Internet networks that experience latency due to high network congestion can cause VoIP phones to experience poor call quality. Like most hosted VoIP phone systems, our services work best in networks that maintain consistently low ping times. This can be achieved by preparing your router(s) and firewall(s) for use in VoIP. This can entail creating VoIP VLANs or Zones, implementing bandwidth management policies, and protecting voice traffic that traverses your network to our services. 

This document provides guidance for configuring a SonicWALL for SpectrumVoIP services. Included are instructions for traffic prioritization. This uses features within the SonicWALL firewall to appropriately prioritize VoIP-related traffic to help ensure a positive calling experience for your team and callers.

Step 1: Create a VoIP Zone

It is best practice to create separate zones for your different groups of IP devices, such as your desk phones. Doing so can simplify managing your network and troubleshooting future issues with those devices. 

Setting VoIP devices in a separate zone will keep VoIP traffic separate from Data traffic. Using a VoIP zone can allow you to apply different bandwidth policies, disable specific Security Services, and disallow inspections on VoIP traffic to improve your calls' audio quality and prevent network congestion that can affect your phones.

To create a VoIP zone…

1. Go to the OBJECT page.
   
2. Navigate to Match Objects → Zones.
   
3. Click the Add icon.
4. In the GENERAL SETTINGS section, do the following:
    
   • Name - Type an identifiable name, such as VoIP.
   • Security Type - Trusted. 
   • Keep all of the Security services unselected and unchanged.
5. Click the Save button.

Step 2: Assign the VoIP Zone to an Interface

Now that a VOIP Zone has been created, the VOIP Zone will need to be assigned to the physical or virtual interface that the VoIP devices will be connected to. 

1. Go to the NETWORK page.
   
2. Navigate to System → Interfaces. 
   
3. In the Interface List, hover over the interface that the VoIP zone should be assigned to and click the Edit icon. 
   
4. Do one of the following depending on if the interface will be physical or virtual (VLAN):
   • For an existing, physical interface, input the following:
     
     • Zone - Select the VoIP Zone you created.
     • Mode / IP Assignment - Select Static IP Mode.
   • To assign the VoIP Zone to a VLAN or sub-interface that needs to be created, follow the dropdown menu below:
     

     Add a VLAN Interface for VoIP

     1. On the Interfaces page, click an interface you would like to add a VLAN interface to. 
     

     2. Click the + Add Interface button and select Virtual Interface.
     

     3. In the Add Virtual Interface menu, input the following:
     
         •  Zone - Select the VoIP zone that you created.
         •  VLAN Tag - Type the VLAN ID you would like to use based on your network's requirements, such as 20. 
         •  Parent Interface - Make sure the right parent interface is selected.
         •  Mode / IP Assignment - Select Static IP Mode.

     4. Move on to the next step in the Step 2: Assign the VoIP Zone to an Interface section.

      

      
5. Input the following:
   
   • IP Address - Enter the IP address for this interface based off of your network's needs.
   • Subnet Mask - Enter the subnet mask of your network.
   • Default Gateway - Do one of the following based off of the type of interface being edited:
     • For a WAN zone interface or the MGMT interface - Enter the IP address of the gateway device into the Default Gateway field. 
     • For a LAN zone interface or a DMZ zone interface - You can optionally enter the IP address of the gateway device into the Default Gateway (Optional) field.
6. If you entered a Default Gateway address, you can input up to 3 IP addresses of DNS servers that you would like to use.
7. For the Comment box, type a note that you would like shown for any other admins that are viewing your interfaces. 
8. Click the OK button.

Step 3: Enable DHCP for Your VoIP Interface

To allow the VoIP devices to automatically obtain an IP address when connected to the interface that the VOIP Zone has been assigned to, you can add and configure a Dynamic Range that will be used just for that interface. 

1. Stay on the NETWORK page and navigate to System → DHCP Server.
   
2. Click Add Dynamic. 
3. In the Dynamic Range Configuration menu, make sure the Range Start and Range End options are correct and match your network's needs. 
   
4. Enable Interface Pre-Populate and select the interface that the VOIP Zone has been assigned to.
   
5. Click the OK button.

Step 4: Create a VoIP Service Objects

To make sure traffic to our specific services is not blocked, Service Objects should be created for each of the different port ranges used by the SpectrumVoIP services your company uses. 

