10-04-2007, 02:43 AM
|
| Junior Member | | Join Date: Sep 2009
Posts: 0
| |
 Re: altq and IPsec - queue on incoming interface
Danilo Kempf wrote:
>
>> Sometimes there is really need for ALTQ on incoming traffic:
>
> ALTQ on incoming traffic won't work -- obviously.
It works when pf (and ALTQ) is running in the other side of the communication
channel. :-)
Someone should be able to implement some ALTQ-like traffic control for
incoming traffic selectively dropping packages to simulate network
congestion but it will be certainly ugly -and I will certainly never
recommend something like that to be implemented!- and rulesets will become
a nightmare (what machines should be added? the end points of the
communication channels -local machines-)?. ;-)
> I've had the very same problem a while ago (need to priorize VoIP traffic
> accross my well saturated VPN connection) and tried a lot of things to no
> avail.
>
> Suprisingly, tags (as in the pf "tag" statement) survive IPSEC encryption.
> I've done something like this:
Is packet tagging done before or after encryption? If it is done before
encryption and traffic is decrypted before tags are analyzed on the
other end, it should work, though.
Igor.
 |