QoS / Traffic Shaping


#1

Hello, I’ve just set up a vyos firewall, and it works handsomely, except for the qos part :frowning:

I have a 20Mb/2Mb Internet connection.

I have a server (192.168.4.70) connecting to Usenet.

I’d like the server to use all bandwidth available if I’m not browsing, watching Youtube videos, etc. on my laptop, cell phone, etc.

I’m running the August 1st build of vyos (lithium).

eth0 is the wan interface (dhcp from my provider)

These are the only rules I’ve set

set traffic-policy shaper EGRESS_QOS bandwidth '1800kbit'

set traffic-policy shaper EGRESS_QOS class 100 bandwidth '35%'
set traffic-policy shaper EGRESS_QOS class 100 burst '2kb'
set traffic-policy shaper EGRESS_QOS class 100 ceiling '100%'
set traffic-policy shaper EGRESS_QOS class 100 description 'usenet'
set traffic-policy shaper EGRESS_QOS class 100 match FROM_SERVER ip source address '192.168.4.70/24'
set traffic-policy shaper EGRESS_QOS class 100 match HTTPS ip destination port '443'
set traffic-policy shaper EGRESS_QOS class 100 match NNTP ip destination port '119'
set traffic-policy shaper EGRESS_QOS class 100 match NNTPS ip destination port '563'
set traffic-policy shaper EGRESS_QOS class 100 queue-type 'fq-codel'

set traffic-policy shaper EGRESS_QOS default bandwidth '65%'
set traffic-policy shaper EGRESS_QOS default burst '2kb'
set traffic-policy shaper EGRESS_QOS default ceiling '100%'
set traffic-policy shaper EGRESS_QOS default queue-type 'fq-codel'

set interfaces ethernet eth0 traffic-policy out 'EGRESS_QOS'

What’s happening right now is that browsing is slow as molasses on any machine, while the server is running mostly at full speed.

This is the output of “/sbin/tc -s qdisc show dev eth0”:

qdisc htb 1: root refcnt 2 r2q 10 default 65 direct_packets_stat 0 direct_qlen 1000
 Sent 60143477 bytes 789423 pkt (dropped 0, overlimits 52 requeues 0)
 backlog 0b 0p requeues 0
qdisc fq_codel 800a: parent 1:65 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms
 Sent 1104794 bytes 10249 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  maxpacket 1514 drop_overlimit 0 new_flow_count 4447 ecn_mark 0
  new_flows_len 0 old_flows_len 4
qdisc fq_codel 800b: parent 1:64 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms
 Sent 59038683 bytes 779174 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  maxpacket 1514 drop_overlimit 0 new_flow_count 35745 ecn_mark 0
  new_flows_len 0 old_flows_len 1

Any help will be greatly appreciated


#2

Traffic shaping only affects outgoing bandwidth. If eth0 is your wan link, then adding a traffic policy there won’t affect how much downstream (into the Vyos) bandwidth your local server can use.

You need to apply the bandwidth limits to your inside interface, so that Vyos will throttle the packets leaving the Vyos on your inside interface going to that server.
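Putting this reply together with the policy from post #1, here is an added example configuration (my own, not from the poster's gist or the VyOS project) that shapes both directions. It assumes the LAN sits on eth1, a download rate just under the 20Mb link, and the policy name INGRESS_QOS. Two things differ from the original rules: the host is matched with /32 (a /24 covers the whole subnet), and because each named match rule in a VyOS class stands on its own, the address and port criteria are put in the same rule so both must hold; with the original rules, a standalone port-443 rule places every HTTPS flow from any host into the usenet class.

```vyos
# Added example, not the thread's own config. Assumes LAN = eth1, 20Mb/2Mb link.

# Upload: shaper on the WAN side, as in the original post. The host match is
# /32 (a /24 would classify the whole 192.168.4.0/24 subnet), and address plus
# port are criteria of the same match rule, so both must be true.
set traffic-policy shaper EGRESS_QOS bandwidth '1800kbit'
set traffic-policy shaper EGRESS_QOS class 100 bandwidth '35%'
set traffic-policy shaper EGRESS_QOS class 100 ceiling '100%'
set traffic-policy shaper EGRESS_QOS class 100 description 'usenet'
set traffic-policy shaper EGRESS_QOS class 100 match NNTP ip source address '192.168.4.70/32'
set traffic-policy shaper EGRESS_QOS class 100 match NNTP ip destination port '119'
set traffic-policy shaper EGRESS_QOS class 100 match NNTPS ip source address '192.168.4.70/32'
set traffic-policy shaper EGRESS_QOS class 100 match NNTPS ip destination port '563'
set traffic-policy shaper EGRESS_QOS class 100 queue-type 'fq-codel'
set traffic-policy shaper EGRESS_QOS default bandwidth '65%'
set traffic-policy shaper EGRESS_QOS default ceiling '100%'
set traffic-policy shaper EGRESS_QOS default queue-type 'fq-codel'
set interfaces ethernet eth0 traffic-policy out 'EGRESS_QOS'

# Download: a shaper only acts on packets leaving an interface, so the limit
# for traffic towards the server goes on the LAN interface, direction 'out'.
# Here the server is the destination and the Usenet port is the source port.
# 18000kbit (assumed value) is a little under the 20Mb link so the queue
# builds on VyOS rather than at the ISP.
set traffic-policy shaper INGRESS_QOS bandwidth '18000kbit'
set traffic-policy shaper INGRESS_QOS class 100 bandwidth '35%'
set traffic-policy shaper INGRESS_QOS class 100 ceiling '100%'
set traffic-policy shaper INGRESS_QOS class 100 description 'usenet download'
set traffic-policy shaper INGRESS_QOS class 100 match NNTP ip destination address '192.168.4.70/32'
set traffic-policy shaper INGRESS_QOS class 100 match NNTP ip source port '119'
set traffic-policy shaper INGRESS_QOS class 100 match NNTPS ip destination address '192.168.4.70/32'
set traffic-policy shaper INGRESS_QOS class 100 match NNTPS ip source port '563'
set traffic-policy shaper INGRESS_QOS class 100 queue-type 'fq-codel'
set traffic-policy shaper INGRESS_QOS default bandwidth '65%'
set traffic-policy shaper INGRESS_QOS default ceiling '100%'
set traffic-policy shaper INGRESS_QOS default queue-type 'fq-codel'
set interfaces ethernet eth1 traffic-policy out 'INGRESS_QOS'
```

Check the classification with the same `/sbin/tc -s qdisc show` command used above, this time on eth1; class 100 shows up there as `1:64`, since tc prints class ids in hex, which is why the output in post #1 has almost all bytes under `parent 1:64`.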


#3

Thanks for the reply carl.byington.

What I ended up doing was to use tc directly, by means of the script on this page https://wiki.gentoo.org/wiki/Traffic_shaping.

It’s working pretty well … no latency, responsive browsing, even when I’m saturating the line with Usenet traffic.


#4

I wanted to follow up on this subject, since I ended up doing traffic shaping after all.

I posted my firewall’s config on github, hopefully it will be of help to others.

I used a couple of references to get the script up to this shape, I’ll try to collect and reference them in the gist.

As mentioned in the gist, the script does the following:

Drop any incoming traffic by default (except for vpn)
DHCP from ISP (WAN, ethernet eth0)
NAT for the local network (LAN, ethernet eth1, set to 192.168.1.0/24)
NTP synchronization
OpenVPN (road warrior) access
DHCP server for the local network, including sample static mappings for workstations
DNS forwarder
Sample static mappings for workstations (you can, for example, ping )
SSH access to the router (from the local network)
DDNS setup (duckdns provider)
QOS setup, with 3 traffic ‘lanes’ (each ‘lane’ will use up all the bandwidth, if there’s no other traffic on the ISP connection):
High Priority: dns, icmp and ssh protocols
Medium Priority: all traffic
Low Priority: usenet traffic (by specifying the usenet provider you connect to)