Shorewall users - Aug 2008 - shorewall and openvpn and voip

Hy list,

I wanted to prioritize Voice over IP traffic for two sites which are  
connected by openvpn. I tried various settings for the tc files, but  
it seems to be just ignored. As soon as some files were transferred  
over the same openvpn tunnel, Ms Stuttering and Mr Roboto  are coming  
in ;-).
My config files are:

tcclasses
--------------------------
eth3            1       5*full/10       full            1       tcp- 
ack,tos-minimize-delay
eth3            2       3*full/10       9*full/10       2
eth3            3       2*full/10       8*full/10       2		default


tcdevices
------------------------
# cable modem
eth3            3000kbit        500kbit

tcrules
-----------------------
#pings are fastest
1			0.0.0.0/0			0.0.0.0/0		icmp    echo-request
1			0.0.0.0/0			0.0.0.0/0		icmp    echo-reply

# ssh is fast
2               0.0.0.0/0       0.0.0.0/0       tcp     -        22

# give voip a chance
2			192.168.1.10		0.0.0.0/0			all

# make all others slow
3			192.168.1.0/24			0.0.0.0/0      all

tos
-------------------------
# this is empty
# should I use rather this?


At the end of the day, I dont mind how the other traffic is managed. I  
would really like a stable VoIP connection and reserve some bandwidth  
for this exclusively than trying to squeeze the maximum out of the  
line. Should I use the tos field and forget the other stuff? Some  
working realworld examples are really appreciated!







-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

Michael Thalmann wrote:
> Hy list,
> 
> I wanted to prioritize Voice over IP traffic for two sites which are  
> connected by openvpn. I tried various settings for the tc files, but  
> it seems to be just ignored. As soon as some files were transferred  
> over the same openvpn tunnel, Ms Stuttering and Mr Roboto  are coming  
> in ;-).
> My config files are:
> 
> tcclasses
> --------------------------
> eth3            1       5*full/10       full            1       tcp- 
> ack,tos-minimize-delay
> eth3            2       3*full/10       9*full/10       2
> eth3            3       2*full/10       8*full/10       2		default
Problem A) -- OpenVPN traffic is encapsulated (and usually encrypted). 
So if the OpenVPN traffic is going in and out of eth3, it will most 
likely be as UDP packets with source and/or dest port = 1194. So all 
that traffic shaping on eth3 can distinguish is which traffic is OpenVPN 
-- it could be voip, ftp, http, anything.

If you want to shape the unencrypted packets going through OpenVPN then 
you need to shape the OpenVPN interface (tapX or tunX).
> 
> 
> tcdevices
> ------------------------
> # cable modem
> eth3            3000kbit        500kbit
> 
> tcrules
> -----------------------
> #pings are fastest
> 1			0.0.0.0/0			0.0.0.0/0		icmp    echo-request
> 1			0.0.0.0/0			0.0.0.0/0		icmp    echo-reply
> 
> # ssh is fast
> 2               0.0.0.0/0       0.0.0.0/0       tcp     -        22
> 
> # give voip a chance
> 2			192.168.1.10		0.0.0.0/0			all
> 
> # make all others slow
> 3			192.168.1.0/24			0.0.0.0/0      all
Problem B. The tcrules file is LAST MATCH WINS, not first match. So your 
VOIP rule never has any effect since any traffic that matches that rule 
also matches the following rule.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/