 From:  "Marc Fargas" <telenieko at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Does Traffic Shaper Suck??
 Date:  Mon, 10 Apr 2006 23:28:17 +0200
On the shaper configuration you have "Pipes", then "Queues" which can
be more than one for each pipe and then Filters, which match a packet
and assign it to a queue. Then, every queue has a priority, which
means "for every N packets pass X from QueueHighPriority, Y from
QueueLowPriority" being Y less than X. So you define how many packets
from the high prio queue go before one packet of low prio.

IPSec is done before/after going through the traffic shaping depending
on the platform (I don't know how FreeBSD handles that) so you'll be
safer applying filters on LAN as there will always be readable packets
:)

And yes, you should prioritize traffic on the LAN side, but remember
that from the m0n0 point of view, Download on the LAN is what you mean
for Upload on WAN, and vice-versa!

On 4/10/06, C. Andrew Zook <andrewzook at pdqlocks dot com> wrote:
> Wow, didn't notice that you could change interfaces before you pointed
> it out.
>
> What does that mean for VPN shaping/prioritizing? The packets are not AH
> and ESP until the WAN side of the m0n0wall, correct?
>
> I would have to prioritize the TCP packets for my accounting software
> package (tcp ports 14000 through 15000) on the LAN side instead?
>
> Andy
>
> -------- Original Message  --------
> From: "Marc Fargas" <telenieko at gmail dot com>
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: Re:[m0n0wall] Does Traffic Shaper Suck??
> Date: 04/10/2006 3:39 PM
>
> > As far as I understand, you have 2 options. You can define the shaper rules
> > over the LAN interface in which case you have the traffic "as-is" before
> > hitting the world but you'll have to take into account that the VPN can do
> > some overweight on the traffic (adding "real" ip headers and so) or you can
> > define the rules on the WAN interface in which case you can't match
> > specific VPN traffic but only the destination port on the other end.
> >
> > It's also possible that on FreeBSD shaping on WAN occurs before IPSec is
> > done in which case you'd be safe on any solution. In my case I have all the
> > rules applied on LAN (no OPT interfaces) so I can match all the VPN traffic
> > (I have to prioritize VoIP over other packets going through it) and it goes
> > like a charm.
> >
> > So, in brief, if you have no OPT interfaces (only LAN and WAN) and the VPN
> > is done on the m0n0 box do all the traffic shaping on the LAN interface. If
> > the VPN is done before arriving m0n0 put the rules wherever you wish :)
> >
> > On 4/10/06, Paul Taylor <PaulTaylor at winn dash dixie dot com> wrote:
> >
> >> His pings are going through a VPN tunnel, so there would probably need to
> >> be
> >> some different rules used.
> >>
> >> I would expect that the traffic would be "inside" the tunnel before
> >> hitting
> >> the traffic shaper.  Or would the traffic coming in the LAN be seen as-is,
> >> before hitting the tunnel?  I would definitely expect the WAN side traffic
> >> (incoming) to be seen as VPN traffic.
> >>
> >> Paul
> >>
> >>
> >> -----Original Message-----
> >> From: Marc Fargas [mailto:telenieko at gmail dot com]
> >> Sent: Monday, April 10, 2006 3:23 PM
> >> To: C. Andrew Zook
> >> Cc: m0n0wall at lists dot m0n0 dot ch
> >> Subject: Re: [m0n0wall] Does Traffic Shaper Suck??
> >>
> >> Uhmm The first thing could be defining ONE unique pipe for all the
> >> connection. So m0n0wall gets everything to 1.5Mbps, Then define some
> >> queues
> >> (or use the standard ones changing all to the same pipe) and set a unique
> >> rule that matches everything and gets to the highest priority queue. Try
> >> bandwidth then, if OK then change the default rule to be the lowest one.
> >> Match ICMP echo-request and ICMP echo-reply to the highest priority queue
> >> you have. And that should work fine.
> >>
> >> I think the important bit is the "unique pipe" as you have 1.5Mbps for
> >> everything you cand define two 1.5Mbps pipes for upload/download and it's
> >> nonsense to split it to 1.0Mbps and 500Kbps or something like that. A
> >> unique pipe should go fine!!
> >>
> >> Let us know if that solves something.
> >> Marc Fargas
> >>
> >> On 4/10/06, C. Andrew Zook <andrewzook at pdqlocks dot com> wrote:
> >>
> >>> When using traffic shaper, should I have "share bandwidth evenly on LAN"
> >>> checked? This sounds like it would be more suitable for an internet cafe
> >>> or something.
> >>>
> >>> Andy
> >>>
> >>>
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> >>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
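The pipe / queue / filter model described in this thread, as an added example that is not part of the original messages and is not m0n0wall's code: a simplified packet-count weighted round-robin over one shared pipe, not the actual scheduler the shaper uses. The queue names, the 4:1 weights and the sample traffic are constructed assumptions; the ICMP echo and TCP 14000-15000 matches come from the thread.

```python
from collections import deque

# Constructed sample traffic seen on the LAN side: (protocol, dst port or ICMP type).
SAMPLE = [("tcp", 80)] * 20 + [("tcp", 14500)] * 10 + [("icmp", 8)] * 2


def classify(pkt):
    """Filters, first match wins: map a packet to a queue name (hypothetical names)."""
    proto, value = pkt
    if proto == "icmp" and value in (8, 0):           # echo-request / echo-reply
        return "high"
    if proto == "tcp" and 14000 <= value <= 15000:    # accounting package ports
        return "high"
    return "low"                                      # default rule: lowest queue


def shape(packets, weights, slots):
    """Drain one shared pipe for `slots` packet transmissions.

    Each round, every queue may send up to its weight in packets. A queue
    with nothing waiting is skipped, so its share is not wasted: the other
    queues can still use the full pipe.
    """
    queues = {name: deque() for name in weights}
    for pkt in packets:
        queues[classify(pkt)].append(pkt)

    sent = []
    while len(sent) < slots and any(queues.values()):
        for name, weight in weights.items():
            for _ in range(weight):
                if queues[name] and len(sent) < slots:
                    sent.append((name, queues[name].popleft()))
    return sent


def share(sent):
    """Count how many transmitted packets came from each queue."""
    counts = {}
    for name, _ in sent:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    print(share(shape(SAMPLE, {"high": 4, "low": 1}, 10)))
    print(share(shape([("tcp", 80)] * 20, {"high": 4, "low": 1}, 5)))
```

With a single pipe, the low-priority queue is only held back while high-priority packets are waiting; two separately sized pipes would cap it even when the link is idle.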