Using QOS - Tutorial and discussion

I see...
My minimum measured speed was around 240kbps...
Just curious if it will work the same since only Unclassified will go over the "limit"...
Thanx...

Ok this is what it looks like with Vuze (p2p) and game going.

Something has changed with the math. I have a 500 k up and 3 MB down connection.
I used to be able to put 500 in outbound and 3000 in inbound, and all was fine.
I know that theses numbers are not the -15 to 30% but they have always worked just fine

After changeing the inbound limit to 300 and setting the p2p limits to 5-20%. Vuze strated to be limited. Need check and see if the game is running ok now.

@Beast

This downloading test picture indicates that the QoS exactly works fine.

1. RT-N16 with 4494-USB-VLAN-VPN-NOCAT
2. Client 10.8.8.14 with BT running.
3. QoS setting:

Max Bandwidth Limit=17,500 (-15%/ISP)

P2P/Bulk = 10% - 100%

4. A, the IPT-real-time page first launched. QoS was enabled.
5. B, I changed P2P/Bulk setting from 10% - 100% to 10% - 50%

the bandwidth is exactly half cut to 8,750.

6. C, I disabled the QoS, and it went to 20M of ISP provided.

It does not make any difference if I set Max Bandwidth Limit to full ISP rate 20M with this test.

EDIT
Read if you like, I did a nvram clear after the initial flash. But after all the squirly behavior with the QOS, I did another nvram clear and only setup the basics to get on line. Used 512 for outbound and 3008 for inbound. Set p2p 5%to10%. Vuze d/l at about 28 kbs which is about 10% of my max 300 kbs. And Quake 3 Arena is playing just fine. I would still get some clarification on how the rates are calculated ie. a 3 Mps = what in kbs. This has been confusing me for a while now.
-----------------------------------------------------------------------------------------------------------------------

Ok, My brain has possibly stopped working.
Here is the connection rates from the modem (very slow dsl).

Connected at 3008 Kbps (downstream) 512 Kbps (upstream). <------- Copied from the modem status page.

I know that the max 3008Kbps=3Mps and is messured as 300 kbit/s download speed.

So where dose that leave the 512 upstream. Both entries in qos are in kbit/s outbound tab
will not except single digit numbers.

Im sure my brain is dead so help me with the math.......please. Useing my actuall numbers..

Do you know a speed test site that uses the kbit/s speeds to messure my connection.
Bytes vs bits, ....killing my brain.

Found a calculator on line and I hope I used it correctly. The final numbers I came up with that need to be in Tomato are (-30%) outbound =45 and inbound=263.

I too can see that indeed vuze responds to the limit setting, but I can not get Quake Arena III to work at the same time. Even with vuze using 30 kbs out of the max 300 kbs Q3 still has a really unplayable ping. Without QOS ping = 64 with QOS it all over the map fro 225-999.

I know it uses UDP port 27960 and protocal 68 (what ever that is?).

New development, after running for a 1 hour or so all was fine. Then I enabled UPnP and AT-PMP

As soone as I did that Vuze started taking all the band width. And of course opened up its desired ports.

So how can we use UPnP and AT-PMP and still limit p2p. With these turned works as expected.
Vuze has RED NAT indicator and says firewalled. As soone as I turn them back on NAT goes green and Vuze resumes using 100% band width.

Ok did the test and yes your numbers are spot on.
Will test. And see what happens when I turn on UPnP and AT-PMP.

As soone as I turn on UPnP I loose the limiting. Inbound set to 5%-10%.
I rebooted the router after making the change and before starting Vuze.

Has anyone been able to get any type of Citrix Receiver QOS working? With the latest Citrix products they don't use dedicated ports anymore and communicate with port 80 and 443. Ultimately the traffic ends up in the "download" bucket. I been though the Citrix documentation,

http://support.citrix.com/servlet/KbServlet/download/2389-102-571384/Citrix_TCP_Ports.pdf

and really can't find anything that I can key off of to create a rule. They seem to use a random source port. Also when I tried the L7 filter it doesn't ever match.

Thanks...

I've had an idea regarding the improvement of P2P in the QoS, prioritizing ACK is bad for P2P users but on the other hand deprioritizing ACK results in retransmission of packets because of lost ACKs, the solution might be to add a field for tcp-flags in the QoS classification which will allow to place ACK packets below everything prioritized but above the default P2P/Bulk class, theoretically it should prioritize ACK over P2P and prevent data retransmission.

Does it make any sense?

Was having an issue keeping p2p outbound within it's set limit. It appears as though some p2p was being tagged as VOIP. Anyone else?

DD

Disable the skype L7-filters. They are overmatching.

Hi,any ideas on my question?

http://www.linksysinfo.org/index.ph...tman-firmware-qos-issue-with-vpntunnel.36895/

I need the skype filters though. Static ports for skype should do it.

DD

Hi guys. I've tweaked around but still didn't find the optimised option for me. I have Linksys WRT54GL v1.1 I think. And Toastman's release tomato-ND-1.28.7628.1-Toastman-VPN

I have problem I think with download. When user is doing torrents, I can't watch youtube videos normal (even on 320p) if I choose to watch 720p videos heh, than I get to see loading icon a lot Also loading some pages is taking sooooooooooooo long... So I think I have badly configured QoS

My Download speed: 28Mbit
My Upload speed: 2.5Mbit



QoS Basic:



QoS classifications are left default. And here is the image of a user downloading like a madman:
http://i.imgur.com/1r29b.png

What am I doing wrong?

1. Please upgrade to the latest Toastman build.

2. Delete NVRAM thoroughly.

3. Don't give WWW any rate at all. Give it 100% if you have to, but I'd advice you to go a bit lower.

4. After that check whether you have been successful with the QoS Graphs.

You could change the outbound paramenters for P2P from 5%-90% to 1%-5%.
After that you might increase the limit from 5% towards 10%, if there is spare capacity.

If that's not enough, you could reduce Syn Sent timeout.
Might also consider reclassifying DNS as Download class.

If all that is not enough, it's time to zap UDP connections.
And perhaps reduce Unreplied UDP timeout to 5s.

