QOS Configuration

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

2020/03/16


Introduction

This configuration was inspired by the one in this thread on the OpenWRT Forum: https://forum.openwrt.org/viewtopic.php?pid=154533#p154533. The configuration has been adapted to Shorewall 4.5.6 with the following changes:

  1. The configuration uses an IFB, yet only uses firewall marks in the OUTPUT and FORWARD chains to classify packets; clearly that doesn't work[1]The configuration presented here uses U32 classifiers (shorewall-tcfilters(5)) to classify traffic for download shaping and uses the POSTROUTING chain for upload shaping.

  2. The sample uses a weak form of P2P classification; the one presented below uses IPP2P.

  3. The OpenWRT script assumed that the uplink was ATM -- the one below makes no assumption (it specifies 'ethernet' with overhead '0').

/etc/shorewall/params

The shell variables set in the OpenWRT script are set in the Shorewall params file:

# local network

MYNET=192.168.0.0/24

DOWNLOAD=40000 #download speed in kbit. set xx% of real download speed
UPLOAD=7000 # set xx% of real upload speed

# multiports = up to 15 ports
# ports to be classified as bulk #set after connection mark save and after connection mark restore
TCP_BULK="1024:" #S and D ports
UDP_BULK="1024:" #S and D ports

# Destination ports to be classified as P2P
TCP_P2P="13769" #D ports
UDP_P2P="13769" #D ports
IP_P2P="192.168.0.133"

# Destination ports to be classified as normal
TCP_NORMAL="80,443,25,20,21,110,993,995" # D ports
UDP_NORMAL=""

# Destination ports to be classified as Prio (overules bulk ports)
TCP_PRIO="22,53" #destination ports
UDP_PRIO="22,53" #destination ports

# Destination ports to be classified as VoIP (overules bulk ports)
TCP_VOIP=""
UDP_VOIP="18080"
IP_VOIP="192.168.0.226" #destination and source IP
IP_VOIP="192.168.0.226" #destination and source IP

#!!!!!uplink leaf class parameters!!!!!!!!!

#bulk
UP_LS_BULK_RATE=$(($UPLOAD*5/100))
UP_UL_BULK_RATE=$UPLOAD
#settings leaf qdisc
UP_BULK_RED_PROB=0.05 #red drob probability
UP_BULK_RED_min=6250 #real limit. To limit BULK traffic
UP_BULK_RED_min2=6250 #min for doing the calculations (burst and etc)
UP_BULK_RED_max=$((2 * $UP_BULK_RED_min2 + $UP_BULK_RED_min))
UP_BULK_RED_burst=$(((5 * $UP_BULK_RED_min2) / (3 * 1000)))
UP_BULK_RED_limit=$(($UP_BULK_RED_max * 5))

#P2P
UP_LS_P2P_RATE=$(($UPLOAD * 5 / 100))
UP_UL_P2P_RATE=$UPLOAD
#settings leaf qdisc
UP_P2P_RED_PROB=0.05 #red drob probability
UP_P2P_RED_min=32000 #real limit. To limit P2P traffic
UP_P2P_RED_min2=32000 #min for doing the calculations (burst and etc)
UP_P2P_RED_max=$((5 * $UP_P2P_RED_min2 + $UP_P2P_RED_min))
UP_P2P_RED_burst=$(((5 * $UP_P2P_RED_min2) / (3 * 1000)))
UP_P2P_RED_limit=$(($UP_P2P_RED_max * 5))
#normal class
UP_LS_NORMAL_RATE=$(($UPLOAD * 40 / 100))
UP_UL_NORMAL_RATE=$UPLOAD
#settings leaf qdisc
UP_NORMAL_RED_PROB=0.05 #red drob probability
UP_NORMAL_RED_min=6250 #real limit. To limit NORMAL traffic
UP_NORMAL_RED_min2=6250 #min for doing the calculations (burst and etc)
UP_NORMAL_RED_max=$((2 * $UP_NORMAL_RED_min2 + $UP_NORMAL_RED_min))
UP_NORMAL_RED_burst=$(((5 * $UP_NORMAL_RED_min2) / (3 * 1000)))
UP_NORMAL_RED_limit=$(($UP_NORMAL_RED_max * 5))

#prio
UP_LS_PRIO_RATE=$(($UPLOAD*50/100))
UP_RT_PRIO_RATE="200" #rate in kbit
UP_RT_PRIO_UMAX="400" #lengte of the packets [byte]
UP_RT_PRIO_DMAX="15" #delay in ms
UP_UL_PRIO_RATE=$UPLOAD

