Solved

IPTables Mangle Table Slows Down Connection when Uploading Large Files

Posted on 2016-08-08
6
25 Views
Last Modified: 2016-09-04
Greetings,

I am using Linux as a router, IPTables / Netfilter.

I have run into a problem with the MANGLE table rules slowing down the internet connection to a crawl when uploading files with various cloud based backup software. If I remove the Mangle table rules, the problem resolves. With the MANGLE rules in place and while uploading files, my ping times to google for example, are consistently above 500ms. If I remove the MANGLE rules, ping times are normal 14ms - 50ms.

The purpose of my mangle rules are to prioritize SIP and RTP traffic for VoIP, and then all else to the default queue.

Here are my mangle table rules:

-A PREROUTING -p udp -m udp --dport 10000:21099 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p udp -m udp --dport 10000:21099 -j RETURN
-A PREROUTING -p udp -m udp --dport 5060:5099 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p udp -m udp --dport 5060:5099 -j RETURN
-A PREROUTING -j MARK --set-xmark 0x2/0xffffffff
-A PREROUTING -j RETURN


Any ideas on how I can speed up the packets through the mangle table?
0
Comment
Question by:jkockler
  • 3
  • 2
6 Comments
 
LVL 34

Accepted Solution

by:
Duncan Roe earned 450 total points (awarded by participants)
ID: 41749575
I think the dport ranges are the trouble. I believe I recall reading that it checks for each port in the range individually. (To verify this, try removing only the first 2 rules (with the big port ranges)).
If I'm right, you should get a major improvement by converting to use nftables. nftables uses the same filter framework as iptables but with a much improved packet classification method (modelled after that used by tcpdump).
The syntax of nftables is all new. I've been meaning to learn it since it came out - your question has piqued my interest again.
0
 
LVL 4

Author Comment

by:jkockler
ID: 41749600
Thank you. That actually makes sense about the port ranges. I can definitely trim that down if it ends up being the fix. I will let you know how it goes.
0
 
LVL 34

Assisted Solution

by:Duncan Roe
Duncan Roe earned 450 total points (awarded by participants)
ID: 41753599
A couple of alternatives to converting to nftables
- Use the u32 target: this allows arithmetic comparisons as described in man iptables-extensions
- Use IP sets. See man ipset, also the set extension in man iptables-extensions
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 4

Author Comment

by:jkockler
ID: 41753758
Interesting! Thank you for that. I will look into that as well.

I can report that dialing back the amount of ports in the mangle table definitely improved the situation. It's certainly not perfect, but the network is at least usable when the uploads are taking place. Ping times have dropped from spiking to 1,000ms to google, to about 100-300ms spikes.
0
 
LVL 40

Assisted Solution

by:noci
noci earned 50 total points (awarded by participants)
ID: 41758552
Another improvement...
first mark all packets with mark 2.

Then select the ones for mark 1 and mark those. That saves on the returns....
(and checks on ports for those returns).
0
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 41783517
The author has acknowledged that the problem is identified and explained. However he has not posted a progress update for some time. Assume he will get there.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Home network with two AP's dropping WiFi connectivity 12 50
winscp where are logs stored 3 37
paypal ipn status 4 47
Internet Service Provider 3 51
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

825 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question