Traffic Shaping On CentOS

Home » CentOS » Traffic Shaping On CentOS
CentOS 4 Comments

I’m deploying a CentOS 7 box as a gateway and I’m trying to figure out how to set up traffic shaping. Historically I’ve used the Wondershaper script but apparently it’s not deprecated in favor of superior queue management. I
haven’t yet found a packaged solution and I’m wondering what others do to configure this kind of thing.

Apparently the new modules are available in many appliance router products
(eg. OpenWrt and Streamboost). Perhaps someone here knows of an RPM that wraps this up for RH-based distros?

Here’s an article arguing why Wondershaper was great in its day but is now bad for modern traffic flows.

4 thoughts on - Traffic Shaping On CentOS

  • I came across this on the Fedora devel list. I added
    /etc/sysctl.d/51-bufferbloat.conf containing the suggested line and it installs the new codel qdisc as desired. There’s probably more knobs that might be useful to tweak but this makes a good start. More reading on the bufferbloat site suggests that the later “cake” module will be even better, but it requires a newer kernel than CentOS currently ships with.


    # 51-bufferbloat.conf
    # Address bufferbloat net.core.default_qdisc = fq_codel

  • That looks nice. It appears to be a declarative front-end to tc that eliminates some of the boilerplate like setting defaults.

    The gateway is for a small business and I don’t want shell and remote desktop sessions to come to a crawl because someone’s uploading/downloading/mailing a big CAD file to a customer/vendor, or because several are watching Youtube videos.

  • Slowdown is probably going to happen since these days much file/bulk transfer and certainly all Google (YouTube) services use HTTPS and thus seem the same to any but the most intrusive inspection and dynamic shaping, i.e., SSL bump or peek’n’splice would be needed wherein at least the beginning of a session can be inspected so that the real purpose can be inferred and used to set the shaping on that single session — though usually they decrypt everything which has many concerns. Static shaping of HTTP(S) can help but certainly can’t assure that “interactive” sessions won’t be impacted by “heavy” sessions. If only SSH and RDP need more priority than anything else that should be easily handled by static policy (firehol, wondershaper, etc) though it fails when RDP is used for bulk file transfer (you can check TOS/DSCP on SSH sessions to de-prioritize SCP/SFTP transfers, provided such hasn’t been defeated by the sender).