On Mon, Aug 19, 2002 at 02:28:34PM -0400, Michael T. Babcock wrote:
> On Mon, Aug 19, 2002 at 07:01:32PM +0200, Stef Coene wrote:
> > > Is there anyone having an idea on how to limit bandwidth on a linux gw
> > > doing vpns with freeswan, i.e. for a 1Mbit line with 1 ipsec tunnel on
> > > interface ppp0, limiting vpn traffic (esp) to 512kbit and internet
> > > traffic (non vpn) to 512kbit.
> > More info about shaping can be found on www.lartc.org. And I have some extra
> > information on www.docum.org.
> >
> > You have to add a cbq or htb qdisc to your interfaces and create 2 classes.
> > One for vpn traffic and one for non vpn traffic. I hope that you use fixed
> > ports for the vpn traffic so you can use the dst/src port as a filter key.
> > You can share the same 1mbit or you can limit each class to 512kbit.
>
> If FreeS/WAN is used, adding a pair of classes to the external interface
> for 'normal' and 'VPN' traffic should suffice. VPN traffic is identifiable
> as traffic over UDP port 500 and protocols 50 or 51, although you may wish
> to give them their own class with high priority as they do key exchanges.

Thanks, I tried marking packets with netfilter, but here is one of my
problems: I can mark the esp proto but not the non-esp proto:

# This works
# Marking outgoing vpn packets
iptables -t mangle -A OUTPUT -o $IFEXT -p esp -j MARK --set-mark 29
iptables -t mangle -A OUTPUT -o $IFEXT -p udp --dport 500 -j MARK --set-mark 29

# This doesn't work!!
# Marking outgoing non-vpn packets
iptables -t mangle -A OUTPUT -o $IFEXT -p ! esp -j MARK --set-mark 39

Any Idea??

> If you gave each 512kbps, then add a root class to ipsec0 of 512kbps and
> work from there on it.
> --
> Michael T. Babcock
> CTO, FibreSpeed Ltd.
> (Hosting, Security, Consultation, Database, etc)
> http://www.fibrespeed.net/~mbabcock/

--
Easter-eggs                              Spécialiste GNU/Linux
44-46 rue de l'Ouest  -  75014 Paris  -  France -  Métro Gaité
Phone: +33 (0) 1 43 35 00 37    -   Fax: +33 (0) 1 41 35 00 76
mailto:elacour@easter-eggs.com  -   http://www.easter-eggs.com
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
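The setup the two replies describe, written out as an added example (this is not code from the thread or from the LARTC/FreeS/WAN projects): an HTB root on the external interface with one class for IPsec traffic (ESP, AH and IKE on UDP 500) and one for everything else, selected by netfilter marks. The interface name, the 1mbit/512kbit rates and mark 29 come from the question; mark 39 for the non-VPN class, the function names and the DRY_RUN switch are this example's own assumptions. It also sidesteps the failing `-p ! esp` rule: everything leaving the interface gets the non-VPN mark first and the IPsec rules, appended later, overwrite it, so no negated match is needed at all.

```shell
#!/bin/sh
# Added example, not code from the list thread. Marks IPsec vs. other
# traffic in the mangle table and feeds the marks into two HTB classes.
# Interface, rates and mark 29 follow the question; mark 39 is assumed.
set -eu

# Every tc/iptables call goes through run(). With DRY_RUN=1 the command
# is printed instead of executed, so the script can be reviewed without root.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mark_packets IFEXT VPN_MARK OTHER_MARK
# Instead of negating the protocol match, mark everything leaving IFEXT with
# OTHER_MARK first, then let later rules overwrite it for IPsec packets:
# MARK does not terminate the chain, so the last matching rule wins.
# ESP/AH emitted by the gateway itself leaves through OUTPUT; plaintext LAN
# traffic that is merely routed out leaves through FORWARD, so mark both.
mark_packets() {
    ifext=$1; vpn_mark=$2; other_mark=$3
    for chain in OUTPUT FORWARD; do
        run iptables -t mangle -A "$chain" -o "$ifext" -j MARK --set-mark "$other_mark"
        run iptables -t mangle -A "$chain" -o "$ifext" -p esp -j MARK --set-mark "$vpn_mark"
        run iptables -t mangle -A "$chain" -o "$ifext" -p ah -j MARK --set-mark "$vpn_mark"
        run iptables -t mangle -A "$chain" -o "$ifext" -p udp --dport 500 -j MARK --set-mark "$vpn_mark"
    done
}

# shape_interface IFEXT LINE_RATE VPN_RATE OTHER_RATE VPN_MARK OTHER_MARK
# Two HTB leaf classes under a parent sized to the line. ceil equal to the
# line rate lets either class borrow idle bandwidth; set ceil to the class
# rate instead for a hard 512k/512k split. "default 20" sends anything that
# carries no recognised mark to the non-VPN class, so the VPN class only
# ever receives packets the mangle rules positively identified as IPsec.
shape_interface() {
    ifext=$1; line=$2; vpn_rate=$3; other_rate=$4; vpn_mark=$5; other_mark=$6
    run tc qdisc del dev "$ifext" root 2>/dev/null || true
    run tc qdisc add dev "$ifext" root handle 1: htb default 20
    run tc class add dev "$ifext" parent 1: classid 1:1 htb rate "$line" ceil "$line"
    run tc class add dev "$ifext" parent 1:1 classid 1:10 htb rate "$vpn_rate" ceil "$line" prio 0
    run tc class add dev "$ifext" parent 1:1 classid 1:20 htb rate "$other_rate" ceil "$line" prio 1
    run tc filter add dev "$ifext" parent 1: protocol ip prio 1 handle "$vpn_mark" fw flowid 1:10
    run tc filter add dev "$ifext" parent 1: protocol ip prio 2 handle "$other_mark" fw flowid 1:20
}

# setup_shaping IFEXT LINE_RATE VPN_RATE OTHER_RATE VPN_MARK OTHER_MARK
setup_shaping() {
    mark_packets "$1" "$5" "$6"
    shape_interface "$@"
}

# Review:  DRY_RUN=1 sh shape.sh ppp0 1mbit 512kbit 512kbit 29 39
# Apply (as root): sh shape.sh ppp0 1mbit 512kbit 512kbit 29 39
if [ $# -eq 6 ]; then
    setup_shaping "$@"
fi
```

Run it once with DRY_RUN=1 and read the printed rules before applying: the order of the four mangle rules per chain is what makes the catch-all mark work, so anything that re-inserts rules with -I instead of -A will silently put all traffic in the VPN class or none in it. The VPN class gets prio 0 so IKE retransmits are not starved when the other class is saturated, which is the high-priority point made in the quoted reply.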