Port Forwarding (NAT) Policies for Flowroute's Direct Audio

To ensure you receive all audio on your Flowroute calls, specific Port Forwarding/NAT policies should be put in place on your network. The following two Port Forwarding network address translation (NAT) policies are required: 

SIP signaling (call control): Forward UDP and TCP traffic on port 5060[1] to your PBX's local IP address.[2]
RTP media (call audio): To reduce latency, Flowroute uses Direct Audio. To receive Direct Audio, allow UDP packets from any source IP address with a destination port within your system's RTP media port range; forward to your PBX's local IP address.[3]

[1] If your system has issues connecting over port 5060, you can use 5160 as an alternate SIP port. 
[2] If your Port Forwarding configuration allows you to specify the source IP of your SIP traffic, you can restrict traffic on port 5060 or 5160 to either of the following server IP addresses: 216.115.69.144 or 70.167.153.130. 
[3] RTP media port range varies by phone system. Your system's RTP media port range will be configured locally on your system and/or detailed in your system documentation. 



* General Router Configuration Guidelines - talking platforms

The following check list offers some general settings that apply to most routers. These settings should create an optimal environment for VoIP interoperability.

Disable Application Layer Gateway (AKA – “SIP Awareness”)
Set UDP window timeout to 90 seconds
Disable STUN, ICE or any other local NAT traversal settings
Enable QoS for local devices

By IP address
By MAC address
By VLAN ID

Enable Bandwidth QoS (if available)

Set the upload speed of the internet connection. Router will prioritize based on the available bandwidth.

Create firewall policy if the local policy is blocking SIP and/or RTP.

Allow UDP port range 49152 - 64512
Allow UDP+TCP port 5060

If your router is connected to broadband MODEM supplied by your internet service provider, it is possible that some or all of the above settings should be set within the supplied device as many MODEMs act as firewall/router devices. 


** Recommended Settings for SonicWall Firewalls-flowroute



https://support.flowroute.com/customer/en/portal/articles/1852982-configure-sonicwall-firewall-

 *This configuration was made on a Sonicwall NAS 240 with Advanced OS*

Under VoIP settings:

Nothing turned on except Enable Consistent NAT

 Under Network:

Create object for External IP address assigned to PBX (Public IP address)

Create object for Internal IP address of PBX (Private IP address)

Create object for all SIP provider IPs (sip.flowroute.com, sip-la1.flowroute.com, sip-lv1.flowroute.com)

Create a NAT for 5060 UDP outgoing to a static IP

Create a NAT for 5060 UDP incoming to inside IP of PBX server (SIP)

Create a NAT for port 10000 to 20000 UDP incoming to inside IP of PBX server (RTP)

 
Under Firewall:

Create rule allowing 5060 from address object SIP (group with all SIP providers) to address object of external PBX (created in step 2 above). You can set it to be from anyone but it is more secure to be restricted.

Create rule allowing RTP from any address to external PBX (created in step 2 above).


Refresh your registration on your PBX and then check your Interconnection tab within Flowroute Manager. You should now see your Active SIP Registration as coming from your public IP address on port 5060.





-GENERAL ROUTER CONFIGURATION:-white label

If you have a firewall on a customer's site, you need to ensure that the below IP range and ports are open so our servers can properly communicate with the devices:

IP Range:  162.252.248.0/22

Port Ranges:  21, 22, 5060, 7000, 11000, and 15000 - 30000

Services:  Both UDP (voip traffic) and TCP (provisioning server)

 

- GENERAL SONICWALL CONFIGURATION-white label

SonicWalls are a common firewall deployed on many business networks. We need to ensure that the LAN subnet those phones reside on can seamlessly communicate with our Atlas servers without dropped/blocked packets or jitter/delay.

Create a new Address Object:
162.252.248.0/22 - the subnet mask of /22 is 255.255.252.0
Name the Address Object (in this example, "WLC_VOIP")

Create a new Service Object:
Enable ports 5060 - 65535 of UDP traffic
Name the Service Object (in this example, "VOIP_PORTS")

Create 2 Firewall Access Rules:
From LAN to WAN
Source - Any
Destination - WLC_VOIP
Service - VOIP_PORTS
Allow
Advanced Tab - Set UDP Timeout to 3600 seconds

From WAN to LAN
Source - WLC_VOIP
Destination - Any
Service - VOIP_PORTS
Allow
Advanced Tab - Set UDP Timeout to 3600 seconds




-ENABLING QOS ON A SONIC WALL-white label


The configuration example below is based on an ISP bandwidth of 10 Mbps downstream /
10 Mbps upstream, accounting for 10 concurrent calls. One G.711 codec call requires around
90 Kbps downstream / upstream. Please adjust your numbers to match your local setup.

Accessing the Firewall's Interface

1. Enter the firewall's IP address in the address bar of your web browser.

2. Enter your firewall's username and password.

VoIP Settings

1. Go to VoIP > Settings.
2. Check Enable Consistent NAT, uncheck/disable everything else.
3. Click Accept to save the settings.

Firewall Settings

1. Go to Firewall Settings > BWM.
2. Under Bandwidth Management Type, select Global.
3. Under Priority, disable EVERY category, except Medium.
Set values to:
Guaranteed: 50%
Burst: 90%
Enable Realtime and set values to:
Guaranteed: 50%
Burst: 100%
4. Click Accept to save the settings.

Network


1. Go to Network > Interfaces > X1 (WAN)

2. Click the Configure icon on far right.

3. Go to Advanced > Link Speed, and then set to Auto Negotiate

> Bandwidth Management (at bottom)...

• Check Enable Egress; set interface egress bandwidth to 10000.000000 (type in the upload speed in Kbps from your ISP)

• Check Enable Ingress; set interface ingress bandwidth to 10000.000000 (type in the download speed in Kbps from your ISP).

4. Click OK to save the settings.

Firewall


1. Go to Firewall > Service Objects > Services

NOTE: There may be a need to scroll down, as there are two categories, Service Group and Services.

2. Click Add: Name : N2P_UDP_service_ports

Protocol : UDP(17)

Port Range : 1000 - 65500

Sub type : none

3. Click OK to save the settings

4. Go to Address Objects

5. Click Add: Name : N2P_SIP_network

Zone Assignment : WAN

Type : Network

Network: 206.20.196.0

Netmask: 255.255.254.0

Name : N2P_RTP_network

Zone Assignment : WAN

Type : Network

Network: 66.33.176.64

Netmask: 255.255.255.192

6. Click Add to save and then click Close

7. Go to Address Groups

8. Click Add Group

Name : N2P_networks group

9. Select N2P_SIP_network and N2P_RTP_network to add address object to group.

10. Click OK to save.

Access Rules


1. Go to Firewall > Access Rules

2. Click Add to add the rule for LAN > WAN

> in the General tab

Action : Allow

Service: Create New Service Group

Name : N2P_service_ports

Add the following port range to this group:

N2P_UDP_service_ports

Source : Any

Destination : N2P_networks group

Users Allowed : ALL

Schedule : Always on

 

> in the QoS tab

DSCP Marking Action : Explicit

Explicit DSCP Value : 46 - Expedited Forwarding (EF)

 

> in the Ethernet BWM tab

Enable both Inbound and Outbound Bandwidth Management; set both to 0 Realtime

3. Click Add to save and then click on Close

4. Click Add to add rule for WAN > LAN

> in 'General' Tab

Action : Allow

Service : N2P_service_ports

Source : N2P_networks group

Destination : Any

Users Allowed : ALL

Schedule : Always on

> in 'QoS' tab

DSCP Marking Action : Explicit

Explicit DSCP Value : 46 - Expedited Forwarding (EF)

 

> in the Ethernet BWM tab

Enable both Inbound and Outbound Bandwidth Management; set both to 0 Realtime

5. Click Add to save and then click Close
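
The address objects and access rules from the two white-label SonicWall sections above (WLC_VOIP / VOIP_PORTS and the N2P objects) can be checked offline before they are entered into the firewall. The following Python is an added example, not part of the original guide or any vendor tooling; the Rule model, the evaluate function and the sample flows are constructed for illustration, and it assumes that traffic matching none of these rules is dropped.

```python
import ipaddress
from typing import NamedTuple, Optional

def address_object(network: str, netmask: str) -> ipaddress.IPv4Network:
    # strict=True raises ValueError if host bits are set, i.e. the Network
    # field is not a real network address for that Netmask.
    return ipaddress.IPv4Network(f"{network}/{netmask}", strict=True)

class Rule(NamedTuple):
    name: str
    direction: str   # "LAN>WAN" or "WAN>LAN"
    peers: tuple     # provider-side networks: destination outbound, source inbound
    proto: str
    ports: range     # destination ports of the service object

# Objects and port ranges as given on this page.
WLC_VOIP = (address_object("162.252.248.0", "255.255.252.0"),)
N2P_GROUP = (address_object("206.20.196.0", "255.255.254.0"),
             address_object("66.33.176.64", "255.255.255.192"))
VOIP_PORTS = range(5060, 65535 + 1)
N2P_UDP_SERVICE_PORTS = range(1000, 65500 + 1)

RULES = [Rule(f"{grp} {d}", d, peers, "udp", ports)
         for grp, peers, ports in (("WLC_VOIP", WLC_VOIP, VOIP_PORTS),
                                   ("N2P", N2P_GROUP, N2P_UDP_SERVICE_PORTS))
         for d in ("LAN>WAN", "WAN>LAN")]

def evaluate(direction: str, peer_ip: str, proto: str, dport: int) -> Optional[str]:
    """Return the name of the first rule that permits the flow, else None.
    Assumption: anything these rules do not match is dropped."""
    ip = ipaddress.ip_address(peer_ip)
    for r in RULES:
        if (r.direction == direction and r.proto == proto
                and dport in r.ports and any(ip in net for net in r.peers)):
            return r.name
    return None

# Constructed sample flows: (direction, provider-side IP, protocol, destination port).
SAMPLE_FLOWS = [
    ("WAN>LAN", "162.252.250.17", "udp", 16384),  # inside the /22
    ("WAN>LAN", "162.252.252.1", "udp", 5060),    # first block past the /22
    ("WAN>LAN", "66.33.176.128", "udp", 20000),   # first address past the /26
    ("LAN>WAN", "206.20.197.200", "udp", 5060),   # second half of the /23
    ("WAN>LAN", "162.252.248.9", "tcp", 5060),    # TCP is not in the UDP service object
    ("WAN>LAN", "203.0.113.50", "udp", 5060),     # unrelated source (documentation range)
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(*flow) or "no matching allow rule")
```

Running the same check against flows exported from the firewall log shows which packets the provider-scoped rules would admit and which depend on some other, broader rule.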