Topic: HOWTO: port forwarding & QoS using tc-htb for vonage and

I just spent all day searching the net (including these forums) for answers on how to get this stuff working, and I figured I should share my results with the community so that the next person in my position can get it all done faster.

My situation:
- 1.5m down / 256k up DSL from speakeasy, 1 static ip
- linksys wrt54gs w/openwrt
- motorola voip device from vonage
- mac running ssh & apache, named spooge
- a few other computers, but none needing special treatment

I wanted to make sure that the vonage device got all the bandwidth it needed when making phone calls, but didn't want to put it in front of the wrt54gs.  I also wanted to give ssh enough bandwidth so I could continue chatting & reading e-mail on an outside machine, even when I'm downloading stuff.


Required packages:
ip (aka iproute2)

Here's my /etc/init.d/S45firewall</tt> with some extra comments:

#!/bin/sh -x
. /etc/

WAN=$(nvram_get wan_ifname)


for T in filter nat mangle ; do
  $IPT -t $T -F
  $IPT -t $T -X

$IPT -t filter -A INPUT -m state --state INVALID -j DROP
$IPT -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
$IPT -t filter -A INPUT -p icmp -j ACCEPT 

## port forwarding to spooge (my mac at
# ssh
$IPT -A FORWARD -p tcp -i $WAN --dport 22 -j ACCEPT 
$IPT -t nat -A PREROUTING -p tcp -i $WAN --dport 22 -j DNAT --to
# http
$IPT -A FORWARD -p tcp -i $WAN --dport 80 -j ACCEPT
$IPT -t nat -A PREROUTING -p tcp -i $WAN --dport 80 -j DNAT --to
# bittorrent
#$IPT -A FORWARD -p tcp -i $WAN --dport 6881:6889 -j ACCEPT
#$IPT -t nat -A PREROUTING -p tcp -i $WAN --dport 6881:6889 -j DNAT --to

## port forwarding to vonage device
# control
$IPT -A FORWARD -p udp -i $WAN --dport 5060:5061 -j ACCEPT
$IPT -t nat -A PREROUTING -p udp -i $WAN --dport 5060:5061 -j DNAT --to
# data
$IPT -A FORWARD -p udp -i $WAN --dport 10000:20000 -j ACCEPT
$IPT -t nat -A PREROUTING -p udp -i $WAN --dport 10000:20000 -j DNAT --to
# may also need tftp, dns, ntp

## default continues
$IPT -t filter -A FORWARD -m state --state INVALID -j DROP 
$IPT -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
$IPT -t filter -A FORWARD -i $WAN -m state --state NEW,INVALID -j DROP
$IPT -t filter -A FORWARD -o $WAN -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu


## QoS using tc-htb package
TCADW="add dev $WAN"

# load kernel modules required for this config
insmod sch_htb.o
insmod cls_u32.o
insmod sch_sfq.o
# may need other modules for other queueing methods, etc

# create htb classes
$TC qdisc $TCADW root handle 1: htb default 30
$TC class $TCADW parent 1: classid 1:1 htb rate 256kbps burst 15k
$TC class $TCADW parent 1:1 classid 1:10 htb rate 160kbps ceil 256kbps burst 15k
$TC class $TCADW parent 1:1 classid 1:20 htb rate 64kbps ceil 250kbps burst 15k
$TC class $TCADW parent 1:1 classid 1:30 htb rate 32kbps ceil 250kbps burst 15k

# put vonage device in class 1:10 with prio 0
$TC filter $TCADW protocol ip parent 1:0 prio 0 u32 
    match ip src flowid 1:10
# put all ssh traffic in class 1:20
$TC filter $TCADW protocol ip parent 1:0 prio 1 u32 
    match ip dport 22 0xffff flowid 1:20

# assign queueing disciplines to each class
$TC qdisc $TCADW parent 1:10 handle 10: sfq perturb 10
$TC qdisc $TCADW parent 1:20 handle 20: sfq perturb 10
$TC qdisc $TCADW parent 1:30 handle 30: sfq perturb 10

What's going on here is that class 1 (the only parent class I've configured) has the full upstream bandwidth, 256kbps.  1:10, which is all traffic from the IP of the vonage device, is guaranteed up to 160kbps.  1:20, which is all ssh traffic, is guaranteed up to 64 kbps -- way more than I need for chatting & checking e-mail.  Everything else falls into 10:30, which is guaranteed a measly 32kbps. 

The important thing to remember is that whenever the vonage phone isn't using its 160kbps, that bandwidth can be borrowed by either of the other classes.  But when I get a phone call, any borrowed bandwidth will be returned if the vonage device needs it.

Above that, I had to load specific kernel modules in order for any of the tc stuff to work.  This was the most annoying part, actually.  If you vary from my example very for -- for example, if you want to use CBQ instead of HTB -- you'll need to load additional modules.  Look in /lib/modules/2.4.20/kernel/net/sched for the whole list.

Higher up is the port forwarding, which should be fairly straightforward.  I left bittorrent commented out because I don't use it much.

Hopefully this will be helpful to you.

Re: HOWTO: port forwarding & QoS using tc-htb for vonage and

Please see the lartc wondershaper script (openwrt has an ipkg for it) for more informations.
If your uplink is 256 and you use ADSL, you should not set ceil to 256 but only 80% to prevent adsl modem queueing.