
#1 2014-07-14 12:49:41

darioshanghai
Member
Registered: 2011-05-29
Posts: 16

Simple, priority-based traffic shaping

Hi all,

I set up a home network with an old laptop acting as a router. The laptop is connected to a 3G USB key for internet connection and to a wi-fi access point for local wi-fi access. I set up a simple firewall on it (gufw, no inbound traffic allowed for now), a caching server (polipo), a proxy to save bandwidth (privoxy), a local media server (subsonic), and of course a nice local DNS server for DNS caching (dnsmasq).

There are at any time at least three computers/tablets/phones connected to the local network, in use by different people with very different levels of computer literacy for very different purposes (torrents, voip, play videos/streaming, system updates & similar, and just plain browsing). One of the machines runs a VirtualBox virtual machine that also connects to the internet via a local NAT (essentially, the next version of the router).

I would like to shape traffic to avoid the "please pause your download" "internet is slow" "Skype is not working" daily struggle. 

I am not interested in limiting bandwidth because I don't see the point of slowing down a download unless the bandwidth is being used for something else. Plus, the speed is wildly variable, but I would like to set up a strict priority-based traffic that works more or less like this:

1a) All traffic to and from the local network (duh)
1b) VoIP
2) Streaming
3) Browsing
4) All traffic from Virtualbox virtual machine (not local to the router shaping the traffic)
5) Everything else
99) Torrents and system updates (windows, linux, android)

I am a linux power user (14 years), however I am no networking expert. Where should I start?

Thank you.


#2 2014-07-14 14:26:26

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: Simple, priority-based traffic shaping

You say the speed is wildly variable - don't you have a set maximum throughput? Traffic shaping could be problematic otherwise.


#3 2014-07-14 18:52:21

darioshanghai
Member
Registered: 2011-05-29
Posts: 16

Re: Simple, priority-based traffic shaping

The maximum is roughly 5 Mbits, but when it goes down (it's a 3G) it can get a lot lower, and that's probably when I need QoS most, despite it being about 20% of connection time (typically Saturdays or some evenings).

Is it a requirement to have some speed limitation of some sort? I suppose it wouldn't be too difficult to script a periodic speed test that updates the limit.


#4 2014-07-14 20:33:15

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: Simple, priority-based traffic shaping

Bandwidth management is complex; it is hard for me to completely wrap my head around it, and thus take whatever I say with a grain of salt. I have a nice bandwidth managing solution in my home network, but I spent a few days setting it up, tweaking it and testing it.

Bandwidth management really comes into play when the link is saturated, so you have to know when your network is trying to send more than the link can take. If your maximum throughput changes based on some specific schedule, then you should indeed manage. If your throughput depends on the quality of the connection, then it is more problematic (e.g. when you set the limit to 2 Mbits and the link can manage 3 Mbit, you lose 1 Mbit; when you set it to 2 Mbit and the link can manage 1 Mbit, you don't really get traffic shaping).

I was using shorewall prior to setting up bandwidth management, and it indeed offers a nice, configurable abstraction layer not only over iptables, but also over tc (which is used for bandwidth management). I started with setting up traffic shaping on the uplink, which is the most important thing for interactivity - if you set it up properly, some packets have preference over others, queues are created on your end and not upstream, and when two PCs are uploading over HTTP, both of them get the same portion of bandwidth.

Have a look at https://wiki.archlinux.org/index.php/Ro … ic_shaping and http://www.shorewall.net/traffic_shaping.htm

That's the way I have my tcclasses set up:

# ssh, icmp, dns
net1            1       30*full/100 full   1 tcp-ack,tos-minimize-delay,flow=nfct-src
# online gaming, skype
net1            2       25*full/100 full   2 flow=nfct-src
# http, mail
net1            3       10*full/100 full   3 flow=nfct-src
# bulk (sftp)
net1            4       10*full/100 full   4 tos-maximize-throughput,flow=nfct-src
# rest
net1            5       25*full/100 full   5 default,flow=nfct-src

It means that TCP ACK packets ("hey, I got your packet"-type of messages) go first, competing with DNS and ICMP (ping) packets, and packets with TOS set to minimize-delay. That class gets at least 0.3 of the bandwidth; if these packets don't use that much, the allowance trickles down to the classes with lower priority. "flow=nfct-src" ensures that the bandwidth in a class is shared equally between actively uploading PCs. Please note that matching P2P (BitTorrent) traffic isn't easy; one has to use kernels patched with l7filter or ipp2p for that - thus I treat the P2P traffic as "the rest".

If you truly want to get into it, I can give you more tips and introduce you to downlink policing.

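The class table from post #4, written out as raw tc commands with an fq_codel leaf per class as suggested later in the thread. This is an added example, not code from any poster or from Shorewall; it assumes HTB with fw-mark filters, uses a placeholder device name (ppp0) and a constructed 5000 kbit rate, and does not reproduce the tcp-ack, TOS or flow=nfct-src options.

```shell
#!/bin/sh
# Added example: raw tc commands approximating the tcclasses table in the post.
# Class shares (mark:percent) are the post's; device and rate are caller-supplied.
CLASSES="1:30 2:25 3:10 4:10 5:25"   # mark:guaranteed percent of "full"
DEFAULT_MARK=5                        # the class flagged "default" in the post

# class_rate FULL_KBIT PERCENT -> guaranteed rate in kbit (integer, rounded down)
class_rate() {
    echo $(( $1 * $2 / 100 ))
}

# htb_plan DEV FULL_KBIT -> prints the tc commands, one per line; executes nothing
htb_plan() {
    dev=$1 full=$2
    case $full in
        ''|*[!0-9]*) echo "full must be an integer kbit value" >&2; return 1;;
    esac
    [ "$full" -ge 100 ] || { echo "rate too low to split into classes" >&2; return 1; }
    # Replace any existing root qdisc; unmarked traffic falls into the default class.
    echo "tc qdisc replace dev $dev root handle 1: htb default 1$DEFAULT_MARK"
    # Parent class caps the whole uplink at "full" so the queue forms on this box.
    echo "tc class add dev $dev parent 1: classid 1:1 htb rate ${full}kbit ceil ${full}kbit"
    for entry in $CLASSES; do
        mark=${entry%%:*} pct=${entry##*:}
        rate=$(class_rate "$full" "$pct")
        # rate = guaranteed share, ceil = may borrow up to full, prio = borrow order
        echo "tc class add dev $dev parent 1:1 classid 1:1$mark htb rate ${rate}kbit ceil ${full}kbit prio $mark"
        # fq_codel leaf keeps latency low inside each class
        echo "tc qdisc add dev $dev parent 1:1$mark fq_codel"
        # steer packets carrying firewall mark N into class 1:1N
        echo "tc filter add dev $dev parent 1: protocol ip handle $mark fw flowid 1:1$mark"
    done
}

# Print the plan for a constructed 5 Mbit uplink on a placeholder device name.
htb_plan ppp0 5000
```

The firewall marks 1 to 5 still have to be set by packet-marking rules on the router. Calling htb_plan again with a newly measured rate regenerates the plan, which is one way to follow a variable 3G link.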

#5 2014-07-16 00:54:02

Da_Coynul
Member
From: United States of America
Registered: 2010-10-02
Posts: 85

Re: Simple, priority-based traffic shaping

Look into fq_codel as mentioned on the Advanced Traffic Control wiki page. For a simple example check out this blog:

http://blog.plenz.com/2012-05/trying-th … cally.html

You will need to tweak this to suit your needs, but it is very simple and effective.

My upstream bandwidth is currently maxed out by a backup to Amazon S3. Using fq_codel, ping times are back in the 30-40 millisecond range whereas before I was getting > 2 second ping times!

