Ask Slashdot: Which Router Firmware For Bandwidth Management?
First time accepted submitter DeathByLlama (2813725) writes "Years ago I made the switch from DD-WRT to Tomato firmware for my Linksys router. I lost a couple of features, but gained one of the best QoS and bandwidth management systems I have seen on a router to date. Admins can see graphs of current and historical bandwidth usage by IP, set minimum and maximum bandwidth limits by IP range, set up QoS rules, and see and filter graphs and lists of current connections by usage, class or source/destination — all from an elegantly designed GUI. This has allowed me to easily and intelligently allocate and adjust my network's bandwidth; when there is a problem, I can see where it's coming from and create rules around it. I'm currently using the Toastman's VPN Tomato firmware, which has about everything that I would want, except for one key thing: support for ARM-based routers (only Broadcom is supported). I have seen other firmware projects being actively developed in the last few years, so in picking a new 802.11ac router, I need to decide whether Tomato support is a deal-breaker. With solid bandwidth management as a priority, what firmware would you recommend? Stock Asuswrt? Asuswrt-Merlin? OpenWRT? DD-WRT? Tomato? _____?"
nuff said
toastman?
Aren't those builds really, really old?
If you're going to use tomatousb, use shibby.
Use merlin if you want custom firmware as close to stock looking as possible.
OpenWRT is a real Linux distro with package management that spun out from the DD-WRT project. DD-WRT is really designed around the WRT54G and never really broke away from that model. Tomato and some other projects are front-ends to OpenWRT. I think all the movement these days in this space comes from OpenWRT.
OpenWRT has said "Linux kernel"; others might, but they just suck.
When you have a Linux kernel, you follow the Linux tutorial: http://www.lartc.org/howto/lartc.cookbook.fullnat.intro.html [lartc.org]
You could give Gargoyle a try......
http://www.gargoyle-router.com...
Shibby recently announced an ARM branch of his tomato mod.
http://tomato.groov.pl/?p=590
The Shibby mod is fairly active, with updates every couple months. Use 117 for the OpenSSL heartbleed fix.
Personally I've been enjoying Mikrotik. I don't think it's in the range for you because I'm 98% sure you can't load it on your hardware (I have a RouterBoard-based router/AP), but it's been damn solid and gives me WAY more features than I really plan on using... If you plan on upgrading routers at some point I'd suggest looking at them.
Personally I use a build of Toastman Tomato USB and love it. I did DD-WRT for a while but got tired of it. Sure, it's got a ton of features, including a kitchen sink, but most things other than the basics seem like a total pain to set up. I set up USB printer sharing on an old Asus 802.11g router with a USB port and it was a total pain. Combine that with the mantra that you must always reset your settings when you flash a new version and can't reimport your old settings file, and it's just crazy to me that it is so popular. When I upgraded my Asus router to an N unit I made the switch to a Toastman Tomato USB build and it is so much better. It has a few fewer features than DD-WRT but it is so much easier to configure things and I can actually upgrade the firmware without dreading the process.
I can't imagine moving back to DD-WRT. If you really need a new AC router go with something that Tomato supports IMO. DD-WRT is just too much of a step back.
Toastman Tomato, far and away. Tested DDWRT, Tomato, Asus-Merlin, stock Asus... none of them, except Toastman, did everything I needed (ipv6, dns, nat local redirect, upnp/nat-pmp, etc). Been using it for over 6 months, have never been happier with a home router. That said, pretty sure they haven't patched Heartbleed yet (supposed to be coming anytime).
The problem is all those consumer wifi+router deals tend to have kinda crap firmware. While there are, in theory, OSS alternatives they seem to be less than speedy with the updates and support for new hardware.
So I'd look elsewhere. The two things I'd put at the top of your list:
Monowall, on an APU.1C. It is like $150 for the unit, and then $20-30 for an enclosure and CF card. Monowall should support everything you need, it is really feature rich, is pretty easy to use, and the APU.1C is fast enough it shouldn't have issues even with fairly fast internet.
A Ubiquiti Edgerouter Lite. This is a funny looking and named lil' router with quite a bit of performance under the hood, thanks to the hardware routing logic its chip has. $100 and it can push gigabit speeds for basic routing setups. It is also extremely configurable, since it runs a Vyatta fork, which is a Linux OS customized for routing. However, to configure the kind of things you want, you might have to hop into the CLI; I don't know that the GUI has what you need. It supports that though, and you can even hop out of the specialized routing CLI and get a regular Linux prompt where you can install packages and such.
If you want a more supported solution, you could look at a Cisco RV320. Costs like $200 and is a fast lil' wired router (uses the same basic chip as the Edgerouter, just slower). I haven't used one but I'm given to understand you can make them do a lot. Sounds like their firmware may be a little flaky though.
You then just set your consumer WAP+router into "access point" mode and have it just do the wireless functions.
This is all more expensive and complex than just running on a consumer WAP+router, but more likely to be able to do what you require. It also means you can change out components without as much trouble. Like say your WAP gets flaky, and you want a new one with the latest technology. No problem, just buy it. You don't have to worry if it supports the routing features you need because it doesn't do that for you.
If you are stuck on doing an all in one, then you could look at a Netgear Nighthawk R7000 or the new Linksys WRT1900AC. The Netgear does have bandwidth management and QoS in its native firmware (I haven't played with the features, but I can confirm they are there as I own one) and there is a "myopenrouter" site that has OSS firmware for it (ddwrt mod I think). The Linksys router supposedly is going to have OpenWRT support soon as Linksys worked directly with the OpenWRT team for it.
I've had really good luck with my RB2011UAS-2HND-IN from Mikrotik. It's pretty easy to configure queues by interface, all the way down to tagging the packets and throttling down to individual TCP/UDP ports.
Costs slightly more than a cheap home router, but you have something pretty sturdy and extremely flexible to work with.
It's possibly the most expensive router on the market now at $249 but the new, retro looking, dual-core ARM-powered WRT1900AC will eventually have open source firmware available at openWRT.org:
"While the Linksys WRT1900AC provides an outstanding experience via SMART Wi-Fi immediately out of the box, advanced users can further modify the router, which will have Open Source firmware available from third-party websites such as openWRT.org. Developed for use with OpenWRT, an open source, Linux-based operating system, the router offers an additional layer of customization to suit an individual's needs."
http://www.pcworld.com/article/2143623/linksys-wrt1900ac-wi-fi-router-review-faster-than-anything-we-ve-tested.html
No open source router firmware other than Gargoyle allows you to set a bandwidth quota easily. I can't for the life of me figure out why all the Tomato derivatives ignore this much needed feature in favor of setting rate limits.
That includes Cisco shit, which is flaky even in "enterprise" level products.
If you just need a basic home or small office router find a mobo with 2 ethernet ports and install Linux.
Tomato is old; they are still running kernel 2.6.*. No real progress has been made in terms of core functionality or fixes in years.
Running QoS on a router is a silly idea. Gargoyle looks like something 1998 threw back.
on a Netgear R6300 and it has been very fast, great with signal quality, and the QoS features are working as expected.
Both the R6250 and R6300 have a dual-core 800MHz CPU, so they have the power to handle a decent QoS requirement without bogging down potential throughput too much. I'm satisfied, and it wasn't that expensive. If your situation isn't too terribly complex (many dozens of users and extensive QoS rules) then it might be a good choice.
The R7000 is even faster and supports external antennas, so I second that suggestion, but it's also twice the price of the 6250/3000, which can be found on sale from $100-$125 brand new if you're a good comparison shopper and/or patient.
STOP . AMERICA . NOW
Before I posted, I searched to see if someone else had mentioned Gargoyle already. And, indeed... someone had. I really like it. It's *NOT* as powerful as (say) OpenWRT, but jeepers, it's got a nice GUI and pretty much all the features you discuss, and a decent (but not great) slate of plugins. I'd definitely recommend kicking the tires on it.
It's a pretty new product, which is why you haven't heard of it. It isn't the greatest thing EVAR, as its web UI could use some work, and some of the features it has can hit the limited CPU pretty hard (VLANs and encryption notably) but it is pretty damn good.
It is what lives at the edge of my home network, and I'm real happy with it.
They also make larger models, should you have the need.
Seriously, don't rely on a consumer grade router for this; add a consumer grade managed switch for it. I use a Netgear GS108T. That way your router can keep its CPU dedicated to encryption and throughput. I'm sure there are some badass routers out there, but this is an easy and relatively cheap add-on that works for sure.
Good-bye
I set hard limits, ran speedtest.net, seems to work. No idea how bulletproof it is.
Tomato RAF is an up to date branch of Tomato that has support for AC routers. Here is their router list:
http://victek.is-a-geek.com/downloads.html
The 2.4 on this thing is terrible. My 5GHz devices are fine, but I have some older rigs that hate it. Should have bought a used Dark Knight for the same price.
Lag the bleeding edge by a week or so and you'll have rather good performance (:-))
davecb@spamcop.net
Only if you pick AR71XX hardware though.
I use the TP-Link WDR4300, which does an excellent job of managing QoS bandwidth in my house.
It has a nice GUI if you are not a technical person, and you can build the firmware source by yourself.
Got Geometrodynamics? Awe, too hard to figure out? Too bad.
Almost all router bandwidth management is shit.
Bandwidth management schemes currently used by everything you mention are all based on rate limiting packet delivery based on some mythical QoS value, and they ignore the actual problem that the people who are using these things are attempting (and failing) to address.
The problem is that the point of a border router is to hook a slower border uplink to a faster interior connection; on the other end of the slower uplink, you have a faster ISP data rate. In other words, you have a gigabit network in your house, and the ISP has a gigabit network at their DSLAM, but your DSL line sure as hell is *NOT* a gigabit link.
What that means is that software that attempts to "shape" packets ignores an upstream download's or a downstream upload's ability to overwhelm the available packet buffers on the high speed side of the link when communicating to the low speed side of the link.
So you can start streaming a video down and then start an FTP transfer, and your upstream router at the ISP is going to have its buffers full of untransmitted FTP download packets' worth of data instead of your streaming video data. It doesn't matter how bitchy you are about letting those upstream FTP packets through your router on your downstream side of the link; it's not going to matter to the video stream, since all of the upstream router buffers that you want used for your video are already full of FTP data that you don't want to receive yet.
The correct thing to do is to have your border router lie about available TCP window size to the router on the other end, so that all intermediate routers between that router and the system transmitting the FTP packets in the first place also lie about how full the window is, and the intermediate routers don't end up with full input packet buffers with nowhere to send them in the first place.
Does your border router do this? No? Then your QoS software and AltQ and other "packet shaping" software is shit. Your upstream router's high-speed input buffers are going to end up packed full of packets you want less, and you will be receiver live-locked and the packets that you *do* want won't get through to you because of that.
You can either believe this, or you can get a shitty router and not get the performance you expect as the QoS software fails to work.
Then you can read the Jeffrey Mogul paper from DEC Western Research Labs from 1997 here: http://citeseerx.ist.psu.edu/v... ...after which, you should probably ask yourselves why CS students don't read research papers, and are still trying to solve problems which were understood 27 years ago, and more or less solved 17 years ago, but still have yet to make their way into a commercial operating system.
BTW: I also highly recommend the Peter Druschel/Gaurav Banga paper from Rice University in 1996 on Lazy Receiver Processing, since most servers are still screwed by data bus bandwidth when it comes to getting more packets than they can deal with, either as a DoS technique against the server, or because they are simply overloaded. Most ethernet firmware is also shit unless it's been written to not transfer data unless you tell it it's OK, separately from the actual interrupt acknowledgement. If you're interested, that paper's here: http://citeseerx.ist.psu.edu/v... and I expect that we will be discussing that problem in 2024 when someone decides it's actually a problem for them.
I just use a fanless box (made by cappuccino pc, but there are other vendors too) with several ethernet ports (at least two for WAN and LAN) running standard debian.
But then I apply Linux's best-kept traffic shaping secret, HFSC. See https://gist.github.com/eqhmco... . You should be able to apply that same script to any Linux distro or mini-distro.
The idea is you do AQM first, and QoS only later or even not at all, to get both low latency for interactive TCP sessions and throughput for bulk sessions.
AQM is all about dropping packets to throttle TCP and prevent it from overwhelming your ISP's bandwidth caps. When done properly, it works amazingly well, and HFSC + SFQ can do it properly.
The problem with bandwidth management at the DSL router is that you cannot control inbound traffic that gets inside the uplink bottleneck. You would need to control the DSLAM to do it properly.
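An added example (not the gist the post links, nor any poster's script) of the HFSC + SFQ egress layout described above: an interactive class with a latency guarantee and a bulk class that borrows whatever is left, with SFQ under each for per-flow fairness. It assumes a Debian router with iproute2, and that the WAN device name and uplink rate in kbit/s are passed in; the script prints the tc commands and only runs them when given --apply.

```shell
#!/bin/sh
# Added example: emit the tc commands for an egress HFSC tree on a Linux
# router. Assumed: WAN device and uplink rate (kbit/s) are arguments;
# "interactive" = TOS lowdelay, DNS or SSH; everything else is bulk.
# Usage: sh hfsc.sh eth0 5000 (print)   sh hfsc.sh --apply eth0 5000 (root)

hfsc_commands() {
    dev="$1"; up="$2"
    ceil=$((up * 95 / 100))      # shape just under line rate so the queue
                                 # builds here, where we control it, not in
                                 # the modem's buffer
    inter=$((ceil * 30 / 100))   # guaranteed share for the interactive class
    bulk=$((ceil - inter))       # remaining share for the bulk class

    # root HFSC qdisc; unclassified traffic lands in bulk class 1:20
    echo "tc qdisc add dev $dev root handle 1: hfsc default 20"
    # parent class capped at the shaped ceiling
    echo "tc class add dev $dev parent 1: classid 1:1 hfsc sc rate ${ceil}kbit ul rate ${ceil}kbit"
    # interactive: real-time curve = latency guarantee (burst to ceiling for
    # 20 ms, then its guaranteed rate); link-share for the rest of the time
    echo "tc class add dev $dev parent 1:1 classid 1:10 hfsc rt m1 ${ceil}kbit d 20ms m2 ${inter}kbit ls rate ${inter}kbit"
    # bulk: link-share only, may borrow up to the ceiling when the link is idle
    echo "tc class add dev $dev parent 1:1 classid 1:20 hfsc ls rate ${bulk}kbit ul rate ${ceil}kbit"
    # SFQ leaves: one fat flow cannot starve the others inside a class
    echo "tc qdisc add dev $dev parent 1:10 handle 10: sfq perturb 10"
    echo "tc qdisc add dev $dev parent 1:20 handle 20: sfq perturb 10"
    # classifiers: TOS lowdelay (0x10), DNS and SSH go to the interactive class
    echo "tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip tos 0x10 0xff flowid 1:10"
    echo "tc filter add dev $dev parent 1: protocol ip prio 2 u32 match ip dport 53 0xffff flowid 1:10"
    echo "tc filter add dev $dev parent 1: protocol ip prio 3 u32 match ip dport 22 0xffff flowid 1:10"
}

# Number of commands the generator emits (used for sanity checks).
hfsc_command_count() { hfsc_commands "$1" "$2" | wc -l | tr -d ' '; }

case "${1:-}" in
    --apply) tc qdisc del dev "$2" root 2>/dev/null; hfsc_commands "$2" "$3" | sh -e ;;
    "") : ;;                     # no arguments: only define the functions
    *) hfsc_commands "$1" "${2:-5000}" ;;
esac
```

This shapes egress only; as the reply above notes, inbound traffic has already crossed the bottleneck by the time this box sees it.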
It's a heavyweight, but the only thing you are missing is MPLS.
Otherwise it is on par with Cisco and Juniper.
CeroWrt is designed to manage your bandwidth intelligently without needing to fiddle with all kinds of QoS settings.
http://www.bufferbloat.net/projects/cerowrt
CeroWrt is a project built on the OpenWrt firmware to resolve the endemic problems of bufferbloat in home networking today, and to push forward the state of the art of edge networks and routers. Projects include proper IPv6 support, tighter integration with DNSSEC, and most importantly, reducing bufferbloat in both the wired and wireless components of the stack.
Shibby on the Asus RT-N66U just works for my clients. I made the mistake of getting the AC66N for myself. It works fine, just a little more difficult to set up.
Best QoS ever. A local phone provider uses this for custom router installations and bandwidth management.
New version 1.17 just came out this week.
I'm still running DD-WRT. I know people like tomato, but I haven't tried it so I don't really know. Sounds like it has some nice features.
Stock firmware of the TP-Link routers does a decent job of bandwidth management, and it is pretty simple to set up. MAC-assigned IPs to control who gets what IP, then IP-based bandwidth rules ensure my kids don't take all my torrent bandwidth.
Just get a better router, such as one of these:
http://www.balticnetworks.com/mikrotik-routerboard-493-assembled-to-order.html
Yes, it's a nightmare for newbies; however, RouterOS is more feature packed than everything else I've seen on the open-source front. http://www.mikrotik.com/softwa...
Why do people spend $150 on a shitty little computer for which they then spend a week of their time trying to find an ideal firmware that manages to squeeze all of the features they want into a measly 4 MB of flash memory? ...and, fuck, last I checked I still couldn't find one with IPv6 support.
You know that PC you have in the closet that's always on, doing whatever the fuck important task you have it performing 24/7? For a mere $30 you can add a wireless network card, a second ethernet card, and a five port switch. Holy shit, you just turned your spare CPU cycles into a router! What's more, due to being a full installation of Linux, it has all of those features you can't seem to find anywhere else, like full IPv4 support, and the ability to install any software you want. You can use it as a file server, a print server, even install MythTV on it and make it record television shows. The possibilities are endless!
Routers just suck. They're great for your average user who doesn't know what a switch is and couldn't configure Windows to do NAT if their life depended upon it, but if you know enough to install a custom firmware on a router, there's no reason you can't meet your routing goals with $30 plus a computer you already have.
The ONLY thing you'd lack is the stateful packet inspecting abilities of a true firewall. You've got the NAT end, doing what you're up to, but you lack the filtering.
APK
P.S.=> Feel free to correct me where I am off, OR if you know a way to augment the PC acting as a router via dual homing for not only NAT, but also true 'stateful packet inspecting' firewall filtering abilities - probably MIGHT be out there nowadays via a usermode front-end + a layered filtering driver (or NOT that tough to make really) - that (my 1 constraint) is FREEWARE & no licensing involved... apk
I've done EXACTLY what you noted (didn't get that in my last post) using what's in my subject-line above - however/again: I lacked the stateful packet inspecting abilities a "True firewalling router" has... I had the NAT end of it though, that way, & VERY easily.
APK
P.S.=> In fact, & I almost *hate* to say this? It was free, easy, & easier than doing it with Windows... apk
I checked out the wiki page, and it looks like out of the 11 models, 6 support IPv6 (and a few other features such as VLANs, 5GHz) while the other 5 don't. How exactly does one know, when getting Tomato, which ones do? Also, the bandwidth management & superior QoS - is that there for both IPv4 AND IPv6? Also, except Shibby, none of them have IPsec support.
Incidentally, which CPU is Tomato geared towards? MIPS? Given that it's there for Broadcom routers?
Get yourself a Routerboard that comes with RouterOS and use that. You can damn near do anything you want to with it. Way more powerful than any of those you listed, and it runs great, especially on good hardware.
CeroWRT could be worth a try. It's focused on traffic management, and has had good reviews in terms of handling throughput intelligently.
Hardware support is a bit limited though (it's beta and somewhat of a development/research platform, so they're not aiming for multi-platform support).
waste your time with the ultra cheap and low end routers you buy from local electronic stores? For less than $300 you can buy a Juniper SRX that will do 10x more than the $60 router from wally world.
Well, you might want to reread the first paper, which talks about live lock, which is a completely different cause than the one you describe, although similar. You seem to understand what the problem is, but I fail to see how you don't understand why your solution is so wrong.
Live lock as described in the paper you linked was solved over a decade ago using the method described in the paper under section 5.1, at least under Windows. It's a standard property to rate limit the interrupts under heavy load, and many network cards have many settings that allow you to tweak this from off to fixed to multiple dynamic methods.
TCP window sizes are on a per-connection basis, and obviously only affect TCP traffic. Most VoIP, gaming, and many common file sharing protocols don't use TCP, so any of these would be unaffected by QoS using the above techniques. Also, having many simultaneous TCP connections in the order of hundreds or thousands would also render this technique useless, as you would need to shrink each window so small (so that in case they all filled up you could respond in a reasonable time frame) that latency (vs. in-flight buffer) would kill the throughput of any TCP link. Which are reasons why this wouldn't work, and why it isn't implemented in anything beyond niche experimental stuff.
I'm not sure I understand what you're asking, as I had to look up "dual-homed" as I've never heard the term before, and it sounds like a contradiction as the descriptions I'm seeing say that dual-homed hosts specifically don't route between their two network connections, which would rule out NAT.
Are you not aware of iptables? The kernel itself supports routing, or if you want a "dual-homed" host it also supports not routing, and it certainly does the stateful packet inspection necessary for NAT. There's no need for any additional software, you just have to be willing to spend a week learning to use iptables. ...and apparently next month you get to toss that knowledge and learn its replacement, nftables, since they can't seem to stop replacing their routing configuration tool.
In any event, all of these custom firmwares are Linux-based, so I can't imagine how they accomplish anything you can't do in Linux on a PC.
I do wish Slashdot would tell me when ACs reply to my posts so that I don't have to manually check them all. This war on ACs is retarded.
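For the PC-as-router setup argued over in the posts above, here is an added example (not code from any poster) of the iptables ruleset that gives a dual-homed Linux box both NAT and the stateful filtering the earlier post said it lacked; it assumes eth0 is the WAN side and eth1 the LAN side, and prints the commands unless told to apply them.

```shell
#!/bin/sh
# Added example, not from any poster: iptables ruleset turning a dual-homed
# Linux PC into a NAT router with stateful filtering via conntrack.
# Assumed: WAN on eth0, LAN on eth1, distro kernel with conntrack support.
# Usage: sh pcrouter.sh eth0 eth1 (print)   sh pcrouter.sh --apply eth0 eth1

fw_rules() {
    wan="$1"; lan="$2"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F; iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# the host itself: loopback, the LAN side, and replies to flows it opened
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $lan -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# the stateful part: a flow crosses the box only if the LAN side opened it;
# WAN packets that belong to no tracked flow never reach the LAN
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
# NAT: rewrite LAN source addresses to the WAN address on the way out
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
EOF
}

# Number of iptables commands in the generated ruleset (for sanity checks).
fw_rule_count() { fw_rules "$1" "$2" | grep -c '^iptables'; }

case "${1:-}" in
    --apply) fw_rules "$2" "$3" | sh -e ;;
    "") : ;;                     # no arguments: only define the functions
    *) fw_rules "$1" "${2:-eth1}" ;;
esac
```

The FORWARD chain's default DROP plus the NEW/ESTABLISHED split is what makes this a stateful firewall rather than a plain NAT box: unsolicited inbound packets are logged (rate limited) and dropped.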
If you want to know how much each device uses by hour, day, month, then you need wrtbwmon.
It is a simple shell script that uses iptables, and runs on OpenWRT just fine.
wrtbwmon shows a graph for each device by MAC address. If you configure OpenWRT to use a fixed IP address per MAC address, then you see the device name that you assign on all graphs.
The original is here. There is also this fork.
I have modified it to run off of a USB memory stick, and store its data there as well. It does not use much storage, barely 85 to 100 kilobytes per day. So even an old 512MB USB stick should last for many years.
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
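An added example, not the wrtbwmon script itself, of the same iptables-counter approach it relies on: an accounting chain hung off FORWARD with one source and one destination rule per LAN host, and then a pass over the counters and the ARP table to produce per-MAC upload/download byte totals. The interface name, chain name, host addresses and all sample counter and ARP text are constructed for the example.

```shell
#!/bin/sh
# Added example, not the wrtbwmon script: minimal per-host byte accounting
# of the same kind. The kernel's iptables counters do the counting; this
# script installs the rules and sums the counters.
# Assumed: LAN interface br-lan, chain name ACCT (both constructed).

LAN_IF=${LAN_IF:-br-lan}
CHAIN=${CHAIN:-ACCT}

# Emit the rules: hang an accounting chain off FORWARD and give each LAN
# host an upload rule (matched as source) and a download rule (as destination).
acct_rules() {
    echo "iptables -N $CHAIN"
    echo "iptables -I FORWARD -i $LAN_IF -j $CHAIN"
    echo "iptables -I FORWARD -o $LAN_IF -j $CHAIN"
    for host in "$@"; do
        echo "iptables -A $CHAIN -s $host -j RETURN"   # bytes the host sent
        echo "iptables -A $CHAIN -d $host -j RETURN"   # bytes the host received
    done
}

# Turn 'iptables -nvx -L ACCT' output (on stdin) into "<ip> <up> <down>" lines.
acct_totals() {
    awk '
        /^Chain/ || /^ *pkts/ { next }            # chain banner and column header
        NF >= 9 {                                 # pkts bytes target prot opt in out src dst
            if ($8 != "0.0.0.0/0") { up[$8] += $2; seen[$8] = 1 }
            else                   { down[$9] += $2; seen[$9] = 1 }
        }
        END { for (ip in seen) printf "%s %d %d\n", ip, up[ip] + 0, down[ip] + 0 }
    ' | sort
}

# Key the totals by MAC using /proc/net/arp text passed as $1, so a device
# keeps its history across DHCP lease changes (the reason wrtbwmon uses MACs).
acct_by_mac() {
    awk -v arp="$1" '
        BEGIN { n = split(arp, l, "\n")           # line 1 is the arp header
                for (i = 2; i <= n; i++) { split(l[i], f, " "); mac[f[1]] = f[4] } }
        { m = ($1 in mac) ? mac[$1] : "unknown"
          printf "%s %s %d %d\n", m, $1, $2, $3 }
    '
}

# Constructed sample data standing in for live 'iptables -nvx -L ACCT' and
# /proc/net/arp output (addresses and MACs are made up).
SAMPLE_COUNTERS='Chain ACCT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    1200    1500000 RETURN     all  --  *      *       192.168.1.10         0.0.0.0/0
    3400   48000000 RETURN     all  --  *      *       0.0.0.0/0            192.168.1.10
      90      12000 RETURN     all  --  *      *       192.168.1.11         0.0.0.0/0
     150     900000 RETURN     all  --  *      *       0.0.0.0/0            192.168.1.11'
SAMPLE_ARP='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         aa:bb:cc:dd:ee:01     *        br-lan
192.168.1.11     0x1         0x2         aa:bb:cc:dd:ee:02     *        br-lan'

# Report on the sample: "<mac> <ip> <up_bytes> <down_bytes>", one line per host.
acct_report() { printf '%s\n' "$SAMPLE_COUNTERS" | acct_totals | acct_by_mac "$SAMPLE_ARP"; }
```

On a live router you would replace the two sample variables with `iptables -nvx -L ACCT` and `cat /proc/net/arp`, and append each report to the USB stick with a timestamp to get the per-hour and per-day history the post describes.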
If you want to do all in one ap/router/switch on consumer grade hardware, with a magical GUI to solve all your networking problems, you are going to be looking a long time. Most issues are due to exceeding the capacity of the horrible chip set.
Here is what I have setup at my house as my production network:
pfSense edge router running on a Foxconn barebones OEM nettop.
|
Cisco 3560 core switch
|
WNDR3800 AP (multiple SSID/vlans trunked up to the Cisco core)
With this setup the household is happy. Wife, myself, roommate can all be streaming Netflix/YouTube etc., I can have large downloads going, also regular browsing. This is all over wifi. All without setting up ANY QoS at all.
So give yourself a proper network and you'll be much happier.
Charles Wyble System Engineer