Topic: Turned on Magic Shaper Wizard with P2P lowest priority, still getting hammered  (Read 8157 times)
« on: March 20, 2010, 16:09:29 »
Hauser *
Posts: 11

I have a 5Mb/800kb connection with a few wireless client PCs connected via WiFi to a Soekris net5501 running latest m0n0. I turned on the Magic Shaper Wizard and set P2P traffic to lowest priority, however when I fire up a pile of torrent downloads from my server, pings to www.google.ca from my laptop go from 30ms to 300ms+ and I go from 0% packet loss to 15% and sometimes higher, sustained.

What can I do to ensure my server's downloads are properly de-prioritized so that the web experience from my client machines is unaffected?
« Last Edit: March 20, 2010, 17:09:22 by Hauser »
« Reply #1 on: March 20, 2010, 17:07:54 »
Hauser *
Posts: 11

I took a look at what the Magic Shaper Wizard does and it just adds in a bunch of rules for various client default configs, which won't work on my network.

I have 2 machines that get BT downloads, namely my server (HTPC) and laptop (MBP). I run uTorrent on both machines, port 56465 on the HTPC and 56466 on the MBP. I have the firewall set to forward traffic inbound for port 56465 to HTPC, and to forward traffic inbound to port 56466 to MBP.

I turned off the Magic Shaper Wizard and added a simple rule that should set all incoming traffic to ports 56465 and 56466 to the lowest priority but so far I don't see any impact to my traffic. Here are some screens of my config, this seems pretty straightforward so if anyone could help I would certainly appreciate it.

[Screenshot: firewall config]

[Screenshot: Traffic Shaper config including BitTorrent Downloads - Test rule I created]

[Screenshot: config details of BitTorrent Downloads - Test rule]
« Reply #2 on: March 20, 2010, 17:27:14 »
Fred Grayson *****
Posts: 994

How much of your 5M/800K did you tell m0n0wall you really have?

If you used the full amounts, the resulting values in "Firewall: Traffic shaper: Pipes" may be too high.

It is my understanding that the shaper will not work at all if these settings are too high.

--
Google is your friend and Bob's your uncle.
« Reply #3 on: March 20, 2010, 18:02:48 »
knightmb ****
Posts: 341

Quite simply, if you lie to m0n0wall about your *real* bandwidth, traffic shaper will have no effect on how to manage traffic flow because it's not able to work with the bandwidth you specify.

You'll have to do a lot of speed tests on your connection first (like, just plug it right into your PC) and after that, get a good average of your actual upload and download. Plug those into the traffic shaper pipes and results will be much better. m0n0wall traffic shaper is very exacting and if the bandwidth values are all over the place with your ISP, traffic shaper won't be able to do much with it.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #4 on: March 20, 2010, 18:28:41 »
knightmb ****
Posts: 341

Quote from: Hauser
> I took a look at what the Magic Shaper Wizard does and it just adds in a bunch of rules for various client default configs, which won't work on my network.
>
> I have 2 machines that get BT downloads, namely my server (HTPC) and laptop (MBP). I run uTorrent on both machines, port 56465 on the HTPC and 56466 on the MBP. I have the firewall set to forward traffic inbound for port 56465 to HTPC, and to forward traffic inbound to port 56466 to MBP.
>
> I turned off the Magic Shaper Wizard and added a simple rule that should set all incoming traffic to ports 56465 and 56466 to the lowest priority but so far I don't see any impact to my traffic. Here are some screens of my config, this seems pretty straightforward so if anyone could help I would certainly appreciate it.
>
> [Screenshot: firewall config]
>
> [Screenshot: Traffic Shaper config including BitTorrent Downloads - Test rule I created]
>
> [Screenshot: config details of BitTorrent Downloads - Test rule]

I've had a lot of experience with rules magic (I use m0n0wall to run the backbone of 2 ISPs)

The easiest way, since you know which computers you want to control better. Delete all your rules, start fresh. Use the Magic shaper wizard to create a fresh rule set with the bandwidth you specified earlier 5000kbps D/ 800kbps U, but don't check the 'Set P2P traffic to lowest priority' because quite frankly, there are so many P2P applications now, trying to create a rule for all of them just isn't going to work in my opinion.

Now, save changes, apply, etc. Go back to the "Pipes" section in the traffic shaper and create two more pipes. Name one of them "P2P Upload Limit" and set its bandwidth low at first (like 128k for example), save the pipe, create one more, call it "P2P Download Limit" and set its bandwidth low at first (1000k for example), save the pipe, apply changes, etc.

Now, move back to the "Rules" section, we are going to create two catch-all rules for the port of your P2P of choice.

The first rule that you create, call it "P2P Upload", set these options for it.
Target = "P2P Upload Limit"
Interface = "WAN"
Protocol = "any"
Source = "LAN Subnet"
Source Port Range = from "56465" (leave 'to' blank)
Destination = "any"
Direction = "any"

For the rest of the flag settings, set them all to "don't care"
Save the rule

Create a second rule:
call it "P2P Download", set these options for it.
Target = "P2P Download Limit"
Interface = "WAN"
Protocol = "any"
Source = "any"
Source Port Range = from "56465" (leave 'to' blank)
Destination = "LAN Subnet"
Direction = "any"

For the rest of the flag settings, set them all to "don't care"
Save the rules, and make sure they are at the top of the list (because we want the P2P traffic to match right away)

Apply settings and fire up your P2P software. See if these two rules are catching your P2P traffic by causing it to be extremely limited.

If that works, do other things while P2P is going on to test speed and latency. Just keep increasing those pipe values for the "P2P Upload Limit" and "P2P Download Limit" until it starts to cause latency and speed problems. Once you find the magic number of upload and download, you should be able to have heavy torrent traffic and regular web surfing traffic co-exist without all the slowness.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
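
The tuning loop described in the reply above (raise the P2P pipe limits step by step until latency and packet loss return) can be scripted around ping summaries. This is an added example, not part of the original thread; the thresholds, the helper names and the sample ping output are constructed assumptions, not measurements from the posters.

```python
import re

# Summary lines as printed by BSD/macOS and Linux ping.
LOSS_RE = re.compile(r"(\d+(?:\.\d+)?)% packet loss")
RTT_RE = re.compile(r"= [\d.]+/([\d.]+)/[\d.]+/[\d.]+ ms")

def parse_ping_summary(text):
    """Return (loss_percent, avg_rtt_ms) from ping's summary output."""
    loss = LOSS_RE.search(text)
    if loss is None:
        raise ValueError("no packet-loss line found")
    rtt = RTT_RE.search(text)
    # With 100% loss ping prints no round-trip line; treat RTT as infinite.
    avg = float(rtt.group(1)) if rtt else float("inf")
    return float(loss.group(1)), avg

def highest_safe_limit(baseline, trials, max_rtt_factor=1.5, max_loss=1.0):
    """Largest pipe limit (kbit/s) whose ping stays close to the idle baseline.

    trials maps a pipe bandwidth to the ping summary captured while
    torrents ran under that limit. The walk stops at the first degraded
    step, as in the manual procedure. Thresholds are assumptions.
    """
    _, base_rtt = parse_ping_summary(baseline)
    best = None
    for kbps in sorted(trials):
        loss, rtt = parse_ping_summary(trials[kbps])
        if loss > max_loss or rtt > base_rtt * max_rtt_factor:
            break
        best = kbps
    return best

def sample_summary(sent, received, loss, avg):
    """Build constructed ping output in BSD format for the demo below."""
    return (f"{sent} packets transmitted, {received} packets received, "
            f"{loss}% packet loss\n"
            f"round-trip min/avg/max/stddev = "
            f"{avg * 0.9:.3f}/{avg:.3f}/{avg * 1.4:.3f}/2.100 ms\n")

# Constructed data: idle baseline, then one capture per pipe setting.
BASELINE = sample_summary(20, 20, 0.0, 30.0)
TRIALS = {
    100: sample_summary(20, 20, 0.0, 31.0),
    500: sample_summary(20, 20, 0.0, 38.0),
    1000: sample_summary(20, 17, 15.0, 310.0),
    2000: sample_summary(20, 16, 20.0, 340.0),
}

if __name__ == "__main__":
    print("highest safe P2P pipe limit:", highest_safe_limit(BASELINE, TRIALS), "kbit/s")
```
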
« Reply #5 on: March 20, 2010, 20:24:44 »
Hauser *
Posts: 11

Thanks for the advice. I did as you said, creating a new pipe set to a very low 100kb/s and saw my torrent speeds drop from 450kB/s to about 12kB/s as expected, so I definitely nailed the torrent traffic with the rules. At that speed, ping tests showed pings of 30ms or so to www.google.ca with no lost packets, which is what I get when I'm not downloading anything.

Unfortunately even cranking the speed up to 1Mb/s caused my symptoms to re-emerge, with huge pings to websites and lots of dropped packets from other clients on the network. With all torrent restrictions removed I get download speeds up to 450kB/s or so, with m0n0 reporting it's using only 8-10% of the available RAM in the box and between 25% and 50% of CPU steady with the occasional spike up to 75%. WiFi strength from both server and laptop shows around -45dBm or excellent strength.

These figures seem like a router operating well inside its hardware limits, so it's a mystery to me why it's introducing so much latency and dropping so many packets.

Further advice/diagnostics are welcome, and thanks very much for your input so far. Here are some graphs from m0n0 showing usage with no QoS rules applied and no limits on torrent speed:

[Screenshot: traffic graph]

[Screenshot: CPU load]

[Screenshot: memory usage]
« Reply #6 on: March 25, 2010, 20:37:03 »
dbogdan@lumc.edu *
Posts: 14

knightmb,

A most excellent set of rules.  Thanks for sharing this with us.

Dave
« Reply #7 on: March 28, 2010, 06:47:48 »
knightmb ****
Posts: 341

Quote from: Hauser
> Thanks for the advice. I did as you said, creating a new pipe set to a very low 100kb/s and saw my torrent speeds drop from 450kB/s to about 12kB/s as expected, so I definitely nailed the torrent traffic with the rules. At that speed, ping tests showed pings of 30ms or so to www.google.ca with no lost packets, which is what I get when I'm not downloading anything.
>
> Unfortunately even cranking the speed up to 1Mb/s caused my symptoms to re-emerge, with huge pings to websites and lots of dropped packets from other clients on the network. With all torrent restrictions removed I get download speeds up to 450kB/s or so, with m0n0 reporting it's using only 8-10% of the available RAM in the box and between 25% and 50% of CPU steady with the occasional spike up to 75%. WiFi strength from both server and laptop shows around -45dBm or excellent strength.
>
> These figures seem like a router operating well inside its hardware limits, so it's a mystery to me why it's introducing so much latency and dropping so many packets.
>
> Further advice/diagnostics are welcome, and thanks very much for your input so far. Here are some graphs from m0n0 showing usage with no QoS rules applied and no limits on torrent speed:

Do you know how many connections your P2P software is making? The irony is, you might have m0n0wall make a good handle on your bandwidth, but you might be maxing out some session table further down your ISP line, which would put it beyond your control I'm afraid.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
 