2

Here is the basic situation/topology of the network I manage:

  • Residential, but we are a co-op, so we have a business-class contract with ISP.

The residents are college students, so there is quite a bit of everything, including P2P (torrenting), gaming, file sharing (internal), as well as crucial needs for the basics like getting to websites for school/homework, email, FTP, etc. Basically, I get bad reviews when members can't have their fun, but then legitimate complaints when someone can't turn in an assignment.

  • There are at most 31 residents, but we are not always at full capacity. Of course, plenty of residents connect multiple devices (Laptop, Desktop, Mobile) all at once.

  • The property is spread out over 3 buildings, 2 of which are connected physically, the third is stand-alone but only a few steps from the main two buildings.

Here is the basic layout of the property:

==========================                   =====================
|                        |                   =            |Router=
|                        |                   =             ----- =
|   Main House           |                   =    Annex          =
|   (3 stories)          |                   =  (2 stories)      =
|(first floor is commons |====================  (No commons)     =
| area, ie TV Room,etc)  | Breeze Way        =                   =
==================================================================

                                        ======================
                                        =                    =
                                        =    Cottage         =
                                        =   (2 Stories)      =
                                        =  (No Commons)      =
                                        ======================

The cable comes into a closet in the Annex where it goes from the modem (ISP provided) to the D-Link DIR-625 Wireless router. So from the very start the set up is not ideal, as one of the WAPs is in a closet on the ground floor. C'est la vie.

Then it spreads out like so:

DIR-625 (DHCP Router and 
- Netgear 8-port switch (2nd floor Annex)
- Linksys 5-port switch (1st floor Annex)
- Netgear 8-port switch (Cottage)
    - D-Link WBR-1310 Wireless Router acting as WAP
- Netgear 16-port switch (Main House)
    - D-Link WBR-1310 Wireless Router acting as WAP for Common's Area
    - D-Link WBR-1310 Wireless Router acting as WAP for 2nd and 3rd floor

Okay, that's about all the backstory anyone should ever need. Sorry if that was a bit much, but when I try to get advice from friends, they tend to think either "Only 31 people, what's the problem?" or "3 buildings, and you don't have a T1?" etc, etc. It's a fairly simply network in terms of what we need and our small population, but made very complicated by our physical layout.

Oh, and we are paying for 10 down/ 1.5 up, as far as service.

Now, here's the actual question (one of many, I'm sure):

I need a QoS system that is as low maintainance as possible. Not only to make my job easier, but to make it so the next IT officer that gets this fantastic job after me doesn't have to do what I did, which was basically start from scratch.

Ideally, this what I want in terms of QoS:

  • Bob really wants to play WoW. It's 2pm and no one is home but him. He gets dynamite throughput.

  • Half an hour later, Joe gets home and his torrenting program immediately starts up. He is a good co-oper, so he has his client capped for uploads, so he and Bob are both getting pretty good bandwidth.

  • Bob signs out of WoW and goes off to class. Joe's torrents are now going super-fast.

  • Jill gets home an hour later. She goes to check her email and watches some Hulu. She is in no way aware that Joe is torrenting. Joe notices his torrents are doing pretty good.

  • Everyone else comes home and each of them are doing a mix of all of the above. Everyone doing basic HTTP stuff or email think "I love our network admin." All of the gamers, file-sharers, and Skype-ers think, "This will be even more awesome when everyone goes to bed!" No one comes by my room with murderous intent. No one is crying to me how the girl down the hall snuck in with scissors to literally cut off their torrents so they could read their homework.

Right now, I have the main router (the DIR-625) set up with its built-in QoS and with the DNS ports set to highest, the HTTP, email, and whatnot set to 2nd highest priority, and with anything higher than 3000 set to lowest priority.

But even so, this doesn't stop the fact that if Joe is torrenting 50GB worth of junk, and Bob is gaming all day, that they are just using MORE of the bandwidth. They get a lower priority, but they basically get all of the router's attention and all of the bandwidth.