Ok. I've upgraded to: tomato-ND-1.28.7632.3-Toastman-IPT-ND-VPN Even though my download link is 28Mbit, I've redcued it to 22630kbits and even though my upload link is 2.5Mbit I've reduced it to 1900kbits. Just for the sake of QoS. I've test a little bit with torrenting (I was the tester) And I watched 1080p youtube videos. And by loading youtube videos I opened random pages that are known to be very big. A few notes. Youtube still loads from time to time but less time than in previous version. Pages opens more quickly but sometimes it hangs... I'll get more real time torrenting this week when students arrive

Also I've noticed that my download speed for torrents didn't go above 900KB/s. Also When Watching youtube videos on 1080p download rate was approximately 300KB/s What I don't understand is, why youtube won't get more download speed? Also why downloading torrents with max ~800KB/s even though my class says: from 5% to 100% ? Should I rearange classess somehow in new version?

I've also noticed while being on skype, that the user didn't hear me a few times, there was interraption on my part... And also in QoS I saw that when using skype some port was in p2p/Bulk.

Images:
Advanced -> Contrack/Netfilter http://i.imgur.com/SZPuT.png
QoS -> Bassic Settings http://i.imgur.com/B6U2t.png
QoS -> Classifications http://i.imgur.com/UnMqe.png (They are left default)
QoS -> Graphs http://i.imgur.com/PRzzh.png (I think it's worng because most of the traffic is indeed p2p

Hi Toastman I just want to tell you thank you for time and good work here!

I've disabled skypeout rule (It was rule 25). I've erase NVRAM after upgrade and start configuring from scratch. Where do I see (in router) if LAN connection is running at 10Mbps? Transfers within LAN are 100Mbit... Also I don't see LAN in Bandwith -> Real-Time I See: WAN (wlan1), WL (eth1), br0, eth0, imq0, vlan0

Also I've noticed just now that DL speed for torrents went to 1300KB/s fro a few minutes and in this time load buffers incrased and response time of pages also increased.

Is my Advanced->Conntrack/Netfilter missconfigured? Or maybe QoS -> Bassic Settings?

Hi Toastman
Thanks for your good work , Keep it up man
I'm currently using tomato-E3000USB-NVRAM60K-1.28.7495.1MIPSR2-Toastma n-RT-VPN-NOCAT firmware , really happy with it .
I just want to ask you if you can load "String match" & "comment" modules into your next builds ?

Toastman: http://i.imgur.com/OLpS8.png The computer I was testing torrents was FreeBSD 8.2 with 100Mbit ethernet card. I'm 1000% positive it's 100Mbit because I was able to transfer from that computer 100Mbit ethernet card to my working computer (Linux) which has Gigabit ethernet card at around 12MB/s (as in megabytes per seconds). But if I'm not wrong, LAN speeds will be at around 10MB/s if the main router has 100Mbit ports?

I called my ISP and he remotely checked and confirmed that the line is fine. It's not locked to 10Mbps.

Real time example, what I can't find in this new version is LAN tab.


And here is scheme of LAN configuration:


The transfers I was describing were through Linux and BSD through 100Mbit Switch.

I was downloading a file through http, using wget directly on a Linux computer and I don't think it's 10Mbit limitation issue:


I found LAN tab under IP Traffic Real - Time blush What I don't understand is that even though I was transfering file from BSD to Linux with 9Mb/s LAN didn't recognize this:

@frojnd have you turned the QOS off to see if the transfers are still limited?

The custom naming of classes was a nice touch.
Since toastman updated the QOS settings, I install firmware, clear nvram again, turn off L7, rename the classes to Highest-High-Medium-Low-Lowest (the old way), set default class to medium, download limits for all classes to none, upload limit for each (Highest to Lowest) ~90% to ~10% in a decreasing order, and make my own rules on a case by case basis - for apps, http, p2p ports, certain IPs etc. I copy and paste those rules into notepad and do them all over again. Coz nvram reset keeps everything shiny and fast after flashing : ) seriously. I'm not an expert but i'm just sharing what works best for me.

Since my last flashing i've kept the default QOS setting on because I noticed the youtubes are playing with less/no interruption @720p on my 4mb DSL. Although I'm tempted to go back to my "old" custom settings. Thank you toastman, really appreciate your support.

windozer, yes I've turned off QoS an it wasn't nice, there was a BOOOOOM on a network

Hi there. Today I have 3 questions regarding QoS -> Details:


a) How can I fix red Unclassified rule? I have a feeling that this port is p2p since it's going to the soruce port 41132 <- p2p. How can I fix that there won't be unclassified anymore?
b) blue unclassfied. Destination port is 138 and also source port is 138. Where should I put this port?
c) green remote. This is teredo port. I'm almost 100% this user doesn't use teredo. At least not in his knowladge. Could this be some trojan horse or smth that it's triggering this port to be active?

Other than that, QoS works fine and I'm still doing some tweaking. Any tips how to make Web pages more responsive even under high usage of torrents, youtube videos?

Thank you for yor detailed answer on my a) question and on other two questions. I second looked at destination ip for 139 port and it was locally. So all is good. How can I disable Teredo on Toastman version? Or do I have to disable it on each machine individually?

It's recommended to disable UDP/DHT in your P2P application as it doesn't contribute much to the download speed and QoS is performing much better without it.

You have to disable Teredo on each machine individually, this is how you do it on windows 7:
Open CMD and type the following commands
netsh
interface
teredo
set state disabled

Thank you quietsy. I'll try somehow to inform the users that use torrents, toredo.

Well I did some digging on deltacopy & found the 'real' problem is the rsync protocol the program uses. It runs at very slow rates.

http://www.readynas.com/forum/viewtopic.php?f=4&t=35911

So there is no issue here & sorry for leading you guys on a wild goose chase. I deleted my previous posts.

