Firewall Rules
The below list is a set a of suggested firewall rules that enhance the performance of the Voice Over Cloud through firewalls and corporate routers.
Whitelist IPs
We strongly suggest to avoid any packet inspection on traffic coming from IPs:
103.135.87.3
103.135.87.14
103.135.87.35
The reason is because voice traffic can create a lot of network noise and firewalls can treat that suspicious
QoS ( Bandwidth Reservation )
Although the traffic is deemed high priority when it leaves our network, it may not arrive to your network in the same way, this is out of our control and is controlled by your ISP, or their upstream providers. As such we recommend to reserve some bandwidth on your router to ensure traffic flows in each direction even under high load.
The recommend settings is 100kbps both upload and download per user. E.g. if you have 10 users we recommend reserving 1Mbps in each direction
What is SIP ALG?
SIP ALG, or Session Initiation Protocol Application Layer Gateway, is a tool that some networks use to speed along SIP requests to initiate connections.
This tool involves rewriting the packet headers of SIP requests that pass through the router out to the internet. For some services, this tool may be useful.
Still, for many VoIP providers, the rewritten SIP packet header strips out information that is necessary to securely authorize the device making the connection.
More importantly, it responds directly to the device that is requesting the connection. This feature can lead to some of the most common issues that customers have with VoIP — phones losing connection, dropped calls, and one-way audio.
SIP ALG modifies SIP packets in unexpected ways, corrupting them and making them unreadable. This can give you unexpected behaviour, such as phones not registering and incoming calls failing. Therefore if you are experiencing problems we recommend that you check your router settings and turn SIP ALG off if it is enabled.
How do I turn off SIP ALG? | |
Most home/residential routers have a web interface. Typically this is 192.168.1.1 but you just check your default gateway by typing ipconfig in Windows command prompt or ifconfig on Linux systems from any connected device on the same LAN. | |
Asus Routers | Disable the option SIP Passthrough under Advanced Settings / WAN -> NAT Passthrough. |
AVM Fritz!Box | SIP ALG cannot be disabled. (See above on how to get around this) |
Barracuda Firewalls | Go to Firewall > Firewall Rules > Custom FirewallAccess Rules |
Billion | Navigate to the web interface |
BT (Homehubs) | SIP ALG cannot be disabled in the settings of BT HomeHubs but can be disabled with BT Business Hub versions 3 and higher. |
D-Link | In ‘Advanced’ settings –> ‘Application Level Gateway (ALG) Configuration’ un-tick the ‘SIP’ option. |
DD-WRT | No ALG function available – Consider using a public STUN server |
DrayTek | DrayTek Vigor 2760 devices, the option can be found in the regular interface at Network -> NAT -> ALG. If your device does not have a web interface then you’ll need a telnet client. You will be prompted to provide a username and/or password. These are the same credentials used to access the router’s web interface. Afterwards, type in these commands:
On Draytek Vigor2750 and Vigor2130 please use these commands instead:
|
EE | Huawei E5330 Navigate to the web interface |
Fortinet | Fortigate: Disabling the SIP ALG in a VoIP profile
|
Huawei | The SIP ALG setting is usually found in the Security menu.
|
Juniper | Type the following into the CLI
|
Linksys: | Check for a SIP ALG option in the Administration tab under ‘Advanced’. |
Mikrotik | Disable SIP Helper. |
Netgear | Look for a ‘SIP ALG’ checkbox in ‘WAN’ settings. Under ‘NAT Filtering’ uncheck the option ‘SIP ALG’ |
Speedtouch | To disable SIP ALG you need to telnet into your Speedtouch router and type the following: -> connection unbind application=SIP port=5060 |
TalkTalk | 2017/18 See Huawei (HG633)
|
Technicolor / ThompsonTG588 TG589 TG582 | Open Command Prompt – “Start” → “Run” → type “cmd” and press “Enter”. |
Tomato | Depending on the version of Tomato, SIP ALG can be found under Advanced then Conntrack/Netfilter in the Tracking/NAT Helpers section. If you find SIP checked then SIP ALG is enabled. Uncheck it to disable it. |
TP-Link | Navigate to your routers web interface. |
UBEE Gateways | Go to Advanced > Options. |
Ubiquiti | Use the configuration tree if supported: system -> conntrack -> modules -> sip -> disable Alternatively, you can SSH into the device and run the following commands:
|
Virgin SuperHub | SIP ALG cannot be disabled in the settings of SuperHubs. |
Vodafone | 2018 Onwards – See Huawei (HHG2500) |
Vyatta / Brocade: | Type the following into the CLI
|
Watchguard Firewall | Detailed instructions can be found here: https://www.voicehost.co.uk/help/watchguard-firewall-sip-configuration |
ZyXEL | Under Network or Advanced -> ALG un-tick the options Enable SIP ALG and Enable SIP Transformations.
|
ZyXEL (ZyWALL USG Routers) | Go to Settings > Configuration > Network > ALG. |