Configuring pfSense for best skype video.

stephenw10 · Aug 11, 2011, 1:34 PM

Hi All,
I'm looking for some advice on, as the title says, setting up Skype for video calling behind pfSense.
I'm not a big user of skype myself and when I have used it I have used audio only.
I now have several friends and family living abroad and the pressure to 'get with the program' and use Skype video has caused me to rethink.

I have spent several hours trying different things to get the best connection but Skype is still complaining.

It seems that Skype has several methods of connecting when behind a firewall/NAT. If nothing is changed from the default settings in pfSense 2.0 then Skype will default to using a third party relay to connect. This works well but is limited to 10kBps which is fine for voice calls, though there's some delay, but terrible for video.
Enabling UPNP on the appropriate internal interface along with NAT-PMP (which skype seems to use) will allow a direct UDP connection but the Skype diagnostics page still reports, UDP status: local bad.

I could setup port forwarding instead but I'm not sure how this would work with loadbalancing Multi-WAN. :-\

I'd be very interested in any experiences anyone may have had with this.

Steve

Metu69salemi · Aug 11, 2011, 1:38 PM

Try and let us know

Cino · Aug 11, 2011, 2:02 PM

I may have to do some testing with this.. I've done some video with Windows Messenger Live and haven't had any issues… But Skype Video is much much better then anything out there from what I can tell... Well Tanberg Movi quality is better but that's for video conferencing within a corporate environment.

stephenw10 · Aug 11, 2011, 3:50 PM

Thanks for reading. :)

As far as I can tell you should be able to get the best out of Skype video by using upnp and allowing it to do it's own thing.
Certainly after enabling upnp and NAT-PMP then when Skype starts it sets some port forwards and I can see them in the upnp status page. Also with this set Skype reports a direct UDP connection (not relayed) if I connect to a known good host.
However even with this the connection is not good subjectively and the video resolution drops down to the lowest setting.

Most of what I'm reading on the skype forums seems aimed at low level users. ::)
I had to disable load balancing for the subnet in order to get this working. I'd much rather not do that.

Steve

![upnp status.jpg](/public/imported_attachments/1/upnp status.jpg)
![upnp status.jpg_thumb](/public/imported_attachments/1/upnp status.jpg_thumb)

ll_hellBoy_ll · Aug 12, 2011, 1:10 PM

Forgive me if i interrupt your thread. But your Problem similar to my one….That is why i want to ask this here. I have never problem with skype vedio calling on my dual wan setup. But With Windows Live messenger i have always problem......

I cant call at all vedio call. It always shows its connecting but it never connects. Unless i just use single connection for live messenger.

we have 5 internet cafe and all those cafe has 40 plus workstation and Al those are multiwan setup. we can do all other stuff without any problem. only with live messenger vedio call. we can login and chat from live messenger but cant use video call. it never connects....

Please help me. how can i solve it. thank you

stephenw10 · Aug 12, 2011, 2:31 PM

You need to setup some kind of policy based routing to catch MSN traffic and send it to one WAN.
I haven't looked into it but I would first research which ports and protocols MSN video is using.
It's hard to do something similar with Skype since it uses a random high number port for outgoing connections, different every time.

Steve

Bai Shen · Aug 12, 2011, 5:44 PM

@stephenw10:

You need to setup some kind of policy based routing to catch MSN traffic and send it to one WAN.
I haven't looked into it but I would first research which ports and protocols MSN video is using.
It's hard to do something similar with Skype since it uses a random high number port for outgoing connections, different every time.

Steve

If you block your outbound ports, Skype will eventually fall back to 80/443 IIRC.

stephenw10 · Aug 12, 2011, 6:08 PM

@Bai:

If you block your outbound ports, Skype will eventually fall back to 80/443 IIRC.

Yes, as long as you haven't told it not to.
However this is the worst situation for getting decent video. This is Skypes fallback scenario with the most limited bandwidth.

Also it doesn't help with routing since port 80 is the one thing you most want to load balance.

The layer 7 traffic shaper has a skype setting but I've never used it. :-\

Steve

Mogli · Dec 9, 2011, 1:07 AM

Hey guys,

I ended up in enabling NAT-PMP. In some test connections to echo123 it then gave me udp status local: good. I also thought about adding port forwardings, but we have much and also changing clients.
Can anyone of you maybe tell me useful restriction rules, so that only Skype (more or less) could create NAT-PMP entries?