Prioritizing VoIP Traffic with MikroTik QoS: Complete Configuration Guide
Call quality is a critical business requirement. Poor voice quality costs businesses an average of $62,000 annually in lost productivity and customer satisfaction. MikroTik RouterOS provides enterprise-grade QoS capabilities that solve these problems at small and medium business prices.
This guide shows you how to configure MikroTik QoS for perfect VoIP performance. You will learn to identify VoIP traffic, create priority queues, and monitor call quality metrics.
Understanding VoIP Traffic and QoS Requirements
VoIP Protocol Components
VoIP systems use three main protocol types that need different QoS treatment:
SIP (Session Initiation Protocol) Traffic:
- Handles call setup, teardown, and modifications
- Uses ports 5060 (TCP/UDP) and 5061 (TLS)
- Low bandwidth requirement (< 5 kbps per call)
- Needs reliable delivery but tolerates moderate latency
RTP (Real-time Transport Protocol) Media:
- Carries actual voice data
- Uses dynamic port ranges (typically 10000-20000)
- High bandwidth requirement (64-128 kbps per call depending on codec)
- Extremely sensitive to latency, jitter, and packet loss
RTCP (Real-time Transport Control Protocol):
- Provides quality feedback and statistics
- Uses odd-numbered ports adjacent to RTP
- Low bandwidth requirement
- Important for monitoring but not critical for real-time delivery
Critical VoIP Quality Requirements
VoIP traffic demands strict network performance standards:
Latency Requirements:
- Maximum one-way delay: 150ms
- Preferred one-way delay: < 100ms
- Round-trip time should not exceed 300ms
- Each 100ms of additional latency reduces call quality significantly
Jitter Tolerance:
- Maximum acceptable jitter: 30ms
- Preferred jitter: < 20ms
- Jitter buffers help but add latency
- Consistent packet delivery prevents audio dropouts
Packet Loss Thresholds:
- Maximum acceptable loss: 1%
- Preferred packet loss: < 0.1%
- Lost RTP packets create audio gaps
- Retransmission is not possible for real-time media
Bandwidth Calculations:
- G.711 codec: 87.2 kbps per call (including overhead)
- G.729 codec: 31.2 kbps per call (including overhead)
- G.729 codec, including overhead is approximately 32kbps up/down per call
- Always plan for 20% additional bandwidth overhead
MikroTik QoS Architecture for VoIP
RouterOS QoS Components
RouterOS automatically calculates the required hardware descriptor and buffer count based on the user-specified packet limit and port’s MTU. The QoS system includes these key components:
Mangle Rules:
- Classify and mark packets based on various criteria
- Apply DSCP markings for standards-compliant QoS
- Create connection tracking for dynamic protocols
- Support Layer 7 protocol detection
Queue Trees vs Simple Queues:
- Queue Trees: Hierarchical structure for complex policies
- Simple Queues: Easy configuration for basic scenarios
- Queue Trees offer more granular control
- Simple Queues work well for per-user limitations
Priority Levels:
- 8 priority levels (1 = highest, 8 = lowest)
- Higher priority queues get bandwidth first
- Lower priority traffic gets remaining bandwidth
- Emergency traffic can preempt lower priorities
DSCP Standards for VoIP
To ensure optimal performance, it is best to use a consistent DSCP value across the network, preferably 46 (EF). Use these standard DSCP markings:
Voice Media (RTP):
- DSCP 46 (Expedited Forwarding – EF)
- Decimal value: 184
- Binary: 101110
- Highest priority treatment
VoIP Signaling (SIP):
- DSCP 24 (CS3 – Class Selector 3)
- Decimal value: 96
- Binary: 011000
- High priority but lower than media
Video Conferencing:
- DSCP 34 (AF41 – Assured Forwarding 41)
- Decimal value: 136
- Binary: 100010
- High priority for visual communication
Pre-Configuration Planning
Network Assessment Steps
Before implementing QoS, complete these assessment tasks:
1. Bandwidth Analysis:
# Test current bandwidth
/tool bandwidth-test address=8.8.8.8 duration=30s
# Monitor interface utilization
/interface monitor-traffic interface=ether1 duration=60
2. VoIP System Inventory:
- Document all SIP server IP addresses
- Record VoIP phone IP ranges
- Identify codec types in use
- Map peak concurrent call volumes
- Note any existing QoS markings
3. Traffic Flow Mapping:
- Internal phone-to-phone calls
- External calls via SIP providers
- Conference bridge traffic
- Voicemail system communications
Bandwidth Planning Guidelines
Small Office (1-25 users):
- Reserve 20% of total bandwidth for VoIP
- Plan for 50% of users on concurrent calls
- Minimum 10 Mbps internet connection recommended
- Consider asymmetric bandwidth requirements
Medium Business (25-100 users):
- Reserve 15% of total bandwidth for VoIP
- Plan for 30% of users on concurrent calls
- Minimum 50 Mbps internet connection recommended
- Implement redundant internet connections
Large Enterprise (100+ users):
- Reserve 10% of total bandwidth for VoIP
- Plan for 25% of users on concurrent calls
- Multiple internet connections required
- Consider MPLS or SD-WAN solutions
Step-by-Step MikroTik VoIP QoS Configuration
