Nethserver vs pfsense: QoS

Bug reproduced, thank you.

We can try to treat outgoing packets as high priority by default. We can’t set incoming priority (we will be able to shape incoming from 7.5).

If you don’t mind, I’d ask to repeat the test with the following modification.
Add tos-minimize-delay at the end of the first line in /etc/shorewall/tcclasses (it means assign prio 1 to packets where the tos bit says minimize delay, hoping that your voip system does it).
Example from my system:

ens33 1 5*full/10 9*full/10 1 fq_codel,flow=nfct-src,tos-minimize-delay

Run shorewall restart to apply the config.
If you could capture a voip packet we can have a look at the tos bits.

Hi Filippo,

Ah, thank you for the clarification on 7.4 limitations: we can only set priority for outgoing packets.

My test was for incoming packets.

I did try setting tos-minimize-delay and of course it did not help. :slight_smile:

I ran a tcpdump and used wireshark to view the VoIP packets. My ATA is setting the RTP traffic’s ToS value to 0xb8. wireshark confirms it. In fact wireshark prints the mnemonic Expedited Forwarding

I checked http://www.routereflector.com/2014/09/verifying-end-to-end-qos-marking/ and 0xb8 maps to Minimize Delay and Maximize Throughput

Should I tweak my ATA to use 0x10 and/or should we instead allow RTP traffic to be classified at a higher priority? Or (this might be too ugly) allow for a set of IPs to have their traffic given high priority - pfSense allows this … not that it matters one way or another.

I’m not a networking person so any help is gratefully accepted! :slight_smile:

Thx!
-pablo

ps: I will be away tomorrow afternoon my time, through the weekend.

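Added example, not code from the thread or from NethServer: a small Python decoder for the ToS byte pablo captured (0xb8), showing the DSCP value it carries (46, Expedited Forwarding) and the legacy RFC 1349 flag bits that Shorewall's tcclasses tos-* keywords test. The DSCP name table is a constructed lookup, and the reading of tos-minimize-delay as a test of the single 0x10 bit (tos=0x10/0x10 in Shorewall's notation) is taken from the Shorewall tcclasses manual as I recall it, so treat that mapping as an assumption to verify against the manual.

```python
# Added example: decode an IP ToS byte into DSCP, ECN and the RFC 1349 flag bits.

# Constructed lookup of common DSCP code points; 46 (EF) is what the ATA sets.
DSCP_NAMES = {
    0: "CS0 (best effort)", 8: "CS1", 10: "AF11", 12: "AF12", 14: "AF13",
    16: "CS2", 18: "AF21", 20: "AF22", 22: "AF23", 24: "CS3", 26: "AF31",
    28: "AF32", 30: "AF33", 32: "CS4", 34: "AF41", 36: "AF42", 38: "AF43",
    40: "CS5", 46: "EF (Expedited Forwarding)", 48: "CS6", 56: "CS7",
}

# Legacy ToS flag bits (bits 4..1 of the ToS byte, RFC 1349). Assumption: these are
# the bits behind Shorewall's tos-minimize-delay / tos-maximize-throughput /
# tos-maximize-reliability / tos-minimize-cost keywords, each as tos=0xNN/0xNN.
TOS_FLAGS = {
    0x10: "minimize-delay",
    0x08: "maximize-throughput",
    0x04: "maximize-reliability",
    0x02: "minimize-cost",
}


def decode_tos(tos: int) -> dict:
    """Split a ToS byte into DSCP (upper 6 bits), ECN (lower 2 bits),
    RFC 791 precedence (upper 3 bits) and the legacy RFC 1349 flags."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS must be a single byte")
    dscp = tos >> 2
    return {
        "tos": tos,
        "dscp": dscp,
        "dscp_name": DSCP_NAMES.get(dscp, "unassigned/unknown"),
        "ecn": tos & 0x03,
        "precedence": tos >> 5,
        "flags": [name for bit, name in TOS_FLAGS.items() if tos & bit],
    }


def matches_shorewall_tos(tos: int, keyword: str) -> bool:
    """True if a Shorewall tcclasses tos-<name> keyword would match this ToS byte.

    Assumption (see lead-in): each keyword tests exactly one RFC 1349 bit, so a
    packet matches when that bit is set whatever the other bits are. That is why
    0xb8 (EF) does satisfy tos-minimize-delay even though it is not 0x10."""
    name = keyword[4:] if keyword.startswith("tos-") else keyword
    bit = {v: k for k, v in TOS_FLAGS.items()}[name]
    return bool(tos & bit)


if __name__ == "__main__":
    info = decode_tos(0xB8)
    print(f"ToS 0x{info['tos']:02x}: DSCP {info['dscp']} {info['dscp_name']}, "
          f"precedence {info['precedence']}, flags {info['flags']}")
    print("tos-minimize-delay matches:", matches_shorewall_tos(0xB8, "tos-minimize-delay"))
```

Running it on the captured value confirms what the routereflector page says: 0xb8 decodes to DSCP 46 with both the minimize-delay and maximize-throughput bits set, so the tos-minimize-delay class would have matched on egress; the reason the test showed nothing is the one Filippo gives above, that the traffic being measured was incoming.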

I would try this route.
Add a line similar to the following to /etc/shorewall/mangle:

{source:x.x.x.x, proto:-, dest:-, time:-, action:MARK(0x1/0xff):T, dport:-}

where x.x.x.x is the ATA IP. You could also set dport to the voip port.
As usual, shorewall restart to apply the config.

Hi Filippo,

Thank you for the shorewall HOWTO. :stuck_out_tongue: iptables confirms the packets[1].

I ran tcpdump though and I don’t see the packet’s DSCP changed, but I think that’s expected. I googled and I think if I wanted to affect the packets, I’d need to use --set-tos.

I think that the prioritization is happening within the gateway.

I see my changes are lost if I change the WAN NIC’s bandwidth settings. Are there includes or some other method so local changes are not lost? It is not the end of the world if not … I realize what we are doing for now is a stop-gap. :slight_smile:

Once again, thank you very much! I appreciate it!
-pablo

References
[1] - iptables showing packet/byte count:

# iptables -L -xv -n -t mangle | egrep '192.175.96.72|67.205.74.184'
 473   123936 MARK       all  --  *      *       67.205.74.184        0.0.0.0/0            MARK xset 0x1/0xff
 967   368015 MARK       all  --  *      *       192.175.96.72        0.0.0.0/0            MARK xset 0x1/0xff

Correct.
We are not modifying the packets, we are only MARKing them as high priority when they are leaving NethServer.

Yes, templates (http://docs.nethserver.org/projects/nethserver-devel/en/v7/templates.html)
Move the line to /etc/e-smith/templates-custom/etc/shorewall/mangle/90voip_prio.
Then: signal-event firewall-adjust

Hi Filippo,

Do I also need to set tos-minimize-delay in …/etc/shorewall/tcclasses?

Thx!
-pablo

No, yesterday you proved that it’s ineffective for your voip traffic.

Hi Filippo,

My apologies for the delay in responding. I was away.

With a simplified test case[1], I am not able to use templates. I’m getting an error message[2].

I use signal-event firewall-adjust to trigger the change.

In another test, I double quoted (") the tokens which raised warnings. While the warnings were squelched, the error remains.

The same code works in /etc/shorewall/mangle when used in conjunction with
shorewall restart

Any ideas? Thx!

References
1 - simple test case

cat /etc/e-smith/templates-custom/etc/shorewall/mangle/90_set_VoIP_priority_by_IP
{source:67.205.74.184, proto:-, dest:-, time:-, action:MARK(0x1/0xff):T, dport:-}

2 - error message from /var/log/messages

Mar 20 15:44:46 beast esmith::event[25658]: Event: firewall-adjust
Mar 20 15:44:46 beast esmith::event[25659]: Event: nethserver-firewall-base-save firewall-adjust
Mar 20 15:44:47 beast esmith::event[25659]: Action: /etc/e-smith/events/nethserver-firewall-base-save/S02providers-cleanup SUCCESS [0.194664]
Mar 20 15:44:47 beast esmith::event[25659]: expanding /etc/lsm/lsm.conf
Mar 20 15:44:47 beast dbus[598]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service'
Mar 20 15:44:47 beast dbus-daemon: dbus[598]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service'
Mar 20 15:44:47 beast systemd: Starting Time & Date Service...
Mar 20 15:44:47 beast dbus[598]: [system] Successfully activated service 'org.freedesktop.timedate1'
Mar 20 15:44:47 beast dbus-daemon: dbus[598]: [system] Successfully activated service 'org.freedesktop.timedate1'
Mar 20 15:44:47 beast systemd: Started Time & Date Service.
Mar 20 15:44:47 beast esmith::event[25659]: expanding /etc/shorewall/actions
Mar 20 15:44:47 beast esmith::event[25659]: expanding /etc/shorewall/hosts
Mar 20 15:44:47 beast esmith::event[25659]: expanding /etc/shorewall/interfaces
Mar 20 15:44:47 beast esmith::event[25659]: expanding /etc/shorewall/maclist
Mar 20 15:44:47 beast esmith::event[25659]: expanding /etc/shorewall/mangle
Mar 20 15:44:47 beast esmith::event[25659]: Skipping /etc/e-smith/templates-custom//etc/shorewall/mangle/.90_set_VoIP_priority_by_IP.swp at /etc/e-smith/events/actions/generic_template_expand line 64.
Mar 20 15:44:47 beast esmith::event[25659]: WARNING in /etc/e-smith/templates-custom//etc/shorewall/mangle/90_set_VoIP_priority_by_IP: Unquoted string "dest" may clash with future reserved word at /etc/e-smith/templates-custom//etc/shorewall/mangle/90_set_VoIP_priority_by_IP line 1.
Mar 20 15:44:47 beast esmith::event[25659]: ERROR in /etc/e-smith/templates-custom//etc/shorewall/mangle/90_set_VoIP_priority_by_IP: Program fragment delivered error <<syntax error at /etc/e-smith/templates-custom//etc/shorewall/mangle/90_set_VoIP_priority_by_IP line 1, near ""proto":">> at template line 1
Mar 20 15:44:47 beast esmith::event[25659]: ERROR: Template processing failed for //etc/shorewall/mangle: 1 fragment generated warnings, 1 fragment generated errors
Mar 20 15:44:47 beast esmith::event[25659]: at /etc/e-smith/events/actions/generic_template_expand line 64.
Mar 20 15:44:47 beast esmith::event[25659]: [WARNING] expansion of /etc/shorewall/mangle failed
Mar 20 15:44:47 beast esmith::event[25659]: expanding /etc/shorewall/masq
Mar 20 15:44:47 beast esmith::event[25659]: expanding /etc/shorewall/modules
Mar 20 15:44:47 beast esmith::event[25659]: expanding /etc/shorewall/nat
Mar 20 15:44:47 beast esmith::event[25659]: expanding /etc/shorewall/policy
Mar 20 15:44:47 beast esmith::event[25659]: expanding /etc/shorewall/providers
Mar 20 15:44:47 beast esmith::event[25659]: expanding /etc/shorewall/rtrules
Mar 20 15:44:47 beast esmith::event[25659]: expanding /etc/shorewall/rules
Mar 20 15:44:47 beast esmith::event[25659]: expanding /etc/shorewall/shorewall.conf
Mar 20 15:44:47 beast esmith::event[25659]: expanding /etc/shorewall/stoppedrules
Mar 20 15:44:47 beast esmith::event[25659]: expanding /etc/shorewall/tcinterfaces
Mar 20 15:44:47 beast esmith::event[25659]: expanding /etc/shorewall/tcpri
Mar 20 15:44:47 beast esmith::event[25659]: expanding /etc/shorewall/tunnels
Mar 20 15:44:47 beast esmith::event[25659]: expanding /etc/shorewall/zones
Mar 20 15:44:47 beast esmith::event[25659]: expanding /etc/shorewall/findgw
Mar 20 15:44:47 beast esmith::event[25659]: expanding /etc/shorewall/tcclasses
Mar 20 15:44:47 beast esmith::event[25659]: expanding /etc/shorewall/tcdevices
Mar 20 15:44:47 beast esmith::event[25659]: Action: /etc/e-smith/events/actions/generic_template_expand FAILED: 1 [0.622459]
Mar 20 15:44:47 beast systemd: Reloading.
Mar 20 15:44:48 beast kernel: ipt_ULOG: ULOG: fail to register logger.
Mar 20 15:44:48 beast pablo: Shorewall reloaded
Mar 20 15:44:48 beast esmith::event[25659]: [NOTICE] Shorewall restart
Mar 20 15:44:48 beast esmith::event[25659]: Action: /etc/e-smith/events/nethserver-firewall-base-save/S89nethserver-shorewall-restart SUCCESS [1.094898]
Mar 20 15:44:49 beast systemd: Reloading.
Mar 20 15:44:49 beast esmith::event[25659]: [INFO] service lsm is disabled: skipped
Mar 20 15:44:49 beast esmith::event[25659]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.274521]
Mar 20 15:44:49 beast esmith::event[25659]: Event: nethserver-firewall-base-save FAILED
Mar 20 15:44:49 beast esmith::event[25658]: Action: /etc/e-smith/events/firewall-adjust/S20firewall-adjust FAILED: 1 [2.283207]
Mar 20 15:44:49 beast esmith::event[25658]: Event: firewall-adjust FAILED

I’m sorry, curly braces have to be “protected”.
Add a backslash in front of them.

\{source:67.205.74.184, proto:-, dest:-, time:-, action:MARK(0x1/0xff):T, dport:-\}

Success!!!

Thank you so much!

I had checked the documentation[1] you cited earlier but there’s no mention of needing to escape the curly braces when they’re defined in the template. As I see the end result in /etc/shorewall/mangle, I understand the need to escape them.

What’s the best way to get the documentation updated? Thx!

Reference
[1] - http://docs.nethserver.org/projects/nethserver-devel/en/v7/templates.html

A pull request on github.
Click on Edit on GitHub on the top right.
Thank you very much.

Hey Filippo,

I’ll work on updating the doc. A small contribution that I can do …

While I do the git pull etc, I have a few questions for the documentation:

  • Aside from curly braces, are there any other tokens which need to be escaped?
  • Aside from .../templates-custom, are there other sub-directories which require the escaping of tokens?

Thank you!
-pablo