Hi Guys,
I currently have a working 3-WAN PCC setup on an RB1200. Everything has been running well for a while, but recently we have noticed that, due to growth on the network, all our VoIP services are experiencing problems.
I now want to implement QoS for the VoIP clients, giving them priority over all other traffic.
The VoIP clients are SIP phones and all communicate to a source port of 5060, and we could probably use a DST IP as well.
Any help would be appreciated.
# Mangle table for the three-WAN PCC setup. Order of work in this listing:
#   1. exempt LAN-internal and hairpin traffic from marking,
#   2. pin selected traffic (SIP, published services, two SMTP destinations) to a WAN,
#   3. mark router-bound WAN traffic and give its replies a routing mark,
#   4. spread the remaining LAN connections over the three WANs with PCC,
#   5. turn connection marks into routing marks for packets coming from LAN.
# Rule order matters: every mark rule uses passthrough=yes, so a later match
# overwrites an earlier connection mark.
/ip firewall mangle
# action=accept ends mangle processing in this chain, so LAN traffic from
# 'internal' to the public-ips list, and LAN traffic to 'internal', gets no marks.
add action=accept chain=prerouting comment="Hairpair Hosts" disabled=no dst-address-list=public-ips in-interface=LAN src-address-list=internal
add action=accept chain=prerouting comment="Internal Routing" disabled=no dst-address-list=internal in-interface=LAN
# New udp/5060 connections from LAN. The first rule marks all of them WAN2_conn;
# the next two re-mark by source list ("SIP WAN1" / "SIP WAN2").
# NOTE(review): only udp/5060 is matched. SIP uses that port for signalling; the
# RTP voice streams run on other, negotiated ports and fall through to the PCC
# rules below. Keep that in mind if these matchers are reused to classify VoIP
# for QoS.
add action=mark-connection chain=prerouting comment="Voip SIP Pohnes - WAN2" connection-state=new disabled=no dst-port=5060 in-interface=LAN new-connection-mark=WAN2_conn passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment="SIP - WAN1" connection-state=new disabled=no dst-port=5060 in-interface=LAN new-connection-mark=WAN1_conn passthrough=yes protocol=udp src-address-list="SIP WAN1"
add action=mark-connection chain=prerouting comment="SIP - WAN2" connection-state=new disabled=no dst-port=5060 in-interface=LAN new-connection-mark=WAN2_conn passthrough=yes protocol=udp src-address-list="SIP WAN2"
# New inbound connections to the published address of WAN1 / WAN2 are marked
# with the WAN they arrived on; the LAN-side routing-mark rules at the end of
# this table then send the server's replies back out through that WAN.
add action=mark-connection chain=prerouting comment="WAN1 Web & Mail Traffic" connection-state=new disabled=no dst-address=41.x.x.114 dst-port=21,25,53,80,110,143,443,8080 in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="WAN1 Web & Mail Traffic" connection-state=new disabled=no dst-address=41.x.x.114 dst-port=53 in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment="WAN2 Web & Mail Traffic" connection-state=new disabled=no dst-address=41.x.x.2 dst-port=21,25,53,80,110,143,443,8080 in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="WAN2 Web & Mail Traffic" connection-state=new disabled=no dst-address=41.x.x.2 dst-port=53 in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes protocol=udp
# New tcp/25 connections from LAN to two fixed destinations are pinned to WAN1
# and WAN2 respectively.
add action=mark-connection chain=prerouting comment="MWeb SMTP" connection-state=new disabled=no dst-address=196.2.16.216 dst-port=25 in-interface=LAN new-connection-mark=WAN1_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="Vodacom SMTP" connection-state=new disabled=no dst-address=41.0.7.123 dst-port=25 in-interface=LAN new-connection-mark=WAN2_conn passthrough=yes protocol=tcp
# Traffic addressed to the router itself is marked by arrival WAN. No
# connection-state or connection-mark matcher is set, so every such packet matches.
add action=mark-connection chain=input comment="WAN1 Connection Mark" disabled=no in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input comment="WAN2 Connection Mark" disabled=no in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=input comment="WAN3 Connection Mark" disabled=no in-interface=WAN3 new-connection-mark=WAN3_conn passthrough=yes
