Known Issues

  1. SIP ALG is enabled by default on firmware 6.5.0 and above and needs to be disabled to prevent intermittent phone issues. 
  2. Also, by default the firewall blocks the phones' Keep-Alive messages, causing the phones to fail to re-register every 5 - 10 minutes.  This causes the phones to lose registration 60 seconds after rebooting them, and also causes call transfers to fail.

Resolution

  1. Log in to the firewall
  2. Go to Firewall > Network Objects > Add Network Object
    • Name: VoIP-Voice-Range
    • Description: To allow phones and computers to connect to VoIP Servers
    • Network Address: enter the following one-by-one and click '+'
    • For Hosted PBX 2.0:
        • RTP Servers:
          • 64.28.114.0/24
          • 64.28.116.0/24
        • SIP Registration Server:
          • 64.28.113.10

        OR For accounts created after 5/6/15 (UC70)
      • RTP Servers:
        • 64.28.124.0/24
        • 64.28.123.0/24
      • SIP Registration Server:
        • 64.28.119.10

      • DNS & Time Servers
        • 64.28.112.157
        • 64.28.115.137
        • 64.28.126.9
      • WAN Ping Test Servers:
        • 64.28.121.110
        • 64.28.122.110
      • VoIP/Soak Tester Server: 64.28.122.102
    • For Hosted PBX 1.0:
      • RTP Servers:
        • 206.225.167.64/26
        • 199.193.202.64/27
      • SIP Registration Servers:
        • 206.225.166.128/28
    • Legacy DPS-V Specific Servers Addresses:
      • SVDNS: 64.28.126.29
      • PTS: 64.28.115.150
  3. Go to Firewall > Firewall Rules > Custom Firewall Access Rules
    • Click the "Disabled" check box next to any rules named LAN-2-INTERNET-SIP and INTERNET-2-LAN-SIP
      • This disables SIP ALG.
    • Click Save Changes
    • Go through the rest of the rules and disable any Custom rules that have anything to do with VoIP and/or SIP
    • Click Save Changes
  4. Go to Firewall > Service Objects > Custom Service Objects > click Add Service Object
    • Enter the following:
      • Name: udp-extended-timeout
      • Description: To Allow Intermedia Devices to re-register every 5 minutes.
      • Protocol: UDP [017]
      • Port Range: *
        • Just type one asterisk -- this represents ports 1-65535
      • Timeout: 300
      • Click the "+" button
      • Click Add
  5. Go to Firewall > Firewall Rules > Custom Firewall Access Rules > click Add Access Rule
    • Enter the following:
      • Name: LAN-2-VOICE-SERVERS
      • Description: To Allow Intermedia Devices and computers running CallScape
      • Action: Allow
      • Connection: Default (SNAT)
      • Bi-directional: Leave unchecked
      • Service:
        • Scroll through the list on the right > Select Any-TCP > click Add > it should show up in the left column
        • Scroll through the list on the right > Select udp-extended-timeout > click Add > it should show up in the left column
      • Source: Select Network Objects > click the drop-down box and select Trusted LAN > click the "+" button to add
      • Destination: Select Network Objects > click the drop-down box and select VoIP-Voice-Servers > click the "+" button to add
      • Click on the Applications/Bandwidth tab at the top of the page > Bandwidth Policy > set it to VoIP
      • Click Save at the top of the window
    • Click-and-drag the LAN-2-VOICE-SERVERS rule to be the 1st rule in the list > Click Save Changes
  6. The following steps are necessary to prioritize Voice traffic to prevent call quality problems:
    • Go to Network > IP Configuration > Network Interface Configuration
    • Find the port that you're using as your WAN Interface [p1, p2, p3, or p4]
    • Move your cursor so it's under the "Use QoS" column > click on "No" for the WAN interface port.
    • See Example below for more information:
        • QoS Settings:
          • Interface Name: (this should already be set to the port number you selected - example: p4)
          • Available Outbound Bandwidth: enter in the Upload/Upstream bandwidth that you are paying your ISP for in Mbps -- example: 10 Mbps
            • Enable Bandwidth Management: Checked
          • Available Inbound Bandwidth: enter in the Download/Downstream bandwidth that you are paying your ISP for in Mbps -- example: 50 Mbps
            • Enable Bandwidth Management: Checked
          • Click Save
  7. The following optional step is needed for call quality monitoring and troubleshooting purposes:
    • Go to Network > IP Configuration
  8. The following steps are needed only if you have or plan to purchase Polycom phones:
    • Go to Network > DHCP Server > Look at where it says Enable DHCP Server:
      • If "Enable DHCP Server" is set to No, then that means your DHCP Server is running on a separate device, like a Windows Server.  You will need to make the changes below on the standalone DHCP server and not on the Barracuda firewall.
      • If "Enable DHCP Server" is set to Yes, then do the following:
        • Scroll down to DHCP Server Subnets > click Edit next to the subnet that the phones are using > make the following changes:
          • DNS server 1: 8.8.8.8
          • DNS server 2: 8.8.4.4
          • Click Save > on the next page click Save Changes again to complete.
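
Added example (not part of the original article): a Python check of which LAN flows fall inside the VoIP-Voice-Range object from step 2 and therefore match the LAN-2-VOICE-SERVERS rule from step 5, and which SIP flows go to addresses the object does not list. The Trusted LAN subnet and the sample flows are constructed, and the object here holds both Hosted PBX 2.0 address sets.

```python
import ipaddress

# Addresses copied from the Hosted PBX 2.0 lists in step 2 (VoIP-Voice-Range).
# Both the original and the post-5/6/15 (UC70) entries are included here.
VOIP_VOICE_RANGE = {
    "RTP": ["64.28.114.0/24", "64.28.116.0/24", "64.28.124.0/24", "64.28.123.0/24"],
    "SIP registration": ["64.28.113.10", "64.28.119.10"],
    "DNS/time": ["64.28.112.157", "64.28.115.137", "64.28.126.9"],
    "WAN ping test": ["64.28.121.110", "64.28.122.110"],
    "VoIP/soak tester": ["64.28.122.102"],
}
TRUSTED_LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: example LAN subnet

def role_of(dst):
    """Return the role of dst inside VoIP-Voice-Range, or None if it is not covered."""
    ip = ipaddress.ip_address(dst)
    for role, entries in VOIP_VOICE_RANGE.items():
        if any(ip in ipaddress.ip_network(e) for e in entries):
            return role
    return None

def audit(flows):
    """Classify flows the way the LAN-2-VOICE-SERVERS rule from step 5 would see them."""
    matched, uncovered = [], []
    for src, dst, proto, dport in flows:
        if ipaddress.ip_address(src) not in TRUSTED_LAN:
            continue  # the rule's source is Trusted LAN only
        role = role_of(dst)
        if role and proto in ("tcp", "udp"):
            matched.append((dst, role))  # Any-TCP or udp-extended-timeout applies
        elif proto == "udp" and dport == 5060:
            # SIP to an address the object does not list: typo or missing entry
            uncovered.append(dst)
    return matched, uncovered

# Constructed sample flows: (source, destination, protocol, destination port)
SAMPLE_FLOWS = [
    ("192.168.1.50", "64.28.119.10", "udp", 5060),
    ("192.168.1.50", "64.28.124.37", "udp", 16384),
    ("192.168.1.51", "64.28.118.10", "udp", 5060),  # not in the object
    ("192.168.1.60", "8.8.8.8", "udp", 53),
    ("10.0.0.9", "64.28.113.10", "udp", 5060),      # not from Trusted LAN
]

if __name__ == "__main__":
    matched, uncovered = audit(SAMPLE_FLOWS)
    print("matched by rule:", matched)
    print("SIP flows outside VoIP-Voice-Range:", uncovered)
```

A SIP flow reported as outside the object gets the default UDP handling instead of the 300-second timeout, so it is the first thing to check when a phone still drops registration after the rule is in place.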