[strongSwan] Traffic shaping for multiple ipsec clients with Linux tc
noel at familie-kuntze.de
Thu Aug 6 05:59:30 CEST 2015
Okay, I missed the second point regarding the guaranteed bandwidth.
I looked around at lartc.org a bit and found the IMQ article
and the general article about filters relevant to your work.
It is not quite obvious to me how you can achieve your goal the "easy"
way. I think this is as far as I can help you; I haven't touched tc
or traffic shaping in general yet, so this is all unfamiliar ground for me.
Looking at the docs on lartc about traffic shaping is probably the first thing
I would do, followed by sending questions to the mailing list about lartc
for detail questions.
Mit freundlichen Grüßen/Kind Regards,
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 06.08.2015 at 05:49, Vitaly Repin wrote:
> 2015-08-06 6:40 GMT+03:00 Noel Kuntze <noel at familie-kuntze.de>:
>> Why do you want to assign a unique mark to each IP?
>> You can simply create a filter for each type of traffic and then
>> apply QoS to that. There's no obvious need to track
>> each IP's connections separately. TCP ACKs should be prioritized anyway,
>> together with ICMP, independent of the connection.
>> TCP packets always have the destination and source ports in the headers,
>> so you can tell them apart, too, if needed.
> Maybe I misunderstand something important. Let me try to clarify my
> needs again.
> I have N clients connected to VPN server. Every client is assigned a
> different (dynamic) IP. They can connect and disconnect at any time.
> I want to guarantee every client certain bandwidth. (Not shared by
> all the clients but to EVERY client, individually).
> E.g., I want to give bandwidth 64 kbps to client 1. Bandwidth 256 kbps
> to client 2. Etc.
> Inside these bandwidths, I want to prioritize traffic: e.g., ping and
> ssh go first, everything else second.
> If I understand right how linux traffic shaping works, in order to
> achieve these results I need to create 2*N classes and create filters
> which direct traffic to specific classes. Or do I miss something?
>> connmark is used if there are IPsec peers behind the same IP and they need to be distinguished.
> Yes. It was my understanding also. Not my case.
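The "2*N classes plus filters" layout asked about in the quoted message, sketched as an added example that is not part of the original thread and is not strongSwan code. Assumptions: shaping is done on the gateway's egress interface toward the clients (`eth0` here), the firewall mark set on the cleartext packet in the mangle table is still what tc sees after ESP encapsulation, and the client addresses and the class/mark numbering scheme are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Prints, but does not run, the commands for
# N per-client HTB classes with two priority leaves each (2*N leaf classes).
# stdin: "<client-virtual-ip> <rate-kbit>" per line.
gen_shaping() {
    dev=$1
    echo "tc qdisc add dev $dev root handle 1: htb"
    i=0
    while read -r ip rate; do
        [ -n "$ip" ] || continue
        # Values end up in root commands: accept only dotted digits and plain integers.
        case $ip in *[!0-9.]*) echo "bad ip: $ip" >&2; return 1 ;; esac
        case $rate in ''|0*|*[!0-9]*) echo "bad rate: $rate" >&2; return 1 ;; esac
        [ "$rate" -ge 2 ] || { echo "rate too small: $rate" >&2; return 1; }
        i=$((i + 1))
        cls=$((i * 10)); hi=$((cls + 1)); lo=$((cls + 2)); half=$((rate / 2))
        # rate = guarantee; ceil = rate also caps the client at its allotment.
        echo "tc class add dev $dev parent 1: classid 1:$cls htb rate ${rate}kbit ceil ${rate}kbit"
        # Leaves may borrow up to the client's ceil; prio 0 is offered spare rate first.
        echo "tc class add dev $dev parent 1:$cls classid 1:$hi htb rate ${half}kbit ceil ${rate}kbit prio 0"
        echo "tc class add dev $dev parent 1:$cls classid 1:$lo htb rate ${half}kbit ceil ${rate}kbit prio 1"
        # MARK does not terminate the chain, so the later, narrower rules win.
        echo "iptables -t mangle -A FORWARD -d $ip -j MARK --set-mark $lo"
        echo "iptables -t mangle -A FORWARD -d $ip -p icmp -j MARK --set-mark $hi"
        echo "iptables -t mangle -A FORWARD -d $ip -p tcp --sport 22 -j MARK --set-mark $hi"
        echo "iptables -t mangle -A FORWARD -d $ip -p tcp --dport 22 -j MARK --set-mark $hi"
        # fw filter: handle is the (decimal) mark; tc reads class minors as hex, which
        # is harmless because each classid string is used consistently as a label.
        echo "tc filter add dev $dev parent 1: protocol ip prio 1 handle $hi fw flowid 1:$hi"
        echo "tc filter add dev $dev parent 1: protocol ip prio 1 handle $lo fw flowid 1:$lo"
    done
}

# Constructed sample: two clients at the 64 and 256 kbit/s rates from the message.
printf '10.0.0.1 64\n10.0.0.2 256\n' | gen_shaping eth0
```

Because clients connect and disconnect at any time, the same generator would have to be driven per client on connect, with matching `del` commands on disconnect; that part is not shown.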