[Solved] I can't get firehol to work on latest LEDE trunk

Thanks for your help.
I will try your config and post back.
I think for Skype/Viber, we can use ipset with dnsmasq to prioritize these IPs.
Can I use cake as a qdisc?
I am still not able to start fireqos, same problem. I tried to stop and disable sqm but no luck.

The message about ifb not working seems to me very likely to be related to existing SQM scripts. Have you disabled SQM in startup menu and rebooted?

I imagine you can use cake as qdisc but I don't know if it will offer you any real benefits. My impression is that cake is trying to be a smart default, do some stuff automatically. Thus it may be "undoing" some of the purposeful prioritizing you're creating in the fireqos script. I just don't know enough about how cake works to tell you for sure. Also I don't think it's been tested with fireqos and fireqos may not like having "qdisc cake" somewhere because it may not recognize it as valid.... or maybe it's fine, I don't know.

If you still have problems with the ifb device, you can try setting the interface only as output instead of input or bidirectional. Once you get that working you can debug the ifb stuff.


Hi,
I have disabled and uninstalled sqm but no luck, but I will try to do a sysupgrade and see if that will fix it.
I will try fq_codel as qdisc, then cake, once I have fireqos working. I will compare the qdiscs and then inform you.

Edit:
I removed this line: "interface pppoe-wan wanin input rate 15500kbit qdisc fq_codel overhead 8"
and also this one: "class voip rate 200kbit ceil 400kbit
match udp src myvoipserver"
I created a link to "ip" in /usr/sbin/ip

It's working now, and it also detects the real MTU:

FireQOS 3.1.5
(C) 2013-2014 Costa Tsaousis, GPL


: interface pppoe-wan wanout out rate 5500kbit qdisc cake overhead 8 (pppoe-wan, 5500kbit, mtu 1480, quantum 1480, minrate 55kbit)
:       class highprio rate 300kbit ceil 700kbit (1:11, 300/700kbit, prio 0)
:               class voip rate 200kbit ceil 400kbit (1:12, 200/400kbit, prio 0)
Illegal "match"



ERROR:
tc failed with error 1, while executing the command:
/usr/sbin/tc filter add dev pppoe-wan parent 1:11 protocol ip prio 10 u32 match ip protocol 17 0xff match ip src myvoipserver flowid 1:12


FAILED TO ACTIVATE TRAFFIC CONTROL.

Clearing failed interface: wanout (pppoe-wan out => pppoe-wan)...

        pppoe-wan: cleared traffic control out

No traffic control is operational by FireQOS.

bye...
root@LEDE:~# fireqos start
FireQOS 3.1.5
(C) 2013-2014 Costa Tsaousis, GPL


: interface pppoe-wan wanout out rate 5500kbit qdisc cake overhead 8 (pppoe-wan, 5500kbit, mtu 1480, quantum 1480, minrate 55kbit)
:       class highprio rate 300kbit ceil 700kbit (1:11, 300/700kbit, prio 0)
:               class gaming rate 100kbit ceil 500kbit (1:12, 100/500kbit, prio 0)
:               class default (1:8001, 55/700kbit, prio 1)
:               committed rate 155kbit (51%), the remaining 145kbit will be spare bandwidth.
:       class google rate 15000kbit ceil 15000kbit
 WARNING: 9@/etc/firehol/fireqos.conf: class:
 ceil (15000kbit) is higher than its parent's ceil (5500kbit). Fixed it by settting ceil to parent's ceil.

 (1:14, 15000/5500kbit, prio 1)
:               class gvideo rate 90%
 WARNING: 12@/etc/firehol/fireqos.conf: class:
 ceil (5500kbit) is less than rate (13500kbit). Fixed it by setting ceil to rate.

 (1:15, 13500/13500kbit, prio 0)
:               class default (1:8002, 55/5500kbit, prio 1)
:               committed rate 13555kbit (90%), the remaining 1445kbit will be spare bandwidth.
:       class default rate 100kbit ceil 1500kbit (1:8000, 100/1500kbit, prio 2)
:       committed rate 15400kbit, (280%), overbooked by 9900kbit. PLEASE FIX.


  Traffic is classified:

      - on 1 interfaces
      - to 9 classes
      - by 4 FireQOS matches

  40 TC commands executed

All Done! Enjoy...
bye...

Another edit:

Now I added this line back to the conf file: "interface pppoe-wan wanin input rate 15500kbit qdisc fq_codel overhead 8"

It's working now without problems; the real problem was that "ip" was not found in /usr/sbin/ip.
Now there is no more ifb device error, so we can configure anything normally. Have a look at the output:

FireQOS 3.1.5
(C) 2013-2014 Costa Tsaousis, GPL


: interface pppoe-wan wanin input rate 15500kbit qdisc fq_codel overhead 8 (pppoe-wan-ifb, 15500kbit, mtu 1480, quantum 1480, minrate 155kbit)
:       class default (1:8000, 155/15500kbit, prio 0)
:       committed rate 155kbit (1%), the remaining 15345kbit will be spare bandwidth.

: interface pppoe-wan wanout out rate 5500kbit qdisc cake overhead 8 (pppoe-wan, 5500kbit, mtu 1480, quantum 1480, minrate 55kbit)
:       class highprio rate 300kbit ceil 700kbit (1:11, 300/700kbit, prio 0)
:               class gaming rate 100kbit ceil 500kbit (1:12, 100/500kbit, prio 0)
:               class default (1:8001, 55/700kbit, prio 1)
:               committed rate 155kbit (51%), the remaining 145kbit will be spare bandwidth.
:       class google rate 15000kbit ceil 15000kbit
 WARNING: 10@/etc/firehol/fireqos.conf: class:
 ceil (15000kbit) is higher than its parent's ceil (5500kbit). Fixed it by settting ceil to parent's ceil.

 (1:14, 15000/5500kbit, prio 1)
:               class gvideo rate 90%
 WARNING: 13@/etc/firehol/fireqos.conf: class:
 ceil (5500kbit) is less than rate (13500kbit). Fixed it by setting ceil to rate.

 (1:15, 13500/13500kbit, prio 0)
:               class default (1:8002, 55/5500kbit, prio 1)
:               committed rate 13555kbit (90%), the remaining 1445kbit will be spare bandwidth.
:       class default rate 100kbit ceil 1500kbit (1:8000, 100/1500kbit, prio 2)
:       committed rate 15400kbit, (280%), overbooked by 9900kbit. PLEASE FIX.


  Traffic is classified:

      - on 2 interfaces
      - to 10 classes
      - by 4 FireQOS matches

  48 TC commands executed

All Done! Enjoy...
bye...

Thanks so much for your help, but I still need your help to configure fireqos.

Good, at least we are now able to run fireqos.

Yes, now the hard part: deciding how to match things and which classes to put them in, etc.

You have some messages about incorrect ceil and rate parameters, so your script probably needs some adjustment. Please paste the fireqos.conf file here so I know exactly what it is looking at.

Next, please look into how to get things into ipsets and to set firewall marks based on ipsets.

The LEDE firewall config page suggests ways to use ipsets and set marks. Please read there for a bit and come back with ideas you have: https://lede-project.org/docs/user-guide/firewall_configuration


@hisham2630 Your postings get much more readable when you use "Preformatted Text" in the message editor. (I did this now for you in the above postings)


Thank you so much, I'm new here.

Hi,
these are the contents of fireqos.conf:

# ------------- INTERFACES -------------
interface pppoe-wan wanin input rate 15500kbit qdisc fq_codel overhead 8
interface pppoe-wan wanout out rate 5500kbit qdisc cake overhead 8
	
	class group highprio rate 300kbit ceil 700kbit
      class gaming rate 100kbit ceil 500kbit
     match udp ports 5000:5500 ## this is what a google says LoL uses for game clients
   class group end

   class group google rate 15000kbit ceil 15000kbit
    ## requires some extra firewall kung fu to mark google traffic with mark 33
    ## this is just to get you moving in the right direction
       class gvideo rate 90% ## 90% of 15000kbit in the parent google group 
          match connmark 33
    ## more classes go here
   class group end

  class default rate 100kbit ceil 1500kbit


## output QoS separate from input because you've got asymmetric speeds

I know how to use ipset with dnsmasq. I added this line "ipset=/googlevideo.com/videostream4" to dnsmasq.conf; when I run "ipset list videostream4" I get:

ipset list videostream4
Name: videostream4
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 180
References: 0
Members:
173.194.1.168
5.10.226.12
216.58.207.174

As I mentioned before, I need to make the League of Legends game have the highest priority. None of the clients should be able to eat the whole bandwidth, like "Internet Download Manager". I have about 16 Mbps of YouTube, Google Play and Google Drive bandwidth from the ISP, so it can be shared between clients, 4 Mbps for Facebook, fast internet browsing, and fighting bufferbloat if possible. If there are any other settings that will make the network responsive and reliable, it would be nice to include them here.

I think you should model your bandwidth according to what you've told me, google gets so much, facebook so much... each group should have an ipset and a separate class or class group

Just by matching udp ports 5000:5500 into the class gaming and putting that first, you should already have League of Legends be prioritized (but note, you need to do it for both input and output).

I'd recommend creating an ipset for Facebook stuff, which by the way includes stuff like facebook.com as well as fbcdn.net (where they serve various raw data), so your ipset rules should include that domain and/or anything else you can discover. Unless, of course, your ISP doesn't prioritize fbcdn.net... so you kind of need to experiment and/or ask them.

I recommend a separate ipset for googlevideo.com and other google stuff since you'll want to prioritize video. For example, do you know what domain they actually serve drive data from? I don't. But for example there's a domain googleusercontent.com which might be the one.

Do you understand how to write a firewall rule that marks certain ipsets with a given mark? Choose a mark for each ipset. Then in fireqos you check for the mark to match.

My bandwidth is like the following:
googletraffic = youtube + gdrive + googleplay > about 16 Mbps.
facebook = facebook.com + fbcdn.net, they said they use FNA for Facebook and WhatsApp. > 5 Mbps.
For downloading files from any filehost it is > 1 Mbps.
Upload is 6 Mbps.

These traffic types are isolated from each other by the ISP. They also have some sites cached, like VLC player, ubnt.com and more, for which they give about 16 Mbps. They have IPTV on IP 10.6.6.8.

It's easy right now to write firewall rules and ipsets; I use dnsmasq to fill the ipsets.

Please note that it should be sufficient to have no sqm instance enabled, the start-up menu should not matter at all.

I discovered a slight hiccup in the way this is going to work: apparently it's not possible to match marks on input (through an IFB device) without help from a special kernel module... this is because normally the packets haven't yet had their mark restored when they hit the IFB.

I'm not sure if LEDE has that module. It looks like maybe there's a new version of it via the kmod-sched-connmark package, but I don't know if it's FireQOS compatible.

I think a better way anyway is to set DSCP based on the ipsets, so you need a set of firewall PREROUTING rules on the mangle table to change the DSCP values. This has the added value that it will also cause the wifi WMM queues to be used for the appropriate traffic. For example, CS6 DSCP will cause the VOICE queue to be used on wifi, whereas AF41 will cause the VIDEO queue to be used.

I suggest DSCP as follows:

First eliminate all DSCP marks, set DSCP=0
then

For udp ports 5000:5500 set DSCP = 48 (CS6). This handles LoL games; make sure it tags for both src and destination ports, as you want to prioritize your output traffic as well as input

For skype ipset set DSCP = 48 (CS6) this handles voip traffic

For googlevideo ipset set DSCP=34 (AF41)

For FB traffic and google traffic not video set DSCP=18 (AF21)

Now make your fireqos rules as follows for input (please try to write this for output according to your needs as a separate exercise)

interface pppoe-wan wanin input rate 15500kbit qdisc fq_codel overhead 8
   class highprio rate 300kbit ceil 500kbit
      match dscp CS6
   class group prio rate 14000kbit ceil 14000kbit
       class video rate 10000kbit 
           match dscp AF41
       class other rate 4000kbit
           match dscp AF21
   class group end
   class default ceil 1000kbit

interface pppoe-wan wanout output rate 5500kbit qdisc fq_codel overhead 8
   class highprio rate 300kbit ceil 500kbit
      match dscp CS6

EDIT: above I accidentally had "class group default" instead of "class default" for the default group. Fixed that. Also fixed "class group end" instead of "end class group".

Note that for output it may not make sense to prioritize in the same way. I don't know what your ISP does for your traffic, or whether it gives you the same divided fastlanes for your output. I at least give you a special high priority thing for your games on output, but be sure to tag that DSCP value.

1 Like
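
The DSCP plan from the post above, written as a rule generator (an added example, not part of the original thread). It prints the iptables mangle rules as a dry run by default; the set names skype4, facebook4 and google4 are assumptions, only videostream4 appears in the thread.

```shell
#!/bin/sh
# Added example: build the mangle PREROUTING rules for the DSCP plan above.
VIDEO_SET="videostream4"       # from the thread (filled by dnsmasq)
SKYPE_SET="skype4"             # assumed set name
BULK_SETS="facebook4 google4"  # assumed names: Facebook + non-video Google

# Command prefix. The default is a dry run that only prints each rule;
# run with IPT=iptables to load them.
IPT="${IPT:-echo iptables}"

rule() { $IPT -t mangle -A PREROUTING "$@"; }

# Tag traffic to or from an ipset: mark_set <set> <dscp-class>
mark_set() {
    for dir in src dst; do
        rule -m set --match-set "$1" "$dir" -j DSCP --set-dscp-class "$2"
    done
}

# DSCP is a non-terminating target: every rule is evaluated and the last
# match wins, so rules go from lowest to highest priority.
dscp_rules() {
    rule -j DSCP --set-dscp 0                       # clear incoming marks
    for s in $BULK_SETS; do mark_set "$s" AF21; done
    mark_set "$VIDEO_SET" AF41
    mark_set "$SKYPE_SET" CS6
    rule -p udp --sport 5000:5500 -j DSCP --set-dscp-class CS6
    rule -p udp --dport 5000:5500 -j DSCP --set-dscp-class CS6
}

# Reads existing set names on stdin (one per line, as "ipset list -n"
# prints them) and echoes every required set that is absent. iptables
# rejects a --match-set rule whose set does not exist.
missing_sets() {
    existing=$(cat)
    for s in $SKYPE_SET $VIDEO_SET $BULK_SETS; do
        printf '%s\n' "$existing" | grep -qxF "$s" || echo "$s"
    done
}

if [ "$IPT" = "iptables" ]; then
    missing=$(ipset list -n | missing_sets)
    [ -z "$missing" ] || { echo "missing ipsets:" $missing >&2; exit 1; }
fi
dscp_rules
```

Once the rules are loaded, the per-class counters from `tc -s class show dev pppoe-wan-ifb` show whether the DSCP matches on the input side are actually being hit.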

I had removed sqm before running fireqos.
Now I don't have a problem with the ifb device; I fixed that problem by creating a link to "ip" in /usr/sbin/ip and to insmod in "/usr/sbin/insmod".

I don't know about output, but I think they didn't have good traffic prioritization.
Now I set the new config:

  FireQOS 3.1.5
(C) 2013-2014 Costa Tsaousis, GPL


: interface pppoe-wan wanin input rate 15500kbit qdisc fq_codel overhead 8 (pppoe-wan-ifb, 15500kbit, mtu 1480, quantum 1480, minrate 155kbit)
:       class default (1:8000, 155/15500kbit, prio 0)
:       committed rate 155kbit (1%), the remaining 15345kbit will be spare bandwidth.

: interface pppoe-wan wanout out rate 5500kbit qdisc fq_codel overhead 8 (pppoe-wan, 5500kbit, mtu 1480, quantum 1480, minrate 55kbit)
:       class highprio rate 300kbit ceil 500kbit (1:11, 300/500kbit, prio 0)
:       class prio rate 14000kbit ceil 14000kbit
 WARNING: 7@/etc/firehol/fireqos.conf: class:
 ceil (14000kbit) is higher than its parent's ceil (5500kbit). Fixed it by settting ceil to parent's ceil.

 (1:12, 14000/5500kbit, prio 1)
:               class video rate 10000kbit
 WARNING: 8@/etc/firehol/fireqos.conf: class:
 ceil (5500kbit) is less than rate (10000kbit). Fixed it by setting ceil to rate.

 (1:13, 10000/10000kbit, prio 0)
:               class other rate 4000kbit (1:14, 4000/5500kbit, prio 1)
/etc/firehol/fireqos.conf: line 12: end: command not found
:               class default ceil 1000kbit (1:8001, 55/1000kbit, prio 2)
:               committed rate 14055kbit, (100%), overbooked by 55kbit. PLEASE FIX.
:       class default (1:8000, 55/5500kbit, prio 2)
:       committed rate 14355kbit, (261%), overbooked by 8855kbit. PLEASE FIX.

: interface pppoe-wan wanout output rate 5500kbit qdisc fq_codel overhead 8 (pppoe-wan, 5500kbit, mtu 1480, quantum 1480, minrate 55kbit)
:       class highprio rate 300kbit ceil 500kbit (1:11, 300/500kbit, prio 0)
:       class default (1:8000, 55/5500kbit, prio 1)
:       committed rate 355kbit (6%), the remaining 5145kbit will be spare bandwidth.


  Traffic is classified:

      - on 3 interfaces
      - to 10 classes
      - by 5 FireQOS matches

  34 TC commands executed

All Done! Enjoy...
bye...

Please look at your config again. I think you've somehow mixed up input and output; the errors about rates exceeding parent rates suggest a problem with your script. Are you copying and pasting my script?


Also, please note I made a mistake: the end of a class group should be

class group end

not

end class group

This is my config:

# ------------- INTERFACES -------------
interface pppoe-wan wanin input rate 15500kbit qdisc fq_codel overhead 8
interface pppoe-wan wanout out rate 5500kbit qdisc fq_codel overhead 8
	
	class highprio rate 300kbit ceil 500kbit
      match dscp CS6
   class group prio rate 14000kbit ceil 14000kbit
       class video rate 10000kbit 
           match dscp AF41
       class other rate 4000kbit
           match dscp AF21
     class group end
   class default ceil 1000kbit

interface pppoe-wan wanout output rate 5500kbit qdisc fq_codel overhead 8
   class highprio rate 300kbit ceil 500kbit
      match dscp CS6

Delete the second "interface" line, making your config as follows:

# ------------- INTERFACES -------------
interface pppoe-wan wanin input rate 15500kbit qdisc fq_codel overhead 8
	
   class highprio rate 300kbit ceil 500kbit
      match dscp CS6
   class group prio rate 14000kbit ceil 14000kbit
       class video rate 10000kbit
           match dscp AF41
       class other rate 4000kbit
           match dscp AF21
   class group end
   class default ceil 1000kbit

interface pppoe-wan wanout output rate 5500kbit qdisc fq_codel overhead 8
   class highprio rate 300kbit ceil 500kbit
      match dscp CS6

The first definition is supposed to be for inbound, the last one is for outbound, so the extra outbound definition at the top was spurious.


I did it as you said:

FireQOS 3.1.5
(C) 2013-2014 Costa Tsaousis, GPL


: interface pppoe-wan wanin input rate 15500kbit qdisc fq_codel overhead 8 (pppoe-wan-ifb, 15500kbit, mtu 1480, quantum 1480, minrate 155kbit)
:       class highprio rate 300kbit ceil 500kbit (1:11, 300/500kbit, prio 0)
:       class prio rate 14000kbit ceil 14000kbit (1:12, 14000/14000kbit, prio 1)
:               class video rate 10000kbit (1:13, 10000/14000kbit, prio 0)
:               class other rate 4000kbit (1:14, 4000/14000kbit, prio 1)
:               class default (1:8001, 155/14000kbit, prio 2)
:               committed rate 14155kbit, (101%), overbooked by 155kbit. PLEASE FIX.
:       class default ceil 1000kbit (1:8000, 155/1000kbit, prio 2)
:       committed rate 14455kbit (93%), the remaining 1045kbit will be spare bandwidth.

: interface pppoe-wan wanout output rate 5500kbit qdisc fq_codel overhead 8 (pppoe-wan, 5500kbit, mtu 1480, quantum 1480, minrate 55kbit)
:       class highprio rate 300kbit ceil 500kbit (1:11, 300/500kbit, prio 0)
:       class default (1:8000, 55/5500kbit, prio 1)
:       committed rate 355kbit (6%), the remaining 5145kbit will be spare bandwidth.


  Traffic is classified:

      - on 2 interfaces
      - to 9 classes
      - by 5 FireQOS matches

  29 TC commands executed

All Done! Enjoy...
bye...

Now I need to get the others, like League of Legends ("LoL"), and I want to give less priority to downloading and torrents.