 From:  Jukka Ruotsalainen <jukka dot ruotsalainen at cs dot helsinki dot fi>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Traffic shaper, adsl connection and many users
 Date:  Mon, 20 Feb 2006 11:23:53 +0200
Hello!
I have searched for a lot of information about m0n0wall and typical settings 
for m0n0wall, for example for an 8/1 ADSL Internet connection and about 100 
simultaneous users.

Have only found "pieces" so far.

m0n0wall version is 1.21 running on a 400 MHz P2 with 64 MB memory.
For now I'm VERY happy about its performance.

Connection is shared via wlan.

I feel that the Magic Shaper is not working properly, as it doesn't work 
"right" and blocks and identifies too many p2p programs as port based; 
it's too easy to mess the program up by changing ports.

It's better to identify "fixed ports" such as http etc., and as they are 
also used for other purposes, not to prioritise them too high.

-The user base sounds like a lot, but basically it's working very well even 
now; basically we do not have so much traffic.

Basic goals:
-identify high priority protocol traffic, basically DNS calls, TCP ACK, 
SYN etc.
-identify ICMP/ping etc. priority traffic and also small packets.
-identify interactive traffic like VoIP calls, net radio and streaming media.
-identify important traffic like http surfing.
-classify everything else as pure junk.

-It should work with minimal tweaking in this kind of job (ADSL sharing); 
basically the WAN connection speed is the only variable.
-All the bandwidth should be shared dynamically so the maximum amount is 
always used, and if there is less traffic then one user may have more 
bandwidth. (What is the role of the queue's mask setting in this?)


-I have also noticed that it's really important to put the upstream pipe 
bandwidth low enough, as it otherwise causes huge delays, about 300 ms 
on uploads (!).

-No extra settings for clients, basically support for p2p clients on 
certain ports may be offered as it really helps the load balancing.
-Also some high priority ports for small packet voip traffic.

-reserve also some traffic resources for junk traffic.

The goal is to create an optimal config for housing cooperative use and make 
sure that even if there is high p2p/other traffic, at least smooth 
web surfing/email sending/receiving is always possible.

Also, if the net stream traffic could be secured to come before p2p, it 
would be nice.

As a feature request, it would be nice to see some traffic shaper SVG graph 
about the "sharing of the connection" and how the traffic is being 
classified.

I really hope for comments on this list, as m0n0wall really helps people 
build stable and secure networks, for example for local Internet 
sharing.

Special questions:
-I know that I'm still missing some protocols, especially streaming 
protocols; how do I ensure that, for example, net radio is prioritised before 
p2p? Now everything other than priority traffic and HTTP, IMAP etc. traffic 
is classified as "junk", like p2p.

Also some comments about the current queues and their weights.

Thank you very much for the hard work with m0n0wall.

Here is the XML traffic shaper config:

	<shaper>
		<pipe>
			<bandwidth>620</bandwidth>
			<descr>WAN Upstream Pipe (DO NOT SET TOO HIGH!)</descr>
		</pipe>
		<pipe>
			<bandwidth>7000</bandwidth>
			<descr>WAN Downstream Pipe</descr>
		</pipe>
		<queue>
			<targetpipe>0</targetpipe>
			<weight>30</weight>
			<mask>source</mask>
			<descr>Upload #1(protocol traffic)</descr>
		</queue>
		<queue>
			<targetpipe>0</targetpipe>
			<weight>25</weight>
			<mask>source</mask>
			<descr>Upload #2 (dns,ping,priority traffic)</descr>
		</queue>
		<queue>
			<targetpipe>0</targetpipe>
			<weight>20</weight>
			<mask>source</mask>
			<descr>Upload #3 (interactive)</descr>
		</queue>
		<queue>
			<targetpipe>0</targetpipe>
			<weight>15</weight>
			<mask>source</mask>
			<descr>Upload #4 (surfing)</descr>
		</queue>
		<queue>
			<targetpipe>0</targetpipe>
			<weight>10</weight>
			<mask>source</mask>
			<descr>Upload #5 (what is left)</descr>
		</queue>
		<queue>
			<targetpipe>1</targetpipe>
			<weight>25</weight>
			<mask>destination</mask>
			<descr>Download #2 (dns,ping,priority traffic)</descr>
		</queue>
		<queue>
			<targetpipe>1</targetpipe>
			<weight>20</weight>
			<mask>destination</mask>
			<descr>Download #3 (interactive)</descr>
		</queue>
		<queue>
			<targetpipe>1</targetpipe>
			<weight>30</weight>
			<mask>destination</mask>
			<descr>Download #1 (protocol traffic)</descr>
		</queue>
		<queue>
			<targetpipe>1</targetpipe>
			<weight>15</weight>
			<mask>destination</mask>
			<descr>Download #4 (surfing)</descr>
		</queue>
		<queue>
			<targetpipe>1</targetpipe>
			<weight>10</weight>
			<mask>destination</mask>
			<descr>Download #5 (what is left)</descr>
		</queue>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>out</direction>
			<iplen>0-128</iplen>
			<iptos/>
			<tcpflags>ack</tcpflags>
			<descr>TCP ACK Upload (small packets)</descr>
			<targetqueue>0</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
				<port>80</port>
			</destination>
			<direction>out</direction>
			<iplen>0-512</iplen>
			<iptos/>
			<tcpflags>syn</tcpflags>
			<descr>HTTP TCP SYN Upload</descr>
			<targetqueue>0</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
				<port>443</port>
			</destination>
			<direction>out</direction>
			<iplen>0-512</iplen>
			<iptos/>
			<tcpflags>syn</tcpflags>
			<descr>HTTPS TCP SYN Upload</descr>
			<targetqueue>0</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
				<port>6881-7100</port>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>out</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>BitTorrent Upload</descr>
			<targetqueue>4</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>out</direction>
			<iplen>0-100</iplen>
			<iptos/>
			<tcpflags/>
			<descr>Small Packet Upload (example Skype,VoIP)</descr>
			<targetqueue>1</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<address>10.10.0.1</address>
				<port>443</port>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>out</direction>
			<iplen/>
			<iptos/>
			<tcpflags>ack</tcpflags>
			<descr>Remote administration</descr>
			<targetqueue>1</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>udp</protocol>
			<source>
				<any/>
				<port>53</port>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>out</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>m0n0wall DNS relay</descr>
			<targetqueue>0</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<address>10.10.10.0/24</address>
				<port>50000-52009</port>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>out</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>User servers - Upload</descr>
			<targetqueue>3</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
				<port>21</port>
			</destination>
			<direction>out</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>FTP Upload</descr>
			<targetqueue>4</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
				<port>22</port>
			</destination>
			<direction>out</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>SSH Upload</descr>
			<targetqueue>2</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
				<port>25</port>
			</destination>
			<direction>out</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>SMTP Upload (potential zombie spam)</descr>
			<targetqueue>4</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>udp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
				<port>53</port>
			</destination>
			<direction>out</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>Outbound DNS Query</descr>
			<targetqueue>1</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
				<port>80</port>
			</destination>
			<direction>out</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>HTTP Upload</descr>
			<targetqueue>3</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
				<port>443</port>
			</destination>
			<direction>out</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>HTTPS Upload</descr>
			<targetqueue>3</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
				<port>587</port>
			</destination>
			<direction>out</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>SMTP TLS Upload</descr>
			<targetqueue>2</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
				<port>6969</port>
			</destination>
			<direction>out</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>BitTorrent default tracker</descr>
			<targetqueue>3</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
				<port>8080</port>
			</destination>
			<direction>out</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>Web proxy upload</descr>
			<targetqueue>3</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
				<port>1024-65535</port>
			</destination>
			<direction>out</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>Catch All P2P Upload</descr>
			<targetqueue>4</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>icmp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>out</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>ICMP Upload</descr>
			<targetqueue>1</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>ah</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>out</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>AH Upload (VPN)</descr>
			<targetqueue>2</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>esp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>out</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>ESP Upload (VPN)</descr>
			<targetqueue>2</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>gre</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>out</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>GRE Upload (VPN)</descr>
			<targetqueue>2</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>out</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>Catch-All Upload</descr>
			<targetqueue>4</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>in</direction>
			<iplen>0-128</iplen>
			<iptos/>
			<tcpflags>ack</tcpflags>
			<descr>TCP ACK Download (small packets)</descr>
			<targetpipe>1</targetpipe>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
				<port>80</port>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>in</direction>
			<iplen>0-512</iplen>
			<iptos/>
			<tcpflags>syn</tcpflags>
			<descr>HTTP TCP SYN Download</descr>
			<targetpipe>1</targetpipe>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
				<port>443</port>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>in</direction>
			<iplen>0-512</iplen>
			<iptos/>
			<tcpflags>syn</tcpflags>
			<descr>HTTPS TCP SYN Download</descr>
			<targetpipe>1</targetpipe>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
				<port>6881-7100</port>
			</destination>
			<direction>in</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>BitTorrent Download</descr>
			<targetqueue>9</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>in</direction>
			<iplen>0-100</iplen>
			<iptos/>
			<tcpflags/>
			<descr>Small Packet Download (example Skype,VoIP)</descr>
			<targetqueue>5</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>10.10.10.0/24</address>
				<port>50000-52009</port>
			</destination>
			<direction>in</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>User servers - Download</descr>
			<targetqueue>8</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
				<port>21</port>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>in</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>FTP Download</descr>
			<targetqueue>9</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
				<port>22</port>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>in</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>SSH Download</descr>
			<targetqueue>6</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
				<port>53</port>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>in</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>DNS Download</descr>
			<targetqueue>5</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
				<port>80</port>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>in</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr> HTTP Download</descr>
			<targetqueue>8</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
				<port>110</port>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>in</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>POP3 Download</descr>
			<targetqueue>8</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
				<port>143</port>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>in</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>IMAP Download</descr>
			<targetqueue>8</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
				<port>80</port>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>in</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr> HTTP Download</descr>
			<targetqueue>8</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
				<port>587</port>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>in</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>SMTP TSL Download</descr>
			<targetqueue>6</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
				<port>993</port>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>in</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>IMAP(SSL) Download</descr>
			<targetqueue>6</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
				<port>8080</port>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>in</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>Web proxy download</descr>
			<targetqueue>8</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<source>
				<any/>
				<port>1024-65535</port>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>in</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>Catch All P2P Download</descr>
			<targetqueue>9</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>icmp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>in</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>ICMP Download</descr>
			<targetpipe>1</targetpipe>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>ah</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>in</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>AH Download</descr>
			<targetqueue>6</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>esp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>in</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>ESP Download</descr>
			<targetqueue>6</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>gre</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>in</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>GRE Download</descr>
			<targetqueue>6</targetqueue>
		</rule>
		<rule>
			<interface>wan</interface>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
			</destination>
			<direction>in</direction>
			<iplen/>
			<iptos/>
			<tcpflags/>
			<descr>Catch All Download</descr>
			<targetqueue>9</targetqueue>
		</rule>
		<magic>
			<p2plow/>
			<maskq/>
			<maxup>800</maxup>
			<maxdown>8000</maxdown>
		</magic>
		<enable/>
	</shaper>

Jukka
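As an added example (not from Jukka's post and not m0n0wall's own code), a short Python lint that reads a `<shaper>` block in the layout posted above and reports what one would check before discussing queue weights: dangling `targetqueue`/`targetpipe` references, the weight total per pipe, rules that target a pipe directly instead of one of its weighted queues (as the "TCP ACK Download" and "ICMP Download" rules above do), and a pipe that ends up receiving both `in` and `out` rules. The sample XML is constructed in the posted layout with deliberate faults; it is not the full config from the post.

```python
"""Lint an m0n0wall <shaper> block: dangling queue/pipe references, per-pipe
weight totals, rules that target a pipe instead of a weighted queue, and
pipes that end up carrying both 'in' and 'out' rules."""
import xml.etree.ElementTree as ET

# Constructed sample in the layout of the posted config (not the author's
# full file). Queue 2 is deliberately attached to the upstream pipe and the
# last rule deliberately points at a queue that does not exist.
SAMPLE = """<shaper>
  <pipe><bandwidth>620</bandwidth><descr>WAN Upstream Pipe</descr></pipe>
  <pipe><bandwidth>7000</bandwidth><descr>WAN Downstream Pipe</descr></pipe>
  <queue><targetpipe>0</targetpipe><weight>30</weight><mask>source</mask><descr>Upload #1</descr></queue>
  <queue><targetpipe>0</targetpipe><weight>70</weight><mask>source</mask><descr>Upload #5</descr></queue>
  <queue><targetpipe>0</targetpipe><weight>20</weight><mask>destination</mask><descr>Download #4</descr></queue>
  <rule><direction>out</direction><descr>TCP ACK Upload</descr><targetqueue>0</targetqueue></rule>
  <rule><direction>out</direction><descr>Catch-All Upload</descr><targetqueue>1</targetqueue></rule>
  <rule><direction>in</direction><descr>TCP ACK Download</descr><targetpipe>1</targetpipe></rule>
  <rule><direction>in</direction><descr>HTTP Download</descr><targetqueue>2</targetqueue></rule>
  <rule><direction>in</direction><descr>Dangling</descr><targetqueue>7</targetqueue></rule>
</shaper>"""


def lint_shaper(xml_text):
    """Return {'findings': [...], 'weights': {pipe_index: weight_total}}."""
    root = ET.fromstring(xml_text)
    pipes = root.findall("pipe")
    queues = root.findall("queue")
    findings = []
    weights = {i: 0 for i in range(len(pipes))}
    pipe_dirs = {}  # pipe index -> set of rule directions landing on it

    # Each queue must hang off an existing pipe; accumulate its weight there.
    for qi, q in enumerate(queues):
        tp = int(q.findtext("targetpipe"))
        if tp not in weights:
            findings.append(f"queue {qi} references missing pipe {tp}")
        else:
            weights[tp] += int(q.findtext("weight"))

    # Rules are first-match; each one lands on a queue or directly on a pipe.
    for r in root.findall("rule"):
        descr, direction = r.findtext("descr"), r.findtext("direction")
        tq = r.findtext("targetqueue")
        if tq is not None:
            if int(tq) >= len(queues):
                findings.append(f"rule '{descr}' references missing queue {tq}")
                continue
            tp = int(queues[int(tq)].findtext("targetpipe"))
        else:
            tp = int(r.findtext("targetpipe"))
            findings.append(f"rule '{descr}' targets pipe {tp} directly "
                            "instead of one of its weighted queues")
        pipe_dirs.setdefault(tp, set()).add(direction)

    # A pipe models one direction of the link; mixed directions mean some
    # queue's targetpipe is wrong, so that traffic is shaped against the wrong limit.
    for tp, dirs in pipe_dirs.items():
        if len(dirs) > 1:
            findings.append(f"pipe {tp} receives both in and out rules: {sorted(dirs)}")
    return {"findings": findings, "weights": weights}


if __name__ == "__main__":
    for line in lint_shaper(SAMPLE)["findings"]:
        print(line)
```

To run it against a real config, replace SAMPLE with the `<shaper>` element cut out of m0n0wall's config.xml backup.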