FireQOS working but not giving expected result for VOIP

pagaille · May 27, 2019, 8:33am

NethServer Version: 7.6.1810
Module: Traffic shaping

Hi,

I use traffic shaping to give our VOIP phones priority over the rest of the traffic. As far as I can tell the traffic is correctly tagged into the right category but If I saturate the bandwidth the sound quality becomes really unacceptable.

Should the traffic shaper be able to handle such situation ? I tried various ways to get it working correctly, including specifying a lower than real available bandwidth in the ppp; fiddling with the TCLinklayer parameter (which looks not taken into account) but didn’t succeed, it just don’t work.

Anybody has had better success than me ?

db networks show
EDPNT=provider
    interface=ppp0
    weight=100
br0=bridge
    FwInBandwidth=
    FwOutBandwidth=
    bootproto=none
    gateway=
    ipaddr=10.10.1.1
    netmask=255.255.248.0
    role=green
enp3s4f0=ethernet
    FwInBandwidth=
    FwOutBandwidth=
    bridge=br0
    role=bridged
enp3s4f1=ethernet
    FwInBandwidth=1000
    FwOutBandwidth=1000
    bootproto=none
    ipaddr=10.10.9.1
    netmask=255.255.255.0
    role=blue
enp3s6f0=ethernet
    FwInBandwidth=50000
    FwOutBandwidth=10000
    role=pppoe
enp3s6f1=ethernet
    FwInBandwidth=50000
    FwOutBandwidth=10000
    bootproto=none
    gateway=10.10.1.1
    ipaddr=10.10.8.1
    netmask=255.255.255.0
    role=blue
ppp0=xdsl
    AuthType=auto
    FwInBandwidth=45000
    FwOutBandwidth=8000
    Password=wzXmxT
    TCLinklayer=adsl local
    name=PPPoE
    provider=EDPNET
    role=red
    user=xxxxx@EDPNETFIX

cat /etc/firehol/fireqos.conf
# ================= DO NOT MODIFY THIS FILE =================
# 
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org
#
# 
FIREQOS_CONNMARK_RESTORE=""

modinfo act_connmark &>/dev/null

if [ $? -eq 0 ]; then
    FIREQOS_CONNMARK_RESTORE="act_connmark"
fi


interface ppp0 EDPNT bidirectional input rate 45000kbit output rate 8000kbit balanced ethernet

        class high input commit 10% output commit 10%
                match connmark 0x4

        class low input ceil 90% output ceil 90%
                match connmark 0x3

        class voip input commit 10% ceil 10% output commit 10% ceil 10%
                match connmark 0x2

# db tc show
high=class
    Description=
    Mark=4
    MaxInputRate=
    MaxOutputRate=
    MinInputRate=10
    MinOutputRate=10
low=class
    Description=
    Mark=3
    MaxInputRate=90
    MaxOutputRate=90
    MinInputRate=
    MinOutputRate=
voip=class
    Description=voip
    Mark=2
    MaxInputRate=10
    MaxOutputRate=10
    MinInputRate=10
    MinOutputRate=10

# fireqos status EDPNT-in                                                                                                                   
FireQOS 3.1.5
(C) 2013-2014 Costa Tsaousis, GPL


EDPNT-in: ppp0 input => ppp0-ifb, type: ethernet, overhead: 
Rate: 45000Kbit/s, min: 450Kbit/s
Values in Kbit/s

 CLASS   high    low   voip defaul 
CLASSI   1:11   1:12   1:13 1:8000 
COMMIT   4500    450   4500    450 
   MAX  45000  40500   4500  45000 

PRIORI      4      4      4      4 
 QDISC fq_cod fq_cod fq_cod fq_cod 

 color code (packets):  backlog  |  dropped  |  delayed  |  requeued 
 Class Utilization on EDPNT-in (ppp0 input => ppp0-ifb) - values in Kbit/s
 TOTAL   high    low   voip defaul 
    74      -      -      3     72 
   369      -      -      -    369 
   170      -      -      -    170 
    62      -      -      -     62 
   454      -      -      -    454 
   195      -      -     12    182 # call initiated, traffic goes in the right class
  4437      -      -      3   4435 
   224      -      -     96    128  
   413      -      -     86    327 
   441      -      -     80    361 
   442      -      -     89    353 
   289      -      -     82    207 
   220      -      -     28    192 
   675      -      -      7    667 
   199      -      -      -    199 
   252      -      -      -    252 
   165      -      -      -    165 
   243      -      -      -    243

Andy_Wismer · May 27, 2019, 8:54am

@pagaille

As it appears, your Nethserver is your primary (and only) firewall…

How many users / VoIP phones are we talking about?

