 From:  "Marc Fargas" <telenieko at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Does Traffic Shaper Suck??
 Date:  Mon, 10 Apr 2006 21:39:16 +0200
As far as I understand, you have 2 options. You can define the shaper rules
over the LAN interface, in which case you have the traffic "as-is" before
hitting the world, but you'll have to take into account that the VPN can do
some overweight on the traffic (adding "real" IP headers and so), or you can
define the rules on the WAN interface, in which case you can't match
specific VPN traffic but only the destination port on the other end.

It's also possible that on FreeBSD shaping on WAN occurs before IPSec is
done in which case you'd be safe on any solution. In my case I have all the
rules applied on LAN (no OPT interfaces) so I can match all the VPN traffic
(I have to prioritize VoIP over other packets going through it) and it goes
like a charm.

So, in brief, if you have no OPT interfaces (only LAN and WAN) and the VPN
is done on the m0n0 box, do all the traffic shaping on the LAN interface. If
the VPN is done before arriving at m0n0, put the rules wherever you wish :)

On 4/10/06, Paul Taylor <PaulTaylor at winn dash dixie dot com> wrote:
>
>
> His pings are going through a VPN tunnel, so there would probably need to be
> some different rules used.
>
> I would expect that the traffic would be "inside" the tunnel before hitting
> the traffic shaper.  Or would the traffic coming in the LAN be seen as-is,
> before hitting the tunnel?  I would definitely expect the WAN side traffic
> (incoming) to be seen as VPN traffic.
>
> Paul
>
>
> -----Original Message-----
> From: Marc Fargas [mailto:telenieko at gmail dot com]
> Sent: Monday, April 10, 2006 3:23 PM
> To: C. Andrew Zook
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Does Traffic Shaper Suck??
>
> Uhmm The first thing could be defining ONE unique pipe for all the
> connection. So m0n0wall gets everything to 1.5Mbps. Then define some queues
> (or use the standard ones changing all to the same pipe) and set a unique
> rule that matches everything and gets to the highest priority queue. Try
> bandwidth then, if OK then change the default rule to be the lowest one.
> Match ICMP echo-request and ICMP echo-reply to the highest priority queue
> you have. And that should work fine.
>
> I think the important bit is the "unique pipe" as you have 1.5Mbps for
> everything you cand define two 1.5Mbps pipes for upload/download and it's
> nonsense to split it to 1.0Mbps and 500Kbps or something like that. A
> unique pipe should go fine!!
>
> Let us know if that solves something.
> Marc Fargas
>
> On 4/10/06, C. Andrew Zook <andrewzook at pdqlocks dot com> wrote:
> >
> > When using traffic shaper, should I have "share bandwidth evenly on LAN"
> > checked? This sounds like it would be more suitable for an internet cafe
> > or something.
> >
> > Andy
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> >
> >