Hello all!

a short system info:
3 interfaces - 1 is ppp0 and 2 for 2 local zones
at the moment the asterisk-VoIP-server is running on the fw itself
(but I have the same problems if I put the asterisk in a DMZ)
it's a debian with vanilla kernel 2.6.16.11 with all netfilter and QoS
stuff enabled
shorewall is version 3.0.6
the shorewall init-log shows that all iptables/netfilter capabilities
are available

the problem:
If clients in the local zones are causing http-traffic I "hear" it in
the VoIP. Especially if they are on sites with pictures.

The problem is independent of the VoIP-protocol. I've tested sip and
IAX2 - both the same.

In the asterisk-confs I've set tos=0xb8

my tcclasses
###############################################################################
#INTERFACE MARK RATE     CEIL     PRIORITY OPTIONS
ppp0       1    100kbit  180kbit  1        tos=0x68/0xfc,tos=0xb8/0xfc
ppp0       2    full/4   full     2        tcp-ack,tos-minimize-delay
ppp0       3    full/4   full     3        default
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

my tcrules
###############################################################################
#MARK SOURCE     DEST       PROTO PORT(S) CLIENT  USER TEST
#                                         PORT(S)
1     fw         0.0.0.0/0  udp   4569                      #VoIP,IAX2
2     0.0.0.0/0  0.0.0.0/0  icmp  8                         #ping
3     eth0       0.0.0.0/0  all
3     eth1       0.0.0.0/0  all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

if I do a:
watch tc -s class show dev ppp0
to see what's going on in realtime
the VoIP-traffic is prio 1
and the http-traffic is prio 3
everything seems to work fine

now perhaps a problem in understanding:
with QoS I can only control outgoing traffic? - think so
and if the clients in the local zones surf on sites with pictures, the
pictures are downloads and incoming traffic
may it be, that downloads of pictures are "short peaks" that take all
the bandwidth, so that the VoIP-stream gets problems for a short time
and that's what I hear, the sound problems???

is it possible to have influence to/control the incoming traffic?

if it's perhaps a problem from outside, could it be a problem of my ISP
(not ADSL, a kind of SDSL-standard)?

any other ideas?

I KNOW that "hardware" routers like e.g. the "FRITZ Box! Fon" don't have
these problems.
And I think the linux-solution should be as powerful as these boxes...

Thanks in advance,
Adalbert

-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
I'm pretty much in the same boat, except I'm also dealing with having
to push the VoIP into a VPN tunnel.

One suggestion, don't allow your non-VoIP traffic to burst to full,
give it some full*8/10 or full*7/10. This way no single traffic class
will be able to take the whole bandwidth.

And make sure that your downlink bw (in tcdevices) is less than your
full downlink - this is to avoid queueing at the ISP end (explained in
detail on the shorewall site).

Let me know how that works out.

Hope that helps,
Prasanna.

On 5/2/06, Adalbert Netzer <adeln@gmx.de> wrote:
> [...]
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
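The two points made in this reply (no non-VoIP class may have CEIL=full, and the tcdevices rates must sit below the physical link) can be checked mechanically before `shorewall restart`. The following is an added example written for this thread, not Shorewall code and not from either poster: a small linter that resolves Shorewall's `full`, `full/N` and `full*N/M` rate expressions against the OUT-BANDWIDTH of the interface and reports the classic mistakes. The "before" input is the tcclasses from the first mail paired with a hypothetical tcdevices that shapes at exactly the nominal 1024/512 link; the "after" input applies the advice above. Both inputs and the finding texts are constructed for the example.

```python
import re
from collections import defaultdict

# Nominal link as stated in the thread (downlink, uplink) in kbit/s.
ISP_LINK_KBIT = (1024, 512)

# Constructed "before" configuration: the tcclasses from the first mail, paired with a
# hypothetical tcdevices that shapes at exactly the nominal link rates.
TCDEVICES_BEFORE = """\
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
ppp0       1024kbit     512kbit
"""
TCCLASSES_BEFORE = """\
#INTERFACE MARK RATE    CEIL    PRIORITY OPTIONS
ppp0       1    100kbit 180kbit 1        tos=0x68/0xfc,tos=0xb8/0xfc
ppp0       2    full/4  full    2        tcp-ack,tos-minimize-delay
ppp0       3    full/4  full    3        default
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# Constructed "after" configuration following the advice in the reply: shape below the
# physical rates and cap the non-VoIP classes below the full uplink.
TCDEVICES_AFTER = """\
ppp0       900kbit      460kbit
"""
TCCLASSES_AFTER = """\
ppp0       1    100kbit 180kbit   1        tos=0x68/0xfc,tos=0xb8/0xfc
ppp0       2    full/4  full*8/10 2        tcp-ack,tos-minimize-delay
ppp0       3    full/4  full*8/10 3        default
"""

# tc unit suffixes converted to kbit/s ("kbps" in tc means kilobytes per second).
_UNITS = {"bit": 0.001, "kbit": 1.0, "mbit": 1000.0, "bps": 0.008, "kbps": 8.0, "mbps": 8000.0}


def parse_bandwidth(spec):
    """Convert an absolute bandwidth such as '512kbit' or '1mbit' to kbit/s."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([a-z]+)", spec.strip().lower())
    if not m or m.group(2) not in _UNITS:
        raise ValueError(f"unrecognised bandwidth: {spec!r}")
    return float(m.group(1)) * _UNITS[m.group(2)]


def resolve_rate(expr, full_kbit):
    """Resolve 'full', 'full/N', 'full*N' or 'full*N/M' (or an absolute value) to kbit/s."""
    m = re.fullmatch(r"full(?:\*(\d+))?(?:/(\d+))?", expr.strip().lower())
    if m:
        return full_kbit * int(m.group(1) or 1) / int(m.group(2) or 1)
    return parse_bandwidth(expr)


def _records(text):
    """Yield the whitespace-split fields of each non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def lint_tc(tcdevices, tcclasses, link_kbit=ISP_LINK_KBIT):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    devices = {}
    for f in _records(tcdevices):
        iface, inbw, outbw = f[0], parse_bandwidth(f[1]), parse_bandwidth(f[2])
        devices[iface] = (inbw, outbw)
        # Shaping strictly below the physical rates keeps the queue on this box instead
        # of in the ISP's buffers, where nothing can be prioritised.
        if inbw >= link_kbit[0]:
            findings.append(f"{iface}: IN-BANDWIDTH {inbw:g}kbit is not below the link downlink {link_kbit[0]}kbit")
        if outbw >= link_kbit[1]:
            findings.append(f"{iface}: OUT-BANDWIDTH {outbw:g}kbit is not below the link uplink {link_kbit[1]}kbit")

    classes, rate_sum, defaults = [], defaultdict(float), defaultdict(int)
    for f in _records(tcclasses):
        iface, mark, prio = f[0], int(f[1]), int(f[4])
        if iface not in devices:
            findings.append(f"{iface} class {mark}: interface has no tcdevices entry")
            continue
        full = devices[iface][1]
        rate, ceil = resolve_rate(f[2], full), resolve_rate(f[3], full)
        options = f[5].split(",") if len(f) > 5 else []
        classes.append((iface, mark, rate, ceil, prio))
        rate_sum[iface] += rate
        defaults[iface] += "default" in options
        if rate > ceil:
            findings.append(f"{iface} class {mark}: RATE {rate:g}kbit exceeds CEIL {ceil:g}kbit")

    # Only the best-priority (lowest PRIORITY number) class should be allowed to borrow up to
    # the full uplink; a bulk class with CEIL=full can saturate the link during a burst.
    best_prio = {}
    for iface, _, _, _, prio in classes:
        best_prio[iface] = min(best_prio.get(iface, prio), prio)
    for iface, mark, _, ceil, prio in classes:
        if prio != best_prio[iface] and ceil >= devices[iface][1]:
            findings.append(f"{iface} class {mark}: CEIL {ceil:g}kbit lets a priority-{prio} class take the whole uplink")

    for iface, (_, outbw) in devices.items():
        # HTB guarantees mean nothing if the guaranteed rates add up to more than the link.
        if rate_sum[iface] > outbw:
            findings.append(f"{iface}: guaranteed rates sum to {rate_sum[iface]:g}kbit, above OUT-BANDWIDTH {outbw:g}kbit")
        if defaults[iface] != 1:
            findings.append(f"{iface}: expected exactly one class with the 'default' option, found {defaults[iface]}")
    return findings


if __name__ == "__main__":
    for label, dev, cls in (("before", TCDEVICES_BEFORE, TCCLASSES_BEFORE),
                            ("after", TCDEVICES_AFTER, TCCLASSES_AFTER)):
        print(f"{label}: {lint_tc(dev, cls) or ['no findings']}")
```

Run against the "before" pair it reports four findings (both tcdevices rates at the physical link, and classes 2 and 3 allowed to borrow the whole uplink); the "after" pair passes. To lint a real installation, read `/etc/shorewall/tcdevices` and `/etc/shorewall/tcclasses` into the two arguments and pass the rates your ISP actually delivers as `link_kbit`.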
Thanks Prasanna!

I've played a little bit around with these two settings.

My ISP Bandwidth is 1024/512

but even "extreme" settings like the following don't make any
differences:
Processing /etc/shorewall/tcdevices...
   TC Device ppp0 500kbit 300kbit Added.
Processing /etc/shorewall/tcclasses...
   TC Class "ppp0 1 100kbit 180kbit 1 tos=0x68/0xfc,tos=0xb8/0xfc" Added.
   TC Class "ppp0 2 full/10 full*1/2 2 tcp-ack,tos-minimize-delay" Added.
   TC Class "ppp0 3 full/10 full*1/2 3 default" Added.

Adalbert

On Tuesday, 02.05.2006, 12:31 +0530, Prasanna Krishnamoorthy wrote:
> [...]
Adalbert Netzer wrote:
> Thanks Prasanna!
>
> I've played a little bit around with these two settings.
>
> My ISP Bandwidth is 1024/512
>
> but even "extreme" settings like the following don't make any
> differences:
> Processing /etc/shorewall/tcdevices...
>    TC Device ppp0 500kbit 300kbit Added.
> Processing /etc/shorewall/tcclasses...
>    TC Class "ppp0 1 100kbit 180kbit 1 tos=0x68/0xfc,tos=0xb8/0xfc" Added.
>    TC Class "ppp0 2 full/10 full*1/2 2 tcp-ack,tos-minimize-delay" Added.
>    TC Class "ppp0 3 full/10 full*1/2 3 default" Added.

You can use 'shorewall show tc' to see a display of the configured qdiscs
and classes and you can use 'shorewall show classifiers' to see the
filters generated by your tc configuration. Using these two commands, you
can see the number of successful matches of each filter and the current
rate of each of the classes as well as the total number of bytes and
packets for each class.

Please do not ask for explanations of the output beyond that -- the
'shorewall show' commands are simply wrappers around 'tc qdisc show',
'tc class show' and 'tc filter show' so all detailed output is generated
by the 'tc' utility and not by Shorewall code.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
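The counters Tom points at (current rate, bytes, packets per class, plus the drop and backlog figures tc prints alongside them) are what tell you whether the VoIP class is actually being starved, and watching them scroll by under `watch` is hard to read. The following is an added example, not Shorewall code and not from any poster in the thread: a parser for the `tc -s class show dev <iface>` format that turns each HTB class into a record and then flags the three symptoms worth looking for on a voice class (packets dropped, class pinned at its ceil, packets queued in the top-priority class). The sample output, its class ids and its counters are constructed for the example and do not reflect Shorewall's real class numbering; the exact text layout of `tc -s class show` also varies between iproute2 versions, so adjust the regular expressions if your version prints differently.

```python
import re
import subprocess
import sys

# Constructed sample shaped like `tc -s class show dev ppp0` for an HTB tree with one root
# and three leaf classes; class ids, rates and counters are made up for this example.
SAMPLE_TC_OUTPUT = """\
class htb 1:1 root rate 512Kbit ceil 512Kbit burst 1600b cburst 1600b
 Sent 9876543 bytes 45210 pkt (dropped 0, overlimits 3120 requeues 0)
 rate 498Kbit 410pps backlog 0b 0p requeues 0
 lended: 20000 borrowed: 0 giants: 0
 tokens: 1234 ctokens: 1234

class htb 1:11 parent 1:1 prio 1 rate 100Kbit ceil 180Kbit burst 1600b cburst 1600b
 Sent 1234567 bytes 8450 pkt (dropped 37, overlimits 0 requeues 0)
 rate 178Kbit 160pps backlog 3200b 2p requeues 0
 lended: 8000 borrowed: 450 giants: 0
 tokens: -1200 ctokens: 50

class htb 1:12 parent 1:1 prio 2 rate 128Kbit ceil 512Kbit burst 1600b cburst 1600b
 Sent 456789 bytes 3100 pkt (dropped 0, overlimits 0 requeues 0)
 rate 24Kbit 30pps backlog 0b 0p requeues 0
 lended: 3100 borrowed: 0 giants: 0
 tokens: 4000 ctokens: 4000

class htb 1:13 parent 1:1 prio 3 rate 128Kbit ceil 512Kbit burst 1600b cburst 1600b
 Sent 8185187 bytes 33660 pkt (dropped 0, overlimits 0 requeues 0)
 rate 296Kbit 220pps backlog 0b 0p requeues 0
 lended: 8900 borrowed: 24760 giants: 0
 tokens: -500 ctokens: 900
"""

_SCALE = {"bit": 1, "Kbit": 1_000, "Mbit": 1_000_000, "Gbit": 1_000_000_000}
_HEADER = re.compile(
    r"class \w+ (?P<id>\S+) (?:root|parent (?P<parent>\S+))(?: leaf \S+)?(?: prio (?P<prio>\d+))?"
    r".*?rate (?P<rate>\d+)(?P<ru>[KMG]?bit) ceil (?P<ceil>\d+)(?P<cu>[KMG]?bit)")
_SENT = re.compile(r"Sent (\d+) bytes (\d+) pkt \(dropped (\d+), overlimits (\d+) requeues (\d+)\)")
_RATE = re.compile(r"rate (\d+)([KMG]?bit) (\d+)pps backlog (\d+)b (\d+)p")


def _bps(number, unit):
    return int(number) * _SCALE[unit]


def parse_tc_class_stats(text):
    """Parse `tc -s class show` output into one dict per class, in display order."""
    classes, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("class "):
            m = _HEADER.match(line)
            if not m:
                raise ValueError(f"unexpected class line: {line!r}")
            cur = {"id": m["id"], "parent": m["parent"],
                   "prio": int(m["prio"]) if m["prio"] else None,
                   "rate_bps": _bps(m["rate"], m["ru"]), "ceil_bps": _bps(m["ceil"], m["cu"]),
                   "sent_bytes": 0, "sent_pkts": 0, "dropped": 0, "overlimits": 0,
                   "cur_bps": 0, "backlog_pkts": 0}
            classes.append(cur)
        elif cur is not None:
            m = _SENT.match(line)
            if m:
                cur.update(sent_bytes=int(m[1]), sent_pkts=int(m[2]),
                           dropped=int(m[3]), overlimits=int(m[4]))
            m = _RATE.match(line)
            if m:
                cur.update(cur_bps=_bps(m[1], m[2]), backlog_pkts=int(m[5]))
    return classes


def diagnose(classes, at_ceil_fraction=0.95):
    """Flag leaf classes whose counters indicate trouble for real-time traffic."""
    issues = []
    for c in classes:
        if c["parent"] is None:          # the root class only aggregates its children
            continue
        if c["dropped"]:
            issues.append((c["id"], f"{c['dropped']} packets dropped"))
        if c["cur_bps"] >= at_ceil_fraction * c["ceil_bps"]:
            issues.append((c["id"], f"running at {c['cur_bps']} bit/s against a ceil of {c['ceil_bps']} bit/s"))
        if c["prio"] == 1 and c["backlog_pkts"]:
            issues.append((c["id"], f"{c['backlog_pkts']} packets queued in the top-priority class"))
    return issues


def main(argv):
    # With an interface argument read the live counters (needs root and the tc utility);
    # otherwise analyse the constructed sample above.
    if argv[1:]:
        text = subprocess.run(["tc", "-s", "class", "show", "dev", argv[1]],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_TC_OUTPUT
    classes = parse_tc_class_stats(text)
    for c in classes:
        print(f"{c['id']:>6} prio={c['prio']} cur={c['cur_bps']:>8} ceil={c['ceil_bps']:>8} "
              f"dropped={c['dropped']} backlog={c['backlog_pkts']}")
    for cid, msg in diagnose(classes):
        print(f"  {cid}: {msg}")


if __name__ == "__main__":
    main(sys.argv)
```

On the sample the only class flagged is the priority-1 leaf: it is dropping, sits at its ceil and has packets waiting, which is exactly the pattern of a voice class whose CEIL is too small for the number of simultaneous calls, as opposed to a bulk class crowding it out (that would show up as the bulk class at its ceil with the voice class borrowing nothing). Drops in the VoIP class of a correctly prioritised HTB tree are the first thing to rule out before looking at the downlink.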
[...]
> > is it possible to have influence to/control the incoming traffic?

It's possible to influence incoming traffic, too. But you need
nevertheless an outgoing interface to control the traffic. For me the
solution is IMQ "Intermediate queueing device". You need a kernel patch
and you need patches to iptables.

http://www.linuximq.net/

Now you can redirect incoming traffic via iptables to the imq device and
have all the egress filters work on this device.

That's special in my shorewall config:

/etc/shorewall/start:

setup_imq() {
    echo "Setting up IMQ device ..."
    # load the IMQ module with a single device (imq0) and bring it up
    /sbin/modprobe imq numdevs=1
    /sbin/ip link set imq0 up
    # hand every packet arriving on the uplink to imq0 so the egress
    # shaper configured for imq0 sees the incoming traffic
    run_iptables -t mangle -A PREROUTING -i dsl0 -j IMQ --todev 0
}

For the rest you can use the shorewall documentation as if imq0 was a
real outgoing network device (Swap uplink and downlink rates in
/etc/shorewall/tcdevices since your internet downlink is imq's uplink).
You will have to understand however where in netfilter the marking/tos
mangling etc. occurs to do all possible things with this setup.

If you can read German I found a work of two students regarding
traffic-shaping for VOIP with the help of Linux and imq:
http://www.ks.uni-freiburg.de/download/studienarbeit/WS05/01-06-trafficshapping-TGasmi/studienarbeit-vortrag.pdf

> if it's perhaps a problem from outside, could it be a problem of my ISP
> (not ADSL, a kind of SDSL-standard)?
>
> any other ideas?
>
> I KNOW that "hardware" routers like e.g. the "FRITZ Box! Fon" don't have
> these problems.
> And I think the linux-solution should be as powerful as these boxes...

My telnet to my Fritz!Box 7050 says

# uname -a
Linux (none) 2.4.17_mvl21-malta-mips_fp_le #949-4 Wed Feb 1 14:58:40 CET 2006 mips unknown

This is standard firmware with only telnet enabled. But they are not
using netfilter and standard tools for traffic-control as far as I can
say.

--
__________________________________________________
Ralf Schenk
fon (02 41) 9 91 21-0
fax (02 41) 9 91 21-59
rs@databay.de

Databay AG
Hüttenstraße 7
D-52068 Aachen
www.databay.de

Databay - just do it.
_________________________________________________