# Router-originated packets of a marked connection get the matching routing mark.
add action=mark-routing chain=output comment="WAN1 Routing Mark" connection-mark=WAN1_conn disabled=no new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output comment="WAN2 Routing Mark" connection-mark=WAN2_conn disabled=no new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output comment="WAN3 Routing Mark" connection-mark=WAN3_conn disabled=no new-routing-mark=to_WAN3 passthrough=yes
# PCC: LAN connections that are still unmarked (connection-mark=no-mark) and go
# to a non-local destination are split three ways by per-connection-classifier
# over both addresses and ports (remainders 0, 1 and 2).
add action=mark-connection chain=prerouting comment="WAN1 PCC" connection-mark=no-mark disabled=no dst-address-type=!local in-interface=LAN new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting comment="WAN2 PCC" connection-mark=no-mark disabled=no dst-address-type=!local in-interface=LAN new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting comment="WAN3 PCC" connection-mark=no-mark disabled=no dst-address-type=!local in-interface=LAN new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
# Packets entering from LAN take the routing mark that matches their connection mark.
add action=mark-routing chain=prerouting comment="LAN Routing Mark to WAN1" connection-mark=WAN1_conn disabled=no in-interface=LAN new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting comment="LAN Routing Mark to WAN2" connection-mark=WAN2_conn disabled=no in-interface=LAN new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting comment="LAN Routing Mark to WAN3" connection-mark=WAN3_conn disabled=no in-interface=LAN new-routing-mark=to_WAN3 passthrough=yes
# NAT table: hairpin source NAT for LAN clients, port forwards from the first
# WAN1 and WAN2 address to 10.10.0.250, and outbound masquerade per WAN.
/ip firewall nat
# Hairpin: traffic from 'internal' that leaves via LAN towards a hairpin host is
# source-NATed to the router, so the host replies through the router.
add action=masquerade chain=srcnat comment=Hairpin-NAT disabled=no dst-address-list=hairpin-hosts out-interface=LAN src-address-list=internal
# Port forwards to 10.10.0.250. The rules match on dst-address only (no
# in-interface), and no to-ports is set, so the destination port is kept.
# NOTE(review): this publishes FTP (21), POP3 (110), IMAP (143) and 8080 next to
# SMTP/HTTP/HTTPS, plus DNS on tcp and udp 53. Confirm each service is still
# needed from the Internet, and that the DNS service on 10.10.0.250 does not
# answer recursive queries for outside clients.
add action=dst-nat chain=dstnat comment="WAN1 Web & Mail Traffic" disabled=no dst-address=41.x.x.114 dst-port=21,25,53,80,110,143,443,8080 protocol=tcp to-addresses=10.10.0.250
add action=dst-nat chain=dstnat comment="WAN1 Web & Mail Traffic" disabled=no dst-address=41.x.x.114 dst-port=53 protocol=udp to-addresses=10.10.0.250
add action=dst-nat chain=dstnat comment="WAN2 Web & Mail Traffic" disabled=no dst-address=41.x.x.2 dst-port=21,25,53,80,110,143,443,8080 protocol=tcp to-addresses=10.10.0.250
add action=dst-nat chain=dstnat comment="WAN2 Web & Mail Traffic" disabled=no dst-address=41.x.x.2 dst-port=53 protocol=udp to-addresses=10.10.0.250
# Everything leaving through a WAN interface is masqueraded.
add action=masquerade chain=srcnat comment="Masquerade WAN1 Out" disabled=no out-interface=WAN1
add action=masquerade chain=srcnat comment="Masquerade WAN2 Out" disabled=no out-interface=WAN2
add action=masquerade chain=srcnat comment="Masquerade WAN3 Out" disabled=no out-interface=WAN3
