Hello,

I've been using Shorewall for a long time and really like it. I recently set up TOS using some of the online documentation and some guides online. It works great. However I've run into a new configuration which I'm not sure how to handle and was hoping some other users could give me some recommendations.

In my other configs I have an outside and inside interface. So defining the rules was fairly straightforward. However in my latest setup I am trying to wrap my brain around using traffic shaping when there are two external interfaces. One is obviously the external interface and the other is a tun0 which is the routed OpenVPN interface. I just don't know how I should define the interfaces in tcinterfaces, especially since one is really just a virtual interface. My main reason for wanting traffic shaping is because I have VOIP traffic traversing my OpenVPN tunnel along with other traffic and I wanted to make sure there is always enough bandwidth for the voice traffic.

I am hoping some other users have traffic shaping set up in the same way and can shed some light on how they handle having two external interfaces, one real and one tunnel.

Thanks.

Simon

On 12-03-23 02:11 PM, Ryan on the Beach wrote:
> Hello,
>
> I've been using Shorewall for a long time and really like it. I recently set up TOS using some of the online documentation and some guides online. It works great. However I've run into a new configuration which I'm not sure how to handle and was hoping some other users could give me some recommendations.
>
> In my other configs I have an outside and inside interface. So defining the rules was fairly straightforward. However in my latest setup I am trying to wrap my brain around using traffic shaping when there are two external interfaces. One is obviously the external interface and the other is a tun0 which is the routed OpenVPN interface. I just don't know how I should define the interfaces in tcinterfaces, especially since one is really just a virtual interface. My main reason for wanting traffic shaping is because I have VOIP traffic traversing my OpenVPN tunnel along with other traffic and I wanted to make sure there is always enough bandwidth for the voice traffic.
>
> I am hoping some other users have traffic shaping set up in the same way and can shed some light on how they handle having two external interfaces, one real and one tunnel.

It's actually more complicated than just two external interfaces. The problem is that you want to be able to convey the "importance" (i.e. priority) of the voip packets that have been taken off of the VPN and wrapped into openvpn's udp packets at the next layer.

That's not currently possible, AFAIK. Such a thing is possible with IPsec AFAIU.

Of course you could just tell the "real network" layer that all openvpn traffic has a high (i.e. voip) priority but if somebody starts doing some kind of bulk transfer through the VPN you've basically given that bulk the same high priority as voip and voided the priority of the voip traffic. Furthermore you end up putting the lower priority traffic on the real network behind all openvpn traffic, even if it's bulk.

b.

On 12-03-23 11:55 AM, Brian J. Murrell wrote:
> On 12-03-23 02:11 PM, Ryan on the Beach wrote:
>> Hello,
>>
>> I've been using Shorewall for a long time and really like it. I recently set up TOS using some of the online documentation and some guides online. It works great. However I've run into a new configuration which I'm not sure how to handle and was hoping some other users could give me some recommendations.
>>
>> In my other configs I have an outside and inside interface. So defining the rules was fairly straightforward. However in my latest setup I am trying to wrap my brain around using traffic shaping when there are two external interfaces. One is obviously the external interface and the other is a tun0 which is the routed OpenVPN interface. I just don't know how I should define the interfaces in tcinterfaces, especially since one is really just a virtual interface. My main reason for wanting traffic shaping is because I have VOIP traffic traversing my OpenVPN tunnel along with other traffic and I wanted to make sure there is always enough bandwidth for the voice traffic.
>>
>> I am hoping some other users have traffic shaping set up in the same way and can shed some light on how they handle having two external interfaces, one real and one tunnel.
>
> It's actually more complicated than just two external interfaces. The
> problem is that you want to be able to convey the "importance" (i.e.
> priority) of the voip packets that have been taken off of the VPN and
> wrapped into openvpn's udp packets at the next layer.
>
> That's not currently possible, AFAIK. Such a thing is possible with
> IPsec AFAIU.
>
> Of course you could just tell the "real network" layer that all openvpn
> traffic has a high (i.e. voip) priority but if somebody starts doing
> some kind of bulk transfer through the VPN you've basically given that
> bulk the same high priority as voip and voided the priority of the voip
> traffic. Furthermore you end up putting the lower priority traffic on
> the real network behind all openvpn traffic, even if it's bulk.
>
> b.

I guess one workaround could be to establish 2 OpenVPN connections with different QoS properties and redirect bulk and voice traffic to one or another accordingly.

Michael.

On 12-03-26 07:06 PM, Michael Barabanov wrote:
> On 12-03-23 11:55 AM, Brian J. Murrell wrote:
>> On 12-03-23 02:11 PM, Ryan on the Beach wrote:
>>> Hello,
>>>
>>> I've been using Shorewall for a long time and really like it. I recently set up TOS using some of the online documentation and some guides online. It works great. However I've run into a new configuration which I'm not sure how to handle and was hoping some other users could give me some recommendations.
>>>
>>> In my other configs I have an outside and inside interface. So defining the rules was fairly straightforward. However in my latest setup I am trying to wrap my brain around using traffic shaping when there are two external interfaces. One is obviously the external interface and the other is a tun0 which is the routed OpenVPN interface. I just don't know how I should define the interfaces in tcinterfaces, especially since one is really just a virtual interface. My main reason for wanting traffic shaping is because I have VOIP traffic traversing my OpenVPN tunnel along with other traffic and I wanted to make sure there is always enough bandwidth for the voice traffic.
>>>
>>> I am hoping some other users have traffic shaping set up in the same way and can shed some light on how they handle having two external interfaces, one real and one tunnel.
>>
>> It's actually more complicated than just two external interfaces. The
>> problem is that you want to be able to convey the "importance" (i.e.
>> priority) of the voip packets that have been taken off of the VPN and
>> wrapped into openvpn's udp packets at the next layer.
>>
>> That's not currently possible, AFAIK. Such a thing is possible with
>> IPsec AFAIU.
>>
>> Of course you could just tell the "real network" layer that all openvpn
>> traffic has a high (i.e. voip) priority but if somebody starts doing
>> some kind of bulk transfer through the VPN you've basically given that
>> bulk the same high priority as voip and voided the priority of the voip
>> traffic. Furthermore you end up putting the lower priority traffic on
>> the real network behind all openvpn traffic, even if it's bulk.
>>
>> b.
>
> I guess one workaround could be to establish 2 OpenVPN connections with
> different QoS properties and redirect bulk and voice traffic to one or
> another accordingly.

Looks like there's no need to -- OpenVPN "passtos" option should take care of QoS.

Michael.
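
The three policies discussed in this thread, modeled in an added example that is not part of any poster's message or of Shorewall/OpenVPN: it builds constructed inner packets, wraps them in a tunnel packet with and without TOS copying, and shows which band a shaper on the physical interface would pick. Assumptions: VoIP is marked with DSCP EF (TOS 0xB8), the tunnel runs on UDP port 1194, the band numbers and both classifier functions are hypothetical, and encryption of the inner packet is not modeled.

```python
import socket
import struct

EF_TOS = 0xB8        # assumed VoIP marking: DSCP 46 (EF) in the TOS byte
TUNNEL_PORT = 1194   # assumed OpenVPN UDP port

def ipv4_packet(tos, proto, src, dst, payload):
    """Minimal IPv4 packet; checksum is left at 0 because nothing here checks it."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0,
                         64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

def tos_of(packet):
    return packet[1]  # the TOS/DSCP byte is the second byte of the IPv4 header

def encapsulate(inner, passtos):
    """Model of the tunnel endpoint: the inner packet becomes UDP payload.
    With passtos the outer TOS is copied from the inner header, else it is 0."""
    outer_tos = tos_of(inner) if passtos else 0
    udp = struct.pack("!HHHH", TUNNEL_PORT, TUNNEL_PORT, 8 + len(inner), 0)
    # Documentation-range addresses, constructed for the example.
    return ipv4_packet(outer_tos, 17, "198.51.100.1", "203.0.113.1", udp + inner)

def band_by_tos(packet):
    """Hypothetical shaper rule: band 1 for EF-marked packets, band 3 otherwise."""
    return 1 if tos_of(packet) == EF_TOS else 3

def band_by_port(packet):
    """The 'all OpenVPN traffic is high priority' rule: band 1 for the tunnel port."""
    is_udp = packet[9] == 17
    dport = struct.unpack("!H", packet[22:24])[0]
    return 1 if is_udp and dport == TUNNEL_PORT else 3

def classify_outer(passtos, classifier):
    """Band chosen on the physical interface for one VoIP and one bulk packet."""
    voip = ipv4_packet(EF_TOS, 17, "10.8.0.2", "10.8.0.1", b"constructed-rtp")
    bulk = ipv4_packet(0x00, 6, "10.8.0.2", "10.8.0.1", b"constructed-bulk")
    return {name: classifier(encapsulate(pkt, passtos))
            for name, pkt in (("voip", voip), ("bulk", bulk))}

if __name__ == "__main__":
    print("no passtos, by TOS :", classify_outer(False, band_by_tos))
    print("no passtos, by port:", classify_outer(False, band_by_port))
    print("passtos, by TOS    :", classify_outer(True, band_by_tos))
```

Without TOS copying the marking is invisible on the outer packet, the port-based rule lifts bulk along with voice, and only the TOS-copying case keeps the two apart.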