FlexQoS 1.0 - Flexible QoS Enhancement Script for Adaptive QoS

Try running conntrack -F to clear the existing connections table. It may let iptables properly mark the traffic that was already established beforehand. If there is nothing else active in Others in the connection list, something else is wrong.
That worked and now the traffic shows as gaming. Should I try just the ports now?
 
Watching a different thread, it seems that the following command achieves what I need
Code:
conntrack -D

Testing this manually on my router does appear to have the desired effect of restarting all open connections so that they get correctly classified. I'm happy to experiment on my router if @dave14305 or anyone else can advise the best place to issue this command so it runs whenever FlexQoS is started, and whether I need a delay to allow FlexQoS etc to fully start beforehand.
What would be the downsides of always flushing the table when applying the iptables rules?
 
I have no idea, which is why I was trying to test it. I've also seen conntrack -F mentioned earlier which (I'm not familiar with conntrack) might be an alternative.

I've been searching for a solution to this (just like the issue a few posts above) for ages as you may recall, and being able to ensure all of my IoT devices are getting correctly classified when they can use between 25% and 50% of my limited uplink is more important (in my circumstances) than devices reconnecting.

Having said that, I manually ran conntrack -D a few times today and even my work VPN connection stayed up during a Teams call so it seems most connections are hardly interrupted.
 
I’m just wondering if it’s worth adding as a permanent feature of FlexQoS or if there are negatives (perhaps for people with many devices and connections).
 
I wanted to add just the specific ports as Stadia runs on a Chromecast, so if someone was to stream something to the Chromecast it would show in gaming as well.
@dave14305, does it work with the : between the ports or does it need to be a , between them? Their pic looks like a : between those ports.
 
It would be on the FlexQoS tab. Or are you looking only on the Bandwidth Monitor tab?

Thank you Dave,

First look at my classification table which was captured while streaming a YouTube video. The only significant traffic is classified "Other". Now look at the tracked connections. It shows a few YouTube flows yet there should only be one on my PC. It's 443/TCP so not useful for classification. Furthermore, it shows many untracked flows yet looking at the connection tables on my computer there are fewer open connections than the table shows. They seem to stick around for a very long time on the router.

The issue is that active YouTube flow is classified as tracked any time we run YouTube under Chrome. I think you said Asus does the classification. If so this is their issue.

There are a lot of IPs for www.youtube.com and I don't know if we can trust them to remain the same:
PS C:\Users\Morris> nslookup www.youtube.com
Server: UnKnown
Address: 192.168.2.1

Non-authoritative answer:
Name: youtube-ui.l.google.com
Addresses: 2607:f8b0:4006:805::200e
2607:f8b0:4006:806::200e
2607:f8b0:4006:807::200e
172.217.9.238
172.217.10.14
172.217.10.46
172.217.10.110
172.217.10.238
172.217.11.14
172.217.12.142
172.217.12.174
172.217.12.206
172.217.165.142
142.250.64.78
142.250.64.110
172.217.3.110
172.217.6.206
Aliases: www.youtube.com

It makes no sense that every user would have to enter all those IPs into the IP tables to classify the traffic. I'm not noticing a range or clear IP mask that could be used to make the list smaller.

I don't mind when it shows up under untracked, I believe I've also seen YouTube show up under Web browsing. Right now I've given untracked priority as it and a game my wife plays wind up there.

What is "Mark"? I've never seen that term related to an IP packet.

Thank you,

Morris
 

Attachments: Flex QOS Tab.jpg, QOS Flows.jpg
Mark in this case refers to the assigned category and appid assigned to a connection. Click on an application label (e.g. YouTube) to reveal the mark that can be used in the iptables custom rules or in an AppDB custom rule. For simplicity, it’s the output of Asus classifying the connection against its database of known signatures.

I wouldn’t focus too much on how YouTube.com resolves since I don’t believe much of the actual video content comes from the domain, but instead one of the thousands of *.googlevideo.com domains.

You could decide you want to assume all QUIC traffic (443/udp) to 172.217.0.0/16 with Mark 000000 should be Streaming. It won’t be 100% accurate, but you can experiment.

Or find a way to disable QUIC in Chrome or in the Network Services Filter of the firewall.
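
The prefix heuristic suggested above, checked against the resolver answer posted earlier in the thread (an added example, not part of the original posts and not FlexQoS code): it counts how many of the listed IPv4 addresses a candidate prefix would cover. The function names are hypothetical, and the resolver answer is abridged to one IPv6 line.

```shell
# Added example. Counts how many IPv4 answers in nslookup-style text on stdin
# fall inside the CIDR given as $1 (IPv6 answers are ignored).
cidr_coverage() {
    awk -v cidr="$1" '
    function ip2int(ip,   o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN {
        split(cidr, c, "/")
        size = 2 ^ (32 - c[2])             # addresses per block of this length
        net = int(ip2int(c[1]) / size)     # block number of the rule prefix
    }
    /^Name:/ { answer = 1 }                # skip the Server/Address header
    answer {
        for (i = 1; i <= NF; i++) {
            if ($i !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) continue
            n++
            if (int(ip2int($i) / size) == net) hit++
            else miss = miss " " $i
        }
    }
    END { printf "%d/%d inside %s; outside:%s\n", hit, n, cidr, miss }'
}

# Resolver answer from the post above, abridged to one IPv6 line.
resolver_answer() {
cat <<'EOF'
Server: UnKnown
Address: 192.168.2.1
Name: youtube-ui.l.google.com
Addresses: 2607:f8b0:4006:805::200e
172.217.9.238
172.217.10.14
172.217.10.46
172.217.10.110
172.217.10.238
172.217.11.14
172.217.12.142
172.217.12.174
172.217.12.206
172.217.165.142
142.250.64.78
142.250.64.110
172.217.3.110
172.217.6.206
EOF
}

resolver_answer | cidr_coverage 172.217.0.0/16
# 12/14 inside 172.217.0.0/16; outside: 142.250.64.78 142.250.64.110
```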
 
I just monitored a YouTube stream from e vs Chrome and saw the games they are playing with multiple IPs. I guess this is their anti-theft mechanism and of course it does not work any better than copy protection on a CD.

They are using other IP ranges besides the one you mentioned. Are there required fields in the IP table? There is some very faint text that I guess you put there as documentation how to fill the form out. It is too light for me to read. Can you make it a bit more readable in the next release?

Using netstat on my PC I think I can identify the required IP blocks to classify YouTube. I'm still wondering what the difference is that prevents Chrome's YouTube traffic from being classified. The difference seems subtle.
 
I’ve got quite a few devices and connections running most of the time and would be happy to test if you implement the feature either in the development branch or via a switch somehow. Maybe a switch would be best so people can turn it off if necessary.

I’ve always wondered how we can be sure all existing connections are getting classified correctly when already established pre-QoS start. I’ve often noticed it with lower bandwidth connections in the past, but it really hit when I got a couple of 4K Nest Cams. They establish an upload stream and just keep going untracked unless I turn them off and on.
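
A way to check for the situation described above before deciding whether to flush (an added example, not part of the original posts and not FlexQoS code): it reads `conntrack -L`-style text and reports, per LAN host, how many flows still carry the unclassified mark and on which ports. The sample lines, addresses and mark values are constructed, the function names are hypothetical, and treating `mark=0` as unclassified is an assumption; pass another value as the first argument if your firmware encodes it differently.

```shell
# Added example, not FlexQoS code. Reads `conntrack -L`-style text on stdin.
# $1: mark value that means "unclassified" (assumption: 0).
unmarked_by_host() {
    awk -v want="${1:-0}" '
    {
        src = ""; dport = ""; mark = ""
        for (i = 2; i <= NF; i++) {
            # First src=/dport= belong to the original (LAN-side) tuple;
            # the later pair is the reply tuple and is ignored.
            if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
            if ($i ~ /^mark=/) mark = substr($i, 6)
        }
        if (src == "" || mark == "") next   # skip lines that are not flows
        total[src]++
        if ((mark "") == (want "")) {
            stale[src]++
            where[src] = where[src] " " $1 "/" dport
        }
    }
    END {
        for (h in stale)
            printf "%s %d/%d%s\n", h, stale[h], total[h], where[h]
    }' | sort
}

# Constructed sample listing (addresses and mark values are made up).
sample_conntrack() {
cat <<'EOF'
tcp      6 431990 ESTABLISHED src=192.168.2.50 dst=203.0.113.10 sport=40112 dport=443 src=203.0.113.10 dst=198.51.100.7 sport=443 dport=40112 [ASSURED] mark=0 use=1
udp      17 170 src=192.168.2.50 dst=203.0.113.11 sport=51820 dport=443 src=203.0.113.11 dst=198.51.100.7 sport=443 dport=51820 [ASSURED] mark=0 use=1
tcp      6 431812 ESTABLISHED src=192.168.2.20 dst=203.0.113.20 sport=50001 dport=443 src=203.0.113.20 dst=198.51.100.7 sport=443 dport=50001 [ASSURED] mark=262144 use=1
udp      17 28 src=192.168.2.20 dst=172.217.9.238 sport=55555 dport=443 src=172.217.9.238 dst=198.51.100.7 sport=443 dport=55555 [ASSURED] mark=0 use=1
tcp      6 300 ESTABLISHED src=192.168.2.30 dst=203.0.113.30 sport=42000 dport=80 src=203.0.113.30 dst=198.51.100.7 sport=80 dport=42000 [ASSURED] mark=524288 use=1
EOF
}

sample_conntrack | unmarked_by_host 0
# 192.168.2.20 1/2 udp/443
# 192.168.2.50 2/2 tcp/443 udp/443
```

On a router the input would come from the live connection table instead of the sample function; hosts that appear in the output after QoS has started are the ones whose flows were established before classification.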
 
I tried the conntrack -F right now and no interruptions (company vpn, streaming surveillance cameras, ...) so it should have no other side effects than classifying connections correctly.
 
I am happy to test as well - I have a bunch of IoT things (door camera, thermostats, etc.) that I can check if they have a problem with it.
 
Definitely not full. But the install messages suggest there was no space to write the files. Try again?

Hey man

I’ve attached all my rules and everything. I have also enabled the gaming rule from JRs script but I get the same problem.

Every time that Netflix is used, the gaming devices (just the PS4) experience massive lag. Why is this happening with all these rules in place - isn't QoS supposed to prevent this? Have I configured something incorrectly?

Please help, mate!
 

2 ideas:
  1. Have you accurately entered your download/upload bandwidths on the QoS page? 84 down/34 up? It looks disproportionate to how some ISPs provision (e.g. I get 300+ down, but only 25 up).
  2. Are all devices at Default priority on the Bandwidth Monitoring page?
 
All devices are on default priority on bandwidth monitoring page - haven't touched that page... should I?

Where should I do a test to determine those numbers - pretty sure they're right... (I'm in AUS)
 
Run another one (preferably simultaneously to speedtest.net) with fast.com which should be classified as Netflix.

I would also disable QoS and run several tests and use the worst results as your QoS bandwidth (even if from separate test runs).

I don’t know that this explains your issue, but if QoS is not allowed to be your bottleneck, it won’t help at all. Meaning if your external bandwidth is dropping below your QoS bandwidth, QoS won’t help much.
 
Hi Dave, AppDB redirection doesn't seem to work properly. Every time I change untracked traffic class to another class it automatically goes to Work-from-home class. Same goes with any AppDB redirection rules.
 
So I'm getting some weird behavior when trying to add items to the AppDB Redirection Rules table. For instance, if I try to add Snapchat in to classify it into a lower level priority than work-from-home (which is one of my top priority rules), and add the rule, it seems to add OK, but when adding the rule it changes the class from "Others" to "work-from-home". No matter how many times I edit the rule and save/apply it, it won't let me set the category of the rule to what I want. Does this sound familiar or am I doing something wrong?
 