# Filter table. The input chain (traffic to the router) and the forward chain
# (traffic through it) both end in a catch-all drop, so everything above those
# drops is the allow-list. Rules are evaluated top to bottom.
/ip firewall filter
# --- input: traffic addressed to the router itself ---
add action=accept chain=input comment="Std established" connection-state=established disabled=no
add action=accept chain=input comment="Std related" connection-state=related disabled=no
add action=drop chain=input comment="Std invalid" connection-state=invalid disabled=no
# DNS and NTP on the router are reachable from LAN only.
add action=accept chain=input comment="Allow DNS & NTP" disabled=no dst-port=53,123 in-interface=LAN protocol=udp
add action=accept chain=input comment="Allow DNS" disabled=no dst-port=53 in-interface=LAN protocol=tcp
# Full access to the router (any protocol and port) for admin_hosts arriving on LAN.
add action=accept chain=input comment="Allow Admin_Hosts on LAN" disabled=no in-interface=LAN src-address-list=admin_hosts
# NOTE(review): same comment text as the rule above, but this rule matches
# in-interface=WAN3. In this export admin_hosts holds only 10.10.x.x addresses,
# so the rule grants full router access to any packet arriving on WAN3 with one
# of those private source addresses. Confirm that is intended (e.g. a
# management path behind WAN3); if not, disable the rule or narrow it.
add action=accept chain=input comment="Allow Admin_Hosts on LAN" disabled=no in-interface=WAN3 src-address-list=admin_hosts
# NOTE(review): the filter table's built-in chains are input, forward and
# output, so chain=prerouting here names a user-defined chain. No jump to it
# appears in this listing, so this rule looks like it is never evaluated - verify.
add action=accept chain=prerouting comment="Allow Internal Routing" disabled=no in-interface=LAN src-address-list=internal
add action=accept chain=input comment="Allow Internal ICMP" disabled=no in-interface=LAN protocol=icmp
# Anything not accepted above is logged with prefix drop_traffic, then dropped.
add action=log chain=input comment="Drop Traffic to Router Log" disabled=no log-prefix=drop_traffic
add action=drop chain=input comment="Drop Traffic to Router" disabled=no
# --- forward: traffic routed through the router ---
# Logging rule for outbound tcp/25 from sources outside "SMTP Log" (currently disabled).
add action=log chain=forward comment="Log all non Mail Server STMP" disabled=yes dst-port=25 log-prefix=smtp_ out-interface=!LAN protocol=tcp src-address-list="!SMTP Log"
# Only 10.10.0.250 may send tcp/25 out of a non-LAN interface. The rule sits
# above the established/related accepts, so it applies to every packet of such
# a connection, not just the first.
add action=drop chain=forward comment="Drop all non Mail Server STMP" disabled=no dst-port=25 out-interface=!LAN protocol=tcp src-address=!10.10.0.250
# udp/53 to 10.10.0.250 is accepted from any interface.
add action=accept chain=forward comment="MARS Traffic" disabled=no dst-address=10.10.0.250 dst-port=53 protocol=udp
add action=accept chain=forward comment="Std established" connection-state=established disabled=no
add action=accept chain=forward comment="Std related" connection-state=related disabled=no
add action=drop chain=forward comment="Std invalid" connection-state=invalid disabled=no
# Despite the comment text, this matches in-interface=LAN: everything forwarded
# from LAN is allowed.
add action=accept chain=forward comment="Allow WAN Traffic" disabled=no in-interface=LAN
# NOTE(review): this rule and the udp/53 rule above have no in-interface
# matcher, so they accept any forwarded packet addressed to 10.10.0.250 on
# these ports. tcp/22 is allowed here although no dst-nat rule in this export
# forwards port 22 - confirm whether it is still needed in this list.
add action=accept chain=forward comment="MARS Traffic" disabled=no dst-address=10.10.0.250 dst-port=21,22,25,53,80,110,143,443,8080 protocol=tcp
