On 15/12/17 07:05, Kenneth Porter wrote:
> I came across this on the Fedora devel list. I added
> /etc/sysctl.d/51-bufferbloat.conf containing the suggested line and it
> installs the new codel qdisc as desired. There are probably more knobs
> that might be useful to tweak, but this makes a good start. More reading
> on the bufferbloat site suggests that the later "cake" module will be
> even better, but it requires a newer kernel than CentOS currently ships
> with.
>
> <https://lists.fedoraproject.org/pipermail/devel/2015-March/209508.html>
>
> # 51-bufferbloat.conf
> # Address bufferbloat
> net.core.default_qdisc = fq_codel
>

I don't know your full requirements, but in the past for a simple QoS gw I used FireQOS.
It's part of https://firehol.org/, but can be used without firehol, so in parallel with your own iptables rules.

Here is the doc: https://firehol.org/tutorial/fireqos-new-user/

--
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
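One check worth doing after dropping the sysctl line quoted above into place: net.core.default_qdisc only governs qdiscs created from then on, so interfaces that were already up keep their old pfifo_fast until the qdisc is replaced or the box reboots, and on multiqueue NICs the root shows up as mq with fq_codel on the per-queue children. The script below is an added example written for this thread, not code from the list, from FireQOS or from the bufferbloat project; it parses a sysctl.d file and `tc qdisc show` output to report the configured value, each device's root qdisc, and any device with no fq_codel at all. The file path is the one from Kenneth's message; the interface names and tc lines used for testing are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the fq_codel default took
# effect. The helper functions read text on stdin so they can be checked against
# constructed output; the stand-alone path at the bottom feeds them live output.

# Print the value of net.core.default_qdisc from sysctl.d-style text on stdin.
# Tolerates spaces around '=' and the comment lines shown in the message.
conf_default_qdisc() {
    awk -F= '
        /^[[:space:]]*#/ { next }
        $1 ~ /^[[:space:]]*net\.core\.default_qdisc[[:space:]]*$/ {
            v = $2
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            print v
            exit
        }'
}

# Given "tc qdisc show" output on stdin and an interface name as $1, print the
# kind of that interface's root qdisc (empty if the interface is not listed).
# tc prints lines as: qdisc <kind> <handle> dev <ifname> root|parent ...
root_qdisc_of() {
    awk -v dev="$1" '
        $1 == "qdisc" && $4 == "dev" && $5 == dev && $6 == "root" { print $2; exit }'
}

# Print every device (from tc output on stdin) that has no fq_codel qdisc at
# all, neither as root nor as a child of an mq root. Loopback is skipped since
# it uses noqueue by design. Output is sorted so it is stable.
missing_fq_codel() {
    awk '
        $1 == "qdisc" && $4 == "dev" && $5 != "lo" {
            seen[$5] = 1
            if ($2 == "fq_codel") ok[$5] = 1
        }
        END { for (d in seen) if (!ok[d]) print d }' | sort
}

# Stand-alone use on a CentOS box: compare the file (path from the thread)
# with the running value and list interfaces still on the old qdisc.
if [ -r /etc/sysctl.d/51-bufferbloat.conf ] && command -v tc >/dev/null 2>&1; then
    echo "configured: $(conf_default_qdisc < /etc/sysctl.d/51-bufferbloat.conf)"
    echo "running:    $(sysctl -n net.core.default_qdisc)"
    tc qdisc show | missing_fq_codel | sed 's/^/no fq_codel on: /'
fi
```

Any device the last line names can be switched without a reboot using `tc qdisc replace dev <ifname> root fq_codel`; devices whose root is mq are fine as long as their children report fq_codel.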
On 12/15/2017 4:10 AM, Fabian Arrotin wrote:
> I don't know your full requirements, but in the past for a simple QoS gw I
> used FireQOS.
> It's part of https://firehol.org/, but can be used without firehol, so
> in parallel with your own iptables rules.

That looks nice. It appears to be a declarative front-end to tc that eliminates some of the boilerplate like setting defaults. The gateway is for a small business and I don't want shell and remote desktop sessions to come to a crawl because someone's uploading/downloading/mailing a big CAD file to a customer/vendor, or because several are watching Youtube videos.
On Fri, 15 Dec 2017, Kenneth Porter wrote:
> The gateway is for a small business and I don't want shell and remote desktop
> sessions to come to a crawl because someone's uploading/downloading/mailing a
> big CAD file to a customer/vendor, or because several are watching Youtube
> videos.

Slowdown is probably going to happen, since these days much file/bulk transfer and certainly all Google (YouTube) services use HTTPS and thus seem the same to any but the most intrusive inspection and dynamic shaping, i.e., SSL bump or peek'n'splice would be needed, wherein at least the beginning of a session can be inspected so that the real purpose can be inferred and used to set the shaping on that single session -- though usually they decrypt everything, which has many concerns.

Static shaping of HTTP(S) can help but certainly can't assure that "interactive" sessions won't be impacted by "heavy" sessions.

If only SSH and RDP need more priority than anything else, that should be easily handled by static policy (firehol, wondershaper, etc.), though it fails when RDP is used for bulk file transfer (you can check TOS/DSCP on SSH sessions to de-prioritize SCP/SFTP transfers, provided such hasn't been defeated by the sender).

/mark