Hi folks,

First of all let me say an enormous THANK YOU for shorewall in general! It is so easy to write powerful firewall configurations with this tool!

Well, it was until I wanted to fiddle with QoS ... now it is not so easy unfortunately :-(

I just got VOIP at home a few weeks ago and my connection was deplorable, which forced me to turn on QoS on my Ubuntu 12.10 firewall. That solved my VOIP issue but it clobbered my smoking fast HTTP speeds, and I just can't figure out why. I'm finding the tc files in shorewall not as easy to understand as the other stuff. I think I've got it right from an example I found online and don't think it should be throttling me, but it is.

Does someone have a working example they can share?

Or alternately, I have been reading about this method of traffic shaping where you mark packets using iptables as they come in, and then you write your QoS rules to simply use the marks to shape.

http://www.andybev.com/index.php/Fair_traffic_shaping_an_ADSL_line_for_a_local_network_using_Linux

That looks like a good alternative for me because some of the other QoS stuff I've read makes me believe that I might be able to just write my own QoS script and tell shorewall to use my script instead of the tc files per-se.

But I'm not sure how to tell shorewall to mark packets like that as they come in.

thanks,
-Alan

--
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"

Robert K Coffman Jr. -Info From Data Corp.
2013-Mar-29 13:05 UTC
Re: looking for good traffic shaping working example
Alan,

Post your tc* files and I'll take a look.

- Bob

> Does someone have a working example they can share?

On Fri, Mar 29, 2013 at 9:05 AM, Robert K Coffman Jr. -Info From Data Corp. <bcoffman@infofromdata.com> wrote:
> Post your tc* files and I'll take a look.

I'm just giving those another good going over ... I think I'm a bit mixed up on them :-)

Part of what confused me at first is which files are for what type of config.

It looks like TC_ENABLED=Simple uses only tcpri and tcinterfaces, is that right?

And I guess that means that TC_ENABLE=Internal uses tcdevices, tcclasses and tcrules???

Is that right?

At first I tried to get Simple going but as I recall it seemed to work until I pulled a big file from my webserver on the Linux FW, then it clobbered. So I futzed around with Internal and got something that fixed the VOIP issue even when pulling a big file.

Anyway confirm that for me and then let me have another go at it based on that answer, then I might not be too embarrassed showing my files :-)

--
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"

On 29/03/13 12:22, Alan McKay wrote:
> Hi folks,
>
> First of all let me say an enormous THANK YOU for shorewall in
> general! It is so easy to write powerful firewall configurations with
> this tool!
>
> Well, it was until I wanted to fiddle with QoS ... now it is not so
> easy unfortunately :-(
>
> I just got VOIP at home a few weeks ago and my connection was
> deplorable, which forced me to turn on QoS on my Ubuntu 12.10
> firewall. That solved my VOIP issue but it clobbered my smoking
> fast HTTP speeds, and I just can't figure out why. I'm finding the
> tc files in shorewall not as easy to understand as the other stuff. I
> think I've got it right from an example I found online and don't think
> it should be throttling me, but it is.
>
> Does someone have a working example they can share?
>
> Or alternately, I have been reading about this method of traffic
> shaping where you mark packets using iptables as they come in, and
> then you write your QoS rules to simply use the marks to shape.
>
> http://www.andybev.com/index.php/Fair_traffic_shaping_an_ADSL_line_for_a_local_network_using_Linux
>
> That looks like a good alternative for me because some of the other
> QoS stuff I've read makes me believe that I might be able to just
> write my own QoS script and tell shorewall to use my script instead of
> the tc files per-se.
>
> But I'm not sure how to tell shorewall to mark packets like that as
> they come in.
>
> thanks,
> -Alan
>

Hi, unfortunately part of that is a result of the fact tc is not the easiest thing to understand, if you are struggling to work it out in shorewall I recommend not trying to figure it out using TC directly, shorewall is a *lot* easier than tc.

Which part are you finding most difficult? Once you have set up your interface definition in tcdevices and your classes in tcclasses the tcrules file is set up in much the same way as regular rules, for VOIP you are probably going to need to use a rule with the sip helper as ports vary.

You can set up shorewall to use marks too, though I find using the CLASSIFY target (requires kernel support) even easier. To use marks, just set up the device in tcdevices without the classify option, then in the tcclasses file specify a mark for each class. In tcrules just put the mark value in the first column of each rule.

By way of an example for the article you linked to, I've not done it exactly the same way, for instance using an IFB to shape the downlink instead; this way it doesn't interfere with LAN traffic and leaves you free to set separate rules for that if you wish. I also make use of ipp2p support for the p2p shaping in this example, which requires the xtables-addons package be installed.

tcdevices

1 ppp0 - 550kbit  - -
2 ifb0 - 3600kbit - ppp0

tcclasses

1 10  76kbit   76kbit   0 -
1 20  170kbit  170kbit  1 tcp-ack
1 30  106kbit  106kbit  4 -
1 40  84kbit   84kbit   4 default
1 50  76kbit   76kbit   4 -
1 666 38kbit   38kbit   7 -
2 10  720kbit  720kbit  0 -
2 30  1008kbit 2880kbit 4 -
2 40  792kbit  2880kbit 4 default
2 50  720kbit  3420kbit 4 -
2 666 360kbit  3600kbit 7 -

tcrules

#If using shorewall 4.5.14 or later you can do the rules like this
30 - - tcp 80
30 - - tcp 443
10 - - tcp 22
10 - - udp 53
30 - - tcp 993

#Otherwise it will need 2 rules like this
30 - - tcp - 80
30 - - tcp 80
30 - - tcp - 443
30 - - tcp 443
10 - - tcp - 22
10 - - tcp 22
10 - - tcp - 53
10 - - tcp 53
30 - - tcp - 993
30 - - tcp 993

For the p2p using ipp2p match you need a group of rules, the reason for this is that p2p protocols are tricky to identify and thus not every packet of a p2p session can be identified.

RESTORE  - - all - - - 0
CONTINUE - - all - - - !0
666      - - ipp2p:all
SAVE     - - all - - - !0

This is useful as an example for you also as the same situation applies to sip VOIP traffic, so to prioritise VOIP you could use something like this:

RESTORE  - - all - - - 0
CONTINUE - - all - - - !0
10       - - all - - - - - - sip
SAVE     - - all - - - !0

I wrote that up fairly quickly but it should give you some idea.

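Added example, not part of the thread and not Shorewall's own code: a check that the guaranteed rates in a tcclasses file fit inside each device's OUT-BANDWIDTH, that no CEIL exceeds it, and that each device has exactly one default class. It goes beyond the message above by also accepting the `N:iface` and bare-interface layouts and the `N*full/M` rate expressions that appear elsewhere in this thread. Assumptions: only the kbit and Mbit units are handled, and the rate-sum rule is the usual HTB guidance rather than something stated in the thread.

```python
import re
from collections import defaultdict

# Config copied from the thread (columns as posted).
MATT_TCDEVICES = """\
1 ppp0 - 550kbit - -
2 ifb0 - 3600kbit - ppp0
"""
MATT_TCCLASSES = """\
1 10 76kbit 76kbit 0 -
1 20 170kbit 170kbit 1 tcp-ack
1 30 106kbit 106kbit 4 -
1 40 84kbit 84kbit 4 default
1 50 76kbit 76kbit 4 -
1 666 38kbit 38kbit 7 -
2 10 720kbit 720kbit 0 -
2 30 1008kbit 2880kbit 4 -
2 40 792kbit 2880kbit 4 default
2 50 720kbit 3420kbit 4 -
2 666 360kbit 3600kbit 7 -
"""
BOB_TCDEVICES = "ppp0 0kbit 500kbit\n"
BOB_TCCLASSES = """\
#DNS
ppp0 1 5*full/100 75*full/100 1 tcp-ack,tos-minimize-delay
#Phones
ppp0 2 80*full/100 full 2 tos-minimize-delay
##Normal
ppp0 3 10*full/100 90*full/100 3 default
#Limited
ppp0 4 5*full/100 75*full/100 4
"""

UNITS = {"kbit": 1, "mbit": 1000}  # assumption: other units are not handled


def to_kbit(value, full=None):
    """Convert '550kbit', '35Mbit', 'full' or 'N*full/M' to kbit/s."""
    v = value.strip().lower()
    if v == "full":
        return full
    m = re.fullmatch(r"(\d+)\*full/(\d+)", v)
    if m:
        return full * int(m[1]) / int(m[2])
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(kbit|mbit)", v)
    if not m:
        raise ValueError(f"unsupported bandwidth value: {value!r}")
    return float(m[1]) * UNITS[m[2]]


def parse_devices(text):
    """Return {key: (name, out_kbit)}, keyed by device number and by name."""
    devices = {}
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()
        if not tok:
            continue
        head = tok[0]
        if ":" in head:                      # "1:eth0 35Mbit 1Mbit"
            num, name = head.split(":", 1)
            rest = tok[1:]
        elif head.isdigit():                 # "1 ppp0 - 550kbit - -"
            num, name, rest = head, tok[1], tok[2:]
        else:                                # "ppp0 0kbit 500kbit"
            num, name, rest = None, head, tok[1:]
        entry = (name, to_kbit(rest[1]))     # rest[0]=IN, rest[1]=OUT bandwidth
        devices[name] = entry
        if num is not None:
            devices[num] = entry
    return devices


def check_budget(tcdevices, tcclasses):
    """Return ({device: sum of RATE in kbit}, [findings])."""
    devices = parse_devices(tcdevices)
    rate_sum, defaults, findings = defaultdict(float), defaultdict(int), []
    for line in tcclasses.splitlines():
        tok = line.split("#", 1)[0].split()
        if not tok:
            continue
        dev, mark, rate, ceil = tok[:4]
        options = tok[5].split(",") if len(tok) > 5 else []
        name, full = devices[dev.split(":")[0]]
        rate_sum[name] += to_kbit(rate, full)
        if to_kbit(ceil, full) > full:
            findings.append(f"{name} class {mark}: CEIL {ceil} exceeds OUT-BANDWIDTH")
        defaults[name] += "default" in options
    for name, total in rate_sum.items():
        full = devices[name][1]
        if total > full:
            findings.append(f"{name}: RATE sum {total:g}kbit exceeds {full:g}kbit")
        if defaults[name] != 1:
            findings.append(f"{name}: {defaults[name]} default classes (need 1)")
    return dict(rate_sum), findings


if __name__ == "__main__":
    for label, dev, cls in (("first config", MATT_TCDEVICES, MATT_TCCLASSES),
                            ("second config", BOB_TCDEVICES, BOB_TCCLASSES)):
        print(label, *check_budget(dev, cls))
```

Both configurations posted in the thread pass: their class rates add up to exactly the device bandwidth.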
On 29/03/13 13:25, Alan McKay wrote:
> On Fri, Mar 29, 2013 at 9:05 AM, Robert K Coffman Jr. -Info From Data
> Corp. <bcoffman@infofromdata.com> wrote:
>> Post your tc* files and I'll take a look.
> I'm just giving those another good going over ... I think I'm a bit
> mixed up on them :-)
>
> Part of what confused me at first is which files are for what type of config.
>
> It looks like TC_ENABLED=Simple uses only tcpri and tcinterfaces, is that right?
>
> And I guess that means that TC_ENABLE=Internal uses tcdevices,
> tcclasses and tcrules???
>
> Is that right?
>
> At first I tried to get Simple going but as I recall it seemed to work
> until I pulled a big file from my webserver on the Linux FW, then it
> clobbered. So I futzed around with Internal and got something that
> fixed the VOIP issue even when pulling a big file.
>
> Anyway confirm that for me and then let me have another go at it based
> on that answer, then I might not be too embarrassed showing my files
> :-)
>

Correct I believe, though I have never tried to use simple myself, I deal with some pretty complex setups so need the full feature set.

Robert K Coffman Jr. -Info From Data Corp.
2013-Mar-29 13:43 UTC
Re: looking for good traffic shaping working example
I have the following for a site with VOIP and a pretty narrow outbound pipe. I have no idea if it is ideal.

To me, the most critical setting is TCDEVICES. If you can tweak this while the line is being heavily utilized, you can set this progressively lower until there is a dramatic reduction in latency (which I simply use response in my remote SSH session to determine). Not scientific, but it seems to work for me.

For the rest of it, I relied heavily on shorewall.net and Tom's examples.

- Bob

shorewall.conf: TC_ENABLED=Internal

TCRULES
======
1 0.0.0.0/0 0.0.0.0/0 tcp 53
1 0.0.0.0/0 0.0.0.0/0 udp 53
#Normal Traffic - probably not needed as is default.
3 0.0.0.0/0 0.0.0.0/0 all
#Phones
2 192.168.21.50/0 0.0.0.0/0 all
2 192.168.21.52/0 0.0.0.0/0 all
#Guest System
4 192.168.21.53 0.0.0.0/0 all
#SMTP
4 0.0.0.0/0 0.0.0.0/0 tcp 25

TCDEVICES:
========
ppp0 0kbit 500kbit

TCCLASSES
========
#DNS
ppp0 1 5*full/100 75*full/100 1 tcp-ack,tos-minimize-delay
#Phones
ppp0 2 80*full/100 full 2 tos-minimize-delay
##Normal
ppp0 3 10*full/100 90*full/100 3 default
#Limited
ppp0 4 5*full/100 75*full/100 4

OK thanks everyone - I'm going to try to craft a better config based on this feedback.

To demonstrate my basic problem though, here you have it. I've noticed lately that my connection is slow so I wrote some scripts to replicate the speedtest.net tests to my ISP's speedtest server. My results for downloads have been terrible (5 to 8Mbit/s on a line that should be 28Mbit and was often faster than that).

When I connected a PC directly to the cable modem I got smoking fast speeds again, which left me to ponder what had changed since I used to get those speeds behind the firewall.

The answer was : QoS

Here is a quick example the first one is with my TC_ENABLED=Internal and then second one just seconds later after changing to TC_ENABLED=No and restarting shorewall.

root@userver:/etc/shorewall# !wg
wget -O /dev/null http://speedtest.teksavvy.com/speedtest/random1000x1000.jpg
--2013-03-29 10:14:03-- http://speedtest.teksavvy.com/speedtest/random1000x1000.jpg
Resolving speedtest.teksavvy.com (speedtest.teksavvy.com)... 206.248.140.50
Connecting to speedtest.teksavvy.com (speedtest.teksavvy.com)|206.248.140.50|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1986284 (1.9M) [image/jpeg]
Saving to: `/dev/null'

100%[=========================================================================================>] 1,986,284 602K/s in 3.2s

2013-03-29 10:14:06 (602 KB/s) - `/dev/null' saved [1986284/1986284]

root@userver:/etc/shorewall# vi shorewall.conf
root@userver:/etc/shorewall# /etc/init.d/shorewall restart
Restarting "Shorewall firewall": done.
root@userver:/etc/shorewall# wget -O /dev/null http://speedtest.teksavvy.com/speedtest/random1000x1000.jpg
--2013-03-29 10:14:25-- http://speedtest.teksavvy.com/speedtest/random1000x1000.jpg
Resolving speedtest.teksavvy.com (speedtest.teksavvy.com)... 206.248.140.50
Connecting to speedtest.teksavvy.com (speedtest.teksavvy.com)|206.248.140.50|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1986284 (1.9M) [image/jpeg]
Saving to: `/dev/null'

100%[=========================================================================================>] 1,986,284 1.94M/s in 1.0s

2013-03-29 10:14:26 (1.94 MB/s) - `/dev/null' saved [1986284/1986284]

--
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"

On 03/29/2013 07:18 AM, Alan McKay wrote:
> OK thanks everyone - I'm going to try to craft a better config based
> on this feedback.
>
> To demonstrate my basic problem though, here you have it. I've
> noticed lately that my connection is slow so I wrote some scripts to
> replicate the speedtest.net tests to my ISP's speedtest server. My
> results for downloads have been terrible (5 to 8Mbit/s on a line that
> should be 28Mbit and was often faster than that).
>
> When I connected a PC directly to the cable modem I got smoking fast
> speeds again, which left me to ponder what had changed since I used to
> get those speeds behind the firewall.
>
> The answer was : QoS
>
> Here is a quick example the first one is with my TC_ENABLED=Internal
> and then second one just seconds later after changing to TC_ENABLED=No
> and restarting shorewall.
>
>
> root@userver:/etc/shorewall# !wg
> wget -O /dev/null http://speedtest.teksavvy.com/speedtest/random1000x1000.jpg
> --2013-03-29 10:14:03--
> http://speedtest.teksavvy.com/speedtest/random1000x1000.jpg
> Resolving speedtest.teksavvy.com (speedtest.teksavvy.com)... 206.248.140.50
> Connecting to speedtest.teksavvy.com
> (speedtest.teksavvy.com)|206.248.140.50|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 1986284 (1.9M) [image/jpeg]
> Saving to: `/dev/null'
>
> 100%[=========================================================================================>]
> 1,986,284 602K/s in 3.2s
>
> 2013-03-29 10:14:06 (602 KB/s) - `/dev/null' saved [1986284/1986284]
>
> root@userver:/etc/shorewall# vi shorewall.conf
> root@userver:/etc/shorewall# /etc/init.d/shorewall restart
> Restarting "Shorewall firewall": done.
> root@userver:/etc/shorewall# wget -O /dev/null
> http://speedtest.teksavvy.com/speedtest/random1000x1000.jpg
> --2013-03-29 10:14:25--
> http://speedtest.teksavvy.com/speedtest/random1000x1000.jpg
> Resolving speedtest.teksavvy.com (speedtest.teksavvy.com)...
> 206.248.140.50
> Connecting to speedtest.teksavvy.com
> (speedtest.teksavvy.com)|206.248.140.50|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 1986284 (1.9M) [image/jpeg]
> Saving to: `/dev/null'
>
> 100%[=========================================================================================>]
> 1,986,284 1.94M/s in 1.0s
>
> 2013-03-29 10:14:26 (1.94 MB/s) - `/dev/null' saved [1986284/1986284]

Have you looked at FAQ 97a?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On Fri, Mar 29, 2013 at 10:26 AM, Tom Eastep <teastep@shorewall.net> wrote:
> Have you looked at FAQ 97a?

BAM!

I had been going through the FAQs but had not gotten to that one yet ...

root@userver:/etc/shorewall# ethtool -K eth0 gro off
root@userver:/etc/shorewall# !wg
wget -O /dev/null http://speedtest.teksavvy.com/speedtest/random1000x1000.jpg
--2013-03-29 10:44:11-- http://speedtest.teksavvy.com/speedtest/random1000x1000.jpg
Resolving speedtest.teksavvy.com (speedtest.teksavvy.com)... 206.248.140.50
Connecting to speedtest.teksavvy.com (speedtest.teksavvy.com)|206.248.140.50|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1986284 (1.9M) [image/jpeg]
Saving to: `/dev/null'

100%[=========================================================================================>] 1,986,284 1.43M/s in 1.3s

2013-03-29 10:44:13 (1.43 MB/s) - `/dev/null' saved [1986284/1986284]

--
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"

On Fri, Mar 29, 2013 at 10:45 AM, Alan McKay <alan.mckay@gmail.com> wrote:
> BAM!

p.s. Thanks Tom!

And this is good news for me because it means I did largely understand the configuration and had everything pretty much right. I just thought I had it wrong because I was not getting full bandwidth

--
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"

On Fri, Mar 29, 2013 at 10:26 AM, Tom Eastep <teastep@shorewall.net> wrote:
> Have you looked at FAQ 97a?
>

Well trouble in paradise - I had to reboot this morning and it is back. I had put this into /etc/network/interfaces

iface eth0 inet dhcp
    post-up ethtool -K eth0 gro off

and tested it yesterday right after my success by restarting networking.

After the reboot, though, even though that got executed and the value appears correct, it is still slow until I set TC_ENABLED=No

root@userver:/etc/shorewall# ethtool -k eth0 | grep offload
tcp-segmentation-offload: off
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: off [requested on]
generic-receive-offload: off
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on

Do I need to get into the bursting config from FAQ 97? Or something else?

--
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"

On 03/30/2013 07:53 AM, Alan McKay wrote:
>
> On Fri, Mar 29, 2013 at 10:26 AM, Tom Eastep <teastep@shorewall.net> wrote:
>
>     Have you looked at FAQ 97a?
>
>
> Well trouble in paradise - I had to reboot this morning and it is back.
> I had put this into /etc/network/interfaces
>
> iface eth0 inet dhcp
>     post-up ethtool -K eth0 gro off
>
> and tested it yesterday right after my success by restarting networking.
>
> After the reboot, though, even though that got executed and the value
> appears correct, it is still slow until I set TC_ENABLED=No
>
> root@userver:/etc/shorewall# ethtool -k eth0 | grep offload
> tcp-segmentation-offload: off
> udp-fragmentation-offload: off [fixed]
> generic-segmentation-offload: off [requested on]
> generic-receive-offload: off
> large-receive-offload: off [fixed]
> rx-vlan-offload: on
> tx-vlan-offload: on
>
> Do I need to get into the bursting config from FAQ 97? Or something else?

Please:

1) shorewall restart
2) perform a download test
3) shorewall show tc > showtc
4) Forward the 'showtc' file.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On Sat, Mar 30, 2013 at 11:49 AM, Tom Eastep <teastep@shorewall.net> wrote:
> Please:
>
> 1) shorewall restart
> 2) perform a download test
> 3) shorewall show tc > showtc
> 4) Forward the 'showtc' file.
>

Here you go ... thanks!

http://108.162.170.186/speedtest/showtc

--
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"

On Sat, Mar 30, 2013 at 12:01 PM, Alan McKay <alan.mckay@gmail.com> wrote:
>
> http://108.162.170.186/speedtest/showtc
>

BTW, you can see the dramatic difference in my graph. That's how I noticed the shorewall thing broke again after my reboot because I am working on my graph for my internet speed using speedtest.net

http://108.162.170.186/speedtest/

--
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"

On Sat, Mar 30, 2013 at 12:07 PM, Alan McKay <alan.mckay@gmail.com> wrote:
> http://108.162.170.186/speedtest/

The big dip about an hour ago was right after my reboot. I then turned off TC until I just did the test for you, then I turned it back off again after that test.

--
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"

On 03/30/2013 09:01 AM, Alan McKay wrote:
>
> On Sat, Mar 30, 2013 at 11:49 AM, Tom Eastep <teastep@shorewall.net> wrote:
>
>     Please:
>
>     1) shorewall restart
>     2) perform a download test
>     3) shorewall show tc > showtc
>     4) Forward the 'showtc' file.
>
>
> Here you go ... thanks!
>
> http://108.162.170.186/speedtest/showtc

I don't see any reason for the slow performance:

qdisc ingress ffff: parent ffff:fff1 ----------------
 Sent 16188983 bytes 12728 pkt (dropped 138, overlimits 0 requeues 0)

About 1% of the incoming packets are being dropped.

What does your eth0 entry in tcdevices look like?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

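Added example, not part of the thread: a parser for `tc -s qdisc` style statistics that computes the per-qdisc drop percentage, reproducing the "about 1%" figure read off the ingress qdisc above. The ingress stanza is the one quoted in the message; the htb stanza is constructed for illustration, and the 0.5% reporting threshold is an arbitrary assumption.

```python
import re

# Ingress stanza from the thread; the htb stanza is constructed sample input.
SAMPLE = """\
qdisc htb 1: dev eth0 root refcnt 2 r2q 10 default 13 direct_packets_stat 0
 Sent 1093216 bytes 9800 pkt (dropped 0, overlimits 412 requeues 0)
 backlog 0b 0p requeues 0
qdisc ingress ffff: parent ffff:fff1 ----------------
 Sent 16188983 bytes 12728 pkt (dropped 138, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
"""

HEADER = re.compile(r"^qdisc\s+(\S+)\s+(\S+)")
STATS = re.compile(
    r"Sent (\d+) bytes (\d+) pkt \(dropped (\d+), overlimits (\d+) requeues (\d+)\)"
)


def parse_qdisc_stats(text):
    """Return one dict per qdisc stanza that carries a 'Sent ...' stats line."""
    qdiscs, current = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            # A new stanza starts; remember which qdisc the next stats belong to.
            current = {"kind": header[1], "handle": header[2]}
            continue
        stats = STATS.search(line)
        if stats and current is not None:
            sent_bytes, pkts, dropped, overlimits, requeues = map(int, stats.groups())
            current.update(
                bytes=sent_bytes,
                pkts=pkts,
                dropped=dropped,
                overlimits=overlimits,
                requeues=requeues,
                # Drops relative to the packet counter, as estimated in the thread.
                drop_pct=100.0 * dropped / pkts if pkts else 0.0,
            )
            qdiscs.append(current)
            current = None
    return qdiscs


def lossy_qdiscs(text, threshold_pct=0.5):
    """Return the qdiscs whose drop percentage is at or above the threshold."""
    return [q for q in parse_qdisc_stats(text) if q["drop_pct"] >= threshold_pct]


if __name__ == "__main__":
    for q in lossy_qdiscs(SAMPLE):
        print(f"{q['kind']} {q['handle']} dropped {q['dropped']} of "
              f"{q['pkts']} pkt ({q['drop_pct']:.2f}%)")
```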
On Sat, Mar 30, 2013 at 12:21 PM, Tom Eastep <teastep@shorewall.net> wrote:
> What does your eth0 entry in tcdevices look like?
>

#NUMBER:        IN-BANDWITH     OUT-BANDWIDTH   OPTIONS         REDIRECTED
#INTERFACE                                                      INTERFACES
1:eth0          35Mbit          1Mbit
2:eth2          1000Mbit        1000Mbit

--
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"

On 3/30/13 9:33 AM, "Alan McKay" <alan.mckay@gmail.com> wrote:
>
> On Sat, Mar 30, 2013 at 12:21 PM, Tom Eastep <teastep@shorewall.net> wrote:
>> What does your eth0 entry in tcdevices look like?
>
> #NUMBER:        IN-BANDWITH     OUT-BANDWIDTH   OPTIONS         REDIRECTED
> #INTERFACE                                                      INTERFACES
> 1:eth0          35Mbit          1Mbit
> 2:eth2          1000Mbit        1000Mbit

Do you run services on the firewall?

If not, I would place '-' in the IN-BANDWIDTH of eth0 and move the 35Mbit to the OUT-BANDWIDTH of eth2.

Also, is there an eth1 that interfaces to a DMZ? If so then you need to have a bit more config.

-Tom
You do not need a parachute to skydive. You only need a parachute to skydive twice.

On Sat, Mar 30, 2013 at 2:16 PM, Tom Eastep <teastep@shorewall.net> wrote:
>
> Do you run services on the firewall?
>

Webserver

> If not, I would place '-' in the IN-BANDWIDTH of eth0 and move the 35Mbit
> to the OUT-BANDWIDTH of eth2.
>

Still do that with a web server?

> Also, is there an eth1 that interfaces to a DMZ? If so then you need to
> have a bit more config.
>

No, I had an eth1 because I wanted a separate zone for wifi but the card was flakey so I pulled it.

I'm going to reboot again without that stuff in /etc/network/interfaces and see what happens.

--
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"

On Sat, Mar 30, 2013 at 3:34 PM, Alan McKay <alan.mckay@gmail.com> wrote:
> I'm going to reboot again without that stuff in /etc/network/interfaces
> and see what happens.
>

Nope, still not working with TC enabled :-(

--
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"

On Sat, Mar 30, 2013 at 12:21 PM, Tom Eastep <teastep@shorewall.net> wrote:
> > http://108.162.170.186/speedtest/showtc
>
> I don't see any reason for the slow performance:

BTW, does it matter that I ^C'ed my wget about half way through because it was a really large one?

--
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"

On 3/30/13 1:01 PM, "Alan McKay" <alan.mckay@gmail.com> wrote:
>
> On Sat, Mar 30, 2013 at 12:21 PM, Tom Eastep <teastep@shorewall.net> wrote:
>>> > http://108.162.170.186/speedtest/showtc
>>
>> I don't see any reason for the slow performance:
>
> BTW, does it matter that I ^C'ed my wget about half way through because it was
> a really large one?

No.

You are speed testing from the firewall itself, right?

-Tom
You do not need a parachute to skydive. You only need a parachute to skydive twice.

How do I get a list of the tc rules that shorewall created?

And what other information would I need to take this to the LARTC mailing list?

thanks,
-Alan

--
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"

On Sat, Mar 30, 2013 at 4:18 PM, Tom Eastep <teastep@shorewall.net> wrote:
> No. You are speed testing from the firewall itself, right?

yes, that is right
Raquel
On 03/30/2013 01:25 PM, Alan McKay wrote:
> How do I get a list of the tc rules that shorewall created?

Please:

a) shorewall compile foo
b) send me (privately) the file foo

> And what other information would I need to take this to the LARTC
> mailing list?

Is any one home any more at LARTC?

-tOM
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Hi,

I will try to help you too.

Your /showtc/ seems to indicate that it works, but it's not easily readable. Can you provide your /tcclasses/ and /tcrules/ config files? Can you explain what you want to do? (to compare with config files)

First, place '-' in the /IN-BANDWIDTH/ for all interfaces (/tcinterfaces/), it will disable packet drop on incoming (packet is received, bandwidth is consumed, why drop?).

For your tests, are you on the machine where the tc is enabled or on another? Indeed, if you are not on the machine, the packet marking should be enabled in routing process (prerouting by default), by indicating a "source" in /tcrules/ like a network or an interface. Else (you are on the machine), enable it for the machine outputs, by using '$FW' for source.

Thibaut

On 30/03/2013 21:01, Alan McKay wrote:
> On Sat, Mar 30, 2013 at 12:21 PM, Tom Eastep <teastep@shorewall.net> wrote:
>
> > http://108.162.170.186/speedtest/showtc
>
> I don't see any reason for the slow performance:
>
> BTW, does it matter that I ^C'ed my wget about half way through
> because it was a really large one?
On Sat, Mar 30, 2013 at 5:00 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Is any one home any more at LARTC?

No traffic at all but I got a few answers to my TC questions a couple weeks ago. That was the last traffic. So I figure someone may answer again :-)

I'll compile that stuff for you ...
On Sat, Mar 30, 2013 at 5:12 PM, Thibaut Chèze <shorewall-users.thibaut@kribleur.fr> wrote:
> Can you provide your *tcclasses* and *tcrules* config files ?

tcclasses

eth0  1  100kbit  180kbit  1  tos=0x68/0xfc,tos=0xb8/0xfc
eth0  2  full/2   full     2  tcp-ack,tos-minimize-delay
eth0  3  full/2   full     3  default
eth0  4  full/4   full/2   4
eth2  1  100kbit  180kbit  1  tos=0x68/0xfc,tos=0xb8/0xfc
eth2  2  full/2   full     2  tcp-ack,tos-minimize-delay
eth2  3  full/2   full     3  default
eth2  4  full/4   full/2   4

tcrules

FORMAT 2
##########################################################################################################################################
#
#ACTION  SOURCE            DEST              PROTO  PORT(S)  SOURCE  USER  TEST  LENGTH  TOS  CONNBYTES  HELPER
#
4:T      0.0.0.0/0         0.0.0.0/0         TCP    -        -       -     -     -       -    -          ftp
1        0.0.0.0/0         0.0.0.0/0         TCP    -        -       -     -     -       -    -          sip
1        172.30.99.5/32    0.0.0.0/0
1        0.0.0.0/0         172.30.99.5/32
1        199.21.149.36/32  0.0.0.0/0
1        0.0.0.0/0         199.21.149.36/32

> Can you explain what you want to do ? (to compare with config files)

I had recently installed a VOIP device (172.30.99.5 - 199.21.149.36 is my provider) and the VOIP was terrible. So I just want to prioritize VOIP. I did that and it worked, but then suddenly my HTTP downloads went from 20Mbit/s to 5Mbit/s consistently.

> First, place '-' in the *IN-BANDWIDTH* for all interfaces (*tcinterfaces*),
> it will disable packet drop on incoming (packet is received, bandwidth is
> consumed, why drop ?).

I'll try this to see what happens

> For your tests, are you on the machine where the tc is enabled or on
> another ?

Yes, all tests are on the firewall itself
Thanks for details.

Where does this value 'tos=0x68/0xfc,tos=0xb8/0xfc' for the VoIP come from? Did you compute it or was it given from a tutorial/documentation? Same questions for rate and ceil for VoIP?

Your downloads are maybe slowed when a call occurs (tcp-ack priority is less than VoIP).

Firstly, I'd rather try a simplified configuration:

/tcclasses/

eth0  1  full/2  full  0
eth0  2  full/2  full  1  default
eth2  1  full/2  full  0
eth2  2  full/2  full  1  default

/tcrules/

FORMAT 2
1  172.30.99.5/32    199.21.149.36/32
1  199.21.149.36/32  172.30.99.5/32

Tell us what happened, and provide us new 'showtc' files:

1. One before one call (nothing else if possible)
2. One after the call
3. restart shorewall to reset statistics
4. One before one bandwidth test
5. One after the bandwidth test

Thibaut
On 30/03/13 16:33, Alan McKay wrote:
> On Sat, Mar 30, 2013 at 12:21 PM, Tom Eastep <teastep@shorewall.net> wrote:
>
> > What does your eth0 entry in tcdevices look like?
>
> #NUMBER:    IN-BANDWITH  OUT-BANDWIDTH  OPTIONS  REDIRECTED
> #INTERFACE                                       INTERFACES
> 1:eth0      35Mbit       1Mbit
> 2:eth2      1000Mbit     1000Mbit

Wow, 35:1 async. I have to ask here: is there anything using the upload at all during these tests, especially calls in the higher priority class?

The reason I ask is I am thinking along the lines that if the download is 1500byte packets, acks for each, probably 60bytes or so, is about 25:1 unless sack is enabled on both ends. Have you ever got 35Mbit download on that line?

Try watching your system monitor or bmon or some similar tool. I'd be interested to know if your upload is maxing out. TCP downloads are not a one way process, so it's quite possible to be looking for the wrong problem in the wrong place when the upload is the actual issue.

It might be worth confirming you have sack enabled on your end. I think it's normally a default but it can't hurt to make sure:

sudo sysctl -w net.ipv4.tcp_sack=1

If that helps you will probably want to add this line to /etc/sysctl.conf so the setting is enabled every boot:

net.ipv4.tcp_sack=1

Also have you tried checking with other servers? It's just to me, and it seems others here, the tc configuration looks ok, so I am thinking a bit about other potential causes of your issues at this point. Can't hurt to rule it out if nothing else.

I'll avoid the whole topic of why ISPs think ratios of 35:1 or worse. When an ISP tried to sell me one at 80M/2M, suffice to say I was unimpressed and took their competitor's 80M/20M product instead.
On Sat, Mar 30, 2013 at 6:38 PM, Thibaut Chèze <shorewall-users.thibaut@kribleur.fr> wrote:
> Your downloads are maybe slowed when a call occur (tcp-ack priority is
> less than VoIP).

No, I know for sure this is not the case since I have a test line from voip.ms that nobody uses yet. I wanted to make sure to get all these issues ironed out before cutting over the house line to VOIP, so I only make the odd call for testing.

> Where does this value 'tos=0x68/0xfc,tos=0xb8/0xfc' for the VoIP comes from ?
> Did you compute it or was it given from a tutorial/documentation ?
> Same questions for rate and ceil for VoIP ?

Yes, all from basically the shorewall docs. And the first one in particular I really did not take the time to understand.

Well, not all. I added the one for the SIP protocol because I wanted the option to use soft clients inside the house. I even tested it with one and it worked.

But I agree at this point simplify it. So I'll apply your suggested config tomorrow and let you know what happens.
On Sat, Mar 30, 2013 at 8:26 PM, Matt Joyce <mjoyce@mttjocy.co.uk> wrote:
> Wow, 35:1 async I have to ask here is there anything using the upload at
> all during these tests especially calls in the higher priority class?
>
> The reason I ask is am thinking along the lines that if the download is
> 1500byte packets acks for each probably 60bytes or so is about 25:1
> unless sack is enabled on both ends, have you ever got 35Mbit download
> on that line?

Yes, just look at my charts. I'm getting peaks at 55 down. But I don't have the upload charts working yet.

http://108.162.170.186/speedtest/

> Try watching your system monitor or bmon or some similar tool I'd be
> interested to know if your upload is maxing out, TCP downloads are not a
> one way process so it's quite possible to be looking for the wrong
> problem in the wrong place when the upload is the actual issue.

I don't think it is this because the problem is perfectly reproducible as follows. I turn on TC_ENABLE=Internal in shorewall and my downloads are 500Kbit or so. I turn it off and I get 20 to 30Mbit easily reproducible just about every time.

> It might be worth confirming you have sack enabled on your end, I think
> it's normally a default but it can't hurt to make sure
> sudo sysctl -w net.ipv4.tcp_sack=1

Looks like it is already enabled

root@userver:~# sysctl -a | grep -i sack
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_sack = 1

> Also have you tried checking with other servers?

This one is provided by my ISP so it is the shortest point for me. It is the most logical one to check and any other one will be outside of their network. Plus see my comment above about turning on and off tc.

> I'll avoid the whole topic of why ISP's think ratios of 35:1 or worse
> when an ISP tried to sell me one at 80M/2M suffice to say I was
> unimpressed and took their competitors 80M/20M product instead.

Yeah it peeves me too. Though they are coming out next month with something like 25:5 for a better price so I'm going to switch.
Well not sure what else to do so I threw together a "Simple" config and am trying that out to see what happens.

Could it be the NIC on my MoBo? It is a RealTek which I've always considered to be pretty crappy. That's why I put that one facing the internet to begin with so I would not have to worry about 1Gig speeds on the thing.

This is what lshw says about it :

description: Ethernet interface
product: RTL8111/8168B PCI Express Gigabit Ethernet controller
vendor: Realtek Semiconductor Co., Ltd.
physical id: 0
bus info: pci@0000:02:00.0
logical name: eth0
version: 06
serial: 30:85:a9:48:5d:46
size: 1Gbit/s
capacity: 1Gbit/s
width: 64 bits
clock: 33MHz
capabilities: pm msi pciexpress msix vpd bus_master cap_list ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd 1000bt 1000bt-fd autonegotiation
configuration: autonegotiation=on broadcast=yes driver=r8169 driverversion=2.3LK-NAPI duplex=full firmware=rtl8168e-3_0.0.4 03/27/12 ip=108.162.170.186 latency=0 link=yes multicast=yes port=MII speed=1Gbit/s
resources: irq:45 ioport:d800(size=256) memory:fdfff000-fdffffff memory:fdff8000-fdffbfff
On Sun, Mar 31, 2013 at 3:15 PM, Alan McKay <alan.mckay@gmail.com> wrote:
> Well not sure what else to do so I threw together a "Simple" config
> and am trying that out to see what happens.

Nope, same basic behavior. To me it looks like the overhead of TC is killing the system. But it is a reasonably powerful system so not sure what is up there.

root@userver:/etc/shorewall# cat tcpri
#BAND  PROTO  PORT(S)           ADDRESS         INTERFACE  HELPER
COMMENT all of intranet in Band 3 by default
3      -      -                 172.30.99.0/24  -          -
COMMENT give priority to the Cisco SP 112 ATA and toronto.voip.ms
1      -      -                 172.30.99.5     -          -
1      -      -                 199.21.149.36   -          -
COMMENT speedtest.teksavvy.com
1      -      -                 206.248.140.50  -          -
1      -      -                 172.30.99.175   -          -
1      -      -                 172.30.99.2     -          -
1      -      -                 127.0.0.1       -          -
COMMENT and priority to SIP
1      UDP    5060,10000:20000  -               -          sip
On 3/31/13 12:24 PM, "Alan McKay" <alan.mckay@gmail.com> wrote:
> On Sun, Mar 31, 2013 at 3:15 PM, Alan McKay <alan.mckay@gmail.com> wrote:
>> Well not sure what else to do so I threw together a "Simple" config
>> and am trying that out to see what happens.
>
> Nope, same basic behavior. To me it looks like the overhead of TC is
> killing the system. But it is a reasonably powerful system so not
> sure what is up there.

Changing the OUTGOING configuration isn't going to do anything. If you have specified an IN-BANDWIDTH, get rid of it; do you have normal download speed then?

-Tom
On Sun, Mar 31, 2013 at 4:21 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Changing the OUTGOING configuration isn't going to do anything. If you
> have specified an IN-BANDWIDTH, get rid of it; do you have normal download
> speed then?

Duh, so simple! Yeah, that seems to have done the trick ... thanks!
On 31/03/13 21:37, Alan McKay wrote:
> On Sun, Mar 31, 2013 at 4:21 PM, Tom Eastep <teastep@shorewall.net> wrote:
>> Changing the OUTGOING configuration isn't going to do anything. If you
>> have specified an IN-BANDWIDTH, get rid of it; do you have normal download
>> speed then?
> Duh, so simple! Yeah, that seems to have done the trick ... thanks!

If you do want that on, I suggest you try it using either burst or rate estimation. For example, on the 80mbps line at home in the past I've used:

~75mbit:500ms:8sec

That's with rate estimation, which in my experience works better. The problem is that without burst the kernel, I believe, will only let through at most 1 packet each time it ticks, and it usually has a frequency of I think around 1,000Hz or something like that. 1,000 packets per sec is insufficient for high bandwidth lines: max 1,500b (12,000bit) per packet, 12,000*1,000=12,000,000 (12mbit), assuming all packets are full to MTU; real world would be lower.

That said, I see little point to dropping arbitrarily like this on the inbound. I now use an IFB so I can selectively drop when the line is running near max. That way I typically avoid dropping UDP, as it seems pointless and will have no effect on the rate anyway, instead opting to drop a low priority TCP packet and let TCP congestion control handle reducing the rate, thus hopefully eliminating queuing latency or worse, random dropping at the ISP end of the choke point.

You don't have the same kind of control you do on upload either way, but it does help reduce the chances of more important services being adversely affected by, say, P2P. This could help prevent a large download via P2P or HTTP, for example, causing your VOIP to suffer high latency, jitter or packet drops, all of which are bad. In my case I do it this way in particular for the benefit of the public NTP server here; NTP is far more accurate on stable connections with latency and jitter as low as possible, similar to VOIP connections.
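The ingress policing discussed in this thread (IN-BANDWIDTH, and the burst setting suggested in the last message) can be modelled as a token bucket. The following is an added example, not code from the thread, Shorewall or the kernel; the 35 Mbit rate comes from the tcdevices entry quoted above, while the 20 Mbit offered load, the 20-packet trains arriving at 1 Gbit wire speed and the two burst sizes are constructed assumptions.

```python
# Added illustration with constructed inputs: a token-bucket policer model,
# not Shorewall's or the kernel's implementation.

PKT_BYTES = 1500       # full-MTU packet, as in the thread's arithmetic
LINE_RATE_BPS = 1e9    # assumed wire speed at which a packet train arrives


def make_trains(avg_rate_bps, train_len, duration_s):
    """Arrival times (seconds) for back-to-back packet trains.

    Packets inside a train are spaced at wire speed; trains are spaced so
    that the long-run average rate equals avg_rate_bps.
    """
    pkt_time = PKT_BYTES * 8 / LINE_RATE_BPS
    train_gap = train_len * PKT_BYTES * 8 / avg_rate_bps
    arrivals = []
    n = 0
    while n * train_gap < duration_s:
        start = n * train_gap
        arrivals.extend(start + i * pkt_time for i in range(train_len))
        n += 1
    return arrivals


def police(arrivals, rate_bps, burst_bytes):
    """Token bucket: refill at rate_bps, cap at burst_bytes, drop on shortfall."""
    tokens = float(burst_bytes)   # bucket starts full
    last = 0.0
    passed = dropped = 0
    for t in arrivals:
        tokens = min(burst_bytes, tokens + (t - last) * rate_bps / 8)
        last = t
        if tokens >= PKT_BYTES:
            tokens -= PKT_BYTES
            passed += 1
        else:
            dropped += 1          # a policer drops; it never queues
    return passed, dropped


def drop_fraction(offered_bps, policed_bps, burst_bytes,
                  train_len=20, duration_s=1.2):
    """Fraction of packets dropped for a bursty flow at a given bucket size."""
    arrivals = make_trains(offered_bps, train_len, duration_s)
    passed, dropped = police(arrivals, policed_bps, burst_bytes)
    return dropped / (passed + dropped)


if __name__ == "__main__":
    # Offered load (20 Mbit) is below the policed rate (35 Mbit) in both runs;
    # only the bucket size differs.
    for burst in (10_000, 30_000):
        frac = drop_fraction(20e6, 35e6, burst)
        print(f"burst={burst:>6} bytes  dropped={frac:.0%}")
```

With the 10,000-byte bucket the model drops 65% of packets even though the average offered load is below the policed rate; with a bucket at least as large as one train it drops none. Each drop also makes a real TCP sender back off, so the effect on throughput is larger than the drop fraction alone suggests.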