If you are using multiple services with different port ranges, then multiple service objects will need to be created for each port range. These Service Objects can be grouped together into a single Service Group.

1. Go to the OBJECT page.
   
2. Navigate to Match Objects → Services.
   
3. Click + Add.
   
4. In the Service Objects menu, input the following:
   
   • Name: Type an identifiable name for the service using this port range.
     

     Quick Tip: It is recommended to add VoIP to the name of the object to make searching for and adding this object to a service group easier later. 

      
   • Protocol: Type of IP protocol in use for these ports.
   • Port Range: Range of the ports used by the SpectrumVoIP services you use.
     

     Port Ranges Used by SpectrumVoIP Services

     For Stratus Accounts

     IMPORTANT: These ports only need to be opened if you are utilizing our Stratus platform. If you are using our Enswitch (ES) platforms, these ports do not need to be opened. 

     If your company does not use the StratusHUB desktop app, the SpectrumVoIP Stratus mobile app, StratusMEETING, or StratusWEB PHONE, the ports/subnets for those services do not need to be allowed or opened.

     If you are not sure which services you are utilizing, contact your Installer or our Technical Support team for more information.

      

     Service	Port Range(s)	IP Protocol
     Main Utilized Ports	5060-5062 UDP - SIP	UDP, SIP
     	20,000-40,000	UDP, RTP
     	80 and 443	TCP, HTTP/HTTPS
     Portal Dynamic Updates	8001	TCP
     Text-to-Speech Services	35.175.185.150:3001	TCP, UDP
     	35.175.185.150:8000
     	44.212.88.215:8000
     	54.149.243.27:3001
     	54.149.243.27:8000
     	54.70.235.134:3001
     	54.70.235.134:8000
     StratusFAX 2.0	5066	TCP, HTTP/HTTPS
     StratusHUB Desktop App	199.71.209.150:8082	TCP
     Stratus Mobile App  (For Android and Google Devices) Google's Firebase Cloud Messaging, aka FCM	443, 5228, 5229, 5230	TCP
     Stratus Mobile App  (For Apple Devices) Apple Push Notification Service, aka APNs	5223, 443, 2197	TCP
     StratusMEETING	54.188.133.147:3443	TCP, UDP
     	3.130.158.184:3443
     	35.183.150.146:3443
     StratusWEB PHONE	9002	TCP, websockets

      

     For Enswitch 1 and 2 Accounts

     IMPORTANT: These ports only need to be opened if you are utilizing one of our Enswitch (ES1 or ES2) platforms. If you are using our Stratus platform, these ports do not need to be opened. 

     If you are not sure which service you are utilizing, contact your Installer or our Technical Support team for more information.

      

     Port Range(s)	IP Protocol
     5060-5062	UDP, SIP
     10,000-20,000	UDP, RTP
     80, 443	TCP, HTTP/HTTPS

      

      
5. Click the Save button.
6. Repeat steps 3-5 to create more service objects for other port ranges used by the SpectrumVoIP services your company uses. 

Step 5: Add Service Objects to a Service Group

Now that there are multiple service objects created for the different port ranges used by your SpectrumVoIP services, these groups can be grouped into a single Service Group to make it easier to review and update these objects. This service group will later be selected when creating Access Rules and NAT Rules. 

1. Go to the Service Groups tab of the OBJECT page. 
   
2. Click + Add.
3. In the Adding Service Object Group menu, do the following:
   
   
   • Name - Type an identifiable name for this group of VoIP service objects.
   • Not in Group - Select the different service objects created for your SpectrumVoIP services and click the Left arrow button to move them to the In Group section.
4. Click the Save button.

Step 6: Create Access Rules for VoIP Traffic

Now that a Service Group has been created, access rules can be added that will determine how traffic flows from your WAN to devices connected to your VOIP interface, and vice versa. 