Hi, i need to do income filtering based on private destination IP address on VLAN4 interface.
I found how to do this here http://serverfault.com/questions/36...ering-based-on-private-destination-ip-address
But i failed to do
$IPTABLES -t mangle -A FORWARD -i $INTERNET -j IMQ --todev 1
I guess it happened because there is no ipt_IMQ module. How can i get it?
i found it here http://downloads.openwrt.org/whiterussian/packages/iptables-mod-imq_1.3.3-2_mipsel.ipk
but it is for another kernel. Please help

PS:I'm using shibby tomatousb on asus-rt-n66u

Ok, the correct module is xt_IMQ and all commands are accepted now. The classification works ok and “ceil” parameter works properly for all classes, but “rate” parameter still doesn’t work (classid 1:10 always takes all bandwidth limited to 4Mbit ceil).
Here is the commands I use

169.254.1.8 is in another VLAN: vlan3
vlan4 is DSL internet

I guess there is something wrong with tc in the tomato firmware.
1. It doesn’t respect rate or quantum parameters on imq interface. Here is tc stat ( 1:11 class has only 71576bit rate although it has much more quantums):

2. I tried another approach for incoming traffic control, which I used on Oleg's based custom firmware (2.4.37 kernel based) on wl500g router: building separate classes on eth0 for VLAN. It worked on tomato too, although tc stat displays wrong classification. Very strange.
I will try dd-wrt if it works better.

How is the QoS "View Details" page populated? I'd like to capture this information via script, say every 5 minutes, over a period of days or weeks, and use the results to eliminate redundant QoS rules.

Is this (a) feasible (b) worthwhile?

Way back in this thread there was rebooting issues solved by firewall prerouting scripts.

Its still in the firewall tab of current builds, under admin-scripts.asp, but it assumes you use 192.168.1.1/24 and no VLANs

My main IP range is 10.10.10.1/24, not 192.168.1.1/24
and a VLAN on a port with IP range 10.10.5.1/24

Question! Will these modified firewall rules below serve the purpose intended on both IP ranges?
I'm a little concerned that doubling up on these, albeit with different src-range, will make one or both inoperable/ineffective. I don't understand this enough to know.

iptables -t nat -I PREROUTING -p tcp --syn -m iprange --src-range 10.10.10.50-10.10.10.250 -m connlimit --connlimit-above 100 -j DROP
iptables -t nat -I PREROUTING -p ! tcp -m iprange --src-range 10.10.10.50-10.10.10.250 -m connlimit --connlimit-above 50 -j DROP

iptables -t nat -I PREROUTING -p tcp --syn -m iprange --src-range 10.10.5.50-10.10.5.250 -m connlimit --connlimit-above 100 -j DROP
iptables -t nat -I PREROUTING -p ! tcp -m iprange --src-range 10.10.5.50-10.10.5.250 -m connlimit --connlimit-above 50 -j DROP

iptables -t nat -I PREROUTING -p tcp --dport 25 -m connlimit --connlimit-above 5 -j DROP

Thanks

Environment:
Qnap TS-212 (BT Downloads using Download Station and Transmission, mostly downloading movies and tv episode, generally 10 torrends on download station and Transmission each)
Asus RT-N16 with latest tomato firmware (Toastman build:tomato-K26USB-1.28.7498MIPSR2-Toastman-RT-VPN.trx).
All lan lines are CAT 5e.
One desktop with gigabit lan wired to RT-N16 (It is dedicated for playing music and video stored on the NAS)
Two Notebook (Macbook Pro and Toshiba Z830) (General Internet browsing only)

Background:
Previously I had a TP-LINK WR340G v2, which is a b/g router, and I could get about 300~800KB/s of download rate. However I bought a Asus RT-N16 and flashed latest Toastman Tomato firmware (tomato-K26USB-1.28.7498MIPSR2-Toastman-RT-VPN.trx) due to the old TP-LINK is crippling my internet access (whever download station is active, no matter if download/upload speed is 1kBs or 1000kBs, loading yahoo or google takes more than 3 minutes and often failed to open).

I live in school dormitory and using speedtest.net I tested my download speed is about 3.5~4.0mb/s and upload about 0.5mb/s. I entered the speeds with about 70% of this value. Here's a snapshot of my QoS settings:



Problem:
With QoS enabled, downloading torrents no longer cripple my network and my browsing is pretty smooth. However I discover that my download speed is no more than 50kB/s. Here's a snapshot of the bandwidth.

As you can see, download can be as low os 10KB/s
I suspect its QoS limiting my download speed and so I turned it off, here's a snapshot.

As expected, download speed shoots up to about 500KB/s and more.

So I'm thinking I'm not setting the QoS properly. My objective is simple: when I'm using browsing internet, bt download should not affect my browsing experience. When I'm not browsing, BT should be at full speed. Can anyone give me some suggestion of how I should set my QoS?

PS: I'm not sure if I've forwarded the ports correctly:

Can someone confirm that if this setting is correct/incorrect?

Thanks a lot.

I had some P2P traffic coming in through the VOIP/Game ports, is this normal? Without being able to directly control a user's port selection on their torrent application, is there any way to combat this? I'm concerned someone who's torrent application randomises ports might end up damaging likes of Skype's bandwidth if they end up using the same ports.

Toastman does have some firewalls rules that come with his firmware that could help somewhat. You'd have to uncomment them, but they should limit the amount of connections each computer can create. If someone torrents over voip ports, it could at least keep it down to significantly fewer connections instead of dozens.
I've also wondered about this, though I haven't yet seen the issues arise for me. Especially if a user has knowledge of the workings of qos, seems you could not only bypass, but exploit the system. Limiting the connections though probably ought to help prevent saturating the line though.

So aside from P2P performance being hit, is there any other disadvantages to limiting the amount of connections each computer can create?

I've got bandwidth limitations assigned to each computer/IP address which will help. But it would be good to have QoS settings for each IP too (the classification rules etc for each IP). So if someone torrents through the VoIP ports, it only affects them. I guess it would result in a very complex arrangement of QoS settings.

Is there a way to re-arrange the rank order for the classes on incoming bandwidth distributions? I can only see ways to change it on outbound. One video streaming application comes in as FileXfer, and I'd rather that had higher priority than VoIP, since P2P traffic keeps appearing through that and getting priority. Or is the inbound traffic not ranked by priority?

