[Firehol-support] FireQOS: need help with input traffic shaping
AM
stuff at kr33.de
Mon Feb 2 21:57:16 GMT 2015
Hi Costa,
I know that the double snat isn't nice, but I can't avoid it since I have
to use the router provided by my ISP.
This box is a whole load full of crap... if there was any possibility to
add static routes I would have done so, but there isn't.
Here are the headers:
root at router ~ # fireqos status dsl-in
FireQOS 2.0.0
(C) 2013-2014 Costa Tsaousis, GPL
dsl-in: eth0 input => eth0-ifb, type: adsl, overhead: 18
Rate: 14300Kbit/s, min: 143Kbit/s
Values in Kbit/s
CLASS     intera  tcpack  web-ht  defaul  lowpri
CLASSI      1:11    1:12    1:13  1:5000    1:15
COMMIT      1000    2000    7500    2500     143
MAX        14300   14300   14300   14300   11440
PRIORI         0       1       2       3       7
QDISC     fq_cod  fq_cod  fq_cod  fq_cod  fq_cod
Thank you very much for all your efforts and your great work on FireQOS!
Tsaousis, Costa wrote:
> Andreas,
>
> I think you should avoid the double snat/masquerade. It might not be a
> problem, but it is not a good thing either. If you can add a static
> route on your dsl router for 10.0.0.0/24 via your linux, you could
> remove the snat / masquerade from linux. Then you could directly match
> the real nas IP.
>
> Anyway, try the following. I sorted the classes based on the match
> statements (so that syn/ack even from the nas will go to the tcpack
> class):
>
> interface $DEVICE dsl-in input rate $INPUT_SPEED $LINKTYPE
>
> class interactive commit 1000kbit
> match udp port 53 # DNS
> match tcp port 22 # SSH
> match icmp
>
> class tcpack commit 2000kbit
> match tcp syn
> match tcp ack
>
> class lowprio prio 7 #<<< prio 7 is the last, but the class is placed here only for its match statement
> match4 dst 192.168.2.11
>
> class web-http commit 7500kbit
> match tcp sports 80,443
>
> class default commit 2500kbit
>
>
>
>
> or this (tcp/ack from nas will not go to the tcp/ack class, but
> directly to lowprio, which might give you better performance when
> the nas is downloading at full speed):
>
> interface $DEVICE dsl-in input rate $INPUT_SPEED $LINKTYPE
>
> class interactive commit 1000kbit
> match udp port 53 # DNS
> match tcp port 22 # SSH
> match icmp
>
> class tcpack commit 2000kbit
> match tcp syn
> match tcp ack
>
> class web-http commit 7500kbit
> match tcp sports 80,443
>
> class default commit 2500kbit
>
> class lowprio
> match4 dst 192.168.2.11 prio 1 #<<< this will be the first match executed for this interface
>
> Also, please paste back the headers of the fireqos status printout. I
> need to see the priorities fireqos uses.
>
>
> On Mon, Feb 2, 2015 at 7:40 PM, AM<stuff at kr33.de> wrote:
>> Hi again,
>>
>> Okay tested the modifications
>>
>> 1. Removed the qdisc htb statement, fq_codel is now used.
>>
>> 4. I added prio 1 to the match lines for tcp ack and syn, they now show up in
>> the right class! :)
>>
>> This is the input status now:
>>
>> Class Utilization on dsl-in (eth0 input => eth0-ifb) - values in Kbit/s
>>  TOTAL  intera  tcpack  web-ht  defaul  lowpri
>>  14423       -       -    7436       -    6988
>>  14250       -       -    7222       -    7028
>>  14299       -       -    6971       1    7327
>>  14249       -       -    7437       -    6811
>>  14460       -       -    7608       -    6852
>>  14205       -       -    7774       -    6431
>>  14324       -       -    7863       2    6458
>>  14443       -       -    7549       1    6893
>>  14223       -       3    7354       -    6865
>>  14472       -       1    8080       -    6391
>>  14385       -       1    7191       -    7192
>>  14379       -       -    7324       -    7055
>>  14316       -       -    6432       -    7884
>>  14152       -       -    6768       3    7381
>>  14487       3       -    6560       -    7924
>>  14263       -       -    6516       -    7747
>>  14304       -       -    6663       2    7639
>>  14299       -       1    6537       -    7761
>>  14157       -       -    6274       -    7883
>>  14570       -       2    5722       -    8846
>>
>>
>> Class Utilization on dsl-out (eth0 output => eth0) - values in Kbit/s
>>  TOTAL  intera  tcpack  web-ht  defaul  lowpri
>>    473       3     444      25       -       2
>>    561       3     536      22       1       -
>>    534       4     529       -       -       1
>>    510       1     487      22       -       -
>>    633       1     502      33       -      97
>>    526       -     526       -       -       -
>>    522       -     520       -       2       -
>>    495       -     407       5       -      83
>>    488       -     409       -       -      79
>>    464       -     400      64       -       -
>>    554       -     506      47       -       -
>>
>> Download seems to be split up 50:50, I can live with that if there is no
>> other solution.
>> But a 90:10 split would be nicer, if this is even possible with ingress
>> traffic?
>>
>> Thanks for your help!
>> Andreas
>>
>> AM wrote:
>>
>>> Hi Costa,
>>>
>>> Thanks for your reply!
>>>
>>> 1. Ok, I will remove the "qdisc htb" line and try again, if that is what
>>> you meant?
>>>
>>> 2. I do masquerading and it is configured like this:
>>> Outside is eth0 with ip 192.168.2.10/24 - Internal LAN is 10.0.0.0/24
>>> which is masqueraded to 192.168.2.10.
>>> Then I have eth0:1 with ip 192.168.2.11/24 - all outgoing requests from my
>>> nas (10.0.0.254) get masqueraded to 192.168.2.11
>>> And as seen in the status output it is working, as traffic gets associated
>>> with the right class. (Checked with iptraf on eth0 too)
>>>
>>> 3. Ok, will remove the acks and just leave ack.
>>>
>>> 4. Yes I also noticed that and was wondering why there is barely anything
>>> in the tcpack class... but no idea why?
>>>
>>> Will report back once I had the chance to test your suggestions!
>>> Thanks!
>>>
>>> Andreas
>>>
>>> Tsaousis, Costa wrote:
>>>> Hi Andreas,
>>>>
>>>> I can see the following problems on your config:
>>>>
>>>> 1. There is no htb qdisc. Let FireQOS select the default (fq_codel
>>>> or sfq). fq_codel will be of great help on your setup. Make sure your
>>>> kernel supports it.
>>>>
>>>> 2. On the lowprio class you match a private IP on the public
>>>> interface. This cannot be done. On the public interface there are only
>>>> public IPs. This is your key problem.
>>>>
>>>> 3. 'tcp ack' and 'tcp acks' is the same thing.
>>>>
>>>> 4. It is strange that on your output interface you have such traffic
>>>> on the interactive class. If this traffic is the tcp acks of the
>>>> download, they should be on the tcpack class. I hope this will be
>>>> fixed by setting the correct qdisc.
>>>>
>>>>
>>>> So, because of point 2, it is impossible to distinguish between normal
>>>> web traffic from other PCs and your NAS. fq_codel will help but it
>>>> won't solve the problem completely.
>>>>
>>>> Another idea would be to use marks to separate nas traffic from other
>>>> traffic. This however does not work without the act_connmark kernel
>>>> module (which by default is only available in openwrt).
>>>>
>>>> Let me think...
>>>>
>>>> Do you masquerade or snat traffic in firehol?
>>>>
>>>> When you masquerade or snat traffic, what you actually do is that you
>>>> map 192.168.2.11:PORT1 (or any local IP) to your PUBLIC_IP:PORT2.
>>>>
>>>> You could use masquerade or snat to have your NAS use 60000-64999 for
>>>> PORT2, while all your other PCs use 20000-59999. This way you could
>>>> apply qos on the inbound direction by just examining your port range.
>>>>
>>>> I will try to do this with firehol and fireqos later today and come
>>>> back with the statements you should use.
>>>>
>>>> Costa
>>>>
>>>>
>>>>
>>>>
>>>> On Mon, Feb 2, 2015 at 2:31 PM, AM<stuff at kr33.de> wrote:
>>>>> Hi,
>>>>>
>>>>> I have already spent hours reading and testing tc.
>>>>> But now I'm at a point where I have to ask here for any hints.
>>>>>
>>>>> Basically I want to shape my input and output traffic.
>>>>> I have one nas server which handles large downloads. I want that nas to
>>>>> have a low priority, so that if I start a download on a normal client in the
>>>>> network this client gets most of the bandwidth.
>>>>> But I can't get this to work. Here is my fireqos.conf:
>>>>> ####################################
>>>>> DEVICE=eth0
>>>>> INPUT_SPEED=14300kbit
>>>>> OUTPUT_SPEED=2400kbit
>>>>> LINKTYPE="adsl remote bridged-llc mtu 1492"
>>>>>
>>>>> interface $DEVICE dsl-in input rate $INPUT_SPEED $LINKTYPE qdisc htb
>>>>> # Incoming traffic Internet --> LAN
>>>>> class interactive commit 1000kbit
>>>>> match udp port 53 # DNS
>>>>> match tcp port 22 # SSH
>>>>> match icmp
>>>>>
>>>>> class tcpack commit 2000kbit
>>>>> match tcp syn
>>>>> match tcp ack
>>>>> match tcp acks
>>>>>
>>>>> class web-http commit 7500kbit
>>>>> match tcp sports 80,443 prio 20 # http(s)
>>>>>
>>>>> class default commit 2500kbit
>>>>>
>>>>> class lowprio commit 1% max 80% prio 7
>>>>> match4 dst 192.168.2.11 prio 10 # debsrv
>>>>>
>>>>>
>>>>> interface $DEVICE dsl-out output rate $OUTPUT_SPEED $LINKTYPE qdisc htb
>>>>> # Outgoing traffic LAN --> Internet
>>>>> class interactive commit 200kbit
>>>>> match udp port 53 # DNS
>>>>> match tcp port 22 # SSH
>>>>> match icmp
>>>>>
>>>>> class tcpack commit 400kbit
>>>>> match tcp syn
>>>>> match tcp ack
>>>>> match tcp acks
>>>>>
>>>>> class web-http commit 1100kbit
>>>>> match tcp dports 80,443 prio 20 # http(s)
>>>>>
>>>>> class default commit 600kbit
>>>>>
>>>>> class lowprio commit 1% max 80% prio 7
>>>>> match4 src 192.168.2.11 prio 10 # debsrv
>>>>> ####################################
>>>>>
>>>>> If I now start downloading on both hosts with e.g. wget
>>>>>
>>>>> http://cdimage.debian.org/debian-cd/7.8.0/amd64/iso-dvd/debian-7.8.0-amd64-DVD-2.iso
>>>>> I get the following stats:
>>>>>
>>>>>
>>>>> Class Utilization on dsl-in (eth0 input => eth0-ifb) - values in Kbit/s
>>>>>  TOTAL  intera  tcpack  web-ht  defaul  lowpri
>>>>>  14552       -       -    6069       3    8480
>>>>>  14116       1       -    5418       -    8697
>>>>>  14139       -       -    6011       1    8127
>>>>>  14422       -       -    6078       -    8344
>>>>>  14281       -       -    5299       -    8982
>>>>>  14264       3       -    5521       -    8739
>>>>>  14277       -       -    5252       1    9024
>>>>>  14201       -       -    4798       1    9403
>>>>>  14288       -       -    4762       1    9525
>>>>>  14227       -       -    4988       -    9253
>>>>>  14293       -       -    6318      11    7951
>>>>>  14327       -       -    6905     142    7281
>>>>>  14219       -       -    6988       -    7232
>>>>>  14133       -       -    7172       -    6960
>>>>>  14347       -       -    7196       -    7151
>>>>>  14390       -       -    7048       1    7340
>>>>>  14203       1       -    7024       1    7177
>>>>>  14289       1       -    6979       -    7309
>>>>>  14272       1       4    6852      12    7403
>>>>>  14304       3       -    6385       -    7916
>>>>>
>>>>> ==> lowprio is getting much more bandwidth... why?
>>>>> Can anyone help me out / explain why it is behaving like this?
>>>>>
>>>>> Outgoing everything works like expected.
>>>>> (Used scp to upload a file to remote server)
>>>>>
>>>>> Class Utilization on dsl-out (eth0 output => eth0) - values in Kbit/s
>>>>>  TOTAL  intera  tcpack  web-ht  defaul  lowpri
>>>>>   2674    2619       -      28       -      27
>>>>>   2432    2379       -      25       -      27
>>>>>   2524    2483       -      14       -      27
>>>>>   2515    2462       -      25       -      27
>>>>>   2527    2490       -      24       -      14
>>>>>   2501    2458       -      14       1      27
>>>>>   2520    2476       -      17       -      27
>>>>>   2551    2509       -      14       -      27
>>>>>   2514    2463       -      25       -      27
>>>>>   2532    2479       -      25       1      27
>>>>>   2514    2474       -      13       -      27
>>>>>   2512    2469       2      27       1      14
>>>>>   2531    2323      70      25      86      27
>>>>>   2546    2490       -      29       -      27
>>>>>   2505    2463       -      15       -      27
>>>>>   2534    2479       1      25       1      27
>>>>>   2519    2440       -      52       -      27
>>>>>   2550    2491       -      31       -      27
>>>>>   2511    2476       -      22       -      14
>>>>>   2511    2449       5      22       7      27
>>>>>
>>>>> Thanks!
>>>>>
>>>>> Regards
>>>>> Andreas
>>>>> _______________________________________________
>>>>> Firehol-support mailing list
>>>>> Firehol-support at lists.firehol.org
>>>>> http://lists.firehol.org/mailman/listinfo/firehol-support
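The thread turns on one mechanism: FireQOS turns every `match` line into a tc filter, tc tries filters in ascending priority, and the first hit decides the class. The following Python model of that evaluation is an added example (not code from the thread, and not FireQOS's own code) that puts Andreas' original dsl-in config, his `prio 1` fix for the syn/ack matches, Costa's two orderings, and Costa's SNAT port-range idea side by side and classifies the same constructed inbound packets under each. Two assumptions are built in and marked in the code: matches without an explicit `prio` are evaluated after all explicit ones, in config order (FireQOS's real default numbering may differ), and `tcp ack` is taken to mean pure ACKs only (ACK flag set, no payload); the remote addresses (203.0.113.x) and ports are made up. Under those assumptions the model reproduces the empty tcpack column of the original config (pure ACKs are grabbed by the lowprio/web-http matches whose explicit prio 10/20 runs first), shows why Costa's second ordering sends the NAS's ACKs straight to lowprio, and shows that once the NAS is SNATed to a dedicated source-port range, inbound traffic can be classified on the destination port alone, without any private-IP match.

```python
"""Model of how FireQOS/tc pick a class for an inbound packet.

Added example, not code from the thread or from FireQOS. tc evaluates
filters in ascending priority and the first hit wins. A `match` with an
explicit `prio N` keeps N; the model ASSUMES matches without one run
afterwards, in config order. `tcp ack` is ASSUMED to mean pure ACKs.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

ROUTER_IP = "192.168.2.10"   # outside address of the linux router (LAN masqueraded to it)
NAS_ALIAS = "192.168.2.11"   # eth0:1 alias the NAS is masqueraded to
IMPLICIT_BASE = 1000         # assumption: base priority for matches without `prio`


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    payload: int = 0         # TCP payload bytes; 0 with ack=True is a pure ACK


@dataclass
class Match:
    cls: str                 # class that receives the packet on a hit
    test: Callable[[Packet], bool]
    prio: Optional[int] = None   # explicit `prio N` from the match line, if any


def classify(config: List[Match], pkt: Packet) -> str:
    """First-match evaluation in ascending tc priority; no hit -> default class."""
    def key(item):
        i, m = item
        return (m.prio if m.prio is not None else IMPLICIT_BASE + i, i)
    for _, m in sorted(enumerate(config), key=key):
        if m.test(pkt):
            return m.cls
    return "default"


# Match helpers for the fireqos keywords used in the thread.
def udp_port(p): return lambda k: k.proto == "udp" and p in (k.sport, k.dport)
def tcp_port(p): return lambda k: k.proto == "tcp" and p in (k.sport, k.dport)
def icmp(): return lambda k: k.proto == "icmp"
def tcp_syn(): return lambda k: k.proto == "tcp" and k.syn
def tcp_ack(): return lambda k: k.proto == "tcp" and k.ack and k.payload == 0  # pure ACK (assumption)
def tcp_sports(*ps): return lambda k: k.proto == "tcp" and k.sport in ps
def tcp_dports(lo, hi): return lambda k: k.proto == "tcp" and lo <= k.dport <= hi
def dst(ip): return lambda k: k.dst == ip


def head(ack_prio=None):
    """interactive + tcpack classes, identical in every config of the thread."""
    return [Match("interactive", udp_port(53)), Match("interactive", tcp_port(22)),
            Match("interactive", icmp()),
            Match("tcpack", tcp_syn(), ack_prio), Match("tcpack", tcp_ack(), ack_prio)]


# Andreas' original dsl-in: web-http prio 20, lowprio prio 10, tcpack implicit.
ORIGINAL = head() + [Match("web-http", tcp_sports(80, 443), 20), Match("lowprio", dst(NAS_ALIAS), 10)]
# Andreas' fix: prio 1 on the syn/ack matches.
FIXED = head(1) + [Match("web-http", tcp_sports(80, 443), 20), Match("lowprio", dst(NAS_ALIAS), 10)]
# Costa's first ordering: lowprio's match sits between tcpack and web-http, no explicit prios.
COSTA_A = head() + [Match("lowprio", dst(NAS_ALIAS)), Match("web-http", tcp_sports(80, 443))]
# Costa's second ordering: lowprio last in the file but `prio 1`, so it is tried first.
COSTA_B = head() + [Match("web-http", tcp_sports(80, 443)), Match("lowprio", dst(NAS_ALIAS), 1)]
# Port-range idea: NAS SNATed to source ports 60000-64999, so replies carry such a dport.
PORT_RANGE = head() + [Match("lowprio", tcp_dports(60000, 64999)), Match("web-http", tcp_sports(80, 443))]

# Constructed inbound packets (remote addresses from the RFC 5737 documentation range).
NAS_DATA = Packet("tcp", "203.0.113.5", NAS_ALIAS, 80, 61234, ack=True, payload=1400)
NAS_ACK = Packet("tcp", "203.0.113.5", NAS_ALIAS, 80, 61234, ack=True)
PC_DATA = Packet("tcp", "203.0.113.5", ROUTER_IP, 80, 34567, ack=True, payload=1400)
PC_ACK = Packet("tcp", "203.0.113.5", ROUTER_IP, 80, 34567, ack=True)
DNS_REPLY = Packet("udp", "203.0.113.53", ROUTER_IP, 53, 40000)

CONFIGS = {"original": ORIGINAL, "fixed": FIXED, "costa_a": COSTA_A,
           "costa_b": COSTA_B, "port_range": PORT_RANGE}
PACKETS = {"nas_data": NAS_DATA, "nas_ack": NAS_ACK, "pc_data": PC_DATA,
           "pc_ack": PC_ACK, "dns_reply": DNS_REPLY}


def table():
    """Class chosen for every (config, packet) pair."""
    return {c: {p: classify(cfg, pkt) for p, pkt in PACKETS.items()} for c, cfg in CONFIGS.items()}


if __name__ == "__main__":
    for name, row in table().items():
        print(f"{name:11} " + "  ".join(f"{p}={cls}" for p, cls in row.items()))
```

Running the file prints one line per config; the columns to compare against the thread are nas_ack (tcpack under costa_a, lowprio under costa_b) and pc_ack (web-http under the original config, tcpack once the syn/ack matches get prio 1). The model only predicts which class a packet lands in; whether that class then gets its share of the 14300Kbit/s is HTB's job, and the place to verify both on the real box remains `fireqos status dsl-in` as shown in the thread.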