Hi, I have very little experience of QoS rules so I’m hoping somebody here can help.
I have a VyOS router where the outgoing traffic on an IPSec VTI connection is almost saturating my internet link, so I thought I’d apply a rate-control traffic-policy in the outgoing direction on the VTI interface. The trouble is, as soon as I apply the traffic-policy the throughput on the VTI goes down to 300mbit/s no matter what the actual limit is in the traffic-policy. When the policy isn’t applied the VTI is usually pushing through something like 700mbit/s.
I also applied an ingoing limiter policy for a few different services on the inbound direction on the internet connection and that policy doesn’t seem to limit throughput in the same way.
The rate-control policy for the VTI interface is as follows:
    edit traffic-policy rate-control qos-Verne-out
    set description "Limit traffic to Verne DC to 600mbit/s"
    set bandwidth 600mbit
    set burst 800mbit
    exit
    set interfaces vti vti0 traffic-policy out qos-Verne-out
The OS version on the VyOS box is:
Version: VyOS 1.2.0-rolling+201902251818
Are there any performance pitfalls for QoS rules on VTI interfaces that I’m falling into? Is there some intrinsic limit on the throughput of traffic-policy on VTI interfaces? Am I simply being stupid and my config is all wrong?
The configuration for the VTI tunnel is this (edited slightly for anonymity):
    edit vpn ipsec esp-group esp-default-ourcompany
    set compression 'disable'
    set lifetime '3600'
    set mode 'tunnel'
    set pfs 'enable'
    set proposal 1 encryption 'aes256'
    set proposal 1 hash 'sha256'
    exit

    edit vpn ipsec ike-group ike-default-ourcompany
    set dead-peer-detection action 'restart'
    set dead-peer-detection interval '30'
    set dead-peer-detection timeout '30'
    set ikev2-reauth 'no'
    set key-exchange 'ikev2'
    set lifetime '28800'
    set proposal 1 dh-group '14'
    set proposal 1 encryption 'aes256'
    set proposal 1 hash 'sha256'
    exit

    edit vpn ipsec site-to-site peer 184.108.40.206
    set authentication mode 'pre-shared-secret'
    set authentication pre-shared-secret 'xxxx'
    set connection-type 'initiate'
    set description 'Tunnel to fw-verne'
    set ike-group 'ike-default-ourcompany'
    set ikev2-reauth 'inherit'
    set local-address '220.127.116.11'
    set vti bind 'vti0'
    set vti esp-group 'esp-default-ourcompany'
    exit

    edit interfaces vti vti0
    set address '169.254.22.1/30'
    set description 'VPN-tunnel-Verne'
    [...omitting some ospf stuff here...]
    set mtu '1436'
    set traffic-policy out qos-Verne-out
    exit
Edit: added version info