On Fri, 2 Dec 2016 12:14:56 +0000 (UTC) Stuart Henderson <s...@spacehopper.org> wrote:
> On 2016-11-25, Marko Cupać <marko.cu...@mimar.rs> wrote:
> > Hi,
> >
> > I'd like to limit bandwidth on gre tunnel protected with ipsec in
> > transport mode.
> I haven't tried this exact scenario. But I understand the general way
> things work and I think this is correct:
>
> Assign packets to queue names as you are doing already, on the gre
> interface. But for the "queue XX on YY bandwidth ZZ" bits, YY should
> be the physical interface.

Hi,

this works as far as limiting total bandwidth that passes gre tunnel is
concerned, thanks!

I'd like to push this even further, and queue different types of traffic
that passes gre tunnel into different queues (granting minimal bandwidth
to ssh, limiting maximum bandwidth for http/https etc.). Is this
possible? If so, how?

I don't want to sound like some Cisco guy (actually I am trying to
gradually switch my 18-node WAN from Cisco to OpenBSD), but on Cisco
this is possible by setting 'qos pre-classify' on tunnel interface, and
applying 'service policy output POLICYNAME' on physical interface, where
parent policy shapes total per-tunnel traffic, and child policy shapes
different types of traffic. Something like this:

policy-map BANDWIDTH
 class BANDWIDTH::WEB
  bandwidth percent 30
 class BANDWIDTH::RDP
  bandwidth percent 15
 class BANDWIDTH::E-MAIL
  bandwidth percent 10
 class BANDWIDTH::DFS
  bandwidth percent 10
 class BANDWIDTH::MSSQL
  bandwidth percent 3
 class BANDWIDTH::NETMON
  bandwidth percent 2
 class BANDWIDTH::EBANK
  bandwidth percent 5
 class class-default
  bandwidth percent 25

policy-map APPLYTOPHYSICAL
 class TUNNEL1
  shape average 9600000
  service-policy BANDWIDTH

Any pointers highly appreciated.

-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/