Sunday 13 February 2011

It would be nice if people with experience in this field would share VoIP best practice: how do you handle firewalling, VLANs, queues, mangle rules, and so on?

1: How to control Skype and other P2P voice services (not file sharing) and get the best benefit out of them.

2: Make priority queues that handle normal VoIP.

Layer 3 prioritization.

VoIP can be given priority over other traffic by marking the packets in mangle and then using a queue tree to assign a priority to that mark.

Marking can be based on various things that identify the traffic as VoIP.

If you are prioritizing your own VoIP service or a known partner's, you can mark traffic by IP range. In the example below, a.a.a.0/24 stands for the network that contains the VoIP servers; both directions are marked, because the RTP stream towards the phones matters as much as the stream from them.

/ip firewall mangle
add chain=forward src-address=a.a.a.0/24 action=mark-packet new-packet-mark=VoIP\
passthrough=no comment="VoIP" disabled=no

add chain=forward dst-address=a.a.a.0/24 action=mark-packet new-packet-mark=VoIP\
passthrough=no comment="VoIP" disabled=no

Much VoIP hardware uses the TOS byte in the IP header to express its preferred priority. If the VoIP equipment's configuration does not say what TOS value it sends, capture packets from it with /tool sniffer on your MikroTik and look at them in Wireshark/Ethereal on your desktop. The RTP packets coming from the VoIP equipment will show the TOS byte in binary and hex. Convert that value to decimal for MikroTik's packet marking. Note that RouterOS v3 and later match this field with the dscp matcher, which is the upper six bits of the TOS byte (0-63), so divide the decimal TOS value by 4: a phone that sends EF shows TOS 0xB8 (184), which is DSCP 46. Here is an example, using xxx as the decimal value of the TOS information gathered with the sniffer and Wireshark.

/ip firewall mangle
# xxx is the decimal TOS value from the capture; on RouterOS v3 and later the
# matcher is dscp=<xxx/4> (the upper six bits of the TOS byte)
add chain=forward tos=xxx action=mark-packet new-packet-mark=VoIP passthrough=no \
comment="voip tos xxx" disabled=no

After the packets are marked, a queue tree can give the VoIP mark a higher priority than everything else. A queue should be set up on each interface that needs to apply the priority. MikroTik priorities range from 1 to 8, with 1 the highest and 8 the lowest. (This is the reverse of the unrelated but popular 802.1p LAN CoS numbering, which uses 0-7 with 7 the highest.) In my example I set priority 2, which is above other traffic but not the highest; the highest is typically reserved for routing protocols and other essential network functions. Keep in mind that priority only decides which queue is served first when packets are actually waiting: if the real bottleneck is a slower link upstream of the router (a DSL modem, for example), the queue never fills and the priority never acts. In that case put the VoIP queue and an everything-else queue under a parent whose max-limit is set slightly below the real link speed, so the backlog forms on the router, and give the non-VoIP traffic its own mark and queue, since packets that match no queue are sent straight to the interface and are not subject to the priority at all.

/ queue tree
# packet-mark must match the mangle mark exactly (marks are case-sensitive strings)
add name="ether1_voip" parent=ether1 packet-mark=VoIP limit-at=0 queue=default priority=2 \
max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="ether2_voip" parent=ether2 packet-mark=VoIP limit-at=0 queue=default priority=2 \
max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no

You can use Winbox to watch the packet counters of the queue tree entries while making a VoIP call. If the counters climb, your marks are catching the right traffic and it is being prioritized. If they stay still, you are marking the wrong traffic: check the mark name (it must match between mangle and queue tree), the address range and the direction of the rule.

Layer 2 prioritization.

On a busy LAN it may be desirable to separate VoIP traffic from normal data traffic. Many small networks are not busy or bursty enough to need this, but some administrators keep voice and data separate anyway, for security or ease of management, using the same techniques.

Set up a separate IP range for the IP phones and voice equipment, and assign that network to the MikroTik through a VLAN interface (or an additional Ethernet card). The other traffic uses a different VLAN (or network card). A managed Ethernet switch is needed to keep the VLANs separate on the LAN. A single VLAN-capable Ethernet port on the MikroTik can carry multiple tagged VLANs. Some network cards do not handle VLAN tagging well; for those, avoid putting tagged traffic on them.

On the managed Ethernet switch, configure the ports that go to end equipment as untagged members of their proper VLAN (a VoIP phone on switch port 23 should be in the VoIP VLAN, a file server on switch port 22 in the data VLAN). Ports going to other managed switches or to a VLAN-tagging MikroTik should be tagged members of both VLANs. If you use separate Ethernet cards in the MikroTik for voice and data, no tagging is used on those links.

Managed switches and other VLAN-capable layer 2 equipment offer VLAN prioritization, called CoS (802.1p). This lets you give the voice VLAN higher priority than the other VLANs. Prioritization must be enabled and configured on every device the traffic passes through. CoS numbering is the reverse of MikroTik queue priority: it uses 0-7, with 7 the highest. If you have two Ethernet switches, both must support VLANs and prioritization and be configured for them. Because it is layer 2, CoS does not survive routing: if a MikroTik routes between two networks, each network must be configured independently. CoS is not needed on the MikroTik itself, but you should implement layer 3 QoS there so that priority is preserved as traffic passes through the router and leaves on another MikroTik interface.
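A small Python helper, added here as an example (it is not part of the original post and not MikroTik tooling), that covers the two numbering points above: it decodes the TOS byte seen in a Wireshark capture into the DSCP value that RouterOS v3 and later match with dscp=, names the per-hop behaviour so a phone sending EF (DSCP 46, TOS 0xB8) is recognisable, converts between 802.1p CoS (0-7, 7 highest) and RouterOS queue priority (1-8, 1 highest), and renders mangle and queue-tree entries that spell one mark consistently and give everything else its own mark and queue under a rate-limited parent. The network 10.10.10.0/24, the interface names ether1/ether2 and the 10M parent max-limit are assumptions chosen for the demonstration.

```python
"""TOS/DSCP decoding and RouterOS priority helpers for the VoIP marking above.

Added example; not RouterOS tooling and not the page author's code.
The network 10.10.10.0/24, the interface names and the 10M uplink
limit are assumptions chosen for the demonstration.
"""
from ipaddress import ip_network


def phb_name(dscp: int) -> str:
    """Standard per-hop behaviour name for a DSCP (RFC 2474, 2597, 3246)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    if dscp == 46:
        return "EF"              # Expedited Forwarding, the usual RTP marking
    if dscp == 0:
        return "CS0/BE"
    if dscp & 0b111 == 0:
        return f"CS{dscp >> 3}"  # class selector, IP-precedence compatible
    af_class, drop = dscp >> 3, (dscp >> 1) & 0b11
    if 1 <= af_class <= 4 and 1 <= drop <= 3 and dscp & 1 == 0:
        return f"AF{af_class}{drop}"
    return "unassigned"


def decode_tos(tos: int) -> dict:
    """Split the 8-bit TOS/DS byte Wireshark shows into DSCP (upper 6 bits)
    and ECN (lower 2 bits). RouterOS v3+ matches the DSCP part with dscp=."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("TOS byte must be 0..255")
    dscp = tos >> 2
    return {"tos_dec": tos, "tos_hex": f"0x{tos:02x}", "dscp": dscp,
            "ecn": tos & 0b11, "phb": phb_name(dscp)}


# RouterOS queue-tree priority: 1 is highest, 8 lowest.
# IEEE 802.1p CoS (PCP) is a 3-bit field: 0 lowest, 7 highest.
def cos_to_routeros_priority(pcp: int) -> int:
    if not 0 <= pcp <= 7:
        raise ValueError("802.1p PCP must be 0..7")
    return 8 - pcp


def routeros_priority_to_cos(priority: int) -> int:
    if not 1 <= priority <= 8:
        raise ValueError("RouterOS priority must be 1..8")
    return 8 - priority


def render_rules(voip_nets, dscp, mark="VoIP", other_mark="other",
                 ifaces=("ether1", "ether2"), priority=2, max_limit="10M"):
    """Render mangle and queue-tree lines that use one mark string consistently.

    Non-VoIP traffic gets a second mark so it also lands in the queue tree,
    and each interface parent carries a max-limit (assumed 10M) so a backlog
    forms on the router and the priority has something to act on."""
    if not 1 <= priority <= 8:
        raise ValueError("RouterOS priority must be 1..8")
    lines = ["/ip firewall mangle"]
    for net in voip_nets:
        n = ip_network(net)  # rejects malformed prefixes
        for key in ("src-address", "dst-address"):
            lines.append(f"add chain=forward {key}={n} action=mark-packet "
                         f'new-packet-mark={mark} passthrough=no comment="{mark}"')
    lines.append(f"add chain=forward dscp={dscp} action=mark-packet "
                 f'new-packet-mark={mark} passthrough=no comment="{mark} dscp {dscp}"')
    # catch-all last: the VoIP rules stop with passthrough=no, so only
    # packets that are still unmarked reach this rule
    lines.append(f"add chain=forward action=mark-packet new-packet-mark={other_mark} "
                 f'passthrough=no comment="{other_mark}"')
    lines.append("/queue tree")
    for i in ifaces:
        lines.append(f"add name={i}_parent parent={i} max-limit={max_limit} queue=default")
        lines.append(f"add name={i}_{mark.lower()} parent={i}_parent "
                     f"packet-mark={mark} priority={priority} queue=default")
        lines.append(f"add name={i}_{other_mark} parent={i}_parent "
                     f"packet-mark={other_mark} priority=8 queue=default")
    return lines


def rules_from_capture(tos_byte, voip_nets, **kw):
    """End to end: captured TOS byte -> DSCP -> RouterOS config lines."""
    return render_rules(voip_nets, decode_tos(tos_byte)["dscp"], **kw)


if __name__ == "__main__":
    # a phone sending EF shows TOS 0xb8 (184) in Wireshark -> DSCP 46
    print(decode_tos(0xB8))
    print("\n".join(rules_from_capture(0xB8, ["10.10.10.0/24"])))
```

Paste the printed lines into the RouterOS terminal; the per-interface max-limit should be set a little below the real speed of the slowest link behind that interface, and the mark strings are compared case-sensitively, so keep the spelling the script emits in both places.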

3: Make firewall rules that stop supernodes and handle the number of UDP connections without breaking voice traffic.


Added on 01/10/2010 - By McHutchy

I found THIS works perfectly for both registration and quality of the calls

/queue tree
# exported with disabled=yes; set disabled=no (or /queue tree enable) for the queues to take effect
# parent=global-in / global-out exist in RouterOS v3 to v5; in v6 and later use parent=global
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes limit-at=0 max-limit=0 name="IN" packet-mark="" parent=global-in priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes limit-at=0 max-limit=0 name="OUT" packet-mark="" parent=global-out priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes limit-at=0 max-limit=0 name="SIP_IN" packet-mark=SIP_IN parent=IN priority=2 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes limit-at=0 max-limit=0 name="SIP_OUT" packet-mark=SIP_OUT parent=OUT priority=2 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes limit-at=0 max-limit=0 name="ALL_ELSE_IN" packet-mark=ELSE_IN parent=IN priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes limit-at=0 max-limit=0 name="ALL_ELSE_OUT" packet-mark=ELSE_OUT parent=OUT priority=8 queue=default



/ip firewall mangle
# exported with disabled=yes; enable the rules for the marks to take effect
# the port 80 rules must come before the "SIP Only" rules and use passthrough=no:
# the "SIP Only" rules stop with passthrough=no, so if they come first the
# web-server traffic is marked SIP_IN/SIP_OUT and the port 80 rules never run
add action=mark-packet chain=prerouting comment="SIP Web Server" disabled=yes in-interface=ether3 new-packet-mark=ELSE_IN passthrough=no protocol=tcp src-address=192.168.0.16 src-port=80
add action=mark-packet chain=postrouting comment="SIP Web Server" disabled=yes dst-address=192.168.0.16 dst-port=80 new-packet-mark=ELSE_OUT out-interface=ether3 passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="SIP Only" disabled=yes in-interface=ether3 new-packet-mark=SIP_IN passthrough=no src-address=192.168.0.16
add action=mark-packet chain=postrouting comment="" disabled=yes dst-address=192.168.0.16 new-packet-mark=SIP_OUT out-interface=ether3 passthrough=no
add action=mark-packet chain=prerouting comment="All Else" disabled=yes in-interface=ether3 new-packet-mark=ELSE_IN passthrough=no src-address=!192.168.0.16
add action=mark-packet chain=postrouting comment="" disabled=yes dst-address=!192.168.0.16 new-packet-mark=ELSE_OUT out-interface=ether3 passthrough=no

Please note that ether3 in here is my INTERNET interface...