add action=drop chain=forward comment="Drop everything else" disabled=no
# Interface addressing: one LAN address, and five addresses from a /29 on each
# of the three WAN interfaces. Only the first WAN1 address (41.x.x.114) and the
# first WAN2 address (41.x.x.2) are referenced by the dst-nat rules in this export.
/ip address
add address=10.10.0.1/24 disabled=no interface=LAN network=10.10.0.0
# WAN1: 41.x.x.112/29
add address=41.x.x.114/29 disabled=no interface=WAN1 network=41.x.x.112
add address=41.x.x.115/29 disabled=no interface=WAN1 network=41.x.x.112
add address=41.x.x.116/29 disabled=no interface=WAN1 network=41.x.x.112
add address=41.x.x.117/29 disabled=no interface=WAN1 network=41.x.x.112
add address=41.x.x.118/29 disabled=no interface=WAN1 network=41.x.x.112
# WAN2: 41.x.x.0/29
add address=41.x.x.2/29 disabled=no interface=WAN2 network=41.x.x.0
add address=41.x.x.3/29 disabled=no interface=WAN2 network=41.x.x.0
add address=41.x.x.4/29 disabled=no interface=WAN2 network=41.x.x.0
add address=41.x.x.5/29 disabled=no interface=WAN2 network=41.x.x.0
add address=41.x.x.6/29 disabled=no interface=WAN2 network=41.x.x.0
# WAN3: 41.x.x.96/29
add address=41.x.x.98/29 disabled=no interface=WAN3 network=41.x.x.96
add address=41.x.x.99/29 disabled=no interface=WAN3 network=41.x.x.96
add address=41.x.x.100/29 disabled=no interface=WAN3 network=41.x.x.96
add address=41.x.x.101/29 disabled=no interface=WAN3 network=41.x.x.96
add address=41.x.x.102/29 disabled=no interface=WAN3 network=41.x.x.96
# Routing for the three WANs. Default routes do not point at the ISP gateways
# directly; they point at 10.1.1.1, 10.2.2.2 and 10.3.3.3, which are reached
# through /32 routes further down whose gateways are public hosts monitored
# with check-gateway=ping. Those hosts are in turn pinned to one ISP gateway
# each by the host routes at the end of this section.
/ip route
# Per-routing-mark default routes. Each mark prefers one next hop (distance=1)
# and falls back to the other two (distance=2, 3).
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-mark=to_WAN1 scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.2.2.2 routing-mark=to_WAN1 scope=30 target-scope=10
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=10.3.3.3 routing-mark=to_WAN1 scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.2.2.2 routing-mark=to_WAN2 scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.3.3.3 routing-mark=to_WAN2 scope=30 target-scope=10
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-mark=to_WAN2 scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.3.3.3 routing-mark=to_WAN3 scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-mark=to_WAN3 scope=30 target-scope=10
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=10.2.2.2 routing-mark=to_WAN3 scope=30 target-scope=10
# Default routes for traffic without a routing mark, same next hops in
# distance order 1, 2, 3.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.1.1.1 scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.2.2.2 scope=30 target-scope=10
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=10.3.3.3 scope=30 target-scope=10
# The three next hops, each with two ping-checked routes via a public host.
# NOTE(review): link health therefore depends on third-party hosts answering
# ICMP; if the probe hosts of one WAN stop answering, that WAN will presumably
# be treated as down even though the link is up.
add check-gateway=ping disabled=no distance=1 dst-address=10.1.1.1/32 gateway=196.2.63.110 scope=10 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=10.1.1.1/32 gateway=67.195.160.76 scope=10 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=10.2.2.2/32 gateway=74.125.230.146 scope=10 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=10.2.2.2/32 gateway=41.1.224.101 scope=10 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=10.3.3.3/32 gateway=41.203.21.137 scope=10 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=10.3.3.3/32 gateway=152.111.193.28 scope=10 target-scope=10
# Host routes that pin each probe host to one gateway: 41.x.x.113, 41.x.x.1 and
# 41.x.x.97 (presumably the ISP gateways of WAN1, WAN2 and WAN3, judging by the
# /29 networks under /ip address). All traffic to these six hosts, not only
# the probes, follows these routes.
add comment=VodaCom disabled=no distance=1 dst-address=41.1.224.101/32 gateway=41.x.x.1 scope=10 target-scope=10
add comment=MyADSL disabled=no distance=1 dst-address=41.203.21.137/32 gateway=41.x.x.97 scope=10 target-scope=10
add comment=Yahoo disabled=no distance=1 dst-address=67.195.160.76/32 gateway=41.x.x.113 scope=10 target-scope=10
add comment=Google disabled=no distance=1 dst-address=74.125.230.146/32 gateway=41.x.x.1 scope=10 target-scope=10
add comment=News24 disabled=no distance=1 dst-address=152.111.193.28/32 gateway=41.x.x.97 scope=10 target-scope=10
add comment=MWeb disabled=no distance=1 dst-address=196.2.63.110/32 gateway=41.x.x.113 scope=10 target-scope=10
