@falkowich As far as I know, that cannot be completely correct. Your outbound traffic-policy can perfectly work when applied to a SNAT outbound interface using fwmark, but an inbound traffic-policy won’t be able to match addresses when using SNAT. Well, it is possible to make it happen, but I don’t think it is possible through VyOS CLI, at least for the time being (we have an open Phabricator task for it).
Currently, with VyOS CLI, if you are applying an ingress shaping policy to a SNATed interface, you won’t be able to match addresses of your inbound traffic; everything will be falling into default. If you just want to shape without classifying (all traffic going to default), everything will be good.
You can subscribe to the Phabricator task to get updated when there is any news.
In the meantime, you may want to consider applying a Shaper outbound policy to your INSIDE interface as a workaround, or configuring everything through the non-VyOS commands as in the provided link.
Regarding your question on ceiling: it is applied per class (default being a class too).