For the latest IP address ranges and services, please refer to our Firewall Best Practices guide.
Base level configuration of a Ubiquiti Edgerouter device:
- eth0 is the connection to the internet.
- eth1 is the local area network.
- Downstream bandwidth is 5000 kbit.
- Upstream bandwidth is 1000 kbit.
- Guarantee:
  - 25% of the downstream bandwidth is SIP RTP.
  - 50% of the upstream bandwidth is SIP RTP.
  - 5% of the downstream bandwidth is SIP signaling.
  - 10% of the upstream bandwidth is SIP signaling.
- Allow:
  - SIP RTP to use 100% of the upstream bandwidth.
  - SIP signaling to use up to 100% of the downstream bandwidth.
- The phone tags RTP Audio with DSCP 46 (EF).
- The phone tags SIP signaling with DSCP 24 (CS3). If the phone tags SIP signaling with DSCP 26 (AF31), then change DSCP 24 to DSCP 26 in the instructions below.
Adjust each of these figures as needed by changing them where they appear below.
For example, if eth1 and eth2 are bridged to br0, then change eth1 below to br0.
Action Steps:
Access the command line using PuTTY (for Windows) or an SSH client and then execute the following commands:
*NOTE: When using these commands, make sure to apply your own "bandwidth" constraints based on the client's available download (DownStream) and upload (UpStream) limitations.
To get started:
configure
top
To set up DownStream QoS policy:
set traffic-policy shaper DownStream description "DownStream QoS policy"
set traffic-policy shaper DownStream bandwidth <replace with download speed>kbit
set traffic-policy shaper DownStream class 10 description "RTP"
set traffic-policy shaper DownStream class 10 bandwidth 25%
set traffic-policy shaper DownStream class 10 ceiling 100%
set traffic-policy shaper DownStream class 10 match VOIP-RTP ip dscp 46
set traffic-policy shaper DownStream class 20 description "SIP"
set traffic-policy shaper DownStream class 20 bandwidth 5%
set traffic-policy shaper DownStream class 20 ceiling 100%
set traffic-policy shaper DownStream class 20 match VOIP-SIP ip dscp 24
set traffic-policy shaper DownStream default bandwidth 70%
set traffic-policy shaper DownStream default ceiling 100%
To set up UpStream QoS policy:
set traffic-policy shaper UpStream description "UpStream QoS policy"
set traffic-policy shaper UpStream bandwidth <replace with upload speed>kbit
set traffic-policy shaper UpStream class 10 description "RTP"
set traffic-policy shaper UpStream class 10 bandwidth 50%
set traffic-policy shaper UpStream class 10 ceiling 100%
set traffic-policy shaper UpStream class 10 match VOIP-RTP ip dscp 46
set traffic-policy shaper UpStream class 20 description "SIP"
set traffic-policy shaper UpStream class 20 bandwidth 10%
set traffic-policy shaper UpStream class 20 ceiling 100%
set traffic-policy shaper UpStream class 20 match VOIP-SIP ip dscp 24
set traffic-policy shaper UpStream default bandwidth 40%
set traffic-policy shaper UpStream default ceiling 100%
The following steps will apply the policies to the interfaces:
set interfaces ethernet eth0 traffic-policy out UpStream
set interfaces ethernet eth1 traffic-policy out DownStream
Finally, commit, save, and exit:
commit
save
exit
Separately, disable SIP ALG and increase the UDP timeout:
configure
set system conntrack modules sip disable
set system conntrack timeout udp stream 180
set system conntrack timeout udp other 180
commit
save
exit
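To confirm that the QoS policies and the conntrack changes above were both committed, the following added example (not part of the original guide, and not Cytracom or Ubiquiti code) audits saved output of "show configuration commands". The sample configuration is constructed, and the function names and interface arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not vendor code): audit saved `show configuration commands`
# output against the settings applied in this guide.

# Constructed sample input, not captured from a real router.
SAMPLE_CONFIG="set interfaces ethernet eth0 traffic-policy out UpStream
set interfaces ethernet eth1 traffic-policy out DownStream
set system conntrack modules sip disable
set system conntrack timeout udp other 180
set system conntrack timeout udp stream 180
set traffic-policy shaper DownStream class 10 bandwidth 25%
set traffic-policy shaper DownStream class 10 match VOIP-RTP ip dscp 46
set traffic-policy shaper DownStream class 20 bandwidth 5%
set traffic-policy shaper DownStream class 20 match VOIP-SIP ip dscp 24
set traffic-policy shaper DownStream default bandwidth 70%
set traffic-policy shaper UpStream class 10 bandwidth 50%
set traffic-policy shaper UpStream class 10 match VOIP-RTP ip dscp 46
set traffic-policy shaper UpStream class 20 bandwidth 10%
set traffic-policy shaper UpStream class 20 match VOIP-SIP ip dscp 24
set traffic-policy shaper UpStream default bandwidth 40%"

# need CONFIG LINE: succeed if LINE is present verbatim, else report it.
need() {
    printf '%s\n' "$1" | grep -qxF -e "$2" && return 0
    echo "MISSING: $2"; return 1
}

# audit_config CONFIG [WAN] [LAN] [SIP_DSCP]; returns 0 only with no findings.
# WAN/LAN are "type name" pairs, e.g. "ethernet eth2"; SIP_DSCP is 24 or 26.
audit_config() {
    cfg=$(printf '%s\n' "$1" | tr -d "'")  # some releases quote values
    wan="${2:-ethernet eth0}"; lan="${3:-ethernet eth1}"; sip="${4:-24}"; rc=0
    need "$cfg" "set system conntrack modules sip disable" || rc=1
    need "$cfg" "set system conntrack timeout udp stream 180" || rc=1
    need "$cfg" "set system conntrack timeout udp other 180" || rc=1
    need "$cfg" "set interfaces $wan traffic-policy out UpStream" || rc=1
    need "$cfg" "set interfaces $lan traffic-policy out DownStream" || rc=1
    for p in DownStream UpStream; do
        need "$cfg" "set traffic-policy shaper $p class 10 match VOIP-RTP ip dscp 46" || rc=1
        need "$cfg" "set traffic-policy shaper $p class 20 match VOIP-SIP ip dscp $sip" || rc=1
        # Guaranteed percentages (classes + default) must fit within the link.
        sum=$(printf '%s\n' "$cfg" | awk -v p="$p" '$3 == "shaper" && $4 == p &&
            $(NF-1) == "bandwidth" && $NF ~ /%$/ { s += $NF + 0 } END { print s + 0 }')
        [ "$sum" -le 100 ] || { echo "OVERCOMMIT: $p guarantees ${sum}%"; rc=1; }
    done
    return "$rc"
}

audit_config "$SAMPLE_CONFIG" && echo "OK: configuration matches the guide"
```

On a router, save the output of "show configuration commands" to a file and pass its contents as the first argument; pass 26 as the fourth argument if the phones tag SIP signaling with DSCP 26.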
Advanced Configuration of a Ubiquiti Edgerouter device:
*NOTE: Use this portion only if previously applied rules may hinder the flow of traffic to and from Cytracom servers and the configuration above does not perform as expected.
Within the Ubiquiti web interface of the firewall, navigate to the "Firewall/Nat" tab.
If you do not already have a ruleset to add the Cytracom rule to, go to the "Firewall Policies" tab and then select "+ Add Ruleset". If you already have a WAN_In ruleset, jump down to Rule Creation below.
Name the ruleset according to your own naming convention; this is a default layout:
Rule Creation: Once the ruleset has been created (or a previous ruleset is being used), select the action tab on the right-hand side and edit the ruleset.
Choose to add a new rule and follow the action steps below for each tab:
- Basic: If you are adding to an existing ruleset, I would label it "Cytracom Services" in this instance.
- Advanced: Untouched
- Source:
- Destination: Untouched. If you want to create an outbound rule, go back to the original steps above and create a new ruleset for the outbound rule as well, entering the IP address used for the source in this section instead of the Source section.
- Time: Untouched
Once that has been filled out, choose the save option.
Next, follow the action steps for completing the configuration of the ruleset:
- Rules: If the Cytracom rule was created in a previously existing ruleset, make sure the rule is set to #1 in this section so that VoIP traffic isn't hindered.
- Configuration:
- Interfaces: If this was an outbound rule you would choose the eth# that the phones are connected to and the direction as "out".
- Stats: In this section you should start to see packets and traffic if the phones are currently connected and registration has been established.