Traffic Shaping

Hi,

this is my scenario, i have two offices (main office and remote office) connected connected together trough a IPsec VPN connection made with two m0n0walls firewall over two adsl connection one with static ip and one with dynamc ip. The vpn is up and works fine, it connects the two lans with no problem. The purpose of the vpn is to use the VOIP pbx installed in the main office with some voip phones on the remote office. Everything works fine except the voice quality when placing a call from the remote office while there is traffic congestion trough the vpn, for example browsing the file server or loading the web page of the administration interface of pbx.
I have enabled the traffic shaping on both m0n0wall in order to prioritize traffic from some ips of the remote office network to the main office network, the rules are based on dedicated pipes, but nothing change when generating traffic trough the vpn.

here are the rules:

remote office:

PIPES

1    537 Kbit/s                        m_Total Upload      
2    6084 Kbit/s                        m_Total Download      
3    128 Kbit/s                        Dedicated VOIP Outbound      
4    128 Kbit/s                        dedicated VOIP Inbound 

RULES:

Target: Dedicated voip outbound
Interface: WAN
Protocol: any
Source: Single host 192.168.0.239 (ip of the sip voip phone "remote office")
Source port: any
Destination: Single host 10.3.10.4 (ip of the pbx "main office")
Destination port: any
Direction: out
lowdelay: yes
throughput: yes

Target: Dedicated voip inbound
Interface: WAN
Protocol: any
Source: Single host 10.3.10.4 (ip of the pbx "main office")
Source port: any
Destination: Single host 192.168.0.239 (ip of the sip voip phone "remote office")
Destination port: any
Direction: in
lowdelay: yes
throughput: yes

MAIN OFFICE

PIPES

1    241 Kbit/s                        m_Total Upload      
2    4074 Kbit/s                        m_Total Download      
3    128 Kbit/s                        Dedicated VOIP Outbound      
4    128 Kbit/s                        dedicated VOIP Inbound 

RULES:

Target: Dedicated voip outbound
Interface: WAN
Protocol: any
Source: Single host 10.3.10.4 (ip of the pbx "main office")
Source port: any
Destination: Single host 192.168.0.239 (ip of the sip voip phone "remote office")
Destination port: any
Direction: out
lowdelay: yes
throughput: yes

Target: Dedicated voip inbound
Interface: WAN
Protocol: any
Source: Single host 192.168.0.239 (ip of the sip voip phone "remote office")
Source port: any
Destination: Single host 10.3.10.4 (ip of the pbx "main office")
Destination port: any
Direction: in
lowdelay: yes
throughput: yes

if i enable or disable traffic shaping on both firewall nothing change on the voip service quality when i generate traffic on the vpn tunnel, any ideas?

Thanks in advance

kelo

Hello,

i have exactly the same problem.

Traffic shaping works good, but ipsec traffic kills my voice quality.

do you found any solution?

The problem may not be purely traffic shaping.

VPN uses a lot of CPU resources for the encryption, and this can impact network throughput.

Have you checked the CPU load while the problem is happening?

hello,

when the ipsec tunnel is under heavy traffic the CPU load is 20% to 30%

i am using a Soekris net5501-70

with no ipsec traffic the shaping looks fine, i fully utilize the WAN and VoIP sounds nice.

1    1331 Kbit/s      m_Total Upload      
2    18994 Kbit/s      m_Total Download   
3    512 Kbit/s           Dedicated VoIP Upload 
4    512 Kbit/s           Dedicated VoIP Download   

UDP    10.0.5.1    85.199.x.xxx    Dedicated VoIP Upload    m_Outbound VOIP from 10.0.5.1
UDP    85.199.x.xxx    10.0.5.1    Dedicated VoIP Download    m_Download VOIP from 85.199.x.xxx

is there any way to check if one connection hits a rule?