Youtube?

have anyone found a correct way to classify Youtube? An QoS classification in Tomato that does work with it?
L7 httpvideo never catches Youtube here. L7 flash neither. I also tried L7 http-rtsp and no way to work also.
Using standard Toastman classifications Youtube is always set as http and thus endup QoS classified as DOWNLOAD cause of 512k+. That's a huge problem because usually we want consistent but slow (low QoS priority) downloads in one side and consistent but fast (high QoS priority) streaming videos on the opposite side.

Tests done lots of times with diffent Tomato mods K2.6 and also K2.4. Exactly now runing "tomato-WRT54G_WRT54GL-1.28.7633.3-Toastman-VLAN-IPT-ND-VPN" on a WRT54G v3.0. Youtube was and is always a problem. Tomato's L7 httpvideo/flash/http-rtsp cannot catch it.

I think it is impossible to have and keep up to date a list of all Youtube servers IP, but if someone could solve this or another way please share.

Hey Toastman, i am looking through the internet and your countless posts to properly set up my QoS (for gaming purposes). I still havent so i cant tell what works and what doesnt, but through google i found this thread http://www.dslreports.com/forum/r24052405-Tomato-Optimizing-QoS-for-Gaming where another guy says that setting inbound outbound limits to 60% instead of 100% is totally wrong, apparently what he says helps whoever was asking, so im wondering what is right and what is wrong, what do you advice me?

and, in another more important note, how do i know if i should use source or destination (src, dst) for X port number? :/
I want to set a class for steam games :

• ports: UDP 27000 to 27030 inclusive

27000 to 27030? Steam, eh? I used Src or Dst for my Steam rule.

Personally the only way QoS makes sense for me is if all values in the left column - the ones that are in use by rules at least - total 100%. Left side is guaranteed bandwidth, and you can't guarantee > 100% of bandwidth.

um kk, ty

do you know when to use src or dst? in case i want to set another rule so i can figure out myself

I'm having some major problems with version tomato-ND-1.28.7632.3-Toastman-IPT-ND-VPN.bin torrent speeds are like only 30-50KB/s fring doesn't work properly etc... I think it's something with QoS. So I'll try to upgrade to tomato-ND-1.28.7633.3-Toastman-IPT-ND-VPN.trx Do I have to rename .trx to .bin?

Ok I've renamed to .bin and upgraded. I've erased NVRAM before and after upgrade. But I still have similar problem as Bladepopper. My download rate is around 130kB/s when QoS enabled. The moment I disable QoS bandwith significly rise up. I've upgraded to tomato-ND-1.28.7633.3-Toastman-IPT-ND-VPN

I stream live TV using a website called Sky Go (which uses Microsoft Silverlight). QoS defines it as FileXfer, and I've allocated sufficient bandwidth (40% to 100%) so it works without buffering when P2P traffic gets heavy.

The video stream allows you to set 4 video quality settings: low, medium, high and auto. Using auto, it will begin using low quality and after a few seconds determine there's enough bandwidth to use high. QoS seems to affect this, as it'll remain on low quality, even though there is sufficient bandwidth - with QoS disabled it works as expected. I can manually select high, so this isn't really an issue but just some background info.

With the 'high' setting - there is two bit-rates, one at 1.8Mbps and one at 2.7Mbps. For some reason, with QoS enabled, it will always remain at the 1.8Mbps stream, never using the full bandwidth for the 2.7Mbps stream. There is no way for me to force the web app to use the 2.7Mbps stream, it is determined automatically, and the QoS seems to be affecting it somehow. This happens with no other traffic. With QoS it uses the 2.7Mbps stream. I have 10Mb internet.

The ports used vary, and Sky won't tell me what the port range is. What else can I do to set this up?

What I usually do is set a rule to src or dst, then establish a connection, then go into View Details to see how the connection is working.

With Steam I believe you're connecting to their servers over 27000 to 27030 and other peers are connecting to you over 27000 to 27030, therefore you need the rule to encompass both src & dst... but I haven't looked at Steam in ages so things may have changed. I set it to both, set up a port forwarding rule, and haven't needed to touch it since.

This is odd. Somehow web interface every now and then become unresponsive. I can't access it locally. The only option I have is to ssh to the router and reboot it. But now even this doesn'thelp. Internet works however web interface is unresponsive. My version of the firmware is: tomato-ND-1.28.7633.3-Toastman-IPT-ND-VPN (I belive it's the last stable one) Any ideas what is going on? Is this the right topic to write this stuff in? If not please inform me where to post it.

Hm. The odd part is that I see in status numbers like this:
CPU Usage 28.16%
Total / Free Memory 14.04 MB / 3,760.00 KB (26.16%)

Odd because CPU doesn't go higher even though I have a few havy torrent users. And memory well maybe because I set cpu to 250MHz? But didn't have any problems in the past with setting CPU clock to 250MHz.

And question two. I've setup openVPN server with certificates that listens on port 1194 (TCP) I didn't forward it. Vpn works fine. The only problem is that it's very slow. Even though I have plenty of upload/download speed. Is it even possible to clasify in QoS vpn?

This. I have the same problem. The L7 filters don't seem to work, at least for Youtube.

On a related note, it would be tremendously helpful for debugging QoS if the "Transfer Rates" view listed the classification (Class and Rule).

Concerning the L7-filters and youtube:

I can't say that the flashvideo filters don't work at all. But especially on youtube they are quite unreliable. Sometimes if I click on a video link then the QoS graphs will show me, that the video is classified as download. But if I reload the youtube page it gets classified as Media the next time.

Maybe this ist because of the way L7-filters work. As far as their howto told me, the filters look at the first 2KB of a connection or the first 10 packets, whichever is reached first. Those limits could be too small nowadays. But that's only my guess. Another explanation is that the regular expressions in the filters need better finetuning to match again because most of them are quite old and some things could have changed.

These in attachment are my QoS settings for the "media" class



They are not perfect... but they match quite a lot.

The Youtube L7 filters don't work for me either. But I found out one reason why. I use Firefox, and when I watch Youtube the videos pass all the filters and end up as Bulk Download. Watch the same videos in IE, and they get caught by the filters and classified correctly. Any one have any idea what Firefox could be doing to cause this?

