New Member
Posts: 14
Registered: 05-19-2017
Kudos: 1
Accepted Solution

Mark L2TP/IPSec Upload Traffic

I want to mark (firewall-wise or DSCP) the upload (LAN to WAN) L2TP/IPSec traffic, in order to prioritize it with QoS policies. My upload bandwidth is low (1Mbps) and it's important to guarantee some bandwidth for remote troubleshooting during peak hours.

 

Applying a firewall policy on the inbound interface doesn't seem possible, since 'l2tp0' is a temporary interface brought up only upon IPSec connection establishment. Therefore I have no interface to assign an 'in' firewall rule for that.

 

I could create an 'input' interface (ifb0) and redirect all LAN-to-WAN traffic through that virtual interface, but I fear that may require significant changes in my existing configuration.

Is there a simple(r) way to do that (i.e. I'm missing the obvious way)?

 

Another idea was to create an advanced QoS filter/leaf (under a root node attached to my WAN) for all traffic with source UDP ports 500, 1701 and 4500. That should filter all WAN outbound traffic (to the internet) originating from the LNS (I hope).

 

Any other idea, or something wrong with the above?

thanks!

 


Accepted Solutions
Senior Member
Posts: 3,352
Registered: 03-24-2016
Kudos: 974
Solutions: 410

Re: Mark L2TP/IPSec Upload Traffic

Prioritizing udp ports 500, 1701 and 4500 will work for sure.

 

But how about turning things upside down? All WAN upload traffic, containing both encrypted traffic to L2TP peers and regular internet upload, also passes your LAN interface.

Use ifb redirect on LAN, and do your WAN upload shaping on ifb (the redirected LAN interface).

QoS rules filtering on destination IP matching the L2TP pool will select traffic going to L2TP clients.

This way, you can even prioritize different kinds of traffic within the tunnel.

When assigning bandwidth to queues, take into account that encryption also includes encapsulation, increasing packet size. Compensate for this when assigning bandwidth to queues.
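The last point is easy to underestimate on a 1 Mbit/s uplink, so here is an added worked example (not from the poster and not EdgeOS code) that puts numbers on it. It computes the on-the-wire size of one inner IP packet after L2TP/IPsec encapsulation and the shaper rate a VPN leaf needs so the tunnel still delivers a target goodput. The header sizes are assumptions typical of a road-warrior setup, not values from the thread: ESP in transport mode with NAT-T (UDP/4500), AES-CBC (16-byte block and IV), HMAC-SHA1-96 (12-byte ICV), a 6-byte L2TP data header and a 4-byte PPP header. Adjust the constants to match the negotiated proposal.

```python
"""Per-packet overhead of L2TP over IPsec and the queue rate needed to compensate.

Assumed encapsulation (label: assumption, not from the thread):
  outer IPv4 | UDP/4500 (NAT-T) | ESP hdr | IV | [UDP/1701 | L2TP | PPP | inner IP pkt]
             | ESP padding | ESP trailer | ICV
The bracketed part is the ESP plaintext; L2TP/IPsec uses transport mode, so the
outer IPv4 header is counted as overhead relative to the inner IP packet.
"""

OUTER_IP = 20      # IPv4 header on the WAN
NAT_T_UDP = 8      # UDP/4500 header inserted by NAT traversal
ESP_HDR = 8        # SPI + sequence number
ESP_IV = 16        # AES-CBC IV (assumption)
ESP_TRAILER = 2    # pad length + next header
ESP_ICV = 12       # HMAC-SHA1-96 (assumption; 16 for SHA-256-128)
CIPHER_BLOCK = 16  # AES block size
L2TP_UDP = 8       # UDP/1701 header, encrypted inside ESP
L2TP_HDR = 6       # flags/version, tunnel id, session id (no optional fields; assumption)
PPP_HDR = 4        # address/control + protocol


def esp_padding(plain_len: int, block: int = CIPHER_BLOCK) -> int:
    """ESP pads so plaintext + trailer is a multiple of the cipher block (RFC 4303)."""
    return (-(plain_len + ESP_TRAILER)) % block


def wire_size(inner_ip_len: int) -> int:
    """Bytes sent on the WAN for one inner IP packet carried through the tunnel."""
    plain = L2TP_UDP + L2TP_HDR + PPP_HDR + inner_ip_len
    return (OUTER_IP + NAT_T_UDP + ESP_HDR + ESP_IV
            + plain + esp_padding(plain) + ESP_TRAILER + ESP_ICV)


def overhead_ratio(inner_ip_len: int) -> float:
    """Wire bytes per inner byte; this is the factor the queue rate must absorb."""
    return wire_size(inner_ip_len) / inner_ip_len


def queue_rate_kbit(goodput_kbit: float, inner_ip_len: int) -> float:
    """Shaper rate (kbit/s) to give the VPN leaf so that goodput_kbit of inner
    traffic at this packet size actually fits, encapsulation included."""
    return goodput_kbit * overhead_ratio(inner_ip_len)


def report(sizes, goodput_kbit: float):
    """Table rows (inner size, wire size, ratio, required leaf rate) for each size."""
    return [(n, wire_size(n), round(overhead_ratio(n), 3),
             round(queue_rate_kbit(goodput_kbit, n), 1)) for n in sizes]


if __name__ == "__main__":
    # Small interactive packets (e.g. an 84-byte ping) pay far more overhead than
    # large transfers, so size the leaf for the traffic you want to protect.
    for inner, wire, ratio, rate in report([84, 576, 1300], goodput_kbit=256):
        print(f"inner {inner:5d} B -> wire {wire:5d} B, x{ratio:.3f}, "
              f"leaf needs {rate:.1f} kbit/s for 256 kbit/s goodput")
```

For the 1 Mbit/s uplink in the thread, a leaf sized for 256 kbit/s of remote-troubleshooting traffic should be given roughly 274 kbit/s for large packets and close to 540 kbit/s if the session consists of small packets, which is a large share of the link.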



All Replies

New Member
Posts: 14
Registered: 05-19-2017
Kudos: 1

Re: Mark L2TP/IPSec Upload Traffic

I ping a LAN host from a VPN road-warrior client and capture the traffic on the LAN interface (eth2), but can't see the ICMP packets.
When I capture the packets on the l2tp0 interface, I can see the ICMP packets.
Doesn't that mean something, like eth2 LAN is not the i/f receiving the VPN traffic from LAN?

I also tried prioritizing UDP ports 500, 1701, 4500 but I'm not sure how I can check this ('tc show' looks like Greek to me, at least most of it). I thought of limiting the leaf queue and seeing if there's a dependency, but limiting an already sluggish 1 Mbit connection doesn't help me reach a definite conclusion. I may have to try harder, like with 64 kbps : )
Senior Member
Posts: 3,352
Registered: 03-24-2016
Kudos: 974
Solutions: 410

Re: Mark L2TP/IPSec Upload Traffic

tcpdump should see packets on your layer 3 WAN interface. If eth2 is on switch0, use tcpdump on switch0.

 

New Member
Posts: 14
Registered: 05-19-2017
Kudos: 1

Re: Mark L2TP/IPSec Upload Traffic

tcpdump indeed is more enlightening compared to the EdgeOS capture utility I was using; it never crossed my mind : )
Now I can see the L2TP IP pool packets going through my eth2 i/f (I use an ERL without switch0; eth2 is my only LAN i/f).
On the WAN side I can see my UDP/4500 packets and ESP carried over.
I also matched my VPN traffic by checking the stats (during low traffic) on 'show queueing ethernet', and the assigned PFIFO queue counters increase.

I did notice though (out of scope) that when using an incoming interface to filter on Advanced QoS, that doesn't work right, either on a root node attached to global or to a WAN interface. No matter which i/f I set in the filter, it always matches (I tried with i/c WAN, i/c LAN, i/c VLAN). I'll test some more and maybe open a new thread.
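The counter check described above is the reliable way to confirm a filter actually matches, and it can be scripted so that "tc show" does not have to be read by eye. The following is an added example, not code from the thread or from EdgeOS: it parses two snapshots of `tc -s class show dev <iface>` (the kernel statistics that EdgeOS's queueing display is built on), diffs the byte and packet counters per class, and names the leaf that grew while test traffic (for example a ping through the tunnel) was flowing. The two snapshots below are constructed sample output with an assumed HTB tree (root 1:1, default leaf 1:10, VPN leaf 1:20); on a real router, capture them from the shaped interface (the ifb device if the redirect approach is used) before and after generating traffic.

```python
"""Diff two `tc -s class show` snapshots to see which leaf the VPN traffic hits."""
import re

# Constructed sample output (not captured from the thread's router).
# Assumed tree: root 1:1, default leaf 1:10, VPN leaf 1:20.
BEFORE = """\
class htb 1:1 root rate 1Mbit ceil 1Mbit burst 1600b cburst 1600b
 Sent 50000 bytes 400 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:10 parent 1:1 leaf 10: prio 1 rate 512Kbit ceil 1Mbit burst 1600b cburst 1600b
 Sent 38000 bytes 300 pkt (dropped 12, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:20 parent 1:1 leaf 20: prio 0 rate 256Kbit ceil 1Mbit burst 1600b cburst 1600b
 Sent 12000 bytes 100 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
"""
AFTER = """\
class htb 1:1 root rate 1Mbit ceil 1Mbit burst 1600b cburst 1600b
 Sent 54400 bytes 425 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:10 parent 1:1 leaf 10: prio 1 rate 512Kbit ceil 1Mbit burst 1600b cburst 1600b
 Sent 38000 bytes 300 pkt (dropped 12, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:20 parent 1:1 leaf 20: prio 0 rate 256Kbit ceil 1Mbit burst 1600b cburst 1600b
 Sent 16400 bytes 125 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
"""

CLASS_RE = re.compile(r"^class (?P<kind>\S+) (?P<id>\S+) (?P<rest>.*)$")
SENT_RE = re.compile(r"^\s*Sent (?P<bytes>\d+) bytes (?P<pkts>\d+) pkt \(dropped (?P<drop>\d+)")


def parse_classes(text):
    """Map class id -> {'leaf', 'bytes', 'pkts', 'dropped'} from tc -s class output."""
    classes, current = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group("id")
            # A leaf class carries "leaf <qdisc>:" in its description line.
            classes[current] = {"leaf": "leaf" in m.group("rest").split(),
                                "bytes": 0, "pkts": 0, "dropped": 0}
            continue
        m = SENT_RE.match(line)
        if m and current is not None:
            classes[current].update(bytes=int(m.group("bytes")),
                                    pkts=int(m.group("pkts")),
                                    dropped=int(m.group("drop")))
    return classes


def class_deltas(before, after):
    """Per-class growth between the two snapshots (classes present in both)."""
    b, a = parse_classes(before), parse_classes(after)
    return {cid: {"leaf": a[cid]["leaf"],
                  **{k: a[cid][k] - b[cid][k] for k in ("bytes", "pkts", "dropped")}}
            for cid in a if cid in b}


def busiest_leaf(before, after):
    """Leaf whose byte counter grew the most; None if no leaf moved at all."""
    leaves = {cid: d for cid, d in class_deltas(before, after).items() if d["leaf"]}
    if not leaves or max(d["bytes"] for d in leaves.values()) == 0:
        return None
    return max(leaves, key=lambda cid: leaves[cid]["bytes"])


if __name__ == "__main__":
    for cid, d in class_deltas(BEFORE, AFTER).items():
        tag = "leaf" if d["leaf"] else "inner"
        print(f"{cid:6s} {tag:5s} +{d['bytes']} bytes +{d['pkts']} pkts "
              f"+{d['dropped']} drops")
    print("test traffic landed in leaf:", busiest_leaf(BEFORE, AFTER))
```

Run it during a quiet period, as the poster did, so that the only counters moving are the ones driven by the test traffic; a growing drop count on the VPN leaf while its byte counter climbs is the sign that the leaf's rate is set below what the encapsulated traffic needs.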