3

I have a pfSense setup with two WANs (WAN1 and WAN2) and one LAN network. The two WANs are set up for failover.

However, QoS has recently been an issue for Skype calls in our office (about 30 people), so we want to dedicate WAN2 for Skype traffic (we use Skype for all VOIP calls, etc.).

As Skype is notoriously difficult to deal with, does anyone have any suggestions on how I should deal with this? A simple rule based on ports will not work, and using layer 7 inspection with a Skype profile on all incoming LAN packets doesn't seem like the way to go either. Here is a related pfSense forum post: Multi-WAN, single LAN; Route VOIP/Skype traffic over one WAN

Wesley
Eric

2 Answers

2

From what I understand, the only traffic shaping library that successfully classifies Skype traffic is nDPI which is included with nTop. http://www.ntop.org/products/ndpi/

How can this interface with pfSense? I'm not sure, but they're both open-source projects, so perhaps you can convince one to work with the other through a bounty!

Seanny123
  • From version 2.x, pfSense has layer 7 built in using the ipfw-classifyd application. Own signatures can be uploaded. But there are already two default Skype signatures: a general signature and another for SkypeOut. That should do for setting higher priority. For blocking, the same could be used. Else I read a pfSense+Snort guide on how to block Skype: http://www.carbonwind.net/Firewalls/BlockingSkypewithPfsenseandSnort/BlockingSkypewithPfsenseandSnort.htm – Tillebeck Feb 27 '13 at 15:04
2

I guess layer7 is fine. You are probably on 2.0.x at the moment.

Go to Traffic shaper and the Layer7 tab. Create a new rule called "Skype" and add both "skyp2skype" and "skypeout" if you use that from the office. Before saving you shall add the rule to the queue that you think Skype should go into (VOIP or OthersHigh or similar).

This is not sending Skype out on your backup WAN but generally setting Skype to a higher priority in your net.

I just created a rule like that and have so far no complaints. But no positive feedback either... so whether or not the built-in layer7 rules actually work is still to be determined.

BR. Anders

Tillebeck