For the latest IP address ranges and services, please refer to our Firewall Best Practices guide.
Due to recent updates from SonicWall, it is highly recommended that all phone configurations on a network with a SonicWall device running firmware 6.3.X or higher use only port 5060. Using port 5062 will cause packet loss because of a currently non-editable form of traffic shaping applied to all packets originating on port 5062 (not including NAT traversal). The firewall will not know how to handle the packet and will drop it instead of forwarding it inbound or outbound as intended.
Connecting the SonicWall
In order to connect the SonicWall to the network:
- Ensure the modem or other ISP-provided equipment is in bridge mode. Anyone familiar with the local network setup will be able to assist with this.
- Note: If the IP address is static, it will be necessary to load this information into the SonicWall.
- Connect the router to the modem provided by the ISP, ensuring that it is the only device connected. All other devices will connect to the router or a switch connected to the router.
- In most cases, the router can be accessed locally at 192.168.0.1 or 192.168.1.1.
Bandwidth Management
In general practice, it is a good idea to set up bandwidth management for the phones, especially if they share the network with other devices. VoIP is an on-demand service and despite most devices relying on local caching methods, which mask the inconsistencies of ISP networks, VoIP is heavily dependent on a stable connection to perform consistently well.
- Navigate to Firewall Settings.
- Navigate to Bandwidth Management.
- Ensure Bandwidth Management Type is set to Advanced.
- Apply or save.
Increasing System UDP Timeout
- Navigate to Firewall Settings.
- Navigate to Flood Protection in the drop-down menu.
- Click on the UDP tab within this menu.
- Set Default UDP Connection Timeout (seconds) to 180.
Configuring Address Objects and Cytracom Group:
Address Objects allow IP addresses to be defined one time, and to be re-used in multiple instances throughout the SonicOS interface. The address object(s) and the group must be defined before the QoS option in the Access rules can be configured.
- Navigate to the Manage Tab.
- Under the Objects drop-down, click Address Objects.
- Click + Add.
- Set the Name to Cytracom DC_Dal.
- Set the Zone to WAN.
- Set the Type to Range.
- Press Add or OK when done (repeat these steps for the following IP ranges for the other data centers).
Dallas DataCenter: Set the Starting IP Address and Ending IP Address to the Cytracom IP range (209.105.249.194 - 209.105.249.252).
Kentwood DataCenter: Set the Starting IP Address and Ending IP Address to the Cytracom IP range (184.175.130.161 - 184.175.130.186).
BLF DataCenter: Set the Starting IP Address and Ending IP Address to the Cytracom IP range (3.208.72.128 - 3.208.72.158).
Firmware Server: Set the IP Address to the Cytracom IP provided (52.90.29.99).
Cytracom Group
- Navigate to the Manage Tab.
- Under the Objects drop-down, click Address Objects.
- Select the Address Groups tab.
- Click + Add.
- Set the Name to Cytracom
- Add the Cytracom DC locations
Depending on how strict the implicit rules are, the group above can also contain other Cytracom address objects, such as firmware or configuration servers (found in the Firewall Best Practices guide). For general practice and bandwidth management, only the DC locations are added here for now.
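None of the data-center ranges above is CIDR-aligned, which matters when the same scope has to be reproduced on another device or checked against firewall logs. The following added example (not part of the original guide) converts the page's ranges to CIDR blocks and lists logged destinations that fall outside the group; the log format, dictionary keys and function names are assumptions.

```python
import ipaddress
import re

# Data-center ranges exactly as listed in this guide (first, last address).
CYTRACOM_RANGES = {
    "Dallas": ("209.105.249.194", "209.105.249.252"),
    "Kentwood": ("184.175.130.161", "184.175.130.186"),
    "BLF": ("3.208.72.128", "3.208.72.158"),
}

def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

def matching_object(ip):
    """Name of the range containing ip, or None if it is outside the group."""
    addr = ipaddress.IPv4Address(ip)
    for name, (first, last) in CYTRACOM_RANGES.items():
        if ipaddress.IPv4Address(first) <= addr <= ipaddress.IPv4Address(last):
            return name
    return None

def outside_group(log_lines):
    """Destinations in the log that the Cytracom group does not cover."""
    misses = []
    for line in log_lines:
        m = re.search(r"\bdst=(\S+)", line)
        if m and matching_object(m.group(1)) is None:
            misses.append(m.group(1))
    return misses

# Constructed log lines in an assumed key=value format.
SAMPLE_LOG = [
    "src=192.168.1.50 dst=209.105.249.200 dport=5060 proto=udp",
    "src=192.168.1.50 dst=209.105.249.253 dport=5060 proto=udp",
    "src=192.168.1.51 dst=3.208.72.158 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for name, (first, last) in CYTRACOM_RANGES.items():
        print(name, [str(n) for n in range_to_cidrs(first, last)])
    print("outside group:", outside_group(SAMPLE_LOG))
```

Rounding any of these ranges up to a single /26 or /27 would widen the rule's destination beyond the addresses the guide lists.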
Configuring Bandwidth Object:
Bandwidth Objects allow inbound/outbound bandwidth expectations to be defined one time globally, and to be re-used in multiple instances throughout the SonicOS interface. The address object must be defined before the BWM option in the Access rules can be configured.
- Navigate to the Policies Tab.
- Under the Objects tab, click Bandwidth Objects.
- Click Add.
- Set the Name to Cytracom.
- Set the Guaranteed Bandwidth to 150kbps multiplied by the number of phones at that location.
- Set the Maximum Bandwidth to the maximum bandwidth provided by the ISP unless desired otherwise.
- Set Traffic Priority to 0 Realtime.
- Set the Violation Action to Delay.
- Press Add or ok when done.
Outgoing Traffic Rule [General, Advanced, QoS, & BWM]
- Navigate to the Policies Tab
- Under Rules -> Access Rules, click +add
- Set From Zone to LAN.
- Set To Zone to WAN.
- Set Service to Any.
- Set Source to Any.
- Set Destination to Cytracom (listed under Address Groups).
- Set Users Allowed to All.
- Set Schedule to Always On.
- Enable Logging should be checked.
- Enable Geo-IP Filter should not be checked.
- Enable Botnet Filter should not be checked.
- Allow Fragmented Packets should be checked.
Click the Advanced tab
- Set UDP Connection Inactivity Timeout (seconds) to [180]
- Create a reflexive rule (If applicable)
- Disable DPI (If applicable)
- Disable DPI-SSL Client (If applicable)
- Disable DPI-SSL Server (If applicable)
Click the QoS tab
- Set DSCP Marking Action to Explicit.
- Set Explicit DSCP Value to 46 - Expedited Forwarding (EF).
Click the BWM tab
- Check Enable Egress Bandwidth Management.
- Choose the Cytracom Bandwidth Object from the drop-down menu.
- Check Enable Ingress Bandwidth Management.
- Choose the Cytracom Bandwidth Object from the drop-down menu.
- Save or Add the Rule when done.
Most SonicWall firmware versions offer the ability to create a reflexive rule. This is necessary for bandwidth management and ensures that incoming RTP streams are given priority. If a reflexive rule option is not offered, create a WAN to LAN rule with the same settings as the LAN to WAN rule but with the respective logic reversed.
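To confirm that the QoS tab setting is taking effect, the DSCP field of packets leaving the WAN side can be checked against the destination ranges in the Cytracom group. The following added example (not part of the original guide) parses IPv4 headers and reports packets to those ranges that are not marked 46 (EF); the sample headers are constructed and the function names are assumptions.

```python
import ipaddress
import struct

EF = 46  # Explicit DSCP value set on the QoS tab; ToS byte 0xB8 on the wire

# Data-center ranges from this guide, as integer (low, high) pairs.
CYTRACOM = [
    ("209.105.249.194", "209.105.249.252"),
    ("184.175.130.161", "184.175.130.186"),
    ("3.208.72.128", "3.208.72.158"),
]
RANGES = [(int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b)))
          for a, b in CYTRACOM]

def parse_ipv4(header):
    """Return (dscp, destination) from the first 20 bytes of an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    dscp = header[1] >> 2  # DSCP is the upper six bits of the DS byte
    return dscp, ipaddress.IPv4Address(header[16:20])

def unmarked_voice(headers):
    """(destination, dscp) for packets to Cytracom ranges that lack EF."""
    bad = []
    for h in headers:
        dscp, dst = parse_ipv4(h)
        if dscp != EF and any(lo <= int(dst) <= hi for lo, hi in RANGES):
            bad.append((str(dst), dscp))
    return bad

def make_header(dst, dscp, src="192.0.2.10"):
    """Constructed 20-byte IPv4 header carrying UDP (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 28, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

# Constructed sample: one marked, one unmarked, one unrelated destination.
SAMPLE = [
    make_header("209.105.249.200", 46),
    make_header("184.175.130.170", 0),
    make_header("198.51.100.7", 0),
]

if __name__ == "__main__":
    print(unmarked_voice(SAMPLE))
```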
Disabling SIP ALG
Commercial routers implement SIP ALG (application-level gateway), with this feature enabled by default. SIP ALG can help solve NAT-related problems, but SIP ALG implementations are often wrong and break SIP. If SIP ALG is enabled on the SonicWall router, then the following will likely occur:
- Registration failure
- Call transfer issues
- DTMF issues
Note: The above list is not comprehensive and SIP ALG can cause many other issues depending on the setup of the network.
To disable SIP ALG:
- Log into the router.
- Navigate to VoIP in the top menu.
- Check Enable Consistent NAT. (For older firmware 6.2 and below leave unchecked)
- Uncheck Enable SIP Transformations.
- Uncheck Enable H.323 Transformations.
- Click Accept.
Disabling SIP URI to use an explicit port
- In the URL of the firewall (e.g. 192.168.1.1/main.html), change main.html to diag.html.
- Scroll down to VoIP Settings
- Uncheck Transform SIP URIs to have an explicit port
The Gen7 appliances use a different operating system and file structure.
To get to the new screen, go to https://[ip-address]/sonicui/7/m/mgmt/settings/diag
On previous-generation appliances it was https://[ip-address]/diag.html
Note: On firmware 6.2 and below, uncheck all of the options in this section, as they add to CPU usage and slow down SIP signaling.
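One way to verify that SIP Transformations and the explicit-port option are really off is to compare a SIP message as the phone sent it with the same message captured on the WAN side: plain NAT changes only the IP/UDP headers, so any difference inside the SIP text means something in the path is still rewriting it. This is an added example, not part of the original guide; both messages are constructed and the function names are assumptions.

```python
# SIP fields that carry addresses or ports and are compared here.
WATCHED = ("request-line", "via", "contact")

def parse_headers(message):
    """Return {field: [values]} for the request line and SIP headers."""
    head = message.split("\r\n\r\n", 1)[0].split("\r\n")
    fields = {"request-line": [head[0].strip()]}
    for line in head[1:]:
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def payload_rewrites(sent, seen):
    """(field, as sent, as seen) for every watched field that differs."""
    a, b = parse_headers(sent), parse_headers(seen)
    return [(f, a.get(f), b.get(f)) for f in WATCHED if a.get(f) != b.get(f)]

def build(request_uri, host_port):
    """Constructed REGISTER with the given Request-URI and Via/Contact address."""
    return "\r\n".join([
        f"REGISTER {request_uri} SIP/2.0",
        f"Via: SIP/2.0/UDP {host_port};branch=z9hG4bK-constructed",
        "From: <sip:1001@pbx.example.invalid>;tag=constructed",
        "To: <sip:1001@pbx.example.invalid>",
        "Call-ID: constructed-call-id",
        "CSeq: 1 REGISTER",
        f"Contact: <sip:1001@{host_port}>",
        "Content-Length: 0",
    ]) + "\r\n\r\n"

# As sent by the phone on the LAN (constructed).
SENT = build("sip:pbx.example.invalid", "192.168.1.50:5060")
# WAN-side capture with the SIP text left untouched (constructed).
SEEN_CLEAN = SENT
# WAN-side capture where the SIP text was rewritten in transit (constructed).
SEEN_REWRITTEN = build("sip:pbx.example.invalid:5060", "203.0.113.10:1024")

if __name__ == "__main__":
    for field, before, after in payload_rewrites(SENT, SEEN_REWRITTEN):
        print(f"{field}: {before} -> {after}")
```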