Hi,

I am using IPSEC tunnels to connect my home office to our work site. I am using a Cisco VoIP phone which uses the VPN to talk to the call manager.
I have worked for a bit to try to give the VoIP traffic highest priority with ALTQ. I have made some headway toward what I want, but limitations brought on by the IPSEC link limit the effectiveness of doing this. My VPN link is a gif tunnel to a PIX. Basically, I cannot distinguish general VPN traffic from VoIP traffic because pf cannot do filtering or classification on gif interfaces.

What does work, though, is that the DSCP values the VoIP phone sets on its way out are transferred to the gif tunnel, i.e. the DSCP value for Expedited Forwarding (0x2e) is set on outgoing VoIP packets. I am also aware that pf can look at the TOS values for lowdelay to classify latency-sensitive packets and queue them appropriately.

Is it possible, or likely to be possible, for pf to be able to examine the TOS and DSCP fields to use for matching rulesets? Also, it would be desirable to rewrite these values. If not, I would think that these features would be very desirable for this software to consider implementing. I know in the past that ISPs were less than reliable in utilizing packet classification, but now that VoIP has become more popular, using DSCP values set in packets may become more prevalent.
Also, given that there is some support for doing this, it may be a simple implementation to add in rules that may be utilized in the following way:

    altq on $ext_if priq bandwidth 10Mb queue { std_out , tcp_ack_out , ef_out }
    queue std_out priq(default)
    queue tcp_ack_out priority 4
    queue ef_out priority 7

    pass out on $ext_if proto tcp from ($ext_if) to any modulate state flags S/SA queue ( std_out , tcp_ack_out )
    pass out on $ext_if proto { udp, icmp } from ($ext_if) to any keep state
    pass out on $ext_if from ($ext_if) to any dscp 0x2e modulate state queue ( ef_out )

Or even if you have some hosts that are setting incorrect DSCP values:

    pass in on $inf_if proto tcp from $internal_net to any port www dscp 0x2e set_dscp 0x00

These are features already available on commercial products like Cisco gear that allow traffic prioritisation on standard IP attributes.

Thanks for your time

Adam Clark
Network Administrator
National Gallery of Victoria
PO Box 7259
Melbourne Vic 8004
Telephone: +61 3 8620 2369
Fax: +61 3 8620 2565
www.ngv.vic.gov.au
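Added example, not part of the original post and not pf code: a Python model of what the proposed `dscp` match and `set_dscp` rewrite would have to do to an IPv4 header, including the header checksum update that a rewrite requires. The function names and the sample header are constructed for illustration; the queue names are taken from the ruleset in the post.

```python
import socket
import struct

DSCP_EF = 0x2E         # Expedited Forwarding, the value the phone sets
IPTOS_LOWDELAY = 0x10  # legacy TOS "lowdelay" bit

def checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def get_dscp(packet: bytes) -> int:
    """DSCP is the upper six bits of byte 1, the former TOS byte."""
    return packet[1] >> 2

def has_lowdelay_bit(packet: bytes) -> bool:
    return bool(packet[1] & IPTOS_LOWDELAY)

def classify(packet: bytes) -> str:
    """Pick a queue by DSCP; queue names follow the post's ruleset."""
    return "ef_out" if get_dscp(packet) == DSCP_EF else "std_out"

def set_dscp(packet: bytes, dscp: int) -> bytes:
    """Rewrite DSCP, keep the two ECN bits, recompute the checksum."""
    if not 0 <= dscp <= 0x3F:
        raise ValueError("DSCP is a 6-bit field")
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"  # checksum field must be zero while summing
    struct.pack_into("!H", hdr, 10, checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]

def sample_header(tos: int) -> bytes:
    """Constructed 20-byte IPv4/UDP header using documentation addresses."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 28, 0, 0, 64, 17, 0,
                                socket.inet_aton("192.0.2.10"),
                                socket.inet_aton("198.51.100.20")))
    struct.pack_into("!H", hdr, 10, checksum(bytes(hdr)))
    return bytes(hdr)

if __name__ == "__main__":
    voip = sample_header(0xB8)  # DSCP 0x2e << 2 gives TOS byte 0xb8
    print(classify(voip), has_lowdelay_bit(voip))
    print(classify(set_dscp(voip, 0x00)))
```

DSCP 0x2e occupies the top six bits of the old TOS byte, so on the wire the byte reads 0xb8, which also has the legacy lowdelay bit (0x10) set.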