QoS and IPSec...

Daniel Lopes lopsch at lopsch.com
Wed Jul 27 13:59:41 CEST 2005


Grant Taylor schrieb:
>> What about this (only for one side ;) ):
>> Suppose we are on LAN A:
>> In the table mangle chain PREROUTING mark all packets coming in over 
>> the LAN device and destined for 172.30.13.0/24 and sourced from 
>> 172.30.12.0/24 for example with 1.
>> Then IPSec handles the packets.
>> In table mangle chain POSTROUTING mark all packets with AH/ESP 
>> outgoing over the internet device and destined for the routable IP of 
>> LAN B with 1. Don't know if they are marked twice with 1 but that's no 
>> problem. So we can be sure all IPSec packets are marked with 1.
>> Then you can apply the filters in the schedulers for the appropriate 
>> marks on the appropriate device in this case the internet device.
>> So we can prioritize outgoing packets.
>> Incoming should also be prioritized. So both directions get their 
>> priorities.
>> So in table mangle chain PREROUTING mark all AH/ESP packets coming in 
>> over the internet device and sourced from the routable IP of LAN B 
>> with 1.
>> Then IPSec handles the packets.
>> In table mangle chain POSTROUTING mark all packets destined for 
>> 172.30.12.0/24 and sourced from 172.30.12.0/24 and going out over the 
>> LAN device with 1.
>> Then apply the filters for the marks in the schedulers of the LAN device.
>> This way IPSec should be prioritized in both directions on one router. 
>> If it works you can do it with changed addresses on the other one.
>> Don't know if it really works, because it's now 3am and I'm a bit 
>> confused and IPSec is already complex standalone ;).
>> But afaik every net device gets schedulers no matter if physical or 
>> virtual so it normally should be no problem. 
> 
> 
> Daniel (and others) thank you for the reply.  However I think you have 
> (re)touched on the QoS / Prioritization of IPSec (IP/ESP) traffic versus 
> regular internet bound traffic.  I am after how to prioritize just the 
> subset of the traffic from Lan A (or B) that is destined to the other 
> side.  More specifically I will be having SSH (interactive sessions 
> only) / Telnet, Terminal Services (RDP), VNC (RFB), ICMP, SMB/CIFS, FTP 
> / SCP (bulk data transfer), RSYNC, LPD, etc traffic from one LAN 
> destined to the other LAN through a VPN that has a finite amount of 
> bandwidth (128 kbps DSL (768/128)) which will spend a good deal of time 
> saturated with all of the traffic going through it.  Thus I want to 
> prioritize that interactive services, i.e. SSH / Telnet, RDP, VNC, and 
> ICMP, send their traffic through the VPN *BEFORE* any of the bulk data 
> transfer services thus hopefully yielding what will appear to be a 
> fairly responsive circuit.  Seeing as how all of this traffic is going 
> to be encapsulated within the IPSec VPN and thus becoming IP/ESP 
> traffic I can not just prioritize the IP/ESP traffic on the egress of 
> the external interface of the router.  Naturally I will prioritize like 
> you have suggested to make sure that VPN traffic will have priority over 
> general web traffic on the external interface of the router.  However as 
> I understand it there is no "egressing" interface for the traffic that 
> will be encapsulated *BEFORE* it does become encapsulated thus putting 
> all aforementioned VPN traffic in one priority level.
> 
> Here is a brief description of how I want to prioritize the traffic that 
> will be leaving any of the LANs.  There will be more LANs down the road, 
> each of which will (for now) have equal priority with each other.  I 
> will be denoting Priority Groups (PgN) as well as sub groups (sN).  All 
> VPN traffic from one LAN to another will be a Priority Group 1 with all 
> other traffic from the sending LAN being a Priority Group 2 or lower.  
> The only possible exception to this will be ICMP and similar traffic.
> 
> Pg1s1:  ICMP destined to other LANs (IP/ESP)
> Pg1s2:  SSH / Telnet / RDP / RFB destined to other LANs (IP/ESP)
> Pg1s3:  LPD / SMB / CIFS destined to other LANs (IP/ESP)
> Pg1s4:  FTP / RSYNC / SCP destined to other LANs (IP/ESP)
> Pg1s5:  (unused as of yet) destined to other LANs (IP/ESP)
> 
> Pg2s1:  ICMP destined to the world at large.
> Pg2s2:  SSH / Telnet / RDP / RFB destined to the world at large.
> Pg2s3:  LPD / SMB / CIFS destined to the world at large.
> Pg2s4:  FTP / RSYNC / SCP destined to the world at large.
> Pg2s5:  (unused as of yet) destined to the world at large.
> 
> I want any traffic that is in Priority Group 1 (IPSec VPN traffic) to be 
> sent out the internet connection first.  I also want Priority Group 1's 
> traffic to be prioritized based on the sub group priority.  However as 
> IP/ESP traffic is encapsulated and can thus not be prioritized on egress 
> of the external interface it has to be prioritized before it is 
> encapsulated.  Herein lies the problem.  Where / how do I prioritize 
> this traffic to the appropriate sub group priority?
> 
> 
> 
> Grant. . . .
> 
> 

OK, as I said, I don't know if the marks on packets are still there after 
encapsulation. If so there is no problem. Trial and error ;). If not I 
think the best solution is the IMQ device to do intermediate shaping 
before encapsulation. Wasn't there a discussion on the LARTC mailing 
list on how it works?
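As an added illustration of the scheme both posts describe (it is not code from either poster), the script below turns Grant's Pg1sN / Pg2sN table into iptables fwmarks set in mangle PREROUTING on the cleartext packets, and into an HTB tree on the internet interface whose classes are selected by those marks, with every Pg1 class given a lower HTB prio number than any Pg2 class so VPN traffic is served first. Interface names (eth0/eth1), the port-to-subgroup mapping, the 8 kbit per-class guarantee and the mark numbering are assumptions; the subnets and the 128 kbit uplink come from the thread. It also adds the check Daniel's open question calls for: a counting rule in mangle POSTROUTING that matches ESP packets still carrying a Pg1 mark, so `iptables -t mangle -L POSTROUTING -v -n` shows directly whether the mark survived encapsulation on this kernel (with the in-kernel IPsec stack the mark stays on the skb; if the counter stays at zero, the pre-encapsulation shaping device Daniel mentions, IMQ or its in-tree successor IFB, is the fallback). Note that scp rides on port 22 like interactive SSH, so Pg1s2 and Pg1s4 cannot be separated by port alone, and the incoming direction (the mirror rules on the LAN interface) is left out. By default the script only prints the commands; run it with `DRY_RUN=0` as root to apply them.

```shell
#!/bin/sh
# Added example, not from the thread. DRY_RUN=1 (default) prints the
# commands instead of executing them; DRY_RUN=0 applies them (needs root).
DRY_RUN=${DRY_RUN:-1}
LAN_DEV=${LAN_DEV:-eth1}            # assumed: LAN side interface
WAN_DEV=${WAN_DEV:-eth0}            # assumed: internet side interface
LAN_A=${LAN_A:-172.30.12.0/24}      # local LAN (from the thread)
LAN_B=${LAN_B:-172.30.13.0/24}      # remote LAN behind the VPN (from the thread)
UPLINK=${UPLINK:-128kbit}           # upstream half of the 768/128 DSL line

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Mark layout (assumed): high nibble = priority group, low nibble = sub group,
# so Pg1s1..Pg1s5 = 0x11..0x15 and Pg2s1..Pg2s5 = 0x21..0x25.
mark_subgroup() {
    # $1 mark, $2 destination match, $3 protocol, $4 optional --dports list.
    # Marking happens on the cleartext packet in PREROUTING, before IPsec.
    mark=$1; dest=$2; proto=$3; ports=$4
    if [ -n "$ports" ]; then
        run iptables -t mangle -A PREROUTING -i "$LAN_DEV" -s "$LAN_A" $dest \
            -p "$proto" -m multiport --dports "$ports" -j MARK --set-mark "$mark"
    else
        run iptables -t mangle -A PREROUTING -i "$LAN_DEV" -s "$LAN_A" $dest \
            -p "$proto" -j MARK --set-mark "$mark"
    fi
}

mark_group() {
    # $1 priority group (1 = VPN bound, 2 = world at large), $2 destination match
    g=$1; dest=$2
    mark_subgroup "0x${g}1" "$dest" icmp                   # ICMP
    mark_subgroup "0x${g}2" "$dest" tcp 22,23,3389,5900    # SSH/Telnet/RDP/VNC (scp shares 22)
    mark_subgroup "0x${g}3" "$dest" tcp 515,139,445        # LPD/SMB/CIFS
    mark_subgroup "0x${g}4" "$dest" tcp 20,21,873          # FTP/rsync
    # sub group 5 is unused in the thread, so nothing is marked into it
}

generate_rules() {
    run iptables -t mangle -F PREROUTING
    run iptables -t mangle -F POSTROUTING
    mark_group 1 "-d $LAN_B"        # Pg1: traffic that will enter the tunnel
    mark_group 2 "! -d $LAN_B"      # Pg2: everything else leaving LAN A

    # Counting rule only (no target): matches ESP packets on the WAN side that
    # still carry any Pg1 mark (mark & 0xf0 == 0x10). Its byte counter in
    # "iptables -t mangle -L POSTROUTING -v -n" answers whether the fwmark
    # survives encapsulation on this kernel.
    run iptables -t mangle -A POSTROUTING -o "$WAN_DEV" -p esp -m mark --mark 0x10/0xf0

    # HTB on the internet interface: one parent class capped at the uplink,
    # ten leaf classes with prio = (g-1)*5 + s, so every Pg1 class outranks
    # every Pg2 class and sub groups are ordered inside each group. Unmarked
    # traffic falls into 1:25 (Pg2s5). Class ids and fw handles reuse the mark.
    run tc qdisc del dev "$WAN_DEV" root 2>/dev/null || true
    run tc qdisc add dev "$WAN_DEV" root handle 1: htb default 25
    run tc class add dev "$WAN_DEV" parent 1: classid 1:1 htb rate "$UPLINK" ceil "$UPLINK"
    for g in 1 2; do
        for s in 1 2 3 4 5; do
            prio=$(( (g - 1) * 5 + s ))
            run tc class add dev "$WAN_DEV" parent 1:1 classid "1:${g}${s}" htb \
                rate 8kbit ceil "$UPLINK" prio "$prio"
            run tc filter add dev "$WAN_DEV" parent 1: protocol ip prio "$prio" \
                handle "0x${g}${s}" fw flowid "1:${g}${s}"
        done
    done
}

generate_rules
```

Once applied, `tc -s class show dev eth0` shows which leaf class each kind of traffic is actually landing in; if all VPN bytes pile up in 1:25 while the POSTROUTING counter stays at zero, the marks are being lost before the ESP packet reaches the WAN qdisc and shaping has to move to a device the cleartext packets traverse.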


