Koozali.org: home of the SME Server

testers wanted: htbwondershaper

BeatJunkie

testers wanted: htbwondershaper
« Reply #15 on: November 29, 2005, 12:11:41 AM »
Hi again Hans,

I spent most of today going through the script, learning about what's going on, and adapting it to my network.

I added a bit of intelligence to the rate and ceil parameters where the tc classes are being defined.  Here's what I came up with:
tc qdisc add dev $EXTDEV root handle 1: htb default 13
tc class add dev $EXTDEV parent 1: classid 1:1 htb rate ${CEIL}kbit ceil ${CEIL}kbit
tc class add dev $EXTDEV parent 1:1 classid 1:10 htb rate $[3*$CEIL/10]kbit ceil $[3*$CEIL/10]kbit prio 0
tc class add dev $EXTDEV parent 1:1 classid 1:11 htb rate $[3*$CEIL/10]kbit ceil ${CEIL}kbit prio 1
tc class add dev $EXTDEV parent 1:1 classid 1:12 htb rate $[2*$CEIL/10]kbit ceil ${CEIL}kbit prio 2
tc class add dev $EXTDEV parent 1:1 classid 1:13 htb rate $[2*$CEIL/10]kbit ceil ${CEIL}kbit prio 3

You will notice that I put a calculation in for each rate so I could specify the rates as percentages of the ceiling.  The first two are 30% each, and the remaining two are 20% each, so that the total is 100% and each class is guaranteed its minimum rate.

My implementation is a bit different than the one that the script was originally tailored to.  In my case, my SME server is not a web server that is eating up my uplink.  Rather, mine is a firewall and VPN server.  My boss needs high priority for presenting demos of our software over the Internet to clients using GoToMeeting.  Our bandwidth killer is uploading files to our co-locate facility through FTP.  Therefore my priorities are assigned as follows:

#                 FORWARD to internet   |   OUTPUT to internet
#level 1 acks/small packets all icmp    | dns icmp time small-packets
#level 2 GoToMeeting                    |
#level 3 default other traffic          | everything else
#level 4 FTP uploading                  |

I expect to do some actual testing under this setup tomorrow.  It should work out nice.

Offline psoren

testers wanted: htbwondershaper
« Reply #16 on: November 29, 2005, 08:58:53 AM »
Quote from: "hanscees"
But the question relevant here is if your voip did stutter without the script?

Hans-Cees

Ohh yes, even if I just view regular pages on the internet.  My link is 512/512 so there should be enough bandwidth just for that.  With the script, I actually downloaded 2 big files from 2 different servers to be sure to eat up as much bandwidth as possible while phoning, and it still worked fine.

Per

BeatJunkie

testers wanted: htbwondershaper
« Reply #17 on: November 30, 2005, 12:06:24 AM »
Well, I had some more time to tweak, and the traffic shaping is working for the most part.  My ping times remain fast even when uploading at full speed, and my FTP traffic to outside hosts runs at a lower priority than the rest of the traffic.

There is one caveat though.  I have an IPSEC VPN on my SME server, which connects my office to our hosting facility.  If I do an FTP session over the VPN to the hosting facility, the FTP upload gets the same priority as the regular traffic, and not the lower priority that it should get.

I figured out the reason for this...  My SME server routes VPN-bound traffic through the ipsec0 interface.  But HTBWonderShaper is set up to do traffic shaping on ppp0.  All ppp0 sees of this traffic is the IPSEC packets.  The priority mark on my FTP packets is hidden by the IPSEC encapsulation, and the qdisc just gives IPSEC packets default priority.

Because of this, I think I am going to have to do traffic shaping on both the ppp0 and the ipsec0 interfaces, giving them each their own htb tree.  And because all traffic eventually goes through ppp0, I will have to mark IPSEC packets such that they go out with a certain priority...perhaps even create a specific class for it.  Does that sound correct?

Offline hanscees

testers wanted: htbwondershaper
« Reply #18 on: November 30, 2005, 08:16:28 PM »
Quote from: "BeatJunkie"
Well, I had some more time to tweak, and the traffic shaping is working for the most part.  My ping times remain fast even when uploading at full speed, and my FTP traffic to outside hosts runs at a lower priority than the rest of the traffic.

That sounds good. Could you post your iptables rules for this please. Perhaps people can learn from it. I am wondering how you do your ftp so the ports used for the data fall within a certain class?


Quote from: "BeatJunkie"
There is one caveat though.  I have an IPSEC VPN on my SME server, which connects my office to our hosting facility.  If I do an FTP session over the VPN to the hosting facility, the FTP upload gets the same priority as the regular traffic, and not the lower priority that it should get.

I figured out the reason for this...  My SME server routes VPN-bound traffic through the ipsec0 interface.  But HTBWonderShaper is set up to do traffic shaping on ppp0.  All ppp0 sees of this traffic is the IPSEC packets.  The priority mark on my FTP packets is hidden by the IPSEC encapsulation, and the qdisc just gives IPSEC packets default priority.

Because of this, I think I am going to have to do traffic shaping on both the ppp0 and the ipsec0 interfaces, giving them each their own htb tree.  And because all traffic eventually goes through ppp0, I will have to mark IPSEC packets such that they go out with a certain priority...perhaps even create a specific class for it.  Does that sound correct?

The reason you give makes sense. You could do a couple of things, but what you suggest may be the best thing to do.
You could do your ftp by sftp (ftp over ssh) and make sure this does not go over ipsec. But that might be a problem, since you should adjust your ipsec tunnels, and sftp might not be as secure as your ipsec.

I do not know what traffic goes over ipsec but you could de-prioritise all ipsec traffic.
But the best way to go is probably to make an htb-class for the ipsec interface as you suggest. And perhaps give ipsec traffic a specific amount in the htb class of the external interface.

If that succeeds please do post your configuration. I have no idea if it will work, but it just might work out fine.

Hans-Cees
nl.linkedin.com/in/hanscees/

Offline hanscees

testers wanted: htbwondershaper
« Reply #19 on: November 30, 2005, 08:26:47 PM »
Quote from: "psoren"
Quote from: "hanscees"
But the question relevant here is if your voip did stutter without the script?

Hans-Cees

Ohh yes, even if I just view regular pages on the internet.  My link is 512/512 so there should be enough bandwidth just for that.  With the script, I actually downloaded 2 big files from 2 different servers to be sure to eat up as much bandwidth as possible while phoning, and it still worked fine.

Per

That means the script's defaults do work beneficially for voip as you use it. That is good news for voip users.

Hans-Cees
nl.linkedin.com/in/hanscees/

BeatJunkie

testers wanted: htbwondershaper
« Reply #20 on: November 30, 2005, 10:30:32 PM »
Quote from: "hanscees"
That sounds good. Could you post your iptables rules for this please. Perhaps people can learn from it. I am wondering how you do your ftp so the ports used for the data fall within a certain class?

Well, I haven't come across the universal solution yet.  Active ftp-data can be tagged because active ftp uses tcp port 20.  However, passive ftp uses random high ports as determined by the ftp server, so it isn't possible to tag passive ftp by a simple port rule.

Here's my temporary solution...  In my case, it is rare for my staff to upload via FTP to anywhere except our co-locate, and I configured my co-locate's FTP server to use a specific narrow range of high ports for passive ftp.  I created a tagging rule in my HTBWonderShaper to tag destination port 20, and the destination ftp data ports that my ftp server uses.
iptables -t mangle -A FORWARD -p tcp --dport 20 -i $LANDEV -j MARK --set-mark 0x4
iptables -t mangle -A FORWARD -p tcp --dport 20 -i $LANDEV -j RETURN
iptables -t mangle -A FORWARD -p tcp --dport 20001:20005 -i $LANDEV -j MARK --set-mark 0x4
iptables -t mangle -A FORWARD -p tcp --dport 20001:20005 -i $LANDEV -j RETURN

But for passive ftp anywhere else, a solution remains to be found.  I can live with this for a while.

As for my IPSEC tunnel...  Aside from file transfers, there is also interactive traffic that needs high priority, such as rdp and ssh for remote administration of servers.  This eliminates de-prioritizing IPSEC as an option for me.

Perhaps instead of trying to de-prioritize FTP traffic, I should just explicitly prioritize interactive traffic.  That would probably be easier.  :)

I found an unanswered year-old post asking about a situation similar to mine.  I'm going to e-mail that person and see if he ever found a solution.  Maybe he figured it out, or maybe we can help each other.

BeatJunkie

testers wanted: htbwondershaper
« Reply #21 on: December 01, 2005, 10:35:11 PM »
Things are shaping up!  (No pun intended)

The gentleman who had a similar setup to mine got back to me, and confirmed that I will need to set up two htb trees, one for ipsec0 and one for ppp0.  He also added that he is now using 2.6sec (IPSEC built into the kernel), which doesn't use a virtual interface for IPSEC, so he can get away with just one HTB tree.

But for those of us running FreeS/WAN or Openswan we need two trees.  I set up shaping on both my ipsec0 and ppp0 interfaces.  Here's how my htb trees are configured:

On the $EXTDEV interface...
1:10  TCP SYN, SYN-ack, ICMP, etc
1:11  Interactive traffic (dest ports 21, 22, 80, 443, 3389), GoToMeeting traffic (boss uses this for demos)
1:12  IPSEC traffic (ie: everything that goes through $VPNDEV)
1:13  Everything else

On the $VPNDEV interface...
2:10  TCP SYN, SYN-ack, ICMP, etc
2:11  Interactive traffic (dest ports 21, 22, 80, 443, 3389)
2:12  (nothing)
2:13  Everything else

I set up the tc filters so that the priority tags are interpreted the same for both interfaces.  As you can see above, TCP SYN, SYN-ack, ICMP, etc go to the *.10 class, interactive traffic goes to the *.11 class, bulk "Everything else" traffic goes to *.13.  That way I only need one set of tagging rules.

It seems to be working.  Traffic seems to be going through the proper counters.

In my script I also added an additional command line option that shows a subset of the status.  Useful when you want to just look at one set of counters, or just the iptables rules.

My complete script can be found here.
http://www.colp.ca/HTBWonderShaperIPSEC

So to answer some more of your original questions...
Quote
- Do you understand the script enough to use it?
- Does it work for your situation
- Can you come up with ideas to enhance it?

Yes on all counts!

Thank you very much for making the HTBWondershaper script.  It made it much easier for me to learn what traffic shaping is all about and implement it.

-Ryan
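The following is an added example, not code from the thread or from the HTBWondershaper script itself. It puts the pieces described in replies #15, #20 and #21 into one file: an HTB tree whose guaranteed rates are percentages of CEIL (with the kbit lost to integer division handed to the default class, so the rates really add up to CEIL), the same tree repeated on the VPN device under major handle 2 so that one set of fw marks lands in the same class minor number on either device, and the mangle rules that set those marks. Everything not in the thread is an assumption made here: the mark values 1..4 for classes x:10..x:13, the run()/DRY_RUN wrapper, the conntrack ftp helper match as the general answer to the passive-FTP problem (it needs ip_conntrack_ftp loaded), marking ESP in mangle POSTROUTING on the outside device, and the sample interface names and CEIL value.

```shell
#!/bin/sh
# Added example; not code from the thread or from the HTBWondershaper
# script. It puts the design of replies #15, #20 and #21 into one file:
#   - an HTB tree whose guaranteed rates are percentages of CEIL,
#   - the same tree again on the VPN device under major handle 2, so one
#     set of fw marks selects the same class minor number on both,
#   - mangle rules that set those marks.
# Assumed here, not taken from the thread: mark values 1..4 for classes
# x:10..x:13, the run()/DRY_RUN wrapper, the conntrack ftp helper match,
# marking ESP in mangle POSTROUTING, and the sample values below.
# DRY_RUN=1 prints every command instead of executing it, so the result
# can be reviewed without root or a real ppp0/ipsec0.

EXTDEV=ppp0     # outside interface (sample value)
VPNDEV=ipsec0   # FreeS/WAN or Openswan virtual interface (sample value)
LANDEV=eth0     # inside interface (sample value)
CEIL=384        # 75% of a 512 kbit uplink (sample value)

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# class_rates CEIL -> "r10 r11 r12 r13": 30/30/20/20 percent of CEIL.
# Integer division drops a few kbit; the remainder is given to the
# default class so the guaranteed rates still add up to CEIL exactly.
class_rates() {
    ceil=$1
    r10=$((3 * ceil / 10)); r11=$((3 * ceil / 10)); r12=$((2 * ceil / 10))
    r13=$((ceil - r10 - r11 - r12))
    echo "$r10 $r11 $r12 $r13"
}

# build_htb_tree DEV MAJOR CEIL
# Leaf classes are MAJOR:10 .. MAJOR:13 (MAJOR = 1 for EXTDEV, 2 for
# VPNDEV); fw mark N (1..4) is sent to MAJOR:1(N-1) on whichever tree
# the packet leaves through, so the marking rules are written once.
build_htb_tree() {
    dev=$1; h=$2; ceil=$3
    set -- $(class_rates "$ceil")
    r10=$1; r11=$2; r12=$3; r13=$4
    run tc qdisc add dev "$dev" root handle "$h:" htb default 13
    run tc class add dev "$dev" parent "$h:" classid "$h:1" htb rate "${ceil}kbit" ceil "${ceil}kbit"
    run tc class add dev "$dev" parent "$h:1" classid "$h:10" htb rate "${r10}kbit" ceil "${r10}kbit" prio 0
    run tc class add dev "$dev" parent "$h:1" classid "$h:11" htb rate "${r11}kbit" ceil "${ceil}kbit" prio 1
    run tc class add dev "$dev" parent "$h:1" classid "$h:12" htb rate "${r12}kbit" ceil "${ceil}kbit" prio 2
    run tc class add dev "$dev" parent "$h:1" classid "$h:13" htb rate "${r13}kbit" ceil "${ceil}kbit" prio 3
    for m in 1 2 3 4; do
        run tc filter add dev "$dev" parent "$h:" protocol ip prio "$m" handle "$m" fw classid "$h:1$((m - 1))"
    done
}

# mark_fwd LANDEV MARK MATCH...: MARK then RETURN, as the thread's rules
# do, so a later, more general rule cannot overwrite the mark.
mark_fwd() {
    in_dev=$1; m=$2; shift 2
    run iptables -t mangle -A FORWARD -i "$in_dev" "$@" -j MARK --set-mark "$m"
    run iptables -t mangle -A FORWARD -i "$in_dev" "$@" -j RETURN
}

# mark_upload_classes LANDEV EXTDEV: classify traffic leaving the LAN.
mark_upload_classes() {
    lan=$1; ext=$2
    # 1 -> x:10: ICMP and TCP connection setup (SYN, SYN-ACK)
    mark_fwd "$lan" 1 -p icmp
    mark_fwd "$lan" 1 -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
    mark_fwd "$lan" 1 -p tcp --tcp-flags SYN,ACK,FIN,RST SYN,ACK
    # 4 -> x:13: bulk FTP upload. Reply #20's two rules: active ftp-data
    # (port 20) and the narrow passive range the co-lo server was pinned
    # to. The helper match goes beyond the thread: with ip_conntrack_ftp
    # loaded it selects the data connections the helper learned from the
    # control channel, active or passive, on whatever port they land.
    mark_fwd "$lan" 4 -p tcp --dport 20
    mark_fwd "$lan" 4 -p tcp --dport 20001:20005
    mark_fwd "$lan" 4 -m helper --helper ftp
    # 2 -> x:11: interactive traffic from reply #21
    mark_fwd "$lan" 2 -p tcp -m multiport --dports 21,22,80,443,3389
    # 3 -> 1:12: the whole tunnel on the outside device. Inner marks are
    # lost in the ESP encapsulation (reply #17), so the ESP packets are
    # marked where they leave; assumed to be visible in mangle POSTROUTING.
    run iptables -t mangle -A POSTROUTING -o "$ext" -p esp -j MARK --set-mark 3
    # everything unmarked falls into x:13 through "htb default 13"
}

# "sh shaper.sh apply" installs it; "DRY_RUN=1 sh shaper.sh apply" only prints.
if [ "${1:-}" = "apply" ]; then
    build_htb_tree "$EXTDEV" 1 "$CEIL"
    build_htb_tree "$VPNDEV" 2 "$CEIL"
    mark_upload_classes "$LANDEV" "$EXTDEV"
fi
```

Run it once with DRY_RUN=1 and read the output before applying: with CEIL=384 the four guaranteed rates come out as 115, 115, 76 and 78 kbit, and the ipsec0 tree is identical to the ppp0 one apart from the major handle, which is what lets the single set of FORWARD marking rules serve both interfaces.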

Offline p1ur

Tested for VoIP
« Reply #22 on: January 09, 2006, 05:58:38 PM »
Hi
I have installed the script, but before I could figure it out,
I had to write my own howto.

HowTo for htbwondershaper, QoS for VoIP

Connect to SME Server with PuTTy
1. Handle(or execute? or ??) module:
[root@e-smith]# modprobe sch_htb
2. Check module with the command:
[root@e-smith]# lsmod

3 Collect data for VoIP:
ADSL: Up/down: 512/2048 kbit/s
Ip-Adapter: Sipura 2002
TCP:
Line1. Mapped SIP Port:   5060
Line2. Mapped SIP Port:   5061
UDP:
RTP Port Min:16384 RTP Port Max: 16482

4. Get Script
[root@e-smith]# mkdir /root/scripts
[root@e-smith]# cd /root/scripts
[root@server scripts]# wget http://web.inter.nl.net/users/hanscees/sme7/HTBWondershaper

5. Change the file tc in /sbin
Get the file htb3.6-020525.tgz
Get it here: http://luxik.cdi.cz/~devik/qos/htb/v3/htb3.6-020525.tgz
Extract the file tc and copy it to /sbin to replace it with the existing tc-file

6. Edit Script
Change CHMOD to 755.
Use MC or the command:
[root@server scripts]# chmod +x HTBWondershaper
Edit the file.
First you should adjust the line speed to your speed,
Then adjust "CEIL", "DOWNLINK", "EXTDEV" and "LANDEV" if needed

Line speed
Downlink is set to 1950 in the file, is that line speed? -
If so, what speed is it? 2mb?, why is it set to 1950?
Ceil is set to 950 in the file. Is that 75% of upstream bandwidth? ~ 1266

I have 2048 down, so I set Downlink to 1950 - is that correct?
I have 512 up, so I set ceil to 384 ~ 75% of 512 - is that correct?

My EXDEV is eth1 (i'm pretty sure, but how do I check?)

7. Execute the script.
[root@server scripts]# /root/scripts/HTBWondershaper
Check status:
[root@server scripts]# /root/scripts/HTBWondershaper status


I have done no other changes to the script. My primary reason for trying htbwondershaper is that I have set up an IP telephony adapter, a Sipura 2002.
With that I have connected a standard telephone to the LAN, and with that (and a provider) I can telephone to and from normal telephones.
When I first stress-tested it, with lots of downloading and filesharing, it was not possible to hear/understand the conversation.
After installing the script, I tested with huge file downloads and filesharing with Azureus.
There is still stuttering in the sound from the IP phone. The sound to the IP phone is okay.
It did however help with browsing. It used to be impossible to browse the internet while Azureus was online.

My server is at home, it is ver 6.01.
I have only little experience with LINUX, but have had a sme-server for some years
(and I love it :-)

Is /root the right place to put the script?
If I have to restart the server, how do I make sure the script is loaded automatic?

I don't use the server as a web server, and would like to know how to optimize the script for my purpose, and would also like to know if the information given above is enough.

Thanx in advance
 :-)

Petur
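Two checks for the "does it actually work" questions in replies #21 and #22 (is the sch_htb module loaded, and is traffic really landing in the intended class counters), as an added example that is not part of the thread or of the HTBWondershaper script. Both functions read command output from stdin so they can be exercised on captured text; the function names and the sample tc status output embedded below are constructed here, and the class numbering (leaf classes x:10 to x:13, x:13 the default) follows the thread's trees.

```shell
#!/bin/sh
# Added example, not from the thread or the HTBWondershaper script.
# Two checks for replies #21/#22: is sch_htb loaded, and which classes
# are the bytes really going through. Both read command output from
# stdin so they can be tried on captured text; in use, pipe the real
# commands in:
#   lsmod | htb_loaded && echo "sch_htb loaded"
#   tc -s class show dev ppp0 | default_share 1
# SAMPLE_TC_STATUS below is constructed for illustration.

# htb_loaded: exit 0 when the lsmod listing on stdin contains sch_htb.
htb_loaded() {
    awk '$1 == "sch_htb" { found = 1 } END { exit (found ? 0 : 1) }'
}

# class_counters: turn "tc -s class show dev DEV" output into one line
# per class: "classid sent_bytes sent_pkts dropped".
class_counters() {
    awk '
        /^class htb / { cls = $3; next }
        /^ *Sent / && cls != "" {
            dropped = $7; sub(/,/, "", dropped)   # "(dropped 12," -> 12
            print cls, $2, $4, dropped
            cls = ""
        }'
}

# default_share MAJOR: percentage of leaf-class bytes that ended up in
# the default class MAJOR:13. A value near 100 means the fw marks never
# reach this qdisc (reply #17's situation, where ppp0 only sees ESP).
default_share() {
    class_counters | awk -v root="$1:1" -v def="$1:13" '
        $1 == root { next }
        { total += $2; if ($1 == def) d = $2 }
        END { if (total == 0) print 0; else printf "%d\n", 100 * d / total }'
}

# Constructed sample of "tc -s class show dev ppp0" for a 384 kbit tree.
SAMPLE_TC_STATUS=$(cat <<'EOF'
class htb 1:1 root rate 384Kbit ceil 384Kbit burst 1599b cburst 1599b
 Sent 6000000 bytes 5000 pkt (dropped 15, overlimits 40 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
class htb 1:10 parent 1:1 prio 0 rate 115Kbit ceil 115Kbit burst 1599b cburst 1599b
 Sent 120000 bytes 1500 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 1500 borrowed: 0 giants: 0
class htb 1:11 parent 1:1 prio 1 rate 115Kbit ceil 384Kbit burst 1599b cburst 1599b
 Sent 480000 bytes 800 pkt (dropped 3, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 700 borrowed: 100 giants: 0
class htb 1:12 parent 1:1 prio 2 rate 76Kbit ceil 384Kbit burst 1599b cburst 1599b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
class htb 1:13 parent 1:1 prio 3 rate 78Kbit ceil 384Kbit burst 1599b cburst 1599b
 Sent 5400000 bytes 2700 pkt (dropped 12, overlimits 40 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 2000 borrowed: 700 giants: 0
EOF
)

# "sh htbcheck.sh demo" runs both parsers over the sample.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_TC_STATUS" | class_counters
    printf '%s\n' "$SAMPLE_TC_STATUS" | default_share 1
fi
```

On the sample, 90% of the leaf bytes sit in 1:13, so the tagging rules are not reaching most of the upload; that is the pattern to look for when FTP over the tunnel is still competing with everything else. An empty counter in x:12 on the ipsec0 tree is expected, since that class is unused there.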

Offline xboxer21

Priortize VOIP traffic
« Reply #23 on: January 10, 2006, 08:22:01 PM »
Does the script need any changes if my VOIP traffic uses 4569, 5060 & 10000-20000, all UDP ports?

Thanks

Offline hanscees

Re: Tested for VoIP
« Reply #24 on: January 11, 2006, 04:02:25 PM »
Quote from: "p1ur"
Hi
...
Line speed

I have 2048 down, so I set Downlink to 1950 - is that correct?
I have 512 up, so I set ceil to 384 ~ 75% of 512 - is that correct?

My EXDEV is eth1 (i'm pretty sure, but how do I check?)

Yes, that is correct.

Check the IP address with ifconfig eth1,

or ping to somewhere on the internet and see if traffic passes there:

open two putty screens, in screen 1 do: ping www.nu.nl
in screen 2 do tcpdump -nlpi eth1

and see if the traffic passes there. If so it is the outside interface.


Quote
I have done no other changes to the script. My primary reason for trying htbwondershaper is that I have set up an IP telephony adapter, a Sipura 2002.
With that I have connected a standard telephone to the LAN, and with that (and a provider) I can telephone to and from normal telephones.
When I first stress-tested it, with lots of downloading and filesharing, it was not possible to hear/understand the conversation.
After installing the script, I tested with huge file downloads and filesharing with Azureus.
There is still stuttering in the sound from the IP phone. The sound to the IP phone is okay.
It did however help with browsing. It used to be impossible to browse the internet while Azureus was online.


That is a good sign, so it helps a bit anyway. Perhaps some more tweaking is possible.

Quote
Is /root the right place to put the script?
If I have to restart the server, how do I make sure the script is loaded automatically?


I am sure there are better ways, but adding it to
/etc/rc.local will do the trick.


Quote
I don't use the server as a web server, and would like to know how to optimize the script for my purpose, and would also like to know if the information given above is enough.

I am not sure.
You must know that the script as presented can only shape upward, so traffic to the internet.

So the ports you mention can be shaped if they go up.
But adding these ports to the fastest class should be a good bet.
Hans-Cees
nl.linkedin.com/in/hanscees/

Offline Tib

testers wanted: htbwondershaper
« Reply #25 on: April 09, 2006, 05:44:30 AM »
The way SME Server 7 runs seems to be fine except for mail uploads to the internet ... what would be the best wondershaper setup for a 1500/256 setup?

When a few large e-mails go out it totally kills the internet connection to the point that you cannot access anything ... till all the mail goes out.

Anyone got any good ideas on that sort of setup?

Regards,

Tib.

Offline Tib

testers wanted: htbwondershaper
« Reply #26 on: April 11, 2006, 01:27:04 PM »
I love wondershaper  :-D

Played around with the settings and now I can slow down my e-mails to a reasonable speed so it doesn't impact on other users trying to browse the net.

You deserve a  :pint: hanscees


Regards,

Tib

Offline brianr

testers wanted: htbwondershaper
« Reply #27 on: April 11, 2006, 02:37:52 PM »
Can you give us an indication of the parameters that you found worked?
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.

Offline hanscees

testers wanted: htbwondershaper
« Reply #28 on: April 11, 2006, 07:40:56 PM »
Quote from: "Tib"
I love wondershaper  :-D

Played around with the settings and now I can slow down my e-mails to a reasonable speed so it doesn't impact on other users trying to browse the net.

You deserve a pint hanscees

Regards,

Tib

To your health then:-)

Hans-Cees
nl.linkedin.com/in/hanscees/

Offline Tib

testers wanted: htbwondershaper
« Reply #29 on: April 12, 2006, 02:09:52 PM »
brianr

here is my setup ...

#Size of downloads. Used for ingress filter all below (2mb).
DOWNLINK=1152
#Adjust CEIL to 75% of your upstream bandwidth limit by now(1mb line).
#tinkering with ceil and ceil-related variables in tables is crucial for success.
#with 80% of upload, my line becomes clogged. With 70% all goes well.
CEIL=180

My ADSL speed is 1500/256 so I set it to 75% of down and 70% of up

##set devices, extdev is your internet/outside device. Lan the inside one.
EXTDEV=ppp0
LANDEV=eth0

tc qdisc add dev $EXTDEV root handle 1: htb default 13
tc class add dev $EXTDEV parent 1: classid 1:1 htb rate ${CEIL}kbit ceil ${CEIL}kbit
tc class add dev $EXTDEV parent 1:1 classid 1:10 htb rate $[3*$CEIL/10]kbit ceil $[5*$CEIL/10]kbit prio 0
tc class add dev $EXTDEV parent 1:1 classid 1:11 htb rate $[3*$CEIL/10]kbit ceil ${CEIL}kbit prio 1
tc class add dev $EXTDEV parent 1:1 classid 1:12 htb rate $[2*$CEIL/10]kbit ceil $[8*$CEIL/10]kbit prio 2
tc class add dev $EXTDEV parent 1:1 classid 1:13 htb rate $[2*$CEIL/10]kbit ceil ${CEIL}kbit prio 3

These are the only bits I changed ... all else is default

I'm still getting my head arround the way it works ... but seems to run fine the way it is atm.

Mail upload is about 15k/sec and that leaves 10k/sec for other traffic ... I just want to have a look later and set the mail traffic to the least priority setting so that mail goes out after all else.

Regards,

Tib