New Member
Posts: 5
Registered: ‎06-18-2014
Kudos: 1

Is QOS over VPN possible with EdgeMAX?

One thing that I've done in the past with a few other high-end routers is QOS over VPN. Having a main office with multiple site-to-site VPNs where all email traffic, file sharing traffic and so forth goes over the VPN, there is obviously a need to prioritize VPN traffic -- such as VOIP traffic.

So my first question is if I create an OpenVPN tunnel from siteA to siteB, can I apply QOS rules to the vtun0 interface to prioritize specific traffic over the VPN?

If so, question two would be then can I QOS OpenVPN traffic over the eth1 interface so that OpenVPN traffic has a higher priority than generic internet traffic?

Thank you for your time.

Homer.

Regular Member
Posts: 367
Registered: ‎05-09-2014
Kudos: 128
Solutions: 7

Re: Is QOS over VPN possible with EdgeMAX?

absolutely, to both of your points. kernel "tc" rules can be applied to any adapter on the system, and as far as i can tell, the vyatta "traffic-policy" options are just a front end for those rules. you can apply them to "vtunX", "l2tpX", and so on, and i am doing so now on some other routers i'm managing (not Edgerouters, but nonetheless). as well, if you want to control OpenVPN traffic on a physical adapter, just create a rule, then filter it by UDP port 1194 (or whatever port you've configured OpenVPN to use)

Member
Posts: 104
Registered: ‎03-24-2014
Kudos: 15
Solutions: 3

Re: Is QOS over VPN possible with EdgeMAX?

Actually, the answer is no to #1 and yes to #2. 

#1 - You cannot prioritise traffic contained within the IPSEC encapsulation, as it is encrypted.

Regular Member
Posts: 367
Registered: ‎05-09-2014
Kudos: 128
Solutions: 7

Re: Is QOS over VPN possible with EdgeMAX?

but is openvpn traffic contained within IPSEC?

Member
Posts: 104
Registered: ‎03-24-2014
Kudos: 15
Solutions: 3

Re: Is QOS over VPN possible with EdgeMAX?

No

Regular Member
Posts: 367
Registered: ‎05-09-2014
Kudos: 128
Solutions: 7

Re: Is QOS over VPN possible with EdgeMAX?

so the original point still stands, that applying traffic shaping to the openvpn tunneling adapter will work, does it not?

Member
Posts: 104
Registered: ‎03-24-2014
Kudos: 15
Solutions: 3

Re: Is QOS over VPN possible with EdgeMAX?

No. You are misunderstanding the poster's original question.

"Having a main office with multiple site-to-site VPNs where all email traffic, file sharing traffic and so forth goes over the VPN, there is obviously a need to prioritize VPN traffic -- such as VOIP traffic"

You can _not_ shape traffic within a VPN tunnel. You can shape the two end points for priority against other traffic (ie, L2TP traffic is prioritised over, say, HTTP), but you cannot shape the traffic WITHIN the tunnel.

This is what the OP is referring to: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82310...

New Member
Posts: 5
Registered: ‎06-18-2014
Kudos: 1

Re: Is QOS over VPN possible with EdgeMAX?

On a few other routers I do have the ability to shape the traffic within the VPN Tunnel. This has required me to use OpenVPN whereas it gives me an interface to work with.

I have in the past given VOIP traffic priority as it goes thru the tunnel and all other traffic gets lower priority.  Works just like you would hope.  

Issue is that the routers that I've used in the past cost nearly $4000 and I'm looking to see if these EdgeMAX routers can do the same thing?  So yes, it is possible on other equipment.  My question is can EdgeMAX pull it off?

Thanks.

Homer.

Regular Member
Posts: 367
Registered: ‎05-09-2014
Kudos: 128
Solutions: 7

Re: Is QOS over VPN possible with EdgeMAX?

not sure exactly about prioritization, but i just enabled rate limiting as a test on my openvpn vtun0 on an edgerouter lite, and rate limiting here does work. i'm limiting traffic out to a certain IP address within the openvpn client pool and a certain port. i would think that prioritizing would work in the same fashion. though perhaps one of the official mods might be able to chime in about this?
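
The kernel "tc" view of the two questions in this thread, as an added example that is not part of any poster's message and is not EdgeOS configuration: the script only prints the commands it would use. The interface names vtun0 and eth1 and UDP port 1194 come from the thread; the rates, class shares and the assumption that VoIP is marked DSCP EF are illustrative.

```shell
#!/bin/sh
# Added example: prints (does not execute) tc commands for a two-class HTB shaper.
# Rates, class shares and the DSCP EF marking are assumptions for illustration.

# htb_plan DEV RATE_KBIT PRIO_PCT MATCH...
#   DEV        interface to shape (egress only)
#   RATE_KBIT  total rate of the link or tunnel, in kbit/s
#   PRIO_PCT   guaranteed share (1-99) for the priority class
#   MATCH...   u32 selector that picks the priority traffic
htb_plan() {
    dev=$1 rate=$2 pct=$3
    shift 3
    for n in "$rate" "$pct"; do
        case "$n" in ''|*[!0-9]*) echo "not a number: $n" >&2; return 1 ;; esac
    done
    [ "$pct" -ge 1 ] && [ "$pct" -le 99 ] || { echo "share out of range: $pct" >&2; return 1; }
    hi=$(( rate * pct / 100 ))
    lo=$(( rate - hi ))
    echo "tc qdisc replace dev $dev root handle 1: htb default 20"
    echo "tc class add dev $dev parent 1: classid 1:1 htb rate ${rate}kbit"
    echo "tc class add dev $dev parent 1:1 classid 1:10 htb rate ${hi}kbit ceil ${rate}kbit prio 0"
    echo "tc class add dev $dev parent 1:1 classid 1:20 htb rate ${lo}kbit ceil ${rate}kbit prio 1"
    echo "tc filter add dev $dev parent 1: protocol ip prio 1 u32 $* flowid 1:10"
}

# Question 1: packets queued on the tunnel interface are not yet encrypted,
# so the filter can read inner headers. Assumes VoIP carries DSCP EF (TOS 0xb8).
inner_plan() {
    htb_plan vtun0 "${1:-5000}" 30 match ip tos 0xb8 0xfc
}

# Question 2: on the physical interface only the outer header is visible,
# so the tunnel as a whole is matched as UDP (protocol 17) to port 1194.
outer_plan() {
    htb_plan eth1 "${1:-10000}" 50 match ip protocol 17 0xff match ip dport 1194 0xffff
}

inner_plan
outer_plan
```

Both plans shape egress only, so each site needs its own copy for traffic leaving in its direction.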