Re: VPN hfsc

On Wed, Sep 14, 2005 at 01:26:12PM -0400, Brandon Mercer wrote:
> What I was figuring is that I need to shape the "general" bandwidth on
> the interface, i.e. give the VPN say 512Kb/512Kb and if that isn't in
> use let it be used by the other services that will be connecting to that
> interface.  Then within the VPN I need to allow 72Kb per phone, but give
> that bandwidth back up when it's not in use.  And I have to prioritize
> packets... so probably use hfsc.

  what comes to mind initially, is to take the real outgoing external
  iface, and set up queues on that such that there is one queue which will
  be used for outgoing esp, and then a queue used for outgoing everything-else.

  create children of the everything-else queue for your cleartext traffic
  as needed (eg, if you wanted simple basic ACK prio, make two of them under
  the everything-else queue)

  queue all outbound esp on the external iface equally.

  then set up altq on enc0 for the "queue in the VPN" stuff, with an
  altq bandwidth equal to the same size you set up for the esp-only queue
  on the external iface.

  for all the queues on enc0, set those up as you want for the VPN queueing
  and just run from there.

  i'm thinking that traffic will come in, be queued out enc0 per the
  'altq on enc0' into esp.  that stream of esp is already "interiorly"
  queued as it goes out the external iface, and then as encapsulated esp,
  has to obey the rules of the "vpn only" queue on the external.

  then, of course, make sure you don't prioritize traffic on the external
  such that the cleartext stuff ends up beating out the VPN-only traffic
  and mooting the queueing you did on enc0, relative to the big picture.

  if that's consistent with how altq/pf works wrt the enc0 and actual
  interfaces, it would seem to be just a matter of imagining up how to
  divvy the queues.

[ openbsd 3.7 GENERIC ( sep 1 ) // i386 ]