Solved

IPTables Mangle Table Slows Down Connection when Uploading Large Files

Posted on 2016-08-08
Medium Priority
76 Views
Last Modified: 2016-09-04
Greetings,

I am using Linux as a router, IPTables / Netfilter.

I have run into a problem with the MANGLE table rules slowing down the internet connection to a crawl when uploading files with various cloud-based backup software. If I remove the Mangle table rules, the problem resolves. With the MANGLE rules in place and while uploading files, my ping times to Google, for example, are consistently above 500ms. If I remove the MANGLE rules, ping times are normal: 14ms - 50ms.

The purpose of my mangle rules is to prioritize SIP and RTP traffic for VoIP, and to send everything else to the default queue.

Here are my mangle table rules:

-A PREROUTING -p udp -m udp --dport 10000:21099 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p udp -m udp --dport 10000:21099 -j RETURN
-A PREROUTING -p udp -m udp --dport 5060:5099 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p udp -m udp --dport 5060:5099 -j RETURN
-A PREROUTING -j MARK --set-xmark 0x2/0xffffffff
-A PREROUTING -j RETURN


Any ideas on how I can speed up the packets through the mangle table?
Question by: jkockler
6 Comments
 
LVL 35

Accepted Solution

by: Duncan Roe (earned 1800 total points, awarded by participants)
ID: 41749575
I think the dport ranges are the trouble. I believe I recall reading that it checks for each port in the range individually. (To verify this, try removing only the first 2 rules (with the big port ranges)).
If I'm right, you should get a major improvement by converting to use nftables. nftables uses the same filter framework as iptables but with a much improved packet classification method (modelled after that used by tcpdump).
The syntax of nftables is all new. I've been meaning to learn it since it came out - your question has piqued my interest again.
0
 
LVL 4

Author Comment

by: jkockler
ID: 41749600
Thank you. That actually makes sense about the port ranges. I can definitely trim that down if it ends up being the fix. I will let you know how it goes.
0
 
LVL 35

Assisted Solution

by: Duncan Roe (earned 1800 total points, awarded by participants)
ID: 41753599
A couple of alternatives to converting to nftables:
- Use the u32 target: this allows arithmetic comparisons as described in man iptables-extensions
- Use IP sets. See man ipset, also the set extension in man iptables-extensions
0
 
LVL 4

Author Comment

by: jkockler
ID: 41753758
Interesting! Thank you for that. I will look into that as well.

I can report that dialing back the number of ports in the mangle table definitely improved the situation. It's certainly not perfect, but the network is at least usable when the uploads are taking place. Ping times to Google have dropped from spikes of 1,000ms to spikes of about 100-300ms.
0
 
LVL 40

Assisted Solution

by: noci (earned 200 total points, awarded by participants)
ID: 41758552
Another improvement...
First mark all packets with mark 2.

Then select the ones for mark 1 and mark those. That saves on the returns....
(and checks on ports for those returns).
0
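The two restructurings suggested in this thread, written out as an added example (this is not code from the question or from either answerer). The first function reproduces the six rules from the question; the second reorders them as noci describes (default mark 0x2 first, VoIP overwrites with 0x1, no RETURN rules); the third uses an IP set as in Duncan Roe's second alternative, so one rule covers both port ranges. The set name `voip_ports` is an assumption. A small simulator walks a ruleset for a given UDP destination port and reports the resulting mark and how many rules were evaluated, which is what the "saves on the returns" point is about; it says nothing about how the kernel matches a port range internally.

```shell
#!/bin/sh
# Added example, not from the thread. Port ranges and mark values are those
# from the question; the ipset name "voip_ports" is an assumption.

# The six rules as posted in the question, in iptables-restore format.
mangle_rules_original() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 10000:21099 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p udp -m udp --dport 10000:21099 -j RETURN
-A PREROUTING -p udp -m udp --dport 5060:5099 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p udp -m udp --dport 5060:5099 -j RETURN
-A PREROUTING -j MARK --set-xmark 0x2/0xffffffff
-A PREROUTING -j RETURN
COMMIT
EOF
}

# noci's ordering: set the default mark first, then let the VoIP rules
# overwrite it. No RETURN rules are needed, so each port range is checked once.
mangle_rules_reordered() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -j MARK --set-xmark 0x2/0xffffffff
-A PREROUTING -p udp -m udp --dport 5060:5099 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p udp -m udp --dport 10000:21099 -j MARK --set-xmark 0x1/0xffffffff
COMMIT
EOF
}

# ipset variant: one bitmap:port set holds both VoIP ranges (assumed name).
ipset_commands() {
    cat <<'EOF'
ipset create voip_ports bitmap:port range 0-65535 -exist
ipset add voip_ports 5060-5099 -exist
ipset add voip_ports 10000-21099 -exist
EOF
}

# With the set loaded, a single rule classifies all VoIP traffic.
mangle_rules_ipset() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -j MARK --set-xmark 0x2/0xffffffff
-A PREROUTING -p udp -m set --match-set voip_ports dst -j MARK --set-xmark 0x1/0xffffffff
COMMIT
EOF
}

# Mirrors the ranges that ipset_commands loads, for the simulator below.
in_set() {
    { [ "$1" -ge 5060 ] && [ "$1" -le 5099 ]; } ||
    { [ "$1" -ge 10000 ] && [ "$1" -le 21099 ]; }
}

# Walk the PREROUTING rules of ruleset function $1 for a UDP packet with
# destination port $2. Prints "<final mark> <rules evaluated>". A RETURN
# rule ends the walk; a MARK rule overwrites the mark and the walk continues.
simulate() {
    rules=$("$1" | grep '^-A PREROUTING')
    mark=0 n=0
    while IFS= read -r line; do
        n=$((n + 1))
        matched=1
        case "$line" in
            *--dport*)
                range=${line#*--dport }; range=${range%% *}
                lo=${range%:*}; hi=${range#*:}
                [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ] || matched=0 ;;
            *--match-set*)
                in_set "$2" || matched=0 ;;
        esac
        [ "$matched" -eq 1 ] || continue
        case "$line" in
            *-j\ MARK*)   m=${line#*--set-xmark }; mark=${m%%/*} ;;
            *-j\ RETURN*) break ;;
        esac
    done <<RULES
$rules
RULES
    echo "$mark $n"
}

# Number of -A rules in a ruleset, for a quick size comparison.
rule_count() {
    "$1" | grep -c '^-A '
}

# Stand-alone run: compare the three layouts for a bulk-upload packet (443)
# and a SIP packet (5060).
for rs in mangle_rules_original mangle_rules_reordered mangle_rules_ipset; do
    echo "$rs: $(rule_count "$rs") rules; port 443 -> $(simulate "$rs" 443); port 5060 -> $(simulate "$rs" 5060)"
done
```

The rulesets are emitted as text rather than applied, so this runs on any machine; to apply one, review it against the rest of your mangle table (the fragments only declare PREROUTING) and feed it to `iptables-restore`, after running `ipset_commands` through `sh` for the ipset variant.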
 
LVL 35

Expert Comment

by: Duncan Roe
ID: 41783517
The author has acknowledged that the problem is identified and explained. However he has not posted a progress update for some time. Assume he will get there.
0