[Release] FreshJR Adaptive QOS (Improvements / Custom Rules / and Inner workings)

[cybrnook]

-la

 

[cybrnook]

stoopid.... maybe it thinks we are trying to do some php/sql haxors or something. Thinks we are attacking the forum.

 

[RMerlin]

stoopid.... maybe it thinks we are trying to do some php/sql haxors or something. Thinks we are attacking the forum.

Feel free to talk to Cloudflare if you think this isn't necessary. They're the ones providing that security layer, not SNB, neither Tim.

With script kiddies frequently attacking this site, Tim is forced to increase the security level on Cloudflare's end.

 

[MarCoMLXXV]

Haven't had these issues with several other forum platforms, as I have been moderating for quite some years (>15). Either things have changed badly in the last year (when I decided to quit moderating as I have my hands full with my own kid) or this forum is definitely running on the wrong platform.

Too bad it enforces such annoying measures on legit users trying to help one another. This will make you laugh: the first time I got the 'You're blocked message', I sent a mail to the moderator(s?) with what I had done and my intentions to support another member. Stayed away for a couple of days, waiting for a reply and of course, to be unbanned. Then I realised I would never get a reply and I wasn't actually banned... Boy, I can be a major idot at times...

@FreshJR, to get back on topic: I noticed there's a tc package in entware-ng as well. Does it offer any advantages over the stock tc provided in BusyBox, which your script uses when there's no realtc present?

 

[MarCoMLXXV]

It just keep getting better and better

Bandwidth set @ 15/150 in WebUi, WAN packet overhead set to 0. Custom priorities, values in script:

    ####################  Variables Setup #####################

    #Percent of download speed guaranteed per QOS catagory, change below as desired (sum should equal 100)
        NetControl_DownBandPercent=5           
        VoIP_DownBandPercent=5                       
        Gaming_DownBandPercent=10                   
        Others_DownBandPercent=10                  
        WebSurfing_DownBandPercent=20              
        Video_DownBandPercent=25                   
        FileTransfer_DownBandPercent=20               
        Default_DownBandPercent=5                   
 
    #Percent of upload speed guaranteed per QOS catagory, change below as desired (sum should equal 100)
        NetControl_UpBandPercent=5                  
        VoIP_UpBandPercent=5                       
        Gaming_UpBandPercent=5                       
        Others_UpBandPercent=30                       
        WebSurfing_UpBandPercent=25                   
        Video_UpBandPercent=10                       
        FileTransfer_UpBandPercent=15               
        Default_UpBandPercent=5

Results:

Bufferbloat down: 22 / up: 3

Any recommendations to the variables setup above? No VoIP here, and little to no gaming (nothing causing a network load anyway or where a low latency is of importance). Mostly websurfing, file transferring and video (YT and Vod). Would like to setup OwnCloud sometime soon, as I'm tired of paying fees while have 15Mbit upload available and 5 Terabyte (over three NAS'es) lying around here, catching dust.

Another question to @FreshJR: as you changed redirection of unrecognized traffic from Default to Others, can I put Default_DownBandPercent's value to 0 or 1 or will it only work with multiples of 5?

 

[Lacrocious]

@FreshJR - Thank you for your help. I am all set. I upgraded to 1.92 and plugged in my additional $(tc ) rules for BackBlaze destinations - setting them to Default. I can get full speed uploads until pretty much anything else comes along. This is great. It will let me easily move from CrashPlan to BackBlaze B2 w/ARQ client. CrashPlan never published their IP ranges and they changed them periodically - so it was hard to control uploads with CrashPlan. Your script would have helped, but it would have been more work to maintain servers over time.

Thank you again.

 

[FreshJR]

@MarCoMLXXV
I wouldn't set it to 0.
You can set it to 1, it doesn't have to be multiples of 5.

Also that bandwidth is simply reserved. When defaults is not using that bandwidth, the bandwidth will be available for other catagories. Bandwidth is never wasted and held unused.

As for your results. I think it's just regular network variance as to what's effecting your scores every so often.

