Hi,
I have searched around for simple firewall rules for small offices which include QoS for SIP. What I have found are very complicated sets, and I am unsure whether those are really needed.
Below is the network topology:
Wireless Internet Access <-> RB2011UiAS <--> CRS125-24G-1S-2H <--> LAN
RB2011UiAS Wireless <--> LAN (clients with notebooks/tablets et al. can access the outside world or file servers on the LAN via either the RB2011UiAS or the CRS125-24G switch... if it matters which, please inform me)
QoS Rules
1) Network Protocols priority 1
2) SIP and RTP (5060, 10000-15000 UDP) priority 2
3) VPN port 1194 tcp priority 3
4) email, ftp, www (surfing, no local apache or any other web server internally) priority 6
5) everything else (that is allowed ... is there such a thing with Mikrotik as first firewall rule being Deny In from any to any?) priority 8 or higher
On the CRS125, would there also be the need for QoS?
If you have a script that does the above, please share it.
Do your phones tag the packets with DSCP or CoS values? It may be easy to pick up on those values for your QoS.
Hi jkarras,
How can I tell? Since the phones here go through the RB2011 I cannot run a tcpdump. Can this be done on the RB2011?
The RB has a way to set up a mirror port if you want to go with looking at Wireshark.
Do you manage the phones as well, or are they a hosted setup? Looking at the manual for the phones/phone system, it should tell you what its default DSCP values are. Logging into the management interface on the phone will also tell you. On Avaya phones, for example, it's shown on one of the status pages.
Hi,
We have Yealink T22P, an HT502 ATA for the analogue phone, and Polycom VVX310.
I am extremely new to Mikrotik and no network guru either. I want to set up our RB2011UiAS and have another RB2011UiAS and a CRS125 for a client. Basically the same setup.
Thanks JKarras
By the way, I don't have a problem with Wireshark. The problem is running Wireshark on what? The phones here are not connected to computers. They run to a switch, and it's not a Mikrotik switch either. It's an unmanaged 3Com.
But at some point there is a choke point on the Mikrotik where you could sniff traffic correct?
On the Yealink 22P it shows:

The T22P manual states:
Voice QoS
In order to make VoIP transmissions intelligible to receivers, voice packets should not be dropped, excessively delayed, or made to suffer varying delay. The DiffServ model can guarantee high-quality voice transmission when the voice packets are configured to a higher DSCP value.
SIP QoS
The SIP protocol is used for creating, modifying and terminating two-party or multi-party sessions. To ensure good voice quality, SIP packets emanating from IP phones should be configured with a high transmission priority.
DSCPs for voice and SIP packets can be specified respectively.
I tried the sniff app. I did not see the address. Actually, the phone is set up to use OpenVPN, and it uses a 10.8.0.x IP. The phone itself, though, says 192.168.10.11.
In the sniff app, for the .10.11 IP it did show a CoS number:

CoS is in the VLAN tag, not in the IP header like ToS. ToS is different.
When you say things run over OVPN, do you mean an OVPN connection on your Mikrotik, or are the phones themselves connecting to OVPN? If the phones are the OVPN clients there will be no way to know the DSCP markings unless it marks the tunnel. If they are not the OVPN endpoints you should be ok. Moving the DSCP marks onto the tunnel packets won't do much good as your upstream ISPs are not going to honor them.
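As an added example (not posted by anyone in this thread), this is how the five tiers from the first post could be written on the RB2011 in RouterOS v6 syntax, marking voice by the phone's DSCP where it is visible and by the SIP/RTP ports otherwise. `ether1-gateway` as the WAN interface, the 9M uplink ceiling, DSCP 46 as the phones' RTP mark, and the port lists for tiers 1 and 4 are assumptions.

```routeros
/ip firewall mangle
# Tier 2: voice. Match the phone's own DSCP first (EF=46 is the usual RTP
# default; confirm on the phone's QoS page), then the port ranges from the
# first post for phones that send unmarked packets. passthrough=no stops
# a packet at its first match, so rule order is the priority order.
add chain=prerouting action=mark-packet new-packet-mark=voip passthrough=no dscp=46 comment="RTP marked EF by phone (assumed default)"
add chain=prerouting action=mark-packet new-packet-mark=voip passthrough=no protocol=udp dst-port=5060,10000-15000 comment="SIP/RTP by port"
add chain=prerouting action=mark-packet new-packet-mark=voip passthrough=no protocol=udp src-port=5060,10000-15000
# Tier 3: OpenVPN. When the phones are the OVPN clients themselves, their
# voice is inside this tunnel and this is the only rule that can see it.
add chain=prerouting action=mark-packet new-packet-mark=vpn passthrough=no protocol=tcp dst-port=1194
add chain=prerouting action=mark-packet new-packet-mark=vpn passthrough=no protocol=tcp src-port=1194
# Tier 1 "network protocols", read here as ICMP and DNS (assumption).
add chain=prerouting action=mark-packet new-packet-mark=netctl passthrough=no protocol=icmp
add chain=prerouting action=mark-packet new-packet-mark=netctl passthrough=no protocol=udp dst-port=53
# Tier 4: mail, ftp, web (port list is an assumption).
add chain=prerouting action=mark-packet new-packet-mark=bulk passthrough=no protocol=tcp dst-port=21,25,80,110,143,443,465,587,993,995
# Tier 5: anything that reached this point is unmarked.
add chain=prerouting action=mark-packet new-packet-mark=other passthrough=no

/queue tree
# priority only arbitrates between children of a parent that has a
# max-limit, so cap the uplink slightly below the real line rate so the
# router, not the ISP, decides which packets wait. Upload is where SIP
# quality is usually lost; the ISP side of the link cannot be controlled.
add name=wan-up parent=ether1-gateway max-limit=9M
add name=q-net  parent=wan-up packet-mark=netctl priority=1
add name=q-voip parent=wan-up packet-mark=voip   priority=2
add name=q-vpn  parent=wan-up packet-mark=vpn    priority=3
add name=q-bulk parent=wan-up packet-mark=bulk   priority=6
add name=q-rest parent=wan-up packet-mark=other  priority=8

# On the "deny any to any first" question: /ip firewall filter accepts
# whatever no rule drops, so default-deny is a final drop rule placed
# after the accept rules, e.g.:
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward action=drop comment="default deny, keep last"
```

Check that the marks actually fire with `/ip firewall mangle print stats` before trusting the queues; a phone whose DSCP is not visible at the router (the OVPN-client case above) will only ever hit the vpn tier.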