
General Router Setup

Ensure you are NOT in a Double NAT situation, i.e., you do not have one router operating behind another router.  For example, put a Charter modem/router combo box into Bridge Mode so that it acts only as a modem, not a router, then set up your dedicated router or firewall between the Charter modem/router combo box and the rest of the network.

Disable SIP ALG.  Sometimes this is called SIP Transformations or otherwise.

Allow traffic to/from the following servers:

Name:                IP Address:
-----------------------------------
Ringfree Server 1    209.51.167.251
Ringfree Server 2    209.51.167.254
Ringfree Server 3    70.36.23.125
Ringfree Server 4    70.36.23.123

On the following ports:

UDP, Ports 5060-5061 and 10000-20000
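
Added example (not part of the original page and not Ringfree tooling): a small Python check that reads firewall log lines and flags SIP traffic with peers other than the four servers above, plus traffic with those servers that falls outside the listed UDP ports. The key=value log format, the LAN address 192.168.1.50 and the function names are assumptions made for illustration.

```python
import ipaddress

# From the page: the four Ringfree servers and the UDP ports to allow.
RINGFREE = {ipaddress.ip_address(a) for a in (
    "209.51.167.251", "209.51.167.254", "70.36.23.125", "70.36.23.123")}
SIP_PORTS = range(5060, 5062)       # 5060-5061
RTP_PORTS = range(10000, 20001)     # 10000-20000

# Constructed sample lines in an assumed key=value format; a real firewall
# log needs its own parser. 192.168.1.50 stands in for a phone on the LAN.
SAMPLE_LOG = """\
proto=udp src=192.168.1.50 sport=5060 dst=209.51.167.251 dport=5060
proto=udp src=70.36.23.125 sport=14002 dst=192.168.1.50 dport=11784
proto=udp src=198.51.100.7 sport=5071 dst=192.168.1.50 dport=5060
proto=tcp src=192.168.1.50 sport=51514 dst=209.51.167.254 dport=5060
proto=udp src=192.168.1.50 sport=40000 dst=203.0.113.9 dport=53
"""

def parse_line(line):
    f = dict(item.split("=", 1) for item in line.split())
    return (f["proto"].lower(), ipaddress.ip_address(f["src"]), int(f["sport"]),
            ipaddress.ip_address(f["dst"]), int(f["dport"]))

def classify(line):
    proto, src, sport, dst, dport = parse_line(line)
    ringfree_peer = src in RINGFREE or dst in RINGFREE
    # The page does not say which end owns the listed ports, so either end
    # may match (assumption).
    voip_port = any(p in SIP_PORTS or p in RTP_PORTS for p in (sport, dport))
    if ringfree_peer:
        return "expected" if proto == "udp" and voip_port else "outside-policy"
    # Only the SIP signalling ports are checked for other peers: 10000-20000
    # overlaps ports that unrelated UDP applications use.
    if proto == "udp" and dport in SIP_PORTS:
        return "unexpected-peer"
    return "other"

def audit(log_text):
    """Return (category, line) for every flow that needs a look."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            category = classify(line)
            if category in ("unexpected-peer", "outside-policy"):
                findings.append((category, line))
    return findings

if __name__ == "__main__":
    for category, line in audit(SAMPLE_LOG):
        print(f"{category:16} {line}")
```

An "unexpected-peer" finding means the allow rule or a port forward is wider than the four Ringfree addresses and should be narrowed to them.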

Where QOS (Quality of Service) options are available, prioritize traffic to/from those IPs, on those ports.  Reserving 10% of the available bandwidth for phones is ideal, but not always necessary.  At a minimum, reserve 120k of bandwidth for each expected simultaneous phone call.

Ubiquiti EdgeRouterX Configuration

For the EdgeRouterX, SIP ALG must be disabled from the command line.

To access the command line from the GUI of the EdgeRouterX, use the CLI button in the top-right corner of the GUI.  Alternatively, use an SSH tool to SSH to the IP of the EdgeRouter.  Once at the CLI, enter the following commands:

configure

set system conntrack modules sip disable

commit

save

exit

Additional configuration may be needed beyond these steps.  Contact Ringfree for more information.

Cisco Meraki Z1

The Meraki Z1 is fairly straightforward and doesn’t require the same granularity of configuration that something like a Sonicwall might.

The key change is going to be in traffic shaping where we’ll tell the device to prioritize traffic over a set of ports that we’ve specified. There does not appear to be a way to specify UDP or TCP. Access this configuration as follows:

  • Navigate to Teleworker Gateway, then Traffic Shaping
  • Click Create a New Rule
  • Add a new custom expression for ports 10000-20000, 5060-5061
  • Select a bandwidth limit
  • Set Priority to high
  • Click save

Tomato Settings

QOS

  • Navigate to QOS, then Basic Settings
  • Check Enable QOS
  • Set the maximum inbound and outbound bandwidth based on a per-location basis
  • Default values for rate limits are usually fine.
  • Navigate to Classification
  • Add new rules for SIP and RTP
    • SIP

      • Select Protocol: UDP
      • Select Src or Dst port: 5060
      • Select Class: Highest
      • Enter description: SIP
      • Click OK
    • RTP

      • Select Protocol: UDP
      • Select Src or Dst port: 10000-20000
      • Select Class: Highest
      • Enter description: RTP
      • Click OK

Port Forwards

  • Navigate to Port Forwarding, then Basic
  • Select Protocol: Both
  • Leave Src Address blank
  • Enter Ext Port 65000
  • Enter Int Port 443
  • Enter Int. Address of the device you are connecting to
  • (Optional) Enter description

Watchguard Settings

Firewall Policies

  • Navigate to the Firewall Submenu and select Firewall Policies
  • Click on Add Policy
    • Select Custom under Policy Type
    • Click Add

      • Enter a policy name: Ringfree
      • Enter a policy description: Ringfree Ports
        • Click Add under Protocols

          • Select type: Single Port
          • Select Protocol: UDP
          • Enter Server port: 5060
        • Click Add under Protocols

          • Select type: Port Range
          • Select protocol: UDP
          • Enter Start Server Port: 10000
          • Enter End Server Port: 20000
        • Click Save
    • Select the new policy template Ringfree under Policy Type and verify that the ports are correct
    • Click Add Policy
  • Select the new Ringfree firewall policy and select Edit Policy from the action dropdown
    • Under the From box, click Add
      • Select Member Type: Alias
      • Select Any-Trusted
      • Click Ok
    • Under the To box, click Add
      • Select Member Type: Alias
      • Select Any-External
      • Click Ok

    • Make sure the enable box at the top is checked
    • Save

Bandwidth Management

  • Navigate to the Firewall submenu and select Traffic Management
  • Click Add
    • Enter a name: RF – UP
    • Enter a description
    • Select a type: All Policies
    • Enter the location's maximum upstream bandwidth
    • Enter a guaranteed bandwidth for voice service
    • Click Save
  • Select the Ringfree Policy
  • Select RF – UP from the forward action dropdown
  • Save

Port Forwarding – NOTE: ONLY TO BE USED FOR TEMPORARY ACCESS TO A NONFUNCTIONING PHONE.  NOT NECESSARY FOR CALL QUALITY.

  • Navigate to Firewall, then SNAT
    • Click Add
      • Enter a name: PF
      • Enter a description: Port Forward
      • Under SNAT Members, click Add
        • Enter the local IP of the device to be accessed
        • Check Set internal port to a different port: 443
        • Click OK
      • Save
  • Navigate to Firewall Policies
    • Click Add Policy
      • Enter Policy name: PF
      • Select Custom Policy type: PF
      • Click Add Policy
  • Select the PF Firewall Policy and Click Edit
    • Set From to Any-external
    • Set To to the Port Forward SNAT
    • Check the Enable box at the top to activate the port forward (Be sure to disable it once maintenance is complete)
    • Click Save

TP-Link Settings

QOS

  • Navigate to Advanced, then QOS Settings.
    • Check Enable QOS
    • Enter the upload and download bandwidth values appropriate for the location
    • Add QOS rule to high priority
      • Select type: By Application
      • Create Custom Application for SIP
      • Create Custom Application for RTP
    • Save

  • Go to NAT Forwarding
    • ALG
    • Uncheck Enable SIP ALG

Edgewater Settings

  Port Forwarding

  • Navigate to NAT, then Port Forwarding
    • Select Protocol: TCP
    • WAN_IP and WAN_SUBNET are filled in with default variables
    • Enter WAN Port: 65000
    • Enter LAN (Local) IP
    • Enter LAN Port: 443 (For HTTPS)
    • Click ADD
    • Click OK in pop-up
    • Click Submit All to apply. Be aware that all changes applied require a voice service restart that can kill any active phone calls

Bandwidth management

  • Navigate to Traffic Shaper
    • Check Enable Traffic Shaping
    • Enter the Primary WAN downstream bandwidth in kbps
    • Enter the Primary WAN upstream bandwidth in kbps
    • (Optional) Enter the Secondary WAN up/downstream bandwidths
    • Click Submit
  • Navigate to Advanced, then Classification Rules

    • Create classification rule for SIP
      • Leave IP Address blank
      • Select direction: Both
      • Select protocol: UDP
      • Leave Source port blank
      • Enter Destination port 5060
      • Select Expedited Forwarding
      • Click Add
    • Create classification rule for RTP
      • Leave IP address blank
      • Select direction: Both
      • Select protocol: UDP
      • Leave Source port blank
      • Enter Destination port: 10000-20000
      • Select Expedited Forwarding
      • Click Add
    • Submit All

Multi-WAN Failover

  • Navigate to Network, then WAN Failover
    • Check Enable WAN Link Redundancy
    • Check Enable Revertive Mode
    • Check Enable Dual WAN Ports
    • Submit
  • Navigate to Advanced
    • Enable Primary Ping Detection
      • Enter Primary Ping Host: 8.8.8.8
    • Enable Secondary Ping Detection
      • Enter Secondary Ping Host: 8.8.4.4
    • Submit
  • Configure both WAN interfaces as needed.
  • Submit All to Apply

Configuring an AT&T/Pace 5268AC for Hosted VoIP

Preliminary Information

Customers with business service through AT&T will not have a standard equipment setup. Rather, AT&T provides the customer with a modem/router combination unit. No option exists for a standalone modem, so in practically all Ringfree-related cases, the AT&T unit must be configured to allow unhindered access to other devices behind it.

Previously AT&T was providing Motorola devices which could be configured in bridge mode in order to achieve the desired outcome. More recently they’re providing customers with the Pace 5268AC modem/router combination unit, which cannot be configured for bridge mode.

Additionally, AT&T doesn’t provision static IP addresses in the same manner that is typical with most internet service providers. Rather they provision a range of sticky IP addresses (usually five of them) that will not change so long as the account and device provisioning does not change. Customer premises equipment can be configured to make use of any of the five IP addresses.

Configuration

  1. Connect the CPE to one of the LAN ports on the Pace and then reboot the Pace.
  2. Navigate to the Pace’s administration interface (usually at 192.168.1.254) and log in (the credentials, if not default, should be supplied by AT&T).
  3. Once logged in, navigate to Settings, then to Firewall, then to Applications, Pinholes, and DMZ.
  4. Select the CPE from the device list.
  5. Check the bubble for DMZ+ mode and click Save.
  6. Navigate to Settings, then to Firewall, then to Advanced Configuration and enter the password (which again should be supplied by AT&T if not default).
  7. Locate the Enhanced Security section.
  8. Uncheck both the Stealth Mode and the Block Ping boxes and click Save.

SonicWall Settings

There are optional settings as well as necessary settings to set up a SonicWall appliance to allow VoIP traffic to and from RingFree’s servers. Each section that is not necessary is marked “optional”; use those sections if you are having more issues with jitter or dropped packets on your network, or if you want to truly separate the voice traffic from the LAN. In a simple environment, or if your network does not have managed switches, you can skip to the Consistent NAT / SIP Settings section and set the minimal settings there.

Prerequisites

  • SonicWall admin credentials
  • VLAN setup for the voice network
  • Accurate bandwidth numbers for the WAN (such as from speedtest.net)
  • The number of phones behind the appliance

Create Voice Zone (optional)

  1. Login to SonicWall and navigate to Network
  2. Click on Zones and create a new zone for the voice traffic
  3. Click Add Zone and name the zone VOIP
  4. Set the security type to Trusted and select Allow Interface Trust
  5. Click OK to save

Create Interface (optional)

We need to create a VLAN tagged sub-interface (virtual interface).

Virtual Port

  1. Navigate to Network and click on Interface
  2. Under Add Interface, select Virtual Interface
  3. Set the Zone to VOIP that we created earlier. Set the VLAN Tag to your voice VLAN on your switch.
  4. Set the Parent Interface to your XO or LAN interface or whichever one that connects to your switch.
  5. Change the Mode/IP Assignment to Static IP Mode
  6. Set an IP for the router that is not on the same subnet as the LAN. If the LAN is 192.168.1.1, set the IP to something like 192.168.2.1
  7. Enable management by selecting HTTP or HTTPS. If you don’t want management on this interface, at the very least enable Ping for troubleshooting purposes.
  8. If you want QoS, go to the Advanced tab and select Enable Default 802.1p CoS. Set it to 6 – Voice
  9. Click OK to save

Edit/Create DHCP for the New Interface

If DHCP was already enabled on the device a DHCP scope will be created automatically to be edited for the network environment. If DHCP was disabled, create a DHCP scope.

  1. Navigate to Network and then to DHCP.
  2. Click Add Dynamic and select Interface Pre-Populate
  3. Select the VLAN Tagged interface and let it fill out the scope automatically
  4. Edit the scope as needed

Bandwidth Management (optional)

  1. Click on Firewall Settings and then BWM
  2. Set the Bandwidth Management Type to Global and click Apply
  3. Navigate back to Network and click on Interfaces
  4. Click the pencil icon next to your WAN interface and go to the Advanced tab
  5. Select Ingress and Egress Bandwidth Management
  6. Enter your Egress (upload) and Ingress (download) speeds in Kbps. You can achieve that by multiplying your Mbps by 1024.
  7. Navigate back to Firewall Settings and then BWM
  8. Enable only Medium and High

We now need to calculate the amount of bandwidth the phones will require. Each call takes about 80 Kbps in each direction. There is also about 15 Kbps of overhead if you are not using QoS. Simply multiply 95 Kbps by how many phones you have behind the router. Then calculate what percentage of the bandwidth that will take.

In this example, we will use a 10Mbps X 10Mbps connection with 11 phones/devices. When calculated the devices will take about 1Mbps. That is about 10% of the 10Mbps connection.

  • On the High Category set the Guaranteed to 10% and the Maximum/Burst to 100%
  • On the Medium Category set the Guaranteed to 0% and the Maximum to 90%
  • Click Accept to apply the changes

Consistent NAT / SIP Settings

  1. Navigate to VoIP and click on Settings
  2. Enable Consistent NAT
  3. Disable anything else in the VoIP section, particularly SIP transformations.
  4. Click Apply to save

Configure Firewall Rules

Address Objects

  • Navigate to Firewall and click on Address Objects
  • Click on Add under Address Objects. Set the Zone Assignment to WAN and Type to Host
  • Create an Address Object for each Ringfree IP address
Name:                IP Address:
-----------------------------------
Ringfree Server 1    209.51.167.251
Ringfree Server 2    209.51.167.254
Ringfree Server 3    70.36.23.125
Ringfree Server 4    70.36.23.123
  • Once finished click Close
  • Click Add Group and name it Ringfree Servers
  • Add the four servers just created into the group and click OK to save

RTP Ports Object

  1. Navigate to Firewall and click on Service Objects
  2. Click Add under Services
  3. Name the service RTP and set the protocol to UDP(17)
  4. Set the port range to 10000 – 20000 and click Add and Close

Build Firewall Rules

SIP Ports

  1. Click on Firewall and then Access Rules. Click on Matrix view and then select “From VOIP to WAN” (or “LAN to WAN” if you didn’t set up the VOIP Zone)
  2. Click Add to add a new rule
  3. Make sure Allow is selected. Under Service select SIP from the drop-down
  4. The Source will be the interface created earlier (i.e. X0:2 Subnet)
  5. If an interface wasn’t set earlier, set this to LAN Primary Subnet
  6. Set the destination to Ringfree Servers
  7. Click Advanced and set the UDP timeout to 3600 seconds
  8. Click the Ethernet BWM tab and check inbound and outbound management
  9. Set the priority to High for inbound and outbound
  10. Click Add to save

RTP Ports

  1. Just change the service to RTP and leave everything else the same
  2. Click Advanced and set the UDP timeout to 300 seconds
  3. Click Add and Close to save

Notes

If App Rules are enabled, you may run into some issues with calls as well. Simply add the RingFree Servers address group to the app rule exceptions.