06-18-2014 12:06 PM
One thing that I've done in the past with a few other high-end routers is QOS over VPN. Having a main office with multiple site-to-site VPNs where all email traffic, file sharing traffic and so forth goes over the VPN, there is obviously a need to prioritize VPN traffic -- such as VOIP traffic.
So my first question is: if I create an OpenVPN tunnel from siteA to siteB, can I apply QOS rules to the vtun0 interface to prioritize specific traffic over the VPN?
If so, question two would be then can I QOS OpenVPN traffic over the eth1 interface so that OpenVPN traffic has a higher priority than generic internet traffic?
Thank you for your time.
06-18-2014 12:47 PM
absolutely, to both of your points. kernel "tc" rules can be applied to any adapter on the system, and as far as i can tell, the vyatta "traffic-policy" options are just a front end for those rules. you can apply them to "vtunX", "l2tpX", and so on, and i am doing so now on some other routers i'm managing (not Edgerouters, but nonetheless). as well, if you want to control OpenVPN traffic on a physical adapter, just create a rule, then filter it by UDP port 1194 (or whatever port you've configured OpenVPN to use).
06-19-2014 07:23 AM - edited 06-19-2014 07:25 AM
No. You are misunderstanding the poster's original question.
"Having a main office with multiple site-to-site VPNs where all email traffic, file sharing traffic and so forth goes over the VPN, there is obviously a need to prioritize VPN traffic -- such as VOIP traffic"
You can _not_ shape traffic within a VPN tunnel. You can shape the two end points for priority against other traffic (i.e., L2TP traffic is prioritised over, say, HTTP), but you cannot shape the traffic WITHIN the tunnel.
This is what the OP is referring to: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82310...
06-19-2014 07:53 AM
On a few other routers I do have the ability to shape the traffic within the VPN tunnel. This has required me to use OpenVPN, as it gives me an interface to work with.
I have in the past given VOIP traffic priority as it goes through the tunnel and all other traffic gets lower priority. Works just like you would hope.
The issue is that the routers that I've used in the past cost nearly $4000 and I'm looking to see if these EdgeMAX routers can do the same thing. So yes, it is possible on other equipment. My question is: can EdgeMAX pull it off?
06-19-2014 09:13 AM
not sure exactly about prioritization, but i just enabled rate limiting as a test on my openvpn vtun0 on an edgerouter lite, and rate limiting here does work. i'm limiting traffic out to a certain IP address within the openvpn client pool and a certain port. i would think that prioritizing would work in the same fashion. though perhaps one of the official mods might be able to chime in about this?
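For readers who want to try what the replies above describe, here is an added EdgeOS/Vyatta configuration example (not posted by anyone in this thread): one shaper on vtun0 that prioritizes VoIP inside the tunnel, and a second shaper on eth1 that prioritizes the encrypted OpenVPN stream over generic internet traffic. The bandwidth figures, the policy and match names, the assumption that VoIP is marked DSCP 46 (EF), and the assumption that eth1 is the WAN interface and that OpenVPN listens on UDP 1194 are all constructed for this example.

```vyatta
configure

# Inside the tunnel: vtun0 carries plaintext, so the router can still see
# DSCP marks and ports here. VoIP (DSCP 46/EF, assumed) gets the top class,
# everything else lands in the default class. 8mbit is a constructed figure
# for the tunnel's usable upload; set it just below the real rate so the
# queue forms on the router and not in the ISP's buffers.
set traffic-policy shaper VPN-OUT bandwidth 8mbit
set traffic-policy shaper VPN-OUT default bandwidth 50%
set traffic-policy shaper VPN-OUT default ceiling 100%
set traffic-policy shaper VPN-OUT default queue-type fair-queue
set traffic-policy shaper VPN-OUT class 10 description 'VoIP inside tunnel'
set traffic-policy shaper VPN-OUT class 10 bandwidth 30%
set traffic-policy shaper VPN-OUT class 10 ceiling 100%
set traffic-policy shaper VPN-OUT class 10 priority 0
set traffic-policy shaper VPN-OUT class 10 queue-type fair-queue
set traffic-policy shaper VPN-OUT class 10 match VOIP ip dscp 46
set interfaces openvpn vtun0 traffic-policy out VPN-OUT

# On the physical WAN side the payload is encrypted, so match the OpenVPN
# stream itself (UDP/1194 assumed) and rank it above the default class.
# 10mbit is a constructed WAN upload figure.
set traffic-policy shaper WAN-OUT bandwidth 10mbit
set traffic-policy shaper WAN-OUT default bandwidth 60%
set traffic-policy shaper WAN-OUT default ceiling 100%
set traffic-policy shaper WAN-OUT default queue-type fair-queue
set traffic-policy shaper WAN-OUT class 10 description 'OpenVPN tunnel'
set traffic-policy shaper WAN-OUT class 10 bandwidth 40%
set traffic-policy shaper WAN-OUT class 10 ceiling 100%
set traffic-policy shaper WAN-OUT class 10 priority 0
set traffic-policy shaper WAN-OUT class 10 match OVPN ip protocol udp
set traffic-policy shaper WAN-OUT class 10 match OVPN ip destination port 1194
set interfaces ethernet eth1 traffic-policy out WAN-OUT

commit
save
exit

# Verify that the policies were rendered into kernel tc classes and that
# the VoIP/OpenVPN classes are actually accumulating bytes:
sudo tc -s class show dev vtun0
sudo tc -s class show dev eth1
```

Shaping is outbound only, so the same two-policy layout has to be applied at the remote site for traffic flowing the other way, and the remote end cannot be expected to honour classes it never sees.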