[Firehol-support] FireQOS: need help with input traffic shaping

Tsaousis, Costa costa at tsaousis.gr
Thu Feb 5 14:54:01 GMT 2015


Hi again,

There is another thread with the same question.

You can use this to get tc output for rrd, with the classids replaced
with names. The names will always be the same.

---

#!/bin/bash

dev="$1"
cmd="cat"

# check FireQOS names for classes
if [ -f "/var/run/fireqos/ifaces/$dev" ]
then
        # FireQOS records the name of the interface config here
        name="$(cat "/var/run/fireqos/ifaces/$dev")"
        if [ -n "$name" ] && [ -f "/var/run/fireqos/$name.conf" ]
        then
                interface_classes_monitor=
                . "/var/run/fireqos/$name.conf"
                opts=
                # each entry is '|'-separated: field 2 is the class name, field 3 the classid
                for n in $interface_classes_monitor
                do
                        classid="$(echo "$n" | cut -d '|' -f 3)"
                        classname="$(echo "$n" | cut -d '|' -f 2)"
                        opts="$opts -e 's/ $classid / $classname /g'"
                done
                # replace every " classid " in the tc output with " classname "
                test -n "$opts" && cmd="sed $opts"
        fi
fi

tc -s -d class show dev "$dev" | eval "$cmd"

---

You can also use netdata to monitor classes in realtime (per second charts):
https://github.com/ktsaou/netdata

demo:

http://www.tsaousis.gr:19999/

check the QoS section.

Costa


On Thu, Feb 5, 2015 at 4:05 PM, AM <stuff at kr33.de> wrote:
> Hi Costa,
>
> Sorry for the delay, have been a bit busy the last days. Sadly your changes
> didn't make any difference.
> But it is fine like it is right now.
> Normal surfing isn't blocked by a single download any more. You don't even
> notice that there is a download running and that is the main goal I wanted
> to achieve.
> So I'm pretty happy with it right now.
>
> But I have one further question. Is it possible to give fixed IDs to
> classes?
> Because I'm setting up RRD graphs. Now every time a new class is added or
> the order is changed the class IDs change.
> --> Statistics go to the wrong rrd file, and graphs are named wrong, since
> the classid <--> "rrd-name" mapping isn't valid anymore.
>
> Thanks!
>
> On 02.02.2015 23:35, Tsaousis, Costa wrote:
>
>> ok. Did the config I gave you fix the problem of traffic shaping?
>>
>> By the way, I just committed to github a version of firehol that
>> allows setting ports on MASQUERADE (SNAT already had this
>> functionality).
>> So, for anyone interested, inbound traffic can be controlled with
>> FireQOS using this port-mapping. I have updated the wiki page
>> accordingly: https://github.com/ktsaou/firehol/wiki/FireQOS-Use-Scenarios
>>
>> Costa
>>
>> On Mon, Feb 2, 2015 at 11:57 PM, AM <stuff at kr33.de> wrote:
>>>
>>> Hi Costa,
>>>
>>> I know that the double snat isn't nice, but I can't avoid it since I have
>>> to use the router provided by my ISP.
>>> This box is a whole load full of crap... if there was any possibility to
>>> add static routes I would have done so, but there isn't.
>>>
>>> Here are the headers:
>>>
>>> root at router ~ # fireqos status dsl-in
>>> FireQOS 2.0.0
>>> (C) 2013-2014 Costa Tsaousis, GPL
>>>
>>>
>>> dsl-in: eth0 input => eth0-ifb, type: adsl, overhead: 18
>>> Rate: 14300Kbit/s, min: 143Kbit/s
>>> Values in Kbit/s
>>>
>>>  CLASS intera tcpack web-ht defaul lowpri
>>> CLASSI   1:11   1:12   1:13 1:5000   1:15
>>> COMMIT   1000   2000   7500   2500    143
>>>    MAX  14300  14300  14300  14300  11440
>>>
>>> PRIORI      0      1      2      3      7
>>>  QDISC fq_cod fq_cod fq_cod fq_cod fq_cod
>>>
>>> Thank you very much for all your efforts and your great work on FireQOS!
>>>
>>> Tsaousis, Costa wrote:
>>>
>>>> Andreas,
>>>>
>>>> I think you should avoid the double snat/masquerade. It might not be a
>>>> problem, but it is not a good thing either. If you can add a static
>>>> route on your dsl router for 10.0.0.0/24 via your linux, you could
>>>> remove the snat / masquerade from linux. Then you could directly match
>>>> the real nas IP.
>>>>
>>>> Anyway, try the following. I sorted the classes based on the match
>>>> statements (so that syn/ack even from the nas will go to the tcpack
>>>> class):
>>>>
>>>> interface $DEVICE dsl-in input rate $INPUT_SPEED $LINKTYPE
>>>>
>>>>      class interactive commit 1000kbit
>>>>          match udp port 53                    # DNS
>>>>          match tcp port 22                    # SSH
>>>>          match icmp
>>>>
>>>>      class tcpack commit 2000kbit
>>>>          match tcp syn
>>>>          match tcp ack
>>>>
>>>>      class lowprio prio 7    #<<<  prio 7 is the last, but the class is
>>>>                              #     placed here only for its match statement
>>>>          match4 dst 192.168.2.11
>>>>
>>>>     class web-http commit 7500kbit
>>>>          match tcp sports 80,443
>>>>
>>>>      class default commit 2500kbit
>>>>
>>>>
>>>>
>>>>
>>>> or this (tcp/ack from nas will not go to the tcp/ack class, but
>>>> directly to lowprio, which might give you a better performance when
>>>> the nas is downloading full speed):
>>>>
>>>> interface $DEVICE dsl-in input rate $INPUT_SPEED $LINKTYPE
>>>>
>>>>      class interactive commit 1000kbit
>>>>          match udp port 53                    # DNS
>>>>          match tcp port 22                    # SSH
>>>>          match icmp
>>>>
>>>>      class tcpack commit 2000kbit
>>>>          match tcp syn
>>>>          match tcp ack
>>>>
>>>>     class web-http commit 7500kbit
>>>>          match tcp sports 80,443
>>>>
>>>>      class default commit 2500kbit
>>>>
>>>>      class lowprio
>>>>          match4 dst 192.168.2.11 prio 1    #<<<  this will be the first
>>>>                                            #     match executed for this interface
>>>>
>>>> Also, please paste back the headers of the fireqos status printout. I
>>>> need to see the priorities fireqos uses.
>>>>
>>>>
>>>> On Mon, Feb 2, 2015 at 7:40 PM, AM <stuff at kr33.de> wrote:
>>>>>
>>>>>
>>>>> Hi again,
>>>>>
>>>>> Okay tested the modifications
>>>>>
>>>>> 1. Removed the qdisc htb statement, fq_codel is now used.
>>>>>
>>>>> 4. I added prio 1 to the match lines for tcp ack and syn, they now show
>>>>> up in the right class! :)
>>>>>
>>>>> This is the input status now:
>>>>>
>>>>> Class Utilization on dsl-in (eth0 input => eth0-ifb) - values in Kbit/s
>>>>>   TOTAL intera tcpack web-ht defaul lowpri
>>>>>   14423      -      -   7436      -   6988
>>>>>   14250      -      -   7222      -   7028
>>>>>   14299      -      -   6971      1   7327
>>>>>   14249      -      -   7437      -   6811
>>>>>   14460      -      -   7608      -   6852
>>>>>   14205      -      -   7774      -   6431
>>>>>   14324      -      -   7863      2   6458
>>>>>   14443      -      -   7549      1   6893
>>>>>   14223      -      3   7354      -   6865
>>>>>   14472      -      1   8080      -   6391
>>>>>   14385      -      1   7191      -   7192
>>>>>   14379      -      -   7324      -   7055
>>>>>   14316      -      -   6432      -   7884
>>>>>   14152      -      -   6768      3   7381
>>>>>   14487      3      -   6560      -   7924
>>>>>   14263      -      -   6516      -   7747
>>>>>   14304      -      -   6663      2   7639
>>>>>   14299      -      1   6537      -   7761
>>>>>   14157      -      -   6274      -   7883
>>>>>   14570      -      2   5722      -   8846
>>>>>
>>>>>
>>>>> Class Utilization on dsl-out (eth0 output =>  eth0) - values in Kbit/s
>>>>>   TOTAL intera tcpack web-ht defaul lowpri
>>>>>     473      3    444     25      -      2
>>>>>     561      3    536     22      1      -
>>>>>     534      4    529      -      -      1
>>>>>     510      1    487     22      -      -
>>>>>     633      1    502     33      -     97
>>>>>     526      -    526      -      -      -
>>>>>     522      -    520      -      2      -
>>>>>     495      -    407      5      -     83
>>>>>     488      -    409      -      -     79
>>>>>     464      -    400     64      -      -
>>>>>     554      -    506     47      -      -
>>>>>
>>>>> Download seems to be split up 50:50, I can live with that if there is
>>>>> no other solution.
>>>>> But a 90:10 split would be nicer, if this is even possible with ingress
>>>>> traffic?
>>>>>
>>>>> Thanks for your help!
>>>>> Andreas
>>>>>
>>>>> AM wrote:
>>>>>
>>>>>> Hi Costa,
>>>>>>
>>>>>> Thanks for your reply!
>>>>>>
>>>>>> 1. Ok, I will remove the "qdisc htb" line and try again, if that is
>>>>>> what you meant?
>>>>>>
>>>>>> 2. I do masquerading and it is configured like this:
>>>>>> Outside is eth0 with ip 192.168.2.10/24 - Internal LAN is 10.0.0.0/24
>>>>>> which is masqueraded to 192.168.2.10.
>>>>>> Then I have eth0:1 with ip 192.168.2.11/24 - all outgoing requests
>>>>>> from my nas (10.0.0.254) get masqueraded to 192.168.2.11
>>>>>> And as seen in the status output it is working, as traffic gets
>>>>>> associated with the right class. (Checked with iptraf on eth0 too)
>>>>>>
>>>>>> 3. Ok, will remove the acks and just leave ack.
>>>>>>
>>>>>> 4. Yes I also noticed that and was wondering why there is barely
>>>>>> anything in the tcpack class... but no idea why?
>>>>>>
>>>>>> Will report back once I had the chance to test your suggestions!
>>>>>> Thanks!
>>>>>>
>>>>>> Andreas
>>>>>>
>>>>>> Tsaousis, Costa wrote:
>>>>>>>
>>>>>>>
>>>>>>> Hi Andreas,
>>>>>>>
>>>>>>> I can see the following problems on your config:
>>>>>>>
>>>>>>> 1. There is no htb qdisc. Let FireQOS select the default (fq_codel
>>>>>>> or sfq). fq_codel will be of great help on your setup. Make sure your
>>>>>>> kernel supports it.
>>>>>>>
>>>>>>> 2. On the lowprio class you match a private IP on the public
>>>>>>> interface. This cannot be done. On the public interface there are
>>>>>>> only public IPs. This is your key problem.
>>>>>>>
>>>>>>> 3. 'tcp ack' and 'tcp acks' is the same thing.
>>>>>>>
>>>>>>> 4. It is strange that on your output interface you have such traffic
>>>>>>> on the interactive class. If this traffic is the tcp acks of the
>>>>>>> download, they should be on the tcpack class. I hope this will be
>>>>>>> fixed by setting the correct qdisc.
>>>>>>>
>>>>>>>
>>>>>>> So, because of point 2, it is impossible to distinguish between
>>>>>>> normal web traffic from other PCs and your NAS. fq_codel will help but
>>>>>>> it won't solve the problem completely.
>>>>>>>
>>>>>>> Another idea would be to use marks to separate nas traffic from other
>>>>>>> traffic. This however does not work without the act_connmark kernel
>>>>>>> module (which by default is only available in openwrt).
>>>>>>>
>>>>>>> Let me think...
>>>>>>>
>>>>>>> Do you masquerade or snat traffic in firehol?
>>>>>>>
>>>>>>> When you masquerade or snat traffic, what you actually do is that you
>>>>>>> map 192.168.2.11:PORT1 (or any local IP) to your PUBLIC_IP:PORT2.
>>>>>>>
>>>>>>> You could use masquerade or snat to have your NAS use 60000-64999 for
>>>>>>> PORT2, while all your other PCs use 20000-59999. This way you could
>>>>>>> apply qos on the inbound direction by just examining your port range.
>>>>>>>
>>>>>>> I will try to do this with firehol and fireqos later today and come
>>>>>>> back with the statements you should use.
>>>>>>>
>>>>>>> Costa
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Feb 2, 2015 at 2:31 PM, AM <stuff at kr33.de> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I already spent hours on reading and testing tc.
>>>>>>>> But now I'm at a point where I have to ask here for any hints.
>>>>>>>>
>>>>>>>> Basically I want to shape my input and output traffic.
>>>>>>>> I have one nas server which handles large downloads. I want that nas
>>>>>>>> to have a low priority, so that if I start a download on a normal
>>>>>>>> client in the network this client gets most of the bandwidth.
>>>>>>>> But I can't get this to work. Here is my fireqos.conf:
>>>>>>>> ####################################
>>>>>>>> DEVICE=eth0
>>>>>>>> INPUT_SPEED=14300kbit
>>>>>>>> OUTPUT_SPEED=2400kbit
>>>>>>>> LINKTYPE="adsl remote bridged-llc mtu 1492"
>>>>>>>>
>>>>>>>> interface $DEVICE dsl-in input rate $INPUT_SPEED $LINKTYPE qdisc htb
>>>>>>>>       # Incoming traffic Internet -->   LAN
>>>>>>>>       class interactive commit 1000kbit
>>>>>>>>           match udp port 53                    # DNS
>>>>>>>>           match tcp port 22                    # SSH
>>>>>>>>           match icmp
>>>>>>>>
>>>>>>>>       class tcpack commit 2000kbit
>>>>>>>>           match tcp syn
>>>>>>>>           match tcp ack
>>>>>>>>           match tcp acks
>>>>>>>>
>>>>>>>>       class web-http commit 7500kbit
>>>>>>>>           match tcp sports 80,443    prio 20         # http(s)
>>>>>>>>
>>>>>>>>       class default commit 2500kbit
>>>>>>>>
>>>>>>>>       class lowprio commit 1% max 80% prio 7
>>>>>>>>           match4 dst 192.168.2.11 prio 10        # debsrv
>>>>>>>>
>>>>>>>>
>>>>>>>> interface $DEVICE dsl-out output rate $OUTPUT_SPEED $LINKTYPE qdisc
>>>>>>>> htb
>>>>>>>>       # Outgoing traffic LAN -->   Internet
>>>>>>>>       class interactive commit 200kbit
>>>>>>>>           match udp port 53                    # DNS
>>>>>>>>           match tcp port 22                    # SSH
>>>>>>>>           match icmp
>>>>>>>>
>>>>>>>>       class tcpack commit 400kbit
>>>>>>>>           match tcp syn
>>>>>>>>           match tcp ack
>>>>>>>>           match tcp acks
>>>>>>>>
>>>>>>>>       class web-http commit 1100kbit
>>>>>>>>           match tcp dports 80,443 prio 20        # http(s)
>>>>>>>>
>>>>>>>>       class default commit 600kbit
>>>>>>>>
>>>>>>>>       class lowprio commit 1% max 80% prio 7
>>>>>>>>           match4 src 192.168.2.11 prio 10     # debsrv
>>>>>>>> ####################################
>>>>>>>>
>>>>>>>> If I now start downloading on both hosts with e.g. wget
>>>>>>>> http://cdimage.debian.org/debian-cd/7.8.0/amd64/iso-dvd/debian-7.8.0-amd64-DVD-2.iso
>>>>>>>> I get the following stats:
>>>>>>>>
>>>>>>>>
>>>>>>>> Class Utilization on dsl-in (eth0 input => eth0-ifb) - values in Kbit/s
>>>>>>>>    TOTAL intera tcpack web-ht defaul lowpri
>>>>>>>>    14552      -      -   6069      3   8480
>>>>>>>>    14116      1      -   5418      -   8697
>>>>>>>>    14139      -      -   6011      1   8127
>>>>>>>>    14422      -      -   6078      -   8344
>>>>>>>>    14281      -      -   5299      -   8982
>>>>>>>>    14264      3      -   5521      -   8739
>>>>>>>>    14277      -      -   5252      1   9024
>>>>>>>>    14201      -      -   4798      1   9403
>>>>>>>>    14288      -      -   4762      1   9525
>>>>>>>>    14227      -      -   4988      -   9253
>>>>>>>>    14293      -      -   6318     11   7951
>>>>>>>>    14327      -      -   6905    142   7281
>>>>>>>>    14219      -      -   6988      -   7232
>>>>>>>>    14133      -      -   7172      -   6960
>>>>>>>>    14347      -      -   7196      -   7151
>>>>>>>>    14390      -      -   7048      1   7340
>>>>>>>>    14203      1      -   7024      1   7177
>>>>>>>>    14289      1      -   6979      -   7309
>>>>>>>>    14272      1      4   6852     12   7403
>>>>>>>>    14304      3      -   6385      -   7916
>>>>>>>>
>>>>>>>> ==>   lowprio is getting much more bandwidth... why?
>>>>>>>> Can anyone help me out / explain why it is behaving like this?
>>>>>>>>
>>>>>>>> Outgoing everything works like expected.
>>>>>>>> (Used scp to upload a file to remote server)
>>>>>>>>
>>>>>>>>    Class Utilization on dsl-out (eth0 output => eth0) - values in Kbit/s
>>>>>>>>    TOTAL intera tcpack web-ht defaul lowpri
>>>>>>>>     2674   2619      -     28      -     27
>>>>>>>>     2432   2379      -     25      -     27
>>>>>>>>     2524   2483      -     14      -     27
>>>>>>>>     2515   2462      -     25      -     27
>>>>>>>>     2527   2490      -     24      -     14
>>>>>>>>     2501   2458      -     14      1     27
>>>>>>>>     2520   2476      -     17      -     27
>>>>>>>>     2551   2509      -     14      -     27
>>>>>>>>     2514   2463      -     25      -     27
>>>>>>>>     2532   2479      -     25      1     27
>>>>>>>>     2514   2474      -     13      -     27
>>>>>>>>     2512   2469      2     27      1     14
>>>>>>>>     2531   2323     70     25     86     27
>>>>>>>>     2546   2490      -     29      -     27
>>>>>>>>     2505   2463      -     15      -     27
>>>>>>>>     2534   2479      1     25      1     27
>>>>>>>>     2519   2440      -     52      -     27
>>>>>>>>     2550   2491      -     31      -     27
>>>>>>>>     2511   2476      -     22      -     14
>>>>>>>>     2511   2449      5     22      7     27
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Andreas
>>>>>>>> _______________________________________________
>>>>>>>> Firehol-support mailing list
>>>>>>>> Firehol-support at lists.firehol.org
>>>>>>>> http://lists.firehol.org/mailman/listinfo/firehol-support
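Costa's script renames classids to class names by piping the tc output through sed. As an added example (editor's code, not from this thread, from FireQOS or from netdata), the following POSIX shell script takes the same two inputs and parses them directly, emitting one name-keyed statistics line per class and the rrdtool update command that would store it, so the RRD file is chosen by the FireQOS class name rather than by the classid that moves when classes are added or reordered. The layout of `interface_classes_monitor` is assumed from the `cut -d '|' -f 2` / `-f 3` usage in the script (class name in field 2, classid in field 3; the other fields are placeholders), the RRD directory and data-source layout are assumptions, and both the class list and the tc output are constructed samples.

```shell
#!/bin/sh
# Editor's added example, not code from the thread or from FireQOS.
# Turns `tc -s -d class show dev <ifb>` statistics into name-keyed lines, so an
# RRD file can be picked by the FireQOS class name instead of the classid that
# moves when classes are added or reordered.

# CONSTRUCTED sample of the FireQOS class list. Format assumed from the
# `cut -d '|' -f 2` / `-f 3` usage in Costa's script: field 2 = class name,
# field 3 = classid; "x" stands in for the fields the thread does not show.
SAMPLE_CLASSES="x|interactive|1:11|x x|tcpack|1:12|x x|web-http|1:13|x x|default|1:5000|x x|lowprio|1:15|x"

# CONSTRUCTED sample of `tc -s -d class show` output (htb leaf classes plus the
# root class 1:1), trimmed to the lines the parser cares about.
SAMPLE_TC='class htb 1:11 parent 1:1 leaf 11: prio 0 rate 1000Kbit ceil 14300Kbit
 Sent 15230 bytes 120 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:13 parent 1:1 leaf 13: prio 2 rate 7500Kbit ceil 14300Kbit
 Sent 9876543 bytes 6600 pkt (dropped 12, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:15 parent 1:1 leaf 15: prio 7 rate 143Kbit ceil 11440Kbit
 Sent 8765432 bytes 5900 pkt (dropped 3, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:1 root rate 14300Kbit ceil 14300Kbit
 Sent 18657205 bytes 12620 pkt (dropped 15, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0'

# fireqos_class_stats CLASSLIST TC_OUTPUT
# Prints "<name> <classid> <bytes> <packets> <dropped>" per class, in tc order.
# A class tc reports but FireQOS has no name for (the root 1:1 here) is labelled
# "unnamed" rather than silently dropped, so a mapping gap shows up in the data.
fireqos_class_stats() {
    printf '%s\n' "$2" | awk -v classes="$1" '
        BEGIN {
            n = split(classes, entries, " ")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "|")
                name[f[3]] = f[2]
            }
        }
        # "class htb 1:11 parent ..." -> remember the classid for its stats line
        $1 == "class" { cid = $3; next }
        # " Sent 15230 bytes 120 pkt (dropped 0, overlimits ..." -> emit one line
        $1 == "Sent" && cid != "" {
            drops = $7; sub(/,$/, "", drops)
            printf "%s %s %s %s %s\n", ((cid in name) ? name[cid] : "unnamed"), cid, $2, $4, drops
            cid = ""
        }'
}

# fireqos_rrd_updates RRDDIR
# Reads the lines above on stdin and prints the rrdtool command that would store
# them, one file per class NAME. RRDDIR and the data-source layout
# (bytes:packets:dropped, timestamp N = now) are assumptions of this example.
fireqos_rrd_updates() {
    while read -r name cid bytes pkts drops
    do
        printf 'rrdtool update %s/%s.rrd N:%s:%s:%s\n' "$1" "$name" "$bytes" "$pkts" "$drops"
    done
}

# Stand-alone run on the constructed samples; a real poller would pass
# "$(tc -s -d class show dev eth0-ifb)" and the sourced interface_classes_monitor.
fireqos_class_stats "$SAMPLE_CLASSES" "$SAMPLE_TC" | fireqos_rrd_updates /var/lib/rrd/fireqos
```

Because the output is keyed by class name, a class that FireQOS renumbers still lands in the same RRD file, and a classid with no FireQOS name is reported as "unnamed" instead of being lost, which is the symptom worth alerting on when the sourced class list and the live tc tree have drifted apart.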