Monday 16 November 2009

Testing Vyatta with QoS and Asterisk(Elastix) - Howto

The Setup:

First setting up the Interfaces:
R1:

interfaces {
ethernet eth0 {
address 10.0.12.1/24
description R1TOR2
}
ethernet eth1 {
address 192.168.10.254/24
description LAN1
}
ethernet eth2 {
address 10.0.10.1/24
description R1TOR10
}
ethernet eth3 {
address 10.0.13.1/24
description R1TOR3
}
loopback lo {
address 1.1.1.1/32
}

R2:

interfaces {
ethernet eth0 {
address 10.0.12.2/24
description R1TOR2
}
ethernet eth1 {
address 192.168.2.254/24
description LAN2
}
loopback lo {
address 2.2.2.2/32
}

R3

interfaces {
ethernet eth0 {
address 10.0.13.3/24
description R1TOR3
speed auto
}
ethernet eth1 {
address 192.168.3.254/24
description LAN3

}
loopback lo {
address 3.3.3.3/32
}
}


Setting up the IGP:
R1:

protocols {
ospf {
area 0 {
network 10.0.12.0/24
network 10.0.13.0/24
}
area 1 {
network 1.1.1.1/32
network 192.168.10.0/24
}
area 10 {
network 10.0.10.0/24
}
parameters {
router-id 1.1.1.1
}
}

R2:

protocols {
ospf {
area 0 {
network 10.0.12.0/24
}
area 2 {
network 2.2.2.2/32
network 192.168.2.0/24
}
parameters {
router-id 2.2.2.2
}
}
}

R3:

protocols {
ospf {
area 0 {
network 10.0.13.0/24
}
area 3 {
network 192.168.3.0/24
network 3.3.3.3/32
}
}
}


Setting up the QoS Policy:
R1:

qos-policy {
traffic-shaper SITE1 {
bandwidth 125kbit
class 10 {
bandwidth 85Kbit
match VOIP-RTP {
ip {
dscp 46
}
}
}
class 20 {
bandwidth 15kbit
match VOIP-CONTROL {
ip {
protocol udp
source {
port 5060
}
}
}
}
class 30 {
bandwidth 10kbit
match OSPF {
ip {
protocol ospf
}
}
queue-type fair-queue
}
default {
bandwidth 10kbit
}
description QOS_for_SITE1
}



The applying it:

R1:

interfaces {
ethernet eth0 {
address 10.0.12.1/24
description R1TOR2
qos-policy {
out SITE1
}





Here is the video where I configure and test it:

Testing Quality Of Service (QOS) with Vyatta and Asterisk from Richard Vimeo on Vimeo.

13 comments:

Haris said...

Hi Roggy,

thanks so much for this Qos video, can you please post the steps for the qos, i am new to vyatta and i dont know how to understand the config. but i can follow the steps like you have in your internet gatevay for vyatta. i have tried a qos but when i appy it to the adapter it creates more havac. Thanks my config

interfaces {
ethernet eth0 {
address dhcp
hw-id 00:02:a5:79:78:1c
qos-policy {
}
}
ethernet eth1 {
address 192.168.0.1/24
hw-id 00:01:02:2b:e1:95
}
loopback lo {
}
}
qos-policy {
traffic-shaper DSCP {
bandwidth 5mbit
class 10 {
bandwidth 90%
description "Matches DSCP 46 - used for RTP & RTCP for VoIP - set by IP Phone & Asterisk"
match DSCP-46 {
ip {
dscp 46
}
}
}
class 30 {
bandwidth 5%
description "Matches DSCP 26 - used for RTP & RTCP for VoIP - set by IP Phone & Asterisk"
match DSCP-26 {
ip {
dscp 26
}
}
}
default {
bandwidth 5%
}
description "This policy enforces DSCP-based queuing"
}
}
service {
dhcp-server {
disabled false
shared-network-name LAN {
authoritative disable
subnet 192.168.0.0/24 {
default-router 192.168.0.1
dns-server 142.165.200.5
dns-server 192.168.0.1
start 192.168.0.10 {
stop 192.168.0.50
}
}
}



protocol all
source {
address 192.168.0.0/24
}
type masquerade
}
rule 2 {
destination {
address 0.0.0.0/0
port ssh
}
inbound-interface eth0
inside-address {
address 192.168.0.71
}
protocol tcp
source {
address 0.0.0.0/0
}
type destination
}
rule 3 {
destination {
address 0.0.0.0/0
port 5060
}
inbound-interface eth0
inside-address {
address 192.168.0.71
}
protocol udp
source {
address 0.0.0.0/0
}
type destination
}
rule 4 {
destination {
address 0.0.0.0/0
port 10000-20000
}
inbound-interface eth0
inside-address {
address

Roggy said...

Hi Haris,
first-
Try matching on destination port
5060 (class 30)

and destination port
10000-20000 (class 10)

(same as your nat rules)

Secondly-
Then using a packet sniffer check to see what the current dscp tags are. Once you know for sure what the dscp tags are in your signaling and data traffic then redo your rules matching on dscp.

Haris said...

what should i type to match on destinaton rules for port 5060 and 10000-20000.

hi Roggy, i have done sniff of incomming and outgoing data through the asterisk box but i am not able to completely understand it i was wondering if i can email that to you, since you are the expert.

thank happy new year

Roggy said...

I can take a quick look if you like
whats ur email?

Haris said...

my email is harisk@swaw.ca

also some ont said that as soon as a voip call hits the first gateway on the internet all tos bits are reset to 0. so DSCP does not work. is that true.

thanks

Roggy said...

