Networking Help Please

  • #16
    fadedsignal
    Junior Member
    • Jan 2011
    • 41

    Everyone is right about the incoming traffic not utilizing QoS. I ran into this same issue with a customer of mine. The ISP (AT&T) was not offering any QoS on their side for the T-1 circuit, so we ended up going to a 10mbit fast ethernet handoff from TW Telecom with QoS applied on the ISP side.

    Setting up VLANs will not help to improve VOIP because the VLAN will only be applicable internally behind the T-1 router. Really your best option is to increase bandwidth. Check with your building to see if they are fiber lit with any other ISPs besides your T-1 vendor. The cost of a T-1 is pretty high for the bandwidth you get, and in our case, we were able to save 400 dollars a month on our ISP bill.

    • #17
      jmlivingston
      Moderator Emeritus
      CGN Contributor - Lifetime
      • Oct 2005
      • 5095

      What kind of QoS/CoS are you doing, and how are you classifying the traffic for prioritization? Are you doing any queuing and prioritization on your switch and router ports?

      Contrary to what some of the other people are saying, QoS may be moderately effective for you with just having it on one side of the circuit. Depends on the traffic types on the network and the QoS that you have set up. Most internet (i.e. http) traffic is TCP based and QoS can throttle down TCP performance by dropping/delaying packets which forces TCP's congestion mechanisms to kick in.

      What codec are you using? Big bandwidth differences based on codec types as others have pointed out. Just curious, what's the PBX platform?

      Is your ISP also your SIP provider? If so, they are almost certainly doing QoS on the line and it would be worth knowing how much of that 1.5 Mb has been allocated for SIP. If there is some sort of QoS on the T1, any voice going through the VPN (It's IPSEC I presume) is probably not part of the traffic profile that is being prioritized.

      Do not discount the local LAN, virus or trojan outbreaks can cause havoc on even a small network.

      I've not done a lot of work with them, but Edgemark has a reputation for making some GREAT QoS appliances for small office VoIP systems.

      John

      • #18
        jrara
        Senior Member
        • May 2009
        • 1728

        Thanks all for the input.

        Everything on the local LAN is VOIP traffic. The only PCs running are the pfSense boxes and the PBX.

        I consulted with the ISP and got some metrics.

        We are using about 90% of the pipeline, this is including VPN data and other stuff.

        I already shared this info with the I.T. Director and yet he regresses that we don't need to separate traffic.

        I also shared this info with the operations manager and the CEO.

        I hate to step over toes but I hate being stressed upon when my hands are tied.

        Anybody hiring out there?
        Last edited by jrara; 01-20-2011, 9:09 PM.
        Current Armory:
        HK p7m8
        Dan Wesson Guardian 9mm
        Hi-Power Practical
        Baby Eagle 9mm
        P99 AS
        Glock 43

        • #19
          automatikdonn
          Member
          • Jan 2011
          • 248

          VOIP requires a 64k channel, so a T1 will suit you pending you have few users...

          If you have Cisco gear it's too easy: just set up a dedicated 128k or so to ensure at least two phone calls can go at a time without a hitch. If you need more, then dedicate more.
          "No free man shall ever be debarred the use of arms. The strongest reason for the people to retain the right to keep and bear arms is, as a last resort, to protect themselves against tyranny in government"

          -- Thomas Jefferson, 1 Thomas Jefferson Papers, 334
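The codec question raised in #17 and the "64k channel" figure in #19 come down to arithmetic on packet size and packet rate, because every RTP packet carries IP/UDP/RTP headers on top of the codec payload. The following is an added Python example, not code from the thread or from any product mentioned in it. It assumes a 20 ms packetization interval, uncompressed IPv4/UDP/RTP headers, about 6 bytes of PPP/HDLC overhead on the T1 and 1536 kbps of usable T1 payload (24 DS0s); all of those are assumptions, not figures from the posts. It computes per-direction bandwidth per call for several codecs and how many simultaneous calls fit in a link or in a reserved priority queue.

```python
from dataclasses import dataclass
from math import floor

IP_UDP_RTP_HEADER_BYTES = 20 + 8 + 12   # IPv4 + UDP + RTP, no header compression
T1_PAYLOAD_KBPS = 1536                  # 24 DS0 x 64 kbps (1.544 Mbps line rate minus framing)


@dataclass(frozen=True)
class Codec:
    name: str
    bitrate_kbps: int   # nominal codec rate, e.g. the "64k channel" of G.711
    ptime_ms: int       # milliseconds of audio carried per RTP packet


# Assumed 20 ms packetization for every codec; real PBXs let you change this.
CODECS = {
    "g711": Codec("G.711 u-law/a-law", 64, 20),
    "g726": Codec("G.726-32", 32, 20),
    "g729": Codec("G.729", 8, 20),
}


def packets_per_second(codec):
    return 1000 // codec.ptime_ms


def payload_bytes(codec):
    # bitrate_kbps * ptime_ms is bits per packet; divide by 8 for bytes
    return codec.bitrate_kbps * codec.ptime_ms // 8


def call_bandwidth_kbps(codec, l2_overhead_bytes=0):
    """Per-direction bandwidth of one call including IP/UDP/RTP headers and
    an optional layer-2 overhead (roughly 6 bytes for PPP/HDLC on a T1)."""
    per_packet = payload_bytes(codec) + IP_UDP_RTP_HEADER_BYTES + l2_overhead_bytes
    return per_packet * 8 * packets_per_second(codec) / 1000


def concurrent_calls(codec, link_kbps=T1_PAYLOAD_KBPS, l2_overhead_bytes=0,
                     reserved_for_data_kbps=0):
    """How many simultaneous calls fit, per direction, in the bandwidth left
    after any reservation for other traffic. Returns 0 when none fit."""
    usable = link_kbps - reserved_for_data_kbps
    if usable <= 0:
        return 0
    return floor(usable / call_bandwidth_kbps(codec, l2_overhead_bytes))


def capacity_table(link_kbps=T1_PAYLOAD_KBPS, l2_overhead_bytes=6):
    """Rows of (codec name, kbps per call, calls that fit on the link)."""
    return [(c.name, call_bandwidth_kbps(c, l2_overhead_bytes),
             concurrent_calls(c, link_kbps, l2_overhead_bytes))
            for c in CODECS.values()]


if __name__ == "__main__":
    for name, kbps, calls in capacity_table():
        print(f"{name:20s} {kbps:6.1f} kbps/call  {calls:3d} calls per T1")
    # What a 128 kbps priority queue, as suggested for Cisco gear, carries:
    print("128 kbps queue, G.711:", concurrent_calls(CODECS["g711"], link_kbps=128), "call(s)")
    print("128 kbps queue, G.729:", concurrent_calls(CODECS["g729"], link_kbps=128), "call(s)")
```

Under these assumptions a G.711 call costs about 80 kbps per direction before layer-2 overhead, not 64, so a 128 kbps queue carries one G.711 call or five G.729 calls; the codec choice matters as much as the circuit. Counts are per direction, and a T1 is full duplex, so each direction gets the full 1536 kbps.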

          • #20
            odysseus
            I need a LIFE!!
            • Dec 2005
            • 10407

            Originally posted by jrara
            We are using about 90% of the pipeline, this is including VPN data and other stuff.

            I already shared this info with the I.T. Director and yet he regresses that we don't need to separate traffic.
            What is his reasoning? You have solid viewable data on the 90% util? Can you segregate that utilization to service and node? I mean it's not complex here on a T-1 and a small shop especially if you can stare right at the problem.

            This is the problem often with small office voip, people keep trying to put it into a small pressure cooker and still expect 99.99%
            "Just leave me alone, I know what to do." - Kimi Raikkonen

            "The moment the idea is admitted into society, that property is not as sacred as the laws of God, and that there is not a force of law and public justice to protect it, anarchy and tyranny commence." and "Property is surely a right of mankind as real as liberty."
            - John Adams

            http://www.usdebtclock.org/

            • #21
              jrara
              Senior Member
              • May 2009
              • 1728

              Originally posted by odysseus
              What is his reasoning? You have solid viewable data on the 90% util? Can you segregate that utilization to service and node? I mean it's not complex here on a T-1 and a small shop especially if you can stare right at the problem.

              This is the problem often with small office voip, people keep trying to put it into a small pressure cooker and still expect 99.99%
              Yes, I have charts from the Past Few Days which I forwarded.

              His reasoning is that we are not sure that is the "problem".

              IMO, he doesn't know anything about networking. He is a code monkey that got promoted because he is dating one of the higher ups.

              To be honest, he is trying to look good for management but whenever **** happens, I get the bulk of the heat and I am getting sick of it.

              Whenever something works flawlessly, he likes to take the credit though I did most of the footwork and research.

              I can't wait to leave.

              I'll talk to the ISP and see what they can do from their end.

              • #22
                sfwdiy
                Senior Member
                • Feb 2008
                • 2146

                Originally posted by jrara
                We are using about 90% of the pipeline, this is including VPN data and other stuff.

                I already shared this info with the I.T. Director and yet he regresses that we don't need to separate traffic.
                You need to separate the traffic.

                At my office we have a dedicated T1 for our PBX system specifically to avoid that type of BS. We have a similar setup. T1 for PBX, WiMax (don't ask, ugh) for web traffic. pfsense is a good piece of software. For the life of me I can't get the friggin' VPN to work though.

                --B

                • #23
                  jmlivingston
                  Moderator Emeritus
                  CGN Contributor - Lifetime
                  • Oct 2005
                  • 5095

                  If you need data collection to validate usage, check if your router supports netflow and put together an ntop system.
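For the data-collection step above (NetFlow exported from the router into an ntop-style collector) and the question in #20 of breaking the 90% utilization down by service and node, here is an added Python example; it is not code from the thread, from ntop, pfSense or any vendor. It is a minimal NetFlow v5 decoder that rejects truncated or malformed exports, aggregates a constructed export datagram by service and by source host, and expresses the total as a percentage of a T1 over the collection window. The RTP port range, the service-to-port table, the addresses and the byte counts are constructed assumptions for the sample, not measurements from the thread.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire format: 24-byte header followed by up to 30 48-byte records.
NF5_HEADER = struct.Struct("!HHIIIIBBH")
NF5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
NF5_MAX_RECORDS = 30

# Well-known ports for the services this office runs. The RTP port range is a
# hypothetical PBX setting (assumption), not something stated in the thread.
SERVICE_BY_PORT = {5060: "sip", 500: "isakmp", 4500: "ipsec-nat-t",
                   3128: "squid", 80: "http", 443: "https"}
RTP_PORT_RANGE = range(10000, 20001)
PROTO_NAMES = {47: "gre", 50: "esp"}


def parse_netflow_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow dicts.
    Length and record count are checked before unpacking so a truncated or
    malformed export raises instead of being silently mis-parsed."""
    if len(datagram) < NF5_HEADER.size:
        raise ValueError("datagram shorter than NetFlow v5 header")
    version, count = NF5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > NF5_MAX_RECORDS:
        raise ValueError(f"record count {count} exceeds v5 maximum")
    if len(datagram) < NF5_HEADER.size + count * NF5_RECORD.size:
        raise ValueError("datagram truncated: fewer records than header claims")
    flows = []
    for i in range(count):
        f = NF5_RECORD.unpack_from(datagram, NF5_HEADER.size + i * NF5_RECORD.size)
        flows.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return flows


def classify_service(flow):
    """Map a flow to the service it most likely belongs to."""
    if flow["proto"] in PROTO_NAMES:
        return PROTO_NAMES[flow["proto"]]
    for port in (flow["dport"], flow["sport"]):
        if port in SERVICE_BY_PORT:
            return SERVICE_BY_PORT[port]
    if flow["proto"] == 17 and flow["dport"] in RTP_PORT_RANGE:
        return "rtp"
    return f"proto{flow['proto']}/{flow['dport']}"


def summarize(flows, window_seconds, link_kbps):
    """Break traffic down by service and by source host, and express the
    total as a percentage of the link over the collection window."""
    by_service, by_src = defaultdict(int), defaultdict(int)
    for flow in flows:
        by_service[classify_service(flow)] += flow["octets"]
        by_src[flow["src"]] += flow["octets"]
    total_bits = 8 * sum(by_src.values())
    utilization = total_bits / window_seconds / 1000 / link_kbps * 100
    return {"bytes_by_service": dict(by_service),
            "bytes_by_src": dict(by_src),
            "utilization_pct": utilization}


def build_flow(src, dst, proto, sport, dport, octets, packets):
    """Constructed NetFlow v5 record, used only to build offline sample data."""
    return NF5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                           IPv4Address("0.0.0.0").packed, 0, 1, packets, octets,
                           0, 60_000, sport, dport, 0, 0, proto, 0, 0, 0, 24, 24, 0)


# Constructed 60-second sample: site-to-site VPN (ESP), proxied web, one call (RTP + SIP).
SAMPLE_FLOWS = [
    build_flow("10.0.0.5", "198.51.100.1", 50, 0, 0, 7_000_000, 6_000),
    build_flow("10.0.0.10", "203.0.113.9", 6, 51_000, 80, 2_500_000, 2_200),
    build_flow("10.0.0.20", "198.51.100.7", 17, 12_000, 12_000, 800_000, 3_000),
    build_flow("10.0.0.20", "198.51.100.7", 17, 5_060, 5_060, 60_000, 150),
]
SAMPLE_DATAGRAM = (NF5_HEADER.pack(5, len(SAMPLE_FLOWS), 60_000, 1_295_000_000, 0, 0, 0, 0, 0)
                   + b"".join(SAMPLE_FLOWS))

if __name__ == "__main__":
    report = summarize(parse_netflow_v5(SAMPLE_DATAGRAM), window_seconds=60, link_kbps=1536)
    for service, octets in sorted(report["bytes_by_service"].items(), key=lambda kv: -kv[1]):
        print(f"{service:12s} {octets:>12,d} bytes")
    print(f"T1 utilization over the window: {report['utilization_pct']:.1f}%")
```

The point of the breakdown is the one odysseus makes: a single number like "90%" does not tell you whether the VPN, the proxy or the phones are filling the pipe, while the per-service and per-host totals do, and they are what you would hand to management alongside the charts. The length and count checks matter because a collector listens on UDP to whatever sends to it, so it should never trust the record count in a header it has not validated against the datagram length.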

                  • #24
                    lazyworm
                    Senior Member
                    • Jan 2006
                    • 1640

                    As others have mentioned already...

                    1) you're doing QOS at the wrong place -- needs to happen on the T1 router

                    2) where is this office? your location says Daly City. In the bay area there are better choices that would give you better bandwidth for the price of a traditional T1.

                    3) If you can't do QOS on the T1 router but want a cheap fix, this is what I'd do --
                    1. add another interface on the pfsense box $35-$50
                    2. set up a new network/DMZ on this new interface
                    3. move the vpn and squid to this new network -- now if you can get your ISP to give you another IP allocation that can be routed through the first block of 5 would be good, otherwise, you'd need to do NAT from the current IPs to IPs on the new network.
                    4. redo QOS on the pfsense box

                    In short, you need to promote/move your QOS capability in front of all the bandwidth users.

                    5) I'm hiring. PM me.

                    • #25
                      jrara
                      Senior Member
                      • May 2009
                      • 1728

                      Originally posted by sfwdiy
                      You need to separate the traffic.

                      At my office we have a dedicated T1 for our PBX system specifically to avoid that type of BS. We have a similar setup. T1 for PBX, WiMax (don't ask, ugh) for web traffic. pfsense is a good piece of software. For the life of me I can't get the friggin' VPN to work though.

                      --B
                      I had the IPSec VPN tunnels working by pinging the remote gateways after I threw in the settings.

                      You would expect that it would work instantly but I found out I had to ping the gateways to get the VPN tunnel established.

                      • #26
                        jrara
                        Senior Member
                        • May 2009
                        • 1728

                        Originally posted by lazyworm

                        5) I'm hiring. PM me.
                        PM incoming.

                        • #27
                          jmlivingston
                          Moderator Emeritus
                          CGN Contributor - Lifetime
                          • Oct 2005
                          • 5095

                          Originally posted by jrara
                          I had the IPSec VPN Tunnels working by ping the Remote Gateways after I threw in the settings.

                          You would expect that it would work instantly but I found out I had to ping the gateways to get the VPN tunnel established.
                          Nope, IPSEC doesn't work that way. Tunnels get built on-demand, so if no tunnel exists the whole encryption "Security Associations" have to be set up prior to passing traffic. If you're using Cisco gear there are some tricks you can do to keep the tunnel nailed up; there are some keepalive options available to you as well as my favorite: build a GRE tunnel with a dynamic routing protocol running inside of it, then wrap the GRE tunnel with the IPSEC. Set up syslog correctly and you can get an email notice every time the tunnel fails, which should be almost never.

                          • #28
                            sfwdiy
                            Senior Member
                            • Feb 2008
                            • 2146

                            Originally posted by jrara
                            I had the IPSec VPN Tunnels working by ping the Remote Gateways after I threw in the settings.

                            You would expect that it would work instantly but I found out I had to ping the gateways to get the VPN tunnel established.
                            I was screwing with PPTP for remote users to be able to connect to local office resources. Mainly so I can monkey with settings when I'm not at the office, but we occasionally would like remote employees to be able to connect directly to local office resources.

                            I can run a SOCKS proxy over SSH for most of what I need though.

                            --B
