Prioritize Packets withhin IPsec tunnel
Posted: Fri Oct 09, 2015 3:14 pm
Hi there,
we're using a RB2011 as a branch router for a remote office. There is an IPsec tunnel configured that connects the remote office's internal network to the main network. Among other internal traffic, there is also a VoIP connection between a SIP-DECT base station inside the remote office and our PBX host in the main network. So far, everything works great.
However, to be ready for increases in traffic from the remote office, I'd like to able to prioritize VoIP connections over all other connections--and I struggle to see how I could do this. If I understand the packet flow diagram at http://wiki.mikrotik.com/wiki/Manual:Packet_Flow ("IPsec encryption") correctly, the the HTB is only hit after the VoIP packets have been encapsulated in IPsec packets, so I don't know how I could set up the queues correctly as all they will ever see are ESP packets going to the other router.
Obviously what I could do is to setup two separate tunnels, one for VoIP and one for all the other traffic, but I'd prefer to keep it a bit more simple, especially because the RB2011 doesn't seem to be the most efficient at IPsec encryption.
Is there any other way to be able to prioritize the VoIP packets inside the IPsec tunnel? I'd be grateful for any pointers--if more details of the setup are required, I'll gladly provide them.
Thanks & best regards,
Dorian
we're using a RB2011 as a branch router for a remote office. There is an IPsec tunnel configured that connects the remote office's internal network to the main network. Among other internal traffic, there is also a VoIP connection between a SIP-DECT base station inside the remote office and our PBX host in the main network. So far, everything works great.
However, to be ready for increases in traffic from the remote office, I'd like to able to prioritize VoIP connections over all other connections--and I struggle to see how I could do this. If I understand the packet flow diagram at http://wiki.mikrotik.com/wiki/Manual:Packet_Flow ("IPsec encryption") correctly, the the HTB is only hit after the VoIP packets have been encapsulated in IPsec packets, so I don't know how I could set up the queues correctly as all they will ever see are ESP packets going to the other router.
Obviously what I could do is to setup two separate tunnels, one for VoIP and one for all the other traffic, but I'd prefer to keep it a bit more simple, especially because the RB2011 doesn't seem to be the most efficient at IPsec encryption.
Is there any other way to be able to prioritize the VoIP packets inside the IPsec tunnel? I'd be grateful for any pointers--if more details of the setup are required, I'll gladly provide them.
Thanks & best regards,
Dorian