I switched one of my main VPN links from IPsec to OpenVPN.
This has fixed the problem with counting traffic twice in incoming
traffic shaping.
My main goal is to make sure the VoIP traffic has preference. Most VoIP
is going via VPN.
While VoIP is working well, packets are not going to the classes I had
expected.
At least I'm pretty sure it's not correct. I tested by making another
class for ifb0 in tcclasses and experimented with different rules and
saw if it got any traffic.
Currently this is what I have.
tos
#SOURCE  DEST  PROTOCOL  SOURCE  DEST   TOS  MARK
#                        PORTS   PORTS
all      all   udp       4569    -      16
#ssh
all      all   tcp       22      -      8
all      all   tcp       -       22     8
#rdesktop
all      all   tcp       3389    -      8
all      all   tcp       -       3389   8
#
tcfilters
# 3389 is rdesktop
1:110 0.0.0.0/0 0.0.0.0/0 udp iax
1:110 0.0.0.0/0 0.0.0.0/0 udp - iax
1:120 0.0.0.0/0 0.0.0.0/0 tcp ssh
1:120 0.0.0.0/0 0.0.0.0/0 tcp - ssh
1:120 0.0.0.0/0 0.0.0.0/0 tcp https
1:120 0.0.0.0/0 0.0.0.0/0 tcp - https
1:120 0.0.0.0/0 0.0.0.0/0 tcp 3389
1:120 0.0.0.0/0 0.0.0.0/0 tcp - 3389
1:130 0.0.0.0/0 0.0.0.0/0 tcp smtp
1:130 0.0.0.0/0 0.0.0.0/0 tcp - smtp
#
# INCOMING TRAFFIC
#
2:110 0.0.0.0/0 0.0.0.0/0 udp iax
2:110 0.0.0.0/0 0.0.0.0/0 udp - iax
2:120 0.0.0.0/0 0.0.0.0/0 tcp ssh
2:120 0.0.0.0/0 0.0.0.0/0 tcp - ssh
2:120 0.0.0.0/0 0.0.0.0/0 tcp https
2:120 0.0.0.0/0 0.0.0.0/0 tcp - https
2:120 0.0.0.0/0 0.0.0.0/0 tcp 3389
2:120 0.0.0.0/0 0.0.0.0/0 tcp - 3389
2:130 0.0.0.0/0 0.0.0.0/0 tcp smtp
2:130 0.0.0.0/0 0.0.0.0/0 tcp - smtp
tcdevices
#INTERFACE  IN-BANDWIDTH  OUT-BANDWIDTH
1:eth1      -             1180kbit       classify
2:ifb0      -             1180kbit       -          eth1
tcclasses
#INTERFACE  MARK  RATE       CEIL       PRIORITY  OPTIONS
1:110       -     3*full/10  6*full/10  1         tos=0x68/0xfc,tos=0xb8/0xfc,tos-minimize-delay
1:120       -     4*full/10  full       2         tcp-ack,tos-maximize-throughput
1:130       -     3*full/10  9*full/10  3         default
# ifb0
2:110       -     3*full/10  6*full/10  1         tos=0x68/0xfc,tos=0xb8/0xfc,tos-minimize-delay
2:120       -     4*full/10  full       2         tcp-ack,tos-maximize-throughput
2:130       -     3*full/10  9*full/10  3         default
As the VoIP is coming in via IPsec or OpenVPN, I can only filter on TOS.
First problem, in tcclasses: it looks like tos=0x68/0xfc does not work.
The standard TOS values do work. It would be nice if one could select
on DSCP values, as at least in the case of SIP it is usually already
set. Is it possible to select on DSCP values? If not, I suppose I'll
need to change SIP traffic to tos-minimize-delay.
Next problem: ssh sets tos-minimize-delay for interactive traffic.
There can be a lot of ssh traffic. I can change the TOS of ssh from all
sites I control but cannot see any way to keep ssh that comes from
elsewhere from going into my VoIP class 2:110. Apparently tos
overrides what is in tcfilters, and changing settings in the tos file does not
seem to have an effect on incoming traffic.
In time I expect there will be a lot of VoIP traffic, so I want to get it
set up as well as possible.
What effect does priority in tcclasses have?
Any suggestions?
John
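The DSCP/TOS selection the post asks about, as an added example that is not part of the original message and not Shorewall's own code: a small Python model of how the tos=VALUE/MASK and tos-minimize-delay options on the 2:1xx classes above select a packet by its TOS byte. It assumes Shorewall evaluates tos=VALUE/MASK as (tos_byte & MASK) == VALUE and that the legacy tos-* keywords stand for the single bits in the LEGACY_TOS table; the DSCP codepoints (EF = 46, AF31 = 26) and the 0x10 low-delay bit that interactive ssh sets are standard values, not taken from the message.

```python
import re

# Legacy IPv4 TOS bits behind Shorewall's tos-* keywords (assumed mapping);
# tos=VALUE/MASK is modelled as (tos_byte & MASK) == VALUE.
LEGACY_TOS = {
    "tos-minimize-delay": (0x10, 0x10),
    "tos-maximize-throughput": (0x08, 0x08),
    "tos-maximize-reliability": (0x04, 0x04),
    "tos-normal-service": (0x00, 0x1e),
}

# The ifb0 rows of the tcclasses file above, each joined back onto one line.
TCCLASSES = """\
2:110 - 3*full/10 6*full/10 1 tos=0x68/0xfc,tos=0xb8/0xfc,tos-minimize-delay
2:120 - 4*full/10 full 2 tcp-ack,tos-maximize-throughput
2:130 - 3*full/10 9*full/10 3 default
"""

def parse_tos_options(text):
    """Return [(class_id, [(value, mask), ...])] per row; non-TOS options dropped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith("#"):
            continue
        specs = []
        for opt in (fields[5].split(",") if len(fields) > 5 else []):
            m = re.fullmatch(r"tos=0x([0-9a-f]+)/0x([0-9a-f]+)", opt, re.I)
            if m:
                specs.append((int(m.group(1), 16), int(m.group(2), 16)))
            elif opt in LEGACY_TOS:
                specs.append(LEGACY_TOS[opt])
        rows.append((fields[0], specs))
    return rows

def dscp_to_tos(dscp):
    """DSCP occupies the top six bits of the TOS byte (RFC 2474)."""
    return dscp << 2

def classes_matching(tos_byte, rows):
    """All classes whose TOS options select this byte; two hits mean an overlap."""
    return [cid for cid, specs in rows
            if any((tos_byte & mask) == value for value, mask in specs)]

if __name__ == "__main__":
    rows = parse_tos_options(TCCLASSES)
    for name, tos in [("EF voip", dscp_to_tos(46)), ("AF31 sip", dscp_to_tos(26)),
                      ("ssh lowdelay", 0x10), ("bulk", 0x00)]:
        print(f"{name:12s} tos=0x{tos:02x} -> {classes_matching(tos, rows)}")
```

Running it shows that EF (0xb8) and AF31 (0x68) also match tos-maximize-throughput on 2:120, because both codepoints carry bit 0x08, and that any packet with the old minimize-delay bit 0x10 set matches 2:110, which is the ssh behaviour described above.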
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users