Topic: I want to make sure VPN traffic has priority through my system.  (Read 3455 times)
« on: April 15, 2007, 19:18:46 »
seckid *
Posts: 1


Hello everyone.

I am brand new to monowall and do not as of yet fully understand how to program the settings.  But rather than wait the few days/weeks it will take to become proficient, I was hoping one of you could help me out while I continue to learn.

I have configured the monowall as a passthrough device (using advanced outbound NAT) from my Internet provider (6mb/6mb) to my internet switch. The switch is where I have a bank of webservers, VPN servers, email servers, etc. that my users connect to. I chose this setup because I would like to set up firewall rules/filtering/shaping before any internet data comes into the building.

Usually, towards the end of the day my internet usage gets maxed out. (Yes, I have a bunch of internet hogs on my circuits.) I also have remote users who come in through the internet and establish VPN connections to work. These people are having a hard time staying connected at the end of the day and their screens are extremely slow if they can stay connected.

My question is:

Is it possible to set up a rule to make sure my VPN users have priority to the internet bandwidth so they stay fast?

How would I go about doing that?


« Reply #1 on: April 16, 2007, 21:47:47 »
JonnyRo *
Posts: 13

If I have understood correctly in past discussions, VPN traffic cannot be traffic shaped.

That being said, you may be able to exploit that fact to prioritize VPN traffic above all else. If you use the traffic shaper to specify a pipe speed that is less than your true pipe speed, you will be keeping a "reserve" that can only be seen by VPN users.

This of course does reduce your total utilization of the pipe somewhat.

You could also use a separate m0n0wall unit for PPTP VPN, inside your LAN and have the external m0n0wall pass traffic to it.

« Reply #2 on: April 16, 2007, 23:08:55 »
clarknova ***
Posts: 148

If you want to prioritise PPTP traffic as a whole, then you can use pipes or queues to reserve bandwidth for traffic of type GRE, as all PPTP is tunnelled through GRE.

I guess a similar tactic would work for all of IPSEC traffic as well, but I don't know what it looks like, maybe ESP or something.

That should give you a start, anyway. There is, of course, still the task of learning how to use pipes and queues. A pipe will never share its bandwidth with another pipe, while a queue will 'lend' unused bandwidth to other queues in the same pipe. All queues run through a pipe.

So you will need to set up at least one pipe, with all pipes totalling 6mbit or less in each direction, in your case. It's a good idea to go with about 20% less until you know exactly what you're getting from your ISP. For example, I was on a "512" uplink with a certain ISP, but discovered through experimentation that if I set my pipe to 499, I could maintain good control over realtime traffic, but if I set my pipe to 501, things got unresponsive when the link was full, indicating that my connection was actually throttled to 500 upstream. There has been ample discussion on this principle in the list archive, as well as in the Linux Advanced Routing and Traffic Control (lartc.org) manual (see the section on TBF).

Hope this helps get you on your feet at least.

db
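A small Python model of the scheme clarknova describes above: one pipe sized 20% under the nominal 6 Mbit link, two queues inside it that lend unused bandwidth to each other, and classification of PPTP by GRE (extended here, with confidence, to IPsec via ESP/AH plus IKE on UDP 500/4500). This is an added example, not code from the thread or from m0n0wall itself; the 70/30 queue weights, the `Flow` type and the sample flows are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass

# IP protocol numbers and ports are well-known values, not taken from the thread.
GRE, ESP, AH, TCP, UDP = 47, 50, 51, 6, 17
PPTP_CTRL_PORT, IKE_PORTS = 1723, {500, 4500}
WEIGHTS = {"vpn": 70, "bulk": 30}      # assumed queue weights inside the one pipe

@dataclass(frozen=True)
class Flow:                            # hypothetical flow record for the model
    proto: int           # IP protocol number
    dport: int           # destination port (0 when not TCP/UDP)
    demand_kbit: float   # what the flow would send if unconstrained

def classify(flow):
    """'vpn' for PPTP (GRE + TCP 1723 control) and IPsec (ESP/AH + IKE), else 'bulk'."""
    if flow.proto in (GRE, ESP, AH):
        return "vpn"
    if (flow.proto, flow.dport) == (TCP, PPTP_CTRL_PORT):
        return "vpn"
    if flow.proto == UDP and flow.dport in IKE_PORTS:
        return "vpn"
    return "bulk"

def share_pipe(pipe_kbit, weights, demands):
    """Weighted split of one pipe among its queues. A queue needing less than its
    weighted share hands the remainder to the others (queue semantics); a separate
    pipe would never lend, which is why VPN and bulk sit in the same pipe here."""
    alloc = {q: 0.0 for q in weights}
    left = float(pipe_kbit)
    active = {q for q in weights if demands[q] > 0}
    while active and left > 0:
        total_w = sum(weights[q] for q in active)
        satisfied = [q for q in active if demands[q] <= left * weights[q] / total_w]
        if satisfied:                  # give these their full demand, lend the rest
            for q in satisfied:
                alloc[q] += demands[q]; left -= demands[q]; active.discard(q)
            continue
        for q in active:               # everyone is saturated: split strictly by weight
            alloc[q] += left * weights[q] / total_w
        left = 0.0
    return alloc

def plan(flows, link_kbit=6000, margin_pct=20, weights=WEIGHTS):
    """Size the pipe margin_pct under the nominal link, then split it by queue weight."""
    pipe = link_kbit * (100 - margin_pct) / 100
    demands = {q: 0.0 for q in weights}
    for f in flows:
        demands[classify(f)] += f.demand_kbit
    return pipe, share_pipe(pipe, weights, demands)

if __name__ == "__main__":
    # constructed end-of-day mix: one PPTP tunnel plus web and mail hogs
    print(plan([Flow(GRE, 0, 800), Flow(TCP, 80, 6000), Flow(TCP, 25, 3000)]))
```

With the bulk queue saturated, the VPN queue still gets its full 800 kbit and lends the rest; only when both queues saturate does the 70/30 weight split take over.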