Phase 1: Basic VoIP Traffic Classification
1: Create Mangle Rules for SIP Signaling
# Mark SIP traffic (TCP and UDP port 5060)
/ip firewall mangle add chain=prerouting protocol=tcp dst-port=5060 action=mark-packet new-packet-mark=sip-signaling
/ip firewall mangle add chain=prerouting protocol=udp dst-port=5060 action=mark-packet new-packet-mark=sip-signaling
/ip firewall mangle add chain=prerouting protocol=tcp src-port=5060 action=mark-packet new-packet-mark=sip-signaling
/ip firewall mangle add chain=prerouting protocol=udp src-port=5060 action=mark-packet new-packet-mark=sip-signaling
# Mark secure SIP traffic (port 5061)
/ip firewall mangle add chain=prerouting protocol=tcp dst-port=5061 action=mark-packet new-packet-mark=sip-signaling
/ip firewall mangle add chain=prerouting protocol=udp dst-port=5061 action=mark-packet new-packet-mark=sip-signaling
/ip firewall mangle add chain=prerouting protocol=tcp src-port=5061 action=mark-packet new-packet-mark=sip-signaling
/ip firewall mangle add chain=prerouting protocol=udp src-port=5061 action=mark-packet new-packet-mark=sip-signaling
# Apply DSCP marking to SIP traffic
/ip firewall mangle add chain=prerouting packet-mark=sip-signaling action=mark-dscp new-dscp=24
2: Identify and Mark RTP Media Streams
# Mark RTP traffic (common port range 10000-20000)
/ip firewall mangle add chain=prerouting protocol=udp dst-port=10000-20000 action=mark-packet new-packet-mark=rtp-media
/ip firewall mangle add chain=prerouting protocol=udp src-port=10000-20000 action=mark-packet new-packet-mark=rtp-media
# Apply DSCP EF marking to RTP media
/ip firewall mangle add chain=prerouting packet-mark=rtp-media action=mark-dscp new-dscp=46
# Alternative: Mark based on VoIP server IPs
/ip firewall mangle add chain=prerouting src-address=10.1.1.100 protocol=udp action=mark-packet new-packet-mark=voip-server
/ip firewall mangle add chain=prerouting dst-address=10.1.1.100 protocol=udp action=mark-packet new-packet-mark=voip-server
/ip firewall mangle add chain=prerouting packet-mark=voip-server action=mark-dscp new-dscp=46
3: Mark VoIP Phone Subnet Traffic
# Mark all traffic from VoIP phone subnet
/ip firewall mangle add chain=prerouting src-address=192.168.10.0/24 action=mark-connection new-connection-mark=voip-conn
/ip firewall mangle add chain=prerouting dst-address=192.168.10.0/24 action=mark-connection new-connection-mark=voip-conn
/ip firewall mangle add chain=prerouting connection-mark=voip-conn action=mark-packet new-packet-mark=voip-traffic
/ip firewall mangle add chain=prerouting packet-mark=voip-traffic action=mark-dscp new-dscp=46
Phase 2: Queue Tree Implementation
1: Create Parent Queues
# Create download parent queue (LAN interface)
/queue tree add name=download-parent parent=ether2-LAN max-limit=95M priority=1
# Create upload parent queue (WAN interface)
/queue tree add name=upload-parent parent=ether1-WAN max-limit=95M priority=1
# Create VoIP priority queues
/queue tree add name=voip-download parent=download-parent packet-mark=rtp-media max-limit=10M priority=1 queue=default-small
/queue tree add name=voip-upload parent=upload-parent packet-mark=rtp-media max-limit=10M priority=1 queue=default-small
# Create SIP signaling queues
/queue tree add name=sip-download parent=download-parent packet-mark=sip-signaling max-limit=1M priority=2
/queue tree add name=sip-upload parent=upload-parent packet-mark=sip-signaling max-limit=1M priority=2
2: Add Other Traffic Classes
# Business critical applications (priority 3)
/queue tree add name=business-download parent=download-parent packet-mark=business-apps max-limit=40M priority=3
/queue tree add name=business-upload parent=upload-parent packet-mark=business-apps max-limit=40M priority=3
# Standard web traffic (priority 4)
/queue tree add name=web-download parent=download-parent packet-mark=web-traffic max-limit=30M priority=4
/queue tree add name=web-upload parent=upload-parent packet-mark=web-traffic max-limit=30M priority=4
# Bulk traffic (priority 7)
/queue tree add name=bulk-download parent=download-parent packet-mark=bulk-traffic max-limit=20M priority=7
/queue tree add name=bulk-upload parent=upload-parent packet-mark=bulk-traffic max-limit=20M priority=7
# Default traffic (priority 8)
/queue tree add name=default-download parent=download-parent max-limit=15M priority=8
/queue tree add name=default-upload parent=upload-parent max-limit=15M priority=8
Phase 3: Simple Queue Alternative
For smaller networks, Simple Queues offer easier management:
# Create VoIP priority simple queue
/queue simple add name=voip-priority target-addresses=192.168.10.0/24 max-limit=10M/10M priority=1/1 packet-marks=rtp-media,sip-signaling
# Create user-based simple queues with VoIP priority
/queue simple add name=user1-queue target-addresses=192.168.1.101/32 max-limit=10M/2M priority=8/8
/queue simple add name=user1-voip parent=user1-queue packet-marks=rtp-media,sip-signaling priority=1/1 max-limit=2M/1M
Complete Configuration Script
Here’s a comprehensive VoIP QoS configuration for a typical small business:
