Description:

This document shows you how to set up the QoS rules in a LANCOM router firewall in order for them to operate with the settings recommended for VoIP connections.


Requirements:


Procedure: 

The firewall settings described here depend on the following:
  • The DiffServ flag set by the VoIP application (generally EF)
  • The codec in use, since the codec determines the bandwidth to guarantee (e.g. G.711, G.729)
  • The ports in use (usually port 5060 for SIP signaling)

In order for QoS to work properly, the bandwidth values provided by your Internet provider must be entered on the Internet connection; otherwise the mechanism has no reference values to work with.

Please observe the special notes on using Unify telecommunications systems from Deutsche Telekom in the following instructions.


1) Firewall rule 1:

The first firewall rule reserves bandwidth for the SIP signaling:

1.1) In LANconfig, open the configuration dialog for the LANCOM router and switch to the menu item Firewall/QoS → IPv4 rules → Rules.


1.2) Enter a name for the firewall rule and set the priority to 1.


1.3) The action must be set to the action object ACCEPT.


1.4) On the QoS tab you need to add a custom QoS action.


1.5) Configure a guaranteed minimum bandwidth of 1 kbps per session.


1.6) On the Stations tab set the Connection source and Connection destination to all stations.


1.7) On the Services tab, under Target services, add a new service object for the SIP service.

On the General tab, give the new service object a name.


1.8) On the Services tab, select the option Custom protocols → Edit custom protocols...

1.9) In the Ports field, enter the ports 5060 and 5061 separated by a comma.


1.10) The new service object is entered in the List of target services. Finish the configuration of the first firewall rule with OK.




2) Firewall rule 2:

The second firewall rule prioritizes the RTP data. Your IP phones must be set so that the RTP data is marked with the EF flag.

This is the default setting on many IP phones. However, to be on the safe side, you should check the configuration of your phones.

2.1) In the Firewall objects section, click the button Action objects and add a new action object in the dialog that follows.


2.2) On the General tab, give the action a descriptive name. On the Actions tab, click Add.


2.3) Enable the option for DiffServ-CP and select the flag EF. Close the dialog with OK.


The Unify telecommunications systems from Deutsche Telekom, and also some telecommunications systems from other manufacturers, send a dummy RTP packet at the beginning of a phone call that carries a wrong DiffServ tag. As a result, the firewall rule created here would not match if it relied on the DiffServ tag EF. We therefore recommend that, when using these PBXs, you create an action object that does not use a DiffServ tag.

In addition, in step 2.12 the firewall rule is restricted to the local IP address of the PBX so that it only applies to packets sent to the PBX.


2.4) In the Firewall objects section, click the button QoS objects and add a new QoS object in the dialog that follows.


2.5) On the General tab, give the QoS object a descriptive name. On the Actions tab, click Add.


2.6) Add three QoS conditions. For each of the conditions, enable the option for DiffServ-CP and set the flag to EF.

  • Configure a guaranteed minimum bandwidth. This value must be defined individually for your scenario. In this example, a minimum bandwidth of 94 kbit/s is configured per session. In our experience, this value has proven to be sufficient and practicable.


Note for users of Internet connections with low bandwidth:

For Internet connections with low bandwidth (guide value: below 50 Mbit/s downstream and 10 Mbit/s upstream), it makes sense to also configure fragmentation and PMTU reduction:

  • Configure a maximum packet size of 576 bytes for the fragmentation of the remaining packets.
  • Configure a reduction of the PMTU to 576 bytes.


2.7) Confirm your configuration with the OK button.


2.8) Navigate to the menu Firewall/QoS → IPv4 rules → Rules and add another firewall rule.


2.9) On the General tab, enter a descriptive name.


2.10) On the Actions tab, select the action object you created in step 2.2.


2.11) On the QoS tab, select the QoS object you created in step 2.4.


2.12) On the Stations tab, set the Connection source and Connection destination to all stations.


When using a Unify PBX from Deutsche Telekom, you must specify the PBX as the connection source so that the rule only takes traffic to the PBX into account.

In the example, a firewall object was created and used for the local IP address of the PBX.


2.13) On the Services tab, set both Protocol/source services and Protocol/target services to all protocols and all services.


When using a Unify PBX from Deutsche Telekom, it makes sense to configure the UDP protocol here.


2.14) Complete the configuration of the second firewall rule with OK and write the configuration back to the LANCOM router.
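As an added example that is not part of the LANCOM article, the following Python snippet models the two firewall rules configured above against constructed packet headers. It shows why the default rule 2 (match on DiffServ EF) misses the dummy RTP packet a Unify PBX sends with a wrong tag, while the Unify variant from steps 2.3, 2.12 and 2.13 (UDP, PBX as connection source, no DiffServ condition) still matches it. The IP addresses and port numbers are constructed; the rule names and bandwidth labels are assumptions.

```python
# Added example (not LANCOM code): a minimal model of the article's two QoS
# firewall rules applied to constructed packet headers. DSCP values are the
# 6-bit DiffServ code point from the IP header; EF is 46 (101110b).
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

DSCP_EF = 46


@dataclass
class Packet:
    src: str      # connection source address
    dst: str      # connection destination address
    proto: str    # "udp" or "tcp"
    sport: int
    dport: int
    dscp: int


def rule1_sip(pkt: Packet) -> bool:
    """Rule 1 (priority 1): SIP signaling on ports 5060/5061, all stations."""
    return pkt.proto in ("udp", "tcp") and (
        pkt.dport in (5060, 5061) or pkt.sport in (5060, 5061))


def rule2_rtp_ef(pkt: Packet) -> bool:
    """Rule 2, default variant: all stations, all services, packet marked EF."""
    return pkt.dscp == DSCP_EF


def rule2_rtp_pbx(pkt: Packet, pbx_ip: str) -> bool:
    """Rule 2, Unify variant: UDP with the PBX as connection source, no DSCP check."""
    return pkt.proto == "udp" and ip_address(pkt.src) == ip_address(pbx_ip)


def classify(pkt: Packet, pbx_ip: Optional[str] = None) -> str:
    """QoS treatment a packet receives; rule 1 is evaluated first (priority 1)."""
    if rule1_sip(pkt):
        return "sip-reserve-1kbit"
    matched = rule2_rtp_pbx(pkt, pbx_ip) if pbx_ip else rule2_rtp_ef(pkt)
    return "rtp-guarantee-94kbit" if matched else "best-effort"


# Constructed sample traffic from a PBX at 192.0.2.10: a SIP INVITE, an
# EF-marked RTP packet, and the PBX's initial dummy RTP packet with DSCP 0.
PBX = "192.0.2.10"
SAMPLE = [
    Packet(PBX, "198.51.100.5", "udp", 5060, 5060, 0),
    Packet(PBX, "198.51.100.5", "udp", 10000, 20000, DSCP_EF),
    Packet(PBX, "198.51.100.5", "udp", 10000, 20000, 0),
]
```

Running `classify` over `SAMPLE` with and without `PBX` reproduces the article's point: the dummy packet falls to best effort under the EF rule but is still guaranteed bandwidth under the address-based variant.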