I found the answer - Firefox is using HTML5 (http://www.youtube.com/html5), while IE and Chrome are not. So Flash is being caught by the filter, but html5 is not. Anyone know how to filter out html5 videos in QOS?

Watching youtube with Firefox 13.01 gets picked up by L7 rule "httpvideo" correctly for me using Shibby 095. Puts it in the "media" class.

Not for me, using Firefox 13.1 as well. But I am using WRT54GL-1.28.7633.3-Toastman-IPT-ND-Std

I've made some tests in different browsers (all Youtube, Windows).

- Firefox 13.0.1 with Flash 11,3,300,262 - does detect as file transfer.
- Chrome 20.0.1132.47 with Flash 11,3,300,257 - does detect as file transfer.
- IE 9 with Flash 11,2,202,235 is interesting - it detects as media, but only initially. It then seems to switch to new connections in regular intervals (I observe new connections to the same destinations with the source port increasing by +1), and those new connections are not detected as media.

I also tried Youtube with HTML5 enabled in Chrome, and it makes no difference - still file detected as transfer.
My classifications setup is first testing for L7 flash, httpvideo, http-rtsp, shoutcast, then a bunch of manual ports, all targeting the media class, then two rules that classify HTTP, HTTPS and FTP with Transferred 512KB+ as file transfer.

Toastman have you thought about doing a YouTube tutorial for QoS?

It's difficult to give advice if the complete configuration is unknown. Some screenshots would help.

Did you read Toastman's guide? Are your overall Max Bandwidth Limits low enough? How is Netflix classified? I'm not sure about it, but does it end up in the Media class?

This post is in response to my QoS questions posted in the other thread about QoS(click here). See below for my QoS setup (images included)

Thx for the fast response!
2. That's good to know. I actually *only* really need BW limiter to control the amount of connections on a few IPs who are known torrent users, and a total limit for the rest. Would the BW limiter work together with the main QoS to do that, at least?
So you're saying that that one or the other works? Or, for example, if I have classes setup on both, and both enabled, do rules from the main QoS classification's list overrule the BW-limiter's rules? I've noticed that the main QoS class list goes from #1, #2, #3.... and so on, depending on how many you make, while I have seen much higher rules prioritizing my traffic (for ex, I see Rule #255 a lot) and I've only ever had 15 rules, max.

3. I knew it was traffic between LAN and router... but when there is a lot of traffic (i.e. many connections between LAN(s) and the router) that the router might have to use extra processor speed or power to handle all of that local traffic, and therefore, the router would have less overall processor speed or power available for browsing the internet or w/e, and thus slow down my game.

4. Screens of my current setup below. Been working quite nicely so far, this is my best setup yet:

A)Qos-Classification.PNG, B)Qos-BasicSettings.PNG

C)QoS-BW-Limiter.PNG, D)QoS-Graph.PNG

A) B)

C) D)

5. I'm not actually sure what I meant either.
edit: Oh, I was trying to understand why there is no classification list for "Inbound Direction" traffic? I read something somewhere but it looks like I confused a few things together.

6 + 7. Thx for the reminder, I did think of that, but I actually think it would be more of a hassle for all of us for me try to and get everyone to control their bandwidth appropriately, I think they'd just prefer I did this (I told one, but I probably should ask every1). I don't really care about having priority over them in games but I can see how that would be considered cheating.
Like I said though, the game uses random ports other than just 80 which is why this whole QoS deal was so difficult. It has a list of about 6 or 7 ports, but then there will be some random server that requires some random port to be open, it was really stupid of them to design it that way really.

8. Toastman, I am experiencing less lag in my game after unchecking ALL 5 or 6 of the "small-packet" prioritization options, I think. But that's only after one night of experience. Could not having these options checked be worse in some situations than others?
Also, I made QoS rules that simply prioritize small amounts of traffic instead (see my classification image) 0-8kb in size. Is this alternative equivelant? Or should I make the 8kb smaller or larger? Or just have them all checked except ACKS?

Thanks for your help and the work you did on this!

2. They may interact unintentionally. I repeat myself: only use one of them. If you want to limit the amount of connections read this and adept it. http://www.linksysinfo.org/index.php?threads/using-qos-tutorial-and-discussion.28349/#post-138446
#255 ist the default rule, which has to be the last one, because it matches everything that hasn't been matched by anything before. If you really want to prevent p2p from crashing your network, you should read Toastman's guide for the QoS-system.

3. When there is a lot of traffic between the hosts of your network (LAN) the integrated switch in your router does all the work. Only connections to your router use cpu power and unless you have dozens of tabs open that display QoS-graphs this shouldn't be a problem.

4. I highly doubt that you get a smooth internet experiece with you current config. If this works for you and your roommates then fine. But using the default rules and adjusting them to your needs should be far more effective. Not distinguishing between different protocols (i.e. mail, http) will mess everything up. Imagine somebody is sending an email while you are playing over http. Email and http will end up within the same class pretty quickly because you only classify based upon connection bytes and 8KB are reached very quickly.

5. You actually have a point there. Seems like this headline was forgotten when the QoS system was improved. Maybe to something like "Rules for Classification", Toastman?

6. If the game is http-based (and flash games probably are, but I'm just guessing) then you shouldn't have a problem matching it. You do have a problem though if the game traffic doesn't get matched and shows up in your default class. But then again, if you load the default rules and your game connection over http has seen more than 512KB, it will end up in the Download class and will get slowed down considerably when there are people downloading. You might be screwed either way. Your only chance might be a self-made L7-filter.

