Shorewall users - Jun 2009 - Shorewall traffic shaping

Hello out there,

I am using shorewall 3.2.6 on Debian Etch

I used the example files from the debian shorewall packages to configure
traffic shaping:

/etc/shorewall/tcclasses:
ppp0  1  100kbit  1000kbit   1  tos=0x68/0xfc,tos=0xb8/0xfc      # VOIP
ppp0  2  full/4   full      2  tcp-ack,tos-minimize-delay       # ssh/telnet
ppp0  3  full/4   full      3  default                          # all other
ppp0  4  full/8   full*8/10 4                                   #
underprivileged

/etc/shorewall/tcdevices:
ppp0            18000kbit        900kbit

/etc/shorewall/tcrules:
1        0.0.0.0/0 0.0.0.0/0    icmp    echo-request
1        0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
2        0.0.0.0/0 0.0.0.0/0    udp     5060
2        0.0.0.0/0 0.0.0.0/0    udp     -       5060
4        0.0.0.0/0 0.0.0.0/0    udp    4666


I started shorewall and everything seemed to work. But after some time I
realised that the connection was pretty slow. I ran some "speed tests"
on
the web, and they all showed an average speed of approx. 2.000kbit/s.

I moved the files tcclasses, tcrules and tcdevices to /tmp and restarted
shorewall and the speedtest showed a speedrange up to 18.000kbit/s.

Any ideas what I did wrong?


------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects

Mona Meyer wrote:
> Hello out there,
> 
> I am using shorewall 3.2.6 on Debian Etch
> 
> I used the example files from the debian shorewall packages to configure
> traffic shaping:
> 
> /etc/shorewall/tcclasses:
> ppp0  1  100kbit  1000kbit   1  tos=0x68/0xfc,tos=0xb8/0xfc      # VOIP
> ppp0  2  full/4   full      2  tcp-ack,tos-minimize-delay       #
ssh/telnet
> ppp0  3  full/4   full      3  default                          # all other
> ppp0  4  full/8   full*8/10 4                                   #
> underprivileged
> 
> /etc/shorewall/tcdevices:
> ppp0            18000kbit        900kbit
> 
> /etc/shorewall/tcrules:
> 1        0.0.0.0/0 <http://0.0.0.0/0> 0.0.0.0/0
<http://0.0.0.0/0>
> icmp    echo-request
> 1        0.0.0.0/0 <http://0.0.0.0/0> 0.0.0.0/0
<http://0.0.0.0/0>
> icmp    echo-reply
> 2        0.0.0.0/0 <http://0.0.0.0/0> 0.0.0.0/0
<http://0.0.0.0/0>
> udp     5060
> 2        0.0.0.0/0 <http://0.0.0.0/0> 0.0.0.0/0
<http://0.0.0.0/0>
> udp     -       5060
> 4        0.0.0.0/0 <http://0.0.0.0/0> 0.0.0.0/0
<http://0.0.0.0/0>
> udp    4666
> 
> 
> I started shorewall and everything seemed to work. But after some time I
> realised that the connection was pretty slow. I ran some "speed
tests"
> on the web, and they all showed an average speed of approx. 2.000kbit/s.
> 
> I moved the files tcclasses, tcrules and tcdevices to /tmp and restarted
> shorewall and the speedtest showed a speedrange up to 18.000kbit/s.
> 
> Any ideas what I did wrong?
Not without seeing the output of ''shorewall dump'' gathered
when
performance was bad.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects

2009/6/15 Tom Eastep <teastep@shorewall.net>
>
>
> Not without seeing the output of ''shorewall dump''
gathered when
> performance was bad.
>
First of all: thanks for your help

I made two dumpfiles.

One with QOS activated (http://co2.kilu.de/shorewall.txt)
and one without (http://co2.kilu.de/shorewall2.txt).


------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects

Mona Meyer wrote:
> 
> 
> 2009/6/15 Tom Eastep <teastep@shorewall.net
<mailto:teastep@shorewall.net>>
> 
> 
> 
>     Not without seeing the output of ''shorewall dump''
gathered when
>     performance was bad.
> 
> 
> First of all: thanks for your help
> 
> I made two dumpfiles.
> 
> One with QOS activated (http://co2.kilu.de/shorewall.txt)
> and one without (http://co2.kilu.de/shorewall2.txt).
Looks like the ingress filter is dropping about 2% of the incoming
packets, even though the rate is set at 18000kbit and you seem to only
reach 2000kbit.

qdisc ingress ffff: ----------------
 Sent 3683533 bytes 2718 pkt (dropped 52, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

Normally, I would recommend disabling the ingress filter by setting
IN-BANDWIDTH to 0 or omitting the setting altogether but your version of
Shorewall is too old to support that option. So I can only recommend
setting it higher until you see no dropped packets in the ingress filter
and then check your download speed.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects