Netgate Discussion Forum

    Simple traffic shaping to prioritize VoIP traffic

    • amartin

      Hello,

      I am running pfSense 2.2.3 with a single LAN, single WAN connection, and an OpenVPN connection. I would like to enable PRIQ traffic shaping to prioritize all VoIP (SIP, RTP) traffic by marking the VoIP subnets. The VoIP traffic is originating either I followed this guide for configuring the traffic shaper, with the following differences:

      • for the wizard, I selected "Dedicated Links" instead of "Single Lan multi Wan"
      • for the floating firewall rules, I selected "Match" as the Action since "Queue" is no longer available

      Note that the floating firewall rules are as follows:

      rule 1:

      • Action: Match
      • Interface: LAN, WAN, OpenVPN
      • Protocol: UDP
      • Source: alias of VoIP subnets
      • Destination: any
      • Ackqueue/Queue: qACK/qVoIP

      rule 2:

      • Action: Match
      • Interface: LAN, WAN, OpenVPN
      • Protocol: UDP
      • Source: any
      • Destination: alias of VoIP subnets
      • Ackqueue/Queue: qACK/qVoIP

      However, after completing these steps, I cannot get any traffic to show up in the qVoIP queue under Status > Queues. What am I doing wrong?

      Thanks!

      • Derelict LAYER 8 Netgate

        First off, setting qACK for UDP is pointless.  No ACKs in UDP.

        Second, how are your VOIP connections established?  What connects to what and on what interfaces?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • amartin

          Thanks for the clarification about qACK. The VoIP connections are established from clients via OpenVPN (so ovpns1) to clients and an asterisk server on the LAN interface.

          • Derelict LAYER 8 Netgate

            OK.  That's what I thought it might be.

            Is your VPN traffic mostly VOIP?  Is there anything heavier going on?

            It gets complicated to shape inside a VPN tunnel.  It might be better to just prioritize the VPN traffic itself, which you should do anyway, otherwise the shaping in the tunnel will be sort of worthless since it'll be going out WAN in qDefault or whatever.

            I do VOIP over OpenVPN, too.  But mostly the other traffic on the VPN is ssh so I just prioritize the tunnel itself.

            I guess you need to figure out if the VOIP needs shaping because of other VPN traffic or other WAN traffic.

            • amartin

              The only traffic going over the VPN is VoIP, so I am fine with prioritizing the VPN traffic entirely. In fact, I think that is what I've tried to do already - the "alias of VoIP subnets" includes both the subnet on the LAN which has VoIP traffic but also the subnet of the VPN itself. Shouldn't this be prioritizing all VPN traffic since the VPN subnet should be getting tagged as qVoIP?

              • Derelict LAYER 8 Netgate

                Nope.

                You want to forget about everything VoIP and OpenVPN and prioritize the tunnel endpoints and the VPN tunnel itself.

                You will have a firewall rule on the server passing inbound traffic to your OpenVPN server.  Prioritize that traffic using that rule.

                On the client, you will need a floating rule on WAN out UDP source WAN address dest Remote VPN Server address port OpenVPN port.  Prioritize that using a match rule.


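Added illustration, not part of the thread and not pfSense code: a simplified model of floating Match rules showing the point made in the replies above, that on WAN the shaper sees only the encapsulated OpenVPN packets between the tunnel endpoints, so rules keyed on the VoIP subnets leave them in the default queue there. All addresses, port 1194 and the "last match sets the queue" rule model are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY = ("0.0.0.0/0",)

@dataclass
class Packet:            # header fields the shaper sees on one interface
    iface: str
    direction: str
    proto: str
    src: str
    dst: str
    dport: int

@dataclass
class MatchRule:         # simplified floating "Match" rule (assumed model)
    ifaces: Tuple[str, ...]
    queue: str
    src: Tuple[str, ...] = ANY
    dst: Tuple[str, ...] = ANY
    direction: str = "any"
    dport: Optional[int] = None
    proto: str = "udp"

    def matches(self, p: Packet) -> bool:
        def within(ip, nets):
            return any(ip_address(ip) in ip_network(n) for n in nets)
        return (p.iface in self.ifaces and p.proto == self.proto
                and self.direction in ("any", p.direction)
                and within(p.src, self.src) and within(p.dst, self.dst)
                and self.dport in (None, p.dport))

def classify(pkt, rules, default="qDefault"):
    queue = default
    for rule in rules:   # match rules do not stop evaluation; last match sets the queue
        if rule.matches(pkt):
            queue = rule.queue
    return queue

# Constructed sample values (documentation/private ranges), not from the thread.
VOIP_ALIAS = ("10.0.10.0/24", "10.8.0.0/24")   # LAN VoIP subnet + tunnel subnet
ALL_IFS = ("LAN", "WAN", "OpenVPN")
ALIAS_RULES = [MatchRule(ALL_IFS, "qVoIP", src=VOIP_ALIAS),   # rule 1 from the first post
               MatchRule(ALL_IFS, "qVoIP", dst=VOIP_ALIAS)]   # rule 2 from the first post
TUNNEL_RULES = [MatchRule(("WAN",), "qVoIP", src=("198.51.100.2/32",),
                          dst=("203.0.113.10/32",), direction="out", dport=1194)]
INNER = Packet("OpenVPN", "out", "udp", "10.8.0.6", "10.0.10.20", 10000)   # RTP inside the tunnel
OUTER = Packet("WAN", "out", "udp", "198.51.100.2", "203.0.113.10", 1194)  # same data, encapsulated
```

`classify(OUTER, ALIAS_RULES)` returns `qDefault`, while `classify(OUTER, TUNNEL_RULES)` returns `qVoIP`.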
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.