right track! If you do a Google search you will find eMule Low ID is a common issue:


  7. Myriddin

    Myriddin LI Guru Member

    YES, in fact I have a High ID and unfirewalled state when eMule starts.

    Low ID and firewalled state happen after a lot of connections.

    And yes, TCP for the server, UDP for Kad.

    I already know that Kad uses UDP packets; this is the reason why I ask to limit the UDP connections (I'm not sure that I'm following the right way).

    Is there some way to log this? Maybe something like an SNMP trap? I'm thinking of putting the SNMP files on the web and using a kai-daemon style install on every router boot.

    But I'm not sure that I will understand how to manage the huge amount of data that I will have.
  8. Myriddin

    Myriddin LI Guru Member


    I think that can help, but I'm not sure how to build this not only TCP-based but, most important, on UDP packets.

    Probably I have to filter by source port and UDP/TCP protocol and limit connections, but I'm not able to find an iptables HOWTO that explains how to limit total connections (at this time I'm not sure that it is possible).
  9. Myriddin

    Myriddin LI Guru Member

    Hi Pharma,

    I'm sorry, but that's not the problem: I get a High ID when eMule starts and I can see incoming connections to my eMule port.

    If I run the web eMule port test I get a successful result.

    After some time, in the same connection in which I achieved a High ID, I experience a server disconnection, and during the new connection I get a Low ID. During the same connection, and without an ISP-side disconnection: I can see my download and upload running.

    Maybe I should analyze some router log, but I'm not sure what I have to look for.

    When I try a web test during the Low ID state I get a failure; it seems that there is some situation that prevents my router from answering the request, but I don't understand.

    The strangest thing is that if I wait for the graceful drop of the connections with eMule closed, I can reach the port after a Low ID without doing anything else than shutting down the eMule program.
  10. pharma

    pharma Network Guru Member

    Sorry, it sounded similar to your issue.

    Someone else also asked for something similar: an "intelligent" script to control bandwidth when VoIP was/wasn't in use and to scale back torrents appropriately. Hopefully someone will help you with the script ... :)

    I believe QoS DOES apply to both UDP and TCP.
  11. Myriddin

    Myriddin LI Guru Member

    I'm looking for this script, thanks for the hint :biggrin:

    This is generated by the QoS generator:
    #WRT54 Script Generator v1.01
    #(C) 2006-2007 Robert "Robson" Mytkowski
    # Shorthand for the tc commands; everything is attached to br0, the LAN
    # bridge, so "egress" here is traffic flowing towards the LAN (downloads)
    TCA="tc class add dev br0"
    TFA="tc filter add dev br0"
    TQA="tc qdisc add dev br0"
    SFQ="sfq perturb 10"
    # start from a clean root; HTB shares 1024kbit between four child classes
    tc qdisc del dev br0 root
    tc qdisc add dev br0 root handle 1: htb
    tc class add dev br0 parent 1: classid 1:1 htb rate 1024kbit
    # rate = guaranteed share, ceil = how far a class may borrow when the others
    # are idle, prio = who gets spare bandwidth first (lower number wins)
    $TCA parent 1:1 classid 1:10 htb rate 512kbit ceil 1024kbit prio 0
    $TCA parent 1:1 classid 1:11 htb rate 204kbit ceil 1024kbit prio 1
    $TCA parent 1:1 classid 1:12 htb rate 204kbit ceil 1024kbit prio 2
    $TCA parent 1:1 classid 1:13 htb rate 102kbit ceil 716kbit prio 4
    # fair queuing among the flows inside each class
    $TQA parent 1:10 handle 10: $SFQ
    $TQA parent 1:11 handle 11: $SFQ
    $TQA parent 1:12 handle 12: $SFQ
    $TQA parent 1:13 handle 13: $SFQ
    # fw filters: a packet carrying MARK N is sent to class 1:N
    $TFA parent 1:0 prio 0 protocol ip handle 10 fw flowid 1:10
    $TFA parent 1:0 prio 1 protocol ip handle 11 fw flowid 1:11
    $TFA parent 1:0 prio 2 protocol ip handle 12 fw flowid 1:12
    $TFA parent 1:0 prio 4 protocol ip handle 13 fw flowid 1:13
    # marks are set by the remote server's source port: web, HTTPS, POP3, then
    # a catch-all for everything coming from high ports (P2P and the like)
    iptables -t mangle -A POSTROUTING -p tcp --sport 80 -j MARK --set-mark 10
    iptables -t mangle -A POSTROUTING -p tcp --sport 443 -j MARK --set-mark 11
    iptables -t mangle -A POSTROUTING -p tcp --sport 110 -j MARK --set-mark 12
    iptables -t mangle -A POSTROUTING -p tcp --sport 1024:65535 -j MARK --set-mark 13
    # connlimit: drop forwarded TCP to high ports once one source address
    # already holds more than 250 such connections (TCP only)
    iptables -I FORWARD -p tcp --dport 1024:65535 -m connlimit --connlimit-above 250 -j DROP

    As you can see, iptables only takes TCP traffic into consideration.

    N.B. this is not my QoS script.
  12. pharma

    pharma Network Guru Member

    I think that is how the "WRT54 Script Generator v1.01" was written. But remember that this is not Tomato's QoS!

    It's easy to see if you look at the Tomato QoS graphs and reports: both UDP & TCP are being assigned/reported to the Tomato QoS categories you set up in Tomato.

    I don't use the Script Generator, but if you are using the Script Generator then it might be overwriting Tomato's QoS settings. I'm not sure which has precedence.
  13. Myriddin

    Myriddin LI Guru Member

    That's right :biggrin:

    This is my /etc/qos script:
    # cat /etc/qos
    #!/bin/sh
    # WAN interface; Tomato writes the real name here (vlan1 is an assumption,
    # check with: nvram get wan_iface)
    I=vlan1
    SFQ="sfq perturb 10"
    TQA="tc qdisc add dev $I"
    TCA="tc class add dev $I"
    TFA="tc filter add dev $I"

    case "$1" in
    start)
        tc qdisc del dev $I root 2>/dev/null
        # root HTB; packets with no matching mark fall into class 1:40
        $TQA root handle 1: htb default 40
        # parent class = the whole uplink (1024kbit)
        $TCA parent 1: classid 1:1 htb rate 1024kbit ceil 1024kbit burst 4k
        # egress 0: 80-100%  (rate = guaranteed share, ceil = borrowing limit)
        $TCA parent 1:1 classid 1:10 htb rate 819kbit ceil 1024kbit burst 2k prio 1 quantum 1500
        $TQA parent 1:10 handle 10: $SFQ
        # packets marked 1 by the iptables mangle rules go to 1:10
        $TFA parent 1: prio 10 protocol ip handle 1 fw flowid 1:10
        # egress 1: 10-100%
        $TCA parent 1:1 classid 1:20 htb rate 102kbit ceil 1024kbit burst 2k prio 2 quantum 1500
        $TQA parent 1:20 handle 20: $SFQ
        $TFA parent 1: prio 20 protocol ip handle 2 fw flowid 1:20
        # egress 3: 3-100%
        $TCA parent 1:1 classid 1:40 htb rate 30kbit ceil 1024kbit burst 2k prio 4 quantum 1500
        $TQA parent 1:40 handle 40: $SFQ
        $TFA parent 1: prio 40 protocol ip handle 4 fw flowid 1:40
        # egress 4: 2-95%
        $TCA parent 1:1 classid 1:50 htb rate 20kbit ceil 972kbit burst 2k prio 5 quantum 1500
        $TQA parent 1:50 handle 50: $SFQ
        $TFA parent 1: prio 50 protocol ip handle 5 fw flowid 1:50

        # pure TCP ACKs jump the queue into 1:10: protocol 6, IP header length 5 words,
        # total length below 64 bytes, TCP flags byte (offset 33) == ACK only
        $TFA parent 1: prio 15 protocol ip u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:10
        ;;
    stop)
        tc qdisc del dev $I root 2>/dev/null
        tc qdisc del dev $I ingress 2>/dev/null
        ;;
    *)
        # anything else: show qdisc and class statistics
        tc -s -d qdisc ls dev $I
        tc -s -d class ls dev $I
        ;;
    esac

    I'm not sure how it works; it's very different from the previous script :frown:

    I'm really confused, I'm not able to find a QoS HOWTO for Tomato :thumbdown:
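    The /etc/qos script quoted in the post above is generated by Tomato, which is why it reads as a list of magic numbers. The following is an added example (not Tomato's own code, and not from this thread) that rebuilds the same egress class tree from percentages, so you can see where 819kbit and 972kbit come from (a percentage of the uplink, truncated to whole kbit) and how a "handle N fw" filter ties the MARK that the iptables mangle rules set to an HTB class. The interface name vlan1 and the 1024kbit uplink are assumptions; Tomato fills both in from the QoS settings page.

```shell
#!/bin/sh
# Added example, not Tomato's code: generate the egress HTB tree that the
# /etc/qos "start" branch installs, from QoS-page style percentages.
# Default is a preview (TC=echo); run with TC=tc, or pipe the output into
# sh, on the router to apply it.

I=${I:-vlan1}                        # WAN interface (assumed; see: nvram get wan_iface)
UPLINK_KBIT=${UPLINK_KBIT:-1024}     # "Max Bandwidth" of the uplink (assumed)
TC=${TC:-echo}                       # echo = preview, tc = apply

pct_of() {
    # $1 = total kbit, $2 = percent; integer division truncates, which is
    # exactly how 80% of 1024 becomes 819 and 95% becomes 972
    echo $(( $1 * $2 / 100 ))
}

htb_class() {
    # $1 = class suffix (10, 20, 40, 50)  $2 = iptables MARK steered here
    # $3 = HTB priority (lower wins)      $4 = rate %  $5 = ceil %
    cls=$1; mark=$2; prio=$3
    rate=$(pct_of "$UPLINK_KBIT" "$4")
    ceil=$(pct_of "$UPLINK_KBIT" "$5")
    # rate is the guaranteed share, ceil the most the class may borrow up to
    $TC class add dev "$I" parent 1:1 classid "1:$cls" htb rate "${rate}kbit" ceil "${ceil}kbit" burst 2k prio "$prio" quantum 1500
    # fair queuing between the flows inside the class
    $TC qdisc add dev "$I" parent "1:$cls" handle "$cls:" sfq perturb 10
    # packets carrying MARK == $mark (set with -j MARK --set-mark) go to this class
    $TC filter add dev "$I" parent 1: prio "$cls" protocol ip handle "$mark" fw flowid "1:$cls"
}

build_egress() {
    $TC qdisc del dev "$I" root 2>/dev/null
    # unmarked packets fall into class 1:40 ("default 40")
    $TC qdisc add dev "$I" root handle 1: htb default 40
    # the parent class is the whole uplink; children borrow from it
    $TC class add dev "$I" parent 1: classid 1:1 htb rate "${UPLINK_KBIT}kbit" ceil "${UPLINK_KBIT}kbit" burst 4k
    htb_class 10 1 1 80 100   # QoS class 0: 80-100%, highest priority
    htb_class 20 2 2 10 100   # QoS class 1: 10-100%
    htb_class 40 4 4  3 100   # QoS class 3: 3-100%, also the default class
    htb_class 50 5 5  2  95   # QoS class 4: 2-95%, capped so it can never starve the others
}

build_egress
```

    The ceil of 95% on the lowest class is what keeps bulk traffic from ever filling the uplink completely, so the higher classes always find room for their packets; the classes above it may borrow up to 100%.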
  14. pharma

    pharma Network Guru Member

  15. der_Kief

    der_Kief Super Moderator Staff Member Member



    The WRT Script Generator shapes traffic on LAN and WLAN. QoS shapes outgoing traffic on WAN. So they can co-exist without affecting each other!

  16. Myriddin

    Myriddin LI Guru Member

    Thanks Pharma,

    "Can you give me more QoS stuff?"
    "Try Robson's WRT54 Script Generator."

    I read all of the information. I'm able to manage QoS from the web interface but ...

    From the interface you cannot make any connection-number rule, so I switched to a telnet session and to the script generator and... now I'm very confused :confused:

    In the script generator Robson said that I should include the customization in the startup script.
  17. Myriddin

    Myriddin LI Guru Member


    So if I use the script generator I have to customize it to work on vlan0 and probably convert everything from incoming to outgoing...

    It's a hard life :rolleyes:
  18. pharma

    pharma Network Guru Member

    I think Robson is using Tomato firmware for his router, but that doesn't matter for setting it up. If you need more info, I would try reading the thread dedicated to his Script Generator at the HyperWRT forum -- even though it's a long thread I'm sure people ask the same questions you are ... :)

  19. fastpakr

    fastpakr Network Guru Member

    Is there a way to make the script generator prioritize traffic to/from a certain MAC across the WLAN? I've got a device acting as an AP and another as a wireless ethernet bridge. What I'd like to do is prioritize everything going to the MAC of the phone (on the AP end) and from the MAC of the phone (on the bridge end) so it works regardless of how slow the link might get in bad weather or with RF interference appearing. I fiddled a bit with the generator but it didn't seem to have any effect in this environment.
  20. der_Kief

    der_Kief Super Moderator Staff Member Member

    This is what robsonn mentioned about it in the forum pharma linked 2 posts before:

  21. fastpakr

    fastpakr Network Guru Member

    Thanks, I did miss that the first time. However, I've tried the script generator using the IP of the phone on both ends and it doesn't make any difference that way either.
  22. Myriddin

    Myriddin LI Guru Member

    Hi all,

    an update from yesterday.

    What I did:

    I added some space in the class A QoS area, from 1% to 75%.
    I moved P2P traffic into this area.
    I left bulk traffic in the lowest area.

    I reduced the timeout for assured UDP connections from 180 to 120.

    I disabled DHT in the torrent client.

    What I achieved:

    I have the same total number of connections as yesterday (more or less 400), but it seems more stable and it seems that I can establish more persistent connections. Now I'm downloading from the same sources but at higher speed.

    My thinking:

    It seems that my connection limit is about 400. The router limit is 2048.
    Probably when I have a huge number of connections I start missing ACKs, so connections are not stable and get dropped. This also explains why I go into a Low ID and firewalled state.

    Do you think there are some gaps in my reasoning?
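    One way to test the "my limit is about 400 connections" theory in the post above, and to answer the first post's question about "assured" entries, is to read the router's connection tracking table directly instead of guessing from the client. The following is an added example, not code from anyone in this thread: a shell/awk summary of the conntrack table per LAN host that reports how many entries each host holds, how many are UDP, and how many of the UDP entries are ASSURED (conntrack has seen traffic in both directions, which is when it keeps the entry for the long 180-second timeout; one-way entries show [UNREPLIED] and expire quickly). The file path /proc/net/ip_conntrack is an assumption for Tomato's 2.4 kernel, and the sample lines are constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the thread): per-host summary of the conntrack table.
# On the router:  conntrack_summary 192.168.1. < /proc/net/ip_conntrack
# (path assumed for the 2.4-kernel Tomato builds of the time)

conntrack_summary() {
    # $1 = LAN prefix; only flows *originated* by a host in that prefix count,
    # so connections coming in from the Internet are not charged to the LAN PC
    awk -v lan="$1" '
    {
        proto = $1; src = ""; assured = 0
        for (i = 1; i <= NF; i++) {
            # the first src= on the line is the originator; the reply tuple
            # (src= of the remote side) follows later on the same line
            if (src == "" && substr($i, 1, 4) == "src=") src = substr($i, 5)
            if ($i == "[ASSURED]") assured = 1
        }
        if (index(src, lan) != 1) next
        total[src]++
        if (proto == "tcp") tcp[src]++
        if (proto == "udp") { udp[src]++; if (assured) udp_assured[src]++ }
    }
    END {
        for (h in total)
            printf "%s total=%d tcp=%d udp=%d udp_assured=%d\n",
                   h, total[h], tcp[h] + 0, udp[h] + 0, udp_assured[h] + 0
    }' | sort
}

hosts_over() {
    # $1 = LAN prefix, $2 = per-host threshold; prints the hosts above it,
    # i.e. the candidates for a connlimit rule
    conntrack_summary "$1" | awk -v max="$2" '{
        split($2, kv, "="); if (kv[2] + 0 > max + 0) print $1
    }'
}

# Constructed sample in ip_conntrack format (not a real capture): an eMule-style
# host with one TCP session and three Kad UDP flows (only one replied to), a
# torrent host, and one inbound connection from the Internet that must not be
# counted against a LAN host.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.100 dst=203.0.113.10 sport=4662 dport=4662 src=203.0.113.10 dst=198.51.100.7 sport=4662 dport=4662 [ASSURED] use=1
udp      17 175 src=192.168.1.100 dst=203.0.113.11 sport=4672 dport=4672 src=203.0.113.11 dst=198.51.100.7 sport=4672 dport=4672 [ASSURED] use=1
udp      17 28 src=192.168.1.100 dst=203.0.113.12 sport=4672 dport=4672 [UNREPLIED] src=203.0.113.12 dst=198.51.100.7 sport=4672 dport=4672 use=1
udp      17 29 src=192.168.1.100 dst=203.0.113.13 sport=4672 dport=4672 [UNREPLIED] src=203.0.113.13 dst=198.51.100.7 sport=4672 dport=4672 use=1
tcp      6 117 TIME_WAIT src=192.168.1.101 dst=203.0.113.20 sport=50001 dport=6881 src=203.0.113.20 dst=198.51.100.7 sport=6881 dport=50001 [ASSURED] use=1
tcp      6 5 SYN_SENT src=192.168.1.101 dst=203.0.113.21 sport=50002 dport=6881 [UNREPLIED] src=203.0.113.21 dst=198.51.100.7 sport=6881 dport=50002 use=1
udp      17 170 src=192.168.1.101 dst=203.0.113.22 sport=6881 dport=6881 src=203.0.113.22 dst=198.51.100.7 sport=6881 dport=6881 [ASSURED] use=1
tcp      6 60 SYN_RECV src=203.0.113.30 dst=198.51.100.7 sport=40000 dport=4662 src=192.168.1.100 dst=203.0.113.30 sport=4662 dport=40000 use=1'

printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_summary 192.168.1.
```

    Run it a few times while eMule is in the High ID state and again after it has dropped to Low ID: if the total sits near the same figure both times while the udp_assured share changes, the problem is the table filling up rather than the port forward, which is what the reasoning above suggests.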
  23. Toastman

    Toastman Super Moderator Staff Member Member

    Scripts to limit P2P connections, UDP & TCP

    I am adding these scripts to this old thread for the sake of tying up loose ends!

    Here is a collection of useful scripts for limiting traffic:

    Put one or more of the following in the "Administration/Scripts/Firewall" box

    #Limit UDP from all users to 4 per second
    # (-m limit is a token bucket on packets per second, not a connection count.
    # On its own the ACCEPT limits nothing: packets over the rate must reach the
    # DROP below it, and both are inserted at the top of FORWARD so they run
    # before Tomato's own ACCEPT rules. The source address was left blank in the
    # original post; put your LAN subnet in place of <lan-subnet>.)
    iptables -I FORWARD 1 -p udp -s <lan-subnet> -m limit --limit 4/s -j ACCEPT
    iptables -I FORWARD 2 -p udp -s <lan-subnet> -j DROP

    #Limit UDP connections per user
    # (the range was blank in the original post; <lan-range> is written first-last address.
    # "-p ! tcp" is the old negation syntax, newer iptables write "! -p tcp")
    iptables -I FORWARD -m iprange --src-range <lan-range> -p ! tcp -m connlimit --connlimit-above 50 -j DROP

    #Limit max TCP connections per user (--syn: only new connection attempts are dropped)
    iptables -I FORWARD -p tcp --syn -m iprange --src-range <lan-range> -m connlimit --connlimit-above 250 -j DROP

    #Limit outgoing SMTP simultaneous connections to 10 (stops mail bombs)
    iptables -I FORWARD -p tcp --dport 25 -m connlimit --connlimit-above 10 -j DROP

    #Limit total TCP connections to 4000
    # (connlimit groups by source address by default, which would make this 4000
    # per host; --connlimit-mask 0 puts every source in one group so it is a real total)
    iptables -I FORWARD -p tcp --dport 1:65535 -m connlimit --connlimit-above 4000 --connlimit-mask 0 -j DROP

    For those whose routers slow down and reboot when running P2P, the scripts to limit numbers of TCP and especially UDP connections will usually effect a cure. The mail limit prevents thousands of connections to port 25 when an email virus has taken over a user's PC to send spam...
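    Toastman's rules cap every host the same way, while post 3 asked for something more selective: when the cap bites, eMule's connections should go before the Xbox's. The block below is an added example, not Toastman's script and not code from the thread, that puts the connlimit rules into their own chain and lets one priority host leave the chain before any limit is evaluated, so the P2P PC is the one that hits the caps. Every address and number is a placeholder for your own network; the command used to install the rules is passed as an argument, so "apply_connlimits echo" previews the rules and "apply_connlimits iptables" installs them from the Administration/Scripts/Firewall box. The "-p ! tcp" spelling follows the 2007-era iptables on the page; newer versions write "! -p tcp".

```shell
#!/bin/sh
# Added example (not from the thread): per-host connection caps that spare a
# priority host. Placeholders below must be changed for your network.

LAN_RANGE=192.168.1.2-192.168.1.254   # every LAN host (placeholder)
PRIORITY_HOST=192.168.1.50            # the console / VoIP box (placeholder)
TCP_PER_HOST=250
UDP_PER_HOST=50
TCP_TOTAL=2000                        # keep below the router's 2048 conntrack slots

apply_connlimits() {
    ipt=${1:-iptables}
    # own chain: easy to flush and rebuild without touching Tomato's rules
    $ipt -N connlimits 2>/dev/null
    $ipt -F connlimits
    # the priority host leaves the chain before any limit is checked
    $ipt -A connlimits -s "$PRIORITY_HOST" -j RETURN
    # per-host TCP cap on new connections only (--syn), so established
    # sessions are not cut the moment a host reaches the limit
    $ipt -A connlimits -p tcp --syn -m iprange --src-range "$LAN_RANGE" \
        -m connlimit --connlimit-above "$TCP_PER_HOST" -j DROP
    # per-host cap on everything that is not TCP (UDP, mostly Kad/DHT)
    $ipt -A connlimits -p ! tcp -m iprange --src-range "$LAN_RANGE" \
        -m connlimit --connlimit-above "$UDP_PER_HOST" -j DROP
    # global ceiling: mask 0 puts all sources in one bucket, so this is a
    # true total rather than the per-source count connlimit uses by default
    $ipt -A connlimits -p tcp --syn \
        -m connlimit --connlimit-above "$TCP_TOTAL" --connlimit-mask 0 -j DROP
    # hook at the top of FORWARD (-I) so it runs before Tomato's own ACCEPTs;
    # the -D first keeps the script idempotent when the firewall is restarted
    $ipt -D FORWARD -j connlimits 2>/dev/null
    $ipt -I FORWARD -j connlimits
}

apply_connlimits "${1:-echo}"   # default is a preview; pass iptables to apply
```

    Because the RETURN for the priority host sits first, its traffic is never counted or dropped by the chain; if you want it shaped as well as exempted from the caps, that is a job for the QoS classes, not for this chain.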
