Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Shaping of traffic inside VPN tunnel?

    Traffic Shaping
    3
    5
    3.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      dhatz
      last edited by

      What's the current situation wrt shaping traffic inside an IPsec tunnel? Are there any limitations one should be aware of ?

      I was under the impression that IPsec had some limitations (due to the way IPsec traffic is passed in the FreeBSD kernel) but I noticed this old message by Ermal:

      Re: Traffic Shaping and IPSEC
      « Reply #3 on: November 19, 2009, 11:04:36 am »

      Actually on 1.2.3 you can shape inside the tunnel but i am not sure if the rules allow this to be setuped.
      On 2.0 it is surely possible.

      http://forum.pfsense.org/index.php/topic,19985.msg106174.html#msg106174

      TIA.

      1 Reply Last reply Reply Quote 0
      • D
        dhatz
        last edited by

        It seems that traffic shaping within an IPsec VPN is doable under OpenBSD, but I couldn't find any references on it for FreeBSD and enc(4) doesn't seem to be included in pfSense's interfaces.inc as an ALTQ-capable interface (function is_altq_capable()), whereas ovpns/c, pppoe, ng etc are.

        Am I missing something here?

        1 Reply Last reply Reply Quote 0
        • M
          MLIT
          last edited by

          It can kind of apply traffic shaping to items in the tunnel. You aren't creating queues for the tunnel for itself, but you are creating the queues on the physical interfaces in your PFsense box.

          For instance:

          We have a main office and a branch office. There is an IPsec VPN between the two offices. VoIP traffic and data transfers between our servers both use the same IPsec VPN. With PFsense, I can easily assign VoIP traffic to one queue (It is all to/from a certain network) and all other IPsec traffic to another queue. The shaping is done on the WAN or on the LAN interface.

          1 Reply Last reply Reply Quote 0
          • C
            cmb
            last edited by

            @dhatz:

            It seems that traffic shaping within an IPsec VPN is doable under OpenBSD, but I couldn't find any references on it for FreeBSD and enc(4) doesn't seem to be included in pfSense's interfaces.inc as an ALTQ-capable interface (function is_altq_capable()), whereas ovpns/c, pppoe, ng etc are.

            Am I missing something here?

            enc is never an assigned interface hence it's not needed there. You can shape within IPsec, it gets a bit complicated because part of your shaping has to accommodate the fact it's ESP traffic on WAN.

            1 Reply Last reply Reply Quote 0
            • D
              dhatz
              last edited by

              @cmb:

              it gets a bit complicated because part of your shaping has to accommodate the fact it's ESP traffic on WAN.

              Ah, I see …

              I wonder if it would be possible to copy the ToS byte from the original IP header to the new ESP header (or perhaps it's being done already?) In Cisco it's done by default, it's called the “ToS Byte Preservation” feature.

              Edit: Based on a quick Google search, there seems to be a system tunable net.inet.ipsec.ah_cleartos that is set by default, but I don't see a corresponding ESP tunable.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.