Re: [Shorewall-users] shorewall and openvpn and voip

[Tom Eastep]

Michael Thalmann wrote:

Hy list,


My config files are:

tcclasses
--------------------------

eth3            2       3*full/10       9*full/10       2
eth3            3       2*full/10       8*full/10       2               default

I wanted to prioritize Voice over IP traffic for two sites which are connected by openvpn. I tried various settings for the tc files, but it seems to be just ignored. As soon as some files were transferred over the same openvpn tunnel, Ms Stuttering and Mr Roboto are coming in ;-). eth3 1 5*full/10 full 1 tcp- ack,tos-minimize-delay

Problem A) -- OpenVPN traffic is encapsulated (and usually encrypted). So if the OpenVPN traffic is going in and out of eth3, it will most likely be as UDP packets with source and/or dest port = 1194. So all that traffic shaping on eth3 can distinguish is which traffic is OpenVPN -- it could be voip, ftp, http, anything. If you want to shape the unencrypted packets going through OpenVPN then you need to shape the OpenVPN interface (tapX or tunX).

tcdevices
------------------------
# cable modem
eth3            3000kbit        500kbit

tcrules
-----------------------
#pings are fastest
1                       0.0.0.0/0                       0.0.0.0/0               
icmp    echo-request
1                       0.0.0.0/0                       0.0.0.0/0               
icmp    echo-reply

# ssh is fast
2               0.0.0.0/0       0.0.0.0/0       tcp     -        22

# give voip a chance
2                       192.168.1.10            0.0.0.0/0                       
all

# make all others slow
3                       192.168.1.0/24                  0.0.0.0/0      all

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Problem B. The tcrules file is LAST MATCH WINS, not first match. So your VOIP rule never has any effect since any traffic that matches that rule also matches the following rule.

signature.asc
Description: OpenPGP digital signature

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users