Configuring QoS on SonicWall TZ190 for VoIP over VPN

I have recently set up a network connecting 3 physical locations (1 location has servers, other 2 locations have only workstations and VoIP phones) using SonicWall TZ190 units as border routers.

All 3 physical locations are connected logically via a VPN tunnel.

My problem is that I do not have enough working knowledge of QoS (and more specifically as implemented on the SonicWall TZ190 device).

I have attached a "code snippet" as a basic diagram of the network layout.  There will be VoIP phones in all 3 locations, and the Asterisk (VoIP) server is located in the network.

"Server Location" has a cable connection (16 mbit x 2 mbit).
"Remote Office 1" has a DSL connection (6 mbit x 768 kbit).
"Remote Office 2" has a cable connection (16 mbit x 2 mbit).

We are going to have around 10 phones total across all 3 locations, along with 2 other Windows 2003 based servers.  The Windows 2003 servers are online currently and it's almost impossible to tell that they aren't at the same physical location.

However, if anyone puts a load on the connection the VoIP gets choppy.  So I need to implement QoS on the SonicWall devices, and to be totally honest... I have no idea how to do it properly as this is my first roll out using SonicWall devices.

So... here I am asking for help...

(Thanks in advance!)
Remote Office 1 - LAN ( -----|
                                           | <-(VPN)
Server Location - LAN ( -----|
                                           | <-(VPN)
Remote Office 2 - LAN ( -----|

Brent (DevOps) Commented:
Actually I just got off the phone with SonicWall.  I was mistaken regarding the input/output source/destination rules.  The outbound rule on the remote site and the inbound rule on the main site.. are the only QoS rules needed.  The SonicWalls automatically apply the rules based on the original sender.  So if the server is replying.. it uses the incoming rule from the main site.

So just create the rule for outgoing on the TZ190 and incoming on the main site firewall.  The DSCP should prioritize when there is a backup ... or blip as you put it.

I am currently working with them on the same type of issue.

The issue is that the TZ190 doesn't have QoS in its standard form.. you have to use DSCP.

Create a priority service group on the remote SonicWalls.  Set up a reflexive firewall rule on the LAN > VPN that specifies the priority services from your remote LAN subnet to your corporate network, then go to the QoS tab and set the DSCP priority to "Control" or higher.  You can also use bandwidth management if you specify the bandwidth available on the TZ190 WAN interface.  Make sure to set the rule priority to highest in both LAN > VPN and VPN > LAN.

On your server host TZ190, you will need to do the same thing.

The issue I am having is that the packet priority back to the site does not work.  I have been escalating the case all over the place because I have a site I need to use QoS to, and their appliances, which said they could do it.. don't seem to be able to do source/destination QoS assignments.  I have a 3060 at my main site and a TZ190 at the remote sites.
triphius (Author) Commented:
Over the last week or so, after consulting SonicWall support (read: useless) and talking to a SonicWall "guru" from a partner company of ours, the best case with the TZ190 seems to be the Bandwidth Management feature.

However, although the VoIP quality is much, much better when implemented, it's still not good enough to "go live", since the Bandwidth Management function adjusts on the fly instead of creating a static QoS.  The end result is that I get occasional blips and choppiness as the flow of traffic is adjusted.

It's kind of like a freeway with an emergency vehicle... all the normal traffic has to get out of the way when one comes, but they just clog the lane up again after it passes.  When the next one comes, you repeat the same thing again.

I'll see if your suggestion to use DSCP helps the occasional blips and choppiness.  Otherwise, it looks like I'm going to have to go to the fallback plan and send the data on the WAN and the voice on the OPT WAN.

It'll probably be Monday or Tuesday before I can try this out...
Are your TZ190s using SonicWALL's Enhanced or Standard O/S?
PS... Don't forget that what you are trying to do here with the SonicWALL isn't really your problem.  Whilst the SonicWALL isn't providing you with a QoS service as such, the true QoS needed for successful VoIP traffic is at your provider level.  If using DSL, Cable etc. then QoS is not provided.  This is why many large VoIP companies require point to point leased lines or MPLS.

TZ190s automatically come with enhanced.
triphius (Author) Commented:
Yeah, they come with the Enhanced OS.

VCBooth:  Of course dedicated lines would be the best option, but it's not within the budget. It is possible to have a solid phone call without dedicated lines.  I have the same Asterisk-based system at home and use it without issue.  The VoIP call does not require much bandwidth, and for the most part the call sounds fine... it's just that I need to be able to control the bandwidth used over the VPN, because data usage causes the call to break up.

Icetoad:  I'm hoping to have time tomorrow (Tuesday) to test DSCP suggestion...
Not all TZ190s come with Enhanced.  It is a current SonicWALL offer and likely here to stay; however, earlier TZ190s came with Standard and Enhanced was an upgrade.

Triphius - this article should be of help - BWM is your way to go but it's not that great with QoS on the line.  This is what is out of control on any device, not just a SonicWALL.


They are offering a free upgrade for TZ180 down.

BTW: that's a really good doc to go off of.
triphius (Author) Commented:
So I've had the time to test out the DSCP suggestion, and unfortunately it didn't fix anything.

To be more specific as to the results, when talking normally, it sounded fine. However, when I started to transfer files, it was very choppy.  It seems to be worse in that situation with the DSCP tags.

Unfortunately the TZ190 does not have any other form of QoS besides the BWM function.

Unless someone has another idea, I think I'm going to have to fall back to the secondary WAN connection idea.
VCBooth Commented:
I really do think that the issue here is not the SonicWALL but the quality of DSL lines - experienced it so many times.  It gets worse as you add more users and start more data also.  We need to remember that the SonicWALL box is not a dedicated bandwidth management device.  I totally understand your frustration with this though.  The difference is, because it's Voice and so has a timing element to it, it's incredibly simple to "hear" the breaking up of packets etc - whereas with normal data, downloading etc, you wouldn't notice this.
triphius (Author) Commented:
You do make a good point.

Normally, I'd agree completely. However, we've never had a problem with the quality of these lines, and when the lines are "idle", the voice sounds fine (besides the occasional blip due to the SonicWall adjusting the BWM on-the-fly).

I'm relatively sure that the provider is capable of giving us at least enough "dedicated" bandwidth to handle our calls (only 64k is required in and out per call).  It really seems like sharing the lines with data causes the real problems.

I'll leave this open for a day or two and see if I can collect any other ideas, however it looks like all signs are pointing to the secondary line as the next course of action.  Luckily they should be finished provisioning / installing them soon.

Thanks for your help so far Icetoad and VCBooth.
triphius (Author) Commented:
It looks like we're going to need to use dedicated DSL/Cable circuits for the VoIP Traffic.  Thanks for the help, you two certainly pointed me in the right direction.
Question has a verified solution.