#Voip
UP_UL_VOIP_RATE=$UPLOAD
UP_SC_VOIP_RATE="200"
UP_SC_VOIP_UMAX="350" #length of the voip packets [byte]
UP_SC_VOIP_DMAX="10" #delay in ms

#bulk
DOWN_LS_BULK_RATE=$(($DOWNLOAD*5/100))
DOWN_UL_BULK_RATE=$DOWNLOAD
#leaf qdisc parameters
DOWN_BULK_RED_PROB=0.05 #red drob probability
DOWN_BULK_RED_min=62500 #real limit. To limit BULK traffic
DOWN_BULK_RED_min2=62500 #min for doing the calculations (burst and etc)
DOWN_BULK_RED_max=$((2 * $DOWN_BULK_RED_min2 + $DOWN_BULK_RED_min))
DOWN_BULK_RED_burst=$(((5 * $DOWN_BULK_RED_min2) / (3 * 1000)))
DOWN_BULK_RED_limit=$(($DOWN_BULK_RED_max * 5))


#P2P
DOWN_LS_P2P_RATE=$(($DOWNLOAD*5/100))
DOWN_UL_P2P_RATE=4000
#leaf qdisc parameters
DOWN_P2P_RED_PROB=0.05 #red drob probability
DOWN_P2P_RED_min=200000 #real limit. To limit P2P traffic
DOWN_P2P_RED_min2=200000 #min for doing the calculations (burst and etc)
DOWN_P2P_RED_max=$((2 * $DOWN_P2P_RED_min2 + $DOWN_P2P_RED_min))
DOWN_P2P_RED_burst=$(((5 * $DOWN_P2P_RED_min2) / (3 * 1000)))
DOWN_P2P_RED_limit=$(($DOWN_P2P_RED_max * 5))

#normal class
DOWN_LS_NORMAL_RATE=$(($DOWNLOAD*75/100))
DOWN_UL_NORMAL_RATE=$DOWNLOAD

#leaf qdisc parameters
DOWN_NORMAL_RED_PROB=0.05 #red drob probability
DOWN_NORMAL_RED_min=62500 #real limit. To limit NORMAL traffic
DOWN_NORMAL_RED_min2=62500 #min for doing the calculations (burst and etc)
DOWN_NORMAL_RED_max=$((2 * $DOWN_NORMAL_RED_min2 + $DOWN_NORMAL_RED_min))
DOWN_NORMAL_RED_burst=$(((5 * $DOWN_NORMAL_RED_min2) / (3 * 1000)))
DOWN_NORMAL_RED_limit=$(($DOWN_NORMAL_RED_max * 5))

#prio
DOWN_RT_PRIO_RATE="500" #rate in kbit
DOWN_RT_PRIO_UMAX="400" #length of the packets [byte]/
DOWN_RT_PRIO_DMAX="1.5" #delay in ms
DOWN_UL_PRIO_RATE=$DOWNLOAD


#Voip
DOWN_UL_VOIP_RATE=$DOWNLOAD
DOWN_SC_VOIP_RATE="250"
DOWN_SC_VOIP_UMAX="350" #lengt of voip packets [byte]
DOWN_SC_VOIP_DMAX="1.2" #delay in ms

/etc/shorewall/init

The init file loads the ifb module, creating a single device:

modprobe ifb numifbs=1
ip link set ifb0 up

/etc/shorewall/tcdevices

The tcdevices file describes the two devices:

#NUMBER:        IN_BANDWITH     OUT_BANDWIDTH   OPTIONS         REDIRECT
1:eth0          -               ${UPLOAD}kbit   hfsc,linklayer=ethernet,overhead=0
2:ifb0          -               ${DOWNLOAD}kbit hfsc            eth0

/etc/shorewall/tcclasses

The tcclasses file defines the class hierarchy for both devices:

#INTERFACE MARK    RATE                            CEIL                            PRIORITY        OPTIONS
1          1       ${UP_SC_VOIP_RATE}kbit:\
                   ${UP_SC_VOIP_DMAX}:\
                   ${UP_SC_VOIP_UMAX}              ${UP_UL_VOIP_RATE}kbit          1

1          2       ${UP_RT_PRIO_RATE}kbit:\
                   ${UP_RT_PRIO_DMAX}:\
                   ${UP_RT_PRIO_UMAX}              ${UP_LS_PRIO_RATE}kbit:\
                                                   ${UP_UL_PRIO_RATE}kbit          1

