Re: altq, pf and ipsec?

On 20/11/2002, Nicholas Lee <[email protected]> wrote to Philipp Buehler:
> Ah, so traffic goes like physical if -> out bound enc if -> ipsec tunnel
> -> inbound enc if -> phys if.
no. boot brain.
> So we can 'altq' traffic bound for the ipsec tunnel by filtering on dstn
> ip and physical if that traffic has to leave on?
> > well, your ipsec is going to an IP, queue on this:
> > pass out on $ext_phy_if inet proto 50 from $yours $others queue ipsec
> That queues the traffic, what about the traffic carried within the tunnel?
well *heck*, YOU KNOW YOUR DESTINATIONS. write rules for it.
pass in on $int from $Lan to $otherlan port $fuckit queue $bleargh
and just tune your queue parameters to match your requirements and
the maximum of external uplink.
no, you cannot "peek" into ipsec packets on the outside, this would
reverse about anything ever introduced by ipsec. get it.
so just say "ok, 2Mb for ipsec on $ext is maximum, any subqueues go to
$int" .. period.
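The layout the reply describes, written out as an added pf.conf example (it is not from this thread, nor from the OpenBSD project's own documentation): one ESP class capped on the physical uplink, and the per-destination subqueues on the internal interface, where the packets are still in the clear. The classic altq-in-pf syntax (OpenBSD 3.3 through 4.5), the interface and address macros, the 2Mb uplink share and the queue names are all assumptions made for illustration.

```pf
# Added example, not the poster's configuration. Addresses use the RFC 5737
# documentation ranges and are constructed; interface names are assumed.
ext_if   = "fxp0"               # physical uplink
int_if   = "fxp1"               # LAN side
yours    = "192.0.2.1"          # local IPsec endpoint (constructed)
others   = "198.51.100.1"       # remote IPsec endpoint (constructed)
lan      = "10.0.1.0/24"
otherlan = "10.0.2.0/24"        # network reached through the tunnel

# Outer leg: altq shapes packets as they leave an interface. On the uplink
# only the ESP envelope is visible, so it gets a single class whose ceiling
# is what the tunnel may take of the real uplink capacity.
altq on $ext_if cbq bandwidth 10Mb queue { ipsec, ext_std }
queue ipsec   bandwidth 2Mb cbq(borrow)
queue ext_std bandwidth 8Mb cbq(default)

# Inner leg: traffic coming out of the tunnel toward the LAN is decapsulated
# before it leaves $int_if, so source, destination and ports can be matched
# here. The children of from_tunnel sum to the 2Mb ipsec class above.
altq on $int_if cbq bandwidth 100Mb queue { from_tunnel, int_std }
queue from_tunnel bandwidth 2Mb { tun_ssh, tun_bulk }
  queue tun_ssh  bandwidth 25% priority 5 cbq(borrow)
  queue tun_bulk bandwidth 75% cbq(borrow)
queue int_std bandwidth 98Mb cbq(default)

# ESP between the two endpoints is all the uplink ever sees of the tunnel.
pass out on $ext_if inet proto esp from $yours to $others keep state queue ipsec

# Plaintext on the inside: the general rule first, the specific one after it,
# since the last matching rule wins without "quick".
pass out on $int_if inet from $otherlan to $lan keep state queue tun_bulk
pass out on $int_if inet proto tcp from $otherlan to $lan port 22 keep state queue tun_ssh

# The LAN -> remote direction is classified on the way in, as in the reply;
# the queue tag travels with the packet toward the uplink.
pass in on $int_if inet from $lan to $otherlan keep state queue tun_bulk
pass in on $int_if inet proto tcp from $lan to $otherlan port 22 keep state queue tun_ssh
```

Load it with `pfctl -f /etc/pf.conf` and watch the classes with `pfctl -vvs queue`; if the `ipsec` class on `$ext_if` shows drops while `from_tunnel` on `$int_if` does not, the inner subqueues add up to more than the outer ceiling and need tuning down.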