Solved

pfSense QoS (aka Traffic Shaper) VoIP issue

Posted on 2012-08-10
Last Modified: 2012-08-30
Hello all,

I'm sure quite a few of us out there, even veteran pfSense users such as myself, get a little uneasy when it comes to certain topics like QoS. We have a client currently utilizing a pfSense system. They're just a small office and they don't see much traffic at all. Recently they decided to pick up a Cisco VoIP phone (without telling us, of course) and assumed it would work by just plugging it in. Unfortunately, since this wasn't planned out properly, there are no managed switches, no VLANs for voice, no QoS as of right now. Basically nothing to support VoIP. At this point we're just trying to work with what we have on hand at the moment to get them up and running. Considering it's just a single phone I guess there really isn't all that much need for special configs outside of QoS. They have enough bandwidth to support it, we just have to work on call quality. So I don't have any experience with QoS in pfSense. It seemed simple enough at first. Before I explain what I did though, we're using version 2.0. Also this first link below is the topology of the network.

http://host.atomiklan.com/forums/voip_qos/topology.png


So I started the Traffic shaper wizard and selected multiWAN, single LAN since this is a very basic network with two WANs (primary and backup) and just a single LAN.

http://host.atomiklan.com/forums/voip_qos/screenshot_1.png


Next I obviously set the WAN connections to 2.

http://host.atomiklan.com/forums/voip_qos/screenshot_2.png


This is where the questions start to come in. From everything I have read, I should leave it on HFSC. Then below for each WAN connection I should specify the connection's speed but I should subtract a little bit of the available bandwidth to account for overhead. I'm not sure what are proper values to use here based on the speeds of my connections which you can see in my topology screenshot.

http://host.atomiklan.com/forums/voip_qos/screenshot_3.PNG


The next page raises even further questions. The only obvious choice is to select "Prioritize VoIP traffic". Other than that I have no idea how much bandwidth I should allocate to a single VoIP phone. I tried several Google searches for the required bandwidth for a single VoIP user and got so many different values (depending on codec etc). Really I just need kinda a ballpark here for a single VoIP phone. Problem is, nothing seems to help. I have tried several different settings here and I can never seem to get any results (more on this in a bit).

http://host.atomiklan.com/forums/voip_qos/screenshot_4.PNG


After that, I just click through the rest of the wizard using the defaults since I'm only interested in VoIP traffic. Finally I click finish. Everything reloads and looks like it's working.

http://host.atomiklan.com/forums/voip_qos/screenshot_5.PNG


However, if I test VoIP quality, I still get the same result with or without traffic shaper on. In fact, traffic shaper appears to just be hurting download speeds and not helping VoIP at all.

http://host.atomiklan.com/forums/voip_qos/withqos.PNG

Please help me! I'm not sure what we're doing wrong here. We have this client breathing down our necks to get this VoIP phone up and running.

Thank you!
Question by:nccguys
15 Comments
 
LVL 20

Expert Comment

by:agonza07
ID: 38282594
I've not used pfSense before, but I'll try to help you out on the VoIP side.

1) If you are not sure what codec you are using, just use 80k of bandwidth for that single phone.

2) QoS should be managed end-to-end. So the fact that you have an unmanaged switch, and have internet connections instead of dedicated lines is going to make things difficult for you.

a) How do you know the other computers in the switch are not causing you those issues?

b) QoS going out the internet you can only manage for outbound, you cannot manage inbound... which is where you are most likely to notice the issues because you can hear them...

c) As for that VoIP test, I think it's referring to your internet connection not being able to handle a good connection, not necessarily speaking of your internal network.

If possible, I suggest using the DSL as a dedicated internet line for that one phone and see how your call quality looks from there.
0
 

Author Comment

by:nccguys
ID: 38282629
Excellent point, I will try to create a firewall rule that pushes all the VoIP traffic out that link. Since it's not being used at this point anyways it only makes sense to utilize that link. Will update configs over the weekend and get back to you Monday or sooner if possible. In response to your second point (end-to-end), that's what really concerned me. I know very little about QoS. The Cisco books on QoS and Voice scare me lol, but I do recall from my NP Switching class that as you said, it must be controlled from L3 edge all the way down to the VoIP device. Thanks for the help, hopefully we'll get a little closer over the course of the next few days.
0
 
LVL 20

Expert Comment

by:agonza07
ID: 38282647
Sometimes if it's a small network, QoS is not such a big deal, but always good to have.

For example, I have a small lawyers office I maintain, 6 computers, 6 phones, small Linksys switch and router with all 6 phones using VoIP off the internet on a cable modem without any QoS... no issues whatsoever... but they have a really stable connection on the cable side.
0
 
LVL 15

Expert Comment

by:Phonebuff
ID: 38285811
@nccguys --

   I do pfSense with VoIP all the time.  But before I try and address your questions can you answer a couple background ones for me.  

    What are the Lan connections and are they from the same provider ? What speeds and are they Symmetrical or Asymmetrical ?

    What is the Cisco Phone connecting to ?  A BYOD service, Asterisk in another office, a corporate Call Manager installation ?  

     And just how is it connecting, SIP or SCCP, and across the LAN/WAN (NAT) or VPN Tunnel ?

     As you said this is not a plug and play device.
    ======
0
 

Author Comment

by:nccguys
ID: 38286546
What are the Lan connections and are they from the same provider?

Huh? The LAN connections are local... never from a provider. Are you asking what the WAN providers are? That would be Sudden Link (Cable) and Century Link (DSL) and speeds etc were posted in the links I provided above. Both links are Async. Again please see the links above (First link).

Phone is a Cisco SPA525G which connects up to a SIP provider (would be my guess). Specifically 8x8.com is the offsite provider. No * or any other onsite systems.

No VPNs, again probably just SIP but I can't know for sure just yet. Need to get a little more info from client.

"As you said this is not a plug and play device." Sigh... wish clients knew that... grumble grumble. Thanks again for the help.
0
 
LVL 15

Expert Comment

by:Phonebuff
ID: 38288733
@nccguys --

     Sorry, yes I typed WAN my fingers entered LAN..

    So here is what I would recommend.  Forget about QoS, because it will be ignored beyond your pfSense box anyway,  and unless you already have a network congestion problem on the LAN side it is not going to buy you anything.  

    On the pfSense box map the ports to your phone (SIP 506n/UDP & RTP 0K-25K/UDP)  then add rules outbound for the Source Device or any Device and the Ports to force them to the WAN connection that 8*8 is using as a target to the device.  (Note: if the phone is DHCP add it to the DHCP server so that the MAC always gets the same IP.)

     Most SIP connects need to be locked to one WAN/IP or the other.

    Hope this helps..
0
 

Author Comment

by:nccguys
ID: 38292977
SIP provider handles all connections on their end so no need for forwarding. Connections are established inside the network headed outbound through stateful firewall. I did however set the VoIP to utilize the second WAN link exclusively.

Graph
You can clearly see the VoIP call now going out the dedicated link while other traffic is still sent over WAN1. I ended up just setting an alias for the range of current and future IP phones (static address mappings via DHCP). Disabled QoS. Ideally, we need to implement a managed L2 device with a data and voice VLAN. Then push service out to phone and piggyback computers off the phones via the data VLAN. Really though, I would imagine that QoS really would never be an issue if we do end up implementing things this way assuming we keep the dedicated WAN link for voice.

Well... now that I think about it, that link is still used as failover in the event of a cable outage so if WAN1 dropped, then we would need QoS on WAN2 to prioritize the voice traffic until the cable line came back up. In the future though.

We tested the phones and they appear to be working fine. I don't have enough experience with VoIP phones to be able to troubleshoot symptoms, but the only complaint from customer right now is that the phone call sounds like he's in a tunnel. In other words, the person's voice from outside coming into VoIP phone sounds like a tunnel. I could hear him just fine going the other direction. Any thoughts here? Based on the graph, we can probably confirm that the connection utilized the dedicated link both directions as it should. Not sure what would cause the "tunnel" sound. Codec maybe? Too compressed? Possibly a setting on the IP phone?
0
 
LVL 20

Expert Comment

by:agonza07
ID: 38292998
You might need to get with the provider on that. They can change the codec on their end.
0
 
LVL 15

Expert Comment

by:Phonebuff
ID: 38293077
Okay,

    Two things you can do --

    * First get with the provider and see what Codec / Bandwidth they are using on this phone and maybe go to something that does compression.   http://www.voip-sip.org/voip-codecs/

    * Then most ISPs will ignore any QoS so it will not help you.  As you grow you should really consider placing an Asterisk or FreeSwitch on site, connecting to the Server and then "Trunking" to the provider.  At that point VLANs and QoS will help a lot and any extension to extension traffic is kept in house.

       There is a process I have used to control the bandwidth by setting the inbound a little below actual so that the pfSense box reserves room for the UDP Voice.   I will ask the person who wrote it up where I can get a copy of the procedure.
  _____
0
 

Author Comment

by:nccguys
ID: 38293352
Looks like they default to G.729A but have the option to switch to G.722 or G.711

Seems like G.722 is going to be their clearest and best option for now just using this single phone with the dedicated link. Thoughts?
0
 
LVL 15

Expert Comment

by:Phonebuff
ID: 38293405
If in fact you are on G.729 that's the best you are going to do..

If you have a *NIX system on site you might run the mtr utility and see if you are losing packets anywhere in the route ..

http://linux.die.net/man/8/mtr
0
 

Author Comment

by:nccguys
ID: 38293463
Hmm, I guess I understood G.722 to be the better quality codec. Higher bit rate (80 Kbps vs 32 Kbps) and a wider range (7 kHz).

The only *NIX system is the router currently; however, we can plug in something temp to run that test.
0
 
LVL 15

Expert Comment

by:Phonebuff
ID: 38293482
I was thinking minimum bandwidth not maximum quality --

---------------------
0
 
LVL 15

Accepted Solution

by:
Phonebuff earned 2000 total points
ID: 38305063
@nccguys

    Talked to my friend and he reminded me of what the process was, basically he calls it Red Neck QoS.

    In the setup set the bandwidth of the WAN Receive path about three to five percent below the total bandwidth available.   When it reaches that level pfSense will start sending congestion / pacing messages to the ISP.  Leaving the remaining percentage free for the UDP / RTP Voice traffic and protecting voice quality from network hogs.

   -----------
0
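An added example, not part of the thread or any poster's code: it works out what one call costs on the wire for the codecs the provider offers (G.729A, G.722, G.711) and how many such calls fit in the 3 to 5 percent of the WAN receive path that the accepted answer leaves unshaped. The link speeds are constructed, and 20 ms packetization, IPv4 and Ethernet framing are assumptions (DSL encapsulation adds more per packet).

```python
# Added example: per-call VoIP bandwidth versus shaper headroom.
# Assumptions: RTP over UDP over IPv4, 20 ms packetization, Ethernet framing.

IP_UDP_RTP_HEADER = 20 + 8 + 12   # bytes per packet: IPv4 + UDP + RTP
ETHERNET_OVERHEAD = 14 + 4        # bytes per packet: Ethernet header + FCS

# Nominal codec payload rates in bit/s.
CODEC_BITRATE = {"G.711": 64000, "G.722": 64000, "G.729A": 8000}


def call_bandwidth_bps(codec, ptime_ms=20, l2_overhead=ETHERNET_OVERHEAD):
    """Bit/s for one direction of one call, headers included."""
    pps = 1000 / ptime_ms                          # packets per second
    payload_bytes = CODEC_BITRATE[codec] / 8 / pps
    per_packet = payload_bytes + IP_UDP_RTP_HEADER + l2_overhead
    return int(round(per_packet * 8 * pps))


def shaper_limit_kbps(link_kbps, reserve_pct):
    """Bandwidth to enter for the WAN in the shaper: link speed minus the reserve."""
    if not 0 < reserve_pct < 100:
        raise ValueError("reserve_pct must be between 0 and 100")
    return int(link_kbps * (100 - reserve_pct) / 100)


def calls_that_fit(link_kbps, reserve_pct, codec):
    """Whole calls (one direction) that fit in the reserved headroom."""
    headroom_bps = (link_kbps - shaper_limit_kbps(link_kbps, reserve_pct)) * 1000
    return headroom_bps // call_bandwidth_bps(codec)


if __name__ == "__main__":
    # Constructed link speeds (kbit/s downstream); the real ones are in the
    # poster's topology image and are not reproduced here.
    for name, link in (("DSL", 1500), ("cable", 10000)):
        for pct in (3, 5):
            limit = shaper_limit_kbps(link, pct)
            fits = {c: calls_that_fit(link, pct, c) for c in CODEC_BITRATE}
            print(f"{name} {link} kbps, reserve {pct}%: shaper={limit} kbps, calls={fits}")
```

On the constructed 1500 kbps link a 5% reserve leaves 75 kbps, which covers two G.729A streams but not a single G.711 or G.722 stream, so the reserve has to be sized against the codec actually in use.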
 

Author Closing Comment

by:nccguys
ID: 38352786
Thanks for all of your help with this.
0

Question has a verified solution.