Using QOS - Tutorial and discussion

Discussion in 'Tomato Firmware' started by Toastman, Dec 24, 2008.

  1. srouquette

    srouquette Network Guru Member

    Sorry for the crosspost, but I have some problems when I try to use your settings with a VPN Mod.
    Did someone already report it here?
    I have 10k left in nvram with SgtPepperKSU's build.
  2. Toastman

    Toastman Super Moderator Staff Member Member

    I have no experience of using VPN (too slow for me), so can't offer any help. It is probably NVRAM out of space or a memory issue. If it works when you delete the QOS rules, for example, which frees up some memory, that might be an indicator.

    Old unused nvram variables might also be a cause, if you are often tinkering with your setup. Often, deleting nvram and setting up again from scratch will get back 10k or more.
  3. srouquette

    srouquette Network Guru Member

    When I disable QoS, VPN works fine. Could it be a problem with L7 rules?
    Are there some features which take more memory?
  4. Toastman

    Toastman Super Moderator Staff Member Member

    I suppose the best thing to do would be to take a backup of the config, then delete rules that you suspect one by one. Keep going until it works - might just be an accumulative effect of too many rules for the memory space on a GL. VPN being quite big, this problem is always more likely to happen.
  5. Toastman

    Toastman Super Moderator Staff Member Member

    New compiles 1.28.7432 for MIPSr2 - RT-N16 etc - based on Fedor's beta23 now reposted after testing
    Now with additional versions for Linksys E2000 and E3000
    All versions also with original class labels. And yes, VPN is there too...

    and what's in it?

    All the features of Teddy Bear's RT-N16 version of USBmod, version beta23
    Toastman Class Labels making it much easier to get confused
    Toastman comprehensive class rules for you to experiment with until the cows come home
    Fast Conntrack timeout values to thrill your heart as you watch your router struggling with P2P
    Fast page refresh times on Webmon, QOS graphs etc. for better realtime snooping on your clients
    Can load UPnP config file from JFFS to enable UPnP and NAT-PMP for vlans (see post above)
    And a nice pretty kinaree instead of that blasted penguin.

    NOVEMBER 6th 2010 1.28.7433 now has a good selection of safe working CPU clock speeds from a drop-down menu. Not sure if this is a good idea or not - but following several mails from people who've bricked their routers, and others who tried using the unstable 532MHz on the RT-N16 etc. I thought I'd try it out. What do you think?
  6. peyton

    peyton Network Guru Member

    great news
  7. srouquette

    srouquette Network Guru Member

    I don't know if someone is interested, but here are the rules I use for gaming.

    UDP: 88,3075,3478,3658,4379-4380,27000-27030
    TCP/UDP: 2300-2400,3074,4000,5223,6112-6119,7777-7788

    Added 27014-27050 to Downloads

    I got these ports from this site:
    These rules allow games from Blizzard and Valve, and should work for xbox360 and ps3.

    edit: updated with Azuse remarks.
  8. Azuse

    Azuse LI Guru Member

    Steam uses UDP 27000-27030 for games; 27014-27050 TCP is downloads. UDP 3478, 4379 & 4380 are Steam p2p/voip*. GFWL default is UDP 3074 but uses UPnP, making that port useless. Xbox should simply have all UDP traffic from its IP set as high (probably PS3 also).

    * Never could work out which was the voip
  9. srouquette

    srouquette Network Guru Member

  10. Toastman

    Toastman Super Moderator Staff Member Member

    Yes, the ports are rather strange, mostly they were old Microsoft games plus some local Thai ones that everyone used to play - just there for example really. In a big place like mine, with people playing literally hundreds of games, you would end up with so many ports it wouldn't be very practicable. XBOX and PS3 are nice because the games all use the same ports. If only there was some agreement to do this globally it would be great. I must admit I don't play games myself and therefore I am not up to date with the different games platforms and boxes.

    It isn't really very practical to give examples of game ports, because everyone has his own preferences and they also change frequently, so the thread would be full of port lists from different people. Looking at the port list you posted, there are hundreds, maybe thousands, of different ports.

    That portforward site actually looks extremely useful though, there's lot of info in an easy to read format!

    What are ports 27014-27050 for? 36 ports for downloads? When I tried them just, they filled up with P2P almost immediately. They don't appear on the normal lists of well-known ports.

    It would be a good idea to start a "Games Ports" thread - purely for gamers, with examples of what ports are in use for the different games.
  11. srouquette

    srouquette Network Guru Member

    I'm not really sure about 27014-27050, I followed Azuse's advice.
    On, they are used by the steam client and other games.
    Should I leave them in games?

    I agree it's a case by case, we can't really list all the ports for every game, but it's still better to have some popular ones (WoW, SC2, L4D2, TF2, Xbox360, PS3...) :)
  12. Azuse

    Azuse LI Guru Member

    27014-27050 TCP are steam downloads i.e. valve games/patches & updates and should not be under games. Technically 27000-27015 udp are games, but since valve lets admins set their server on whatever port they want you will probably have to add the odd port for any obscure servers you regularly use (3 tf2 in my case). That said 27000-27030 udp will catch the majority of servers on steam, just make sure you separate the tcp ports into downloads/bulk.

    Still not sure about the voip port tho (I think 4380 udp) & toastman, it's the first result in google :p
  13. myersw

    myersw Network Guru Member

    Toastman, loaded your latest ext on my RT-N16 and everything is just working!! Just the way I would like. Also love the pretty kinaree. Much prettier than the penguin ;-)
  14. Dashiell

    Dashiell Network Guru Member

    Thank you, Toastman!

    I'm a netadmin for four separate networks. I've been using tomato on all the routers and APs for years. The RT-N16s are a godsend. However, I found one network had grown too large and required more routing power/options. I moved on to a Mikrotik RB450G.

    I just wanted to say thanks to Toastman: with this thread and examples I was able to successfully adapt the "latest and best" version of the QoS rules to the Mangle Rules/Queue Tree on a routerboard. It took a while, but it is now performing exactly the way it did on Tomato. I could not have done it without the help of this forum!

    I'm still using Tomato on the other three networks, and likely will be for years.

  15. Toastman

    Toastman Super Moderator Staff Member Member

    You're welcome! Be interesting to hear a bit more about your routerboard !
  16. Dashiell

    Dashiell Network Guru Member

    I would post the config export, but I can't think of anything more off-topic than that! :)
  17. Toastman

    Toastman Super Moderator Staff Member Member

    I was looking at the spec, and it didn't seem much more than an RT - that's what I was wondering.
  18. Dashiell

    Dashiell Network Guru Member

    Well, yes... that's true in a way. The spec of a 450G:

    CPU AR7161 680MHz
    Memory 256MB DDR SDRAM onboard memory
    Data storage 512MB onboard NAND memory chip, microSD slot on back side
    Ethernet Five 10/100/1000 Mbit/s Ethernet ports with Auto-MDI/X (each port is wholly independent)

    However, what sets them apart is the absolute versatility of RouterOS. I've read that the best part of RouterOS is that "it's an infinitely configurable routing platform." and the worst part of it is that "it's an infinitely configurable routing platform."

    It's very reminiscent of a Cisco device. There are some unique philosophy differences in the way things are done, but it's definitely there.

    It basically starts you with a blank slate and you must configure EVERYTHING. From the ground up. Interfaces, IPs, Firewall, etc... it's all up to you. The beauty of it is that you can really design it to meet your needs.

    You can also plug a tomato router into it as an access point for instant wireless, or choose a different model and add wireless boards. I chose the 450G because of the 1ghz ethernet. I understand there are new models available to accommodate everything.
  19. kalel90

    kalel90 Addicted to LI Member

    Ok, here is an interesting problem for you to solve, lol. Say I am downloading a large file through HTTP (from a filehost such as Rapidshare etc.). How could I make it affect the latency of Xbox Live less without also slowing down my general web browsing? Before you say use the size limits: that doesn't catch the download at all. The only size I can set that actually catches the download is 8kb as the min size, but that also catches my web browsing, so I'm at a loss.
  20. Toastman

    Toastman Super Moderator Staff Member Member

    Games/VOIP latency

    The size limits are not applied to incoming data, they take effect only when the outgoing data for that connection exceeds a particular size. You can't use it for this purpose.

    Here are some tips to making your games/VOIP more responsive. You need fast ping response times - that means incoming data needs to arrive quickly and not be stuck in a queue waiting to be sent to your router from the ISP.

    Common things that affect this latency:

    1) An overly large amount of incoming data piling up at the ISP - with your desired packet stuck somewhere in the queue. Could be caused by P2P, uncontrolled downloads, etc. This may be enough to cause several seconds delay.

    This is controlled by correct classification and priority of applications, with the rate and limit settings adjusted for optimum settings for your particular needs on outgoing data classes. And then - this is VERY important - set LIMITS on incoming classes to ensure that the total doesn't exceed your available bandwidth. You must make sure that there is always spare bandwidth available. The incoming limits use the TCP backoff timers in the distant servers to slow down the connections. If you don't know where to start, set e.g. 25% limit on all of your incoming classes and see if things improve, then play around with the settings.

    2) Normal delay caused by a normal amount of traffic. Consider - if there is nothing at the ISP waiting to be sent to you, then any arriving game/VOIP packet is delivered immediately with NO delay at all. But if your incoming data is close to your maximum bandwidth, say, 15Mbps on a 16 Mbps line, and that packet is at the rear of the queue, then there will obviously be a longer delay. This isn't usually very much longer and usually we don't worry too much about it. You can't do anything about that except restrict the amount of incoming data - trading bandwidth for speed. The smaller the queue, the faster your ping return will be, for example.

    There has been some research done on the subject of VOIP - a general rule of thumb is to keep 33% of your incoming bandwidth empty for best results.

    3) Router overload and lack of memory mostly caused by too many connections. Controlled by fast expiration times in Conntrack/netfilter. There is a conflict here - short timeouts work best for P2P, but they may break VOIP connections. An assured timeout setting of 300 seconds may be necessary in some instances, but try to find a compromise that works.

    4) Other variables on the internet - about which you can't do anything. You will occasionally see ping spikes caused by factors outside your control and just have to live with it. A lot of the time it is the game server itself that is responsible.

    This graph shows a serialization delay relationship for common ADSL speeds and MTU. You can figure out from this the likely fastest ping times that are possible for your particular setup.

    For a better explanation as to how and why things work, read the full thread.
  21. nyonya

    nyonya Addicted to LI Member

    Hey Toastman, just a heads up, this was happening to me using your most recent K26 MIPSR2 Ext build (1.28.7433). Everything else seemed to be working fine. Build 52 of Teddy_bear's firmware fixed this issue.

    Hey guys, so weird issue I'm having. Finally decided to format my external drive as ext3 to improve transfer speeds (had been using NTFS). Formatted it once through the gparted boot CD on my laptop, and once through the tools included in the extras build. Both times, same issue - if I try to transfer more than about 7MB of data, it hangs, and eventually I get a message that the folder can't be accessed. Then generally the hard drive disappears from the USB page in the browser GUI, and eventually comes back - or restarting the drive works. I've searched but haven't seen mention of this issue.

    Using a WNR3500L, running the latest Toastman build, Windows 7 64-bit on the laptop. Didn't have issues when it was formatted as NTFS, just went slowly. Any ideas?
  22. Toastman

    Toastman Super Moderator Staff Member Member

    Interesting, thanks! Don't know why it should be any different. C'est la vie ...

    A warning to anyone trying the E2000 E3000 etc versions of the latest firmware. Some parts of this mod have not been tested. Especially beware of the 60K NVRAM version - please don't flash this unless you are prepared to unbrick your router. If you do try it, please tell us how you found it. (Apparently some people did try it already).

    Teddy Bear will not be releasing a version for these routers until dual-band wireless changes are complete.
  23. Kisch

    Kisch LI Guru Member

    Today I discovered a strange problem with Victek 1.28, Asus WL500gP and QOS. If I run rtorrent and seed a file to my friend at the same time from my NAS, the lower P2P traffic class eats bandwidth and the Download class with higher priority (seeding file from NAS to friend through WAN port) gets only a little. If I stop the rtorrent client in the NAS, seeding the file in the Download class is at max speed. If I start rtorrent again, priority goes to hell and the lower class gets higher priority. Class detection is OK. I think I will go back to the 1.25 victek-thor version. P.S.: Sorry for my English, not my native language.
  24. Toastman

    Toastman Super Moderator Staff Member Member

    uTorrent uTP Protocol

    No idea what is going on there.

    On a related note...

    After uTorrent's love affair with uTP, I've been doing some experiments to see if they've improved it yet since the early days. Following the reports by many ISPs of increased loads and equipment failure caused by the reduced packet size and increased PPS rate, there have been several modifications to the protocol. It is claimed that it's much improved. I used the most recent and "best" uTorrent v2.04 build 22150 to take another look.

    So what did I find?

    Turning off TCP and using uTP (no DHT) got me around 1100kbps download speed. At the same time my entire uplink bandwidth of 1002kbps was taken up with uTorrent - and web browsing was therefore extremely sluggish, taking several seconds to respond. VOIP, video, and shoutcast were completely unusable.

    Turning off uTP and using TCP only, quickly resulted in 3736kbps downloads and only 221kbps uplink speed, web browsing was snappy and downloads about 3 times faster.

    Yes, look again. TCP alone gives almost 3 times the download speed and less than a quarter of the bandwidth!

    Repeating these experiments over a period of 2 weeks always confirms the above. A whole day of uTP downloading resulted in less than a quarter of the normal downloads. Not very impressive, so 2.04 doesn't seem any better to me. No wonder the global ISPs are up in arms.

    I saw no evidence whatsoever that uTP is backing off to allow other protocols to get a look in. The outgoing bandwidth taken up by uTP is still extremely high for no observed benefit to downloads. Nothing has changed. There is no observable congestion control taking place but there is still a large increase in UDP traffic. I have reverted to dumping UDP into the crawl class and killing it dead. uTP is still a bandwidth hog.

    Interestingly, these days, the majority of people sharing torrents (public) are using uTorrent 2.04 which has uTP - but they don't have it enabled. They have deliberately turned it off - you can see this by the missing "P" in the flags. That's interesting too.

    Indeed, looking at the "peers" readout, most of those which DO have a "P" in their flags (uTP) contribute only a few kbps to a download. The bulk of downloads always come from TCP. All of the residents I have spoken to in these blocks agree that TCP still provides better downloads. What the residents don't see, of course, is the sheer amount of uTP traffic load hitting the router. Some ISPs have even likened uTP to a DoS attack and many are blocking uTP.
  25. Azuse

    Azuse LI Guru Member

    Every subsequent release has reduced the uTP overheads, and there's not a huge amount of TCP going around in the UK (relatively speaking) any more, although IIRC the DHT table uses TCP. Still, it improved things around here, and the more people use it the better it becomes, but I assume, as with the first time you brought this up, your international pings aren't great, which will have quite an impact unless you have plenty of local seeds (<100ms).

    My download speeds (on slow torrents) increased with uTP, but we have good international pipes here. We also have most ISPs in some chronic torrent throttling campaigns because it's easier than charging users a realistic price for the bandwidth they use :( As far as QoS goes it seems easier, at least when I use 1/1.5k connections. I can raise the inbound limit slightly above the TCP threshold, but leaving it to its own devices doesn't work since the 100ms target is too high for most people. Leave it in the same class as TCP and it should be fine.
  26. Kisch

    Kisch LI Guru Member

    I returned back to my previous Thor USB mod of Victek 1.25 version and it is working again. And yes, I always did NVRAM erase after flash.
  27. Toastman

    Toastman Super Moderator Staff Member Member

    Kisch, perhaps you should report that on Victek's thread and see if anyone can help.
  28. peyton

    peyton Network Guru Member

    thanks !
  29. Toastman

    Toastman Super Moderator Staff Member Member

    Please update from 7437 to 7438, which corrects an omission in the data-jsx file - thanks T/B!

    [New version 7438 based on latest tomato-RT version 9054 Beta - Toastman and original class label compiles.]

    November 3rd

    Added a refresh timer to tools/system page - this makes it very useful for realtime monitoring - for example, netstat can be refreshed automatically.
  30. Suva

    Suva LI Guru Member

    Where can I get this version 7438?

  31. peyton

    peyton Network Guru Member

    Follow Toastman's signature
  32. Toastman

    Toastman Super Moderator Staff Member Member

    I've just made a new, very experimental build 7800 for MIPSr2 from source code posted by Wes Campaigne.

    1) QOS / View Details page now has per-connection inbound / outbound traffic counter columns

    2) New QOS / View Transfers page with per-connection upload / download rates

    This is really useful. Within minutes I was able to see something that I'd not been able to see before - a client sending out immense volumes of unclassified broadcast traffic to port 889. You can never have too many diagnostics tools!

    As usual, I have to add - this build may work for you, but it isn't guaranteed and may not be at all stable. "Caveat Emptor"

    Thank you Wes!!
  33. peyton

    peyton Network Guru Member

    Will wait a bit before upgrade.. :)

    Thanks Toastman !
  34. Toastman

    Toastman Super Moderator Staff Member Member

    Seems fine, running 2 days on several RT-N16 routers.
  35. Toink

    Toink Network Guru Member

    Yup seems to be running fine for 24hrs now on my E3000/WRT610Nv2. Thank you, Toast! :)
  36. peyton

    peyton Network Guru Member

    Running for more than 22h, no prob so far.
  37. Toastman

    Toastman Super Moderator Staff Member Member

    Now another great tool from Wes. The QOS/Details page now identifies which rule was responsible for classifying a connection.

    (R# column, 255 = default)

    Experimental build 7801 replaces 7800 - posted .....
  38. miracle2k

    miracle2k Networkin' Nut Member

    I'm so glad I found this, because I was just about set to implement (1) myself (and I wouldn't even know how to approach (2)).

    Since I've always been confused about the Tomato development process (there being apparently no mailinglist, bug tracker or anything of that sort) - do you know what the chances of this being merged into mainline are?

    Also, I've recently switched to your QoS rule setup, and so far, it works better than anything I've been able to come up with on my own. However, I notice that using those rules, I'm never really fully using the max bandwidth limit I have specified (not to mention my actual bandwidth limit).

    Since my connection is pretty slow to start with (3mbit), I'd like to attempt to tune this. Here's the part where I notice that I don't really understand the Tomato QoS settings. I do think I understand how QoS works in the backend (qdiscs, dropping packets to control inbound traffic, all that), I guess just not how it's abstracted in the UI.

    Specifically, "rate" vs "limit". I understand limit, but what does "rate" mean? If I have a single connection in a single class, it would transfer the limit of that class, correct? If I have two connections in two different classes, how would the available bandwidth be divided between the two connections (in theory, optimal circumstances etc.) based on the classes' rate/limit settings? There must be some kind of formula.

    Or to use a specific example, what makes the "service" class in your rule set count as "high priority", if all the actual limits given are equal to or lower than, say, "P2P/Bulk"?

    I'd love it if someone could help me grasp this.
  39. Toastman

    Toastman Super Moderator Staff Member Member

    Probably none of the latest developments will be added to the mainstream "official" Tomato because Jon Zarate seems to be busy these days and is not working on it so much. The mainstream version nowadays is really "TomatoUSBmod" - the main developers are Teddy Bear and Ray123 - which you no doubt are familiar with. My version is just bits stuck on top of it, borrowed from here and there because people asked me for it ... but the credit goes to the real developers in the "About" page.

    About your QOS questions. Did you read right through this thread?


    First, the priority of the class is what a class is all about. You need to think of a class as its priority in the order of sending to the ISP. Internally, the classes bear numbers in order of priority; the labels we put on them in the GUI are just that - labels to help us to remember what they are.

    Each packet sent is examined by your class rules, and marked with a tag (that number) showing what "priority" you allocated for it. It then enters the transmit queue waiting to be sent to the ISP. There are ten classes in Tomato. The top class on the page has the highest priority. Packets will be taken out of the queue (dequeued) according to priority. The highest priority packets in the queue are sent first, followed by the lower priority packets, if any, in the queue. There are also some other considerations for fairness of picking out and sending these prioritized classes, but we won't go into that here.

    Packets in the queue are also subject to some extra conditions:

    The "rate" is the guaranteed bandwidth that will be allocated to that priority "class". The "limit" is the maximum bandwidth that class is allowed to use by borrowing it from other classes if they are not in use. So something with a rate of 5% and limit of 100% is allocated a guaranteed bandwidth of 5% (even if it is the lowest class) but can use 100% of the bandwidth by borrowing from other classes, if they are not in use.

    The sum of the ten class "rates" should not exceed 100%, of course; if it does, it will be scaled down.


    Now, the incoming process is easier to understand. Its only real function is to place a limit on a class - beyond this limit, TCP packets will be dropped, forcing the remote server to back off and thus slow down the link.

    Firstly, note that the "Max Bandwidth" figure is ONLY used to calculate the percentages for the individual classes - it is not an overall limit, although it is implied. (That is why in my version I changed the heading to "Incoming CLASS limits" and put a warning about this so that people don't misunderstand.)

    Now, if two classes, for example, start using bandwidth, the bandwidth will be shared equally between them, so in your case, each class could get no more than 1.5Mbps.

    But we can limit each class; however, this helps us only so much.

    The incoming (ingress) system unfortunately has no system to "borrow" bandwidth from other classes. All it has is a bandwidth limit on each individual class. In fact in this sense, there are no "priority" classes here at all - the names are indeed just labels. That's it. So it isn't as flexible and that gives us a few problems which do need to be considered.

    We may have, for example, to set a limit of 2Mbps on P2P to make sure it doesn't swamp our web browsing. But that limit is fixed. It can't rise above 2Mbps even if no other classes are using the bandwidth at all. Likewise, we may need to put limits on other classes, even if it's only because P2P ***MAY*** try to use ports etc in that class and take it over.

    BUT if we do this, we now have a problem.

    The sum of the individual limits may add up to more bandwidth than we have available, allowing incoming data to choke our link, at which point the QOS fails to work. There needs to be an overall limit to stop this happening, but there isn't one. Instead we are forced to set our limits lower than we would like, so that the sum doesn't EVER exceed the maximum ISP bandwidth. We have traded bandwidth for stability, but we had to overdo it!

    You can see from this that Tomato's QOS could be improved by adding some extra complexity to allow class borrowing; this would give us an overall limit too. I have done several experiments at creating an overall limit and it does indeed make a HUGE improvement in bandwidth utilization.

    There is a good thread about the QOS ingress mechanism:

    You have to experiment to find the best compromises. Things will become rather more efficient at using bandwidth if a better ingress system is added to Tomato, but it hasn't happened yet. In the meantime, do the best you can. Take my rules as examples of what I had to do and change them to suit yourself.

    EDIT - A new IMQ based ingress system now exists in Toastman Tomato, now most of the limitations mentioned above have been addressed. Others will undoubtedly add these changes to the other mods too.
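    An added example, not from the thread or from Tomato's own code: a simplified Python model of the sharing described above, for the outbound rate/limit question (guaranteed rate, borrowing up to the limit in priority order, rates scaled down if they exceed 100%) and for the inbound limit problem (fixed per-class caps that can add up to more than the link, which is also why the Games/VOIP latency post insists on leaving spare incoming bandwidth). The class names and percentages are constructed, and the egress sharing is a simplification of HTB: real HTB also shares excess among classes of equal priority by quantum, which Tomato's ten distinct priorities do not exercise.

```python
"""Simplified model of Tomato QoS bandwidth sharing (added example, not Tomato code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class QosClass:
    name: str
    prio: int     # position on the QoS page: 0 is the top (highest priority) class
    rate: float   # guaranteed share of outbound bandwidth, in percent
    limit: float  # ceiling the class may reach by borrowing, in percent


# Constructed class table in the spirit of the thread's rule set (not Toastman's values).
CLASSES = [
    QosClass("Service", 0, 5, 100),
    QosClass("VOIP/Game", 1, 20, 100),
    QosClass("WWW", 3, 10, 100),
    QosClass("P2P/Bulk", 9, 5, 50),
]


def egress_share(classes, demand, max_bw):
    """Outbound: HTB-style rate/limit sharing.

    demand: {class name: kbit/s the class wants to send}
    max_bw: the outbound 'Max Bandwidth' figure, kbit/s
    Returns {class name: kbit/s granted}.
    """
    active = [c for c in classes if demand.get(c.name, 0) > 0]
    if not active:
        return {}
    # Step 1: every active class gets its guaranteed 'rate'.  If the active
    # rates add up to more than 100%, they are scaled down proportionally.
    scale = min(1.0, 100.0 / sum(c.rate for c in active))
    granted = {c.name: min(max_bw * c.rate * scale / 100.0, demand[c.name])
               for c in active}
    # Step 2: whatever is left is lent out strictly in priority order (top of
    # the page first); no class may exceed its 'limit'.
    spare = max_bw - sum(granted.values())
    for c in sorted(active, key=lambda k: k.prio):
        if spare <= 0:
            break
        ceiling = max_bw * c.limit / 100.0
        extra = min(spare, demand[c.name] - granted[c.name],
                    ceiling - granted[c.name])
        if extra > 0:
            granted[c.name] += extra
            spare -= extra
    return granted


def ingress_share(limits, demand, max_bw):
    """Inbound: each class is capped at limit% of max_bw and nothing borrows.

    limits: {class name: percent}; returns ({class name: kbit/s}, total kbit/s).
    The total can exceed max_bw, which is the flaw discussed above: the
    'Max Bandwidth' figure is only used to compute the per-class caps.
    """
    granted = {name: min(demand.get(name, 0), max_bw * pct / 100.0)
               for name, pct in limits.items()}
    return granted, sum(granted.values())


if __name__ == "__main__":
    link = 3000  # kbit/s, a 3 Mbit line like the one asked about above
    # Outbound: WWW and P2P both saturate; P2P keeps only its 5% guarantee.
    print(egress_share(CLASSES, {"Service": 50, "WWW": 5000, "P2P/Bulk": 5000}, link))
    # Inbound: caps of 70% + 50% let the two classes pull 3600 kbit/s on a 3000 link.
    caps = {"WWW": 70, "P2P/Bulk": 50, "VOIP/Game": 100}
    print(ingress_share(caps, {"WWW": 5000, "P2P/Bulk": 5000}, link))
    # The '25% on every incoming class' starting point keeps the sum under the link.
    print(ingress_share({k: 25 for k in caps}, {"WWW": 5000, "P2P/Bulk": 5000}, link))
```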
  40. wats6831

    wats6831 Networkin' Nut Member

    Hi, I read the QoS thread. I thought I understood most of it. So I went ahead and used your example setup with a few modifications to the rules based on what I use. However, my High or "online games" class/rule doesn't appear to be working at all. Even when I have all my bandwidth available, games that use the ports in my rule don't appear to be functioning at all and seem to hang on connection. I think it may have to do with the "transferred" setting in the rule. I don't know what that setting does or what it means and I didn't see any explanation for it. I've tried several different values for that setting in my "high" rule for the gaming ports, but I still have the same problem.

    Attached Files: QoS.jpg (21.6 KB)
  41. miracle2k

    miracle2k Networkin' Nut Member

    Aaah, that was the missing part. Somehow, especially with the renamed classes, I forgot about the packet prioritization. Thanks.
  42. Toastman

    Toastman Super Moderator Staff Member Member

    wats6831, - Very difficult to see this jpeg cos it's too small, you need to upload to e.g. imageshack and link to the jpeg to get bigger sizes. Anyway, I think I see a game rule with 256k+ transferred? That won't be doing anything. What that does is tell QOS to place the connection under that class rule if it transfers more than 256K of information. Games typically only send small amounts so it might take a long time before anything happened, if ever. Remove the 256k bit and it will probably do something. It looks like you deleted the games rule along with many others, but difficult to see what.

    I think you may need to start again.
  43. occamsrazor

    occamsrazor Network Guru Member

    Hey Toastman,

    I remember a while back, I think it was in another thread but I can't find it now, that there was some brief discussion over the possibility of having user-defined class names ("Games", "VOIP", "Bulk", etc), rather than hard-coded ones.

    Did anything ever come of that?

  44. Toastman

    Toastman Super Moderator Staff Member Member

    Well, I'm sure it would be pretty easy to do, but I am an idiot - I can't do it. I'd also like that option. But hardcoding was the best I could do :-(

    There was a discussion about this recently on - you might look over there.

    EDIT - maybe I'm not such an idiot as I thought - managed to do it - see later in the thread :D
  45. Toastman

    Toastman Super Moderator Staff Member Member

    Experimental build 7800 was stable, so it's now replaced by v. 7439. This is based on current git code with latest code fixes and also has an additional checkbox to hide inactive connections in the "rates" page, and a new "test" IPv6 GUI. For MIPSr2 only at the moment, both standard and Toastman class label versions.

    Please remember that the IPv6 has not been released yet and is highly experimental. Please report any problems on
  46. peyton

    peyton Network Guru Member

    Great !
  47. phuque99

    phuque99 LI Guru Member

    Is anyone familiar with how iptables chains are processed in Tomato? The only workflow I found for wrt related iptables is:

    I would like to add additional iptables rules to drop malformed packets, both into the router and to forwarded ports. I'm curious to know, for Tomato, whether the WANPREROUTING or PREROUTING chain is the best place to add such rules:

    # drop new packets that are not syn, drop Xmas scans:
    iptables -I PREROUTING -p tcp ! --syn -m state --state NEW -j DROP
    iptables -I PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    A full iptables dump from Tomato shows that it has 2 pre-routing chains, WANPREROUTING and PREROUTING, so I'm curious about their difference and the order that they are being processed.
  48. rhester72

    rhester72 Network Guru Member

    WANPREROUTING is traversed as the first chain inside PREROUTING. If you're trying to protect against such scans internally *and* externally, your rules are fine. If you're worried only about WAN, WANPREROUTING will also work.

  49. phuque99

    phuque99 LI Guru Member

    Thanks for the pointer. I tested and confirmed that rules in the PREROUTING chain would drop malformed tcp packets (from nmap especially) from both LAN and WAN. Now based on how each chain is processed, in theory Toastman's original iptables rules below (example snippet):

    iptables -I FORWARD -p tcp --syn -m iprange --src-range -m connlimit --connlimit-above 80 -j DROP
    iptables -I INPUT -p tcp --syn -m iprange --src-range -m connlimit --connlimit-above 100 -j DROP
    #Limit UDP packet opens from all users - UDP to Router
    iptables -I INPUT -p udp -m limit --limit 10/s --limit-burst 20 -j ACCEPT
    #Limit UDP packet opens from all users - UDP out to WAN
    iptables -I FORWARD -p udp -m limit --limit 10/s --limit-burst 20 -j ACCEPT
    Could be reduced into:

    iptables -t nat -I PREROUTING -p tcp --syn -m iprange --src-range -m connlimit --connlimit-above 80 -j DROP
    iptables -t nat -I PREROUTING -p udp -m limit --limit 10/s --limit-burst 20 -j ACCEPT
    This may well reduce the number of iptables rules the kernel needs to have in memory and may be more efficient since these packets could be dropped earlier.
  50. Toastman

    Toastman Super Moderator Staff Member Member

    phuque99, I will try that on the offending network and tell you what happens. It's dropping incoming packets on occasions now, I'm waiting for someone on the LAN to start some monkey business.

    EDIT - your malformed packet rule above - I tried entering also that but I don't see it show up in any table. What does yours look like?
  51. phuque99

    phuque99 LI Guru Member

    Sorry, I pasted them in the wrong syntax. They should be inserted into the "nat" table on the PREROUTING chain in the following manner:

    ## Block malformed packets
    # Drop xmas, syn/rst, syn/fin, ack/fin and null scan
    iptables -t nat -I PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
    iptables -t nat -I PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    iptables -t nat -I PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -t nat -I PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    iptables -t nat -I PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
    iptables -t nat -I PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
    # Drop new packet with no SYN flags
    iptables -t nat -I PREROUTING -p tcp ! --syn -m state --state NEW -j DROP
    Based on what I've seen in the last 24 hours, the no SYN flag rule (last line) blocked everything "bad". I'm curious to know if your traffic throttle rules on the PREROUTING chain may solve your random reboot problems.
  52. Toastman

    Toastman Super Moderator Staff Member Member

    Me too! I do believe I've tried it in the past, and had no success, but I will try again. I agree with you that the less the stuff has to traverse, the less resources would be taken.

    New scripts look interesting! I will try them out also.
  53. phuque99

    phuque99 LI Guru Member

    Do note that the "malformed" packet script is still kinda work in progress. They will drop malformed packets on WAN -> router or LAN -> router.

    Bad packets on WAN -> forwarded ports will be dropped by a default INVALID packet iptables rule inserted by Tomato. So adding them offers no additional protection to forwarded ports. I've yet to confirm if they protect against outgoing port scan attacks from LAN -> public IP.


    I just confirmed with a test partner, that this rule caught all probes and port scanning (except for the use of valid SYN packets to test for open ports):

    iptables -t nat -I PREROUTING -p tcp ! --syn -m state --state NEW -j DROP
    It will block invalid probe packets on:
    1. WAN -> router
    2. LAN -> router
    3. LAN -> external IP

    Although it will also block bad packets from WAN -> forwarded LAN machines, the existing INVALID iptables rule in the FORWARD chain will drop them by default. I'm not any expert in setting up iptables firewalls, so this would probably need a peer review by someone more experienced or knowledgeable.
  54. Toastman

    Toastman Super Moderator Staff Member Member

    Well, you seem to be doing pretty well to me !! Better than I am. Anyway, so far, the router has not crashed. If it stays up for more than a few days, that will be the test.
  55. phuque99

    phuque99 LI Guru Member

    @Toastman: When you're experimenting, please exclude those "malformed" iptables rules. I realized now that they are a waste of time and totally redundant. While experimenting more on my own, I discovered that quite a number of packets with illegal / bad TCP flags were dropped by the "INVALID" iptables rules inside the INPUT and FORWARD chains. These were inserted as the default firewall by Tomato.

    I looked further into the Linux source code in the file:

    Lines 814 - 820 check if a packet's TCP flags are valid. If they are not, they get dropped and logged as being invalid.

    That function, called "tcp_valid_flags[tcpflags]", is defined at line 757. Here you can see that it checks for all combinations of valid TCP flags. Thus it will handle anything that looks funny.

    TL;DR version: There's no need for additional iptables rules to check for invalid TCP packets, they are already handled by the kernel module.
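To show what the kernel lookup described above does, and why the hand-written --tcp-flags rules from post 51 never fire on anything conntrack would not already reject, here is an added Python model; it is not code from this thread or from Tomato. The valid-flag table is reproduced from nf_conntrack_proto_tcp.c (tcp_valid_flags) as I remember it, with PSH/ECE/CWR masked off before the lookup as that code does; verify it against the kernel source your firmware was built from.

```python
# Added example, not from the thread: a model of conntrack's TCP flag
# sanity check, used to test which of the posted --tcp-flags rules are
# redundant with the default INVALID rules. Table from memory of
# nf_conntrack_proto_tcp.c; confirm against your kernel tree.

FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80

# Flag combinations the kernel table marks as legitimate. PSH, ECE and CWR
# are cleared before the lookup, so they never decide validity.
VALID_FLAGS = {
    SYN, SYN | URG, SYN | ACK,
    RST, RST | ACK,
    ACK, ACK | URG,
    FIN | ACK, FIN | ACK | URG,
}
IGNORED = PSH | ECE | CWR


def conntrack_flags_valid(flags: int) -> bool:
    """Mirror of the tcp_valid_flags[] lookup.

    Returns True if conntrack would accept the header, False if it would
    classify the packet as INVALID (and Tomato's default rule would drop it).
    """
    return (flags & 0xFF & ~IGNORED) in VALID_FLAGS


# The "malformed packet" rules posted in the thread, written as the
# (MASK, COMP) pairs that `iptables --tcp-flags MASK COMP` tests:
# the rule matches when (flags & MASK) == COMP.
ALL = FIN | SYN | RST | PSH | ACK | URG
THREAD_RULES = {
    "ALL ALL":         (ALL, ALL),              # every flag set
    "ALL FIN,URG,PSH": (ALL, FIN | URG | PSH),  # xmas scan
    "SYN,RST SYN,RST": (SYN | RST, SYN | RST),
    "SYN,FIN SYN,FIN": (SYN | FIN, SYN | FIN),
    "ACK,FIN FIN":     (ACK | FIN, FIN),        # FIN without ACK
    "ALL NONE":        (ALL, 0),                # null scan
}


def rule_matches(flags: int, mask: int, comp: int) -> bool:
    """Apply one iptables --tcp-flags MASK COMP test to a flag byte."""
    return (flags & mask) == comp


def packets_only_rule_catches(mask: int, comp: int) -> list:
    """Flag bytes matched by the rule that conntrack would still consider
    valid, i.e. packets the rule drops that the INVALID rule would not."""
    return [f for f in range(256)
            if rule_matches(f, mask, comp) and conntrack_flags_valid(f)]


def redundant_rules() -> list:
    """Names of the posted rules that add nothing beyond the INVALID check:
    every flag byte they can match is already invalid to conntrack."""
    return [name for name, (mask, comp) in THREAD_RULES.items()
            if not packets_only_rule_catches(mask, comp)]


if __name__ == "__main__":
    for name, (mask, comp) in THREAD_RULES.items():
        extra = packets_only_rule_catches(mask, comp)
        print(f"{name:18s} redundant={not extra}")
```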
  56. Toastman

    Toastman Super Moderator Staff Member Member

    Yes, I agree with you. I experimented a few months ago with some similar rules that people had tried to use, that were taken from a commercial firewall - and wondered why they seemed to have no extra effect. It seems that a few other people haven't looked in the source code :biggrin: . Thanks for making the reason clearer.

    It's still too early to be sure, but the router is still up. I will let it run a few more days and then reinstate the old rules. If it then begins to reboot again, then I think it's a fair assumption that the change in chain means the rules are working now. It's a pity it's not possible to run a proper control on this, but with all of the random monkey business coming from 120 computers which can change every day, I can't think of a better way.

    The rules I am testing are these:

    iptables -t nat -I PREROUTING -p tcp --syn -m iprange --src-range -m connlimit --connlimit-above 150 -j DROP
    iptables -t nat -I PREROUTING -p ! tcp -m iprange --src-range -m connlimit --connlimit-above 100 -j DROP
    iptables -t nat -I PREROUTING -p tcp --dport 25 -m connlimit --connlimit-above 5 -j DROP
  57. phuque99

    phuque99 LI Guru Member

    I do see debugging flags all over the kernel source code. If you suspect that the netfilter rules could be rebooting the router, you could compile a custom firmware with verbose debug logging, and log /var/log/messages to remote syslogd server.
  58. Toastman

    Toastman Super Moderator Staff Member Member


    I ran two days with the old rules in the forward chain and had a return to rebooting. So based on that, although as yet it isn't 100% proven, I believe this may indeed be THE solution! I've placed the prerouting rules on several sites and will monitor them to see how it goes now. Thank you very much for your help, and your friend too for his testing.

    The implication of this isn't so good. Looks like the firewall, as it stands, probably causes more problems than it cures because tradition is to place many rules in the forward chain. Maybe not just in Tomato, but many other implementations too. It really needs someone very knowledgeable to take a look.
  59. Toastman

    Toastman Super Moderator Staff Member Member

    New version 7440 has changes in the pppoe which attempt to give greater stability. Improvements to qos rates and details pages. Additions to ipv6. DNS entries for ipv6 GUI, and other updates from source. Posted ...

    Comments on the pppoe stability would probably be very useful to Teddy Bear, so please let me know how you find it.

    Please also note that the IPv6 stuff is very much experimental and as such, don't complain too much (!!). However, if you have any interesting observations or comment, Teddy Bear and Wes Campaigne would appreciate the feedback.
  60. Toink

    Toink Network Guru Member

    Thanks, Toast! Looking forward to flashing my routers as soon as your f/w 's up!

    Merry Christmas and a Prosperous New Year! :smile:
  61. fun.k

    fun.k Addicted to LI Member

    Thanks for pushing this forward Tman :)

    I just flashed to TomatoUSB and I have a question. I read that TomatoUSB incorporates SpeedMod goodness. Reading some more on Rodney's blog I see that he implemented tc-atm patch for proper adsl QoS.

    Does this mean that TomatoUSB comes with tc-atm too and we have to enter the relevant values in the firewall script?

    Happy Holidays!
  62. Toastman

    Toastman Super Moderator Staff Member Member

    I don't believe that the tc-atm patch got into Teddy Bear's releases yet. I am interested in this somewhat myself, because the idea looks good in theory. You could add it all yourself, or like me, wait until it is done and incorporated into the build. Maybe T/B will see this thread and make a comment when he has time.

  63. laobo

    laobo LI Guru Member

    can add mppe encryption ?
  64. occamsrazor

    occamsrazor Network Guru Member

    Hi Toastman,

    Am currently running K26 RAF v1.28.8623+USB+VPN... and liking your recent work with the addition of the Wes Campaigne QoS. I think Victek has included that in this build, judging by the QoS > Transfer rates page.

    What's the "new pppoe module" mentioned in your 1.28.7440 build? Is this anything to do with the tc-atm patch, or something different?

    I have to say keeping track of and understanding the different builds these days, between Teddybear, Victek, and yours, and on this forum and tomatousb and Victek's site, has gotten awfully hard. I guess it's a necessary consequence of all the new developments and experimentation, which is obviously cool, but it makes trying to decide which build to go for a little hard. I remember the same was happening a year or so ago before Thor responded to my proposal for an All-in-One build to consolidate a lot of different functionality.

    Anyway, I guess it's somewhat inevitable... and my E3000 should arrive soon which will open up my choice to the latest MIPSR2 builds :) :)
  65. Toastman

    Toastman Super Moderator Staff Member Member

    As far as I am aware there is as yet no attempt to add the tc-atm patch to tomato. All I know is that there have been, for a long time, some occasional PPPOE problems that a few users have reported with some ISP's - poor stability, dropouts, failure to reconnect, and so on. Teddy Bear has been running through several variations of the pppoe section, to find the best solution.

    As far as all the different builds being confusing - it is even worse trying to describe every little thing that has been done to a new compile, with different builds for different routers, with or without VPN, and so on. My advice is simply download ones that look interesting and flash them. I flash about 20 every week here just to look at and test. It's the only real way to see what you're getting.

    Quite probably my builds are the closest you'll get to that all-in-one build at this moment. But I'm not going to start adding all manner of servers and things like torrent downloaders to it, I believe that a router should route. I am sure that one day someone will start adding too much useless junk and the whole thing will grind to a halt.

    There will probably always be separate compiles from different modders, which means people have a choice. And that's how it should be, I think.
  66. occamsrazor

    occamsrazor Network Guru Member

    Hi, what speed do you recommend overclocking the WL-500GPv2 to, staying on the safe side?
    On another note, I read some of your Increasing power with WRT54GL - pros and cons thread, but couldn't find any recommended settings for WL-500GPv2 - what do you recommend? Currently I'm just using 0=hardware default.
  67. occamsrazor

    occamsrazor Network Guru Member

    I'm currently using the following code in the firewall script to access my modem at, while my router is at and all LAN devices have 192.168.0.x addresses:

    iptables -I POSTROUTING -t nat -o vlan1 -d -j MASQUERADE
    ip addr add dev vlan1 brd +
    Sometimes I find that if the ADSL link is down, I can't access the modem, but when ADSL is up, I can. Is this because I don't have the "ip addr......" line in the init script like you? Your solution seems much more elegant, acquiring the info from NVRAM. What would be the equivalent code for my Router=, Modem= setup?

    PS - Sorry for all the questions! I'm in a Tomato-tinkering mood today and catching up on some previous posts... :)
  68. Toastman

    Toastman Super Moderator Staff Member Member

    Well, I don't specifically "recommend" anything for power, because it depends on your own needs, but if it helps, 150mW is the setting I run my WL500gP v2's at in these reinforced concrete buildings for best performance. All that has been said about the WRT54GL applies equally to the transmitter on the WL500gP v2 as it uses the same power amplifier chip.

    The WL-500GPv2 can't be overclocked as far as I'm aware because of its brain dead AIO chipset. Nevertheless it performs OK, if a little sluggish. It's already at 240.

    Re. accessing the modem, I have always found it to be very hit and miss on any installation I have ever tried, if you look back through my posts you'll always find me making a comment that people shouldn't be surprised if the modem doesn't respond. What works one day doesn't work the next, and so on. As it's usually of no importance, I've not bothered much with it.
  69. Toastman

    Toastman Super Moderator Staff Member Member

    New version 7617 MIPSR1 K24 for WRT54 series and similar, based on latest TomatoUSBmod from Teddy Bear, with Toastman features such as QOS Labels, Victek's RAF mods, and the new additional diagnostics from Wes Campaigne. Seems OK - GUI is almost instant, speed seems fast - but please treat this as BETA firmware.

    Please note that there has been no official release of the IPv6 additions yet, this is very much experimental, untested and will have bugs in it, so please don't drive anyone mad by complaining about it if it doesn't do as you expected. If you have any sensible suggestions please post them for Teddy Bear to comment on.

    Phuque99 - should you read this: apart from when I did so myself, none of my test routers have rebooted at all since the rules were placed in the prerouting chain. I've now implemented the same rules on every site. Thanks for the assistance!

    EDIT - As of January 20 2011 - not a single router has rebooted, that's almost a month now. QED !
  70. phuque99

    phuque99 LI Guru Member

    My original aim was to streamline my iptables firewall and reduce resource usage. But I'm glad that my suggestion fixed a major issue for you. Lucky I don't have a lot of "funny business" traffic to contend with on my end.
  71. mhook

    mhook Networkin' Nut Member

    I have a WRT54GL with tomato running on it. I'm using VOIP a lot and it's choppy when you download a file or browse the web at the same time. I'd like to implement QoS but I haven't been that successful. Looks like I need to use the TC-ATM patch because I have my router doing PPPoE through a Draytek Vigor 120 configured in PPPoA to PPPoE transparent pass-through. The modem is configured as PPPoA/VC MUX.

    As it turns out I have a build of tomato with the speedmod patch built in, but I am not savvy with using QoS from the command line, as TC-ATM is not pulled into the UI. Are there some links for setting this up?

    "Quick set up QoS & TC-ATM for the impatient"
  72. Toastman

    Toastman Super Moderator Staff Member Member

    Almost nobody uses that mod for the same reason, but it has nothing to do with why you have choppy VOIP. If your QOS isn't working correctly you just need to read up on how it operates and try to find out the reason.
  73. Porter

    Porter LI Guru Member


    I basically agree with Toastman. The first step is to configure QoS properly. If you are still having problems after this, you could look into using the atm-patches.

    On some adsl-lines it's simply a problem of too little upstream bandwidth to sustain a VoIP-stream and sending out enough ACKs to saturate your downlink.

    If you are further interested look at this thread about the Speedmod with atm-patches where I have posted some of my experiences, including my QoS-script and advice on how to find out your overhead values:
  74. mhook

    mhook Networkin' Nut Member

    Thanks for the feedback guys. I think it was my classification that wasn't working quite right. I've now cut out all the rules and just loaded up the ones I actually need.

    I'm merely a home user with 2 - 3 computers connected. Not bittorrent. Watch youtube and listen to online media streams. 1x Linksys PAP2T for VOIP.

    I currently have a cutdown version of toastman's classifiers. I'm classifying the PAP2T by MAC Address.

    So far so good.

    What I do want to ask though, why is it that the connections distribution shows so many packets as unclassified when they are clearly in the classification section. e.g. ALL UDP DNS port 53 are set to highest. However, click on the unclassified section of the connections distribution pie graph and it shows DNS packets that I would have thought would be classified.

    I'm using the Victek mod.
  75. mhook

    mhook Networkin' Nut Member

    Never mind about the unclassified connections.. I've just realised they are all connections and DNS queries that are directed to the Tomato router itself.
  76. mhook

    mhook Networkin' Nut Member

    I wonder whether tomato should even show connections directed at itself. It makes the pie graph look wrong when there are very few connections.

    I'm a programmer, and quite familiar with networking protocols and firewalling. Although I've never played with QoS until the last week or so.

    I program under Linux, so cross compiling the code should be a breeze.

    If I get the time I'm interested in modifying tomato. Maybe we can do some joint effort here.

    There are two things I'd like to see added.
    1) The ability to name the classes.
    2) Ability to access TC-ATM for those with ADSL.
  77. Toastman

    Toastman Super Moderator Staff Member Member

    BTW if you see something that needs an explanation take a look in the "common tomato topics" link below, often there's a tip somewhere in there.

    If you're into programming, sure, there's no reason why not to join in and contribute. A check box "display unclassified connections" maybe? Adding the ability to specify class names should also be simple enough. There's also the outstanding problem with the incoming part of QOS that needs some attention. Several other little improvements we'd like to see too. Take a look at this thread in its entirety and add your bits to the bottom!
  78. proudnoob

    proudnoob Networkin' Nut Member

    Hey Toastman, I have read your QOS over and over and I'm a little confused. I would be willing to pay you for your time to help me set up everything I need. Please help me, I just bought a new e3000 last night and loaded tomato. Thanks.
  79. Toastman

    Toastman Super Moderator Staff Member Member

    Post details of your ISP, bandwidth (measured) up and down, and what you are trying to do. I might help or I might not. As for paying me to do the work for you, sorry, you can't pay me enough.

    The forum is about learning how to do it yourself.
  80. proudnoob

    proudnoob Networkin' Nut Member

    DOCSIS 3.0 modem - bandwidth up 6Mb / down 30Mb, Fiber Optic Cable. I want to set up the best settings for priority only for my xbox. I host 18 player online games Halo/modernwarfare. I can hardwire the xbox to the router (2) feet away from it, or wireless, whatever is best. I only have my desktop connection and one wireless client connected to my internet. I need you to help me set up everything for the best possible settings for the XBOX only. QOS/port forwarding etc. I hardly use the desktop and the phone is on wireless 2.4. Whatever I can do for you to help me $$ please help me and I can help you $$ whatever it takes, thanks. I tried to PM you, it won't let me.
  81. Toastman

    Toastman Super Moderator Staff Member Member

    You have a very simple setup that probably doesn't need QOS at all. Depends on what the PC on your wireless connection does of course, but unless you use P2P or huge downloads I wouldn't expect it to make much difference. In any event, just make a QOS rule to prioritize your xbox by its MAC address and place it in your HIGH class, and that will take care of the xbox. Next, all other traffic should have less priority; you may also need to set limits on its incoming bandwidth to prevent other traffic from being affected. The rest is down to you to experiment.

    It is also vitally important for gaming and VOIP that you set outgoing maximum bandwidth to say 66% or less of your measured uplink.
  82. proudnoob

    proudnoob Networkin' Nut Member

    Desktop is off the majority of the time. Wireless is for phone data only. I need help with how to do the 66 percent thing for QOS and so on, setting it up. My goal is to eliminate everything and make only the xbox get the best settings possible.
  83. peyton

    peyton Network Guru Member

    Cool thx !

    edit : can't access url, will try again tonight
  84. Hey Toastman, are there any plans on releasing a MIPSR1 version with IPv6 support? For routers like WRT54GL.
  85. haschid

    haschid Networkin' Nut Member

    QoS wrongly applying classes in large transfers?

    Is there a way to verify what's the class applied to each connection? I mean, besides the graphs?

    I think I'm having an issue with qos.

    I'm using tomato RAF version 1.28.8515 Lite in a dlink dir-320.
    I have the following classes:

    Dst Port: 80,443,8080
    Transferred: 0 - 512KB
    Class: WWW

    Dst Port: 80,443,8080
    Transferred: 512KB+
    Class: Download

    If I transfer a large file, like an ubuntu linux iso, the qos graphs only show a change in class, from WWW to Download, after 40MB have been transferred. Is this a bug in the graphs? Or are the classes being wrongly applied?

    I had the same issue when using Tomato USB version 1.27.8745 Ext.
  86. rhester72

    rhester72 Network Guru Member

    You understand the classes are triggered by -uploaded- traffic, yes? So until you *upload* more than 512KB of URIs and ACKs to a single web connection, the shift to download will not be triggered.

  87. Toastman

    Toastman Super Moderator Staff Member Member

    gijs73 - Because of the limited resources of the last generation of router, it's quite likely that the ipv6 support won't be implemented. There's some discussion going on about it. My own personal feeling is that it would be a bad idea.
  88. cannuck_bob

    cannuck_bob Networkin' Nut Member

    I have a problem getting all of my uTorrent traffic recognised in the right class. I followed the configuration proposed on the first page, but added exceptions for STEAM and other games, in the appropriate class.
    I gave uT Class D with the following settings (Port 39148, DHT disabled, Encryption enabled, UPNP & NAT-PMP enabled, 1000 max global , 500 max connections per torrent)

    TCP/UDP | Class D | uTorrent
    Port: 39148

    Now, the default set class is Class C, because I don't want uT to hurt misc apps and odd games that need to access the web.

    The problem is that a lot of uT traffic (about half) is recognised as Class C, on a range of srcPorts from 58000 to 62000 (estimated). I used Microsoft Network Monitor 3.4 to look at all connections on my NIC. No other computers are on use on the network.

    So, has anyone experienced the same thing? Is it a bad idea to set the default class higher than uT?

    Edit: I doubled the TCP connection timeout times from your suggestions. It gave me problems with Steam games.
  89. Toastman

    Toastman Super Moderator Staff Member Member

    You have changed the default class to something quite high, and are now trying to classify Torrents with a port number? This is a very bad move and as you can see it doesn't work. You don't need a rule for torrents, that is the purpose of the default class, and why it is set to a low priority. Any traffic NOT explicitly covered by a rule will end up there, this is the only way to trap [almost] all P2P traffic. You should read through the QOS thread again if this isn't clear. You may find a small amount of P2P traffic "leaks" into another class - this usually isn't a big deal.
  90. Toink

    Toink Network Guru Member

    Hey Toast! What's the ETA on the fixed build to 7441? :) Based on what I read, it's the PPPoE mode that has issues, am I correct? Thanks!
  91. cannuck_bob

    cannuck_bob Networkin' Nut Member

    Ok, I re-configured the default class as Class D. I still get an annoying problem with game ping: even if it is the only app using bandwidth, I get ridiculously high pings (200+ms vs 24-32 before) with games, even if it is effectively recognized as high priority. Ping goes down after I disable QoS. Any idea?
  92. Toastman

    Toastman Super Moderator Staff Member Member

    cannuck_bob - No idea, but clearly your QOS isn't working. If you need help then you must post your QOS setup and full details of your ISP connection, and measured up and down speeds.

    Toink - the pppoe/httpd issue is fixed but waiting for Vic, who is fixing the RAF IP/MAC section. There's nothing special to upgrade for, so I'm in no hurry.
  93. cannuck_bob

    cannuck_bob Networkin' Nut Member

    It's a cable connection (Videotron) with Motorola SB5100 modem. Speed measured is constant at all times.
    Down: 8.38Mbps
    Up: 1.05Mbps


    My goal was to give high priority for Steam and Killing Floor.

    Thanks for your help Toastman.
  94. Toink

    Toink Network Guru Member

    Ah! No problem though. I'm not in a hurry, too! Thank you for the updates and your great builds :)

  95. Toastman

    Toastman Super Moderator Staff Member Member

    CB - Try the following:

    a) Set Outbound Max Bandwidth Limit at 650 kbit/s - This is important.
    b) Inbound Max Bandwidth 8000
    c) To begin with, set your P2P class rate to 5% and limit to 10%
    d) Next, set all incoming class limits to 50% except for Highest and HIGH, leave these at 100%.

    You should now see some improvement and have somewhere to start with your adjustments.

    I suspect that you may not have set a) correctly, or maybe your class limits, because most of the rules you have should be reasonably OK.

    Now, I see you've made an extra rule for torrents using L7 filter. The L7 bittorrent filter doesn't work well, and it can actually make things worse by preventing connections entering the default class - or it may help. You must test this yourself. Normally, you would delete that rule and make sure your default class is D. Now, as you are probably aware, this means that ANYTHING not expressly covered by a rule will end up in the default class. This is the only way to address P2P in any meaningful way if you don't know the machine and/or port numbers in use. In your case, you do for at least one machine, hence your rule for uTorrent.

    However, you will find that a P2P application like uTorrent CAN and WILL use ports that are covered by other rules. There will always be some of those and you just have to accept some "leakage". For example the skypeout L7 filter lets a lot of P2P through which will get the priority you intended for skype(out). It is better to prioritize skype by the IP or MAC of the machine in use. Minimizing the number of ports you prioritize in the rules will cut down the number that can be "poached" by P2P. I see at a quick glance that you are in fact prioritizing around 1000 ports, mostly in the high class. That is a recipe for disaster.

    The next thing is to set proper rates and limit on outgoing stuff and also limit the incoming classes so that traffic congestion is unlikely to occur. You didn't post your settings though so I can't comment.

    Best way to set things up is to find your ISP gateway IP and set up a continuous ping to it. (-t)
    It's not much use to ping the gameserver since the path to it will continually change and the results won't be clear. The gateway IP is the closest to you and that is what you need.

    Adjust the setting you wish to experiment with and then save it. Watch the ping time and see how it responds.

    Since your ping time (to the gameserver?) is very long, traffic congestion is occurring. It's probably due to P2P. Firstly, make sure it isn't occurring on your outgoing data by setting limits below 650 on that class, then adjust the incoming class limit. To begin with, set limits low, say 50%. Once things begin to work, experiment with increasing them. Don't set any limit on the important classes, highest and high in your case.

    For best latency for games and VOIP, it is important not to allow the incoming data stream to exceed about 66% of your incoming bandwidth, which is about 5Mbps in your case. You can check that with the realtime and 24 hour graphs. Yes, I know that means a lot of your bandwidth is not being used. That's why it is available for your VOIP when it needs it.

    You might find it helps to move your steam and KF rules higher in the list (below DNS) so they don't have to traverse all the rules.

    Note that Port 3478 is already covered in the 9th rule, so is going into MEDIUM class. 28852 is in rule 3.

    Now it's down to you to make the adjustments for your particular setup. You can get help by reading through the QOS thread below.
  96. carlstar

    carlstar Networkin' Nut Member

    I noticed this last night that when I tried to set games like steam (counterstrike) under Class High, it gets classified as Class E. Is there an error for port 27015? It seems like I'm unable to set it as High. No matter what I've tried, it ends up being Class E. Any clue?
  97. Toastman

    Toastman Super Moderator Staff Member Member

    Without seeing a complete post of your QOS setup, it's impossible to say, but I don't see any reason for that.
  98. Mojonba

    Mojonba Network Guru Member


    I've been playing with QOS for a while and have it all under control, especially torrents; however, when I'm leeching via Usenet I see a spike in DNS traffic between DNS servers and the router. By spike I mean around 10KB/sec. Are these acknowledgment packets? Keep in mind that my download is saturated (maxed out). What is the best way to deal with this scenario?

  99. ptmurphy

    ptmurphy Networkin' Nut Member

    I guess I am a bit confused or misinterpreting the graphs that Tomato presents.

    I have a VOIP phone system that I have given a fixed IP address to ( I have two classification rules setup, both in the Highest class - one is for all "To" traffic on all ports for TCP/UDP. The other is for all "From" traffic, all ports.

    However, when I look at the graphs and click on the lowest category it will show entries like this...

    Protocol: UDP
    S Port: 1194
    Destination: some external IP
    D Port: 1194
    Class: Lowest

    Why would that traffic not be prioritized as Highest? I have monitored the graphs when making a VOIP call and can watch the new connections and traffic on be prioritized as Lowest.

    It seems like the UDP traffic is going as Lowest and the TCP traffic is going Highest. Why would this be when the rule is TCP/UDP?

    Thanks for any insight...
  100. rhester72

    rhester72 Network Guru Member

    Are you sure it's DNS traffic? 10KB/sec is a *LOT*. Which direction is it going? dnsmasq should be caching entries to prevent this sort of thing, and particularly with Usenet the only entry of interest should be your news server.
