Wow, didn't notice that you could change interfaces before you pointed it out. What does that mean for VPN shaping/prioritizing? The packets are not AH and ESP until the WAN side of the m0n0wall, correct? I would have to prioritize the TCP packets for my accounting software package (TCP ports 14000 through 15000) on the LAN side instead?

Andy

-------- Original Message --------
From: "Marc Fargas" <telenieko at gmail dot com>
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Does Traffic Shaper Suck??
Date: 04/10/2006 3:39 PM

> As far as I understand, you have 2 options. You can define the shaper rules
> over the LAN interface, in which case you have the traffic "as-is" before
> hitting the world, but you'll have to take into account that the VPN can add
> some overhead to the traffic (adding "real" IP headers and so on), or you can
> define the rules on the WAN interface, in which case you can't match
> specific VPN traffic but only the destination port on the other end.
>
> It's also possible that on FreeBSD shaping on WAN occurs before IPsec is
> done, in which case you'd be safe with either solution. In my case I have all the
> rules applied on LAN (no OPT interfaces) so I can match all the VPN traffic
> (I have to prioritize VoIP over other packets going through it) and it goes
> like a charm.
>
> So, in brief, if you have no OPT interfaces (only LAN and WAN) and the VPN
> is done on the m0n0 box, do all the traffic shaping on the LAN interface. If
> the VPN is done before arriving at m0n0, put the rules wherever you wish :)
>
> On 4/10/06, Paul Taylor <PaulTaylor at winn dash dixie dot com> wrote:
>
>> His pings are going through a VPN tunnel, so there would probably need to
>> be some different rules used.
>>
>> I would expect that the traffic would be "inside" the tunnel before
>> hitting the traffic shaper. Or would the traffic coming in the LAN be seen
>> as-is, before hitting the tunnel? I would definitely expect the WAN side
>> traffic (incoming) to be seen as VPN traffic.
>>
>> Paul
>>
>> -----Original Message-----
>> From: Marc Fargas [mailto:telenieko at gmail dot com]
>> Sent: Monday, April 10, 2006 3:23 PM
>> To: C. Andrew Zook
>> Cc: m0n0wall at lists dot m0n0 dot ch
>> Subject: Re: [m0n0wall] Does Traffic Shaper Suck??
>>
>> Uhmm, the first thing could be defining ONE unique pipe for the whole
>> connection, so m0n0wall gets everything to 1.5Mbps. Then define some queues
>> (or use the standard ones, changing all to the same pipe) and set a unique
>> rule that matches everything and goes to the highest priority queue. Try
>> bandwidth then; if OK, then change the default rule to be the lowest one.
>> Match ICMP echo-request and ICMP echo-reply to the highest priority queue
>> you have. And that should work fine.
>>
>> I think the important bit is the "unique pipe": as you have 1.5Mbps for
>> everything you can define two 1.5Mbps pipes for upload/download, and it's
>> nonsense to split it into 1.0Mbps and 500Kbps or something like that. A
>> unique pipe should go fine!!
>>
>> Let us know if that solves something.
>> Marc Fargas
>>
>> On 4/10/06, C. Andrew Zook <andrewzook at pdqlocks dot com> wrote:
>>
>>> When using traffic shaper, should I have "share bandwidth evenly on LAN"
>>> checked? This sounds like it would be more suitable for an internet cafe
>>> or something.
>>>
>>> Andy
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
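The shaping recipe from Marc's two messages, written out as FreeBSD ipfw/dummynet rules: one pipe for the whole 1.5 Mbit/s link (not split into smaller up/down pipes), weighted queues on that pipe with ICMP echo-request/echo-reply on top and a catch-all at the bottom, and classification on the LAN interface, where packets that will later enter the IPsec tunnel are still plain IP, so Andy's accounting ports can be matched. This is an added example, not code from the thread or from the m0n0wall project; to my knowledge m0n0wall drives ipfw/dummynet underneath its shaper GUI, but the GUI remains the supported way to configure it. The interface name `vr0`, the pipe/queue/rule numbers, the queue weights and the TCP 14000-15000 range are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the m0n0wall project or from the thread.
# Expresses the thread's shaping advice as FreeBSD ipfw/dummynet rules:
#   - one pipe for the whole link, never split into smaller up/down pipes
#   - weighted queues on that pipe: ICMP echo on top, the accounting
#     package next, everything else at the bottom
#   - classification on the LAN interface, where traffic headed for the
#     IPsec tunnel is still plain IP (on the WAN side it is already ESP/AH)
# Assumed for illustration: interface vr0, the rule/queue numbers, the
# weights, and the TCP 14000-15000 range mentioned in the thread.

# shaper_rules LAN_IF KBITS  -> prints the rule set (review before applying)
shaper_rules() {
    lan_if=$1
    kbits=$2
    cat <<EOF
ipfw pipe 1 config bw ${kbits}Kbit/s
ipfw queue 1 config pipe 1 weight 90
ipfw queue 2 config pipe 1 weight 50
ipfw queue 3 config pipe 1 weight 10
ipfw add 100 queue 1 icmp from any to any icmptypes 0,8 via ${lan_if}
ipfw add 110 queue 2 tcp from any to any 14000-15000 via ${lan_if}
ipfw add 111 queue 2 tcp from any 14000-15000 to any via ${lan_if}
ipfw add 120 queue 3 ip from any to any via ${lan_if}
EOF
}

# shaper_apply LAN_IF KBITS  -> loads the rules into the running ipfw
shaper_apply() {
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not found; run this on the FreeBSD/m0n0wall box" >&2
        return 1
    fi
    shaper_rules "$@" | sh -e
}

# Usage on the box:  shaper_rules vr0 1500   (inspect)
#                    shaper_apply vr0 1500   (load)
```

Rules 110 and 111 catch both directions of the accounting flows (client-to-server by destination port, server-to-client by source port); rule 120 is the "lowest queue" default Marc suggests enabling only after the single-pipe setup is confirmed to deliver the full bandwidth. The same flows seen on the WAN interface show up only as ESP (or AH) between the two gateways, so a WAN-side rule could put the whole tunnel in one queue but could not single out ports 14000-15000 inside it, which is the reason the thread settles on the LAN side.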