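#!/bin/bash
#
# rc.qos-inet
# By Champ Clark [champ at softwink.com]
# Softwink, Inc [800-538-9357 ext 101]
#
# NOTE(review): the header names this file rc.qos-inet, but the text below
# describes a companion script that runs *after* rc.qos-inet; confirm the
# intended file name.
#
# This file is to control the flow between office and office via OpenVPN.
# Unlike rc.qos-inet, we can control the flow a bit more, since we
# control the tunnel devices. So, after rc.qos-inet runs (and does
# what it can to help us), we apply some QoS rules to the VPN
# tunnel interfaces.
#
# Needs privileges to modify qdiscs and the iptables mangle table.

IPT="/usr/sbin/iptables"

# The upload/download should be about 5% (sometimes more) below the
# total link. This keeps the link from being completely saturated
# with data. When that happens, you can't get ACK's back from
# connections, and this brings everything to a halt. These are
# in kbits.
DOWNLINK=710
UPLINK=710

DEVICE="tun0 tun1"    # OpenVPN tap/tun devices (space separated).
VOIPPORTS="4569"      # IAX2 uses this in/out [UDP] (space separated).

# The "everything else" class gets 90% of the uplink; the remaining 10%
# is headroom kept for the interactive class. ($[ ... ] is obsolete bash
# arithmetic syntax; $(( )) is the supported form.)
BULK_RATE=$(( 9 * UPLINK / 10 ))

#######################################
# Print a message to stderr and exit.
# Arguments: message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Append an iptables mangle rule unless an identical one is already
# present, so re-running this script does not pile up duplicate rules.
# Globals:   IPT (read)
# Arguments: rule spec, chain first, as given to iptables after "-t mangle"
#######################################
ensure_mangle_rule() {
  "$IPT" -t mangle -C "$@" 2>/dev/null || "$IPT" -t mangle -A "$@"
}

#######################################
# Mark outbound VoIP (UDP) packets ToS Minimize-Delay so the tc filter
# in classify_egress steers them into the interactive class. We only do
# OUTPUT (and FORWARD), since that's all we need. These rules do not
# depend on the device, so they are installed once rather than once per
# tunnel as the original loop did.
# Globals:   VOIPPORTS (read)
#######################################
mark_voip_tos() {
  local port
  for port in $VOIPPORTS; do
    ensure_mangle_rule OUTPUT  -p udp --dport "$port" -j TOS --set-tos Minimize-Delay
    ensure_mangle_rule FORWARD -p udp --dport "$port" -j TOS --set-tos Minimize-Delay
  done
}

#######################################
# Cleanup: remove any qdiscs a previous run left on the device. Failure
# is expected on a device with no qdisc, hence the silenced output.
# Arguments: $1 - tunnel device
#######################################
reset_dev() {
  local dev=$1
  tc qdisc del dev "$dev" root    >/dev/null 2>&1
  tc qdisc del dev "$dev" ingress >/dev/null 2>&1
  return 0
}

#######################################
# Upstream traffic: HTB root whose default class is 1:20. Class 1:10 is
# for VoIP/VPN stuff (full rate, prio 1); class 1:20 is everything else
# (BULK_RATE, prio 2). Both hang off 1:1 so they share spare bandwidth,
# and each gets an SFQ leaf for fairness between flows.
# Globals:   UPLINK, BULK_RATE (read)
# Arguments: $1 - tunnel device
#######################################
shape_egress() {
  local dev=$1
  tc qdisc add dev "$dev" root handle 1: htb default 20
  tc class add dev "$dev" parent 1: classid 1:1 htb rate "${UPLINK}kbit" burst 6k

  # VoIP/VPN stuff will go here
  tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "${UPLINK}kbit" \
    burst 6k prio 1

  # Everything else, will go here.
  tc class add dev "$dev" parent 1:1 classid 1:20 htb rate "${BULK_RATE}kbit" \
    burst 6k prio 2

  # But share, when you can.
  tc qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
  tc qdisc add dev "$dev" parent 1:20 handle 20: sfq perturb 10
}

#######################################
# Steer traffic into the interactive class 1:10: anything already marked
# ToS Minimum Delay (SSH sets it itself, Asterisk normally does, and
# mark_voip_tos forces it for the VoIP ports just to be safe), ICMP, and
# small ACK-only TCP segments.
# NOTE(review): the ToS match honours whatever ToS value the sender put
# on the packet. Between two offices we administer that is fine; on an
# interface facing peers we do not control it would let them claim the
# priority class for their own traffic simply by setting the bit.
# Arguments: $1 - tunnel device
#######################################
classify_egress() {
  local dev=$1
  tc filter add dev "$dev" parent 1:0 protocol ip prio 10 u32 \
    match ip tos 0x10 0xff flowid 1:10
  tc filter add dev "$dev" parent 1:0 protocol ip prio 10 u32 \
    match ip protocol 1 0xff flowid 1:10

  # To speed up downloads while an upload is going on, put ACK packets in
  # the interactive class: TCP, IP header length 5 (no options), total
  # length below 64 bytes, TCP flags byte == ACK only.
  tc filter add dev "$dev" parent 1: protocol ip prio 10 u32 \
    match ip protocol 6 0xff \
    match u8 0x05 0x0f at 0 \
    match u16 0x0000 0xffc0 at 2 \
    match u8 0x10 0xff at 33 \
    flowid 1:10
}

#######################################
# Limit inbound/ingress traffic as much as possible: attach an ingress
# qdisc, filter *everything* to it (0.0.0.0/0) and drop whatever comes
# in faster than DOWNLINK.
# Globals:   DOWNLINK (read)
# Arguments: $1 - tunnel device
#######################################
police_ingress() {
  local dev=$1
  tc qdisc add dev "$dev" handle ffff: ingress
  tc filter add dev "$dev" parent ffff: protocol ip prio 50 u32 match ip src \
    0.0.0.0/0 police rate "${DOWNLINK}kbit" burst 10k drop flowid :1
}

main() {
  local dev
  command -v tc >/dev/null 2>&1 || die "tc not found in PATH"
  [[ -x "$IPT" ]] || die "iptables not found at $IPT"

  mark_voip_tos

  # DEVICE is deliberately unquoted: it is a space-separated list.
  # shellcheck disable=SC2086
  for dev in $DEVICE; do
    reset_dev "$dev"
    shape_egress "$dev"
    classify_egress "$dev"
    police_ingress "$dev"
  done
}

main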