# ===============================================
# MikroTik VoIP QoS Configuration Script
# ===============================================
# Clear existing mangle rules (optional - be careful!)
# /ip firewall mangle remove [find]
# ===============================================
# STEP 1: VoIP Traffic Identification
# ===============================================
# SIP Signaling Traffic (ports 5060, 5061)
/ip firewall mangle add chain=prerouting protocol=tcp dst-port=5060,5061 action=mark-packet new-packet-mark=sip-signaling comment="SIP Signaling - Incoming"
/ip firewall mangle add chain=prerouting protocol=udp dst-port=5060,5061 action=mark-packet new-packet-mark=sip-signaling
/ip firewall mangle add chain=prerouting protocol=tcp src-port=5060,5061 action=mark-packet new-packet-mark=sip-signaling comment="SIP Signaling - Outgoing"
/ip firewall mangle add chain=prerouting protocol=udp src-port=5060,5061 action=mark-packet new-packet-mark=sip-signaling
# RTP Media Traffic (dynamic port range)
/ip firewall mangle add chain=prerouting protocol=udp dst-port=10000-20000 action=mark-packet new-packet-mark=rtp-media comment="RTP Media - Incoming"
/ip firewall mangle add chain=prerouting protocol=udp src-port=10000-20000 action=mark-packet new-packet-mark=rtp-media comment="RTP Media - Outgoing"
# VoIP Phone Subnet Alternative Method
/ip firewall mangle add chain=prerouting src-address=192.168.10.0/24 action=mark-connection new-connection-mark=voip-conn comment="VoIP Phone Subnet"
/ip firewall mangle add chain=prerouting dst-address=192.168.10.0/24 action=mark-connection new-connection-mark=voip-conn
/ip firewall mangle add chain=prerouting connection-mark=voip-conn action=mark-packet new-packet-mark=voip-phones
# ===============================================
# STEP 2: DSCP Marking
# ===============================================
# Mark RTP media with DSCP EF (46)
/ip firewall mangle add chain=prerouting packet-mark=rtp-media action=mark-dscp new-dscp=46 comment="RTP DSCP EF"
/ip firewall mangle add chain=prerouting packet-mark=voip-phones action=mark-dscp new-dscp=46
# Mark SIP signaling with DSCP CS3 (24)
/ip firewall mangle add chain=prerouting packet-mark=sip-signaling action=mark-dscp new-dscp=24 comment="SIP DSCP CS3"
# ===============================================
# STEP 3: Other Traffic Classification
# ===============================================
# Business Applications
/ip firewall mangle add chain=prerouting dst-port=443,80 action=mark-packet new-packet-mark=web-traffic comment="Web Traffic"
/ip firewall mangle add chain=prerouting src-port=443,80 action=mark-packet new-packet-mark=web-traffic
# Email Traffic
/ip firewall mangle add chain=prerouting dst-port=25,587,993,995 action=mark-packet new-packet-mark=email-traffic comment="Email Traffic"
/ip firewall mangle add chain=prerouting src-port=25,587,993,995 action=mark-packet new-packet-mark=email-traffic
# Bulk Downloads
/ip firewall mangle add chain=prerouting dst-port=21,20 action=mark-packet new-packet-mark=bulk-traffic comment="FTP Traffic"
/ip firewall mangle add chain=prerouting src-port=21,20 action=mark-packet new-packet-mark=bulk-traffic
# ===============================================
# STEP 4: Queue Tree Configuration
# ===============================================
# Parent Queues (adjust max-limit to your bandwidth)
/queue tree add name=download-parent parent=ether2-LAN max-limit=95M priority=1 comment="Download Parent - 100M connection"
/queue tree add name=upload-parent parent=ether1-WAN max-limit=9M priority=1 comment="Upload Parent - 10M connection"
# VoIP Priority Queues (Priority 1 - Highest)
/queue tree add name=voip-rtp-down parent=download-parent packet-mark=rtp-media max-limit=5M priority=1 queue=default-small comment="VoIP RTP Download"
/queue tree add name=voip-rtp-up parent=upload-parent packet-mark=rtp-media max-limit=5M priority=1 queue=default-small comment="VoIP RTP Upload"
/queue tree add name=voip-phones-down parent=download-parent packet-mark=voip-phones max-limit=5M priority=1 queue=default-small comment="VoIP Phones Download"
/queue tree add name=voip-phones-up parent=upload-parent packet-mark=voip-phones max-limit=5M priority=1 queue=default-small comment="VoIP Phones Upload"
# SIP Signaling Queues (Priority 2)
/queue tree add name=sip-down parent=download-parent packet-mark=sip-signaling max-limit=1M priority=2 comment="SIP Signaling Download"
/queue tree add name=sip-up parent=upload-parent packet-mark=sip-signaling max-limit=1M priority=2 comment="SIP Signaling Upload"
# Business Traffic (Priority 3)
/queue tree add name=email-down parent=download-parent packet-mark=email-traffic max-limit=20M priority=3 comment="Email Download"
/queue tree add name=email-up parent=upload-parent packet-mark=email-traffic max-limit=2M priority=3 comment="Email Upload"
# Web Traffic (Priority 4)
/queue tree add name=web-down parent=download-parent packet-mark=web-traffic max-limit=40M priority=4 comment="Web Traffic Download"
/queue tree add name=web-up parent=upload-parent packet-mark=web-traffic max-limit=3M priority=4 comment="Web Traffic Upload"