To create these access rules…

1. Go to the POLICY page.
   
2. Navigate to Rules and policies → Access Rules. 
   
3. Scroll down to the bottom of the page and click the + Add button.
   
4. In the Adding Rule menu, input the following:
   
   • Name - Type a name for this access rule, such as "VOIP access rule".
   • Action - Select Allow. 
   • SOURCE Section
     • Zone/Interface - WAN
     • Address - Any
     • Port/Services - Any
   • DESTINATION Section
     • Zone/Interface - VOIP
     • Address - WAN Interface IP
     • Port/Services - Select the VoIP service group you created.
5. Go to the Security Profile tab and deselect DPI in the DECRYPTION SERVICES section. 
   
6. Click the Save button.
7. Add a second Access Rule and input the following:
   
   • Name - Type a name for this access rule, such as "VOIP".
   • Action - Select Allow. 
   • SOURCE Section
     • Zone/Interface - VOIP
     • Address - VOIP Subnets
     • Port/Services - Any
   • DESTINATION Section
     • Zone/Interface - WAN
     • Address - Any
     • Port/Services - Any
8. Go to the User and TCP/UDP tab and increase the UDP Timeout to 300 seconds to further avoid disruption on calls. 
   
9. Go to the Security Profile tab and deselect DPI in the DECRYPTION SERVICES section.
10. Click the Save button.

Step 7: Create NAT Policies for VoIP Traffic

Create two NAT policies to ensure VoIP traffic traversing your network is addressed and delivered to the correct endpoints. 

1. Stay on the POLICY page and navigate to Rules and Policies → NAT Rules.
    
2. Add a new NAT rule and input the following:
   
   • Name - Type “VOIP NAT Policy” or something similar.
   • ORIGINAL section:
     • Source - Any
     • Destination - WAN Interface IP
     • Service - Select the VOIP service group you created
     • Inbound Interface - Select the interface for inbound VoIP traffic that calls will traverse through
     • Outbound Interface - Any
   • TRANSLATED section:
     • Source - Original
     • Destination - VOIP Subnets
     • Service - Original
3. Go to the Advanced / Actions tab and enable Create a reflexive policy.
   
   

   Quick Tip: When you select Create a reflexive policy, a mirror, outbound, NAT policy is automatically created according to the settings configured in this Adding NAT Rule menu. 

    
4. Click the Add button.
5. Click the + Add button to create an additional Loopback NAT rule and input the following:
   
   • Name - Type “VOIP Loopback NAT
   • ORIGINAL section:
     • Source - Firewalled Subnets
     • Destination - WAN Interface IP
     • Service - Select the VOIP service group you created
     • Inbound Interface - Any
     • Outbound Interface - Any
   • TRANSLATED section:
     • Source - Original
     • Destination - VOIP Subnets
     • Service - Original
6. On the Advanced / Actions tab, make sure that Create a reflexive policy is NOT selected. 
   
7. Click the Add button.

Step 8: Configure Your SonicWall's VoIP Settings

SonicWalls offer a VOIP Settings page where you can find two settings that need to be updated for networks utilizing VoIP services: Consistent NAT and SIP Transformations. 

1. Go to the NETWORK page.
   
2. Navigate to VOIP → Settings.
   
3. Adjust the following SIP settings:
   
   • Consistent NAT - Enable this setting.
     

     More Info: Consistent NAT needs to be enabled for your SonicWall's VoIP settings. 

     This setting improves compatibility between peer-to-peer applications that require a consistent IP address to route traffic to, such as VoIP reliant devices and softphones. 

     This feature is important for VoIP applications since endpoints within a call need to be able signal to each other and send media back and forth without any interruptions. Consistent NAT prevents sudden call disruptions by mapping internal IP addresses and ports to the same external IP addresses and ports as the SonicWall filters traffic using its NAT rules.

      
   • SIP Transformations - Make sure this setting is Disabled.
     

     More Info: For VoIP systems, SIP Transformations almost always need to be disabled. 

     SIP Transformations (also referred to as SIP ALG) allows your SonicWall to rewrite the destination addresses of the SIP packets sent during VoIP calls. Since the destination IP addresses of the packets being sent during a call are overwritten by the Application Layer Gateway (ALG), this causes the call's packets to not reach their destination. This can result in one-way audio during calls where only one side of the call is able to hear the other caller. 

      
4. Click the Accept button to save these changes.