Hello,

I have the following pf rule set for my firewall and am having 
trouble queuing the VoIP.

I am running a LinkSys VoIP router on the inside of the firewall.


When I check the status of pf with pftop, I can see
packets routed through the std_out, dns_out, and the tcp_ack_out
queues.  It appears that all VoIP traffic is being routed
through the std_out queue.

Charles

p.s.  Since the VoIP router is on the inside of the firewall,
I have verified that there is an active connection
using UDP 5061 from the firewall out.

#---------------------------------------------------
#
#       MACROS
#
#---------------------------------------------------

ExtIF       = "tun0"
IntIF       = "xl0"
IntNet      = "10.0.1.0/24"

ssh_ports   = "{ 22 2022 }"
im_ports    = "{ 1863 5190 5222 }"
voip_ports  = "{ 5060 5061 10000:20000 }"

UpLoad      = "768Kb"
DownLoad    = "5.0Mb"
voip_bw     = "256Kb"

#----------------------------------------------------
#
#       SCRUB
#
#----------------------------------------------------

scrub in all

#----------------------------------------------------
#
#       QUEUEING
#
#----------------------------------------------------

# netstream_out was listed here but never defined below and is not used by
# any rule, so it is dropped to keep the child list and the queue
# definitions in step.
altq on $ExtIF priq bandwidth $UpLoad queue { std_out, ssh_im_out, dns_out, \
        tcp_ack_out, voip_out }

# priq: the higher the priority number, the sooner the queue is served.
# std_out is the default, so any pass rule without a queue keyword lands here.
queue std_out         priq(default)
queue ssh_im_out      priority 3 priq
queue dns_out         priority 4 priq
queue voip_out        priority 6 priq
queue tcp_ack_out     priority 7 priq

#--------------------------------------------------------------
#
#       TRANSLATIONS
#
#--------------------------------------------------------------

# Translation is applied before the outbound filter rules are evaluated.
# Without static-port, pf also rewrites the source port into 50001:65535.
nat on $ExtIF from $IntIF:network to any -> ($ExtIF)

#--------------------------------------------------------------
#
#       FILTER RULES
#
#--------------------------------------------------------------

block in  log on $ExtIF all
block out log on $ExtIF all

# Evaluated after the nat rule has already translated the packet, so
# "port $voip_ports" is tested against the NATed source port, not the port
# the LinkSys used on the inside.
pass  out quick on $ExtIF inet proto udp from any port $voip_ports \
        to any keep state queue voip_out

pass  out on $ExtIF inet proto tcp from any to any flags S/SA \
        keep state queue(std_out, tcp_ack_out)

# No queue keyword: whatever matches here goes to the default queue, std_out.
pass  out on $ExtIF inet proto { udp icmp } from any to any keep state

pass  out on $ExtIF inet proto { tcp udp } from any to any port domain \
        keep state queue dns_out

pass  out on $ExtIF inet proto tcp from any to any port $ssh_ports \
        flags S/SA keep state queue(std_out, ssh_im_out)

pass  out on $ExtIF inet proto tcp from any to any port $im_ports \
        flags S/SA keep state queue(ssh_im_out, tcp_ack_out)

pass  in log quick on $ExtIF inet proto tcp from any to $ExtIF \
        port $ssh_ports flags S/SA keep state
