knitatoms

Forum Replies Created

Viewing 15 posts - 1 through 15 (of 17 total)
    in reply to: QOS nearly working – what am I missing? #49787

    knitatoms
    Member

    Thanks to the info in this thread:

    http://www.zeroshell.net/eng/forum/viewtopic.php?t=1831

    I have got VOIP SIP packets being detected for QOS as shown in my screenshot above.

    Based on the advice from ppalias I am now only limiting outgoing traffic from my network.

    However I still have a problem with VOIP calls: when the network is busy we are getting regular drop outs in the voice. However this is only affecting us: the caller hears everything OK but we miss parts of what they are saying. This suggests to me that the QOS I have applied for outgoing packets is working well but because there is no QOS on incoming packets we are losing information.

    As our internet connection is ADSL and the upload speed is much slower than the download speed surely it should be possible for me to get this working better. The outgoing call quality is fine. Incoming is the problem but there is much more bandwidth that way.

    Is there definitely no point in trying to prioritise incoming SIP packets? I’ve done some reading around and I’m not able to come up with anything that will help me set up ‘limiting outgoing rates of ACKs’ as suggested above.

    Any help gratefully received.

    in reply to: Firewall rule to allow OpenDNS updater to work? #49780

    knitatoms
    Member

    OK thanks for checking. Bug filed:

    http://www.zeroshell.net/eng/forum/viewtopic.php?t=2085

    in reply to: Firewall rule to allow OpenDNS updater to work? #49778

    knitatoms
    Member

    Just reviving this thread as I never managed to solve this problem. I set the output chain to Accept and disabled all other rules as suggested by ppalias but I still get the same error as in the original post.

    Anyone have any suggestions why OpenDNS is not updating for me? (Just to confirm that the same installation of ZeroShell used to update OpenDNS just fine before I changed it into a router.)

    [EDIT] Just to add – I tried updating a DYNDNS account and that worked fine….

    Also if I go to https://user:*password*@updates.opendns.com/nic/update? in my browser the update works fine (obviously replacing user with my username and inserting the password). So my PC that is inside the Zeroshell network can connect OK! [/EDIT]

    in reply to: Firewall rule to allow OpenDNS updater to work? #49776

    knitatoms
    Member
    root@zeroshell root> iptables -L -v

    Chain INPUT (policy DROP 1474 packets, 126K bytes)
    pkts bytes target prot opt in out source destination
    2539 248K SYS_INPUT all -- any any anywhere anywhere
    0 0 SYS_HTTPS tcp -- any any anywhere anywhere tcp dpt:http
    821 95124 SYS_HTTPS tcp -- any any anywhere anywhere tcp dpt:https
    56 5000 SYS_SSH tcp -- any any anywhere anywhere tcp dpt:ssh
    0 0 ACCEPT tcp -- BRIDGE00 any anywhere anywhere tcp spt:https dpt:https
    0 0 ACCEPT tcp -- BRIDGE00 any anywhere anywhere tcp spt:ssh dpt:ssh
    0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:https dpt:https

    Chain FORWARD (policy DROP 12542 packets, 721K bytes)
    pkts bytes target prot opt in out source destination
    2208K 264M ACCEPT all -- BRIDGE00 any anywhere anywhere
    3234K 3196M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED

    Chain OUTPUT (policy ACCEPT 2894 packets, 1104K bytes)
    pkts bytes target prot opt in out source destination
    3246 1133K SYS_OUTPUT all -- any any anywhere anywhere
    150 9900 DROP all -- any ppp0 anywhere anywhere

    Chain NetBalancer (0 references)
    pkts bytes target prot opt in out source destination

    Chain SYS_HTTPS (2 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo any anywhere anywhere
    4057 376K ACCEPT all -- BRIDGE00 any 192.168.1.0/24 anywhere
    0 0 ACCEPT all -- BRIDGE00 any 192.168.1.44 anywhere
    2 96 DROP all -- any any anywhere anywhere

    Chain SYS_INPUT (1 references)
    pkts bytes target prot opt in out source destination
    1011 115K ACCEPT all -- lo any anywhere anywhere
    223 58755 ACCEPT udp -- any any anywhere anywhere udp spt:domain state ESTABLISHED
    40 35390 ACCEPT tcp -- any any anywhere anywhere tcp spt:http state ESTABLISHED
    400 48000 ACCEPT tcp -- any any anywhere anywhere tcp spt:8245 state ESTABLISHED
    3399 258K ACCEPT udp -- any any anywhere anywhere udp spt:ntp state ESTABLISHED
    23952 2117K RETURN all -- any any anywhere anywhere

    Chain SYS_OUTPUT (1 references)
    pkts bytes target prot opt in out source destination
    1011 115K ACCEPT all -- any lo anywhere anywhere
    333 23664 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
    40 2626 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
    501 37852 ACCEPT tcp -- any any anywhere anywhere tcp dpt:8245
    3606 274K ACCEPT udp -- any any anywhere anywhere udp dpt:ntp
    12212 3493K RETURN all -- any any anywhere anywhere

    Chain SYS_SSH (1 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo any anywhere anywhere
    53 4832 ACCEPT all -- BRIDGE00 any 192.168.1.44 anywhere
    8 444 DROP all -- any any anywhere anywhere

    root@zeroshell root> iptables -t nat -L -v

    Chain PREROUTING (policy ACCEPT 45557 packets, 3349K bytes)
    pkts bytes target prot opt in out source destination
    12247 664K DNAT tcp -- ppp0 any anywhere anywhere tcp dpt:lotusnote to:192.168.1.44:1352
    0 0 DNAT udp -- ppp0 any anywhere anywhere udp dpt:sip-tls to:192.168.1.9:5061
    0 0 DNAT udp -- ppp0 any anywhere anywhere udp dpt:sip to:192.168.1.7:5060
    430 63541 DNAT udp -- ppp0 any anywhere anywhere udp dpts:ndmp:dnp to:192.168.1.7:10000-20000

    Chain POSTROUTING (policy ACCEPT 2228 packets, 347K bytes)
    pkts bytes target prot opt in out source destination
    31734 2139K SNATVS all -- any any anywhere anywhere
    29506 1793K MASQUERADE all -- any ppp0 anywhere anywhere

    Chain OUTPUT (policy ACCEPT 6135 packets, 439K bytes)
    pkts bytes target prot opt in out source destination

    Chain SNATVS (1 references)
    pkts bytes target prot opt in out source destination
    root@zeroshell root>
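
    As an added example (not from this post or from Zeroshell), a small Python parser for the `iptables -L -v` listing above that reports which DROP rules and DROP chain policies have actually matched packets, which is the first thing to check when a service stops working after a firewall change. The embedded sample is the INPUT, OUTPUT and SYS_SSH chains copied from the listing; `parse_iptables` and `active_drops` are names chosen here.

```python
import re
# Sample input: the INPUT, OUTPUT and SYS_SSH chains from the `iptables -L -v` listing in the post above.
SAMPLE = """\
Chain INPUT (policy DROP 1474 packets, 126K bytes)
pkts bytes target prot opt in out source destination
2539 248K SYS_INPUT all -- any any anywhere anywhere
56 5000 SYS_SSH tcp -- any any anywhere anywhere tcp dpt:ssh

Chain OUTPUT (policy ACCEPT 2894 packets, 1104K bytes)
pkts bytes target prot opt in out source destination
3246 1133K SYS_OUTPUT all -- any any anywhere anywhere
150 9900 DROP all -- any ppp0 anywhere anywhere

Chain SYS_SSH (1 references)
pkts bytes target prot opt in out source destination
53 4832 ACCEPT all -- BRIDGE00 any 192.168.1.44 anywhere
8 444 DROP all -- any any anywhere anywhere
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\d+) packets|(\d+) references)")
FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst", "match")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}

def to_count(s):  # expand the K/M/G suffixes iptables -v puts on counters
    return int(s[:-1]) * SUFFIX[s[-1]] if s[-1] in SUFFIX else int(s)

def parse_iptables(text):
    """Return {chain: {"policy", "policy_pkts", "rules"}}; each rule is a dict keyed by FIELDS."""
    chains, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = CHAIN_RE.match(line)
        if m:  # policy/packet groups are None for user-defined chains ("N references")
            current = chains[m[1]] = {"policy": m[2], "policy_pkts": int(m[3] or 0), "rules": []}
        elif current is not None and line[:1].isdigit():  # rule rows start with the pkts counter
            tok = line.split(maxsplit=len(FIELDS) - 1) + [""]  # trailing text = match spec, may be absent
            rule = dict(zip(FIELDS, tok))
            rule["pkts"] = to_count(rule["pkts"])
            current["rules"].append(rule)
    return chains

def active_drops(chains):
    """List each DROP rule (chain, rule no., pkts, in/out/match) and DROP policy that matched packets."""
    hits = []
    for name, ch in chains.items():
        for n, r in enumerate(ch["rules"], 1):
            if r["target"] == "DROP" and r["pkts"] > 0:
                hits.append((name, n, r["pkts"], f"in={r['in']} out={r['out']} {r['match']}".strip()))
        if ch["policy"] == "DROP" and ch["policy_pkts"] > 0:
            hits.append((name, "policy", ch["policy_pkts"], "chain policy"))
    return hits
```

    Feed it the full listing (`iptables -L -v` piped to a file) to see every rule with a non-zero DROP counter, including rules inside user-defined chains such as SYS_SSH.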

    in reply to: Firewall rule to allow OpenDNS updater to work? #49774

    knitatoms
    Member

    Thanks for the reply but OpenDNS updater is still not working. It used to work on the same ZS box until I changed it to a router / gateway from a wireless access point – so my password etc are definitely correct.

    I set the OUTPUT chain to ACCEPT and disabled all other OUTPUT rules. But I still get the same error as above.

    Anyone have any ideas?

    in reply to: QOS nearly working – what am I missing? #49785

    knitatoms
    Member

    Ok – thanks for the advice. No idea how to limit download speed by limiting outgoing rate of ACKs – time to read an iptables and TCP book I think!

    in reply to: QOS nearly working – what am I missing? #49783

    knitatoms
    Member

    OK – I put the classes onto ETH00 and ETH02 and it picks up the traffic as expected. This will do me for now – just won’t be able to copy files at full speed between wired and wireless LAN clients.

    in reply to: QOS nearly working – what am I missing? #49782

    knitatoms
    Member

    My understanding from Fulvio’s guide:

    http://www.zeroshell.net/eng/qos/

    was that to shape traffic both ways I need to activate QOS on two interfaces. This is especially important for me as we are on an asymmetric DSL line – so I need to allow more bandwidth down than up.

    I’ve set it up as shown because I’m hoping to leave the bridge between ETH00 (lan) and ETH02 (wireless) unrestricted so that the lan and wireless clients can communicate at full speed. But perhaps it’s not possible to do QOS between ppp0 and ETH01 because of how routing works (which I don’t really understand). Can I make it work as I’ve tried?

    in reply to: Error when updating l7 filters #49771

    knitatoms
    Member

    I am an idiot – I had downloaded the wrong file…. fixed now (hadn’t scrolled down to the protocol definition on Sourceforge page).

    in reply to: QoS tagging for SIP and RTP #49228

    knitatoms
    Member

    Excellent – thanks again!

    in reply to: Error when updating l7 filters #49770

    knitatoms
    Member

    Yes

    in reply to: QoS tagging for SIP and RTP #49226

    knitatoms
    Member

    Can someone give more details on how to set this up please?

    I’m not sure where to find “IPTABLE PARAMETERS” free form field.

    in reply to: What are basic firewall settings for home router / gateway? #49758

    knitatoms
    Member

    Based on info in this document:

    http://www.zeroshell.net/listing/1_1_NAT_in_ZeroShell.pdf

    I added a couple of rules to the forwarding chain and set default to drop as shown below:

    in reply to: What are basic firewall settings for home router / gateway? #49757

    knitatoms
    Member

    Fixed – thanks!

    in reply to: What are basic firewall settings for home router / gateway? #49755

    knitatoms
    Member

    Thanks again for the reply and for taking the time to walk me through this! I’ve really looked through docs and forum posts… anyhow I now have simple rules as shown below. I have internet access from the LAN and if I scan ports from web based port scanners it says everything is closed. Is this basically secure?!
    I will start a new thread in a minute regarding virtual servers / port forwarding as this is key to what I’m trying to achieve with Zeroshell – namely we have 2 SIP ATAs for VOIP on the LAN. One of my reasons for using Zeroshell is to get improved QOS for these over what my old router could offer.

    Thanks again for your help and I’m planning to write this up clearly as newbie documentation when it’s all working (with due credits)!
