Example Customized QoS

[bloater99]

Now that I have a well-running QoS system in place for awhile, I am posting my customized QoS in case it can help anyone. I thought of adding it to the wiki, but I don't know if the devs want customized examples or if they prefer examples stick to the default Preset.

Some notes:
-We have a 10/2 Mbps cable connection. I dropped maximum rates by 5% (9.5/1.9 Mbps) within the classes to help prevent modem buffers from bloating. Thanks to N0man for his posts on buffer bloat.
-I had to delete/recreate many of the classes because you cannot edit a Class to change its priority.
-When you delete/create Classes, the QoS graph will often break. Don't worry. Give it a minute and refresh the page and it will start working again.
-Because the QoS graph uses consistent colors in sequential order, having the outbound and inbound classes line up by class # makes the colors match up in the graphs. Example: Web class is red on both outbound and inbound graphs; Email class is grey in both outbound and inbound graphs. I had to add a class (Ping) to Inbound in order to make this happen. By default, there is one fewer class in inbound than in outbound.
-In my network, Web gets higher priority than VPN (the default presets are opposite).
-I monitored maximal transfer rates in the Ping, DNS/RTP, and VPN inbound classes for a week and adjusted my guaranteed rates according to the observed maximal rates, so they were guaranteed at least the highest rate I observed. For example, Class 101 never got higher than 70.6 KB/sec (565 kbps) and typically was much lower (about half that) so I guaranteed 500 kbps and capped the Max to 700 kbps.
-There is conflicting info about whether mail ports ever use UDP protocol or not, so I just threw UDP equivalents of all rules in to make sure I covered all bases.
-Class 111/211 (Misc) consists of layer7 protocols that are discouraged on my network. I am unaware that they are even in use, but I set this class up just to observe if any of these protocols are detected, with intentionally low bandwidth restrictions in case anyone is trying to use them.

[furryfennec]

Just wanted to say thanks for this! I'm sure it will help folks out trying to understand the basics of QoS in IPFire. Very clear and concise presentation.

[dnl]

Hey bloater99 thanks for this!

I've been investigating QoS for my network but do not seem to have any defaults, despite defaults being mentioned in the wiki page.

Would you please be able to post a copy of the text files in the /var/ipfire/qos directory?
These files mean that others can copy your configuration without having to enter it all manually:

• classes
• subclasses
• tosconfig
• portconfig
• level7config

I like how you've aligned all the protocols. If you're comfortable working in a shell, it is easier to fix the order of things directly in the files.

Thanks!

[bloater99]

dnl,

I'll try to get those text files posted today. If not, then early next week. Of course since I posted this, I've tweaked qos a bit more, so my current settings don't match my original post.

I do know I removed Class 111/211 because I was getting strange results on the qos graph. I'd get massive, impossible jumps in bandwidth (like 500 MB/sec on a 100Mbit network with 10Mbit internet) that seemed to go away when I removed 111/211. And these bandwidth jumps would only show on the qos graph, not on the network graphs at Status->Network.

I also increased the guaranteed bandwidth on some of the lowest set classes to 100kbps because of kernel complaints (HTB: quantum of class 20202 is small. Consider r2q change.) I decided as long as my guaranteed bandwidths for all classes totaled less than my total bandwidth, it wouldn't hurt to bump these up a little bit and stop the kernel complaints.

When I get the text files, I'll also post an updated PDF.

[bloater99]

While going through the text files, I noticed something strange. In the 'settings' file there are two values:
DEF_INC_SPD=9000
DEF_OUT_SPD=1800

These values do not match anything I have set through the GUI. I am guessing these are the speeds for class 210/110. But my speeds for these classes are 9500 and 1900. Anyone know what's going on?

