branch office 1
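# AlliedWare OS configuration fragment for branch office 1. It adds the
# firewall rules for site-to-site VPN payload traffic and for remote
# management, then (optionally) prioritises VoIP with Software QoS and
# installs triggers for roaming VPN client connections.
# A line break ends a command in this CLI, so the commands that the
# printed note wrapped onto a second line are rejoined here.
#
# Create a pair of rules to allow office-to-office payload traffic to
# pass through the firewall without applying NAT.
# The rule for the public interface uses encapsulation=ipsec to
# identify incoming VPN traffic.
add firewall poli=branch1 ru=4 ac=non int=ppp0 prot=all enc=ips
# The rule for the private interface uses both source and destination
# addresses to identify outgoing VPN traffic.
add firewall poli=branch1 ru=5 ac=non int=vlan1 prot=all ip=192.168.141.1-192.168.141.254
set firewall poli=branch1 ru=5 rem=192.168.140.0-192.168.144.254
# If you configured SSH, create a rule for SSH traffic.
add firewall policy=branch1 ru=6 ac=allo int=ppp0 prot=tcp po=22 ip=222.222.222.1 gblip=222.222.222.1 gblp=22
# Rule 6 carries no remote-address restriction, unlike rule 5. Once the
# addresses administrators connect from are known, narrow it the same
# way (placeholder to be replaced with the real range):
# set firewall poli=branch1 ru=6 rem=<ADMIN-SOURCE-RANGE>
# If you use telnet instead (not recommended), create a rule for it.
# add firewall policy=branch1 ru=7 ac=allo int=ppp0 prot=tcp po=23 ip=222.222.222.1 gblip=222.222.222.1 gblp=23
# INT configuration - if prioritising VoIP
# Small MTU with fragmentation enabled on the WAN link - presumably so
# that large packets cannot hold up voice packets in the queue; confirm
# the value suits the link before deploying.
set int=ppp0 mtu=256
set int=ppp0 frag=yes
# CLASSIFIER configuration - if prioritising VoIP
# Create a classifier to identify voice traffic (DSCP value 48 in
# this example).
create class=48 ipds=48
# Software QoS configuration - if prioritising VoIP
ena sqos
# Create a traffic class. This traffic class tags the classified
# traffic as high priority on the interface queue. Also, make the
# queue small - this is optimal for VoIP traffic.
cre sqos tr=1 prio=15 maxq=10
# Create a policy with a virtual bandwidth and assign the traffic
# class to this policy.
cre sqos poli=1 virt=120kbps
add sqos poli=1 tr=1
add sqos tr=1 class=48
set sqos interface=ipsec-hq tunnelpolicy=1
# TRIGGER configuration - if prioritising VoIP
# Create triggers to apply SQoS to the dynamic PPP interfaces of up
# to four simultaneous roaming VPN client connections. See page 34
# for the script each trigger runs.
# NOTE(review): all four triggers watch interface=ppp0 while their
# scripts are named ppp0up..ppp3up; confirm against the page 34 scripts
# whether triggers 2-4 should instead watch ppp1..ppp3.
enable trigger
create trigger=1 interface=ppp0 event=up cp=ipcp script=ppp0up.scp
create trigger=2 interface=ppp0 event=up cp=ipcp script=ppp1up.scp
create trigger=3 interface=ppp0 event=up cp=ipcp script=ppp2up.scp
create trigger=4 interface=ppp0 event=up cp=ipcp script=ppp3up.scp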