
QoS + VOIP, SIP client phones to Internet server

So I've read and read, and read some more all sorts of different posts and none of them are real clear.  QoS on the UTM seems to be all about throttling and limiting.  Is there a way just to use QoS prioritization like cheap routers/firewalls will and all the other commercial ones will?

I have 4 Cisco SPA525G VOIP phones using SIP + RTP to communicate to my cloud hosted "pbx".  If we're not using the internet everything works well.  However, if I decide to upload a file to Dropbox or Exchange or whatever, the phones degrade horribly; downloading seems to not affect it as much.  I have an 18Mbit down, 1.5Mbit up connection.  According to my VOIP provider, "marking OSI Layer 2 packets with high-priority (5) class tags (802.1p and IP Precedence)", and they tag all of their voice packets with DSCP value of 46. 

So what settings are required to give these packets absolute priority over everything else?  I shouldn't have to set guaranteed bandwidth with priority being given to them.  If priority is utilized it should just put them to the front of the line no matter if I have 1 phone in use or all 4 of them.

EDIT: SG135W running 9.412-2 if that matters.

Thanks!



  • Hi, 

    QoS Prioritization is possible with our Next Gen Firewall, 'the Sophos XG'. You may be interested in migrating to the SF-OS version now as the migration tool is ready. Refer to the guide here to compare both the products.

    Alongside, raise this as a feature request for Sophos UTM here.

    Cheers-

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • I don't understand how something this simple is not built into this product that costs this kind of money already.

  • I'm wondering if the VoIP feature in the GUI would come into play here? I've not used it but I understand that it does a few things behind the scenes, so to speak.

    And I think it's geared towards your setup too, i.e. using VoIP via the internet.

    https://community.sophos.com/kb/en-us/120284

    Although I'm not sure whether it does any QoS transparently.....

  • Already have that in use, and it doesn't do anything for this.

  • This link any help?

    https://community.sophos.com/kb/en-us/115020

    You will have to apply some sort of download/upload rule because the UTM will have to know about the maximum bandwidths it can use. We have to do this on Cisco's routers etc.

    At that point, you can then apply the prioritization to a bandwidth, e.g. guarantee DSCP 46 1000kb/s

  • I'm sorry, but that is NOT priority.  That is throttling and bandwidth guarantee.  Priority says this packet always gets precedence down the pipe over this packet, or this class of packets vs that class. So with true priority it doesn't matter how much bandwidth you have, the highest priority data packets will always be pushed down the pipe first over every other lower priority packet.

    If you have a pipe that is 10 lanes wide, that means you can send 10 packets at once.  In your case you want to allocate say 5 lanes IF that data gets found.  So you are hard setting a number.  What happens if you use less than that, say only 1 lane?  Oh well, the rest of the 4 lanes are blocked because of that guarantee until that 1 guy gets done.  In true priority you say all people with an orange flag above them get to go first.  So if 1 guy shows up, 1 lane is given to him; if 10 show up, all 10 are given to them and the rest are forced to wait until the orange flags go away.  It doesn't matter then if your pipe is 1 lane wide, or a million wide, the people with the flags get to go as soon as they show up.  Hence, priority.  All you have to do to define priority is make sure that the flags are set correctly.  There are some nice RFCs out there that standardize all of that.

    The current implementation is entirely too complicated for what is needed.
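
The strict priority queue described in the post above, as an added simulation (not part of the original thread and not Sophos code). It uses the thread's 1.5 Mbit/s uplink and DSCP 46 marking; the packet sizes (G.711 at 20 ms), the 32-packet upload backlog and the 5 ms call offset are assumptions made for the example.

```python
from collections import deque

LINK_BPS = 1_500_000      # 1.5 Mbit/s uplink from the thread
EF_TOS = 46 << 2          # DSCP 46 occupies the top 6 bits of the ToS byte (0xB8)
VOICE_BYTES = 200         # assumed: 160 B G.711 payload + 40 B RTP/UDP/IP headers
BULK_BYTES = 1500         # assumed: full-size upload packet, ToS 0 (best effort)

def is_ef(pkt):
    """Classify on the DSCP field alone, independent of the phone's IP."""
    return pkt[0] >> 2 == 46

def simulate(calls, strict_priority, duration=2.0, backlog=32):
    """Return (worst voice delay in seconds, bulk throughput in bit/s).

    Constructed traffic: the upload always keeps `backlog` packets queued;
    each call sends one voice packet every 20 ms, calls offset by 5 ms.
    """
    arrivals = sorted(c * 0.005 + k * 0.02
                      for c in range(calls)
                      for k in range(round(duration / 0.02)))
    queue = deque()
    t, nxt, bulk_queued, bulk_sent, worst = 0.0, 0, 0, 0, 0.0
    while t < duration:
        # Voice that arrived while the last packet was on the wire joins first.
        while nxt < len(arrivals) and arrivals[nxt] <= t:
            queue.append((EF_TOS, arrivals[nxt], VOICE_BYTES))
            nxt += 1
        while bulk_queued < backlog:            # upload refills its backlog
            queue.append((0, t, BULK_BYTES))
            bulk_queued += 1
        pkt = queue[0]                          # FIFO choice
        if strict_priority:                     # EF goes first whenever present
            pkt = next((p for p in queue if is_ef(p)), pkt)
        queue.remove(pkt)
        t += pkt[2] * 8 / LINK_BPS              # non-preemptive serialization
        if is_ef(pkt):
            worst = max(worst, t - pkt[1])
        else:
            bulk_queued -= 1
            bulk_sent += pkt[2]
    return worst, bulk_sent * 8 / t

if __name__ == "__main__":
    for calls, prio in [(1, False), (1, True), (4, True)]:
        delay, bulk = simulate(calls, prio)
        print(f"calls={calls} strict_priority={prio} "
              f"worst voice delay={delay * 1000:.1f} ms bulk={bulk / 1000:.0f} kbit/s")
```

With the priority flag set, voice waits at most for the packet already on the wire, and the upload gets whatever the active calls leave unused, with no per-phone configuration.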

  • Straeter, as a mod, I can see that you're in the USA, so this is not a cultural difference.  People come here to get and give help.  If you're here to argue or pick fights, you're not a participant in our community.  You're welcome here if you play nicely.  Otherwise, please move on.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I'm sorry but what does a cultural difference have to do with anything?  I'm asking how to do QoS prioritization.  Sophos UTM does not currently have that option it seems.  Everyone just has workarounds for it.  I was hoping to find a true prioritization option somewhere; but alas, it does not exist.  The only option I got was to buy yet another piece of hardware from Sophos, when I just purchased this one last year because my last one became obsolete.  With QoS prioritization missing, this product does not seem to be ready for commercial use. 

    I appreciate the answers that I received, but they're not the answer to the question that I have posed.  Priority queuing has been around in other devices for years.

  • Ok, I haven't tried it but on the UTM under traffic selectors there is the ability to select DSCP types. Now bear in mind that those types will most likely be tagged by other devices, i.e. your IP phone etc.

    If you set say 2 different DSCP types in the UTM and bind them to an interface and give that interface the full bandwidth amount, what will the UTM do with the traffic? My guess is it will prioritise between those two types of traffic. The question would be.... what does it do with the remainder of the other traffic?
    You would generally say the rest goes into a fair queue eg it's best effort but that has to be specified even on a Cisco.

  • Well I think that is a little closer, but I believe if I make that selector (which I currently have DSCP value 46 setup in my firewall as it seems to be the only way to make it work) and then bind it to my interface with a guaranteed bandwidth of the whole pipe, as soon as 1 phone call gets setup, the whole uplink gets dedicated to that 1 call.  I currently have mine setup to 400 k/bit and seems to stop the VOIP stuttering while uploading.  The problem comes in that if I only have 1 call (most of the time in my office) then I'm wasting a good bit of my uplink to unused guaranteed bandwidth.  If I'm to use guaranteed BW, I need a way to dynamically allocate more and more based on the needs of the phone system in order to keep everything else chugging along as fast as possible.  Especially if I add more phones in my office. 

    Which leads me to the request for a priority queue.  It is almost like I just need the Traffic Selectors tab to be able to be turned into the priority, based on the order of the list.  I don't have that XG appliance that was recommended, so it would be interesting to see that setup.

  • I'm not 100% sure how the QoS works on the UTM. Perhaps each source gets a guaranteed bandwidth? eg 1 call would get 40kb, 2 calls would get 80kb etc?

    Might be worth looking at what codec your voice is using. I know we can quite happily get away with an 8kb codec as opposed to a 64kb. We've always found that users don't need the full fat voice codec and can't tell the difference.

  • So all the UTM does is when it sees a DSCP with a value of 46, it then commits X amount of KBit (not KByte, hate this swapping back and forth from byte to bit in the systems) of guaranteed bandwidth.  It doesn't matter if you have 1 call going or 100 calls going, it just knows it sees a DSCP 46 and guarantees that.

    If I wanted to do what you said, I'd need to define a traffic selector with a source for each single phone IP, best to make sure DSCP 46 was set as well as the source to make sure stupid things like NTP fetch wouldn't keep flagging it.  Then I could set each of them to have a small bandwidth guarantee.  That would work a little better, and I may end up swapping to that, but that makes for a lot of admin overhead on the phone system.  Either the UTM has to be doing your DHCP (doesn't really happen in a corporate environment usually) or you need to have your phones setup as static IP.  You will then always have to add and delete the phones in each of these traffic selectors and bandwidth pools if you ever change phones around.

    I like your idea as it keeps the most bandwidth available for other applications when not in use.  However, the whole point is to make this easy for an admin, and with a priority queue it would be a lot more dynamic and wouldn't have to be touched if the phone changed IPs or you added or deleted them, etc.  As more and more businesses get away from analog lines, and even dedicated Ts for their phone systems, this is a big must have for good small to medium business firewall appliances.