Questions on Traffic Shaping VPN/VoIP?

  • Fellow pfSense disciples, I'm looking for some insight and/or assistance in addressing some issues I'm having with pfSense in a multi-site VPN environment with VoIP for a small-to-medium business with <50 users and ~ 35 VoIP phones.

    Specifically, I've got serious issues with VoIP calls suffering from latency/quality issues and dropped calls. I've tried implementing TrafficShaping as I've seen outlined in several guides/HOWTOs and people's suggestions here on the forum, without any luck.

    tl;dr – how should I prioritize/QoS VoIP across VPNs? What type of scheduler should I use?

    I'm running pfSense 2.1.3 at all 3 sites, the main office hosts the OpenVPN Server that connects to the two other OpenVPN Clients at the remote offices. The main office is on Verizon FiOS, and the remote offices are on DSL (1.9/1.0 Mbps and 1.5/.768 Mbps U/D).

    We've got an AllWorx VoIP Server at the home office running behind the firewall, using one of the public IPs and with all the necessary Rules for port-forwarding in place. The AllWorx phones in each of the offices register and connect to the VoIP server successfully, and if users aren't thrashing the network, then everything's peachy, but when I have multiple users making calls and enough LAN/VPN/WAN traffic then call quality suffers, calls get dropped, and people start cursing.

    When I initially set up pfSense, OpenVPN and the VoIP system I had all the phones pointed at the VoIP server's internal IP, thus putting all the VoIP streams and overhead traffic across the VPN. This has generally worked well, but once I've got multiple people in a remote office making calls and surfing the web, voice quality gets impacted and calls get dropped entirely.

    I believe that with my relatively small number of users and simple use-case, that PRIQ should be the simplest solution and satisfactory for our needs. However, when I configured it previously it didn't resolve the VoIP issues and I wasn't seeing traffic listed in the Status>Queues page.

    As a test, I altered the phones in one office to use the VoIP server's public IP (instead of the LAN IP), thus bypassing the VPN tunnel. At that point users reported slightly less echo/latency during normal use, but calls were still affected and dropped when traffic across the limited DSL links got congested.

    I'm looking for any insight someone can provide to an otherwise competent IT admin who loves pfSense, but is currently at wit's end trying to determine the best way to set up Traffic Shaping in such a way that VoIP is prioritized above all other traffic.

    If there are any good resources to help me work this out, please let me know and I promise to read them before I come back again, hat in hand, looking for further assistance. If there is any other information I can provide to clarify my network environment or needs, I'm glad to do so.

    If this is the wrong place to pose this question, please move my post as needed. Thanks again to the pfSense team and all the forum contributors who make OSS projects like this one viable alternatives to expensive, closed-source solutions.

  • When you ran the Traffic Shaper wizard, what did you select on the Voice over IP page?  If everything was correctly set up then you should have seen zero-drop active traffic in qVoIP and drops in other queues (Status - Queues) when under load.  On the Voice over IP page of the wizard, which IP address were you using for your Upstream SIP server for the AllWorx, its internal or external IP address?

  • Unfortunately, I already deleted the original TS rules I set up. I have gone back and re-run the wizard as a simple 1 WAN/1 LAN environment. I also created a FW Alias that contains the destinations for both my VoIP Trunk providers and the AllWorx server's LAN address. I then used this alias as the Upstream SIP server on the Voice over IP section of the wizard.

    I will watch the Status - Queues page tomorrow when I have folks running both phones and web-traffic. Thanks for the assist, and please let me know if I'm jumping the gun with my changes, or can provide further clarification.

  • I have fewer users and a slightly different setup but I am glad to share what I did to get this working.  At least it appears to be working :)

    I have about 10 phones that connect locally to my Asterisk box and 8 that connect through VPN (love those Yealink phones). I decided to use PRIQ because my needs are simple and VoIP traffic is most important to me.

    I created an alias that included my local Asterisk box and all my service providers' IPs ( and vitelity).
    I ran the traffic shaping wizard and filled in all the relevant fields, pretty self-explanatory.
    I looked at the floating rules that were created and noticed that none of the interfaces were selected (bug?) so I chose them all.  Not sure if that is right but I need the rule on all interfaces.
    I added a floating rule for my RTP ports and my SIP ports.  I think this was redundant, but I was worried that the RTP ports were not being handled.  I did this by copying one of the VoIP rules created by the wizard.

    So after I did all this I made some calls and the VoIP bucket appeared to fill up.  I am not sure how else to actually determine what packets are going to what queues; if anyone knows how to do that please share.

    I took the screenshots after hours so the system was not really being used, but you get the idea.

  • I don't believe that you need to select an interface with floating rules unless you need to limit the rule to particular interfaces.  Selecting all is the same as selecting none, I think.  Your setup looks good and as you can see, all your non-VoIP traffic is going to qOthersHigh, and that queue is dropping packets when there is contention with qVoIP.  qVoIP should never have any drops, and the other queues should have more or less depending on how busy the link is.

  • As far as I know, you cannot shape within an OpenVPN tunnel, but the whole tunnel. This is because on the WAN interface, the system sees the encrypted packets so it cannot determine what to do with them (maybe using the option to copy the ToS and shape based on that could be a possibility? Mmmm…)

    With IPsec tunnels you can shape within the tunnel because packets are seen unencrypted out of the virtual "IPsec" interface. I have this running at work, with 5 locations with around 20 phones each, all connected to the main office via IPsec links, and has been working flawlessly for quite some time.

    Anyway, since you mention that voice quality also suffers when going on the outside of the tunnel, I guess that the shaper is not configured properly. Post your config and we'll see.
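
The point made in the post above, as an added example that is not part of the thread: a small Python simulation of a WAN-side PRIQ shaper that can only classify on the outer header of an encrypted tunnel packet. The queue name `qDefault`, UDP port 1194, the EF marking `0xB8`, the link rate and the traffic pattern are assumptions constructed for the illustration; `copy_tos` models copying the inner ToS byte onto the tunnel packet (OpenVPN's `passtos` option).

```python
from collections import deque

EF = 0xB8  # ToS byte for DSCP EF; assumes the phones mark their RTP this way


def encapsulate(inner, copy_tos):
    """Wrap a LAN packet in a tunnel packet; the payload is opaque to the WAN shaper."""
    outer_tos = inner["tos"] if copy_tos else 0
    return {"proto": "udp", "dport": 1194, "tos": outer_tos, "inner": inner}


def classify(outer):
    """WAN classifier: only outer header fields are visible, never outer['inner']."""
    return "qVoIP" if outer["tos"] == EF else "qDefault"


def simulate(copy_tos, ticks=100, link_per_tick=3, qlimit=10):
    """Return drop counts per traffic kind on a congested uplink shaped with PRIQ."""
    queues = {"qVoIP": deque(), "qDefault": deque()}
    drops = {"voice": 0, "bulk": 0}
    # Constructed load: 4 bulk packets then 1 voice packet per tick, link sends 3.
    offered = [{"kind": "bulk", "tos": 0}] * 4 + [{"kind": "voice", "tos": EF}]
    for _ in range(ticks):
        for inner in offered:
            outer = encapsulate(inner, copy_tos)
            q = queues[classify(outer)]
            if len(q) >= qlimit:
                drops[inner["kind"]] += 1      # tail drop when the queue is full
            else:
                q.append(outer)
        budget = link_per_tick
        for name in ("qVoIP", "qDefault"):     # strict priority: qVoIP drains first
            while budget and queues[name]:
                queues[name].popleft()
                budget -= 1
    return drops


if __name__ == "__main__":
    print("outer ToS not copied:", simulate(copy_tos=False))
    print("outer ToS copied:    ", simulate(copy_tos=True))
```

Without the copied ToS byte, voice and bulk share one queue and voice is tail-dropped along with everything else; with it, only bulk traffic is dropped.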


  • Hi Georgeman,

    I'm really interested in the solution you're using; we have to connect 4 remote sites and bring phone traffic to the central site and prioritise VoIP in the VPN tunnel.

    Could you post the TS configuration you've done?