Over the course of a few days I have to say it's not nearly as smooth as I thought. The lag spikes aren't constant, at least, they come every once in a while and are fairly brief, like a bottle-neck finally releasing everything, and then building up again. So it's still better than constant lag with giant spikes, but definitely needs improvement.
2.
Thanks. I disabled the BW limiter, and using only QoS now. I'm using the following code exactly as I copied/pasted it into my Firewall Scripts section:

Code:

#Limit all *other* connections per user including UDP
iptables -I FORWARD -m iprange --src-range 192.168.1.7-192.168.1.255 -p ! tcp -m connlimit --connlimit-above 40 -j DROP
iptables -I INPUT -m iprange --src-range 192.168.1.7-192.168.1.255 -p ! tcp -m connlimit --connlimit-above 100 -j DROP
 
#Limit UDP packet opens from all users - UDP to Router
iptables -I INPUT -p udp -m limit --limit 20/s --limit-burst 40 -j ACCEPT
 
#Limit UDP packet opens from all users - UDP out to WAN
iptables -I FORWARD -p udp -m limit --limit 20/s --limit-burst 40 -j ACCEPT

Do the last 2 mean there's 20 UDP connections per second, per user, or 20/s total?

6. I didn't try to differentiate protocols because I didn't understand them too much. I only know that TCP is more for important stuff that can't have packet loss, and UDP is for streaming media and such. Would there be any disasterous effects if I restricted all my current rules to TCP/UDP, and then had one rule at the end restricting all protocols (so, all other protocols) to the Lowest class? Would that work or would all traffic use that rule? I'll look into the protocols further. For L7, is that simply a class that contains a list of classes?Thx again.

You chose to divert with no good reason and even deleted all the classification rules just because you didn't understand them. Don't blame me or anybody else if it doesn't live up to your expectations.

I suggest you read Toastman's QoS-Guide in its enterity, because I'm getting the feeling you never did that until now.

2. You also didn't read the whole post I pointed you to. At the end of the post you can find the commands that turned out to be useful.
Concerning whether the commands limit overall or per IP: I don't know. You will have to google that. I would guess it's an overall limit.

6. Please load the default rules by resetting you config. The most important thing about getting QoS to work is knowing your line capacity and then not enter the values of 100% but 60-70% of your line capacity. Only by that are big and latency generating queues being prevented.
Please google for: iptables l7-filter.

Hi Toastman, I have a question. I am using your build and setup 66% of max download speed in Qos, I still get slow latency. I just wonder if you could help me out. I even set up to 30% and still the same result. as long as download speed reaches "flat line" the responding time became very slow and all other qos classes are slow too, such as www.

thanks

PS. please take a look of the screen capture if you have time. thanks!

Hi bobyang,

on the QoS/Basic Sttings-page:
the left values are the guaranteed speed for a class and the right values are the maximum speed one class can get. The sum of the left values must not exceed 100%. Your current values guarantee about 200%! That's most likely the cause of your problem.

thanks for the information! I am going to modify the left column again.

by the way, I thought that thought the left column means by class, if the total of top few classes use up all 100%, then lower classes will have no speed...

Do you know how classes work with the % speed? For example, before, I setup WWW as 10% on the left. when someone use P2P (setup as 5%) with a lot of speed, it still sucks a lot of speed even WWW has a higher class, it ends up P2P uses about 6Mb and only few kb to WWW in the speed test. it seems like P2P is the first takes the speed then it owns the speed...

thanks a lot

Everything I've done so far has made our network much stronger and faster than the default setup so I only consider these things improvements... you're right I didn't read through the guide, I did use a few parts of it, but it's just too much for me, I'm pretty ADD when it comes to reading stuff I'm not interested in (not trying to be a dick, it's just the truth). I just like the rules that cover everything because they are simple and easy.

Setting my connections too small was actually a big problem it turns out, after fixing that, we're getting no lag and good ping times. It could probably be better, I'll have to come back and finish the guide in parts. But I just wanted to let you guys know about the connections problem. The game did NOT like the fact that I set Time Wait: 30 seconds and Established: 1200 and there was weird lag when I set these too low, in addition to regular lag I had before my current QoS setup.
After finding a higher time_wait that would not max out our connections too fast Time Wait: 210 seconds and making established connections last longer Established: 3600 basically all lag has ceased and everythings running smoothly.
Thanks guys for caring enough to help and working with me to find the problems!

Thanks. yes, I read through almost all articles before I post, I tried all most everything I can google and in "http://www.linksysinfo.org/index.php?threads/common-tomato-topics-help-information.31234/" I think that's the reason I end up different configulations. I will go through and reset again.

here is the result I setup on the left column for downstream and adds up to 100% but still with the same slow response time. (by the way, I only use QOS without speed limiter, and uncheck all packages and icmp)

thanks!

the picture shows the ping with max of 66% and 50% of ISP downstream. with firewall script:
#The new rules in the firewall script box were:
iptables -t nat -I PREROUTING -p tcp --syn -m iprange --src-range 192.168.2.50-192.168.2.250 -m connlimit --connlimit-above 150 -j DROP
iptables -t nat -I PREROUTING -p ! tcp -m iprange --src-range 192.168.2.50-192.168.2.250 -m connlimit --connlimit-above 100 -j DROP
iptables -t nat -I PREROUTING -p tcp --dport 25 -m connlimit --connlimit-above 5 -j DROP



thanks!

tutorialbs:

So you are saying you kept your own old config and it's made your connection better? Web-downloads, youtube or P2P don't mess with the responsiveness?
Concerning the timeout-settings: it's not wrong to use higher values. In fact the default are much higher values. But when under heavy load the old wrt54gl and alike weren't able to deal with so many connections, so reducing the timeouts was a good tradeoff, which I have never had a problem with. At least not that I know of.


bobyang:

Don't sweat it. Toastman might have confused you with tutorialbs.
What type of traffic are you using to test your config? Web-downloads, p2p etc.?

Are you sure that the host you are pinging is giving you stable and fast repsonses when you don't download?

I wouldn't give any class 99%. In my oppinion it's always better to be a bit more on the safe side. As an example I have uploaded a screenshot.

Check the QoS-graphs. Maybe some traffic isn't behaving as you like. Can you browse the web with a reasonable speed while you are still downloading?

The way I tested is using netflex and IPTV (MEDIA class) to make sure with bigger downstream (about 2-5 Mb) (my ISP gives me 10Mb) + running torrents to test if someone tries to use P2P at the same time (P2P class) + browse web at the same time to test speed (WEB/DOWNLOAD classes) for most of regular users.

