Quick and Easy QoS with Tomato

November 21, 2009

SIP combined with Elastix is nothing short of amazing.

Cost savings, flexibility, functionality, and I’ll say it again: Cost savings!

When deploying Elastix with SIP over ADSL (for example), many find their existing broadband connection does not quite provide satisfactory call quality, usually because the voice packets are competing with everything else on the same link.

We will follow this post up later with another on Diagnosing connectivity / quality issues.

NOTE: This is not the only way to do QoS, but after having struggled with the likes of pfSense, the budget / useless junk that many routers build in, and a host of other software / hardware solutions, I found Tomato did it the easiest, the best, and the most reliably! It's a breeze to set up, and you'll be kicking yourself for not having set something like this up earlier.

What you'll need:

  • Administrative access to the ADSL Router
  • The Router must either do DMZ or (most ideally) Half-bridging. The Linksys AM300 is recommended
  • A Linksys WRT54GL or Asus WL-520GU. The WRT54GL was easiest to flash, but the WL-520GU is close to un-brickable thanks to its firmware recovery mode
  • The Tomato Firmware, available from polarcloud.com/tomato
  • A quiet afternoon in the office, where nobody will jump up and down too much if you take down the internet for a little bit.

NOTE: I would *strongly* recommend you get permission to take and test this out on your home connection prior to trying to deploy it in a production environment. I promise you will suffer much less heartbreak compared to tearing down a corporate network and finding you cannot easily repair it to its original state.

Step 1) Selecting the Hardware

I’ll be honest, the Linksys WRT54GL is probably the easiest, and at around NZD$100 it’s a bargain price! See xe.com/ucc to convert that price to your currency, or check out the price at Newegg.com

Make sure it's the GL model (the L stands for Linux), as some of the non-L models aren't compatible, notably the WRT54G v5.

You also need an ADSL router that will hand the public IP address (and with it all port-forwarding) over to the Tomato box, so you're going to want something such as the Linksys AM300; it's cheap, reliable and known to work well. Just make sure it has firmware 1.19.04 or half-bridge won't work. Other products such as the NetComm NB6PLUS4Wn will suffice if you put the Tomato box in their DMZ, but half-bridging is a nicer solution than a DMZ: the Tomato router then holds the public address itself and behaves as if it *is* the connection to the Internet, rather than sitting behind another NAT. Either way, the Tomato box becomes the device that receives every unsolicited packet from the Internet, so its firewall is the one that now matters. I'll leave the getting-connected-to-the-Internet part to your imagination.

Step 2) Flashing Tomato

If you have the WRT54GL then this is dead easy. If you've previously used it, reset it back to factory defaults first. Connect via a cable (safer than wireless, even though technically speaking WiFi does work for upgrades), go into the Administration settings, and select the firmware file WRT54G_WRT54GL.bin.

Hit Upgrade, sit back, wait 2-3 minutes, and then try logging back in to the web interface.

Devices such as the Asus WL-520GU also work well in my experience, though the WRT54GL is definitely the easiest.

Now there are a ton of features that we could go into which you may find useful, but now's not really the time for all of those. With that in mind we're going to dive straight into the deep end. Fire up the web GUI and log in with the default username:password of admin:admin. Change that password before you do anything else: in a half-bridge or DMZ setup this box is now your Internet-facing router, and the default credentials are the first thing anyone will try. Leave remote (WAN-side) administration switched off unless you genuinely need it. Then click on QoS –> Basic Settings on the left-hand side.

Step 3) Determining your speeds

This may sound like a silly thing for me to mention, but you absolutely must get this right. First stop: Speedtest.net !

Run a speed test and see what speeds you get. The sync speeds reported by your ADSL router also give a rough indication, though you'll never see quite that much throughput because of the ATM and PPP overhead on the line.

Now, you're not going to want to set your Max Inbound Bandwidth & Max Outbound Bandwidth in Tomato to your actual line maximum. For example, if your DSL connection is syncing at 4.8Mbit/s down and 950kbps up and you specify those values in Tomato, not only will you never actually attain those speeds, but if you re-sync at a slightly lower speed it'll throw things off even further. QoS can only shape what the router itself sends; once the real bottleneck is the modem rather than Tomato's limit, the queues build up in the modem instead and the priorities stop meaning anything. Speedtest for me shows I'm getting around 4300kbps down and 890kbps up, so we're going to round things right down to 3500kbps download and 800kbps upload. Seriously, I can pretty much promise that none of your staff will notice the difference between downloading at 4300kbps and 3500kbps, so don't feel as though you're going to be slowing down their Internet. You won't! If anything, they'll "feel" like it's going faster by the time we're done.

So, enter your values in the Max Bandwidth fields for inbound & outbound. Up the top we're going to set:

  • Enable QOS
  • Prioritize small packets with these control flags: ACK
  • Prioritize ICMP
  • Reset class when changing settings
  • Default Class: C

Your Default Class can change, I’ve set it to C for un(C)lassified. Honestly it made sense when I first setup the router…

Now we're going to set the Outbound values; these are the most essential. Each class gets a guaranteed Rate (left) and a Limit (right), both as percentages of the Max Outbound Bandwidth. Here's an example of how mine look (Class / Rate / Limit):

  • Highest / 80% / 90%
  • High / 20% / 80%
  • Medium / 5% / 70%
  • Low / 3% / 60%
  • Lowest / 2% / 20%
  • Class A / 90% / 100%
  • Class B / 1% / 5%
  • Class C / 1% / 10%
  • Class D / 1% / 5%
  • Class E / 10% / 20%

Now I'll explain my madness here. Class C is the default, so if something is uncategorized it's because it's not important enough for me to spend the time writing rules for it, and you don't want to give it much. Class B & D don't get used by me, so again I leave them very low, as nothing should be using them. Class A is going to be my VoIP, so I want it to always get priority.

Here's a summary of my understanding of how the QoS works. It could be totally wrong, but it's served me well thus far:

You've got a limited amount of outgoing bandwidth; let's say for argument's sake it's 100kbps.
Now let's pretend you're saturating that with a variety of traffic, including VoIP, sending email attachments through Gmail (HTTP traffic) and FTP uploads (website changes?). VoIP is only going to use a tiny bit: if you're using iLBC the codec itself is 13.3kbps, which comes to about 44kbps on the wire once the IP/UDP/RTP and link-layer overheads are added. If you've classified VoIP as Class A, it's going to try to reserve at least 90% for it. You only need 44kbps, so that still leaves 56kbps for HTTP & FTP. Now, if HTTP is Highest, it's going to try to reserve 80% of the 100kbps for it, essentially leaving FTP with nothing. For this reason you'd set HTTP to High perhaps, and FTP to Medium. Both have a "max" of 80% & 70% respectively, so it'll do its best to share the remainder after VoIP between the two of them, at all times giving HTTP a minimum of 20% and FTP at least 5%.

In a nutshell, set the minimum amount to be reserved on the left, and the max that it should be allowed on the right. Assume the worst case, that your line is going to be 100% full all the time, and try to give each class a bit of "wiggle room".
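To make the 100kbps thought experiment above concrete, here is a small model of how guaranteed rates and limits play out when every class is sending at once. This is an added example, not code from the original post and not Tomato's own code: Tomato's QoS sits on top of Linux HTB, and this is a deliberately simplified HTB-like model. Each class is first served up to its Rate (or less, if it has less to send), in the order the classes are listed; whatever is left is then split equally among classes that still have data queued, never pushing any class past its Limit. Serving guarantees in list order when they add up to more than the link is this model's assumption, not how HTB actually arbitrates (it uses class priorities and quanta), and the ~44kbps iLBC figure is the post's.

```python
"""Toy model of how Tomato's outbound classes share a saturated uplink.

Added example, not from the original post and not Tomato's own code.  A
simplified HTB-like model: guarantees (Rate) first, in list order, then the
remainder shared equally up to each class's Limit.  The list-order tie-break
for oversubscribed guarantees is an assumption of this model.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class QosClass:
    name: str
    rate_pct: float      # Tomato "Rate": guaranteed share of the link, in %
    limit_pct: float     # Tomato "Limit": the most this class may ever take, in %
    demand_kbps: float   # what the class is trying to send right now


def allocate(link_kbps: float, classes: List[QosClass]) -> Dict[str, float]:
    """Return the kbps each class gets when all of them send at once."""
    got: Dict[str, float] = {}
    spare = link_kbps
    # Phase 1: guarantees, in list order.  A class never gets more than it asks for.
    for c in classes:
        share = min(c.demand_kbps, link_kbps * c.rate_pct / 100, spare)
        got[c.name] = share
        spare -= share
    # Phase 2: hand the remainder out equally to classes that still want more,
    # capped by each class's Limit, until the link is full or nobody can take more.
    while spare > 1e-9:
        caps = {c.name: min(c.demand_kbps, link_kbps * c.limit_pct / 100) for c in classes}
        hungry = [c for c in classes if got[c.name] + 1e-9 < caps[c.name]]
        if not hungry:
            break
        per_class = spare / len(hungry)
        for c in hungry:
            extra = min(caps[c.name] - got[c.name], per_class)
            got[c.name] += extra
            spare -= extra
    return got


LINK_KBPS = 100.0
# One iLBC call: roughly 44 kbps on the wire (the post's figure).
VOIP = QosClass("Class A (VoIP)", 90, 100, 44)


def http_as_high() -> Dict[str, float]:
    """The layout the post recommends: HTTP in High, FTP in Medium."""
    return allocate(LINK_KBPS, [
        VOIP,
        QosClass("High (HTTP)", 20, 80, demand_kbps=LINK_KBPS),    # wants the whole link
        QosClass("Medium (FTP)", 5, 70, demand_kbps=LINK_KBPS),    # wants the whole link
    ])


def http_as_highest() -> Dict[str, float]:
    """The layout the post warns against: HTTP in Highest starves FTP."""
    return allocate(LINK_KBPS, [
        VOIP,
        QosClass("Highest (HTTP)", 80, 90, demand_kbps=LINK_KBPS),
        QosClass("Medium (FTP)", 5, 70, demand_kbps=LINK_KBPS),
    ])


if __name__ == "__main__":
    for title, result in (("HTTP as High", http_as_high()),
                          ("HTTP as Highest", http_as_highest())):
        print(title)
        for name, kbps in result.items():
            print(f"  {name:16} {kbps:6.1f} kbps")
```

With HTTP in High the call keeps its 44kbps and the remaining 56kbps is split between HTTP (20 guaranteed, then 15.5 more) and FTP (5 guaranteed, then 15.5 more). With HTTP in Highest its 80% guarantee swallows everything the call left over and FTP gets nothing, which is exactly the situation the post is steering you away from.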

Next we set up Inbound as well. Inbound only has a Limit per class, because the router can't control what the far end sends, only how fast it lets each class through (Class / Limit):

  • Highest / 90%
  • High / 80%
  • Medium / 70%
  • Low / 60%
  • Lowest / 20%
  • Class A / 100%
  • Class B / 5%
  • Class C / 10%
  • Class D / 5%
  • Class E / 5%

You can turn on TCP Vegas if you want; I choose not to. You can read more about it and what it does on Wikipedia. Scroll down and hit Save.

Now on to the next part:

Step 4) Classification of Traffic types

On the left-hand side we’re now in QoS –> Classification

We need to classify the types of traffic that fall into each of the classes we set up earlier. We're going to start by clearing out all the standard rules and putting in a few of our own (Protocol / Match / Port(s) / Class / Description):

  • UDP / Src or Dst / 5060 / Class A / SIP
  • UDP / Src or Dst / 10000-20000 / Class A / RTP
  • TCP or UDP / Dst Port / 53 / Highest / DNS
  • TCP / Dst Port / 80,443 / High / HTTP & HTTPS
  • TCP / Src or Dst / 25,110,143 / Medium / Email (SMTP POP3 IMAP)
  • TCP or UDP / Src or Dst / any port / Class C / Bulk Traffic
  • GRE / (no ports) / Class E / PPTP VPN (GRE)

Why? We prioritize VoIP first of all; at all times we want our voice to be perfect. Next we do DNS so that pages "feel" like they're loading quickly (especially with OpenDNS). We want HTTP & HTTPS in their own little queue, followed by Email.
I'm also putting PPTP VPN into a class of its own, as I use that a bit myself for a variety of things.
Finally, anything that isn't matched by an earlier rule already lands in the default class (Class C, Bulk Traffic), so this rule just re-affirms it. Bear in mind that the rules are tried from the top down and the first match wins, so keep this catch-all below the specific rules; the GRE rule after it still fires only because the catch-all is limited to TCP and UDP. Bear in mind too that these rules trust port numbers: anything on UDP 5060 or in the 10000-20000 range gets Class A, whether or not it is actually SIP or RTP.
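The rule list above, run as a first-match classifier over a handful of constructed connections, makes the ordering and the port-trust point visible. This is an added example, not code from the original post and not Tomato's own implementation; it assumes, as Tomato does, that rules are tried top to bottom and the first match wins, and the sample flows (port numbers, protocols) are made up for illustration.

```python
"""First-match model of the Tomato QoS classification rules set up above.

Added example, not from the original post and not Tomato's own code.  Models
the rule list as top-down, first-match-wins, which is how Tomato applies it.
Sample connections below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    protos: frozenset                      # protocols the rule applies to
    match: str                             # "dst": destination port only; "any": source or destination
    ports: Tuple[Tuple[int, int], ...]     # port ranges; empty means "any port"
    cls: str                               # Tomato class a matching connection is put in
    label: str


def port_spec(spec: str) -> Tuple[Tuple[int, int], ...]:
    """Parse Tomato-style port lists such as '80,443' or '10000-20000'."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if part:
            lo, _, hi = part.partition("-")
            ranges.append((int(lo), int(hi or lo)))
    return tuple(ranges)


# The rule list from Step 4, in the same order.
RULES = [
    Rule(frozenset({"udp"}),        "any", port_spec("5060"),        "A",       "SIP"),
    Rule(frozenset({"udp"}),        "any", port_spec("10000-20000"), "A",       "RTP"),
    Rule(frozenset({"tcp", "udp"}), "dst", port_spec("53"),          "Highest", "DNS"),
    Rule(frozenset({"tcp"}),        "dst", port_spec("80,443"),      "High",    "HTTP & HTTPS"),
    Rule(frozenset({"tcp"}),        "any", port_spec("25,110,143"),  "Medium",  "Email"),
    Rule(frozenset({"tcp", "udp"}), "any", (),                       "C",       "Bulk Traffic"),
    Rule(frozenset({"gre"}),        "any", (),                       "E",       "PPTP VPN (GRE)"),
]
DEFAULT_CLASS = "C"   # the Default Class chosen in Step 3


def _hits(port: Optional[int], ranges) -> bool:
    return port is not None and any(lo <= port <= hi for lo, hi in ranges)


def classify(proto: str, src_port: Optional[int] = None,
             dst_port: Optional[int] = None, rules=RULES) -> Tuple[str, str]:
    """Return (class, rule label) for a connection; first matching rule wins."""
    for r in rules:
        if proto not in r.protos:
            continue
        if not r.ports:                         # no port filter: any port matches
            matched = True
        elif r.match == "dst":
            matched = _hits(dst_port, r.ports)
        else:
            matched = _hits(src_port, r.ports) or _hits(dst_port, r.ports)
        if matched:
            return r.cls, r.label
    return DEFAULT_CLASS, "default (no rule matched)"


# Constructed sample connections: (protocol, source port, destination port).
SAMPLE_FLOWS = {
    "sip register to itsp":      ("udp", 5060,  5060),
    "rtp media stream":          ("udp", 14022, 17830),
    "dns lookup":                ("udp", 51234, 53),
    "https upload":              ("tcp", 51235, 443),
    "imap mailbox sync":         ("tcp", 51236, 143),
    "ssh session":               ("tcp", 51237, 22),
    "pptp tunnel payload":       ("gre", None,  None),
    # A LAN host that picks a source port inside the RTP range lands in
    # Class A too: port-based rules trust whatever ports the client chooses.
    "p2p peer, src port 12345":  ("udp", 12345, 6881),
}


def classify_samples(flows=SAMPLE_FLOWS):
    return {name: classify(*flow)[0] for name, flow in flows.items()}


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        cls, label = classify(*flow)
        print(f"{name:28} -> Class {cls:8} ({label})")
```

Two things to take from the run: the SSH session falls through to Bulk Traffic because nothing above the catch-all names port 22 (a TCP rule added below the catch-all would never fire), and the made-up peer flow gets Class A purely because its source port sits in the RTP range, so a host on your LAN can promote itself just by choosing its ports.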

Scroll down, hit Save, then make a call out through your SIP trunk to a local freephone number to see if this is working.

Step 5) Confirmation and Corrections

Now comes the testing part. Click on QoS –> View Graphs and, while you're on a call, you'll see Class A has a bit of traffic in it. If you click on the Class A title it will take you to a screen where you can also see the IP address the traffic is going to. With a bit of luck this should be your Elastix box (if you've got a remote extension) or your ITSP (if your Elastix box is local).

From here, it’s a matter of keeping an eye on the graphs over the next few days / weeks and seeing what really goes on through your Internet Connection. You may be quite surprised at what you see.

If you run into any troubles, feel free to post on the Elastix Forums and either myself or one of the many other helpful regulars will be able to assist.



  1. Hey.

    There are a lot of other, more complex posts out there on this topic, which confused me and didn’t work very well to make my calls sound good. Yours did. Hard to argue with that.


  2. Thanks for the write-up on setting up Tomato's QoS. I ran through your setup and made a couple of changes for my own situation and I'm confused by what I'm seeing in my results. Like you, I have HTTP and HTTPS set at HIGH (20-80%). However I've added an item for a file transfer program I'm running that sends to Dst port 84 on a home computer and I set TCP/UDP DST Port 84 to Class A (90-100%). With a heavy upload to Carbonite running on port 443, my graphs are showing a roughly 50/50 distribution of bandwidth for HIGH and Class A. Shouldn't Class A be running at 90% and HIGH limping along with whatever is left?