Rather than attaching text files, I will paste the text here, as I wanted to go through and edit out some private ports.

classes
imq0;200;1;100;100;;;8;Ping;
imq0;202;2;100;1000;;;8;DNS/RTP;
imq0;203;3;3000;9500;;;8;Web;
imq0;204;4;100;7500;;;2;VPN;
imq0;205;5;2000;9500;;;2;Email;
imq0;210;6;100;9500;;;0;Default;
red0;101;1;500;1000;;;8;Ping;
red0;102;2;100;1000;;;8;DNS/RTP;
red0;103;3;500;1900;;;8;Web;
red0;104;4;500;1900;;;2;VPN;
red0;105;5;200;1900;;;2;Email;
red0;110;6;100;1900;;;0;Default;

subclasses is empty...

tosconfig is empty...

portconfig
120;red0;udp;;465;;;
120;red0;udp;;587;;;
120;red0;udp;;;;25;
200;imq0;icmp;;;;;
202;imq0;tcp;;53;;;
202;imq0;udp;;53;;;
203;imq0;tcp;;443;;;
203;imq0;tcp;;80;;;
220;imq0;tcp;;110;;;
220;imq0;tcp;;993;;;
220;imq0;tcp;;995;;;
220;imq0;tcp;;;;110;
220;imq0;tcp;;;;993;
220;imq0;tcp;;;;995;
220;imq0;udp;;110;;;
220;imq0;udp;;993;;;
220;imq0;udp;;995;;;
220;imq0;udp;;;;110;
220;imq0;udp;;;;993;
220;imq0;udp;;;;995;
204;imq0;esp;;;;;
204;imq0;tcp;;1194;;;
204;imq0;tcp;;;;1194;
204;imq0;udp;;1194;;;
204;imq0;udp;;;;1194;
204;imq0;udp;;4500;;4500;
204;imq0;udp;;500;;500;
205;imq0;tcp;;110;;;
205;imq0;tcp;;993;;;
205;imq0;tcp;;995;;;
205;imq0;tcp;;;;110;
205;imq0;tcp;;;;993;
205;imq0;tcp;;;;995;
205;imq0;udp;;110;;;
205;imq0;udp;;993;;;
205;imq0;udp;;995;;;
205;imq0;udp;;;;110;
205;imq0;udp;;;;993;
205;imq0;udp;;;;995;

level7config
102;red0;dns;;;
102;red0;rtp;;;
102;red0;skypetoskype;;;
103;red0;http;;;
103;red0;ssl;;;
104;red0;rdp;;;
104;red0;ssh;;;
104;red0;vnc;;;
105;red0;imap;;;
105;red0;smtp;;;
202;imq0;dns;;;
202;imq0;rtp;;;
202;imq0;skypetoskype;;;
203;imq0;http;;;
203;imq0;ssl;;;
204;imq0;rdp;;;
204;imq0;ssh;;;
204;imq0;vnc;;;
205;imq0;imap;;;
205;imq0;pop3;;;

And lastly, a fresh PDF of the GUI page.

ipfire.qos.091815.pdf

(486.46 KiB) Downloaded 1157 times

[dnl]

Thanks! That's the information I was after!
Thank you also for the tip about the kernel error, I'm seeing those also.

I also have DEF_INC_SPD and DEF_OUT_SPD defined, and they are both 90% of the value of my Downlink and Uplink speeds. I guess they're calculated, but I'm not sure what the purpose is for.


As an aside, I wonder if using level 7 filters is more CPU intensive than just using port filters?

[bloater99]

Glad I could help!

Yes, I noticed those two DEF_ lines were calculated at 90% of bandwidth limit too. I'm not sure what their purpose is either...

I've read that level7 filters ARE more cpu intensive, but if they are, it's still low on my network. I rarely see the cpu climb over 10% during the busiest times of day.

Cheers!

[dnl]

FYI: I've edited the QoS page in the wiki. It should be still technically accurate, but is now less confusing for a beginner. I removed the unhelpful DSL-specific table. People need to calculate their own bandwidth and not rely on the bandwidth their ISP reports.

Can you quickly review the page and let me know if you think anything is incorrect?




Also, I've been using your example but changed the order around. Here's a skeleton of the parent classes I'm thinking of switching to for a home connection.

