How to configure VoIP to use any VoIP phone system (best practices)
Description
Voice over IP or VoIP is an umbrella term for a set of technologies that allow voice traffic to be carried over Internet Protocol (IP) networks. VoIP transfers the voice streams of audio calls into data packets as opposed to traditional, analog circuit-switched voice communications used by the public switched telephone network (PSTN).
VoIP is the major driving force behind the convergence of networking and telecommunications by combining voice telephony and data into a single integrated IP network system. VoIP is all about saving cost for companies through eliminating costly redundant infrastructures and telecommunication usage charges while also delivering enhanced management features and calling services features.
This article describes the recommendations for setting up VoIP on a SonicWALL when the VoIP phone system is behind the SonicWALL firewall.
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
TIP: We recommend setting up the VoIP phone system on a zone separate from the Data Zone or LAN Zone. This separates VoIP traffic from data traffic, so that different bandwidth policies can be applied and Security Services and unnecessary inspections can be disabled on VoIP traffic for better call flow and audio quality.
- Navigate to Object | Match Objects | Zones
- Click the Add icon. The Add Zone dialog displays.
- In the Name field, type VoIP as the name for the new zone and, from Security Type, select Trusted. Keep all the Security Services unchecked.
- Navigate to Network | System | Interfaces. Either configure a physical interface with zone - VoIP or a VLAN interface with zone - VoIP
- To Configure a Physical interface with static IP, click on How To Configure A Physical Interface On SonicWALL With Static IP and select the zone - VoIP
- To Configure a Virtual interface with static IP, click on How Can I Configure Sub-Interfaces? and select zone - VoIP
- Configure DHCP for the VoIP interface. Navigate to Network | System | DHCP Server.
- Click Add Dynamic and check the Interface Pre-Populate box. Select the respective interface.
- Navigate to OBJECT | Match Objects | Services. Create Service objects for all the ports the VoIP phone system requires to function and group them in a Service Group called VoIP Services. To configure the Service object, click on How Can I Configure Service Objects?
- Navigate to POLICY | Rules and Policies | Access Rules. Create an Access rule from zone - WAN to zone - VoIP with Source - Any, Destination - WAN Interface IP, Service - VoIP Services.
- Under Security Profile, find the DPI setting and disable DPI.
- Create another Access rule from zone - VoIP to zone - WAN with Source - VoIP subnet, Destination - Any, Service - Any. Under Security Profile, find the DPI setting and disable DPI. Under User & TCP/UDP, optionally increase the UDP timeout to between 120 and 300 seconds to avoid disruption of calls.
- Create two NAT policies. Check the Create a reflexive policy box on the VoIP NAT Policy and leave it unchecked on the VoIP Loopback NAT.
- Create VOIP Loopback NAT policy
- Navigate to Network | VoIP | Settings.
- To enable Consistent NAT, select the Enable Consistent NAT check box.
NOTE: Consistent NAT enhances standard NAT policy to provide greater compatibility with peer-to-peer applications that require a consistent IP address to connect to, such as VoIP. Consistent NAT uses an MD5 hashing method to consistently assign the same mapped public IP address and UDP Port pair to each internal private IP address and port pair.
CAUTION: Enabling Consistent NAT causes a slight decrease in overall security, because of the increased predictability of the address and port pairs.
- To enable SIP Transformations, select the Enable SIP Transformations check box.
TIP: If the Private Branch Exchange (PBX) that the SIP Server communicates with is located behind the SonicWall, then SIP transformations should be disabled in most deployments. Consult with your VoIP vendor.
TIP: If the PBX is located outside the SonicWall, usually on the public Internet, then SIP transformations should be enabled in most deployments. Consult with your VoIP vendor.
- To disable SIP ALG, click on How To Disable SIP ALG
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
TIP: We recommend setting up the VoIP phone system on a zone separate from the Data Zone or LAN Zone. This separates VoIP traffic from data traffic, so that different bandwidth policies can be applied and Security Services and unnecessary inspections can be disabled on VoIP traffic for better call flow and audio quality.
- Navigate to MANAGE | Network | Zones.
- Click the Add icon. The Add Zone dialog displays.
- In the Name field, type VoIP as the name for the new zone and, from Security Type, select Trusted. Keep all the Security Services unchecked.
- Navigate to MANAGE | Network | Interfaces. Either configure a physical interface with zone - VoIP or a VLAN interface with zone - VoIP.
- To Configure a Physical interface with static IP, click on How To Configure A Physical Interface On SonicWALL With Static IP and select the zone - VoIP.
- To Configure a Virtual interface with static IP, click on How Can I Configure Sub-Interfaces? and select zone - VoIP.
- Configure DHCP for the VoIP interface. Navigate to MANAGE | Network | DHCP Server.
- Click Add Dynamic and check the Interface Pre-Populate box. Select the respective interface.
- Navigate to MANAGE | Objects. Create Service objects for all the ports the VoIP phone system requires to function and group them in a Service Group called VoIP Services. To configure a Service object, click on How Can I Configure Service Objects?
- Navigate to MANAGE | Rules | Access Rules. Create an Access rule from zone - WAN to zone - VoIP with Source - Any, Destination - WAN Interface IP, Service - VoIP Services.
- Under Advanced, check the Disable DPI box.
- Create another Access rule from zone - VoIP to zone - WAN with Source - VoIP subnet, Destination - Any, Service - Any.
- Under Advanced, check the Disable DPI box and optionally increase the UDP timeout to 120 seconds.
- Create two NAT policies. Check the Create a reflexive policy box on the VoIP NAT Policy and leave it unchecked on the VoIP Loopback NAT.
- Navigate to MANAGE | VoIP.
- To enable Consistent NAT, select the Enable Consistent NAT check box.
NOTE: Consistent NAT enhances standard NAT policy to provide greater compatibility with peer-to-peer applications that require a consistent IP address to connect to, such as VoIP. Consistent NAT uses an MD5 hashing method to consistently assign the same mapped public IP address and UDP Port pair to each internal private IP address and port pair.
CAUTION: Enabling Consistent NAT causes a slight decrease in overall security, because of the increased predictability of the address and port pairs.
- To enable SIP Transformations, select the Enable SIP Transformations check box.
TIP: If the Private Branch Exchange (PBX) that the SIP Server communicates with is located behind the SonicWall, then SIP transformations should be disabled in most deployments. Consult with your VoIP vendor.
TIP: If the PBX is located outside the SonicWall, usually on the public Internet, then SIP transformations should be enabled in most deployments. Consult with your VoIP vendor.
- To disable SIP ALG, click on How To Disable SIP ALG
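The access rules created in both resolutions disable DPI and open inbound services, so it is worth checking afterwards that those exceptions stayed confined to the VoIP zone. The following is an added example, not SonicWall code: it audits a constructed, simplified rule list (the field names are assumptions, not a SonicOS export format) against the steps above, using the zone and object names from this article.

```python
# Constructed, simplified rule model; field names are assumptions for this
# example and do not reflect a SonicOS export format.
VOIP_ZONE = "VoIP"
UDP_TIMEOUT_MAX = 300  # seconds, upper bound given in the SonicOS 7.X steps

FIELDS = ("name", "from", "to", "source", "destination", "service",
          "dpi_disabled", "udp_timeout")
SAMPLE_RULES = [dict(zip(FIELDS, row)) for row in [  # constructed sample data
    ("WAN to VoIP", "WAN", "VoIP", "Any", "WAN Interface IP",
     "VoIP Services", True, 30),
    ("VoIP to WAN", "VoIP", "WAN", "VoIP subnet", "Any", "Any", True, 180),
    ("LAN to WAN", "LAN", "WAN", "LAN subnet", "Any", "Any", True, 30),
    ("WAN to VoIP wide", "WAN", "VoIP", "Any", "Any", "Any", True, 30),
    ("VoIP to WAN long", "VoIP", "WAN", "Any", "Any", "Any", True, 900),
]]

def audit_rule(rule):
    """Return findings where one rule drifts from the article's steps."""
    findings = []
    pair = (rule["from"], rule["to"])
    # DPI is only meant to be switched off for the dedicated VoIP zone.
    if rule["dpi_disabled"] and VOIP_ZONE not in pair:
        findings.append("DPI disabled outside the VoIP zone")
    if pair == ("WAN", VOIP_ZONE):
        # Inbound exposure stays limited to the VoIP service group and WAN IP.
        if rule["service"] != "VoIP Services":
            findings.append("inbound service is not VoIP Services")
        if rule["destination"] != "WAN Interface IP":
            findings.append("inbound destination is not WAN Interface IP")
    if pair == (VOIP_ZONE, "WAN"):
        if rule["source"] != "VoIP subnet":
            findings.append("outbound source is not VoIP subnet")
        # Raising the timeout is optional, so only values above 300 s flag.
        if rule["udp_timeout"] > UDP_TIMEOUT_MAX:
            findings.append("UDP timeout above 300 s")
    return findings

def audit(rules):
    """Map rule name to its findings, listing only rules that have any."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(f"{name}: {'; '.join(findings)}")
```
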