Setting DSCP (ToS) bits on your voice packets

I have seen many people struggle wondering why their setting of:

[/code:1]in sip.conf (or its equivalent in iax.conf) are not doing anything for them. And many more people probably think it is. Unless something has changed - this has always been a limitation because Asterisk does not run as root and would need to for these settings to have effect. (And you don’t want to run asterisk as root!). There are some patches I recall that can address this - but I never bothered to go that route since this can easily be accomplished using iptables to obtain your desired results.

If you are runninning with a ‘standard’ configuration using 4569 for iax, 5060 for Asterisk’s SIP binding and UDP ports 10000-20000 for your rtp ports, then you need simply apply a set of iptables rules on your box that will set these bits for you. The following rules will do this for you. You can simply add them to /etc/rc.local and they will get executed at boot. Or - if you do anything else with iptables on your system, use what ever method you are already using (webmin, etc.) to set these rules.

[code:1]/sbin/iptables -A OUTPUT -t mangle -p udp -m udp --sport 4569 -j DSCP --set-dscp-class ef
/sbin/iptables -A OUTPUT -t mangle -p udp -m udp --sport 10000:20000 -j DSCP --set-dscp-class ef
/sbin/iptables -A OUTPUT -t mangle -p udp -m udp --sport 5060 -j DSCP --set-dscp-class ef
[/code:1]Hope that helps answer the question of why the bits are not being set. (unless something changed since the last time I looked into this.)

For anyone finding this page through a search, Asterisk has been able to directly set DSCP/DiffServ bits without running with root permissions for some years now – it uses the libcap library to do this.

This has been true since Asterisk 1.4.18 – see

The iptables workaround above is only needed for older versions of Asterisk than 1.4.18 unless Asterisk was for some reason compiled without using libcap available.

1 Like