
Prioritize VOIP traffic using a ZyWall USG 100

All,
We have 1 ZyXel ZyWALL USG 100 firewall and 2 ZyXel ZyWALL USG 20W firewalls.

Our main office is the USG 100
Our satellite offices have the USG 20Ws
We have full control of both.
We are NOT using VPN between the firewalls.

For the purpose of this discussion, let's forget VPN.

We are having a problem where the VOIP phones at the satellite locations are having audio dropouts.

I've spoken with the phone vendor and a few other people and they suggest we prioritize traffic so VOIP ALWAYS gets priority.

If possible, I don't want to have to "carve off" dedicated bandwidth for this because they aren't using the phones 90% of the time. So in a perfect world - anytime there is VOIP traffic, it gets priority over EVERYTHING.

I did some additional research and found that the ZyWalls have a feature called App Patrol which sounds like it can help with this - I signed up for the trial service so we have that available as well.

Can anyone help me figure out how to prioritize the traffic?

MUCH appreciated!
Asked:
rheide
1 Solution
 
noci (Software Engineer) commented:
You can enforce DSCP markings using a route.
(DSCP/DiffServ/ToS are all different tagging schemas for the same IP header field, TOS.)
For DSCP you are looking for Expedited Forwarding (EF), which is equivalent to TOS LowDelay.
It all depends on the routers in between your endpoints following the rules of the TOS field.
IPSEC should propagate the TOS of the wrapped packet to the encapsulating packet.

Here you can find a little more:
Exact info: (RFC)
http://datatracker.ietf.org/doc/rfc2474/
More explained:
http://www.hep.ucl.ac.uk/~ytl/qos/diffserv_01.html
Also:
http://www.voip-info.org/wiki/view/DiffServ

App-Patrol is more or less like snort. It uses signatures to identify certain packets in the allowed streams that might indicate problems with the content. So it will not help to speed things up; it may adversely slow your firewall.
0
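
The relationship between DSCP and the legacy TOS bits described in the answer above, as an added example that is not part of the original thread: it decodes the TOS/DS octet of an IPv4 header both ways and checks whether an EF marking is still present after transit. The helper names, sample headers and documentation-range addresses are constructed for illustration.

```python
import struct

# Common DSCP code points: class selectors (RFC 2474) and EF (RFC 3246).
DSCP_NAMES = {0: "default", 8: "CS1", 16: "CS2", 24: "CS3", 32: "CS4",
              40: "CS5", 46: "EF", 48: "CS6", 56: "CS7"}

def dscp_to_tos_byte(dscp, ecn=0):
    """DSCP is the upper 6 bits of the former TOS octet, ECN the lower 2."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP is 6 bits, ECN is 2 bits")
    return (dscp << 2) | ecn

def decode_tos_byte(tos):
    """Read the same octet as DiffServ (RFC 2474) and as legacy TOS (RFC 791)."""
    dscp = tos >> 2
    return {
        "dscp": dscp,
        "dscp_name": DSCP_NAMES.get(dscp, "other"),
        "ecn": tos & 0x03,
        "precedence": tos >> 5,                # RFC 791 bits 0-2
        "low_delay": bool(tos & 0x10),         # RFC 791 D bit
        "high_throughput": bool(tos & 0x08),   # RFC 791 T bit
        "high_reliability": bool(tos & 0x04),  # RFC 791 R bit
    }

def tos_from_ipv4_header(packet):
    """Return the TOS/DS octet (second byte) of a raw IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos = struct.unpack_from("!BB", packet, 0)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return tos

def marking_survived(sent, received):
    """True if the DSCP set at the sender is still present at the receiver."""
    return (decode_tos_byte(tos_from_ipv4_header(sent))["dscp"]
            == decode_tos_byte(tos_from_ipv4_header(received))["dscp"])

def sample_header(tos):
    """Constructed 20-byte IPv4/UDP header (checksum left at 0, not validated)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 28, 0, 0, 64, 17, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))

if __name__ == "__main__":
    ef = sample_header(dscp_to_tos_byte(46))   # marked EF at the sending side
    remarked = sample_header(0)                # same packet after a hop reset it
    print(decode_tos_byte(tos_from_ipv4_header(ef)))
    print("survived:", marking_survived(ef, remarked))
```

Comparing the octet in captures taken at both offices shows whether a device in between is resetting the marking.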
 
rheide (Author) commented:
I'm still trying to figure this out.
0
 
noci (Software Engineer) commented:
If you need clarification, then please state what needs to be clarified.
0
 
rheide (Author) commented:
I was hoping to find someone that is an expert with ZyXel firewalls to get step by step instruction.

** I am very appreciative of the information that has been provided but my problem arises when I go into the ZyXel interface as there are 1,000 options ;-)
0
 
noci (Software Engineer) commented:
Herewith I assume that you do know how to operate a mouse and keyboard, boot up a PC, log on to your OS, start a browser, open a session to the ZyXEL, log on there and select config from the menu, and select firewall.... and that you have reading abilities and a bunch more.

OK, the DSCP markings are on the network, routing, network policy rule (keep DSCP markings, or you can set them).
Open a rule, select the right marking and save...
and then you can save the rules with the settings I mentioned before.
0
 
rheide (Author) commented:
Funny stuff - I'll assume you are joking and NOT being an a$$ ;-)

The problem is that I'm not an expert at networking which is why I asked the question. So when you say "save the rules with the settings I mentioned before" or "open a rule select the right marking and save", I'm still not sure what to save or set SPECIFICALLY.

** You may have a tendency to think I should research/search more about this but that is why I PAY for Expert-Exchange and I don't just google for results.

If you are just giving me a hard time, please respond back. If you are being serious (with the operating a mouse instructions), then don't waste the time.

Thanks!
0
 
noci (Software Engineer) commented:
Yes, it was meant jokingly... (had a not too serious call before I wrote that). Rereading later, I probably would have rephrased it.
The setting is called DSCP marking...

In my first answer there are 3 links..., and you do need to read them. Just pushing values doesn't help a lot and may just get you the wrong results, as the RIGHT setting heavily depends on what else is set.
(All settings work relative to each other)... If you set all to the same value they won't help a lot.
You should know what traffic passes the FW (filter/NAT rules) and how they should compare.

And App-Patrol would not help to solve this.
0
 
rheide (Author) commented:
Noci-
Thanks for the nice response!! I will read up on that and get it figured out.

Also - thanks for the heads-up on app-patrol - I'm sure I would have ended up going down that path!!
0
Question has a verified solution.
