pe1chl
Forum Guru
Topic Author
Posts: 7784
Joined: Mon Jun 08, 2015 12:09 pm

Setting priority for IPsec traffic

Tue Oct 12, 2021 11:22 pm

Now that I have a new RB4011 router I am tinkering a bit with the optimization of queueing on my VDSL line.
I have a ZyXEL VMG4005-B50A VDSL modem. I need to do PPPoE-over-VLAN6 with my provider and this modem can do QoS using 802.1p tagging on the PPPoE packets sent from MikroTik to the modem (which operates in bridge mode).
So outgoing packets go like this: pppoe-client -> VLAN subinterface -> ether1 -> VMG4005-B50A -> VDSL line.
When I do a mangle "set priority from DSCP 3 bits" in the postrouting chain, the packets nicely get prioritized when routed to the pppoe-client interface, this priority gets copied into the priority field of the VLAN header, is transferred to the VMG4005-B50A which uses it to select the QoS queue, and I have good QoS on the uplink.

Now I am trying to get this to work with an L2TP/IPsec VPN connection (this router is the client). Unfortunately, L2TP has no "DSCP: inherit" setting so I cannot just copy the DSCP from the payload packet into the L2TP packet (hoping that it would be matched in the postrouting chain and the priority be set correctly).
I thought I may get by when I can skip the set priority the second time the packet goes through postrouting, assuming that it would keep the originally assigned priority of the inner packet. But that does not appear to work. Probably the L2TP layer, unlike the PPPoE layer, creates an entirely new packet (that passes through the output rather than the forwarding chain) and it does not transfer the priority field.

But this is where it gets weird: whenever I try to manipulate the priority of the IPsec (ESP) packets differently from what they were set before being encrypted, the connection cannot pass traffic anymore.
This surprises me... I could understand it when I tried to change the DSCP value of the packets, because they would invalidate the IPsec authentication, but I am not changing anything in the packet when I manipulate the priority, at least I think so...

What could be going on here, and would there be any way to set the priority of this traffic through the entire stack of:
IP traffic -> set priority from DSCP -> route to L2TP/IPsec interface -> route to pppoe-client -> VLAN subinterface -> ether1 -> VMG4005-B50A -> VDSL line.
It does not really matter that the DSCP of the ESP packet isn't copied from the inner DSCP value, as long as the priority (as determined from the inner DSCP value) ends up correctly in the VLAN header.
 
pe1chl
Topic Author

Re: Setting priority for IPsec traffic

Sun Oct 17, 2021 7:16 pm

Anyone of the resident IPsec experts understand what is going on here?
When I do a "set priority" on ESP packets (even a simple "match outgoing ESP packets and set priority 2") it instantly kills the L2TP/IPsec connection.
When I do packet marking on them (to later use it in a queue) it works fine.

I thought setting priority, similar to packet marking, only sets metadata in the packet header inside the router and would not affect the encryption/authentication on the wire.
Why is that not true?
 
sindy
Forum Guru
Posts: 7907
Joined: Mon Dec 04, 2017 9:19 pm

Re: Setting priority for IPsec traffic

Sun Oct 17, 2021 8:33 pm

Setting priority in mangle should have an effect only on transports that support some L2 priority field, which is normally Ethernet and wireless. So in this sense, yes, priority is a metadata item, until the packet reaches the Ethernet or wireless driver that can extract the value from that item and store it in the relevant frame field (the priority field in an 802.1Q tag or some WMM field in the wireless frame if I remember correctly). If the transport doesn't support any kind of priority field, the value of the metadata item is silently dropped.

I've tested your suspected setup on a CHR - the action=set-priority mangle rule matching on the ESP packets counts but the L2TP/IPsec session keeps working fine. So I'd ask whether something further down the line doesn't look at the 802.1Q priority value and drop the frames if it doesn't like the value?

If it works when you set new-priority=0 in the rule, it's most likely this. If it fails even in this case, I'd assume it is a bug.
Don't write novels, post /export hide-sensitive file=x. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
pe1chl
Topic Author

Re: Setting priority for IPsec traffic

Sun Oct 17, 2021 8:49 pm

Thanks for replying! At first I thought "that may be it" because until now I was mainly using increased priority for e.g. VoIP with this modem and now I wanted to have a lower priority for part of this L2TP/IPsec traffic and it may be that it does not like the below-normal priorities.
However, when I set the priority to a value I know is working for voice traffic, it still does not work.

I use a mangle prerouting rule to match some traffic before it is routed to the L2TP VPN by src/dst IP and port number, and set the DSCP to 16. Then I use the normal (for me) postrouting rule to set the priority from the top 3 bits of DSCP. I can see on a trace on the link between the router and the modem that this works OK for plain traffic: the priority is copied to the 3 bits in the VLAN header.
(there always remains the unclear situation with the relative priorities of the 3-bit values; I presume they are 1 2 0 3 4 5 6 7 in increasing order of priority so a DSCP value 8 is the lowest priority, 16 is higher, 0 is normal (default), then 24, 32, 40 etc are the higher priorities with e.g. 46 used for voice)

Now when I use a L2TP/IPsec client I see that all traffic related to the VPN goes out with DSCP 0 and priority 0, regardless of the DSCP value of the inner packet.
(with GRE and IPIP it is possible to set "DSCP: inherit" which copies the DSCP value from inner to outer packet, but L2TP does not offer that)
I think I will try to change the tunnel from L2TP to GRE and see if that works OK (I know that setting the priority works in that case, I use it at other sites).
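As an added example (not code from the thread or from RouterOS), a small Python script that mirrors the check described above: it builds a constructed 802.1Q-tagged IPv4 frame, parses back the VLAN PCP and the IP DSCP, verifies that the PCP equals the top three DSCP bits (what "set priority from DSCP high 3 bits" should produce on the wire), and ranks PCP values in the ordering the post presumes. All MAC and IP addresses and frame contents are constructed.

```python
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Relative ordering of 802.1p PCP values as presumed in the post, lowest to highest.
PCP_ORDER = [1, 2, 0, 3, 4, 5, 6, 7]


def priority_from_dscp(dscp: int) -> int:
    """Take the top 3 bits of the 6-bit DSCP, as a 'priority from DSCP' mangle rule does."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must fit in 6 bits")
    return dscp >> 3


def pcp_rank(pcp: int) -> int:
    """Position of a PCP value in the presumed 802.1p ordering (higher means more urgent)."""
    return PCP_ORDER.index(pcp)


def build_frame(pcp: int, vlan_id: int, dscp: int) -> bytes:
    """Build a minimal constructed VLAN-tagged frame carrying an IPv4 header with this DSCP."""
    dst = bytes.fromhex("001122334455")  # constructed MAC addresses
    src = bytes.fromhex("66778899aabb")
    tci = (pcp << 13) | (vlan_id & 0x0FFF)  # PCP (3) | DEI (1) | VID (12)
    tos = dscp << 2                         # DSCP is the upper 6 bits of the ToS byte
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return (dst + src + struct.pack("!HH", ETHERTYPE_VLAN, tci)
            + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr)


def parse_frame(frame: bytes):
    """Return (pcp, vlan_id, dscp) from a VLAN-tagged IPv4 frame; raise if it is not one."""
    ethertype, tci = struct.unpack_from("!HH", frame, 12)
    if ethertype != ETHERTYPE_VLAN:
        raise ValueError("frame is not 802.1Q tagged")
    (inner_type,) = struct.unpack_from("!H", frame, 16)
    if inner_type != ETHERTYPE_IPV4:
        raise ValueError("payload is not IPv4")
    tos = frame[19]                         # IPv4 header starts at offset 18
    return tci >> 13, tci & 0x0FFF, tos >> 2


def priority_matches(frame: bytes) -> bool:
    """The check made on the router-to-modem trace: VLAN PCP == top 3 bits of inner DSCP."""
    pcp, _, dscp = parse_frame(frame)
    return pcp == priority_from_dscp(dscp)
```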
 
pe1chl
Topic Author

Re: Setting priority for IPsec traffic

Mon Oct 18, 2021 7:48 pm

After lots of tinkering with GRE/IPsec, sending plain packets with different DSCP, etc, the only conclusion can be that there is a bug that only surfaces in very special circumstances...
Weird things are happening with DSCP and priority. I have rebooted the RB4011 and it behaves differently now.

I have no idea at all what is going on...
 
pe1chl
Topic Author

Re: Setting priority for IPsec traffic

Tue Oct 19, 2021 2:03 pm

It looks more and more like it is a bug in the ZyXEL VMG4005-B50A VDSL modem when operating in "QoS from ethernet priority" mode.
As far as the trace between router and modem shows (I have used a mirror port on the switch to listen to the ether1 traffic on a separate PC with Wireshark) it all looks OK there, but apparently the modem gets confused by certain priority values. 0, 5 and 6 are OK but 3 and 1 are not. Strange.
