We have a WR44 connected via GRE tunnels inside IPSec tunnels over GPRS via ppp1.
We have the FW enabled currently on ppp1 as follows:
#Allow outbound FTP traffic
pass out break end proto ftp from any to any port=ftpcnt flags S!A inspect-state
#Allow any other outbound traffic and the replies back in
pass out break end inspect-state
#Allow incoming IPSEC
pass break end proto 50
pass in break end proto udp from any to any port=ike
pass in break end proto udp from any to any port=4500
#Allow any traffic within an IPSEC tunnel in both directions
pass break end oneroute any
#Allow incoming SSH and SFTP
pass in break end proto tcp from any to any port=22222 flags S!A inspect-state
#Allow incoming HTTPS
pass in break end proto tcp from any to any port=443 flags S!A inspect-state
#Block and log everything else including incoming telnet, http and FTP
block log break end
This is working fine.
Our problem is, the instrumentation we have at the site sends a real-time stream over the link from source TCP port 5018, and this is the traffic we are interested in. The system also stores its data locally and, at the top of the hour, the central server will check if any data is missing; if it is, it will passively FTP it up from the instrument. The problem is this FTP session swamps the BW of the link, causing the real-time data to get delayed during the FTP.
What we want to do is prioritize the source TCP port 5018 traffic over the ftp data.
This source data enters interface eth0 and leaves interface ppp1.
The FW rule to mark the data should be something like this:
dscp 46 in on eth0 proto tcp from any to any port=5018
Can someone confirm that?
Now, my thinking is that I should mark this packet as it comes INTO the router on eth0, is that correct?
Question: If I enable the FW on eth0, all FW rules will be in effect on eth0, right? I don't want to block anything on eth0 from coming into the router, but there is only a single fw.txt file in the router, which means whichever interface I enable this on, all the rules will apply, right? Which means I lock myself out of my HTTP interface on eth0 if I enable the FW on eth0... so how do I do this?
Then, I enable QoS on interface ppp1, is that correct?
In short, I need a clarification on whether I need to enable the FW on eth0, on ppp1 or on both. If I do it on both, how do I do it so that I don't block myself out of the web interface on eth0?
Sorry for the dumb questions.
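As an added illustration (not from the original post and not Digi's own firewall engine), here is a simplified first-match model of the posted rule set in Python, showing why an inbound HTTP connection on eth0 would fall through to the final block rule if the same fw.txt were enabled there. It assumes that 'break end' stops evaluation at the first matching rule, that 'proto ftp' is TCP, that 'oneroute' rules match only packets arriving inside an IPsec tunnel, and it ignores stateful inspection and TCP flag matching.

```python
# Simplified first-match model of the rule set posted above (constructed for
# illustration; not the router's own firewall engine). Assumptions: 'break end'
# stops at the first match; 'proto ftp' is TCP; 'oneroute' needs an IPsec tunnel.
RULES = """
pass out break end proto ftp from any to any port=ftpcnt flags S!A inspect-state
pass out break end inspect-state
pass break end proto 50
pass in break end proto udp from any to any port=ike
pass in break end proto udp from any to any port=4500
pass break end oneroute any
pass in break end proto tcp from any to any port=22222 flags S!A inspect-state
pass in break end proto tcp from any to any port=443 flags S!A inspect-state
block log break end
"""

PORT_NAMES = {"ftpcnt": 21, "ike": 500}      # service names used in the rules
PROTO_NAMES = {"ftp": "tcp", "50": "esp"}    # 'proto ftp' = TCP (with FTP inspection)

def parse_rule(line):
    toks = line.split()
    rule = {"action": toks[0], "direction": None, "proto": None, "dport": None,
            "ipsec_only": "oneroute" in toks, "break": "break" in toks}
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule["direction"] = t
        elif t == "proto":
            i += 1
            rule["proto"] = PROTO_NAMES.get(toks[i], toks[i])
        elif t.startswith("port="):
            name = t[5:]
            rule["dport"] = PORT_NAMES.get(name) or int(name)
        i += 1
    return rule

RULESET = [parse_rule(l) for l in RULES.strip().splitlines()]

def evaluate(rules, direction, proto, dport, in_tunnel=False):
    """Return the action of the first matching rule that carries 'break',
    or None if nothing matched (the post does not state the router default)."""
    for r in rules:
        if r["direction"] not in (None, direction) or r["proto"] not in (None, proto):
            continue
        if r["dport"] not in (None, dport) or (r["ipsec_only"] and not in_tunnel):
            continue
        if r["break"]:
            return r["action"]
    return None
```

Calling evaluate(RULESET, "in", "tcp", 80) returns "block": no 'pass in' rule covers port 80, so only the trailing 'block log break end' matches, which is the web-interface lockout the question describes.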