[Solved] I can't get firehol to work on latest LEDE trunk

I had downloaded the latest firehol release from GitHub; I downloaded it and installed it.
But I can't find a good tutorial to configure it. I had tried the OpenWrt tutorial but it won't work for me. Any help please.
I also need to configure fireqos.

I need that too. I tried installing fireqos but it gives me an error.

Here is my thread link: Prioritizing Host with qos/qos-scripts
What I am trying to do is set up a minimum speed for my TV and limit my PC with fireqos, as that user suggested to me in that thread :slight_smile:

This error happened to me yesterday.
I just updated my firmware to the latest trunk, then it installed normally.

You just need to upgrade your firmware, then install firehol.

That's normal behaviour for a snapshot image.

From https://lede-project.org/releases/snapshot:

snapshots are built daily, and that sets time limits to installing new packages with opkg. Due to kernel version checksums, you can only install “kmod” kernel modules and other kernel version dependent modules from the exactly same snapshot build. So, a few hours after flashing the firmware you may not be able to install new modules with opkg any more (as the next snapshot has been built into the download repo and has different checksums).

I don't have any problems with installing.
But I can't configure and run it.

I have built that version with a patch for my router and I have included many things in that firmware. Final size was ~24 MB. I'd better find out how to do what I need with qos. I do not want to go again through that build and then configuration process.

Start here: https://firehol.org/#fireqos then go to the new user tutorial: https://firehol.org/tutorial/fireqos-new-user/

FireQOS is quite easy to configure compared to trying to write tc commands yourself. It still requires a basic understanding of how QoS works though.

If you describe what you want to accomplish I can point you towards a starting configuration to work from.

But firehol and fireqos are not documented for LEDE; they're only documented for OpenWrt, and the OpenWrt config process is not working for LEDE.

This is the fireqos output:

root@LEDE:~# /sbin/fireqos start
FireQOS 3.1.5
(C) 2013-2014 Costa Tsaousis, GPL

: interface pppoe-wan world-in input adsl local pppoe-llc input rate 10370kbit output rate 845kbit

ERROR: 37@/etc/firehol/fireqos.conf: interface:
Cannot add IFB device pppoe-wan-ifb.

FAILED TO ACTIVATE TRAFFIC CONTROL.

Clearing failed interface: world-in (pppoe-wan input => pppoe-wan-ifb)...

pppoe-wan-ifb: cleared traffic control input

No traffic control is operational by FireQOS.

bye...

I had used the default config file; I had uninstalled sqm before running fireqos.

When I run fireqos with /sbin/firehol start, I get:

IMPORTANT WARNING:
 ------------------
 FireHOL cannot find your current kernel configuration.
 Please, either compile your kernel with /proc/config,
 or make sure there is a valid kernel config in:
 /usr/src/linux/.config
 
 Because of this, FireHOL will simply attempt to load
 all kernel modules for the services used, without
 being able to detect failures.
 
FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file /etc/firehol/firehol.conf: OK
FireHOL: Activating new firewall (533 rules): OK

But I can't access the internet; pinging any site gives a request timeout.

When I use /sbin/firehol try or /sbin/firehol helpme /tmp/firehol-tmp.conf or /sbin/firehol wizard /tmp/firehol-tmp.conf

it gives an error about SS_CMD not found or something like that.

firehol starts the FireHOL firewall whereas fireqos starts the QoS script... Don't use the firehol firewall unless you want to replace the LEDE standard firewall, which I don't really recommend unless you need some special features from firehol. To disable firehol itself, do it under LuCI System->Startup.

As for fireqos, the complaint "cannot add ifb device ..." indicates that it doesn't have the ifb kernel module that FireQOS uses to control inbound traffic. Install the kmod-ifb package.


Thanks.
What are the features that firehol has that the LEDE firewall lacks?
I will install kmod-ifb, then I will post again.

Package kmod-ifb (4.9.65-1) installed in root is up to date.
This package is already installed.


root@LEDE:~# /sbin/fireqos start
FireQOS 3.1.5
(C) 2013-2014 Costa Tsaousis, GPL

: interface pppoe-wan world-in input adsl local pppoe-llc input rate 10370kbit output rate 845kbit

ERROR: 37@/etc/firehol/fireqos.conf: interface:
Cannot add IFB device pppoe-wan-ifb.

FAILED TO ACTIVATE TRAFFIC CONTROL.

Clearing failed interface: world-in (pppoe-wan input => pppoe-wan-ifb)...

    pppoe-wan-ifb: cleared traffic control input

No traffic control is operational by FireQOS.

bye...

You now need to actually write your config file, not use the example one that comes with FireQOS; it's trying to attach an IFB device to an interface that probably doesn't exist, namely the interface "pppoe-wan", which is probably not an actual interface on your router.

Please provide a very basic idea of what you want to accomplish, and the output of "ip link show", and I will provide you a very basic starting script to get you going.

As for firehol, it provides features like the use of ipsets to allow you to firewall groups of IP addresses, and probably some other features that are not standard in the LEDE firewall. But the LEDE firewall is good and supported by LuCI, so I don't recommend enabling FireHOL unless you know what you're doing. However FireQOS is great and its functions are not provided in standard LEDE packages, so using that is a good idea.


Hi,
I really appreciate your help.
Right now I am using sqm.
This is the "ip link show" output:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether c0:4a:00:e7:23:46 brd ff:ff:ff:ff:ff:ff
3: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
4: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1
    link/sit 0.0.0.0 brd 0.0.0.0
5: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether da:2f:80:96:14:fe brd ff:ff:ff:ff:ff:ff
6: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 32
    link/ether ba:39:11:f1:a9:78 brd ff:ff:ff:ff:ff:ff
7: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 32
    link/ether 72:97:10:64:24:5f brd ff:ff:ff:ff:ff:ff
8: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN mode DEFAULT group default qlen 1
    link/gre 0.0.0.0 brd 0.0.0.0
9: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
10: teql0: <NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 100
    link/void
18: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether c0:4a:00:e7:23:46 brd ff:ff:ff:ff:ff:ff
19: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP mode DEFAULT group default qlen 1000
    link/ether c0:4a:00:e7:23:46 brd ff:ff:ff:ff:ff:ff
20: eth0.4@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether c0:4a:00:e7:23:46 brd ff:ff:ff:ff:ff:ff
22: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP mode DEFAULT group default qlen 1000
    link/ether 78:44:76:be:90:39 brd ff:ff:ff:ff:ff:ff
23: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP mode DEFAULT group default qlen 1000
    link/ether c0:4a:00:e7:23:48 brd ff:ff:ff:ff:ff:ff
476: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1480 qdisc cake state UNKNOWN mode DEFAULT group default qlen 3
    link/ppp
478: ifb4pppoe-wan: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc cake state UNKNOWN mode DEFAULT group default qlen 32
    link/ether 76:fd:75:19:54:f5 brd ff:ff:ff:ff:ff:ff

"please provide a very basic idea of what you want to accomplish, and the output of "ip link show" and I will provide you a very basic starting script to get you going." > I need to prioritize gaming, especially League of Legends, and VoIP calls, and also share bandwidth equally between clients to ensure no one will saturate all the bandwidth. My connection speed is 2 Mbps download and 6 Mbps upload. My ISP isolates YouTube and Google traffic; for that they provide 16 Mbps. I'd like to share that 16 Mbps between clients. Is it possible to divide the 2 Mbps into 1 Mbps for HTTP and 1 Mbps for HTTPS?
"as for firehol it provides features like the use of ipsets to allow you to firewall groups of ip addresses, and probably some other features that are not standard in the LEDE firewall. But the LEDE firewall is good and supported by Luci so I don't recommend enabling FireHOL unless you know what you're doing. However FireQOS is great and its functions are not provided in standard LEDE packages so using that is a good idea." > The LEDE firewall is really great and somewhat easy to configure, so I will only use fireqos.

Is it possible to make dnsmasq provide custom IPs for YouTube, like if I ping youtube, dnsmasq will provide the following IPs, e.g. 5.10.226.xx, 5.10.226.xxx and so on?

How can I block some IPs with the firewall?

Best regards,

Also I forgot to say I want to fight bufferbloat.

OK, first you will need to disable sqm and clear all the QoS that is already enabled via SQM scripts. I think those are what is causing FireQOS to have difficulty with the IFB, as you already have an ifb4pppoe-wan, probably created by SQM.

Disable sqm script in LuCI and then run

fireqos clear_all_qos

which will get you back to ground state

Next, you have definitely complex requirements here, specifically the ISP "fastlane" for YouTube and Google traffic. It is hard to know what that means on the ISP end (i.e. what traffic they include). But Google actually serves their YouTube video data from googlevideo.com. I used this fact to put those URLs into an ipset as seen here:

http://models.street-artists.org/2016/11/25/qos-throttling-netflix-and-youtube/

This "bug" report suggests that if you use the appropriate options in /etc/config/dhcp
https://bugs.lede-project.org/index.php?do=details&task_id=269

and you create the ipsets in fireqos, then dnsmasq will fill the ipsets so you'll get a set of "google" related IPs. Then you can use a firewall rule to mark your traffic with a mark (in my example I mark it with the number 33) which you can match in FireQOS.

With that fairly complicated requirement in mind, you can then do something like this in /etc/firehol/fireqos.conf to get you started...

EDIT: I made some changes to move the traffic priority higher for voip and gaming, and that should match your needs better.


interface pppoe-wan wanin input rate 15500kbit qdisc fq_codel linklayer adsl ## you should check the linklayer settings yourself
   class group highprio rate 300kbit ceil 700kbit
      class voip rate 200kbit ceil 400kbit
         match udp src myvoipserver
      class gaming rate 100kbit ceil 500kbit
         match udp ports 5000:5500 ## this is what Google says LoL uses for game clients
   class group end

   class group google rate 15000kbit ceil 15000kbit
      ## requires some extra firewall kung fu to mark google traffic with mark 33
      ## this is just to get you moving in the right direction
      class gvideo rate 90% ## 90% of 15000kbit in the parent google group
         match connmark 33
      ## more classes go here
   class group end

   class default rate 100kbit ceil 1500kbit


interface pppoe-wan wanout out rate 5500kbit qdisc fq_codel linklayer adsl
## output QoS separate from input because you've got asymmetric speeds
.....

   class voip rate 200kbit ceil 400kbit
      match udp dst myvoipserver
...



This is a sketch to get you going. Note also some extra complexity: do you use IPv6 + IPv4 dual stack? This requires you to use "interface46" instead of "interface", for example... also you'll need rules for IPv6 IP matches and also IPv4 matches...

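The procedure in this post (stop sqm, clear the old qdiscs, write a real fireqos.conf with separate input and output interfaces, feed the google classes from an ipset that dnsmasq fills and a mangle rule marks with 33) carried through as one deployable script. This is an added example, not code from the thread or from the FireHOL project. The rates and ports are the ones quoted above; the set name google, the domain list, the /etc/firewall.user placement, the dnsmasq ipset UCI option (the one the linked bug report discusses; it needs the ipset-capable dnsmasq-full variant), the placeholder VoIP server and the helper names are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the FireHOL project: turns the sketch
# above into a complete setup for LEDE. It (1) checks the preconditions behind the
# "Cannot add IFB device" error, (2) renders /etc/firehol/fireqos.conf, (3) renders
# the ipset + CONNMARK rules that "match connmark 33" relies on and (4) points
# dnsmasq at the ipset. Rates/ports are the thread's; the set name, domain list,
# mark value and the placeholder VoIP server are assumptions to adjust.
# Usage: sh fireqos-setup.sh          (print the generated files)
#        sh fireqos-setup.sh install  (write them, restart services, start fireqos)
set -eu

WAN=pppoe-wan
IN_RATE=15500kbit            # download incl. the ISP's Google fast lane
OUT_RATE=5500kbit            # upload; both below line rate so the router owns the queue
LINKLAYER="linklayer adsl"   # as in the sketch; a PPPoE-over-Ethernet line needs "overhead 8" instead
VOIP_SERVER=myvoipserver     # placeholder: your SIP/VoIP server's IP address
GOOGLE_SET=google            # assumed ipset name
GOOGLE_MARK=33

# The three causes of "Cannot add IFB device": WAN device absent, ifb module
# absent, or sqm-scripts still holding its own IFB (the ifb4pppoe-wan above).
check_prereqs() {
  [ -d "/sys/class/net/$WAN" ] || { echo "$WAN is not up (see: ip link show)"; return 1; }
  grep -q '^ifb ' /proc/modules || modprobe ifb \
    || { echo "ifb module missing: opkg install kmod-ifb"; return 1; }
  [ ! -d "/sys/class/net/ifb4$WAN" ] \
    || { echo "sqm still active: /etc/init.d/sqm stop; /etc/init.d/sqm disable"; return 1; }
  command -v ipset >/dev/null || { echo "ipset tool missing: opkg install ipset"; return 1; }
}

render_fireqos_conf() {
cat <<EOF
# /etc/firehol/fireqos.conf (generated; bash syntax, sourced by fireqos)
interface $WAN wanin input rate $IN_RATE qdisc fq_codel $LINKLAYER
   class group highprio rate 300kbit ceil 700kbit
      class voip rate 200kbit ceil 400kbit
         match udp src $VOIP_SERVER
      class gaming rate 100kbit ceil 500kbit
         match udp ports 5000:5500        # LoL client range quoted in the thread
   class group end
   class group google rate 15000kbit ceil 15000kbit
      class gvideo rate 90%
         match connmark $GOOGLE_MARK      # set by the mangle rules rendered below
   class group end
   class default rate 100kbit ceil 1500kbit

interface $WAN wanout output rate $OUT_RATE qdisc fq_codel $LINKLAYER
   class group highprio rate 300kbit ceil 700kbit
      class voip rate 200kbit ceil 400kbit
         match udp dst $VOIP_SERVER
      class gaming rate 100kbit ceil 500kbit
         match udp ports 5000:5500
   class group end
   class default rate 100kbit ceil $OUT_RATE
EOF
}

render_firewall_user() {
cat <<EOF
# appended to /etc/firewall.user: the set must exist before dnsmasq adds to it
ipset create $GOOGLE_SET hash:ip -exist
# LAN -> Google has a set member as destination, Google -> LAN as source;
# either way the connection is stamped so every later packet carries mark $GOOGLE_MARK
iptables -t mangle -A PREROUTING -m set --match-set $GOOGLE_SET dst -j CONNMARK --set-mark $GOOGLE_MARK
iptables -t mangle -A PREROUTING -m set --match-set $GOOGLE_SET src -j CONNMARK --set-mark $GOOGLE_MARK
EOF
}

render_dhcp_ipset() {
cat <<EOF
# dnsmasq adds every address it resolves under these domains to the set
# (needs the ipset-capable dnsmasq-full package; the domain list is an assumption)
uci add_list dhcp.@dnsmasq[0].ipset='/googlevideo.com/youtube.com/$GOOGLE_SET'
uci commit dhcp
EOF
}

case "${1:-show}" in
  show)    render_fireqos_conf; echo; render_firewall_user; echo; render_dhcp_ipset ;;
  install) check_prereqs
           render_fireqos_conf > /etc/firehol/fireqos.conf
           render_firewall_user >> /etc/firewall.user
           render_dhcp_ipset | sh
           /etc/init.d/firewall restart; /etc/init.d/dnsmasq restart
           fireqos start
           # the gvideo counters must move while a YouTube video plays
           tc -s class show dev "$WAN-ifb" ;;
esac
```

After `install`, watch `tc -s class show dev pppoe-wan-ifb` while a YouTube video plays. If the gvideo class on the input side never counts packets, the connection mark is not visible at the point where ingress traffic is mirrored into the IFB (the tc ingress hook runs before netfilter's PREROUTING), and how your fireqos release restores the connmark on that kernel needs checking before the Google class can be trusted; the output side does not have this problem.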

Thanks for your effort.
But my connection type is not ADSL, it's WISP; they use PPPoE to manage their users.
I am using only IPv4; their IPv6 is not working.
Now can I use the config you provided directly, I mean copy and then paste it in fireqos.conf?
By VoIP I mean apps like Viber, WhatsApp and Skype.
Thank you again.

Ah, for WISP, I think instead you should use something like:

interface pppoe-wan wanin input rate 15500kbit qdisc fq_codel overhead 8
interface pppoe-wan wanout out rate 5500kbit qdisc fq_codel overhead 8

since according to Wikipedia the PPPoE overhead on "ethernet" is 8 bytes.

Can you copy and paste my code? No, it is meant to help you start to configure your system and see where to read the FireQOS manual for more info. For example, how do you know which traffic is the "voip" system? With my SIP-based phone I know the IP address of the server, so I could do, on the input interface definition:

match udp src 1.2.3.4

(where 1.2.3.4 is replaced by my server's actual IP address)

But with Skype/Viber/WhatsApp? Not so much. On the other hand, Skype may tag its traffic with DSCP values (a kind of QoS / priority tag on the individual packets), and so you could write a match rule using DSCP values.

Using Wireshark you can watch the Skype/Viber/WhatsApp traffic and look at how they DSCP tag things. Usually the standard way is voice gets EF (46) and video gets AF41 tags, but I don't know what those apps actually do. FireQOS can match these DSCP tags and classify this to the high priority classes.

If the apps don't tag their traffic, then you'll have to come up with another way to identify it.

The basic idea is this: figure out what makes a given set of traffic uniquely identified, and then match that set of criteria in the appropriate class definition.

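A way to do the "watch how they DSCP tag things" step on the router itself instead of in Wireshark, as an added example that is not from the thread: pipe `tcpdump -v` into a small POSIX shell summariser that decodes the TOS byte into its DSCP name and counts packets per name. The capture lines embedded below are constructed, not a real trace, and the function names are mine. Whichever name dominates for the app's voice stream is the value the voip class would match on (whether your fireqos release accepts DSCP names in a `match dscp` line is something to confirm against `man fireqos-match`).

```shell
#!/bin/sh
# Added example (not from the thread): summarise the DSCP marks an app actually
# sends, straight from tcpdump on the router, e.g.
#   tcpdump -ni pppoe-wan -v udp 2>/dev/null | dscp_summary
# The sample lines further down are constructed, not a real capture.

# Map the IPv4 TOS byte printed by "tcpdump -v" (e.g. 0xb8) to its DSCP name.
# DSCP is the top six bits of the byte; the low two bits are ECN, so shift them out.
dscp_name() {
  case $(( $1 >> 2 )) in
    0)  echo CS0 ;;   8) echo CS1 ;;  10) echo AF11 ;; 12) echo AF12 ;; 14) echo AF13 ;;
    16) echo CS2 ;;  18) echo AF21 ;; 20) echo AF22 ;; 22) echo AF23 ;;
    24) echo CS3 ;;  26) echo AF31 ;; 28) echo AF32 ;; 30) echo AF33 ;;
    32) echo CS4 ;;  34) echo AF41 ;; 36) echo AF42 ;; 38) echo AF43 ;;
    40) echo CS5 ;;  46) echo EF ;;   48) echo CS6 ;;  56) echo CS7 ;;
    *)  echo "DSCP$(( $1 >> 2 ))" ;;   # unnamed code point: report the raw number
  esac
}

# Read "tcpdump -v" output on stdin; print "NAME COUNT" lines, most frequent first.
dscp_summary() {
  sed -n 's/.*(tos \(0x[0-9a-fA-F]*\),.*/\1/p' \
  | while read -r tos; do dscp_name "$tos"; done \
  | sort | uniq -c | sort -rn \
  | awk '{ print $2, $1 }'
}

# Constructed sample: two voice packets marked EF, one video packet AF41, one unmarked.
SAMPLE='12:00:00.000001 IP (tos 0xb8, ttl 64, id 1, offset 0, flags [DF], proto UDP (17), length 200)
    192.168.1.10.50000 > 203.0.113.5.3478: UDP, length 172
12:00:00.000002 IP (tos 0xb8, ttl 64, id 2, offset 0, flags [DF], proto UDP (17), length 200)
    192.168.1.10.50000 > 203.0.113.5.3478: UDP, length 172
12:00:00.000003 IP (tos 0x88, ttl 64, id 3, offset 0, flags [DF], proto UDP (17), length 1200)
    192.168.1.10.50002 > 203.0.113.5.3478: UDP, length 1172
12:00:00.000004 IP (tos 0x0, ttl 64, id 4, offset 0, flags [DF], proto UDP (17), length 80)
    192.168.1.10.50004 > 203.0.113.9.443: UDP, length 52'

printf '%s\n' "$SAMPLE" | dscp_summary   # first line: EF 2
```

Run it against the real interface for a minute while a call is in progress; if every line comes back CS0, the app does not mark its packets and you are back to identifying the traffic by server address or port range.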