[Firehol-support] FireQOS: need help with input traffic shaping
Tsaousis, Costa
costa at tsaousis.gr
Mon Feb 2 22:35:47 GMT 2015
OK. Did the config I gave you fix the problem of traffic shaping?
By the way, I just committed to github a version of firehol that
allows setting ports on MASQUERADE (SNAT already had this
functionality).
So, for anyone interested, inbound traffic can be controlled with
FireQOS using this port-mapping. I have updated the wiki page
accordingly: https://github.com/ktsaou/firehol/wiki/FireQOS-Use-Scenarios
Costa
On Mon, Feb 2, 2015 at 11:57 PM, AM <stuff at kr33.de> wrote:
> Hi Costa,
>
> I know that the double SNAT isn't nice, but I can't avoid it since I have to
> use the router provided by my ISP.
> This box is a whole load full of crap... if there was any possibility to add
> static routes I would have done so, but there isn't.
>
> Here are the headers:
>
> root@router ~ # fireqos status dsl-in
> FireQOS 2.0.0
> (C) 2013-2014 Costa Tsaousis, GPL
>
>
> dsl-in: eth0 input => eth0-ifb, type: adsl, overhead: 18
> Rate: 14300Kbit/s, min: 143Kbit/s
> Values in Kbit/s
>
> CLASS  intera tcpack web-ht defaul lowpri
> CLASSI   1:11   1:12   1:13 1:5000   1:15
> COMMIT   1000   2000   7500   2500    143
> MAX     14300  14300  14300  14300  11440
>
> PRIORI      0      1      2      3      7
> QDISC  fq_cod fq_cod fq_cod fq_cod fq_cod
>
> Thank you very much for all your efforts and your great work on FireQOS!
>
> Tsaousis, Costa wrote:
>
>> Andreas,
>>
>> I think you should avoid the double snat/masquerade. It might not be a
>> problem, but it is not a good thing either. If you can add a static
>> route on your dsl router for 10.0.0.0/24 via your linux, you could
>> remove the snat / masquerade from linux. Then you could directly match
>> the real nas IP.
>>
>> Anyway, try the following. I sorted the classes based on the match
>> statements (so that syn/ack even from the nas will go to the tcpack
>> class):
>>
>> interface $DEVICE dsl-in input rate $INPUT_SPEED $LINKTYPE
>>
>>     class interactive commit 1000kbit
>>         match udp port 53 # DNS
>>         match tcp port 22 # SSH
>>         match icmp
>>
>>     class tcpack commit 2000kbit
>>         match tcp syn
>>         match tcp ack
>>
>>     class lowprio prio 7 # <<< prio 7 is the last, but the class is placed here only for its match statement
>>         match4 dst 192.168.2.11
>>
>>     class web-http commit 7500kbit
>>         match tcp sports 80,443
>>
>>     class default commit 2500kbit
>>
>> or this (tcp/ack from nas will not go to the tcp/ack class, but
>> directly to lowprio, which might give you a better performance when
>> the nas is downloading full speed):
>>
>> interface $DEVICE dsl-in input rate $INPUT_SPEED $LINKTYPE
>>
>>     class interactive commit 1000kbit
>>         match udp port 53 # DNS
>>         match tcp port 22 # SSH
>>         match icmp
>>
>>     class tcpack commit 2000kbit
>>         match tcp syn
>>         match tcp ack
>>
>>     class web-http commit 7500kbit
>>         match tcp sports 80,443
>>
>>     class default commit 2500kbit
>>
>>     class lowprio
>>         match4 dst 192.168.2.11 prio 1 # <<< this will be the first match executed for this interface
>>
>> Also, please paste back the headers of the fireqos status printout. I
>> need to see the priorities fireqos uses.
>>
>>
>> On Mon, Feb 2, 2015 at 7:40 PM, AM <stuff at kr33.de> wrote:
>>>
>>> Hi again,
>>>
>>> Okay, tested the modifications:
>>>
>>> 1. Removed the qdisc htb statement, fq_codel is now used.
>>>
>>> 4. I added prio 1 to the match lines for tcp ack and syn; they now show up
>>> in the right class! :)
>>>
>>> This is the input status now:
>>>
>>> Class Utilization on dsl-in (eth0 input => eth0-ifb) - values in Kbit/s
>>> TOTAL intera tcpack web-ht defaul lowpri
>>> 14423      -      -   7436      -   6988
>>> 14250      -      -   7222      -   7028
>>> 14299      -      -   6971      1   7327
>>> 14249      -      -   7437      -   6811
>>> 14460      -      -   7608      -   6852
>>> 14205      -      -   7774      -   6431
>>> 14324      -      -   7863      2   6458
>>> 14443      -      -   7549      1   6893
>>> 14223      -      3   7354      -   6865
>>> 14472      -      1   8080      -   6391
>>> 14385      -      1   7191      -   7192
>>> 14379      -      -   7324      -   7055
>>> 14316      -      -   6432      -   7884
>>> 14152      -      -   6768      3   7381
>>> 14487      3      -   6560      -   7924
>>> 14263      -      -   6516      -   7747
>>> 14304      -      -   6663      2   7639
>>> 14299      -      1   6537      -   7761
>>> 14157      -      -   6274      -   7883
>>> 14570      -      2   5722      -   8846
>>>
>>>
>>> Class Utilization on dsl-out (eth0 output => eth0) - values in Kbit/s
>>> TOTAL intera tcpack web-ht defaul lowpri
>>>   473      3    444     25      -      2
>>>   561      3    536     22      1      -
>>>   534      4    529      -      -      1
>>>   510      1    487     22      -      -
>>>   633      1    502     33      -     97
>>>   526      -    526      -      -      -
>>>   522      -    520      -      2      -
>>>   495      -    407      5      -     83
>>>   488      -    409      -      -     79
>>>   464      -    400     64      -      -
>>>   554      -    506     47      -      -
>>>
>>> Download seems to be split up 50:50, I can live with that if there is no
>>> other solution.
>>> But a 90:10 split would be nicer, if this is even possible with ingress
>>> traffic?
>>>
>>> Thanks for your help!
>>> Andreas
>>>
>>> AM wrote:
>>>
>>>> Hi Costa,
>>>>
>>>> Thanks for your reply!
>>>>
>>>> 1. Ok, I will remove the "qdisc htb" line and try again, if that is what
>>>> you meant?
>>>>
>>>> 2. I do masquerading and it is configured like this:
>>>> Outside is eth0 with IP 192.168.2.10/24 - Internal LAN is 10.0.0.0/24,
>>>> which is masqueraded to 192.168.2.10.
>>>> Then I have eth0:1 with IP 192.168.2.11/24 - all outgoing requests from my
>>>> nas (10.0.0.254) get masqueraded to 192.168.2.11.
>>>> And as seen in the status output it is working, as traffic gets associated
>>>> with the right class. (Checked with iptraf on eth0 too)
>>>>
>>>> 3. Ok, will remove the acks and just leave ack.
>>>>
>>>> 4. Yes, I also noticed that and was wondering why there is barely anything
>>>> in the tcpack class... but no idea why?
>>>>
>>>> Will report back once I had the chance to test your suggestions!
>>>> Thanks!
>>>>
>>>> Andreas
>>>>
>>>> Tsaousis, Costa wrote:
>>>>>
>>>>> Hi Andreas,
>>>>>
>>>>> I can see the following problems on your config:
>>>>>
>>>>> 1. There is no htb qdisc. Let FireQOS select the default (fq_codel
>>>>> or sfq). fq_codel will be of great help on your setup. Make sure your
>>>>> kernel supports it.
>>>>>
>>>>> 2. On the lowprio class you match a private IP on the public
>>>>> interface. This cannot be done. On the public interface there are only
>>>>> public IPs. This is your key problem.
>>>>>
>>>>> 3. 'tcp ack' and 'tcp acks' are the same thing.
>>>>>
>>>>> 4. It is strange that on your output interface you have such traffic
>>>>> on the interactive class. If this traffic is the tcp acks of the
>>>>> download, they should be on the tcpack class. I hope this will be
>>>>> fixed by setting the correct qdisc.
>>>>>
>>>>>
>>>>> So, because of point 2, it is impossible to distinguish between normal
>>>>> web traffic from other PCs and your NAS. fq_codel will help but it
>>>>> won't solve the problem completely.
>>>>>
>>>>> Another idea would be to use marks to separate nas traffic from other
>>>>> traffic. This however does not work without the act_connmark kernel
>>>>> module (which by default is only available in openwrt).
>>>>>
>>>>> Let me think...
>>>>>
>>>>> Do you masquerade or snat traffic in firehol?
>>>>>
>>>>> When you masquerade or snat traffic, what you actually do is that you
>>>>> map 192.168.2.11:PORT1 (or any local IP) to your PUBLIC_IP:PORT2.
>>>>>
>>>>> You could use masquerade or snat to have your NAS use 60000-64999 for
>>>>> PORT2, while all your other PCs use 20000-59999. This way you could
>>>>> apply qos on the inbound direction by just examining your port range.
>>>>>
>>>>> I will try to do this with firehol and fireqos later today and come
>>>>> back with the statements you should use.
>>>>>
>>>>> Costa
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Feb 2, 2015 at 2:31 PM, AM <stuff at kr33.de> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I already spent hours on reading and testing tc.
>>>>>> But now I'm at a point where I have to ask here for any hints.
>>>>>>
>>>>>> Basically I want to shape my input and output traffic.
>>>>>> I have one nas server which handles large downloads. I want that nas to
>>>>>> have a low priority, so that if I start a download on a normal client in
>>>>>> the network this client gets most of the bandwidth.
>>>>>> But I can't get this to work. Here is my fireqos.conf:
>>>>>> ####################################
>>>>>> DEVICE=eth0
>>>>>> INPUT_SPEED=14300kbit
>>>>>> OUTPUT_SPEED=2400kbit
>>>>>> LINKTYPE="adsl remote bridged-llc mtu 1492"
>>>>>>
>>>>>> interface $DEVICE dsl-in input rate $INPUT_SPEED $LINKTYPE qdisc htb
>>>>>> # Incoming traffic Internet --> LAN
>>>>>>     class interactive commit 1000kbit
>>>>>>         match udp port 53 # DNS
>>>>>>         match tcp port 22 # SSH
>>>>>>         match icmp
>>>>>>
>>>>>>     class tcpack commit 2000kbit
>>>>>>         match tcp syn
>>>>>>         match tcp ack
>>>>>>         match tcp acks
>>>>>>
>>>>>>     class web-http commit 7500kbit
>>>>>>         match tcp sports 80,443 prio 20 # http(s)
>>>>>>
>>>>>>     class default commit 2500kbit
>>>>>>
>>>>>>     class lowprio commit 1% max 80% prio 7
>>>>>>         match4 dst 192.168.2.11 prio 10 # debsrv
>>>>>>
>>>>>>
>>>>>> interface $DEVICE dsl-out output rate $OUTPUT_SPEED $LINKTYPE qdisc htb
>>>>>> # Outgoing traffic LAN --> Internet
>>>>>>     class interactive commit 200kbit
>>>>>>         match udp port 53 # DNS
>>>>>>         match tcp port 22 # SSH
>>>>>>         match icmp
>>>>>>
>>>>>>     class tcpack commit 400kbit
>>>>>>         match tcp syn
>>>>>>         match tcp ack
>>>>>>         match tcp acks
>>>>>>
>>>>>>     class web-http commit 1100kbit
>>>>>>         match tcp dports 80,443 prio 20 # http(s)
>>>>>>
>>>>>>     class default commit 600kbit
>>>>>>
>>>>>>     class lowprio commit 1% max 80% prio 7
>>>>>>         match4 src 192.168.2.11 prio 10 # debsrv
>>>>>> ####################################
>>>>>>
>>>>>> If I now start downloading on both hosts with e.g. wget
>>>>>> http://cdimage.debian.org/debian-cd/7.8.0/amd64/iso-dvd/debian-7.8.0-amd64-DVD-2.iso
>>>>>> I get the following stats:
>>>>>>
>>>>>>
>>>>>> Class Utilization on dsl-in (eth0 input => eth0-ifb) - values in Kbit/s
>>>>>> TOTAL intera tcpack web-ht defaul lowpri
>>>>>> 14552      -      -   6069      3   8480
>>>>>> 14116      1      -   5418      -   8697
>>>>>> 14139      -      -   6011      1   8127
>>>>>> 14422      -      -   6078      -   8344
>>>>>> 14281      -      -   5299      -   8982
>>>>>> 14264      3      -   5521      -   8739
>>>>>> 14277      -      -   5252      1   9024
>>>>>> 14201      -      -   4798      1   9403
>>>>>> 14288      -      -   4762      1   9525
>>>>>> 14227      -      -   4988      -   9253
>>>>>> 14293      -      -   6318     11   7951
>>>>>> 14327      -      -   6905    142   7281
>>>>>> 14219      -      -   6988      -   7232
>>>>>> 14133      -      -   7172      -   6960
>>>>>> 14347      -      -   7196      -   7151
>>>>>> 14390      -      -   7048      1   7340
>>>>>> 14203      1      -   7024      1   7177
>>>>>> 14289      1      -   6979      -   7309
>>>>>> 14272      1      4   6852     12   7403
>>>>>> 14304      3      -   6385      -   7916
>>>>>>
>>>>>> ==> lowprio is getting much more bandwidth... why?
>>>>>> Can anyone help me out / explain why it is behaving like this?
>>>>>>
>>>>>> Outgoing everything works as expected.
>>>>>> (Used scp to upload a file to remote server)
>>>>>>
>>>>>> Class Utilization on dsl-out (eth0 output => eth0) - values in Kbit/s
>>>>>> TOTAL intera tcpack web-ht defaul lowpri
>>>>>>  2674   2619      -     28      -     27
>>>>>>  2432   2379      -     25      -     27
>>>>>>  2524   2483      -     14      -     27
>>>>>>  2515   2462      -     25      -     27
>>>>>>  2527   2490      -     24      -     14
>>>>>>  2501   2458      -     14      1     27
>>>>>>  2520   2476      -     17      -     27
>>>>>>  2551   2509      -     14      -     27
>>>>>>  2514   2463      -     25      -     27
>>>>>>  2532   2479      -     25      1     27
>>>>>>  2514   2474      -     13      -     27
>>>>>>  2512   2469      2     27      1     14
>>>>>>  2531   2323     70     25     86     27
>>>>>>  2546   2490      -     29      -     27
>>>>>>  2505   2463      -     15      -     27
>>>>>>  2534   2479      1     25      1     27
>>>>>>  2519   2440      -     52      -     27
>>>>>>  2550   2491      -     31      -     27
>>>>>>  2511   2476      -     22      -     14
>>>>>>  2511   2449      5     22      7     27
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> Regards
>>>>>> Andreas
>>>>>> _______________________________________________
>>>>>> Firehol-support mailing list
>>>>>> Firehol-support at lists.firehol.org
>>>>>> http://lists.firehol.org/mailman/listinfo/firehol-support
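To make the two points of this thread concrete (the order in which FireQOS consults the match statements decides which class the NAS traffic lands in, and once a single public address hides the LAN address only the masquerade/SNAT port range can identify the NAS on the inbound side), here is a small Python model of first-match classification. It is added here for illustration and is neither FireQOS code nor anything posted in the thread; it assumes every packet is TCP seen on the inbound interface, treats 'tcp ack' as a pure ACK with no payload, and uses 198.51.100.7 as a placeholder public address.

```python
from dataclasses import dataclass
NAS_PORTS = range(60000, 65000)  # NAS masqueraded to 60000-64999, other hosts 20000-59999 (thread)

@dataclass
class Pkt:
    dst: str            # destination address as seen on the inbound interface
    sport: int
    dport: int
    flags: str = ""     # "S" = syn, "A" = ack
    payload: int = 0    # data bytes; 0 models a pure ack (simplification)

def nas_by_ip(p):      # what the original config tried: match4 dst 192.168.2.11
    return p.dst == "192.168.2.11"
def nas_by_port(p):    # the port-mapping approach: classify by the NATed port range
    return p.dport in NAS_PORTS
def tcpack(p):         # 'match tcp syn' / 'match tcp ack', pure acks only here
    return p.payload == 0 and p.flags in ("S", "A")
def web_http(p):       # 'match tcp sports 80,443'
    return p.sport in (80, 443)

def classify(p, rules):
    # First matching (class, predicate) wins, like FireQOS matches in priority order.
    for cls, pred in rules:
        if pred(p):
            return cls
    return "default"

# NAS match consulted last: its download data is claimed by web-http first.
NAS_LAST = [("tcpack", tcpack), ("web-http", web_http), ("lowprio", nas_by_ip)]
# Costa's second variant: the NAS match runs first ("prio 1" in the thread).
NAS_FIRST = [("lowprio", nas_by_ip), ("tcpack", tcpack), ("web-http", web_http)]
# Costa's first variant: tcpack before the NAS match, so NAS acks stay in tcpack.
ACK_FIRST = [("tcpack", tcpack), ("lowprio", nas_by_ip), ("web-http", web_http)]
# One public IP after NAT: the LAN address is gone, so match the port range.
PORT_BASED = [("lowprio", nas_by_port), ("tcpack", tcpack), ("web-http", web_http)]

def demo():
    nas_data = Pkt("192.168.2.11", 80, 61234, "A", 1400)  # download data to the NAS
    nas_ack = Pkt("192.168.2.11", 80, 61234, "A")         # pure ack to the NAS
    natted = Pkt("198.51.100.7", 80, 61234, "A", 1400)    # same flow, public IP only
    pc_data = Pkt("198.51.100.7", 443, 34567, "A", 1400)  # another host's download
    return {
        "nas_data/NAS_LAST": classify(nas_data, NAS_LAST),      # web-http
        "nas_data/NAS_FIRST": classify(nas_data, NAS_FIRST),    # lowprio
        "nas_ack/ACK_FIRST": classify(nas_ack, ACK_FIRST),      # tcpack
        "nas_ack/NAS_FIRST": classify(nas_ack, NAS_FIRST),      # lowprio
        "natted/NAS_FIRST": classify(natted, NAS_FIRST),        # web-http
        "natted/PORT_BASED": classify(natted, PORT_BASED),      # lowprio
        "pc_data/PORT_BASED": classify(pc_data, PORT_BASED),    # web-http
    }
```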