Is it possible to attach QoS rules to VPN interface traffic?

FreshJR

Very Senior Member
So all VPN traffic goes through interface tun21.
Inbound WAN traffic goes through interface eth0.
Outbound WAN traffic goes through interface br0.

QoS sets up TC rules for the eth0 and br0 interfaces. Unfortunately this seems to mean that VPN clients are not bound by QoS rules and can drain network performance (mainly upload).

I would like tun21 traffic to go through a queuing discipline already in place on interface br0. This will constrain the VPN clients to share the upload bandwidth set by QoS rules.

Traffic control is used to set queuing disciplines for a single interface. I am not aware of an ability to have two interfaces share a queuing discipline.

I think to achieve what I need I have to study iptables mangle routing. Here is the default mangle table.

Code:
Chain PREROUTING (policy ACCEPT 26724 packets, 7256K bytes)
 pkts bytes target     prot opt in     out     source               destination
  469 35727 MARK       all  --  tun21  any     anywhere             anywhere             MARK xset 0x1/0x7
 2536 1558K BWDPI_FILTER  udp  --  eth0   any     anywhere             anywhere

Chain INPUT (policy ACCEPT 15660 packets, 3255K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 11060 packets, 4000K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  any    br0     192.168.2.0/24       192.168.2.0/24       MARK xset 0x1/0x7

Chain OUTPUT (policy ACCEPT 15843 packets, 6579K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 27083 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain BWDPI_FILTER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  eth0   any     anywhere             anywhere             udp spt:bootpc dpt:bootps
   64 24352 DROP       udp  --  eth0   any     anywhere             anywhere             udp spt:bootps dpt:bootpc

Note: I have the option
Direct clients to redirect Internet traffic = Yes
So all internet traffic should be going encrypted from the client to my router and then into the internet, instead of directly from the client to the internet unencrypted. I am trying to use the VPN for all WAN access instead of accessing my LAN traffic only.

I will try learning the ins and outs of this table, but if anyone has an answer to my need, I would appreciate the shortcut.

What I don't understand is this: wouldn't all VPN traffic have to pass through the br0 and eth0 interfaces first before passing through the VPN? If so, then why aren't QoS limits followed at those boundary points? I do not see how I am getting speeds in excess of my QoS limits on the VPN client.

Could it be compression applied to the data? Or is it possible that the VPN client is not following the "Direct clients to redirect Internet traffic" direction?

I may be barking up the wrong tree. I will have to experiment more to see what is happening with the data paths.
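As an added example (not the poster's own code, and independent of the router firmware): a small Python parser for the `iptables -t mangle -L -v` listing above that pulls out the rules touching a given interface and the fwmark each MARK rule sets, which is the first thing to check when asking whether tun21 traffic ever lands in a tc class. The sample listing is constructed from the post's table.

```python
import re
from collections import namedtuple

# Constructed sample in the format of `iptables -t mangle -L -v`, modelled on the post's table.
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 26724 packets, 7256K bytes)
 pkts bytes target     prot opt in     out     source               destination
  469 35727 MARK       all  --  tun21  any     anywhere             anywhere             MARK xset 0x1/0x7
 2536 1558K BWDPI_FILTER  udp  --  eth0   any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 11060 packets, 4000K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  any    br0     192.168.2.0/24       192.168.2.0/24       MARK xset 0x1/0x7
"""

Rule = namedtuple("Rule", "chain pkts nbytes target proto in_if out_if src dst extra")
_SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

def counter(s):
    # iptables -v abbreviates counters with 1000-based K/M/G unless -x is given
    return int(s[:-1]) * _SUFFIX[s[-1]] if s[-1] in _SUFFIX else int(s)

def parse_mangle(text):
    """Parse an `iptables -L -v` listing into Rule tuples, tracking the chain name."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        parts = line.split(None, 9)  # 9 fixed columns, then free-form match/target text
        if len(parts) < 9 or parts[0] == "pkts":
            continue  # blank line or the column header
        pkts, nbytes, target, proto, _opt, in_if, out_if, src, dst = parts[:9]
        extra = parts[9] if len(parts) > 9 else ""
        rules.append(Rule(chain, counter(pkts), counter(nbytes), target, proto,
                          in_if, out_if, src, dst, extra))
    return rules

def rules_touching(rules, iface):
    """Rules whose in or out interface is iface, e.g. the VPN server's tun21."""
    return [r for r in rules if iface in (r.in_if, r.out_if)]

def marks_by_interface(rules):
    """interface -> fwmark value/mask set by MARK rules (tc filters key on these)."""
    marks = {}
    for r in rules:
        m = re.search(r"MARK (?:x?set|or|and|xor) (\S+)", r.extra)
        if r.target == "MARK" and m:
            marks[r.in_if if r.in_if != "any" else r.out_if] = m.group(1)
    return marks
```

Feed it the real listing with `parse_mangle(open("mangle.txt").read())` and compare the marks it reports against the handles your tc filters match on (`tc filter show dev br0`).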
 