How to configure SonicWall to enable traffic toward an on-premises VoIP server without a VLAN
1. Create Address Objects for VoIP Providers/Connections
2. Run wizard to enable SIP public server (which creates private & public address + three NAT policies)
3. Create custom Service Object for “Asterisk RTP” with UDP ports 10000-20000
4. Enable “Consistent NAT”
5. Create WAN to LAN firewall rule: Source = “VoIP Providers”, Destination = “{public_IP}”, Service = SIP
6. Create WAN to LAN firewall rule: Source = “any”, Destination = “{public_IP}”, Service = Asterisk RTP, Ethernet BWM = {set guaranteed/max Inbound bandwidth}
7. Create LAN to WAN firewall rule: Source = “PBX Private”, Destination = any, Service = SIP, (click Advanced tab, set UDP timeout to 3600)
8. Create LAN to WAN firewall rule: Source = “PBX Private”, Destination = any, Service = “Asterisk RTP” (click Advanced tab, set UDP timeout to 300 >> click QoS tab, set 802.1p QoS markings to “Explicit” and “voice (<10ms latency)” >> click BWM, set “Ethernet BWM” guaranteed/max Outbound bandwidth)
SonicWall does not perform true QoS. The following is a workaround:
1. Create VoIP VLAN as 802.1q sub-interface of X0 (LAN) Interface
2. Use a QoS capable switch (Cisco 2960, 3550, or HP Procurve 2XXX)
3. Configure the switch to use SonicWall’s X0 as uplink trunk port with native VLAN set to VLAN ID of data subnet, and set Allowed VLAN of VoIP VLAN (this is known as “PVID” or “Tagged VLAN”)
4. Configure QoS Policy to prioritize DSCP markings (some switches require mapping DSCP to 802.1p “COS” value)
5. Set the LAN to WAN firewall rule: use the QoS table to explicitly set the DSCP value and map it to the COS value configured on the switch. Or, for switches with native COS capability, set a SonicWall COS value of 5 on the Advanced tab of the VoIP VLAN sub-interface
6. Note that not all providers tag DSCP values in their packets. If a provider does, set QoS to map DSCP to COS if you are using COS/802.1p
Sonicwall VoIP settings:
– Disable SIP transformation within the VoIP settings
– Enable Consistent NAT
– Add Service Group with SIP ports 5060-5062 UDP, RTP 10000-20000 for TCP/UDP
– Add that new Service Group to the LAN > WAN Access Rule (source = any)
If server is on the cloud:
– Add VoIP server WAN IP address to the domain and proxy
– Edit the default LAN > WAN firewall rule and other SIP rules: Allow Fragmented Packets = checked, TCP timeout = 15, UDP timeout = 1200
If server is on-premise:
– Add VoIP server WAN IP address to the domain and proxy
– Edit the default WAN > LAN firewall rule and other SIP rules: Allow Fragmented Packets = checked, TCP timeout = 15, UDP timeout = 1200
– Add VoIP server to DMZ
– Add VoIP server to NAT Rule
———————————————————————–
How to configure Sonicwall to enable traffic toward a cloud VoIP server
Create a VoIP zone:
Network >> Zones >> Create new Zone named VoIP >> Security Type = Trusted, “Allow Interface Trust” = checked
Create an Uplink to a tagged switch port:
Network >> Interfaces >> Add Interface >> select Zone “VoIP”, VLAN ID = 101, parent interface = X0 or LAN, IP = 192.168.101.1/24, enable HTTP/HTTPS & ping >> Advanced tab, 802.1p = checked, drop-down menu = 6 – Voice
Enable DHCP for VoIP subnet
Network >> DHCP >> Add Dynamic >> select Interface Pre-populate >> select VLAN Tagged interface X0:2
Bandwidth management
Firewall Settings >> BWM >> Bandwidth Management Type = Global >> Apply
Network >> Interfaces >> edit X1 (WAN) interface >> Advanced tab >> enable Ingress and Egress Bandwidth Management >> input bandwidth values as acquired via speedtest.net (note: 1Mbps = 1014 Kbps) >> OK
Firewall Settings >> BWM >> Global Mode = 4 – Medium category >> use this calculator to obtain reserved bandwidth requirement: https://www.asteriskguru.com/tools/bandwidth_calculator.php >> enter X1% Guaranteed Bandwidth in the Highest Category with 100% allowance >> X2% for SIP traffic in High Category, 100% max >> X3% = (X1+X2) percent for Medium Category, X3% max >> Accept & Apply
Enable Consistent NAT
VoIP >> Settings >> Enable Consistent NAT = Enabled >> Sonicwall SIP = Disabled
Firewall Rules for cloud PBX public IP
Firewall >> Service Objects >> click Custom Address Objects >> select Add >> name = PBX, zone = WAN (outside of firewall), type = host, input public IP of PBX >> click Add
Create RTP service
Firewall >> Service Objects >> click Custom Services >> select Add >> name = “RTP” >> protocol = UDP (17) >> default port range = 10000-20000 >> click Add
Create SIP firewall rules
Firewall >> Access Rules >> click on Matrix View >> select “from VoIP to WAN” >> Add >> Allow = selected, service = SIP, source = Subnet of the VLAN interface created earlier, destination = “PBX” address object >> Advanced tab >> UDP Connection Inactivity Timeout = 3600 (1 hour) >> Ethernet BWM tab >> enable inbound and outbound management >> select 2-High for both >> click Add
Create RTP firewall rules
Firewall >> Access Rules >> click on Matrix View >> select “from VoIP to WAN” >> Add >> Allow = selected, service = RTP, source = Subnet of the VLAN interface created earlier, destination = “PBX” address object >> Advanced tab >> UDP Connection Inactivity Timeout = 300 (5 minutes) >> Ethernet BWM tab >> enable inbound and outbound management >> select 1-Highest for both >> click Add
Other VoIP Considerations:
– Trunking over-subscription ratios are typically between 4:1 and 10:1
– G711 equates to about 19 concurrent calls on a T1
– G729 takes less bandwidth
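The bandwidth-calculator step in the BWM section above and the codec figures in the list just ended (about 19 G.711 calls on a T1) can be reproduced offline. The following Python is an added example, not part of the original article and not a SonicWall or Asterisk tool: it derives per-call bandwidth from codec bit rate and packetization, the number of calls a link can carry, and the X1/X2/X3 percentages for the BWM layout the article describes (X1 for RTP in Highest, X2 for SIP in High, X3 = X1 + X2 for Medium). The 20 ms packetization, the 64 kbps SIP signalling allowance and the uplink speed in the demo are assumptions or constructed inputs.

```python
"""Per-call VoIP bandwidth and SonicWall BWM percentages (added example)."""
from dataclasses import dataclass
from math import ceil

# Header overhead carried by every RTP packet, in bytes.
IP_UDP_RTP_HDR = 20 + 8 + 12      # IPv4 + UDP + RTP
ETHERNET_L2 = 14 + 4              # Ethernet II header + FCS (preamble/IFG not counted)


@dataclass(frozen=True)
class Codec:
    name: str
    payload_kbps: int        # codec bit rate
    ptime_ms: int = 20       # packetization interval (assumed 20 ms, the common default)

    def payload_bytes(self) -> int:
        # kbit/s * ms = bits per packet; divide by 8 for bytes
        return self.payload_kbps * self.ptime_ms // 8

    def packets_per_second(self) -> float:
        return 1000 / self.ptime_ms

    def kbps_per_call(self, l2_overhead: int = ETHERNET_L2) -> float:
        """Bandwidth for one direction of one call, headers included."""
        frame_bytes = self.payload_bytes() + IP_UDP_RTP_HDR + l2_overhead
        return frame_bytes * 8 * self.packets_per_second() / 1000


G711 = Codec("G.711", 64)   # 160-byte payload, 87.2 kbps on Ethernet
G729 = Codec("G.729", 8)    # 20-byte payload, 31.2 kbps on Ethernet

T1_KBPS = 1544


def calls_on_link(link_kbps: float, codec: Codec, l2_overhead: int = ETHERNET_L2) -> int:
    """Whole calls that fit on a link of the given speed (one direction)."""
    return int(link_kbps // codec.kbps_per_call(l2_overhead))


def bwm_percentages(uplink_kbps: float, concurrent_calls: int, codec: Codec,
                    sip_kbps: float = 64) -> tuple[int, int, int]:
    """Percentages for the BWM layout described in the article:
    X1 = RTP in Highest, X2 = SIP in High, X3 = X1 + X2 for Medium.
    sip_kbps is a constructed allowance for signalling, which is small."""
    rtp_kbps = concurrent_calls * codec.kbps_per_call()
    x1 = ceil(100 * rtp_kbps / uplink_kbps)
    x2 = ceil(100 * sip_kbps / uplink_kbps)
    if x1 + x2 > 100:
        raise ValueError("uplink too small for the requested number of calls")
    return x1, x2, x1 + x2


if __name__ == "__main__":
    for codec in (G711, G729):
        print(f"{codec.name}: {codec.kbps_per_call():.1f} kbps per call, "
              f"{calls_on_link(T1_KBPS, codec, l2_overhead=0)} calls on a T1 (IP-level)")
    # Constructed sample: 10 Mbps uplink carrying 10 concurrent G.711 calls
    print("BWM X1/X2/X3 =", bwm_percentages(10_000, 10, G711))
```

With the T1 counted at the IP level (no Ethernet framing) G.711 comes out at 80 kbps per call and 19 calls, matching the article's figure; on an Ethernet uplink the same call costs 87.2 kbps, which is the number to feed into the BWM reservation.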
RP Manni
I’m installing VoIP phones in a remote LAN to connect to a cloud Asterisk VoIP server. I followed your suggestions and the registration to the PBX works very well and the phones are very stable, but I suppose I have a NAT problem with the RTP protocol because there is no voice in the calls. Any suggestions? Thanks in advance.
kimconnect
Hello RP Manni,
Please consider implementing NAT Traversal by one of these techniques:
– Socket Secure (SOCKS) is a technology created in the early 1990s that uses proxy servers to relay traffic between networks or systems.
– Traversal Using Relays around NAT (TURN) is a relay protocol designed specifically for NAT traversal.
– NAT hole punching is a general technique that exploits how NATs handle some protocols (for example, UDP, TCP, or ICMP) to allow previously blocked packets through the NAT.
– Session Traversal Utilities for NAT (STUN) is a standardized set of methods and a network protocol for NAT hole punching. It was designed for UDP but was also extended to TCP.
– Interactive Connectivity Establishment (ICE) is a complete protocol for using STUN and/or TURN to do NAT traversal while picking the best network route available. It fills in some of the missing pieces and deficiencies that were not mentioned by STUN specification.
– UPnP Internet Gateway Device Protocol (IGDP) is supported by many small NAT gateways in home or small office settings. It allows a device on a network to ask the router to open a port.
– NAT-PMP is a protocol introduced by Apple as an alternative to IGDP.
– PCP is a successor of NAT-PMP.
– Application-level gateway (ALG) is a component of a firewall or NAT that allows for configuring NAT traversal filters. It is claimed by numerous people that this technique creates more problems than it solves.
Source: Wikipedia
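Of the techniques listed in the reply, STUN is the one most directly tied to the no-audio symptom in the question: a phone behind NAT that advertises its private address in the SDP of its INVITE registers fine (signalling is relayed by the PBX), but the far end sends RTP to an unreachable private address and the call carries no voice. STUN lets the phone discover the public address and port the NAT mapped for it. The following Python is an added example, not from the comment or from any SonicWall or Asterisk code: it builds an RFC 5389 Binding Request and decodes the XOR-MAPPED-ADDRESS attribute of a Binding Response, checking the magic cookie and transaction id so a stale or spoofed reply is rejected. The response bytes are constructed locally so the example runs offline; the IP addresses are documentation-range placeholders.

```python
"""STUN Binding Request / XOR-MAPPED-ADDRESS decoding per RFC 5389 (added example)."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
HEADER_LEN = 20


def build_binding_request(txid: bytes = b"") -> bytes:
    """20-byte STUN header: type, attribute length (0), magic cookie, 96-bit transaction id."""
    txid = txid or os.urandom(12)
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def build_binding_response(txid: bytes, public_ip: str, public_port: int) -> bytes:
    """Constructed server reply for the offline demo; a real server sends this over UDP."""
    xport = public_port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(public_ip))[0] ^ MAGIC_COOKIE
    # attribute: type, length, reserved byte, family (0x01 = IPv4), X-Port, X-Address
    attr = struct.pack("!HHxBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0x01, xport, xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_mapped_address(response: bytes, txid: bytes) -> tuple[str, int]:
    """Return the (ip, port) the NAT mapped for us, from XOR-MAPPED-ADDRESS."""
    if len(response) < HEADER_LEN:
        raise ValueError("short STUN message")
    mtype, mlen, cookie = struct.unpack("!HHI", response[:8])
    if cookie != MAGIC_COOKIE or response[8:HEADER_LEN] != txid:
        raise ValueError("not a reply to our request")   # rejects stale or spoofed replies
    if mtype != BINDING_SUCCESS:
        raise ValueError(f"unexpected message type 0x{mtype:04x}")
    if len(response) != HEADER_LEN + mlen:
        raise ValueError("length field does not match message size")
    pos = HEADER_LEN
    while pos + 4 <= len(response):
        atype, alen = struct.unpack("!HH", response[pos:pos + 4])
        value = response[pos + 4:pos + 4 + alen]
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            family, xport = struct.unpack("!xBH", value[:4])
            if family != 0x01:
                raise ValueError("only IPv4 is handled in this example")
            port = xport ^ (MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        pos += 4 + (alen + 3) // 4 * 4     # attribute values are padded to 32-bit boundaries
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")


def is_behind_nat(local_addr: tuple[str, int], mapped_addr: tuple[str, int]) -> bool:
    """If the mapping differs from the local socket address, a NAT sits in between."""
    return local_addr != mapped_addr


if __name__ == "__main__":
    txid = os.urandom(12)
    request = build_binding_request(txid)
    # Constructed scenario: phone at 192.0.2.10:5060, NAT mapped it to 203.0.113.5:40000
    reply = build_binding_response(txid, "203.0.113.5", 40000)
    mapped = parse_mapped_address(reply, txid)
    print(len(request), mapped, is_behind_nat(("192.0.2.10", 5060), mapped))
```

A phone that learns its mapping this way can put the public address and port into its SDP, which is why enabling STUN on the handsets (or letting the PBX handle NAT for that peer) is the usual fix for registered-but-silent calls; the firewall's Consistent NAT setting from the article complements it by keeping the same public port across the RTP session.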