I'm not exactly sure how to make the rule entries. I have them entered and they are accepted, but I'm not sure if they are correct.

1. I have a wireless access point where all my dhcp addresses get assigned. I would like to enter a priority 4 for the scope of dhcp addresses. My entry is like so,
4 All All Any : All 10.43.30.130/10.43.30.150 : All
Is this correct?

2. Next I would like to do the same thing for my OpenVPN dhcp addresses as the source IPs. Would this work?
3 All All Any : All 10.8.0.1/10.8.0.20
I don't have my openvpn dhcp scope configured. OpenVPN is configured auto default with the exception of NAT enabled, by the way.

Thank you in advance. Any guidance would be much appreciated. If needed I will submit screen shots with some info omitted for security purposes.
Sunday, December 20 2020, 08:29 PM
Responses (15)
  • Wednesday, January 06 2021, 06:42 PM
    I've already given you the answer about port ranges and it is in the docs.

    In iptables, matching is by packet. Once a packet matched in a chain, it is not processed any further by the chain, so if the first rule has an IP match and the second rule has a port match, if the packet matches on both port and IP, only the first rule will be processed. QoS packets could be an exception to this as I don't know if the MARK target continues processing in the chain. If it does, you will end up with the second rule and not the first.

    If your link is 25/45 it is odd as down is normally equal to or greater than up. Also the link is way slower than the ClearOS link and the line capacity will hardly make a dent in the ClearOS bandwidth. Unless there are some big hogs on the ClearOS LAN, you may not even need QoS, but only you can tell.

    I don't know about bonding options. I have to google them. There is something in the KB about bonding, but it does not go into the options. You also have to make sure your switches can handle bonded connections.
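A small model of the first-match behaviour described above, written as an added example (not ClearOS code or anything from the thread). It assumes the mangle chain stops at the first matching rule, exactly as the reply states, and uses constructed addresses (Synology 10.43.30.10, remote client 203.0.113.5) to show why an "IP, all ports" rule placed before a port-specific rule for the same host silently shadows it. The MARK caveat in the reply still applies: if MARK continues processing, the last match wins instead.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the QoS rule semantics discussed in the thread:
# rules are walked in order and the FIRST match decides the priority.
# Hypothetical addresses: Synology 10.43.30.10, remote client 203.0.113.5.

@dataclass(frozen=True)
class Rule:
    priority: int                   # 1 (highest) .. 7 (default/unclassified)
    proto: str = "all"              # "tcp", "udp" or "all"
    src: Optional[str] = None       # IP or CIDR; None = any
    dst: Optional[str] = None
    sport: Optional[range] = None   # None = any port
    dport: Optional[range] = None

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

def port_range(spec: str) -> range:
    """'6001:6007' -> range(6001, 6008); '1194' -> range(1194, 1195)."""
    lo, _, hi = spec.partition(":")
    return range(int(lo), int(hi or lo) + 1)

def _ip_ok(cidr: Optional[str], ip: str) -> bool:
    return cidr is None or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("all", pkt.proto)
            and _ip_ok(rule.src, pkt.src) and _ip_ok(rule.dst, pkt.dst)
            and (rule.sport is None or pkt.sport in rule.sport)
            and (rule.dport is None or pkt.dport in rule.dport))

def classify(rules, pkt: Packet, default: int = 7):
    """Return (priority, index of the rule that fired); unmatched -> default 7."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.priority, i
    return default, None

def shadowed(rules, pkt: Packet):
    """Indices of later rules the packet also matches but that never get to act."""
    hits = [i for i, rule in enumerate(rules) if matches(rule, pkt)]
    return hits[1:]

# Upstream rules as the poster described them: Synology on all ports at
# priority 2, then a lower priority for the Audio Station ports it serves.
RULES = [
    Rule(2, src="10.43.30.10"),
    Rule(5, "tcp", src="10.43.30.10", sport=port_range("6001:6007")),
]
# Reply from Audio Station (server port 6003) to a remote client's high port.
AUDIO_REPLY = Packet("tcp", "10.43.30.10", "203.0.113.5", 6003, 51000)

if __name__ == "__main__":
    print(classify(RULES, AUDIO_REPLY), shadowed(RULES, AUDIO_REPLY))   # (2, 0) [1]
    print(classify(RULES[::-1], AUDIO_REPLY))                           # (5, 0)
```

Running `shadowed()` over each packet type you care about is the quickest way to spot rules that can never fire with the current ordering.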
  • Wednesday, January 06 2021, 04:05 PM
    1. I changed my openvpn to priority 3 up and down on port 1194 UDP - the openvpn dhcp was also on priority 3; which I disabled tcp on openvpn - I will change/delete the openvpn dhcp priority 3 rule.

    2. At my physical location my pipe is 25Mb down / 45 up. My plan is/was to have about 8 Plex users amongst family members at remote locations. I was hoping to gain some load balancing/better bandwidth management amongst internal connections and also from remote connections. At the ClearOS location, it's a home/office which includes 2-3 VoIP phones over smart phones, 2 Xboxes, a Synology server, 3 laptops, and soon another desktop. Where I reside remotely it's just me remoted in on that network. I do a lot of work with large files as an artist.

    3. My clearos box has 3 nics - I guess I will team them and upgrade my switch just for the hell of it as a project. Any recommendation on what teaming mode? I know there is a how to floating around somewhere.

    4.
    There is also another issue where an IP address will trigger more than one rule. I believe the first rule hit will be the only one to operate. You can see the rules with "iptables -nvL -t mangle" but good luck working out which chains are going to be hit in which order. Just be aware of it.

    * This is confusing - for a rule to trigger, wouldn't the port and IP address consist of the trigger itself, making it a "match" for action? Are you saying it's best to minimize IP addresses in rules and go mainly by ports? That doesn't seem logical because there could be another machine doing the same/similar job on one/the same port that needs a different priority. I will post screens of what my config looks like now. It's way more simple thanks to you.

    Edit: 5. Is there not a way to enter multiple ports like 6001-6999? Each port has to be entered by itself separated by commas?



    Nick Howitt wrote:

    By default OpenVPN runs on both udp:1194 and tcp:1194 in ClearOS. This is a bit of an odd concept. When you download your OpenVPN config file it is for UDP only. Longer term it is probably the intention to remove the tcp configuration but it is not really safe to do mid-release. You may as well close the firewall to tcp:1194. Having rules for tcp:1194 will do nothing as they will never get hit.

    Yes, remove your OpenVPN-DHCP rules.

    There is no point in a priority 7 rule as it is the default for unclassified traffic.

    There is also another issue where an IP address will trigger more than one rule. I believe the first rule hit will be the only one to operate. You can see the rules with "iptables -nvL -t mangle" but good luck working out which chains are going to be hit in which order. Just be aware of it.

    In terms of Priorities, it is generally recommended to leave priorities 1 and 2 alone. 1 is for small packets (SYN and SYN/ACK) and ICMP, 2 is for remote SSH.

    Teaming may give you some advantage on your LAN but you won't double your bandwidth. Also, is it really worth it? Do you ever get much contention from your users with a 1Gb/s LAN? Your WiFi users are unlikely to ever hit those speeds for a start.

    At the same time, how much QoS do you really need? If your external pipe is 1Gb/s how much contention do you get there? If the pipe does not get saturated, there is little point in QoS. If your remote device connecting by OpenVPN is not on a 1Gb link you probably don't need QoS at all.
  • Wednesday, January 06 2021, 09:03 AM
    By default OpenVPN runs on both udp:1194 and tcp:1194 in ClearOS. This is a bit of an odd concept. When you download your OpenVPN config file it is for UDP only. Longer term it is probably the intention to remove the tcp configuration but it is not really safe to do mid-release. You may as well close the firewall to tcp:1194. Having rules for tcp:1194 will do nothing as they will never get hit.

    Yes, remove your OpenVPN-DHCP rules.

    There is no point in a priority 7 rule as it is the default for unclassified traffic.

    There is also another issue where an IP address will trigger more than one rule. I believe the first rule hit will be the only one to operate. You can see the rules with "iptables -nvL -t mangle" but good luck working out which chains are going to be hit in which order. Just be aware of it.

    In terms of Priorities, it is generally recommended to leave priorities 1 and 2 alone. 1 is for small packets (SYN and SYN/ACK) and ICMP, 2 is for remote SSH.

    Teaming may give you some advantage on your LAN but you won't double your bandwidth. Also, is it really worth it? Do you ever get much contention from your users with a 1Gb/s LAN? Your WiFi users are unlikely to ever hit those speeds for a start.

    At the same time, how much QoS do you really need? If your external pipe is 1Gb/s how much contention do you get there? If the pipe does not get saturated, there is little point in QoS. If your remote device connecting by OpenVPN is not on a 1Gb link you probably don't need QoS at all.
  • Tuesday, January 05 2021, 11:55 PM
    I also have a side question. Would 1Gb NIC teaming be worth it on a 1Gb connection with roughly 10 devices locally and 2 devices remotely? Maybe for some load balancing? Eventually I would like to upgrade my Synology box to a model with dual NICs.
  • Tuesday, January 05 2021, 09:26 PM
    Nick Howitt wrote:

    As far as I understand, for the Synology, upstream, you'd have the source IP as the IP address of the Synology. Similarly if you had a downstream rule, you'd have the Synology as your destination IP.

    OpenVPN is a little different. For a start, are you really using TCP? By default it uses UDP. If you are coming in from a fixed external IP, you could prioritise that. Otherwise as a generic couple of rules you could do downstream to destination port udp:1194 and upstream from source port udp:1194. You don't really want to prioritise traffic in the tunnel and the tunnel as well or they could fight over what is effectively the same traffic.

    Plex can probably be prioritised by port - tcp:32400.

    Upstream, destination is outside your network. Downstream, destination is ClearOS or the LAN.

    [edit]
    I note from your examples that you can also use port ranges. Check the documentation. For your audio station, you can do ports 1900,5353,6001:6007 and maybe more.
    [/edit]


    Ok, so get rid of the openvpn dhcp rules to eliminate this fight for traffic you speak of? I believe by default openvpn has tcp/udp enabled for 1194? Should I change this? Because I have OpenVPN rules for 1194 tcp and udp. I ended up giving my Synology box a 2 priority up and down via "ip, all ports" since that's where all my services are, and did lower priorities on certain ports it uses that I wanted to cap.

    I tried attaching another image - had to use a URL.
  • Tuesday, January 05 2021, 09:06 PM
    Ok, here are my corrections based on my understanding of your guidelines. Please reference the images. Thanks!
  • Tuesday, January 05 2021, 08:27 PM
    As far as I understand, for the Synology, upstream, you'd have the source IP as the IP address of the Synology. Similarly if you had a downstream rule, you'd have the Synology as your destination IP.

    OpenVPN is a little different. For a start, are you really using TCP? By default it uses UDP. If you are coming in from a fixed external IP, you could prioritise that. Otherwise as a generic couple of rules you could do downstream to destination port udp:1194 and upstream from source port udp:1194. You don't really want to prioritise traffic in the tunnel and the tunnel as well or they could fight over what is effectively the same traffic.

    Plex can probably be prioritised by port - tcp:32400.

    Upstream, destination is outside your network. Downstream, destination is ClearOS or the LAN.

    [edit]
    I note from your examples that you can also use port ranges. Check the documentation. For your audio station, you can do ports 1900,5353,6001:6007 and maybe more.
    [/edit]
  • Tuesday, January 05 2021, 07:47 PM
    Nick Howitt wrote:

    Where? I don't see it. In the example you are prioritizing traffic to and from a single remote server with no mention of ports. In the "Source/Destination Port Specification" example you are prioritizing web browsing from your LAN to all internet sites. In this case you are prioritizing traffic going out to remote web servers, so upstream. The traffic will be going to ports 80 and 443 from a random high port on your LAN. Return traffic is downstream and will come from ports 80/443 back to the random high ports on your LAN devices.


    My apologies. Maybe if I communicate more clearly what I'm trying to accomplish.

    * I live in another city (A) and my resources are on a 1Gb pipe at another location (city B). At city B I have of course a ClearOS gateway and a Synology server. Along with those devices I have a wireless access point where the ClearOS box does the heavy lifting. There are other wireless devices on prem at city B - phones, Xboxes, computers. I assigned a priority of 4 to those wireless devices as you mentioned via IP.

    * The Synology box serves out streaming Plex and Audio Station along with files. I use a different port assignment for http/https for the Synology box. The ClearOS handles openvpn which I gave a priority of 2. I would like to also put the IP scope of the VPNs at priority 2. I think you told me how to do that, have to read back. Plex is priority 2 via port and IP and the rest of the services such as Audio Station are by IP and ports. I might have gone overkill with rules. But, even reading the port assignment examples and following the preset rules that came with the package, everything Up says destination. So, it makes logical sense for what you are saying.

    Destination is outside the network? (which the document example of a particular server doesn't make it seem that way.) So I will attach example screenshots of my current config and I guess I have to figure them out.

    - So if I want to prioritize upstream from my Synology box on all ports to priority 3 - then I would list its IP as the source? I could probably go even further and add its custom ports as the destination source in the same UP rule?

    - So, all the ports in my config will be source ports from what you are saying, and the IPs unless it's outside my network?

    - If I want to prioritize my openvpn remote IPs, those would be source as well for up and down?

    - I attached the screenshot of the on prem wireless dhcp - I would need to switch those IPs to source, correct?
  • Monday, January 04 2021, 10:06 AM
    Where? I don't see it. In the example you are prioritising traffic to and from a single remote server with no mention of ports. In the "Source/Destination Port Specification" example you are prioritising web browsing from your LAN to all internet sites. In this case you are prioritising traffic going out to remote web servers, so upstream. The traffic will be going to ports 80 and 443 from a random high port on your LAN. Return traffic is downstream and will come from ports 80/443 back to the random high ports on your LAN devices.
  • Sunday, January 03 2021, 11:16 PM
    I'm scratching my head because this is described in reverse. https://documentation.clearos.com/content:en_us:7_ug_qos

    Nick Howitt wrote:

    For priority 7, you don't need any rules as it is the default.

    For upstream rules, Destination IP is your external target server and Source IP is your ClearOS server or your LAN machine you are prioritising. The ports are more confusing but are similar. The source and destination ports are defined in the same way, but what do you use? It really depends on the application. If you are trying to prioritise browsing a particular site then the destination port is 80 and/or 443. The source port is a random high port (so leave it empty). On the other hand, if you want to prioritise your web server, upstream is outbound traffic, and this will be replying to the remote IP, so the source port is 80 and/or 443 and the destination port is a random high port (again, leave it empty).

    For downstream rules it is the reverse with the destination IP being your server or device on the LAN behind and the source IP being on the internet. The destination port becomes the port on your server or LAN and the source port is on the internet. Again you have to be clear in your mind if ClearOS (or the LAN device) is acting as a server or client. If it is the server, then you can specify its port and if it is the client, you can specify the remote port.

    If you can find an easy way of explaining this, I am all ears.
  • Sunday, January 03 2021, 09:37 AM
    For priority 7, you don't need any rules as it is the default.

    For upstream rules, Destination IP is your external target server and Source IP is your ClearOS server or your LAN machine you are prioritising. The ports are more confusing but are similar. The source and destination ports are defined in the same way, but what do you use? It really depends on the application. If you are trying to prioritise browsing a particular site then the destination port is 80 and/or 443. The source port is a random high port (so leave it empty). On the other hand, if you want to prioritise your web server, upstream is outbound traffic, and this will be replying to the remote IP, so the source port is 80 and/or 443 and the destination port is a random high port (again, leave it empty).

    For downstream rules it is the reverse with the destination IP being your server or device on the LAN behind and the source IP being on the internet. The destination port becomes the port on your server or LAN and the source port is on the internet. Again you have to be clear in your mind if ClearOS (or the LAN device) is acting as a server or client. If it is the server, then you can specify its port and if it is the client, you can specify the remote port.

    If you can find an easy way of explaining this, I am all ears.
  • Saturday, January 02 2021, 10:50 PM
    Hello Nick,

    I think I'm confused when it comes to source/destination ports and addresses. I have a server that I want to have priority 7 on a particular port when it comes to upstream. According to the QoS documentation, I would list the server's IP and port as the destination under Upstream - then create the "down rule" as source. *Scratching head; is this correct according to the documentation?
  • Monday, December 21 2020, 09:05 AM
    If your Wireless router is performing NAT, you could create a rule for the WAN IP of the router. If it is not performing NAT, so connected ClearOS LAN <-> Router LAN, then your rule needs to cover your device IPs.

    For OpenVPN (and almost any rule except NTP) that won't work as most traffic is from a client high port to server explicit port and return traffic is from a server explicit port to a client high port. This means you want two separate rules, a downstream rule from any port to udp:1194 and an upstream rule from udp:1194 to any port.
  • Monday, December 21 2020, 02:36 AM
    Hello Nick,

    I hope the holiday season has been treating you well.

    * I went with your recommendation for the dhcp rule. As stated only wireless devices use dhcp. I was kind of curious if creating an up/down rule for the wireless router IP would work as well instead of 10.43.30.128/27

    * As far as openvpn I created rules that had 1194 as the source and destination port in the same rule for up and also down. Thank you for your reply and I'm always keen to hear your thoughts.

    Bandwidth and QoS have definitely improved the quality of streaming for my Plex server.
  • Sunday, December 20 2020, 10:06 PM
    1 - no that is not correct. You can use a single IP address, or IP/subnet in either CIDR format (e.g. /26) or with a netmask, e.g. 255.255.255.64. You will find decimal IP ranges do not fit well into this scenario. For your IPs the closest you can get in a single rule is 10.43.30.128/27 (google supernet calculator). Otherwise you'll need to break it down into more mini-subnets, but you can have multiple priority 4 rules.
    2 - I don't know if you can prioritise OpenVPN like that as it is traffic inside traffic. If you can, you might as well use the whole /24 subnet. If I were to do it, I'd use port-based rules. If you have an asymmetric line, it is probably only worth prioritising upstream traffic with a source port of udp:1194
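Working out the supernet and the "mini-subnets" mentioned in the reply, as an added example that is not part of the thread or of ClearOS. It takes the poster's range 10.43.30.130 to 10.43.30.150, widens it to the smallest single CIDR block (which comes out as 10.43.30.128/27, the block the reply names), reports how many unrequested addresses that block lets in, and lists the exact blocks you would need if you prefer one rule per subnet instead.

```python
import ipaddress
from typing import List

def covering_supernet(first: str, last: str) -> ipaddress.IPv4Network:
    """Smallest single CIDR block containing every address from first to last.
    It may admit extra addresses outside the requested range."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError("last address must not precede first")
    net = ipaddress.IPv4Network(f"{lo}/32")
    while hi not in net:          # widen by one prefix bit until the range fits
        net = net.supernet()
    return net

def extra_addresses(first: str, last: str) -> int:
    """Addresses the covering block matches beyond the requested range
    (hosts that would silently inherit the rule's priority)."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return covering_supernet(first, last).num_addresses - (int(hi) - int(lo) + 1)

def exact_subnets(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Minimal list of CIDR blocks covering the range exactly, one rule each."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

if __name__ == "__main__":
    # Range taken from the original question (wireless DHCP scope).
    first, last = "10.43.30.130", "10.43.30.150"
    net = covering_supernet(first, last)
    print(net, net.with_netmask, extra_addresses(first, last))
    print([str(n) for n in exact_subnets(first, last)])
```

The same functions give 10.8.0.0/27 for the OpenVPN range 10.8.0.1 to 10.8.0.20 in the question, where the reply suggests simply using the whole /24.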