Looking for traffic shaping and/or QoS capability for my home network

jamesp81

Junior Member
May 21, 2013
Part of this is just for fun, part of it is for just having a network set up to learn on. I want to be able to throttle the bandwidth of various applications that run on my network at home so I can enforce some QoS and/or traffic shaping. For example, if someone is running a huge Steam download, I want to be able to throttle that some so that web browsing doesn't slow to a crawl. I'd like to be able to allocate some bandwidth to a mail server as well to ensure that IMAP and SMTP get all the bandwidth they need when they ask for it, etc.

NetLimiter as a software solution seems to do this for a single machine, but I am looking for a piece of managed hardware that could do it for my entire network. What are my options?
 

drebo

Diamond Member
Feb 24, 2006
You can't traffic shape traffic that you don't originate. You can, however, police that traffic. That will cause TCP to window itself down to a lower rate. UDP, however, you will have no control over.

If you want to play with policing, you could use a Cisco router of some kind. Old 1841s are pretty popular for playing with.
 

rsutoratosu

Platinum Member
Feb 18, 2011
My POS Actiontec router does some sort of traffic shaping. I limit my FiOS connection to people that don't split up to 5 megs on all traffic; you can go granular in detail for applications... but go with Cisco, it's good to learn anyway.
 

Cooky

Golden Member
Apr 2, 2002
You can't traffic shape traffic that you don't originate. You can, however, police that traffic. That will cause TCP to window itself down to a lower rate. UDP, however, you will have no control over.

If you want to play with policing, you could use a Cisco router of some kind. Old 1841s are pretty popular for playing with.

+1

Even in enterprise networking, you can only shape in the outbound direction, unless you utilize expensive gear such as Blue Coat's (formerly Packeteer) PacketShaper.
I doubt any SOHO or SMB solution can do inbound shaping at all.
 

JoeMcJoe

Senior member
May 10, 2011
On pfSense you can limit the amount of incoming data a connection can use.
For example, if you have a 20 Mbps connection and 50 connections, you can set it so no user can use more than 1 Mbps at any one time.
 

Red Squirrel

No Lifer
May 24, 2003
pfSense is tricky, but you can definitely get really granular with it. I have it set up so HTTP traffic has higher priority than torrents, so if I'm torrenting I can still go on the internet; otherwise my connection is pretty much saturated.
 

drebo

Diamond Member
Feb 24, 2006
On pfSense you can limit the amount of incoming data a connection can use.
For example, if you have a 20 Mbps connection and 50 connections, you can set it so no user can use more than 1 Mbps at any one time.

And that will apply (after a period) to TCP connections only.

With UDP, the sender is going to send as fast as they can, because there is no windowing with UDP. To the receiver, it may look like only 1 Mbps, but the upstream connection will still be saturated.

How the actual protocols work is much more important than what a POS application says it can do.
 

theevilsharpie

Platinum Member
Nov 2, 2009
And that will apply (after a period) to TCP connections only.

With UDP, the sender is going to send as fast as they can, because there is no windowing with UDP. To the receiver, it may look like only 1 Mbps, but the upstream connection will still be saturated.

How the actual protocols work is much more important than what a POS application says it can do.

If a router can rate-limit TCP, then for all practical purposes, it can rate limit an Internet connection. Nobody uses UDP for bulk transfers over the Internet, for pretty much exactly the reasons you've described.
 

drebo

Diamond Member
Feb 24, 2006
If a router can rate-limit TCP, then for all practical purposes, it can rate limit an Internet connection. Nobody uses UDP for bulk transfers over the Internet, for pretty much exactly the reasons you've described.

Even with TCP, something like BitTorrent which opens many TCP connections will cause the same issues.

Bottom line: you have no control over what is sent to you.
 

theevilsharpie

Platinum Member
Nov 2, 2009
Even with TCP, something like BitTorrent which opens many TCP connections will cause the same issues.

I'm not sure how. :confused:

BitTorrent is not immune to routers that are shaping traffic and actively shutting down low priority traffic flows.
 

drebo

Diamond Member
Feb 24, 2006
I'm not sure how. :confused:

BitTorrent is not immune to routers that are shaping traffic and actively shutting down low priority traffic flows.

It takes time for a TCP flow to window itself down when policed. Initially, that TCP flow will utilize the maximum bandwidth. When some of the packets are dropped by the policer, TCP recognizes that and says "whoa there, server, slow down a bit". It'll then cut the bandwidth. So each TCP connection will initially run at max speed and slow itself down. As the client sees fewer and fewer drops, it'll start to window itself back up. Then the drops will cause it to go back down. As an average, yes, it'll be policed down to whatever rate you use. But in reality, it's actually fluctuating significantly higher and significantly lower than the policer is configured for.

If BitTorrent is configured to use 200 active connections, each connection will go through that process. So initially, you'll have 200 connections all sending data as fast as they can, and TCP will window itself down for each of the connections to whatever it ends up able to do.

The reason I make a distinction between policing and shaping is because shaping involves the router queuing traffic, whereas policing does not. What this does is it normalizes the connection for both UDP and TCP by queuing excess traffic before it sends it out. That's why shaping is used on egress and policing is used on ingress. It makes no sense to queue on ingress...after the point at which you're trying to prioritize traffic.

For these reasons, it's better simply to tell customers that they can't do it. Yes, you can kind of halfway trick TCP into being slower, but you're never going to be able to limit the traffic that other networks are sending to you. QoS needs to be implemented at the point of congestion...i.e. the point at which bandwidth is lowest...for it to be effective. It's better to tell someone that it can't be done than to implement the half solution and have it work 80% of the time.

The basic rule still stands, however: you cannot prioritize or QoS or otherwise affect the traffic that is being sent to you. If you own both ends of the link (a point-to-point T1 for instance) you could implement priority queuing on both sides to give certain traffic preference or ensure certain traffic always has bandwidth available...but you do that on the sending side, not the receiving.

This is a good read: http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a00800a3a25.shtml
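The policing-versus-shaping argument that runs through this thread (a policer drops excess packets and relies on TCP backing off; a shaper queues them; a UDP sender never notices either; many TCP flows keep the ingress link saturated even when each one is individually policed) can be checked with a small discrete-time model. The following is an added example written for this page, not code from any poster or from pfSense or Cisco. One tick stands for one round-trip time, all quantities are packets per tick, the senders are simplified AIMD (halve on loss, grow by one otherwise) and constant-rate UDP, and the token-bucket limiters and the scenario rates (10 packets per tick, 200 flows, a UDP sender at 5x the policed rate) are constructed for illustration.

```python
"""Policing vs shaping at a network edge: a discrete-time model.

Added example, not from the thread. One tick = one RTT; units are packets
per tick. 'offered' is what actually arrives on the ingress link, which is
the quantity the receiving side cannot control; 'forwarded' is what the
limiter lets through to the LAN.
"""
import random


class Policer:
    """Token bucket: forward up to `rate` per tick (plus saved burst), drop the rest."""

    def __init__(self, rate, burst=None):
        self.rate = rate
        self.burst = burst if burst is not None else rate
        self.tokens = self.burst
        self.max_queue = 0  # a policer never queues anything

    def tick(self, offered):
        """Return (forwarded, dropped) for `offered` packets arriving this tick."""
        self.tokens = min(self.burst, self.tokens + self.rate)
        forwarded = min(offered, self.tokens)
        self.tokens -= forwarded
        return forwarded, offered - forwarded


class Shaper(Policer):
    """Token bucket with a bounded backlog: excess waits in a queue (tail drop)."""

    def __init__(self, rate, burst=None, qlimit=50):
        super().__init__(rate, burst)
        self.qlimit = qlimit
        self.queue = 0

    def tick(self, offered):
        self.tokens = min(self.burst, self.tokens + self.rate)
        self.queue += offered
        dropped = max(0, self.queue - self.qlimit)  # only overflow is lost
        self.queue -= dropped
        forwarded = min(self.queue, self.tokens)
        self.queue -= forwarded
        self.tokens -= forwarded
        self.max_queue = max(self.max_queue, self.queue)  # backlog = added delay
        return forwarded, dropped


class TcpSender:
    """Reno-style AIMD: window +1 per RTT without loss, halved on any loss."""

    def __init__(self, cwnd=1):
        self.cwnd = cwnd

    def offer(self):
        return self.cwnd

    def feedback(self, lost):
        self.cwnd = max(1, self.cwnd // 2) if lost else self.cwnd + 1


class UdpSender:
    """Constant-rate sender with no congestion control (the thread's UDP case)."""

    def __init__(self, rate):
        self.rate = rate

    def offer(self):
        return self.rate

    def feedback(self, lost):
        pass  # the sender never learns about the drops, so nothing changes


def simulate(senders, limiter, ticks=200, seed=1):
    """Run the model; return average offered/forwarded load and peak offered load."""
    rng = random.Random(seed)  # which packets are lost is random per tick
    offered_total = forwarded_total = dropped_total = peak = 0
    for _ in range(ticks):
        offers = [s.offer() for s in senders]
        total = sum(offers)
        forwarded, dropped = limiter.tick(total)
        # Attribute lost packets uniformly at random to the senders that sent them,
        # so each sender sees its own loss signal (and only TCP reacts to it).
        lost = [0] * len(senders)
        if dropped:
            owner = [i for i, n in enumerate(offers) for _ in range(n)]
            for p in rng.sample(range(total), dropped):
                lost[owner[p]] += 1
        for s, n in zip(senders, lost):
            s.feedback(n)
        offered_total += total
        forwarded_total += forwarded
        dropped_total += dropped
        peak = max(peak, total)
    return {"offered_avg": offered_total / ticks, "forwarded_avg": forwarded_total / ticks,
            "dropped": dropped_total, "peak_offered": peak, "max_queue": limiter.max_queue}


def scenarios(rate=10, ticks=200):
    """The thread's cases side by side (constructed parameters); returns {name: summary}."""
    return {
        "1 TCP flow, policed": simulate([TcpSender()], Policer(rate), ticks),
        "200 TCP flows, policed": simulate([TcpSender() for _ in range(200)], Policer(rate), ticks),
        "1 UDP flow at 5x rate, policed": simulate([UdpSender(5 * rate)], Policer(rate), ticks),
        "1 TCP flow, shaped": simulate([TcpSender()], Shaper(rate, qlimit=3 * rate), ticks),
    }


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:32s} offered {r['offered_avg']:6.1f}  forwarded {r['forwarded_avg']:5.2f}"
              f"  peak offered {r['peak_offered']:4d}  dropped {r['dropped']:5d}  backlog {r['max_queue']}")
```

Reading the output in the thread's terms: the single policed TCP flow averages below the configured rate but its offered load saw-tooths above it, which is the oscillation described above; with 200 flows the link carries twenty times the policed rate on ingress regardless of how little is forwarded; the UDP sender's offered load never changes at all; and the shaper delivers a steady output at the configured rate at the cost of a standing backlog (latency), which is only worth paying on egress, before the point of congestion, as the last post says.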