2010
04.23

Recently I’ve installed the newest Asterisk 1.6.2.6. I dealt with Asterisk a few times in the past but never focused on its QoS capability. What I found interesting is that sip.conf has fields for setting the ToS field (with default values provided):

  • tos_sip=cs3   (SIP signalling messages)
  • tos_audio=ef    (RTP audio)
  • tos_video=af41    (RTP video)
  • tos_text=af41    (RTP text)

Settings are also available for other protocols:

Even though those parameters are named ToS, they actually set DSCP. It might be misleading, because ToS is a full byte, whilst DSCP is a 6-bit part of the ToS field.

2010
04.15

It is possible to set ToS using iptables. The pity is that only 5 values are valid, as listed by iptables -m tos -h:

  • Minimize-Delay 16 (0x10)
  • Maximize-Throughput 8 (0x08)
  • Maximize-Reliability 4 (0x04)
  • Minimize-Cost 2 (0x02)
  • Normal-Service 0 (0x00)

As you noticed, only one of 4 bits (11, 12, 13, 14) from the ToS octet can be set. Sample firewall rules:

iptables -t mangle -N mark-tos
iptables -t mangle -A OUTPUT -j mark-tos
iptables -t mangle -A mark-tos -p icmp -j TOS --set-tos 16

In the example only ICMP packets are marked. Setting ToS using iptables isn’t as useful as setting DSCP.
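To make concrete the ToS/DSCP relationship from the Asterisk post and the legacy TOS values above, here is an added example (not part of the original posts) that converts DSCP class names into the DSCP value and the full ToS byte, and splits a ToS byte back into DSCP and ECN. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: DSCP class name -> 6-bit DSCP value -> full ToS byte, and back.
# Function names are hypothetical; the class names and TOS values are the
# ones mentioned on this page.

# DSCP code point (decimal) for a class name such as ef, cs3 or af41.
dscp_from_class() {
    case "$1" in
        be|cs0) echo 0 ;;
        ef) echo 46 ;;
        cs[1-7]) echo $(( ${1#cs} * 8 )) ;;             # CSn  = n << 3
        af[1-4][1-3])
            d=${1#af}                                    # e.g. "41"
            echo $(( (d / 10) * 8 + (d % 10) * 2 )) ;;   # AFxy = 8x + 2y
        *) echo "unknown class: $1" >&2; return 1 ;;
    esac
}

# ToS octet that carries a DSCP value: DSCP is the upper 6 bits,
# the lower 2 bits (ECN) are left at 0.
tos_from_dscp() { printf '0x%02x\n' $(( $1 << 2 )); }

# Split a ToS octet (decimal or 0x.. hex) into "dscp=<n> ecn=<n>".
decode_tos() {
    octet=$(( $1 ))
    echo "dscp=$(( octet >> 2 )) ecn=$(( octet & 3 ))"
}

# The Asterisk sip.conf defaults and the cs4 signaling class.
for class in cs3 ef af41 cs4; do
    value=$(dscp_from_class "$class")
    echo "$class: dscp=$value tos_byte=$(tos_from_dscp "$value")"
done

# The legacy iptables TOS values, reread as DSCP/ECN. Note that
# Minimize-Cost (2) falls into the ECN bits, not into the DSCP field.
for legacy in 16 8 4 2 0; do
    echo "tos $legacy: $(decode_tos "$legacy")"
done
```

When checking a capture, compare like with like: a tool that shows the whole ToS byte reports 0xb8 for EF, while one that shows only the DSCP field reports 0x2e (46).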

2010
04.13

Below is an example of setting two classes for:

  • signaling
  • media

It was created for SIP and H.323. There are many differences between them, and it seems that SIP is becoming much more popular nowadays thanks to its simplicity.

Both have a signaling and a media layer. The network ports usually used for these purposes are:

1. For SIP:

  • signaling: TCP/UDP 5060, TCP 5061 (secure TCP)
  • media: UDP, depends on configuration

2. For H.323:

The example was based on an Avaya solution in which there are a Communication Manager and a Gateway/Gatekeeper.

  • signaling: TCP/UDP 1719, TCP/UDP 1720
  • media: UDP, depends on configuration

For signaling we assigned DSCP class CS4, whilst for media EF.

The iptables rules should look more or less like this:

MEDIA:

# create the chain before appending rules to it
iptables -t mangle -N mark-media
#out
iptables -t mangle -A mark-media -p udp -s $IP_1 -d $IP_2 --dport $RTP_RANGE -j DSCP --set-dscp-class ef
#in
iptables -t mangle -A mark-media -p udp -s $IP_2 -d $IP_1 --sport $RTP_RANGE -j DSCP --set-dscp-class ef

where:

IP_1 and IP_2 – IP ranges of the endpoints

RTP_RANGE – UDP port ranges for RTP

SIGNALING:

# create the chain before appending rules to it
iptables -t mangle -N mark-signaling-sip
#out
iptables -t mangle -A mark-signaling-sip -p tcp -s $SIP_ENDPOINT_IP -d $SIP_GW_IP --dport 5060:5061 -j DSCP --set-dscp-class cs4
#in
iptables -t mangle -A mark-signaling-sip -p tcp -s $SIP_GW_IP --sport 5060:5061 -d $SIP_ENDPOINT_IP -j DSCP --set-dscp-class cs4

where:

SIP_ENDPOINT_IP – SIP endpoint

SIP_GW_IP – SIP Proxy/Registrar

# create the chain before appending rules to it
iptables -t mangle -N mark-signaling-h323
#out
iptables -t mangle -A mark-signaling-h323 -p tcp -s $AVAYA_ENDPOINT_IP -d $AVAYA_CM_IP --dport 1719:1720 -j DSCP --set-dscp-class cs4
iptables -t mangle -A mark-signaling-h323 -p udp -s $AVAYA_ENDPOINT_IP -d $AVAYA_GW_IP --dport 1719:1720 -j DSCP --set-dscp-class cs4
#in
iptables -t mangle -A mark-signaling-h323 -p tcp -s $AVAYA_CM_IP --sport 1719:1720 -d $AVAYA_ENDPOINT_IP -j DSCP --set-dscp-class cs4
iptables -t mangle -A mark-signaling-h323 -p udp -s $AVAYA_GW_IP --sport 1719:1720 -d $AVAYA_ENDPOINT_IP -j DSCP --set-dscp-class cs4

where:

AVAYA_ENDPOINT_IP – H.323 endpoint

AVAYA_CM_IP – Avaya Communication Manager

AVAYA_GW_IP – Avaya Gateway/H.323 Gatekeeper

In the example we assumed that a proper FILTER chain is configured in iptables, allowing transmission over the above TCP/UDP ports.

The chains mark-media, mark-signaling-sip and mark-signaling-h323 should be added to the PREROUTING chain in the mangle table:

iptables -t mangle -A PREROUTING -j mark-signaling-sip
iptables -t mangle -A PREROUTING -j mark-signaling-h323
iptables -t mangle -A PREROUTING -j mark-media

Now we are able to distinguish media and signaling for VoIP in our network, and we can start dealing with queueing disciplines.

2010
04.08

If our hardware/software (e.g. IP phone, gateway) doesn’t set a proper DSCP value, it can be done using iptables on the nearest Linux machine. In the scenario there are two hosts:

  • Ping Request is a Linux host (CentOS 5.3, 2.6.18-128.el5) with iptables v1.3.5
  • Ping Response is Windows 7 with Wireshark on board

In the example, just for simplification, all traffic from the Ping Request host is marked with DSCP value 46 (Critical).

Changes in the firewall were done after a fresh install (default iptables rules):

iptables -t mangle -N wawit-mark-dscp-46
iptables -t mangle -A POSTROUTING -j wawit-mark-dscp-46
# append to the chain created above (same name as in -N)
iptables -t mangle -A wawit-mark-dscp-46 -j DSCP --set-dscp 46

After the ping command, on the Ping Response host we captured:

DSCP value 0x2e in hex is equal to 46 in decimal.

The example is trivial. Of course we should set the DSCP value in packets according to the available criteria, e.g. src/dst IP address, port, protocol etc.

Once the packets carry proper DSCP values, we can implement QoS mechanisms in our network nodes based on them.