Best way for sip bw mgmt



  • Dear community,

    I have installed a pfsense firewall on a pcengines board.
    I have a static openvpn tunnel to our datacenter with our hosted pbx.

    In this local network where the firewall is, if any user does an upload or download,
    the sip ping times are 500ms plus.

    What can I do to provide a stable sip connection to our datacenter?

    Thank you very much.

    many greets



  • @iceget:

    Dear community,

    I have installed a pfsense firewall on a pcengines board.
    I have a static openvpn tunnel to our datacenter with our hosted pbx.

    In this local network where the firewall is, if any user does an upload or download,
    the sip ping times are 500ms plus.

    What can I do to provide a stable sip connection to our datacenter?

    Thank you very much.

    many greets

    I'm not sure what the details of your setup are.  Do you currently have traffic shaping enabled at all?  I have a similar setup at a few of my sites.  I use an OpenVPN connection to the site where my VOIP server is at. Then I shape all the traffic to prioritize that tunnel.  Since the VPN is encrypted when leaving the WAN interface, it's a little more tricky to shape it because you can't "see" any of the traffic in the encrypted tunnel.  What I do is I set up my floating rules to match the UDP port number of the OpenVPN server I'm connecting to at the remote site.  Then all of the tunnel packets on that port will go into the queue you assign for VOIP traffic.  Then if you have it set up properly it will give you good call quality.  Keep in mind that "ping" is going to be ICMP traffic and may or may not traverse your VPN tunnel depending on the setup.  For my purposes I need to send Data to my datacenter, and also VOIP traffic.  So, I have two OpenVPN tunnels, one for VOIP and the other for Data. I shape them into different queues based on the port numbers.

    I hope this helps a little bit.



  • Hello churchtechguy,

    Thank you for your help.

    Okay, that is exactly what I need. How can I set up the floating rules for the OpenVPN UDP port?
    I have a pfsense firewall on my LAN site, where my phones are, and in my datacenter.

    Thank you very much,

    many greets



  • So, what firewall do you have at your remote site?  Are they both pfsense boxes?  I'll assume that you do.

    Here is a little picture I made of a possible setup…


    In this case on the Remote Site pfsense box you would set up a floating rule:
    Interface = WAN
    Protocol = UDP
    Direction = Out (I'm not sure if it matters really to leave it in/out)
    Destination port = 1197
    Optional - If your datacenter has a static IP address you could put Destination IP = DataCenter IP Address
    Advanced --> Queues set them to be None / qVOIP (or whatever the name of the priority queue is for the vpn)

    On the DataCenter side:
    You should have a rule on your WAN interface to permit the traffic to enter from the internet on port 1197 (or port your server is on).  You can simply go under Advanced --> Queues and set the queue right there without floating rules.  Set it to be None / qVOIP.

    Always remember when working with traffic shaping changes that you can have some unexpected results if you don't go to Diagnostics and reset the firewall state table after the changes.
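
For readers who want to see what the two GUI rules in the last post amount to at the pf level, here is a hand-written pf.conf sketch (FreeBSD ALTQ syntax). It is an added example, not part of the thread and not the ruleset pfSense generates. The interface name, bandwidth figure, default queue name and datacenter address are assumptions; port 1197 and the queue name qVOIP come from the post.

```conf
# --- Remote site (LAN with the phones) --------------------------------
# Assumed values, replace with your own:
wan_if  = "em0"             # WAN interface name (assumption)
dc_addr = "203.0.113.10"    # datacenter static IP (constructed placeholder)
vpn_udp = "1197"            # OpenVPN server port, from the post

# Priority queueing on WAN. ALTQ only shapes packets leaving an interface,
# so set bandwidth slightly below the real upload rate (assumed 5Mb here)
# to keep the backlog in pfSense instead of in the modem.
altq on $wan_if priq bandwidth 5Mb queue { qVOIP, qDefault }
queue qVOIP    priority 7
queue qDefault priority 1 priq(default)

# Equivalent of the floating rule: encrypted tunnel packets leaving WAN
# toward the datacenter go into qVOIP. pf cannot see SIP/RTP inside the
# tunnel, so the outer UDP port is the only thing to match on.
pass out quick on $wan_if proto udp from any to $dc_addr port $vpn_udp \
    keep state queue qVOIP

# --- Datacenter side --------------------------------------------------
# Same altq/queue definitions on the datacenter WAN, then attach the
# queue to the rule that admits the tunnel. The queue is stored on the
# state entry, so the tunnel packets going back out of WAN use qVOIP.
pass in quick on $wan_if proto udp from any to ($wan_if) port $vpn_udp \
    keep state queue qVOIP
```

Because the queue is recorded on the state entry, tunnel states created before the change keep their old queue, which is why the post recommends resetting the state table. `pfctl -vsq` shows per-queue packet counters, so you can confirm that qVOIP is counting up while the tunnel is carrying traffic.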