servaris
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue May 20, 2014 4:30 pm
Location: Planet Earth

Firewall/QoS rules for small office RB2011 and CRS125

Wed Jul 02, 2014 10:12 pm

Hi,
I have searched around for simple firewall rules for small offices which include QoS for SIP. What I have found are very complicated rule sets, and I'm unsure whether those are really needed.

Below is the network topology:
Wireless Internet Access <-> RB2011UiAS <--> CRS125-24G-1S-2H <--> LAN

RB2011UiAS Wireless <--> LAN (clients with notebooks/tablets et al. can access the outside world or file servers on the LAN via either the RB2011UiAS or the CRS125-24G switch..... if it matters which, please inform me)
QoS Rules
1) Network protocols: priority 1
2) SIP and RTP (5060, 10000-15000 UDP): priority 2
3) VPN port 1194 TCP: priority 3
4) Email, FTP, WWW (surfing, no local Apache or any other web server internally): priority 6
5) Everything else (that is allowed ... is there such a thing with MikroTik as the first firewall rule being "deny in from any to any"?): priority 8 or higher

On the CRS125, would there also be the need for QoS?

If you have a script that does the above, please share it.
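An added example, not code from the original post or from MikroTik, of what the five classes above look like as a RouterOS 6 configuration on the RB2011 (the WAN edge, which is where the bottleneck and therefore the queueing lives; the gigabit LAN behind the CRS125 does not contend at these rates). Everything named here is an assumption: ether1 is the internet uplink, bridge-lan is the LAN-facing interface, 192.168.10.0/24 is the office LAN, 10.8.0.0/24 is the OpenVPN client range, and the 5M up / 20M down link rates are placeholders to be replaced with the real ones.

```routeros
# --- Added example (not from the thread). Assumed names: ether1 = WAN,
# --- bridge-lan = LAN side, 192.168.10.0/24 = office LAN, 10.8.0.0/24 = VPN.
/ip firewall address-list
add list=lan address=192.168.10.0/24 comment="office LAN (assumed)"

# Default deny: accept what belongs to known flows, accept what is explicitly
# allowed, drop the rest. The last rule in each chain is the "deny in from
# any to any" asked about above; order matters because RouterOS stops at the
# first matching terminating rule.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept comment="ping / path MTU"
add chain=input in-interface=ether1 protocol=tcp dst-port=1194 action=accept comment="OpenVPN server on the router (assumed)"
add chain=input in-interface=ether1 action=drop comment="WAN -> router: nothing else"
add chain=input src-address-list=lan action=accept comment="LAN -> router (Winbox/SSH/DNS)"
add chain=input action=drop comment="deny in from any to any"

add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 connection-state=new action=drop comment="no unsolicited inbound"
add chain=forward src-address-list=lan out-interface=ether1 action=accept comment="LAN -> internet"
add chain=forward src-address=10.8.0.0/24 dst-address-list=lan action=accept comment="VPN clients -> LAN (range assumed)"
add chain=forward action=drop comment="deny in from any to any"

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

# Classify in prerouting so both directions are seen. passthrough=no means a
# packet takes the first class it matches and stops; "port=" matches either
# the source or the destination port, which covers a flow in both directions.
/ip firewall mangle
add chain=prerouting protocol=icmp action=mark-packet new-packet-mark=p1-ctl passthrough=no comment="1: network protocols"
add chain=prerouting protocol=udp port=53,123 action=mark-packet new-packet-mark=p1-ctl passthrough=no comment="1: DNS, NTP"
add chain=prerouting protocol=udp port=5060 action=mark-packet new-packet-mark=p2-voip passthrough=no comment="2: SIP"
add chain=prerouting protocol=udp port=10000-15000 action=mark-packet new-packet-mark=p2-voip passthrough=no comment="2: RTP (range must match phones/PBX)"
add chain=prerouting protocol=tcp port=1194 action=mark-packet new-packet-mark=p3-vpn passthrough=no comment="3: OpenVPN"
add chain=prerouting protocol=tcp port=25,465,587,110,995,143,993,21,80,443 action=mark-packet new-packet-mark=p6-bulk passthrough=no comment="6: mail, ftp control, www"
add chain=prerouting action=mark-packet new-packet-mark=p8-rest passthrough=no comment="8: everything else"

# HTB queue tree. The parent max-limit must sit a little below the real link
# rate, otherwise the ISP's buffer does the queueing and the priorities mean
# nothing. priority=1 is served first, 8 last; limit-at is the guaranteed
# share and the limit-at values of the children must sum to no more than the
# parent's max-limit.
/queue tree
add name=up parent=ether1 max-limit=4500k comment="uplink assumed 5M"
add name=up-p1 parent=up packet-mark=p1-ctl priority=1 limit-at=128k max-limit=4500k
add name=up-p2 parent=up packet-mark=p2-voip priority=2 limit-at=1M max-limit=4500k
add name=up-p3 parent=up packet-mark=p3-vpn priority=3 limit-at=512k max-limit=4500k
add name=up-p6 parent=up packet-mark=p6-bulk priority=6 limit-at=512k max-limit=4500k
add name=up-p8 parent=up packet-mark=p8-rest priority=8 limit-at=256k max-limit=4500k

add name=down parent=bridge-lan max-limit=18M comment="downlink assumed 20M"
add name=down-p1 parent=down packet-mark=p1-ctl priority=1 limit-at=256k max-limit=18M
add name=down-p2 parent=down packet-mark=p2-voip priority=2 limit-at=2M max-limit=18M
add name=down-p3 parent=down packet-mark=p3-vpn priority=3 limit-at=1M max-limit=18M
add name=down-p6 parent=down packet-mark=p6-bulk priority=6 limit-at=2M max-limit=18M
add name=down-p8 parent=down packet-mark=p8-rest priority=8 limit-at=1M max-limit=18M
```

Two caveats a practitioner would check before trusting this: the RTP range 10000-15000 is whatever the phones and PBX are configured for, not a standard, and passive FTP data connections use random high ports, so they fall into class 8 unless the ftp connection-tracking helper (enabled by default in RouterOS) is relied on and matched with connection-state=related in a mangle rule. The LAN-side queue on bridge-lan only shapes traffic routed in from ether1; frames switched between LAN ports never pass through it, which is the reason the CRS125 side does not need the same treatment for this topology.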
 
jkarras
Member Candidate
Posts: 226
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Thu Jul 03, 2014 8:50 am

Do your phones tag the packets with DSCP or COS values? It may be easy to pick up on those values for your QoS.
 
servaris

Fri Jul 04, 2014 2:41 am

jkarras wrote:
    Do your phones tag the packets with DSCP or COS values? It may be easy to pick up on those values for your QoS.
Hi jkarras,

How can I tell? Since the phones here go through the RB2011, I cannot run a tcpdump. Can this be done on the RB2011?
 
jkarras

Fri Jul 04, 2014 3:00 am

The RB has a way to set up a mirror port if you want to go with looking at it in Wireshark.

Do you manage the phones as well, or are they a hosted setup? Looking at the manual for the phones/phone system, it should tell you what its default DSCP values are. Logging into the management interface on the phone will also tell you. On Avaya phones, for example, it's shown on one of the status pages.
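An added example, not from the thread or from MikroTik's documentation, of the three ways the RB2011 itself can answer "what DSCP do the phones send" without a computer in the phone path. Assumptions: the phone in question is 192.168.10.11, the unmanaged 3Com switch with the phones hangs off ether2, and a laptop running Wireshark sits on ether3 at 192.168.10.50.

```routeros
# --- Added example (not from the thread). Assumed: phone 192.168.10.11,
# --- phones' switch on ether2, Wireshark laptop on ether3 = 192.168.10.50.

# Option 1: capture on the router into a file, then open it in Wireshark.
# filter-ip-address keeps only the phone's packets; 200 KiB is enough for
# one call's SIP exchange plus a few seconds of RTP.
/tool sniffer set filter-ip-address=192.168.10.11/32 file-name=phone.pcap file-limit=200KiB
/tool sniffer start
# ... place and answer a call from that phone, then:
/tool sniffer stop
/file print where name=phone.pcap
# Download phone.pcap (Files window in Winbox, or FTP/SFTP to the router).
# In Wireshark the value to read is "Differentiated Services Field" in the
# IP header: 0x2e = DSCP 46 (EF) is the usual voice/RTP mark, 0x1a = 26
# (AF31) the usual SIP mark. The 802.1Q "Priority" field is the CoS value
# and is only present if the phone sends VLAN-tagged frames.

# Option 2: stream the capture live to Wireshark instead of a file. RouterOS
# sends TZSP to UDP 37008; Wireshark decodes it natively.
/tool sniffer set filter-ip-address=192.168.10.11/32 file-name="" streaming-enabled=yes streaming-server=192.168.10.50
/tool sniffer start
# On the laptop: capture on its own NIC with the filter "udp port 37008".
/tool sniffer stop

# Option 3: hardware port mirror on the RB2011's switch chip, so the laptop
# sees every frame the phones' switch sends, tags included, without loading
# the router CPU. ether1-5 share switch1 on an RB2011; confirm the port-to-
# chip mapping with "/interface ethernet switch print" before relying on it.
/interface ethernet switch set switch1 mirror-source=ether2 mirror-target=ether3
# Remove the mirror afterwards, otherwise the laptop port keeps receiving a
# copy of everything that passes ether2:
/interface ethernet switch set switch1 mirror-source=none mirror-target=none
```

One thing to expect in the capture: if the phone is itself an OpenVPN client, the only flow from 192.168.10.11 is the encrypted tunnel to the VPN server, and the DSCP shown is whatever the phone put on those outer packets; the SIP and RTP inside are not visible to the router at all.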
 
servaris

Fri Jul 04, 2014 3:43 am

Hi,
We have Yealink T22P phones, an HT502 ATA for the analogue phone, and a Polycom VVX310.

I am extremely new to MikroTik and no network guru either. I want to set up our RB2011UiAS, and have another RB2011UiAS and a CRS125 for a client. Basically the same setup.

Thanks JKarras
 
servaris

Fri Jul 04, 2014 3:46 am

By the way, I don't have a problem with Wireshark. The problem is running Wireshark on what? The phones here are not connected to computers. They run to a switch, and it's not a MikroTik switch either. It's an unmanaged 3Com.
 
jkarras

Fri Jul 04, 2014 3:47 am

But at some point there is a choke point on the MikroTik where you could sniff traffic, correct?
 
servaris

Fri Jul 04, 2014 4:03 am

On the Yealink T22P it shows:

[image attachment]

The T22P manual states:

    Voice QoS
    In order to make VoIP transmissions intelligible to receivers, voice packets should not be dropped, excessively delayed, or made to suffer varying delay. The DiffServ model can guarantee high-quality voice transmission when the voice packets are configured with a higher DSCP value.

    SIP QoS
    The SIP protocol is used for creating, modifying and terminating two-party or multi-party sessions. To ensure good voice quality, SIP packets emanating from IP phones should be configured with a high transmission priority.

    DSCPs for voice and SIP packets can be specified respectively.
 
servaris

Fri Jul 04, 2014 4:07 am

jkarras wrote:
    But at some point there is a choke point on the MikroTik where you could sniff traffic, correct?

I tried the sniff app. I did not see the address. Actually, the phone is set up to use OpenVPN, and it uses a 10.8.0.x IP. The phone says 192.168.10.11 though.

In the sniff app, for the 10.11 IP it did show a COS number:

[image attachment]
 
jkarras

Fri Jul 04, 2014 8:25 am

COS is on the VLAN tag, not on the IP header as TOS is. TOS is different.

When you say things run over OVPN, do you mean an OVPN connection on your MikroTik, or are the phones themselves connecting to OVPN? If the phones are the OVPN clients there will be no way to know the DSCP markings unless it marks the tunnel. If they are not the OVPN endpoints you should be OK. Moving the DSCP marks onto the tunnel packets won't do much good, as your upstream ISPs are not going to honor them.
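An added example, not from the thread or from MikroTik, of what the DSCP-vs-COS distinction and the two OpenVPN cases above look like as mangle rules on the RB2011. It is written to replace the port-based SIP/RTP rules of a port-based classifier, not to sit beside them. Assumptions: ether1 is the WAN, the phone is 192.168.10.11, the packet marks p2-voip and p3-vpn are whatever the queue tree expects, the VPN server listens on TCP 1194, and 46 (EF) for RTP and 26 (AF31) for SIP are the phone's defaults, which have to be confirmed on its Voice QoS / SIP QoS page before relying on them.

```routeros
# --- Added example (not from the thread). Assumed: ether1 = WAN, phone =
# --- 192.168.10.11, marks p2-voip / p3-vpn used by the queue tree,
# --- OpenVPN server on TCP 1194, DSCP 46 = RTP and 26 = SIP on the phones.
/ip firewall mangle

# Case A: the phones are plain SIP endpoints on the LAN, so their DSCP is
# readable. Read it on the LAN side only (in-interface=!ether1): packets
# arriving from the internet may have had their DSCP reset to 0 by the ISP.
# Marking the connection from the outbound packets lets the connection
# mark catch the inbound SIP/RTP of the same flow regardless of its DSCP.
add chain=prerouting in-interface=!ether1 dscp=46 action=mark-connection new-connection-mark=c-voip passthrough=yes comment="RTP, EF"
add chain=prerouting in-interface=!ether1 dscp=26 action=mark-connection new-connection-mark=c-voip passthrough=yes comment="SIP, AF31"
add chain=prerouting connection-mark=c-voip action=mark-packet new-packet-mark=p2-voip passthrough=no

# COS instead of DSCP: the dscp= matcher reads the 6 DSCP bits of the IP
# header. The COS/PCP value lives in the 802.1Q tag, only exists on
# VLAN-tagged frames, and is matched with ingress-priority (0-7), which
# RouterOS derives from the VLAN tag of the incoming frame. Use this only
# if the capture showed tagged frames with a non-zero priority.
add chain=prerouting in-interface=!ether1 ingress-priority=5 action=mark-connection new-connection-mark=c-voip passthrough=yes comment="COS 5 from VLAN-tagged phones (optional)"

# Case B: the phone itself is the OpenVPN client (10.8.0.x inside the
# tunnel, 192.168.10.11 outside). The router sees one encrypted flow to the
# VPN server; the inner DSCP cannot be read, so the whole tunnel is treated
# as voice. Server port and protocol are assumptions.
add chain=prerouting src-address=192.168.10.11 protocol=tcp dst-port=1194 action=mark-connection new-connection-mark=c-phone-vpn passthrough=yes comment="phone's own OpenVPN tunnel"
add chain=prerouting connection-mark=c-phone-vpn action=mark-packet new-packet-mark=p2-voip passthrough=no

# Case C: the RB2011 is the OpenVPN endpoint. Phone traffic is in the clear
# on the LAN, so Case A already classifies it. The tunnel the router builds
# is a new, locally generated TCP flow that leaves through the output chain
# rather than prerouting, so it needs its own rule and gets the VPN class.
# Rewriting the DSCP of these outer packets with change-dscp is possible but
# pointless unless the upstream ISP honors it, which it usually does not.
add chain=output protocol=tcp dst-port=1194 action=mark-packet new-packet-mark=p3-vpn passthrough=no comment="router's own OpenVPN tunnel"
```

These rules must sit above any catch-all "everything else" mark in the mangle list, because that rule has passthrough=no and would claim the packets first. A quick check that Case A is working: `/ip firewall connection print where connection-mark=c-voip` during a call should show the SIP and RTP entries, and the p2-voip queue counters in `/queue tree print stats` should move.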
