Topic
This article discusses how to set up a pfSense firewall for use with Cytracom UCaaS.
Environment
- Cytracom UCaaS
Description
See our Firewall Best Practices guide for the latest IP address ranges and services.
Before you begin
- Ensure the modem or other ISP-provided equipment is in bridge mode.
- If the ISP has assigned a static IP address, that address, subnet mask, gateway and DNS servers must be entered on the pfSense WAN interface.
- In most cases, the router can be accessed locally at 192.168.0.1 or 192.168.1.1.
Connect the pfSense Firewall
Connect the router to the modem provided by the ISP, ensuring that it is the only device connected. All other devices will connect to the router or to a switch connected to the router.
Creating network address aliases
pfSense lets you create address aliases, which group multiple IP addresses, ranges or hostnames under a single name that can then be referenced in firewall and traffic shaper rules.
In the pfSense UI:
1. Navigate to Firewall→Aliases and add a new alias.
2. Configure the settings as follows:
- Name: Cytracom (suggested)
- Type: Host(s) (pfSense expands each range below into individual addresses and periodically re-resolves the hostnames)
- Add address range: 209.105.249.194-209.105.249.252 (first address range)
- Add address range: 184.175.130.161-184.175.130.186 (second address range)
- Add address range: 3.208.72.128-3.208.72.158 (third address range)
- Add address range: 205.142.242.20-205.142.243.254 (fourth address range)
- Add the following hostnames: fw.cytracom.com, tftp.cytracom.net, register.cytracom.net and kr1.cytracom.net
Figure 1: Add network address aliases (click to enlarge)
Configure firewall optimization
1. In the pfSense UI, navigate to System→Advanced→Firewall & NAT.
2. Scroll down to Firewall Optimization Options and select Conservative in the drop-down menu.
Figure 2: Firewall Optimization Options (click to enlarge)
Set up Traffic Shaping
This setup uses the HFSC (Hierarchical Fair Service Curve) traffic shaper. We strongly recommend HFSC because it supports a hierarchy of queues and can guarantee real-time bandwidth to the voice queue.
Enter LAN/WAN link information
1. In the pfSense UI, navigate to Firewall→Traffic Shaper→Wizards.
2. Select Multiple Lan/Wan.
3. Enter the number of WAN links.
4. Enter the number of LAN links.
5. Click Next.
Figure 3: LAN/WAN selection (click to enlarge)
Configure traffic speeds
Configure settings on this page as follows:
Setup connection speed and scheduler information for interface LAN #1
- Interface: Select the desired LAN interface.
- Interface Schedule: Select HFSC.
Setup connection speed and scheduler information for interface WAN#1
- Interface: Select the desired WAN interface.
- Interface Schedule: Select HFSC.
- Upload (1): The upload speed of the link. Enter the value provided by your ISP.
- Upload (2): Select the unit for the upload speed (Kbit/s or Mbit/s).
- Download (1): The download speed of the link. Enter the value provided by your ISP.
- Download (2): Select the unit for the download speed.
When finished, click Next. A new options window will appear.
Configure interface schedulers
The wizard shows one Setup connection speed and scheduler page for each WAN link you entered (WAN #1 through WAN #5). On each page:
- Interface: Select the desired WAN interface.
- Interface Schedule: Select HFSC.
- Upload (1): The upload speed of the link. Enter the value provided by your ISP.
- Upload (2): Select the unit for the upload speed.
- Download (1): The download speed of the link. Enter the value provided by your ISP.
- Download (2): Select the unit for the download speed.
When finished, click Next. A new options window will appear.
Figure 4: Traffic Shaper configuration (click to enlarge)
Configure VOIP settings
Calculating VOIP bandwidth
Each phone typically uses between 75 kbps and 100 kbps of bandwidth during a call. Plan for the upper limit of 100 kbps per phone so that the reservation also covers Busy Lamp Field (BLF) signaling and the phones' other services alongside the voice stream.
For example, for a site with 50 phones, the bandwidth to reserve is 100 kbps multiplied by the number of phones (100 * 50), or 5000 kbps in each direction concurrently, which is approximately 5 Mbps.
Configure settings on this page as follows:
- Prioritize Voice over IP traffic: Check this box.
- Provider: Generic (lowdelay).
- Upstream SIP Server: Cytracom (type the alias name exactly as you created it earlier; this tells the shaper to match traffic to and from those addresses).
- Upload rate: Enter the upload bandwidth to reserve for voice, as calculated above (5000 kbps in the 50-phone example), not the full link speed.
- Units: Select the unit for the upload rate.
- Download Rate: Enter the download bandwidth to reserve for voice, as calculated above.
- Units: Select the unit for the download rate.
When finished, click Next. A new options window will appear.
Figure 5: VoIP configuration (click to enlarge)
Disable the Penalty Box
- The Penalty Box lets you deprioritize traffic from a device or address that is consuming a large share of the bandwidth. Skip this step and leave the Penalty Box disabled; never add any Cytracom IP addresses or services to it, or voice traffic would be throttled.
Figure 6: Disabled Penalty Box feature (click to enlarge)
Configure priority for applications and games
These options let you change priorities for well-known programs or games. In most cases, leave these settings at their defaults and select Next.
Figure 7: Application and game priority screens (click to enlarge)
Complete the Traffic Shaper setup
On the last page, the system will alert you that it will create the traffic shaper and reload the profile. Click Finish to complete traffic shaper setup.
Figure 8: Profile reload alert (click to enlarge)
Set up Floating Rule Adjustments (Created from the Traffic Shaping Wizard)
1. In the pfSense UI, navigate to Firewall→Rules→Floating.
Figure 9: Floating rules (click to enlarge)
2. Edit the first wizard-generated rule that references the Cytracom alias as follows:
- Action: Pass.
- Quick: Check this box (the rule is then applied before the interface rules).
- Protocol: Any (to cover all Cytracom services: SIP, RTP, TFTP and HTTPS provisioning).
- Source and Destination: Leave these as the wizard generated them, referencing the Cytracom alias. Do not widen them to any; a quick pass rule matching any host would bypass the interface rules for all traffic.
When finished, click Save.
Figure 10: Floating rule configuration (click to enlarge)
3. Repeat step 2 for the other wizard-generated floating rule that references the Cytracom alias. This ensures that all traffic to and from Cytracom is passed and assigned to the higher-priority voice queue.
Still have questions? Click here to learn how to contact Cytracom Technical Support.