Answer the question
In order to leave comments, you need to log in
How to find out through which interface ipsec traffic passed after it was de-encapsulated to implement qos in mikrotik?
There are two mikrotik routers, each of them has two wan interfaces, each wan interface is connected to its own provider and has its own speed limit.
An ipSec tunnel is configured between mirtoik (in tunnel mode) without being tied to a specific interface (i.e. ipSec will encrypt traffic regardless of which interface it goes through, the main thing is that it will reach the target node via any available route).
This is convenient because there is only one tunnel between two routers and it will work if the provider fails, just rebuild through a different interface. Thus, it is not necessary to raise ipSec on each interface and have static addresses on all interfaces.
Inside ipSec, an IPIP tunnel runs, into which all traffic that needs to be transferred between the two networks is directed.
wan interface - wan ip address - ipsec bridege inteface - ipsec ip address - ipip interface - ipip ip
adress
You need to configure QOS, if the wan interfaces had the same speed, this would not be a problem.
But wan interfaces have different speeds, and therefore the traffic passing through each of them needs to be marked differently and placed in different queues. Marking ipSec traffic itself is not a problem, it receives a label on the interface through which it passed. But you need to mark up traffic inside ipSec( inside IPIP ).
For example, sip traffic that is decapsulated from ipSec traffic received via wan1 should receive one label, and the same traffic received from ipSec traffic received via wan2 should receive another label.
Is it possible to implement this?
As an example, put a label on the incoming ipSec packet, which will be saved on the IPIP packet, which will be saved on the already simple IP packet. But as far as I understand, the label is not saved during these transformations.
Answer the question
In order to leave comments, you need to log in
In general, this is possible.
Here are the traffic flow diagrams (about IPsec at the very bottom) https://wiki.mikrotik.com/wiki/Manual:Packet_Flow
Here is an example of setting up QoS inside the
tunnel https://www.youtube.com/watch?v=sm7QGWl7Xh8
two sets of rules, for two interfaces. Traffic will be affected only by those rules that apply to the currently active interface.
An ipSec tunnel is configured between mirtoik (in tunnel mode) without being tied to a specific interface (i.e. ipSec will encrypt traffic regardless of which interface it goes through, the main thing is that it will reach the target node via any available route).
This is convenient because there is only one tunnel between two routers and it will work if the provider fails, just rebuild through a different interface. Thus, it is not necessary to raise ipSec on each interface and have static addresses on all interfaces.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question