[Firehol-support] FireQOS: need help with input traffic shaping

Tsaousis, Costa costa at tsaousis.gr
Mon Feb 2 16:44:32 GMT 2015


Hi Andreas,

I can see the following problems on your config:

1. There is no htb qdisc. Let FireQOS select the default (fq_codel
or sfq). fq_codel will be of great help on your setup. Make sure your
kernel supports it.

2. On the lowprio class you match a private IP on the public
interface. This cannot be done. On the public interface there are only
public IPs. This is your key problem.

3. 'tcp ack' and 'tcp acks' are the same thing.

4. It is strange that on your output interface you have such traffic
on the interactive class. If this traffic is the tcp acks of the
download, they should be on the tcpack class. I hope this will be
fixed by setting the correct qdisc.


So, because of point 2, it is impossible to distinguish between normal
web traffic from other PCs and your NAS. fq_codel will help but it
won't solve the problem completely.

Another idea would be to use marks to separate nas traffic from other
traffic. This however does not work without the act_connmark kernel
module (which by default is only available in openwrt).

Let me think...

Do you masquerade or snat traffic in firehol?

When you masquerade or snat traffic, what you actually do is that you
map 192.168.2.11:PORT1 (or any local IP) to your PUBLIC_IP:PORT2.

You could use masquerade or snat to have your NAS use 60000-64999 for
PORT2, while all your other PCs use 20000-59999. This way you could
apply qos on the inbound direction by just examining your port range.

I will try to do this with firehol and fireqos later today and come
back with the statements you should use.

Costa




On Mon, Feb 2, 2015 at 2:31 PM, AM <stuff at kr33.de> wrote:
> Hi,
>
> I have already spent hours on reading and testing tc.
> But now I'm at a point where I have to ask here for any hints.
>
> Basically I want to shape my input and output traffic.
> I have one nas server which handles large downloads. I want that nas to have
> a low priority, so that if I start a download on a normal client in the
> network this client gets most of the bandwidth.
> But I can't get this to work. Here is my fireqos.conf:
> ####################################
> DEVICE=eth0
> INPUT_SPEED=14300kbit
> OUTPUT_SPEED=2400kbit
> LINKTYPE="adsl remote bridged-llc mtu 1492"
>
> interface $DEVICE dsl-in input rate $INPUT_SPEED $LINKTYPE qdisc htb
>     # Incoming traffic Internet --> LAN
>     class interactive commit 1000kbit
>         match udp port 53                    # DNS
>         match tcp port 22                    # SSH
>         match icmp
>
>     class tcpack commit 2000kbit
>         match tcp syn
>         match tcp ack
>         match tcp acks
>
>     class web-http commit 7500kbit
>         match tcp sports 80,443    prio 20         # http(s)
>
>     class default commit 2500kbit
>
>     class lowprio commit 1% max 80% prio 7
>         match4 dst 192.168.2.11 prio 10        # debsrv
>
>
> interface $DEVICE dsl-out output rate $OUTPUT_SPEED $LINKTYPE qdisc htb
>     # Outgoing traffic LAN --> Internet
>     class interactive commit 200kbit
>         match udp port 53                    # DNS
>         match tcp port 22                    # SSH
>         match icmp
>
>     class tcpack commit 400kbit
>         match tcp syn
>         match tcp ack
>         match tcp acks
>
>     class web-http commit 1100kbit
>         match tcp dports 80,443 prio 20        # http(s)
>
>     class default commit 600kbit
>
>     class lowprio commit 1% max 80% prio 7
>         match4 src 192.168.2.11 prio 10     # debsrv
> ####################################
>
> If I now start downloading on both hosts with e.g. wget
> http://cdimage.debian.org/debian-cd/7.8.0/amd64/iso-dvd/debian-7.8.0-amd64-DVD-2.iso
> I get the following stats:
>
>
> Class Utilization on dsl-in (eth0 input => eth0-ifb) - values in Kbit/s
>  TOTAL intera tcpack web-ht defaul lowpri
>  14552      -      -   6069      3   8480
>  14116      1      -   5418      -   8697
>  14139      -      -   6011      1   8127
>  14422      -      -   6078      -   8344
>  14281      -      -   5299      -   8982
>  14264      3      -   5521      -   8739
>  14277      -      -   5252      1   9024
>  14201      -      -   4798      1   9403
>  14288      -      -   4762      1   9525
>  14227      -      -   4988      -   9253
>  14293      -      -   6318     11   7951
>  14327      -      -   6905    142   7281
>  14219      -      -   6988      -   7232
>  14133      -      -   7172      -   6960
>  14347      -      -   7196      -   7151
>  14390      -      -   7048      1   7340
>  14203      1      -   7024      1   7177
>  14289      1      -   6979      -   7309
>  14272      1      4   6852     12   7403
>  14304      3      -   6385      -   7916
>
> ==> lowprio is getting much more bandwidth... why?
> Can anyone help me out / explain why it is behaving like this?
>
> Outgoing everything works like expected.
> (Used scp to upload a file to remote server)
>
>  Class Utilization on dsl-out (eth0 output => eth0) - values in Kbit/s
>  TOTAL intera tcpack web-ht defaul lowpri
>   2674   2619      -     28      -     27
>   2432   2379      -     25      -     27
>   2524   2483      -     14      -     27
>   2515   2462      -     25      -     27
>   2527   2490      -     24      -     14
>   2501   2458      -     14      1     27
>   2520   2476      -     17      -     27
>   2551   2509      -     14      -     27
>   2514   2463      -     25      -     27
>   2532   2479      -     25      1     27
>   2514   2474      -     13      -     27
>   2512   2469      2     27      1     14
>   2531   2323     70     25     86     27
>   2546   2490      -     29      -     27
>   2505   2463      -     15      -     27
>   2534   2479      1     25      1     27
>   2519   2440      -     52      -     27
>   2550   2491      -     31      -     27
>   2511   2476      -     22      -     14
>   2511   2449      5     22      7     27
>
> Thanks!
>
> Regards
> Andreas
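
The port-range idea from the reply, sketched at the iptables level as an added example; it is not from the thread and not the FireHOL/FireQOS statements Costa said he would send. The interface name and NAS address are taken from the quoted config; the use of MASQUERADE with `--to-ports`, the rule order and the FireQOS `match` lines are assumptions of this sketch.

```sh
#!/bin/sh
# Added example (not from the thread): give the NAS its own SNAT source-port
# range so the inbound shaper can tell its downloads apart by destination port.
WAN_IF=eth0               # DEVICE in the quoted fireqos.conf
NAS_IP=192.168.2.11       # the NAS ("debsrv") in the quoted config
NAS_PORTS=60000-64999     # PORT2 range suggested for the NAS
OTHER_PORTS=20000-59999   # PORT2 range suggested for all other PCs

# Print the NAT rules in the order they must be appended: iptables stops at the
# first matching rule, so the NAS rule has to precede the catch-all per protocol.
snat_rules() {
    for proto in tcp udp; do
        echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $NAS_IP -p $proto -j MASQUERADE --to-ports $NAS_PORTS"
        echo "iptables -t nat -A POSTROUTING -o $WAN_IF -p $proto -j MASQUERADE --to-ports $OTHER_PORTS"
    done
    # Protocols without ports (icmp etc.) still need plain masquerading.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# What the ingress classifier can decide from the packet alone: before the
# reply is de-NATed its destination is PUBLIC_IP:PORT2, so only PORT2 helps.
class_for_dport() {
    lo=${NAS_PORTS%-*}
    hi=${NAS_PORTS#*-}
    if [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]; then
        echo lowprio
    else
        echo other
    fi
}

# Assumed FireQOS counterpart for the lowprio class on dsl-in (range written
# with ':'; check fireqos-match for your version before using it).
fireqos_matches() {
    range="${NAS_PORTS%-*}:${NAS_PORTS#*-}"
    echo "match tcp dports $range"
    echo "match udp dports $range"
}

snat_rules        # review the output, then pipe it to 'sh' as root to apply
fireqos_matches
```

If FireHOL already installs its own masquerade rule, these rules have to take its place rather than be appended after it, since the first matching NAT rule wins.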