# Bulk Traffic (Priority 7 - Lower)
/queue tree add name=bulk-down parent=download-parent packet-mark=bulk-traffic max-limit=30M priority=7 comment="Bulk Download"
/queue tree add name=bulk-up parent=upload-parent packet-mark=bulk-traffic max-limit=1M priority=7 comment="Bulk Upload"
# Default Traffic (Priority 8 - Lowest)
/queue tree add name=default-down parent=download-parent max-limit=20M priority=8 comment="Default Download"
/queue tree add name=default-up parent=upload-parent max-limit=2M priority=8 comment="Default Upload"
# ===============================================
# STEP 5: Enable Connection Tracking
# ===============================================
/ip firewall connection tracking set enabled=yes
# ===============================================
# Configuration Complete
# ===============================================
Advanced VoIP QoS Optimization
Bidirectional QoS Configuration
Most internet connections have asymmetric bandwidth (different upload/download speeds). Configure QoS to handle this properly:
# Set realistic bandwidth limits (reserve 5% for overhead)
/queue tree add name=wan-download parent=ether1-WAN max-limit=95M
/queue tree add name=wan-upload parent=ether1-WAN max-limit=4750k
# Create separate VoIP queues for each direction
/queue tree add name=voip-down parent=wan-download packet-mark=rtp-media max-limit=2M priority=1
/queue tree add name=voip-up parent=wan-upload packet-mark=rtp-media max-limit=2M priority=1
Multi-Site VoIP QoS
For organizations with multiple sites connected via VPN:
# Mark inter-site VoIP traffic
/ip firewall mangle add chain=prerouting src-address=10.1.0.0/16 dst-address=10.2.0.0/16 action=mark-packet new-packet-mark=intersite-voip
/ip firewall mangle add chain=prerouting packet-mark=intersite-voip action=mark-dscp new-dscp=46
# Create dedicated queues for site-to-site VoIP
/queue tree add name=intersite-voip parent=vpn-tunnel packet-mark=intersite-voip max-limit=5M priority=1
Dynamic Bandwidth Adaptation
Monitor bandwidth usage and adjust VoIP allocations dynamically:
# Script to monitor VoIP queue utilization
:local voipqueue [/queue tree get [find name="voip-rtp-down"] bytes]
:local totalqueue [/queue tree get [find name="download-parent"] bytes]
:local utilization ($voipqueue * 100 / $totalqueue)
:if ($utilization > 80) do={
/queue tree set [find name="voip-rtp-down"] max-limit=7M
:log info "VoIP bandwidth increased due to high utilization: $utilization%"
}
Monitoring and Troubleshooting VoIP QoS
Built-in RouterOS Monitoring
1. Real-time Queue Statistics:
# View queue tree statistics
/queue tree print stats
# Monitor specific queue
/queue tree monitor [find name="voip-rtp-down"] duration=30
# Check packet marks
/ip firewall mangle print stats
2. Traffic Analysis with Torch:
# Monitor VoIP traffic on interface
/tool torch interface=ether1 port=any protocol=udp duration=60
# Filter for specific VoIP traffic
/tool torch interface=ether1 src-address=192.168.10.0/24 duration=30
3. Connection Tracking:
# View active VoIP connections
/ip firewall connection print where protocol=udp
# Monitor connection states
/ip firewall connection tracking print
VoIP Quality Monitoring
Performance Metrics to Track:
Call Quality Indicators:
- Mean Opinion Score (MOS) ratings
- Jitter measurements per call
- Packet loss percentages
- Round-trip time statistics
Network Performance:
- Queue utilization percentages
- Interface bandwidth usage
- CPU utilization during peak hours
- Memory usage for connection tracking
Monitoring Commands:
# Check interface utilization
/interface monitor-traffic interface=ether1 duration=300
# Monitor system resources
/system resource print
# View detailed queue information
/queue tree print detail where name~"voip"
# Check DSCP marking effectiveness
/tool torch interface=ether1 dscp=46 duration=60
Common Issues and Solutions
Problem 1: Asymmetric QoS Performance
Symptoms:
- Good inbound call quality, poor outbound quality
- One-way audio issues
- Choppy audio during heavy uploads
Solution:
# Verify upload/download queue configuration
/queue tree print where parent~"upload"
/queue tree print where parent~"download"
# Adjust upload bandwidth allocation
/queue tree set [find name="upload-parent"] max-limit=4M
/queue tree set [find name="voip-up"] max-limit=2M priority=1
Problem 2: DSCP Marking Not Working
Symptoms:
- VoIP traffic not prioritized by ISP
- Quality issues persist despite local QoS
- Provider reports unmarked traffic
Solution:
# Verify DSCP markings are applied
/ip firewall mangle print where action=mark-dscp
# Test DSCP preservation
/tool torch interface=ether1 dscp=46
# Alternative: Use packet marking only for local QoS
/queue tree set [find name="voip-rtp-down"] packet-mark=rtp-media
Problem 3: RTP Port Range Issues
Symptoms:
- Some calls have good quality, others don’t
- Intermittent audio problems
- VoIP system uses different ports than configured
Solution:
# Identify actual RTP ports in use
/tool torch interface=ether1 src-address=VoIP-SERVER-IP protocol=udp
