Cytracom UCaaS: Setting up a pfSense firewall

Topic

This article discusses how to set up a pfSense firewall for use with Cytracom UCaaS.

Environment

  • Cytracom UCaaS

Description

See our Firewall Best Practices guide for the latest IP address ranges and services.

Before you begin

  • Ensure the modem or other ISP-provided equipment is in bridge mode.
  • If the IP address is static, you will need to enter this information into pfSense.
  • In most cases, the router can be accessed locally at 192.168.0.1 or 192.168.1.1.

Connect the pfSense Firewall

Connect the router to the modem provided by the ISP, ensuring that it is the only device connected. All other devices will connect to the router or to a switch connected to the router.

Creating network address aliases

The pfSense network appliances let you create address aliases. These allow multiple IP addresses or ranges to be managed in a single definition.

In the pfSense UI:

1. Navigate to Firewall Settings > Aliases, then select New Alias.

2. Configure the settings as follows:

  • Name: Cytracom (suggested)
  • Type: Host(s)
  • Add address range: 209.105.249.194-209.105.249.252 (first address range)
  • Add address range: 184.175.130.161-184.175.130.186 (second address range)
  • Add address range: 3.208.72.128-3.208.72.158 (third address range)
  • Add address range: 205.142.242.20-205.142.243.254 (fourth address range)
  • Add the following domains: fw.cytracom.com, tftp.cytracom.net, register.cytracom.net, and kr1.cytracom.net

Figure 1: Add network address aliases
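
An added example (not Cytracom's or pfSense's own tooling): a Python check to run over alias ranges before typing them into the UI, so a mistyped octet or a reversed range is caught before the alias is referenced by firewall rules. It uses three ranges copied from the list above plus two constructed malformed entries; the function names are assumptions made for this example.

```python
import ipaddress

# Ranges copied from the alias list above, plus two constructed bad
# entries (documentation addresses) to show what the check rejects.
ALIAS_ENTRIES = [
    "209.105.249.194-209.105.249.252",
    "184.175.130.161-184.175.130.186",
    "3.208.72.128-3.208.72.158",
    "198.51.100.300-198.51.100.254",   # constructed: octet > 255
    "203.0.113.50-203.0.113.10",       # constructed: start after end
]

def parse_range(entry):
    """Return (first, last) IPv4Address objects or raise ValueError."""
    start, sep, end = entry.partition("-")
    if not sep:
        raise ValueError(f"{entry!r}: expected start-end")
    first = ipaddress.IPv4Address(start.strip())
    last = ipaddress.IPv4Address(end.strip())
    if first > last:
        raise ValueError(f"{entry!r}: start is after end")
    return first, last

def audit(entries):
    """Split entries into valid ranges and rejected ones with the reason."""
    valid, rejected = [], []
    for entry in entries:
        try:
            valid.append(parse_range(entry))
        except ValueError as exc:   # AddressValueError is a ValueError
            rejected.append((entry, str(exc)))
    return valid, rejected

def covered(ip, ranges):
    """True if ip falls inside any validated range (for log triage)."""
    addr = ipaddress.IPv4Address(ip)
    return any(first <= addr <= last for first, last in ranges)

if __name__ == "__main__":
    ranges, bad = audit(ALIAS_ENTRIES)
    for first, last in ranges:
        size = int(last) - int(first) + 1
        cidrs = ", ".join(str(n) for n in ipaddress.summarize_address_range(first, last))
        print(f"{first}-{last}: {size} addresses -> {cidrs}")
    for entry, reason in bad:
        print(f"REJECTED {entry}: {reason}")
```

The per-range address count and CIDR summary show exactly how much address space the alias admits, and `covered()` answers whether an address seen in a firewall log falls inside it.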

Configure firewall optimization

1. In the pfSense UI, navigate to System > Advanced > Firewall & NAT.

2. Scroll down to Firewall Optimization Options and select Conservative in the drop-down menu. 

Figure 2: Firewall Optimization Options

Set up Traffic Shaping 

This setup uses the HFSC traffic shaper. We strongly suggest HFSC because it has a hierarchy of queues and is capable of real-time traffic guarantees.

Enter LAN/WAN link information

1. In the pfSense UI, navigate to Firewall > Traffic Shaper > Wizards.

2. Select Multiple Lan/Wan.

3. Enter the number of WAN links.

4. Enter the number of LAN links.

5. Click Next.

Figure 3: LAN/WAN selection

Configure traffic speeds 

Configure settings on this page as follows:

Setup connection speed and scheduler information for interface LAN #1

  • Interface:  Select the desired LAN interface. 
  • Interface Schedule: Select HFSC.

Setup connection speed and scheduler information for interface WAN #1

  • Interface:  Select the desired WAN interface. 
  • Interface Schedule: Select HFSC.
  • Upload (1): This is the upload speed. Enter the value provided by your ISP. 
  • Upload (2): Select the upload speed denomination. 
  • Download (1): This is the download speed. Enter the value provided by your ISP. 
  • Download (2): Select the download speed denomination. 

When finished, click Next. A new options window will appear. 

Configure interface schedulers

Under Setup connection speed and scheduler for interface WAN #(1-5):

  • Interface:  Select the desired WAN interface. 
  • Interface Schedule: Select HFSC.
  • Upload (1): This is the upload speed. Enter the value provided by your ISP. 
  • Upload (2): Select the upload speed denomination. 
  • Download (1): This is the download speed. Enter the value provided by your ISP. 
  • Download (2): Select the download speed denomination. 

When finished, click Next. A new options window will appear. 

Figure 4: Traffic Shaper configuration

Configure VOIP settings

Calculating VOIP bandwidth

Each phone typically uses between 75 kbps and 100 kbps of bandwidth during a call. Therefore, a recommended approach is to plan for the upper limit of 100 kbps per phone to accommodate web services (on desktops, mobile devices, etc.), Busy Lamp Field (BLF) traffic, and voice calls simultaneously.

For example, if a customer has 50 phones, you would calculate the bandwidth requirement as 100 kbps multiplied by the number of phones (100 * 50), totaling 5000 kbps up/down concurrently, which is approximately 5 Mbps.

Configure settings on this page as follows:

  • Prioritize Voice over IP traffic: Check this box.
  • Provider: Generic (lowdelay).
  • Upstream SIP Server: Cytracom (You must type 'Cytracom' manually; this setting tells the firewall to use the alias you created earlier).
  • Upload rate: Enter the upload speed.
  • Units: Select the upload speed denomination.
  • Download Rate: Enter the download speed.
  • Units: Select the download speed denomination. 

When finished, click Next. A new options window will appear. 

Figure 5: VoIP configuration

Disable the Penalty Box

  • The Penalty Box lets you deprioritize traffic from devices that use large amounts of bandwidth or exceed a specific bandwidth threshold. Skip this step and leave the Penalty Box disabled for any IP addresses or services related to Cytracom.

Figure 6: Disabled Penalty Box feature

Configure priority for applications and games

These options let you change priorities for well-known programs or games. In most cases, you can leave these settings and select Next. On the last page, the system will alert you that it will create the traffic shaper once you click Finish.

Figure 7: Application and game priority screens

Complete the Traffic Shaper setup

On the last page, the system will alert you that it will create the traffic shaper and reload the profile. Click Finish to complete traffic shaper setup.

Figure 8: Profile reload alert

Set up Floating Rule Adjustments (Created from the Traffic Shaping Wizard)

1. In the pfSense UI, navigate to Firewall > Rules > Floating.

Figure 9: Floating rules

2. Edit the first generated rule (which includes Cytracom) as follows:

  • Action: Pass.
  • Quick: Check this box.
  • Protocol: Any (to cover all Cytracom services).

When finished, click Save.

Figure 10: Floating rule configuration

3. Repeat steps 1 and 2, above, for the other floating rule pertaining to Cytracom. This ensures that all traffic will pass and will be attached to the higher-priority queue. 
