From: Vinod Chandran <vinod_chandran@multitech.co.in>
To: lartc@mailman.ds9a.nl, netfilter@lists.netfilter.org
Subject: [LARTC] Re: QoS and IPSec...
Date: Wed, 27 Jul 2005 04:55:23 +0000 [thread overview]
Message-ID: <42E7134D.3090809@multitech.co.in> (raw)
In-Reply-To: <42E6D57B.6050109@riverviewtech.net>
Hi Grant,
Add iptables rules in the FORWARD chain of the mangle table to handle the normal packets
(ICMP, etc.) with specific mark values, and add filters for the same.
As far as IPsec traffic is concerned, it's generally generated from the
box, unless it's acting as an IPsec pass-through. Hence you can add rules in
the POSTROUTING chain to mark all AH/ESP packets with some mark value. I
believe, since the IPsec packet is generated from the box, the source IP will
be that of the incoming interface... Not sure about this!
Hope this helps.
Regards,
Vinod C
Grant Taylor wrote:
> Hi, I have what to me is an interesting issue. I am wanting to
> prioritize (QoS) traffic that will be passing through an IPSec
> (OpenS/WAN) VPN between two (identical) Linux routers. I know that I
> can apply the IPSec patches (1-4) to the kernel and iptables (if they
> are not already applied by now) to filter traffic before and after IPSec
> encapsulation. My problem is that I don't know if I will be able to
> QoS the traffic that will be encapsulated; as far as I know, QoS
> prioritization (via CBQ or HTB) only applies to traffic that is being
> dequeued from the skbuffers to go out the physical interface. In my
> mind the traffic that is to be encapsulated does not "go out" a
> physical interface to be dequeued in the order that I want to
> prioritize. I know that I can QoS IPSec VPN traffic (IP/ESP) to a
> higher priority than any other IP traffic, but I'm not sure about the
> traffic that is being encapsulated. My (very) rough idea is to use
> something like dummy net or IMQ to provide an interface (or subnet if
> need be) that the traffic will traverse and be dequeued from, where I
> can apply the QoS that I want to. I'm not quite sure how to go about
> this, so any advice would be greatly appreciated.
>
> I would like to QoS / prioritize LAN traffic that is destined to the
> other LAN based on the type of traffic that it is (ICMP, RDP, RFB,
> SMB, etc.) before it is encapsulated. Once the traffic has been
> encapsulated I'd like to QoS / prioritize the ESP traffic that is
> destined to the other LAN's globally routable IP before any other
> internet traffic goes out. This latter part is not the problem, just
> the former part.
>
> My network layout(s) are below for those of you that will be asking:
>
> LAN A:
> - 172.30.12.x/24 subnet
> - 172.30.12.1-250 client systems and the likes
> - 172.30.12.254 is the default gateway which will be replaced by one
> of the boxen I'm asking about.
> - A.B.C.Z/24 globally routable IP on the router
>
> LAN B:
> - 172.30.13.x/24 subnet
> - 172.30.13.1-250 client systems and the likes
> - 172.30.13.254 is the default gateway which will be replaced by one
> of the boxen I'm asking about.
> - A.B.C.Y/24 globally routable IP on the router
>
> VPN:
> - The VPN in question will be between the A.B.C.Z and A.B.C.Y globally
> routable IP addresses.
>
> Note that both LANs have a DSL circuit from the same provider and thus
> are 1 IP off from each other on their globally routable IP.
>
>
> Grant. . . .
>
> P.S. I'm (cross) posting this to the NetFilter mail lists as I've
> seen some very complex questions and answers on the LARTC and
> NetFilter mail lists and I would like to pull from both pools of
> talent. So be mindful when replying to all. ;)
>
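The marking scheme the reply describes (mangle marks in FORWARD for the cleartext LAN-to-LAN traffic, a POSTROUTING mark for the ESP/AH packets, tc "fw" filters keyed on those marks) as an added example written for this page, not code from the thread or from Openswan. It assumes the LAN A router with WAN interface eth0 (the LAN B router swaps the two subnet arguments); the mark values, port numbers and HTB rates are constructed for illustration, and the ESP/AH rule only marks packets that are still unmarked so a per-flow mark that survived encapsulation is kept.

```shell
#!/bin/sh
# Illustration of the reply's scheme: marks set in the mangle table, matched by
# tc "fw" filters on the WAN interface. Interface names, mark values, ports and
# rates are assumed/constructed; adjust them to the real link.
# DRY_RUN=1 prints the commands instead of executing them (no root needed).
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

setup_qos() {
    wan=$1; lan=$2; remote=$3           # e.g. eth0 172.30.12.0/24 172.30.13.0/24
    M_ICMP=1; M_RDP=2; M_SMB=3; M_ESP=4  # mark values, chosen arbitrarily
    fwd() { run iptables -t mangle -A FORWARD -s "$lan" -d "$remote" "$@"; }
    # 1. Mark cleartext LAN-to-LAN packets in FORWARD, before IPsec encapsulates them.
    fwd -p icmp -j MARK --set-mark $M_ICMP
    fwd -p tcp --dport 3389 -j MARK --set-mark $M_RDP                  # RDP
    fwd -p tcp --dport 5900 -j MARK --set-mark $M_RDP                  # RFB/VNC
    fwd -p tcp -m multiport --dports 139,445 -j MARK --set-mark $M_SMB # SMB
    # 2. Mark the locally generated ESP/AH packets in POSTROUTING, but only those
    #    that carry no mark yet, so a mark that survived encapsulation is kept.
    run iptables -t mangle -A POSTROUTING -o "$wan" -p esp -m mark --mark 0 -j MARK --set-mark $M_ESP
    run iptables -t mangle -A POSTROUTING -o "$wan" -p ah -m mark --mark 0 -j MARK --set-mark $M_ESP
    # 3. HTB tree on the WAN side; rates assume a roughly 1 Mbit DSL uplink.
    run tc qdisc del dev "$wan" root 2>/dev/null || true
    run tc qdisc add dev "$wan" root handle 1: htb default 50
    run tc class add dev "$wan" parent 1: classid 1:1 htb rate 1000kbit
    run tc class add dev "$wan" parent 1:1 classid 1:10 htb rate 100kbit ceil 1000kbit prio 0
    run tc class add dev "$wan" parent 1:1 classid 1:20 htb rate 300kbit ceil 1000kbit prio 1
    run tc class add dev "$wan" parent 1:1 classid 1:30 htb rate 200kbit ceil 1000kbit prio 2
    run tc class add dev "$wan" parent 1:1 classid 1:40 htb rate 200kbit ceil 1000kbit prio 3
    run tc class add dev "$wan" parent 1:1 classid 1:50 htb rate 200kbit ceil 1000kbit prio 4
    # 4. fw classifier: each mark selects its class (unmarked traffic falls to 1:50).
    for pair in "$M_ICMP:1:10" "$M_RDP:1:20" "$M_SMB:1:30" "$M_ESP:1:40"; do
        mark=${pair%%:*}; cls=${pair#*:}
        run tc filter add dev "$wan" parent 1: protocol ip prio 1 handle "$mark" fw flowid "$cls"
    done
}

# Usage: sh qos.sh eth0 172.30.12.0/24 172.30.13.0/24   (prefix DRY_RUN=1 to preview)
if [ $# -eq 3 ]; then setup_qos "$@"; fi
```

Verify the result on a live box with `iptables -t mangle -L -v -n` and `tc -s class show dev eth0`, which show per-rule and per-class byte counters and so reveal whether the marked packets actually land in the intended class.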