# Expand RTP port range if needed
/ip firewall mangle set [find comment="RTP Media - Incoming"] dst-port=8000-30000
/ip firewall mangle set [find comment="RTP Media - Outgoing"] src-port=8000-30000
Problem 4: High CPU Usage
Symptoms:
- Router CPU above 80% during peak hours
- Slow response to management interface
- Dropped packets in queues
Solution:
# Simplify mangle rules
/ip firewall mangle remove [find where src-address~"192.168" and dst-address~"192.168"]
# Use connection marking instead of per-packet marking
/ip firewall mangle add chain=prerouting src-address=192.168.10.0/24 action=mark-connection new-connection-mark=voip-conn
/ip firewall mangle add chain=prerouting connection-mark=voip-conn action=mark-packet new-packet-mark=voip-traffic
# Consider hardware upgrade for high-throughput scenarios
Integration with Popular VoIP Systems
3CX Phone System Configuration
3CX systems require specific port ranges and protocols:
# 3CX Management and Provisioning
/ip firewall mangle add chain=prerouting dst-port=5060,5061,5090 action=mark-packet new-packet-mark=3cx-signaling
/ip firewall mangle add chain=prerouting src-port=5060,5061,5090 action=mark-packet new-packet-mark=3cx-signaling
# 3CX RTP Media (default range)
/ip firewall mangle add chain=prerouting dst-port=9000-9500 action=mark-packet new-packet-mark=3cx-media
/ip firewall mangle add chain=prerouting src-port=9000-9500 action=mark-packet new-packet-mark=3cx-media
# 3CX Web Client
/ip firewall mangle add chain=prerouting dst-port=443 src-address=3CX-SERVER-IP action=mark-packet new-packet-mark=3cx-web
/ip firewall mangle add chain=prerouting src-port=443 dst-address=3CX-SERVER-IP action=mark-packet new-packet-mark=3cx-web
# Apply appropriate DSCP markings
/ip firewall mangle add chain=prerouting packet-mark=3cx-media action=mark-dscp new-dscp=46
/ip firewall mangle add chain=prerouting packet-mark=3cx-signaling action=mark-dscp new-dscp=24
/ip firewall mangle add chain=prerouting packet-mark=3cx-web action=mark-dscp new-dscp=34
FreePBX/Asterisk Configuration
FreePBX systems often use configurable port ranges:
# FreePBX SIP Traffic
/ip firewall mangle add chain=prerouting dst-address=FREEPBX-IP protocol=udp dst-port=5060 action=mark-packet new-packet-mark=freepbx-sip
/ip firewall mangle add chain=prerouting src-address=FREEPBX-IP protocol=udp src-port=5060 action=mark-packet new-packet-mark=freepbx-sip
# FreePBX RTP Range (typically 10000-20000)
/ip firewall mangle add chain=prerouting dst-address=FREEPBX-IP protocol=udp dst-port=10000-20000 action=mark-packet new-packet-mark=freepbx-rtp
/ip firewall mangle add chain=prerouting src-address=FREEPBX-IP protocol=udp src-port=10000-20000 action=mark-packet new-packet-mark=freepbx-rtp
# IAX2 Protocol (if used)
/ip firewall mangle add chain=prerouting protocol=udp dst-port=4569 action=mark-packet new-packet-mark=iax2-traffic
/ip firewall mangle add chain=prerouting protocol=udp src-port=4569 action=mark-packet new-packet-mark=iax2-traffic
# DSCP markings
/ip firewall mangle add chain=prerouting packet-mark=freepbx-rtp action=mark-dscp new-dscp=46
/ip firewall mangle add chain=prerouting packet-mark=freepbx-sip action=mark-dscp new-dscp=24
/ip firewall mangle add chain=prerouting packet-mark=iax2-traffic action=mark-dscp new-dscp=46
Microsoft Teams Configuration
Microsoft Teams requires special consideration for its dynamic nature:
# Teams Media Traffic (Microsoft IP ranges - update regularly)
/ip firewall address-list add address=13.107.64.0/18 list=teams-media
/ip firewall address-list add address=52.112.0.0/14 list=teams-media
/ip firewall address-list add address=52.120.0.0/14 list=teams-media
# Mark Teams media traffic
/ip firewall mangle add chain=prerouting dst-address-list=teams-media protocol=udp action=mark-packet new-packet-mark=teams-media
/ip firewall mangle add chain=prerouting src-address-list=teams-media protocol=udp action=mark-packet new-packet-mark=teams-media
# Teams signaling (HTTPS)
/ip firewall mangle add chain=prerouting dst-address-list=teams-media protocol=tcp dst-port=443 action=mark-packet new-packet-mark=teams-signaling
# Apply DSCP markings
/ip firewall mangle add chain=prerouting packet-mark=teams-media action=mark-dscp new-dscp=46
/ip firewall mangle add chain=prerouting packet-mark=teams-signaling action=mark-dscp new-dscp=24
Performance Optimization and Best Practices
Hardware Considerations
RouterBoard Selection:
- Small Office (< 25 users): RB4011 or hEX S
- Medium Business (25-100 users): CCR1009 or CCR1016
- Large Enterprise (100+ users): CCR1036 or CCR1072
CPU and Memory Requirements:
- Connection tracking uses ~300 bytes per connection
- Complex mangle rules increase CPU usage
- Queue processing requires CPU cycles
- Monitor CPU usage during peak hours
Configuration Optimization Tips
1. Minimize Mangle Rules:
# Instead of multiple rules for each port, use port ranges
/ip firewall mangle add chain=prerouting protocol=udp dst-port=5060,5061,10000-20000 action=mark-packet new-packet-mark=voip-all