I've taken to blocking people if they seem to be using more than 25% of the current network activity, but I'm not even sure the reporting tools I'm using are accurate. And I shouldn't have to do that, or if I should, I really don't understand what QoS does at all.

So, again, here's the real question:

Will a Linux-based router/firewall provide smarter/more customizable QoS than my current setup? I have to get all purchases voted on, so I can't just experiment as much as I want. I have looked at Tomato, Gargoyle, and SmoothWall. But each one makes me nervous.

Smoothwall can do anything, I'm told, but it requires me getting/building a machine and it apparently reveals more information than I'd like to have access to, or anyone who takes over after me, (like who's emailing who). Not to mention I just can't tell if it will meet my specific needs.

Tomato and OpenWRT require getting yet another router, taking the risk of bricking said router (and having to explain the loss to a committee), and still may not give me what I want.

2) If there is no magical QoS that can do Mac/IP based throttling (instead of Port-based), is there any software/router solution that will give me IP based bandwidth usage? All of the screenshots I see are port-based or give traffic usage in terms of packets instead of bits/second. Or only show one IP at a time (which is great when I want to COMPARE usage).

Right now, I have Excel pulling two XML files from the D-Link Router, one for MAC/IP/hostname, one for "current connections" that gives each connection per IP. I then combine all of the data into another sheet that shows number of connections per IP and then does the percentage per IP based on the total. If it's over 25%, I either shut them down for awhile or go and have words. But I'm not even sure if the total number of connections is a good measure of bandwidth usage!

I have tons of other issues, like computers not seeing each other, not being able to share, dropped wifi connections, low internal transfer rates, possibly misconfigured WAPs, just to name a few. But right now the question I get the most stress over is "Why is my internet so slow? Can't you keep people from torrenting?"

Thanks for reading all of this.

Anthony
  • 305
  • 4
  • 14
  • Note, network performance will be better if you cap your upload bandwidth to 90%. On asymmetric DSL connections, if your upload bandwidth runs out, it will cause your downloads to slow down. I have found that WOW gets really slow if a torrent client uses all the upload bandwidth. If it is restricted to only 80%, then WOW runs much better. – Walter Mar 17 '10 at 15:17

5 Answers5

2

Herea a shot in the dark, but if you look on ebay you can get some truly awesome deals on EoL'd Cisco's, I'm talking 2600/3600, with that you can do exactly what your proposing, There is a need for a little CLI config, but after that you will be truly impressed with what it can do for you, i.e shaping torrents to a minimum throughput during 5pm and 2am, but still not allocating them all the bandwidth the rest of the time, leaving space for everyone else to do their homework, and perhaps prioritzing http or reserving a minimum amount of bandwidth so that even if susy, joe, and! bob are torrenting and copying that ftp file, john can still browse, (and turn in his homework).

Let me know will be more than willing to help you out will a basic template config,

Bruce Grobler
  • 146
  • 1
  • 5
  • Another I would recommend is nTop + MySAR, help you nail down those miscreants :D I like to think of those tool as giving you a big fish, its your decision on who to slap :D – Bruce Grobler Aug 06 '09 at 14:42
0

This may not be what you expect, but why not consider a non-technical solution? Buying more equipment is not going to solve your problem as your problem is a human one. Find another way to share the bandwidth better. There are various possibilities:

  • Cap the number of active connections that a machine can have. This will effectively parcel out the available bandwidth to each user fairly.
  • Assign everyone a fair quota, say 1Gb per day each and if they exceed that quota, their bandwidth will be capped to say 56k speeds.

  • Improve communications. Link everyone together on some jabber/irc server. If someone needs to use the internet, they can buzz those torrenting to pause for a while. Or even better, ask those torrenting to run them over-night instead.

