Firewall Configuration Guide for VoIP Systems

Proper firewall configuration is crucial for VoIP system performance and security. This guide covers everything you need to know about configuring firewalls for VoIP, from basic port settings to advanced security configurations.

Understanding VoIP Network Requirements

VoIP Traffic Types

VoIP systems use two main types of traffic:

1. SIP Signaling Traffic

   • Handles call setup, teardown, and control
   • Uses UDP/TCP port 5060 by default
   • Contains call metadata and control information

2. RTP Media Traffic

   • Carries actual voice data
   • Uses dynamic UDP ports (typically 10000-20000)
   • Requires real-time delivery for quality

Network Requirements

Minimum Bandwidth:

• Per Call: 100 Kbps (G.711 codec)
• HD Voice: 150 Kbps (G.722 codec)
• Recommended: 1 Mbps upload/download per concurrent call

Latency Requirements:

• Maximum: 150ms one-way
• Optimal: < 50ms one-way
• Jitter: < 30ms

Essential Firewall Configurations

1. Required Ports

SIP Signaling Ports

Protocol: UDP/TCP
Port: 5060
Direction: Both inbound and outbound
Purpose: SIP registration and call signaling

RTP Media Ports

Protocol: UDP
Port Range: 10000-20000 (configurable)
Direction: Both inbound and outbound
Purpose: Voice and video media streams

HTTPS Provisioning

Protocol: TCP
Port: 443
Direction: Outbound
Purpose: Device configuration and firmware updates

NTP (Network Time Protocol)

Protocol: UDP
Port: 123
Direction: Outbound
Purpose: Time synchronization for call logs

2. Router/Firewall Settings

Disable SIP ALG (Application Layer Gateway)

Why Disable SIP ALG:

• SIP ALG can interfere with VoIP traffic
• Causes one-way audio issues
• Breaks NAT traversal mechanisms

How to Disable:

For Common Routers:

Linksys:

1. Access router admin panel (192.168.1.1)
2. Go to Applications & Gaming → Port Range Forwarding
3. Look for "SIP" or "VoIP" settings
4. Disable SIP ALG

Netgear:

1. Access router admin panel (192.168.1.1)
2. Go to Advanced → WAN Setup
3. Find "Disable SIP ALG" option
4. Check the box to disable

TP-Link:

1. Access router admin panel (192.168.1.1)
2. Go to Advanced → NAT Forwarding → ALG
3. Disable SIP ALG

Asus:

1. Access router admin panel (192.168.1.1)
2. Go to WAN → NAT Passthrough
3. Disable SIP Passthrough

Configure NAT Settings

Static NAT (Recommended for VoIP):

External IP: Your public IP
Internal IP: VoIP device IP
Port: 5060 (SIP)

Port Forwarding Rules:

Rule 1:
- External Port: 5060
- Internal Port: 5060
- Protocol: UDP/TCP
- Internal IP: VoIP device IP

Rule 2:
- External Port: 10000-20000
- Internal Port: 10000-20000
- Protocol: UDP
- Internal IP: VoIP device IP

3. Quality of Service (QoS) Configuration

QoS Priority Settings

Traffic Classification:

1. Highest Priority: VoIP RTP traffic
2. High Priority: VoIP SIP signaling
3. Medium Priority: Web browsing, email
4. Low Priority: File downloads, streaming

Bandwidth Allocation:

VoIP Traffic: 20% of total bandwidth
SIP Signaling: 5% of total bandwidth
Other Traffic: 75% of total bandwidth

QoS Implementation

For Business Routers:

Cisco:

class-map match-all VOIP
 match dscp ef
 match dscp cs3
!
policy-map VOIP-POLICY
 class VOIP
  priority percent 20
 class class-default
  fair-queue
!
interface FastEthernet0/0
 service-policy output VOIP-POLICY

Ubiquiti:

1. Go to Settings → Traffic Management
2. Enable Smart Queues
3. Set upload/download speeds
4. VoIP traffic automatically prioritized

MikroTik:

/queue simple add name=voip target=192.168.1.0/24 max-limit=1M/1M priority=1
/queue simple add name=other target=192.168.1.0/24 max-limit=10M/10M priority=8

Advanced Firewall Configurations

1. VLAN Configuration

Benefits of VoIP VLAN:

• Traffic isolation
• Better QoS control
• Enhanced security
• Simplified management

VLAN Setup:

VLAN 10: Voice (VoIP devices)
VLAN 20: Data (computers, servers)
VLAN 30: Management (network devices)

