Hello Everyone,
We’ve set up an IPSec tunnel for one of our clients using RouterOS on both sides. The problem we’re running into is with trying to set up QoS. They have a DSL connection with 6Mb/s down and 384Kb/s up. Several of the employees like to stream Pandora, iTunes, etc. while they work. The problem is that this interferes with the VPN traffic and causes RDP connections to run horribly slowly and even drop momentarily.
The IPSec tunnel goes from their office to my datacenter. I’ve got QoS working for all traffic to my datacenter EXCEPT for IPSec traffic. So if I ping Google I get 300ms ping times; if I ping a public server in the datacenter I get 52ms ping times, yay… except if I ping 192.168.10.10 (a private server in the datacenter, through the IPSec tunnel), I get 300ms ping times. I’m guessing it’s because the packet is being encrypted after being marked???
Here’s what I’ve done:
Network Layout
Datacenter public network is: 1.1.1.0/24
Datacenter private network is: 192.168.10.0/24
Office public network is: 2.2.2.0/24
Office private network is: 192.168.20.0/24
NAT Mangle Rules
Postrouting Destination Address: 1.1.1.0/24 Mark Packet: DCOUT Passthrough: No
Prerouting Source Address: 1.1.1.0/24 Mark Packet: DCIN Passthrough: No
Postrouting Destination Address: !1.1.1.0/24 Mark Packet: ElseOUT Passthrough: No
Prerouting Source Address: !1.1.1.0/24 Mark Packet: ElseIN Passthrough: No
Queue Tree
IN parent=global-in priority=1
DC_IN packet-mark=DCIN parent=IN priority=2
Else_IN packet-mark=ElseIN parent=IN priority=8 max-limit=2M
OUT parent=global-out priority=1
DC_OUT packet-mark=DCOUT parent=OUT priority=2
Else_OUT packet-mark=ElseOUT parent=OUT priority=8 max-limit=192k
So this works great for any non-IPSec traffic going to 1.1.1.0/24, but any traffic going through the tunnel to 192.168.10.0/24 doesn’t get prioritized. Since this is just IPSec and not an L2TP connection, there’s no interface for the tunnel.
Can someone offer some advice please?
Thanks in advance,
Brian
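Added example (editor's note, not part of Brian's post or his configuration): one way to get the tunnel traffic into the DC queues is to mark the cleartext packets by their private subnet before the catch-all rules fire. The assumption behind it is that RouterOS applies the mangle postrouting rules and the global-out queue to the inner packet before IPSec encrypts it, and the prerouting rules and global-in queue to the decrypted packet after IPSec strips the ESP header, so a packet to or from 192.168.10.0/24 hits the "!1.1.1.0/24" rule and lands in the Else queues. The rules below reproduce the post's marks and queue tree in RouterOS CLI syntax (global-in/global-out parents as in the post); the subnets are the ones given in the post and the comments are mine.

```routeros
# Added example, not from the original post. Order matters: the private-subnet
# rules must come before the "!1.1.1.0/24" catch-alls, and passthrough=no stops
# the packet from being re-marked by a later rule.
/ip firewall mangle
# Outbound: inner packets for the datacenter LAN are marked (and queued at
# global-out) before IPSec encrypts them, so match them here. The ESP packets
# that leave afterwards have dst-address in 1.1.1.0/24 and hit the next rule.
add chain=postrouting dst-address=192.168.10.0/24 action=mark-packet new-packet-mark=DCOUT passthrough=no comment="DC LAN via IPSec"
add chain=postrouting dst-address=1.1.1.0/24 action=mark-packet new-packet-mark=DCOUT passthrough=no comment="DC public"
add chain=postrouting dst-address=!1.1.1.0/24 action=mark-packet new-packet-mark=ElseOUT passthrough=no comment="everything else"
# Inbound: decrypted packets re-enter prerouting with src-address in
# 192.168.10.0/24; without this rule they fall into ElseIN and its 2M limit.
add chain=prerouting src-address=192.168.10.0/24 action=mark-packet new-packet-mark=DCIN passthrough=no comment="DC LAN via IPSec"
add chain=prerouting src-address=1.1.1.0/24 action=mark-packet new-packet-mark=DCIN passthrough=no comment="DC public"
add chain=prerouting src-address=!1.1.1.0/24 action=mark-packet new-packet-mark=ElseIN passthrough=no comment="everything else"

# Queue tree exactly as in the post, unchanged
/queue tree
add name=IN parent=global-in priority=1
add name=DC_IN parent=IN packet-mark=DCIN priority=2
add name=Else_IN parent=IN packet-mark=ElseIN priority=8 max-limit=2M
add name=OUT parent=global-out priority=1
add name=DC_OUT parent=OUT packet-mark=DCOUT priority=2
add name=Else_OUT parent=OUT packet-mark=ElseOUT priority=8 max-limit=192k
```

To check that the marks land, watch the packet counters on the two "DC LAN via IPSec" rules while pinging 192.168.10.10 through the tunnel; if they stay at zero, the rule order is wrong or the subnet does not match what the tunnel actually carries. On RouterOS versions that have the ipsec-policy firewall matcher, `ipsec-policy=out,ipsec` (postrouting) and `ipsec-policy=in,ipsec` (prerouting) can replace the subnet matches and catch everything the tunnel carries regardless of address.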