Hi, I have very little experience of QoS rules so I’m hoping somebody here can help.
I have a VyOS router where the outgoing traffic on an IPsec VTI connection is almost saturating my internet link, so I thought I'd apply a rate-control traffic-policy in the outgoing direction on the VTI interface. The trouble is, as soon as I apply the traffic-policy the throughput on the VTI goes down to 300mbit/s no matter what the actual limit is in the traffic-policy. When the policy isn't applied the VTI is usually pushing through something like 700mbit/s.
I also applied a limiter policy for a few different services in the inbound direction on the internet connection, and that policy doesn't seem to limit throughput in the same way.
The rate-control policy for the VTI interface is as follows:
edit traffic-policy rate-control qos-Verne-out
set description "Limit traffic to Verne DC to 600mbit/s"
set bandwidth 600mbit
set burst 800mbit
exit
set interfaces vti vti0 traffic-policy out qos-Verne-out
The OS version on the VyOS box is:
Version: VyOS 1.2.0-rolling+201902251818
Are there any performance pitfalls for QoS rules on VTI interfaces that I’m falling into? Is there some intrinsic limit on the throughput of traffic-policy on VTI interfaces? Am I simply being stupid and my config is all wrong?
The configuration for the VTI tunnel is this (edited slightly for anonymity):
edit vpn ipsec esp-group esp-default-ourcompany
set compression 'disable'
set lifetime '3600'
set mode 'tunnel'
set pfs 'enable'
set proposal 1 encryption 'aes256'
set proposal 1 hash 'sha256'
exit
edit vpn ipsec ike-group ike-default-ourcompany
set dead-peer-detection action 'restart'
set dead-peer-detection interval '30'
set dead-peer-detection timeout '30'
set ikev2-reauth 'no'
set key-exchange 'ikev2'
set lifetime '28800'
set proposal 1 dh-group '14'
set proposal 1 encryption 'aes256'
set proposal 1 hash 'sha256'
exit
edit vpn ipsec site-to-site peer 1.2.3.4
set authentication mode 'pre-shared-secret'
set authentication pre-shared-secret 'xxxx'
set connection-type 'initiate'
set description 'Tunnel to fw-verne'
set ike-group 'ike-default-ourcompany'
set ikev2-reauth 'inherit'
set local-address '5.6.7.8'
set vti bind 'vti0'
set vti esp-group 'esp-default-ourcompany'
exit
edit interfaces vti vti0
set address '169.254.22.1/30'
set description 'VPN-tunnel-Verne'
[...omitting some ospf stuff here...]
set mtu '1436'
set traffic-policy out qos-Verne-out
exit
Edit: added version info
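The rate-control policy in the post is a token bucket: 'bandwidth' is the rate at which tokens are refilled and 'burst' is the size of the bucket. The following Python model is an added illustration, not code from the post, from VyOS or from the Linux kernel. It shows how those two knobs interact when tokens are only refilled on a scheduler tick: a bucket smaller than one tick's worth of tokens caps throughput below the configured rate (the classic tc-tbf sizing warning), a bucket of exactly one tick's worth gives roughly the configured rate, and a very large bucket lets far more than the rate through until it drains. The tick lengths (1 ms and 4 ms), the bucket sizes tried, and the treatment of burst as a byte count are assumptions of the model; the 600mbit rate and 1436-byte MTU are taken from the post. It does not reproduce or explain any particular measured figure.

```python
"""Token-bucket shaper model: how a rate-control policy's 'bandwidth' (token
refill rate) and 'burst' (bucket capacity) interact.

Added illustration only. This is not VyOS, Linux tc or kernel code; the
scheduler tick is a parameter of the model (an assumption), and burst is
treated as a byte count.
"""

RATE_UNITS = {"bit": 1, "kbit": 10**3, "mbit": 10**6, "gbit": 10**9}
SIZE_UNITS = {"b": 1, "kb": 10**3, "mb": 10**6, "gb": 10**9}


def parse_with_units(value: str, units: dict) -> int:
    """'600mbit' -> 600_000_000 (bits); '15kb' -> 15_000 (bytes)."""
    v = value.strip().lower()
    for suffix in sorted(units, key=len, reverse=True):  # longest suffix first
        if v.endswith(suffix):
            return int(float(v[: -len(suffix)]) * units[suffix])
    return int(v)


def bytes_per_tick(rate_bps: int, tick_us: int) -> int:
    """Tokens (bytes) that arrive during one scheduler tick.  A bucket smaller
    than this can never hold a whole tick's worth of tokens, so the achievable
    rate is capped below 'bandwidth'."""
    return rate_bps * tick_us // 8_000_000


def simulate(rate_bps: int, burst_bytes: int, pkt_bytes: int,
             tick_us: int = 1_000, duration_us: int = 1_000_000) -> dict:
    """Offer an infinite backlog of pkt_bytes-sized packets to a token bucket.

    Tokens are refilled and packets dequeued only on tick boundaries, and the
    bucket starts full, so the first tick may release up to burst_bytes at
    once.  Packets larger than the bucket can never be paid for and are
    reported as an oversize drop (tbf behaves the same way).
    Returns bytes sent and the achieved average rate in bit/s.
    """
    if pkt_bytes > burst_bytes:
        return {"sent_bytes": 0, "achieved_bps": 0, "oversize_drop": True}
    refill = bytes_per_tick(rate_bps, tick_us)
    tokens = burst_bytes            # bucket starts full
    sent = 0
    for _ in range(duration_us // tick_us):
        tokens = min(burst_bytes, tokens + refill)
        n = tokens // pkt_bytes     # whole packets the bucket can pay for now
        sent += n * pkt_bytes
        tokens -= n * pkt_bytes
    return {"sent_bytes": sent,
            "achieved_bps": sent * 8 * 1_000_000 // duration_us,
            "oversize_drop": False}


if __name__ == "__main__":
    rate = parse_with_units("600mbit", RATE_UNITS)   # the post's 'bandwidth'
    mtu = 1436                                       # the post's vti0 MTU
    for burst in ("15kb", "75kb", "100mb"):          # constructed bucket sizes
        for tick in (1_000, 4_000):                  # assumed 1 ms / 4 ms ticks
            r = simulate(rate, parse_with_units(burst, SIZE_UNITS), mtu, tick)
            print(f"burst={burst:>6} tick={tick // 1000}ms  "
                  f"achieved={r['achieved_bps'] / 1e6:7.1f} Mbit/s over 1 s")
```

Reading the output: with a 15 kB bucket the model releases only ten MTU-sized packets per tick, so the shaper sits far below 600 Mbit/s however high 'bandwidth' is set, and a coarser tick makes it worse; a 75 kB bucket (one millisecond of tokens at 600 Mbit/s) tracks the configured rate; a 100 MB bucket lets the first second run well above the rate and only averages down towards 600 Mbit/s over a longer window. The practical check this suggests is to compare the bucket size against bytes_per_tick() for the rate in use before blaming the rate itself.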