QoS in VLAN-Bridges

I'm getting two tagged VLANs from my ISP.
The first VLAN (20) is for Internet traffic, the second VLAN (30) is for VoIP traffic. Both share the total bandwidth of 10 Mbit/s.
I'd like to give VLAN 20 untagged to port 1 of my Archer C7 and VLAN 30 untagged to port 2, so that I have the IP connection for internet terminating on my firewall and the IP connection for VoIP terminating on my VoIP gateway.

My goal is that VoIP will never be affected by downloads over the internet, streaming or anything else.

Is there a way to map the packets coming in on port 2 to a specified queue? Maybe through iptables or tc filter? What do you prefer, and which queueing algorithm do you use?

Thanks in advance!

Best Regards

This will probably not answer your questions, but here are my two cents:

  • I have an FTTH line coming to my home; the fiber is connected to an ONT, and then a router is connected to the ONT.
  • My ISP uses separate VLANs for internet, VoIP, and IPTV. However, traffic is not shared, so I get my full bandwidth on the internet connection, regardless of the use of VoIP or IPTV; the fiber has bandwidth enough for that, and much more.
  • I get all the traffic on the same WAN port, but segregate it using the VLANs: eth0.x for internet, eth0.y for VoIP, and eth0.z for IPTV.
  • If you separate the ports on the switch (I do not see the advantage here), or use the VLANs to create separate interfaces, then you end up with different interfaces; I guess you should queue your traffic according to the interface, then.

Using QoS, you would dedicate the bandwidth, and then specify by port/ip/protocol combinations to identify your VoIP traffic, then set a type (i.e. Express, Priority, Normal, Low). While I don't use separate VLANs on WAN, I do have QoS setup on multiple local VLANs needing different quality for: VoIP, video, etc. I also use QoS to prioritize one VLAN's regular traffic over another.

The graphical package to install is: luci-app-qos.

You don't use the tc command?
I'd like to have 2 queues, one with higher priority for traffic coming from physical port 2 and the other queue with all the internet traffic. All the bandwidth should be available on port 1 as long as there is no traffic on port 2.
That means: the 10 Mbit are available for downloading, but when somebody is trying to call out or a call comes in, port 1 traffic for VoIP will be prioritized, so that there is no jitter, delay or packet loss.
Is this possible with luci-app-qos?

There are a lot of queueing algorithms and I don't know which would fit best in my case. :confused:


QoS is not done by physical Ethernet ports. I was referring to TCP/UDP port. You have to describe the Layer 3 traffic. As I noted, you identify the traffic needing priority by:

Hope this helps.

You would need a SIP helper then, as the RTP protocol uses random ports handed out via SIP?

If I activated iptables on bridges, I could mark all packets coming from a specified source range or source port with a TOS field?!

No, my LAN SIP server has a static IP address. The VoIP traffic uses UDP. It connects and uses a range of known ports to perform VoIP. Certain trunks on my system connect to certain IPs/ports. So, I simply configure: the Server's IP, destination IP (if needed), select protocol UDP and the ports used.

Here is an example of the standard VoIP rules I use:


If you install the app, you can see the Web GUI used to configure QoS traffic. QoS is disabled by default upon install, so nothing should "break" by downloading it.

I advise just installing the app and taking a look.

I think I'd need another setup. This one is too static; as I said, I need a VoIP gateway behind port 2, and this could be a different device from customers :confused:

It sounds like you want to simply pass through VLAN 30 in hardware. Here's my suggestion:

Buy a Zyxel Managed Switch: GS1900-x where x is some port count... depending on your budget. The 24 is the best deal per port, but the 8 is probably sufficient here and costs less overall.

Plug ISP ethernet into, say, port 1, and make this port a member of both VLAN 20 and VLAN 30 tagged. (Make sure you forbid this port from the management VLAN, which is usually 1 but can be changed.)

Plug your internet router into, say, port 2, making it a member of VLAN 20 tagged or untagged as you prefer.

Plug your voice device into port 3 making port 3 a member of VLAN 30.

Now go into QoS settings and make all packets coming in on port 3 have highest priority, and strict priority queueing. Now all packets sent by your voice device are immediately sent forcing some other packets on VLAN 20 to wait.

Inbound is a little different; not every packet that comes in port 1 needs to be high priority, in fact only those on VLAN 30. If your ISP already marks them with CoS or DSCP then you're ok.

I'd be shocked if your ISP went to the trouble of separating out a voice VLAN and yet didn't give it higher priority, so since the queue at the ISP level is probably controlling the jitter, inbound is much less of an issue (the switch will switch at gigabit speeds so it's not the bottleneck, the bottleneck is the ISP connection to your house).

If you want to do your best to ensure flawless voice inbound, you can set up an egress limit on port 2 (the internet router port) at say 200 kbit less than the inbound speed for your internet. This small loss of speed is an unavoidable aspect of trying to control inbound QoS.
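Added example, not part of any post in this thread: a small simulation of the shared 10 Mbit/s link comparing a single FIFO queue with strict priority for VLAN 30, to show what the scheduler at the bottleneck does to voice delay. The traffic pattern (a 50-frame download burst on VLAN 20, three 200-byte voice frames on VLAN 30) is constructed, and the model assumes one non-preemptive link with no framing overhead.

```python
LINK_BPS = 10_000_000            # the shared 10 Mbit/s link from the thread
DATA_VLAN, VOICE_VLAN = 20, 30   # VLAN IDs from the thread

def tx_time_us(size_bytes, link_bps=LINK_BPS):
    """Serialization time of one frame on the link, in microseconds."""
    return size_bytes * 8 * 1_000_000 // link_bps

def simulate(packets, strict_priority):
    """Send (arrival_us, size_bytes, vlan) packets over one non-preemptive link.

    Returns (vlan, delay_us) per packet; delay runs from arrival to last bit sent.
    """
    pending = sorted(packets, key=lambda p: p[0])
    queue, results, now, i = [], [], 0, 0
    while i < len(pending) or queue:
        # Admit everything that has arrived by the current time.
        while i < len(pending) and pending[i][0] <= now:
            queue.append(pending[i])
            i += 1
        if not queue:                 # link idle: jump to the next arrival
            now = pending[i][0]
            continue
        idx = 0                       # FIFO: oldest frame first
        if strict_priority:           # voice VLAN always goes before data
            idx = next((k for k, p in enumerate(queue) if p[2] == VOICE_VLAN), 0)
        arrival, size, vlan = queue.pop(idx)
        now += tx_time_us(size)       # a frame in flight is never interrupted
        results.append((vlan, now - arrival))
    return results

def worst_voice_delay_us(packets, strict_priority):
    """Largest delay seen by any VLAN 30 frame."""
    return max(d for vlan, d in simulate(packets, strict_priority)
               if vlan == VOICE_VLAN)

def constructed_traffic():
    """Constructed sample: download burst at t=0, voice frames 20 ms apart."""
    bulk = [(0, 1500, DATA_VLAN)] * 50
    voice = [(t, 200, VOICE_VLAN) for t in (1_000, 21_000, 41_000)]
    return bulk + voice

if __name__ == "__main__":
    pkts = constructed_traffic()
    print("FIFO worst voice delay (us):", worst_voice_delay_us(pkts, False))
    print("strict priority worst voice delay (us):", worst_voice_delay_us(pkts, True))
```

With strict priority a voice frame waits at most for the one data frame already on the wire, so its delay is bounded by one 1500-byte frame plus its own serialization time, independent of how long the download burst is.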

@lleachii How do you set up QoS on multiple local VLANs and prioritize them without from CLI? I am trying to set up QoS in a similar way so that the VLAN which will be carrying gaming console traffic has the lowest latency and maximum bandwidth.

Thanks in advance.

#FOR QoS INSTALL: luci-app-qos

Thanks @lleachii. I have one more doubt. We will mark a DSCP value on packets coming from wlan (LAN) and apply QoS based on the DSCP value on the WAN interface. But how will we ensure that the same QoS will be applied to packets coming to the WAN interface from the external network for wlan0?

You don't control inbound packets, the ISP does.

QoS applied to packets coming from WAN can only be applied during egress from some device, in particular when the router re-sends the packet to your LAN.

If you want to use iptables to set DSCP values on incoming packets and then control the output priority on sending to your LAN please see this recent thread: Ultimate SQM settings: Layer_cake + DSCP marks

Thanks @lleachii and @dlakelan for your response.

It's very informative. I will try to use the same.