OpenWrt Forum Archive

Topic: QoS Help - qosfw-scripts_0.4

The content of this topic has been archived between 23 Feb 2018 and 22 Apr 2018. Unfortunately there are posts – most likely complete pages – missing.

Installed OpenWRT on my Asus WL-500G Deluxe last week and I have been very impressed! Thanks to all involved in its development.

I have downloaded and installed the qosfw-scripts_0.4 package from nbd.

In the /usr/lib/qosfw folder I can see the collection of .awk scripts and the fw.sh script. I have had a read through and think that I need to:

1. Edit /etc/config/firewall & /etc/config/qos-wan and add rules / priorities?
2. Run /usr/lib/qosfw/fw.sh
3. ? profit ? :)

If anyone can confirm or correct the steps I need to take, or provide code snippets or URLs, I would be very grateful! I have been using Linux for a while but the QoS stuff is new to me.

Also, should the OpenWRT project need any hosting/bandwidth I would be happy to donate. I manage a couple of dedicated Linux servers on 100mbit, unlimited bandwidth connections. I can supply my email/phone num to the devs if they would like to take up the offer.

EDIT: read the .awks properly and realised the qos-wan file will need editing too!

Cheers
Andy

(Last edited by fibble on 28 Dec 2005, 10:45)

The QoS is managed by hotplug; what you need to do is edit /etc/config/firewall & /etc/config/qos-wan, then reboot or restart the WAN interface.

Hi, thanks for your reply.

I have edited /etc/config/qos-wan and firewall to my needs.

Will I also need to load a number of the ipt_* modules at boot? Or do the hotplug scripts load the necessary modules for me?

If not, which init script is the best place to put the insmod commands to load them at boot?

Cheers
Andy

(Last edited by fibble on 28 Dec 2005, 11:34)

Or execute:

env -i ACTION=ifup INTERFACE=wan /sbin/hotplug iface

This simulates an ifup on the WAN interface and reruns the hotplug scripts.

(Last edited by olli on 28 Dec 2005, 11:42)

So far I have:

1. Installed the qosfw-scripts_0.4 via ipkg
2. Edited /etc/config/firewall with the port forwards i need.

/etc/config/firewall

forward:proto=tcp dport=4662:192.168.1.100
forward:proto=udp dport=4667:192.168.1.100
forward:proto=tcp dport=6262:192.168.1.100
forward:proto=tcp dport=3389:192.168.1.100

/etc/config/qos-wan

class:Priority
burstrate:100
bursttime:10
avgrate:25
share:10
end

class:VOIP
burstrate:80
bursttime:25
avgrate:50
share:50
end

class:Normal
burstrate:80
bursttime:40
avgrate:24
share:20
end

class:Bulk
share:1
limit:80
end

classify:Bulk:layer7=edonkey
classify:Priority:proto=udp dport=53,5190
classify:Priority:proto=tcp dport=22,53,5190
#classify:VOIP:proto=tcp sport=60168
#classify:VOIP:proto=udp sport=60168

#option:enabled
option:upload:195
option:download:2000

option:priority:Priority
option:bulk:Bulk
option:defaultlow:Normal
option:default:Bulk
option:bulk_dl:Normal:10

3. After editing these I ran /usr/lib/qosfw/fw.sh

4. I then simulated the WAN interface coming up as per olli's post above to get the 10-qos script in /etc/hotplug.d/iface to execute.


When I issue "iptables -L -v -t mangle" I see no rules.


iptables -L -v -t mangle

Chain PREROUTING (policy ACCEPT 33131 packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain INPUT (policy ACCEPT 2088 packets, 164K bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain FORWARD (policy ACCEPT 31041 packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 1838 packets, 472K bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain POSTROUTING (policy ACCEPT 32879 packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination

Also the kernel modules needed are not being loaded. See below:

lsmod output

Module                  Size  Used by    Tainted: P
ehci-hcd               20140   0 (unused)
uhci                   30164   0 (unused)
usb-storage            65328   1
sd_mod                 12452   2
scsi_mod               70488   2 [usb-storage sd_mod]
usbcore                74792   1 [ehci-hcd uhci usb-storage]
vfat                   11692   1
fat                    36840   0 [vfat]
ext3                   72788   0
jbd                    54904   0 [ext3]
ext2                   41512   0
wlcompat               14896   0 (unused)
wl                    423640   0 (unused)
et                     32064   0 (unused)
diag                    2560   0 (unused)

Have I missed a step?

Any pointers would be greatly appreciated.

Andy

EDIT: I think your problem is that you didn't enable qosfw-scripts in /etc/config/qos-wan. Uncomment the line:

#option:enabled

When you have enabled qosfw-scripts, reboot or run:

env -i ACTION=ifup INTERFACE=wan /sbin/hotplug iface

Btw. You can skip point #3 in your last post. White Russian RC4 or later is required to run qosfw-scripts.

(Last edited by olli on 28 Dec 2005, 18:36)

Thank you olli!

:)

Are you still interested in finding out how the QoS scripts perform? I plan on spending some time putting the now working setup through some performance testing tomorrow; I will share my results if you are interested. It may have been nbd who mentioned this however.

Andy

Yes, please share your test results with us.

I think especially nbd (he created the qosfw-scripts package) is very interested in some feedback.

I have just begun testing QoS and things are looking good.

The default values in /etc/qos-wan weren't suitable for my home LAN, I am in the process of tweaking and testing performance now.

The following quick step-by-step might be useful for others trying to get QoS working on RC4:

1. Download and install the qosfw-scripts_0.4_all.ipk package with:

ipkg install http://openwrt.inf.fh-brs.de/~nbd/qosfw-scripts_0.4_all.ipk

2. Edit /etc/config/qos-wan with vi or the editor of your choice. You will want to uncomment the "#option:enabled" line towards the end and edit the upload / download speed sections near the bottom to match your connection speed.

3. With the qos-wan file edited to suit your line speed, issue the following command. This will run the hotplug scripts for your WAN Interface.

env -i ACTION=ifup INTERFACE=wan /sbin/hotplug iface

n.b. I have to hit Enter to get back to a command prompt after executing this command, though I suspect it's being caused by the ip-ezupdate dyndns updater and not the QoS script.

4. Check the output of "iptables -L -v -t mangle". You should see a set of rules matching those specified in /etc/config/qos-wan

Your upload traffic should now be being shaped by the QoS rules in /etc/config/qos-wan!

You will probably want to tweak and edit the /etc/config/qos-wan file to the needs of your network. I will edit this post with the values I find useful after some testing.

After each edit of /etc/config/qos-wan you will need to re-run the command:

env -i ACTION=ifup INTERFACE=wan /sbin/hotplug iface

to get the new values applied to the interface.

Andy

I saw that you use a layer 7 filter to classify some of the traffic. I'm very interested in this feature.

Could you explain how you did that, please?

I have a question for olli, I guess. Anybody may chime in too.

What is THE way to specify firewall rules now: /etc/firewall.user or /etc/config/firewall? As far as I can tell the former works fine. I guess the latter offers some kind of simplification of firewall rules. But how do they interact? Does the latter replace the former? Do they work together? Any insight would be appreciated.

uhop wrote:

What is THE way to specify firewall rules now: /etc/firewall.user or /etc/config/firewall?

It's still in /etc/firewall.user. I would recommend using qos-scripts 0.3 because qosfw-scripts is still pre-alpha code.
I myself have qos-scripts 0.3 running here and I use /etc/firewall.user for the firewall rules.

uhop wrote:

But how do they interact? Does the latter replace the former? Do they work together?

Since I haven't tried the qosfw-scripts 0.4 yet, I don't know for sure.

Please ask nbd directly for more details, he is the maintainer of the qosfw-script package.

(Last edited by olli on 30 Dec 2005, 11:32)

I added firewall rules to /etc/config/firewall at the same time as editing qos-wan.

I still had to add the rules to /etc/firewall.user to get the port forwards operational, so either I did something wrong, or 0.4 doesn't deal with /etc/config/firewall properly yet.

Andy

There is no relation between qos-script and firewall.user or S45firewall, unless you work on the mangle table in your firewall rules.

The qos-script only marks the packets so that the classes can identify their packets. All this is done in the mangle table.

About the firewalling rules: the file /etc/init.d/S45firewall contains generic rules that can apply to nearly everybody's configuration; you are not supposed to modify it. At the end of this script, when these basic rules are set up, the script calls /etc/firewall.user, where you are supposed to make your user configuration, i.e. specific to your use.

Hope that helps

Ok I didn't see the firewall scripts. I don't understand why would you melt firewalling with qos in a package.

This is dumb. We already have all we need to make a firewall without this script.

Bourdieu wrote:

Ok I didn't see the firewall scripts. I don't understand why would you melt firewalling with qos in a package.

This is dumb. We already have all we need to make a firewall without this script.

That's why I asked in the first place -- I didn't get it.

fibble wrote:

The default values in /etc/qos-wan weren't suitable for my home LAN, I am in the process of tweaking and testing performance now.

Andy or anyone else, really:

were you able to tweak your qos-wan?  I have the qosfw-scripts installed on white russian (on a WRT54G v2), but i am seeing considerable drops in upload speeds (e.g. i have 256 kbps up, dropping to 33 kbps up).  I have placed different source IPs (e.g. w/ src= option) in various classes w/in qos-wan and brought the interface up and down to make the changes (which show up in the mangle table), but have not really seen much of a change in upload speed (e.g. if a source is placed in the VOIP class, the upload speed is still the same as when it is placed in Normal or Priority classes).  I have been using testmy.net for the testing, in addition to checking ping-times.  Prior to enabling qosfw, my uploads were hovering right around 256 kbps.

qos-wan follows:

class:Priority
burstrate:100
bursttime:10
avgrate:25
share:10
end

class:VOIP
burstrate:80
bursttime:25
avgrate:50
share:50
end

class:Normal
burstrate:80
bursttime:40
avgrate:24
share:20
end

class:Bulk
share:1
limit:80
end

#classify:Bulk:layer7=edonkey
classify:Priority:proto=udp dport=53,5190
classify:Priority:proto=tcp dport=22,53,5190
classify:VOIP:src=192.168.1.102

option:enabled
option:upload:256
option:download:3000

option:priority:Priority
option:voip:VOIP
option:defaultlow:Normal
option:default:Normal
option:bulk:Bulk
#option:bulk_dl:Normal:10

Bourdieu wrote:

Ok I didn't see the firewall scripts. I don't understand why would you melt firewalling with qos in a package.

The reason for doing this is that I want to add a web interface for both the QoS and the firewalling part. Parsing /etc/firewall.user is too difficult, and the code that parses the classify rules in /etc/config/qos-* is the same that also parses the matching rules in /etc/config/firewall. That's why I make the code shared and put it in one package.

brant wrote:

I have the qosfw-scripts installed on white russian (on a WRT54G v2), but i am seeing considerable drops in upload speeds (e.g. i have 256 kbps up, dropping to 33 kbps up).

What kind of upload?

brant wrote:

... but have not really seen much of a change in upload speed (e.g. if a source is placed in the VOIP class, the upload speed is still the same as when it is placed in Normal or Priority classes).

The scripts don't do much if only one type of traffic is active. These scripts are for prioritizing traffic, so if you set a P2P client to max. upload speed you can still have smooth VoIP and SSH sessions with low delays.

nbd,

nbd wrote:

What kind of upload?

these are uploads using a web browser (wireless g >> router >> cable modem; 256 kbps max upload from ISP) over port 80 and associated incoming ports (ipfw stateful here on laptop).  however, uploads with other services and through other ports (e.g. 25 for mail, 22 for sftp) are also capped at around 30 kbps.

nbd wrote:

The scripts don't do much if only one type of traffic is active. These scripts are for prioritizing traffic, so if you set a P2P client to max. upload speed you can still have smooth VoIP and SSH sessions with low delays.

yes.  the problem is that when the scripts are running, upload traffic is capped at 30-34 kbps max, even when there is no other traffic through the AP.  so, i was attempting to adjust the classifications such that i might be able to get better results.  however, no dice.  regardless of which category traffic is placed in, upload speed was capped @ the 30ish kbps.  does that make sense?  can i provide you with some other output that would be helpful?  i am running a relatively stock firewall.user with the following additions:

### Vonage mta
# data
iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 10000:20000 -j DNAT --to 192.168.1.102
iptables        -A forwarding_rule -i $WAN -p udp --dport 10000:20000 -d 192.168.1.102 -j ACCEPT

## disallow tivo access to the WAN
iptables -A forwarding_rule -i $LAN -s 192.168.1.104 -o $WAN -j DROP

i should also mention that, just for kicks, i doubled the

option:upload:256

to

option:upload:512

and saw my uploads go from 32 to ~60 kbps.

-b

(Last edited by brant on 14 Jan 2006, 21:24)

please paste the content of /tmp/.qos-wan.sh

nbd,

thanks for getting back to me so quickly.  here is cat /tmp/.qos-wan.sh:

#!/bin/sh
insmod cls_fw >&- 2>&-
insmod sch_hfsc >&- 2>&-
insmod ipt_CONNMARK >&- 2>&-
insmod ipt_length >&- 2>&-
insmod ipt_limit >&- 2>&-
insmod ipt_tos >&- 2>&-
iptables -t mangle -F
iptables -t mangle -X
tc qdisc del dev vlan1 root 2>&- >&-
tc qdisc add dev vlan1 root handle 1: hfsc default 40
tc class add dev vlan1 parent 1: classid 1:1 hfsc sc rate 245kbit ul rate 245kbit
tc class add dev vlan1 parent 1:1 classid 1:10 hfsc rt m1 245kbit d 10ms m2 61kbit ls rate 245kbit ul rate 245kbit
tc class add dev vlan1 parent 1:1 classid 1:20 hfsc rt m1 196kbit d 25ms m2 122kbit ls rate 1225kbit ul rate 245kbit
tc class add dev vlan1 parent 1:1 classid 1:30 hfsc rt m1 196kbit d 40ms m2 58kbit ls rate 490kbit ul rate 245kbit
tc class add dev vlan1 parent 1:1 classid 1:40 hfsc ls rate 24kbit ul rate 196kbit
tc filter add dev vlan1 parent 1: prio 1 protocol ip handle 1 fw flowid 1:10
tc filter add dev vlan1 parent 1: prio 2 protocol ip handle 2 fw flowid 1:20
tc filter add dev vlan1 parent 1: prio 3 protocol ip handle 3 fw flowid 1:30
tc filter add dev vlan1 parent 1: prio 4 protocol ip handle 4 fw flowid 1:40

insmod ipt_multiport >&- 2>&-
iptables -t mangle -N DEV_vlan1
iptables -t mangle -A POSTROUTING -o vlan1 -j DEV_vlan1
iptables -t mangle -A DEV_vlan1 -j CONNMARK --restore-mark
iptables -t mangle -A DEV_vlan1 -m mark --mark 0 -p udp -m multiport --dports 53,5190 -j MARK --set-mark 1
iptables -t mangle -A DEV_vlan1 -m mark --mark 0 -p tcp -m multiport --dports 22,53,5190 -j MARK --set-mark 1
iptables -t mangle -A DEV_vlan1 -m mark --mark 0 -s 192.168.1.102 -j MARK --set-mark 2
iptables -t mangle -A DEV_vlan1 -j CONNMARK --save-mark

iptables -t mangle -A DEV_vlan1 -m tos --tos Minimize-Cost -j MARK --set-mark 4

iptables -t mangle -A DEV_vlan1 -m mark --mark 0 -p tcp --dport 0:1024 -j MARK --set-mark 3
iptables -t mangle -A DEV_vlan1 -m mark --mark 0 -p udp --dport 0:1024 -j MARK --set-mark 3
iptables -t mangle -A DEV_vlan1 -m mark --mark 0 -j MARK --set-mark 3
iptables -t mangle -A DEV_vlan1 -m mark ! --mark 4 -p tcp -m length --length :128 --tcp-flags ALL SYN -j MARK --set-mark 1
iptables -t mangle -A DEV_vlan1 -m mark ! --mark 4 -p tcp -m length --length :128 --tcp-flags ALL ACK -j MARK --set-mark 1
iptables -t mangle -A DEV_vlan1 -m tos --tos Minimize-Delay -j MARK --set-mark 1
iptables -t mangle -A DEV_vlan1 -p icmp -j MARK --set-mark 1
iptables -t mangle -A DEV_vlan1 -p icmp --icmp-type echo-reply -j MARK --set-mark 4

-b

(Last edited by brant on 14 Jan 2006, 21:31)
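
An added example, not part of the original posts or of the qosfw-scripts package: a Python check that the HFSC class lines in the posted /tmp/.qos-wan.sh follow from the class blocks in the posted qos-wan. The mapping (rates as a percentage of the root rate, share divided by 10) is inferred from the numbers in this thread rather than read from the package's awk code, the 245 kbit root rate is taken from the script as given, and the function names are hypothetical.

```python
# Class blocks from the qos-wan posted above (copied here so the example runs offline).
QOS_WAN = """
class:Priority
burstrate:100
bursttime:10
avgrate:25
share:10
end
class:VOIP
burstrate:80
bursttime:25
avgrate:50
share:50
end
class:Normal
burstrate:80
bursttime:40
avgrate:24
share:20
end
class:Bulk
share:1
limit:80
end
"""
POSTED = {  # HFSC arguments of the four leaf classes in the posted /tmp/.qos-wan.sh
    "Priority": "rt m1 245kbit d 10ms m2 61kbit ls rate 245kbit ul rate 245kbit",
    "VOIP": "rt m1 196kbit d 25ms m2 122kbit ls rate 1225kbit ul rate 245kbit",
    "Normal": "rt m1 196kbit d 40ms m2 58kbit ls rate 490kbit ul rate 245kbit",
    "Bulk": "ls rate 24kbit ul rate 196kbit",
}

def parse_classes(text):
    """Return {class name: {key: int}} for each class:...end block."""
    classes, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        key, _, value = line.partition(":")
        if key == "class":
            current = classes.setdefault(value, {})
        elif key == "end":
            current = None
        elif current is not None and value.isdigit():
            current[key] = int(value)
    return classes

def hfsc_args(p, root_kbit):
    """Mapping inferred from the posted numbers, not taken from the awk source."""
    pct = lambda n: root_kbit * n // 100
    rt = ""
    if "burstrate" in p:  # real-time curve only when a burst rate is configured
        rt = "rt m1 %dkbit d %dms m2 %dkbit " % (pct(p["burstrate"]), p["bursttime"], pct(p["avgrate"]))
    return rt + "ls rate %dkbit ul rate %dkbit" % (root_kbit * p["share"] // 10, pct(p.get("limit", 100)))

def mismatches(config, posted, root_kbit):
    """List class names whose derived HFSC arguments differ from the posted script."""
    return [n for n, p in parse_classes(config).items() if hfsc_args(p, root_kbit) != posted.get(n)]

if __name__ == "__main__":
    print(mismatches(QOS_WAN, POSTED, 245) or "posted script matches the config")
```
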

Hmm... looks correct to me. Are you sure that your upload speed is really capped? Maybe just the timing's different. Try an FTP upload or something like that.

Oh, wait. I just noticed something else. Does your line have 256kbit/s or 256kbyte/s? :)

it is 256 kilobit/s.  the results i am getting are 30 kbit/s (or 3kByte/s).

so, i tried an sftp upload to a machine on a fat pipe.  got a transfer rate of ~3.4 KB/s, so that roughly translates back to the 'cap' i am seeing. 

i don't have anonymous upload access anywhere to test w/ ftp, but sftp should be moderately representative.  my transfer of outgoing mail (over port 25 w/ ssl) is also slow.

i am going to disable the scripts in qos-wan, and check to make sure my upload goes back up to its normal range (right around 256 kbit).

any other ideas?

-b

Sorry, posts 26 to 25 are missing from our archive.