Recommendation Information:
Price: ~$150 and above

  • These firewalls have a powerful Bandwidth Management (BWM) system, which customers have great success using to prevent or resolve many call quality problems.

  • BWM allows you to reserve the exact amount of bandwidth the devices need.  This feature is rare to find on small-business grade firewalls at an economical price-point.

  • The least expensive model in the series is the ZWUSG20, but it does not have WiFi. 

  • The ZWUSG20W does have WiFi. 

  • Both models still have the same Bandwidth Management features that the pricier models have, but they only cost around $150 for the ZWUSG20 or $182 for the ZWUSG20W on Amazon and other online stores.  In comparison, a Linksys EA6500 costs $170 on Amazon and doesn't have BWM or many features needed for a small-business environment.

  • You will probably be unable to find this router at a local store.  However, Staples & Fry's Electronics offer a ship-to-store option to save time & money.

Known Issues:

  1. SIP ALG is enabled by default, but it is easy to disable.

  2. The firewall intermittently interferes with phone registration. This stops once the changes below are made.

  3. We recommend that you do not enable the IP/MAC Binding feature on the ZyXEL unless you are 100% aware of your network configuration:

    • This feature will not allow devices that are not getting an IP address from the ZyXEL DHCP server to access the internet or ping the ZyXEL. 

    • It is a security feature that prevents a hacker from walking into your office, plugging their computer into your firewall or switch, & gaining access to your network. 

    • When this feature is enabled, the ZyXEL can appear as if it is locked up when it actually is not.

    • The ‘lock-up’ can occur due to one or more of the 3 situations below:

      • You are using a standalone DHCP server, such as running one on a Windows Server, instead of using the DHCP server on the ZyXEL. 

      • A computer or other device was manually configured to use a static IP address and the ZyXEL is not aware of that static IP address assignment.

      • The MAC address of a computer or phone was incorrectly entered.

Firmware Information:

  • Confirmed Stable Firmware:
    • USG20W:
      • Boot Module: 1.17.
      • Current Version: 3.30(BDR.6).
      • Released Date: 2014-09-29 07:33:21.
      • Tested 12/9/14.
    • USG50 and above: 
      • No reported issues with any firmware versions as of 12/9/14.

Resolution:

  1. By default, the ZyWall sets ports P2 & P3 to lan1.

    • Unless you want to change those ports to put the phones on a different VLAN from the computers, we recommend you only plug your phones into ports P2 & P3.

    • We cannot set up or configure VLANs for you, but you or your IT can do this if you have a managed switch and know how to configure it. 

    • We do not support putting the phones in the DMZ. 

    • If you do not want to use VLANs but you still want to use P4, P5, and higher, you will need to log in to the firewall and change Configuration > Interface > Port Role > Designate all unused ports to lan1.

  2. Log in to the firewall > Configuration (2-gears-icon) in the top-left-hand corner > Network > ALG:

    • Uncheck Enable SIP ALG.

    • Uncheck Enable SIP Transformations.

    • Uncheck Enable Configure SIP Inactivity Timeout.

    • Restrict Peer to Peer Signaling Connection: Uncheck.

    • Restrict Peer to Peer Media Connection: Uncheck.

    • Click Apply.

  3. Go to Configuration (2-gears-icon) > Object > Address:

    • Add each of the following Address Objects below for HPBX 2.0

      • Name: Cloud_Voice_RTP_Server_Block1

        • Address Type: “SUBNET”.

        • Network: 64.28.114.0

        • Netmask: 255.255.255.0

        • Click OK.

        • For accounts after 5/15/2015 use:
          • Network: 64.28.124.0

          • Netmask: 255.255.255.0

          • Click OK.

      • Name: Cloud_Voice_RTP_Server_Block2

        • Address Type: “SUBNET”.

        • Network: 64.28.115.0

        • Netmask: 255.255.255.0

        • Click OK.

        • For accounts after 5/15/2015 use:
          • Network: 64.28.123.0

          • Netmask: 255.255.255.0

          • Click OK.

      • Name: Cloud_Voice_Config_Server1

        • Address Type: "HOST".

        • IP Address: 64.28.115.146

        • Click OK.

      • Name: Cloud_Voice_Config_Server2

        • Address Type: "HOST".

        • IP Address: 64.28.112.148

        • Click OK.

      • Name: Cloud_Voice_DNS-Time_Server1

        • Address Type: "HOST".

        • IP Address: 64.28.112.157

        • Click OK.

      • Name: Cloud_Voice_DNS-Time_Server2

        • Address Type: "HOST".

        • IP Address: 64.28.115.137

        • Click OK.

      • Name: Cloud_Voice_DNS-Time_Server3

        • Address Type: "HOST".

        • IP Address: 64.28.126.9

        • Click OK.

      • Name: "Cloud_Voice_SVDNS_Server". - This entry is only required if you have the old DPS-V Vertical phone system.

        • Address Type: HOST.

        • IP Address: "64.28.126.29".

        • Click OK.

      • Name: "Cloud_Voice_PTS_Server". - This entry is only required if you have Vertical desk phones or RTX cordless phones.

        • Address Type: "HOST".

        • IP Address: "64.28.115.150".

        • Click OK.

      • Name: Cloud_Voice_VoIP_Test_Server1

        • Address Type: "HOST".

        • IP Address: 64.28.122.100

        • Click OK.

      • Name: Cloud_Voice_VoIP_Test_Server2

        • Address Type: "HOST".

        • IP Address: 64.28.122.102

        • Click OK.

      • Name: Cloud_Voice_Ping_Test_Server1
        • Address Type: “HOST”.
        • IP Address: 64.28.122.103

        • Click OK.
      • Name: Cloud_Voice_Ping_Test_Server2
        • Address Type: “HOST”.

        • IP Address: 64.28.122.110

        • Click OK.
      • Name: Cloud_Voice_Ping_Test_Server3
        • Address Type: “HOST”.
        • IP Address: 64.28.121.110

        • Click OK.

      • Name: Cloud_Voice_SIP_Register_Server
        • Address Type: “HOST”.
        • IP Address: 64.28.113.10

        • Click OK.

        • For accounts after 5/15/2015 use:
          • Network: 64.28.119.10
          • Subnet: 255.255.255.0
          • Click OK.
      • Add each of the following Address Objects below for HPBX 1.0 
        • Name: Cloud_Voice_RTP_Server_Block1

          • Address Type: Network

          • IP Address: 206.225.167.64

          • Netmask: 255.255.255.192
          • Click OK.

        • Name: Cloud_Voice_RTP_Server_Block2

          • Address Type: Network

          • IP Address: 199.193.202.64

          • Netmask: 255.255.255.224

          • Click OK.

        • Click on the Address Group tab > Add:

          • Name: "Cloud_Voice_Servers".

          • Description: "Servers that the phone and fax devices use".

          • In the left-hand box, highlight the 12 Address Objects you created above.

          • Click the "->" button to move those Objects to the right.

          • Click OK.

    • Go to Object > Service:

      • Add each of the following Service Objects below for HPBX 2.0:

        • Name: "Cloud_Voice_RTP_Audio_Range".

          • IP Protocol: UDP.

          • Port Range: 30000 – 50000.

          • Click OK.

        • Name: "Cloud_Voice_SIP_Dest_Ports".

          • IP Protocol: UDP.

          • Port Range: 6060 – 6061.

          • Click OK.

        • Name: "Cloud_Voice_SIP_Local_Ports".

          • IP Protocol: UDP.

          • Port Range: 6100 – 6899.

          • Click OK.

        • Name: "Cloud_Voice_VoIP_Test_SIP_Range".

          • IP Protocol: UDP.

          • Port Range: 5678 – 6677.

          • Click OK.

        • Name: "Cloud_Voice_VoIP_Test_RTP_Range".

          • Protocol: UDP.

          • Port Range: 50000 – 60000.

          • Click OK.

      • Add each of the following Service Objects below for HPBX 1.0:
        • Name: Cloud_Voice_SIP_TCP

          • Protocol: TCP

          • Port Range: 5060 – 5061

          • Click OK.

        • Name: Cloud_Voice_SIP_UDP

          • Protocol: UDP

          • Port Range: 5060 – 5061

          • Click OK.

        • Name: "Cloud_Voice_SIP_RTP_Range".

          • Protocol: UDP

          • Port Range: 35000 – 50000.

          • Click OK.

      • Click on the Service Group tab > Add:

        • Name: "Cloud_Voice_Service_Ports".

        • Description: "Ports used by phone and fax devices".

        • In the left-hand box, highlight the 5 Service Objects you created above.

        • Click the "->" button to move those Objects to the right.

        • Click OK.

    • Go to Firewall (Called Security Policy > Policy Control on newer firmware versions):

      • Click Add:

        • Enable: Check.

        • Name: "Cloud_Voice_Devices_Outbound".

          • Do not worry if you do not have this option.  It only exists in newer firmware versions and models.

        • Description: "Allow phones and fax devices outbound access and BWM".

        • From: Any.

        • To: Any (excluding ZyWALL).

        • Source: Any.

        • Destination: "Cloud_Voice_Servers".

        • Service: "Cloud_Voice_Service_Ports".

        • User: Any.

        • Schedule: None.

        • Action (Access): Allow.

        • Log matched traffic: Yes.

        • UTM Profile: All unchecked.

          • Do not worry if you do not have these options. They are not included on all USG firewalls.

        • Click OK.

      • Click Add:

        • Enable: Check.

        • Name: "Cloud_Voice_Devices_Inbound".

          • Do not worry if you do not have this option.  It only exists in newer firmware versions and models.

        • Description: "To allow inbound BWM to phones and fax devices".

        • From: Any.

        • To: Any (excluding ZyWALL).

        • Source: "Cloud_Voice_Servers".

        • Destination: Any.

        • Service: "Cloud_Voice_Service_Ports".

        • User: Any.

        • Schedule: None.

        • Action (Access): Allow.

        • Log matched traffic: Yes.

        • UTM Profile: All unchecked.

        • Click OK.

      • Click Add:

        • The following rule is needed to allow the ZyWALL to respond to our Call Quality Monitoring Server, 64.28.122.100.

          • Enable: Check.

          • Name: "Cloud_Voice_Ping_Response".

            • Do not worry if you do not have this option.  It only exists in newer firmware versions and models.

          • Description: "To allow response to the Call Quality Monitoring Ping Server".

          • From: WAN.

          • To: ZyWALL.

          • Source: "Cloud_Voice_Ping_Test_Server".

          • Destination: Any.

          • Service: PING.

          • User: Any.

          • Schedule: None.

          • Action (Access): Allow.

          • Log matched traffic: Yes.

          • UTM Profile: All unchecked.

          • Click OK.

        • Click Apply at the bottom of the Firewall page.

    • Go to Firewall (Security Policy) > Session Control tab > General Settings:

      • UDP Session Time Out: 300.

      • Click Apply.

    • The steps below are needed to reserve the exact amount of bandwidth the phones need to prevent call quality problems:

      • Go to BWM > BWM Global Setting:

        • Enable BWM: Check.

        • Enable Highest Bandwidth Priority for SIP Traffic: Uncheck.

          • We will be setting up manual BWM rules for voice/fax traffic.

          • This setting cannot be enabled or it will override our custom, more effective rules.

        • Click Apply at the bottom of the page.

      • On the same BWM page under Configuration > Add:

        • Configuration:

          • Enable: Check.

          • Description: "Reserve outbound bandwidth that phones and faxes need".

          • BWM Type: Shared.

            • Do not worry if you do not have this option.  It only exists in newer firmware versions and models.

        • Criteria:

          • User: Any.

          • Schedule: None.

          • Incoming Interface: Any.

          • Outgoing Interface: Any.

          • Source: Any.

          • Destination: "Cloud_Voice_Servers".

          • DSCP Code: Any.

          • Service Type: Service Object.

          • Service Object: "Cloud_Voice_Service_Ports".

        • DSCP Marking:

          • Inbound Marking: Preserve.

          • Outbound Marking: Preserve.

        • Bandwidth Shaping:

          • Guaranteed Bandwidth:

            • Inbound: calculate this number: (#-of-phones * 50kbps) + (#-of-fax-adapters * 100kbps) + (50 kbps for 1 VoIP/Soak Test Tool).

              • Priority: 5.

              • Maximize Bandwidth Usage: Uncheck.

              • Maximum: calculate this number: (#-of-phones * 100kbps) + (#-of-fax-adapters * 100kbps) + (50 kbps for 1 VoIP/Soak Test Tool).

            • Outbound: calculate this number: (#-of-phones * 50kbps) + (#-of-fax-adapters * 100kbps) + (50 kbps for 1 VoIP/Soak Test Tool).

              • Priority: 5.

              • Maximize Bandwidth Usage: Uncheck.

              • Maximum: calculate this number: (#-of-phones * 100kbps) + (#-of-fax-adapters * 100kbps) + (50 kbps for 1 VoIP/Soak Test Tool).

            • Related Setting:

              • Log: Yes/Log.

            • Click OK.

          • On the same page under Configuration > Add:

            • Configuration:

              • Enable: Check.

              • Description: "Reserve inbound bandwidth that phones and faxes need".

              • BWM Type: Shared.

            • Criteria:

              • User: Any.

              • Schedule: None.

              • Incoming Interface: Any.

              • Outgoing Interface: Any.

              • Source: "Cloud_Voice_Servers".

              • Destination: Any.

              • DSCP Code: Any.

              • Service Type: Service Object.

              • Service Object: "Cloud_Voice_Service_Ports".

            • DSCP Marking:

              • Inbound Marking: Preserve.

              • Outbound Marking: Preserve.

            • Bandwidth Shaping:

              • Guaranteed Bandwidth:

                • Inbound: calculate this number: (#-of-phones * 50kbps) + (#-of-fax-adapters * 100kbps) + (50 kbps for 1 VoIP/Soak Test Tool).

                  • Priority: 5.

                  • Maximize Bandwidth Usage: Uncheck.

                  • Maximum: calculate this number: (#-of-phones * 100kbps) + (#-of-fax-adapters * 100kbps) + (100kbps for 1 VoIP/Soak Test Tool).

                • Outbound: calculate this number: (#-of-phones * 50kbps) + (#-of-fax-adapters * 100kbps) + (50 kbps for 1 VoIP/Soak Test Tool).

                  • Priority: 5.

                  • Maximize Bandwidth Usage: Uncheck.

                  • Maximum: calculate this number: (#-of-phones * 100kbps) + (#-of-fax-adapters * 100kbps) + (100kbps for 1 VoIP/Soak Test Tool).

                • Related Setting:

                  • Log: Yes/Log.

                • Click OK.

              • Click Apply at the bottom of the page.

    • Go to Network > Interface > Ethernet tab > Select the WAN interface the VoIP devices are using (it is usually wan1) > Edit:

      • Scroll down to Interface Parameters:

        • Egress Bandwidth:

          • Enter in only 80-95% of the Upload bandwidth you pay for.

          • If you do not know what it is, take the average of 3 Upload results at Telecom Speed Test.

        • Ingress Bandwidth:

          • Enter in only 80-95% of the Download bandwidth you pay for.

          • If you do not know what it is, take the average of 3 Download results at Telecom Speed Test.

            • If you do not have the Ingress Bandwidth option, do not worry. 

            • The BWM rules you created in step 7 accomplish Ingress BWM via an alternate method.

          • Click OK.

        • Click Apply at the bottom of the page.

    • Go to Network > Interface > Ethernet tab > Select the LAN interface the VoIP devices are using (it is usually lan1) > Edit:

      • Scroll down to Interface Parameters:

        • Egress Bandwidth:

          • Enter in only 80-95% of the Upload bandwidth you pay for.

          • If you do not know what it is, take the average of 3 Upload results at Telecom Speed Test.

        • Ingress Bandwidth:

          • Enter in only 80-95% of the Download bandwidth you pay for.

          • If you do not know what it is, take the average of 3 Download results at Telecom Speed Test.

            • If you do not have the Ingress Bandwidth option, do not worry.

            • The BWM rules you created in step 7 accomplish Ingress BWM via an alternate method.

          • Click OK.

        • Click Apply at the bottom of the page.

    • The steps below are necessary for efficient DNS resolution of the configuration and call servers the phones require:

      • These changes will take your computers, phones, and all other devices offline for 10 minutes, or much longer if an unexpected problem arises.

      • Make sure to only make the changes below when you can afford to take your network offline.

        • Click on Configuration (2-gears-icon) in the top-left-hand corner.

        • Go to Network > Interface > Ethernet tab:

          • Select lan1 > Edit > Scroll down to DHCP Setting > Do the following:

          • First DNS Server (Optional) > Set to Custom Defined > Enter:

            • "8.8.8.8".

          • Second DNS Server (Optional) > Set to Custom Defined > Enter:

            • "8.8.4.4".

          • Enable IP/MAC Binding: Leave unchecked unless you or your IT intentionally checked it.

          • Click OK to Save.

        • Test to make sure computers can reach common websites.

        • If they cannot, you will need to manually clear the DNS cache on the computers.

          • For computers running Windows, run the command below from Command Prompt:

            • “ipconfig /flushdns”.
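
The firewall rules in this procedure are set to log matched traffic, so flows can be checked against the intended policy afterwards. The Python below is an added example, not part of the original article or of any ZyXEL tooling: it models the HPBX 2.0 address and service groups listed above (pre-5/15/2015 addresses) and reports which of the two voice rules a flow would match. The flow tuple format, the LAN and unknown-destination addresses, and the function names are assumptions made for illustration; zones (From/To) are not modelled.

```python
import ipaddress

# Address objects from this page (HPBX 2.0, accounts before 5/15/2015).
CLOUD_VOICE_SERVERS = [ipaddress.ip_network(n) for n in (
    "64.28.114.0/24", "64.28.115.0/24",          # RTP server blocks 1-2
    "64.28.115.146/32", "64.28.112.148/32",      # config servers
    "64.28.112.157/32", "64.28.115.137/32", "64.28.126.9/32",  # DNS/time
    "64.28.126.29/32", "64.28.115.150/32",       # SVDNS, PTS
    "64.28.122.100/32", "64.28.122.102/32",      # VoIP test servers
    "64.28.122.103/32", "64.28.122.110/32", "64.28.121.110/32",  # ping test
    "64.28.113.10/32",                           # SIP register server
)]

# Service objects from this page (HPBX 2.0); every one is UDP.
CLOUD_VOICE_SERVICE_PORTS = [
    (30000, 50000),  # Cloud_Voice_RTP_Audio_Range
    (6060, 6061),    # Cloud_Voice_SIP_Dest_Ports
    (6100, 6899),    # Cloud_Voice_SIP_Local_Ports
    (5678, 6677),    # Cloud_Voice_VoIP_Test_SIP_Range
    (50000, 60000),  # Cloud_Voice_VoIP_Test_RTP_Range
]

def in_servers(ip):
    """True if ip belongs to the Cloud_Voice_Servers address group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_VOICE_SERVERS)

def in_services(proto, dport):
    """True if proto/destination port belongs to Cloud_Voice_Service_Ports."""
    return proto == "udp" and any(lo <= dport <= hi for lo, hi in CLOUD_VOICE_SERVICE_PORTS)

def classify(src, dst, proto, dport):
    """Return the name of the page's rule a flow matches, or None."""
    if not in_services(proto, dport):
        return None
    if in_servers(dst):              # rules are checked in the order they were added
        return "Cloud_Voice_Devices_Outbound"
    if in_servers(src):
        return "Cloud_Voice_Devices_Inbound"
    return None

# Constructed sample flows: (source, destination, protocol, destination port).
SAMPLE_FLOWS = [
    ("192.168.1.50", "64.28.113.10", "udp", 6060),   # phone registering
    ("192.168.1.50", "64.28.114.20", "udp", 31000),  # RTP audio to block 1
    ("64.28.115.77", "192.168.1.50", "udp", 6100),   # server to phone's local SIP port
    ("192.168.1.50", "64.28.113.10", "tcp", 6060),   # wrong protocol
    ("192.168.1.50", "203.0.113.9", "udp", 6060),    # voice port, unknown destination
    ("192.168.1.50", "64.28.113.10", "udp", 5060),   # port outside every range
]

def audit(flows):
    """Pair each flow with the rule it matches (None if neither voice rule applies)."""
    return [(f, classify(*f)) for f in flows]

if __name__ == "__main__":
    for flow, rule in audit(SAMPLE_FLOWS):
        print(flow, "->", rule or "not covered by the voice rules")
```

Flows reported as not covered fall through to whatever other rules the firewall has, so they are the ones to review. For accounts created after 5/15/2015, substitute the alternate addresses given in the Address Object steps.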

    Additional Resources:

    1. Recommended Routers.
    2. Recommended Switches.
    3. Recommended LAN Configurations.
    4. Network Ports and Protocols for HPBX phones.