Traffic Shaping

Hi m0n0wall users,

I stumbled on this forum recently and I must say I've found it very interesting.
I'm trying to setup a firewall for my internet users, I provide internet to my small community. The internet is not that much at only 2mbps Down & 512kbps Up to be shared among 23 users currently, as you can see this is very little bandwidth for that number of users and so sometimes it crawls to a halt especially if one user is using bittorent or streaming videos. I'm working on upgrading the bandwidth to 20mbps but its taking sometime for the ISP  to pull the fiber cable to my building so for the time being I have to work with what I have.

So I was wondering; how does the magic shaper on m0n0wall exactly work, especially the "share bandwidth evenly on LAN" option. Does this mean that after the bandwidth has been shared evenly to LAN users its static or does it vary according to number of users connected at a given time and their usage?.
For example; I have 23 users, if bandwidth was to be shared evenly that would be around 86kbps down for each, my question is does this amount remain at 86kbps when only 5 users are connected or is the 2mbps shared evenly amongst the 5 users to get 400kbps each?
My other question is; Lets say all my 23 users are connected at a given time but only 5 are heavy users and the rest are using way below the 86kbps, will the unused bandwidth for the light users be distributed evenly to the 5 heavy users?

I hope my questions make sense, if not kindly I'm sorry. Any response will be highly appreciated.

Regards

Cosmas.

When set up properly (which is limits just below what you can reliably get all the time)  It places everyone who is actively using it in line and distributes packets round robin style.  As people finish small downloads, that one person on Windows Update gets more bandwidth.  So it will use all you have, but evenly share among all active users.  I have found it to work very well on T1 connections for hotels.

And skip the "Set P2P traffic to lowest priority" since it is port based, and does not work well.

Thanks Lee Sharp for that explanation, it answers my question.
I'm curious tho', you said that I should skip the "Set P2P traffic to lowest priority" since it doesnt work well...I'm wondering is there a work around for P2P traffic, are there rules that actually cripples P2P traffic? I know P2P can be a pain in the @$$ but could there be a work around with m0n0wall? it would be perfect for me if I can share bandwidth evenly to LAN and at the same time cripple P2P traffic, kindly if there is a work around for that you can share the how to or point me somewhere for the steps.

Going back again to that bandwidth sharing option, I have two scenarios with my network layout, some users connect wirelessly from a WISP equipment and others use wired connections, both the WISP equipment and the wired users are connected to a switch which is connected to a ADSL Modem router which provides the internet, now I would like to place the m0n0wall firewall between the ADSL modem router and the switch, my question is when the m0n0wall firewall is sharing the bandwidth evenly to LAN users will it treat the WISP as a single user or will it be able to see beyond into the actual users connected to the WISP?

Note: The WISP is set to bridge mode.

I've attached a sketch of my network layout.

Regards
Cosmas.

The problem with trying to control P2P with a shaper that uses port based rules is that the P2P clients can generally be set to use arbitrary port numbers. There is no way to predict the ports in use or prevent them from changing even if you discover them.

Thanks Fred,
So what you mean is there is no way to slow down P2P traffic in m0n0wall? Does this mean even with the "Share Bandwidth evenly on LAN" option enabled if one of the users fires up a torrent client and starts to download they can still surpass their allocated bandwidth hence consuming all the bandwidth even when other users are active? I'm just hoping this is not the case because if it is then this option will be of no use to me.

I am not well versed in the shaper, so I have no further advice for you.

The problem with p2p is that it is an arms race, and they have more solders.   However, with share bandwidth evenly on the LAN it does not matter.  They can fire up whatever they want...  They still only get one packet in each rotation.  It will actually get you dropped from some swarms, and the connection is seen as very poor from the other end.  But for the most part, it actually works OK, with no one able to take over the connection.

As to your WISP issue...  If we see user IP addresses and MACs, all is good.  If your wireless does NAT or MAC aggregation, not so much.

Thanks alot Lee Sharp, if that's the case with the "Share bandwidth evenly on LAN" then I think it will work wonders for me & I wont have to worry about P2P traffic taking over the entire bandwidth (that was my biggest worry)

About the WISP issue...I'm currently using a Linux Centos proxy server and when I run the "arp-scan" command I can see all users behind the WISP (IPs & MAC addresses) but I can also see the IP & MAC address of the WISP station, so I'm guessing m0n0wall will be able to see them too and share bandwidth per actual user?

Note: No NAT or MAC aggregation on my wireless.

Regards

Cosmas.

Well, a proxy server kinds messes everything up.  The traffic shaper will see all the traffic comming from the proxy, and will treat it as one user.

Oh! what I meant is I'm currently using proxy server which I intend to replace with the M0n0wall firewall. Btw I've just configured the m0n0wall and set the share bandwidth evenly on LAN, it seems to work pretty well, I've tested on two pcs and I've now decided to hook it up to the entire network, waiting for peak hours to see how it handles the traffic.

I have a question: Does enabling "Set P2P to lowest priority" affect negatively the overall network performance or is that it just doesn't do what its supposed to do properly?

It adds more rules to the traffic shaper, so additional complexity, CPU and memory.  Not a problem unless you are on weak hardware.  I just like a simpler set for troubleshooting.

Thanks Lee,

This m0n0wall has surprised me, I'm using Compaq Deskpro EN PIII with 833mhz CPU & 512mb RAM but to my surprise the CPU usage is always below 3% & memory usage at 9% and the thing seems to work just fine, I tried to enable the "set p2p traffic to lowest priority" and there was hardly no change in CPU or Memory usage...I must say I'm starting to love m0n0wall.

I use old AMD Geode based terminal servers with extra NICs and run VPN tunnels over high speed links, and also have low CPU and memory on this ancient stuff.

[However, with share bandwidth evenly on the LAN it does not matter. They can fire up whatever they want... They still only get one packet in each rotation.]

Hi,

The problem with p2p is that it is an arms race, and they have more solders.   However, with share bandwidth evenly on the LAN it does not matter.  They can fire up whatever they want...  They still only get one packet in each rotation.  It will actually get you dropped from some swarms, and the connection is seen as very poor from the other end.  But for the most part, it actually works OK, with no one able to take over the connection.

Well...unfortunately this doesnt seem to work for me or may be something is terribly wrong, one of my clients fired up multiple torrent files yesterday and the network was completely crippled, I mean even loading google.com was a problem, disconnecting the client solved the problem. When I was setting up this feature I tested it with a single torrent file downloading from one computer and normal download and web browsing on two other computers and it worked perfect well, diving the bandwidth evenly on the three computers, now this guy fired up like twenty (20) torrent files and everything else just stopped. I checked to see if maybe there was a problem with the ISP by running a speedtest directly and speeds where ok nothing below what is allocated to m0n0wall.

I feel like I'm loosing this torrent fight but not before I exhaust all possible methods, I'm sure there is a way out there, I'm sure someone somewhere knows a trick to beat torrent traffic. I looked at pfsense traffic shaping and saw that it uses packet inspection (L7), I'm willing to give it a try but I dont want to go through all the hassles of configurations only to fail to work, so, do you think there is something else I can do with m0n0wall to beat torrent traffic?. This is my ultimate goal, everything else comes after that.

May be SmallWall will be able to achieve this, it will be the best gift for me!

Regards

Cosmas.

You will have to look closer at what is happening.  I suspect he is opening up a lot of torrents with no peer limit and actually filling up the state table.  I would have to look at how we could set up a per user state limit...  And one that would not break everything later.