dleaberr
Read A Book
Premium
join:2003-11-13
Spanish Fork, UT

[BroadVoice] Linux VOIP Router QOS script

tcstart.zip 1,422 bytes
Linux QOS VOIP script
(tcstart)
I have a linux firewall router and have researched a while to figure out the best way to do QOS on my BroadVoice line. I stream music from my box to listen to at school and wanted to have guaranteed bandwidth for my wife if the phone rings. I looked at WonderShaper but it didn't really address the problem. I want one ip that has absolute precedence over everything else.

As long as you have QOS support in your kernel and HTB support this should work. It assumes you have tc and iptables also. I use it with shorewall by naming the thing tcstart and dropping it in /etc/shorewall/. I hope this helps someone else who might be looking for a script that has this dedicated to one ip bandwidth feature.

Some parts of the code are taken from the wondershaper script and this script is released under the GNU GPL license for anyone who cares.

This script works great. I can be saturating the bandwidth with any type of device/protocol and as soon as the phone rings or I call it gets its bandwidth just fine.

Daniel

garys_2k

join:2004-05-07
Farmington, MI
Wow, that's all there is to it? Would this work with the free version of Smoothwall? Where should it be placed and how is it called? Thanks!


dleaberr
Read A Book
Premium
join:2003-11-13
Spanish Fork, UT


1 edit
said by garys_2k:
Would this work with the free version of Smoothwall? Where should it be placed and how is it called? Thanks!

As long as smoothwall has htb in the kernel or as a module (i.e. lsmod shows htb) then I would go ahead and try it.

1) Download it anywhere on your firewall/router.
2) as root chmod 755
3) as root ./tcstart (or bash tcstart if the previous doesn't work) will start the script. ./tcstart status will show the 3 levels and whether they're working (traffic should flow through them)
4) as root ./tcstart stop will stop it and set the device back to pfifo which is the default.

Since smoothwall is a dedicated router/firewall I think the odds are very good it will work. It's important to note the only reason I coded this script was to give one ip an absolute priority. I don't care about limiting p2p/http/ftp or anything else; I only care that my ssh sessions are fast, I can max download and upload at the same time (empty acks) and that when the phone rings I have perfect calls. This script can be easily modified to include these features if you want. Look at the wondershaper script for support. Most linux distros have the prerequisites mentioned. I use gentoo and built my own kernel.

Give it a try and see if it works. The script is fairly well documented. Finding the ip of your VOIP server might be the trickiest part. I use BroadVoice so the IP in there might work if you do also.

Daniel

garys_2k

join:2004-05-07
Farmington, MI
·Future Nine Corpor..
·Vonage

reply to dleaberr
Cool, sounds easy enough, thank you again.

One question: When you say "the IP of your VOIP server," I assume you mean the provider's (in this case, Vonage) IP on the Internet that my ATA box calls, right? The ATA's IP behind the router is a known entity, as Smoothwall always gives it a static one based on its MAC.

If you do mean the server's IP (as you said), I'll hang a hub on the line between the ATA and the router and send all those packets to my 'puter. I'm sure Ethereal can wring out what's happening.


dleaberr
Read A Book
Premium
join:2003-11-13
Spanish Fork, UT

said by garys_2k:

One question: When you say "the IP of your VOIP server," I assume you mean the provider's (in this case, Vonage) IP on the Internet that my ATA box calls, right?
Yes, that is correct. This is done because the network is natted so the only thing you can do u32 matches on is the external VOIP server's IP.

Daniel


freyder
Premium
join:2001-02-15
Plano, TX
·Verizon FIOS

some of the LINUX IPTABLES firewalls have QoS integrated.

I run Astaro Secure Linux Firewall and am hooked!
www.astaro.com

Free for home use and it has QoS capabilities
as well as a large number of other features.

I am running V4.xx and couldn't be happier.
(although 5.xx has just been released it's not ready for prime time.)

an install can be done in under 30 minutes.
and it's all web based admin.

Grab one of your "old" PCs and slap a couple of NICs in there and I think you'll be pleasantly surprised.

I initially used a PII 400 PC

Performance is stellar.

I set up my QoS so port 5060 takes priority.
I also limit outbound HTTP and SMTP traffic.


dleaberr
Read A Book
Premium
join:2003-11-13
Spanish Fork, UT

said by freyder:
some of the LINUX IPTABLES firewalls have QoS integrated.

As far as I understand iptables doesn't do anything other than mark packets. It's tc that does the manipulation of qdiscs/classes/matching u32 expressions and actually provides traffic control (hence tc). It's entirely possible to have a firewall program (like shorewall which is just an iptables frontend) that calls a tc script (tcstart) automatically. This would give the appearance of the firewall doing QoS and makes startup easier.

said by freyder:

I set up my QoS so port 5060 takes priority.
I also limit outbound HTTP and SMTP traffic.

This is wonderful, if all the voip traffic actually goes out 5060. I'm willing to bet however, that it goes through multiple ports (rtp over udp) which are not covered under your 5060 priority port setting. As long as you're happy with it though and it works for you everything's cool.

The easiest way to test whether everything is working like you expect is to fire up your implementation then issue
tc -s class ls dev eth0
This shows the classes and how much bandwidth is going through them. Make a call. Then check again. All the bandwidth should be in the class you assigned voip to.

As long as you have iptables and tc you're more than likely good to go with just running the script. You don't have to be an elite linux hacker to get things like this to work. Maybe to understand it but not to have it work.

Daniel


freyder
Premium
join:2001-02-15
Plano, TX
·Verizon FIOS

my connection reports show that it's on udp 5060...

but your point is well taken...

I should probably add a nat rule outbound from my Sipura and masq that to a unique IP (which I have) and then add QoS rules for that IP.

my tests show that currently it's working fine. no stutters in full upload etc.

but it's a fun test in any event...

sa2004

join:2004-04-05

reply to dleaberr
said by dleaberr:

said by freyder:

I set up my QoS so port 5060 takes priority.
I also limit outbound HTTP and SMTP traffic.

This is wonderful, if all the voip traffic actually goes out 5060. I'm willing to bet however, that it goes through multiple ports (rtp over udp) which are not covered under

You're right, only the signaling would go out port 5060. Voice traffic (which is what one would really want to prioritize) will go out on a port number greater than 6000 (actually, depends on the range the Sipura is configured to use). If it is possible to prioritize based on MAC address, that is probably the easiest way to ensure all VoIP traffic to/from the Sipura gets priority. Of course, if you use another router in between your Sipura and the firewall/QoS prioritizer, this solution won't work. But then, there are other ways to deal with that.

garys_2k

join:2004-05-07
Farmington, MI
·Future Nine Corpor..
·Vonage

reply to dleaberr
quote:

One question: When you say "the IP of your VOIP server," I assume you mean the provider's (in this case, Vonage) IP on the Internet that my ATA box calls, right?
____________________________________________________________
Yes, that is correct. This is done because the network is natted so the only thing you can do u32 matches on is the external VOIP server's IP.

Daniel

OK, Ethereal did its job and I found two IPs, one for inbound calls and another for outbound. Would it be any problem to have both receive high priority?

Oh, and thanks again!


dleaberr
Read A Book
Premium
join:2003-11-13
Spanish Fork, UT

said by garys_2k:

OK, Ethereal did its job and I found two IPs, one for inbound calls and another for outbound. Would it be any problem to have both receive high priority?

I don't think so. Just copy the two lines in the script that do the ip filtering (they're commented as such) and paste them in. Add another variable to the script for the outbound or just hard code it. That's interesting to learn that Vonage has an incoming and outgoing server. I check every once in a while to see if broadvoice has changed the server but so far they haven't. Maybe if I ever get motivated enough I could find a way that perl could automatically be able to detect the ip.


freyder
Premium
join:2001-02-15
Plano, TX
·Verizon FIOS


you guys were correct about the ports used by calls etc.

A quick check of connections during a call revealed the other ports in use.

I took the path of least resistance and now NAT everything from the Sipura to one of my external IPs.

Then set QoS rule for that IP.

much cleaner.

Since I feed it a static internal IP via DHCP I don't have to worry about it changing...

garys_2k

join:2004-05-07
Farmington, MI
·Future Nine Corpor..
·Vonage

reply to dleaberr
quote:

I don't think so. Just copy the two lines in the script that do the ip filtering (they're commented as such) and paste them in. Add another variable to the script for the outbound or just hard code it. That's interesting to learn that Vonage has an incoming and outgoing server. I check every once in a while to see if broadvoice has changed the server but so far they haven't. Maybe if I ever get motivated enough I could find a way that perl could automatically be able to detect the ip.

Thanks. I thought about it after I posted and figured that duplicating that filter line with, say, "VOIP2" set earlier and referenced would do it. Say:

> tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip src $VOIP2 flowid 1:10
> tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip dst $VOIP2 flowid 1:10

That should do it. I'm pretty green at UNIX/LINUX scripting but am slowly making progress. It's very cool that you can work on such low level functions with a script like that.


aaronfitz
Premium
join:2004-03-06
Cedar Rapids, IA


1 edit
reply to freyder
Does Astaro require a dedicated linux PC to run? Or can you run on an existing machine with other daemons, as well?

EDIT: I got a reply on the Astaro forums. Apparently running on an existing server would be "insecure" so they will NEVER support it. I really don't want to learn how to do all of the traffic shaping by hand, but I guess I have no choice...


freyder
Premium
join:2001-02-15
Plano, TX
·Verizon FIOS

in ASL QoS is managed via a simple web interface.

you don't need knowledge of tc to get QoS enabled.

But, Yes you do need a dedicated machine to run it.
but you can log in via SSH and they offer a compiler and many tools via the addon "pluspack". It's LINUX so you can add "other" things to it.. like TCPDUMP.. something I find very handy on my router.

Since they are moving towards certification it won't be an app that you can install on a "different" system.

a firewall should be separate anyway.

The product is simply wonderful.
I am running v4.021 and couldn't be happier.

V5 is out but it is a tad "new" for me to upgrade right now...And besides V4 is doing EVERYTHING I need right now.

Again.. I highly recommend this package..

once you have created the ISO you'll have it operational in about 20 minutes.


aaronfitz
Premium
join:2004-03-06
Cedar Rapids, IA

reply to dleaberr
Actually, you don't need to find the IP address that your DTA connects to externally. Here is one of the lines in the script you posted:
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip src $VOIP flowid 1:10
The "src" checks the source IP, not the destination one. I removed the other line assigning to zone 10, and set VOIP equal to the LAN IP of the DTA, and it works just fine. Thanks for the submission! Time to toy with more QoS...

garys_2k

join:2004-05-07
Farmington, MI
·Future Nine Corpor..
·Vonage

said by aaronfitz:
Actually, you don't need to find the IP address that your DTA connects to externally. Here is one of the lines in the script you posted:
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip src $VOIP flowid 1:10
The "src" checks the source IP, not the destination one. I removed the other line assigning to zone 10, and set VOIP equal to the LAN IP of the DTA, and it works just fine. Thanks for the submission! Time to toy with more QoS...

So you removed this line:

tc class add dev $DEV parent 1:1 classid 1:10 htb rate $VOIPRATE ceil $UPSTREAM

?

Any other changes, besides setting the VOIP variable value to the LAN-side address of the MTA?


dleaberr
Read A Book
Premium
join:2003-11-13
Spanish Fork, UT

reply to aaronfitz
said by aaronfitz:
Actually, you don't need to find the IP address that your DTA connects to externally. Here is one of the lines in the script you posted:
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip src $VOIP flowid 1:10
The "src" checks the source IP, not the destination one. I removed the other line assigning to zone 10, and set VOIP equal to the LAN IP of the DTA, and it works just fine. Thanks for the submission! Time to toy with more QoS...

I had tried this. The issue I was having is that the VOIP box is natted. When the tc program sees the packet it has already been natted (this means the internal 192.168.254.40 voip ip has been replaced with the public ip) so it sees "packet 1 from mypublicip goes to myvoipserver". This is why the internal address is useless.

One of the lines (the one mentioned above) in the script is useless but I left it in because it won't hurt anything. Unless your firewall is doing its marking in a different chain (forwarding as opposed to pre-routing) then putting your internal ip makes no difference. This is because when the packet arrives from the internet the firewall sees it as "packet 1 from myvoipserver to mypublicip". This script figures that most of us have more than sufficient download and does no filtering on the download.

If you're happy with the way it works that's all that matters. I suggest testing by doing the procedures I mentioned above in the thread.

The easiest way to test whether everything is working like you expect is to fire up your implementation then issue
tc -s class ls dev eth0
This shows the classes and how much bandwidth is going through them. Make a call. Then check again. All the bandwidth should be in the class you assigned voip to.
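
The counter check described in this thread (snapshot the classes, make a call, snapshot again) can be scripted. This is an added example, not part of the thread or of tcstart; it assumes leaf classes 1:20 and 1:30 beside the thread's 1:10, and every counter value is constructed.

```shell
#!/bin/sh
# Added example (not dleaberr's tcstart). All sample counters are constructed.

# leaf_bytes: `tc -s class ls` output on stdin -> "classid bytes" per leaf class.
# Parent classes are skipped so their children's bytes are not counted twice.
leaf_bytes() {
    awk '
        $1 == "class" && $2 == "htb" {
            cid = $3
            for (i = 4; i < NF; i++) if ($i == "parent") is_parent[$(i + 1)] = 1
            next
        }
        $1 == "Sent" && cid != "" { bytes[cid] = $2; cid = "" }
        END { for (c in bytes) if (!(c in is_parent)) print c, bytes[c] }
    '
}

# class_share BEFORE AFTER CLASSID: integer percent of the bytes sent between
# the two snapshots that went through CLASSID (prints 0 if nothing was sent).
class_share() {
    {
        printf '%s\n' "$1" | leaf_bytes | sed 's/^/B /'
        printf '%s\n' "$2" | leaf_bytes | sed 's/^/A /'
    } | awk -v want="$3" '
        $1 == "B" { before[$2] = $3 }
        $1 == "A" {
            delta = $3 - before[$2]
            if (delta < 0) delta = $3   # counters restarted (qdisc reloaded)
            total += delta
            if ($2 == want) mine = delta
        }
        END { printf "%d\n", (total > 0 ? 100 * mine / total : 0) }
    '
}

# Constructed snapshots, trimmed to the two lines per class the parser reads.
# BEFORE: only a bulk upload running. AFTER: taken during a call.
BEFORE='class htb 1:1 root rate 256000bit ceil 256000bit burst 1600b cburst 1600b
 Sent 900000 bytes 1800 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:10 parent 1:1 prio 0 rate 100000bit ceil 256000bit burst 1600b cburst 1600b
 Sent 100000 bytes 500 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:20 parent 1:1 prio 1 rate 78000bit ceil 256000bit burst 1600b cburst 1600b
 Sent 300000 bytes 600 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:30 parent 1:1 prio 2 rate 78000bit ceil 256000bit burst 1600b cburst 1600b
 Sent 500000 bytes 700 pkt (dropped 0, overlimits 0 requeues 0)'
# AFTER: the same classes with larger (constructed) byte counters.
AFTER=$(printf '%s\n' "$BEFORE" | sed -e 's/Sent 900000/Sent 1300000/' \
    -e 's/Sent 100000/Sent 420000/' -e 's/Sent 300000/Sent 340000/' \
    -e 's/Sent 500000/Sent 540000/')

echo "1:10 carried $(class_share "$BEFORE" "$AFTER" 1:10)% of the bytes sent"
```

On a live router the two arguments would be the saved output of tc -s class ls dev eth0 taken before and during a call.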


ricknmax

@159.121.x.x
reply to dleaberr
what VOIP software are you running


dleaberr
Read A Book
Premium
join:2003-11-13
Spanish Fork, UT

said by ricknmax:
what VOIP software are you running

If by VOIP software you mean what version of linux and what features then:
Gentoo linux on a 2.6 kernel. It does the firewall routing for the home. Iptables provides the routing/firewall engine and shorewall provides a nice front end for configuring that engine. tc is part of iptables, I believe, and stands for traffic control; it deals with the bandwidth limiting. The kernel has htb and all the QoS routing features enabled. It's really nothing special, all linux distros within the last year should have these features enabled. They usually take the "build it with all the options and you'll never be without" approach.

If that's not what you mean then I'm not running any voip software. It's a sipura 2000 box sitting behind my nat.

Daniel