Netgate Discussion Forum

    Simple VoIP Queue

    Traffic Shaping
    7 Posts 3 Posters 5.3k Views
    • xibalba

      Hey everyone,
      I'm trying to get a simple VoIP queue going. I've used the Traffic Shaper Wizard to create my queues and rules. After setting up the queue I cannot see any data passing through it, even though I have a call going. I'm going to include some screenshots below showing what was done.

      Now I am currently on a call between two phones. One phone is behind my pfSense router, the other is hooked up next to my desk. Quick overview of the topology:

      WAN -> LAN ( main network ) -> pfSense-WAN ( connected to company LAN )-> Private-LAN ( my private LAN at my desk )

      So I can see data passing between my phone and our softswitch

      SIP DATA:
      07:00:53.967075 IP 209.203.x.x.5060 > 10.10.10.193.5060: SIP, length: 863
      07:00:56.092746 IP 209.203.x.x.5060 > 10.10.10.224.5060: SIP, length: 683
      07:00:56.107921 IP 10.10.10.224.5060 > 209.203.x.x.5060: SIP, length: 394

      RTP DATA:
      07:01:26.066155 IP 10.10.10.224.21724 > 209.203.x.x.22038: UDP, length 32
      07:01:26.066380 IP 209.203.x.x.22038 > 10.10.10.224.21724: UDP, length 32

      I run pfctl -vvs queue while the phone call is still active and here are the results

      [admin@pfSense.reza.local]/root(43): pfctl -vvs queue
      queue root_vr0 on vr0 bandwidth 102.40Mb priority 0 {qwanRoot}
        [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
        [ qlength:  0/ 50 ]
      queue  qwanRoot on vr0 bandwidth 102.40Mb priority 0 {qwandef, qwanacks, qVOIPUp}
        [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
        [ qlength:  0/ 50 ]
      queue  qwandef on vr0 bandwidth 1.02Mb qlimit 500 hfsc( default realtime 1.02Mb )
        [ pkts:      3384  bytes:    3116488  dropped pkts:      0 bytes:      0 ]
        [ qlength:  0/500 ]
      queue  qwanacks on vr0 bandwidth 25.60Mb priority 7 hfsc( realtime 10.24Mb )
        [ pkts:      18045  bytes:    2282816  dropped pkts:      0 bytes:      0 ]
        [ qlength:  0/ 50 ]
      queue  qVOIPUp on vr0 bandwidth 25.60Mb priority 7 hfsc( realtime 1.02Mb )
        [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
        [ qlength:  0/ 50 ]
      queue root_vr2 on vr2 bandwidth 102.40Mb priority 0 {qlanRoot}
        [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
        [ qlength:  0/ 50 ]
      queue  qlanRoot on vr2 bandwidth 102.40Mb priority 0 {qlandef, qlanacks, qVOIPDown}
        [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
        [ qlength:  0/ 50 ]
      queue  qlandef on vr2 bandwidth 1.02Mb qlimit 500 hfsc( default realtime 1.02Mb )
        [ pkts:      16713  bytes:    1271154  dropped pkts:      0 bytes:      0 ]
        [ qlength:  0/500 ]
      queue  qlanacks on vr2 bandwidth 25.60Mb priority 7 hfsc( realtime 10.24Mb )
        [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
        [ qlength:  0/ 50 ]
      queue  qVOIPDown on vr2 bandwidth 25.60Mb priority 7 hfsc( realtime 1.02Mb )
        [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
        [ qlength:  0/ 50 ]

      and here are my rules

      [admin@pfSense.reza.local]/root(44): pfctl -s rules|grep -i voip
      pass in on vr0 inet from any to 209.203.x.x flags S/SA keep state tag qVOIPUp tagged unshaped
      pass out on vr2 inet from any to 209.203.x.x flags S/SA keep state tag qVOIPDown tagged qVOIPUp
      pass in on vr2 inet from 209.203.x.x to any flags S/SA keep state tag qVOIPDown tagged unshaped
      pass out on vr0 all flags S/SA keep state tag qVOIPUp tagged qVOIPDown
      pass out quick on vr0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qVOIPUp, qwanacks) tagged qVOIPUp
      pass out quick on vr2 all flags S/SA keep state label "let out anything from firewall host itself" queue(qVOIPDown, qlanacks) tagged qVOIPDown
      anchor "qVOIPUp" all tagged qVOIPUp
      anchor "qVOIPDown" all tagged qVOIPDown
      [1.2.3-RELEASE]

      Any help, tips, advice are certainly appreciated.
      Thanks

      • xibalba
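      The first thing to check in output like the `pfctl -vvs queue` listing above is which leaf queues never see a packet and which ones are dropping. The script below is an added example (not from the thread or from pfSense); it parses that listing with awk. `SAMPLE` is a constructed excerpt in the same layout as the poster's output, with one invented non-zero "dropped pkts" counter on qwanacks so the second check has something to report (the real output in the post shows no drops). On a pfSense box you would pipe the live output in instead: `pfctl -vvs queue | idle_queues`.

```shell
#!/bin/sh
# Added example, not from the thread: report ALTQ leaf queues that never
# carried a packet, and queues whose "dropped pkts" counter is non-zero.
# Usage on pfSense:   pfctl -vvs queue | idle_queues
#                     pfctl -vvs queue | dropping_queues

# Constructed sample in the layout of `pfctl -vvs queue`. The 12 dropped
# packets on qwanacks are invented to exercise dropping_queues().
SAMPLE='queue root_vr0 on vr0 bandwidth 102.40Mb priority 0 {qwanRoot}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:  0/ 50 ]
queue  qwanRoot on vr0 bandwidth 102.40Mb priority 0 {qwandef, qwanacks, qVOIPUp}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:  0/ 50 ]
queue  qwandef on vr0 bandwidth 1.02Mb qlimit 500 hfsc( default realtime 1.02Mb )
  [ pkts:      3384  bytes:    3116488  dropped pkts:      0 bytes:      0 ]
  [ qlength:  0/500 ]
queue  qwanacks on vr0 bandwidth 25.60Mb priority 7 hfsc( realtime 10.24Mb )
  [ pkts:      18045  bytes:    2282816  dropped pkts:     12 bytes:    768 ]
  [ qlength:  0/ 50 ]
queue  qVOIPUp on vr0 bandwidth 25.60Mb priority 7 hfsc( realtime 1.02Mb )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:  0/ 50 ]'

# Leaf queues (header line without a "{children}" list) whose packet
# counter is still 0. Parent queues never count packets themselves, so
# they are skipped. Prints "<interface> <queue>" per line.
idle_queues() {
    awk '
        /^queue / { name = $2; iface = $4; parent = (index($0, "{") > 0) }
        /^ *\[ pkts:/ { if (!parent && $3 == 0) print iface, name }
    '
}

# Queues whose "dropped pkts" counter is non-zero: the queue is backing
# up past its qlimit, so its bandwidth budget is too small for what is
# being assigned to it. Prints "<interface> <queue> <dropped>" per line.
dropping_queues() {
    awk '
        /^queue / { name = $2; iface = $4 }
        /^ *\[ pkts:/ { if ($8 > 0) print iface, name, $8 }
    '
}

# Demonstration on the constructed sample.
echo "leaf queues with no traffic:"
printf '%s\n' "$SAMPLE" | idle_queues
echo "queues dropping packets:"
printf '%s\n' "$SAMPLE" | dropping_queues
```

      Run against the poster's full listing, `idle_queues` would name qVOIPUp, qVOIPDown and qlanacks; a VoIP queue that stays at zero during an active call means no rule is assigning or tagging that call's packets into it, which is a rule problem rather than a scheduler problem.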

        I thought adding my full /tmp/rules.debug config here would help.

        http://lethalnetworks.com/~reza/rules.debug

        # System Aliases

        loopback = "{ lo0 }"
        lan = "{ vr2  }"
        wan = "{ vr0  }"
        enc0 = "{ enc0 }"
        OPT1 = "{ vr1 }"

        # User Aliases

        set loginterface vr0
        set loginterface vr2
        set loginterface vr1
        set optimization conservative
        set timeout { udp.first 300, udp.single 150, udp.multiple 900 }

        set skip on pfsync0
        altq on vr0 hfsc bandwidth 102400Kb queue { qlanRoot }
        altq on vr2 hfsc bandwidth 102400Kb queue { qwanRoot }

        queue qwanRoot bandwidth 102400Kb priority 0 hfsc { qwandef, qwanacks, qVOIPUp }
        queue qlanRoot bandwidth 102400Kb priority 0 hfsc { qlandef, qlanacks, qVOIPDown }
        queue qwandef bandwidth 1% priority 1 qlimit 500 hfsc (  default realtime 1% )
        queue qlandef bandwidth 1% priority 1 qlimit 500 hfsc (  default realtime 1% )
        queue qwanacks bandwidth 25% priority 7 hfsc (  realtime 10% )
        queue qlanacks bandwidth 25% priority 7 hfsc (  realtime 10% )
        queue qVOIPUp bandwidth 25% priority 7 hfsc (  realtime 1024Kb )
        queue qVOIPDown bandwidth 25% priority 7 hfsc (  realtime 1024Kb )

        nat-anchor "pftpx/*"
        nat-anchor "natearly/*"
        nat-anchor "natrules/*"

        # FTP proxy

        rdr-anchor "pftpx/*"

        # Outbound NAT rules

        nat on $wan from 192.168.1.0/24 to any -> (vr0) port 1024:65535

        #SSH Lockout Table
        table <sshlockout> persist

        # Load balancing anchor - slbd updates

        rdr-anchor "slb"

        # FTP Proxy/helper

        table <vpns> {  }
        no rdr on vr2 proto tcp from any to <vpns> port 21
        rdr on vr2 proto tcp from any to any port 21 -> 127.0.0.1 port 8021

        # IMSpector rdr anchor

        rdr-anchor "imspector"

        # UPnPd rdr anchor

        rdr-anchor "miniupnpd"

        block in all tag unshaped label "SHAPER: first match rule"
        pass in on  $lan proto udp from any  to 209.203.104.37  keep state tagged unshaped tag qVOIPUp
        pass out on $wan proto udp from any to 209.203.104.37 keep state tagged qVOIPUp tag qVOIPDown
        pass in on  $wan proto udp from 209.203.104.37  to any  keep state tagged unshaped tag qVOIPDown
        pass out on $lan proto udp from any to any keep state tagged qVOIPDown tag qVOIPUp

        anchor "ftpsesame/*"
        anchor "firewallrules"

        # We use the mighty pf, we cannot be fooled.

        block quick proto { tcp, udp } from any port = 0 to any
        block quick proto { tcp, udp } from any to any port = 0

        # snort2c

        table <snort2c> persist
        block quick from <snort2c> to any label "Block snort2c hosts"
        block quick from any to <snort2c> label "Block snort2c hosts"

        # Block all IPv6

        block in quick inet6 all
        block out quick inet6 all

        # loopback

        anchor "loopback"
        pass in quick on $loopback all label "pass loopback"
        pass out quick on $loopback all label "pass loopback"

        # package manager early specific hook

        anchor "packageearly"

        # carp

        anchor "carp"

        # permit wan interface to ping out (ping_hosts.sh)

        pass quick proto icmp from 10.10.10.224 to any keep state

        # NAT Reflection rules

        # allow access to DHCP server on LAN

        anchor "dhcpserverlan"
        pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
        pass in quick on $lan proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server on LAN"
        pass out quick on $lan proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"

        # allow our DHCP client out to the WAN

        anchor "wandhcp"
        pass out quick on $wan proto udp from any port = 68 to any port = 67 label "allow dhcp client out wan"
        block in log quick on $wan proto udp from any port = 67 to 192.168.1.0/24 port = 68 label "block dhcp client out wan"

        # LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)

        antispoof for vr2

        anchor "spoofing"

        # Support for allow limiting of TCP connections by establishment rate

        anchor "limitingesr"
        table <virusprot>
        block in quick from <virusprot> to any label "virusprot overload table"

        # pass traffic from firewall -> out

        anchor "firewallout"
        pass out quick on vr0 all keep state tagged qVOIPDown queue (qVOIPDown, qlanacks) label "let out anything from firewall host itself"
        pass out quick on vr0 all keep state queue (qlandef, qlanacks) label "let out anything from firewall host itself"
        pass out quick on vr2 all keep state tagged qVOIPUp queue (qVOIPUp, qwanacks) label "let out anything from firewall host itself"
        pass out quick on vr2 all keep state queue (qwandef, qwanacks) label "let out anything from firewall host itself"
        pass out quick on vr1 all keep state  label "let out anything from firewall host itself"
        pass out quick on $enc0 keep state label "IPSEC internal host to host"

        # make sure the user cannot lock himself out of the webGUI or SSH

        anchor "anti-lockout"
        pass in quick on vr2 from any to 192.168.1.1 keep state label "anti-lockout web rule"

        # SSH lockout

        block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

        anchor "ftpproxy"
        anchor "pftpx/*"

        # User-defined aliases follow

        # Anchors for rules that might be matched by queues

        anchor qwanRoot tagged qwanRoot
        load anchor qwanRoot from "/tmp/qwanRoot.rules"
        anchor qlanRoot tagged qlanRoot
        load anchor qlanRoot from "/tmp/qlanRoot.rules"
        anchor qwandef tagged qwandef
        load anchor qwandef from "/tmp/qwandef.rules"
        anchor qlandef tagged qlandef
        load anchor qlandef from "/tmp/qlandef.rules"
        anchor qwanacks tagged qwanacks
        load anchor qwanacks from "/tmp/qwanacks.rules"
        anchor qlanacks tagged qlanacks
        load anchor qlanacks from "/tmp/qlanacks.rules"
        anchor qVOIPUp tagged qVOIPUp
        load anchor qVOIPUp from "/tmp/qVOIPUp.rules"
        anchor qVOIPDown tagged qVOIPDown
        load anchor qVOIPDown from "/tmp/qVOIPDown.rules"

        # User-defined rules follow

        pass in quick on $wan reply-to (vr0 10.10.10.1) proto tcp from any to any port = 80 keep state  queue (qlandef, qlanacks)  label "USER_RULE: allow remote management"
        pass in quick on $wan reply-to (vr0 10.10.10.1) proto tcp from any to any port = 22 keep state  queue (qlandef, qlanacks)  label "USER_RULE: allow remote management"
        pass in quick on $lan from 192.168.1.0/24 to any keep state  queue (qwandef, qwanacks)  label "USER_RULE: Default LAN -> any"

        # VPN Rules

        pass in quick on vr2 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
        pass in quick on vr2 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
        pass in quick on vr0 inet proto tcp from port 20 to (vr0) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"

        # enable ftp-proxy

        # IMSpector

        anchor "imspector"

        # uPnPd

        anchor "miniupnpd"

        #---------------------------------------------------------------------------

        # default deny rules

        #---------------------------------------------------------------------------
        block in log quick all label "Default deny rule"
        block out log quick all label "Default deny rule"

        • danswartz

          The IP address should be the internal IP, not an external one. Also, not sure what 209.203. is - were you snipping part of it for privacy?

          • xibalba

            Yes, I was snipping it for privacy reasons. It's my work's IP range, so I thought I should keep it private. I am basically trying to allocate all traffic to 209.203.x.y to the highest priority queue.

            On the "Voice over IP" Traffic Shaper Wizard page, should I not have entered the IP address of the hosted PBX, 209.203.x.y?

            thanks for the assistance.

            • danswartz

              No, that won't work. If you look at your two VoIP rules, you can see the IP you gave is in the wrong position both times. The IP in the wizard is supposed to be the internal IP. What I think you want to do is add a rule in the LAN section that explicitly permits access to your hosted PBX (make it protocol UDP to be safe). In the advanced options for that rule you can select the queue to use and put down qVoip (or whatever it is called). In the wizard, just leave the IP address blank. NOTE: this is for 2.0; it may or may not be right for 1.2.3, which is what you are using? If so, it might still work, give it a try…

              • xibalba
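              What the LAN rule Dan describes compiles to, in the pf syntax pfSense writes to /tmp/rules.debug (the same shape as the "USER_RULE" lines pasted above). This is an added example, not from the thread and not what pfSense's rule generator emits verbatim: the PBX address is a documentation placeholder standing in for 209.203.x.y, the RTP port range is an assumption to replace with the range the provider actually uses, and the queue names are the ones from the poster's setup. On pfSense the rule is created under Firewall > Rules > LAN with the queue selected in the rule's advanced options, not by editing rules.debug, which is regenerated on every filter reload.

```pf
# Added example, not from the thread. $pbx is an RFC 5737 documentation
# address standing in for the hosted PBX; $rtp_ports is an assumed range.
pbx = "{ 203.0.113.10 }"
rtp_ports = "10000:20000"

# Match only UDP from the desk subnet to the PBX, so ordinary LAN traffic
# keeps landing in qwandef. The queue pair applies to the packets leaving
# on the WAN side, where qVOIPUp lives (see `pfctl -vvs queue`).
pass in quick on $lan proto udp from 192.168.1.0/24 to $pbx port 5060 \
    keep state queue (qVOIPUp, qwanacks) label "USER_RULE: SIP to hosted PBX"
pass in quick on $lan proto udp from 192.168.1.0/24 to $pbx port $rtp_ports \
    keep state queue (qVOIPUp, qwanacks) label "USER_RULE: RTP to hosted PBX"

# Both rules are "quick" and so is the existing "Default LAN -> any" rule,
# and pf stops at the first quick match. These must therefore sit above the
# catch-all, otherwise VoIP packets are queued into qwandef and the pkts
# counter on qVOIPUp stays at 0.
```

              To confirm the rule is doing the work, `pfctl -vs rules` prints an `[ Evaluations: ... Packets: ... ]` line under each rule; the two VoIP labels should count packets during a call while `pfctl -vvs queue` shows qVOIPUp's pkts climbing. If the provider sends media from an address other than the SIP server, the RTP rule needs that address instead; the RTP lines of a tcpdump capture like the one in the first post show which address it is.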

                Dan,
                Thanks for your help, much appreciated. I swapped the IP in the SRC/DST in both rules and it's working now.

                • liza75

                  Hi,

                  This simple queue is working just fine, however I'm now wanting to give VoIP priority in the simple queues, i.e. in the "5mb pool A" or "5mb pool B". If someone is doing a download at 5mbps and someone tries to make a VoIP call, the user doing the download must be slowed down and the VoIP call given preference within the queue. I have set up a simple queue for my SIP phone with IP address 192.168.15.250. Using winbox, double-clicking on the "Sip phone" queue and then on the Traffic tab, the graph shows neither Tx nor Rx traffic. However, when I click on the Torch button, I can see TX rates of 80 kbits and RX of about 80 kbits.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.