At the same time, I try to change neflex menu, then nothing comes up. I found that's because the latency (1xxx-3xxx ms) is too slow, so the menu couldn't pop up. Afterwards, I stop P2P client, I don't see flat line anymore in the router realtime graph and I could see ping comes back to about 50-80ms, at this time, I can see netflex menu again.

I could not browse web (even google) with a reasonable speed, it was poping up right away, but with slow ping time (flat line) it takes about 5 seconds to have google web comes up.

I ping -t to 8.8.8.8 (the google DNS) and 4.2.2.1 (DNS) and both should be very stable.

I will try your setting shortly and let you know the result. thanks!

Sir Toastman or Expert Ones,
which one is the correct opinion:
1. QOS Outbound Rates / Limits & Inbound Rates / Limits setting are intended to manage bandwidth for each client to WAN based on each client's request? or
2. QOS Outbound Rates / Limits & Inbound Rates / Limits setting are intended to manage bandwidth for router to WAN based on all clients' request?

if the correct is #2, what about if all clients (say 25 clients) are connected/request for gaming class, while the QOS is set 5% - 20% (outbound) & 10% - 30% (inbound)? is that setting enough for serving the clients' (25 clients) request?

or if another correct opinion please describe.

Regards.
Eri

#2 is the right description of what is happening in the router.

Nobody can tell you how much bandwidth your game needs. You will have to test it for yourself. If gaming is so important to you, why don't you set the right value to 85% or 90% instead of 20% and 30%?

Thanks for your concern to my question sir.
i'll set as suggested (since most of my users are enthusiast game).
I'll keep monitor on it.

And if the quota of each class (even the higher one) doesn't reach max limit yet, will it be merged to the other class (even the lower one) ?
Then if the higher class needs more quota, will it take to the lower class till the higher class reach max limit of it's quota?

Hi Porter, I try your setting and use 66% and 50% of the my ISP download speed. However, I still get the same thing.. once I hit the max speed in average which is almost flat line for then latency became very slow and other higher priority Qos didn't get the bandwidth of it should get.

More information, once I see the line pop up or down, then the latency will get back to normal until I see the flat line again.

thanks!

bobyang:
I didn't mean that you only use 66% or 50% of your overall line capacity. I meant that you shouldn't give any class 99%. To be on the safe side, I wouldn't give any class more than 70% or 80%.

Try to test every type of traffic (IPTV, P2P, Web-Download) for itself. Monitor with the QoS-graph that they are classified correctly and stay within the defined limits of their classes.

I found P2P is hard to setup limit because it may use other classes too, for example, I use google voice, which uses port 5222, 5228..etc and sometimes I see P2P uses those port because I don't use google voice at that moment, and I have skype L7 setup too and I see some goes to that class too.

sorry, I didn't reply clearly earlier. Yes, I use your Qos setting from the picture + my own setting of 50% or 66% of download speed (where I read from toastman's post using only 66% downstream speed; otherwise, the latency will go up).

thanks!

Only use L7 filter if you absolutely have to. I forgot whether it makes sense to make L7 filters the last filters so that most traffic has been already matched. You could try that. The skype L7-filters are known to overmatch. Just disable them and hav skype use a specific port so that you can match it with a simple port-filter.

Try to make people use specific ports for p2p, too.

In my experience, when I'm downloading a lot, webpages take twice the time to load. But I believe without QoS it would be even worse.

yes, skype L7 doesn't really work well.. However, skype uses dymanic ports so could not use the port numbers

by the way, about P2P, do you block all other ports in the end of Qos? I don't know how to ask people to use specific ports unless they cannot connect...and I found a lot of them have no idea how to change ports in P2P software. it will take me too long to support them with 50 rental studios.)

Thanks for the information. I thought Qos makes the higher priority traffic gets in and out First. I tried AximCom's iDBM, it works very well, it handles, all media, VOIP, gamming, web, P2P in the correct order. While full speed with P2P, the web speed is normal and ping is normal too. However, the only bad thing, AximCom only supports up 64 IPs now. However, with 50 rental studio unit 64 IPs are not enough.

I read somewhere, it is related to "buffer bloat" with tomato firmware. I will try to do some research on that.

by the way, I know this is out of topic, I tried DD-WRT, I don't like their Qos features and I wrote firewall scripts but get too much problems in the end because people ask for different rules, so I tried to use tomato. I heard people saying OpenWrt with X-WRT works out very well now, I just wonder if anyone tried it and see any problem?

thanks a lot!

You can tell skype to use a specific port. But since people already don't know how to do this in their p2p-software they most likely don't know for skype either. Just make sure that the L7-skype filter is one of the last filters in line and see if this helps.

Everything that doesn't get matched by a filter will end up in the default class (that's when you see filter rule #255). That's why you don't need an extra rule for all the other ports.

QoS tries to prevent buffer bloat by handling traffic well. It's got nothing to do with tomato because if you configure QoS in the right way no buffers will run full.

I didn't try any other firmware. The only thing that I know of is Gargoyle which is supposed to have automatic QoS.

thanks for the help Porter!

I tried L7 skype as last rule.. and testing skype, it gets to my default class "Crawl" and the quality is not usable.. I heard almost nothing... ;(

FYI, I just gave a try of http://ordorica.org/blog/tomato-firmware-wreduced-bufferbloat , I think it really fixes the problem! the latency is good (about 60 ms) with flat line downloading speed! According to the posts, it limits the buffer pockets rather than using tomato Qos default 128 or 256.
I tried their 2 packets limit but I can only reach the download speed to max of 4.xx or 5Mb... I will try to ask if he could help me to compile the firmware for 10 or 20 packets. if he could, I will post for the result.

thanks!

