Quality of Service

From DD-WRT Wiki

Revision as of 16:12, 9 June 2011 by Rseiler


Quality of Service (QoS) is a method to guarantee a bandwidth relationship between individual applications or protocols. This is very handy when you max out your connection so that you can allow for each application to have some bandwidth and so that no single application can take down the internet connection. This allows, for example, a full speed download via FTP without causing jittering on a VOIP chat. The FTP will slow down slightly as bandwidth is needed for the VOIP, provided VOIP was given greater priority.

If you would like to set hard-coded bandwidth limits (throttling), this can be done with the tc command.

NOTE: Ethernet Port Priority only works on old models with ADMtek switch chips. That is, the Linksys WRT54G v1.0, 1.1, 2.0, 2.1 and the WRT54GS v1.0. It appears that this Ethernet Port Priority option has been removed for many models that do not support it, but many Broadcom G spec models that do not support it still display it.

Initial Setup

  • Log into the Web Interface
  • Select the NAT/QoS tab and then the QoS sub-tab.
  • Tick "Enable"
  • Set Port to "WAN" or "LAN & WLAN". The term WAN here refers to the WAN connection on your router while the term "LAN & WLAN" refers to the combination of your local ports and Wifi connections. Selecting "WAN" will apply QoS only to traffic moving into or out of your network, while selecting "LAN & WLAN" will apply QoS to ALL traffic passing through the router on your network. Selecting "LAN & WLAN" will limit WLAN<->WLAN and LAN<->WLAN transfer speeds to the lowest of the uplink/downlink speeds that you set while also limiting the LAN&WLAN<->WAN rates, and thus will not be the preferred solution for most people. However, there is a known bug related to using the "WAN" setting that can be fixed with a firewall script.

Note: If you set "LAN & WLAN" then ebtables will be loaded which will cause iptables to see bridged traffic that it normally wouldn't. This often causes severe trouble for people using additional interfaces such as VPN tunnels. It is best to avoid the "LAN & WLAN" setting unless you're absolutely sure it does what you want and nothing more. Do not select "LAN & WLAN" to work around the WAN bug!

  • Select HTB as your Packet Scheduler if using a build older than 14390 due to a major bug with HFSC that has been fixed in 14390. If your build is higher than 14390 then you may use either HTB or HFSC.
  • Set your upload and download speeds. You can use a speed test like DSL Reports or Speedtest.net to check your actual connection speed. Some ISPs also provide their own bandwidth testing service, which may be more reliable than the links provided. The uplink/downlink settings in DD-WRT are relative to the port selected above, which is a common source of confusion: when WAN is selected they match the uplink/downlink you measured; when you select "LAN & WLAN" they are reversed. It is required that you enter 80% of the values you measure into the proper field. After you have everything set, run the speed test again. If you get 80% of your previous measurement in each direction then things are working. If the results are way off then chances are that you have reversed these values.
  • Ignore Optimize for gaming. It does not do anything and hopefully will be deleted one day.

You must enter a value for the uplink field but if you want you can enter 0 for the downlink field in which case no QoS will occur in that direction. I do not recommend setting your downlink field to zero.

It probably bugs you to set less than 100% of your available bandwidth in these fields but this is required. There will be a bottleneck somewhere in the system and QoS can only work if the bottleneck is in your router where it has some control. The goal is to force the bottleneck to be in your router as opposed to some random location out on the wire over which you have no control.

The situation can become confusing because most ISPs offer only "best effort" service, which means they don't actually guarantee any level of service to you. Some ISPs even have bursting (Comcast "PowerBoost"), which temporarily gives you extra bandwidth when you first start using your connection but later throttles down to a sustained rate. Fortunately there is usually a minimum level that you receive on a consistent basis, and you must set your QoS limits below this minimum. The problem is finding this minimum, and you may have to repeat speed tests many times before determining it. For this reason start with 80% of your measured speed and try things for a couple of days. If the performance is acceptable you can start to inch your levels up. If you go even 5% higher than you should be, your QoS will totally stop working (just too high) or randomly stop working (high when your ISP is slow). This can lead to a lot of confusion on your part, so get it working first by conservatively setting these speeds and then optimize later.

Prioritizing by Application (Skype, Http) or Port Range (P2P)

  • Choose an available Service or Port Range from the list or create one, and then press "Add" next to it.
  • For P2P Applications, due to evolving protocols, encryption and obfuscation, it can be much better to define a Port Range [such as TCP/UDP, 60000-61000]. Set your P2P applications to operate within this range. This can significantly reduce the load on the router, avoid mis-identifying packets, and more efficiently shape your network traffic.
  • For Service definitions see here.
  • Add all your other selected Services and Port Ranges here
  • Choosing a Service (L7 Protocol) can work better than choosing a port range, though the router has to work harder.

If you wish to add more than one priority then use the "Add" button to create more entries.

Prioritizing by IP Address (Netmask Priority)

These are entered in CIDR notation including the network prefix.

For example, to specify a single IP address enter xxx.xxx.xxx.xxx / 32. Be careful to enter netmask as "32" because leaving it zero means ALL IP ADDRESSES.

The netmask is the number of bits of the IP address to match. For example, the entry matches 192.168.1.x addresses. An entry of matches 192.168.x.x addresses. If you're unsure of how to create CIDR subnet masks and what they mean, then use a subnet calculator.

After you have filled it out, press "Add" next to it.

Prioritizing by MAC Address

In the case you want to prioritize traffic from a particular device without a static IP address on your LAN, you can prioritize by MAC Address.

Enter the MAC Address of the device and press "Add" next to it.

This method works via the source MAC address only so traffic is only properly prioritized if the connection was initiated from this address. Traffic initiated from somewhere else will not be properly marked even if it is destined for one of the listed MAC addresses.

Priorities explained

Bandwidth classification based on the four categories is applied first by MAC address, then by netmask and finally by service. If prioritizing by MAC address, the highest priority you should use is Express (Exempt is 100mbps); up-prioritize individual programs via their ports instead (side note: regular internet activities are already top-prioritized by the built-in rules).

  • Exempt - This class gives 100mbps bandwidth regardless of what your actual bandwidth limits are set to. Use extremely sparingly for low bandwidth traffic that needs to avoid any delay. This may or may not work well for VoIP and gaming. If you have too much traffic set to Exempt then your other traffic won't be prioritized correctly because the other queues will think they can use more bandwidth than there really is available (because Exempt traffic used it without the other queues knowing). Any bandwidth that will be used by Exempt traffic should be deducted from the global limits.
  • Premium - The top bandwidth class. By default handshaking and icmp packets fall into this class. This class should be used sparingly. Occasionally VoIP and gaming services may be placed in this class so that they receive top priority.
  • Express - The Express class is for interactive applications (IRC, instant messaging, SSH, telnet, etc.) that require bandwidth above standard services so that interactive apps run smoothly.
  • Standard - All traffic that is not specifically classed will fall under the standard class. You should not need to explicitly set anything to this class.
  • Bulk - The bulk class is only allocated bandwidth when the remaining classes are idle. Use this class for P2P services and downloading services like FTP.

Detailed breakdown of traffic

If you'd like to know the specifics, bandwidth is allocated based on the following percentages of uplink and downlink values for each class:

  • Exempt: 100mbps - ignores global limits.
  • Premium: 75% - 100%
  • Express: 15% - 100%
  • Standard: 10% - 100%
  • Bulk: 1.5% - 100%

What this really means is that if you have 10,000kbit of uplink traffic, "Standard" class traffic can be reduced and de-prioritized to 10% or 1,000kbit when a concurrent Express service requires the uplink pipe at the same time.

You can run the tc command to check breakdown of traffic applied to each interface. Uplink limits are applied to the WAN interface (nvram get wan_iface) or LAN&WLAN bridge interface (br0) depending on which port you selected, while Downlink limits are applied to the imq0 interface.

tc class show dev `get_wanface`
tc class show dev br0
tc class show dev imq0

How Do You Check What QoS Priorities Were Applied

The DD-WRT web UI doesn't display any live traffic. Short of doing a practical test, you can get your hands dirty by checking the conntrack entries via telnet or ssh access to the router. When you're logged in run:

cat /proc/net/ip_conntrack

It will list all currently open connections and their protocols that are being routed by the router. This is what it would look like:

tcp      6 113 ESTABLISHED src= dst= sport=48959 dport=21 src= dst= sport=21 dport=48959 [ASSURED] use=1 rate=73 l7proto=ftp mark=40
udp      17 29 src= dst= sport=56105 dport=53 src= dst= sport=53 dport=56105 use=1 rate=157 l7proto=dns mark=10

What you'll be interested in is the first set of source and destination IPs, including the port numbers, and then the presence of l7proto and the "mark" field. The entries indicate the QoS priority currently applied to each live connection via the "mark" field. The "mark" values correspond to the following:

  • Exempt: 100
  • Premium: 10
  • Express: 20
  • Standard: 30
  • Bulk: 40
  • (no QoS matched): 0

I have "ftp" set to bulk, and "dns" set to premium priority. Thus the conntrack output confirmed that the right QoS rules were applied. Using this method requires that you know the destination IP and port number of the service, and this must be checked while the connection is active. You may see "mark=0" for some l7proto services even though they are configured in the list of QoS rules. This may mean that the layer 7 pattern matching system didn't match a new or changed header for that protocol. Custom services on port matches will usually take care of these.

Alternatively, you can also check applied QoS on active connections using either of the following commands (pipe to more if output is huge):

Generally try the first command. If you find its output consistently states "Exempt", as I noticed for dd-wrt build SVN revision 13401M NEWD-2 K2.6 Eko, then use the second command.

awk '{ gsub(/(src|dst|sport|dport|mark)=/, ""); printf "%s %-21s %-21s %s\n", $1, $1 == "tcp" ? $5 ":" $7 : $4 ":" $6, $1 == "tcp" ? $6 ":" $8 : $5 ":" $7, $NF == 0 ? "Default/Standard" : $NF == 10 ? "Premium" : $NF == 20 ? "Express" : $NF == 30 ? "Standard" : $NF == 40 ? "Bulk" : "Exempt" }' /proc/net/ip_conntrack

Second Command:

awk '{ gsub(/(src|dst|sport|dport|mark)=/, ""); printf "%s %-21s %-21s %s\n", $1, $1 == "tcp" ? $5 ":" $7 : $4 ":" $6, $1 == "tcp" ? $6 ":" $8 : $5 ":" $7, $(NF-2) == 0 ? "Default/Standard" : $(NF-2) == 10 ? "Premium" : $(NF-2) == 20 ? "Express" : $(NF-2) == 30 ? "Standard" : $(NF-2) == 40 ? "Bulk" : "Exempt" }' /proc/net/ip_conntrack
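As an added example (not from the original page), the shell function below does what the two awk one-liners above do, but finds the src/dst/sport/dport and mark fields by key name rather than by position, so it reports the same class whether mark= is the last field or not, and for both tcp entries (which carry a state column) and udp entries. The mark-to-class table is the one listed above; the sample conntrack lines and addresses are constructed.

```shell
#!/bin/sh
# Print "proto src:sport dst:dport class" for each /proc/net/ip_conntrack
# line read on stdin. Fields are located by key rather than position, so
# the result is the same whether mark= is the last field (first one-liner
# on the page) or sits before other counters (the second one-liner), and
# for both tcp entries (which carry a state column) and udp entries.
# Class names follow the mark table on this page.
qos_conntrack_summary() {
    awk '
    {
        # The first src/dst/sport/dport set is the original direction of the
        # flow; the reply direction that follows is ignored, as on the page.
        src = dst = sport = dport = ""; mark = -1
        for (i = 2; i <= NF; i++) {
            split($i, kv, "=")
            if      (kv[1] == "src"   && src   == "") src   = kv[2]
            else if (kv[1] == "dst"   && dst   == "") dst   = kv[2]
            else if (kv[1] == "sport" && sport == "") sport = kv[2]
            else if (kv[1] == "dport" && dport == "") dport = kv[2]
            else if (kv[1] == "mark") mark = kv[2] + 0
        }
        if (mark < 0) mark = 0            # no mark= field at all: unmarked
        if      (mark == 0)   cls = "Default/Standard"
        else if (mark == 10)  cls = "Premium"
        else if (mark == 20)  cls = "Express"
        else if (mark == 30)  cls = "Standard"
        else if (mark == 40)  cls = "Bulk"
        else if (mark == 100) cls = "Exempt"
        else                  cls = "Unknown(" mark ")"
        printf "%s %-21s %-21s %s\n", $1, src ":" sport, dst ":" dport, cls
    }'
}

# Constructed sample conntrack lines (addresses are documentation ranges, not
# from the page). The third line has mark= before use=, which the first
# one-liner on the page would misreport as "Exempt".
SAMPLE_CONNTRACK='tcp      6 113 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=48959 dport=21 src=203.0.113.5 dst=198.51.100.2 sport=21 dport=48959 [ASSURED] use=1 rate=73 l7proto=ftp mark=40
udp      17 29 src=192.168.1.10 dst=203.0.113.53 sport=56105 dport=53 src=203.0.113.53 dst=198.51.100.2 sport=53 dport=56105 use=1 rate=157 l7proto=dns mark=10
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.22 sport=51000 dport=22 src=203.0.113.22 dst=198.51.100.2 sport=22 dport=51000 [ASSURED] mark=20 use=1'

# On the router: qos_conntrack_summary < /proc/net/ip_conntrack
printf '%s\n' "$SAMPLE_CONNTRACK" | qos_conntrack_summary
```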

Time Based QoS

As described in this thread you can use CRON jobs to enable/disable QoS. This is just a simplistic approach but more complex things could be done if you put your mind to it. These commands will enable HTB QoS on the WAN port from 5PM to 1AM but you will still need to configure everything else in the GUI. If you want to use LAN&WLAN then change "`get_wanface`" to "br0". To change the times, see the CRON page for information.

1 17 * * * root /usr/sbin/svqos `nvram get wshaper_downlink` `nvram get wshaper_uplink` `get_wanface` `nvram get wan_mtu` 0
*/6 1-17 * * * root /usr/sbin/svqos stop 0 `get_wanface` 0 0

If you use HFSC then you would do something like this instead.

1 17 * * * root /usr/sbin/svqos2 `nvram get wshaper_uplink` `nvram get wshaper_downlink` `get_wanface` `nvram get wan_mtu` 0
*/6 1-17 * * * root /usr/sbin/svqos2 stop 0 `get_wanface` 0 0 

As described in this thread you can also set different rates at different times by doing something like this which changes the HTB rates.

1 23 * * * root /usr/sbin/svqos [downlink rate] [uplink rate] `get_wanface` `nvram get wan_mtu` 0; nvram set wshaper_downlink=[downlink rate]; nvram set wshaper_uplink=[uplink rate];
1 10 * * * root /usr/sbin/svqos [downlink rate] [uplink rate] `get_wanface` `nvram get wan_mtu` 0; nvram set wshaper_downlink=[downlink rate]; nvram set wshaper_uplink=[uplink rate];

Script Generator

There is an old script generator available, which you may find useful to set up QoS: http://www.robsonn.user.icpnet.pl/generator.zip It generates a script which you can copy/paste at Administration -> Commands -> Save Firewall. Because of its age, it often generates scripts that won't work properly. Sometimes this can be solved easily; for instance, you will need to change any instances of "modprobe" to "insmod" to insert kernel modules. Other things are not easy, such as any iptables rule using iprange, which is not included in most DD-WRT builds, so you should use netmasks as an alternative. There is also a fundamental flaw in the way it writes scripts that prevents any service rules from working properly, so you must stick to IP/MAC/TCP/UDP/port based rules.


With all these ways of marking traffic it's easy to get confused about how seemingly contradictory requirements are resolved. For example, what happens if you have an IP rule setting IP to priority "exempt" and have a MAC rule setting MAC AA:BB:CC:DD:EE:FF to priority "bulk"?

The order of precedence is as follows:

  • MAC - If you have specified a MAC address priority then it takes precedence over all others
  • Netmask - The IP address entries are applied in the order that they appear in your netmask table. Interestingly only the first match applies. For example if you have an entry marking as bulk followed by an entry marking (all 192.168.1 addresses) as premium the traffic from would be marked bulk because it was the first match. Also if a match is found in this table it does not matter what you put in the services table.
  • Services - The services entries are applied in the order that they appear in your services tables. Again, only the first match will apply.
  • Ethernet Ports - See the note in the Introduction

Note for PPTP Users:

There seems to be a problem when using PPTP and QoS at the same time. If you use DD-WRT with the PPTP server enabled and want to activate QoS for the WAN interface, then you are no longer able to connect to the PPTP server from your LAN. PPTP, L2TP and IPSec Passthrough also don't work.

The problem is reproducible on a WRT54GL 1.1 with DD-WRT v24-sp1.

(update July 2009) tested DD-WRT v24-sp2 Build 12548M on my Asus router - the problem seems to be fixed.

Known Bugs

There are some bugs which can affect your success with QoS.

  • When the port is set to WAN and a downlink limit is set, uplink traffic also gets counted by the downlink queue. This also causes LAN traffic to the router (i.e. if you're running a NAS on the router) to be put into the downlink queue. A solution that users can implement themselves is explained in ticket 1559.
  • Adding and deleting services, MAC addresses and netmasks is relatively simple with the web interface, which is great; however, DD-WRT is not so good at actually updating its internal runtime data on the fly to reflect your selections. The result can be erroneous and conflicting iptables entries that can seriously hamper your performance. This can be especially confusing if you make a change then test, make another change then test, etc. Save your changes and reboot your router after you have completed your changes to avoid any problems. If you are able to reproduce this problem or want more information, please see ticket 1560.
