Using QOS - Tutorial and discussion


Hi Mishe

Sorry, I don't understand the second question...

The first: these scripts were designed to be pasted into the firewall script box. So when executed, the -I means that the 1st (DROP) line is moved to the top of the iptables list. I = INSERT AT TOP. Next executed is the ACCEPT line, which is again moved to the top, BEFORE the drop line. So you are partly right in your assumption!

A = APPEND (add to the bottom).
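As an added illustration of the two flags (example code, not part of the reply above): the chain is built by executing the script lines in order, and a packet is judged by the first rule that matches from the top. Chain contents and the 198.51.100.7 address are constructed for the example.

```python
# Added example (not from the forum post): a tiny model of how iptables
# -I (insert at top) and -A (append at bottom) order rules in a chain,
# and how first-match evaluation then decides a packet's fate.
# Rule contents and the sample address are constructed.

def apply_commands(commands):
    """Build a chain from (flag, rule) pairs in script order.

    "-I" inserts at position 1 (top), "-A" appends at the bottom,
    exactly as iptables does when a script is executed line by line.
    """
    chain = []
    for flag, rule in commands:
        if flag == "-I":
            chain.insert(0, rule)
        elif flag == "-A":
            chain.append(rule)
        else:
            raise ValueError(f"unsupported flag {flag!r}")
    return chain

def first_match(chain, packet):
    """Walk the chain top to bottom; the first matching rule's target wins."""
    for rule in chain:
        if all(packet.get(k) == v for k, v in rule["match"].items()):
            return rule["target"]
    return "POLICY"   # fall through to the chain's default policy

# Two rules in the order a script would list them: DROP first, then ACCEPT.
SCRIPT = [
    ("-I", {"match": {"dst": "198.51.100.7"}, "target": "DROP"}),   # constructed address
    ("-I", {"match": {}, "target": "ACCEPT"}),                        # matches everything
]

def chain_with_insert():
    """Chain as produced by the script above with -I (second line ends up on top)."""
    return apply_commands(SCRIPT)

def chain_with_append():
    """Same two rules, but appended with -A (script order is preserved)."""
    return apply_commands([("-A", r) for _, r in SCRIPT])

def verdict(chain, dst):
    """Target a packet to `dst` hits in `chain`."""
    return first_match(chain, {"dst": dst})

if __name__ == "__main__":
    for name, chain in (("-I", chain_with_insert()), ("-A", chain_with_append())):
        print(name, [r["target"] for r in chain], "->", verdict(chain, "198.51.100.7"))
```

With -I the ACCEPT rule ends up above the DROP rule and the DROP is never reached (ACCEPT for the blocked address); with -A the DROP stays first and only that address is dropped.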
 
Ahh, so if I use -A it would be attached at the end? In which file can I see all rules on my router?

OK, the second question I have written a few times and received no answer. I'll try...

WRT54GL with Victek Tomato 1.23.
In the init script is:
Code:
sleep 5
# extra address on the WAN VLAN so the router can reach the modem
ip addr add 192.168.1.3/24 dev vlan1 brd +
# bring up vlan2 on its own subnet
ifconfig vlan2 192.168.3.1 netmask 255.255.255.0
ifconfig vlan2 up
which gives me a way to reach my modem, and vlan2 gets an IP and netmask.

In the firewall script is:
Code:
# accept traffic from vlan2 addressed to the router itself
iptables -I INPUT -i vlan2 -j ACCEPT
# let vlan2 open new connections towards the modem (vlan1), the internet (ppp0) and the LAN bridge (br0)
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan2 -o br0 -j ACCEPT
# masquerade towards the modem subnet so its replies come back via the router
iptables -I POSTROUTING -t nat -o vlan1 -d 192.168.1.0/24 -j MASQUERADE

I should insert some rules to deny WLAN clients access to my vlan2 net with my computers.


These nvram variables are left unchanged:

Code:
lan_dhcp=0
lan_domain=
lan_gateway=0.0.0.0
lan_hwaddr=00:16:xx:xx:xx:xx
lan_hwnames=
lan_ifname=br0
lan_ifnames=vlan0 eth1 eth2 eth3
lan_ipaddr=10.0.0.254
lan_lease=86400
lan_netmask=255.255.255.0
lan_proto=static

and changed:

Code:
vlan0hwname=et0
vlan0ports=5* 3
vlan1hwname=et0
vlan1ports=4 5
vlan2hwname=et0
vlan2ports=5* 0 1 2

That's it, I think. I use PPPoE.

QoS details shows:

HTML:
Proto	Source	     S Port	Destination	D Port	Class
TCP	212.227.17.162	993	84.183.121.xxx	51947	Highest
TCP	213.244.185.41	80	84.183.121.xxx	1528	High
TCP	74.125.43.102	80	84.183.121.xxx	51944	High
TCP	209.85.135.138	80	84.183.121.xxx	2086	High
TCP	217.188.32.97	80	84.183.121.xxx	1549	High
ICMP	193.99.144.85		84.183.121.xxx		Lowest
TCP	192.168.3.1	80	192.168.3.100	51978	Unclassified

where 84.183.121.xxx is my external IP address, *3.100 is my PC and *3.1 my router. Class is not working correctly; maybe this is related to the problem.

So I hope you can turn on the lamp above me - and sorry for my English. You are welcome to correct me ;-)

michse
 
Hi again

Telnet or SSH to your router, and obtain a list of iptables commands with "iptables -help", or abbreviate it to "iptables -h".

iptables -L
iptables -t nat -L

The other questions are to do with vlan and routing. I'm not an expert at this sort of thing, so hopefully someone else will answer these questions!
 
So that makes no sense after iptables -L?

target prot opt source destination
ACCEPT 0 -- anywhere anywhere
DROP 0 -- anywhere p54B77808.dip.t-dialin.net

First accept all, then drop something special. OK, maybe another thread...

thank you
 
Hi Toastman,
I cannot find a good way to set a port rule for Skype, since the outgoing call requires any port above 1024. It always falls into the default class, which is used for P2P. How to differentiate it from P2P? Thanks.
 

Try Layer 7 skypetoskype (and skypeout)
 
Flashing routers over the web

I had a few mails recently asking about flashing routers remotely.

I was forced a while back to upgrade 24 APs and 2 routers over the web, some 200 km from here. I did this half expecting to have to drive to the site to recover busted routers. But I made the discovery that actually flashing over the web was quite reliable. The secret is to WAIT and not panic if the router does not accept a flash in what you might think is a reasonable amount of time. It is quite normal for a remote flash to take up to 10-15 minutes and sometimes longer. If no flash after 15 minutes, I would wait an hour or two before I gave up. Once the connection is closed, then you have a big problem!

TIP: You can check the remote router's GUI in another browser window to see if it still responds - if it does, then the router is not accepting the flash and it is safe to disconnect. If it doesn't respond, either a) it's accepting the flash b) it has rebooted and DDNS not yet updated, or c) it's dead Jim ....

I have now flashed remote sites many, many hundreds of times with no failures.

I have never bothered to do it, but before uploading anything onto a busy router it might be a good idea to prevent anyone using it, which would allow best access speed and also free up RAM. Changing its LAN IP number is one method.
 
#121, #122 Concerning Layer 7 skypetoskype and skypeout.

I've found that a significant amount of skype traffic is not classified by using the L7 skype filters. Searching the web, I found several articles also saying the same thing. Unfortunately, there seems to be no easy way round this.

EDIT - It's now 1 year later and the L7 filters appear to work better - always use the latest version of firmware, and you'll stand a better chance of success. The skypetoskype filter seems good, but the skypeout one allows a lot of P2P through into that class. I decided against using it.
 
I'm guessing that L7 library developers need to keep up with ever-changing protocol pattern matching changes.
 
Hi Toastman,
thank you for that wonderful QoS explanation!
I have just set up your settings from example #19. Seems OK so far, but I'm wondering why internet radio streams (MP3, HTTP port 80) are not classified as class C (dst port 80, transferred 256KB+), but as normal WWW connections (class Lowest, dst port 80, transferred 0-256KB)? :confused:

Addition:
after listening to an MP3 stream at 128 kbps for approx. 7 minutes, the class switched from Lowest to class C.
The traffic was: 128kbps/8*60sec*7min = 6720 kB

My rule was to switch after 256kB. Why is the switch after 6720kB?
 
Although I haven't touched this, I'll bet it simply uses a range of ports from which it picks them at random. Essentially it makes QoS impossible, but a lot of newer programs, e.g. MSN, list thousands of ports as their way of handling NAT and ensuring they function on larger networks. Total pain in the ass. If you can't catch them with L7 you probably never will.

In the end I set all my classes to max and used the MAC limiter (raf), leaving it to keep data moving, and the class rules more for the visual graphs plus lag reduction, i.e. they aren't used to control bandwidth, just priority. Probably impractical for some, and a nuisance for others, but it's the only solution I've found after a month of tinkering :mad:
 
Classifying SHOUTCAST AV

Anyway, QOS itself is probably working correctly; remember the outgoing traffic is what is being counted for the >256KB rule. If the incoming traffic is UDP there are no ACKs, so there is very little outgoing traffic at all, perhaps just a small amount on what I will call the "control" channel. If TCP, then the ACKs are mostly what is being counted - so it takes a long time to cross over to class C.

If the L7 filters worked, and the "incoming L7" box is checked in the Conntrack page, then one should be able to classify it.

ADDITIONAL


I am using Winamp for the Shoutcast streams, and a few other bits of odd software for icecast and others. Spider Player is a great little application for both Shoutcast and Icecast.

The latest level 7 filters usually work for video but were not quite so good with MP3 streams. New version L7 filters will appear from time to time, so keep trying.

So far most of these connections seem to be TCP, (but I do see odd UDP ports opening and these do seem to be related to Winamp as they disappear when the application is closed).

The only reliable way to use QOS has been to prioritize ports for the complete range used by the MP3 and Video servers listed. Setting both TCP and UDP, no size filters. Without going through every possible server, there seems to be no information as to what range of ports are most common - but so far ports 7000-12100 seem to cover the video servers I've tested. All streams show in the correct classes. Video streams generally open one stream on a good solid link, but on poorer links will often open a good many connections - probably only the most recent one is actually the one in use and the others very quickly time out. This means that any limits set on numbers of connections and speed of opening may also impact the performance. Conntrack timeout settings need to be aggressive.

One problem remains - P2P using any ports in that range will also be placed in this class. This is something that one may just have to put up with, so far it doesn't seem to be a major problem. The method is the one used in the examples on this site, which has been tested for about 18 months - P2P generally holds in check OK.

EDIT: Lately, I have been finding the L7 filters have been improved. There is a new post below with example QOS, using L7 filter for Shoutcast. It seems to work OK and is not processor intensive. Give it a shot.
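As an added illustration of the point above that the >256KB rule counts outgoing bytes (example code, not part of Toastman's post): a small Python model that estimates how long a download-size rule takes to trigger on an incoming stream. The 1460-byte segment, 52-byte ACK and the 128 kbps stream rate are assumed typical values, not measurements from this thread.

```python
# Added example (not from the forum post): why a download-size rule that
# counts *outgoing* bytes is slow to trigger on an incoming stream. For a
# TCP stream only the client's ACKs travel upstream; for UDP nothing does.
# Segment size, ACK size and the stream rate are assumed typical values.

MSS = 1460               # typical TCP payload bytes per downstream segment
ACK_BYTES = 52           # IPv4 (20) + TCP (20) + timestamp option (12), no payload
THRESHOLD = 256 * 1024   # the ">256KB transferred" rule from the QOS setup

def upstream_rate(bitrate_kbps, proto="tcp", segs_per_ack=1):
    """Approximate outgoing bytes per second generated by an incoming
    stream at `bitrate_kbps`. UDP produces no ACKs at all."""
    if proto == "udp":
        return 0.0
    inbound_bps = bitrate_kbps * 1000 / 8          # kbit/s -> bytes/s
    segments_per_s = inbound_bps / MSS
    return segments_per_s / segs_per_ack * ACK_BYTES

def seconds_to_cross(bitrate_kbps, proto="tcp", segs_per_ack=1):
    """Seconds until the outgoing byte counter passes THRESHOLD, or None
    if it never will (UDP)."""
    rate = upstream_rate(bitrate_kbps, proto, segs_per_ack)
    return None if rate == 0 else THRESHOLD / rate

def inbound_bytes_when_crossed(bitrate_kbps, proto="tcp", segs_per_ack=1):
    """How much has actually been *downloaded* by the time the rule fires."""
    t = seconds_to_cross(bitrate_kbps, proto, segs_per_ack)
    return None if t is None else t * bitrate_kbps * 1000 / 8

if __name__ == "__main__":
    for proto, spa in (("tcp", 1), ("tcp", 2), ("udp", 1)):
        t = seconds_to_cross(128, proto, spa)
        if t is None:
            print(proto, "never crosses the threshold")
        else:
            got = inbound_bytes_when_crossed(128, proto, spa) / 1000
            print(f"{proto}, ACK every {spa} segment(s): {t / 60:.1f} min, {got:.0f} kB downloaded")
```

For a 128 kbps TCP stream acknowledged segment by segment this gives roughly 460 seconds (about 7.7 minutes) and around 7.4 MB downloaded before the outgoing counter reaches 256 KB, which is the same order as the 7 minutes and 6720 kB reported earlier in the thread; with delayed ACKs (one per two segments) it takes twice as long, and a UDP stream never gets there.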
 
It won't help - because it's just counting control traffic or whatever, the actual download is what we need to find and try to classify. Going lower will most probably just end up putting all WWW into class C.

Try to see how it is arriving, what ports, protocol, into what class is it going (probably the default).

EDIT: See later example QOS for use of L7 filter.
 
Today I installed Victek's Mod with your Mod (proper class labels). Really great work! Thanks a lot to all that made this nice piece of firmware.
The radio stream I was listening to is a normal HTTP stream with dst port 80. I don't know how to distinguish this from normal WWW traffic. But I think this is OK. Radio has a constant limited bandwidth and it should be guaranteed that the stream is not disrupted.
For the last 6 months I used a Draytek Vigor 2710n. My family often complained about our internet. I found that this Draytek is full of bugs. The DNS forwarder often returns no answer, making surfing the web a pain. The internet radio (Freecom Musicpal) often had short dropouts. So I replaced it this weekend with my old WRT54GL, installed your QoS rules, and now all are happy. :)
 
Toastman, I want to ask you: are these values in the screenshot (TCP limit and UDP limit) not too low? I want to do this for a few clients. I have read all your posts about optimising these things, but I want to control all this from a GUI.

http://i50.tinypic.com/suu2av.jpg
 
QOS example for Tomato - compatible with v1.26+

In recent tomato releases there is a restriction of 10 port entries per QOS rule. Earlier versions of QOS with many entries per rule will probably load and run fine, but after any edit they will be rejected by the GUI checker, and you won't be able to save the rule. This is an improvement, as it was previously possible to corrupt your configuration by entering too many ports in a rule.

Here is the latest QOS setup used here for everyone, from home users right up to 400 room residential blocks. Some rules have been split into sections and a general tidy up has been made. It seems to run faster. Use it as a base for your own setup. If you copy all the settings exactly as given, this should work reasonably well for you, needing just a few changes for your own setup, or if you wish, disable and later delete things that are not appropriate.

NB - Please note that the use of Class E for "P2P uploads" (seeds) did not work as well as I had hoped, which is why there is no rule for P2P Uploads. Use this class as a "crawl" class to slow down or dump unwanted stuff in.

[Screenshots: basicx.jpg, classify.jpg, conntrackx.jpg]


Most popular chat services are covered including QQ, as is most streaming audio and video, either in the appropriate class or by use of HTTP ports by the application. Shoutcast, Icecast, TV and MP3 streams are now classified correctly by an L7 FILTER (most of the time). Occasionally a P2P connection can be identified as Shoutcast, but it will usually not cause any trouble. I have added an L7 filter to cover Flash/Youtube videos.

This setup runs on 1Mbps/16Mbps link. Since the values are given as percentages, just adjusting the maximum limits for your own link speeds should get things working without too many other changes needed. Remember you ***must*** set the maximum outgoing limit to, say, 85% of the minimum speed measured on the line. In fact, to begin with, set it lower to 70%. Once you know things are working you can up it later.

With the greater bandwidth available, allowing a higher level of P2P has been found much safer. However, I want to point out that in my opinion, a WRT54GL router, being clocked at 200MHz and with a small amount of memory, is severely limited in what it can do. I have found that a 16Mbps line can push it to the limit - if you run it at or close to SUSTAINED full throughput. The CPU Load can and probably will exceed 0.5 at times, maybe even higher. At these levels, the router becomes sluggish. The web GUI responds more slowly. While the above QOS does a very good job even on a little GL, some users may find this sluggishness to be annoying (as I do).

The ASUS RT-N16 is the answer to this, the faster router takes care of most of the slowdown problems.

Most users may not experience this problem, remember I usually have around 80 to 100 users active on my networks, so it's hammered quite hard. I would imagine those with even greater bandwidth via cable will have more noticeable slowdown. As in all things, your mileage may vary!

ADDIT: uTorrent has a new protocol from version 2.0, based upon UDP. One really *needs* harsh conntrack timeouts for this protocol. Without it, these UDP connections rise quickly and take up the router's resources. Clicking "drop idle" usually deletes around 90% of them. Setting UDP timeouts of 10 seconds for both unreplied and assured actually increased P2P throughput and freed up the router - in this instance reducing number of my own P2P connections from 2037 to 194 ! [This setting so far has not resulted in any complaints from anyone over the last few months]. In fact, dumping UDP packets altogether seems to improve downloads too. Strange.

Refer to posts 165 and later below.

VOIP users, be careful with the UDP timeout settings. Use 10 and 25. Some users may need to increase the assured timeout figure towards 300 to avoid disconnection. Use the smallest number that is reliable for your own VOIP system.

The versions of Tomato with labelled classes are available here:

ftp://toastman.dyndns.org
http://toastman.dyndns.org

As a bonus I've added the wireless connection rate display from Fedor's USBmod. These compiles seem to work here but should be considered betas.

There's now a version for the RT-N16 also - this will become the router of choice in future.

The classes are in the exact same order Highest down to E, if you use normal version.

i.e.

Highest - Service
High    - Game/VOIP
Medium  - Media
Low     - Remote
Lowest  - WWW
A       - Mail
B       - Messenger
C       - Download
D       - P2P/Bulk
E       - Crawl

Firewall scripts:

You may find the addition of one or more of the following scripts, to the firewall section in ADMIN/SCRIPTS, will place some limits on the total number of connections allowed per client. Please note - I have found these scripts to work one day and not the next, depending on what version of Tomato is in use, what religion you belong to, or maybe on the prevailing wind. Your mileage may vary :biggrin:

In theory (!):

The FORWARD chain defines the limit on what is sent to the WAN (the internet). This therefore places a limit on the connections to the outside from each client on your network.

The INPUT chain limits what comes in from the internet to each client. Without this limit, the router can still be overloaded by incoming P2P etc. Often it is necessary to use both chains.

#Limit TCP connections per user FORWARD=to WAN INPUT=from WAN
# (the filter table has no PREROUTING chain, so the per-client "to WAN" limits live in FORWARD;
#  connlimit counts tracked connections per source address, --syn so only new connections are tested)
iptables -I FORWARD -p tcp --syn -m iprange --src-range 192.168.1.50-192.168.1.250 -m connlimit --connlimit-above 80 -j DROP
iptables -I INPUT -p tcp --syn -m iprange --src-range 192.168.1.50-192.168.1.250 -m connlimit --connlimit-above 100 -j DROP

#Limit all *other* connections per user including UDP
iptables -I FORWARD -m iprange --src-range 192.168.1.50-192.168.1.250 -p ! tcp -m connlimit --connlimit-above 20 -j DROP
iptables -I INPUT -m iprange --src-range 192.168.1.50-192.168.1.250 -p ! tcp -m connlimit --connlimit-above 50 -j DROP

#Limit outgoing SMTP simultaneous connections (per source address, any client)
iptables -I FORWARD -p tcp --dport 25 -m connlimit --connlimit-above 10 -j DROP

If you test the above scripts with a limit of, say, 5 connections in the line, you will often see that it doesn't appear to be working: you will have many more connections than your limit, maybe 30-100, that you can't explain. Some of these may be old connections that have not yet timed out, and waiting for a while will fix it. Be aware that often these may be Teredo or other connections associated with IPv6 (Windows Vista and 7), which is enabled by default. You should disable it on your PC from the command line:

netsh interface teredo set state disabled

Associated post: http://www.linksysinfo.org/forums/showpost.php?p=359084&postcount=152

Accessing modem via the router:

Give your modem an IP in a different subnet to your router. Normally it's easy to use 192.168.0.1, which is probably the one in most common usage.

Enter the following scripts into these sections of ADMIN/SCRIPTS page:

init: ip addr add 192.168.0.13/24 dev $(nvram get wan_ifname) brd +
firewall: iptables -I POSTROUTING -t nat -o $(nvram get wan_ifname) -d 192.168.0.0/24 -j MASQUERADE

The first allocates an IP in a different subnet to the appropriate vlan interface for your router.
The second sets a route for that subnet via that vlan interface to the modem.

The scripts will discover the correct vlan for your router from NVRAM.

Now you should be able to access your modem by typing its IP into the browser. Not all modems seem to respond to this, though, even if they work just fine when connected directly to a PC.
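As an added example that goes with the connlimit scripts and the UDP timeout discussion in this post (example code, not Toastman's; the conntrack lines are constructed in the /proc/net/ip_conntrack layout of the 2.6-era kernels, and 203.0.113.x / 198.51.100.x are documentation addresses): a Python script that counts tracked connections per LAN client the way the connlimit rules count them, TCP separately from everything else and per source address, and reports which clients are already over the 80/20 limits. It also counts UDP entries flagged [UNREPLIED], the ones the short UDP timeouts are meant to expire, so you can see how much of a client's count is dead weight before concluding the rules are broken.

```python
# Added example (not from the forum post): per-client connection accounting
# over /proc/net/ip_conntrack text, mirroring the connlimit rules above.
# Sample lines are constructed; only proto, the first src=/dst= pair and the
# [UNREPLIED] flag are parsed.
import ipaddress
import re

TCP_LIMIT = 80       # --connlimit-above 80 in the FORWARD TCP rule
OTHER_LIMIT = 20     # --connlimit-above 20 in the FORWARD non-TCP rule
CLIENT_RANGE = (ipaddress.IPv4Address("192.168.1.50"),
                ipaddress.IPv4Address("192.168.1.250"))

# "tcp      6 30 ESTABLISHED src=... dst=..." or "udp      17 30 src=... dst=..."
ENTRY_RE = re.compile(r"^(?P<proto>\w+)\s+\d+\s+\d+\s+(?:[A-Z_]+\s+)?src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)")

def _line(proto, src, dst, sport, dport, unreplied):
    """Constructed ip_conntrack line (203.0.113.1 plays the router's WAN address)."""
    num = {"tcp": 6, "udp": 17}[proto]
    state = ("SYN_SENT " if unreplied else "ESTABLISHED ") if proto == "tcp" else ""
    flag = "[UNREPLIED] " if unreplied else ""
    return (f"{proto:<8} {num} 30 {state}src={src} dst={dst} sport={sport} dport={dport} "
            f"packets=1 bytes=60 {flag}src={dst} dst=203.0.113.1 sport={dport} dport={sport} "
            f"packets=0 bytes=0 mark=0 use=1")

SAMPLE = "\n".join(
    [_line("tcp", "192.168.1.51", "198.51.100.2", 51944, 80, False),
     _line("udp", "192.168.1.51", "192.168.1.1", 5000, 53, False),
     _line("tcp", "192.168.1.1", "198.51.100.3", 4000, 443, False)]        # router itself, outside range
    + [_line("udp", "192.168.1.200", f"198.51.100.{10 + i}", 6881, 6881, True) for i in range(25)]
    + [_line("tcp", "192.168.1.200", f"198.51.100.{40 + i}", 40000 + i, 6881, i % 2 == 0) for i in range(5)]
)

def parse_conntrack(text):
    """Yield (proto, original src, original dst, unreplied) for each entry.
    The first src=/dst= pair is the original direction; [UNREPLIED] means
    the far side has never answered."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m["proto"], m["src"], m["dst"], "[UNREPLIED]" in line

def per_client_counts(text):
    """Count entries per LAN client in the --src-range, split like connlimit does."""
    counts = {}
    for proto, src, _dst, unreplied in parse_conntrack(text):
        ip = ipaddress.IPv4Address(src)
        if not CLIENT_RANGE[0] <= ip <= CLIENT_RANGE[1]:
            continue   # only clients the iprange rules apply to
        c = counts.setdefault(src, {"tcp": 0, "other": 0, "udp_unreplied": 0})
        if proto == "tcp":
            c["tcp"] += 1
        else:
            c["other"] += 1
            if proto == "udp" and unreplied:
                c["udp_unreplied"] += 1
    return counts

def over_limit(counts):
    """Clients whose tracked entries already exceed the connlimit thresholds;
    the excess is usually old entries that have not timed out yet."""
    limits = (("tcp", TCP_LIMIT), ("other", OTHER_LIMIT))
    return {ip: [k for k, lim in limits if c[k] > lim]
            for ip, c in counts.items() if any(c[k] > lim for k, lim in limits)}

if __name__ == "__main__":
    counts = per_client_counts(SAMPLE)
    for ip, c in sorted(counts.items()):
        print(ip, c)
    print("over limit:", over_limit(counts))
```

On a real router the same parser can be fed `cat /proc/net/ip_conntrack` from a telnet/ssh session; a client showing dozens of [UNREPLIED] UDP entries to port 6881 is exactly the uTorrent-over-UDP case the 10 second timeouts are there to clean up.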
 
