[Firehol-support] FireQOS: need help with input traffic shaping
AM
stuff at kr33.de
Thu Feb 5 14:05:39 GMT 2015
Hi Costa,
Sorry for the delay, have been a bit busy the last days. Sadly your changes didn't make any difference.
But it is fine like it is right now.
Normal surfing isn't blocked by a single download any more. You don't even notice that there is a download running and that is the main goal I wanted to achieve.
So I'm pretty happy with it right now.
But I have one further question. Is it possible to give fixed IDs to classes?
Because I'm setting up RRD graphs. Now every time a new class is added or the order is changed the class IDs change.
--> Statistics go to the wrong rrd file, and graphs are named wrong, since the classid <--> "rrd-name" mapping isn't valid anymore.
Thanks!
On 02.02.2015 23:35, Tsaousis, Costa wrote:
> ok. Did the config I gave you fix the problem of traffic shaping?
>
> By the way, I just committed to github a version of firehol that allows setting ports on MASQUERADE (SNAT already had this functionality).
> So, for anyone interested, inbound traffic can be controlled with FireQOS using this port-mapping. I have updated the wiki page accordingly:
> https://github.com/ktsaou/firehol/wiki/FireQOS-Use-Scenarios
>
> Costa
>
> On Mon, Feb 2, 2015 at 11:57 PM, AM <stuff at kr33.de> wrote:
>> Hi Costa,
>>
>> I know that the double snat isn't nice, but I can't avoid it since I have to use the router provided by my ISP.
>> This box is a whole load full of crap... if there was any possibility to add static routes I would have done so, but there isn't.
>>
>> Here are the headers:
>>
>> root at router ~ # fireqos status dsl-in
>> FireQOS 2.0.0
>> (C) 2013-2014 Costa Tsaousis, GPL
>>
>>
>> dsl-in: eth0 input => eth0-ifb, type: adsl, overhead: 18
>> Rate: 14300Kbit/s, min: 143Kbit/s
>> Values in Kbit/s
>>
>> CLASS intera tcpack web-ht defaul lowpri
>> CLASSI 1:11 1:12 1:13 1:5000 1:15
>> COMMIT 1000 2000 7500 2500 143
>> MAX 14300 14300 14300 14300 11440
>>
>> PRIORI 0 1 2 3 7
>> QDISC fq_cod fq_cod fq_cod fq_cod fq_cod
>>
>> Thank you very much for all your efforts and your great work on FireQOS!
>>
>> Tsaousis, Costa wrote:
>>
>>> Andreas,
>>>
>>> I think you should avoid the double snat/masquerade. It might not be a problem, but it is not a good thing either. If you can add a static route on your dsl router for 10.0.0.0/24 via your linux, you could remove the snat / masquerade from linux. Then you could directly match the real nas IP.
>>>
>>> Anyway, try the following. I sorted the classes based on the match statements (so that syn/ack even from the nas will go to the tcpack class):
>>>
>>> interface $DEVICE dsl-in input rate $INPUT_SPEED $LINKTYPE
>>>
>>> class interactive commit 1000kbit
>>> match udp port 53 # DNS
>>> match tcp port 22 # SSH
>>> match icmp
>>>
>>> class tcpack commit 2000kbit
>>> match tcp syn
>>> match tcp ack
>>>
>>> class lowprio prio 7 #<<< prio 7 is the last, but the class is placed here only for its match statement
>>> match4 dst 192.168.2.11
>>>
>>> class web-http commit 7500kbit
>>> match tcp sports 80,443
>>>
>>> class default commit 2500kbit
>>>
>>>
>>>
>>>
>>> or this (tcp/ack from nas will not go to the tcp/ack class, but directly to lowprio, which might give you a better performance when the nas is downloading full speed):
>>>
>>> interface $DEVICE dsl-in input rate $INPUT_SPEED $LINKTYPE
>>>
>>> class interactive commit 1000kbit
>>> match udp port 53 # DNS
>>> match tcp port 22 # SSH
>>> match icmp
>>>
>>> class tcpack commit 2000kbit
>>> match tcp syn
>>> match tcp ack
>>>
>>> class web-http commit 7500kbit
>>> match tcp sports 80,443
>>>
>>> class default commit 2500kbit
>>>
>>> class lowprio
>>> match4 dst 192.168.2.11 prio 1 #<<< this will be the first match executed for this interface
>>>
>>> Also, please paste back the headers of the fireqos status printout. I
>>> need to see the priorities fireqos uses.
>>>
>>>
>>> On Mon, Feb 2, 2015 at 7:40 PM, AM <stuff at kr33.de> wrote:
>>>>
>>>> Hi again,
>>>>
>>>> Okay, tested the modifications
>>>>
>>>> 1. Removed the qdisc htb statement, fq_codel is now used.
>>>>
>>>> 4. I added prio 1 to the match lines for tcp ack and syn, they now show up in the right class! :)
>>>>
>>>> This is the input status now:
>>>>
>>>> Class Utilization on dsl-in (eth0 input => eth0-ifb) - values in Kbit/s
>>>> TOTAL intera tcpack web-ht defaul lowpri
>>>> 14423 - - 7436 - 6988
>>>> 14250 - - 7222 - 7028
>>>> 14299 - - 6971 1 7327
>>>> 14249 - - 7437 - 6811
>>>> 14460 - - 7608 - 6852
>>>> 14205 - - 7774 - 6431
>>>> 14324 - - 7863 2 6458
>>>> 14443 - - 7549 1 6893
>>>> 14223 - 3 7354 - 6865
>>>> 14472 - 1 8080 - 6391
>>>> 14385 - 1 7191 - 7192
>>>> 14379 - - 7324 - 7055
>>>> 14316 - - 6432 - 7884
>>>> 14152 - - 6768 3 7381
>>>> 14487 3 - 6560 - 7924
>>>> 14263 - - 6516 - 7747
>>>> 14304 - - 6663 2 7639
>>>> 14299 - 1 6537 - 7761
>>>> 14157 - - 6274 - 7883
>>>> 14570 - 2 5722 - 8846
>>>>
>>>>
>>>> Class Utilization on dsl-out (eth0 output => eth0) - values in Kbit/s
>>>> TOTAL intera tcpack web-ht defaul lowpri
>>>> 473 3 444 25 - 2
>>>> 561 3 536 22 1 -
>>>> 534 4 529 - - 1
>>>> 510 1 487 22 - -
>>>> 633 1 502 33 - 97
>>>> 526 - 526 - - -
>>>> 522 - 520 - 2 -
>>>> 495 - 407 5 - 83
>>>> 488 - 409 - - 79
>>>> 464 - 400 64 - -
>>>> 554 - 506 47 - -
>>>>
>>>> Download seems to be split up 50:50, I can live with that if there is no other solution.
>>>> But a 90:10 split would be nicer, if this is even possible with ingress traffic?
>>>>
>>>> Thanks for your help!
>>>> Andreas
>>>>
>>>> AM wrote:
>>>>
>>>>> Hi Costa,
>>>>>
>>>>> Thanks for your reply!
>>>>>
>>>>> 1. Ok, I will remove the "qdisc htb" line and try again, if that is what you meant?
>>>>>
>>>>> 2. I do masquerading and it is configured like this:
>>>>> Outside is eth0 with ip 192.168.2.10/24 - Internal LAN is 10.0.0.0/24 which is masqueraded to 192.168.2.10.
>>>>> Then I have eth0:1 with ip 192.168.2.11/24 - all outgoing requests from my nas (10.0.0.254) get masqueraded to 192.168.2.11
>>>>> And as seen in the status output it is working, as traffic gets associated with the right class. (Checked with iptraf on eth0 too)
>>>>>
>>>>> 3. Ok, will remove the acks and just leave ack.
>>>>>
>>>>> 4. Yes I also noticed that and was wondering why there is barely anything in the tcpack class... but no idea why?
>>>>>
>>>>> Will report back once I had the chance to test your suggestions!
>>>>> Thanks!
>>>>>
>>>>> Andreas
>>>>>
>>>>> Tsaousis, Costa wrote:
>>>>>>
>>>>>> Hi Andreas,
>>>>>>
>>>>>> I can see the following problems on your config:
>>>>>>
>>>>>> 1. There is no htb qdisc. Let FireQOS select the default (fq_codel or sfq). fq_codel will be of great help on your setup. Make sure your kernel supports it.
>>>>>>
>>>>>> 2. On the lowprio class you match a private IP on the public interface. This cannot be done. On the public interface there are only public IPs. This is your key problem.
>>>>>>
>>>>>> 3. 'tcp ack' and 'tcp acks' is the same thing.
>>>>>>
>>>>>> 4. It is strange that on your output interface you have such traffic on the interactive class. If this traffic is the tcp acks of the download, they should be on the tcpack class. I hope this will be fixed by setting the correct qdisc.
>>>>>>
>>>>>>
>>>>>> So, because of point 2, it is impossible to distinguish between normal web traffic from other PCs and your NAS. fq_codel will help but it won't solve the problem completely.
>>>>>>
>>>>>> Another idea would be to use marks to separate nas traffic from other traffic. This however does not work without the act_connmark kernel module (which by default is only available in openwrt).
>>>>>>
>>>>>> Let me think...
>>>>>>
>>>>>> Do you masquerade or snat traffic in firehol?
>>>>>>
>>>>>> When you masquerade or snat traffic, what you actually do is that you map 192.168.2.11:PORT1 (or any local IP) to your PUBLIC_IP:PORT2.
>>>>>>
>>>>>> You could use masquerade or snat to have your NAS use 60000-64999 for PORT2, while all your other PCs use 20000-59999. This way you could apply qos on the inbound direction by just examining your port range.
>>>>>>
>>>>>> I will try to do this with firehol and fireqos later today and come back with the statements you should use.
>>>>>>
>>>>>> Costa
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Feb 2, 2015 at 2:31 PM, AM <stuff at kr33.de> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I already spent hours on reading and testing tc.
>>>>>>> But now I'm at a point where I have to ask here for any hints.
>>>>>>>
>>>>>>> Basically I want to shape my input and output traffic.
>>>>>>> I have one nas server which handles large downloads. I want that nas to have a low priority, so that if I start a download on a normal client in the network this client gets most of the bandwidth.
>>>>>>> But I can't get this to work. Here is my fireqos.conf:
>>>>>>> ####################################
>>>>>>> DEVICE=eth0
>>>>>>> INPUT_SPEED=14300kbit
>>>>>>> OUTPUT_SPEED=2400kbit
>>>>>>> LINKTYPE="adsl remote bridged-llc mtu 1492"
>>>>>>>
>>>>>>> interface $DEVICE dsl-in input rate $INPUT_SPEED $LINKTYPE qdisc htb
>>>>>>> # Incoming traffic Internet --> LAN
>>>>>>> class interactive commit 1000kbit
>>>>>>> match udp port 53 # DNS
>>>>>>> match tcp port 22 # SSH
>>>>>>> match icmp
>>>>>>>
>>>>>>> class tcpack commit 2000kbit
>>>>>>> match tcp syn
>>>>>>> match tcp ack
>>>>>>> match tcp acks
>>>>>>>
>>>>>>> class web-http commit 7500kbit
>>>>>>> match tcp sports 80,443 prio 20 # http(s)
>>>>>>>
>>>>>>> class default commit 2500kbit
>>>>>>>
>>>>>>> class lowprio commit 1% max 80% prio 7
>>>>>>> match4 dst 192.168.2.11 prio 10 # debsrv
>>>>>>>
>>>>>>>
>>>>>>> interface $DEVICE dsl-out output rate $OUTPUT_SPEED $LINKTYPE qdisc htb
>>>>>>> # Outgoing traffic LAN --> Internet
>>>>>>> class interactive commit 200kbit
>>>>>>> match udp port 53 # DNS
>>>>>>> match tcp port 22 # SSH
>>>>>>> match icmp
>>>>>>>
>>>>>>> class tcpack commit 400kbit
>>>>>>> match tcp syn
>>>>>>> match tcp ack
>>>>>>> match tcp acks
>>>>>>>
>>>>>>> class web-http commit 1100kbit
>>>>>>> match tcp dports 80,443 prio 20 # http(s)
>>>>>>>
>>>>>>> class default commit 600kbit
>>>>>>>
>>>>>>> class lowprio commit 1% max 80% prio 7
>>>>>>> match4 src 192.168.2.11 prio 10 # debsrv
>>>>>>> ####################################
>>>>>>>
>>>>>>> If I now start downloading on both hosts with e.g. wget
>>>>>>> http://cdimage.debian.org/debian-cd/7.8.0/amd64/iso-dvd/debian-7.8.0-amd64-DVD-2.iso
>>>>>>> I get the following stats:
>>>>>>>
>>>>>>>
>>>>>>> Class Utilization on dsl-in (eth0 input => eth0-ifb) - values in Kbit/s
>>>>>>> TOTAL intera tcpack web-ht defaul lowpri
>>>>>>> 14552 - - 6069 3 8480
>>>>>>> 14116 1 - 5418 - 8697
>>>>>>> 14139 - - 6011 1 8127
>>>>>>> 14422 - - 6078 - 8344
>>>>>>> 14281 - - 5299 - 8982
>>>>>>> 14264 3 - 5521 - 8739
>>>>>>> 14277 - - 5252 1 9024
>>>>>>> 14201 - - 4798 1 9403
>>>>>>> 14288 - - 4762 1 9525
>>>>>>> 14227 - - 4988 - 9253
>>>>>>> 14293 - - 6318 11 7951
>>>>>>> 14327 - - 6905 142 7281
>>>>>>> 14219 - - 6988 - 7232
>>>>>>> 14133 - - 7172 - 6960
>>>>>>> 14347 - - 7196 - 7151
>>>>>>> 14390 - - 7048 1 7340
>>>>>>> 14203 1 - 7024 1 7177
>>>>>>> 14289 1 - 6979 - 7309
>>>>>>> 14272 1 4 6852 12 7403
>>>>>>> 14304 3 - 6385 - 7916
>>>>>>>
>>>>>>> ==> lowprio is getting much more bandwidth... why?
>>>>>>> Can anyone help me out / explain why it is behaving like this?
>>>>>>>
>>>>>>> Outgoing everything works like expected.
>>>>>>> (Used scp to upload a file to remote server)
>>>>>>>
>>>>>>> Class Utilization on dsl-out (eth0 output => eth0) - values in Kbit/s
>>>>>>> TOTAL intera tcpack web-ht defaul lowpri
>>>>>>> 2674 2619 - 28 - 27
>>>>>>> 2432 2379 - 25 - 27
>>>>>>> 2524 2483 - 14 - 27
>>>>>>> 2515 2462 - 25 - 27
>>>>>>> 2527 2490 - 24 - 14
>>>>>>> 2501 2458 - 14 1 27
>>>>>>> 2520 2476 - 17 - 27
>>>>>>> 2551 2509 - 14 - 27
>>>>>>> 2514 2463 - 25 - 27
>>>>>>> 2532 2479 - 25 1 27
>>>>>>> 2514 2474 - 13 - 27
>>>>>>> 2512 2469 2 27 1 14
>>>>>>> 2531 2323 70 25 86 27
>>>>>>> 2546 2490 - 29 - 27
>>>>>>> 2505 2463 - 15 - 27
>>>>>>> 2534 2479 1 25 1 27
>>>>>>> 2519 2440 - 52 - 27
>>>>>>> 2550 2491 - 31 - 27
>>>>>>> 2511 2476 - 22 - 14
>>>>>>> 2511 2449 5 22 7 27
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> Regards
>>>>>>> Andreas
>>>>>>> _______________________________________________
>>>>>>> Firehol-support mailing list
>>>>>>> Firehol-support at lists.firehol.org
>>>>>>> http://lists.firehol.org/mailman/listinfo/firehol-support
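An added check, not from this thread or the FireHOL project: it assumes the port split Costa proposes above (NAS flows SNATed to public ports 60000-64999, every other LAN host to 20000-59999) and the usual `conntrack -L` line format, and audits a conntrack table (a constructed sample is embedded) for flows whose public-side port fell outside their host's range, since inbound shaping keyed on that range would put those flows in the wrong class.

```python
import re
from collections import Counter

# Port split from the thread (assumed, not the router's real config): NAS -> 60000-64999, others -> 20000-59999.
NAS_IP = "10.0.0.254"
NAS_PORTS = range(60000, 65000)
OTHER_PORTS = range(20000, 60000)

# Constructed sample of `conntrack -L` output (not captured from the thread's router). Original tuple first,
# reply tuple second; the reply tuple's dport is the public-side port the SNAT chose, i.e. the inbound dport.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=10.0.0.254 dst=203.0.113.7 sport=45678 dport=80 src=203.0.113.7 dst=192.168.2.11 sport=80 dport=60123 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.21 dst=203.0.113.7 sport=51200 dport=443 src=203.0.113.7 dst=192.168.2.10 sport=443 dport=20456 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.254 dst=203.0.113.7 sport=45679 dport=80 src=203.0.113.7 dst=192.168.2.11 sport=80 dport=45000 [ASSURED] mark=0 use=1
udp     17 29 src=10.0.0.21 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=192.168.2.10 sport=53 dport=20457 mark=0 use=1
"""

def parse_flow(line):
    """Return (original_src_ip, public_port) for one conntrack line, else None."""
    kv = re.findall(r"\b(src|dst|sport|dport)=(\S+)", line)
    if len(kv) < 8:  # no full original+reply tuple (e.g. icmp or a truncated line)
        return None
    return kv[0][1], int(kv[7][1])

def expected_class(orig_src):
    """Class the inbound half of this flow should land in, decided by LAN host."""
    return "lowprio" if orig_src == NAS_IP else "other"

def observed_class(public_port):
    """Class a port-range based inbound match would actually pick."""
    if public_port in NAS_PORTS:
        return "lowprio"
    if public_port in OTHER_PORTS:
        return "other"
    return "unmapped"  # outside both ranges: the SNAT rule is not what we think

def audit_snat_ranges(conntrack_text):
    """Count flows per (expected, observed) class and list the mismatches."""
    counts, mismatches = Counter(), []
    for line in conntrack_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        src, port = flow
        exp, obs = expected_class(src), observed_class(port)
        counts[(exp, obs)] += 1
        if exp != obs:  # this flow would be shaped in the wrong class
            mismatches.append((src, port, exp, obs))
    return counts, mismatches
```

On the sample the third line (NAS flow given port 45000) is reported as a mismatch; run against the real table, an empty mismatch list confirms the SNAT port ranges are doing what the QoS rules assume.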