On Sun, 20 Dec 2009 23:20:23 -0500 "Brian J. Murrell" <[email protected]> wrote:
> On Sun, 2009-12-20 at 19:47 -0700, Justin Pryzby wrote:
> >
> > It should be easy,
>
> Careful. :-)
>
> > just do the shaping on the TUN device.
>
> Which achieves the goal of prioritizing within the tunnel, yes.
> However...
>
> > Depending
> > on the details of your setup, perhaps also put the remote VPN
> > host(s)' external IP tcp/1194 into a high-priority class for the
> > external interface with a guaranteed minimum RATE sufficient to
> > handle such high-prio traffic.
>
> No. That's unacceptable. That would mean that all traffic in the
> OpenVPN tunnel (including bulkish transfers, like say site->site
> backup, etc.) would get the priority of VOIP (or whatever else you
> decided your priority band was for) and starve out other equally low
> priority traffic outside the tunnel.
>
> What needs to happen is that marking for priority needs to be carried
> up from the unencapsulated packet to the corresponding openvpn
> packet, but given that openvpn is userspace, I don't see that likely
> to happen.

The solution here is to use IPSEC rather than OpenVPN; packet marks are
preserved when IPSEC encrypts and encapsulates a packet.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
