Configuring SonicWALL for VoIP Traffic

SonicWALL Enhanced OS:

The Enhanced OS is more consistent and reliable than the Standard OS, but there have been a few revisions of the Enhanced OS that have similar problems as well. This version of SonicWALL is not recommended, but in many cases can be supported.

The configuration steps below solve a number of issues:

  • SIP ALG: Disabling SIP ALG (SIP Transformations) prevents one-way audio, phone deregistration, and failed incoming calls
  • Consistent NAT: Enabling Consistent NAT prevents one-way audio, failed transfers, dropped calls and Call Group inconsistencies
  • Multicast: Enabling Multicast support ensures that simultaneous outbound calls are routed properly to prevent call failures, and inbound calls going to multiple devices (as in a Call Group) are routed properly
  • Firewall Access Rules: Entering Voip Firewall Access Rules ensures that all traffic to and from the VoIP Carrier’s servers are allowed.

NOTE: Due to the variety of software versions, the instructions below may not be entirely accurate, though should stay relatively consistent. Please ensure a Network Administrator familiar with the SonicWall device configures the settings below.

To Disable SIP ALG and Double NAT, and Enable Multicast:

  1. As a Network Administrator, log in to the SonicWall device through a web browser.
  2. Select the VoIP tab, typically located on the left navigational pane. To get to the settings below, you may need to also select Settings depending on the model of SonicWall you have. 
  3. Check the Enable Consistent NAT setting checkbox, then uncheck the Enable SIP Transformations checkbox (Figure 1-1).
Figure 1-1: Consistent NAT and SIP Transformations
  1. Select the Firewall Settings tab, usually located on the left navigational pane.
  2. Select Multicast
  3. Ensure the Enable Multicast checkbox is checked.
  4. Ensure that the Enable reception of all multicast addresses radio button is selected (Figure 1-2).
Figure 1-2: Enabling Multicasting
  1. Select the Network tab, usually located on the left navigational pane.
  2. Select Interfaces.
  3. Select the Edit or Pencil icon next to the WAN interface. The label will be Default WAN (Figure 1-3).
Figure 1-3: Editing WAN Interface
  1. Select the Advanced tab, usually located at the top of the window.
  2. Check the Enable Multicast Support checkbox (Figure 1-4).
Figure 1-4: Enabling Multicast Support
  1. Repeat steps 11 – 12 for the LAN interface. The label will be Default LAN.

To Enter VoIP Firewall Access Rules – LAN to WAN:

A total of four access rules will need to be created. Two access rules for LAN to WAN, and two access rules for WAN to LAN. Each rule will specify two different IP ranges for VoIP service provided by carrier.

  1. Select the Firewall tab, then select Access Rules. The Access Rules setting may also be under the Policies section on the left navigation pane.
  2. Select the Matrix view, then select the arrow from LAN to WAN (Figure 2-1). On some versions of SonicWall, you may need to select Add on the following screen if a popup window does not display.
Figure 2-1: LAN to WAN Zone Selection
  1. Select the Destination drop-down menu, then select Create new network…
  2. Enter the information below, then select Save to close the window (Figure 2-2).
  • Name: VoIP Custom 1
  • Zone Assignment: WAN
  • Type: Range
  • Starting IP Address: Provided By Carrier
  • Ending IP Address: Provided By Carrier
Figure 2-2: VoIP Custom 1 IP Range Creation
  1. Continue setup by selecting the following options (Figure 2-3).
  • From: Any
  • To: WAN
  • Source Port: Any
  • Service: Any
  • Source: Any
  • Destination: VoIP Custom 1 has populated
  • All Other Fields: Leave as default
Figure 2-3: Access Rule 1 Creation
  1. Select the Advanced tab at the top of the window, then enter 90 in the UDP Connection Inactivity Timeout (seconds) field (Figure 2-4).
Figure 2-4: UDP Timeout Adjustment
  1. Select the QoS tab and use the drop-down menus to select the following options (Figure 2-5).
  • DSCP Marking Action: Explicit
  • Explicit DSCP Value: 46 – Expedited Forwarding (EF)
  • 802.1 Marking Action: Explicit
  • Explicit 802.1p Value: 6 – Voice (<10ms latency)
  1. Select Add or OK to save the first Access Rule.
  2. Select the Matrix view again, then select the arrow from LAN to WAN to enter the second IP range. This will be the exact same process as above with the second set of VoIP Provider’s IP ranges.
  3. Select the Destination drop-down menu, then select Create new network…
  4. Enter the information below, then select Save to close the window.
  • Name: VoIP Custom 2
  • Zone Assignment: WAN
  • Type: Range
  • Starting IP Address: Provided By Carrier
  • Ending IP Address: Provided By Carrier
  1. Continue setup by selecting the following options from the drop-down menus:
  • From: Any
  • To: WAN
  • Source Port: Any
  • Service: Any
  • Source: Any
  • Destination: VoIP Custom 2 has populated
  • All Other Fields: Leave as default
  1. Select the Advanced tab at the top of the window, then enter 90 in the UDP Connection Inactivity Timeout (seconds) field.
  2. Select the QoS tab and use the drop-down menus to select the following options.
  • DSCP Marking Action: Explicit
  • Explicit DSCP Value: 46 – Expedited Forwarding (EF)
  • 802.1 Marking Action: Explicit
  • Explicit 802.1p Value: 6 – Voice (<10ms latency)
  1. Select Add or OK to save the second Access Rule.

Continuing Setup with VoIP Firewall Access Rules – WAN to LAN:

  1. Select the Matrix view, then select the arrow from WAN to LAN (Figure 3-1). On some versions of SonicWall, you may need to select Add on the following screen if a popup window does not display.
Figure 3-1: WAN to LAN Zone Selection
  1. Select the following options from the drop-down menus:  
  • From: Any
  • To: LAN
  • Source Port: Any
  • Service: Any
  • Source: VoIP Custom 1
  • Destination: Any
  • All Other Fields: Leave as default
  1. Select the Advanced tab at the top of the window, then enter 90 in the UDP Connection Inactivity Timeout (seconds) field.
  2. Select the QoS tab and use the drop-down menus to select the following options.
  • DSCP Marking Action: Explicit
  • Explicit DSCP Value: 46 – Expedited Forwarding (EF)
  • 802.1 Marking Action: Explicit
  • Explicit 802.1p Value: 6 – Voice (<10ms latency)
  1. Select Add or OK to save the third Access Rule.
  2. Select the Matrix view again, then select the arrow from WAN to LAN to enter the second rule.
  3. Select the following options from the drop-down menus.
  • From: Any
  • To: LAN
  • Source Port: Any
  • Service: Any
  • Source: VoIP Custom 2
  • Destination: Any
  • All Other Fields: Leave as default
  1. Select the Advanced tab at the top of the window, then enter 90 in the UDP Connection Inactivity Timeout (seconds) field.
  2. Select the QoS tab and use the drop-down menus to select the following options.
  • DSCP Marking Action: Explicit
  • Explicit DSCP Value: 46 – Expedited Forwarding (EF)
  • 802.1 Marking Action: Explicit
  • Explicit 802.1p Value: 6 – Voice (<10ms latency)
  1. Select Add or OK to save the final Access Rule.

Powered by BetterDocs