Hi everybody,

Is there anyone having an idea on how to limit bandwidth on a linux gw doing vpns with freeswan, i.e. for a 1Mbit line with 1 ipsec tunnel on interface ppp0, limiting vpn traffic (esp) to 512kbit and internet traffic (non vpn) to 512kbit.

Thanks in advance!

Manu.

--
Easter-eggs Spécialiste GNU/Linux
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
mailto:elacour@easter-eggs.com - http://www.easter-eggs.com
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
On Monday 19 August 2002 18:29, Emmanuel Lacour wrote:
> Hi everybody,
>
> Is there anyone having an idea on how to limit bandwidth on a linux gw
> doing vpns with freeswan, i.e. for a 1Mbit line with 1 ipsec tunnel on
> interface ppp0, limiting vpn traffic (esp) to 512kbit and internet
> traffic (non vpn) to 512kbit.
>
> Thanks in advance!

More info about shaping can be found on www.lartc.org. And I have some extra information on www.docum.org.

You have to add a cbq or htb qdisc to your interfaces and create 2 classes. One for vpn traffic and one for non vpn traffic. I hope that you use fixed ports for the vpn traffic so you can use the dst/src port as a filter key. You can share the same 1mbit or you can limit each class to 512kbit.

Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.oftc.net
On Mon, Aug 19, 2002 at 07:01:32PM +0200, Stef Coene wrote:
> > Is there anyone having an idea on how to limit bandwidth on a linux gw
> > doing vpns with freeswan, i.e. for a 1Mbit line with 1 ipsec tunnel on
> > interface ppp0, limiting vpn traffic (esp) to 512kbit and internet
> > traffic (non vpn) to 512kbit.
> More info about shaping can be found on www.lartc.org. And I have some extra
> information on www.docum.org.
>
> You have to add a cbq or htb qdisc to your interfaces and create 2 classes.
> One for vpn traffic and one for non vpn traffic. I hope that you use fixed
> ports for the vpn traffic so you can use the dst/src port as a filter key.
> You can share the same 1mbit or you can limit each class to 512kbit.

If FreeS/WAN is used, adding a pair of classes to the external interface for 'normal' and 'VPN' traffic should suffice. VPN traffic is identifiable as traffic over UDP port 500 and protocols 50 or 51, although you may wish to give them their own class with high priority as they do key exchanges.

If you gave each 512kbps, then add a root class to ipsec0 of 512kbps and work from there on it.

--
Michael T. Babcock
CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
http://www.fibrespeed.net/~mbabcock/
On Mon, Aug 19, 2002 at 02:28:34PM -0400, Michael T. Babcock wrote:
> On Mon, Aug 19, 2002 at 07:01:32PM +0200, Stef Coene wrote:
> > > Is there anyone having an idea on how to limit bandwidth on a linux gw
> > > doing vpns with freeswan, i.e. for a 1Mbit line with 1 ipsec tunnel on
> > > interface ppp0, limiting vpn traffic (esp) to 512kbit and internet
> > > traffic (non vpn) to 512kbit.
> > More info about shaping can be found on www.lartc.org. And I have some extra
> > information on www.docum.org.
> >
> > You have to add a cbq or htb qdisc to your interfaces and create 2 classes.
> > One for vpn traffic and one for non vpn traffic. I hope that you use fixed
> > ports for the vpn traffic so you can use the dst/src port as a filter key.
> > You can share the same 1mbit or you can limit each class to 512kbit.
>
> If FreeS/WAN is used, adding a pair of classes to the external interface
> for 'normal' and 'VPN' traffic should suffice. VPN traffic is identifiable
> as traffic over UDP port 500 and protocols 50 or 51, although you may wish
> to give them their own class with high priority as they do key exchanges.

Thanks, I tried with marking packets with netfilter, but here is one of my problems: I can mark esp proto but not non-esp proto:

  # This works
  # Marking outgoing vpn packets
  iptables -t mangle -A OUTPUT -o $IFEXT -p esp -j MARK --set-mark 29
  iptables -t mangle -A OUTPUT -o $IFEXT -p udp --dport 500 -j MARK --set-mark 29

  # This doesn't work!!
  # Marking outgoing non-vpn packets
  iptables -t mangle -A OUTPUT -o $IFEXT -p ! esp -j MARK --set-mark 39

Any idea??

> If you gave each 512kbps, then add a root class to ipsec0 of 512kbps and
> work from there on it.
> --
> Michael T. Babcock
> CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
> http://www.fibrespeed.net/~mbabcock/

--
Easter-eggs Spécialiste GNU/Linux
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
mailto:elacour@easter-eggs.com - http://www.easter-eggs.com
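The setup Stef and Michael describe (an HTB qdisc on the external interface with one VPN class and one non-VPN class at 512kbit each, VPN traffic identified by IP protocol 50/51 and UDP port 500), written out as an added example that is not from any poster in this thread. It assumes the external interface is ppp0 and an HTB-capable kernel with iproute2 tc; the u32 filters classify VPN traffic directly and the HTB default class catches everything else, so no iptables marking of non-ESP traffic is needed.

```shell
#!/bin/sh
# Added example: HTB shaper splitting a 1 Mbit link into a VPN class and a
# non-VPN class of 512 kbit each. Assumed interface: ppp0 (override IFEXT).
# Set TC=echo to print the tc commands instead of applying them.
TC="${TC:-tc}"
IFEXT="${IFEXT:-ppp0}"

setup_vpn_shaping() {
    # Start from a clean slate; ignore the error if no qdisc is attached yet.
    $TC qdisc del dev "$IFEXT" root 2>/dev/null || true

    # Root HTB qdisc. Packets no filter matches fall into class 1:20, so the
    # non-VPN class needs no negated match (the "-p ! esp" problem above).
    $TC qdisc add dev "$IFEXT" root handle 1: htb default 20
    $TC class add dev "$IFEXT" parent 1: classid 1:1 htb rate 1mbit ceil 1mbit

    # 1:10 = VPN, 1:20 = everything else. rate is the guaranteed share and
    # ceil the hard cap; raise ceil to 1mbit on both to share idle bandwidth.
    $TC class add dev "$IFEXT" parent 1:1 classid 1:10 htb rate 512kbit ceil 512kbit prio 0
    $TC class add dev "$IFEXT" parent 1:1 classid 1:20 htb rate 512kbit ceil 512kbit prio 1

    # Classify VPN traffic by IP protocol (50 = ESP, 51 = AH) and IKE (UDP/500).
    # On the physical interface the tunnel traffic is already ESP-encapsulated,
    # so these matches see the outer headers.
    $TC filter add dev "$IFEXT" parent 1: protocol ip prio 1 u32 \
        match ip protocol 50 0xff flowid 1:10
    $TC filter add dev "$IFEXT" parent 1: protocol ip prio 1 u32 \
        match ip protocol 51 0xff flowid 1:10
    $TC filter add dev "$IFEXT" parent 1: protocol ip prio 1 u32 \
        match ip protocol 17 0xff match ip dport 500 0xffff flowid 1:10
}

# Print the commands without touching the kernel (runs as a subshell so the
# TC override does not leak into the caller).
preview_vpn_shaping() {
    ( TC=echo; setup_vpn_shaping )
}

case "${1:-}" in
    apply)   setup_vpn_shaping ;;
    preview) preview_vpn_shaping ;;
esac
```

Run `sh shape.sh preview` to review the generated tc commands, and `sh shape.sh apply` as root to install them; `tc -s class show dev ppp0` then shows per-class byte counters to confirm ESP traffic lands in 1:10.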