Author: Seth Scardefield
1/8/2013

pfSense VoIP QoS Guide

This guide will walk you through configuring the traffic shaper in pfSense to prioritize VoIP traffic. This is a very basic configuration intended for most small to medium sized networks that utilize their internet connection for Voice over IP (VoIP) service. This guide also assumes that you only have two interfaces, a WAN and a LAN. If you have other interfaces (such as a DMZ or an interface connecting to the corporate WAN), you will need to take that into consideration when setting the link bandwidths and when choosing which interfaces to apply your firewall rules to (the firewall rules you use to specify what qualifies as VoIP traffic).

Overview

1. Create an alias of all VoIP hosts
2. Use the traffic shaper wizard to set the scheduler and link bandwidth
3. Create new queues for VoIP traffic
4. Create firewall rules to classify VoIP traffic
5. Test the queues

*If a field is not specifically mentioned in this guide, leave it at its default setting.

Create an alias for all VoIP hosts

1. Navigate to Firewall > Aliases
2. Click the + to add a new Alias
3. Add all the hosts that will send/receive voice traffic that will need to be prioritized. In this example we are adding the IP address of the local PBX and the IP address of the Internet Telephony Service Provider (ITSP) that provides our SIP trunk. It is also possible to configure aliases with networks or ports, which might make more sense depending on your environment.

Use the Traffic Shaper wizard to set the scheduler and link bandwidth

1. Navigate to Firewall > Traffic Shaper
2. Click on the Wizards tab
3. Click the appropriate wizard (Single LAN multi WAN in most cases)
4. Use the following settings
   Download Scheduler: PRIQ
   Interface: WAN
   Upload Scheduler: PRIQ
   Connection Upload: The upload speed of your internet connection
   Connection Download: The download speed of your internet connection
5. Go through the rest of the wizard leaving all the remaining settings as default (not enabled)

Create new queues for VoIP traffic

1. Navigate to Firewall > Traffic Shaper
2. On the By Interface tab click on WAN
3. Make sure it is Enabled, the Scheduler is set to PRIQ, and the Bandwidth is correct.
4. Click the Add new queue button
5. Use the following settings for the new WAN queue and then click the Save button
   Enable/Disable: Check the box to enable
   Queue Name: qvoip
   Priority: 7
   Explicit Congestion Notification: Check this box to enable
   Description: High priority queue for VoIP traffic
6. On the By Interface tab click on LAN
7. Make sure it is Enabled, the Scheduler is set to PRIQ, and the Bandwidth is correct.
8. Click the Add new queue button
9. Use the following settings for the new LAN queue and click the Save button
   Enable/Disable: Check the box to enable
   Queue Name: qvoip (make this exactly the same name as you did for the WAN queue)
   Priority: 7
   Explicit Congestion Notification: Check this box to enable
   Description: High priority queue for VoIP traffic

Create firewall rules to classify VoIP traffic

1. Navigate to Firewall > Rules
2. Click on the Floating tab
3. Click on the + to add a new firewall rule
4. Use the following settings for the new firewall rule
   Action: Queue
   Interface: WAN and LAN
   Protocol: UDP
   Source Type: Single host or alias
   Source Address: VoIPHosts (the alias you created earlier)
   Description: VoIP hosts to be prioritized
   Ackqueue/Queue: qack/qvoip
5. Click Save
6. While still on the Floating tab click on the + again to create a second firewall rule
7. Use the following settings for the new firewall rule
   Action: Queue
   Interface: WAN and LAN
   Protocol: UDP
   Destination Type: Single host or alias
   Destination Address: VoIPHosts (the alias you created earlier)
   Description: VoIP hosts to be prioritized
   Ackqueue/Queue: qack/qvoip
8. Click Save

These rules are very basic. They will put ALL traffic to or from the local PBX into the high priority VoIP queue, including non-VoIP traffic. In most situations this won't be an issue, as the PBX doesn't generally generate much non-VoIP traffic. But if you'd like, you can definitely get more granular with what gets classified as high priority. You can accomplish this by modifying your Alias, the firewall rules, or both. For example, if you know the UDP ports that your PBX uses for RTP (the audio part of VoIP), you could specify the port range in the firewall rules along with the IP addresses of the VoIP hosts. So instead of all traffic to or from your VoIP hosts getting classified as high priority, it would only be traffic to or from your VoIP hosts on the audio ports.

Test the queues

1. Navigate to Status > Queues

Here you will see a (near) real-time view of the amount of traffic falling into your various queues. A good way to verify that your VoIP traffic is falling into the VoIP queues is to place a call when there is as little traffic on the network as possible (after hours is generally a good time to do this). The amount of bandwidth used per call depends on the codec used. In most cases it will be the G.711 codec, which uses about 85-90Kbps. Wait until there are no active calls on your system, and then make an outbound call. You should see your VoIP queues go up to 90Kbps for the remainder of the call and then drop back to 0 (or close to it) when you hang up.
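
To see what the basic floating rules classify compared with the more granular, port-restricted variant described above, the following added example (not part of the original guide) models both rule sets over a few constructed flows. The IP addresses, the RTP port range 10000-20000, and the function names are assumptions for illustration; the model also assumes the port range is set on the same side of each rule as the alias.

```python
import ipaddress

# Constructed values: the guide does not give addresses or an RTP port range.
VOIP_HOSTS = {ipaddress.ip_address(a) for a in ("192.168.1.10", "203.0.113.20")}
RTP_PORTS = range(10000, 20001)  # hypothetical RTP range; check your PBX

def classify(flow, rtp_only=False):
    """Queue chosen by the two floating rules for (proto, src, sport, dst, dport).

    Rule 1: UDP with source in the VoIPHosts alias.
    Rule 2: UDP with destination in the VoIPHosts alias.
    rtp_only=True models the granular variant, assuming the port range is set
    on the same side of the rule as the alias.
    """
    proto, src, sport, dst, dport = flow
    if proto != "udp":
        return "default"
    rule1 = ipaddress.ip_address(src) in VOIP_HOSTS and (not rtp_only or sport in RTP_PORTS)
    rule2 = ipaddress.ip_address(dst) in VOIP_HOSTS and (not rtp_only or dport in RTP_PORTS)
    return "qvoip" if rule1 or rule2 else "default"

# Constructed sample flows: PBX = 192.168.1.10, ITSP = 203.0.113.20.
FLOWS = {
    "rtp_out": ("udp", "192.168.1.10", 12000, "203.0.113.20", 35000),
    "rtp_in": ("udp", "203.0.113.20", 35000, "192.168.1.10", 12000),
    "sip": ("udp", "192.168.1.10", 5060, "203.0.113.20", 5060),
    "pbx_dns": ("udp", "192.168.1.10", 53124, "198.51.100.53", 53),
    "pbx_https": ("tcp", "192.168.1.10", 49200, "198.51.100.80", 443),
    "workstation": ("udp", "192.168.1.50", 12000, "198.51.100.80", 443),
}

def demoted_by_granular_rules(flows=FLOWS):
    """Names of flows in qvoip under the basic rules but not the granular ones."""
    return sorted(name for name, f in flows.items()
                  if classify(f) == "qvoip" and classify(f, rtp_only=True) == "default")

if __name__ == "__main__":
    for name, f in FLOWS.items():
        print(f"{name:12} basic={classify(f):8} granular={classify(f, rtp_only=True)}")
    print("demoted:", demoted_by_granular_rules())
```

With these sample values, restricting the rules to the audio ports also moves SIP signaling on UDP 5060 out of qvoip, so decide whether signaling should stay prioritized before narrowing the rules.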