Need advice on moving PiaF from copper to ITSP

Re. checking voip.ms packets, here's an article I wrote on configuring a switch and checking for tagged packets:

Basic QoS Setup on a Cisco SG 200 Switch

Thanks, I'll look into that. I would expect that voip.ms packets are tagged. However, when I tried to QoS based on asterisk 1.4 defaults I wasn't successful. So verifying presence of ToS tagging from * 1.4 would be a good starting point.

As a workaround, I prioritized ports 10000-20000. Naturally, this works just as well, as those ports are forwarded to PIAF. If they were not this approach wouldn't work. But I need to forward them anyway, and am not interested in VoIP over VPN. Besides, iptables and fail2ban do just fine at kicking out wannabe hackers trying to guess my strong passwords.
 
Thanks, I'll look into that. I would expect that voip.ms packets are tagged.

IIRC they were not tagged by the time they arrived at my PBX (3CX at the time). Maybe they sent the tags and some device in between stripped them off.
 
I opened a support ticket with voip.ms to ask about QoS:
Does voip.ms attach Quality of Service (QoS) tags to outbound RTP packets? If so, what protocol do you use and what value (e.g. DSCP 46 for Expedited Forwarding)?
Reply:
QoS can be configured from your side, most routers currently offer different options for this so you can assign priorities for your traffic, we do not tag the RTP packets. As well, it is recommended to ping all our servers to verify latency and choose the best option for your location.
I guess in a way it doesn't matter that they don't tag packets, since it seems unlikely that a generic ISP, or other hops along the way, would use the tags anyway. The best you can do is prioritize the traffic at the point that it enters your network.
 
Pretty sure that is a generic not-so-tech-support answer.

Also pretty sure * 1.4 tags packets by default, and that is what voip.ms uses. As always, I could be wrong.

If you can examine incoming packets from voip.ms and enlighten us all that would be very useful information. Here is the response I got when I asked the same question:

Hi, we don't set a TOS in our packet, calls are delivered by asterisk clusters. We can't tell your router how to prioritize our packets, this has to be done on your side.

Our Asterisk clusters are currently in the 1.4 branch, and we use the default asterisk TOS setting, I hope this helps.
 
Inbound QoS can only do so much, as the choke point usually isn't your router, but the DSL/cable modem ahead of it which is usually artificially choking your bandwidth to whatever you have subscribed anyways, and if that is already saturated you are usually SOL. Hence why most routers only worry about outbound. Also given most connections are asymmetrical, it's the outbound that chokes first.

Anyways as far as Tomato goes, there are a number of builds that have various features (advanced QoS, VLAN, captive portal, etc). The developer of regular tomato has stopped working on it as far as I'm aware, but there are plenty of other variants that are actively being developed. I use the one available at tomatousb.org with VPN since I do site to site or remote tele-worker via openvpn. For variants with captive portal I would look at something like toastman or victek builds, as they have builds with those features. Used both with good success. You do have to flash the routers with dd-wrt first, and then go to tomato, can't flash directly to tomato. Make sure you do the full erase nvram after each flash.

As far as why the e2000 vs the e3000 or e3500? Price. I picked up a pair of E2000's refurbs for like $20/each with free shipping, and wireless is not an important feature for me for how I'm using them. But the same firmwares will work on E3000, not sure about E3500 or E4xxx models.
 
Inbound QoS can only do so much, as the choke point usually isn't your router, but the DSL/cable modem ahead of it which is usually artificially choking your bandwidth to whatever you have subscribed anyways, and if that is already saturated you are usually SOL. Hence why most routers only worry about outbound. Also given most connections are.

No, incoming QoS works by delaying TCP ACK and/or dropping packets. This is how TCP/IP works. It is perfectly capable of adjusting competing users of bandwidth so that your VoIP call has perfect quality. Any time I mention incoming QoS I get responses like yours. :smile5:

Your description of how this doesn't work is wrong.

As to Tomato, and DD-WRT, from what I have heard they have some good capabilities, including incoming QoS. However, I see they are typically run on low-powered routers so the end result is less than high performance. I think if you're willing to go the custom firmware route you may as well just go straight to PFSense and run good hardware.
 
If you can examine incoming packets from voip.ms and enlighten us all that would be very useful information.

The "purest" test would be to plug the DSL/cable modem directly into a computer, register a softphone with voip.ms, run Wireshark, and make a call. More than I have time for.

What I did do is check QoS tags on packets at my PiaF box. Inbound packets went through my new Tomato router and switch to get to PiaF. Outbound packets are as tagged by Asterisk 1.8.5. I mirrored the port using my switch and used Wireshark to check the DSCP values. Summary:

voip.ms to PiaF, SIP: DSCP 0x00
voip.ms to PiaF, RTP: DSCP 0x00
PiaF to voip.ms, SIP: DSCP 0x18
PiaF to voip.ms, RTP: DSCP 0x2e

The last two values correspond to these settings in sip_general_additional.conf:

tos_sip=cs3
tos_audio=ef

cs3 = DSCP 24 = 0x18 (class selector 3)
ef = DSCP 46 = 0x2e (expedited forwarding)

Bottom line, either voip.ms is not tagging packets, or the tags are getting stripped (converted to 0x00) before arriving at PiaF inside my network.

BTW those tos values in sip.conf may be defaults, but do the defaults apply if those lines are missing? In other words, if voip.ms removed those lines, Asterisk might not tag the packets.
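
Added example, not part of the original thread or any poster's code: a Python sketch of the check described in the post above, reading the DS byte from raw IPv4 headers and comparing the DSCP with the tos_sip/tos_audio keywords. The headers and addresses are constructed, the function names are hypothetical, and treating cs3/ef as the expected inbound tags is an assumption.

```python
import socket
import struct

# Asterisk tos_* keywords used in the post, plus the other class selectors.
DSCP_BY_NAME = {f"cs{n}": n * 8 for n in range(8)}
DSCP_BY_NAME["ef"] = 46

def tos_byte(name: str) -> int:
    """ToS/DS byte on the wire: DSCP in the top 6 bits, ECN in the low 2."""
    return DSCP_BY_NAME[name.lower()] << 2

def dscp_of(ip_header: bytes) -> int:
    """Extract the DSCP value (what Wireshark shows) from a raw IPv4 header."""
    if len(ip_header) < 20 or ip_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return ip_header[1] >> 2

def make_header(src: str, dst: str, tos: int) -> bytes:
    """Build a constructed 20-byte IPv4/UDP header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def audit(flows: dict, expected: dict) -> dict:
    """Compare each flow's observed DSCP with the configured keyword."""
    result = {}
    for label, header in flows.items():
        seen, want = dscp_of(header), DSCP_BY_NAME[expected[label]]
        if seen == want:
            result[label] = "tagged as configured"
        elif seen == 0:
            result[label] = "untagged or stripped"
        else:
            result[label] = f"unexpected DSCP 0x{seen:02x}"
    return result

# Constructed sample headers; addresses are documentation ranges, not real hosts.
PBX, ITSP = "192.0.2.10", "198.51.100.20"
FLOWS = {
    "itsp->pbx sip": make_header(ITSP, PBX, 0x00),
    "itsp->pbx rtp": make_header(ITSP, PBX, 0x00),
    "pbx->itsp sip": make_header(PBX, ITSP, tos_byte("cs3")),
    "pbx->itsp rtp": make_header(PBX, ITSP, tos_byte("ef")),
}
EXPECTED = {"itsp->pbx sip": "cs3", "itsp->pbx rtp": "ef",
            "pbx->itsp sip": "cs3", "pbx->itsp rtp": "ef"}

if __name__ == "__main__":
    for label, verdict in audit(FLOWS, EXPECTED).items():
        print(f"{label}: {verdict}")
```

The DSCP that Wireshark reports (0x2e for ef) is the top six bits of the byte on the wire (0xb8), so the two numbers differ when reading raw hex.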
 
I've set up TomatoUSB VPN on the E2000. A little disappointing that it doesn't respect or add QoS tags, making all my efforts to check QoS tags (previous post) pretty much pointless. However it does seem to do bidirectional QoS based on filters. I couldn't get the Layer 7 filter to detect SIP but filtering by port range works.

Basic info on Tomato QOS is here. I think that's the official doc.

I slogged through this enormous article which was, I hope, more advanced than I need. (The author sets up Tomato routers for apartment buildings, says about 100 active users sharing a connection.) He does address inbound traffic shaping, makes a big deal about controlling inbound traffic by limiting outbound requests.

BTW, interesting point, bjeung, that the modem limits speed. I guess the question is whether the router can still shape the inbound traffic by rejecting more of one type of packet than another. Hopefully yes.

This post is closer to how I set mine up.

Next step is site-to-site VPN. bjeung, do you have a reference on that? Do I need to go through the whole OpenVPN PKI config?
 
Heard rumors that ISPs strip QOS tags. Your wiresharking seems to support this.

So inbound must be done by IP, physical port, or port range.
 
BTW, interesting point, bjeung, that the modem limits speed. I guess the question is whether the router can still shape the inbound traffic by rejecting more of one type of packet than another. Hopefully yes.

It absolutely can. Been there, done that, checked the priority of packets real-time as they traversed the router.

Modem doesn't ACK or drop packets, router does.
 
Modem doesn't ACK or drop packets, router does.
Or maybe they both do? Something slows down the packets when you downgrade the speed that you buy from the ISP. I guess the throttle could be further upstream.
 
Or maybe they both do? Something slows down the packets when you downgrade the speed that you buy from the ISP. I guess the throttle could be further upstream.

The provisioned speed limit you pay for with your provider is often controlled in the modem. But the modem is only going to limit when you are at the maximum.

The modem does not limit speeds at or below the maximum provisioned speed. There your QoS in the router will drop the competing packets, and this lack of ACK goes back through the modem to the sending computer. I don't know how many different ways I can explain this :banghead:

Set it up yourself. Run a test at speedtest.net or somewhere that can reliably saturate your downlink. Watch your router priority in/out queues, watch the downlink speed, and initiate a VoIP call.

See for yourself. I've already done it and know it works.
 
I think we agree. Just "thinking out loud" about how it works.

Assume flooded inbound. Presumably if bandwidth is throttled by the modem, it is rejecting packets above the maximum rate until the sending server(s) slows down the transmissions.

Then the router, next in line, rejects some low-priority packets but doesn't complain about high-priority packets. That further throttles the server of low-priority packets, but the server of high-priority packets keeps on sending at the (modem's) max rate.

And yes, I called Dell while running speedtest.net and that lady sounds as clear as ever!
 
That's the difference between a great VoIP setup, and merely OK . . . No robot voice ever, even if the internet is in high demand by other applications.
 
I have several TZ series Sonicwalls and have lost a lot of hair trying to get any sip product to work with them reliably.

I finally gave up and followed the group's hardware recommendations.
 
I've been using the RV042's and RV082's with good success. You just need to turn off SPI since they can't handle the load of inspecting all the RTP packets. Also, the new V3's don't give the WAN and VPN SNMP visibility as the previous versions.
 
I ultimately implemented Linksys E2000 and E3000 routers running a "Toastman" build of TomatoUSB. This gives me QoS, VLAN with isolated wireless guest network, and VPN. Not bad for a $38 (refurb) router! I've written a couple articles in the process:

Set Up Guest Wireless with Tomato
Set Up VLAN and Site-to-Site VPN with Tomato

Currently experimenting with using voip.ms as a hosted solution including time conditions and multi-level IVR. Pretty powerful functionality for no charge. I did discover that the Busy Lamp Field will not work when extensions register directly to voip.ms, but I doubt that the client will consider BLF functionality enough reason to warrant running an in-house PiaF server.
 
To answer the OP's question. We recommend at least 512k up/down and a router with QoS. Even if you just need 1 extension. I would recommend going with a better internet connection if at all possible before I would recommend trying compression to get around a slow connection.

Internet speeds and QoS routers are not much of a problem nowadays.
 
To answer the OP's question. We recommend at least 512k up/down and a router with QoS. Even if you just need 1 extension. I would recommend going with a better internet connection if at all possible before I would recommend trying compression to get around a slow connection.
So that 512k recommendation is based on G711u? Should that be able to handle 2 simultaneous calls? I think I could upgrade them to 3000/512 DSL. It's failed in the past (too far from C.O.), but last I heard, the phone company installed some repeaters or whatever to strengthen the signal. Unfortunately, business-grade cable is prohibitively expensive in this location.

I've started the testing on G729a and no major complaints, just "a little tinny." Also switched to G729a in my office so I can get a feel for it. If anything, it seems less susceptible to echo, but I really only get echo when converting to analog through my SPA3102 (especially when talking to someone on a cell phone).
 
. . . but I really only get echo when converting to analog through my SPA3102 (especially when talking to someone on a cell phone).


ATAs are an abomination! In my admittedly limited experience they are nearly always the cause of echo.

I use only real SIP phones with SW echo cancellation turned off. No echo problems.
 
