Question: router QoS for destination subnets

fleshins

Junior Member
Dec 16, 2018
I'm searching for a solution which provides QoS (bandwidth guarantees and latency protection) to public subnets I connect to for audio/video conferencing (think Skype, Slack, Google Hangouts, etc.).

Literally the only thing I have found is this post/screenshot of a USR router QoS config (first time hearing of them) and this device is no longer in production.

Here's the screenshot itself (no need to click the link above unless you want to read the original post):
[screenshot: OJIQP.jpg, the USR router QoS config page]


I imagine this type of QoS configuration is possible with iptables but I'd prefer to not go the custom DIY route unless that's actually the right thing to do here.

Thank you for helping me figure this puzzle out!
 

VirtualLarry

No Lifer
Aug 25, 2001
To public subnets? You trying to do QoS over the internet at large? Your local router's not going to enable you to do that, you realize. And you can only QoS your upstream, not your downstream.
 

fleshins

Junior Member
Dec 16, 2018
Of course, I have no control beyond my router - that’s where I want QoS applied. I want to ensure there is enough up/down capacity allocated to a public subnet (say Skype’s) so that my kids watching Netflix (as an example) do not negatively affect my Skype video conferencing.

I cross posted here for additional context/detail.

LMKWYT and thanks!
 

VirtualLarry

No Lifer
Aug 25, 2001
Well, honestly, that sounds like you're planning on doing this the "wrong way 'round".

Why not do QoS based on source LAN IP address instead? Surely, the kids aren't watching Netflix on the same PC, at the same time, that you're trying to use Skype, right? (Unless you have an uncommon multi-headed PC setup.)

So, just QoS prioritize your PC's upstream in a priority class above their PC/Roku/TV/whatever they're using for Netflix.
 

fleshins

Junior Member
Dec 16, 2018
So the reason that’s not ideal is because I noticed my own machine is at times negatively affecting latency to these services like Skype. To confirm this was possible I ran a speed test on my machine while pinging a public IP and my ping latency went through the roof. Perhaps this is expected? I’m interested in a more robust solution to minimize the chances that my a/v conferencing calls will be negatively impacted (even by my own machine).

Would love your thoughts here and thank you for the replies!
 

thecoolnessrune

Diamond Member
Jun 8, 2005
If you need to protect your Skype traffic or Slack traffic, you're going to need to find the FQDNs or IP Blocks, as well as the port requirements, and set up QoS tuning on those. Hopefully you're using the business versions of these applications, as they tend to have well-published data on that.

That said, as @VirtualLarry mentioned, you're not going to be able to do jack about how much data is coming in except to force artificial contention on the traffic flow to force TCP traffic to go back into slow start mode and slow down data delivery. That being said, you can identify those traffic flows as mentioned above from those FQDNs or IP Blocks, and reserve them a minimum amount of bandwidth to ensure that traffic is not interrupted.

Note that unless you put a QoS policy in for ICMP as well, ICMP traffic gets treated as general traffic, and wouldn't be representative of what your reserved traffic is doing.

As for products, anything SOHO and higher should be able to give you some good options. How much nitty-gritty you have to get into vs. slick interface depends on your needs and how much you're willing to pay. PFSense can do this for free on an old x86 machine (or paid for NetGate Appliances). Fortinet and Sophos UTMs are also available that can do these things, but you start talking steady money, with about an $800 entry fee with 3 years of support, and support needing to be renewed after that.
 
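For readers who do go the Linux/iptables route the OP mentioned, here is what the approach thecoolnessrune describes looks like on a Linux router: mark egress packets to the conferencing IP blocks (and ICMP, so pings measure the reserved class), then steer them into an HTB class with a guaranteed share of the uplink. This is an added example, not from the thread or from pfSense; the interface `eth0`, the 10 Mbit/s uplink, fwmark 10 and the two RFC 5737 example subnets are placeholders to replace with the vendor's published ranges.

```shell
#!/bin/sh
# Added example (not from this thread): Linux egress QoS with HTB + fwmarks.
# Reserves a minimum share of the *upstream* link for traffic to the
# conferencing subnets and for ICMP, so a speed test or other LAN upload
# cannot starve it. Downstream cannot be guaranteed this way.
# Assumptions (placeholders): WAN interface eth0, 10 Mbit/s uplink, and
# constructed RFC 5737 example blocks standing in for a vendor's published ranges.
WAN=${WAN:-eth0}
UPLINK_KBIT=${UPLINK_KBIT:-10000}     # set a little below the real uplink speed
CONF_SUBNETS=${CONF_SUBNETS:-"198.51.100.0/24 203.0.113.0/24"}
CONF_SHARE_PCT=${CONF_SHARE_PCT:-40}  # guaranteed share for the conferencing class
DRY_RUN=${DRY_RUN:-1}                 # 1 = print commands only; set 0 (as root) to apply
MARK=10                               # fwmark that selects the conferencing class

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

conf_rate_kbit() { echo $(( UPLINK_KBIT * CONF_SHARE_PCT / 100 )); }

apply_qos() {
  conf=$(conf_rate_kbit)
  rest=$(( UPLINK_KBIT - conf ))
  # Root HTB: unclassified traffic falls into 1:20 (best effort).
  run tc qdisc del dev "$WAN" root 2>/dev/null || true
  run tc qdisc add dev "$WAN" root handle 1: htb default 20
  run tc class add dev "$WAN" parent 1: classid 1:1 htb rate "${UPLINK_KBIT}kbit" ceil "${UPLINK_KBIT}kbit"
  # 1:10 is guaranteed its share and may borrow up to the full link; prio 0 wins under contention.
  run tc class add dev "$WAN" parent 1:1 classid 1:10 htb rate "${conf}kbit" ceil "${UPLINK_KBIT}kbit" prio 0
  run tc class add dev "$WAN" parent 1:1 classid 1:20 htb rate "${rest}kbit" ceil "${UPLINK_KBIT}kbit" prio 1
  # fq_codel on each leaf keeps per-flow queues short (latency protection).
  run tc qdisc add dev "$WAN" parent 1:10 fq_codel
  run tc qdisc add dev "$WAN" parent 1:20 fq_codel
  # Packets carrying the fwmark are steered into 1:10.
  run tc filter add dev "$WAN" parent 1: protocol ip handle "$MARK" fw flowid 1:10
  # Mark traffic destined to the conferencing blocks, plus ICMP so that ping
  # measurements reflect the reserved class rather than best-effort traffic.
  run iptables -t mangle -N QOS_CONF 2>/dev/null || true
  run iptables -t mangle -F QOS_CONF
  for net in $CONF_SUBNETS; do
    run iptables -t mangle -A QOS_CONF -d "$net" -j MARK --set-mark "$MARK"
  done
  run iptables -t mangle -A QOS_CONF -p icmp -j MARK --set-mark "$MARK"
  run iptables -t mangle -D POSTROUTING -o "$WAN" -j QOS_CONF 2>/dev/null || true
  run iptables -t mangle -A POSTROUTING -o "$WAN" -j QOS_CONF
}

apply_qos
```

Run it once as-is to review the generated commands, then `DRY_RUN=0 WAN=<your wan> UPLINK_KBIT=<rate> ./qos.sh` as root to apply; the HTB guarantee only holds if `UPLINK_KBIT` is below what the modem can actually send.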

fleshins

Junior Member
Dec 16, 2018
Ok, super helpful! If I understand correctly, you're saying the real issue is protecting my Slack/Skype traffic and the only way to do this is by forcing artificial contention for the traffic (say Netflix) that's likely to be the "bad actor" chewing through all the available bandwidth. Interesting.

Increasingly I'm interested in an open-source solution. Will check out PFSense and thank you!