# Use connection marking to reduce per-packet processing
/ip firewall mangle add chain=prerouting src-address=192.168.10.0/24 action=mark-connection new-connection-mark=voip-conn
/ip firewall mangle add chain=prerouting connection-mark=voip-conn action=mark-packet new-packet-mark=voip-traffic
2. Optimize Queue Structure:
# Use fewer, broader queues instead of many specific ones
/queue tree add name=priority-traffic parent=global max-limit=20M priority=1
/queue tree add name=standard-traffic parent=global max-limit=60M priority=4
/queue tree add name=bulk-traffic parent=global max-limit=20M priority=8
3. Buffer Size Tuning:
# Adjust queue buffer sizes for VoIP
/queue tree set [find name="voip-rtp-down"] queue=default-small
/queue tree set [find name="voip-rtp-up"] queue=default-small
# Create custom queue type for VoIP
/queue type add name=voip-queue kind=pfifo pfifo-limit=10
Security and QoS Integration
Firewall Rules with QoS:
# Allow VoIP traffic through firewall with QoS intact
/ip firewall filter add chain=forward protocol=udp dst-port=10000-20000 action=accept comment="Allow RTP media"
/ip firewall filter add chain=forward protocol=udp dst-port=5060,5061 action=accept comment="Allow SIP signaling"
# Drop malicious traffic before QoS processing
/ip firewall filter add chain=input protocol=udp dst-port=5060 src-address-list=blacklist action=drop
/ip firewall raw add chain=prerouting protocol=udp dst-port=5060 src-address-list=ddos-attackers action=drop
DDoS Protection for VoIP:
# Rate limit SIP registration attempts
/ip firewall filter add chain=input protocol=udp dst-port=5060 limit=10,20:packet action=accept
/ip firewall filter add chain=input protocol=udp dst-port=5060 action=drop
# Protect against VoIP scanning
/ip firewall address-list add address=0.0.0.0 list=voip-blacklist timeout=1d
/ip firewall filter add chain=input protocol=udp dst-port=5060 src-address-list=!local-networks limit=5,10:packet action=add-src-to-address-list address-list=voip-blacklist
Real-World Implementation Case Studies
Case Study 1: Small Accounting Firm (15 Users)
Environment:
- 15 desktop VoIP phones
- 3CX phone system
- 50/10 Mbps internet connection
- MikroTik hEX S router
Implementation:
# Simple configuration focusing on ease of management
/ip firewall mangle add chain=prerouting src-address=192.168.20.0/24 action=mark-connection new-connection-mark=phones
/ip firewall mangle add chain=prerouting dst-address=192.168.20.0/24 action=mark-connection new-connection-mark=phones
/ip firewall mangle add chain=prerouting connection-mark=phones action=mark-packet new-packet-mark=voip-priority
# Simple queue implementation
/queue simple add name=voip-phones target-addresses=192.168.20.0/24 max-limit=5M/2M priority=1/1
/queue simple add name=internet-users target-addresses=192.168.1.0/24 max-limit=40M/8M priority=4/4
Results:
- Call quality improved from 3.2 to 4.6 MOS rating
- Eliminated choppy audio during file uploads
- Zero complaints during peak business hours
- Easy to manage and troubleshoot
Case Study 2: Manufacturing Company (75 Users)
Environment:
- 75 IP phones across 3 buildings
- FreePBX system with SIP trunks
- 200/20 Mbps fiber connection
- MikroTik CCR1009 router
Implementation:
# Building-specific VoIP subnets
/ip firewall mangle add chain=prerouting src-address=10.1.10.0/24 action=mark-connection new-connection-mark=building1-voip
/ip firewall mangle add chain=prerouting src-address=10.1.20.0/24 action=mark-connection new-connection-mark=building2-voip
/ip firewall mangle add chain=prerouting src-address=10.1.30.0/24 action=mark-connection new-connection-mark=building3-voip
# Consolidated VoIP marking
/ip firewall mangle add chain=prerouting connection-mark=building1-voip,building2-voip,building3-voip action=mark-packet new-packet-mark=company-voip
# Queue tree with guaranteed bandwidth
/queue tree add name=voip-guaranteed parent=global max-limit=10M limit-at=5M priority=1
/queue tree add name=business-apps parent=global max-limit=100M limit-at=50M priority=3
/queue tree add name=internet-general parent=global max-limit=90M priority=5
Results:
- Supported peak usage of 45 concurrent calls
- Maintained call quality during network maintenance
- Reduced help desk calls by 80%
- Enabled expansion to remote workers
Case Study 3: Call Center (200 Agents)
Environment:
- 200 agent workstations with softphones
- Cloud-based VoIP provider
- Redundant 500/50 Mbps connections
- MikroTik CCR1036 with load balancing
Implementation:
# Multiple WAN interface load balancing with VoIP priority
/ip route add dst-address=0.0.0.0/0 gateway=ISP1-GW distance=1 check-gateway=ping routing-mark=wan1
/ip route add dst-address=0.0.0.0/0 gateway=ISP2-GW distance=1 check-gateway=ping routing-mark=wan2
# VoIP traffic routing to primary connection
/ip firewall mangle add chain=output packet-mark=voip-traffic action=mark-routing new-routing-mark=wan1
# Per-agent bandwidth management
/queue tree add name=agents-parent parent=global max-limit=400M
/queue tree add name=voip-priority parent=agents-parent packet-mark=voip-traffic max-limit=50M limit-at=25M priority=1