1          3       -                               ${UP_LS_NORMAL_RATE}kbit:\
                                                   ${UP_UL_NORMAL_RATE}kbit        1               red=(limit=$UP_NORMAL_RED_limit,\
                                                                                                        min=$UP_NORMAL_RED_min,\
                                                                                                        max=$UP_NORMAL_RED_max,\
                                                                                                        burst=$UP_NORMAL_RED_burst,\
                                                                                                        probability=$UP_NORMAL_RED_PROB,\
                                                                                                        ecn)
1          4       -                               ${UP_LS_P2P_RATE}kbit:\
                                                   ${UP_UL_P2P_RATE}kbit           1               red=(limit=$UP_P2P_RED_limit,\
                                                                                                        min=$UP_P2P_RED_min,\
                                                                                                        max=$UP_P2P_RED_max,\
                                                                                                        burst=$UP_P2P_RED_burst,\
                                                                                                        probability=$UP_P2P_RED_PROB,\
                                                                                                        ecn)
1          5       -                               ${UP_LS_BULK_RATE}kbit:\
                                                   ${UP_UL_BULK_RATE}kbit          1               default,\
                                                                                                   red=(limit=$UP_BULK_RED_limit,\
                                                                                                        min=$UP_BULK_RED_min,\
                                                                                                        max=$UP_BULK_RED_max,\
                                                                                                        burst=$UP_BULK_RED_burst,\
                                                                                                        probability=$UP_BULK_RED_PROB,\
                                                                                                        ecn)

2:10       -       ${UP_SC_VOIP_RATE}kbit:\
                   ${UP_SC_VOIP_DMAX}:\
                   ${UP_SC_VOIP_UMAX}              ${UP_UL_VOIP_RATE}kbit          1

2:20       -       ${DOWN_RT_PRIO_RATE}kbit:\
                   ${DOWN_RT_PRIO_DMAX}:\
                   ${DOWN_RT_PRIO_UMAX}            ${DOWN_UL_PRIO_RATE}kbit        1

2:30       -       -                               ${DOWN_LS_NORMAL_RATE}kbit:\
                                                   ${DOWN_UL_NORMAL_RATE}kbit      1               red=(limit=$DOWN_NORMAL_RED_limit,\
                                                                                                        min=$DOWN_NORMAL_RED_min,\
                                                                                                        max=$DOWN_NORMAL_RED_max,\
                                                                                                        burst=$DOWN_NORMAL_RED_burst,\
                                                                                                        probability=$DOWN_NORMAL_RED_PROB)
2:40       -       -                               ${DOWN_LS_P2P_RATE}kbit:\
                                                   ${DOWN_UL_P2P_RATE}kbit         1               red=(limit=$DOWN_P2P_RED_limit,\
                                                                                                        min=$DOWN_P2P_RED_min,\
                                                                                                        max=$DOWN_P2P_RED_max,\
                                                                                                        burst=$DOWN_P2P_RED_burst,\
                                                                                                        probability=$DOWN_P2P_RED_PROB)
2:50       -       -                               ${DOWN_LS_BULK_RATE}kbit:\
                                                   ${DOWN_UL_BULK_RATE}kbit        1               default,\
                                                                                                   red=(limit=$DOWN_BULK_RED_limit,\
                                                                                                        min=$DOWN_BULK_RED_min,\
                                                                                                        max=$DOWN_BULK_RED_max,\
                                                                                                        burst=$DOWN_BULK_RED_burst,\
                                                                                                        probability=$DOWN_BULK_RED_PROB)

/etc/shorewall/mangle

The mangle file classifies upload packets:

#ACTION          SOURCE         DEST          PROTO     DPORT       SPORT      USER    TEST
RESTORE:T        -              -             -         -           -          -       !0:C
CONTINUE:T       -              -             -         -           -          -       !0
MARK(2):T        -              -             icmp
MARK(1):T        -              -             udp       $UDP_VOIP   -          -       0
MARK(1):T        $IP_VOIP       -             -         -           -          -       0
MARK(1):T        -              $IP_VOIP      -         -           -          -       0
MARK(2):T        -              -             tcp       $TCP_PRIO   -          -       0
MARK(2):T        -              -             udp       $UDP_PRIO   -          -       0
MARK(2):T        -              -             tcp       -           $TCP_PRIO  -       0
MARK(2):T        -              -             udp       -           $UDP_PRIO  -       0
MARK(3):T        -              -             tcp       $TCP_NORMAL -          -       0
MARK(4):T        -              -             ipp2p:all -           -          -       0
MARK(5):T        -              -             tcp       $TCP_BULK   -          -       0
MARK(5):T        -              -             tcp       -           $TCP_BULK  -       0
MARK(5):T        -              -             udp       $UDP_BULK   -          -       0
MARK(5):T        -              -             udp       -           $UDP_BULK  -       0
SAVE:T           -              -             -         -           -          -      !0

