For the latest IP address ranges and services, please refer to our Firewall Best Practices guide.

Connecting the pfSense

In order to connect the pfSense to the network:

  • Ensure the modem or other ISP-provided equipment is in bridge mode. Anyone familiar with the local network setup will be able to assist with this.
  • Note: If the IP address is static, it will be necessary to load this information into the pfSense.
  • Connect the router to the modem provided by the ISP, ensuring that it is the only device connected. All other devices will connect to the router or a switch connected to the router.
  • In most cases, the router can be accessed locally at or

Creating network address aliases

The pfSense network appliances allow for the creation of an address alias. This allows for multiple IP addresses or ranges to be managed in a single definition.

  • Navigate to Firewall Settings.
  • Navigate to Aliases.
  • Select New.
  • Name the alias Cytracom.
  • Add the address range
  • Add the address range
  • Add the address range
  • Also add,, and


Increasing System UDP Timeout

  • Navigate to System.
  • Navigate to Advanced.
  • Navigate to Firewall & NAT
  • Scroll down to the bottom of the page.
  • Update all UDP options to 180 (seconds).



Outgoing Traffic Rule

  • Navigate to Firewall.
  • Navigate to Rules.
  • Select the LAN tab.
  • Select the Add button with upward arrow.



  • Set the action to pass.
  • Set the interface to LAN.
  • Address Family will automatically set to IPv4.
  • Set the protocol to TCP/UDP.
  • Set source to Any.
  • Set destination to Single host or alias, then type in the name of the alias that was created earlier (Cytracom).
  • Check Log under extra options. (Note that logs will take up internal storage on the device unless logs are sent to a remote Syslog server.)
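
The alias, UDP timeout, and outgoing rule settings above can be checked against a configuration backup. The script below is an added example, not code from Cytracom or pfSense. The config.xml element names are assumed from the usual pfSense backup layout, and the sample is constructed with placeholder documentation ranges rather than the real Cytracom addresses.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a pfSense config.xml backup. Element names are assumed
# from the usual backup layout; the ranges are documentation placeholders,
# not Cytracom's real addresses.
SAMPLE = """<pfsense>
  <system>
    <udpfirsttimeout>180</udpfirsttimeout>
    <udpsingletimeout>180</udpsingletimeout>
    <udpmultipletimeout>60</udpmultipletimeout>
  </system>
  <aliases><alias><name>Cytracom</name><type>network</type>
    <address>198.51.100.0/24 203.0.113.0/24</address></alias></aliases>
  <filter><rule><type>pass</type><interface>lan</interface>
    <ipprotocol>inet</ipprotocol><protocol>tcp/udp</protocol>
    <source><any/></source>
    <destination><address>Cytracom</address></destination></rule></filter>
</pfsense>"""

UDP_KEYS = ("udpfirsttimeout", "udpsingletimeout", "udpmultipletimeout")

def audit(xml_text, alias="Cytracom", udp_timeout="180"):
    """Return a list of deviations from the settings this article describes."""
    root, findings = ET.fromstring(xml_text), []
    names = [a.findtext("name") for a in root.iterfind("aliases/alias")]
    if alias not in names:
        findings.append(f"alias {alias} is missing")
    for key in UDP_KEYS:
        value = (root.findtext(f"system/{key}") or "").strip()
        if value != udp_timeout:
            findings.append(f"{key} is {value or 'unset'}, expected {udp_timeout}")
    # Outgoing rule: pass, LAN, IPv4, TCP/UDP, source any, destination alias.
    matches = [r for r in root.iterfind("filter/rule")
               if r.findtext("type") == "pass"
               and r.findtext("interface") == "lan"
               and r.findtext("ipprotocol") == "inet"
               and r.findtext("protocol") == "tcp/udp"
               and r.find("source/any") is not None
               and r.findtext("destination/address") == alias
               and r.find("disabled") is None]
    if not matches:
        findings.append(f"no enabled LAN pass rule to {alias}")
    elif not any(r.find("log") is not None for r in matches):
        findings.append(f"LAN pass rule to {alias} does not log")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE) or ["config matches the article"]:
        print(line)
```

The constructed sample deliberately leaves one UDP timeout at 60 and omits the Log option, so the script reports both.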


Inbound Traffic Rule

  • Navigate to Firewall.
  • Navigate to Rules.
  • Select the WAN tab.
  • Select the Add button with upward arrow.


Creating Traffic Shaping

  • Navigate to Firewall
  • Navigate to Traffic Shaper
  • Navigate to Wizards
  • Select Dedicated Links Wizard


  • Enter the number of WAN links.
  • Select Next


  • On the first Local interface select LAN.
  • On the second Local Interface select HFSC.
  • On the first WAN interface select WAN.
  • On the second WAN interface select HFSC.
  • Configure the upload/download bandwidth based upon tested speeds.

(HFSC is the type of traffic shaper that will be used. We highly suggest using HFSC because it has a hierarchy of queues and is capable of real-time traffic guarantees.)

  • Select Next


  • Check the box for “Prioritize Voice over IP traffic”.
  • Set Provider to Generic (low delay)
  • Set Upstream SIP Server to Cytracom. (You will have to manually type in Cytracom; this tells it to use the alias that was created earlier.)
  • Set bandwidth upload/download limits for the phones. The phones will normally use up to 90kbps on a call. (5 phones x 90kbps = 450kbps upload and download.)
  • Select Next.


  • Step three will allow you to set up a feature called Penalty Box, which allows you to deprioritize traffic from devices that are using a large amount of bandwidth or more than a specific threshold. It is recommended to ignore this step for any IPs or services related to Cytracom.


  • The next few steps will allow changing the priorities of well-known programs. In most cases, you can leave these settings as they are and just select Next. On the last page, you will be alerted that pressing Finish will create the new traffic shaper and enable it.


  • Lastly, reboot all of the phones for the traffic shaper to take effect.