fair_traffic_shaping_an_adsl_line_for_a_local_network_using_linux
Differences
fair_traffic_shaping_an_adsl_line_for_a_local_network_using_linux [2018/12/06 21:55] – abeverley | fair_traffic_shaping_an_adsl_line_for_a_local_network_using_linux [2018/12/06 22:02] (current) – abeverley | ||
---|---|---|---|
Line 50: | Line 50: | ||
< | < | ||
- | # | + | # |
- | $IPTABLES -t mangle -A FORWARD -j MARK --set-mark 40 | + | $IPTABLES -t mangle -A FORWARD -j MARK --set-mark 40 |
- | + | ||
- | # | + | # |
- | $IPTABLES -t mangle -A FORWARD -p tcp --sport 80 -i ppp0 -j MARK --set-mark 30 | + | $IPTABLES -t mangle -A FORWARD -p tcp --sport 80 -i ppp0 -j MARK --set-mark 30 |
- | $IPTABLES -t mangle -A FORWARD -p tcp --dport 80 -o ppp0 -j MARK --set-mark 30 | + | $IPTABLES -t mangle -A FORWARD -p tcp --dport 80 -o ppp0 -j MARK --set-mark 30 |
- | $IPTABLES -t mangle -A FORWARD -p tcp --sport 443 -i ppp0 -j MARK --set-mark 30 | + | $IPTABLES -t mangle -A FORWARD -p tcp --sport 443 -i ppp0 -j MARK --set-mark 30 |
- | $IPTABLES -t mangle -A FORWARD -p tcp --dport 443 -i eth0 -j MARK --set-mark 30 | + | $IPTABLES -t mangle -A FORWARD -p tcp --dport 443 -i eth0 -j MARK --set-mark 30 |
- | + | ||
- | # | + | # |
- | $IPTABLES -t mangle -A FORWARD -p tcp --sport 22 -i ppp0 -j MARK --set-mark 10 | + | $IPTABLES -t mangle -A FORWARD -p tcp --sport 22 -i ppp0 -j MARK --set-mark 10 |
- | $IPTABLES -t mangle -A FORWARD -p tcp --dport 22 -o ppp0 -j MARK --set-mark 10 | + | $IPTABLES -t mangle -A FORWARD -p tcp --dport 22 -o ppp0 -j MARK --set-mark 10 |
- | + | ||
- | # | + | # |
- | $IPTABLES -t mangle -A OUTPUT -m udp -p udp --dport 53 -o ppp0 -j MARK --set-mark 10 | + | $IPTABLES -t mangle -A OUTPUT -m udp -p udp --dport 53 -o ppp0 -j MARK --set-mark 10 |
- | $IPTABLES -t mangle -A OUTPUT -m udp -p udp --sport 53 -o eth0 -j MARK --set-mark 10 | + | $IPTABLES -t mangle -A OUTPUT -m udp -p udp --sport 53 -o eth0 -j MARK --set-mark 10 |
- | + | ||
- | # IMAP | + | # IMAP |
- | $IPTABLES -t mangle -A FORWARD -p tcp --sport 993 -i ppp0 -j MARK --set-mark 30 | + | $IPTABLES -t mangle -A FORWARD -p tcp --sport 993 -i ppp0 -j MARK --set-mark 30 |
- | $IPTABLES -t mangle -A FORWARD -p tcp --dport 993 -o ppp0 -j MARK --set-mark 30 | + | $IPTABLES -t mangle -A FORWARD -p tcp --dport 993 -o ppp0 -j MARK --set-mark 30 |
- | + | ||
- | # | + | # |
- | $IPTABLES -t mangle -A FORWARD -m connbytes --connbytes 504857: | + | $IPTABLES -t mangle -A FORWARD -m connbytes --connbytes 504857: |
- | --connbytes-mode bytes -j MARK --set-mark 40 | + | --connbytes-mode bytes -j MARK --set-mark 40 |
- | + | ||
- | # | + | # |
- | # | + | # |
- | $IPTABLES -t mangle -A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags FIN, | + | $IPTABLES -t mangle -A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags \\ |
+ | FIN, | ||
</ | </ | ||
Now we need to look out for all those P2P connections. We're going to find these out by looking for a client on the network making lots of connections to high port numbers, which is generally what P2P software does. This isn't foolproof of course: I have seen P2P software start to use port 80, and there could be false negatives, but on the whole it seems to work better than any other solutions out there that I have tried. | Now we need to look out for all those P2P connections. We're going to find these out by looking for a client on the network making lots of connections to high port numbers, which is generally what P2P software does. This isn't foolproof of course: I have seen P2P software start to use port 80, and there could be false negatives, but on the whole it seems to work better than any other solutions out there that I have tried. | ||
- | '' | + | < |
- | '' | + | # |
- | '' | + | # |
- | '' | + | # |
- | '' | + | # |
- | '' | + | # |
- | '' | + | $IPTABLES -t mangle -A FORWARD -o ppp0 -p tcp --dport 1024: |
- | '' | + | -m connlimit --connlimit-above 8 -j SET --add-set p2p src |
- | '' | + | |
- | '' | + | # |
- | '' | + | # |
- | '' | + | $IPTABLES -t mangle -A FORWARD -o ppp0 -p udp --dport 1024: |
- | '' | + | -m connlimit --connlimit-above 4 -j SET --add-set p2p src |
- | '' | + | |
- | '' | + | # |
- | '' | + | # |
- | '' | + | $IPTABLES -t mangle -A FORWARD -i ppp0 -p tcp --sport 1024: |
- | '' | + | -m connlimit --connlimit-above 8 -j SET --add-set p2p dst |
- | '' | + | |
- | '' | + | # |
- | '' | + | # |
- | '' | + | $IPTABLES -t mangle -A FORWARD -i ppp0 -p udp --sport 1024: |
+ | -m connlimit --connlimit-above 4 -j SET --add-set p2p dst | ||
+ | </ | ||
The above rules just add the client IP address to the ipset. We now need to mark the traffic, which the following rules do. On one network, traffic became so slow that I marked ALL traffic to and from those clients as ' | The above rules just add the client IP address to the ipset. We now need to mark the traffic, which the following rules do. On one network, traffic became so slow that I marked ALL traffic to and from those clients as ' | ||
- | '' | + | < |
- | '' | + | # |
- | '' | + | # |
- | '' | + | $IPTABLES -t mangle -A FORWARD -o ppp0 -p tcp --dport 1024: |
- | '' | + | -m set --set p2p src -j MARK --set-mark 666 |
- | '' | + | $IPTABLES -t mangle -A FORWARD -i ppp0 -p tcp --sport 1024: |
- | '' | + | -m set --set p2p dst -j MARK --set-mark 666 |
- | '' | + | $IPTABLES -t mangle -A FORWARD -o ppp0 -p udp --dport 1024: |
- | '' | + | -m set --set p2p src -j MARK --set-mark 666 |
- | '' | + | $IPTABLES -t mangle -A FORWARD -i ppp0 -p udp --sport 1024: |
+ | -m set --set p2p dst -j MARK --set-mark 666 | ||
+ | </ | ||
===== Shaping the traffic using HTB ===== | ===== Shaping the traffic using HTB ===== | ||
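Review bot: the line continuation at the end of the new tcp-flags rule reads `--tcp-flags \\` with `FIN,` on the following line; inside a `<code>` block those two backslashes are literal, and the shell treats `\\` as an escaped backslash rather than a continuation, so the `FIN, ...` line would run as a separate command (a single trailing `\` is what is needed). The same question applies to the connbytes rule, which is split after `--connbytes 504857:` with no continuation visible in either column. Two smaller points on this hunk: the connlimit rules add an address with `-j SET --add-set p2p src` / `dst`, but nothing in the hunk ever expires it, so a client that once trips the limit stays in the bulk class until the set is flushed (an ipset created with a timeout would let entries age out); and the ACK rule matches every segment carrying the ACK flag, which is nearly all TCP traffic, unless the truncated remainder of that line adds a length match restricting it to small pure-ACK packets.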
Line 134: | Line 139: | ||
We don't set a default class; this is so that local eth0 traffic is not shaped. As already stated, we have to shape at eth0 and not ppp0 as we can only do egress shaping decently. | We don't set a default class; this is so that local eth0 traffic is not shaped. As already stated, we have to shape at eth0 and not ppp0 as we can only do egress shaping decently. | ||
- | '' | + | < |
- | '' | + | # |
- | '' | + | tc qdisc add dev eth0 root handle 1: |
- | '' | + | |
- | '' | + | |
- | '' | + | |
- | We now have one root HTB qdisc with a rate limit of 3600kbps. To this we add 6 further children. Note the numbers. 1: (or 1:0) is the root. 1:1 is the first child with the overall rate limit. Each child of this is 1:10, 1:20 and so on. To make things simpler, I have numbered the children below to align with the MARK numbers. < | + | # |
+ | # | ||
+ | tc class add dev eth0 parent 1: classid 1:1 htb rate 3600kbit ceil 3600kbit | ||
+ | </code> | ||
- | '' | + | We now have one root HTB qdisc with a rate limit of 3600kbps. To this we add 6 further children. Note the numbers. 1: (or 1:0) is the root. 1:1 is the first child with the overall rate limit. Each child of this is 1:10, 1:20 and so on. To make things simpler, I have numbered the children below to align with the MARK numbers. Note that all the rates of the children should add up to the single rate limit of the parent. |
- | '' | + | |
- | '' | + | < |
- | '' | + | # |
- | '' | + | # |
- | '' | + | # |
- | '' | + | # |
- | '' | + | |
- | '' | + | # |
- | '' | + | tc class add dev eth0 parent 1: |
- | '' | + | |
- | '' | + | # |
- | '' | + | |
- | '' | + | # |
- | '' | + | tc class add dev eth0 parent 1: |
- | '' | + | |
- | '' | + | # |
- | '' | + | tc class add dev eth0 parent 1: |
- | '' | + | |
- | '' | + | # bulk |
- | '' | + | tc class add dev eth0 parent 1: |
+ | |||
+ | # | ||
+ | tc class add dev eth0 parent 1: | ||
+ | </ | ||
We now have the HTB qdisc fully set up. However, no traffic will be sent to it yet, and the traffic will not be shaped within each class. | We now have the HTB qdisc fully set up. However, no traffic will be sent to it yet, and the traffic will not be shaped within each class. | ||
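Review bot: the sentence added in the new revision ("all the rates of the children should add up to the single rate limit of the parent") is the right rule for HTB, where a child's `rate` is a guarantee that must fit inside the parent's and `ceil` governs borrowing, but the same paragraph still says "6 further children" while the downlink block below it contains five `tc class add dev eth0 parent 1:` lines as far as the diff shows; either the count should be corrected or the text should say that the ACK class exists only on the uplink. It is also worth stating next to `tc class add dev eth0 parent 1: classid 1:1 htb rate 3600kbit ceil 3600kbit` that 3600kbit has to sit somewhat below the line's real downstream rate: egress shaping on eth0 only orders packets that queue in this box, so if the figure equals or exceeds the line rate the queue forms in the modem instead and the class priorities have no effect.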
Line 169: | Line 178: | ||
The next set of rules shape traffic in each class. If we don't do this, then all the traffic for a particular class (such as all the webbrowsing traffic - 30) will be piled into the class on a fifo basis. We want to be more intelligent than this. SFQ does some nice fair shaping. | The next set of rules shape traffic in each class. If we don't do this, then all the traffic for a particular class (such as all the webbrowsing traffic - 30) will be piled into the class on a fifo basis. We want to be more intelligent than this. SFQ does some nice fair shaping. | ||
- | '' | + | < |
- | '' | + | tc qdisc add dev eth0 parent 1: |
- | '' | + | tc qdisc add dev eth0 parent 1: |
- | '' | + | tc qdisc add dev eth0 parent 1: |
- | '' | + | tc qdisc add dev eth0 parent 1: |
+ | tc qdisc add dev eth0 parent 1: | ||
+ | </ | ||
So, everything is set up and ready to go. We just need to divert some traffic into each of the classes. We do this by attaching a filter to the class. A filter looks for traffic of a particular type and sucks it into the class. In this example, we use the MARK of the traffic (called flowid here). | So, everything is set up and ready to go. We just need to divert some traffic into each of the classes. We do this by attaching a filter to the class. A filter looks for traffic of a particular type and sucks it into the class. In this example, we use the MARK of the traffic (called flowid here). | ||
- | '' | + | < |
- | '' | + | tc filter add dev eth0 parent 1: |
- | '' | + | tc filter add dev eth0 parent 1: |
- | '' | + | tc filter add dev eth0 parent 1: |
- | '' | + | tc filter add dev eth0 parent 1: |
+ | tc filter add dev eth0 parent 1: | ||
+ | </ | ||
Everything will be working nicely at this point. However, we have one more tweak to do. We want to share traffic between clients (by IP address) not by connection. This means that if one client has 4 downloads on the go, and another has only one, that traffic will be split 50/50, as opposed to the first client getting 80%. We do this by applying more filters to the existing ones. | Everything will be working nicely at this point. However, we have one more tweak to do. We want to share traffic between clients (by IP address) not by connection. This means that if one client has 4 downloads on the go, and another has only one, that traffic will be split 50/50, as opposed to the first client getting 80%. We do this by applying more filters to the existing ones. | ||
- | '' | + | < |
- | '' | + | tc filter add dev eth0 parent 4210: |
- | '' | + | tc filter add dev eth0 parent 4230: |
- | '' | + | tc filter add dev eth0 parent 4240: |
- | '' | + | tc filter add dev eth0 parent 4250: |
+ | tc filter add dev eth0 parent 666: | ||
+ | </ | ||
==== Uplink ==== | ==== Uplink ==== | ||
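Review bot: the per-client fairness filters attached to the SFQ handles (`parent 4210:` through `parent 666:`) are cut off in this diff, so the flow key cannot be checked here; on eth0 the key has to be the destination address (the LAN client is the receiver), while the matching uplink filters on ppp0 need the source address, and the 50/50 example in the text only holds if the key is the client side and the hash divisor is large enough for the number of clients. The paragraph on SFQ could say why these extra filters are needed at all: SFQ is fair per flow, so without them a client with four downloads gets four shares, which is exactly the 80/20 split the text wants to avoid. Note also that this section adds five SFQ qdiscs and five fw filters, consistent with five downlink classes rather than the six mentioned earlier.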
Line 195: | Line 210: | ||
The uplink is almost identical, except that it puts ACK packets into a separate class. This is so that when the upload link is saturated, download speeds are not affected. | The uplink is almost identical, except that it puts ACK packets into a separate class. This is so that when the upload link is saturated, download speeds are not affected. | ||
- | '' | + | < |
- | '' | + | tc qdisc add dev ppp0 root handle 1: |
- | '' | + | tc class add dev ppp0 parent 1: |
- | '' | + | |
- | '' | + | tc class add dev ppp0 parent 1: |
- | '' | + | tc class add dev ppp0 parent 1: |
- | '' | + | tc class add dev ppp0 parent 1: |
- | '' | + | tc class add dev ppp0 parent 1: |
- | '' | + | tc class add dev ppp0 parent 1: |
- | '' | + | tc class add dev ppp0 parent 1: |
- | '' | + | |
- | '' | + | tc qdisc add dev ppp0 parent 1: |
- | '' | + | tc qdisc add dev ppp0 parent 1: |
- | '' | + | tc qdisc add dev ppp0 parent 1: |
- | '' | + | tc qdisc add dev ppp0 parent 1: |
- | '' | + | tc qdisc add dev ppp0 parent 1: |
- | '' | + | tc qdisc add dev ppp0 parent 1: |
- | '' | + | |
- | '' | + | tc filter add dev ppp0 parent 1: |
- | '' | + | tc filter add dev ppp0 parent 1: |
- | '' | + | tc filter add dev ppp0 parent 1: |
- | '' | + | tc filter add dev ppp0 parent 1: |
- | '' | + | tc filter add dev ppp0 parent 1: |
- | '' | + | |
- | '' | + | tc filter add dev ppp0 parent 1: |
- | '' | + | tc filter add dev ppp0 parent 4210: |
- | '' | + | tc filter add dev ppp0 parent 4220: |
- | '' | + | tc filter add dev ppp0 parent 4230: |
- | '' | + | tc filter add dev ppp0 parent 4240: |
- | '' | + | tc filter add dev ppp0 parent 4250: |
+ | tc filter add dev ppp0 parent 666: | ||
+ | </ | ||
===== The full script ===== | ===== The full script ===== |
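Review bot: the uplink block mirrors the downlink with one extra class for ACKs (`parent 4220:`), but the root qdisc on ppp0 is where ADSL framing matters most: HTB counts IP packet bytes, whereas the line carries 53-byte ATM cells, so small packets such as pure ACKs cost far more link time than HTB assumes. Either give the ppp0 qdisc the ATM link-layer parameters (`stab linklayer atm overhead <N>`) or set the uplink rate well below the sync rate, otherwise the modem queue still fills and the separate ACK class does not protect downloads as intended. Since the `tc filter add dev ppp0 parent 1:` lines are truncated here, also confirm that the fw handle used for the ACK class is the same mark the tcp-flags mangle rule sets in the first hunk; if the two numbers differ, that class is never selected and ACKs fall through to whatever class the earlier MARK rule assigned.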
fair_traffic_shaping_an_adsl_line_for_a_local_network_using_linux.1544133331.txt.gz · Last modified: 2018/12/06 21:55 by abeverley