10.11. Bandwidth Management and VoIP Prioritization

10.11.1. Bandwidth Management

Internet protocols such as TCP are optimized to fully utilize the available bandwidth between client and server in order to transport data as fast as possible. For example, a large amount of data is continuously being downloaded, and an interactive remote maintenance session (where the user performs only one action every now and then) are happening simultaneously. They compete with each other on one line. The download will dominate the line as it is constantly transferring data, and the remote maintenance session packets do not all pass through the line on the first attempt and must be repeated, which is perceived by the user as "stuttering".

Bandwidth management can use rules to ensure that the packets of interactive sessions are not slowed down by large downloads or other large packets of data traffic. This works purely on the basis of packet size and acknowledgment of receipt, without prioritizing special protocol types.

In order for bandwidth management to be effective, it must keep the connection buffers in the modem or router cascaded before the Intra2net system empty and take over the buffering of pending data packets completely by itself. This requires precise knowledge of the bandwidth that is available. If the bandwidth management sends more data to the Internet than can pass through the line, the modem or router will start buffering again. This buffer is not prioritized, which renders bandwidth management ineffective. If the bandwidth management sends less data to the Internet than can pass through the line, the additional bandwidth is left unused.

Precise knowledge of the actual bandwidth is therefore crucial for configuring bandwidth management. We recommend the following procedure for determining the bandwidth (bandwidth management must be deactivated):

  1. Open the main page of the Intra2net system in one browser window.

  2. In a separate browser window, prepare to download the contents of the installation CD for the Intra2net system from https://www.intra2net.com, but do not start it yet.

  3. In yet another separate browser window, prepare downloads of 2 other large program files from different vendors (e.g. a Linux Live CD and a free Office package), but do not start them yet.

  4. Start all 3 downloads simultaneously.

  5. Check the line load in the "Incoming" field of the main page.

  6. Small variations in the measurement time and the effects of buffers can lead to erratic utilization. Ignore any anomalous data and calculate the average data transfer rate over a period of approximately 30 seconds.

  7. Prepare an email to an external recipient with a large (e.g. 15 MB) attachment, but do not send it yet.

  8. Prepare to upload a large file to a cloud storage service provider, but do not yet start it.

  9. Send the email with the large attachment. On the main page, watch how the email is queued, scanned and then sent.

  10. Start the upload as soon as the email is being transferred over the line.

  11. Observe the load on the line in the "Outgoing" field on the main page. Calculate the average as in step 6.

  12. Since many Internet access technologies dynamically adapt the bandwidth in response to line disturbances etc., this should be repeated 3 times at different times of the day. Use the lowest values calculated for bandwidth management.

Bandwidth management can be configured in the Network > Provider > Profiles : Firewall menu.

10.11.2. Prioritize VoIP and Real-time Data

If bandwidth management is used, it can further prioritize Internet telephony and the connection of real-time applications. The affected IP packets are detected by DiffServ entries in the packet header. Bandwidth management responds to the DiffServ group Expedited Forwarding (EF). For this, a DSCP value of 46 / 0x2E is used, which corresponds to the entry 184 / 0xB8 in the ToS byte.

Many VoIP devices automatically set the DiffServ group Expedited Forwarding or can be configured accordingly.

We recommend not to connect VoIP devices to the regular local network, but to configure a separate network for all VoIP devices and PBXs, and to connect it to the Intra2net system via a different interface. Ensure that not only different IP addresses are used for this network, but that the Ethernet networks are clearly separated from each other. This has the following advantages:

  • VoIP calls can also be prioritized when they pass through a VPN tunnel, (e.g. to another branch office). A prioritization is only possible if a different IP network is used for VoIP and therefore a separate VPN tunnel is used. Otherwise, the VPN's replay protection would prevent a change in the packet order.

  • Many manufacturers and service providers of VoIP infrastructure do not apply the same high security standards for security testing, patch management and long-term product maintenance as other IT products. Telecommunication equipment is also used much more often than other IT products, making it more difficult for the manufacturer to maintain. Therefore, VoIP products should be used with increased caution. By separating VoIP devices into a dedicated LAN, the firewall can restrict VoIP devices' access to the rest of the network.

  • Large data transfers in the LAN can utilize the network switch to its full capacity. If a separate switch is used for VoIP, the VoIP remains unaffected.

An alternative to using VoIP prioritization is the use of a completely independent Internet access exclusively for VoIP. This allows an even higher quality of service. In addition to this, a connection implemented via another access provider, can also be used as a substitute if the primary Internet access fails (see Section 10.10, „Switching to Other Providers in the Event of an Error (Fallback)“). With this variant, too, the separation between LAN and VoIP network described above must be implemented.