QoS Traffic Policing giving priority to VOIP calls case scenario

Versions 3.0 & 5.0

Applies to platform: UTM 3.0, UTM 5.0, Hotspot 3.2, Hotspot 5.0
Last updated: 5th December 2016

In this tutorial we explain how to control the download stream (this is why it is called "traffic policing" and not "traffic shaping", the term used when we want to limit the upload) by presenting a real-case scenario with four main traffic categories.

In this scenario we have a 10Mbit uplink (download / upload guaranteed) and a gateway-to-gateway or "net-to-net" VPN connection with phones on both sites, plus other traffic. The traffic types, listed in the order in which we want to categorize them, are:

1. VOIP traffic
2. NAS via FTP
3. Internal traffic
4. External HTTP / HTTPS, which is currently saturating the bandwidth


The settings illustrated in this scenario are not limited to the scenario mentioned above; as we will show during the tutorial, they also apply to other scenarios.


1. Adding the Devices

When we only want to limit the upload, adding the RED interface alone is enough. In this case, because we want to police the downstream, we also need to add a second device: GREEN if we want to control the downloads on the GREEN network, ORANGE if we want to control the downloads on the ORANGE network, or both of them, and so on.

After logging in to the GUI, go to Dashboard > Services > Traffic Shaping and add first the RED device and then the GREEN device:



Take care to enter the correct values in kilobits. The uplink downstream/upstream capacity is usually provided by your ISP; using unrealistic values may result in a wrong configuration.
For the GREEN (LAN) device, see below.


To add the internal (Green, Orange or Blue) device, you can verify the device speed as follows:

root@endian:~# brctl show
bridge name    bridge id        STP enabled    interfaces
hotspotbr0       0000.525400154ff2    no        eth2
br2        0000.a272c876af51    no        hotspot0
br1         0000.525400e22cd0    no        eth1
br0         0000.525400871bee    no        eth0

As you can see, br0 is bridged to eth0, and the speed of eth0 is:

root@endian:~# ethtool eth0 | grep Speed
    Speed: 1000Mb

2. Modifying the Classes


Here, Reserved is the bandwidth reserved for the class: for example, if the uplink is 10000 kbit, 55% means that 5500 kbit will be reserved for the class. Limit is the maximum a specific class can use from the bandwidth when it is free. In the example you can see that the Green priority 2 rule has 500kbit reserved and can't go above 7000kb (in case the bandwidth is unused).


As you can see in the screenshot above, the Reserved and Limit values can be expressed either as a percentage or in kilobits, with kilobits being recommended over the percentage.
Tips & Tricks: For an easy conversion, if you have for example an uplink of 40000kb you can go to and type :


3. Adding the Rules



The priority of each rule must be taken into consideration: the rules are evaluated in order, the first one, then the next one, and so on. If traffic is matched by the first rule, the second rule won't be applied; conversely, if it isn't matched by the first rule, each following rule is tried until one matches.
So, for example, having an ANY = ANY rule on top would practically make the other rules below pointless.

1 - VOIP
The four /32 subnets are all VOIP phones, so we create those as the first rules (first as source for the Uplink / high priority, then for GREEN / high priority, and then 2 more rules with the subnets as destinations).

2 - NAS via FTP

Our server is and we want only the internal traffic to be medium priority, so, as all subnets on our network are 192.168.x.x, we can include them in to, and we add the rules in the same fashion (source then destination, for the Uplink and also for the Green interface).

3 - Internal Traffic

This is easier, as we only have to add 2 rules in which the source and the destination are the same (our internal network, of course); the traffic priority will be "generic" for both the Red and Green interfaces.

4 - Internet traffic

In our scenario this is our lowest-priority traffic, which is basically what is left over from the previous configuration. Traffic generated from to will already be handled by the rules above, so by adding ANY = ANY the non-internal traffic is managed, and we give it the lowest priority, which is "bulk", for both Green and Uplink.
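
The first-match ordering described in section 3 can be checked offline before the rules are entered in the GUI. The following is an added example, not Endian's code: it models the rule list of a single device, classifies a flow by the first matching rule, and reports rules that can never match because an earlier rule covers them. The phone address (192.168.10.11) and the NAS address (192.168.1.50) are constructed placeholders, and the class names are plain strings taken from the priorities named above.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def net(spec):
    """Turn "ANY" or a CIDR string into an IPv4 network object."""
    return ANY if spec == "ANY" else ipaddress.ip_network(spec)

# Constructed rule list for one device, in the order the tutorial adds them.
# Phone and NAS addresses are placeholders, not values from the page.
RULES = [
    ("192.168.10.11/32", "ANY", "high"),              # VOIP phone as source
    ("ANY", "192.168.10.11/32", "high"),              # VOIP phone as destination
    ("192.168.0.0/16", "192.168.1.50/32", "medium"),  # internal -> NAS
    ("192.168.1.50/32", "192.168.0.0/16", "medium"),  # NAS -> internal
    ("192.168.0.0/16", "192.168.0.0/16", "generic"),  # internal traffic
    ("ANY", "ANY", "bulk"),                           # everything left over
]

def classify(rules, src, dst):
    """Return the class of the first rule matching src/dst, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, prio in rules:
        if s in net(rule_src) and d in net(rule_dst):
            return prio
    return None

def shadowed(rules):
    """Indices of rules that can never match: an earlier rule already
    covers both their source and their destination."""
    dead = []
    for i, (src_i, dst_i, _) in enumerate(rules):
        for src_j, dst_j, _ in rules[:i]:
            if net(src_i).subnet_of(net(src_j)) and net(dst_i).subnet_of(net(dst_j)):
                dead.append(i)
                break
    return dead

if __name__ == "__main__":
    print(classify(RULES, "192.168.10.11", "192.168.20.12"))  # phone call
    print(shadowed(RULES))                       # correct order
    print(shadowed([RULES[-1]] + RULES[:-1]))    # ANY = ANY moved to the top
```

With ANY = ANY moved to the top, every other rule is reported as shadowed and the phone traffic falls into "bulk", which is the misordering the section warns about.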
