Hi there,

we're using a RB2011 as a branch router for a remote office. There is an IPsec tunnel configured that connects the remote office's internal network to the main network. Among other internal traffic, there is also a VoIP connection between a SIP-DECT base station inside the remote office and our PBX host in the main network. So far, everything works great.

However, to be ready for increases in traffic from the remote office, I'd like to able to prioritize VoIP connections over all other connections--and I struggle to see how I could do this. If I understand the packet flow diagram at http://wiki.mikrotik.com/wiki/Manual:Packet_Flow ("IPsec encryption") correctly, the the HTB is only hit after the VoIP packets have been encapsulated in IPsec packets, so I don't know how I could set up the queues correctly as all they will ever see are ESP packets going to the other router.

Obviously what I could do is to setup two separate tunnels, one for VoIP and one for all the other traffic, but I'd prefer to keep it a bit more simple, especially because the RB2011 doesn't seem to be the most efficient at IPsec encryption.
Is there any other way to be able to prioritize the VoIP packets inside the IPsec tunnel? I'd be grateful for any pointers--if more details of the setup are required, I'll gladly provide them.

Thanks & best regards,
Dorian

You're looking at the wrong (old/outdated) diagram. For RouterOS v6 use the following diagram: http://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6. And as far as I can see, both HTB Global and Simple Queues are in the Postrouting, which happens before IPsec encryption. Interface HTB, though, can not be used to prioritize inner-tunnel IPsec traffic.

andriys, thanks for your response! If I understand it correctly that means that I can setup two simple queues in the Postrouting table, one for the VoIP traffic and another for all the other traffic that goes through the IPsec tunnel.
As a follow-up, it's not possible to prioritize flows without setting limits, right? So I can't just say "process the whole VoIP queue before even looking at the other one"?