Traffic policy and IPSec VTI

there is a local office network behind VyOS with access to the Internet for users via NAT. VyOS keeps the IPSec VTI tunnel with another remote office network.
The bandwidth of Internet channel is 10 mb/s.

  • Provide a guaranteed bandwidth for incoming traffic from the remote network - 4 Mb/s.
  • for the rest incoming traffic (whole Internet) to give 6 Mb/s
    But if the traffic from the remote network needs more than 4 Mb/s, it can safely occupy the entire band.
    I’m new to using tc. Tell me, is this really done and about how?

shape on LAN interface, in outgoing direction.
Use shaper, and make 2 classes:
:Default (=InternetDownload)
Create outer BW limit of about 9Mbit.
VPN class matches on source IP network of remote network. give it 45% BW , and ceiling of about 100% and best prio
Default class needs no match as it captures the rest, give it BW 10% Ceiling 100% and worse prio