* How would this help my LAN / network
From: Brent Clark @ 2005-10-07 14:30 UTC
To: iptables

Hi all

I just came across one of the threads on the LARTC.
In the thread it had this.

So my question is, for the following rules, would these increase my
browsing / traffic, and if so, how.

iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 0:128 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 128: -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 20 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 21 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p udp -m udp --sport 53 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p udp -m udp --sport 123 -j TOS --set-tos Minimize-Delay

If someone would take the time to briefly explain this to me, I would be most grateful.

Kind Regards
Brent Clark
* Re: How would this help my LAN / network
From: Sorin Panca @ 2005-10-07 15:16 UTC
To: netfilter

Brent Clark wrote:
> Hi all
>
> I just came across one of the threads on the LARTC.
> In the thread it had this.
>
> So my question is, for the following rules, would these increase my
> browsing / traffic, and if so, how.
>

Small packets and control packets should have priority because they carry interactive traffic.

> iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK
> ACK -m length --length 0:128 -j TOS --set-tos Minimize-Delay

Large packets are for upload or download. They can wait until people open their html pages. Some p2p applications are ill-behaved and they send large control packets for carrying payloads.

> iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK
> ACK -m length --length 128: -j TOS --set-tos Maximize-Throughput

Port 20 = ftp-data is the data channel in ftp transactions. We have file transfer in that channel.

> iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 20 -j TOS
> --set-tos Maximize-Throughput

Port 21 - ftp is the ftp control channel. When you stop a transfer or acknowledge something you need the program to respond to your action very quickly.

> iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 21 -j TOS
> --set-tos Minimize-Delay

Port 22 - ssh: when you remotely manage a computer, and if you press a key on your keyboard, the letter must appear almost when you press the key.

> iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j TOS
> --set-tos Minimize-Delay

Port 53 - domain: when someone is browsing the Internet and waits for a page to load, the Internet must quickly translate the site address into the IP address, so the user waits less for the page to start to load.

> iptables -t mangle -A PREROUTING -p udp -m udp --sport 53 -j TOS
> --set-tos Maximize-Throughput

Port 80 - http: this is from where the pages come and the requests for them go. The system must respond quickly (we have fast computers these days, don't we?)

> iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j TOS
> --set-tos Maximize-Throughput

(I don't know this port and I am too lazy to open /etc/services)

> iptables -t mangle -A PREROUTING -p udp -m udp --sport 123 -j TOS
> --set-tos Minimize-Delay

Where are https, irc, messengers... ?

>
> If someone would take the time to briefly explain this to me, I would be
> most grateful.
>
> Kind Regards
> Brent Clark
>
* Re: How would this help my LAN / network
From: Brent Clark @ 2005-10-07 16:08 UTC
To: Sorin Panca; +Cc: netfilter

Sorin Panca wrote:
>
> Brent Clark wrote:
>
>> Hi all
>>
>> I just came across one of the threads on the LARTC.
>> In the thread it had this.
>>
>> So my question is, for the following rules, would these increase my
>> browsing / traffic, and if so, how.
>>
>
> Small packets and control packets should have priority because they
> carry interactive traffic.
...
> Where are https, irc, messengers... ?

Not sure, this is how I saw / got it.

Hi Sorin

I have added / changed the rules to this (was --sport, I made mine --dport).

$IPT -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 0:128 -j TOS --set-tos Minimize-Delay
$IPT -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 128: -j TOS --set-tos Maximize-Throughput
$IPT -t mangle -A PREROUTING -p tcp -m tcp --dport 20 -j TOS --set-tos Maximize-Throughput
$IPT -t mangle -A PREROUTING -p tcp -m tcp --dport 21 -j TOS --set-tos Minimize-Delay
$IPT -t mangle -A PREROUTING -p tcp -m tcp --dport 22 -j TOS --set-tos Minimize-Delay
$IPT -t mangle -A PREROUTING -p udp -m udp --dport 53 -j TOS --set-tos Maximize-Throughput
$IPT -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TOS --set-tos Maximize-Throughput
$IPT -t mangle -A PREROUTING -p tcp -m tcp --dport 443 -j TOS --set-tos Maximize-Throughput
$IPT -t mangle -A PREROUTING -p udp -m udp --dport 123 -j TOS --set-tos Minimize-Delay

Out of interest, can I use this on the FORWARD? If so, would it be best in the PREROUTING, or the FORWARD? Bearing in mind that this is for a NATting FW. I have a private LAN behind the FW; I basically would like to try and speed things up for my users.

Thanks again for replying, I really appreciate this.

Kind Regards
Brent Clark
* RE: How would this help my LAN / network
From: Rob Sterenborg @ 2005-10-07 16:21 UTC
To: netfilter

>> I just came across one of the threads on the LARTC.
>> In the thread it had this.
>>
>> So my question is, for the following rules, would these increase my
>> browsing / traffic, and if so, how.
>>
> Small packets and control packets should have priority
> because they carry interactive traffic.

Is it true that the upstream (ISP) routers have to support TOS for this to work ?

Gr,
Rob
* Re: How would this help my LAN / network
From: Sorin Panca @ 2005-10-07 16:40 UTC
To: netfilter

Hi Rob,

Rob Sterenborg wrote:
>>> I just came across one of the threads on the LARTC.
>>> In the thread it had this.
>>>
>>> So my question is, for the following rules, would these increase my
>>> browsing / traffic, and if so, how.
>>>
>>
>> Small packets and control packets should have priority
>> because they carry interactive traffic.
>
> Is it true that the upstream (ISP) routers have to support TOS for this
> to work ?

Yes, that is true. But the linux default qdisc (queuing discipline) for network interfaces is pfifo_fast, which prioritizes interactive traffic. I assume that they use linux on their routers. I am curious if this is a correct assumption and in what percentage.

> Gr,
> Rob
* Re: How would this help my LAN / network
From: Gregory G Carter @ 2005-10-07 16:45 UTC
To: netfilter

Upstream providers such as my ISP here (Time Warner Cable) hardly support ECN, I would be surprised if they did.

For example, the crappy Zyxel cable modems they put out here don't support ECN notification, so the first thing they do when they overflow due to high amounts of traffic is simply shut down, most of them just crash.

I have to put rate limiting policies on all my routers connected to these modems otherwise they simply die when you try and push too much data through them.

I remember when Time Warner was using ubr9xx routers from Cisco, which were excellent, but much more expensive of course than the Zyxel.

If someone like Time Warner can't do ECN, I would hardly expect them to do traffic prioritization....Oooo....complicated.

:-)

-gc

Rob Sterenborg wrote:
>>> I just came across one of the threads on the LARTC.
>>> In the thread it had this.
>>>
>>> So my question is, for the following rules, would these increase my
>>> browsing / traffic, and if so, how.
>>>
>> Small packets and control packets should have priority
>> because they carry interactive traffic.
>
> Is it true that the upstream (ISP) routers have to support TOS for this
> to work ?
>
> Gr,
> Rob
* Re: How would this help my LAN / network
From: John A. Sullivan III @ 2005-10-07 17:12 UTC
To: Gregory G Carter; +Cc: netfilter

Unless one has contracted with a private network, one is not likely to find QoS/CoS. However, your bottleneck is likely to be the last mile. Although the ISP router may not be regulating the QoS on the last mile, you can control the ingress and egress through your gateway . . . well, at least the egress and the processing of the ingress - John

On Fri, 2005-10-07 at 11:45 -0500, Gregory G Carter wrote:
> Upstream providers such as my ISP here (Time Warner Cable) hardly
> support ECN, I would be surprised if they did.
>
> For example, the crappy Zyxel cable modems they put out here don't
> support ECN notification, so the first thing they do when they overflow
> due to high amounts of traffic is simply shut down, most of them just crash.
>
> I have to put rate limiting policies on all my routers connected to
> these modems otherwise they simply die when you try and push too much
> data through them.
>
> I remember when Time Warner was using ubr9xx routers from Cisco, which
> were excellent, but much more expensive of course than the Zyxel.
>
> If someone like Time Warner can't do ECN, I would hardly expect them to
> do traffic prioritization....Oooo....complicated.
>
> :-)
>
> -gc
>
> Rob Sterenborg wrote:
> >>> I just came across one of the threads on the LARTC.
> >>> In the thread it had this.
> >>>
> >>> So my question is, for the following rules, would these increase my
> >>> browsing / traffic, and if so, how.
> >>>
> >> Small packets and control packets should have priority
> >> because they carry interactive traffic.
> >
> > Is it true that the upstream (ISP) routers have to support TOS for this
> > to work ?
> >
> > Gr,
> > Rob

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source enterprise class network security management system, please visit http://iscs.sourceforge.net
* Re: How would this help my LAN / network
From: Sorin Panca @ 2005-10-07 17:36 UTC
To: netfilter

Hi John!

John A. Sullivan III wrote:
> Unless one has contracted with a private network, one is not likely to
> find QoS/CoS. However, your bottleneck is likely to be the last mile.
> Although the ISP router may not be regulating the QoS on the last mile,
> you can control the ingress and egress through your gateway . . . well,
> at least the egress and the processing of the ingress - John
>
> On Fri, 2005-10-07 at 11:45 -0500, Gregory G Carter wrote:
>

I think TOS is for admins who want to prioritize _THEIR_ traffic in _THEIR_ controlled networks. ISPs don't do any shaping. They only have large txqueues and with them they demonstrate how fast the download is. If I show them that when I download with the maximum speed I cannot browse the internet or chat, they say to stop downloading so fast. When a tiny little http response packet waits in a 2 MBytes queue to leave their server to my computer with a link speed of 128 kbit/s, I have to wait a very long time for it to arrive and meanwhile the browser times out... So LARTC people developed ingress policing, to drop the bulk packets and to signal this loss to the ISP's router, which discards a lot of the traffic in its queue so my tiny little packet gets in front of other packets and arrives to me in time...

Wouldn't it be better if ISPs would do some traffic shaping? (No more packet loss, less internet traffic (discarded packets are resent at some point), and better browsing... and... happy customers.)

>> Upstream providers such as my ISP here (Time Warner Cable) hardly
>> support ECN, I would be surprised if they did.
>>
>> For example, the crappy Zyxel cable modems they put out here don't
>> support ECN notification, so the first thing they do when they overflow
>> due to high amounts of traffic is simply shut down, most of them just crash.
>>
>> I have to put rate limiting policies on all my routers connected to
>> these modems otherwise they simply die when you try and push too much
>> data through them.
>>
>> I remember when Time Warner was using ubr9xx routers from Cisco, which
>> were excellent, but much more expensive of course than the Zyxel.
>>
>> If someone like Time Warner can't do ECN, I would hardly expect them to
>> do traffic prioritization....Oooo....complicated.
>>
>> :-)
>>
>> -gc
>>
>> Rob Sterenborg wrote:
>>>>> I just came across one of the threads on the LARTC.
>>>>> In the thread it had this.
>>>>>
>>>>> So my question is, for the following rules, would these increase my
>>>>> browsing / traffic, and if so, how.
>>>>>
>>>> Small packets and control packets should have priority
>>>> because they carry interactive traffic.
>>>
>>> Is it true that the upstream (ISP) routers have to support TOS for this
>>> to work ?
>>>
>>> Gr,
>>> Rob
* Re: How would this help my LAN / network
From: Brent Clark @ 2005-10-07 16:36 UTC
To: Sorin Panca; +Cc: netfilter

Sorin Panca wrote:
>
> Small packets and control packets should have priority because they
> carry interactive traffic.

Hi

I just had this other idea.

I have a few services running in my private LAN - rules as so:

# To allow PPL to see PORT 80 and 443 for a particular webserver
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.111.11:80
$IPT -t filter -A FORWARD -i eth0 -p tcp --dport 80 -d 192.168.111.11 -j ACCEPT
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 192.168.111.11:443
$IPT -t filter -A FORWARD -i eth0 -p tcp --dport 443 -d 192.168.111.11 -j ACCEPT

# TO ALLOW SMTP
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to 192.168.111.11:25
$IPT -t filter -A FORWARD -i eth0 -p tcp --dport 25 -d 192.168.111.11 -j ACCEPT

Can / should I use the following to help my internal web / mail server?

$IPT -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos Maximize-Throughput
$IPT -t mangle -A PREROUTING -p tcp -m tcp --sport 25 -j TOS --set-tos Maximize-Throughput

Just something I was thinking.

Kind Regards
Brent Clark
* Re: How would this help my LAN / network
From: Sorin Panca @ 2005-10-07 17:21 UTC
To: netfilter

Hi!

Brent Clark wrote:
> Sorin Panca wrote:
>
>>
>> Small packets and control packets should have priority because they
>> carry interactive traffic.
>
>
> Hi
>
> I just had this other idea.
>
> I have a few services running in my private LAN - rules as so:
>
> # To allow PPL to see PORT 80 and 443 for a particular webserver
> $IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to
> 192.168.111.11:80
> $IPT -t filter -A FORWARD -i eth0 -p tcp --dport 80 -d 192.168.111.11 -j
> ACCEPT
> $IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to
> 192.168.111.11:443
> $IPT -t filter -A FORWARD -i eth0 -p tcp --dport 443 -d 192.168.111.11
> -j ACCEPT
>
> # TO ALLOW SMTP
> $IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to
> 192.168.111.11:25
> $IPT -t filter -A FORWARD -i eth0 -p tcp --dport 25 -d 192.168.111.11 -j
> ACCEPT
>
> Can / should I use the following to help my internal web / mail server?
>
> $IPT -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos
> Maximize-Throughput
> $IPT -t mangle -A PREROUTING -p tcp -m tcp --sport 25 -j TOS --set-tos
> Maximize-Throughput

Maximize-Throughput puts the packet in a low priority band. To help your web server you should set the TOS to Minimize-Delay. But as someone on the LARTC list said today, as a response to your post there, few or none of the ISPs around the world honor those TOS bits...

For your router you have two options for making it consider those bits: a classful queuing discipline that prioritizes according to their meaning (that's the PRIO qdisc) or a classless qdisc like pfifo_fast. The last one happens to be the default qdisc for egress on Linux's NICs.

I don't think that sending mail is interactive traffic, nor receiving it.

>
> Just something I was thinking.
>
> Kind Regards
> Brent Clark
>
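An added illustration of the point made in the last two replies (Sorin's explanation of the per-port TOS rules, and his note that Maximize-Throughput lands a packet in a low-priority band of pfifo_fast). This is example code written for this page, not code from the thread, from netfilter or from the LARTC project. It assumes the TOS-to-priority and priority-to-band tables as the LARTC HOWTO describes pfifo_fast's defaults, and the rule text it parses is a constructed copy of the --dport rules posted above; the pfifo_fast model is a simplified three-band strict-priority queue, not the kernel's implementation.

```python
# Added example (not from this thread, netfilter or the LARTC HOWTO): how the
# TOS byte written by "-j TOS --set-tos ..." selects a pfifo_fast band on a
# Linux egress interface, and why a Maximize-Throughput mark puts a packet in
# the lowest-priority band. The TOS -> priority and priority -> band tables
# are transcribed from the LARTC HOWTO's description of pfifo_fast; the rule
# text is constructed to mirror the --dport rules posted in the thread.
import re
from collections import deque

# iptables TOS target names and the IPv4 TOS byte each one sets.
TOS_NAMES = {
    "Normal-Service": 0x00,
    "Minimize-Cost": 0x02,
    "Maximize-Reliability": 0x04,
    "Maximize-Throughput": 0x08,
    "Minimize-Delay": 0x10,
}

# Linux socket priority for each TOS nibble (index = TOS >> 1), per LARTC:
# 0 best effort, 1 filler, 2 bulk, 4 interactive bulk, 6 interactive.
TOS2PRIO = [0, 1, 0, 0, 2, 2, 2, 2, 6, 6, 6, 6, 4, 4, 4, 4]

# Default pfifo_fast priomap: socket priority -> band; band 0 is served first.
PRIOMAP = [1, 2, 2, 2, 1, 2, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1]


def tos_to_band(tos):
    """Return the pfifo_fast band (0, 1 or 2) a packet with this TOS byte joins."""
    prio = TOS2PRIO[(tos & 0x1E) >> 1]   # bit 0 is the MBZ/ECN bit and is ignored
    return PRIOMAP[prio]


# Constructed sample, mirroring the mangle rules from the thread (port rules only).
SAMPLE_RULES = """\
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 20 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 21 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 22 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p udp -m udp --dport 53 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 443 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p udp -m udp --dport 123 -j TOS --set-tos Minimize-Delay
"""

RULE_RE = re.compile(r"--(?:sport|dport) (\d+).*?--set-tos (\S+)")


def rule_bands(rules_text):
    """For every port-matching TOS rule, return (port, TOS name, pfifo_fast band)."""
    result = []
    for line in rules_text.splitlines():
        m = RULE_RE.search(line)
        if m:
            port, name = int(m.group(1)), m.group(2)
            result.append((port, name, tos_to_band(TOS_NAMES[name])))
    return result


class PfifoFast:
    """Three-band strict-priority FIFO: a band is served only when every lower band is empty."""

    def __init__(self):
        self.bands = [deque(), deque(), deque()]

    def enqueue(self, name, tos):
        self.bands[tos_to_band(tos)].append(name)

    def dequeue(self):
        for band in self.bands:
            if band:
                return band.popleft()
        return None

    def drain(self):
        order = []
        pkt = self.dequeue()
        while pkt is not None:
            order.append(pkt)
            pkt = self.dequeue()
        return order


def demo_order():
    """Queue three bulk segments first, then two HTTP replies and a DNS answer; return the send order."""
    q = PfifoFast()
    for i in range(3):
        q.enqueue("bulk-%d" % i, TOS_NAMES["Maximize-Throughput"])
    q.enqueue("http-reply-min-delay", TOS_NAMES["Minimize-Delay"])
    q.enqueue("http-reply-max-throughput", TOS_NAMES["Maximize-Throughput"])
    q.enqueue("dns-answer-normal", TOS_NAMES["Normal-Service"])
    return q.drain()


if __name__ == "__main__":
    for port, name, band in rule_bands(SAMPLE_RULES):
        print("port %4d  %-22s band %d" % (port, name, band))
    print("send order:", demo_order())
```

Running it shows every Maximize-Throughput rule (ports 20, 53, 80, 443) landing in band 2 and every Minimize-Delay rule in band 0, and the drain order shows a Minimize-Delay HTTP reply leaving ahead of bulk segments that were queued before it, while the same reply marked Maximize-Throughput leaves last. The marks only matter on an egress interface whose qdisc reads them (pfifo_fast or a PRIO qdisc on your own router); an upstream device that ignores the TOS byte reorders nothing.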