[Firehol-support] FireQOS: need help with input traffic shaping

Tsaousis, Costa costa at tsaousis.gr
Mon Feb 2 22:35:47 GMT 2015


OK. Did the config I gave you fix the problem of traffic shaping?

By the way, I just committed to github a version of firehol that
allows setting ports on MASQUERADE (SNAT already had this
functionality).
So, for anyone interested, inbound traffic can be controlled with
FireQOS using this port-mapping. I have updated the wiki page
accordingly: https://github.com/ktsaou/firehol/wiki/FireQOS-Use-Scenarios

Costa

On Mon, Feb 2, 2015 at 11:57 PM, AM <stuff at kr33.de> wrote:
> Hi Costa,
>
> I know that the double snat isn't nice, but I can't avoid it since I have to
> use the router provided by my ISP.
> This box is a whole load full of crap... if there was any possibility to add
> static routes I would have done so, but there isn't.
>
> Here are the headers:
>
> root at router ~ # fireqos status dsl-in
> FireQOS 2.0.0
> (C) 2013-2014 Costa Tsaousis, GPL
>
>
> dsl-in: eth0 input => eth0-ifb, type: adsl, overhead: 18
> Rate: 14300Kbit/s, min: 143Kbit/s
> Values in Kbit/s
>
>  CLASS intera tcpack web-ht defaul lowpri
> CLASSI   1:11   1:12   1:13 1:5000   1:15
> COMMIT   1000   2000   7500   2500    143
>    MAX  14300  14300  14300  14300  11440
>
> PRIORI      0      1      2      3      7
>  QDISC fq_cod fq_cod fq_cod fq_cod fq_cod
>
> Thank you very much for all your efforts and your great work on FireQOS!
>
> Tsaousis, Costa wrote:
>
>> Andreas,
>>
>> I think you should avoid the double snat/masquerade. It might not be a
>> problem, but it is not a good thing either. If you can add a static
>> route on your dsl router for 10.0.0.0/24 via your linux, you could
>> remove the snat / masquerade from linux. Then you could directly match
>> the real nas IP.
>>
>> Anyway, try the following. I sorted the classes based on the match
>> statements (so that syn/ack even from the nas will go to the tcpack
>> class):
>>
>> interface $DEVICE dsl-in input rate $INPUT_SPEED $LINKTYPE
>>
>>      class interactive commit 1000kbit
>>          match udp port 53                    # DNS
>>          match tcp port 22                    # SSH
>>          match icmp
>>
>>      class tcpack commit 2000kbit
>>          match tcp syn
>>          match tcp ack
>>
>>      class lowprio prio 7 #<<<  prio 7 is the last, but the class is placed here only for its match statement
>>          match4 dst 192.168.2.11
>>
>>     class web-http commit 7500kbit
>>          match tcp sports 80,443
>>
>>      class default commit 2500kbit
>>
>>
>>
>>
>> or this (tcp/ack from nas will not go to the tcp/ack class, but
>> directly to lowprio, which might give you a better performance when
>> the nas is downloading full speed):
>>
>> interface $DEVICE dsl-in input rate $INPUT_SPEED $LINKTYPE
>>
>>      class interactive commit 1000kbit
>>          match udp port 53                    # DNS
>>          match tcp port 22                    # SSH
>>          match icmp
>>
>>      class tcpack commit 2000kbit
>>          match tcp syn
>>          match tcp ack
>>
>>     class web-http commit 7500kbit
>>          match tcp sports 80,443
>>
>>      class default commit 2500kbit
>>
>>      class lowprio
>>          match4 dst 192.168.2.11 prio 1 #<<<  this will be the first match executed for this interface
>>
>> Also, please paste back the headers of the fireqos status printout. I
>> need to see the priorities fireqos uses.
>>
>>
>> On Mon, Feb 2, 2015 at 7:40 PM, AM <stuff at kr33.de> wrote:
>>>
>>> Hi again,
>>>
>>> Okay, tested the modifications:
>>>
>>> 1. Removed the qdisc htb statement, fq_codel is now used.
>>>
>>> 4. I added prio 1 to the match lines for tcp ack and syn, they now show up
>>> in the right class! :)
>>>
>>> This is the input status now:
>>>
>>> Class Utilization on dsl-in (eth0 input =>  eth0-ifb) - values in Kbit/s
>>>   TOTAL intera tcpack web-ht defaul lowpri
>>>   14423      -      -   7436      -   6988
>>>   14250      -      -   7222      -   7028
>>>   14299      -      -   6971      1   7327
>>>   14249      -      -   7437      -   6811
>>>   14460      -      -   7608      -   6852
>>>   14205      -      -   7774      -   6431
>>>   14324      -      -   7863      2   6458
>>>   14443      -      -   7549      1   6893
>>>   14223      -      3   7354      -   6865
>>>   14472      -      1   8080      -   6391
>>>   14385      -      1   7191      -   7192
>>>   14379      -      -   7324      -   7055
>>>   14316      -      -   6432      -   7884
>>>   14152      -      -   6768      3   7381
>>>   14487      3      -   6560      -   7924
>>>   14263      -      -   6516      -   7747
>>>   14304      -      -   6663      2   7639
>>>   14299      -      1   6537      -   7761
>>>   14157      -      -   6274      -   7883
>>>   14570      -      2   5722      -   8846
>>>
>>>
>>> Class Utilization on dsl-out (eth0 output =>  eth0) - values in Kbit/s
>>>   TOTAL intera tcpack web-ht defaul lowpri
>>>     473      3    444     25      -      2
>>>     561      3    536     22      1      -
>>>     534      4    529      -      -      1
>>>     510      1    487     22      -      -
>>>     633      1    502     33      -     97
>>>     526      -    526      -      -      -
>>>     522      -    520      -      2      -
>>>     495      -    407      5      -     83
>>>     488      -    409      -      -     79
>>>     464      -    400     64      -      -
>>>     554      -    506     47      -      -
>>>
>>> Download seems to be split up 50:50, I can live with that if there is
>>> no other solution.
>>> But a 90:10 split would be nicer, if this is even possible with ingress
>>> traffic?
>>>
>>> Thanks for your help!
>>> Andreas
>>>
>>> AM wrote:
>>>
>>>> Hi Costa,
>>>>
>>>> Thanks for your reply!
>>>>
>>>> 1. Ok, I will remove the "qdisc htb" line and try again, if that is what
>>>> you meant?
>>>>
>>>> 2. I do masquerading and it is configured like this:
>>>> Outside is eth0 with ip 192.168.2.10/24 - Internal LAN is 10.0.0.0/24
>>>> which is masqueraded to 192.168.2.10.
>>>> Then I have eth0:1 with ip 192.168.2.11/24 - all outgoing requests from
>>>> my nas (10.0.0.254) get masqueraded to 192.168.2.11
>>>> And as seen in the status output it is working, as traffic gets
>>>> associated with the right class. (Checked with iptraf on eth0 too)
>>>>
>>>> 3. Ok, will remove the acks and just leave ack.
>>>>
>>>> 4. Yes I also noticed that and was wondering why there is barely
>>>> anything in the tcpack class... but no idea why?
>>>>
>>>> Will report back once I had the chance to test your suggestions!
>>>> Thanks!
>>>>
>>>> Andreas
>>>>
>>>> Tsaousis, Costa wrote:
>>>>>
>>>>> Hi Andreas,
>>>>>
>>>>> I can see the following problems on your config:
>>>>>
>>>>> 1. There is no htb qdisc. Let FireQOS select the default (fq_codel
>>>>> or sfq). fq_codel will be of great help on your setup. Make sure your
>>>>> kernel supports it.
>>>>>
>>>>> 2. On the lowprio class you match a private IP on the public
>>>>> interface. This cannot be done. On the public interface there are only
>>>>> public IPs. This is your key problem.
>>>>>
>>>>> 3. 'tcp ack' and 'tcp acks' is the same thing.
>>>>>
>>>>> 4. It is strange that on your output interface you have such traffic
>>>>> on the interactive class. If this traffic is the tcp acks of the
>>>>> download, they should be on the tcpack class. I hope this will be
>>>>> fixed by setting the correct qdisc.
>>>>>
>>>>>
>>>>> So, because of point 2, it is impossible to distinguish between normal
>>>>> web traffic from other PCs and your NAS. fq_codel will help but it
>>>>> won't solve the problem completely.
>>>>>
>>>>> Another idea would be to use marks to separate nas traffic from other
>>>>> traffic. This however does not work without the act_connmark kernel
>>>>> module (which by default is only available in openwrt).
>>>>>
>>>>> Let me think...
>>>>>
>>>>> Do you masquerade or snat traffic in firehol?
>>>>>
>>>>> When you masquerade or snat traffic, what you actually do is that you
>>>>> map 192.168.2.11:PORT1 (or any local IP) to your PUBLIC_IP:PORT2.
>>>>>
>>>>> You could use masquerade or snat to have your NAS use 60000-64999 for
>>>>> PORT2, while all your other PCs use 20000-59999. This way you could
>>>>> apply qos on the inbound direction by just examining your port range.
>>>>>
>>>>> I will try to do this with firehol and fireqos later today and come
>>>>> back with the statements you should use.
>>>>>
>>>>> Costa
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Feb 2, 2015 at 2:31 PM, AM <stuff at kr33.de> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I already spent hours on reading and testing tc.
>>>>>> But now I'm at a point where I have to ask here for any hints.
>>>>>>
>>>>>> Basically I want to shape my input and output traffic.
>>>>>> I have one nas server which handles large downloads. I want that nas
>>>>>> to have a low priority, so that if I start a download on a normal client
>>>>>> in the network this client gets most of the bandwidth.
>>>>>> But I can't get this to work. Here is my fireqos.conf:
>>>>>> ####################################
>>>>>> DEVICE=eth0
>>>>>> INPUT_SPEED=14300kbit
>>>>>> OUTPUT_SPEED=2400kbit
>>>>>> LINKTYPE="adsl remote bridged-llc mtu 1492"
>>>>>>
>>>>>> interface $DEVICE dsl-in input rate $INPUT_SPEED $LINKTYPE qdisc htb
>>>>>>       # Incoming traffic Internet -->   LAN
>>>>>>       class interactive commit 1000kbit
>>>>>>           match udp port 53                    # DNS
>>>>>>           match tcp port 22                    # SSH
>>>>>>           match icmp
>>>>>>
>>>>>>       class tcpack commit 2000kbit
>>>>>>           match tcp syn
>>>>>>           match tcp ack
>>>>>>           match tcp acks
>>>>>>
>>>>>>       class web-http commit 7500kbit
>>>>>>           match tcp sports 80,443    prio 20         # http(s)
>>>>>>
>>>>>>       class default commit 2500kbit
>>>>>>
>>>>>>       class lowprio commit 1% max 80% prio 7
>>>>>>           match4 dst 192.168.2.11 prio 10        # debsrv
>>>>>>
>>>>>>
>>>>>> interface $DEVICE dsl-out output rate $OUTPUT_SPEED $LINKTYPE qdisc htb
>>>>>>       # Outgoing traffic LAN -->   Internet
>>>>>>       class interactive commit 200kbit
>>>>>>           match udp port 53                    # DNS
>>>>>>           match tcp port 22                    # SSH
>>>>>>           match icmp
>>>>>>
>>>>>>       class tcpack commit 400kbit
>>>>>>           match tcp syn
>>>>>>           match tcp ack
>>>>>>           match tcp acks
>>>>>>
>>>>>>       class web-http commit 1100kbit
>>>>>>           match tcp dports 80,443 prio 20        # http(s)
>>>>>>
>>>>>>       class default commit 600kbit
>>>>>>
>>>>>>       class lowprio commit 1% max 80% prio 7
>>>>>>           match4 src 192.168.2.11 prio 10     # debsrv
>>>>>> ####################################
>>>>>>
>>>>>> If I now start downloading on both hosts with e.g. wget
>>>>>>
>>>>>>
>>>>>> http://cdimage.debian.org/debian-cd/7.8.0/amd64/iso-dvd/debian-7.8.0-amd64-DVD-2.iso
>>>>>> I get the following stats:
>>>>>>
>>>>>>
>>>>>> Class Utilization on dsl-in (eth0 input =>   eth0-ifb) - values in Kbit/s
>>>>>>    TOTAL intera tcpack web-ht defaul lowpri
>>>>>>    14552      -      -   6069      3   8480
>>>>>>    14116      1      -   5418      -   8697
>>>>>>    14139      -      -   6011      1   8127
>>>>>>    14422      -      -   6078      -   8344
>>>>>>    14281      -      -   5299      -   8982
>>>>>>    14264      3      -   5521      -   8739
>>>>>>    14277      -      -   5252      1   9024
>>>>>>    14201      -      -   4798      1   9403
>>>>>>    14288      -      -   4762      1   9525
>>>>>>    14227      -      -   4988      -   9253
>>>>>>    14293      -      -   6318     11   7951
>>>>>>    14327      -      -   6905    142   7281
>>>>>>    14219      -      -   6988      -   7232
>>>>>>    14133      -      -   7172      -   6960
>>>>>>    14347      -      -   7196      -   7151
>>>>>>    14390      -      -   7048      1   7340
>>>>>>    14203      1      -   7024      1   7177
>>>>>>    14289      1      -   6979      -   7309
>>>>>>    14272      1      4   6852     12   7403
>>>>>>    14304      3      -   6385      -   7916
>>>>>>
>>>>>> ==>   lowprio is getting much more bandwidth... why?
>>>>>> Can anyone help me out / explain why it is behaving like this?
>>>>>>
>>>>>> Outgoing everything works like expected.
>>>>>> (Used scp to upload a file to remote server)
>>>>>>
>>>>>>    Class Utilization on dsl-out (eth0 output =>   eth0) - values in Kbit/s
>>>>>>    TOTAL intera tcpack web-ht defaul lowpri
>>>>>>     2674   2619      -     28      -     27
>>>>>>     2432   2379      -     25      -     27
>>>>>>     2524   2483      -     14      -     27
>>>>>>     2515   2462      -     25      -     27
>>>>>>     2527   2490      -     24      -     14
>>>>>>     2501   2458      -     14      1     27
>>>>>>     2520   2476      -     17      -     27
>>>>>>     2551   2509      -     14      -     27
>>>>>>     2514   2463      -     25      -     27
>>>>>>     2532   2479      -     25      1     27
>>>>>>     2514   2474      -     13      -     27
>>>>>>     2512   2469      2     27      1     14
>>>>>>     2531   2323     70     25     86     27
>>>>>>     2546   2490      -     29      -     27
>>>>>>     2505   2463      -     15      -     27
>>>>>>     2534   2479      1     25      1     27
>>>>>>     2519   2440      -     52      -     27
>>>>>>     2550   2491      -     31      -     27
>>>>>>     2511   2476      -     22      -     14
>>>>>>     2511   2449      5     22      7     27
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> Regards
>>>>>> Andreas
>>>>>> _______________________________________________
>>>>>> Firehol-support mailing list
>>>>>> Firehol-support at lists.firehol.org
>>>>>> http://lists.firehol.org/mailman/listinfo/firehol-support
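As an added example (not FireQOS code and not from anyone in this thread), a small Python parser for the `Class Utilization` tables that `fireqos status` prints, which computes the web-http:lowprio split that Andreas estimates at 50:50. The sample rows below are constructed in the format of the thread's dsl-in output; the function names are mine.

```python
from statistics import mean

# Constructed sample in the format of `fireqos status dsl-in` (values in Kbit/s).
# A '-' cell means the class carried no traffic during that one-second interval.
SAMPLE_STATUS = """\
Class Utilization on dsl-in (eth0 input => eth0-ifb) - values in Kbit/s
  TOTAL intera tcpack web-ht defaul lowpri
  14423      -      -   7436      -   6988
  14250      -      -   7222      -   7028
  14299      -      -   6971      1   7327
  14249      -      -   7437      -   6811
"""


def parse_status(text):
    """Return one {column: kbit} dict per sampled interval, '-' mapped to 0."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    header = next(l for l in lines if l.startswith("TOTAL")).split()
    rows = []
    for line in lines:
        cells = line.split()
        # Skip the title line and the header line; keep only numeric rows.
        if len(cells) != len(header) or not cells[0].isdigit():
            continue
        rows.append({col: (0 if v == "-" else int(v))
                     for col, v in zip(header, cells)})
    return rows


def class_share(rows, cls):
    """Average fraction of TOTAL that class `cls` carried across all samples."""
    return mean(r[cls] / r["TOTAL"] for r in rows)


def split_ratio(rows, a="web-ht", b="lowpri"):
    """Share of the traffic that went to `a` versus `b`, as (pct_a, pct_b)."""
    sum_a = sum(r[a] for r in rows)
    sum_b = sum(r[b] for r in rows)
    return (round(100 * sum_a / (sum_a + sum_b), 1),
            round(100 * sum_b / (sum_a + sum_b), 1))


if __name__ == "__main__":
    rows = parse_status(SAMPLE_STATUS)
    print("samples:", len(rows))
    print("web-http : lowprio =", split_ratio(rows))
```

Feed it the full table from a longer `fireqos status` run to see whether a reordering of match statements actually moves the split towards the intended 90:10.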