Yes there is some truth to it however with most vpn techs it will leave your dscp unchanged.

Either way when you are in control of both ends and the lan you do not have to worry about the cloud as the packets are already in the right order (and hopefully stay that way)

Unknown said...

Hi Roggy,

Great videos - Very helpful!
This video works great, but only for outbound traffic.
What if the downlink is saturated?

This is my setup
eth0 - internet
eth1 - lan
vtun0 - openVPN interface to sip gateway server

I implemented this rule based from your video:

# show qos-policy
traffic-shaper Oly {
bandwidth 1500kbit
class 10 {
bandwidth 25%
match OVPN {
ip {
protocol udp
source {
port 1196
}
}
}
}
default {
bandwidth 75%
}
}

I applied this policy to eth0 out
ethernet eth0 {
address x.x.x.x
firewall {
in {
name fw-eth0-in
}
}
hw-id 00:22:19:d6:9e:dd
qos-policy {
out Oly
}
}

All my VoIP traffic travels over the openVPN tunnel. So the purpose of this rule is to prioritize the tunnel , which runs on port 1196 over UDP.
I think the policy is working for outbound traffic

Interface Qos-Policy Sent Dropped Overlimit
eth0 traffic-shaper 590365329 145326 1721925
eth1 default 1759100263 0 0
vtun0 default 202421787 0 0


My problem is the inbound link is at 90-100% utilization almost ALL the time, and I cannot use traffic shaper, just traffic limiter.

I'm looking for ideas on how to use traffic-limiter to get incoming OpenVPN priority.
One thought was to limit all traffic on eth0 to 2mb and allow the remaing .5mb for vtun0.
My confusions lies in the fact vtun0, although a separate interface, travels over eth0.
Is there any way I can restrict all traffic to 2mb except OpenVPN (udp 1196)
Any other ideas?

Roggy said...

Hi Andy,

Thanks for the comments :)
Im assuming that 1196 is a typo? cos 1194 udp is the default port?
Anyhow, you can control downstream on your wan interface by controlling the upstream on your lan interface.
Sounds strange I know but it does work. I do something similar in a cisco lab here:http://roggyblog.blogspot.com/2009/06/using-rate-limit-for-traffic-shapping.html
Hope that helps.

Unknown said...

thanks for replying.
1196 is not a typo, I use separate tunnels for VoIP and data(data is left at default 1194),, they terminate at different servers.
I will try creating a new QoS policy and applying it to outbound on eth1.
Will let you know if it works.

Unknown said...

Roggy,

It seems to work! Thanks!
My setup is a little funky, since outbound shaping on eth0 is openVPN UDP and outbound shaping on eth1 is SIP/RTP streams.
I basically copied your QoS policy
(IP DSCP 46) and (SIP UDP 5060).
I've had to really play with the bandwidth values - since when the call leaves the firewall, it is compressed with GSM around 15kbit. However, when it passes back through eth1, it is an RTP stream of around 85 kbit. So I've set the total bandwidth to many times higher the the actual pipe bandwidth to factor in it will be compressed with it actually leaves the server.
My question is, if I set 40% of the bandwidth for SIP and IP DSCP 46, and no one is making any current calls, will the system allow data to eat into that bandwidth? Or is it wasted?
Ideally I would think data could use 100% of the pipe, then once a call was initiated, QoS kicked in and throttle the data connection back. Thoughts?

Roggy said...

No problem, glad it worked for you.
Remember that with vc6 you can create a qos-policy on the vtun interface.

As for whether the bandwidth is wasted while not used, pretty much "yes" even when dealing with MQC (the cisco Qos interface) and priority queuing the bandwidth is wasted.
This is the recommended setup with a congested line and voip traffic, no matter what queuing/router you are using.

However keep in mind that QoS only comes into play when the line is congested.

hope that helps

Unknown said...

Hi Roggy,


Thanks for you Videos it has really helped me out with a small project i'm busy with. Your video internet gatway.
The only think I'm missing is the QOS so i can use my VoIP phones to make calls, to a VoIP provider. I'm using my Vyatta 514 for home usage lol.now i have been trying to make some QOS but man oh man it killing me. im runnng Vyatta 6.1 betta and the minute i type in the command it gos wrong watch the command i'm trying to enter.

rooto@BorderCore-1# edit qos-policy traffic-shaper DSCP
Invalid node "qos-policy traffic-shaper DSCP" for the 'edit' command

and sorry but i can figure out what i'm doing wrong. I also want to have some other QOS for other services i'm running on my Lan.


edit qos-policy traffic-shaper DSCP

set bandwidth 750Kbps

set description "This policy enforces DSCP-based queuing"


edit class 10

set bandwidth 90%

set description "Matches DSCP 46 - used for RTP & RTCP for VoIP"
set by IP Phone & AsteriskÓ
set match DSCP-46 ip dscp 46

edit class 30

set bandwidth 5%

set description "Matches DSCP 26 - used for RTP & RTCP for VoIP -set by IP Phone & Asterisk"

set match DSCP-26 ip dscp 26


set interfaces ethernet eth0 qos-policy out DSCP

Regards

Michel Maduro

Rob said...

I'm using your rules for traffic-shaper, but my calls are randomly dropped. At the same time the call is dropped, all my SIP registrations drop as well. After this happens, I check the queuing and there are no dropped or overlimit packets for SIP or even RTP for that matter. Any idea? Do I need to allocate more bandwidth for SIP?