These firewalls have a powerful Bandwidth Management (BWM) system, which customers have great success using to prevent or resolve many call quality problems.

  • BWM allows you to reserve the exact amount of bandwidth the Intermedia devices need. This feature is rare to find on small-business grade firewalls at an economical price-point.

Known Issues:

  1. SIP ALG is enabled by default, but it is easy to disable.
  2. The firewall intermittently interferes with phone registration, but it does not once the changes below are made.
  3. We recommend that you do not enable the IP/MAC Binding feature on the DRAYTEK. Testing has confirmed that this will lock up the device and cause it to constantly reboot.
    • This feature will not allow devices that are not getting an IP address from the DRAYTEK DHCP server to access the internet or ping the DRAYTEK.
    • It is a security feature that prevents a hacker from walking into your office, plugging their computer into the firewall or switch, and gaining access to your network.
    • When this feature is enabled, the DRAYTEK can appear as if it is locked up when it actually is not.
    • The ‘lock-up’ can occur due to one or more of the 3 situations below:
      • You are using a standalone DHCP server, such as running one on a Windows Server, instead of using the DHCP server on the DRAYTEK.
      • A computer or other device was manually configured to use a static IP address and the DRAYTEK is not aware of that static IP address assignment.
      • The MAC address of a computer or phone was incorrectly entered.

Firmware Information:

  • Confirmed Stable Firmware:
    • Vigor 2920: no confirmations of firmware issues
    • Vigor 2925: no confirmations of firmware issues

Resolution:

  1. Telnet to the router to disable SIP ALG using PuTTYtel
    • Log in to the router in Telnet using the admin username and password
    • Enter the following command:
      • sys sip_alg ?
        • If the router says 'current SIP ALG is disabled' you don't need to do anything.
    • If SIP ALG is enabled enter the following commands
      • sys sip_alg 0
      • sys commit
      • sys reboot
    • DNS server addresses need to be changed to a set of efficient DNS servers, like Google's DNS or another DNS, to prevent intermittent registration failures on Polycom phones.
    • SIP ALG is disabled by default, but if it was enabled, it needs to be disabled to prevent intermittent one-way audio and call and phone feature failures.
    • This router is capable of multi-WAN interfaces for load balancing. The Hosted PBX interprets load-shared packets as being out of order and has a tendency to discard out-of-order packets, which would cause severe degradation in call quality. All Voice over IP systems would see this condition as a high jitter level. This problem may lead to a constant level of call quality degradation throughout the call. It is preferable to configure load-sharing devices to establish VoIP calls through consistent routes and to avoid spreading packets from the same call over different paths.
    • There may be other issues with this router which have not been documented or tested.
  2. Log in to the router.
  3. This setup assumes the device is in its default configuration with no VLANs or multiple LAN subnets.
  4. Go to LAN > General Setup > Click OK > Select "Details Page" for LAN 1 and change the following under 'DNS Server IP Address':
    • Primary DNS: 8.8.8.8
    • Secondary DNS: 8.8.4.4
    • Click OK
  5. Go to LAN > General Setup > Click OK.
    • Enable "Force router to use 'DNS server IP address' settings specified in 'LAN1'"
  6. Telnet to the router to disable SIP ALG using PuTTYtel
    • Log in to the router in Telnet using the admin username and password
    • Enter the following command:
      • sys sip_alg ?
        • If the router says 'current SIP ALG is disabled' you don't need to do anything.
    • If SIP ALG is enabled enter the following commands
      • sys sip_alg 0
      • sys commit
      • sys reboot
    • This router is capable of bandwidth management; however, it has not been tested rigorously to ensure its efficacy. If you need assistance configuring bandwidth management on this router, contact Intermedia.
  7. Go to Object Setting > IP Object:
    • You will need to create address object(s) that pertain to the Intermedia VoIP product being used. Please contact Intermedia to obtain the IPs that need to be whitelisted.
      • Click on the Address Group tab > Add:
        • Name: "CV_Servers".
        • In the left-hand box, you have to click each of the objects you just created and add them individually.
        • Click the "->" button to move each object to the right.
        • Click OK.
  8. Go to Object Settings > Service Type Object:
    • You will need to create service objects for IP ports that pertain to the Intermedia VoIP product being used. Please contact Intermedia to obtain the necessary Port ranges that need to be added as Service Objects to your firewall.
    • Click on the Service Type Group > Add:
      • Name: "CVoice_SrvPorts".
      • In the left-hand box, highlight the Service Objects you created above.
      • Click the "->" button to move those Objects to the right.
      • Click OK.
  9. Go to Firewall > Filter Setup:
    • Click on “Call Filter”
    • Click the first available index number (the first one may be for “NetBios”; leave it as is):
      • Click check box: Check to enable the Filter Rule.
      • Name: "VoIP_Outbound".
      • From: LAN/RT/VPN -> Wan
      • To: Any
      • Source: click the “Edit” button
        • Click the drop down for IP OBJECT and select: "CV_Servers"
      • Destination IP: Any
      • Service Type: click the “Edit” button
        • Click the drop down for Service Group and select: "CVoice_SrvPorts".
      • Quality of Service: Class 1
      • Syslog: check.
      • Click Add:
    • Click on next available index number
      • Click check box: Check to enable the Filter Rule.
      • Name: "VoIP_Inbound".
      • From: Any.
      • To: Wan -> LAN/RT/VPN
      • Source IP: click the “Edit” button
      • Click the drop down for IP OBJECT and select: "CV_Servers".
      • Destination: Any.
      • Service Type: click the “Edit” button
      • Click the drop down for Service Group and select: "CVoice_SrvPorts".
      • Quality of Service: Class 1
      • Syslog: check.
      • Click Add:
    • Click on next available index number
      • Click check box: Check to enable the Filter Rule.
      • Name: "CV_Png_Tst_Svr" (the name of the Address Object that's associated with Intermedia WAN ping servers)
      • Direction: Wan -> LAN/RT/VPN
      • Source IP: click the “Edit” button
        • Click the drop down for IP OBJECT and select: "CV_Servers".
      • Destination IP: Any.
      • Service Type: click the “Edit” button
      • Click the drop down for Service Group and select: "CVoice_SrvPorts".
      • Click Add
  10. The steps below are needed to reserve the exact amount of bandwidth the phones need to prevent call quality problems:
    • Go to Bandwidth Management > Quality of Service
    • Select the appropriate WAN port > Setup
      • Enable the QoS Control: Select “Both”
      • Enable Highest Bandwidth Priority for SIP Traffic: Uncheck.
        • Set Inbound and Outbound to the speeds retrieved from the speedtest
        • Only adjust the classes if they have low bandwidth
        • Click the check box to “Enable UDP Bandwidth Control”
      • Click OK at the bottom of the page.
        • Inbound: calculate this number: (#-of-phones * 50kbps) + (#-of-fax-adapters * 100kbps) + (50 kbps for 1 VoIP/Soak Test Tool).
          • Priority: 5.
          • Maximize Bandwidth Usage: Uncheck.
          • Maximum: calculate this number: (#-of-phones * 100kbps) + (#-of-fax-adapters * 100kbps) + (100kbps for 1 VoIP/Soak Test Tool).
        • Outbound: calculate this number: (#-of-phones * 50kbps) + (#-of-fax-adapters * 100kbps) + (50 kbps for 1 VoIP/Soak Test Tool).
          • Priority: 5.
          • Maximize Bandwidth Usage: Uncheck.
          • Maximum: calculate this number: (#-of-phones * 100kbps) + (#-of-fax-adapters * 100kbps) + (100kbps for 1 VoIP/Soak Test Tool).
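
The reservation figures from step 10, worked through in code. This is an added example, not part of the original article or Intermedia's tooling. The function and parameter names are hypothetical, and the comparison against the measured speedtest speeds is an added sanity check that the article does not prescribe.

```python
from dataclasses import dataclass

# Per-device rates in kbps, taken from the formulas in step 10.
GUARANTEED_KBPS = {"phone": 50, "fax_adapter": 100, "test_tool": 50}
MAXIMUM_KBPS = {"phone": 100, "fax_adapter": 100, "test_tool": 100}


@dataclass(frozen=True)
class BwmPlan:
    guaranteed_kbps: int  # value for the Inbound / Outbound field
    maximum_kbps: int     # value for the Maximum field
    warnings: tuple       # directions where the measured link is too small


def voip_bwm_plan(phones, fax_adapters, down_kbps, up_kbps):
    """Return the step-10 numbers and compare them with speedtest results.

    down_kbps / up_kbps are the measured WAN speeds (hypothetical names).
    The article uses the same formula for inbound and outbound and always
    counts exactly one VoIP/Soak Test Tool.
    """
    if phones < 0 or fax_adapters < 0:
        raise ValueError("device counts cannot be negative")
    counts = {"phone": phones, "fax_adapter": fax_adapters, "test_tool": 1}
    guaranteed = sum(GUARANTEED_KBPS[k] * n for k, n in counts.items())
    maximum = sum(MAXIMUM_KBPS[k] * n for k, n in counts.items())

    warnings = []
    for direction, measured in (("inbound", down_kbps), ("outbound", up_kbps)):
        if guaranteed > measured:
            warnings.append(
                f"{direction}: reservation {guaranteed} kbps exceeds link {measured} kbps")
        elif maximum > measured:
            warnings.append(
                f"{direction}: maximum {maximum} kbps exceeds link {measured} kbps")
    return BwmPlan(guaranteed, maximum, tuple(warnings))


if __name__ == "__main__":
    # Constructed sample site: 20 phones, 2 fax adapters, 50 Mbps down / 2 Mbps up.
    print(voip_bwm_plan(20, 2, down_kbps=50_000, up_kbps=2_000))
```

For the constructed site, the reservation fits in both directions, but the Maximum value is larger than the measured upload speed, which is the case worth catching before entering the numbers on the router.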

Additional Resources:

  1. Recommended Routers.
  2. Recommended Switches.
  3. Recommended LAN Configurations.
  4. Network Ports and Protocols for HPBX phones.