[Swan] qos
Paul Wouters
paul at nohats.ca
Fri Mar 6 00:31:38 EET 2015
On Wed, 4 Mar 2015, Bob Miller wrote:
> I have been investigating the last few days about getting qos to work on a
> libreswan firewall. It has a limited upload speed, and two subnets behind it
> in addition to the vpn subnet, and all 3 groups are getting shut down from
> time to time due to activity of the others.
What do you mean by "shut down"? Do you mean the dpd/liveness probes
are restarting tunnels? Or you just mean "flooded and locked out"?
> I read in several places that one can mark packets in iptables and tc will
> recognize them after encapsulation. However, after quite a bit of
> experimentation, such as placing the mark at various locations in the
> tables/chains of iptables, matching esp/udp protocol, or the ip of the
> internal server or the vpn users, or matching the encrypted packets with dst
> port 4500, etc., I am finding that the mark either doesn't stay put, or tc
> matches very little of the marked traffic.
In theory that should work, but any hop can remove any qos bits, so it
all depends on the network path too.
> So since iptables isn't really working out for me, I am wondering if there
> are other options or methods. I note xl2tpd has an rx/tx bps, but it sets a
> maximum and not a minimum, so not quite what I am looking for. I also note
> mention of qos in klips patches in the source code for libreswan, but seems
> for older kernels and I am not sure I want to convert to klips. Is there
> some cool tool built into libreswan that I am not finding, or a recommended
> method documented somewhere to use tc in conjunction with libreswan?
I'd stay away from xl2tpd/pppd. That's just adding another layer and
adding mtu issues.
Paul
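As an added illustration of the iptables-mark plus tc approach the original poster describes (this is example code, not from the libreswan project or anyone on the list): a three-class HTB shaper on the uplink interface, one class per internal subnet and one for tunnel-bound traffic, with guaranteed per-class rates rather than the maximum that xl2tpd's rx/tx bps setting imposes. Interface name, subnets and rates are constructed placeholders. It assumes a NETKEY/XFRM kernel, where the fwmark set on the plaintext packet in the mangle FORWARD chain survives ESP encapsulation, and it re-tags ESP and UDP/4500 packets in POSTROUTING as a fallback. Unlike DSCP bits, an fwmark never leaves the host, so the "any hop can remove qos bits" concern does not apply to it. By default the script only prints the commands; set APPLY=1 to run them as root.

```shell
#!/bin/sh
# Added example, not the list's or libreswan's own code. All values below
# are constructed placeholders; adjust to the real firewall.
WAN=eth0               # assumption: the uplink interface tc shapes
LAN_A=192.168.1.0/24   # constructed: first internal subnet
LAN_B=192.168.2.0/24   # constructed: second internal subnet
VPN_NET=10.9.0.0/24    # constructed: remote subnet reached through the tunnel
UPLINK_KBIT=1000       # constructed: set a little below the real upload speed

# tc side: HTB root capped at the uplink speed, three leaf classes whose
# 'rate' is a guaranteed minimum (they sum to the uplink) and whose 'ceil'
# lets an idle class's share be borrowed. 'fw' filters classify on the
# kernel fwmark that iptables MARK sets.
tc_commands() {
    echo "tc qdisc del dev $WAN root 2>/dev/null || true"
    echo "tc qdisc add dev $WAN root handle 1: htb default 30"
    echo "tc class add dev $WAN parent 1: classid 1:1 htb rate ${UPLINK_KBIT}kbit ceil ${UPLINK_KBIT}kbit"
    # classid  mark  guaranteed-kbit
    for spec in "10 1 300" "20 2 300" "30 3 400"; do
        set -- $spec
        echo "tc class add dev $WAN parent 1:1 classid 1:$1 htb rate ${3}kbit ceil ${UPLINK_KBIT}kbit"
        echo "tc qdisc add dev $WAN parent 1:$1 handle $1: sfq perturb 10"
        echo "tc filter add dev $WAN parent 1: protocol ip prio 1 handle $2 fw classid 1:$1"
    done
}

# iptables side: mark packets while they are still plaintext, before XFRM
# wraps tunnel-bound ones in ESP. Tunnel traffic is tested first so a LAN
# host talking to the VPN lands in class 30, not its LAN's class.
ipt_commands() {
    echo "iptables -t mangle -N QOS_MARK"
    echo "iptables -t mangle -A QOS_MARK -d $VPN_NET -j MARK --set-mark 3"
    echo "iptables -t mangle -A QOS_MARK -m mark ! --mark 0 -j RETURN"
    echo "iptables -t mangle -A QOS_MARK -s $LAN_A -j MARK --set-mark 1"
    echo "iptables -t mangle -A QOS_MARK -s $LAN_B -j MARK --set-mark 2"
    echo "iptables -t mangle -A FORWARD -j QOS_MARK"
    echo "iptables -t mangle -A OUTPUT -j QOS_MARK"
    # Fallback: the encapsulated packet passes POSTROUTING again as ESP (or
    # UDP/4500 with NAT-T); tag it so the tunnel class sees it even if the
    # original mark did not survive.
    echo "iptables -t mangle -A POSTROUTING -o $WAN -p esp -j MARK --set-mark 3"
    echo "iptables -t mangle -A POSTROUTING -o $WAN -p udp --dport 4500 -j MARK --set-mark 3"
}

if [ "${APPLY:-0}" = 1 ]; then
    { tc_commands; ipt_commands; } | sh -e
else
    tc_commands
    ipt_commands
fi
```

To check that the marks actually reach tc, compare the packet counters of `iptables -t mangle -L POSTROUTING -v` against `tc -s class show dev eth0`; a class 1:30 that stays at zero while the ESP MARK rule counts packets means the shaper is attached to the wrong interface or the filter handle does not match the mark value.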