* [LARTC] vpn control
From: Rick Marshall @ 2004-01-05 4:03 UTC (permalink / raw)
To: lartc
we have an external 2Mbit dsl connection and running on it are several
gre vpn tunnels
so far i've given priority to the vpn traffic (using htb)
can i now put rules in for the tunnels to control traffic within each
tunnel (that's where our video conferencing etc runs)? or can i only
control the real interface (eth1 in our setup)? if not can i somehow see
the packets inside the vpn packets and then control them?
thanks
rick
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] vpn control
From: Damion de Soto @ 2004-01-05 5:24 UTC (permalink / raw)
To: lartc
Hi Rick,
> can i now put rules in for the tunnels to control traffic within each
> tunnel (that's where our video conferencing etc runs)?
What type of VPNs are you using? IPSec?
You can put htb rules on ipsecX interfaces and they will work.
The pppX interfaces for pptp and l2tp VPNs should work just as well.
> control the real interface (eth1 in our setup)? if not can i somehow see
> the packets inside the vpn packets and then control them?
With some clever kernel hackery, you probably could do this, I don't think it would
be any fun at all though.
regards,
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Damion de Soto - Software Engineer email: damion@snapgear.com
SnapGear - A CyberGuard Company --- ph: +61 7 3435 2809
| Custom Embedded Solutions fax: +61 7 3891 3630
| and Security Appliances web: http://www.snapgear.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- Free Embedded Linux Distro at http://www.snapgear.org ---
* Re: [LARTC] vpn control
From: Rick Marshall @ 2004-01-05 6:15 UTC (permalink / raw)
To: lartc
linux-linux using ip tunnels - modprobe ip_gre
eg
ip tunnel add china mode gre remote xxx.xxx.xxx.xxx local \
xxx.xxx.xxx.xxx ttl 255
ip link set china up
ip addr add 192.168.1.11 dev china
ip route add 192.168.5.0/24 dev china
ps - any hackers - don't bother - the firewalls will only accept
connections from specific ip addresses
On Mon, 2004-01-05 at 16:24, Damion de Soto wrote:
> Hi Rick,
> > can i now put rules in for the tunnels to control traffic within each
> > tunnel (that's where our video conferencing etc runs)?
> What type of VPNs are you using? IPSec ?
> You can put htb rules on ipsecX interfaces and they will work.
> the pppX interfaces for pptp and l2tp VPNs should work just as well.
>
> > control the real interface (eth1 in our setup)? if not can i somehow see
> > the packets inside the vpn packets and then control them?
> With some clever kernel hackery, you probably could do this, I don't think it would
> be any fun at all though.
>
> regards,
* Re: [LARTC] vpn control
From: Damion de Soto @ 2004-01-05 6:46 UTC (permalink / raw)
To: lartc
Rick Marshall wrote:
> linux-linux using ip tunnels - modprobe ip_gre
>
> ip tunnel add china mode gre remote xxx.xxx.xxx.xxx local \
> xxx.xxx.xxx.xxx ttl 255
> ip link set china up
> ip addr add 192.168.1.11 dev china
> ip route add 192.168.5.0/24 dev china
Hrrm, not 100% sure on GRE tunnels, but I can't see why they wouldn't.
You should be able to just create all your tc rules on the 'china' device.
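An added example, not part of the thread, of what creating the tc rules on the 'china' tunnel device could look like. The 512 kbit share of the 2Mbit line, the 60% video share, DSCP EF marking for the video traffic and a plain 4-byte GRE header are all assumptions; the script prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: HTB on a GRE tunnel device. Dry run by default (APPLY=1 executes).
# Assumed, not from the thread: rates, the 60/40 split, DSCP EF marks video.

GRE_OVERHEAD=24   # 20-byte outer IPv4 header + 4-byte basic GRE header
OUTER_MTU=1500    # MTU of the real interface carrying the tunnel

# kbit/s left for inner packets when the tunnel may use $1 kbit/s on the wire.
# Assumes full-size packets; small packets lose proportionally more to overhead.
inner_kbit() {
    echo $(( $1 * (OUTER_MTU - GRE_OVERHEAD) / OUTER_MTU ))
}

# Print the command, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# shape_tunnel DEV WIRE_KBIT VIDEO_PERCENT
shape_tunnel() {
    dev=$1
    total=$(inner_kbit "$2")
    video=$(( total * $3 / 100 ))
    bulk=$(( total - video ))

    # Root HTB on the tunnel device itself; unclassified traffic goes to 1:20.
    run tc qdisc add dev "$dev" root handle 1: htb default 20
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "${total}kbit"
    # Video gets a guaranteed share and first call on spare bandwidth (prio 0).
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb \
        rate "${video}kbit" ceil "${total}kbit" prio 0
    run tc class add dev "$dev" parent 1:1 classid 1:20 htb \
        rate "${bulk}kbit" ceil "${total}kbit" prio 1
    # Per-flow fair queuing inside each class.
    run tc qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
    run tc qdisc add dev "$dev" parent 1:20 handle 20: sfq perturb 10
    # A qdisc on the tunnel device sees packets before GRE encapsulation,
    # so this u32 match reads the inner IP header (DSCP EF = TOS 0xb8).
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip tos 0xb8 0xfc flowid 1:10
}

shape_tunnel china 512 60
```

The HTB rules on the real interface (eth1) still decide how much each tunnel gets; the rules above only divide one tunnel's share among the traffic inside it.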