/queue tree add name=web-apps parent=agents-parent max-limit=300M priority=4
/queue tree add name=general-traffic parent=agents-parent max-limit=200M priority=6
# Connection tracking optimization for high session count
/ip firewall connection tracking set tcp-established-timeout=1h tcp-close-timeout=10s udp-timeout=30s
Results:
- Achieved 99.5% call completion rate
- Average MOS score of 4.4 across all agents
- Seamless failover during ISP outages
- Scaled to handle Black Friday call volumes
Advanced Monitoring and Alerting
Automated Monitoring Scripts
VoIP Quality Monitoring Script:
# Script: voip-monitor.rsc
:local voipBytes [/queue tree get [find name="voip-priority"] bytes]
:local totalBytes [/queue tree get [find name="global"] bytes]
:local voipPercent ($voipBytes * 100 / $totalBytes)
:if ($voipPercent > 25) do={
:log warning "VoIP traffic exceeds 25% of total bandwidth: $voipPercent%"
/tool e-mail send to="admin@company.com" subject="High VoIP Usage Alert" body="VoIP traffic is at $voipPercent% of total bandwidth"
}
:local queueDrops [/queue tree get [find name="voip-priority"] drops]
:if ($queueDrops > 0) do={
:log error "VoIP queue drops detected: $queueDrops packets"
/tool e-mail send to="admin@company.com" subject="VoIP Packet Drops" body="VoIP queue has dropped $queueDrops packets"
}
Connection Monitoring:
# Monitor active VoIP connections
:local voipConns [:len [/ip firewall connection find where connection-mark="voip-conn"]]
:local maxConns 50
:if ($voipConns > $maxConns) do={
:log info "High VoIP connection count: $voipConns active calls"
}
:if ($voipConns = 0) do={
:log warning "No active VoIP connections - possible system issue"
}
SNMP Monitoring Integration
Configure SNMP for external monitoring:
# Enable SNMP
/snmp set enabled=yes contact="IT Admin" location="Main Office"
/snmp community add name=voip-monitor addresses=192.168.1.100/32 read-access=yes
# Monitor specific OIDs for VoIP queues
# Queue bytes: 1.3.6.1.4.1.14988.1.1.2.1.1.2.X
# Queue packets: 1.3.6.1.4.1.14988.1.1.2.1.1.3.X
# Queue drops: 1.3.6.1.4.1.14988.1.1.2.1.1.6.X
Integration with monitoring systems:
- PRTG: Use MikroTik device template with custom sensors
- Nagios: Monitor queue statistics and call quality metrics
- Zabbix: Import MikroTik template and add VoIP-specific items
- LibreNMS: Automatic discovery of MikroTik queues and interfaces
Future-Proofing Your VoIP QoS Implementation
Emerging Technologies Integration
WebRTC Traffic Handling:
# WebRTC uses STUN/TURN servers and dynamic ports
/ip firewall mangle add chain=prerouting dst-port=3478,5349 protocol=udp action=mark-packet new-packet-mark=webrtc-signaling
/ip firewall mangle add chain=prerouting dst-port=3478,5349 protocol=tcp action=mark-packet new-packet-mark=webrtc-signaling
# WebRTC media can use any UDP port - monitor and adjust
/ip firewall mangle add chain=prerouting protocol=udp connection-state=new action=mark-connection new-connection-mark=potential-webrtc
5G and Mobile Integration:
# Prepare for increased mobile VoIP traffic
/ip firewall mangle add chain=prerouting src-address-list=mobile-devices protocol=udp action=mark-packet new-packet-mark=mobile-voip
/queue tree add name=mobile-voip parent=wireless-interface packet-mark=mobile-voip max-limit=20M priority=2
Cloud VoIP Evolution:
# Dynamic provider IP address handling
/ip firewall address-list add address=PROVIDER-SUBNET list=voip-providers
/ip firewall mangle add chain=prerouting dst-address-list=voip-providers protocol=udp action=mark-packet new-packet-mark=cloud-voip
# API integration for automatic updates
/system script add name=update-voip-providers source={
/tool fetch url="https://voip-provider.com/api/ip-ranges" dst-path=provider-ips.txt
# Process and update address lists
}
Scalability Planning
Capacity Planning Guidelines:
Network Growth Factors:
- Plan for 25% annual user growth
- Consider peak usage patterns (lunch hours, Monday mornings)
- Account for seasonal variations (holiday call volumes)
- Reserve bandwidth for emergency scenarios
Hardware Upgrade Path:
- Current: hEX S (< 25 users)
- Upgrade 1: RB4011 (25-50 users)
- Upgrade 2: CCR1009 (50-150 users)
- Upgrade 3: CCR1036 (150+ users)
Configuration Scalability:
# Use address lists instead of hardcoded subnets
/ip firewall address-list add address=192.168.10.0/24 list=voip-phones
/ip firewall address-list add address=192.168.11.0/24 list=voip-phones
/ip firewall mangle add chain=prerouting src-address-list=voip-phones action=mark-packet new-packet-mark=voip-all
# Template-based queue configuration
/queue tree add name=site1-voip parent=site1-parent packet-mark=site1-voip max-limit=5M priority=1
/queue tree add name=site2-voip parent=site2-parent packet-mark=site2-voip max-limit=5M priority=1
Compliance and Documentation
PCI DSS Considerations:
- VoIP systems processing payment card data need special protection
- Segment VoIP traffic from PCI environment
- Document QoS policies in PCI compliance reports
- Regular security assessments including QoS configuration
Change Management:
# Configuration backup before changes
/export file=voip-qos-backup-20241207
