Nicholas Schmidt

Nicholas Schmidt

CTO, Dad, Husband, and lover of all things 1's and 0's.

Traffic Control on Linux with FireQOS

2 minute read

In order to make full use of my half-duplex WiMAX link, I started looking for anything and everything I could use to optimize it. Linux has some pretty decent utilities with iproute2 and netem to handle these type of configurations. They don’t compare to OpenBSD’s PF, but they work once you get the setup in place.

Due in part to how ugly TC is out of the box, I really like FireQOS for defining the basic configuration. The developer also makes a great iptables wrapper called FireHOL, but iptables rules are easy enough to write in my opinion.

I wanted to share my FireQOS script for those who may have similar needs. It prioritizes my traffic with the following basics:

  1. VOIP – Commits 30kbit no matter what else is going on. This is sufficient for a single G.729 SIP connection
  2. Interactive protocols such as DNS, SSH, and XMPP receive 20% of the bandwidth
  3. Facetime – Committed 200kbit for video streaming
  4. VPN connections (PPTP/IPSEC/OpenVPN) are given 20% of the bandwidth
  5. Surfing is given majority of bandwidth with 60%
  6. Synacks, Mail, and Usenet bring up the rear with whatever is left. They will consume available bandwidth if nothing else is going on

As I write this my network is function just spiffy with no issues streaming via SONOS and downloads via USENET. I am very happy with the config.

From /etc/firehol/fireqos.conf

DEVICE=enp3s0
INPUT_SPEED=1910kbit
OUTPUT_SPEED=200kbit
interface $DEVICE world-in input rate $INPUT_SPEED $LINKTYPE
 class voip commit 30kbit
 match udp port 5060 
 match udp dports 10000:10100
 match sports 3478,5349
class interactive commit 20%
 match udp port 53
 match tcp port 22
 match tcp port 2222
 match tcp port 8022
 match icmp
 match tcp sports 5222,5228
 match tcp sports 5223
class facetime commit 200kbit
 match udp ports 3478:3497,16384:16387,16393:16402
class vpns commit 20%
 match tcp port 1723
 match gre
 match dport 1195:1198
 match tcp port 1701
 match tcp port 500
 match udp port 500
 match udp port 4500
class surfing commit 60%
 match tcp port 80
 match tcp port 443
class synacks
 match tcp syn
 match tcp ack
class default
class mail
 match tcp port 143
 match tcp port 993
 match tcp port 25
 match tcp port 465
 match tcp port 587
class usenet
 match tcp port 563
interface $DEVICE world-out output rate $OUTPUT_SPEED $LINKTYPE
 class voip commit 30kbit
 match udp port 5060
 match udp sports 10000:10100
 match dports 3478,5349
class interactive commit 20%
 match udp port 53
 match tcp port 22
 match tcp port 2222
 match tcp port 8022
 match icmp
 match tcp dports 5222,5228
 match tcp dports 5223
class facetime commit 200kbit
 match udp ports 3478:3497,16384:16387,16393:16402
class vpns commit 20%
 match tcp port 1723
 match gre
 match sport 1195:1198
 match tcp port 1701
 match tcp port 500
 match udp port 500
 match udp port 4500
class surfing commit 6%
 match tcp port 80
 match tcp port 443
class synacks
 match tcp syn
 match tcp ack
class default
class mail
 match tcp port 143
 match tcp port 993
 match tcp port 25
 match tcp port 465
 match tcp port 587
class usenet
 match tcp port 563

 

Updated: