Part 1 of this series covered VoIP basics and introduced the topic of Quality of Service. This time, I'll look at Traffic Shaping and Power Considerations.
My experience has been that the QoS mechanisms covered previously don't provide a complete solution to the need for assured bandwidth when using VOIP over DSL. When the connection to the ISP becomes saturated for any reason VOIP traffic can be delayed, which is always a problem. When managed QoS was combined with "traffic shaping" our VOIP phone service became much more reliable. This has proven to be true even on a very busy connection to my ISP.
Like the QoS mechanisms covered previously, traffic shaping is an edge process that occurs in your router. Traffic shaping is actually a process of reserving bandwidth specifically for selected applications. That bandwidth will not be used for other forms of internet access. As before, this tends to be most critical with outbound traffic where available bandwidth is most limited. It's also true with inbound traffic, but this tends to be less of an issue.
By the time I was ready to put my Asterisk server into production I had shifted to using m0n0wall [reviewed] as my router. m0n0wall is simply outstanding. It's a router based upon FreeBSD and using a PHP-based GUI that's accessed as a web site.
It's available for a variety of hardware platforms including:
- Generic PC
- Soekris Net 4501 single board embedded computer
- Soekris Net 4801 single board embedded computer
- PC Engines Wrap series of single board embedded computers [review]
- PC Engines Alix series of single board embedded computers
[Image: Soekris Net 4801 embedded platform]
I decided to use a Soekris Net4801 as the host platform for my m0n0wall. This is a small system based upon a National Semiconductor Geode 266 MHz CPU. It boots from a CF card and stores the router configuration on a USB key.
The Net4801 has three on-board Ethernet ports. These are typically used as WAN, LAN and DMZ.
By default, the traffic shaping feature on m0n0wall is disabled. Before going about its setup, you need to know for certain what your actual upload and download speeds will be. To measure your internet access speeds, use a reliable series of speed test tools such as those found at Broadband Reports. It's also a good idea to take measurements at various times of day to see if there is any significant variability.
The online documentation for the traffic shaper is a little thin but can be found here.
Traffic Shaper Theory
The available bandwidth is forcibly divided into "pipes". Traffic may be buffered into a pipe by one of a series of "queues". Finally, "Rules" define what kind of traffic is directed into which queue or pipe.
It looks something like this.
[Image: Flow diagram describing the m0n0wall traffic shaper]
The theory behind traffic shaping is fairly simple. You will create several "pipes" which are essentially separate paths through the router. Each pipe is assigned a certain slice of the available bandwidth. In my case, I have two pipes for outbound traffic and one for inbound traffic.
[Image: m0n0wall traffic shaper pipes menu]
The sum of the bandwidth assigned to all the outbound pipes should be slightly less than your worst measured outbound connection speed. By doing this, you ensure that you will never actually saturate your outbound connection. As long as the connection is not saturated, the router is the defining factor in what traffic gets out first.
In addition to the pipes, you also establish queues within the router. Queues let you assign varying priorities to different types of traffic. Each queue can be directed to a specific pipe and assigned a "weight".
[Image: m0n0wall traffic shaper queues menu]
Queues, by their nature, are buffers that hold traffic being delayed as it passes through the router. You can choose to direct VOIP traffic directly into a pipe, with no associated queue. This assures minimum latency for VOIP traffic.
Traffic shaper rules are created to direct traffic based upon the properties you select. A rule can direct all traffic from a specific source or destination IP address, or in my case, IP range, into a particular queue & pipe. Selectivity can also be based upon port, protocol, network interface, etc.
It's also worth noting that this is the menu in m0n0wall where you can direct traffic based upon TOS (Type of Service) tags. So the basic mechanism of DiffServ QoS is actually a facet of the traffic shaper. This gives a lot of flexibility, which may be enough of a reason to bear the extra cost of m0n0wall over a lower-priced consumer router.
[Image: m0n0wall traffic shaper rule editing menu]
If all this seems a little much to understand, you're in luck. m0n0wall provides an automatic setup tool called "Magic Shaper". You only need to tell it the measured connection speeds. This function will then establish all the required pipes and queues.
[Image: m0n0wall traffic shaper Magic Shaper wizard menu]
My World Of Imperfection
My installation still has the dregs of the magic shaper process in a couple of ways. There is a "hated" outbound priority #5 that I don't use. Since it is assigned only 1% of the available bandwidth, I just left it in place. There's also a low priority download queue that goes unused.
Both of these are aspects of the magic shaper process that are part of a strategy for handling P2P programs. I don't use any P2P file sharing programs, so this goes unused. The queue is directed at the sole download pipe so its presence does not cost me any loss of download speed. The two higher priority queues access the same pipe and can fully saturate it when required.
Local Asterisk & Hosted PBX
My office may be a little unusual in that I have my own Asterisk server (several actually) and I rely upon an externally hosted IP-PBX. I also have a number of SIP hard phones and ATAs around the office and house.
Given the number of VOIP devices and services, I found the easiest way to direct VOIP traffic to the high priority outbound pipe was on the basis of IP address. I let each SIP device get its IP address from the router's DHCP server. I then use MAC reservations to place all those IP addresses at 192.168.1.128 and higher. The traffic shaper rule for VOIP outbound traffic specifies that this address range connects to the high priority outbound pipe.
This arrangement also makes it very easy for me to add VOIP devices under test and know that they fit into my bandwidth management scheme. As long as they have an IP address in the upper range, call quality is assured.
The only circumstance that isn't well handled by the arrangement is when I use a soft phone on my desktop. Since the desktop PC is in the lower IP address range, its traffic is not treated the same as the VOIP devices. Happily, I don't need to do this very often. Plus it's kind of gratifying to think that my VOIP traffic gets priority even over Skype, which I use only reluctantly.
Within m0n0wall, dealing with things like IP address ranges uses CIDR notation. This was not something that I was familiar with previously. I posted an inquiry to the m0n0wall user list, which met with a great response from one of the project's lead developers. He posted some provisional documentation here.
[Image: m0n0wall CIDR notation example]
It is also possible to assign priorities based upon ports & protocols. I've done this in the past, but I have no need of this any longer.
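As an added illustration (not code from the article or from m0n0wall), here is a small Python model of the shaping scheme described above and of the IP-range rule from the Local Asterisk section: pipes sized so that the outbound ones together stay under the worst measured upload speed, and a first-match rule list that sends the 192.168.1.128/25 phone range straight into the VOIP pipe while a desktop soft phone falls into the data queue. The speed samples, the 95% margin, the 40% VOIP share, the queue names and the handling of unmatched traffic are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed speed-test results in kbit/s (not the article's figures), taken
# at different times of day as the article recommends.
UP_SAMPLES = [768, 745, 730]
DOWN_SAMPLES = [6000, 5800, 5900]

def plan_pipes(up, down, margin_pct=95, voip_pct=40):
    """Size the pipes so all outbound pipes together stay below the worst
    measured upload speed. margin_pct and voip_pct are assumptions, not
    m0n0wall defaults; integer math keeps the figures exact."""
    up_budget = min(up) * margin_pct // 100
    voip_up = up_budget * voip_pct // 100
    return {"out_voip": voip_up,                  # VOIP goes straight in, no queue
            "out_data": up_budget - voip_up,      # fed by weighted queues
            "in_all": min(down) * margin_pct // 100}

# SIP phones and ATAs get DHCP reservations at .128 and above: 192.168.1.128/25.
VOIP_NET = ipaddress.ip_network("192.168.1.128/25")

@dataclass
class Rule:
    name: str
    direction: str                 # "out" or "in"
    target: str                    # "pipe:..." or "queue:..." the traffic enters
    src: Optional[ipaddress.IPv4Network] = None   # None matches any source

# Ordered like m0n0wall's rule list: first match wins, last rule is the catch-all.
RULES = [
    Rule("voip-out", "out", "pipe:out_voip", VOIP_NET),
    Rule("data-out", "out", "queue:out_normal"),
    Rule("all-in", "in", "queue:in_high"),
]

def classify(src_ip: str, direction: str) -> str:
    """Return the pipe/queue for a packet; a soft phone on a desktop in the low
    range lands in the data queue, just as the article describes."""
    src = ipaddress.ip_address(src_ip)
    for rule in RULES:
        if rule.direction == direction and (rule.src is None or src in rule.src):
            return rule.target
    return "unshaped"   # assumption: unmatched traffic is passed without shaping

if __name__ == "__main__":
    print(plan_pipes(UP_SAMPLES, DOWN_SAMPLES))
    for host in ("192.168.1.130", "192.168.1.10"):
        print(host, "->", classify(host, "out"))
```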
There is a lot of VOIP oriented information available online regarding virtual LANs, a.k.a. VLANs. VLANs are a means of separating network traffic over the same wire as if there were physically separate networks.
Each VLAN is treated as a separate segment on the LAN, even though the traffic is all on one wire. With the traffic virtually separate there is then a means of establishing varying priorities for VOIP traffic by giving preference to traffic on the VOIP specific segment. This requires a router capable of VLAN functionality and some depth of knowledge in its configuration.
Much of the recent attention paid to VLANs in the VOIP space has been highlighting the fact that VLANs should not be considered a security mechanism. This is a little contrary to common practice.
- Isolation vs. Integration by Dustin D. Trammell
- Telecom junkies Podcast, VoIP Hacking 2: The VLAN Hop
- VoIP Hopping: A Method of Testing VoIP security or Voice VLANs by Jason Ostrom, John Kindervag at Security Focus
In my office, I've managed to avoid the complexity of using VLANs. I am of the opinion that such solutions are more appropriate for enterprise installations than SOHO circumstances.
Alternatives to m0n0wall
While I've been using m0n0wall, you might also consider pfsense. m0n0wall is intended for small format hardware like the Soekris boards and its author has been very careful to avoid code bloat resulting from adding a myriad of features. pfsense is based on m0n0wall, but has a larger feature set and targets more capable hardware.
Astlinux is another interesting alternative. Astlinux is a full Linux & Asterisk distro built from the ground up for small form factor hardware. It runs happily on a Soekris Net 4801, booting from a CF card and storing the system config and voicemail on a USB key. Astlinux includes a built-in routing capability based upon iptables. Thus, using Astlinux, your phone server can actually be your router. The built-in router includes QoS and traffic shaping.
Some time ago, I wrote an article describing building an Astlinux server using a Net4801. While a little dated now, that article can be found here.
As stated at the outset, these articles describe my home office setup where every call placed or taken is handled over IP. It's not uncommon for me to have three simultaneous calls on the go (one on the home line, two in the office) and occasionally four or five.
By using G.729a when possible and combining QoS with traffic shaping, I no longer have any trouble with call quality due to non-VOIP network activity. I can upload files via FTP or send and receive email while making calls without any problems at all.
One of the great things about the traditional PSTN is that it keeps working when the power goes out. I've repeatedly read articles recommending that people sustain traditional POTS service, at least in part because of this fact. Their theory being that VOIP service isn't sustained during a power outage. But this need not be the case, given just a little forethought.
Prior to migrating to Asterisk, we had been using a Panasonic KX-TG4000 KSU (below). This phone system has four FXO interfaces for analog lines.
[Image: Panasonic KX-TG4000B KSU with built-in battery backup]
It also features a built-in battery backup so our phones stay up through power outages. In migrating to VOIP within our home and office, I felt it necessary to strive for this kind of reliability. It has certainly made my wife happier.
There are a number of factors involved in my consideration of power for the phone system as a whole.
I have long been a believer in embedded systems and my Asterisk servers reflect this fact. During my initial experimentation with Asterisk, I ran it on traditional PC hardware. But eventually I migrated to a mini-itx system, and then later to embedded systems like the Soekris Net 4801 and HP T5700 thin clients.
[Image: Rear view of an HP T5700 thin client]
The embedded systems offer a number of advantages, but two of the biggest are low noise and low power consumption. Both of the embedded platforms mentioned draw less than twelve watts. That means that they can be kept running a long time from a relatively low cost UPS.
Along with low power consumption comes the added benefit of low heat output. This can be important if you lose power and your air conditioner stops running. Living in South Texas, when the AC unit stops the whole place can heat up quickly.
UPS Power For Network Components
Various key network devices also need to be on UPS power. In my case this includes:
- DSL modem
- Netgear 24 port gigabit switch
- Power over Ethernet insertion devices
- Wifi access point
- Charging cradle for Aastra cordless handset
I recommend that you keep your phones and network components on their own UPS. All of the devices listed have very low power requirements. This means that an inexpensive UPS (1500 KVA, approx. $120) can keep the entire network running for a good long while.
My office is actually in what some people would call the "Garage Apartment". I prefer to think of it as the "Carriage House" or "Executive Suite". There are a couple of underground CAT 5 runs from the office to the house, so it's all one network.
There is a small networking cabinet in the house that contains a 16 port switch and a Linksys ATA for the home phones. This gear needs to stay powered up 24/7/365, so I also had to provide a second, smaller UPS (700 KVA) in the house.
Power Over Ethernet
In my opinion, this is one of the most overlooked conveniences in SOHO networking. Providing power-over-Ethernet (POE hereafter) is tremendously useful. It lets me keep my Polycom and Aastra phones powered by the same UPS as the rest of the network closet. If ever I need to replace my ATAs, I will definitely seek new units that are POE capable.
[Image: A small Netgear switch capable of POE]
I especially feel that POE is useful for Wi-Fi access points. It lets you position the AP in a location that is selected for ideal wireless propagation (even outside in a weatherproof housing), without concern for providing an AC outlet. It also makes it easy to provide physical security for your WLAN from the wiring closet. That is, when I'm out of the office for a week, the AP is powered down by simply unplugging the CAT 5 jumper running to the AP.
[Image: A small Linksys switch capable of POE]
POE can be provided by careful selection of your network switch. Some low cost 8 and 16 port switches provide POE on a limited number of ports, ideal for SOHO use.
It's also possible to add POE via "mid-span insertion". This involves placing a small power insertion device on the network line, between the switch and the device to be powered. This is how I started using POE, as my Aastra 480i phones came with POE insertion devices. I was so happy with them that I purchased a couple more for my Polycom phones.
[Image: Mid-span POE inserters]
Mid-span POE insertion devices come in single and multi-port models. The single port models look like "line bump" power supplies but with two RJ-45 jacks. Multi-port POE inserters look a lot like network switches.
POE capable switches are definitely more expensive than non-POE switches. If you shop wisely, though, you may find that a POE capable switch that meets your needs, while superficially more expensive, is actually cheaper than a non-POE switch plus a mid-span insertion device.
If you only need a few POE ports, then using mid-span insertion is typically less expensive.
In examining POE inserters or POE capable switches, it's worth noting how much power each port can provide. The Linksys 8 port switch pictured above, for instance, provides 15 watts per port when 4 ports are powered, but only 7 watts per port when all 8 ports are powered.
You need to be aware of the power requirements of each of your upstream devices and be certain that the POE power source can handle all of them. Phones are not generally a large power draw. Wi-Fi access points and security cameras draw a little more.
The standard for POE is IEEE 802.3af, which specifies not only the wiring but also a detection protocol that lets a POE power source determine whether the attached device is POE capable before it applies power.
Prior to this standard becoming widespread several manufacturers made equipment based upon their own standards. This is especially true for older Polycom and Cisco IP phones. These may require special network adapter cables to be powered by standard POE power sources.
Alternatively, some larger mid-span POE inserters (e.g. Belden Power Sense) can switch between standard and device specific POE on a per-port basis. That can be very handy if you need to power a variety of devices.
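As an added example (not code from the article or from any switch vendor), this Python check models the per-port limit that falls as more ports are powered, using the 8-port Linksys figures quoted above, and budgets a device by its IEEE 802.3af class when its actual draw isn't known. The device names, their draws and the two-tier limit table are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# IEEE 802.3af power classes: worst-case draw at the powered device, and the
# watts a power source must budget at its port for that class.
AF_CLASS_PD_MAX_W = {0: 12.95, 1: 3.84, 2: 6.49, 3: 12.95}
AF_PSE_ALLOC_W = {0: 15.4, 1: 4.0, 2: 7.0, 3: 15.4}

@dataclass
class PoESwitch:
    """A switch whose per-port limit falls as more ports are powered. The tiers
    are constructed from the article's 8-port Linksys figures: 15 W per port
    with 4 ports powered, 7 W per port with all 8 powered."""
    name: str
    ports: int
    tiers: List[Tuple[int, float]]   # (powered ports up to, watts per port), ascending

    def per_port_limit(self, active: int) -> float:
        for max_active, watts in self.tiers:
            if active <= max_active:
                return watts
        raise ValueError(f"{active} powered ports exceeds {self.ports} on {self.name}")

def check_budget(switch: PoESwitch, devices: Dict[str, float]) -> dict:
    """devices maps a port label to the device's draw in watts; use
    AF_PSE_ALLOC_W[cls] when only the 802.3af class is known. Reports which
    devices would be starved at the per-port limit for that many active ports."""
    limit = switch.per_port_limit(len(devices))
    starved = sorted(name for name, watts in devices.items() if watts > limit)
    return {"active_ports": len(devices), "per_port_limit_w": limit,
            "total_w": round(sum(devices.values()), 2),
            "starved": starved, "ok": not starved}

LINKSYS_8PORT = PoESwitch("Linksys 8-port", 8, [(4, 15.0), (8, 7.0)])

# Constructed draws (hypothetical, not data-sheet values); the access point is
# budgeted by an assumed 802.3af class 2 instead of a measured figure.
CLOSET = {"aastra-phone": 4.5, "polycom-phone": 5.0,
          "wifi-ap": AF_PSE_ALLOC_W[2], "camera": 8.0}

if __name__ == "__main__":
    print(check_budget(LINKSYS_8PORT, CLOSET))   # four ports: 15 W limit, all fit
    # a fifth powered port drops the limit to 7 W and starves the camera
    print(check_budget(LINKSYS_8PORT, {**CLOSET, "spare-phone": 4.5}))
```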
While we are 100% VOIP, we are still able to keep our phones, indeed our entire network, running when the power fails. The combination of a decent UPS and POE makes this possible.
Perhaps one day I'll pull the plug on the UPS and see how long everything runs. It's never been needed for more than 10-15 minutes at a time.
It's a truly amazing and wonderful thing to be sitting at my desk when the power goes out suddenly. Then, in the silence created by the total lack of PC noise, I find myself basking in the faint glow of the backlight from an Aastra 480i. The silence is shattered by the ringing of my phone. It's my wife calling from the house telling me that the power is out.
It's even more amazing when the entire network stays up throughout a power outage and I'm able to easily transition to working on a laptop complete with internet access over Wi-Fi.