# Document all changes in comments
/queue tree add name=new-voip-queue parent=global max-limit=10M priority=1 comment="Added 2024-12-07 for new department - Ticket #12345"
# Version control for scripts
/system script add name=voip-qos-v2.1 source={ # configuration here }
Troubleshooting Quick Reference
Diagnostic Commands
Essential troubleshooting commands:
# Check queue statistics
/queue tree print stats where name~"voip"
# Monitor real-time traffic
/tool torch interface=ether1 protocol=udp port=10000-20000
# Verify mangle rules are matching
/ip firewall mangle print stats where packet-mark~"voip"
# Check connection tracking
/ip firewall connection print where protocol=udp
# Monitor interface utilization
/interface monitor-traffic interface=ether1 duration=60
# Check system resources
/system resource print
# Test bandwidth
/tool bandwidth-test address=VOIP-SERVER duration=30s protocol=udp
Performance Benchmarks
Acceptable Performance Thresholds:
Queue Statistics:
- VoIP queue drops: 0 packets per hour
- Queue utilization: < 80% of allocated bandwidth
- Buffer overflow: 0 occurrences
- Average queue depth: < 5 packets
Network Metrics:
- Round-trip time: < 100ms to VoIP servers
- Jitter: < 20ms standard deviation
- Packet loss: < 0.1% over 24-hour period
- Bandwidth utilization: < 70% of total capacity
System Performance:
- CPU usage: < 60% average, < 80% peak
- Memory usage: < 75% of available RAM
- Connection tracking: < 80% of maximum entries
- Disk usage: < 80% for logging and configuration
Common Error Messages and Solutions
“Queue tree: parent not found”
- Solution: Create parent queue before child queues
- Verify parent queue name spelling and case
“Connection tracking table full”
- Solution: Increase connection tracking limits
- Clean up old connections with shorter timeouts
“Interface queue full”
- Solution: Increase interface queue size
- Optimize queue configuration to prevent buildup
“Packet mark not found”
- Solution: Verify mangle rules are creating the packet marks
- Check rule order and matching criteria
Conclusion and Implementation Roadmap
Implementing effective VoIP QoS with MikroTik RouterOS requires systematic planning, proper configuration, and ongoing monitoring. This guide provides the foundation for enterprise-grade voice quality at small business costs.
Key Implementation Steps
1: Assessment and Planning (Week 1)
- Document current network infrastructure
- Identify VoIP system requirements and traffic patterns
- Plan bandwidth allocation and QoS policy structure
- Backup existing configuration
2: Basic QoS Implementation (Week 2)
- Configure mangle rules for VoIP traffic identification
- Implement basic queue structure with VoIP priority
- Apply DSCP markings for standards compliance
- Test configuration with limited user group
3: Advanced Optimization (Week 3)
- Fine-tune queue parameters based on usage patterns
- Implement monitoring and alerting systems
- Optimize for specific VoIP system integration
- Document configuration and procedures
4: Production Deployment (Week 4)
- Roll out to all users during maintenance window
- Monitor performance metrics closely
- Address any quality issues immediately
- Provide user training and support documentation
Success Metrics
Technical Objectives:
- Achieve < 150ms one-way latency for all calls
- Maintain < 1% packet loss during peak usage
- Eliminate audio quality complaints
- Support planned growth without degradation
Business Outcomes:
- Reduce VoIP-related support tickets by 75%
- Improve customer satisfaction scores
- Enable remote work capabilities
- Support business continuity requirements
Ongoing Maintenance
Monthly Tasks:
- Review queue statistics and utilization trends
- Check for firmware updates and security patches
- Validate configuration backups
- Monitor system performance metrics
Quarterly Reviews:
- Assess capacity planning and growth requirements
- Review and update VoIP provider configurations
- Test disaster recovery procedures
- Update documentation and training materials
Annual Assessments:
- Complete security audit including QoS policies
- Evaluate hardware upgrade requirements
- Review compliance with industry standards
- Plan for emerging technology integration
MikroTik RouterOS provides powerful QoS capabilities that, when properly configured, deliver enterprise-grade VoIP performance. Following this guide ensures reliable voice communication that supports your business objectives while maintaining cost-effective network infrastructure.
The investment in proper VoIP QoS configuration pays immediate dividends in improved communication quality and user satisfaction. As your organization grows and evolves, this foundation supports scalable expansion and integration of new voice technologies.
Remember that QoS implementation is not a one-time project but an ongoing process of monitoring, optimization, and adaptation to changing business needs. Regular attention to VoIP quality metrics ensures your communication infrastructure continues to support business success.
Check our list of MikroTik guides.
