
Branch office 1 – Allied Telesis AlliedWare AR440S User Manual


Page 47 | AlliedWare™ OS How To Note: VPNs for Corporate Networks

branch office 1

# Branch office 1: firewall, VoIP QoS and trigger configuration (AlliedWare OS
# CLI script). Lines beginning with "#" are comments. The commands use the
# abbreviated keywords the manual shows. Long commands are wrapped across two
# lines in the manual: each "ip=..." line below continues the "add firewall"
# command immediately above it.
#
# Create a pair of rules to allow office-to-office payload traffic to
# pass through the firewall without applying NAT.
# The rule for the public interface uses encapsulation=ipsec to
# identify incoming VPN traffic.
add firewall poli=branch1 ru=4 ac=non int=ppp0 prot=all enc=ips
# The rule for the private interface uses both source and destination
# addresses to identify outgoing VPN traffic (the rem= range is the set of
# remote office networks reached over the VPN).
add firewall poli=branch1 ru=5 ac=non int=vlan1 prot=all
ip=192.168.141.1-192.168.141.254
set firewall poli=branch1 ru=5 rem=192.168.140.0-192.168.144.254
# If you configured SSH, create a rule for SSH traffic.
# ip= and gblip= are the same address here, so the rule presumably exposes
# port 22 of the router's own public address (management access) rather than
# translating to an inside host - confirm against the addressing plan.
# NOTE(review): unlike rule 5 above, this rule carries no rem= (remote
# address) restriction, so as written it admits SSH from any source that
# reaches ppp0. If the management stations are known, limiting rem= to their
# addresses reduces the exposed surface - confirm against the deployment.
add firewall policy=branch1 ru=6 ac=allo int=ppp0 prot=tcp po=22
ip=222.222.222.1 gblip=222.222.222.1 gblp=22
# If you use telnet instead (not recommended), create a rule for it.
# (Left commented out in the manual: telnet carries the login session in
# cleartext, so the SSH rule above is the preferred management path.)
# add firewall policy=branch1 ru=7 ac=allo int=ppp0 prot=tcp po=23
# ip=222.222.222.1 gblip=222.222.222.1 gblp=23
#
# INT configuration - if prioritising VoIP
# Small MTU with fragmentation enabled on the public interface; presumably so
# that large data packets are split and do not delay voice packets queued
# behind them on the link - confirm against the QoS design.
set int=ppp0 mtu=256
set int=ppp0 frag=yes
#
# CLASSIFIER configuration - if prioritising VoIP
# Create a classifier to identify voice traffic (DSCP value 48 in
# this example).
create class=48 ipds=48
#
# Software QoS configuration - if prioritising VoIP
ena sqos
# Create a traffic class. This traffic class tags the classified
# traffic as high priority on the interface queue. Also, make the
# queue small - this is optimal for VoIP traffic.
cre sqos tr=1 prio=15 maxq=10
# Create a policy with a virtual bandwidth and assign the traffic
# class to this policy, then attach the policy to the VPN tunnel interface.
cre sqos poli=1 virt=120kbps
add sqos poli=1 tr=1
add sqos tr=1 class=48
set sqos interface=ipsec-hq tunnelpolicy=1
#
# TRIGGER configuration - if prioritising VoIP
# Create triggers to apply SQoS to the dynamic PPP interfaces of up
# to four simultaneous roaming VPN client connections. See page 34
# for the script each trigger runs.
# NOTE(review): all four triggers name interface=ppp0 while each runs a
# different script (ppp0up.scp .. ppp3up.scp); confirm against page 34 that
# this is intended rather than one trigger per dynamic PPP interface.
enable trigger
create trigger=1 interface=ppp0 event=up cp=ipcp script=ppp0up.scp
create trigger=2 interface=ppp0 event=up cp=ipcp script=ppp1up.scp
create trigger=3 interface=ppp0 event=up cp=ipcp script=ppp2up.scp
create trigger=4 interface=ppp0 event=up cp=ipcp script=ppp3up.scp