
VOIP SIP Trunk Gen7 - best practice - novice needs help

Hi

I am trying to set up my TZ570 for a PBX and I honestly have never set up VOIP with a SonicWall, as before our phones were still "old tech" and managed by our landlord. But now we need a new phone system and it is going to be VOIP as it's the standard.


The PBX will sit behind the TZ570 on the "LAN side" and it is going to be a Mitel unit.

Will use a 30 channel SIP trunk.


What I have done so far:

Created a dedicated VOIP Zone without any security services on an extra port

Created VOIP Service Group (SIP UDP and TCP ports as well as RTP/media Ports)

Created a rule from LAN/VOIP to WAN for VOIP Service Group and added BWM and UDP timeout to 180s

VOIP - SIP transformations in TZ570 are disabled


The SIP Trunk provider states:

if possible no ALG

STUN Server: no


so far so good :-) - here come my questions!


When I look at this guide:

https://www.sonicwall.com/support/knowledge-base/how-to-configure-voip-to-use-any-voip-phone-system-best-practices/210615132522720/


I should also create:

an access rule WAN to VOIP - so basically portforwarding (Step 10)

create 3 NAT rules

enable "consistent NAT"


I have read a lot about VOIP/SIP and mostly port forwarding should not be used.

Also the SIP trunk provider explicitly writes "sip session only need to be open from LAN to WAN" - why does SW say I should open WAN to LAN?

Do I need the NAT rules in Gen7, or are the standard ones and "consistent NAT" sufficient? This confuses me: NAT rules + consistent NAT.

thx for any help here!

Category: Entry Level Firewalls

Answers

  • Arkwright Community Legend ✭✭✭✭✭

    You might need to forward ports to your Mitel [note that "Mitel" is a company that makes about 94 different phone systems, so you should probably be more specific] but you ONLY want to allow SIP from your SIP provider. Do not leave SIP open from the entire internet to your phone system.

    I suggest you don't attempt to follow generic guidance from Sonicwall about this - there are simply too many variables here and they won't be able to cover all scenarios from all vendors. Consult the documentation of your SIP provider and your phone system vendor to see what the requirements are. Use the Sonicwall documentation to help you make the relevant configuration changes on your Sonicwall.

  • blublub Newbie ✭

    Hi

    Thx for the reply.

    All I know is "Mitel SMB" as far as the model goes.


    The SIP provider doesn't say much:

    Session NAT timer 30s

    No ALG/SIP transformation

    ...and that's about it...


    Uh well, I guess I better start with port forwarding :-) - and yeah, I'll include the SIP server from the provider as source and not "all"

  • TKWITS Community Legend ✭✭✭✭✭
    edited February 2022

    You need to obtain more information on both the SIP provider and the PBX... They have installation / 'turn up' guides for a reason.

    Read up on how your PBX handles RTP traffic (if it keeps RTP sessions active between itself and the phone, or if the phone handles all the RTP traffic after the initial setup).

    Unless your SIP provider is also acting as an SBC (or has a published list of RTP servers) you will need to open up inbound RTP traffic from any.

    While you are on the right track, you'll probably run into issues.

    Create a dedicated VLAN (sub-interface) for voice devices and traffic, and exempt it from any Security Services inspections. Do this instead of a dedicated physical interface on the Sonicwall.

    Make sure you can get internal phone to phone calls working first, then worry about the SIP trunk.

    Do NOT enable SIP Transformations on the Sonicwall.

    Contact your ISP and make sure they disable SIP ALG on their equipment (or do it yourself if you have access).

    Come back with very specific questions.
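
The source restriction recommended in the answers above can be checked mechanically. The following is an added example, not code from any poster or from SonicWall: it audits inbound WAN to VOIP rules and flags SIP signalling that is reachable from outside the provider's address range. The rule dictionary format, the rule names, the provider range (a documentation prefix) and the RTP port range are all constructed assumptions, not a SonicOS export format.

```python
import ipaddress

SIP_PORTS = {5060, 5061}  # standard SIP / SIP-TLS signalling ports

# Constructed sample data: the provider range is an RFC 5737 documentation prefix.
PROVIDER_NETS = [ipaddress.ip_network("203.0.113.0/28")]
RULES = [
    {"name": "sip-from-trunk", "from": "WAN", "to": "VOIP", "source": "203.0.113.0/28", "ports": (5060, 5061)},
    {"name": "sip-from-any", "from": "WAN", "to": "VOIP", "source": "any", "ports": (5060, 5060)},
    {"name": "rtp-from-any", "from": "WAN", "to": "VOIP", "source": "any", "ports": (10000, 20000)},
    {"name": "voip-out", "from": "VOIP", "to": "WAN", "source": "any", "ports": (5060, 5061)},
]

def source_within_provider(source, provider_nets):
    """True only if the rule's source is fully contained in a provider network."""
    if source.lower() == "any":
        return False
    net = ipaddress.ip_network(source, strict=False)
    return any(net.version == p.version and net.subnet_of(p) for p in provider_nets)

def audit(rules, provider_nets):
    """Return (severity, rule name, reason) for inbound WAN->VOIP rules."""
    findings = []
    for r in rules:
        if (r["from"], r["to"]) != ("WAN", "VOIP"):
            continue  # only inbound exposure is of interest here
        lo, hi = r["ports"]
        covers_sip = any(lo <= p <= hi for p in SIP_PORTS)
        restricted = source_within_provider(r["source"], provider_nets)
        if covers_sip and not restricted:
            findings.append(("HIGH", r["name"],
                             "SIP signalling reachable from outside the provider's range"))
        elif not covers_sip and not restricted:
            findings.append(("REVIEW", r["name"],
                             "media ports open from any; confirm the provider publishes no RTP server list"))
    return findings

if __name__ == "__main__":
    for finding in audit(RULES, PROVIDER_NETS):
        print(*finding, sep=" | ")
```

The REVIEW severity reflects the point made in the thread that inbound RTP from any source may be unavoidable when the provider publishes no media server list, while SIP signalling from any source is never acceptable.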