@Lacrocious

Don't say your old backup service was unworkable. I bet you they had a unique dscp packet mark we could of tapped. Glad everything is working

@RMerlin

Love the forum software. It's super quick + full featured on mobile and scales well to the screen. I hate whatever forum software makes that enchanced mobile view with infinite scrolling. It scales terribly and is slow. Just playful banther pointing out unique quirks. Either way it's super fast.

 

[MarCoMLXXV]

Thanks for your reply @FreshJR.

@FreshJR, to get back on topic: I noticed there's a tc package in entware-ng as well. Does it offer any advantages over the stock tc provided in BusyBox, which your script uses when there's no realtc present?

If you have the time for it, could you please answer the question above? Probably missed it while I was spilling my guts about the forum software If you answered it before, could you please point me to the post?

Thanks in advance
Marco

 

[charlie2alpha]

This script looks interesting. But I do have a question, is it possible to create a custom rule that combines source mac and a source port/port range? I did look at the script comments, all the iptables rules go to the postrouting chain and I wonder if that actually works.

 

[Vexira]

When I do too many edits, the posts gets locked and goes invisible pending moderator approval.

It has been approved.

@Vexira

If you just reuploaded the file with scp, I'm pretty sure permissions get overwritten aswell. You need both scp and a chmod 0755.

Without permissions, firewall start won't be able to run the file.

I adjusted the map to be the same as the old one.

 

[Vexira]

Thanks for restoring the install instructions for those who need them or are new to your script.

As for the automatic moderation on this forum: besides the limits on message editing, it's incredibly annoying, every time the frickin' 'you are blocked' overlay appears. I just got blocked (again, sigh) for an attempt to write a summary for @pattiri of the installation instructions... Never had any other forum software so hyper-sensitive to seriously (ahem) 'malicious code', especially a forum where many lines of code appear on a daily bases.

As for your comments on scp towards @Vexira , if I'm not mistaken scp -p preserves time, date and mode, so when you login with the same username and group on the 'source' machine, ownership remains the same too on the 'destination' machine. WinSCP offers options (through file properties I think) to change owner/group/permissions if I recall correctly. With rsync -p will preserve permissions, -a will preserve just about everything (user/group/permissions/symlinks/attributes etcetra).

I made sure all he permissions matched the ones when I uploaded via putty. It works perfectly fine and I can screen shot it.

 

[MarCoMLXXV]

I can screen shot it.

Oh, my dear @Vexira, no need for for screenshots. Not questioning you at all, and I apologize if it came out wrong (English is not my native language, so sometimes things just unintended come out the wrong way). I believe you on your (dark) blue eyes (Dutch saying, without the 'Dark'-part, that's just related to your awesome avatar). Did you need the -p option? Or are you running a unix-based system and set permissions prior to uploading?

 

[Vexira]

That's OK I just wanted to help, gui based on Windows, it didn't I didn't read it properly I was offering screenshots for those who wanted to use the same method as I did.

 

[Vexira]

Oh, my dear @Vexira, no need for for screenshots. Not questioning you at all, and I apologize if it came out wrong (English is not my native language, so sometimes things just unintended come out the wrong way). I believe you on your (dark) blue eyes (Dutch saying, without the 'Dark'-part, that's just related to your awesome avatar). Did you need the -p option? Or are you running a unix-based system and set permissions prior to uploading?

Thank you for the compliment, my eyes are brown in real life, also I understand my parents are not native English speakers.

 

[jpclarke]

Working great for me. Trying to use bc to do the calculations instead of losing the decimal part of the up and down bandwidth.

 

[Lacrocious]

...Did you need the -p option? Or are you running a unix-based system and set permissions prior to uploading?

After reading Vexira's info, I found the -p (Preserve File Attributes) option to pscp and tried it while watching the permissions via Putty. It would be nice not to have to chmod every upload while testing. Interestingly enough - If I use the -p option, it resets the permissions. If I don't use the -p option, pscp doesn't reset permissions. Once they are set after initial upload they seem to stay in place. Odd - different than I expected.

