Netgate Discussion Forum

Simple VoIP Queue

Traffic Shaping
  • X
    xibalba
    last edited by Jul 1, 2010, 11:03 PM

    Hey everyone,
    I'm trying to get a simple VoIP going. I've used the Traffic Shaper Wizard to create my queues and rules. After setting up the queue I cannot see any data passing through it, even though I have a call going. I'm going to include some screen shots below showing what was done.



    Now I am currently on a call between two phones. One phone is behind my pfSense router, the other is hooked up next to my desk. Quick overview of the topology:

    WAN -> LAN ( main network ) -> pfSense-WAN ( connected to company LAN )-> Private-LAN ( my private LAN at my desk )

    So I can see data passing between my phone and our softswitch

    SIP DATA:
    07:00:53.967075 IP 209.203.x.x.5060 > 10.10.10.193.5060: SIP, length: 863
    07:00:56.092746 IP 209.203.x.x.5060 > 10.10.10.224.5060: SIP, length: 683
    07:00:56.107921 IP 10.10.10.224.5060 > 209.203.x.x.5060: SIP, length: 394

    RTP DATA:
    07:01:26.066155 IP 10.10.10.224.21724 > 209.203.x.x.22038: UDP, length 32
    07:01:26.066380 IP 209.203.x.x.22038 > 10.10.10.224.21724: UDP, length 32

    I run pfctl -vvs queue while the phone call is still active and here are the results

    [admin@pfSense.reza.local]/root(43): pfctl -vvs queue
    queue root_vr0 on vr0 bandwidth 102.40Mb priority 0 {qwanRoot}
      [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
      [ qlength:  0/ 50 ]
    queue  qwanRoot on vr0 bandwidth 102.40Mb priority 0 {qwandef, qwanacks, qVOIPUp}
      [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
      [ qlength:  0/ 50 ]
    queue  qwandef on vr0 bandwidth 1.02Mb qlimit 500 hfsc( default realtime 1.02Mb )
      [ pkts:      3384  bytes:    3116488  dropped pkts:      0 bytes:      0 ]
      [ qlength:  0/500 ]
    queue  qwanacks on vr0 bandwidth 25.60Mb priority 7 hfsc( realtime 10.24Mb )
      [ pkts:      18045  bytes:    2282816  dropped pkts:      0 bytes:      0 ]
      [ qlength:  0/ 50 ]
    queue  qVOIPUp on vr0 bandwidth 25.60Mb priority 7 hfsc( realtime 1.02Mb )
      [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
      [ qlength:  0/ 50 ]
    queue root_vr2 on vr2 bandwidth 102.40Mb priority 0 {qlanRoot}
      [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
      [ qlength:  0/ 50 ]
    queue  qlanRoot on vr2 bandwidth 102.40Mb priority 0 {qlandef, qlanacks, qVOIPDown}
      [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
      [ qlength:  0/ 50 ]
    queue  qlandef on vr2 bandwidth 1.02Mb qlimit 500 hfsc( default realtime 1.02Mb )
      [ pkts:      16713  bytes:    1271154  dropped pkts:      0 bytes:      0 ]
      [ qlength:  0/500 ]
    queue  qlanacks on vr2 bandwidth 25.60Mb priority 7 hfsc( realtime 10.24Mb )
      [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
      [ qlength:  0/ 50 ]
    queue  qVOIPDown on vr2 bandwidth 25.60Mb priority 7 hfsc( realtime 1.02Mb )
      [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
      [ qlength:  0/ 50 ]

    and here are my rules

    [admin@pfSense.reza.local]/root(44): pfctl -s rules|grep -i voip
    pass in on vr0 inet from any to 209.203.x.x flags S/SA keep state tag qVOIPUp tagged unshaped
    pass out on vr2 inet from any to 209.203.x.x flags S/SA keep state tag qVOIPDown tagged qVOIPUp
    pass in on vr2 inet from 209.203.x.x to any flags S/SA keep state tag qVOIPDown tagged unshaped
    pass out on vr0 all flags S/SA keep state tag qVOIPUp tagged qVOIPDown
    pass out quick on vr0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qVOIPUp, qwanacks) tagged qVOIPUp
    pass out quick on vr2 all flags S/SA keep state label "let out anything from firewall host itself" queue(qVOIPDown, qlanacks) tagged qVOIPDown
    anchor "qVOIPUp" all tagged qVOIPUp
    anchor "qVOIPDown" all tagged qVOIPDown
    [1.2.3-RELEASE]

    Any help, tips, advice are certainly appreciated.
    Thanks
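
A way to spot the symptom described in the post above (a leaf queue whose counters stay at zero while a call is active), as an added example that is not part of the original thread. It parses `pfctl -vvs queue` output in the format shown; the sample text is abridged from the post's output, and the function names are assumptions.

```python
import re

# Constructed sample, abridged from the `pfctl -vvs queue` output in the post.
SAMPLE = """\
queue root_vr0 on vr0 bandwidth 102.40Mb priority 0 {qwanRoot}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:  0/ 50 ]
queue  qwanRoot on vr0 bandwidth 102.40Mb priority 0 {qwandef, qwanacks, qVOIPUp}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
queue  qwandef on vr0 bandwidth 1.02Mb qlimit 500 hfsc( default realtime 1.02Mb )
  [ pkts:       3384  bytes:    3116488  dropped pkts:      0 bytes:      0 ]
queue  qwanacks on vr0 bandwidth 25.60Mb priority 7 hfsc( realtime 10.24Mb )
  [ pkts:      18045  bytes:    2282816  dropped pkts:      0 bytes:      0 ]
queue  qVOIPUp on vr0 bandwidth 25.60Mb priority 7 hfsc( realtime 1.02Mb )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
"""

QUEUE_RE = re.compile(r"^\s*queue\s+(\S+)\s+on\s+(\S+)(.*)$")
CHILDREN_RE = re.compile(r"\{([^}]*)\}")
STATS_RE = re.compile(r"pkts:\s*(\d+)\s+bytes:\s*(\d+)\s+dropped pkts:\s*(\d+)")

def parse_queues(text):
    """Map queue name -> interface, child queues and packet counters."""
    queues, current = {}, None
    for line in text.splitlines():
        header = QUEUE_RE.match(line)
        if header:
            name, iface, rest = header.groups()
            kids = CHILDREN_RE.search(rest)
            children = [c.strip() for c in kids.group(1).split(",")] if kids else []
            # setdefault: with -vv pfctl reprints the list periodically; keep one entry per queue
            current = queues.setdefault(name, {"iface": iface, "children": children,
                                               "pkts": 0, "bytes": 0, "dropped": 0})
            continue
        stats = STATS_RE.search(line)
        if stats and current is not None:
            # Later snapshots overwrite earlier ones, so the latest counters win.
            current["pkts"], current["bytes"], current["dropped"] = map(int, stats.groups())
    return queues

def idle_leaf_queues(queues):
    """Leaf queues (no children) that have not carried a single packet."""
    return sorted(n for n, q in queues.items() if not q["children"] and q["pkts"] == 0)

if __name__ == "__main__":
    for name in idle_leaf_queues(parse_queues(SAMPLE)):
        print(f"{name}: no packets matched; check the rules that assign this queue")
```

Parent queues are skipped because, as in the output above, only the leaf queues accumulate packet counts.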

    • X
      xibalba
      last edited by Jul 6, 2010, 3:18 PM

      I thought adding my full /tmp/rules.debug config here would help.

      http://lethalnetworks.com/~reza/rules.debug

      # System Aliases

      loopback = "{ lo0 }"
      lan = "{ vr2  }"
      wan = "{ vr0  }"
      enc0 = "{ enc0 }"
      OPT1 = "{ vr1 }"

      # User Aliases

      set loginterface vr0
      set loginterface vr2
      set loginterface vr1
      set optimization conservative
      set timeout { udp.first 300, udp.single 150, udp.multiple 900 }

      set skip on pfsync0
      altq on vr0 hfsc bandwidth 102400Kb queue { qlanRoot }
      altq on vr2 hfsc bandwidth 102400Kb queue { qwanRoot }

      queue qwanRoot bandwidth 102400Kb priority 0 hfsc { qwandef, qwanacks, qVOIPUp }
      queue qlanRoot bandwidth 102400Kb priority 0 hfsc { qlandef, qlanacks, qVOIPDown }
      queue qwandef bandwidth 1% priority 1 qlimit 500 hfsc (  default realtime 1% )
      queue qlandef bandwidth 1% priority 1 qlimit 500 hfsc (  default realtime 1% )
      queue qwanacks bandwidth 25% priority 7 hfsc (  realtime 10% )
      queue qlanacks bandwidth 25% priority 7 hfsc (  realtime 10% )
      queue qVOIPUp bandwidth 25% priority 7 hfsc (  realtime 1024Kb )
      queue qVOIPDown bandwidth 25% priority 7 hfsc (  realtime 1024Kb )

      nat-anchor "pftpx/*"
      nat-anchor "natearly/*"
      nat-anchor "natrules/*"

      # FTP proxy

      rdr-anchor "pftpx/*"

      # Outbound NAT rules

      nat on $wan from 192.168.1.0/24 to any -> (vr0) port 1024:65535

      #SSH Lockout Table
      table <sshlockout> persist

      # Load balancing anchor - slbd updates

      rdr-anchor "slb"

      # FTP Proxy/helper

      table <vpns> {  }
      no rdr on vr2 proto tcp from any to <vpns> port 21
      rdr on vr2 proto tcp from any to any port 21 -> 127.0.0.1 port 8021

      # IMSpector rdr anchor

      rdr-anchor "imspector"

      # UPnPd rdr anchor

      rdr-anchor "miniupnpd"

      block in all tag unshaped label "SHAPER: first match rule"
      pass in on  $lan proto udp from any  to 209.203.104.37  keep state tagged unshaped tag qVOIPUp
      pass out on $wan proto udp from any to 209.203.104.37 keep state tagged qVOIPUp tag qVOIPDown
      pass in on  $wan proto udp from 209.203.104.37  to any  keep state tagged unshaped tag qVOIPDown
      pass out on $lan proto udp from any to any keep state tagged qVOIPDown tag qVOIPUp

      anchor "ftpsesame/*"
      anchor "firewallrules"

      # We use the mighty pf, we cannot be fooled.

      block quick proto { tcp, udp } from any port = 0 to any
      block quick proto { tcp, udp } from any to any port = 0

      # snort2c

      table <snort2c> persist
      block quick from <snort2c> to any label "Block snort2c hosts"
      block quick from any to <snort2c> label "Block snort2c hosts"

      # Block all IPv6

      block in quick inet6 all
      block out quick inet6 all

      # loopback

      anchor "loopback"
      pass in quick on $loopback all label "pass loopback"
      pass out quick on $loopback all label "pass loopback"

      # package manager early specific hook

      anchor "packageearly"

      # carp

      anchor "carp"

      # permit wan interface to ping out (ping_hosts.sh)

      pass quick proto icmp from 10.10.10.224 to any keep state

      # NAT Reflection rules

      # allow access to DHCP server on LAN

      anchor "dhcpserverlan"
      pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
      pass in quick on $lan proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server on LAN"
      pass out quick on $lan proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"

      # allow our DHCP client out to the WAN

      anchor "wandhcp"
      pass out quick on $wan proto udp from any port = 68 to any port = 67 label "allow dhcp client out wan"
      block in log quick on $wan proto udp from any port = 67 to 192.168.1.0/24 port = 68 label "block dhcp client out wan"

      # LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)

      antispoof for vr2

      anchor "spoofing"

      # Support for allow limiting of TCP connections by establishment rate

      anchor "limitingesr"
      table <virusprot>
      block in quick from <virusprot> to any label "virusprot overload table"

      # pass traffic from firewall -> out

      anchor "firewallout"
      pass out quick on vr0 all keep state tagged qVOIPDown queue (qVOIPDown, qlanacks) label "let out anything from firewall host itself"
      pass out quick on vr0 all keep state queue (qlandef, qlanacks) label "let out anything from firewall host itself"
      pass out quick on vr2 all keep state tagged qVOIPUp queue (qVOIPUp, qwanacks) label "let out anything from firewall host itself"
      pass out quick on vr2 all keep state queue (qwandef, qwanacks) label "let out anything from firewall host itself"
      pass out quick on vr1 all keep state  label "let out anything from firewall host itself"
      pass out quick on $enc0 keep state label "IPSEC internal host to host"

      # make sure the user cannot lock himself out of the webGUI or SSH

      anchor "anti-lockout"
      pass in quick on vr2 from any to 192.168.1.1 keep state label "anti-lockout web rule"

      # SSH lockout

      block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

      anchor "ftpproxy"
      anchor "pftpx/*"

      # User-defined aliases follow

      # Anchors for rules that might be matched by queues

      anchor qwanRoot tagged qwanRoot
      load anchor qwanRoot from "/tmp/qwanRoot.rules"
      anchor qlanRoot tagged qlanRoot
      load anchor qlanRoot from "/tmp/qlanRoot.rules"
      anchor qwandef tagged qwandef
      load anchor qwandef from "/tmp/qwandef.rules"
      anchor qlandef tagged qlandef
      load anchor qlandef from "/tmp/qlandef.rules"
      anchor qwanacks tagged qwanacks
      load anchor qwanacks from "/tmp/qwanacks.rules"
      anchor qlanacks tagged qlanacks
      load anchor qlanacks from "/tmp/qlanacks.rules"
      anchor qVOIPUp tagged qVOIPUp
      load anchor qVOIPUp from "/tmp/qVOIPUp.rules"
      anchor qVOIPDown tagged qVOIPDown
      load anchor qVOIPDown from "/tmp/qVOIPDown.rules"

      # User-defined rules follow

      pass in quick on $wan reply-to (vr0 10.10.10.1) proto tcp from any to any port = 80 keep state  queue (qlandef, qlanacks)  label "USER_RULE: allow remote management"
      pass in quick on $wan reply-to (vr0 10.10.10.1) proto tcp from any to any port = 22 keep state  queue (qlandef, qlanacks)  label "USER_RULE: allow remote management"
      pass in quick on $lan from 192.168.1.0/24 to any keep state  queue (qwandef, qwanacks)  label "USER_RULE: Default LAN -> any"

      # VPN Rules

      pass in quick on vr2 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
      pass in quick on vr2 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
      pass in quick on vr0 inet proto tcp from port 20 to (vr0) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"

      # enable ftp-proxy

      # IMSpector

      anchor "imspector"

      # uPnPd

      anchor "miniupnpd"

      #---------------------------------------------------------------------------

      # default deny rules

      #---------------------------------------------------------------------------
      block in log quick all label "Default deny rule"
      block out log quick all label "Default deny rule"

      • D
        danswartz
        last edited by Jul 6, 2010, 6:17 PM

        the IP address should be the internal IP, not an external one.  also not sure what 209.203. is - were you snipping part of it for privacy?

        • X
          xibalba
          last edited by Jul 8, 2010, 5:54 PM

          Yes, I was snipping it for privacy reasons. It's my work's IP range so I thought I should keep it private. I am basically trying to allocate all traffic to 209.203.x.y to the highest priority queue.

          On the "Voice over IP" Traffic Shaper Wizard page should I not have entered in the IP address of the hosted pbx - 209.203.x.y ?

          thanks for the assistance.

          • D
            danswartz
            last edited by Jul 8, 2010, 6:16 PM

            No, that won't work.  If you look at your two voip rules, you can see the IP you gave is in the wrong position both times.  The IP in the wizard is supposed to be the internal IP.  What I think you want to do is add a rule in the LAN section that explicitly permits access to your hosted pbx (make it protocol udp to be safe).  In the advanced options for that rule you can select the queue to use and put down qVoip (or whatever it is called).  In the wizard, just leave blank the IP address.  NOTE: this is for 2.0, it may or may not be right for 1.2.3, which is what you are using?  If so, it might still work, give it a try…

            • X
              xibalba
              last edited by Jul 9, 2010, 7:40 PM

              Dan,
              Thanks for your help, much appreciation. I swapped the IP in the SRC/DST in both rules and it's working now.

              • L
                liza75
                last edited by Aug 12, 2010, 6:29 AM

                Hi,

                This simple queue is working just fine, however I'm now wanting to give VoIP priority in the simple queues, i.e. in the "5mb pool A" or "5mb pool B", if someone is doing a download at 5mbps and someone tries to make a voip call, the user doing the download must be slowed down and the voip call be given preference within the queue. I have set up a simple queue for my sip phone with ip address 192.168.15.250. Using winbox, double clicking on the "Sip phone" queue and then on the Traffic tab, the graph shows neither Tx nor Rx traffic. However, when I click on the Torch button, I can see TX rates of 80kbits and RX of about 80 k bits.