# Address lists referenced by the mangle, nat and filter rules:
#   admin_hosts   - sources given full access to the router (filter input chain)
#   public-ips    - the router's WAN addresses (hairpin exemption in mangle)
#   internal      - internal subnets
#   hairpin-hosts - internal hosts reached through the hairpin masquerade rule
#   "SMTP Log"    - hosts excluded from the (disabled) SMTP logging rule
#   "SIP WAN1" / "SIP WAN2" - phone subnets pinned to WAN1 / WAN2 for udp/5060
/ip firewall address-list
add address=10.10.0.232 disabled=no list=admin_hosts
add address=10.10.2.10 disabled=no list=admin_hosts
add address=10.10.0.2 disabled=no list=admin_hosts
add address=10.10.0.10 disabled=no list=admin_hosts
add address=10.10.2.9 disabled=no list=admin_hosts
# WAN1 and WAN2 addresses; the WAN3 addresses are added at the end of this section.
add address=41.x.x.114 disabled=no list=public-ips
add address=41.x.x.115 disabled=no list=public-ips
add address=41.x.x.116 disabled=no list=public-ips
add address=41.x.x.117 disabled=no list=public-ips
add address=41.x.x.118 disabled=no list=public-ips
add address=41.x.x.2 disabled=no list=public-ips
add address=41.x.x.3 disabled=no list=public-ips
add address=41.x.x.4 disabled=no list=public-ips
add address=41.x.x.5 disabled=no list=public-ips
add address=41.x.x.6 disabled=no list=public-ips
# NOTE(review): 'internal' has no entry for 10.10.11.0/24 or 10.10.12.0/24,
# although both appear in the SIP lists below, and 10.10.100.0/24 is listed
# twice. Check whether one of the duplicates was meant to be another subnet.
add address=10.10.0.0/24 disabled=no list=internal
add address=10.10.1.0/24 disabled=no list=internal
add address=10.10.2.0/24 disabled=no list=internal
add address=10.10.3.0/24 disabled=no list=internal
add address=10.10.4.0/24 disabled=no list=internal
add address=10.10.5.0/24 disabled=no list=internal
add address=10.10.6.0/24 disabled=no list=internal
add address=10.10.7.0/24 disabled=no list=internal
add address=10.10.8.0/24 disabled=no list=internal
add address=10.10.9.0/24 disabled=no list=internal
add address=10.10.10.0/24 disabled=no list=internal
add address=10.10.100.0/24 disabled=no list=internal
add address=10.10.101.0/24 disabled=no list=internal
add address=10.10.100.0/24 disabled=no list=internal
add address=10.10.2.10 disabled=no list=hairpin-hosts
add address=10.10.0.232 disabled=no list=hairpin-hosts
add address=10.10.0.245 disabled=no list=hairpin-hosts
add address=10.10.0.246 disabled=no list=hairpin-hosts
add address=10.10.0.247 disabled=no list=hairpin-hosts
add address=10.10.0.250 disabled=no list=hairpin-hosts
# NOTE(review): 10.10.0.250 is the target of every dst-nat rule in this export,
# i.e. the host exposed to the Internet, and it is also in admin_hosts, which
# the input chain accepts without any port restriction. Consider whether that
# server needs management access to the router at all.
add address=10.10.0.250 disabled=no list=admin_hosts
add address=10.10.0.250 disabled=no list="SMTP Log"
add address=10.10.0.2 disabled=no list="SMTP Log"
# Phone subnets alternate between the two SIP lists.
add address=10.10.1.0/24 disabled=no list="SIP WAN1"
add address=10.10.2.0/24 disabled=no list="SIP WAN2"
add address=10.10.3.0/24 disabled=no list="SIP WAN1"
add address=10.10.4.0/24 disabled=no list="SIP WAN2"
add address=10.10.5.0/24 disabled=no list="SIP WAN1"
add address=10.10.6.0/24 disabled=no list="SIP WAN2"
add address=10.10.7.0/24 disabled=no list="SIP WAN1"
add address=10.10.8.0/24 disabled=no list="SIP WAN2"
add address=10.10.9.0/24 disabled=no list="SIP WAN1"
add address=10.10.10.0/24 disabled=no list="SIP WAN2"
add address=10.10.11.0/24 disabled=no list="SIP WAN1"
add address=10.10.12.0/24 disabled=no list="SIP WAN2"
add address=10.10.101.0/24 disabled=no list="SIP WAN1"
# WAN3 addresses.
add address=41.x.x.98 disabled=no list=public-ips
add address=41.x.x.99 disabled=no list=public-ips
add address=41.x.x.100 disabled=no list=public-ips
add address=41.x.x.101 disabled=no list=public-ips
add address=41.x.x.102 disabled=no list=public-ips