/etc/shorewall/tcfilters

The tcfilters file classifies download packets:

#INTERFACE:     SOURCE  DEST    PROTO   DPORT   SPORT     TOS            LENGTH
#
# These classify download traffic
#
2:10            -       $MYNET  udp     -       $UDP_VOIP
2:20            -       $MYNET  tcp     -       $TCP_PRIO
2:20            -       $MYNET  udp     -       $UDP_PRIO
2:20            -       $MYNET  tcp     $TCP_PRIO
2:20            -       $MYNET  udp     $UDP_PRIO
2:30            -       $MYNET  tcp     -       $TCP_NORMAL
2:50            -       $MYNET  tcp     $TCP_BULK
2:50            -       $MYNET  tcp     -       $TCP_BULK
2:50            -       $MYNET  udp     $UDP_BULK
2:50            -       $MYNET  tcp     -       $UDP_BULK


[1] To be more precise, it doesn't work with an unpatched kernel. The OpenWRT script assumes an 'act_conntrack' patch which performs conntrack processing on packets before they are sent to the IFB. That patch is not generally available.

Documentation


Frequently Used Articles

- FAQs - Manpages - Configuration File Basics - Beginner Documentation - Troubleshooting

Shorewall 4.4/4.5/4.6 Documentation

Shorewall 4.0/4.2 Documentation


Shorewall 5.0/5.1/5.2 HOWTOs and Other Articles

- 6to4 and 6in4 Tunnels - Accounting - Actions - Aliased (virtual) Interfaces (e.g., eth0:0) - Anatomy of Shorewall - Anti-Spoofing Measures - AUDIT Target support - Bandwidth Control - Blacklisting/Whitelisting - Bridge/Firewall - Building Shorewall from GIT - Commands - Compiled Programs - Configuration File Basics - DHCP - DNAT - Docker - Dynamic Zones - ECN Disabling by host or subnet - Events - Extension Scripts - Fallback/Uninstall - FAQs - Features - Fool's Firewall - Forwarding Traffic on the Same Interface - FTP and Shorewall - Helpers/Helper Modules - Installation/Upgrade - IPP2P - IPSEC - Ipsets - IPv6 Support - ISO 3661 Country Codes - Kazaa Filtering - Kernel Configuration - KVM (Kernel-mode Virtual Machine) - Limiting Connection Rates - Linux Containers (LXC) - Linux-vserver - Logging - Macros - MAC Verification - Manpages - Manual Chains - Masquerading - Multiple Internet Connections from a Single Firewall - Multiple Zones Through One Interface - My Shorewall Configuration - Netfilter Overview - Network Mapping - No firewalling of traffic between bridge port - One-to-one NAT - Operating Shorewall - OpenVPN - OpenVZ - Packet Marking - Packet Processing in a Shorewall-based Firewall - 'Ping' Management - Port Forwarding - Port Information - Port Knocking (deprecated) - Port Knocking, Auto Blacklisting and Other Uses of the 'Recent Match' - PPTP - Proxy ARP - QuickStart Guides - Release Model - Requirements - Routing and Shorewall - Routing on One Interface - Samba - Shared Shorewall/Shorewall6 Configuration - Shorewall Events - Shorewall Init - Shorewall Lite - Shorewall on a Laptop - Shorewall Perl - Shorewall Setup Guide - SMB - SNAT - Split DNS the Easy Way - Squid with Shorewall - Starting/stopping the Firewall - Static (one-to-one) NAT - Support - Tips and Hints - Traffic Shaping/QOS - Simple - Traffic Shaping/QOS - Complex - Transparent Proxy - UPnP - Upgrade Issues - Upgrading to Shorewall 4.4 (Upgrading Debian Lenny to Squeeze) - VPN - VPN Passthrough - White List Creation - Xen - Shorewall in a Bridged Xen DomU - Xen - Shorewall in Routed Xen Dom0

Top of Page