Netgate Discussion Forum

    Shaper ipsec: is it enough to specify rules for traffic inside tunnel?

    Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
    4 Posts, 3 Posters, 1.4k Views
    mxx:

      Hi,

      I have a WAN connection with 4 IPsec tunnels (site to site). The local LAN is also utilizing this connection for a tiny bit.
      The remote locations have access to a file and SQL server in the local LAN.

      Is it enough to shape traffic into higher priority queues originating from those tunnels, i.e. specify shaping firewall rules for the IPsec interface, or would I also have to shape ESP traffic as a whole?

      Also, would I have to shape traffic coming in from LAN destined for a host reachable by an IPsec tunnel? I ask because the LAN interface's shaper is limiting the bandwidth for LAN to the sum of all available WAN connections, so in my understanding it would make some sense to do that, or am I wrong?

      Thanks very much!

      Max

      jlepthien:

        IMHO, when shaping IPsec, only the complete tunnel (ESP) is shaped. You cannot say that you want Citrix/RDP in a tunnel to be high prio and then http/s to be lower prio in that tunnel…

        | apple fanboy | music lover | network and security specialist | in love with cisco systems |

      eri--:

          You can shape inside tunnels.

      jlepthien:

            And how? Thanks for the info…

