Recommended Sonicwall Firewall Settings
Gain an understanding of how to set up your Sonicwall Firewall for VoIP services.
Table of Contents
Overview
Internet connections that are heavily utilized will experience call quality degradation and an overall poor experience with hosted voice. Like most hosted VoIP solutions, SpectrumVoIP’s services work best with consistently low ping times and 60-90 kbps per concurrent phone call.
This document provides guidance for configuring a SonicWALL for SpectrumVoIP services. Included are instructions for traffic prioritization. This uses features within the SonicWALL firewall to appropriately prioritize VoIP-related traffic above all other Internet traffic to help ensure a positive experience.
Subnet and Port Configuration
SpectrumVoIP Public Subnets
- 199.71.209.0/24
- 24.227.249.0/25
- 72.249.136.32/28
- 206.123.122.32/27
- 212.69.157.32/27
- 40.143.31.64/27
Ports - Stratus Platform
- 5060-5062 UDP - SIP
- 20,000-40,000 UDP - RTP
- 80, 443 TCP - HTTP/HTTPS
- StratusMEETING - TCP and UDP
- 54.188.133.147:3443
- 3.130.158.184:3443
- 35.183.150.146:3443
- Text To Speech Services - TCP and UDP
- 54.149.243.27:8000
- 35.175.185.150:8000
- 54.149.243.27:3001
- 35.175.185.150:3001
- StratusWEB PHONE
- 9002 - TCP - websockets
- Portal Dynamic Updates
- 8001 - TCP
Ports - Enswitch 1 and 2 Platforms
- 5060-5062 UDP - SIP
- 10,000-20,000 UDP - RTP
- 80, 443 TCP - HTTP/HTTPS
Bandwidth Requirements
Voice-only applications utilize G.711 U-Law as the primary codec and require 87.2 kbps of bandwidth per active call.
It is recommended to round the requirement up to 100 kbps to account for signaling and overhead.
For Example… A 10Mbps/1Mbps ISP connection solely dedicated to the phones would support 10 concurrent phone calls.
VoIP Configuration Settings
SonicOS includes VoIP configuration settings on the VoIP → Settings page.
Although there are many settings that can be adjusted on a Sonicwall firewall, this guide will only explore settings that affect the performance of your VoIP services with SpectrumVoIP.
NOTE: Not all settings on this page will be discussed.
If you have any questions about any settings present on your Sonicwall firewall, it is recommended to contact your IT team or Managed Service Provider (MSP) that services your firewall.
Enable Consistent NAT
Enabling Consistent NAT causes a slight decrease in overall security, because of the increased predictability of the address and port pairs. Most UDP-based applications are compatible with traditional NAT; therefore, we recommend enabling Consistent NAT unless your network uses applications that require this disabled.
To enable Consistent NAT, select Enable consistent NAT and click the Accept button. This option is disabled by default.
Disable SIP Transformations
In the Sonicwall's SIP Settings, the Enable SIP Transformations setting is enabled by default. Having this setting enabled can commonly cause quality of service issues with VoIP calls.
It is recommended to disable SIP Transformations to avoid one-way audio and issues with parking and transferring.
To disable SIP Transformations, deselect the Enable SIP Transformations option.
Prioritize SpectrumVoIP Traffic
One of the greatest challenges for VoIP is ensuring high speech quality over an IP network. VoIP and other types of media streaming are very sensitive to delay and packet loss. Managing access and prioritizing traffic are important requirements for ensuring high-quality, real-time VoIP communications.
To prioritize SpectrumVoIP traffic, you must create four Address Objects and combine them into an Address Group, then create firewall rules to allow and prioritize traffic destined for this Address Group.
Step 1: Create Address Objects
- Navigate to Network → Address Objects.
- Click Add to create the following new address objects listed in the table below.
Note: Ensure that the Zone Assignment is set as WAN and Type is set as Network for each.
Suggested Object Name | SpectrumVoIP Subnets | Netmask |
---|---|---|
SpectrumVoIP Subnet 1 | 199.71.209.0/24 | 255.255.255.0 |
SpectrumVoIP Subnet 2 | 24.227.249.0/25 | 255.255.255.128 |
SpectrumVoIP Subnet 3 | 72.249.136.32/28 | 255.255.255.240 |
SpectrumVoIP Subnet 4 | 199.71.209.0/24 | 255.255.255.0 |
SpectrumVoIP Subnet 5 | 24.227.249.0/25 | 255.255.255.128 |
SpectrumVoIP Subnet 6 | 72.249.136.32/28 | 255.255.255.240 |
SpectrumVoIP Subnet 7 | 206.123.122.32/27 | 255.255.255.244 |
Step 2: Add an Address Group
- After creating the address objects above, click Add Group.
- Name the group “SpectrumVoIP Subnets”.
- Add the seven, new SpectrumVoIP Address Objects to the group using the right arrow.
Step 3: Create Firewall Access Rules
- Navigate to Firewall → Access Rules.
- In the LAN to WAN rules section, click Add.
- In the General tab, configure the following:
- Service - Set to Any.
- Source - Set to Any.
- Destination - Select the SpectrumVoIP Subnets address group.
- On the BWM tab, do the following:
- Egress Bandwidth Management - Enable this function.
- Ingress Bandwidth Management - Enable this function.
-
Bandwidth Priority - Select 0 Realtime for both.
Note: Bandwidth Management will need to be enabled globally to allow the per-firewall rule BWM tab to be accessible.
Step 4: Add a Service Object
- Navigate to Network → Services and click Add.
-
Add a new Service Object with the following configured:
- Name - Type SpectrumVoIP RTP.
- Protocol - Select UDP (17).
- Port Range - Select 20,000-40,000.
Step 5: Create a Service Group
- Select Service Groups → Add Group.
- Give the new service group a Name, such as “SpectrumVoIP Voice”.
- Move the SIP and SpectrumVoIP RTP options the right section using the arrows.
- Click Add.
Quality of Service
QoS encompasses a number of methods intended to provide predictable network behavior and performance. Network predictability is vital to VoIP services. QoS, when configured and implemented correctly, can properly manage traffic and guarantee the desired levels of network service.
✔ SonicOS includes QoS features that add the ability to recognize, map, modify and generate the industry-standard 802.1p and Differentiated Services Code Points (DSCP) Class of Service (CoS) designators.
Manage Bandwidth on a WAN Interface
WARNING: The bandwidth specified should reflect the actual bandwidth available for the link. Oversubscribing the link (declaring a value greater than the available bandwidth) is not recommended.
Enable VoIP Logging
You can enable the logging of VoIP events on the Log → Settings page. Log entries are displayed on the Log → Monitor page. To enable logging of VoIP, see Log → Settings.