[nlug] Re: Need help with Traffic Shaping

2008-09-11 Thread Mark J Bailey

I haven't done this yet, but a number of guys on the pfSense forums have
reported it works quite well:



--On Thursday, September 11, 2008 2:59 PM -0500 Chris McQuistion 
<[EMAIL PROTECTED]> wrote:

> I kinda like that idea.  Maybe a Comcast business-class connection for
> HTTP and use our 3mb connection for everything else.  I think pfSense
> has a module for this.
>
> Chris
>
> Steven S. Critchfield wrote:
>
> With the advanced routing stuff, yes. Anything you can identify with
> firewall rules can be placed in buckets, and then you can prioritize
> that to make it better. But like I said, and others too, this only
> helps the outbound congestion. Inbound would still be out of his
> control. This is why I also mentioned the idea of a second, less
> expensive async network connection and the ability to route
> based on the type of traffic to certain networks. You could easily
> route all your download-intensive apps to the async network and
> keep the sync network for the symmetrical or higher upload-intensive
> applications. Since then you could better control your congestion.

[nlug] Re: Need help with Traffic Shaping

2008-09-11 Thread Chris McQuistion
I kinda like that idea.  Maybe a Comcast business-class connection for 
HTTP and use our 3mb connection for everything else.  I think pfSense 
has a module for this.

Chris


Steven S. Critchfield wrote:
> With the advanced routing stuff, yes. Anything you can identify with
> firewall rules can be placed in buckets, and then you can prioritize
> that to make it better. But like I said, and others too, this only
> helps the outbound congestion. Inbound would still be out of his
> control. This is why I also mentioned the idea of a second, less
> expensive async network connection and the ability to route
> based on the type of traffic to certain networks. You could easily
> route all your download-intensive apps to the async network and
> keep the sync network for the symmetrical or higher upload-intensive
> applications. Since then you could better control your congestion.

[nlug] Re: Need help with Traffic Shaping

2008-09-11 Thread Steven S. Critchfield

With the advanced routing stuff, yes. Anything you can identify with
firewall rules can be placed in buckets, and then you can prioritize
that to make it better. But like I said, and others too, this only
helps the outbound congestion. Inbound would still be out of his
control. This is why I also mentioned the idea of a second, less
expensive async network connection and the ability to route
based on the type of traffic to certain networks. You could easily
route all your download-intensive apps to the async network and
keep the sync network for the symmetrical or higher upload-intensive
applications. Since then you could better control your congestion.

- "Mark J Bailey" <[EMAIL PROTECTED]> wrote:
> Would he be able to shape RTP somehow on its Type of Server (TOS) 
> designation of 0xba (dec 184)???
> 
> --On Thursday, September 11, 2008 11:18 AM -0500 "Steven S. Critchfield"
> <[EMAIL PROTECTED]> wrote:

-- 
Steven Critchfield [EMAIL PROTECTED]

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"NLUG" group.
To post to this group, send email to nlug-talk@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/nlug-talk?hl=en
-~--~~~~--~~--~--~---
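An added example, not Steven's actual configuration and not code from anyone in this thread, of the two-link setup he describes here and in more detail in his earlier reply further down: a Linux firewall with a symmetric link carrying static public addresses ("Butler") and a cheaper asymmetric link ("Comcast"), where an internal host's source range decides which link it uses, plus Chris's idea of steering HTTP to the asymmetric link. Interface names, gateways, the 10.1.x.0/24 ranges and the 203.0.113.0/24 public block are placeholders. The part the thread does not mention, and the one that bites in practice, is the connection marking: a reply from an internal host to a connection that came in on Butler must leave on Butler, or it goes out Comcast with a source address Comcast never routed and may be dropped upstream; strict reverse-path filtering on the firewall itself would drop it even earlier.

```shell
#!/bin/sh
# Added example, not the configuration from the thread: source-range policy
# routing on a Linux firewall with two uplinks, a symmetric one with a static
# public block ("butler") and a cheaper asymmetric one ("comcast"). All
# interfaces, gateways and address ranges are placeholders. Without --apply
# it only prints the commands so they can be reviewed first.

BUTLER_IF="${BUTLER_IF:-eth1}";   BUTLER_GW="${BUTLER_GW:-203.0.113.1}"
COMCAST_IF="${COMCAST_IF:-eth2}"; COMCAST_GW="${COMCAST_GW:-198.51.100.1}"
ONE_TO_ONE_NET="10.1.1.0/24"   # hosts with a 1-to-1 public address on Butler
MIRROR_NET="10.1.2.0/24"       # "mirror" range: alternate addresses forced out Comcast
DEFAULT_NET="10.1.3.0/24"      # everything else (plain DHCP clients): Comcast only
T_BUTLER=100; T_COMCAST=200    # routing table ids (may be named in rt_tables)

# One SNAT/DNAT pair per 1-to-1 mapping; both addresses are placeholders.
one_to_one() {
    echo "iptables -t nat -A POSTROUTING -s $1 -o $BUTLER_IF -j SNAT --to-source $2"
    echo "iptables -t nat -A PREROUTING -i $BUTLER_IF -d $2 -j DNAT --to-destination $1"
}

emit_policy_routing() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# strict reverse-path filtering drops replies that arrive on the "other" link
sysctl -w net.ipv4.conf.all.rp_filter=2
# one routing table per uplink; Comcast is the default in the main table
ip route add default via $BUTLER_GW dev $BUTLER_IF table $T_BUTLER
ip route add default via $COMCAST_GW dev $COMCAST_IF table $T_COMCAST
ip route replace default via $COMCAST_GW dev $COMCAST_IF
# packets already tied to a link by connection mark go back out that link
ip rule add fwmark 0x1/0x3 lookup $T_BUTLER priority 100
ip rule add fwmark 0x2/0x3 lookup $T_COMCAST priority 101
# otherwise the source range decides, as in the thread
ip rule add from $ONE_TO_ONE_NET lookup $T_BUTLER priority 200
ip rule add from $MIRROR_NET lookup $T_COMCAST priority 201
ip rule add from $DEFAULT_NET lookup $T_COMCAST priority 202
# connection marking: remember which uplink a connection arrived on so the
# replies from inside leave the same way (bits 0-1 of the mark are ours)
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark --mask 0x3
iptables -t mangle -A PREROUTING -m mark ! --mark 0/0x3 -j ACCEPT
iptables -t mangle -A PREROUTING -i $BUTLER_IF -m conntrack --ctstate NEW -j MARK --set-mark 0x1/0x3
iptables -t mangle -A PREROUTING -i $COMCAST_IF -m conntrack --ctstate NEW -j MARK --set-mark 0x2/0x3
# optional per-traffic-type steering (the "Comcast for HTTP" idea): web from
# the 1-to-1 range goes out the asymmetric link, everything else stays put
iptables -t mangle -A PREROUTING -s $ONE_TO_ONE_NET -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j MARK --set-mark 0x2/0x3
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark --mask 0x3
# NAT: masquerade on the consumer link, 1-to-1 on Butler
iptables -t nat -A POSTROUTING -o $COMCAST_IF -j MASQUERADE
EOF
    one_to_one 10.1.1.10 203.0.113.10
    one_to_one 10.1.1.11 203.0.113.11
}

case "${1:-}" in
    --apply) emit_policy_routing | sh -e ;;
    *)       emit_policy_routing ;;
esac
```

Run without `--apply` to review the commands. Afterwards `ip rule show` lists the selectors in priority order and `ip route show table 200` confirms the Comcast table has its default route; the mark uses only bits 0-1 so it coexists with any other fwmark use on the box.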



[nlug] Re: Need help with Traffic Shaping

2008-09-11 Thread Mark J Bailey

Would he be able to shape RTP somehow on its Type of Server (TOS) 
designation of 0xba (dec 184)???

--On Thursday, September 11, 2008 11:18 AM -0500 "Steven S. Critchfield" 
<[EMAIL PROTECTED]> wrote:

>
>
> - "Chris McQuistion" <[EMAIL PROTECTED]> wrote:
>> Bill Butler suggested that if we could prioritize RTP, over everything
>> else, that may be enough by itself.  Unfortunately, neither Untangle,
>> nor our internal firewall/router (a Sonicwall Pro 3060) have the
>> ability to prioritize RTP.  They only have rules for TCP, UDP, ICMP, etc.
>>
>> I have tried pfSense, but I'm not having much luck getting it to do
>> traffic shaping, in both directions, when it is in transparent bridge
>> mode.
>>
>> Anyone have any ideas or know of somewhere you can point me?
>
> RTP is a type of traffic like HTTP. RTP is usually found inside UDP
> packets because some dropped audio is better than the lag that a TCP
> connection could cause.
>
> Another thing to know, you can't really traffic shape what you receive.
> By the time the bits have crossed the wire to you and you see them, they
> have already contributed to your congestion. You can only really affect
> your outbound portion. And in effect, that will help shape your inbound.
> Specifically if you throttle some streams, then the other side will slow
> as well.
>
> I would suggest maybe reading the Linux Advanced Routing and Traffic
> Control HOWTO.
> http://lartc.org/
>
> You might even be able to put the information from here into place on
> your Untangle box. The part I think you need to look at specifically is
> chapter 9: Queueing Disciplines for Bandwidth Management.
>
> When reading the LARTC docs, it took quite a while for me to get my
> head wrapped around some of the things you could do.
>
> To give you an idea of the fun we had and did with our firewall, and
> maybe an idea for you and your network management, we built a firewall
> with 1-to-1 NATing from Butler to our internal network. We also do normal
> NATing from Comcast. We then put IP range rules internally for traffic to
> go out either Butler or Comcast. One range is the specific 1-to-1 NAT, and
> therefore traffic originating there will show up on the internet with the
> static public IP. There is a mirror range of the 1-to-1 NAT that is
> reserved for traffic destined to go out Comcast. There is another range
> devoted to machines otherwise not configured in DHCP to only go out
> Comcast. The 1-to-1 range and the mirror range allow our users to
> determine what link they wish their traffic to traverse. Granted this is
> due to a small user base and ones I can go talk to should a link become
> congested.
>
> You could possibly augment your network with an asymmetrical link like we
> did. Then route certain traffic that you can identify as asymmetrical to
> that link. Web browsing over a fast-download, slow-upload link is much
> nicer than over the slower symmetrical link. I am sure you would probably
> choose different segmentation than we did, but the work would still be
> useful to you.
>
> --
> Steven Critchfield [EMAIL PROTECTED]
>




Mark J. BaileyJobsoft Design & Development, Inc.
104 Arlington Place, Suite 100Franklin, TN 37064
EMAIL: [EMAIL PROTECTED]  WEB: http://www.jobsoft.com/
VOICE:(615)904-9559 FAX:(615)904-9576 CELL:(615)308-9099





[nlug] Re: Need help with Traffic Shaping

2008-09-11 Thread Steven S. Critchfield


- "Chris McQuistion" <[EMAIL PROTECTED]> wrote:
> Bill Butler suggested that if we could prioritize RTP, over everything
> else, that may be enough by itself.  Unfortunately, neither Untangle,
> nor our internal firewall/router (a Sonicwall Pro 3060) have the ability
> to prioritize RTP.  They only have rules for TCP, UDP, ICMP, etc.
>
> I have tried pfSense, but I'm not having much luck getting it to do
> traffic shaping, in both directions, when it is in transparent bridge
> mode.
>
> Anyone have any ideas or know of somewhere you can point me?

RTP is a type of traffic like HTTP. RTP is usually found inside UDP
packets because some dropped audio is better than the lag that a TCP
connection could cause.

Another thing to know, you can't really traffic shape what you receive.
By the time the bits have crossed the wire to you and you see them, they
have already contributed to your congestion. You can only really affect
your outbound portion. And in effect, that will help shape your inbound.
Specifically if you throttle some streams, then the other side will slow
as well.

I would suggest maybe reading the Linux Advanced Routing and Traffic
Control HOWTO.
http://lartc.org/

You might even be able to put the information from here into place on
your Untangle box. The part I think you need to look at specifically is
chapter 9: Queueing Disciplines for Bandwidth Management.

When reading the LARTC docs, it took quite a while for me to get my
head wrapped around some of the things you could do.

To give you an idea of the fun we had and did with our firewall, and
maybe an idea for you and your network management, we built a firewall
with 1-to-1 NATing from Butler to our internal network. We also do normal
NATing from Comcast. We then put IP range rules internally for traffic to
go out either Butler or Comcast. One range is the specific 1-to-1 NAT, and
therefore traffic originating there will show up on the internet with the
static public IP. There is a mirror range of the 1-to-1 NAT that is reserved
for traffic destined to go out Comcast. There is another range devoted
to machines otherwise not configured in DHCP to only go out Comcast. The
1-to-1 range and the mirror range allow our users to determine what link
they wish their traffic to traverse. Granted this is due to a small user
base and ones I can go talk to should a link become congested.

You could possibly augment your network with an asymmetrical link like we
did. Then route certain traffic that you can identify as asymmetrical to
that link. Web browsing over a fast-download, slow-upload link is much
nicer than over the slower symmetrical link. I am sure you would probably
choose different segmentation than we did, but the work would still be
useful to you.

-- 
Steven Critchfield [EMAIL PROTECTED]
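An added example, not code from this thread, of what Steven points at in LARTC chapter 9 and what Mark asks about further up (shaping on the TOS value): an HTB egress shaper for a Linux box (Untangle is Linux underneath) that classifies on the DSCP bits of the TOS byte. Two things to get right. The value the thread calls 184 is 0xb8 (DSCP EF is 46, and 46 << 2 = 184); 0xba is 186, which carries the same DSCP with the ECN bits set, so the filter masks with 0xfc and matches both. And it only shapes what leaves the box, which is what the thread says too: attach it to the interface facing the ISP router (on the transparent bridge, the bridge port on that side). The bulk class gets SFQ so one TCP download cannot hog the remainder, which is the fairness Tim is after, though it is not WRED. Interface name, rates and the PBX address are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: an egress shaper that gives RTP
# marked DSCP EF (TOS byte 0xb8 = 184) a strict-priority HTB class on a
# 3 Mbit uplink, built from the HTB/u32 pieces in LARTC chapter 9.
# Interface name, rates and PBX address are assumptions to adapt.
# Without --apply it only prints the commands so they can be reviewed.

WAN="${WAN:-eth0}"                # assumed interface facing the ISP router
SHAPE_TO="${SHAPE_TO:-2800}"      # kbit: a bit under the 3000 kbit line rate so
                                  # the queue forms here, where we control it,
                                  # not in the ISP's router
VOICE_RATE="${VOICE_RATE:-800}"   # kbit guaranteed to voice (about 8 G.711 calls)
PBX="${PBX:-}"                    # assumed PBX address, only if RTP is not already EF-marked

# DSCP is the top six bits of the TOS byte: 0xb8 -> 46 (EF). 0xba also gives
# 46, since its extra bits are the ECN field, which is why the filter below
# masks with 0xfc.
tos_to_dscp() {
    _tos=$(printf '%d' "$1")
    echo $(( _tos >> 2 ))
}

emit_tc_rules() {
    BULK_RATE=$(( SHAPE_TO - VOICE_RATE ))
    cat <<EOF
tc qdisc del dev $WAN root 2>/dev/null || true
tc qdisc add dev $WAN root handle 1: htb default 20
tc class add dev $WAN parent 1: classid 1:1 htb rate ${SHAPE_TO}kbit ceil ${SHAPE_TO}kbit
tc class add dev $WAN parent 1:1 classid 1:10 htb rate ${VOICE_RATE}kbit ceil ${SHAPE_TO}kbit prio 0
tc class add dev $WAN parent 1:1 classid 1:20 htb rate ${BULK_RATE}kbit ceil ${SHAPE_TO}kbit prio 1
tc qdisc add dev $WAN parent 1:10 handle 10: pfifo limit 10
tc qdisc add dev $WAN parent 1:20 handle 20: sfq perturb 10
tc filter add dev $WAN parent 1: protocol ip prio 1 u32 match ip tos 0xb8 0xfc flowid 1:10
EOF
    # If the phones do not mark EF themselves, mark RTP from the PBX on the
    # way out; mangle POSTROUTING runs before the egress qdisc sees the packet.
    if [ -n "$PBX" ]; then
        echo "iptables -t mangle -A POSTROUTING -o $WAN -p udp -s $PBX -j DSCP --set-dscp-class EF"
    fi
}

case "${1:-}" in
    --apply) emit_tc_rules | sh -e ;;
    *)       emit_tc_rules ;;
esac
```

Confirm the phones actually mark EF before relying on it (`tcpdump -v -n udp` prints the tos field of each packet), and after applying, `tc -s class show dev eth0` shows whether packets and bytes land in 1:10 rather than 1:20. Inbound still cannot be queued this way; the ingress qdisc LARTC describes can only police, which makes TCP senders back off but gives voice no priority queue, consistent with what Steven and Tim say.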




[nlug] Re: Need help with Traffic Shaping

2008-09-11 Thread Tim Jackson
If you can prioritize UDP traffic that is all that you need... Since RTP
itself is just UDP traffic... More than likely your problem will be inbound
rather than outbound... How often are there large packets being sent up the
3mbps pipe?

Downstream you can't control what gets put into queue from Time Warner and
how it gets put into queue, and if you're hearing the voice quality degrade
on your end you can't do a whole lot about it other than attempting to use
some WRED-type methods to get TCP streams to slow down, but that will only
buy you so much, without any low-latency (priority queueing) downstream it
has the possibility of sounding bad.

--
Tim

On Thu, Sep 11, 2008 at 10:55 AM, Chris McQuistion
<[EMAIL PROTECTED]>wrote:

>
> I was wondering if anyone on the list has any experience with putting
> together some kind of transparent bridge, for the purpose of traffic
> shaping for VoIP.
>
> Here is my situation.  I've got a 3 Mb down/3 Mb up connection.  It is
> pretty saturated most of the time, with over 100 users.  Our current
> internal firewall/router (Sonicwall Pro 3060) is doing a good job and
> quite complex, so I would like to not replace it.  I would prefer to
> just put a transparent bridge between it and the Time Warner router
> (which provides our 3 Mb connection.)
>
> I currently use Untangle (something I heard about on this list) as a
> transparent bridge to do content filtering, antivirus, antispyware,
> antispam, antiphishing, and protocol control (for P2P blocking.)
> Implementing this box helped with our network congestion a good amount.
> I think the P2P blocking probably made the biggest difference.  The
> problem is that our VoIP quality is still terrible.  Untangle has some
> QoS ability, but I have spent a good while tweaking it and it hasn't
> helped our VoIP quality enough.
>
> Bill Butler suggested that if we could prioritize RTP, over everything
> else, that may be enough by itself.  Unfortunately, neither Untangle,
> nor our internal firewall/router (a Sonicwall Pro 3060) have the ability
> to prioritize RTP.  They only have rules for TCP, UDP, ICMP, etc.
>
> I have tried pfSense, but I'm not having much luck getting it to do
> traffic shaping, in both directions, when it is in transparent bridge mode.
>
> Anyone have any ideas or know of somewhere you can point me?
>
> Thanks,
>
> Chris
>