I also use Nethserver in larger environments, like in a Hotel, where NethServer is AD and primary Server. However, in this case, Nethserver does not act as Firewall (We have 4 internal LANs, three providers incl. fail-over. In such a scenario, too many LANs in the nethserver makes the firewalling unduly complex, and usually results in AD not working…

I do use traffic shaping / QOS to provide adequate VoIP quality, especially during Backups, where Data is sent to an external Storage. Agreed, Backups are done at night, but at a Hotel, there are almost always telephone calls…
Traffic shaping is done by my firewall, not the nethserver. This is also OpenSource Software (OPNsense by Decisio) with a hardware box.

At a Hotel with free WLan for guests a major problem is uncontrolled Laptops (Windows). Several guests seem to have whole spamware collections on their Notebook…

My solution is something akin to toilet flushing. You can flush as often as you want. The first times, there’s still water in the tank, but afterwards you need to wait for the tank to fill up. Guests can send mail, no probs. But if they want to send 100 or 1000 mails, they’d have to stay longer!

My 2 cents
Andy

pagaille · May 27, 2019, 9:12am

Right, that NS instance is our firewall and gateway, it handles the ppp connection to the VDSL wan.

There are ~15 users and only 6 phones.

Actually it works pretty good for me, even with 4 different LANs and an OpenVPN tunnel to our cloud infrastructure (also running NS)

Yep I was also thinking to go to a Pfsense appliance.

Thanks for sharing you experience.

Andy_Wismer · May 27, 2019, 9:32am

@pagaille

Take a look at OPNsense, a fork of pfsense, which was itself a fork of M0n0wall. I used M0n0wal for quite a while, until the project was closed.

I tried out PFsense - I was using Soekris Hardware at the time. Soekris also closed shop, due to too much competitors from China, and Soekris could not hold the prices…

PFsense is quite good, but after trying out OPNsense, i was hooked…
See https://www.applianceshop.eu for HW for both platforms.

PFsense does too much in my opinion, and tries to satisfy hobbyists and enterprises alike - but one size does not fit all! Additionally, the cheapest support solution costs almost 1000.-/year!

OPNsense works well for me without support, for the last 4+ years. I have OPNsense at about 10 clients.

As a tip: both can be tested on VM, it doesn’t really matter what virtualisation you choose or are comfortable with. I actually keep a virtual firewall “ready”, in case or HW problems with the real HW.

The only problem I currently have with OPNsense is the fact that I can use Nextcloud to do automatic and regular backups of configuration, but it won’t accept my LetsEncrypt protected NextCloud running inhouse on the Nethserver.

My2cents
Andy

giacomo · May 27, 2019, 9:34am

I know that we have dozens of such installations around.

Maybe @davide_marini, @Stll0, @nrauso and @mrchiao can give you some suggestions to solve your problem!

filippo_carletti · May 27, 2019, 10:05am

I personally never used QoS over PPPoE.
I think that the right TCLinklayer options could make some difference.
@pagaille, if the db prop seems to be ignored, please modify directly /etc/firehol/fireqos.conf.

pagaille · May 28, 2019, 9:18am

Thanks @filippo_carletti !

I investigated further and narrowed the problem down to a radio link between the modem and the NS gateway.

It appeared that for whatever reason the available bandwidth wasn’t sustainable and varies between 50% and 100% of the nominal vdsl bandwitdh. Therefore the traffic shaper wasn’t able to work accurately.

I ended up restraining the available bandwidth to 50% of the vdsl link’s full bandwidth into NS’s network settings to workaround this. Now the VOIP works even with the bandwidth “fully” saturated.

Thanks all for sharing your ideas.

PS @filippo_carletti I confirm that the TCLinklayer parameter is not taken into account. I’ll look into this and will submit a PR if I’m able to.

PS2 : @giacomo when you’ll port this to Cockpit, take care of this : the order of the Traffic shaper rules is important. For example a “voip” rule should be higher than the default “high” category. So the list should be sortable.
There are also a lot of other FireQOS parameters that could be added to the UI but that’s another story.

filippo_carletti · May 29, 2019, 4:52pm

I cannot reproduce.

# db networks setprop enp0s8 TCLinklayer xxx
# expand-template /etc/firehol/fireqos.conf
# grep xxx /etc/firehol/fireqos.conf
interface enp0s8 red1 bidirectional input rate 66585kbit output rate 85988kbit balanced xxx
# db networks delprop enp0s8 TCLinklayer 
# expand-template /etc/firehol/fireqos.conf
# grep xxx /etc/firehol/fireqos.conf
#

pagaille · May 29, 2019, 7:34pm

That machine wasn’t up to date. I just updated and now it works. Probably there was some bug fixed lately.

Thanks filippo.

Matthieu

NB : in my test and in my particular crippled configuration I didn’t noticed any enhancement between “ethernet" and "adsl local”. But your mileage may certainly vary.