Router Installation and Configuration Manual/Configuring Services: Quality of Service Menu

From ImageStream Router Documentation

This chapter describes how to configure the Quality of Service (QoS) facilities provided by the ImageStream router, including ImageStream's bwinit and bwadd utilities. bwinit and bwadd are user-friendly front ends to the more in-depth DiffServ utility, tc, provided on the router. Refer to the Linux Advanced Routing and Traffic Control HOWTO for additional information on the tc commands and other advanced Linux routing utilities.


Quality of Service Menu

After logging in, the main menu is displayed (your menu may look slightly different):
     ISis-Router main menu 
     1. Configuration menu 
     2. Show interface status 
     3. Advanced 
     4. Router software management 
     5. Backup/Restore 
     6. halt/reboot 
     0. Log off 
Select menu option 1, Configuration menu, and press Enter to configure the router. The Configuration menu should appear (your menu may look slightly different):
     Configuration menu  
     1. AAA (Password) Configuration 
     2. Global configuration 
     3. Network interface configuration 
     4. Firewall and QOS configuration 
     5. Service configuration 
     6. Dynamic routing configuration 
     7. Save configuration to flash 
     0. ISis-Router main menu 
Select menu option 4, Firewall and QOS configuration, and press Enter to configure the router's firewall and QoS settings. The firewall and QOS menu will be displayed (again, your menu may look slightly different):
     Firewall and QOS configuration 
     1. QOS Menu (diffserv), (instated) 
     2. Firewall (iptables), (instated) 
     0. Configuration menu 
Select menu option 1, QOS Menu (diffserv), and press Enter to configure the router's Quality of Service settings. The QOS Menu will be displayed (again, your menu may look slightly different):
     QOS Menu (diffserv), (instated) 
     1. Configure QoS management 
     2. Enable QoS on boot 
     3. Disable QoS on boot 
     4. Instate QoS Rules 
     5. Clear QoS Rules 
     6. Restore to default configuration 
     7. Firewall and QOS configuration 
     0. Quit 
Select menu option 1, Configure QoS management, and press Enter to configure the router's Quality of Service settings. This will open the default QoS configuration file in your default text editor. The first line of the file:
     #!/bin/sh 
must remain unchanged. This line indicates to the router that the lines in the file are part of a shell script. Lines that begin with a # are comments and will not be processed by the router. You may add comments anywhere in the file. There is no limit on the number of comments you may have in a particular file, provided that you have enough system memory and flash space to store the file.


Configuring Quality of Service using Service, Policy and Interface definitions

The latest 4.4.0 and 4.2.12 distributions utilize an improved policy-based configuration for quality of service. The default rc.qos script has examples that use a new QoS library of functions, greatly simplifying QoS configuration.
Services define a type of traffic or service. Policies prioritize services, define how the traffic is queued and set minimum and maximum rates as a percentage of the maximum rate. Interface definitions apply a policy to an interface and define the maximum input and output rates as well as the maximum allowed latency for queued traffic. Because policy rates are specified using percentages a policy can be applied to multiple interfaces which may have differing input and output rates.

QOS_SERVICE

The QOS_SERVICE command defines parameters that match a type of service such as Web traffic or SMTP traffic. ImageStream pre-defines many services that can be added to or modified.
Currently only tc filter matches are supported. See the Linux Advanced Routing and Traffic Control guide for more information on tc filter matching.
Usage: QOS_SERVICE --name <service_name> [--init] --tc_match <tc_filter_command_match>
Example:
Create a new service called ims1 that matches traffic to and from 205.159.243.5
QOS_SERVICE --name ims1 --init --tc_match protocol ip u32 match ip src 205.159.243.5
QOS_SERVICE --name ims1 --tc_match protocol ip u32 match ip dst 205.159.243.5
Release 4.4.0-77 adds a new --host option to simplify the match above:
QOS_SERVICE --name ims1 --init --host 205.159.243.5
It is also possible to add on to a pre-defined service. Simply omit the '--init' option to add another match to a service.
Example:
In addition to the IP ToS bit matches also match on the SIP server's IP at 205.159.243.5.
QOS_SERVICE --name voip --tc_match protocol ip u32 match ip src 205.159.243.5
QOS_SERVICE --name voip --tc_match protocol ip u32 match ip dst 205.159.243.5

QOS_POLICY

The QOS_POLICY command prioritizes and rate-limits services. Low latency queueing and class-based queueing are supported.
Low latency queueing provides a strict priority-based first-in-first-out (FIFO) queue which does not rate shape the traffic. This queueing method is preferred for real-time traffic such as VoIP and routing protocols.
Priorities range from 0 to 9. Lower values indicate higher priority.
Minimum and maximum values are expressed as percentages ranging from 1 to 100. The actual rate will be calculated using this percentage and the interface's real bandwidth.
Class-based queueing provides prioritization but also performs rate shaping. This queueing method is preferred for non-realtime traffic such as Web and E-mail.
LLQ Usage: QOS_POLICY --name <policy_name> --type llq --service <service_name> --prio <priority 0-9> --max <max_percent>
Example:
QOS_POLICY --name default --type llq --service voip --prio 0 --max 90
CBQ Usage: QOS_POLICY --name <policy_name> --type cbq [--default | --service <service_name>] --prio <priority 0-9> --min <min_percent> --max <max_percent>
Example:
Set the default traffic class to priority 5 and prioritize TCP ACKs higher than other traffic.
QOS_POLICY --name default --type cbq --default --prio 5 --min 10 --max 75
QOS_POLICY --name default --type cbq --service ack --prio 3 --min 10 --max 40

QOS_IFACE

The QOS_IFACE command applies a policy to an interface. The maximum input and output rates are specified in Kbps (Kilobits per second). Latency is specified in milliseconds.
Fair queueing can also be specified on the interface. ImageStream's PUFQ, standard stochastic fair queueing (SFQ) and simple first-in-first-out (FIFO) queueing are the options.
FIFO Usage: QOS_IFACE --name <interface_name> --policy <policy_name> --max_in <input_rate_in_Kbps> --max_out <output_rate_in_Kbps> --max_latency <max_latency_in_ms>
Example:
Assign the default policy to Ethernet0 which has a 3.0 Mbps input and 640 Kbps output rate. We want 150 ms max latency.
QOS_IFACE --name eth0 --policy default --max_in 3000 --max_out 640 --max_latency 150
Fair-Queueing Usage: QOS_IFACE --name <interface_name> --policy <policy_name> --max_in <input_rate_in_Kbps> --max_out <output_rate_in_Kbps> --max_latency <max_latency_in_ms> --fair_queue
Example:
Assign the default policy to Ethernet0 using fair queueing which has a 3.0 Mbps input and 640 Kbps output rate. We want 150 ms max latency.
QOS_IFACE --name eth0 --policy default --max_in 3000 --max_out 640 --max_latency 150 --fair_queue
PUFQ Usage: QOS_IFACE --name <interface_name> --policy <policy_name> --max_in <input_rate_in_Kbps> --max_out <output_rate_in_Kbps> --max_latency <max_latency_in_ms> --pufq --pufq_iface_type <inside | outside | nat_inside | nat_outside>
Example:
Assign the default policy to Ethernet0 using PUFQ which has a 3.0 Mbps input and 640 Kbps output rate. We want 150 ms max latency.
QOS_IFACE --name eth0 --policy default --max_in 3000 --max_out 640 --max_latency 150 --pufq --pufq_iface_type outside
ATM/DSL Adjustments
Starting in 4.4.0-72 and 4.2.12-46 a new --calc_atm parameter was added to the QOS_IFACE statement to allow the QOS subsystem to calculate ATM/AAL5 overhead for each packet being transmitted. This allows the system to specify the exact ATM data rate for the link.
Example:
A 3.0 Mb / 512 K DSL link has synced up at 3520000 bps down and 768000 bps up.
QOS_IFACE --name eth0 --policy default --max_in 3520 --max_out 768 --max_latency 150 --fair_queue --calc_atm
Frame Relay Parameters
Example:
A 256K CIR burstable to 384K Frame Relay circuit
QOS_IFACE --name Serial0.1 --policy default --max_latency 150 --fair_queue --frame_relay_mincir 256000 --frame_relay_cir 384000

Advanced Example

################################################################################
#
# Advanced example
# Override the voip service definition. We define voip as traffic to/from
# 192.168.0.35
# Policy:
#  Low Latency Queues:
#   voip: Low Latency Queue with highest priority and maximum of 90% of the
#         interface's bandwidth.
#  Class-Based Queues:
#   telnet: Highest priority with min of 10% and max 40%.
#   ssh: Lower priority than telnet with min 10% and max 40%.
#   tcp acks: Lower priority than ssh with min of 10% and max of 40%.
#   smtp: Lowest priority with min of 10% and max 60%.
#   default: Priority 5 (just above smtp) with min 10% max 95%
#
# Interface:
#  Apply the policy "default" to interface eth0 with the maximum input rate of
#  3000 Kbps (3.0 Mbps) and maximum output rate of 640 Kbps with a maximum
#  queueing latency of 150 ms. Configure PUFQ with nat_outside as the interface type
#  since this interface performs SNAT on user traffic.
#
QOS_SERVICE --name voip --init --tc_match protocol ip u32 match ip src 192.168.0.35/32
QOS_SERVICE --name voip        --tc_match protocol ip u32 match ip dst 192.168.0.35/32
QOS_POLICY --name default --type llq --service voip     --prio 0 --max 90
QOS_POLICY --name default --type cbq --init --default   --prio 5 --min 10 --max 95
QOS_POLICY --name default --type cbq --service telnet   --prio 1 --min 10 --max 40
QOS_POLICY --name default --type cbq --service ssh      --prio 2 --min 10 --max 40
QOS_POLICY --name default --type cbq --service ack      --prio 3 --min 10 --max 40
QOS_POLICY --name default --type cbq --service smtp     --prio 6 --min 10 --max 60

QOS_IFACE --name eth0 --policy default --max_in 3000 --max_out 640 --max_latency 150 --pufq --pufq_iface_type nat_outside

Statistics

Release 4.4.0-83 introduces a new command line utility qos_stats to retrieve QoS statistics. You must enter the bash shell (available from the advanced menu) to use this utility. Without any parameters the utility will display statistics on all known services for all policies on all interfaces. You can filter the results by specifying the policy, type, service, or interface.

qos_stats usage: qos_stats --policy <policy_name> --type <LLQ | CBQ> --service <service_name> --iface <interface_name> [--machine]
Specify any number of the policy, type, service or iface filters to narrow the results. Use the --machine flag to produce machine parseable output with one line per value.
Examples:
Router:/usr/local/sand# qos_stats
Interface brSerial0.1, Policy default, Service voip, Type LLQ, Priority 0
  Rx limits: 3420 Kbps min, 3420 Kbps max
  Rx 895678 packets 231548469 bytes (dropped 0 overlimits 0)
    Rx backlog 0 packets 0 bytes 0 ms
  Tx limits: 728 Kbps min, 728 Kbps max
  Tx 897262 packets 245654314 bytes (dropped 0 overlimits 0)
    Tx backlog 0 packets 0 bytes 0 ms
Interface brSerial0.1, Policy default, Service default, Type CBQ, Priority 5
  Rx limits: 290 Kbps min, 2616 Kbps max
  Rx 2542388 packets 3422291056 bytes (dropped 39545 overlimits 0)
    Rx backlog 0 packets 0 bytes 0 ms
  Tx limits: 58 Kbps min, 523 Kbps max
  Tx 512702 packets 108693924 bytes (dropped 673 overlimits 0)
    Tx backlog 0 packets 0 bytes 0 ms
Router:/usr/local/sand# qos_stats --service voip --iface brSerial0.1
Interface brSerial0.1, Policy default, Service voip, Type LLQ, Priority 0
  Rx limits: 3420 Kbps min, 3420 Kbps max
  Rx 895768 packets 231573574 bytes (dropped 0 overlimits 0)
    Rx backlog 0 packets 0 bytes 0 ms
  Tx limits: 728 Kbps min, 728 Kbps max
  Tx 897340 packets 245680162 bytes (dropped 0 overlimits 0)
    Tx backlog 0 packets 0 bytes 0 ms

Release 4.4.0-83 also allows querying these values via SNMP using the IMAGESTREAM-QOS-MIB.
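The human-readable output above is enough to watch a link for drops without the --machine flag or SNMP. The shell script below is an added example and is not part of the ImageStream documentation or software: it parses qos_stats output (the sample is constructed from the format shown above, reusing the same counters), prints the Rx and Tx drop counts for each interface/service pair together with a drops-per-10000-packets ratio, and flags any pair whose ratio exceeds a threshold. The function names, the ratio and the default threshold are this example's own choices.

```shell
#!/bin/sh
# Added example, not ImageStream code: turn qos_stats output into per-service
# drop figures so a rising drop count in a class is noticed before users notice it.
# The sample below is constructed from the output format shown on this page.
QOS_STATS_SAMPLE='Interface brSerial0.1, Policy default, Service voip, Type LLQ, Priority 0
  Rx limits: 3420 Kbps min, 3420 Kbps max
  Rx 895678 packets 231548469 bytes (dropped 0 overlimits 0)
    Rx backlog 0 packets 0 bytes 0 ms
  Tx limits: 728 Kbps min, 728 Kbps max
  Tx 897262 packets 245654314 bytes (dropped 0 overlimits 0)
    Tx backlog 0 packets 0 bytes 0 ms
Interface brSerial0.1, Policy default, Service default, Type CBQ, Priority 5
  Rx limits: 290 Kbps min, 2616 Kbps max
  Rx 2542388 packets 3422291056 bytes (dropped 39545 overlimits 0)
    Rx backlog 0 packets 0 bytes 0 ms
  Tx limits: 58 Kbps min, 523 Kbps max
  Tx 512702 packets 108693924 bytes (dropped 673 overlimits 0)
    Tx backlog 0 packets 0 bytes 0 ms'

# qos_drop_report: read qos_stats output on stdin and print, per interface/service,
# the Rx and Tx drop counts plus drops per 10000 packets offered (sent + dropped).
qos_drop_report() {
    awk '
    /^Interface / {                      # "Interface X, Policy Y, Service Z, Type T, Priority P"
        iface = $2; sub(/,$/, "", iface)
        svc = $6;   sub(/,$/, "", svc)
        key = iface "/" svc
        if (!(key in seen)) { seen[key] = 1; order[++n] = key }
    }
    /^[ \t]*(Rx|Tx) [0-9]+ packets/ {    # "Rx N packets N bytes (dropped N overlimits N)"
        dir = tolower($1)
        pkts[key, dir] = $2 + 0
        drops[key, dir] = $7 + 0
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]; line = k
            for (j = 1; j <= 2; j++) {
                dir = (j == 1) ? "rx" : "tx"
                offered = pkts[k, dir] + drops[k, dir]
                ratio = (offered > 0) ? int(drops[k, dir] * 10000 / offered) : 0
                line = line " " dir "_drops=" drops[k, dir] " " dir "_drop_per10k=" ratio
            }
            print line
        }
    }'
}

# qos_drop_alert THRESHOLD: print the interface/service pairs whose Rx or Tx
# drop ratio exceeds THRESHOLD per 10000 packets (default 100, i.e. 1%).
qos_drop_alert() {
    qos_drop_report | awk -v thr="${1:-100}" '{
        split($3, rx, "="); split($5, tx, "=")
        if (rx[2] + 0 > thr + 0 || tx[2] + 0 > thr + 0) print $1
    }'
}

printf '%s\n' "$QOS_STATS_SAMPLE" | qos_drop_report
echo "pairs dropping more than 1% of offered packets:"
printf '%s\n' "$QOS_STATS_SAMPLE" | qos_drop_alert 100
```

On the router the sample variable is replaced by the live command, for example `qos_stats | qos_drop_alert 50` from a cron job in the bash shell; the ratio is computed against sent plus dropped packets because the "dropped" counter is not included in the packet count.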

Configuring Quality of Service using BWINIT/BWADD Filter Method

Both ImageStream's bwinit and bwadd utilities and standard Linux DiffServ tc commands are valid in the QoS configuration file. Once you have successfully opened the file, you can initialize devices with bwinit and begin adding limits with the bwadd utility. The bwinit and bwadd utilities provide a more intuitive front-end to the "tc" utility for simple bandwidth limiting.
Remember that QoS may only be used for traffic that is being transmitted on the interface. In the real world, QoS works much like your postal mailbox for your organization. You cannot limit the amount of postal mail that is sent to your organization, but you can limit the amount of postal mail that you send out and the amount of mail you deliver within your organization. Similarly, QoS may only be used to limit traffic that is sent on an interface. If your router has two devices, Ethernet0 (LAN) and Serial0 (WAN), you would limit incoming traffic from the WAN destined for your LAN by adding limits to Ethernet0. Similarly, if you want to limit outbound traffic from your LAN to your WAN, you would add limits to Serial0.
Note: The order of the commands entered into this file are important. Each device must be initialized first. The router checks for matches to the specified limits from the top to the bottom of the file. Once a traffic flow has been matched against a limit, the router will stop attempting to match limits and will not use any subsequent limits in the file.
The first step to implement bandwidth limiting for any interface in the system is to initialize the device using the bwinit command. The syntax for this command is:
     bwinit --dev device --bandwidth bandwidth 
The --dev option is used to specify the device in the interface configuration file (wan.conf) that you are initializing. You may use Linux's "eth" shorthand instead of "Ethernet" when working with Ethernet devices, though this is not required.
The --bandwidth option is used to specify the total amount of bandwidth available to the interface, regardless of any limits you wish to set. This value should be equal to the actual wire speed of the interface and must be a whole number. The value of --bandwidth should be abbreviated using "Mbit" or "Kbit" accordingly. Specifying an incorrect or inaccurate value will cause bandwidth limiting results to be inaccurate.

Initializing an Interface using BWINIT

Each interface to which you want to add bandwidth limiting rules must be initialized first. Failing to initialize a particular interface will prevent your bandwidth limiting rules from working properly. In the example below, we have initialized Ethernet0 with a bandwidth of 100 Mbps:
     bwinit --dev Ethernet0 --bandwidth 100Mbit 
The bandwidth above is expressed in abbreviated notation. For 10Mbps ethernet devices, use 10Mbit. Similarly, the example below shows initialization of a Serial interface at a T1 line rate:
     bwinit --dev Serial1 --bandwidth 1544Kbit 
The above command initializes Serial1. We have specified a full T1 connection of 1.544Mbps. Unlike SAND's rate-limit commands, you can initialize any valid interface defined in wan.conf, including subinterfaces, tunnels and VLAN devices.


Adding Limits to Initialized Devices using BWADD

Once each interface you wish to manage has been initialized, you can add limiting rules. bwadd supports separate limits on inbound and outbound bandwidth, as well as combined inbound/outbound traffic limits. Various networks or IP addresses can be grouped together to share a single bandwidth limit.
When adding limits, bwadd uses the following structure:
bwadd --dev device --bandwidth bandwidth { --source | --destination | --ip } ip address[/bitmask] \
  [ --priority priority ] [ --group group number ] [ --fair-queue ]
The --dev option specifies the device, as named in the interface configuration file (wan.conf), to which the limit applies. You may use Linux's "eth" shorthand instead of "Ethernet" when working with Ethernet devices, though this is not required.
The --bandwidth option specifies the bandwidth limit for the matched address, network or group. The value of --bandwidth should be abbreviated using "Mbit" or "Kbit" accordingly.
The --source, --destination and --ip keywords tell the router how to match the corresponding IP address or network block: --source matches only a packet's source address, --destination matches only a packet's destination address and --ip matches either address. Optionally, you may append /bitmask when the limit is for a network rather than a single IP address/host. A table is provided in Chapter 29, Router Installation and Configuration/Helpful Tools of this manual to convert between netmasks and bitmasks.
The --priority keyword specifies the limit's routing priority. The default value is 8. The valid range is 0 (highest) through 20 (lowest). The --priority keyword may be used to classify different networks, hosts or groups by level of importance. The network, host or group with the highest priority will always have the first access to the available interface bandwidth to the exclusion of other networks, hosts or groups.
The --group option allows you to add a limit to a particular group. Using groups allows multiple networks or hosts to share an aggregate bandwidth. See Grouping hosts and networks below.
In the example below the Ethernet0 device has been given a 512Kbit limit for the 192.168.100.0 class C network:
     bwadd --dev Ethernet0 --bandwidth 512Kbit --ip 192.168.100.0/24 \
       --group 3
When adding additional networks or hosts to an existing group, you do not need to respecify the bandwidth. Networks or hosts added to an existing group inherit the bandwidth limit previously specified.
Note that when a command continues onto a second line, you must end the first line with a backslash ( \ ). Without the backslash the router will interpret the next line as a new command and will generate an error.
The example command above would limit any host with a 192.168.100.xx address to 512Kbps of bandwidth inbound and outbound. By specifying the keyword --ip, hosts share a single 512Kbps bandwidth limit, regardless of whether the 192.168.100.xx address is in the source or destination field of the IP packet. Additionally, a group number (3) has been specified. Other hosts or networks can now be added to the group and share the allocated bandwidth.
To limit destination traffic only to an aggregate bandwidth of 512Kbps, use the --destination keyword:
     bwadd --dev Ethernet0 --bandwidth 512Kbit --destination \
       192.168.100.0/24 --group 3
Similarly, to limit source traffic only to an aggregate bandwidth of 512Kbps, use the --source keyword:
     bwadd --dev eth0 --bandwidth 512Kbit --source 192.168.100.0/24 \
       --group 3
Again, note the use of the backslash at the end of the first line in both commands. The backslash is only necessary when a command is split across more than one line in the file. We have also used the shorthand "eth0" notation in the second example. Either "Ethernet0" or "eth0" is acceptable.

Grouping Hosts and Networks

Using the --group keyword allows other hosts and networks to share a common bandwidth limit. The example below assumes Serial0 has been initialized with bwinit at T1 speed, as Serial1 was in the example above:
     bwadd --dev Serial0 --bandwidth 1Mbit --ip 172.0.0.0/24 \
       --group 2
     bwadd --dev Serial0 --ip 172.1.1.0/24 --group 2
     bwadd --dev Serial0 --bandwidth 512Kbit --ip 172.20.1.0/24
This example limits 172.0.0.0/24 and 172.1.1.0/24 to a shared 1Mbit, and 172.20.1.0/24 to 512Kbit, on the T1 link. Note that to add 172.1.1.0/24 to group 2 you only need to specify the device, address range and group number; it inherits the 1Mbit limit set when the group was created. 172.20.1.0/24 is not in a group, so it is given its own 512Kbit limit.


Configuring Quality of Service using BWINIT/BWADD Classify Method

In this example, we are going to assume the following service classes:
  • Voice over IP phone with highest priority at 192.168.1.5
  • SSH/telnet (interactive character) traffic with high priority
  • "Default" service class for all non-classified traffic
  • Non-realtime e-mail traffic at low priority
  • Security camera (192.168.1.6) FTP traffic at low priority
The configuration will define five service classes under a common leaf class:
[Figure: the five service classes as leaf classes under a common parent class]


It is possible to configure classes under the root class, but this limits your ability to create additional leaf classes with different service classes and priorities. Using multiple classes can be important in networks that have differing requirements for business and residential users, for example. The service classes will be identical on both Serial0 and Ethernet0.
ImageStream's bwinit and bwadd utilities allow users to define traffic control classes with a simpler utility than the advanced 'tc' utility provided with ImageStream routers. In this example, we will start with the rules for bandwidth allocation (please note the use of the shorthand "eth0" in the configurations below):
Bandwidth allocations:
  • Total bandwidth available: 1.5 Mbps (limit of Serial0 speed)
  • VoIP -- Minimum guarantee: 256 Kbps, Maximum allowed: 1 Mbps, Priority: 1
  • SSH/telnet -- Minimum guarantee: 32 Kbps, Maximum allowed: 128 Kbps, Priority: 2
  • "Default" -- Minimum guarantee: 128 Kbps, Maximum allowed: 1 Mbps, Priority: 3
  • E-Mail -- Minimum guarantee: 128 Kbps, Maximum allowed: 512 Kbps, Priority: 4
  • Security camera -- Minimum guarantee: 128 Kbps, Maximum allowed: 1500 Kbps, Priority: 5
We have chosen to allocate a small amount of bandwidth to SSH/telnet, since these applications are character-oriented and depend on user typing speeds (typically only a few bits per second). Please note that if VoIP requires its full 1 Mbps, the remaining classes will have very little bandwidth available. With this configuration it is possible for e-mail and security camera traffic to receive no bandwidth during high traffic conditions in the VoIP or default classes. You may need to adjust the minimum guarantees and maximum limits to ensure that bandwidth is available to all classes. In this example, e-mail and security camera traffic are low priority and will not be guaranteed bandwidth if the higher priority classes require the full 1.5 Mbps.
As noted above, the configurations for Ethernet0 and Serial0 are identical. First, we must initialize the router's QoS layers and specify both the maximum bandwidth available to the device as well as the default traffic class. Use of the default traffic class is not required, but strongly recommended to avoid the possibility that traffic is not classified into a QoS queue. In the router's Quality of Service configuration, we will add the following statements:
     bwinit --dev eth0 --bandwidth 1536Kbit --default 20 
     bwinit --dev Serial0 --bandwidth 1536Kbit --default 20 
In the above configuration, we have specified a device (eth0 and Serial0, respectively), the total bandwidth available (1.5 Mbps, or T1 speeds) to both devices and a default traffic class (20, in both cases). The default class instructs the router to sort all unclassified traffic into class 20 automatically.
Next, we must configure the bandwidth allocations for each of the five classes specified above:
  1. Rules for Ethernet0
     bwadd --dev eth0 --classid 10 --minimum 256Kbit \
       --maximum 1Mbit --priority 1
     bwadd --dev eth0 --classid 15 --minimum 32Kbit \
       --maximum 128Kbit --priority 2
     bwadd --dev eth0 --classid 20 --minimum 128Kbit \
       --maximum 1Mbit --priority 3 --fair-queue
     bwadd --dev eth0 --classid 30 --minimum 128Kbit \
       --maximum 512Kbit --priority 4 --fair-queue
     bwadd --dev eth0 --classid 35 --minimum 128Kbit \
       --maximum 1500Kbit --priority 5 --fair-queue
  2. Rules for Serial0
     bwadd --dev Serial0 --classid 10 --minimum 256Kbit \
       --maximum 1Mbit --priority 1
     bwadd --dev Serial0 --classid 15 --minimum 32Kbit \
       --maximum 128Kbit --priority 2
     bwadd --dev Serial0 --classid 20 --minimum 128Kbit \
       --maximum 1Mbit --priority 3 --fair-queue
     bwadd --dev Serial0 --classid 30 --minimum 128Kbit \
       --maximum 512Kbit --priority 4 --fair-queue
     bwadd --dev Serial0 --classid 35 --minimum 128Kbit \
       --maximum 1500Kbit --priority 5 --fair-queue
Again, please note that the rules for Ethernet0 and Serial0 are identical. Each set of queues will apply only in the transmit direction ("upstream" traffic leaves on Serial0, "downstream" traffic leaves the router on Ethernet0). In most networks where upload and download speeds are symmetric, the rules for the inward-facing and outward-facing interfaces will be identical. The class identification numbers we have chosen for this example are arbitrary. You may select a range of valid integers, and the class identifiers do not have to match from interface to interface.
The rules follow a common format:
bwadd - Specifies that the router is adding a rule to an initialized interface.
--dev DEVICE - Specifies that the router is adding a rule to the device named DEVICE.
--classid XX - Configures a QoS class with the identifier "XX". This class value is used later by iptables.
--minimum XX - Configures the minimum guaranteed bandwidth ("XX") for this class. The router will attempt to always guarantee this amount of traffic to the class.
Kbit, Mbit - Notation used to specify Kilobits and Megabits. Only whole numbers are valid, so 1.5 Megabit becomes 1500Kbit.
--maximum XX - Configures the maximum allowed bandwidth ("XX") for this class. The router will not allow traffic in this class to exceed the specified maximum.
--priority XX - Specifies an optional priority value ("XX") from 0 to 8 used to rank classes in order of bandwidth allocations.
The --fair-queue option enables Stochastic Fair Queuing (SFQ) for the class. This option accepts no configuration variables. The router will allocate bandwidth fairly to all class members. This is especially useful in busy classes where a combination of users with different bandwidth usage profiles share a common bandwidth limit. SFQ's help to avoid a single user or small group of users from using all of the bandwidth available to a class to the exclusion of other class members.
Neither --minimum nor --maximum is required on its own: you may specify only one of them, and the router will set the other equal to it. The router does not check for oversubscription or overallocation, so check your configuration carefully against the bandwidth your network actually has. Save your Quality of Service configuration. It is not necessary to instate the rules immediately, but the configuration will not take effect until you do.
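Two rules from this chapter are easy to break while editing rc.qos by hand: every device must be initialized with bwinit before any bwadd line refers to it, and, as just noted, the router will not tell you when the class minimums add up to more than the link or a class maximum exceeds the device bandwidth. The shell script below is an added example, not part of the ImageStream documentation or software. It checks a bwinit/bwadd classify-method configuration (read from a file argument or stdin) before the rules are instated: the #!/bin/sh first line, backslash continuations, Kbit/Mbit whole-number values, bwinit-before-bwadd per device, duplicate class ids, minimum not above maximum, maximum not above the link, and the total of the guaranteed minimums per device. Both sample configurations are constructed; the one with mistakes is deliberately wrong. Mbit is taken as 1000 Kbit, matching the "1.5 Megabit becomes 1500Kbit" rule above, and the function name is this example's choice.

```shell
#!/bin/sh
# Added example, not ImageStream code: a pre-instate check for the bwinit/bwadd
# classify-method section of rc.qos. Reads the file (argument or stdin), joins
# backslash-continued lines and reports mistakes the router itself will not catch.
qos_lint() {
    awk '
    function kbit(v) {                       # "512Kbit" -> 512, "1Mbit" -> 1000, else -1
        if (v ~ /^[0-9]+Kbit$/) return substr(v, 1, length(v) - 4) + 0
        if (v ~ /^[0-9]+Mbit$/) return substr(v, 1, length(v) - 4) * 1000
        return -1
    }
    function dev(d) { sub(/^Ethernet/, "eth", d); return d }   # Ethernet0 and eth0 are one device
    function opt(name,   i) { for (i = 2; i < NF; i++) if ($i == name) return $(i + 1); return "" }
    function err(where, msg) { nerr++; print where ": " msg }
    NR == 1 && $0 != "#!/bin/sh" { err("line 1", "first line must be #!/bin/sh") }
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }   # command continues on the next line
    { $0 = buf $0; buf = "" }
    /^[ \t]*#/ || NF == 0 { next }                  # comments and blank lines
    $1 == "bwinit" {
        d = dev(opt("--dev")); bw = kbit(opt("--bandwidth"))
        if (bw < 0) { err("line " NR, "bwinit " d ": --bandwidth must be a whole number of Kbit or Mbit"); next }
        link[d] = bw; summin[d] = 0; next
    }
    $1 == "bwadd" {
        d = dev(opt("--dev"))
        if (!(d in link)) { err("line " NR, "bwadd " d ": device not initialized with bwinit"); next }
        cid = opt("--classid"); mn = opt("--minimum"); mx = opt("--maximum")
        if (cid != "") {
            if ((d, cid) in cls) err("line " NR, "bwadd " d ": duplicate --classid " cid)
            cls[d, cid] = 1
        }
        if (mn == "" && mx == "") next       # filter-method or group line: nothing to check here
        if (mn == "") mn = mx                # bwadd sets a missing --minimum/--maximum
        if (mx == "") mx = mn                # equal to the one that was given
        mnk = kbit(mn); mxk = kbit(mx)
        if (mnk < 0 || mxk < 0) { err("line " NR, "bwadd " d " class " cid ": bad bandwidth value"); next }
        if (mnk > mxk) err("line " NR, "bwadd " d " class " cid ": --minimum exceeds --maximum")
        if (mxk > link[d]) err("line " NR, "bwadd " d " class " cid ": --maximum " mx " exceeds device bandwidth " link[d] "Kbit")
        summin[d] += mnk; next
    }
    END {
        for (d in link) if (summin[d] > link[d])
            err("summary", "device " d ": guaranteed minimums total " summin[d] "Kbit, more than the " link[d] "Kbit link")
        print nerr + 0 " problem(s) found"
        exit (nerr > 0)
    }' "$@"
}

# Constructed sample with deliberate mistakes: Serial0 class 30 allows more than
# the link, eth0 is used before bwinit, eth1 has a fractional bandwidth, and the
# Serial0 minimums (256 + 1000 + 512 Kbit) exceed the 1536 Kbit link.
RC_QOS_BAD='#!/bin/sh
# constructed sample with deliberate mistakes
bwinit --dev Serial0 --bandwidth 1536Kbit --default 20
bwadd --dev Serial0 --classid 10 --minimum 256Kbit \
  --maximum 1Mbit --priority 1
bwadd --dev Serial0 --classid 20 --minimum 1Mbit --maximum 1Mbit --priority 3 --fair-queue
bwadd --dev Serial0 --classid 30 --minimum 512Kbit --maximum 2Mbit --priority 4
bwadd --dev eth0 --classid 10 --minimum 256Kbit --maximum 1Mbit --priority 1
bwinit --dev eth1 --bandwidth 1.5Mbit'

# Constructed sample that follows the Serial0 rules from this chapter.
RC_QOS_GOOD='#!/bin/sh
bwinit --dev Serial0 --bandwidth 1536Kbit --default 20
bwadd --dev Serial0 --classid 10 --minimum 256Kbit --maximum 1Mbit --priority 1
bwadd --dev Serial0 --classid 15 --minimum 32Kbit --maximum 128Kbit --priority 2
bwadd --dev Serial0 --classid 20 --minimum 128Kbit --maximum 1Mbit --priority 3 --fair-queue
bwadd --dev Serial0 --classid 30 --minimum 128Kbit --maximum 512Kbit --priority 4 --fair-queue
bwadd --dev Serial0 --classid 35 --minimum 128Kbit --maximum 1500Kbit --priority 5 --fair-queue'

printf '%s\n' "$RC_QOS_BAD" | qos_lint || echo "fix rc.qos before instating the rules"
printf '%s\n' "$RC_QOS_GOOD" | qos_lint
```

The function exits non-zero when it finds a problem, so on the router it can gate the "Instate QoS Rules" step from a script (`qos_lint /path/to/rc.qos && instate`). It only understands bwinit and bwadd lines; raw tc commands in the same file are passed over without comment.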

Classifying Traffic using iptables CLASSIFY

Now we need to sort the traffic into the proper queues. While it is possible to do this from within the "tc" QoS utility, the iptables CLASSIFY target provides a simpler, more flexible and more powerful method. In the router's firewall configuration (Option 1, Option 4, Option 2, Option 1 from the main menu), we will add the statements below. For our VoIP phone, we can match traffic based on the source or destination IP address. We will match traffic coming from the phone (leaving on Serial0) or going to the phone (leaving on Ethernet0), using the phone's address 192.168.1.5 from the service class list above, and add that traffic to class 1:10, which we configured in the previous step:
     #Phone traffic 
     iptables -A POSTROUTING -t mangle -o eth0 -d 192.168.1.5 \
       -j CLASSIFY --set-class 1:10 
     iptables -A POSTROUTING -t mangle -o Serial0 -s 192.168.1.5 \
       -j CLASSIFY --set-class 1:10 
The iptables CLASSIFY rules are always added to the POSTROUTING chain of the mangle table. Note the difference between the two rules, which is the use of -s and -d with the "192.168.1.5" address. For traffic leaving the network on Serial0, 192.168.1.5 will be the source address. For reply traffic returning to the network (Ethernet0), 192.168.1.5 will appear as the destination address. For more information on the path a packet follows through iptables, please see the iptables HOWTO.
The rules use several different elements, explained below:
iptables - Specifies that the router is adding an iptables rule
-A POSTROUTING - Appends (-A) a rule to the router's POSTROUTING chain
-t mangle - Selects the mangle table; POSTROUTING is a chain within that table, and the mangle table is the only one in which the CLASSIFY target is accepted
-o eth0, -o Serial0 - Specifies that only packets that match the specified outbound (-o) interface will match the rule. CLASSIFY rules will always be applied to an outbound interface.
-d XX - Specifies that only packets with a destination address of "XX" will match the rule.
-s XX - Specifies that only packets with a source address of "XX" will match the rule.
-j CLASSIFY - Instructs iptables to take an action (-j) on packets matching this rule, in this case to CLASSIFY them into a QoS queue
--set-class 1:XX - Instructs iptables to add matching packets to class ID 1:XX.
Next, we will add rules for our interactive traffic class. First, add the rules for telnet traffic, which uses port 23:
     #telnet traffic 
     iptables -A POSTROUTING -t mangle -o eth0 -p tcp --sport 23 \
       -j CLASSIFY --set-class 1:15 
     iptables -A POSTROUTING -t mangle -o Serial0 -p tcp --dport 23 \
       -j CLASSIFY --set-class 1:15 
Next, we add the rules for interactive SSH traffic. This traffic uses port 22, but we must also match the ToS bit for Minimize-Delay (0x10). Secure copy (SCP) traffic also uses port 22, but does not set the ToS bit. Please note that some SSH clients, such as PuTTY and SecureCRT, do not set the ToS bit on interactive SSH traffic and will not match this rule. There is no workaround for programs that do not properly set the ToS bit.
     #ssh traffic 
     iptables -A POSTROUTING -t mangle -o eth0 -p tcp -m tos --tos 0x10 \
       --sport 22 -j CLASSIFY --set-class 1:15 
     iptables -A POSTROUTING -t mangle -o Serial0 -p tcp -m tos --tos 0x10 \
       --dport 22 -j CLASSIFY --set-class 1:15 
Notice that the above rules match both port 22 and the Minimize-Delay (0x10) ToS bit. The rules above use some additional elements, explained below:
-p tcp - Specifies that only TCP packets will match the rule ("udp", "icmp" and others are accepted also). The -p directive must be included when using --dport or --sport.
--dport XX - Specifies that only packets with a destination port number of "XX" will match the rule. Requires the use of -p.
--sport XX - Specifies that only packets with a source port number of "XX" will match the rule. Requires the use of -p.
-m tos - Load the Type of Service match module for iptables. The -m tos directive must be included when matching a ToS bit (--tos).
--tos XX - Specifies that only packets with tos bit of "XX" will match the rule. Names such as "Minimize-Delay" are acceptable instead of binary values. Requires the use of -m tos.
Next, we add the rules for the e-mail traffic class. We must match three ports: SMTP (25), POP (110) and IMAP (143). Replies from mail servers leave on eth0 and are matched by source port; outbound mail leaves on Serial0 and is matched by destination port:
     #Mail traffic 
     iptables -A POSTROUTING -t mangle -o eth0 -p tcp --sport 25 -j CLASSIFY --set-class 1:30 
     iptables -A POSTROUTING -t mangle -o eth0 -p tcp --sport 110 -j CLASSIFY --set-class 1:30 
     iptables -A POSTROUTING -t mangle -o eth0 -p tcp --sport 143 -j CLASSIFY --set-class 1:30 
     iptables -A POSTROUTING -t mangle -o Serial0 -p tcp --dport 25 -j CLASSIFY --set-class 1:30 
     iptables -A POSTROUTING -t mangle -o Serial0 -p tcp --dport 110 -j CLASSIFY --set-class 1:30 
     iptables -A POSTROUTING -t mangle -o Serial0 -p tcp --dport 143 -j CLASSIFY --set-class 1:30 
Finally, we will add rules to match FTP traffic from our security camera at 192.168.1.6. The rules match both the IP address and the port numbers (20 and 21):
     #Camera FTP traffic 
     iptables -A POSTROUTING -t mangle -o eth0 -p tcp -d 192.168.1.6 --sport 20:21 -j CLASSIFY --set-class 1:35 
     iptables -A POSTROUTING -t mangle -o Serial0 -p tcp -s 192.168.1.6 --dport 20:21 -j CLASSIFY --set-class 1:35 
Please note the use of the port range "20:21" (a comma-separated list such as "20,21" is not accepted by --sport or --dport; it requires the multiport match, "-m multiport --sports 20,21"). Be careful to match the correct source or destination port. When the FTP server replies to the security camera, it replies from port 20 or 21 to the 192.168.1.6 IP address. Accordingly, we have used the "-d" and "--sport" directives. These rules only catch the control connection and active-mode data connections; passive-mode FTP data transfers use ephemeral ports on the server and will fall into the default class. It is not necessary to instate the rules immediately, but you will need to instate the rules before the configuration will take effect.
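To make the matching rules of this section concrete, here is an added example (not code from the ImageStream manual or the router) that models the POSTROUTING mangle rules above as a small first-to-last classifier and runs constructed packets through it. Interface names, ports, the camera address 192.168.1.6 and the class IDs are the ones used in the rules; the server and client addresses, the packet bytes and the ToS values for the PuTTY, scp and DSCP AF21 cases are assumptions built for the demonstration.

```python
"""Added example: a model of this section's POSTROUTING mangle rules.
Not the router's code; packets and addresses below are constructed."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

PROTO_NAMES = {6: "tcp", 17: "udp"}


@dataclass(frozen=True)
class Rule:
    """One `iptables -A POSTROUTING -t mangle ... -j CLASSIFY` rule."""
    out_iface: str                                 # -o
    proto: str                                     # -p
    klass: str                                     # --set-class
    tos: Optional[int] = None                      # -m tos --tos (whole ToS byte must be equal)
    sport: Optional[range] = None                  # --sport, single port or lo:hi range
    dport: Optional[range] = None                  # --dport
    src: Optional[ipaddress.IPv4Network] = None    # -s
    dst: Optional[ipaddress.IPv4Network] = None    # -d


def ports(lo: int, hi: Optional[int] = None) -> range:
    """A single port or an inclusive range, like iptables' "20:21"."""
    return range(lo, (lo if hi is None else hi) + 1)


CAMERA = ipaddress.ip_network("192.168.1.6/32")

# The rules of this section, in the order they are appended to POSTROUTING.
RULES = [
    # ssh traffic: port 22 AND ToS Minimize-Delay (0x10)
    Rule("eth0", "tcp", "1:15", tos=0x10, sport=ports(22)),
    Rule("Serial0", "tcp", "1:15", tos=0x10, dport=ports(22)),
    # mail traffic: SMTP, POP, IMAP
    Rule("eth0", "tcp", "1:30", sport=ports(25)),
    Rule("eth0", "tcp", "1:30", sport=ports(110)),
    Rule("eth0", "tcp", "1:30", sport=ports(143)),
    Rule("Serial0", "tcp", "1:30", dport=ports(25)),
    Rule("Serial0", "tcp", "1:30", dport=ports(110)),
    Rule("Serial0", "tcp", "1:30", dport=ports(143)),
    # FTP to and from the security camera
    Rule("eth0", "tcp", "1:35", dst=CAMERA, sport=ports(20, 21)),
    Rule("Serial0", "tcp", "1:35", src=CAMERA, dport=ports(20, 21)),
]


def make_tcp(src: str, dst: str, sport: int, dport: int, tos: int = 0) -> bytes:
    """Build a minimal IPv4 header plus a 20-byte TCP header (constructed input)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_packet(raw: bytes) -> dict:
    """Extract the fields the rules look at from an IPv4 packet."""
    (ver_ihl, tos, _tlen, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return {"tos": tos, "proto": PROTO_NAMES.get(proto, str(proto)),
            "src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "sport": sport, "dport": dport}


def classify(raw: bytes, out_iface: str) -> Optional[str]:
    """Return the class a packet leaving out_iface is put in, or None.

    CLASSIFY does not stop rule traversal, so if several rules match the
    same packet the last matching rule in the table wins.
    """
    pkt = parse_packet(raw)
    klass = None
    for r in RULES:
        if r.out_iface != out_iface or r.proto != pkt["proto"]:
            continue
        if r.tos is not None and pkt["tos"] != r.tos:
            continue
        if r.sport is not None and pkt["sport"] not in r.sport:
            continue
        if r.dport is not None and pkt["dport"] not in r.dport:
            continue
        if r.src is not None and pkt["src"] not in r.src:
            continue
        if r.dst is not None and pkt["dst"] not in r.dst:
            continue
        klass = r.klass
    return klass


if __name__ == "__main__":
    server, client = "203.0.113.10", "192.168.1.20"   # constructed addresses
    cases = {
        "OpenSSH interactive reply (ToS 0x10)": (make_tcp(server, client, 22, 51000, tos=0x10), "eth0"),
        "PuTTY session reply (no ToS)": (make_tcp(server, client, 22, 51001), "eth0"),
        "scp reply (ToS 0x08)": (make_tcp(server, client, 22, 51002, tos=0x08), "eth0"),
        "OpenSSH 7.8+ reply (DSCP AF21 = 0x48)": (make_tcp(server, client, 22, 51003, tos=0x48), "eth0"),
        "Outbound SMTP": (make_tcp(client, server, 51004, 25), "Serial0"),
        "FTP control reply to camera": (make_tcp(server, "192.168.1.6", 21, 51005), "eth0"),
        "Passive-mode FTP data to camera": (make_tcp(server, "192.168.1.6", 50123, 51006), "eth0"),
    }
    for name, (pkt, iface) in cases.items():
        print(f"{name:40} -> {classify(pkt, iface)}")
```

Running the script shows that only the first SSH case lands in 1:15; the PuTTY, scp and AF21 packets and the passive-mode FTP data connection all return None, i.e. they are left to the default class, which is the behaviour the caveats above describe.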

Configuring Quality of Service using Differentiated Services (DIFFSERV)

ImageStream Routers also provide the in-depth tc utility for Quality of Service management. This Differentiated Services (DiffServ) utility is the standard traffic control tool provided by Linux. tc commands may be specified in the QoS configuration file or directly on the command line. The tc commands generated by the bwinit and bwadd utilities are stored in the router's /tmp directory for reference by advanced users. See the Linux Advanced Routing and Traffic Control guide for information on using the tc commands and other advanced Linux routing utilities. Once you have entered all of the Quality of Service rules in the configuration file (/etc/rc.d/rc.bwlimit by default), save the file by pressing Control-X. If you have made changes to the file, the router will prompt you to save the file at the bottom of the screen:
     Save modified buffer (ANSWERING "No" WILL DESTROY CHANGES) ?  Y Yes  N No  ^C Cancel
Press Y on your keyboard. The router will prompt you for a file name:
     File Name to write: /etc/rc.d/rc.bwlimit ^C Cancel 
You should accept the default filename. If you choose to save the file in a different location, the router will not automatically locate the file and instate any changes. Press Enter on the keyboard to accept the default. The ^C notation indicates the key combination Control-C. You may press Control-C at any time during the save process to return to the file.
Note: You must save the settings to the router's non-volatile flash memory! If the router is rebooted before saving, your changes will be lost! See Chapter 26, "Backup/Restore Menu: Managing Configurations" for more information.
Once you have saved the file by pressing Enter, the router will display: Instating QOS rules...done. and return you to the Quality of Service menu:
     QOS Menu (diffserv), (instated) 
     1. Configure QoS management 
     2. Enable QoS on boot 
     3. Disable QoS on boot 
     4. Instate QoS Rules 
     5. Clear QoS Rules 
     6. Restore to default configuration 
     0. Firewall and QOS configuration

Enabling QoS at Boot-time

2. Enable QoS on boot
Selecting this menu option enables the QoS rules when the router is booted. It does not start QoS now if it is not already running; the rules take effect at the next reboot, or when you instate them from this menu. By default, the QoS configuration is enabled on boot. To enable QoS on boot, select this menu option by pressing 2 and Enter. The router will display the message:
     QOS enabled on boot
If the QoS configuration has already been enabled on boot, the router will display the message:
     QOS already enabled on boot 
The resulting message will only be displayed for a few seconds, and then you will be returned to the Quality of Service menu.

Disabling QoS at Boot-time

3. Disable QoS on boot
Selecting this menu option disables the QoS rules when the router is booted. It does not stop QoS now if it is running; the rules stay in effect until the next reboot, or until you clear them from this menu. To disable QoS on boot, select this menu option by pressing 3 and Enter. The router will display the following message:
     QOS disabled on boot. 
If the QoS configuration has already been disabled on boot, the router will display the message:
     QOS already disabled on boot. 
The resulting message will only be displayed for a few seconds, and then you will be returned to the Quality of Service menu.

Instating QoS Rules

4. Instate QoS rules

Selecting this menu option instates the QoS configuration on the router. Instating the QoS configuration does not automatically enable QoS when the router is booted. To instate the QoS rules, select this menu option by pressing 4 and Enter. The router will display the following message:
     Instating QoS rules...done. 
The message will only be displayed for a few seconds, and then you will be returned to the Quality of Service menu.
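Instating the rules only loads them; it does not tell you whether they are matching any traffic. The check a practitioner wants after instating is the per-rule packet counters of the mangle table: a CLASSIFY rule whose counter stays at zero while the traffic it should catch is flowing is a sign that the match is wrong (for example SSH clients that do not send ToS 0x10). The following is an added example, not part of the manual or of the router's software, that parses such counter output. The sample text is constructed to look like the output of `iptables -t mangle -L POSTROUTING -v -n -x` for the rules of this chapter; the packet and byte counts are made up, and the exact wording of the match column varies between iptables versions.

```python
"""Added example: find CLASSIFY rules that are not matching any traffic.
Not the router's code; the sample output below is constructed."""
import re
import subprocess
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of `iptables -t mangle -L POSTROUTING -v -n -x`; counts are invented.
SAMPLE = """\
Chain POSTROUTING (policy ACCEPT 18422 packets, 9110382 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     842      61290 CLASSIFY   tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:22 tos match0x10 CLASSIFY set 1:15
       0          0 CLASSIFY   tcp  --  *      Serial0 0.0.0.0/0            0.0.0.0/0            tcp dpt:22 tos match0x10 CLASSIFY set 1:15
    1203    1745022 CLASSIFY   tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:25 CLASSIFY set 1:30
      77     103404 CLASSIFY   tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:110 CLASSIFY set 1:30
     310      24866 CLASSIFY   tcp  --  *      Serial0 0.0.0.0/0            0.0.0.0/0            tcp dpt:25 CLASSIFY set 1:30
    5510    6101344 CLASSIFY   tcp  --  *      eth0    0.0.0.0/0            192.168.1.6          tcp spts:20:21 CLASSIFY set 1:35
    4128     268320 CLASSIFY   tcp  --  *      Serial0 192.168.1.6          0.0.0.0/0            tcp dpts:20:21 CLASSIFY set 1:35
"""

CLASS_RE = re.compile(r"CLASSIFY set (\d+:[0-9a-f]+)", re.IGNORECASE)


def parse_counters(text: str) -> List[dict]:
    """One dict per CLASSIFY rule: packet and byte counters, output interface,
    class ID, and the match text in front of the target description."""
    rows = []
    for line in text.splitlines():
        # Columns: pkts bytes target prot opt in out source destination <matches>
        parts = line.split(None, 9)
        if len(parts) < 10 or not parts[0].isdigit():
            continue  # "Chain ..." line or the column header
        pkts, nbytes, target, _prot, _opt, _in_if, out_if, _src, _dst, rest = parts
        if target != "CLASSIFY":
            continue
        m = CLASS_RE.search(rest)
        if m is None:
            continue
        rows.append({"pkts": int(pkts), "bytes": int(nbytes), "out": out_if,
                     "class": m.group(1), "match": rest[:m.start()].strip()})
    return rows


def per_class_totals(rows: List[dict]) -> Dict[str, Tuple[int, int]]:
    """Sum packets and bytes per traffic class across all of its rules."""
    totals = defaultdict(lambda: [0, 0])
    for r in rows:
        totals[r["class"]][0] += r["pkts"]
        totals[r["class"]][1] += r["bytes"]
    return {klass: (pk, by) for klass, (pk, by) in totals.items()}


def idle_rules(rows: List[dict]) -> List[dict]:
    """Rules that have never matched. In the sample the outbound SSH rule is
    idle: that is what you see when clients such as PuTTY, or OpenSSH 7.8 and
    later with its default DSCP AF21 marking, do not send ToS 0x10."""
    return [r for r in rows if r["pkts"] == 0]


def live_counters() -> str:
    """Read the real table on the router (requires root); not used by the sample run."""
    result = subprocess.run(
        ["iptables", "-t", "mangle", "-L", "POSTROUTING", "-v", "-n", "-x"],
        check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    rows = parse_counters(SAMPLE)          # swap in live_counters() on the router
    for klass, (pkts, nbytes) in sorted(per_class_totals(rows).items()):
        print(f"class {klass}: {pkts} packets, {nbytes} bytes")
    for r in idle_rules(rows):
        print(f"no hits: -o {r['out']} {r['match']} -> class {r['class']}")
```

On the sample data the script reports per-class totals for 1:15, 1:30 and 1:35 and flags the Serial0 port-22 rule as never having matched. Counters are cumulative since the rules were instated, so clear them (or re-instate the rules) before a test and generate the traffic you expect each rule to catch.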

Clearing QoS Rules

5. Clear QoS rules

Selecting this menu option clears the QoS configuration on the router. Clearing the QoS configuration does not automatically disable QoS when the router is booted. To clear the QoS rules, select this menu option by pressing 5 and Enter. The router will display the following message:
     Clearing QOS rules...done. 
The message will only be displayed for a few seconds, and then you will be returned to the Quality of Service menu.

Restoring Factory Default QoS Configuration

6. Restore to default configuration

Selecting this menu option removes the stored QoS configuration from the router's nonvolatile flash memory. Selecting this menu option and confirming your selection will remove any user-defined QoS configurations from the router. This will not instate or clear any of the rules, and will not enable or disable QoS rules. Selecting this option will restore the router to the factory default QoS configuration only.

To restore the factory default QoS rules, select this menu option by pressing 6 and Enter. The router will display a confirmation menu:

     Set default config for qos? 
     1. Yes 
     2. No 
     0. Quit 
Pressing 2 or 0 and Enter will return you to the Quality of Service menu without making any changes to the configuration. Confirming your decision to restore the factory default QoS configuration by pressing 1 and Enter will display:
     qos returned to default configuration. Press enter/return to continue 
Press Enter to return to the Quality of Service menu.

Returning to the Firewall/QOS Configuration Menu

0. Firewall and QOS configuration
Selecting this menu option returns you to the "Firewall and QOS configuration" menu. To return to that menu, press 0 and Enter. The router will display the Firewall and QOS configuration menu:
     Firewall and QOS configuration 
     1. QOS Menu (diffserv), (instated) 
     2. Firewall (iptables), (instated) 
     0. Configuration menu