 

[Lacrocious]

Don't say your old backup service was unworkable. I bet you they had a unique dscp packet mark we could of tapped. Glad everything is working

Yes - CrashPlan does allow you to set a DSCP packet mark - so in theory I could have had QOS control. In practice, some of my initial investigations gave info that Windows 7 clients didn't allow setting DSCP by apps - overwriting it. I never actually sniffed the packets to check it out, but then again I didn't have a router with options to properly handle it. I tried Tomato on an old router, and could get QOS working, but that router passed away and I found Asus. Could I control it now? Sure - with the controls your script provides. So putting blame appropriately, it wasn't CrashPlan, but the routers.

 

[MarCoMLXXV]

Odd - different than I expected.

That's the opposite of what you'd expect indeed. Please let me know if I have to change something in my post, the info there I gathered from the man pages and some other (Linux) sources, but as I use a different way myself (opening the file through sftp (that's how the routers' filesystem is mounted on my linux laptop - it's 'just' another folder), copy new version locally from Pastebin, pasting it into the opened file while replacing it's content, saving it - which basically uploads the edited file back to the router and the I edit the remote file with nano through ssh, I never have issues with permissions or changes of ownerships or groups.

 

[Lacrocious]

Please let me know if I have to change something in my post, the info there I gathered from the man pages and some other (Linux) sources...

I did some testing and can confirm using pscp without using -p (preserve file attributes):

• The first time you copy a file, it gets default permissions of 644.
• If the file exists, it preserves the current permissions.

Per this Putty Wish List entry, you can see that the default is to preserve permissions.

If you section 5.2.2.2 of the Putty Doc states: "By default, files copied with PSCP are timestamped with the date and time they were copied. The -p option preserves the original timestamp on copied files.". I can see this as well.

Doing a "pscp", the date/timestamp is Now; with "pscp -p" the date/timestamp is the date/time of the file on the source device. This means you can pscp -p a file, overwriting an existing destination file with a source file dated older than that existing destination file. The router file system must think that this is considered a "new" file and sets the permissions appropriately back to 644 (per the Putty Wish List entry above).

I don't have anything to backup the theory of overwriting an existing file with a file with an earlier date is considered "new", but that is what it appears to be doing. The "pscp -p" doesn't explicitly do anything with permissions, it only affects file date/time.

 

[FreshJR]

@FreshJR, to get back on topic: I noticed there's a tc package in entware-ng as well. Does it offer any advantages over the stock tc provided in BusyBox, which your script uses when there's no realtc present?

To my knowledge the actual traffic control scheduling/filtering/etc actions are taken place inside at kernel level.
The tc binary (application) just configures the kernel by passing commands into it or retrieving parameters from it.

This means our overall feature set is limited to what the kernel offers, but tc newer binary can have more "blueprints" available to work with the materials available inside the "kernel".
At least this is how I think it works. I am not very well versed in this area.

The current realTC merlin is using has a special fq_codel (lite) backported specially to work with out limited kernel. So this custom realTC we are using is going to be better than the standard TC binaries.

This script looks interesting. But I do have a question, is it possible to create a custom rule that combines source mac and a source port/port range? I did look at the script comments, all the iptables rules go to the postrouting chain and I wonder if that actually works.

Iptables and TC rules both support AND (multi-match) rules.

DOWNLOAD RULE:

${tc} filter add dev br0 protocol all prio 1 u32 match u32 0xCCDDEEFF 0xffffffff at -16 match ip dport 4500 0xffff  flowid {VOIP}

Let me break it down line by line, so you can see the two matches simulanously

${tc} filter add dev br0 protocol all prio 1 u32
match u32 0xCCDDEEFF 0xffffffff at -16
match ip dport 1234 0xffff
flowid {VOIP}

UPLOAD RULE (note perform delete before append):

iptables -D POSTROUTING -t mangle -o eth0 -m mac --mac-source AA:BB:CC:DD:EE:FF -p tcp --sport 1234 -j MARK ${VOIP_mark}

iptables -A POSTROUTING -t mangle -o eth0 -m mac --mac-source AA:BB:CC:DD:EE:FF -p tcp --sport 1234 -j MARK ${VOIP_mark}

Let me break it down again

iptables -A POSTROUTING -t mangle -o eth0
-m mac --mac-source AA:BB:CC:DD:EE:FF
-p tcp --sport 1234
-j MARK ${VOIP_mark}