[Firehol-support] FireQOS: need help with input traffic shaping
Tsaousis, Costa
costa at tsaousis.gr
Mon Feb 2 19:46:00 GMT 2015
Andreas,
I think you should avoid the double snat/masquerade. It might not be a
problem, but it is not a good thing either. If you can add a static
route on your dsl router for 10.0.0.0/24 via your linux, you could
remove the snat / masquerade from linux. Then you could directly match
the real nas IP.
Anyway, try the following. I sorted the classes based on the match
statements (so that syn/ack even from the nas will go to the tcpack
class):
interface $DEVICE dsl-in input rate $INPUT_SPEED $LINKTYPE
    class interactive commit 1000kbit
        match udp port 53 # DNS
        match tcp port 22 # SSH
        match icmp
    class tcpack commit 2000kbit
        match tcp syn
        match tcp ack
    class lowprio prio 7 # <<< prio 7 is the last, but the class is
                         #     placed here only for its match statement
        match4 dst 192.168.2.11
    class web-http commit 7500kbit
        match tcp sports 80,443
    class default commit 2500kbit
or this (tcp/ack from nas will not go to the tcp/ack class, but
directly to lowprio, which might give you a better performance when
the nas is downloading full speed):
interface $DEVICE dsl-in input rate $INPUT_SPEED $LINKTYPE
    class interactive commit 1000kbit
        match udp port 53 # DNS
        match tcp port 22 # SSH
        match icmp
    class tcpack commit 2000kbit
        match tcp syn
        match tcp ack
    class web-http commit 7500kbit
        match tcp sports 80,443
    class default commit 2500kbit
    class lowprio
        match4 dst 192.168.2.11 prio 1 # <<< this will be the first
                                       #     match executed for this interface
Also, please paste back the headers of the fireqos status printout. I
need to see the priorities fireqos uses.
On Mon, Feb 2, 2015 at 7:40 PM, AM <stuff at kr33.de> wrote:
> Hi again,
>
> Okay tested the modifications
>
> 1. Removed the qdisc htb statement, fq_codel is now used.
>
> 4. I added prio 1 to the match lines for tcp ack and syn, they now show up in
> the right class! :)
>
> This is the input status now:
>
> Class Utilization on dsl-in (eth0 input => eth0-ifb) - values in Kbit/s
> TOTAL intera tcpack web-ht defaul lowpri
> 14423      -      -   7436      -   6988
> 14250      -      -   7222      -   7028
> 14299      -      -   6971      1   7327
> 14249      -      -   7437      -   6811
> 14460      -      -   7608      -   6852
> 14205      -      -   7774      -   6431
> 14324      -      -   7863      2   6458
> 14443      -      -   7549      1   6893
> 14223      -      3   7354      -   6865
> 14472      -      1   8080      -   6391
> 14385      -      1   7191      -   7192
> 14379      -      -   7324      -   7055
> 14316      -      -   6432      -   7884
> 14152      -      -   6768      3   7381
> 14487      3      -   6560      -   7924
> 14263      -      -   6516      -   7747
> 14304      -      -   6663      2   7639
> 14299      -      1   6537      -   7761
> 14157      -      -   6274      -   7883
> 14570      -      2   5722      -   8846
>
>
> Class Utilization on dsl-out (eth0 output => eth0) - values in Kbit/s
> TOTAL intera tcpack web-ht defaul lowpri
>   473      3    444     25      -      2
>   561      3    536     22      1      -
>   534      4    529      -      -      1
>   510      1    487     22      -      -
>   633      1    502     33      -     97
>   526      -    526      -      -      -
>   522      -    520      -      2      -
>   495      -    407      5      -     83
>   488      -    409      -      -     79
>   464      -    400     64      -      -
>   554      -    506     47      -      -
>
> Download seems to be split up 50:50, I can live with that if there is no
> other solution.
> But a 90:10 split would be nicer, if this is even possible with ingress
> traffic?
>
> Thanks for your help!
> Andreas
>
> AM schrieb:
>
>> Hi Costa,
>>
>> Thanks for your reply!
>>
>> 1. Ok, I will remove the "qdisc htb" line and try again, if that is what
>> you meant?
>>
>> 2. I do masquerading and it is configured like this:
>> Outsite is eth0 with ip 192.168.2.10/24 - Internal LAN is 10.0.0.0/24
>> which is masqueraded to 192.168.2.10.
>> Then I have eth0:1 with ip 192.168.2.11/24 - all outgoing requests from my
>> nas (10.0.0.254) get masqueraded to 192.168.2.11
>> And as seen in the status output it is working, as traffic gets associated
>> with the right class. (Checked with iptraf on eth0 too)
>>
>> 3. Ok, will remove the acks and just leave ack.
>>
>> 4. Yes I also noticed that and was wondering why there is barely anything
>> in the tcpack class... but no idea why?
>>
>> Will report back once I had the chance to test your suggestions!
>> Thanks!
>>
>> Andreas
>>
>> Tsaousis, Costa schrieb:
>>>
>>> Hi Andreas,
>>>
>>> I can see the following problems on your config:
>>>
>>> 1. There is no htb qdisc. Let FireQOS select the default (fq_codel
>>> or sfq). fq_codel will be of great help on your setup. Make sure your
>>> kernel supports it.
>>>
>>> 2. On the lowprio class you match a private IP on the public
>>> interface. This cannot be done. On the public interface there are only
>>> public IPs. This is your key problem.
>>>
>>> 3. 'tcp ack' and 'tcp acks' are the same thing.
>>>
>>> 4. It is strange that on your output interface you have such traffic
>>> on the interactive class. If this traffic is the tcp acks of the
>>> download, they should be on the tcpack class. I hope this will be
>>> fixed by setting the correct qdisc.
>>>
>>>
>>> So, because of point 2, it is impossible to distinguish between normal
>>> web traffic from other PCs and your NAS. fq_codel will help but it
>>> won't solve the problem completely.
>>>
>>> Another idea would be to use marks to separate nas traffic from other
>>> traffic. This however does not work without the act_connmark kernel
>>> module (which by default is only available in openwrt).
>>>
>>> Let me think...
>>>
>>> Do you masquerade or snat traffic in firehol?
>>>
>>> When you masquerade or snat traffic, what you actually do is that you
>>> map 192.168.2.11:PORT1 (or any local IP) to your PUBLIC_IP:PORT2.
>>>
>>> You could use masquerade or snat to have your NAS use 60000-64999 for
>>> PORT2, while all your other PCs use 20000-59999. This way you could
>>> apply qos on the inbound direction by just examining your port range.
>>>
>>> I will try to do this with firehol and fireqos later today and come
>>> back with the statements you should use.
>>>
>>> Costa
>>>
>>>
>>>
>>>
>>> On Mon, Feb 2, 2015 at 2:31 PM, AM <stuff at kr33.de> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I already spent hours on reading and testing tc.
>>>> But now I'm at a point where I have to ask here for any hints.
>>>>
>>>> Basically I want to shape my input and output traffic.
>>>> I have one nas server which handles large downloads. I want that nas to
>>>> have a low priority, so that if I start a download on a normal client in
>>>> the network this client gets most of the bandwidth.
>>>> But I can't get this to work. Here is my fireqos.conf:
>>>> ####################################
>>>> DEVICE=eth0
>>>> INPUT_SPEED=14300kbit
>>>> OUTPUT_SPEED=2400kbit
>>>> LINKTYPE="adsl remote bridged-llc mtu 1492"
>>>>
>>>> interface $DEVICE dsl-in input rate $INPUT_SPEED $LINKTYPE qdisc htb
>>>>     # Incoming traffic Internet --> LAN
>>>>     class interactive commit 1000kbit
>>>>         match udp port 53 # DNS
>>>>         match tcp port 22 # SSH
>>>>         match icmp
>>>>
>>>>     class tcpack commit 2000kbit
>>>>         match tcp syn
>>>>         match tcp ack
>>>>         match tcp acks
>>>>
>>>>     class web-http commit 7500kbit
>>>>         match tcp sports 80,443 prio 20 # http(s)
>>>>
>>>>     class default commit 2500kbit
>>>>
>>>>     class lowprio commit 1% max 80% prio 7
>>>>         match4 dst 192.168.2.11 prio 10 # debsrv
>>>>
>>>>
>>>> interface $DEVICE dsl-out output rate $OUTPUT_SPEED $LINKTYPE qdisc htb
>>>>     # Outgoing traffic LAN --> Internet
>>>>     class interactive commit 200kbit
>>>>         match udp port 53 # DNS
>>>>         match tcp port 22 # SSH
>>>>         match icmp
>>>>
>>>>     class tcpack commit 400kbit
>>>>         match tcp syn
>>>>         match tcp ack
>>>>         match tcp acks
>>>>
>>>>     class web-http commit 1100kbit
>>>>         match tcp dports 80,443 prio 20 # http(s)
>>>>
>>>>     class default commit 600kbit
>>>>
>>>>     class lowprio commit 1% max 80% prio 7
>>>>         match4 src 192.168.2.11 prio 10 # debsrv
>>>> ####################################
>>>>
>>>> If I now start downloading on both hosts with e.g. wget
>>>>
>>>> http://cdimage.debian.org/debian-cd/7.8.0/amd64/iso-dvd/debian-7.8.0-amd64-DVD-2.iso
>>>> I get the following stats:
>>>>
>>>>
>>>> Class Utilization on dsl-in (eth0 input => eth0-ifb) - values in Kbit/s
>>>> TOTAL intera tcpack web-ht defaul lowpri
>>>> 14552      -      -   6069      3   8480
>>>> 14116      1      -   5418      -   8697
>>>> 14139      -      -   6011      1   8127
>>>> 14422      -      -   6078      -   8344
>>>> 14281      -      -   5299      -   8982
>>>> 14264      3      -   5521      -   8739
>>>> 14277      -      -   5252      1   9024
>>>> 14201      -      -   4798      1   9403
>>>> 14288      -      -   4762      1   9525
>>>> 14227      -      -   4988      -   9253
>>>> 14293      -      -   6318     11   7951
>>>> 14327      -      -   6905    142   7281
>>>> 14219      -      -   6988      -   7232
>>>> 14133      -      -   7172      -   6960
>>>> 14347      -      -   7196      -   7151
>>>> 14390      -      -   7048      1   7340
>>>> 14203      1      -   7024      1   7177
>>>> 14289      1      -   6979      -   7309
>>>> 14272      1      4   6852     12   7403
>>>> 14304      3      -   6385      -   7916
>>>>
>>>> ==> lowprio is getting much more bandwidth... why?
>>>> Can anyone help me out / explain why it is behaving like this?
>>>>
>>>> Outgoing everything works like expected.
>>>> (Used scp to upload a file to remote server)
>>>>
>>>> Class Utilization on dsl-out (eth0 output => eth0) - values in Kbit/s
>>>> TOTAL intera tcpack web-ht defaul lowpri
>>>>  2674   2619      -     28      -     27
>>>>  2432   2379      -     25      -     27
>>>>  2524   2483      -     14      -     27
>>>>  2515   2462      -     25      -     27
>>>>  2527   2490      -     24      -     14
>>>>  2501   2458      -     14      1     27
>>>>  2520   2476      -     17      -     27
>>>>  2551   2509      -     14      -     27
>>>>  2514   2463      -     25      -     27
>>>>  2532   2479      -     25      1     27
>>>>  2514   2474      -     13      -     27
>>>>  2512   2469      2     27      1     14
>>>>  2531   2323     70     25     86     27
>>>>  2546   2490      -     29      -     27
>>>>  2505   2463      -     15      -     27
>>>>  2534   2479      1     25      1     27
>>>>  2519   2440      -     52      -     27
>>>>  2550   2491      -     31      -     27
>>>>  2511   2476      -     22      -     14
>>>>  2511   2449      5     22      7     27
>>>>
>>>> Thanks!
>>>>
>>>> Regards
>>>> Andreas
>>>> _______________________________________________
>>>> Firehol-support mailing list
>>>> Firehol-support at lists.firehol.org
>>>> http://lists.firehol.org/mailman/listinfo/firehol-support
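To make the ordering argument in Costa's reply concrete, here is an added example (not code from the thread or from FireQOS itself) that models FireQOS's first-match classification in Python and compares his two suggested orderings, plus the SNAT port-range variant he sketches earlier in the thread. The packet model, the sample packets, the 60000-64999 port range mapping and the `pure_ack` flag standing in for `tcp syn`/`tcp ack` are constructed simplifications; real tc filter semantics are richer.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str              # "tcp", "udp" or "icmp"
    dst: str                # destination IP as seen on eth0 (after the router's NAT)
    sport: int = 0
    dport: int = 0
    pure_ack: bool = False  # simplification: a syn/ack control segment without payload

NAS = "192.168.2.11"        # the NAS's masqueraded address from the thread

# FireQOS match statements modelled as (class, predicate) pairs.
interactive = ("interactive", lambda p: p.proto == "icmp"
               or (p.proto == "udp" and 53 in (p.sport, p.dport))
               or (p.proto == "tcp" and 22 in (p.sport, p.dport)))
tcpack = ("tcpack", lambda p: p.proto == "tcp" and p.pure_ack)
lowprio_ip = ("lowprio", lambda p: p.dst == NAS)
web_http = ("web-http", lambda p: p.proto == "tcp" and p.sport in (80, 443))
# Costa's SNAT idea: NAS masqueraded to source ports 60000-64999, other PCs to
# 20000-59999, so ingress replies can be told apart by destination port alone.
lowprio_port = ("lowprio", lambda p: 60000 <= p.dport <= 64999)

# First suggested ordering: lowprio's match sits between tcpack and web-http.
ORDER_A = [interactive, tcpack, lowprio_ip, web_http]
# Second ordering: lowprio's match carries prio 1, so it is evaluated first.
ORDER_B = [lowprio_ip, interactive, tcpack, web_http]
# Port-range variant (assumed: ordering A with the IP match swapped out).
ORDER_PORTS = [interactive, tcpack, lowprio_port, web_http]

def classify(order, pkt):
    """First matching filter wins; anything unmatched falls into 'default'."""
    for name, test in order:
        if test(pkt):
            return name
    return "default"

# Constructed sample ingress packets (Internet -> eth0), not from the thread.
SAMPLES = {
    "nas_data": Pkt("tcp", NAS, sport=80, dport=61234),
    "nas_ack": Pkt("tcp", NAS, sport=80, dport=61234, pure_ack=True),
    "pc_data": Pkt("tcp", "192.168.2.10", sport=80, dport=43210),
    "pc_dns": Pkt("udp", "192.168.2.10", sport=53, dport=50000),
}

def compare():
    """Class each sample lands in under orderings A, B and the port-range one."""
    return {k: tuple(classify(o, p) for o in (ORDER_A, ORDER_B, ORDER_PORTS))
            for k, p in SAMPLES.items()}
```

Running `compare()` shows the one difference between the two orderings that Costa points out: the NAS's pure acks land in `tcpack` under ordering A but in `lowprio` under ordering B, while bulk data and other hosts' traffic classify the same either way.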