Colleagues, can you tell me how to correctly mark IPSec traffic so that the mark can then be attached in a Queue and so that the queue actually picks up this mark? I want to set a priority for VPN traffic between sites. A site-to-site VPN (IPSec) is configured.
I found a bunch of guides on the internet, but in Mangle the counters are running, while in the Queue there is silence. ROS 6.48.6.
I tried this:
Code:
;;; IPSec01-in
chain=prerouting action=mark-connection new-connection-mark=IPSec01-connection passthrough=yes in-interface-list=WAN log=no log-prefix="" ipsec-policy=in,ipsec
chain=prerouting action=mark-packet new-packet-mark=IPSec01-packet passthrough=no connection-mark=IPSec01-connection in-interface-list=WAN log=no log-prefix=""
;;; IPSec01-out
chain=postrouting action=mark-connection new-connection-mark=IPSec01-connection passthrough=yes out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,ipsec
chain=postrouting action=mark-packet new-packet-mark=IPSec01-packet passthrough=no connection-mark=IPSec01-connection out-interface-list=WAN log=no log-prefix=""
I also tried this:
Code:
;;; IPSec-forward-in
chain=forward action=mark-connection new-connection-mark=IPSec01-connection passthrough=yes log=no log-prefix="" ipsec-policy=in,ipsec
chain=forward action=mark-packet new-packet-mark=IPSec01-packet passthrough=no connection-mark=IPSec01-connection log=no log-prefix=""
;;; IPSec-forward-out
chain=forward action=mark-connection new-connection-mark=IPSec01-connection passthrough=yes log=no log-prefix="" ipsec-policy=out,ipsec
chain=forward action=mark-packet new-packet-mark=IPSec01-packet passthrough=no connection-mark=IPSec01-connection log=no log-prefix=""
And this:
Code:
chain=input action=mark-connection new-connection-mark=IPSec01-connection passthrough=yes protocol=ipsec-esp log=no log-prefix=""
chain=input action=mark-packet new-packet-mark=IPSec01-packet passthrough=no connection-mark=IPSec01-connection log=no log-prefix=""
chain=output action=mark-connection new-connection-mark=IPSec01-connection passthrough=yes protocol=ipsec-esp log=no log-prefix=""
chain=output action=mark-packet new-packet-mark=IPSec01-packet passthrough=yes connection-mark=IPSec01-connection log=no log-prefix=""
And this:
Code:
chain=input action=mark-connection new-connection-mark=IPSec01-connection passthrough=yes log=no log-prefix="" ipsec-policy=in,ipsec
chain=input action=mark-packet new-packet-mark=IPSec01-packet passthrough=no connection-mark=IPSec01-connection log=no log-prefix=""
chain=output action=mark-connection new-connection-mark=IPSec01-connection passthrough=yes log=no log-prefix="" ipsec-policy=out,ipsec
chain=output action=mark-packet new-packet-mark=IPSec01-packet passthrough=no connection-mark=IPSec01-connection log=no log-prefix=""
Queue:
Code:
0 ;;; Parrent01
name="Parrent01" target=bridge dst=ether1 parent=none packet-marks="" priority=8/8 queue=pcq-upload-default/pcq-download-default limit-at=0/0 max-limit=49M/49M burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s bucket-size=0.1/0.1
3 ;;; IPSec-traffic01
name="IPSec-traffic01" target=bridge dst=ether1 parent=Parrent01 packet-marks=IPSec01-packet priority=3/3 queue=pcq-upload-default/pcq-download-default limit-at=5M/5M max-limit=49M/49M burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s bucket-size=0.1/0.1