From: Emmanuel Lacour <elacour@easter-eggs.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Limit bandwidth for ipsec vpns
Date: Tue, 20 Aug 2002 15:56:02 +0000
Message-ID: <marc-lartc-102985905712992@msgid-missing>
In-Reply-To: <marc-lartc-102977464604347@msgid-missing>

On Mon, Aug 19, 2002 at 02:28:34PM -0400, Michael T. Babcock wrote:
> On Mon, Aug 19, 2002 at 07:01:32PM +0200, Stef Coene wrote:
> > > Is there anyone having an idea on how to limit bandwidth on a linux gw
> > > doing vpns with freeswan, i.e. for a 1Mbit line with 1 ipsec tunnel on
> > > interface ppp0, limiting vpn traffic (esp) to 512kbit and internet
> > > traffic (non vpn) to 512kbit.
> > More info about shaping can be found on www.lartc.org.  And I have some extra 
> > information on www.docum.org.
> > 
> > You have to add a cbq or htb qdisc to your interfaces and create 2 classes.  
> > One for vpn traffic and one for non vpn traffic.  I hope that you use fixed 
> > ports for the vpn traffic so you can use the dst/src port as a filter key.  
> > You can share the same 1mbit or you can limit each class to 512kbit.
> 
> If FreeS/WAN is used, adding a pair of classes to the external interface
> for 'normal' and 'VPN' traffic should suffice.  VPN traffic is identifiable
> as traffic over UDP port 500 and protocols 50 or 51, although you may wish
> to give them their own class with high priority as they do key exchanges.


Thanks, I tried marking packets with netfilter, but here is one of
my problems: I can mark the esp proto but not the non-esp proto:

# This works
# Marking outgoing vpn packets
iptables -t mangle -A OUTPUT -o $IFEXT -p esp -j MARK --set-mark 29
iptables -t mangle -A OUTPUT -o $IFEXT -p udp --dport 500 -j MARK --set-mark 29

# This doesn't work!!
# Marking outgoing non-vpn packets
iptables -t mangle -A OUTPUT -o $IFEXT -p ! esp -j MARK --set-mark 39

Any idea??

> 
> If you gave each 512kbps, then add a root class to ipsec0 of 512kbps and
> work from there on it.
> -- 
> Michael T. Babcock
> CTO, FibreSpeed Ltd.     (Hosting, Security, Consultation, Database, etc)
> http://www.fibrespeed.net/~mbabcock/
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

-- 
Easter-eggs                                GNU/Linux specialist
44-46 rue de l'Ouest  -  75014 Paris   -   France -  Métro Gaité
Phone: +33 (0) 1 43 35 00 37    -     Fax: +33 (0) 1 41 35 00 76
mailto:elacour@easter-eggs.com   -    http://www.easter-eggs.com
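The setup discussed in this thread (an HTB qdisc on the external interface with one 512kbit class for IPsec and one for everything else, selected by netfilter marks), written out as an added example; it is not code from the thread or from FreeS/WAN or LARTC. It keeps the mark values 29 and 39 from the post above. The interface name (ppp0), the 1mbit line rate, the `run` wrapper and the DRY_RUN switch are assumptions made for this example. Rather than negating the protocol with `-p ! esp`, it marks every outgoing packet with the non-VPN mark first and lets the later, more specific VPN rules overwrite it (MARK is non-terminating, so the last matching rule wins); the HTB `default 20` class additionally catches anything that reaches the qdisc without a matching filter.

```shell
#!/bin/sh
# Added example, not part of the original thread: HTB shaper with two
# 512kbit classes (IPsec vs. everything else) driven by netfilter marks.
# Assumptions: external interface ppp0, 1mbit line. Needs root to apply;
# DRY_RUN=1 only prints the commands that would be executed.

IFEXT="${IFEXT:-ppp0}"          # assumed external interface
LINE_RATE="${LINE_RATE:-1mbit}" # assumed line speed
CEIL="${CEIL:-512kbit}"         # hard 512/512 split; set CEIL=1mbit to let the classes borrow
VPN_MARK=29                     # mark values taken from the post above
OTHER_MARK=39
DRY_RUN="${DRY_RUN:-0}"

# run: execute the command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Mark outgoing packets in the mangle OUTPUT chain. Everything gets the
# non-VPN mark first; ESP, AH and IKE (UDP 500) are matched afterwards and
# overwrite it, so no protocol negation is needed.
mark_packets() {
    run iptables -t mangle -A OUTPUT -o "$IFEXT" -j MARK --set-mark "$OTHER_MARK"
    run iptables -t mangle -A OUTPUT -o "$IFEXT" -p esp -j MARK --set-mark "$VPN_MARK"
    run iptables -t mangle -A OUTPUT -o "$IFEXT" -p ah -j MARK --set-mark "$VPN_MARK"
    run iptables -t mangle -A OUTPUT -o "$IFEXT" -p udp --dport 500 -j MARK --set-mark "$VPN_MARK"
}

# Build the HTB tree: root class 1:1 at the line rate, leaf 1:10 for VPN
# traffic and leaf 1:20 for the rest. "default 20" sends unfiltered packets
# to the non-VPN class, so a missing mark cannot bypass the shaper.
shape_interface() {
    run tc qdisc del dev "$IFEXT" root 2>/dev/null || true
    run tc qdisc add dev "$IFEXT" root handle 1: htb default 20
    run tc class add dev "$IFEXT" parent 1: classid 1:1 htb rate "$LINE_RATE" ceil "$LINE_RATE"
    run tc class add dev "$IFEXT" parent 1:1 classid 1:10 htb rate 512kbit ceil "$CEIL" prio 0
    run tc class add dev "$IFEXT" parent 1:1 classid 1:20 htb rate 512kbit ceil "$CEIL" prio 1
    # fw filters map the netfilter mark to the leaf class
    run tc filter add dev "$IFEXT" parent 1: protocol ip prio 1 handle "$VPN_MARK" fw flowid 1:10
    run tc filter add dev "$IFEXT" parent 1: protocol ip prio 1 handle "$OTHER_MARK" fw flowid 1:20
}

# Only apply when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "apply" ]; then
    mark_packets
    shape_interface
fi
```

Preview with `DRY_RUN=1 sh shaper.sh apply`, then apply as root with `sh shaper.sh apply`; `tc -s class show dev ppp0` afterwards shows the byte counters of 1:10 and 1:20 moving, which is the quickest check that ESP really lands in the VPN class. Marks are only visible to the fw filter on the interface the marked packet actually leaves, so the rules deliberately target the external interface rather than ipsec0.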

Thread overview:
2002-08-19 16:29 [LARTC] Limit bandwidth for ipsec vpns Emmanuel Lacour
2002-08-19 17:01 ` Stef Coene
2002-08-19 18:28 ` Michael T. Babcock
2002-08-20 15:56 ` Emmanuel Lacour [this message]