[Firehol-support] FireQOS: need help with input traffic shaping

AM stuff at kr33.de
Mon Feb 2 17:20:54 GMT 2015


Hi Costa,

Thanks for your reply!

1. Ok, I will remove the "qdisc htb" line and try again, if that is what 
you meant?

2. I do masquerading and it is configured like this:
Outside is eth0 with ip 192.168.2.10/24 - Internal LAN is 10.0.0.0/24 
which is masqueraded to 192.168.2.10.
Then I have eth0:1 with ip 192.168.2.11/24 - all outgoing requests from 
my nas (10.0.0.254) get masqueraded to 192.168.2.11
And as seen in the status output it is working, as traffic gets 
associated with the right class. (Checked with iptraf on eth0 too)

3. Ok, will remove the acks and just leave ack.

4. Yes I also noticed that and was wondering why there is barely 
anything in the tcpack class... but no idea why?

Will report back once I had the chance to test your suggestions!
Thanks!

Andreas

Tsaousis, Costa wrote:
> Hi Andreas,
>
> I can see the following problems on your config:
>
> 1. There is no htb qdisc. Let FireQOS select the default (fq_codel
> or sfq). fq_codel will be of great help on your setup. Make sure your
> kernel supports it.
>
> 2. On the lowprio class you match a private IP on the public
> interface. This cannot be done. On the public interface there are only
> public IPs. This is your key problem.
>
> 3. 'tcp ack' and 'tcp acks' is the same thing.
>
> 4. It is strange that on your output interface you have such traffic
> on the interactive class. If this traffic is the tcp acks of the
> download, they should be on the tcpack class. I hope this will be
> fixed by setting the correct qdisc.
>
>
> So, because of point 2, it is impossible to distinguish between normal
> web traffic from other PCs and your NAS. fq_codel will help but it
> won't solve the problem completely.
>
> Another idea would be to use marks to separate nas traffic from other
> traffic. This however does not work without the act_connmark kernel
> module (which by default is only available in openwrt).
>
> Let me think...
>
> Do you masquerade or snat traffic in firehol?
>
> When you masquerade or snat traffic, what you actually do is that you
> map 192.168.2.11:PORT1 (or any local IP) to your PUBLIC_IP:PORT2.
>
> You could use masquerade or snat to have your NAS use 60000-64999 for
> PORT2, while all your other PCs use 20000-59999. This way you could
> apply qos on the inbound direction by just examining your port range.
>
> I will try to do this with firehol and fireqos later today and come
> back with the statements you should use.
>
> Costa
>
>
>
>
> On Mon, Feb 2, 2015 at 2:31 PM, AM<stuff at kr33.de>  wrote:
>> Hi,
>>
>> I have already spent hours on reading and testing tc.
>> But now I'm at a point where I have to ask here for any hints.
>>
>> Basically I want to shape my input and output traffic.
>> I have one nas server which handles large downloads. I want that nas to have
>> a low priority, so that if I start a download on a normal client in the
>> network this client gets most of the bandwidth.
>> But I can't get this to work. Here is my fireqos.conf:
>> ####################################
>> DEVICE=eth0
>> INPUT_SPEED=14300kbit
>> OUTPUT_SPEED=2400kbit
>> LINKTYPE="adsl remote bridged-llc mtu 1492"
>>
>> interface $DEVICE dsl-in input rate $INPUT_SPEED $LINKTYPE qdisc htb
>>      # Incoming traffic Internet -->  LAN
>>      class interactive commit 1000kbit
>>          match udp port 53                    # DNS
>>          match tcp port 22                    # SSH
>>          match icmp
>>
>>      class tcpack commit 2000kbit
>>          match tcp syn
>>          match tcp ack
>>          match tcp acks
>>
>>      class web-http commit 7500kbit
>>          match tcp sports 80,443    prio 20         # http(s)
>>
>>      class default commit 2500kbit
>>
>>      class lowprio commit 1% max 80% prio 7
>>          match4 dst 192.168.2.11 prio 10        # debsrv
>>
>>
>> interface $DEVICE dsl-out output rate $OUTPUT_SPEED $LINKTYPE qdisc htb
>>      # Outgoing traffic LAN -->  Internet
>>      class interactive commit 200kbit
>>          match udp port 53                    # DNS
>>          match tcp port 22                    # SSH
>>          match icmp
>>
>>      class tcpack commit 400kbit
>>          match tcp syn
>>          match tcp ack
>>          match tcp acks
>>
>>      class web-http commit 1100kbit
>>          match tcp dports 80,443 prio 20        # http(s)
>>
>>      class default commit 600kbit
>>
>>      class lowprio commit 1% max 80% prio 7
>>          match4 src 192.168.2.11 prio 10     # debsrv
>> ####################################
>>
>> If I now start downloading on both hosts with e.g. wget
>> http://cdimage.debian.org/debian-cd/7.8.0/amd64/iso-dvd/debian-7.8.0-amd64-DVD-2.iso
>> I get the following stats:
>>
>>
>> Class Utilization on dsl-in (eth0 input =>  eth0-ifb) - values in Kbit/s
>>   TOTAL intera tcpack web-ht defaul lowpri
>>   14552      -      -   6069      3   8480
>>   14116      1      -   5418      -   8697
>>   14139      -      -   6011      1   8127
>>   14422      -      -   6078      -   8344
>>   14281      -      -   5299      -   8982
>>   14264      3      -   5521      -   8739
>>   14277      -      -   5252      1   9024
>>   14201      -      -   4798      1   9403
>>   14288      -      -   4762      1   9525
>>   14227      -      -   4988      -   9253
>>   14293      -      -   6318     11   7951
>>   14327      -      -   6905    142   7281
>>   14219      -      -   6988      -   7232
>>   14133      -      -   7172      -   6960
>>   14347      -      -   7196      -   7151
>>   14390      -      -   7048      1   7340
>>   14203      1      -   7024      1   7177
>>   14289      1      -   6979      -   7309
>>   14272      1      4   6852     12   7403
>>   14304      3      -   6385      -   7916
>>
>> ==>  lowprio is getting much more bandwidth... why?
>> Can anyone help me out / explain why it is behaving like this?
>>
>> Outgoing everything works like expected.
>> (Used scp to upload a file to remote server)
>>
>>   Class Utilization on dsl-out (eth0 output =>  eth0) - values in Kbit/s
>>   TOTAL intera tcpack web-ht defaul lowpri
>>    2674   2619      -     28      -     27
>>    2432   2379      -     25      -     27
>>    2524   2483      -     14      -     27
>>    2515   2462      -     25      -     27
>>    2527   2490      -     24      -     14
>>    2501   2458      -     14      1     27
>>    2520   2476      -     17      -     27
>>    2551   2509      -     14      -     27
>>    2514   2463      -     25      -     27
>>    2532   2479      -     25      1     27
>>    2514   2474      -     13      -     27
>>    2512   2469      2     27      1     14
>>    2531   2323     70     25     86     27
>>    2546   2490      -     29      -     27
>>    2505   2463      -     15      -     27
>>    2534   2479      1     25      1     27
>>    2519   2440      -     52      -     27
>>    2550   2491      -     31      -     27
>>    2511   2476      -     22      -     14
>>    2511   2449      5     22      7     27
>>
>> Thanks!
>>
>> Regards
>> Andreas
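
Added example, not part of the thread and not Costa's or the FireHOL project's own statements: the port-range idea from the quoted reply, written as iptables SNAT rules plus a FireQOS match for the input interface, with a small classifier showing why an address match cannot separate the NAS there while a port match can. PUBLIC_IP, the sample packets, the function names and the use of a from:to port range in the FireQOS match are assumptions.

```shell
#!/bin/sh
# Added example; not from the thread. The port ranges are the ones Costa
# proposed; PUBLIC_IP and the sample packets are constructed.
WAN_IF=eth0
PUBLIC_IP=203.0.113.10        # placeholder address (documentation range)
LAN_NET=10.0.0.0/24
NAS_IP=10.0.0.254
NAS_PORTS=60000-64999         # PORT2 range reserved for the NAS
LAN_PORTS=20000-59999         # PORT2 range for every other host

# Print the SNAT rules. The NAS rule goes first: the nat chain stops at the
# first matching rule and the NAS is also inside LAN_NET. A port range in
# --to-source is only accepted together with -p tcp or -p udp.
snat_rules() {
    for proto in tcp udp; do
        echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $NAS_IP -p $proto -j SNAT --to-source $PUBLIC_IP:$NAS_PORTS"
        echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -p $proto -j SNAT --to-source $PUBLIC_IP:$LAN_PORTS"
    done
}

# Print the lowprio class for the FireQOS input interface. Inbound replies
# are addressed to PUBLIC_IP:PORT2, so the destination port marks the NAS.
# (The from:to range form in the match line is an assumption.)
fireqos_class() {
    lo=${NAS_PORTS%-*}; hi=${NAS_PORTS#*-}
    printf '    class lowprio commit 1%% max 80%% prio 7\n'
    printf '        match tcp dports %s:%s\n' "$lo" "$hi"
}

# Classify one inbound packet both ways. Args: dst_ip dst_port.
# Prints "<class by LAN address> <class by port range>". Ingress shaping
# sees the packet before NAT is reversed, so dst_ip is never NAS_IP.
classify_inbound() {
    lo=${NAS_PORTS%-*}; hi=${NAS_PORTS#*-}
    by_ip=default; by_port=default
    if [ "$1" = "$NAS_IP" ]; then by_ip=lowprio; fi
    if [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ]; then by_port=lowprio; fi
    echo "$by_ip $by_port"
}

snat_rules
fireqos_class
# Constructed inbound packets as they arrive on $WAN_IF:
classify_inbound "$PUBLIC_IP" 61234    # reply to a NAS download
classify_inbound "$PUBLIC_IP" 34567    # reply to a desktop download
```

The script only prints the rules and the class; nothing is applied to the running firewall or qdisc.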


