[strongSwan] Traffic shaping for multiple ipsec clients with Linux tc

Noel Kuntze noel at familie-kuntze.de
Thu Aug 6 05:59:30 CEST 2015



Hello Vitaly,

Okay, I missed the second point regarding the guaranteed bandwidth.
I looked around at lartc.org a bit and found the IMQ article[1]
and the general article about filters[2] relevant to your work.
It is not quite obvious to me how you can achieve your goal the "easy"
way. I think this is as far as I can help you; I haven't touched tc
or traffic shaping in general yet, so this is all unfamiliar ground for me.
Looking at the docs on lartc about traffic shaping is probably the first thing
I would do, followed by sending questions to the mailing list about lartc
for detailed questions.

[1] http://lartc.org/howto/lartc.imq.html
[2] http://lartc.org/howto/lartc.qdisc.filters.html

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 06.08.2015 um 05:49 schrieb Vitaly Repin:
> Hello,
>
> 2015-08-06 6:40 GMT+03:00 Noel Kuntze <noel at familie-kuntze.de>:
>
>> Why do you want to assign a unique mark to each IP?
>> You can simply create a filter for each type of traffic and then
>> apply QoS to that. There's no obvious need to track
>> each IP's connections separately. TCP ACKs should be prioritized anyway,
>> together with ICMP, independent of the connection.
>> TCP packets always have the destination and source ports in the headers,
>> so you can tell them apart, too, if needed.
>
>
> Maybe I misunderstand something important.  Let me try to clarify my
> needs again.
>
> I have N clients connected to VPN server. Every client is assigned a
> different (dynamic) IP. They can connect and disconnect at any time.
>
> I want to guarantee every client certain bandwidth.  (Not shared by
> all the clients but to EVERY client, individually).
>
> E.g., I want to give bandwidth 64 kbps to client 1. Bandwidth 256 kbps
> to client 2. Etc.
> Inside these bandwidths, I want to prioritize traffic: e.g., ping and
> ssh go first, everything else second.
>
> If I understand right how Linux traffic shaping works, in order to
> achieve these results I need to create 2*N classes and create filters
> which direct traffic to specific classes. Or do I miss something?
>
>> connmark is used if there are IPsec peers behind the same IP and they need to be distinguished.
>
> Yes. It was my understanding also. Not my case.
>

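The 2*N-class layout Vitaly sketches, written out as an added example (my own script, not from the thread or from strongSwan): one HTB class per client IP with two priority bands underneath, plus the teardown for when a client disconnects. It assumes placeholder device, IPs and rates, and that DEV is a device on which tc sees the decrypted packets (an IMQ or IFB device, as in the linked IMQ article), because in tunnel mode the physical interface only carries ESP and u32 cannot match the inner destination there.

```shell
# Added example, not code from the thread. Builds the 2*N classes Vitaly describes:
# one HTB class per client (rate == ceil, so the share is guaranteed and not
# shared) with a 2-band prio qdisc below it so ICMP and SSH are dequeued first.
# Assumptions: DEV, client IPs and rates are placeholders. With DRY_RUN=1 (the
# default) the tc commands are only printed; applying them needs root.
DEV="${DEV:-imq0}"
DRY_RUN="${DRY_RUN:-1}"

tc_run() {
    if [ "$DRY_RUN" = 1 ]; then echo "tc $*"; else tc "$@"; fi
}

# Root HTB qdisc; class 1:999 catches traffic no client filter matched.
setup_root() {
    tc_run qdisc add dev "$DEV" root handle 1: htb default 999
    tc_run class add dev "$DEV" parent 1: classid 1:999 htb rate 1mbit
}

# add_client <id> <ip> <rate>: class, prio qdisc, and the filters that steer this
# client's traffic into the class and its high-priority band. The root filter
# uses prio <id> so it can be deleted by prio when the client disconnects.
add_client() {
    id=$1; ip=$2; rate=$3
    tc_run class add dev "$DEV" parent 1: classid "1:$id" htb rate "$rate" ceil "$rate"
    # All-ones priomap: everything lands in band 1 (class $id:2) unless a
    # filter below picks band 0 (class $id:1).
    tc_run qdisc add dev "$DEV" parent "1:$id" handle "$id:" prio bands 2 \
        priomap 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
    tc_run filter add dev "$DEV" parent 1: protocol ip prio "$id" u32 \
        match ip dst "$ip/32" flowid "1:$id"
    # ICMP (IP protocol 1) and SSH (TCP port 22 on either side) go first.
    tc_run filter add dev "$DEV" parent "$id:" protocol ip prio 1 u32 \
        match ip protocol 1 0xff flowid "$id:1"
    tc_run filter add dev "$DEV" parent "$id:" protocol ip prio 2 u32 \
        match ip protocol 6 0xff match ip sport 22 0xffff flowid "$id:1"
    tc_run filter add dev "$DEV" parent "$id:" protocol ip prio 3 u32 \
        match ip protocol 6 0xff match ip dport 22 0xffff flowid "$id:1"
}

# remove_client <id>: drop the root filter and the class (its child qdisc and
# filters go with it), e.g. from the strongSwan updown script on "down-client".
remove_client() {
    id=$1
    tc_run filter del dev "$DEV" parent 1: protocol ip prio "$id"
    tc_run class del dev "$DEV" parent 1: classid "1:$id"
}
setup_root
add_client 10 10.0.0.2 64kbit    # constructed sample: client 1
add_client 11 10.0.0.3 256kbit   # constructed sample: client 2
```

Hooking add_client/remove_client into the updown script keeps the class set in step with the clients that are actually connected, which is what the dynamic IPs require.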




More information about the Users mailing list