This webconfig app lets you get under the skin of the bandwidth rules created by ClearOS. Ever wanted to check whether the rules you have in place are effective, are matching the intended traffic, and are prioritising / capping traffic? Well, now you can. This app was inspired by TCCS (the tc class statistics parser).
Info
The bandwidth system consists of two intermediate queueing devices (IMQ) that sit between the ClearOS box and the internet. These devices filter upload and download traffic and prioritise it according to the defined rules. The app displays, for each rule on each interface, whether packets are being dropped, going over their limits, or building up a backlog. It also shows which classes are consistently borrowing bandwidth from others.
Bandwidth is distributed between all the classes according to their rate and their priority. When a class needs more than its rate, it attempts to borrow from the parent class; the order in which bandwidth is borrowed and shared is based on the priority of the class. Each class can borrow up to its ceiling limit, so you can artificially limit traffic by setting the ceiling lower than your upload.
The top table lists all rules which have seen traffic since the firewall was restarted. It's essentially a static snapshot: refresh the page to see updates (todo: use AJAX to update the table).
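As an added example (not the app's own PHP code), here is a small Python parser for the `tc -s class show dev imq0` output that the monitor reads, flagging the conditions listed above: drops, over-limits, backlog and borrowing. The sample tc output and the 25% "consistently borrowing" threshold are constructed assumptions, not captured from a real ClearOS box.

```python
"""Parse the output of `tc -s class show dev imq0` and flag what the Bandwidth
Monitor page describes: classes that drop, exceed their limits, build a backlog
or keep borrowing from their parent. Added example, not the app's own PHP code.
The sample output below is constructed, not captured from a real ClearOS box."""
import re

# Constructed sample output (HTB on the upload IMQ device): a root class 1:1,
# one VoIP rule 1:10 and the hard-coded catch-all class 1:2.
SAMPLE_TC_OUTPUT = """\
class htb 1:1 root rate 820000bit ceil 820000bit burst 1599b cburst 1599b
 Sent 9876543 bytes 12345 pkt (dropped 0, overlimits 4210 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 3200 borrowed: 0 giants: 0
 tokens: 1234 ctokens: 1234

class htb 1:10 parent 1:1 prio 0 rate 384000bit ceil 820000bit burst 1599b cburst 1599b
 Sent 512000 bytes 4000 pkt (dropped 0, overlimits 15 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 12 giants: 0
 tokens: 5678 ctokens: 5678

class htb 1:2 parent 1:1 prio 7 rate 102500bit ceil 820000bit burst 1599b cburst 1599b
 Sent 8100000 bytes 7000 pkt (dropped 57, overlimits 3900 requeues 0)
 rate 0bit 0pps backlog 45600b 30p requeues 0
 lended: 0 borrowed: 3188 giants: 0
 tokens: -100 ctokens: -100
"""

_UNITS = {"bit": 1, "kbit": 1_000, "mbit": 1_000_000, "gbit": 1_000_000_000}

_HEADER = re.compile(
    r"class htb (?P<classid>\S+) (?:root|parent (?P<parent>\S+))"
    r"(?: leaf \S+)?(?: prio (?P<prio>\d+))? rate (?P<rate>\S+) ceil (?P<ceil>\S+)")
_SENT = re.compile(r"Sent (\d+) bytes (\d+) pkt \(dropped (\d+), overlimits (\d+)")
_BACKLOG = re.compile(r"backlog (\d+)b (\d+)p")
_BORROW = re.compile(r"lended: (\d+) borrowed: (\d+)")

BORROW_RATIO = 0.25  # assumption: "consistently borrowing" = borrowed on >= 25% of sent packets


def parse_rate(text):
    """Convert an iproute2 rate ('384000bit', '384Kbit', '1Mbit') to bits per second."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?bit)", text)
    if not m:
        raise ValueError(f"unrecognised rate: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2).lower()])


def parse_tc_classes(text):
    """Return {classid: stats} for every 'class htb' block in the tc output."""
    classes = {}
    for block in re.split(r"\n(?=class )", text.strip()):
        hdr = _HEADER.match(block)
        sent, backlog, borrow = _SENT.search(block), _BACKLOG.search(block), _BORROW.search(block)
        if not (hdr and sent and backlog and borrow):
            continue  # not an HTB class block, or statistics missing (run without -s)
        classes[hdr["classid"]] = {
            "parent": hdr["parent"],
            "prio": int(hdr["prio"]) if hdr["prio"] is not None else None,
            "rate": parse_rate(hdr["rate"]),
            "ceil": parse_rate(hdr["ceil"]),
            "sent_bytes": int(sent[1]), "sent_pkts": int(sent[2]),
            "dropped": int(sent[3]), "overlimits": int(sent[4]),
            "backlog_bytes": int(backlog[1]), "backlog_pkts": int(backlog[2]),
            "lended": int(borrow[1]), "borrowed": int(borrow[2]),
        }
    return classes


def flag_classes(classes):
    """Return {classid: [conditions]} using the conditions the page lists."""
    flags = {}
    for classid, c in classes.items():
        conditions = []
        if c["dropped"] > 0:
            conditions.append("dropping")
        if c["overlimits"] > 0:
            conditions.append("overlimits")
        if c["backlog_pkts"] > 0:
            conditions.append("backlog")
        if c["sent_pkts"] and c["borrowed"] / c["sent_pkts"] >= BORROW_RATIO:
            conditions.append("borrowing")
        flags[classid] = conditions
    return flags


def report(classes, flags):
    """Render a table like the app's top table: rate/ceil in kbit, counters, then flags."""
    rows = ["class  parent  prio  rate_k  ceil_k  dropped  overlim  backlog  borrowed  flags"]
    for classid, c in sorted(classes.items()):
        prio = "-" if c["prio"] is None else str(c["prio"])
        rows.append(
            f"{classid:<6} {c['parent'] or 'root':<7} {prio:>4} {c['rate'] // 1000:>7} {c['ceil'] // 1000:>7} "
            f"{c['dropped']:>8} {c['overlimits']:>8} {c['backlog_pkts']:>8} {c['borrowed']:>9}  "
            + (", ".join(flags[classid]) or "ok"))
    return "\n".join(rows)


if __name__ == "__main__":
    parsed = parse_tc_classes(SAMPLE_TC_OUTPUT)
    print(report(parsed, flag_classes(parsed)))
```

On a real box you would feed it `subprocess.run(["tc", "-s", "class", "show", "dev", "imq0"], capture_output=True, text=True).stdout` instead of the constructed sample; the counters are cumulative since the firewall restart, so two snapshots a few seconds apart (and their difference) tell you far more about who is borrowing right now than one reading does.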
Install
To install, first set up the community repo using the instructions linked here (HERE), then run:
yum --enablerepo=timb install app-bandwidth-monitor
Navigate to Gateway > Bandwidth and QOS > Bandwidth Monitor
What this app doesn't do: record bandwidth usage or log bandwidth totals, sorry!
Lessons learnt: all traffic not matched by your bandwidth rules ends up in the standard 1:2 class. This is hard-coded to have a low priority and 1/8th of your upload. It may be obvious, but to maintain maximum throughput and interactivity you should create rules for all traffic that relies on packets being passed in a timely manner, namely SSH (port 22), DNS (port 53), VoIP and gaming UDP ports. Everything else can be left as bulk traffic. Or, if you wish to limit P2P, create a rule for it but set the Ceiling slightly lower than your upload.
For all things bandwidth related, see this excellent HTB user guide:
http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm
Tricks!
Since I've been learning a lot about how the bandwidth system goes together, here are a couple of tweaks, originating from the wondershaper scripts, that you can apply to the bandwidth system:
Prioritise small ACK and ICMP packets. Run the following from the console:
# Create an upload class for the small-packet traffic. Set ceil to your upload limit.
# Because the filters below only apply to packets under 64 bytes, a rate of 50kbit is enough here.
tc class add dev imq0 parent 1:1 classid 1:3 htb rate 50000bit ceil [YOURVALUE]bit prio 0
# Add a u32 filter that matches bare TCP ACKs the hard way and passes them to class 1:3:
#   ip protocol 6 0xff      = TCP
#   u8 0x05 0x0f at 0       = IP header length of 5 words (no options), so the TCP header starts at byte 20
#   u16 0x0000 0xffc0 at 2  = total length under 64 bytes
#   u8 0x10 0xff at 33      = TCP flags byte (20 + 13) is exactly ACK
tc filter add dev imq0 parent 1:0 protocol ip prio 1 u32 \
 match ip protocol 6 0xff \
 match u8 0x05 0x0f at 0 \
 match u16 0x0000 0xffc0 at 2 \
 match u8 0x10 0xff at 33 \
 flowid 1:3
# Do the same for ICMP packets (ip protocol 1). As written this rule only tests the IP header
# length nibble; add the "match u16 0x0000 0xffc0 at 2" line from above to get the same 64-byte cut-off.
tc filter add dev imq0 parent 1:0 protocol ip prio 1 u32 \
 match ip protocol 1 0xff \
 match u8 0x05 0x0f at 0 \
 flowid 1:3
Note: both rules are meant to apply only to packets under 64 bytes, as ACK and ICMP packets can carry a payload which we don't want to prioritise. To show off to your friends once these are in place, try maxing out your upload whilst demonstrating a very low ping!
This application doesn't do anything amazingly special, but if you want to understand a bit more about how your bandwidth rules are implemented, I find it useful.
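To see exactly which packets the two u32 filters above pick out, here is an added Python example (not part of the page's own commands) that applies the same `match` clauses to constructed IPv4 packets. It models the ICMP rule as written on the page (protocol and IHL only) and, separately, the same rule with the 64-byte length test that the ACK rule uses; the packet contents, addresses and payload sizes are constructed.

```python
"""Apply the u32 'match' clauses from the ACK/ICMP trick above to raw IPv4
packets, to see which packets the filters steer into class 1:3. Added example,
not part of the page's own commands; every packet below is constructed."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class U32Match:
    """One `match u8|u16|u32 VALUE MASK at OFFSET` clause; for `protocol ip`
    filters the offset counts from the start of the IP header."""
    width: int    # 1, 2 or 4 bytes (u8, u16, u32)
    value: int
    mask: int
    offset: int

    def test(self, pkt):
        end = self.offset + self.width
        if end > len(pkt):
            return False  # field lies beyond the packet: no match
        field = int.from_bytes(pkt[self.offset:end], "big")
        return field & self.mask == self.value & self.mask


def match_ip_protocol(proto):
    """`match ip protocol N 0xff` is shorthand for `match u8 N 0xff at 9`."""
    return U32Match(1, proto, 0xff, 9)


# The page's TCP ACK filter, clause by clause.
ACK_FILTER = [
    match_ip_protocol(6),            # TCP
    U32Match(1, 0x05, 0x0f, 0),      # IHL == 5 words: no IP options, TCP header at byte 20
    U32Match(2, 0x0000, 0xffc0, 2),  # total length with bits 6 and up clear, i.e. under 64 bytes
    U32Match(1, 0x10, 0xff, 33),     # TCP flags byte (20 + 13) is exactly ACK
]
# The page's ICMP filter as written: protocol and IHL only, no length test.
ICMP_FILTER = [match_ip_protocol(1), U32Match(1, 0x05, 0x0f, 0)]
# The ICMP filter with the same 64-byte cut-off as the ACK filter (this example's addition).
ICMP_SMALL_FILTER = ICMP_FILTER + [U32Match(2, 0x0000, 0xffc0, 2)]


def matches(pkt, clauses):
    """A u32 filter matches only when every clause matches."""
    return all(c.test(pkt) for c in clauses)


def classify(pkt):
    """Class the page's two filters would give an upload packet on imq0."""
    if matches(pkt, ACK_FILTER) or matches(pkt, ICMP_FILTER):
        return "1:3"
    return "default"   # falls through to the webconfig rules / class 1:2


def ipv4_packet(proto, payload):
    """Construct a minimal IPv4 header (IHL 5, no options) in front of payload."""
    src, dst = bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5])  # constructed addresses
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return header + payload


def tcp_segment(flags, data=b""):
    """20-byte TCP header (data offset 5) with the given flags, then data."""
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 1, 5 << 4, flags, 65535, 0, 0) + data


def icmp_echo(data):
    """8-byte ICMP echo request header, then data."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data


# Constructed packets
PURE_ACK = ipv4_packet(6, tcp_segment(0x10))                    # 40 bytes, flags = ACK
ACK_WITH_DATA = ipv4_packet(6, tcp_segment(0x10, b"x" * 30))    # 70 bytes, ACK but over the cut-off
DATA_SEGMENT = ipv4_packet(6, tcp_segment(0x18, b"x" * 1460))   # 1500 bytes, PSH|ACK
PING_32 = ipv4_packet(1, icmp_echo(b"a" * 32))                  # 60 bytes (Windows default payload)
PING_56 = ipv4_packet(1, icmp_echo(b"a" * 56))                  # 84 bytes (Linux default payload)

if __name__ == "__main__":
    for name in ("PURE_ACK", "ACK_WITH_DATA", "DATA_SEGMENT", "PING_32", "PING_56"):
        pkt = globals()[name]
        print(f"{name:<14} {len(pkt):>5} bytes -> {classify(pkt)}"
              f"  (with 64-byte ICMP test: {matches(pkt, ICMP_SMALL_FILTER)})")
```

Two things the run makes visible: a 70-byte segment whose flags are exactly ACK still misses the ACK rule because of the length test, and the default Linux `ping` (56-byte payload, 84 bytes on the wire) only reaches class 1:3 because the ICMP rule as written has no length test; if you add the 64-byte cut-off to it, test with a smaller payload such as `ping -s 24` (52 bytes).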
Responses (61)
Accepted Answer
Tim
Installed your repo and installed the bandwidth monitor app with no problems, except I cannot see the monitor option under Bandwidth and QoS. If I try to reinstall I get the message "nothing to do, already installed".
Tried removing and reinstalling, closing the browser and re-logging in, as well as a total reboot; nothing worked.
Have I done something wrong, or is there another step I'm missing to get the menu option to display in webconfig?
Also installed eaccelerator with no apparent problems.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Problem solved: I didn't update my admin login to include bandwidth monitor. Once I logged in as root I found my mistake and could correct it. -
Accepted Answer
Well, that figures. I went to pull the log file to demonstrate I'd added the repository and found that I didn't add it correctly thanks to fat fingers. Installed the monitor successfully now.
Still seeing some inconsistency between what the Bandwidth Monitor interface is showing and ntop's reports (4.0.3 running on the 5.2sp1 Clear box). Going to watch it for a while and, if the oddities continue, put together a decent slew of screenshots for my questions. -
Accepted Answer
Hopefully I'm not beavising the syntax myself, but I can't seem to load the package:
[root@box2 ~]# yum --enablerepo=timb install app-bandwidth-monitor
Loading "kmod" plugin
Loading "protect-packages" plugin
Error getting repository data for timb, repository not found
Seeing some results from ntop that indicate the rules are not working as planned/expected in all cases. Trying to get a handle on what is actually happening. -
Accepted Answer
Tim,
I have successfully installed this on one of my clearboxes, but this is what I get on the second one:
[root@web-3 ~]# yum --enablrepo=timb install app-bandwidth-monitor
Loading "kmod" plugin
Loading "protect-packages" plugin
usage: yum [options] < grouplist, localinstall, groupinfo, localupdate, resolvedep, erase, deplist, groupremove, makecache, upgrade, provides, shell, install, whatprovides, groupinstall, update, repolist, groupupdate, info, search, check-update, list, remove, clean, grouperase >
Command line error: no such option: --enablrepo
[root@web-3 ~]#
Any ideas? -
Accepted Answer
Well spotted, and thanks for trying it out. Yes, I think when you use a webconfig rule which is defined for all traffic leaving my network, it creates more than one bandwidth class for that 'single' webconfig entry. This causes the rules to shift down by one entry... I'll investigate and see if I can fix it. -
Accepted Answer
Great module.
I found a small bug though.
When looking at bandwidth traffic I notice that the "labels" for the rules are pushed one row below where they are supposed to be.
It's happening because the first rule from the advanced tab is displayed twice (once with its own label and once with the label from the next rule???).
It is consistent for both the upload (imq0) and download (imq1) tables.
Instead of the expected:
Upload imq0 Rate Ceiling Port IP Address
----------------------------------------------------------------------------------
1:1 (ALL) 820 820
--> 1:10 (sip) 384 820 S 5060 S X.X.X.X/24
--> 1:11 (sip) 384 820 S 5061 S X.X.X.X/24
--> 1:12 (sip) 384 820 D 5060 D X.X.X.X/24
--> 1:13 (sip) 384 820 D 5061 D X.X.X.X/24
--> 1:14 (gv_up) 256 820 D 174.X.X.X/32
--> 1:15 (Voice_up) 384 820 D 188.X.X.X/32
--> 1:2 (Other)
It looks like below:
Upload imq0 Rate Ceiling Port IP Address
----------------------------------------------------------------------------------
1:1 (ALL) 820 820
--> 1:10 (sip) 384 820 S 5060 S X.X.X.X/24
--> 1:11 (sip) 384 820 S 5061 S X.X.X.X/24
--> 1:12 (sip) 384 820 D 5060 D X.X.X.X/24
--> 1:13 (sip) 384 820 D 5061 D X.X.X.X/24
--> 1:14 (gv_up) 256 820 D 174.X.X.X/32
--> 1:15 (Voice_up) 256 820 D 174.X.X.X/32
--> 1:16 () 384 820 D 188.X.X.X/32
--> 1:2 (Other) -
Accepted Answer
Hi, thanks for trying it out. What locale settings are you using?
You can try navigating to https://clearos:81/admin/bandwidth-monitor.php -
Accepted Answer
Tim Burgess wrote:
UPDATE: 5.1.8 is out, this fixes several multiwan detection issues in 5.1.7.
It should now more reliably detect more than one WAN and which IMQ devices belong to which
ftp://starlane.gotdns.org/app-bandwidth-monitor-5.1-8.i386.rpm
I have a ClearOS box with 3 external links and one single LAN.
I need to limit bandwidth and, as per your suggestion, I installed the bandwidth module from the link quoted above... the module installs fine, but the problem is it does not appear under Bandwidth and QoS... only the Bandwidth link is present, the currently installed module is missing...
I even rebooted the machine but the problem persists.
I have the latest ClearOS 5.2 SP1 installed,
and whenever I type the command ifconfig
it shows two other new interfaces named imq0 and imq1.
Will you please help me solve the problem?
Any help will be greatly appreciated.
~prahmod -
Accepted Answer
Hi Kripz, no I've not used the bandwidth system with MAC addresses... in fact it won't work, because the u32 filters the webconfig creates match IPs only.
I did once attempt to when I was experimenting with u32 filters, but it's a bit futile because the MAC is lost once it passes through the gateway anyway. If you or anyone would like to play around with custom rules, by all means have a play with the following example:
# Add a new class for testing on each IMQ device
tc class add dev imq0 parent 1:1 classid 1:4 htb rate 50000bit ceil 450000bit prio 0
tc class add dev imq1 parent 1:1 classid 1:4 htb rate 50000bit ceil 450000bit prio 0
# Match destination MAC AA:BB:CC:DD:EE:FF on the download device. Negative offsets count back
# from the IP header into the Ethernet header: ethertype at -2, destination MAC at -14..-9
tc filter add dev imq1 parent 1:0 protocol ip prio 1 u32 \
 match u16 0x0800 0xFFFF at -2 \
 match u32 0xCCDDEEFF 0xFFFFFFFF at -12 \
 match u16 0xAABB 0xFFFF at -14 \
 flowid 1:4
# Match source MAC AA:BB:CC:DD:EE:FF on the upload device: source MAC at -8..-3
tc filter add dev imq0 parent 1:0 protocol ip prio 1 u32 \
 match u16 0x0800 0xFFFF at -2 \
 match u16 0xEEFF 0xFFFF at -4 \
 match u32 0xAABBCCDD 0xFFFFFFFF at -8 \
 flowid 1:4
-
Accepted Answer
UPDATE: 5.1.8 is out; this fixes several multi-WAN detection issues in 5.1.7.
It should now more reliably detect more than one WAN and which IMQ devices belong to which.
ftp://starlane.gotdns.org/app-bandwidth-monitor-5.1-8.i386.rpm -
Accepted Answer
UPDATE: app-bandwidth-monitor-5.1.7 is now available, and is multi-WAN friendly.
Can someone with multi-WAN confirm that this works OK? I don't have two to test properly. My limited testing in my VM seems to be OK in terms of formatting; however, it doesn't have live traffic. Things to check for are the rule nicknames, and that you end up with two tables, one for each WAN,
i.e.
WAN1 - eth1
Upload - imq0
Download - imq2
WAN2 - eth2
Upload - imq1
Download - imq3 -
Accepted Answer
I am more interested in the first way, because the second way looks difficult. It would be nice if you made a simple step-by-step tutorial on how to configure it, so many will try.
The bandwidth limitation per client IP is an issue I have encountered a lot during installation at an office where the manager wanted bandwidth limits for each client's IP, while the proxy server still runs to make up for the lack of available internet bandwidth. -
Accepted Answer
Hi Andi,
TProxy combined with Squid looks interesting, with TPROXY being used as the iptables target instead of REDIRECT.
http://wiki.squid-cache.org/Features/Tproxy4
I've been trying to think of some other creative ways of implementing IP-based bandwidth control using the existing setup.
So far I have:
1. Using iptables conntrack to mark packets that match certain LAN IP addresses. These marks are kept as they traverse the chain through the mangle table, so you could then write a bandwidth filter rule that matches the packet mark.
2. Or creating an additional IMQ device between the LAN and ClearOS so that local LAN traffic can be throttled by IP before it gets to the proxy; however, this would also limit speeds to and from the gateway (but could be restricted to just web traffic). That is OK if all you want to do is use the internet, but not good for transferring files on/off the server.
The second option would require a lot of hacking of the firewall to get it to work, as the IMQ module limits the number of IMQ devices when the firewall is loaded. This limit at the moment is obtained from the number of WAN interfaces present... -
Accepted Answer
Hi Tim.
..
I also have problems like Mr. Waldir's.
To solve this, traffic can be classified by port and bandwidth limited per port, like you say.
Only, I think, is there any kind of additional program or patch so that bandwidth managers can recognise the client IP even though traffic is passed through a proxy server?
I have read about TProxy, which is able to make Squid bridged, so that client IPs can be recognised by the bandwidth manager (not NAT).
Is it possible for it to be installed directly into the ClearOS Squid? Because to do the installation, TProxy must perform kernel patching and Squid patching itself.
Just an idea... who knows, it could solve this problem.
Or does the developer have another solution? Improvements, perhaps, for the next version? -
Accepted Answer
Have a look at my bandwidth "hacks" on the first page that prioritise small ACK packets. This helps reduce lag. If you find out which ports your games use and create a rule for these, they should also have minimal lag on a fully loaded connection.
I can play Call of Duty Modern Warfare 2 with a torrent running at 90% of my upload and still have minimal lag, simply by reserving traffic to / from my PS3's IP. It will never be perfect, but it can be achieved with a bit of tweaking and ensuring your upload limits are below your *actual* bandwidth capacity. -
Accepted Answer
Thanks Mr. Burgess for the ideas. What I want is to limit the bandwidth for the voyage, that is, upon opening pages, for example images (hi5, Facebook, etc.) or music (YouTube) do not consume all the bandwidth, while always keeping the proxy cache, since it is of great help.
There lies the problem with online gaming: it produces what we commonly call "lag".
Thanks for taking the time to address my question.
Greetings from Lima - Peru . -
Accepted Answer
Yes, that's right: when the proxy is on, all web traffic (destination port 80) leaving your ClearOS box has the source IP of your WAN, not your LAN IPs. This means it is not possible to create bandwidth rules for *web* traffic on LAN IP addresses. This is the same for all web proxies.
Think of it in reverse: prioritise the traffic you *want* to get through, rather than limiting bandwidth for others.
So in your situation I would create a global rule for web traffic which is limited to, say, 80% of your max bandwidth, by specifying a lower Ceiling value. Then create your gaming rules with a low rate so that they are not starved of bandwidth when they need it. This works well for me here with torrent traffic and gaming. -
Accepted Answer
Hi Alton,
The proxy only affects web traffic (i.e. port 80). When it is enabled, regardless of transparent mode, all web traffic (i.e. destination port 80) will have a source IP of your WAN interface, and not your LAN IPs.
This will affect how you create your bandwidth rules; as mentioned in several other threads, the end result is that you can't shape web traffic on an IP basis for different LAN clients if the proxy is turned on.
Usually when the proxy is running and transparent mode is disabled, each browser has to be configured to use the ClearOS proxy (on port 3128) to get web access, so it actually doesn't matter whether transparent mode is on or not. -