I would like to place QoS on this tunnel for all traffic. I've created a config, but I don't think it is working. Does anyone who has this working successfully care to share their setup?
First, from my understanding, QoS only works outbound, correct? If this is true, I would need an outbound rule at site A and an outbound rule at site B to get bidirectional QoS over the VPN, right?
Second, is the QoS applied to the External interface only for outbound traffic?
Third, if the traffic is encrypted once it reaches the External interface, can the Astaro see the traffic in order to apply QoS to it?
At site A, you can use a QoS rule on the External interface for traffic like 'External (Address) -> IPsec -> {site B}', but you cannot do QoS on the traffic inside the tunnel. The exception is for packets that have TOS or DSCP bits set.
Since you can't control what comes through the pipe to you, you can't guarantee bandwidth to inbound traffic. As for the internal connections, they normally have ten times or more bandwidth than the WAN connection, so it usually doesn't make sense to put a QoS rule there. One example of an exception would be a limiting rule to combat someone or something that's a bandwidth hog.
Cheers - Bob
Sophos UTM Community Moderator Sophos Certified Architect - UTM Sophos Certified Engineer - XG Gold Solution Partner since 2005
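To see why a shaper on the External interface only gets the DSCP bits once the packet is inside the tunnel, here is a small added simulation (not from this thread or from Sophos) that builds a constructed inner TCP packet, wraps it in ESP tunnel mode with a throwaway XOR standing in for real encryption, and shows what a classifier can still read from the outer header. Addresses, SPI and ports are made-up sample values.

```python
import struct

ESP_PROTO = 50   # IP protocol number for ESP
TCP_PROTO = 6

def ipv4_header(src, dst, proto, tos, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; nothing here validates it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len,
                       0, 0x4000, 64, proto, 0, src, dst)

def tcp_header(sport, dport):
    """Bare 20-byte TCP header; only the ports matter for classification."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)

def esp_tunnel(inner, spi, seq, outer_src, outer_dst, copy_dscp=True):
    """Wrap a whole inner IP packet in ESP tunnel mode.

    Real ESP encrypts the payload; the XOR below is only a stand-in that makes the
    inner headers unreadable. RFC 4301 copies the inner DSCP to the outer header by
    default, which is the 'TOS or DSCP bits' exception Bob describes above.
    """
    ciphertext = bytes(b ^ 0xA5 for b in inner)
    esp = struct.pack("!II", spi, seq) + ciphertext
    outer_tos = inner[1] if copy_dscp else 0
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, outer_tos, len(esp)) + esp

def classify(packet):
    """What a shaper on the External interface can match: outer header fields only."""
    tos, proto = packet[1], packet[9]
    ports = None
    if proto == TCP_PROTO:
        ports = struct.unpack("!HH", packet[20:24])
    return {"proto": proto, "dscp": tos >> 2, "ports": ports}

def demo(copy_dscp=True):
    """Constructed sample: a DSCP EF (46) HTTPS packet from site A, before and after ESP."""
    site_a_host, site_b_host = bytes([10, 1, 0, 10]), bytes([10, 2, 0, 20])
    tcp = tcp_header(51000, 443)
    inner = ipv4_header(site_a_host, site_b_host, TCP_PROTO, 46 << 2, len(tcp)) + tcp
    outer = esp_tunnel(inner, spi=0x1000, seq=1,
                       outer_src=bytes([203, 0, 113, 1]), outer_dst=bytes([198, 51, 100, 1]),
                       copy_dscp=copy_dscp)
    return classify(inner), classify(outer)

if __name__ == "__main__":
    before, after = demo()
    print("before ESP:", before)   # ports and DSCP visible
    print("after ESP: ", after)    # only protocol 50 and the copied DSCP remain
```

Run with `copy_dscp=False` to see the case where the inner marking is not propagated: the outer packet is then just protocol 50 with DSCP 0, and nothing is left for a QoS rule to distinguish.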
The same principles apply, so it would be a rule on the External interface for traffic like 'External (Address) -> IPsec -> {site A}'. With rules like this on each side, you guarantee total bandwidth to the tunnel between the two sites. Is that what you were trying to accomplish?
Cheers - Bob
...but you cannot do QoS on the traffic inside the tunnel...
I can't understand why Astaro does not support this very important feature!
Cisco implemented this function already in IOS 12.2 (year 2006!!):
"QoS for Virtual Private Networks
The QoS for Virtual Private Networks (VPNs) feature is designed for tunnel interfaces. When the feature is enabled, the QoS features on the output interface classify packets before encryption, allowing traffic flows to be adjusted in congested environments. The result is more effective packet tunneling..."
This is frustrating [:@]
It's so easy to create automatic QoS Rules from the Flow Monitor (I can even see all protocols passing the VPN tunnel), but this didn't work.
Now I know why... [:(]
I love Astaro firewalls and I hope that this feature will be implemented in a future release.
The exception is for packets that have TOS or DSCP bits set.
I think this is the same technique used by Cisco, except I think Cisco added the ability to mark packets instead of just prioritizing packets marked by other devices or applications. You might want to vote for this feature request.
Cheers - Bob