SonicWall Configuration for Asterisk

How to configure Sonicwall to enable traffic toward a on-premise VoIP server without VLAN
 
1. Create Address Objects for VoIP Providers/Connections
2. Run wizard to enable SIP public server (which creates private & public address + three NAT policies)
3. Create custom Service Object for “Asterisk RTP” with UDP ports 10000-20000
4. Enable “Consistent NAT”
5. Create WAN to LAN firewall rule: Source = “VoIP Providers”, Destination = “{public_IP}”, Service =  SIP
6. Create WAN to LAN firewall rule: Source = “any”, Destination = “{public_IP}”, service = Asterisk RTP, Ethernet BWM = {set guaranteed/max Inbound bandwidth}
7. Create LAN to WAN firewall rule: Source = “PBX Private”, Destination = any, Service = SIP, (click Advanced tab, set UDP timeout to 3600)
8. Create LAN to WAN firewall rule: Source = “PBX Private”, Destination = any, Service = “Asterisk RTP” (click Advanced tab, set UDP timeout to 300 >> click Qos tab, set 802.1p QoS markings to “Explicit” and “voice (<10ms latency)” >> click BWM, set “Ethernet BWM” guaranteed/max Outbound bandwidth)
 
Sonicwall does not perform true QoS. Following is a work-around:
1. Create VoIP VLAN as 802.1q sub-interface of X0 (LAN) Interface
2. Use a QoS capable switch (Cisco 2960, 3550, or HP Procurve 2XXX)
3. Configure the switch to use SonicWall’s X0 as uplink trunk port with native VLAN set to VLAN ID of data subnet, and set Allowed VLAN of VoIP VLAN (this is known as “PVID” or “Tagged VLAN”)
4. Configure QoS Policy to prioritize DSCP markings (some switches require mapping DSCP to 802.1p “COS” value)
5. Set firewall rule LAN to WAN: use QoS table to explicitly set DSCP value to Map to COS of the switch’s settings. OR, for switches that have COS native capability, set SonicWall COS value of 5 of VoIP VLAN sub-interface Advanced tab
6. Note that not all providers tag DSCP values in their packets. If a provider does, set QoS to map if you are using COS/802.1p
 
Sonicwall VoIP settings:
– Disable SIP transformation within the VoIP settings
– Enable Consistent NAT
– Add Service Group with SIP ports 5060-5062 UDP, RTP 10000-20000 for TCP/UDP
– Add that new Service Group to the LAN > WAN Access Rule (source = any)
 
If server is on the cloud:
– Add VoIP server WAN IP address to the domain and proxy
– Edit the default LAN > WAN firewall rule and other SIP rules: Allow Fragmented Packets = checked, TCP timeout = 15, UDP timout = 1200
 
If server is on-premise:
– Add VoIP server WAN IP address to the domain and proxy
– Edit the default WAN > LAN firewall rule and other SIP rules: Allow Fragmented Packets = checked, TCP timeout = 15, UDP timout = 1200
– Add VoIP server to DMZ
– Add VoIP server to NAT Rule
 
———————————————————————–
 
How to configure Sonicwall to enable traffic toward a cloud VoIP server
 
Source: http://pbxinaflash.com/community/index.php?threads/former-sonicwall-resource-by-hbonath.12549
 
Create a VoIP zone:
Network >> Zones >> Create new Zone named VoIP >> Security Type = Trusted, “Allow Interface Trust” = checked
 
Create an Uplink to a tagged switch port:
Network >> Interfaces >> Add Interface >> select Zone “VoIP”, VLAN ID = 101, parent interface = X0 or LAN, IP = 192.168.101.1/24, enable HTTP/HTTPS & ping >> Advanced tab, 802.1p = checked, drop-down menu = 6 – Voice
 
Enable DHCP for VoIP subnet
Network >> DHCP >> Add Dynamic >> select Interface Pre-populate >> select VLAN Tagged interface X0:2
 
Bandwidth management
Firewall Settings >> BWM >> Bandwidth Management Type = Global >> Apply
Network >> Interfaces >> edit X1 (WAN) interface >> Advanced tab >> enable Ingress and Egress Bandwidth Management >> input bandwidth values as acquired via speedtest.net (note: 1Mbps = 1014 Kbps) >> OK
Firewall Settings >> BWM >> Global Mode = 4 – Medium category >> use this calculator to obtain reserved bandwidth requirement: http://www.asteriskguru.com/tools/bandwidth_calculator.php >> enter X1% Guaranteed Bandwidth in the Highest Category with 100% allowance >> X2% for SIP traffic in High Category, 100% max >> X3% = (X1+X2) percent for Medium Category, X3% max >> Accept & Apply
 
Enable Consistent NAT
VoIP >> Settings >> Enable Consistent NAT = Enabled >> Sonicwall SIP = Disabled
 
Firewall Rules for cloud PBX public IP
Firewall >> Service Objects >> click Custom Address Objects >> select Add >> name = PBX, zone = WAN (outside of firewall), type = host, input public IP of PBX >> click Add
 
Create RTP service
Firewall >> Service Objects >> click Custom Services >> select Add >> name = “RTP” >> protocol = UDP (17) >> default port range = 10000-20000 >> click Add
 
Create SIP firewall rules
Firewall >> Access Rules >> click on Matrix View >> select “from VoIP to WAN” >> Add >> Allow = selected, service = SIP, source = Subnet of VLAN interface being created earlier, destination = “PBX” address object >> Advanced tab >> UDP Connection Inactvity Timeout = 3600 (1 hour) >> Ethernet BWM tab >> enable inbound and outbound management >> select 2-High for both >> click Add
 
Create RTP firewall rules
Firewall >> Access Rules >> click on Matrix View >> select “from VoIP to WAN” >> Add >> Allow = selected, service = RTP, source = Subnet of VLAN interface being created earlier, destination = “PBX” address object >> Advanced tab >> UDP Connection Inactvity Timeout = 300 (5 minutes) >> Ethernet BWM tab >> enable inbound and outbound management >> select 1-Highest for both >> click Add
 
 
Other VoIP Considerations:
– Trunking over-subscription is between 4:1 to 10:1
– G711 equates to about 19 concurrent calls on a T1
– G729 takes less bandwidth

Leave a Reply

Your email address will not be published. Required fields are marked *