Using QOS - Tutorial and discussion

Discussion in 'Tomato Firmware' started by Toastman, Dec 24, 2008.

  1. careh

    careh Addicted to LI Member

    Interference mitigation is at the default of 'WLAN Auto' right now. Should I set it to off? I will try some additional tests with power set to 1 then 42 then 60 and country USA and report back.
  2. Toastman

    Toastman Super Moderator Staff Member Member

    shadowken - as far as I am aware the VPN works fine in both versions, as many people are using it, but as I don't use it myself I can't vouch for that 100%. Maybe it's a setup issue? Get it working on an earlier version first, then upgrade....

    You can transfer settings easily following this method:

    You can probably change consecutive versions without erasing nvram, but be careful: if anything funny happens, then do an erase.

    careh - yes, try it set to "off". That stupid setting is responsible for a lot of hassle and signal strength problems. It can cut down transmit power if it thinks there is another router on or near the channel.

    There's another setting, "interference_override", which when set to off may help keep your settings from being overridden.

    In my builds, I set it "off" by default these days. Basically, I turn off all of the crap and find that things work better.
  3. careh

    careh Addicted to LI Member

    For Interference Mitigation - I have now set it off in the router and the AP's.

    Strange - when I went into the AP's most (but not all) were already set to Interference Mitigation off - yet I do not recall changing them. Perhaps the default got changed in a newer release of the firmware?
  4. careh

    careh Addicted to LI Member

    Update on the E2000 transmit power settings.

    With Country set to USA I tried turning transmit power from the default of 42 down to 1 and up to 60.

    In InSSIDer:
    with power set to 1 the amplitude fluctuated between -90 and -80.
    with power set to 60 and at the default of 42 the amplitude fluctuated between -80 and -70.

    In Tomato - Device List - the RSSI Quality and TX/RX did not change when I switched from 1 to 42 to 60.
  5. Toastman

    Toastman Super Moderator Staff Member Member

    All seems correct then. Taking readings isn't an exact thing - because as you can see they jump around all over the place! I wouldn't expect you to notice much change from 42 to 60.
  6. Toastman

    Toastman Super Moderator Staff Member Member

    careh, you're too far away. -90 is awful, -80 not much better. Aim for -70. Link is probably reverting to mode B which is the best for long distance. Mode B esp. at 1 Mbps goes quite a long way, much more than "G". It may be best to always use it.

    peyton - yes, a typo. I have too many fingers. I corrected it already, and also changed the "about" page in that build if you download it again. Not important though.
  7. careh

    careh Addicted to LI Member

    We only have a 1Mbps download speed here (Satellite Internet) ... and that is being shared by up to 30 computers. Because of that I am not concerned with the connection speed (until we get a faster Satellite provider). I am going to be replacing the antennas with some more directional ones to improve the connection and add in some more AP's where the signal is very weak.

    Besides the low 1Mbps speed we also have an 88 MB per hour download and 8.8 MB per hour upload limit. If we exceed that our speed is reduced to 25% of what it was for the next hour. Is there a way in Tomato to determine who is using up that limit the most?

    Something like:

    I/P    Download volume last hour    Upload volume last hour
           40 MB                        2 MB
           30 MB                        6 MB

  8. Toastman

    Toastman Super Moderator Staff Member Member

    No, I've been hoping someone would come up with per-IP download stats for Tomato - but the only one who came up with a good method never finished the job by integrating it into the Tomato GUI.

    That's a really horrible limit you have! :eek:

    EDIT - added per - IP stats in 2012
  9. careh

    careh Addicted to LI Member

    For QOS - View Details.

    When you initially go to that page - are the records listed in descending time/date order? There is no time stamp on the records and I see one can sort them by column (after which they would no longer be in most recent to least recent order).

    Also - how often or how would the list be cleared or reset (other than rebooting the router)?
  10. Toastman

    Toastman Super Moderator Staff Member Member

    I imagine the record of a connection would expire when conntrack finally closes that connection. I don't know what the initial order is based upon.
  11. careh

    careh Addicted to LI Member

    I had my router stop broadcasting its SSID tonight. A power down/power up would not fix it, nor would a reboot. I checked the settings, including enable wireless, and all settings were correct. I did a router reset back to default by holding the reset button for 30 sec and the wireless came back. I am using WDS and had QOS turned on. 2 days ago I turned on Web Access Tracking and wonder if I overloaded the router. Also, earlier that day I had disabled the wireless through the router access restrictions menu. I had gone back in to disable the wireless-disabled rule and that was accepted by the router. I don't know exactly when the wireless stopped transmitting.
  12. Toastman

    Toastman Super Moderator Staff Member Member

    Well, that's one of the usual problems with using WDS. Happened to me a year ago with an outdoor event, but it only happened two times in 3 days.
  13. rcordorica

    rcordorica Network Guru Member

    Make sure you don't have small packets prioritized (ACK, SYN, FIN). Also make sure that no other classes are accidentally classifying your P2P traffic with higher priority. You may have to move your P2P catch-all class before your other classes so that it catches everything first. Although ideally your latency-sensitive classes should be first.

    Try enabling limits: 0-256K is considered high priority, 256K+ is considered the "default" catch-all low priority.
  14. Toastman

    Toastman Super Moderator Staff Member Member

    Trap UDP wherever you can and throttle it, it's probably DHT or uTP. Use the bandwidth limiter to limit bandwidth of the offending users as a last resort - the one in my builds will work together with QOS.

    There should be no catch-all class for P2P. You must use a default class and then classify everything that you want given priority in a higher class.
  15. shadowken

    shadowken Networkin' Nut Member

    Where has the folder of 1.28.7477.1 builds gone?
    Or did you rename it?
  16. Toastman

    Toastman Super Moderator Staff Member Member

    Look at the readme file. I have a suspicion about builds using VLAN-GUI having some occasional weird problems, so I am going to continue to make builds without it - currently 7475.5 is the latest. I've pulled that build.

    I will have a new branch Toastman-VLAN for those who need it or want to experiment. However, currently that branch has a problem - the wireless doesn't work. We're scratching our heads about that now - but I'm sure it will be sorted soon.
  17. shadowken

    shadowken Networkin' Nut Member

    Well, I'm looking forward to your firmwares.
  18. Toastman

    Toastman Super Moderator Staff Member Member

    1.28.7478 up...

    HFS/HFS+ Mac OS x read support - thanks to Victek
    snmp integration from Shibby
    maximum number of QOS rules increased by request to 80
    dlna updated to 1.0.21
    new filters added to qos-ctrate page (soon will also be added to qos-detailed page) - thanks Augusto
  19. Toastman

    Toastman Super Moderator Staff Member Member

    August 3 2011 Toastman-RT-1.28.7479

    DLNA updated to 1.0.21
    HFS/HFS+ Mac OS x read support by Victek
    SNMP integrated by Shibby

    Toastman-VLAN-BETA-1.28.4402 also includes VLAN-GUI by Augusto Bott
    (fully up to date with latest improvements).

    New filters added to qos-ctrate & detailed pages (Nice work by Teaman)
    + cosmetics changes to many pages. This makes these pages extremely
    useful for monitoring purposes.

    Pages which may be used for realtime monitoring now have
    the ability to "hide" much of the extra setup entry boxes, leaving
    the page clearer for the lists.

  20. shadowken

    shadowken Networkin' Nut Member

    That was fast, thanks Toastman :)
    You are the best :)
  21. careh

    careh Addicted to LI Member

    We have a need to use openDNS to restrict access to sites by one group of users - but want to allow a subset of users to have broader access. In asking if this could be done on the OpenDNS forum it was suggested to use a NetGear router with the stock firmware having Live Parental Control (LPC). That would work - except now the router would not be running Tomato - which means no QOS. Any other suggestions on how we can have QOS but also restrict a set of users from full web access?
  22. Kcolyhs

    Kcolyhs LI Guru Member

    Toastman, I am having a problem with internet speed of VPN clients on the LAN.
    They are being severely throttled by QOS.
    Disabling QOS restores speed for these clients.
    I would appreciate any advice on QOS settings to solve this issue?

    My clients are using a mixture of OpenVPN,PPTP and L2TP
  23. mrplowking

    mrplowking Networkin' Nut Member

    Hi Toastman, I would like to know if it's possible to configure "IPv6 rapid deployment" (6rd) with your firmware? My ISP is Videotron and they use that standard for their beta IPv6 phase. I think Comcast is doing the same since October 2010. If it's not possible right now, I would like to suggest you guys add that feature in a next release because I found no other firmware able to support that.

    BTW I'm currently using "v1.28.7479 MIPSR2-Toastman-RT K26 USB Ext" on my RT-N16 and it works great! :)
  24. Toastman

    Toastman Super Moderator Staff Member Member

    careh - no ideas on that one.

    kcolyhs, You probably don't need QOS at all then.

    mrplowking - perhaps the ipv6 developers will see this post and take note.
  25. mrplowking

    mrplowking Networkin' Nut Member

    Is there a way I could contact the IPv6 developers directly ?
  26. Toastman

    Toastman Super Moderator Staff Member Member


    I would ask everyone to please stop trying to force people to do things when they do not respond favorably to your post. This is a hobby, if they wish to do anything they will read the forums, and maybe do something, if they don't, they won't, and they won't.... :D . Trying to force them to do so by repeated posts, nagging, requests for really stupid addons, and unending criticism, just pisses developers off, and they will stop working on the project. Most of them have gone already, or didn't you notice?

    Think about it please guys.

    Same goes for "bumping" requests and so on. You might take this as a gentle reminder that too much of this is counter-productive.
  27. E.L.

    E.L. Networkin' Nut Member

    Hi Toastman, thanks for your great builds!
    I've been having some difficulty getting QOS setup and would like to clarify one question. If I don't change default QOS settings and only set BW Limit/QOS to prioritize my ATA's by their IP address, will that guarantee QOS for voip?
  28. Toastman

    Toastman Super Moderator Staff Member Member

  29. gutsman7

    gutsman7 Networkin' Nut Member

    Thanks Toastman for your builds, they rokz.
  30. jeff_tay

    jeff_tay Networkin' Nut Member

    Is it cool to save config from Victek's RAF build and import it into Toastman's?
  31. Toastman

    Toastman Super Moderator Staff Member Member

  32. jeff_tay

    jeff_tay Networkin' Nut Member

    OK thanks Toastman, I'm coming from Victek's RAF on an E4200 and I'm having issues with the captive portal stopping randomly. Does your latest build have a captive portal? Also, is it OK to flash yours straight from Victek's?
  33. Toastman

    Toastman Super Moderator Staff Member Member

  34. jeff_tay

    jeff_tay Networkin' Nut Member

    OK, I posted in another thread with Victek but haven't heard back. Toastman, do you have any thoughts on why my captive portal would just be randomly stopping? It will work awesome for a day or two and then just not be there, and guests are blocked with no access. Do you think it's something I've configured wrong or possibly just a bug...? The logs don't show it stopping, only when I enable it.
  35. Toastman

    Toastman Super Moderator Staff Member Member

    No, sorry, I haven't any idea why it might do that. Perhaps Vic may know.
  36. personalt

    personalt Networkin' Nut Member

    This forum is great. Learned so much already.

    What is the best measure of success other than eyeballing website load times? Is it to just ping the ISP gateway?

    I need to put some controls in at an apartment I own but I am demoing everything at my house which has the same 5MB/15MB FiOS connection. As the guide says I set my max up limit to 4500 kbit/s (I am able to pull 5200+ 24/7 with QOS off).

    To start testing I start with no traffic and set the max speed of my lowest 2 classes to 3500 kbit/s. I then fire up an FTP upload to my father's house (FTP is showing up as unclassified) and it maxes out at 3500 kbit/s as expected. When this happens my ping times to the gateway go from 3-4ms to 7-15ms. Should I care? I see there is plenty of headroom left in the connection so in theory I would say there should be no increase in ping times. That being said, 7ms-15ms is still really fast. Could this downgrade be just due to CPU usage in the router? I am on a gigabit switch so I can't see that as the problem with no other traffic going on.
  37. Toastman

    Toastman Super Moderator Staff Member Member

    Sounds pretty good to me! Ping times will always increase some, but you have extremely fast response. You should have no problems with it.
  38. personalt

    personalt Networkin' Nut Member

    Any recommendation for classifying FTP traffic? I have a piece of software that does a nightly FTP upload. I put rules on port 21 but it seems like it uses 21 for the control and transfers the data over another random port.

    I thought I saw something in one of the 27 pages that talked about identifying FTP traffic but I don't seem to have the same choices on my router. Is that something specific to your build, as I don't seem to have anything like that in the regular Tomato build?
  39. Toastman

    Toastman Super Moderator Staff Member Member

    You might try the L7 ftp filter, but the normal rule for FTP should take care of it with the conntrack ftp helper enabled.

    New version 7481 posted

    #### NEW ####

    Revised combined Static DHCP/ARP Bind and client / Bandwidth monitor
    allows realtime monitoring of multiple clients.

    Now both incoming and outgoing details are shown on the same graph!

    Thanks to Augusto Bott (Teaman).

    *** Unless you need VLAN-GUI, this is the preferred build ***


    Build 1.28.7481
  40. Reiper

    Reiper LI Guru Member

    Been using Tomato since version 0.03 but it has been a long time since I've posted here... Just updated my WNR3500L to this version! Nice work Toastman, and all that have contributed to the Tomato world.
  41. eahm

    eahm LI Guru Member

    Amazing detailed guide Toastman, thank you.
  42. aquatroll

    aquatroll Guest

    Hey guys,

    I was fine-tuning my QoS settings and just got some results I didn't expect and don't know if it's a bug or normal.

    I tried to unblock all the bandwidth for the highest priority class and set none on the bandwidth for the class and the router just slammed all the connections that should go on that class to the default class as if the rules didn't match any more.

    Is that normal, a bug or is it that I'm assuming something wrong?

    Edit: Missed a letter.
  43. Toastman

    Toastman Super Moderator Staff Member Member


    Netflix is not a particularly easy thing to classify and control. It uses ports 80 and 443. But there is little information on what protocols it uses. Video streaming *MAY* be classified by the "HTTP Video" and "Flash" L7 filters, but as I can't use netflix service I cannot help there.

    However. There is one thing that you probably need to consider.

    In most QOS rules we set up the classifications to prioritize Ports 80 and 443 to allow swift web browsing - but not HTTP downloads. To do this we set a file transfer "trigger" so that if more than 512K of information is transferred OUT for a particular connection, then it becomes classified as a file transfer and limited by that rule in order that it won't slow down web browsing for other people. So your netflix streaming will be considered a download after 512K has been transferred OUT, and then it will be slowed down or limited according to the second rule.

    So, there would usually be two rules, one to allow fast browsing (e.g. 0-512K) and the other to limit downloads (512K+).

    Try to remove the "0-512K" or "0-256K" in the "transferred" box on the WWW rule.

    Disable the "Download" rule. Now see if that improves things.

    Note that Netflix is given no priority over other web browsing. But at least it should be better than it was.
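The two-rule arrangement described above (a WWW rule covering 0-512K transferred, followed by a Download rule for 512K+, tried in order with the first match winning) can be modelled outside the router to see why a long-running stream drops into the Download class and what removing the trigger changes. The script below is an added example, not Tomato's own classifier: the connection records, rule tables, and the `classify` / `class_of` helpers are constructed for illustration, and the exact boundary behaviour at 512K is a modelling assumption.

```shell
#!/bin/sh
# Added example, not Tomato code: a model of an ordered QoS rule list.
# Each connection record is "<dst_port> <KB_transferred_out> <label>".
# Each rule is "<name> <ports> <kb_from> <kb_to> <class>", where <ports> is a
# comma-separated list and a kb_to of "-" means no upper bound. Rules are
# tried top to bottom, the first match wins, and anything unmatched falls
# to Default. All sample data and rule tables here are constructed.

# Constructed connections: a small page fetch, a video stream that has already
# sent out more than 512K, and an SSH session that no rule should touch.
SAMPLE='80 40 webpage
443 900 video-stream
22 30 ssh'

# The usual pair: fast browsing on 0-512K, then the Download rule takes over.
RULES_WITH_TRIGGER='WWW 80,443 0 512 WWW
Download 80,443 512 - Download'

# The "remove the 0-512K from the WWW rule and disable Download" variant.
RULES_NO_TRIGGER='WWW 80,443 0 - WWW'

# classify "<rule table>": prints "<label> <class>" for each sample connection.
classify() {
    printf '%s\n' "$SAMPLE" | awk -v rules="$1" '
    BEGIN {
        n = split(rules, line, "\n")
        for (i = 1; i <= n; i++) {
            split(line[i], f, " ")
            ports[i] = f[2]; lo[i] = f[3] + 0; hi[i] = f[4]; cls[i] = f[5]
        }
    }
    {
        port = $1; kb = $2 + 0; label = $3; result = "Default"
        for (i = 1; i <= n; i++) {
            if (index("," ports[i] ",", "," port ",") == 0) continue  # port not covered
            if (kb < lo[i]) continue                                   # below transferred range
            if (hi[i] != "-" && kb > hi[i] + 0) continue               # above it (assumption: boundary stays in lower rule)
            result = cls[i]; break                                     # first match wins
        }
        print label, result
    }'
}

# class_of "<rule table>" <label>: the class one sample connection lands in.
class_of() {
    classify "$1" | awk -v l="$2" '$1 == l { print $2 }'
}

echo "With the 0-512K trigger:"
classify "$RULES_WITH_TRIGGER"
echo "Without the trigger:"
classify "$RULES_NO_TRIGGER"
```

With the trigger in place the stream is re-classified as Download once it passes 512K out, exactly as the post describes; with the trigger removed it stays in WWW alongside ordinary browsing, which is also why it then gets no priority over other web traffic.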
  44. GrandPixel

    GrandPixel Networkin' Nut Member

    Just wanted to say thanks Toastman for working to help so many people with QoS. You provided a thorough tutorial and are still here answering questions. I have read the tutorial and picked up some basics about how QoS works, but will be reading it again because I'm not sure I understand enough to implement it. If it's okay I'll post my experiences and questions later.
  45. gof

    gof Networkin' Nut Member

    Thanks for the great read, some really useful information!

    I have a question though: you seem to put a transferred limit of 0-50kb on your well-known games rule. This seems a little weird, as games use the same connection for a long time so they almost always exceed 50kb. Could you please explain?


  46. Toastman

    Toastman Super Moderator Staff Member Member

    This was actually added by a game freak in the building. Maybe the games he used were something special. I have no idea, as I don't play games. I agree with you - probably the transfer limit is not necessary.
  47. lancethepants

    lancethepants Network Guru Member

    Steam, the gaming distribution application, makes use of the same ports to download games as you use to play multiplayer games, at least some anyway. I've noticed this when playing a game, and my ping begins to suffer because of the massive game my roommate is downloading, which is also being classified under Games/Voip.
    I've always just manually put in the ports for Steam, so I haven't noticed the transfer limit. Does this rule come in the 2.6 builds? Seems like I remember seeing the 2.4 and 2.6 builds qos differ a little bit.
  48. ast

    ast Networkin' Nut Member

    Hi Toastman!! Great work!! :) Can I ask a few questions (newbie here)? Been wanting to enable QOS (v1.28) on our system but was afraid to try, finally I enabled it.

    Everything seems to work, except for, mail clients (Thunderbird) cannot seem to receive and send emails.
  49. Toastman

    Toastman Super Moderator Staff Member Member

  50. Thurman

    Thurman Networkin' Nut Member

    First off, thanks so much for your writeup on QoS and your work in integrating all these cool features.

    I ran into something yesterday which indicates I'm still not quite getting everything with QOS and was hoping for some clarification.

    I have set up 13 different classifications, starting out with your recommendation & tweaking from there. This has been focused on the outbound. This all appears to be working exactly like I want. I see different types getting the correct priority. I see that even though I set limits of 5%, if the network allows it, the number will grow to the maximum. All good.

    My problem is on inbound. I set up max limit to 650 (this is 85% of my lower end of several tests). I have my class "downloads" set at 80%. This appears to be a hard-limit instead of a soft-limit, meaning that even if nothing else is happening on the network, and my network would allow 1500 instead of 650, it throttles it down to about 450.

    I found the only way to get what I truly want is to change all my inbound limits to "none" so that the full bandwidth is utilized.

    I just want to check that I'm not setting myself up for something down the line that I'm not seeing in my limited testing.
  51. Toastman

    Toastman Super Moderator Staff Member Member

    Yes, you probably are :D

    Max bandwidth is set to 650. This figure does nothing - it is just used to calculate the class percentages. So 80% of 650 is where the approx. 450 comes from.

    Setting no incoming limits is almost certain at some point to cause congestion, unless you are very lucky.

    Incoming data levels in each class can rise to the limit specified in that class. If for example you set two classes each to 70% of maximum, it is possible for BOTH of them to rise to 70% at the same time. Of course, they can't - because the total exceeds 100% - and now your incoming pipe is congested and QOS stops working. For QOS to work correctly, the sum of all of the incoming class maxima must remain below 100%. Of course, that would mean you would have to set each limit very low, much lower than you would like, unfortunately preventing that class from taking all the bandwidth - even if it isn't being used by another class. No individual class could take much bandwidth, and that means we can't get the most benefit from our ISP's bandwidth. That's not acceptable to most of us. But you can find some limit settings that work reasonably well, most of the time.

    This can to some extent be avoided by trying to limit incoming data by paying attention to what your router actually requests from the server, by setting outgoing limits low for things like P2P. That is why I devote much time to explaining the relationship between outgoing "requests" and the resulting incoming data occurring as a direct result of those requests - the "ratio" of incoming to outgoing (where I used the analogy of the postman delivering just what you ordered). We can try to control as much as possible this way, and rely on the incoming limits more as a "failsafe". Both are necessary for good operation, but it's a bit of an art juggling the figures. We trade bandwidth for stability, and we can't have both.

    The ultimate answer is that the incoming (ingress) side of Tomato's QOS is unfinished, it needs a proper priority-based system with proper maximum limit. That is achievable by adding an IMQ device, which can do those things. Problem is, so far nobody with the necessary coding skills has "volunteered" to do it :confused:

    You can read about it here:

    p.s. You can actually additionally use the IMQ based bandwidth limiter in my builds, to set an overall limit for the incoming data. It's not a full solution, but it may help to stop the limit being exceeded.

    EDIT - Better QOS ingress system was added early 2012.
  52. Thurman

    Thurman Networkin' Nut Member

    Let me try rephrasing this because I don't think I worded this correctly.

    My outgoing is exquisitely mapped - the minimums add up to 90 (not even a 100) and when everyone in the house is active, I'm very happy with QOS. The right packets are getting the right priority. For inbound, I'm using very similar %'s that you highlighted in your latest example. So what is my problem then?

    My problem is I noticed that when I was the only person on the network - and the only thing active on my computer was a download, I was surprised to see this was literally crawling along. The real-time QOS graph was full for download - but it was only taking a fraction of the available bandwidth - as I ran a speedtest and saw that I had 1.5mbs available to me (the 650 is my minimum I had measured). I increased the download % from 80 to 100 and it doubled. When I changed it from 100 to none, it doubled again.

    So, with 1.5mbs available to me at that time of night - why, when nothing else was running, doesn't download use all the available bandwidth? My assumption and it appeared to be backed up by Steam - as it reports the Mbs being downloaded - as I changed the numbers, the download increased. Even at 100%, it still peaked at 650 - it wasn't until I set it to none, that it finally used the pipe available.
  53. Toastman

    Toastman Super Moderator Staff Member Member

    Well, looking at this again, do I understand this right? You have overall limit set to 650 and class limit set to 80% of that 650 - and you get 450. (Let's say that is tomato's stab at approx. 80% of the 650).

    You change the limit to 100 % and get 100% of 650=650. That's correct, isn't it?

    Then when you change the limit to NONE (=no limit) then you get all the bandwidth=1.5Mbps. So to me, it's doing what you tell it to.

    If your question is "why doesn't it automatically use the full bandwidth available?" then the reason is that there is no incoming ingress policy that is telling it to do that. The link here explains why. It is a "hard" limit based on the % calculation of the figure you set in "MAX".

    Pretty soon, I will add a proper QOS ingress.

    By the way, the incoming MAX figure is not so important as outgoing (where it MUST be set low). Set it to 1.5Mbps and you may find a better compromise, but again, sometimes the incoming pipe may get congested.
  54. TheBigTomato

    TheBigTomato Networkin' Nut Member

    Ok after hours of reading this thread tweaking breaking and rechecking... I finally have a rock stable grasp of what I need to continue tweaking... THANK YOU Toastman!

    ... Now I need to go sit down and let the info seep into my brain...
  55. TheBigTomato

    TheBigTomato Networkin' Nut Member

    Ok got a good run on using the QoS rules you tweaked... no latency for games even when all the neighbors are online doing their thing. A huge improvement.... I am having the stats collection crash but I think it is because I did not do a proper reset after I flashed to the latest build. I will be doing that once the line is not so filled. Toastman... can I trouble you to repost a current distro of your QoS rules if they have changed from your most recent posting of them... I am running Tomato Firmware v1.28.7488 MIPSR2-Toastman-RT K26 USB Ext on an E4200
  56. Toastman

    Toastman Super Moderator Staff Member Member

  57. TheBigTomato

    TheBigTomato Networkin' Nut Member

    Alright, got the settings cleared and the logs all set back up. I flashed the newest release, then went to the admin options and did a thorough erase of the nvram. Will see if I see a repeat of the earlier failure on cstats and rstats. I also did not go back and manually join rules together like I did last time, as I read in earlier posts that covering too many ports could have funny effects. I also went back to using just QoS and no bandwidth limiter as the basic settings appear to keep everything happy - Thank you for the pointers!
  58. braindedd

    braindedd Addicted to LI Member

    Is it just me or is 7489.1 unstable? My router has rebooted itself twice now in a day ... ?
  59. gutsman7

    gutsman7 Networkin' Nut Member

    7489.1 Has been rock solid so far for me.
  60. TheBigTomato

    TheBigTomato Networkin' Nut Member

    hakowy .... =\ .... Sure ... first click 'Enable QoS' and use the stock layout for the rules. 7489.1 is so far good for me right out of the box. Look at your trending; every site is unique, but for what it is worth I have 12 users on my net and the standard rules have not required me to touch anything. Enable logging and monitor your data for a week and see who your biggest bandwidth hogs are. Use the bandwidth limiter on them if you have to, but so far I have not had any problems.

    .... literally 2 posts above covered your question entirely ...
  61. hakowy

    hakowy Networkin' Nut Member

    I read that bandwidth limiter + QOS doesn't work well; there should be only QOS or only bandwidth limiter.

    Sorry, I'm a noob. Where should I monitor, you mean bandwidth monitor? And what is "7489.1"?
  62. Toastman

    Toastman Super Moderator Staff Member Member

    BW Limiter cannot be used together with QOS. Those modders don't themselves use QOS and therefore aren't too worried about how it works.

    For the other question, best to read through this forum's recent posts.

    BTW - to newcomers, sorry, this isn't a babysitting forum. Read through the threads, use the search facility, use google, most of your questions have been answered hundreds of times. Posting a question that was answered ten minutes before just annoys people. Posting the same question a hundred times in different threads will get you banned as a spammer. If nobody wants to answer your question, that's their right.

  63. hakowy

    hakowy Networkin' Nut Member

    Thank you for the answer, so can I use QOS and BW Limiter in Shibby's build (is it nearly the same build as yours?) as shown in the picture?


    And second question, how do I set up IP TRAFFIC? I have all default (auto discovery IP) and I don't see any graphs on IP traffic; bandwidth graphs work fine.
  64. TheBigTomato

    TheBigTomato Networkin' Nut Member

    No problems for me here since updating
  65. braindedd

    braindedd Addicted to LI Member

    [1.28.]7489.1 is the build number on Toastman's site. I see 7490 is out now I'll try that. Could be something in my NVRAM from an old version or could be the copy of squid / optware I have running on it. It's running on a Netgear WNR3500L.
  66. Thurman

    Thurman Networkin' Nut Member

    YouTube and Netflix streaming are giving me headaches. It's like first come first served - once a person gets a connection going, they hog all the bandwidth and anyone else connecting gets very small slices of bandwidth. This only occurs when I have www inbound set to a % (I have it set at 85%). If I set www to NONE, then no problem - except this now impedes on my gaming as Netflix & YouTube suck up every bit of bandwidth, leaving me with choppy gaming (and gaming is prioritized higher than www).

    Both youtube and Netflix are being classified as www instead of media. Not sure why they are not being classified as media.

    Any ideas on how to get both YouTube & Netflix classified into something other than www?
  67. careh

    careh Addicted to LI Member

    **** Update - this AM I checked my email and the emails (that were sent last night at 10 PM) came in - starting at 4 AM. So I am now leaning toward thinking it has something to do with some glitch at my ISP's SMTP server and not the Tomato router - although it is strange to me that the email stop or delay was there with the Tomato router in place - and remained after a re-boot - but when I switched in the old DD-WRT router the email worked immediately, then when I switched back to the Tomato router the email stopped / got delayed again.

    Anyway - main thing is it is working properly again - and does not seem to be directly related to any Tomato setting - & I will keep an eye on it to see if / when it stops again.

    I called my ISP to ask what might have happened and got the usual "must be on your end ... we don't support routers" answer - even though my Tomato router was 'up' since I re-booted it at 10 PM last night, yet the emails did not start to flow until 4 AM.
    Here is my original post from last night.
    I have a network camera that uses SMTP on port 25 to send email to me when motion is detected. It worked just fine with DD-WRT and I believe it worked OK when I first switched to Tomato v1.28.7475 MIPSR2-Toastman-RT K26 Std - but today I noticed it was not succeeding with SMTP - no email was getting out. At first I re-booted the ISP modem, the router and the camera - no luck. Then I switched back to the DD-WRT router and SMTP worked normally - email was getting sent properly.

    I looked - but did not see - any settings in Tomato to block any ports (assuming that is the problem). I took out the "#Restrict number of simultaneous SMTP connections (from mailer viruses) #iptables -t nat -I PREROUTING -p tcp --dport 25 -m connlimit --connlimit-above 5 -j DROP" in case that was the problem - rebooted the Tomato router - but no change. I also tried disabling QOS - no change. I googled for this issue but could not find relevant tips on what to turn off or on. Sorry if it is obvious - I just can't see what it is.
  68. occamsrazor

    occamsrazor Network Guru Member

    I came across this somewhat old post on how to backup the important router settings (i.e. those that take ages to re-enter manually). Is this still your preferred method to backup and restore settings when you need to clear NVRAM in between firmware upgrades? Is the above list still accurate? Any additions?

    Would I be right in saying that if, for example, I wanted to backup VPN client & server settings, I would just add the following command to the above?

    nvram export --set | grep vpn_
    And then once you get the output of all the above commands, you just save that in a .txt file somewhere, and when you want to restore you just paste that saved output into the "Execute System Commands" window?

  69. occamsrazor

    occamsrazor Network Guru Member

    Just answering my own question after playing around with it some more. The only thing that doesn't seem to work are entries where the information is stored on more than one line - for example the Administration>Scripts and VPN certificates all take up more than one line in the router interface, and don't seem to appear in the text output. E.g. if you run:

    nvram export --set | grep vpn_

    then output contains entries like:

    nvram set vpn_server1_ca="-----BEGIN CERTIFICATE-----

    but which doesn't contain anything of the actual certificate, which would normally be a dozen lines of code underneath.
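    The problem described above, as an added example (not from the original post or from Tomato itself): a plain grep only returns the first line of a multi-line nvram entry, so the certificate body is dropped. The filter below keeps every line of a matching entry, on a constructed sample of `nvram export --set` output; it assumes values are double-quoted and embedded quotes are escaped as \".

```shell
#!/bin/sh
# Constructed sample of what `nvram export --set` prints: a one-line entry,
# a multi-line certificate entry and an unrelated entry. The certificate
# body is a placeholder, not real key material.
SAMPLE_EXPORT='nvram set vpn_server1_enable="1"
nvram set vpn_server1_ca="-----BEGIN CERTIFICATE-----
PLACEHOLDER-LINE-1
PLACEHOLDER-LINE-2
-----END CERTIFICATE-----"
nvram set wan_proto="dhcp"
nvram set vpn_client1_proto="udp"'

# Print every `nvram set` entry whose name starts with $1, keeping all lines
# of a multi-line value. The entry ends on the line where the count of
# unescaped double quotes seen so far becomes even (the closing quote).
# Assumption: values are double-quoted, embedded quotes are escaped as \".
nvram_entries_with_prefix() {
    awk -v prefix="$1" '
        function quotes(s,    t) { t = s; gsub(/\\"/, "", t); return gsub(/"/, "", t) }
        # outside an entry: start one when the variable name matches the prefix
        !inside && index($0, "nvram set " prefix) == 1 {
            inside = 1; open = 0
        }
        inside {
            print
            open += quotes($0)
            if (open % 2 == 0) inside = 0   # closing quote seen: entry complete
        }'
}

# On the real router: same filter over the live nvram (hypothetical wrapper).
backup_prefix() {
    nvram export --set | nvram_entries_with_prefix "$1"
}

# Number of lines the filter returns for a prefix on the constructed sample;
# for "vpn_" this is 6, whereas `grep '^nvram set vpn_'` matches only 3 lines.
sample_line_count() {
    printf '%s\n' "$SAMPLE_EXPORT" | nvram_entries_with_prefix "$1" | wc -l | tr -d ' '
}
```

    The output of backup_prefix can be pasted back into "Execute System Commands" unchanged, since each entry is still a complete `nvram set` command.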
  70. Toastman

    Toastman Super Moderator Staff Member Member

    Yep, pretty much everything works, but some need care. The above list was only meant as an example back in the early days when I had just begun to use this method, it isn't exhaustive.
  71. occamsrazor

    occamsrazor Network Guru Member

    Do you have an updated list of entries that are "safe" to restore? Is this still your preferred method, or is there a better alternative now? Thanks....
  72. Toastman

    Toastman Super Moderator Staff Member Member

    No, nothing new. I only copy static DHCP and Access Restrictions mostly, I can enter the rest by hand almost as quickly.
  73. paladin252

    paladin252 Networkin' Nut Member

    hey Toastman, don't know if you are aware of this, but OpenDNS is releasing dnscrypt, to encrypt DNS data. They just sent out a press release today and I thought you might be interested in checking this out. I think being able to add this feature (if at all possible) would be great to protect your entire house or office's DNS data rather than having to install on machines.
  74. braindedd

    braindedd Addicted to LI Member

    Hey all ... any idea what "Interface Status" is for under Wireless in the new build? Mine is showing "Down" but wireless is definitely up and running ...
  75. Toastman

    Toastman Super Moderator Staff Member Member

    So it is! I hadn't even noticed it - I'll take a look see.
  76. teaman

    teaman LI Guru Member

    It's indeed a brand-new feature I wrote just a few days ago.

    What would be its main purpose?
    To notify/show in the web UI when/if any WL interfaces are not 'up' from the OS perspective (Status: Overview page).

    How's that?
    Well - most of the information presented in the Status/Overview page is taken from NVRAM settings - which is fine, in most cases (i.e. ideal world). However, on some situations, the web UI may show some WL interface as 'active' when in fact... it may not be actually 'up' due to some configuration problem and/or conflict. Basically, the 'Interface Status' shows what you'd get when running 'ifconfig' via telnet/SSH.

    As an example, here's what I get in one of my routers:

    On this WRT54GL, WAN is configured as 'Wireless Client' (eth1) but it also has two extra 'virtual' SSIDs configured as Access Points ('guest' and 'ghetto' as wl0.1 and wl0.2).

    Then, we take that interface 'down':
    root@top:/tmp# ifconfig | grep Link | awk '{ print $1 }' | egrep 'eth1|wl'
    root@top:/tmp# ifconfig wl0.2 down
    root@top:/tmp# ifconfig | grep Link | awk '{ print $1 }' | egrep 'eth1|wl'
    This particular WL interface still exists (but since it's not 'up', it' only listed when running 'ifconfig -a'):
    root@top:/tmp# ifconfig -a | grep Link | awk '{ print $1 }' | egrep 'eth1|wl'
    While on previous versions this wouldn't be shown/noticed, so here's what I get:

    Hope this helps clarifying things a bit :)

    PS: I'm a bit puzzled about your particular settings... what is your router model? Is this issue still happening?
    PS2: we should probably move this discussion to another thread (as this one is supposed to be about QoS... don't you agree?)

  77. braindedd

    braindedd Addicted to LI Member

    Thanks for the explanation. :)

    I used this thread as it seems to be the main link for Toastman's build in the about page.

    My router is a Netgear WNR3500L ... didn't clear NVRAM on upgrade because I have too many low down settings that are difficult to put back but I will perhaps try this if it is the issue.
  78. braindedd

    braindedd Addicted to LI Member

    Reporting "Up (LAN)" with 7492.4 :)
  79. gutsman7

    gutsman7 Networkin' Nut Member

    Hey I need a little help categorizing ports 135-139 both TCP and UDP as crawl. Here's what I've done so far
    and I reboot my router but it still won't place these ports under these categories.
  80. RonV

    RonV Network Guru Member

    I have a QOS question for classification of Hamachi VPN through the router. I know that Toastman has quite a few rules that he put together due to the number of clients that he has to support. Myself I have a lot of routers in the field with everything locked down except for 80 and 443. I would like to classify Hamachi VPN as a QOS rule behind HTTP and was wondering if anyone had any suggestions since all I can find is one port so far with Hamachi 12975 based on google search. Since this is the initiation port what other ports/patterns to look for with Hamachi? So far I have one client attempting to do this and I can foresee many more in the future.

  81. Toastman

    Toastman Super Moderator Staff Member Member


    coded by TIOMO !

    (1.28.7494 & Variants)

    Those of us who make extensive use of QOS have been aware that Tomato's QOS system was basically unfinished for some time. There has been a discussion thread, started by Porter, on the subject for those who are interested in learning more:

    Finally, thanks to some hard work by Tiomo, we now have a working IMQ based ingress system for Tomato. That means that we will now be able to make fuller use of our available bandwidth with less chance of congestion in the downlink from the ISP.

    I will shortly be posting a test RT version 7494 for you to try, your feedback is welcomed, especially those with large numbers of clients and P2P and video punters :cool:

    I have also added a checkbox to include or exclude UDP from the ingress mechanism, as conventional wisdom says there is no point in dropping UDP packets as it will not result in link slowdown, and therefore achieves nothing. However, keeping it in the ingress IMQ allows protocols using UDP as a transport mechanism but which do have their own congestion avoidance system to also be classified and show up in the correct places in the graphs and statistics.

    The checkbox gives you the choice of potentially allowing QOS to work with UDP using such schemes by dropping UDP as normal.

    The "No Limits" selection no longer exists, and most of the incoming classes have been left at 100% ceiling.

    This is very much the initial release and we hope it'll get better as we understand more of it, and some small improvements will be likely.

    Note - it appears to be quite stable, so it has no BETA label. There is also a K2.4 version 7631. Both also have important updates from Teaman.

    You'll see that there is now a rate and limit setting for incoming data, similar to the outgoing section. The "Max Bandwidth Limit" now really is an overall limit. Total of all "rates" must be less than or equal to 100%. You may leave the class limits at 100% initially and see what happens. Then, you'll probably wish to set limits for classes, when carefully done you will achieve snappier response times.

    For the best VOIP and Games performance you should set the Max Bandwidth setting to around 66% of your measured minimum download speed.

    What is the improvement like in practice? Well, I'm currently testing online with many clients. On several occasions I've seen my incoming 16Mbps pipe running at around 15Mbps continually, mostly with P2p, while web browsing was still snappy and HD video still streaming from a local TV station's website. Pings still low with the occasional spike. It still "feels" responsive despite working close to maximum capacity.

    Happy New Year!
  82. gutsman7

    gutsman7 Networkin' Nut Member

    Heck yeah I'm really excited about this, I've been watching that thread, really excited that there is progress. Thanks to all: Toastman, Teaman, Tiomo, and all.
  83. Toastman

    Toastman Super Moderator Staff Member Member

    Uploaded .....


    I added a checkbox to include or exclude UDP from the ingress mechanism, as conventional wisdom says there is no point in dropping UDP packets as it will not result in link slowdown and therefore achieves nothing. This gives you the choice.

    This is very much the initial release and we hope it'll get better as we understand more of it.

    Here's a snapshot of the new QOS ingress in operation on a 16Mbps ADSL line. Max incoming bandwidth is set to 15000, and as you can see, the QOS system is now limiting at 15,000 to prevent congestion.

  84. EpsilonX

    EpsilonX Network Guru Member

    A small question...
    For example, I got a 256kbps upload, so I set Max Bandwidth to 200kbps...
    And set rates to 10-100% for all classes...
    If I change Max Bandwidth to 400kbps...
    And change the rates to 5-50% for all classes...
    Theoretically that would be the same right..?
    Of course except for the Unclassified class...
    Any possible problem..?
  85. Toastman

    Toastman Super Moderator Staff Member Member

    Let me see now. The instructions call for setting Max Bandwidth to your measured speed and then deduct say 15% or so. Your speed (unmeasured?) is 256kbps - but for some reason you want to set it to 400?

    No, it isn't the same.
  86. EpsilonX

    EpsilonX Network Guru Member

    I see...
    My minimum measured speed was around 240kbps... :D
    Just curious if it will work the same since only Unclassified will go over the "limit"...
  87. Beast

    Beast Network Guru Member

    Ok this is what it looks like with Vuze (p2p) and game going.

    Something has changed with the math. I have a 500 k up and 3 MB down connection.
    I used to be able to put 500 in outbound and 3000 in inbound, and all was fine.
    I know that these numbers are not the -15 to 30% but they have always worked just fine

    After changing the inbound limit to 300 and setting the p2p limits to 5-20%, Vuze started to be limited. Need to check and see if the game is running ok now.

    Attached file: qos.JPG (145.2 KB)
  88. alfred

    alfred LI Guru Member


    This downloading test picture indicates that the QoS exactly works fine.

    1. RT-N16 with 4494-USB-VLAN-VPN-NOCAT
    2. Client with BT running.
    3. QoS setting:
       Max Bandwidth Limit=17,500 (-15%/ISP)
       P2P/Bulk = 10% - 100%
    4. A, the IPT-real-time page first launched. QoS was enabled.
    5. B, I changed P2P/Bulk setting from 10% - 100% to 10% - 50%
       the bandwidth is exactly half cut to 8,750.
    6. C, I disabled the QoS, and it went to 20M of ISP provided.

    It does not make any difference if I set Max Bandwidth Limit to full ISP rate 20M with this test.

  89. Toastman

    Toastman Super Moderator Staff Member Member

    Yep. You can set your incoming MAX Bandwidth to the full speed of 20Mbps, and things will still sort of work, but there's no "headroom" to make sure that the incoming pipe from the ISP can't fill and get congested. Only if you can see that the incoming bandwidth being used is less than 20 is it possible to know there's not a big queue piling up at the ISP.

    For best VOIP and Games response it is recommended to initially set the Max Incoming Bandwidth to 66% of your measured ISP speed.

    When upgrading to this version with the new QOS ingress, the outgoing settings should still work, but the incoming settings quite probably will. The "Max" setting now really IS a max. limit, so set this first at ISP speed (measured) less 15% and then adjust incoming class bandwidth to limit your classes as you find necessary. You should be able to find compromise settings that allow almost full use of bandwidth but still allow priority classes to be snappy.

    Now that the ingress limits are working better, it is possible to allow more P2P by setting the outgoing "limit" higher than before. I must stress here that P2P methods using UDP and uTP cannot be controlled properly by QOS. Not that this is a big deal. All our experiments have shown conclusively that they consume a great deal of bandwidth for almost no downloads. Turning off UDP/UTP reduces our bandwidth considerably and our download speeds almost double with TCP alone. If we can't get the clients to turn off UDP/UTP then we address this by simply dumping all UDP ports 1024-65535 into a crawl class and throttling it.
  90. Beast

    Beast Network Guru Member

    Read if you like, I did a nvram clear after the initial flash. But after all the squirrelly behavior with the QOS, I did another nvram clear and only set up the basics to get online. Used 512 for outbound and 3008 for inbound. Set p2p 5% to 10%. Vuze d/l at about 28 kbs which is about 10% of my max 300 kbs. And Quake 3 Arena is playing just fine. I would still like some clarification on how the rates are calculated i.e. 3 Mps = what in kbs. This has been confusing me for a while now.

    Ok, My brain has possibly stopped working.
    Here is the connection rates from the modem (very slow dsl).

    Connected at 3008 Kbps (downstream) 512 Kbps (upstream). <------- Copied from the modem status page.

    I know that the max 3008Kbps=3Mps and is measured as 300 kbit/s download speed.

    So where does that leave the 512 upstream. Both entries in qos are in kbit/s outbound tab
    will not accept single digit numbers.

    I'm sure my brain is dead so help me with the math.......please. Using my actual numbers..

    Do you know a speed test site that uses the kbit/s speeds to measure my connection.
    Bytes vs bits, ....killing my brain.

    Found a calculator online and I hope I used it correctly. The final numbers I came up with that need to be in Tomato are (-30%) outbound =45 and inbound=263.

    I too can see that indeed Vuze responds to the limit setting, but I can not get Quake Arena III to work at the same time. Even with Vuze using 30 kbs out of the max 300 kbs Q3 still has a really unplayable ping. Without QOS ping = 64, with QOS it's all over the map from 225-999.

    I know it uses UDP port 27960 and protocol 68 (whatever that is?).
  91. Beast

    Beast Network Guru Member

    New development, after running for a 1 hour or so all was fine. Then I enabled UPnP and AT-PMP

    As soon as I did that Vuze started taking all the bandwidth. And of course opened up its desired ports.

    So how can we use UPnP and NAT-PMP and still limit p2p. With these turned off it works as expected.
    Vuze has RED NAT indicator and says firewalled. As soon as I turn them back on NAT goes green and Vuze resumes using 100% bandwidth.
  92. Toastman

    Toastman Super Moderator Staff Member Member


    Firstly, the Modem status page shows the maximum line connection speed. This is not the same as the maximum speed the ISP's routers are capping your maximum bandwidth to - that depends on their service level and rates - the service that you pay for. Don't bother looking at the modem's page because it's useless except for line diagnostics.

    To set up QOS you need to use an online speed tester. The one most of us use is - this should get you to the server most suitable for your area. They have a lot of servers around the globe. You can also select other servers from the map you will see there. Turn off QOS and make sure nobody else is using your system when you run these tests. Run the test to the recommended server a few times.

    Now, 1 Mbps = 1,000,000 bps = 1,000 kbps

    If you use, at the top of the page you'll see a tab marked "Settings". If you click that you'll see there is actually a place to set the display to read in kbps directly.

    Next - run your tests and do the maths.


    Mine gives:
    Upload Speed (Outbound) 0.95Mbps = 950kbps
    Download Speed (Inbound) 15.95Mbps = 15950kbps.

    So I would enter:
    for outbound max setting, 950 less 15% = 807 = 800 (again, use a nice round number)
    for inbound max setting, 15950 less 15% = 13557 = 13500 (use a nice round number)

    Make sure you do the speedtest with several different servers. Choose the one that gives the fastest speeds - what we are really looking for is to find out the maximum rate that data can be sent to and from your ISP's routers. [So if your own ISP actually runs a speedtest server that would of course be even better!] Since the speed can also vary at different times of the day, try it at different times of day and always use the lowest figure you get. That way, QOS always works, not just when the ISP's routers are not very busy.

    p.s. I have not used your figures because I'm confused by them:

    If your downstream bandwidth is only 300kbps I would be very surprised, so I assumed you made a typo there. Typically, if you have 500k UP and 3 Mbps DOWN, I would expect you to need to set something like 350 MAX UP and 2500 MAX DOWN.

    Hope this helps. Get back with some real tested figures if you have any doubts.
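    The arithmetic in the post above, plus the rule that class rates must add up to 100% or less and the headroom point raised on EpsilonX's 200 vs 400 kbps question, as an added example (not Toastman's own script or part of Tomato): a shell helper that derives the Max Bandwidth figure from a measured speed in kbps and sanity-checks a class table. The class names and percentages used in the comments are made up for illustration.

```shell
#!/bin/sh
# QoS "Max Bandwidth" from a measured speed in kbps: take off the headroom
# (15% by default, as the post recommends) and round down to a nice number.
# 1 Mbps = 1000 kbps, so enter speedtest results in kbps.
qos_max_kbps() {
    measured=$1; headroom=${2:-15}
    max=$(( measured * (100 - headroom) / 100 ))
    echo $(( max / 100 * 100 ))          # 950 -> 807 -> 800, 15950 -> 13557 -> 13500
}

# Convert a class table of "name:rate%:limit%" entries into absolute kbps and
# check three things: every limit is at least its rate, the rates add up to
# 100% or less, and the configured max stays below the measured link speed.
# The last check is why 400 kbps with 5-50% is not the same as 200 kbps with
# 10-100% on a 256 kbps link: the per-class kbps figures come out identical,
# but the max is then above the real link, so there is no headroom and the
# queue builds up at the modem or ISP instead of in the router.
# Returns 0 when the table is consistent, 1 otherwise.
qos_check_classes() {
    max=$1; link=$2; shift 2
    total=0; status=0
    for entry in "$@"; do
        name=${entry%%:*}; rest=${entry#*:}
        rate=${rest%%:*}; limit=${rest#*:}
        total=$(( total + rate ))
        if [ "$limit" -lt "$rate" ]; then
            echo "$name: limit ${limit}% is below rate ${rate}%" >&2; status=1
        fi
        echo "$name rate=$(( max * rate / 100 ))kbps limit=$(( max * limit / 100 ))kbps"
    done
    if [ "$total" -gt 100 ]; then
        echo "rates add up to ${total}% (must be <= 100%)" >&2; status=1
    fi
    if [ "$max" -gt "$link" ]; then
        echo "max ${max}kbps exceeds measured link ${link}kbps: no headroom" >&2; status=1
    fi
    return $status
}
```

    Run the speedtest several times at different times of day and feed the lowest kbps figure in; the headroom argument can be raised from 15 to 30 or so for VOIP and games, in line with the 66% guidance earlier in the thread.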
  93. Beast

    Beast Network Guru Member

    Ok did the test and yes your numbers are spot on.
    Will test. And see what happens when I turn on UPnP and AT-PMP.

    As soon as I turn on UPnP I lose the limiting. Inbound set to 5%-10%.
    I rebooted the router after making the change and before starting Vuze.
  94. Toastman

    Toastman Super Moderator Staff Member Member

  95. RonV

    RonV Network Guru Member

    Has anyone been able to get any type of Citrix Receiver QOS working? With the latest Citrix products they don't use dedicated ports anymore and communicate with port 80 and 443. Ultimately the traffic ends up in the "download" bucket. I've been through the Citrix documentation,

    and really can't find anything that I can key off of to create a rule. They seem to use a random source port. Also when I tried the L7 filter it doesn't ever match.

  96. quietsy

    quietsy Network Guru Member

    I've had an idea regarding the improvement of P2P in the QoS, prioritizing ACK is bad for P2P users but on the other hand deprioritizing ACK results in retransmission of packets because of lost ACKs, the solution might be to add a field for tcp-flags in the QoS classification which will allow to place ACK packets below everything prioritized but above the default P2P/Bulk class, theoretically it should prioritize ACK over P2P and prevent data retransmission.

    Does it make any sense?
  97. dangdonkey

    dangdonkey Network Guru Member

    Was having an issue keeping p2p outbound within its set limit. It appears as though some p2p was being tagged as VOIP. Anyone else?

  98. Porter

    Porter LI Guru Member

    Disable the skype L7-filters. They are overmatching.
  99. Mirko Baila

    Mirko Baila Networkin' Nut Member

  100. dangdonkey

    dangdonkey Network Guru Member

    I need the skype filters though. Static ports for skype should do it.
