I'm looking over this traffic shaping available in the tc* files. I went through this when I did my own traffic shaping outside of shorewall previously. For the average (i.e. home, perhaps) user, I've never understood why we use these more complicated shaping algorithms that define classes and guaranteed minimums and maximums and so forth. For most home, or other small use situations, isn't it easier to just specify priorities of traffic, i.e.

Type                    Priority
VOIP                    1
Interactive (i.e. ssh)  2
All other               3

Then have TC rules which simply give way to priority. So if any VOIP traffic is sitting in the queue, it jumps the queue ahead of all other traffic. If and when there is no VOIP in the queue, Interactive traffic gets to jump the queue, and when there is no VOIP or Interactive traffic then all else just gets FIFO access.

And yes, VOIP traffic can completely fill the link and starve all other traffic out, and yes, if there is no VOIP, Interactive can completely starve all of the "All other" traffic out. But one writes their priority lists with this in mind. The way I see it, if VOIP needs 100% of my bandwidth, it should get it. No other traffic's "minimum" should encroach on VOIP's requirement. Same can be said of Interactive and All other traffic. In my thinking, priority is king and nobody gets any guarantees if higher priority traffic is at risk. Nobody gets ceilings either. If there is no VOIP or Interactive traffic in the queue, All other traffic should not be limited to some limited portion of the link, leaving the link under-utilized.

I used to do this all with the FIFO classifiers rather than using the more complicated HTB (and friends) classifiers.

So now on to the question(s):

Could the same be achieved in tcclasses (to steal the wondershaper example from the traffic_shaping.htm page) with:

#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
ppp0       1    full full 1        tcp-ack,tos-minimize-delay
ppp0       2    full full 2        default
ppp0       3    full full 2

Cheers,
b.
-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for just about anything Open Source.
http://sourceforge.net/services/buy/index.php
Brian J. Murrell wrote:

> For most home, or other small use situations, isn't it easier to just
> specify priorities of traffic, i.e.
>
> Type                    Priority
> VOIP                    1
> Interactive (i.e. ssh)  2
> All other               3

Sure. But Shorewall was never targeted at that market. Its predecessor Seawall was targeted at SOHO users and I originally developed Shorewall to provide a product that took over where Seawall left off.

The simple commodity firewall routers typically use a scheme like you advocate. But then I've never understood why a home user would choose Shorewall over one of those little devices anyway. If I didn't develop and maintain Shorewall, I wouldn't run it here at home (and my office would be a lot less crowded).

> I used to do this all with the FIFO classifiers rather than using the
> more complicated HTB (and friends) classifiers.

Then I urge you to develop such a traffic shaper as an alternative to the one built into Shorewall. If it turns out to be wildly popular, we can integrate it into Shorewall just like we did with Arne Bernin's 'tc4shorewall' which is the current Shorewall builtin TC.

> So now on to the question(s):
>
> Could the same be achieved in tcclasses (to steal the wondershaper
> example from the traffic_shaping.htm page) with:
>
> #INTERFACE MARK RATE CEIL PRIORITY OPTIONS
> ppp0       1    full full 1        tcp-ack,tos-minimize-delay
> ppp0       2    full full 2        default
> ppp0       3    full full 2

Not really. HTB works badly when the sum of the RATEs exceeds the OUT-BANDWIDTH.
Something more like this should work though:

#INTERFACE MARK RATE        CEIL PRIORITY OPTIONS
ppp0       1    full*98/100 full 1        tcp-ack,tos-minimize-delay
ppp0       2    full/100    full 2        default
ppp0       3    full/100    full 2

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Thu, 2008-06-05 at 07:20 -0700, Tom Eastep wrote:

> Brian J. Murrell wrote:
>
> > For most home, or other small use situations, isn't it easier to just
> > specify priorities of traffic, i.e.
> >
> > Type                    Priority
> > VOIP                    1
> > Interactive (i.e. ssh)  2
> > All other               3
>
> Sure. But Shorewall was never targeted at that market. Its predecessor
> Seawall was targeted at SOHO users and I originally developed Shorewall to
> provide a product that took over where Seawall left off.

SOHO. That's for the most part the situation I'm talking about. I'm talking about a small enough user base that guaranteeing bandwidth for certain use cases is overkill and all that is necessary is prioritizing.

> The simple commodity firewall routers typically use a scheme like you
> advocate. But then I've never understood why a home user would choose
> Shorewall over one of those little devices anyway.

For mom, perhaps, but for a hacker, they don't do near enough. In fact they don't even do enough for mom. VPN technology is sorely lacking from (almost?) all of them, just for starters.

> Then I urge you to develop such a traffic shaper as an alternative to the
> one built into Shorewall. If it turns out to be wildly popular, we can
> integrate it into Shorewall just like we did with Arne Bernin's
> 'tc4shorewall' which is the current Shorewall builtin TC.

Probably not worth it if HTB can emulate the "prioritize only, not guarantee bandwidth" given the work that's already present to support it.

> > #INTERFACE MARK RATE CEIL PRIORITY OPTIONS
> > ppp0       1    full full 1        tcp-ack,tos-minimize-delay
> > ppp0       2    full full 2        default
> > ppp0       3    full full 2
                                  ^
this last one should have been priority 3 --------+

> Not really. HTB works badly when the sum of the RATEs exceeds the OUT-BANDWIDTH.
>
> Something more like this should work though:
>
> #INTERFACE MARK RATE        CEIL PRIORITY OPTIONS
> ppp0       1    full*98/100 full 1        tcp-ack,tos-minimize-delay
> ppp0       2    full/100    full 2        default
> ppp0       3    full/100    full 2

So is class "1" limited to 98% bandwidth or full? It seems it would be full (otherwise what's the point of the CEIL?). If class "1" is unused can class 2 get 100% of the bandwidth? If both class 2 and 3 are over-saturating, does class 2 get 100% of the bandwidth because of its priority?

b.
Brian J. Murrell wrote:

>> ppp0       1    full*98/100 full 1        tcp-ack,tos-minimize-delay
>> ppp0       2    full/100    full 2        default
>> ppp0       3    full/100    full 2
>
> So is class "1" limited to 98% bandwidth or full? It seems it would be
> full (otherwise what's the point of the CEIL?). If class "1" is unused
> can class 2 get 100% of the bandwidth? If both class 2 and 3 are
> over-saturating, does class 2 get 100% of the bandwidth because of its
> priority?

It means class 1 is 'only' guaranteed 98% of the bandwidth, but if the rest is unused then it can go up to 100%. The other two classes are only guaranteed 1%, but each can go up to 100% if nothing else is using it.

Rate is the guaranteed bandwidth - i.e. if everything tries to use all the bandwidth, that is what each class will get. The sum of the individual rates MUST NOT exceed the available rate or the system will not work.

Ceil (ceiling) is the maximum that a class can use when there is spare capacity. The ceiling values may add up to more than the available bandwidth, but no individual should exceed what's available.

The much bigger problem IMHO is that many (most?) SOHO users don't know what their available bandwidth is and/or it is variable. At home, I have about 6Mbps down and 448kbps up on the ADSL line, but then I hit contention with other users in the backhaul to the ISP's data center - thus my available bandwidth may be just a small fraction of the headline rate at busy times (a cause of great complaint here in the UK!).

That, IMO, gives me three options:

1) manage down to a rate much lower than my line rate in the hope (not guaranteed) that I will never exceed my 'fair share' of the ISP's bandwidth
2) manage to the ADSL line rate, and accept that for a significant part of the day it will be ineffective.
3) Not bother because neither of the above is much better - that's the option I'm running at the moment.
Brian J. Murrell wrote:

> On Thu, 2008-06-05 at 07:20 -0700, Tom Eastep wrote:
>> Brian J. Murrell wrote:
>>
>>> For most home, or other small use situations, isn't it easier to just
>>> specify priorities of traffic, i.e.
>>>
>>> Type                    Priority
>>> VOIP                    1
>>> Interactive (i.e. ssh)  2
>>> All other               3
>> Sure. But Shorewall was never targeted at that market. Its predecessor
>> Seawall was targeted at SOHO users and I originally developed Shorewall to
>> provide a product that took over where Seawall left off.
>
> SOHO. That's for the most part the situation I'm talking about. I'm
> talking about a small enough user base that guaranteeing bandwidth for
> certain use cases is overkill and all that is necessary is prioritizing.
>
>> The simple commodity firewall routers typically use a scheme like you
>> advocate. But then I've never understood why a home user would choose
>> Shorewall over one of those little devices anyway.
>
> For mom, perhaps, but for a hacker, they don't do near enough. In fact
> they don't even do enough for mom. VPN technology is sorely lacking
> from (almost?) all of them, just for starters.
>
>> Then I urge you to develop such a traffic shaper as an alternative to the
>> one built into Shorewall. If it turns out to be wildly popular, we can
>> integrate it into Shorewall just like we did with Arne Bernin's
>> 'tc4shorewall' which is the current Shorewall builtin TC.
>
> Probably not worth it if HTB can emulate the "prioritize only, not
> guarantee bandwidth" given the work that's already present to support
> it.
>
>>> #INTERFACE MARK RATE CEIL PRIORITY OPTIONS
>>> ppp0       1    full full 1        tcp-ack,tos-minimize-delay
>>> ppp0       2    full full 2        default
>>> ppp0       3    full full 2
>                                   ^
> this last one should have been priority 3 --------+
>
>> Not really. HTB works badly when the sum of the RATEs exceeds the OUT-BANDWIDTH.
>>
>> Something more like this should work though:
>>
>> #INTERFACE MARK RATE        CEIL PRIORITY OPTIONS
>> ppp0       1    full*98/100 full 1        tcp-ack,tos-minimize-delay
>> ppp0       2    full/100    full 2        default
>> ppp0       3    full/100    full 2
>
> So is class "1" limited to 98% bandwidth or full?

Hint: CEIL == limit.

> It seems it would be
> full (otherwise what's the point of the CEIL?). If class "1" is unused
> can class 2 get 100% of the bandwidth?

Yes.

> If both class 2 and 3 are
> over-saturating, does class 2 get 100% of the bandwidth because of its
> priority?

It gets 99% of it. Class 3 is guaranteed 1%.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
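A small model of what the RATE/CEIL/PRIORITY answers in this thread imply, added here as an example; it is not code from Shorewall or from anyone in the thread. It assumes a 448 kbit/s uplink (the ADSL figure quoted earlier) as OUT-BANDWIDTH, handles only the RATE/CEIL expression forms that appear in the two tables (full, full*N/M, full/M), and reduces HTB to "guaranteed rate first, then lend spare capacity in priority order up to each class's CEIL". The two tcclasses tables are constructed copies of the ones quoted above, with the third class at priority 3 as the follow-up said it should have been; the per-class demands are constructed too.

```python
# Added example, not Shorewall's code: check the two tcclasses tables from the
# thread against the sum-of-RATEs rule and model how HTB would divide the link.
import re
from fractions import Fraction

# Constructed: OUT-BANDWIDTH taken from the 448 kbit/s ADSL uplink mentioned above.
OUT_BANDWIDTH_KBIT = 448

# Constructed copies of the two tables discussed; class 3 carries priority 3.
ORIGINAL_TCCLASSES = """\
#INTERFACE MARK RATE        CEIL PRIORITY OPTIONS
ppp0       1    full        full 1        tcp-ack,tos-minimize-delay
ppp0       2    full        full 2        default
ppp0       3    full        full 3
"""

CORRECTED_TCCLASSES = """\
#INTERFACE MARK RATE        CEIL PRIORITY OPTIONS
ppp0       1    full*98/100 full 1        tcp-ack,tos-minimize-delay
ppp0       2    full/100    full 2        default
ppp0       3    full/100    full 3
"""


def eval_bandwidth(expr, full):
    """Evaluate a RATE/CEIL expression ('full', 'full*N/M', 'full/M') in kbit/s.
    Fractions keep the arithmetic exact, so the RATE sum is not tripped up by
    floating-point rounding when it lands exactly on OUT-BANDWIDTH."""
    m = re.fullmatch(r"full(?:\*(\d+))?(?:/(\d+))?", expr)
    if not m:
        raise ValueError(f"unsupported bandwidth expression: {expr!r}")
    num = int(m.group(1) or 1)
    den = int(m.group(2) or 1)
    return Fraction(full * num, den)


def parse_tcclasses(text, full):
    """Parse INTERFACE MARK RATE CEIL PRIORITY [OPTIONS] lines into class dicts."""
    classes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed tcclasses line: {line!r}")
        _iface, mark, rate, ceil, prio = fields[:5]
        classes.append({"mark": int(mark), "prio": int(prio),
                        "rate": eval_bandwidth(rate, full),
                        "ceil": eval_bandwidth(ceil, full)})
    return classes


def rates_fit(classes, full):
    """The rule from the thread: guaranteed RATEs must not add up to more than OUT-BANDWIDTH."""
    return sum(c["rate"] for c in classes) <= full


def allocate(classes, demand, full):
    """Simplified HTB division of the link for one instant of steady demand.
    demand maps MARK -> offered load in kbit/s. Each class first receives
    min(demand, RATE); what is left of the link is lent to classes that still
    want more, lowest PRIORITY number first, never beyond CEIL. (Real HTB also
    splits borrowed bandwidth among equal-priority classes by quantum.)"""
    alloc = {c["mark"]: min(Fraction(demand.get(c["mark"], 0)), c["rate"]) for c in classes}
    spare = full - sum(alloc.values())
    for c in sorted(classes, key=lambda c: c["prio"]):
        want = Fraction(demand.get(c["mark"], 0)) - alloc[c["mark"]]
        room = c["ceil"] - alloc[c["mark"]]
        extra = max(Fraction(0), min(want, room, spare))
        alloc[c["mark"]] += extra
        spare -= extra
    return alloc


def thread_scenarios(full=OUT_BANDWIDTH_KBIT):
    """The three questions asked above, answered by the model (kbit/s per MARK)."""
    classes = parse_tcclasses(CORRECTED_TCCLASSES, full)
    return {
        # everything saturated: class 1 is held to its 98% guarantee
        "all_saturated": allocate(classes, {1: full, 2: full, 3: full}, full),
        # class 1 idle, only class 2 active: it borrows up to CEIL (100%)
        "class2_alone": allocate(classes, {2: full}, full),
        # class 1 idle, classes 2 and 3 both over-saturating: 99% vs 1%
        "class2_vs_class3": allocate(classes, {2: full, 3: full}, full),
    }


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_TCCLASSES), ("corrected", CORRECTED_TCCLASSES)):
        ok = rates_fit(parse_tcclasses(text, OUT_BANDWIDTH_KBIT), OUT_BANDWIDTH_KBIT)
        print(f"{name}: sum of RATEs within OUT-BANDWIDTH: {ok}")
    for name, alloc in thread_scenarios().items():
        print(name, {mark: f"{float(kbit):.2f} kbit/s" for mark, kbit in alloc.items()})
```

Running it shows the original table failing the RATE check (three classes each guaranteed the whole link) while the corrected one sums to exactly OUT-BANDWIDTH, and the scenarios reproduce the answers given above: 98% for class 1 when everything is saturated, 100% for class 2 when it is alone, and a 99%/1% split between classes 2 and 3 when both over-saturate.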
Brian J. Murrell wrote:

> For mom, perhaps, but for a hacker, they don't do near enough. In fact
> they don't even do enough for mom. VPN technology is sorely lacking
> from (almost?) all of them, just for starters.

If Mom needs a VPN, she can run an OpenVPN server behind her appliance and forward UDP port 1194 to the server. The appliance can have a route through the remote clients via the VPN server and redirect requests addressed to those clients (if the size of the local network precludes configuring a static route on each local host).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Thu, 2008-06-05 at 12:48 -0700, Tom Eastep wrote:

> If Mom needs a VPN, she can run an OpenVPN server behind her appliance and
> forward UDP port 1194 to the server.

VPN was just one example, but to continue with it, that means leaving a huge power sucking computer on all the time just to provide VPN service which can happily be done on her power efficient little router if we replace the firmware with Linux, and when you do that, you may as well run shorewall too. :-)

b.
Brian J. Murrell wrote:

> VPN was just one example, but to continue with it, that means leaving a
> huge power sucking computer on all the time just to provide VPN service
> which can happily be done on her power efficient little router if we
> replace the firmware with Linux and when you do that, you may as well
> run shorewall too. :-)

If there are no huge power sucking computers on all of the time then there is no need for a VPN. So run the OpenVPN server on one of them.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Thu, 2008-06-05 at 13:21 -0700, Tom Eastep wrote:

> If there are no huge power sucking computers on all of the time then there
> is no need for a VPN. So run the OpenVPN server on one of them.

You're assuming that the only thing I might want to connect to in Mom's house is a computer. She might have some other kind of IP appliance (STB with a web interface for example) that I cannot put OpenVPN on to because it really is a sealed box.

b.
Brian J. Murrell wrote:

> On Thu, 2008-06-05 at 13:21 -0700, Tom Eastep wrote:
>> If there are no huge power sucking computers on all of the time then there
>> is no need for a VPN. So run the OpenVPN server on one of them.
>
> You're assuming that the only thing I might want to connect to in Mom's
> house is a computer. She might have some other kind of IP appliance
> (STB with a web interface for example) that I cannot put OpenVPN on to
> because it really is a sealed box.

Now you're stretching...

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Thu, 2008-06-05 at 13:45 -0700, Tom Eastep wrote:

> Now you're stretching...

In fact only just barely even today (Mom does in fact have a STB which does have a web interface and no capacity to be an OpenVPN router) and most certainly not at all tomorrow.

Your point is taken however, and I don't disagree, that for a great number of people, off the shelf routers work just fine with the factory shipped firmware.

b.
> In fact only just barely even today (Mom does in fact have a STB which
> does have a web interface and no capacity to be an OpenVPN router) and
> most certainly not at all tomorrow.
>
> Your point is taken however, and I don't disagree, that for a great
> number of people, off the shelf routers work just fine with the factory
> shipped firmware.

And one day we might even get units with sensible functionality (IP6 would be nice), but then I've also heard that people are working on Porcine aviation ;-)

Even professional grade equipment has limits - only yesterday at work I had to provide throttling in our Linux router because a professional Juniper router would lose its VPN connection if its throttling was turned on.