[Openswan Users] OpenSwan traffic shaping with HTB & sfq

Lewis Shobbrook lshobbrook at fasttrack.net.au
Wed May 4 18:34:21 CEST 2005


Hi All,

I've got an interoffice IPSEC VPN in place that I'm trying to give
priority to terminal service (tcp 3389) traffic.
I've created rules at each end, but have hit a bit of a dilemma.  As
the data is encrypted I must also give highest priority to protocol 50
otherwise the priority is lost as the packet gets encrypted.  
When I do this however, I can't slow people dragging large files across
the VPN and disrupting the Terminal users. 
This is an example of some of the rules in place.  I can protect the VPN
traffic from other internet traffic such as email etc, but not from
themselves if you know what I mean.

tc qdisc del dev $NET_IF root
tc qdisc add dev $NET_IF root handle 1: htb default 30

# classes first: a leaf qdisc cannot be attached to a class that does not exist yet
tc class add dev $NET_IF parent 1: classid 1:1 htb rate 512Kbit burst 15Kb
tc class add dev $NET_IF parent 1:1 classid 1:10 htb rate 512Kbit burst 15Kb prio 0
tc class add dev $NET_IF parent 1:1 classid 1:20 htb rate 128Kbit ceil 512Kbit burst 15Kb prio 1
tc class add dev $NET_IF parent 1:1 classid 1:30 htb rate 10Kbit ceil 512Kbit burst 15Kb prio 2

tc qdisc add dev $NET_IF parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $NET_IF parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $NET_IF parent 1:30 handle 30: sfq perturb 10

# u32 classifier: terminal server replies (sport 3389) go to the prio 0 class
tc filter add dev $NET_IF protocol ip parent 1:0 prio 1 u32 match ip sport 3389 0xffff flowid 1:10
tc filter add dev $NET_IF protocol ip parent 1:0 prio 1 u32 match ip src $termserver_ip match ip sport 3389 0xffff flowid 1:10
Etc etc...

Has anyone come across this before and found a solution?

Any suggestions appreciated.

Cheers,

Lewis
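As an added example (not part of the original post or of Openswan), the following script separates RDP from bulk VPN traffic by marking the cleartext packets in the mangle table before encryption and letting HTB classify the resulting ESP packets by that mark, so ESP as a whole no longer has to be prioritised. It assumes the NETKEY (2.6) IPsec stack, where the fwmark set on the cleartext packet is carried over to the ESP packet it becomes; $NET_IF, $RDP_MARK and the class rates are illustrative assumptions.

```shell
#!/bin/sh
# Added example: fwmark-based classification of RDP inside an IPsec tunnel.
# Assumes NETKEY IPsec, where the mark set before encryption survives on the
# ESP packet, and that $NET_IF is the outer (internet-facing) interface.
NET_IF="${NET_IF:-eth0}"      # assumed interface name
RDP_MARK=10                   # arbitrary mark, must match the fw filter below
DRY_RUN="${DRY_RUN:-}"        # set to 1 to print commands instead of running them

run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

mark_rdp() {
    # Forwarded cleartext packets, both directions of a 3389 session, so the
    # same script works on either gateway of the interoffice tunnel.
    run iptables -t mangle -A FORWARD -p tcp --dport 3389 -j MARK --set-mark "$RDP_MARK"
    run iptables -t mangle -A FORWARD -p tcp --sport 3389 -j MARK --set-mark "$RDP_MARK"
}

build_shaper() {
    run tc qdisc del dev "$NET_IF" root 2>/dev/null || true
    run tc qdisc add dev "$NET_IF" root handle 1: htb default 30
    run tc class add dev "$NET_IF" parent 1: classid 1:1 htb rate 512Kbit burst 15Kb
    # RDP: guaranteed 128Kbit, highest priority, may borrow up to the line rate.
    run tc class add dev "$NET_IF" parent 1:1 classid 1:10 htb rate 128Kbit ceil 512Kbit burst 15Kb prio 0
    # Other internet traffic (mail etc.).
    run tc class add dev "$NET_IF" parent 1:1 classid 1:20 htb rate 128Kbit ceil 512Kbit burst 15Kb prio 1
    # Default class: unmarked ESP (file copies) lands here; with prio 2 it only
    # gets bandwidth the RDP class is not using, which is what the post wants.
    run tc class add dev "$NET_IF" parent 1:1 classid 1:30 htb rate 64Kbit ceil 512Kbit burst 15Kb prio 2
    # Leaf qdiscs are attached only after their parent classes exist.
    for c in 10 20 30; do
        run tc qdisc add dev "$NET_IF" parent 1:$c handle $c: sfq perturb 10
    done
    # Classify by fwmark: port 3389 is no longer visible in the ESP header,
    # but the mark is, so the encrypted RDP segment still reaches 1:10.
    run tc filter add dev "$NET_IF" parent 1:0 protocol ip prio 1 handle "$RDP_MARK" fw flowid 1:10
}
```

Run with DRY_RUN=1 first to review the generated iptables and tc commands before applying them on each gateway.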