I'll define the specific traffic by preferring port rules over layer 7 rules and I'll only include traffic we actually use, rather than all traffic which could exist in a particular class

• 101 ACK, priority 1, TOS 8, Not sure why IPFire separates ACKs out, but since it does I'll keep this. I'll also have a (201 ACK Placeholder) class so that the colours align in the QoS graphs (good idea by the way).
• 102 Network Services, priority 1, TOS 8, For ping, routing protocols (if required), DNS, NTP
• 103 Real-time comms, priority 2, TOS 8, VoIP, instant-messaging, Google Chat, Google Cloud Messaging, Skype, etc)
• 104 VPN, priority 3, TOS 4, For an inbound VPN, if used at all.
• 105 Streaming Video, priority 4, TOS 4, For YouTube NetFlix, etc (This might be lower priority for a business connection)
• 107 Web, priority 5, TOS 4, For general web traffic
• 108 Email, priority 6, TOS 2, Low priority, but with a guaranteed bandwidth
• 110 Default, priority 6, TOS not set.
• 111 File Transfer, priority 7, TOS 1, For ftp, rsync, NNTP (news), Bittorrent, depending on use.

I'd use identical for downlink rules.

[bloater99]

dnl,

I think the wiki page looks great. Some nice improvements and polish. I don't see anything incorrect but more eyes will help. I did make a few minor changes (grammatical) as I read the page from top to bottom.

When you get your QoS rules in place and working, please post them here (along with port and level7 changes) so that others may benefit.

Thanks!

[bloater99]

[*]105 Streaming Video, priority 4, TOS 4, For YouTube NetFlix, etc (This might be lower priority for a business connection)

How do you plan to classify YouTube and Netflix to separate it from Web? I don't know of any specific ports or protocols these two services use that would allow this to happen. I'd like to do this, so if you know, please share.

I know on Tomato firmware, you have the ability to assign a MAC address to a QoS Class, which would be great, but I don't see that you can do that in IPFire...

[dnl]

How do you plan to classify YouTube and Netflix to separate it from Web? I don't know of any specific ports or protocols these two services use that would allow this to happen. I'd like to do this, so if you know, please share.

I know on Tomato firmware, you have the ability to assign a MAC address to a QoS Class, which would be great, but I don't see that you can do that in IPFire...

Yes, good question! At this stage I've not come up with a solution to either example.
I did happily find that Spotify web play uses a Flash port (1935 TCP). However aside from trying to put chunks of google's network in a rule, I'm not yet sure how to filter YouTube.


How does MAC address filtering help? I guess you're talking about a dedicated media PC/chromecast or the like?
We use all PCs/Tablets for streaming at some point so that solution wouldn't work for me.

[dnl]

For YouTube, I wonder if there's some way to classify packets based on their source DNS domain (not IP)?
Ideally it would do the lookup on each new connection, no more frequently than that.

[bloater99]

How does MAC address filtering help? I guess you're talking about a dedicated media PC/chromecast or the like?
We use all PCs/Tablets for streaming at some point so that solution wouldn't work for me.

Yes, that's exactly what I'm referring to. It would be neat if there were such a thing as layer7 protocols for "netflix" and "youtube".

[dnl]

Yes, that's exactly what I'm referring to. It would be neat if there were such a thing as layer7 protocols for "netflix" and "youtube".

Well youtube is using HTML 5 over https. There is a mime type of video/mp4 I wonder if we can filter on that somehow?

In the short-term, I've identified the network ranges used by youtube for my country (while the network was quiet, I queued some HD videos and just used IPFire's "Connections" page to identify the source IPs and then their networks) and added them to the streaming class. It's not a long-term solution as content delivery networks can change.

[dnl]

My QoS settings for a home connection are getting close, although I've not properly solved the streaming media problem we've discussed.

I can't seem to get the layer 7 'ftp' filter to work. All my FTP traffic is ending up in the default class after the connection is established and data is exchanged over a random high port. I'm not sure why?

I've also noticed an annoying bug where if you edit a class, but then do not save it (by choosing another menu option in the web user interface) the class definition is removed. The good news is that if you add a new class definition with the same number it correctly inherits all the various rules you've already defined for it, saving you from having to do them all again.
Because of that bug I've ended up doing most of my editing in files and just restarting QoS each time.