There are many different models of SonicWall as well as firmware versions. Not all routers will have all of these settings. Also, these settings are not guaranteed to resolve voice issues, but they can help alleviate them. We recommend using a separate router for your phones if possible.
I. Create Service Objects
You will need 2 Service Objects which you can group together for ease of management.
i. VOIP Registration for ports 5060 to 5069 (default SIP registration ports)
ii. VOIP Media for ports 10000 to 20000 (UDP) (main range for voice traffic)
II. Set Firewall Rules
Part 1: Inbound
Create a Firewall Rule for WAN to LAN to allow all traffic from VOIP Service.
Within the same rule, under the Advanced tab, change the UDP timeout to 350 seconds.
Part 2: Outbound
The default outbound rule (LAN to WAN) allows all traffic. Repeat Part 1 on this outbound rule and set the UDP Timeout to 350 seconds.
The Firewall Rules should then look like this:
III. Other
- In the VOIP section, make certain that "Enable Consistent NAT" is checked.
- Under Firewall Settings, disable SPI (Stateful Packet Inspection).
- Under Firewall Settings, Advanced, set UDP Timeout to 350 seconds.
- If you are not receiving any 'ringback' when dialing out, the SonicWall may be blocking the ringback tone. In 'Security Services', under 'IPS Global Settings', if 'Enable IPS' is checked, ensure that 'Low Priority Attacks' is not checked under the 'Prevent All' column.
Great article; however, I'm curious why the need to disable SPI. SPI is a very good security feature to have and is required for PCI compliance. Is there a way to just ignore SPI on the VOIP traffic? We are using the 5.9.0.4 firmware, which is a little outdated, I know.
Excellent question! SPI inspects every packet that comes through your network, thus creating extra overhead. This can (but does not always) create issues for live voice traffic. SPI is good to use for data networks for security reasons, so our best recommendation is to segregate your voice and data networks onto 2 different routers.