VLAN Configuration Example:

vlan 10
 name VOICE
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0

2. Security Configurations

Access Control Lists (ACLs)

VoIP-Specific ACLs:

# Allow SIP traffic from trusted sources
permit udp any any eq 5060
permit tcp any any eq 5060

# Allow RTP traffic
permit udp any any range 10000 20000

# Deny unauthorized VoIP traffic
deny udp any any eq 5060 log
deny tcp any any eq 5060 log

Intrusion Prevention

VoIP Attack Prevention:

1. SIP Flood Protection

   • Limit SIP requests per second
   • Block suspicious SIP patterns
   • Monitor for DoS attacks

2. RTP Protection

   • Validate RTP packet headers
   • Monitor for media flooding
   • Block unauthorized media streams

3. Monitoring and Logging

Essential Logs to Monitor

SIP Traffic Logs:

• Registration attempts
• Call setup/teardown
• Authentication failures
• Unusual traffic patterns

RTP Traffic Logs:

• Media stream statistics
• Packet loss rates
• Jitter measurements
• Bandwidth utilization

Monitoring Tools

Free Tools:

• Wireshark: Packet analysis
• SIPp: SIP traffic testing
• Nagios: Network monitoring
• PRTG: Traffic analysis

Commercial Solutions:

• SolarWinds: Network monitoring
• ManageEngine: VoIP monitoring
• Paessler: PRTG Network Monitor

Troubleshooting Firewall Issues

Common Problems and Solutions

1. One-Way Audio

Symptoms: Can hear caller but they can't hear you (or vice versa)

Causes:

• Firewall blocking RTP traffic
• Incorrect NAT configuration
• SIP ALG interference

Solutions:

1. Check RTP port forwarding
2. Disable SIP ALG
3. Verify NAT settings
4. Test with different codecs

2. Registration Failures

Symptoms: VoIP device shows "No Service" or "Registration Failed"

Causes:

• Firewall blocking SIP port 5060
• Incorrect credentials
• Network connectivity issues

Solutions:

1. Verify SIP port 5060 is open
2. Check username/password
3. Test network connectivity
4. Review firewall logs

3. Poor Call Quality

Symptoms: Echo, static, dropped calls

Causes:

• Insufficient bandwidth
• High latency/jitter
• QoS not configured

Solutions:

1. Implement QoS policies
2. Increase bandwidth
3. Use wired connections
4. Optimize network settings

Diagnostic Commands

Network Testing

# Test SIP server connectivity
telnet your-sip-server.com 5060

# Test RTP ports
nc -u your-sip-server.com 10000

# Check packet loss
ping -c 100 your-sip-server.com

# Traceroute to identify bottlenecks
traceroute your-sip-server.com

Firewall Testing

# Check if ports are open
nmap -p 5060,10000-20000 your-sip-server.com

# Test UDP connectivity
nc -u your-sip-server.com 5060

# Check firewall rules
iptables -L -n -v

Best Practices

1. Security Best Practices

Network Security:

• Use strong passwords for all devices
• Enable firewall logging
• Regular security audits
• Keep firmware updated
• Implement VLAN segmentation

VoIP Security:

• Use SRTP (Secure RTP) when possible
• Enable SIP TLS encryption
• Implement strong authentication
• Monitor for suspicious activity
• Regular security updates

2. Performance Optimization

Network Optimization:

• Dedicated internet for VoIP
• Proper QoS implementation
• Regular bandwidth monitoring
• Optimize switch configurations
• Use PoE for power efficiency

Device Optimization:

• Keep firmware updated
• Optimize codec selection
• Regular device restarts
• Proper physical placement
• Monitor device health

3. Maintenance Schedule

Daily:

• Check call quality
• Monitor bandwidth usage
• Review error logs

Weekly:

• Test failover systems
• Review security logs
• Update documentation

Monthly:

• Full network assessment
• Security audit
• Performance optimization
• Firmware updates

Conclusion

Proper firewall configuration is essential for VoIP system reliability and security. By following this guide, you can ensure optimal performance while maintaining security standards.

Key Takeaways:

1. Disable SIP ALG on all routers
2. Configure proper port forwarding
3. Implement QoS policies
4. Monitor and log traffic
5. Regular maintenance and updates

For complex configurations or enterprise environments, consider consulting with network security professionals or ATCVoIP support team.

Need Help? Contact ATCVoIP support for assistance with:

• Complex firewall configurations
• Enterprise network setups
• Security audits
• Performance optimization
• Troubleshooting assistance