Using QOS - Tutorial and discussion

Discussion in 'Tomato Firmware' started by Toastman, Dec 24, 2008.

  1. Porter

    Porter LI Guru Member

    Go to the classification page and make a new filter. Replace the default protocol TCP/UDP by IPv6. Hope this does the trick.

    Need to think about it a bit more...
  2. tutorialbs

    tutorialbs Serious Server Member

    Well, not exactly... only for my computer, and my 4 friends' computers. I have priority over them, they have priority over everyone else, and everyone else has priority over everyone else's "bulk" traffic. It works for now, especially since IPs in the "everyone else" range aren't paying the bill ;).

    I will get around to making it more specific after I read the guide. But now I want to explore why setting the default connection time-out settings higher helped me.
    That is exactly what I thought when I set them to slightly lower than even Toastman recommends. However, by chance I came across a guide, written in 2004, that says it's actually the exact opposite of that. I think it still applies to stuff we're doing, but I'm not sure, part of why I want to discuss it. Here's a link:
    The point I got out of it was that the time_wait connection setting and others should be higher not lower than default because this actually reduces load. The reason for this is it actually takes more processor load to have to keep creating new connections than reusing connections that are in the Time_Wait state. If the time_wait and other connection settings are too low, it has to keep creating a lot of connections. If these settings are higher, then it can reuse waiting connections.
    This seems to be the case for my router, which has lower load %s on all 3 time intervals, and about 9% more free memory, on average, than before I increased all those connection settings, in addition to better ping in my game.
    "TIME_WAIT connections have no effect on server load. There are just lots of connections. TIME_WAIT is your friend unless it prevents more connections from being created or being serviced. TIME_WAIT is a state where connections could conceivably be re-used without making a new TCP between servers, so it can help reduce load."

  3. Porter

    Porter LI Guru Member

    Something with the QoS is wrong. I don't remember you telling which Tomato version you are using. Are you using a recent one?

    Now to diagnose your problem: Set the download class to maybe 1000kbit. Start a download. Does this download stay inside the 1000kbit?
    And just to make sure I checked my QoS. I tested with a stream, a download and bittorrent maxing at 4800kbit and let a ping run for 5min. Avg/Min/Max: 170ms/30ms/300ms. So at least I'm not selling snake oil...

    Good luck!

    Sure, you can set time_wait higher. But the limiting factor is how much RAM your router has, which directly limits how many connections it can handle. Mine doesn't have enough RAM.

    Feel free to experiment. The logs will tell you when the kernel can't handle any more connections. Usually this becomes noticeable when you get timeouts while web browsing.
  4. bobyang

    bobyang Serious Server Member

    Thanks Porter. Yes, I use the latest version I found on Aug 1st.

    thanks for the testing, and I just wonder if you see the "flat line" for the downloading speed in the Tomato chart?

    I could not really set the "download" class because I have "media" and "VOIP" ports open, and some P2P gets into those categories because the ports are open and then those connections use them. For example, google voice, 5222, 5228, etc., and I see other machines using those...
  5. alfred

    alfred LI Guru Member

    I have set the IPv6 rule for the QoS classification, yes, it was classified. But there is a chance of getting the error message:

    Date: Tue, 14 Aug 2012 09:28:40 GMT Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, must-revalidate, private Expires: Thu, 31 Dec 1970 00:00:00 GMT Pragma: no-cache Connection: close
    I have tried this both Toastman-7500.2 and shibby-100-AIO on my RT-N16, same results.
  6. Porter

    Porter LI Guru Member

    Sorry, but this is not enough information. Where and when does this occur? Which process is this from?

    If this is some kind of encryption, this seems odd:
  7. alfred

    alfred LI Guru Member

    In the past few days, I tried to set this ipv6 rule with Toastman/shibby builds; it is hard to say when it occurred.

    I had only one experience where it occurred immediately when I pressed the save button of the qos-classify.asp page on the RT-N16 that has been running Toastman-7500.2 for a long time.

    Till now, I have approx. three, maybe four occurrences. All the others occurred randomly.

    When it happened, the browsing window was cleared, and the error message appeared on the top of the browsing window.
    I could telnet to the router, but could not operate the GUI; I had to close the browser and open it again.

    I have another RT-N16 that has also been running Toastman-7500.2 for a long time. I switched it to shibby-100-AIO today for identification, and yes, this issue also occurred once.

    Now the N16/Toastman is set back to the original setting and works fine; the other N16/shibby keeps on the ipv6 QoS rule observation.

    The IPv6 tunnel now is classified WWW:
  8. Porter

    Porter LI Guru Member

    Those are two different things we are discussing here. If IPv6 gets classified correctly: problem solved.

    You getting an error while using the web interface: in this thread this is off topic. Google is your friend btw. This is the thread I found:

    It doesn't seem to be exactly what you are experiencing but please post there or search for yourself. Only if you don't find a thread that is describing your problem open a new thread.
  9. Porter

    Porter LI Guru Member


    I get a steady line, too. But for some reason your QoS doesn't work. I was using one web download and bittorrent.

    Unless you have proven that you can limit one class successfully, it's unwise to try something else. It doesn't matter which traffic ends up in one class. It just matters that you see that this class doesn't breach its limit. So maybe just put everything in this class and then limit it to 50% or so.
  10. SoylentGreen

    SoylentGreen Serious Server Member


    I live in a highrise, and the "building provided" ISP has fiber connected switches located every few floors. Resident routers are directly connected into these switches for both IP TV and internet.

    The switch servicing my floor is somehow screwed up. I have a download speed of 15 mbps maximum, and an upload speed of over 90 mbps (probably limited only to the port-speed being 100mbit).

    Normally this would seem like an awesome setup, but unfortunately it interferes with the TV IP service, and naturally it causes massive dropped packets, timeouts, and flat out port shutdowns that require me calling these people and waiting a week until they fix it. How can I fix this problem by using QoS on my end?

    Here is what I've been using, but
    Outbound rate: 2,000 to 2,800 kbit/s
    Inbound rate: 12,000 to 13,000 kbit/s (keeping in mind that my inbound is capped at 15,000)

    Besides asking them to fix it (I have tried for a couple months, and this point I don't mind just uploading crap at full speed to make them fix it), any advice on how to either fix or take advantage of this situation?
  11. Porter

    Porter LI Guru Member

    You seem to have forgotten to mention what the BUT with your setup is. Does it work?

    Did you try taking some legal action, for instance a moderate rent reduction? By moderate I mean reducing the rent by a reasonable percentage ( maybe about 5%) to start with and writing your landlord a reminder to fix the problem. I won't do any further counseling though. Ask somebody professional in your area.
  12. RonV

    RonV Network Guru Member

    I have a quick question. I want to turn off inbound QOS but there doesn't seem to be an option for this. I have been running into streaming issues with video and I don't want to turn off outbound, only inbound. I thought I read somewhere that you can set it to zero but that only works on the old TomatoUSB builds.

  13. Porter

    Porter LI Guru Member

    Right, setting it to zero gives me an error actually. Invalid value for qos_ibw.

    Why don't you set the inbound bandwidth to something very high? Do you know why you are having problems? Do streams end up in the wrong class?
  14. RonV

    RonV Network Guru Member

    The issue is that my VUDU service is reporting high packet loss on the video stream and keeps asking to go from HDX to HD after about 10 minutes and then a few minutes later to SD and then it just quits. When I turn off QOS the video streams just fine. I see it classified just fine since I use the IP address of my device to the Video class and gave it 5 to 100%. It's very strange since other devices aren't using much (single digit kbps) and my downstream link is 15 mbps.
  15. KvadSP

    KvadSP Serious Server Member

    I have the following config:

    Cisco 800 Series
    Running the following:
      DHCP server
      ADSL2+ Modem
    3x Asus RT-N16
      Acting as access points (running toastman mod)
      Not running DHCP

    When checking out the QoS graphs and details everything is listed as Unclassified.

    When running a single AP with ADSL modem bridged everything is classified fine (I have larger office space I need to cover in terms of range).

    Is this type of configuration supported?
  16. pektong

    pektong Networkin' Nut Member

    Good day Toastman! I'm having problems with my qos settings and I hope you can help me. I'm using an Asus wl-520gu router with your fw v1.28.7633 .3-Toastman-VLAN-IPT-ND ND USB Lite and my problem is that the torrent traffic which is supposed to be classified in bulk is being classified in my VOIP/Game class. I did an nvram reset many times and even used the physical reset button but still the same problem. I redid the settings manually, not using my saved settings, and still a no go. I'm checking the graphs and it's making me nuts. I'm using your default settings and put the torrents in the bulk class, then added 2 more rules for my Battlefield 3 ports. I don't know where I've gone wrong. I hope you can help me with this, thank you.

    Btw, I'm on 1.5mbps dsl line with 550 upload speed..

    Attached is my screenshot links of my QOS rules..
  17. Porter

    Porter LI Guru Member

    Try disabling Skype and Skypeout. Those filters overmatch.
  18. pektong

    pektong Networkin' Nut Member

    Update: I did an nvram reset and tried the default qos settings, and the torrent traffic would sometimes be classified as bulk and sometimes go to the voip class. I don't know what's happening.. I even tried to set a static port in utorrent and it would go to bulk for a minute, then go back to the voip class.
  19. Toastman

    Toastman Super Moderator Staff Member Member

    That's very strange. I have tomato running at a few places (legacy sites) on WRT54GL and they don't slow down significantly when QOS is enabled. And I have never seen pings that long with QOS enabled.

    As I mentioned before, pings here are usually 19-27 ms with QOS on and the ICMP box ticked, and could be 70-1500 ms or so when unchecked. (RT-N16 with 1mbps/16Mbps ADSL)

    Pretty much all of my ADSL lines have been upgraded recently to these speeds.

  20. pektong

    pektong Networkin' Nut Member

    OK, I've tried Victek's build and the torrent traffic is in the bulk class. Note that I use the default qos settings there with p2p enabled at the bulk class. All is running well there except that browsing is snappier in your build. I love your build, that's why I'm trying to solve the problem, and going to Victek's build is my last resort here. All that I need is in your fw. I hope there's a way to solve this problem, Toastman, thanks a lot!

    I also noticed that after a power cycle, the torrents would go to bulk class but most of the time after a power cycle, it's back in the voip class.
  21. Toastman

    Toastman Super Moderator Staff Member Member

    pektong, you do have some traffic in the P2P class. The P2P that is in the VOIP class is being classified by some rule - look for the traffic and look in the "rule number" column to see which rule put it there. Then you can perhaps see a reason and it may be possible to do something with it. There is often some P2P leakage into other classes but yours looks excessive.
  22. Porter

    Porter LI Guru Member

  23. pektong

    pektong Networkin' Nut Member

    Toastman, thanks for the response. I'm only using your default rules and enabling the p2p to bulk class.. I also added 2 more rules for my Battlefield ports. I also tried to disable the 2 rules, using your default QOS (p2p enabled to bulk class) and still, the torrent traffic is at the voip class.

    Porter, thanks also for the suggestion. I tried it also and still a no go.

    I know it's strange but that's what I'm experiencing. Currently, I'm using Victek's build and the problem is solved. But I still prefer to use your build because all that I wanted was there.

    These are the ports Battlefield 3 uses, as you can see in my screenshot earlier.
    TCP: 9988, 20000-20100, 22990, 17502, 42127
    UDP: 3659, 14000-14016, 22990-23006, 25200-25300

    I omitted ports 80 and 443 because they're classified as web in your QOS rules. Even when I disabled or deleted the 2 rules that I added, my torrent traffic is still at full throttle in the voip class.
  24. Toastman

    Toastman Super Moderator Staff Member Member

    what rule is placing it in the VOIP class?
  25. pektong

    pektong Networkin' Nut Member

    Ok I found the culprit.. it's the skypeout rule 25. Weird.. I disabled both skype and skypeout yesterday but it's still in voip class.

    Thanks Toastman and to you Porter. I'll observe this and post again if I still have problems. thanks a lot!
  26. pektong

    pektong Networkin' Nut Member

    Good day again Toastman. My new problem now is that how can I lower my pings in Battlefield 3 while the other pc is downloading via torrent or watching youtube? my normal ping ranges from 60~100 then when torrents or youtube kicks in my ping goes from 200 to 1k.
  27. Porter

    Porter LI Guru Member

    I hope you did measure your maximum line speed with several speed tests.

    Look at your inbound and outbound rates. The sum of the left values mustn't exceed 100%. Your sums for in- and outbound do exceed 100%.

    Don't give any class a maximum bandwidth of 100%. 80% might be better, especially if you need good pings.
  28. pektong

    pektong Networkin' Nut Member

    So I start at half of my subscribed speed and increase little by little until I achieve the right bandwidth speed to make my pings better in BF3? I'll also lower the max inbound and outbound speed for each class and see the results. Thanks Porter, I'll give you feedback on what the result will be.

    Also, is it ok for me to max my outbound for the voip class? Because I noticed that there's video quality degradation if I lower it down to, let's say, half.
  29. Porter

    Porter LI Guru Member

    You can give VoIP 100%. I don't think you are gaming and voiping at the same time, are you?
  30. xtacydima

    xtacydima LI Guru Member

    Hi does anyone know (if it exists) the export syntax command to get output for the port forward list
    nvram export --set | grep ???
  31. Toastman

    Toastman Super Moderator Staff Member Member

    nvram export --set | grep portforward
  32. Munshisan

    Munshisan Serious Server Member

    We are a cloud VoIP provider, all business clients. The challenge we face daily is to get clear calls in/out of a customer's premises while they carry on sundry business activities: generally, email, browsing and some downloading/uploading. Viruses are occasionally an issue. We want to establish high priority access to our nodes in the cloud, and let everything else fend for itself, more or less. :)

    We have a working framework with DD-WRT, but it's all Unix scripting and not at all user friendly or even tech friendly (htb classes in various buckets, and then a global prioritizer).

    Is Tomato's approach to QoS any better? Can the out of box framework be easily tweaked, say, to include src/dst ip address matching?

    First time post, so go easy on the flame thrower.

    a s m at ipfinity d0t com.
  33. Newsman1

    Newsman1 Serious Server Member

    First, thank you Toastman for your very robust and powerful firmware.

    I'm, hoping to get some help on stabilizing my router when QoS is enabled.

    I'm currently running Tomato Firmware v1.28.0500 MIPSR2Toastman-RT-N K26 USB VPN, on my Netgear WNR3500Lv2 N300.

    I haven't changed much from the stock settings. Enabled DHCP. Enabled QoS, assigned static IP's to the mac addresses of PC's connected to the router, defined rate limits, and added 2 classifications.
    The issue I'm having is that my brother often streams TV/Movies to his PC, making my PC (used for gaming and browsing) and our Mom's PC (used for browsing) slow to a crawl and causing my latency to sky rocket for hours at a time.

    Setting rate limits for inbound and outbound traffic seemed to help a bit, but my pings are still on the order of 400-1200ms when he's streaming. The 2 classifications I added were:

    Match Rule      Class      Description  #
    To "My PC"      VOIP/Game  Any In       1
    From "My PC"    VOIP/Game  Any Out      2

    But this seems to have had little effect.
    I then tried enabling the bandwidth limiter, following
    After enabling the bandwidth limiter the router will reboot itself anywhere from 1-10 times an hour.

    I'm wondering if I inadvertently told the router a conflict that causes it to not know what to do, so it reboots. Not being able to stably throttle his connection/list my PC as having bandwidth priority has become very frustrating.

    His PC is connected via wireless. Mine and our Mom's are connected via ethernet.

    I appreciate any suggestions or advice anyone can offer.
  34. Porter

    Porter LI Guru Member

    So each customer of yours is getting its own router with dd-wrt?

    You can easily shape by IP or port number. The only problem with QoS and VoIP seems to be that there might be too much buffering involved. This site always claims that the buffers are very large and this only happens with QoS involved. I'm not an expert on VoIP though but this might be an issue. It's quite possible that in this regard it doesn't matter whether you use Tomato or dd-wrt. I just wanted to mention it, since you seem to belong to the Pros who might be able to tell us something more concrete about it. The buffers in the QoS-system can be tweaked but as far as I know nobody did this for Tomato as of yet.

    If you are providing VoIP over DSL there is another very important point to be mentioned: ATM overhead. Especially with VoIP this is an issue. The linux kernel can calculate the ATM overhead for a specific DSL-connection, but it needs to be told so and this is what's still missing in Tomato (it's a feature for nerds anyway, because it's difficult to know how much overhead is produced by the underlying protocols on the DSL-connection). So if you want to really use QoS as best as possible, you still need to use custom shell scripts. On the other hand you can still make a cool script with the Tomato GUI and just put the parameters for ATM-overhead calculation in by hand.
    Only the K26 builds support overhead calculation!

    Don't use B/W limiter and QoS at the same time. I suggest that you only use QoS. If you want to configure it the right way, look around in this thread, there have been several people asking the same questions. Toastman has written an extensive How-To that you should also read.

    If you still need help, please post screenshots of your configuration, anything less is mostly not that helpful.
  35. Munshisan

    Munshisan Serious Server Member

    Porter: Thanks for your reply and links provided.

    Correct, each client gets their own router and we put the DSL/cablemodem/whatever upstream device into bridge mode. MAC address filtering is possible, but cumbersome because devices are often added on the fly necessitating continuous changes to the router's QoS settings. It's easier for us to prioritize by destination/source address and packet type (udp).

    To your question about buffer sizes: buffer sizes for voice are adjustable by the provider (us). Many folks concentrate on the signalling side of voip (SIP most often) but neglect the more critical voice payload (RTP) which emanates from and terminates to dynamically determined port#s on both sides.

    I liken the job of a traffic shaper to that of a cop at a narrow junction between two high speed roadways where 100mph traffic (LAN at 100Mbps, say) meets 10,000mph traffic (Net backbone), but transiting traffic has to go through a section of 1-10mph (the last mile). Voice and other hard real-time data are like ambulances (small and infrequent but critical) vs everything else (trucks, say) that need to get through in a time-critical fashion. The only way this can work is if the cop (router) keeps a small lane (reserved bandwidth which can be demand scalable) open. To do this, the cop needs to know how many cars are in the constriction (the traffic shaper needs to drip feed the upstream device so it doesn't fill up its buffers) so it can sequence the priority traffic as it arrives. Of course too many ambulances and all goes to pot...

    I find this analogy useful when I explain traffic shaping to lay folk. Everyone can visualize what it's like when freeway traffic meets a construction zone and there's nobody to regulate the flow.

    It all comes down to flow control...anyone remember RS232? :)
  36. suzook

    suzook Serious Server Member

    Hi All. I have a little problem. I am unable to get my wireless to work. Also, when I have anything plugged into the bridge (2nd e4200) it will pass a connection test but error when I use something connected (such as Vudu streaming).

    I have a few questions.

    Should the AP (2nd router) in the basic/network page be set up as a bridge in the WAN or the LAN? I have it disabled in the WAN. I have not changed anything in the LAN area.

    Second, the static dns I have set to match that of the first router? Is this correct?

    It seems like this is easy but I am confused.
  37. dorimon5

    dorimon5 Networkin' Nut Member

    Hi toastman! Can I ask for help? I am now managing an internet cafe here in the Philippines. I'm using a linksys e4200 v1 router. I'm using your firmware because I've heard good feedback about your firmware in terms of Quality of Service. But I encountered a big problem as of now. I already enabled the qos and set everything the way I want. My problem: all my online games encounter a delay randomly. Here's my qos setting. I don't know if it is correct or not. Please help me. Thanks! Sorry for my bad english.


    I changed the default qos names. Is it safe or not? Here's my classification setup:


  38. pektong

    pektong Networkin' Nut Member

    Kabayan! try to uncheck ACK first..
  39. hacim

    hacim Networkin' Nut Member

    Hey all. I've been reading through this post trying to get some kind of workable QOS setup for me and my wife at home. So far, every time I turn on the QoS, everything is not happy :( The main problem I'm struggling with right now is skype, which she uses regularly. I looked in skype's configuration and found that it has a specific port set, and so I tried to classify that in the VOIP class, but when she actually uses it I see a ton of other connections that are being classified as Crawl and it's impossible for her to use it. The connections seem to use somewhat arbitrary ports, so I'm not sure how I can get it to work. I turned off the level 7 skype classification because people were saying it was overbroad, and I've turned off ACK, but I think the main issue is that the connections are getting classified in the Crawl class, and I don't know how to indicate those.
  40. Porter

    Porter LI Guru Member

    From what you are describing you did everything right. Please upload some screenshots of your config, Basic Settings and Classification so we can have a look.
  41. hacim

    hacim Networkin' Nut Member

    Here are the screenshots. Note I just added skypeout and skypetoskype back in to see if they would help so they show up in the shots


  42. tbjerret

    tbjerret Network Guru Member

    Ha - you must of course place "from your wife's computers IP" in VOIP/game and yours somewhere lower. Static IP, that is. That's the only durable solution :)

    And looking at your last post, 95 can't be right.
  43. hacim

    hacim Networkin' Nut Member

    I guess you are just joking there, right? :)

    Well, I was trying to follow the directions here, I did several speedtest measurements and found my upstream bandwidth to find the minimum measured bandwidth. I found that I got 0.11Mbit/sec at one point, which is 112.64Kbps, and 85% of that is 95. Did I do the math wrong?
  44. tbjerret

    tbjerret Network Guru Member

    Joking, yes - but with only two or three computers prioritizing one should be enough. And if 95 is correct you need to give Skype all of your upload. And no video.
  45. Porter

    Porter LI Guru Member

    First of all, please don't forget to enable QoS, you didn't tick the box...

    Your upload bandwidth is very small, so you will have problems with skype anyway. For one voice call you need approximately 128KByte/s, you only have 95.

    You configured your Outgoing bandwidth wrong. You only give VoIP/Games 19KByte, which as you now know is not enough! You'll have to experiment a bit, but with VoIP I wouldn't even suggest giving it 100%, because of overhead. Well, experiment...

    Please don't use the Skype-L7-filters. They hurt more than they help. Especially with your connection. Put your skype-port-filter more on top, maybe as rule number 9.

    Disable TCP Vegas.

    Don't give any of the incoming classes 100%, better 80-90%.

    Disregard tbjerret's suggestions.
  46. DJarvis1

    DJarvis1 Addicted to LI Member

    Hi, I've got an e2000 and have got the latest toastman ready to be flashed onto it. After reading through the 1st page of this thread, and while looking for the fw for my e2000, Toastman said there's a much newer `IMQ based ingress system` for incoming Q.O.S rules.

    Is there any setup info, or anything different than what I've read at the start of this thread? Is there anything that tells me how this newer system works?

    Also, once I've flashed the router I wanna set it all up fresh.
    As far as gaming goes (PS3) I've always used DMZ....some ppl say use it as a last resort and some say it's fine.
    Am I better off setting up port-forwarding for the ps3 and then using QOS, or is QOS happy with DMZ?....pros n cons either way??

  47. Porter

    Porter LI Guru Member

    Just flash the newest Toastman and you will use the new system. Configure QoS as mentioned in the first posts of this thread. Most of what you need to know has been mentioned over and over on the last few pages by Toastman and me, too.

    I don't really know why it is important to put your ps3 in a DMZ and which type of DMZ you plan to use. I'm not very familiar with DMZs. Whichever way you choose, report back when you run into problems and give it a try first.
  48. DJarvis1

    DJarvis1 Addicted to LI Member

    Ok ta...

    The reason I was using dmz is we've got 2 ps3s going online (mp) & dmz was easier than setting up multiple rules for each ps3+ several different games, I just ended up using dmz on 1, upnp on the other..

    Type of dmz? Afaik there's only the software based ones in the routers...

    Sent from my Galaxy S II using tapatalk
  49. Porter

    Porter LI Guru Member

    I'm not very familiar with the ps3 either, but why did you need several rules for them? Do you do anything else than gaming with them? Just add a new IP filter for each one of them on the Classification page and let them do their portforwarding via upnp and you are done. Or did I miss something?
  50. DJarvis1

    DJarvis1 Addicted to LI Member

    Ok upnp isn't always that great, sometimes it's down to the routers (or software on them) themselves. Opening ports manually is just more reliable online.
    There are about 6 rules for the psn itself, plus a few rules per game, then all those are client specific also.
    Mainly gaming on PS3, sometimes use the ITV/BBC iPlayer services.

  51. Monk E. Boy

    Monk E. Boy Network Guru Member

    UPnP works fine so long as applications actually bother to use it. The problem is game companies don't tend to hire people to write their networking code who actually know what they're doing. I'm so glad to be away from that environment...
  52. DJarvis1

    DJarvis1 Addicted to LI Member

    Yeah, I forgot to mention that: there are some games that are renowned for being made poorly (in terms of networking) & thus why it's easier to manually open ports, rather than rely on a dodgy game being inconsistent in that regard....

  53. zbeyuz

    zbeyuz Serious Server Member

    Are these general rules still applicable for a new version of Tomato firmware?

    How to adjust to make a better version for VOIP ? Can I change it from "High Class" to "Class A" ?
  54. Porter

    Porter LI Guru Member

    Expect it to be still valid.

    Why would you like to change the classes? And for the record: the classes don't use these names anymore. Please get the newest Toastman release.

    If you want to improve skype-calls disable the L7-Skype filters and configure skype to use a specific port. Add a filter on the Classification page with that port.
  55. Monk E. Boy

    Monk E. Boy Network Guru Member

    Worst case he could create a static DHCP lease for a system, then create two rules for traffic going into and out of that system. But that has the problem of all non-Skype traffic from that system getting classified by the same rule, and therefore fighting Skype for the same amount of bandwidth. Creating rules with the correct ports is the best way to go, the trick is always figuring out what those ports are.
  56. Dinnn

    Dinnn Networkin' Nut Member

    Please someone answer my question.
    I have 8 rules for youtube. Each rule will filter IP range.
    I would like to know if this will slow down my router?
    See image below.
    Sorry for my poor english.

  57. lefty

    lefty Networkin' Nut Member

    That pic alone doesn't provide enough info to be able to answer the question, this shows the custom rule classes you have created, but it doesn't show what you have the "streaming" class set to in the bandwidth section..
  58. Dinnn

    Dinnn Networkin' Nut Member

    Sorry my question is not clear enough.
    I didn't mean bandwidth allocation; currently my Qos works well.
    What I want to know is if having too many rules (youtube filters based on IP range) like the picture above will slow down Qos or the router's processing.
    Or is there any other better way to classify youtube?
  59. lefty

    lefty Networkin' Nut Member

    It should work just fine as you have it. what brand/model router do you have?
  60. Dinnn

    Dinnn Networkin' Nut Member

    I'm using Asus RT-N12 C1 with 4MB Adsl. I have added 2 more ip range for youtube. Now i have 10 rules for youtube.
    So far no problem while browsing, streaming, gaming, etc...
    All youtube videos are correctly classified as streaming instead of download.
    But if someone have a better way to filter youtube video please share it here.

  61. Toastman

    Toastman Super Moderator Staff Member Member

    Where I live, we get completely different IP ranges, and none of the youtube videos I just tried were caught by this at all. However, httpvideo flashvideo, rtp, etc (defaults) still work for most of them.

    Re the question about speed - well, all rules consume processing power, and obviously will affect the maximum throughput. But for most of us, it isn't so noticeable. There are a lot of ports there, but when compared with the L7 filters, it may still be faster.

    I tried to explain this once to a "megauser" with 100Mbps+ internet, that even if a router is not fully capable of handling this speed, Tomato's QOS system gives you the choice of absolute chaos at 130Mbps or perhaps sub 100Mbps of ordered access for everyone.
  62. Dinnn

    Dinnn Networkin' Nut Member

    I did try L7 httpvideo and flash but somehow only some videos were caught by the L7 filter.
    Thanks to Toastman for the explanation. That's what I wanted to know. Thanks also to lefty for your advice.
    Based on Toastman's explanation, I will stick to the IP filter instead of L7.
    Sorry for my poor English.
  63. najevi

    najevi LI Guru Member

    I am reading in an effort to understand how the developers of Tomato's QoS mods might have used combinations of qdisc, class and filter to implement QoS functionality. The trouble is I am not finding where the data I enter at the qos-classify GUI webpage is being transformed into filter rules as the above documentation would suggest is the standard practice.

    I am connecting to my router via a telnet session and I am using the command line to understand how changes I make at the qos-basic and qos-classify pages are transformed into qdisc, class and filter.

    Simply running (or viewing) /etc/qos makes it pretty obvious how the data entered at qos-basic is being translated into qdisc, classes and filters based on the tc command. So I can understand how bandwidth rate(ceiling) pairs are being prescribed for guaranteeing(shaping) outgoing traffic on vlan1 and policing incoming traffic on imq0.

    What is not so obvious to me is how the Match Rule data entered at qos-classify is being used to classify data packets.

    I vaguely recall reading that iptables can be used to mark packets for subsequent filtering and yet I have inspected the output from iptables -L but that does not give me any clues either.
    1. Would someone please point out what command line tools I should use to see the effects of Match Rule data entered at the qos-classify GUI webpage? (That table is still labelled Outbound Direction.)
    2. Where do I specify match rules for classifying Inbound Direction data packets?
    3. What should I read to understand the mechanics of how a Match Rule that is based on some total kByte transferred is put into effect?
    Thank you.
  64. Porter

    Porter LI Guru Member

    Are you just curious or do you want to achieve something special?

    To answer your questions:
    Tomato almost exclusively relies on the iptables subsystem as a means to mark the traffic (aka "filter" in tc nomenclature). To see what iptables is doing please have a look at /etc/iptables. The chain is called QOSO. I already shared a bit of my knowledge here:

    The outgoing interface should be ppp0. If it's vlan1 there probably is an error somewhere or you changed something...

    "Outbound Direction" just hasn't been changed, yet. Tomato _used_ to be able to only shape in outbound direction. Therefore Inbound and Outbound don't really matter at this point any more.

    Tomato uses the iptables match "connbytes" to determine how many KB a connection has seen to classify this connection accordingly.
  65. Zodler

    Zodler Serious Server Member

    My newsgroup uses port 563 SSL. There is a rule that recognizes this as Mail. How can I add a rule that makes only these newsgroup connections bulk or something?

    I use shibby's

    I have both these rules

    Dst Port: 119,563 Mail NNTP 31

    Dst Port: 80,443,8080,563
    Transferred: 512KB+ Download HTTP,SSL File Transfers 39

    is this bad?
  66. gutsman7

    gutsman7 Networkin' Nut Member

    Delete the first rule. The second rule is giving each port connection a sum of 512kb, then they are dropped to the +512 class. So just remove those ports from the 512+ and +512 (assuming it's on there too) and just make a new rule and put it in the lower prio class.
  67. najevi

    najevi LI Guru Member

    I was just curious but now that I have read about iptables some more I now realize that there is something special that I want to achieve:
    I'd like to classify all data from a set of IP addresses that are known to be unmetered by my ISP. (Yes, these are static IP addresses and some members of the set are best specified using address/mask syntax.) I already experimented with the match rules by trying to enter multiple IP addresses using such syntax as:, or or or or but none of these methods seemed to pass the GUI's parser. I now know that this is not a limitation of iptables per se and so I assume it is only the parser that needs to be encouraged to support multiple IP addresses. Has this been considered before?

    OK now this is a big surprise because for all the time that I was using Jon Zarate's original Tomato (many years using v1.23 and just a few weeks using v1.28) the first three lines of /etc/qos have been:
    TQA="tc qdisc add dev $I"
    From this I assumed that vlan1 is the default because I never consciously specified vlan1 myself.
    I may try a reinstall of my current toastman build with an NVRAM purge beforehand and see if the default changes to ppp0.

    OK so the one table is used to specify rules for traffic in both inbound and outbound directions.
    Should I assume the following:
    1. a) If src-addr is outside the LAN range ( in my case) then the match rule is going to affect inbound data packets.
      b) If src-addr is within the LAN range then the match rule is going to affect outbound data packets.
    2. a) If dst-addr is outside the LAN range ( in my case) then the match rule is going to affect outbound data packets.
      b) If dst-addr is within the LAN range then the match rule is going to affect inbound data packets.
    3. If no src or dst IP address is specified then the match rule affects data packets flowing in both outbound and inbound directions.
    OK, I have read about this now and understand it much better.

    As an interim measure I imagine that I will be able to support my desired set of IP addresses with a script to Append (or maybe Insert) multiple rules once I have a stable QOSO table. In fact now I understand iptables better it might be cleaner for me to create a new user table and specify that as a target for one of the rules in the QOSO table.

    Many thanks!
  68. Porter

    Porter LI Guru Member

    I highly recommend this! There have been a lot of changes, especially in the QoS-system.

    This works:
    -A QOSO -p udp -m iprange --src-range -j CONNMARK --set-return 0x3100005/0xFF
    -A QOSO -p tcp -m iprange --src-range -j CONNMARK --set-return 0x3100005/0xFF

    -A QOSO -p udp -s -j CONNMARK --set-return 0x3100005/0xFF
    -A QOSO -p tcp -s -j CONNMARK --set-return 0x3100005/0xFF

    -A QOSO -p udp -s -j CONNMARK --set-return 0x3100005/0xFF
    -A QOSO -p tcp -s -j CONNMARK --set-return 0x3100005/0xFF

    But this doesn't:, or
    There is a JavaScript input check of the field and this gives me an error.

    iptables matches whole connections, not just packets. A connection is a two way process, therefore you see both inbound and outbound packets. To match the first packet of every connection you probably need a src and dst rule for every ip or ip-range. Unfortunately the GUI doesn't let you specify an ip only. I think iptables doesn't care, but well, I think it's just cosmetics. One rule for an ip or ip-range should be enough. Preferably use a src-ip rule for hosts inside your LAN because they will initiate the traffic most of the time, if you don't host a webserver or something like that inside your LAN.
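    The multi-address classification najevi asks about above and the src/dst rule pairing Porter describes, as an added example script that is not from this thread and not Tomato's own code: it generates QOSO rules in the same form as the quoted ones for a list of hosts, CIDR blocks and address ranges, so the list can be loaded from a script instead of the Classification page. The chain name QOSO, the iprange match and the --set-return option are as in the quoted rules; the mark 0x3100005/0xFF is copied from Porter's post and is only a placeholder here (take the mark for your own class from /etc/iptables on your router). The RFC 5737 sample addresses and the helper names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from Tomato): print QOSO rules that
# mark every connection to or from a list of addresses with one class mark.
# QOS_MARK is Porter's example value, a placeholder: set it to the mark of the
# class you want, as read from /etc/iptables on your own router.
QOS_MARK="0x3100005/0xFF"

# Accept a single host (a.b.c.d), a CIDR block (a.b.c.d/nn) or an address
# range (a.b.c.d-e.f.g.h). Anything else is rejected so a typo cannot become
# a rule that marks the wrong traffic (the GUI's input check is bypassed here).
valid_addr() {
    printf '%s' "$1" | grep -Eq \
        '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2}|-([0-9]{1,3}\.){3}[0-9]{1,3})?$'
}

# Print the four rules for one address spec (tcp+udp, src+dst). Ranges use
# the iprange match exactly as in the quoted rules; hosts and CIDR blocks use
# plain -s/-d. Matching both src and dst catches the first packet of a
# connection whichever side opens it.
rules_for_addr() {
    addr="$1"
    valid_addr "$addr" || { echo "bad address spec: $addr" >&2; return 1; }
    for proto in tcp udp; do
        case "$addr" in
            *-*)
                printf '%s\n' "-A QOSO -p $proto -m iprange --src-range $addr -j CONNMARK --set-return $QOS_MARK"
                printf '%s\n' "-A QOSO -p $proto -m iprange --dst-range $addr -j CONNMARK --set-return $QOS_MARK"
                ;;
            *)
                printf '%s\n' "-A QOSO -p $proto -s $addr -j CONNMARK --set-return $QOS_MARK"
                printf '%s\n' "-A QOSO -p $proto -d $addr -j CONNMARK --set-return $QOS_MARK"
                ;;
        esac
    done
}

# Print rules for every address given; stop at the first bad one so that a
# partial, inconsistent ruleset is never emitted.
gen_qos_rules() {
    for a in "$@"; do
        rules_for_addr "$a" || return 1
    done
}

# Number of rules a list would produce (a quick sanity check before loading).
count_rules() {
    gen_qos_rules "$@" | wc -l | tr -d ' '
}

# Usage on the router (constructed RFC 5737 sample addresses):
#   gen_qos_rules 203.0.113.0/24 198.51.100.10-198.51.100.20 | \
#       while read -r rule; do iptables $rule; done
```

    Review the printed rules before loading them. Because they are appended with -A they sit below the rules Tomato generated from the GUI, so an earlier GUI rule that matches the same traffic still wins, which matches how the quoted rules were added.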
  69. Jairus

    Jairus Serious Server Member

    I'm having a bit of a problem with (presumably the inbound) QoS.

    My connection tests at 35Mbps down and 1Mbps up. However, with QoS enabled, it never tests faster than 16Mbps down, no matter what the inbound/outbound QoS maximum values are set to. The speedtest traffic is being classified as 'download', which is set to a limit of 100% inbound, but even when my inbound/outbound caps are set to 10x my real-world caps, I can still only get 16Mbps down.

    Which means that if I enable QoS I'm cutting my internet connection in half.

  70. gutsman7

    gutsman7 Networkin' Nut Member

    Try to disable these only for awhile and try your test. Transferred: 512KB+, +512.
  71. Jairus

    Jairus Serious Server Member

    With that rule disabled, the traffic ends up in the default class (P2P/Bulk), and the results are the same.
  72. Porter

    Porter LI Guru Member

    My first guess is that your router may not have enough cpu power to do QoS. At least not to this extent. Which router are you using and which firmware?

    What you could do is reenable the filter gutsman7 told you to disable and disable every L7-filter. If this doesn't help, post some screenshots of QoS/Basic Settings and QoS/Classification.
  73. BaconSandwich

    BaconSandwich Serious Server Member

    Hi, hopefully someone can help me, I can't get full download speed when qos or the bandwidth limiter are enabled.

    Router is Asus RT-N16 running tomato-K26USB-1.28.7500.4MIPSR2Toastman-RT-VPN.trx. There is no other traffic on the network and tests are wired.

    First test without QOS or bandwidth limit enabled.

    With just QOS enabled, it's all at default except I set everything to 100% on Basic Settings to try and remove all limits.

    Now with QOS disabled but bandwidth limiter enabled

    Any ideas what's causing this?
  74. Monk E. Boy

    Monk E. Boy Network Guru Member

    What rule is your bandwidth testing traffic being classified under, when it's not classified as P2P/Bulk, and are there any L7 rules above it?

    More information would be helpful though as Porter points out, including router make & model and the firmware "flavor" (Toastman, Shibby, TeddyUSB, etc.) & version you're using.
  75. Jairus

    Jairus Serious Server Member

    When I run the test with QoS on, the router hits about 90% CPU, but doesn't seem to hit 100%. It's a WHR-HP-G54 running: v1.28.7633 -Toastman-IPT-ND ND VPN.

    The traffic was being classified under Download, and there are a ton of L7 rules above it. If I move it above all the L7 rules I get the same results as far as speed, but the CPU only hits 80%.

  76. Porter

    Porter LI Guru Member

    You didn't disable every L7-filter, but what you are describing makes it likely that your cpu doesn't have enough power for this. Disable as many L7-filters as you can. It would probably be best, if you disabled every L7-filter. Alternatively you could buy a better router. ;)

    How is the cpu usage when you are downloading? Please post a screenshot of your Classification page, too.
    Just to make sure I'm asking again: you didn't use B/W Limiter and QoS at the same time?
  77. BaconSandwich

    BaconSandwich Serious Server Member

    Hi Porter,

    CPU is 100% whether QOS or BW Limiter is enabled or not.

    Screenshot is in my previous post isn't it? Might not be obvious because the thumbnails blend in a bit, sorry.

    No I did not use B/W Limiter and QoS at the same time.

    Is the CPU insufficient then? I was under the impression the RT-N16 had plenty of processing power :( The reason I enabled QOS was to prioritise ICMP, I don't actually need QOS for anything because no matter what I throw at it everything is speedy and smooth with QOS off.
  78. Monk E. Boy

    Monk E. Boy Network Guru Member

    Put your L7 rules at the bottom of your rulebase. They're only useful for catch-alls if no other port-based rules can catch it. For example, right now all your web traffic has to pass through several L7 rules before being caught by the HTTP rule. Only once the connection reaches 512KB do packets avoid being compared against some of them.

    Flash & FlashVideo L7 filters have been broken for some time.
  79. Porter

    Porter LI Guru Member

    It doesn't matter if L7-filters match or don't match. They always use cpu power and that's why I told Jairus to disable them all.

    I just made a new L7-filter for youtube which seems to work nicely. I'll probably post it sometime soon in the QoS-development thread for others to try.
  80. Monk E. Boy

    Monk E. Boy Network Guru Member

    If the traffic has to go through an L7 rule, it uses the same power whether it matches or not. But if it doesn't hit an L7 rule, it shouldn't use the CPU power - yes? Or no?

    He's certainly better off going through and disabling L7 rules, but mixing them up like he has is a recipe for high CPU utilization. Port-based rules first, and L7 rules sparingly at the end. And, whenever possible, convert your L7 rules to port-based rules.

    I also like to re-order my categories, since bandwidth seems to be assigned from the top down. The category at the top seems to take priority over the category below it. Kind of like rules but in terms of bandwidth allotments. If the first category needs to spike to 30% utilization, its max, then it can do so even if a category below is utilizing 95%.

    Also, make sure to tune port-based rules. NTP, for example, only uses UDP packets. DNS too (at least if you're just relying on dnsmasq, which doesn't - by default - proxy dnssec requests). HTTP/HTTPS traffic only uses TCP.
  81. Porter

    Porter LI Guru Member

    As far as I remember (and without being able to explain this at all) L7-filters always see the entire traffic and therefore it doesn't matter where they are being placed. I never did a speed check, though.
  82. rhester72

    rhester72 Network Guru Member

    L7 rules are like any other - if there's a higher-rule match, they won't be reached. First positive match wins, so putting them at the bottom is the right thing to do.

    Then again, the idea is that your rules should match maybe 20% of your overall traffic, and the remaining 80% of "generic" traffic you don't care about shaping goes to the default handler, so in the real world, the L7 rules will get hit a _lot_, even when processed last (and they do chew up a LOT of time because you're doing decoding and deep-packet inspection in userland).

  83. Porter

    Porter LI Guru Member

    Ok, I tested it and you are right in general, but not when it comes to something specific like flashvideos. Those l7-filters need to match before the port filter for port 80. Putting them all at the bottom is only good advice if you are absolutely sure that no other rule matches this traffic.
  84. Monk E. Boy

    Monk E. Boy Network Guru Member

    Personally I don't particularly care about flash videos matching, unless they don't get caught by a port 80/443 filter.

    Still, you could have all your rules run through all the port matching at the top, place your http/https rules at the bottom, then right above it have an L7 flashvideo rule. Below http/https have your xbox or whatever L7 rule.

    Just for goodness's sake limit the L7 rule hits. If you never are hitting the shoutcast rule then lop it out.
  85. Porter

    Porter LI Guru Member

    If your CPU usage is at 100% all the time there is something wrong, especially with a router like yours. You could login to your router and run "top" to see what's causing this. Did you do an NVRAM purge after you flashed the firmware?
  86. BaconSandwich

    BaconSandwich Serious Server Member

    Hmm top won't run in the GUI, it just hangs, and when I try to login via telnet with putty on port 23 it says Login Incorrect. Is the login the same as the GUI, is there some extra setup I need to do? I have no trouble using putty to login to my separate modem using telnet or my webhosting using ssh.

    I did do an NVRAM purge after flashing, then I restored my saved config file.

    To be clear the CPU is only at 100% when maxing the download, when the connection is idle it sits at 1-3%
  87. BaconSandwich

    BaconSandwich Serious Server Member

    Ah have to use root to login via telnet, I'll check it out later.
  88. BaconSandwich

    BaconSandwich Serious Server Member

    Here are some snapshots of top, first without and then with QOS enabled. I'm out of my depth here so any suggestion appreciated. In the mean time I'll google sirq and ksoftirqd. Thanks.

    QOS disabled maxing download with single thread.


    QOS enabled maxing download with single thread.

  89. Porter

    Porter LI Guru Member

    Thank you for the screenshots. Well, seems like this is a general software issue and not really QoS-related. If normal operation (with QoS off) already uses so much cpu power, it's no wonder that your bandwidth drops when you enable QoS. I found this test stating that this router should be able to cope with your connection. Maybe somebody else has something to say to this because router performance in general isn't my field of expertise. It would be helpful if somebody else with a comparable device and internet connection could run some tests so we can narrow down the problem. I still don't think this is normal. I don't know how many people are using your connection, but with a connection this good QoS might be optional anyway.
  90. gschnasl

    gschnasl Addicted to LI Member

    How did you restore your setting?
    Have you manually set your settings after purge?
    If you restore the settings from a file, the NVRAM purge was useless.

    Sent from my GT-I9100 using Tapatalk 2
  91. BaconSandwich

    BaconSandwich Serious Server Member

    Porter, you're right, I've no need for QOS because of the speed of the connection, I only enabled it because I wanted to use the prioritise ICMP option. Is there a way to effectively disable QOS but leave it enabled so I can use the prioritise ICMP option? If you see what I mean.

    gschnasl, it was from a file. So I guess another NVRAM erase and manual setup is in order.

    There are a few instances of the high sirq here, apparently it's normal. I'm still lost though. I suppose if the connection performance is fine without QOS enabled I shouldn't worry about it. Would like to try the Prioritise ICMP option out but throughput needs to be able to max out.

    There is a discussion on high ksoftirqd usage and bittorrent here but I'm not using bittorrent so don't know if it's relevant.
  92. Monk E. Boy

    Monk E. Boy Network Guru Member

    Yeah, if you restored the config from a file then you're right back in the same boat you were before you did the NVRAM erase. You have to set things up by hand, because the config is basically a memory dump.

    If you restore the config file from one router onto another router of the same model, it'll actually change that router's MAC addresses to match the first router's MAC addresses - yikes!
  93. asloane

    asloane LI Guru Member

    What do I need to do to get Web Monitor working in Tomato Firmware v1.28.7633?

    "Monitor Web Usage" is enabled for all computers
    I have enabled Log Internally and Log To Remote System with both Connection Logging for Inbound and Outbound traffic
    Recently Visited Web Sites and Recent Web Searches are both blank

    What is missing from the setup?
  94. Monk E. Boy

    Monk E. Boy Network Guru Member

    The top part of the Logging page is unrelated to the bottom part of the page. The top part is syslog/messages logging, and the bottom part is WebMon.

    Have you configured "Number of Entries to remember" with sufficiently low values? I've never had it work reliably with anything above 1000.

    Are you browsing the web over http? I don't think WebMon logs https traffic.
  95. Zodler

    Zodler Serious Server Member

    I use sabnzbd for newsgroup download 10 connections on port 563. With toastman's firmware they are classified as FileXfer. When I do another direct http download or watch youtube (classified again as FileXfer), the speed is evenly distributed which means my new download is 1/11 of the total available speed.

    This is fair but is not what I want. How can I make tomato drop my 10 connections sabnzbd download to as low as like 1/5 of total when another file transfer starts?

    So in short, near full speed download for sabnzbd when there is no other file transfer. Drop to a minimum when there is.
  96. Porter

    Porter LI Guru Member

    Can you tell sabnzbd to use a specific port only? If you can, make a new filter on the QoS/Classification page and enter this src-port. Put this traffic in a lower priority class than FileXfer. If you want sabnzbd to be able to use the rest of the bandwidth when there are no web downloads present be sure to give this class 80-90% (right value) in inbound direction on QoS/Basic Settings.
  97. Zodler

    Zodler Serious Server Member

    Thank you I will work on it. What makes more sense to me is to
    create a sabnzbd class and set it to 5-100% and
    put the rest of FileXfer to 70-100%.
    In that case if a filexfer other than sabnzbd starts, it goes up.

    By the way I can't make more classes in toastman's firmware. Are we limited to 10 QOS classes only? I have to sacrifice one class and drop it?
  98. Porter

    Porter LI Guru Member

    Sorry, but what you want to do won't work. QoS doesn't work this way. Higher priority classes get the bandwidth, so if you put your traffic below FileXfer it should work. Don't use 70-100% for FileXfer. Use 5-90%. I don't know which classes you have, but I'm guessing you still have a crawl or P2P-class. Just put your traffic into one of them.

    If you want to know how the QoS-system works read the posts by Toastman at the beginning of this thread.
  99. Zodler

    Zodler Serious Server Member

    You said make a sabnzbd class and set it to 80-90%. How that will help? sabnzbd will use 80% of the speed at all time.
  100. Porter

    Porter LI Guru Member

    I only told you to set the _right_ value to 80-90%.