PS. I just read this. it sounds interesting. http://www.cringely.com/2012/05/08/beginning-of-the-end-for-bufferbloat/

After doing more research and reading about bufferbloat problem, Linux Kernel 3.5 fixed the problem by using CoDel queue management.
some information if you are inerestingin (I don't think any wrt use version 3.x yet but I will start doing research. thansk for all the helps)

http://kernelnewbies.org/Linux_3.5#head-04f799359e8a199d7788bb0ce6ddf59c74322b01
http://news.softpedia.com/news/Linux-Kernel-3-5-Has-Been-Officially-Released-282543.shtml

I tried these setting but it destroyed my steam (source games) ping and that was after adding the required ports to the "well known games/voip" classification.

threeclaws:
which settings did you try? The ones against bufferbloat?


bobyang:
I remember playing around with txqueuelen, but this was several years ago. It didn't improve network speeds at all. I think it even had adverse effects. Especially when you reduce txqueuelen on a linux fileserver/router, because this network interface then has to handle your internet connection and your fileserving. If you've got only average internet speed then you are dealing with a 6MBit connection, but inside your LAN you might have gigabit interfaces (1000MBit). I highly doubt that those will work without proper queues.

Another argument why the described measures might be a bit too much: buffers are only there to prevent packet loss when there is traffic that cannot go on the wire because the line capacity has been reached. If the line capacity is never reached, buffers won't fill up and slow down traffic.

There is a specific problem to DSL networks per se. Due to the underlying ATM-Layer there is a certain amount of overhead induced which normal QoS doesn't know of. This is why normal QoS can never know exactly how much bandwidth is being used over a DSL-Link and therefore we all have to use such a big safety margin. We don't use 100% of our line capacity as maximum in the QoS/Basic Settings dialogue, but only 66-70%!

There is a solution for this already in the K26 builds, but as far as I know it hasn't been implemented in the GUI, yet. This would be one cool solution to use QoS in a more efficient and reliable way.

Apart from that I made a rather sad discovery today. I tested my connection with http://netalyzr.icsi.berkeley.edu/ . Eralier this year I switched from a firmware with the mentioned ATM-mod to the new Toastman-mod with proper QoS. I always thought the reason why my internet got slower was the kernel: http://linksysinfo.org/index.php?threads/tomato-1-25-vs-1-28.36757/#post-178821

But in fact that's not true! I disabled QoS to see how buffers looked like without it because they were really high:

QoS on:

Now with QoS off:

This came as a real surprise.

To confirm I checked with my monitoring tool that downloads two websites every 5min:




Well, the sad conclusion now is that just by enabling QoS my internet speed slows down considerably! One explanation might be that I still use a wrt54gl and Tomato-QoS uses iptables to mark packets which is far more demanding than pure tc-filters.

So now I can either buy a new and powerful router or I can switch back to the ATM-mod. Unfortunately the iptables subsystem is far more powerful in marking traffic, so control is much better. But right now, this costs a lot of speed!

Sounds to me like you didn't adjust your inbound/outbound speeds correctly.

Personally I hack the ever living crap out of the default rulebase and go with a much simpler ruleset, with the first QoS category and the first QoS rule applying to Steam, so that it immediately classifies that traffic and goes along its merry way. Categories seem to be prioritized from the top down, and rules are compared sequentially from the top down, so anything that is time-sensitive (DNS, NTP) should be placed higher on the rule list and category list than, say, HTTP/HTTPS traffic (which while important to prioritize, isn't as time sensitive so it can be the 3rd or 4th category/rule w/o consequences).

FYI, Steam uses ports 27000-27050. I also set a port forwarding rule for 27000-27050 to forward those ports to my PC. This doesn't mean that third party (non-Valve) games are going to use ports 27000-27050 though, if a game uses G4WL for example it will likely use different ports.

Also, make sure in categories that the left bandwidth column, the minimum bandwidth percentage column, never exceeds 100% when totalling all values for all categories up. That column is a guarantee of a percentage of your bandwidth, you can't guarantee more than 100% (really you shouldn't try guaranteeing more than 90% so QoS has some room to work with).

very good point! I never test the LAN speed. I just try to make sure I got reasonable latency from outside so people can use netflex and gaming correctly instead of getting error message. ;P hard to handle everything all at once good to know the potential problems ahead.

(We don't use 100% of our line capacity as maximum in the QoS/Basic Settings dialogue, but only 66-70%!) this what I thought earlier so I thought ping will not slow down since we didn't take the whole bandwidth and that's the reason I test with 6.6Mb and 5Mb limitation and all comes up the same result. This sounds like a conclusion to me, the router uses only the max speed we set up and then it became a "flat line" then buffer starts building up, I think that's the time even higher priority traffic could not go first because all are in the buffer and waiting to release.

I just wonder is there any way I can say up only use 6.6Mb but when it is flat line, then higher priority traffic can pass over by using those other 3.4Mb (10Mb-6.6Mb), such as, latency, so it won't stay in the buffer too long and wait.

I am using e2000 and wnr3500L both has the same "flat line" issue. this is not a problem at all until the bandwidth hit the flat line (but it is easy to hit flat line, can make it happens with one computer).. then people said game doesn't work, online TV menu doesn't pop up, google voice doesn't ring, skype doesn't pop up.......

I am not sure your internet speed slows down with Qos. I thought toastman use tc filters? I remember I see something in tc -s qdisc before.. but I forget.. I haven't tried it for a while. I remember toastman build is different from others which has more rules and including internal and external interface. I will do some test to turn on/off qos. so you use ADSL there? I am using cable connection not sure if they are the same situation.

I have another problem about Qos filter to youtube, I try to set youtube as "media" with L7 of httpvideo and rstp. However, it doesn't work, it gets to the "www" and then "download" rule. I just wonder if anyone knows how to set this up correctly?

Thanks

What's with the Basic Settings? Did you enable icmp prioritization? In my experience enabling this doesn't help. What helped was making a new filter for the icmp-protocol and adding it as #2. But I never had pings with 1000-2000ms, even without prioritization. Maybe something else is wrong. You could post some screenshots of your whole config again.

You can easily put unimportant traffic in one low class and put every other high priority traffic in a higher class. Using more classes just makes you a bit more flexible. But whatever works. Give it a try.

Does your TV traffic really end up in the media class?

You always use tc when doing QoS in linux. But the filtering can either be done by tc itself or by iptables. And Tomato uses iptables. Which is ok, but it's slower on older routers.

The L7-filters for youtube mainly don't work anymore. We'll have to wait for somebody to analyse the youtube traffic and rewrite the regular expression in the filter accordingly.