  • Educate the users on how to schedule stuff. If there is a large file that they need to download for school, schedule it to run over-night or something.
  • If users need to perform software updates regularly, set up a local caching proxy to help reduce the Internet cost.

Ultimately, you will need to get everyone to communicate better. That is the only way to solve the problem. No amount of LARTC is going to help you.

sybreon
  • 7,357
  • 1
  • 19
  • 19
  • Wow, thanks! As far as the overnight thing, we have tried that. It's very difficult to enforce and breeds discontent when people suspect that someone is violating it. As to your other suggestions: 1) How do I cap active connections? Is there a acronym or jargon I should be looking for? 2)If I could set a bandwidth cap, I would. Again, how? I thought I'd need a username type setup for that sort of thing. 3) Local caching proxy! that sounds awesome! I'll research that one on my own. And we are totally getting a jabber server setup, as soon as we have a username system set up. My idea! – Anthony Jul 23 '09 at 12:24
  • You don't need a username type setup for network control as you can use the MAC addresses of each person as ID for networking purposes. If you can force people to move their traffic through a transparent-proxy such as squid, you will have a lot of options to play with. You can cap live TCP connections per host but you will need to check out the LARTC to see what firewall rules to set up. Ditto with bandwidth speeds. I think that traffic shaping might be a good place to start looking. – sybreon Jul 29 '09 at 04:12
0

Tomato and OpenWRT require getting yet another router, taking the risk of bricking said router (and having to explain the loss to a committee), and still may not give me what I want.

I have upgraded two WRT54GL with the tomato firmware (http://en.wikipedia.org/wiki/Linksys_WRT54G_series#Hardware_versions_affect_firmware_compatibility), just make sure you get the open WRT54GL that is marked L and you don't have to worry about bricking the device. They are open and you are free to just upgrade them with whatever.

It has QoS but if it is good enough for your needs, but maybe it is good enough and combined with a little human communication it may be all you need...?

/Johan

Johan
  • 795
  • 2
  • 7
  • 13
0

A little late, but well...

I'm in almost the same position as you are, just with 150 residents. When wie startet out, we had one wireless link to the university, totalling in 4Mbit if you were really lucky.

Mowadays we have another 16/1 and one 32/2 line and are managing those via a lot of magic going on with iptables, iproute and tc. Since we have a high number of exchange students there is quite a bit of turnover, combined with the high number of residents this makes communication and mutual agreements rather difficult, so we mostly try to stay on top of it all via technical measures.

The firewall setup is pretty complex, and has grown over years of refinement. Basically we we assign connections to one of the lines based on a number of hand-crafted rules based on port numbers, target IPs, etc. (i.e. all connections to the university network go via the wireless link which obviously has less hops and so on). One problem alway is, you can only control what goes out, since all incoming traffic is already through your line when you see it. So you have to shape only to the outgoing capacity of your uplink.

For the P2P problem the best solution seems to be: a) block all P2P traffic entirely (ipp2p from xtables-addons works rather well) and b) set up a dedicated P2P box to keep the people off your back and only allo P2P for this one box. ;)

A lot of P2P software nowadays supports "watched directories", people then can upload their .torrents of in this directory and it will be downloaded for them. This also eliminates 2 residents pulling the same stuff through your line. Be advised, though, that you probably put your ass on the line for the stuff the residents do with that box, since it's under your control.

If you want to talk more specifics, like setup, scripts, etc. I'd be glad to help...

0

Just want to add to this for other readers that the QOS on that dlink router is only for upstream data not downstream.

  • I felt the need to add this based on Matt's comment above. His statement is completely misleading and untrue. QOS effects everything, the upstream data is controlled and limited which in turn limits and controls the amount of data returned to the router. So it does in fact effect upstream and downstream. (also there is no point in trying to directly use QOS on downstream data since your ISP already does it before it gets to you) This is a common misconception posted throughout the internet by people who don't actually understand what they are talking about. (sorry matt) You should probably all –  Mar 15 '13 at 22:08