I'm trying to mark the actual traffic encrypted with IPsec (tunneled) so I can perform QoS.
I'm using queue-tree, forwarding chain and global-out.
Interface ether10-gateway is for WAN and includes NATting.
Interface l2tp-site1site2_cli is L2TP towards site2.
Traffic between local subnets on site1 and site2 is IPsec encrypted (tunnel mode) and then tunneled across L2TP.
Problem is that apparently interface l2tp-site1site2_cli sees both unencrypted (actual between site local subnets) and encrypted traffic (between IPsec peers).
When I mark e.g. upload traffic on that interface, PCQ sees two connections and behaves wrongly (halves speed to share among those "two" types of traffic).
I tried adding an accept rule in forward chain to ignore ipsec traffic on that interface. I also tried to specify src/dst addresses in the related mangle rules but that didn't help.
When I disable IPsec policy the PCQ immediately works properly.
RB2011UAS-2HnD @ 5.24
Please advise.
Thanks!
172.16.0.0 are the L2TP peers
10.0.0.0 are the site local subnets
As you can see both the original SSH session and the IPsec encapsulation are seen on the l2tp-site1site2_cli interface.
Config:
/ip firewall mangle
(...)
add action=mark-connection chain=forward comment="ALL TRAFFIC (shaping)" \
new-connection-mark=all-conn
add action=mark-packet chain=forward connection-mark=all-conn in-interface=\
ether10-gateway new-packet-mark=all-ds passthrough=no
add action=mark-packet chain=forward connection-mark=all-conn new-packet-mark=\
all-us out-interface=ether10-gateway passthrough=no
add action=mark-packet chain=forward connection-mark=all-conn in-interface=\
l2tp-site1site2_cli new-packet-mark=all-ds passthrough=no
add action=mark-packet chain=forward connection-mark=all-conn new-packet-mark=\
all-us out-interface=l2tp-site1site2_cli passthrough=no
/queue tree
(...)
add max-limit=1100k name=Upload parent=global-out priority=1
add name=ALL-us packet-mark=all-us parent=Upload queue=DSL_upload
/queue type
add kind=pcq name=DSL_download pcq-classifier=dst-address pcq-dst-address6-mask=\
64 pcq-limit=100 pcq-src-address6-mask=64
add kind=pcq name=DSL_upload pcq-classifier=src-address pcq-dst-address6-mask=64 \
pcq-limit=100 pcq-src-address6-mask=64
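To make the PCQ effect described in the post concrete, here is a small model (added here as an example; it is not RouterOS code and not the poster's configuration). It replays the two packets the L2TP interface sees for one site-to-site flow, the plaintext inner packet and its ESP encapsulation between the L2TP peers, through the two out-interface mark-packet rules and then groups the marked packets the way a pcq-classifier=src-address queue would. The addresses, packet sizes and the skip_esp switch are constructed assumptions; the 1100k parent limit is the Upload queue max-limit from the config above.

```python
"""Model of PCQ sub-stream classification for packets sharing one packet-mark.

Illustrates why marking both the inner (plaintext) packet and its ESP
encapsulation on the L2TP interface produces two PCQ sub-streams, so a
single site-to-site flow only gets half of the parent queue's limit.
Added example, not RouterOS code; all addresses and sizes are constructed.
"""
from collections import defaultdict

PARENT_LIMIT_KBPS = 1100  # Upload queue max-limit from the posted config

# Constructed packets as seen in the forward chain leaving the L2TP interface:
# the plaintext packet between the site subnets (10.0.0.0) and the ESP packet
# between the L2TP peers (172.16.0.0) that carries it.
PACKETS = [
    {"src": "10.0.1.10", "dst": "10.0.2.22", "proto": "tcp", "bytes": 1400,
     "out_if": "l2tp-site1site2_cli"},
    {"src": "172.16.0.1", "dst": "172.16.0.2", "proto": "esp", "bytes": 1460,
     "out_if": "l2tp-site1site2_cli"},
]

UPLOAD_INTERFACES = ("ether10-gateway", "l2tp-site1site2_cli")


def mark_packets(packets, skip_esp=False):
    """Return the packets that would receive packet-mark all-us.

    Mirrors the two out-interface mark-packet rules in the posted mangle
    config.  skip_esp models a hypothetical extra rule that keeps the ESP
    encapsulation out of the mark, so only the inner packet is shaped.
    """
    marked = []
    for p in packets:
        if p["out_if"] not in UPLOAD_INTERFACES:
            continue
        if skip_esp and p["proto"] == "esp":
            continue
        marked.append(p)
    return marked


def pcq_substreams(packets, classifier="src"):
    """Group marked packets into PCQ sub-streams by the classifier field
    (src for pcq-classifier=src-address, dst for dst-address)."""
    streams = defaultdict(list)
    for p in packets:
        streams[p[classifier]].append(p)
    return dict(streams)


def per_stream_rate(streams, parent_limit=PARENT_LIMIT_KBPS):
    """With pcq-rate=0 the parent limit is shared equally among sub-streams."""
    return parent_limit / len(streams) if streams else 0


if __name__ == "__main__":
    for skip in (False, True):
        streams = pcq_substreams(mark_packets(PACKETS, skip_esp=skip))
        print(f"skip_esp={skip}: {len(streams)} sub-stream(s) "
              f"{sorted(streams)} -> {per_stream_rate(streams):.0f}k each")
```

Run as-is the model prints two sub-streams (10.0.1.10 and 172.16.0.1) sharing 1100k, i.e. 550k each, which matches the halving the post reports; with skip_esp=True only the inner source is classified and the single stream gets the full limit. Whether the equivalent exclusion can be expressed in RouterOS 5.24 mangle rules is exactly what the post is asking about; the model only shows the classification mechanics.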