* [LARTC] Shared ADSL SHAPER
@ 2006-01-30 17:45 Rasmus Melgaard
From: Rasmus Melgaard @ 2006-01-30 17:45 UTC (permalink / raw)
To: lartc
Hi,
I'm trying to make a shaper / firewall to improve sharing of bandwidth on an
ADSL (3mbit down / ½ mbit up).
Since the ADSL is very asymmetric, down is unimportant; I make an ingress rate
limit shaper to ensure all shaping is at the Shaper, and not on the Router
or the ISP.
The idea is then to make one HTB hierarchy and have each client (IP) filtered
and put in a child HTB queue. This is the main idea; I have added prio to
each HTB child to keep priorities for each client.
I currently use a reduced setup with total uplink limited to 160kbit, and I
run first the firewall script and then the Shaper script, below.
The problem now is that if I take Azureus, a bittorrent client, and let it go
(no uplink limitation), it kills its own downlink speed. If I limit the
uplink speed in Azureus the downlink will grow again; it is quite obvious.
I've tried adding some tricks from the net, especially to improve ACK
performance, but it hasn't helped.
Setup:
Clients (1-32)---Switch---Linux(shaper+firewall)---Cisco Soho 78---ISP
BR
Rasmus Melgaard
------------------------------------
FIREWALL: Firewall script:
#First we flush our current rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
#Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
#Copy and paste these examples ...
export LAN=eth0
export WAN=eth1
export LAN_SCOPE="10.0.0.0/24"
#Then we lock our services so they only work from the LAN
#(the negation goes before the option: "! -i" is the form current iptables
# accepts; "-i !" is the old intrapositioned form)
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT
#(Optional) Allow access to our ssh server from the WAN
# iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
#Drop TCP / UDP packets to privileged ports
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
#Finally we add the rules for NAT
#(LAN-to-LAN traffic is never forwarded; the WAN-side rule accepts anything
# addressed to the LAN range, so it relies on NAT and rp_filter rather than on
# connection-tracking state)
iptables -I FORWARD -i ${LAN} -d ${LAN_SCOPE} -j DROP
iptables -A FORWARD -i ${LAN} -s ${LAN_SCOPE} -j ACCEPT
iptables -A FORWARD -i ${WAN} -d ${LAN_SCOPE} -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
#Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
#MTU Clamp
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
---------------------------------------------
SHAPER: Shaping script:
#Copy and paste these examples ...
export LAN=eth0
export WAN=eth1
#delete previous (an error here is normal when nothing has been added yet)
tc qdisc del dev ${WAN} root 2>/dev/null
tc qdisc del dev ${LAN} root 2>/dev/null
#Run one command given as a string and abort on failure.
#(named "run" so the shell builtin "command" is not shadowed; the original
# "if ! $($*)" executed the command's *output* and exited with status 0 on
# failure)
run() {
echo "Command -> $*"
if ! eval "$*"
then
echo "Failed: $*" >&2
exit 1
fi
}
#downstream police rate: the line is 3mbit down, "3000mbit" would never police
CEILDOWNRATE="3000kbit"
CEILRATE="160kbit"
CLIENTRATE="20kbit"
LAN_SCOPE="10.0.0.0/24"
LAN_SCOPE_PRE="10.0.0."
LAN_SCOPE_POST="/32"
LEAF_QDISC="prio"
HTB_MAIN_OPT="quantum 36000 burst 32000 cburst 16000"
HTB_LEAF_OPT="quantum 5000 burst 2000 cburst 1000"
#clients 10.0.0.1 up to (not including) 10.0.0.${MAX_IP_LIMIT}; reduced setup
MAX_IP_LIMIT=3
#General egress Wan port
#(default class 10 is also client 1's class, see CLASSID below, so the
# router's own unclassified traffic shares that client's 20kbit)
run "tc qdisc add dev ${WAN} root handle 1: htb default 10"
run "tc class add dev ${WAN} parent 1: classid 1:1 htb rate ${CEILRATE} ceil ${CEILRATE} ${HTB_MAIN_OPT}"
#Fix general tos - new chain tosfix
run "iptables -t mangle -N tosfix"
run "iptables -t mangle -A tosfix -p tcp -m length --length 0:512 -j RETURN"
run "iptables -t mangle -A tosfix -m limit --limit 2/s --limit-burst 10 -j RETURN"
run "iptables -t mangle -A tosfix -j TOS --set-tos Maximize-Throughput"
run "iptables -t mangle -A tosfix -j RETURN"
#Fix ACK tos - new chain ack
run "iptables -t mangle -N ack"
run "iptables -t mangle -A ack -m tos ! --tos Normal-Service -j RETURN"
run "iptables -t mangle -A ack -p tcp -m length --length 0:128 -j TOS --set-tos Minimize-Delay"
run "iptables -t mangle -A ack -p tcp -m length --length 128: -j TOS --set-tos Maximize-Throughput"
run "iptables -t mangle -A ack -j RETURN"
#Add rules
run "iptables -t mangle -A POSTROUTING -p tcp -m tos --tos Minimize-Delay -j tosfix"
run "iptables -t mangle -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -j ack"
#Every ip egress
IP=1
while [ "$IP" -lt $MAX_IP_LIMIT ]
do
CLASSID=${IP}0
IPADDR=${LAN_SCOPE_PRE}${IP}${LAN_SCOPE_POST}
echo "Class ID: ${CLASSID}"
echo "IP Addrs: ${IPADDR}"
echo "Adding Class"
run "tc class add dev ${WAN} parent 1:1 classid 1:${CLASSID} htb rate ${CLIENTRATE} ceil ${CEILRATE} ${HTB_LEAF_OPT}"
echo "Adding qdisc"
run "tc qdisc add dev ${WAN} parent 1:${CLASSID} handle ${CLASSID}: ${LEAF_QDISC}"
echo "Adding POSTROUTING classification"
run "iptables -I POSTROUTING -t mangle -s ${IPADDR} -j CLASSIFY --set-class 1:${CLASSID}"
IP=$(($IP+1))
done
#ingress
run "tc qdisc add dev ${WAN} handle ffff: ingress"
run "tc filter add dev ${WAN} parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${CEILDOWNRATE} burst 30k drop flowid :1"
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
* Re: [LARTC] Shared ADSL SHAPER
@ 2006-02-25 15:01 Andy Furniss
From: Andy Furniss @ 2006-02-25 15:01 UTC (permalink / raw)
To: lartc
Rasmus Melgaard wrote:
> Hi,
>
> I'm trying to make a shaper / firewall to improve sharing of bandwidth on an
> ADSL (3mbit down / ½ mbit up).
>
> Since the ADSL is very asymmetric, down is unimportant; I make an ingress rate
> limit shaper to ensure all shaping is at the Shaper, and not on the Router
> or the ISP.
>
> The idea is then to make one HTB hierarchy and have each client (IP) filtered
> and put in a child HTB queue. This is the main idea; I have added prio to
> each HTB child to keep priorities for each client.
>
> I currently use a reduced setup with total uplink limited to 160kbit, and I
> run first the firewall script and then the Shaper script, below.
>
> The problem now is that if I take Azureus, a bittorrent client, and let it go
> (no uplink limitation), it kills its own downlink speed. If I limit the
> uplink speed in Azureus the downlink will grow again; it is quite obvious.
>
> I've tried adding some tricks from the net, especially to improve ACK
> performance, but it hasn't helped.
I haven't checked the script but assuming it's OK I think that this
could be fixed - I use the python client and it seems OK.
When you back off you will get fairness from the client - so you should
use sfq.
You will need to prioritise small packets - I use < 128.
You also need to limit the length of the sfq to say 20 - 30 so that you
get plenty of drops and fewer acks for the download get piggybacked on
the upload packets - bittorrent uses tcp full duplex which makes it a
bit of a special case for shaping.
Always remember that unless you patch/use overhead parameters you
need to back off from the advertised link rate.
Andy.
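One way to rebuild a client's leaf along Andy's three points (sfq with a short limit, small packets first, backing off from the advertised rate) on top of Rasmus's layout, as an added example that is not code from either message. It assumes WAN=eth1, client N in HTB class 1:N0 as in the shaper script, a 512kbit upstream with an 85% margin, and 10 bytes of PPPoA/AAL5 encapsulation overhead; the ATM cell arithmetic and the u32 length match go beyond what the thread itself shows. It prints the tc commands unless run with TC=tc as root.

```shell
#!/bin/sh
# Added example (not from the thread): one client's leaf following Andy's
# advice, keeping Rasmus's layout: WAN=eth1, client N = 10.0.0.N in class 1:N0.
# Defaults to printing the tc commands; run with TC=tc as root to apply them.
TC=${TC:-"echo tc"}
WAN=${WAN:-eth1}
LINK_KBIT=512     # advertised upstream rate (1/2 mbit)
BACKOFF_PCT=85    # assumed margin when no ATM overhead patch is in use
SFQ_LIMIT=30      # queue length per band, so bulk flows see drops early (Andy: 20-30)

# Bytes an IP packet occupies on the ATM link: padded into 48-byte cells of 53
# bytes each after adding the encapsulation overhead (assumption: 10 bytes,
# PPPoA VC-mux incl. the AAL5 trailer). A 40-byte ACK therefore costs 106 bytes.
atm_wire_bytes() {
    echo $(( ($1 + 10 + 47) / 48 * 53 ))
}

# HTB root ceil in kbit after backing off from the advertised rate
shaper_ceil_kbit() {
    echo $(( LINK_KBIT * BACKOFF_PCT / 100 ))
}

# Apply the backed-off ceil to root class 1:1 created by the original script
set_root_ceil() {
    $TC class change dev "$WAN" parent 1: classid 1:1 htb \
        rate "$(shaper_ceil_kbit)kbit" ceil "$(shaper_ceil_kbit)kbit"
}

# Leaf for client $1: a prio qdisc whose three bands (minor ids 1..3) each get
# a short sfq, plus a u32 filter that sends IP packets shorter than 128 bytes
# (bits 15..7 of the total-length field at offset 2 all zero) to band 0
# regardless of their TOS value, so ACKs for the download leave first.
leaf_for_client() {
    cid=${1}0
    $TC qdisc add dev "$WAN" parent "1:$cid" handle "$cid:" prio
    for minor in 1 2 3; do
        $TC qdisc add dev "$WAN" parent "$cid:$minor" handle "$cid$minor:" \
            sfq perturb 10 limit "$SFQ_LIMIT"
    done
    $TC filter add dev "$WAN" parent "$cid:" protocol ip prio 1 u32 \
        match u16 0x0000 0xff80 at 2 flowid "$cid:1"
}

set_root_ceil
for n in 1 2; do leaf_for_client "$n"; done
```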