1. Introduction
The purpose of this document is to define the firewall and general router configuration necessary to implement Voice over Internet Protocol (VoIP) communications using a Panasonic PBX across a local area network.
Disclaimer:
The information contained within in this document is updated regularly to keep abreast of current trends. Best 4 Business Communications cannot accept responsibility for costs you may incur should it be necessary to update your network as a result of changes to this information.
2. IP Addresses
Two static IP Addresses required outside scope of DHCP. These must be assigned by the network administrator responsible for the site. These addresses are referred to as IP Address A and IP Address B throughout this guide.
- IP Address A - used for SIP
- IP Address B - used for Voice Media
If the installation is to use IP handsets, then a sufficient quantity of DHCP addresses should also be available. A separate article is available describing bespoke DHCP Options that automate the installation of Panasonic IP Phones.
3. Firewall Rules
Ingress and egress traffic from the following IP Addresses must be permitted.
Inbound Rules (Mandatory)
Source IP Address
| Destination IP Address
| Source Port
| Destination Port
| Purpose
|
194.50.56.0/24
| IP Address A
| TCP/UDP 5060
| TCP/UDP 35060
| SIP
|
194.50.56.0/24
| IP Address B
| UDP 10000 - 20000
| UDP 16000 - 16511
| Voice Media
|
194.50.55.0/24
| IP Address A
| TCP/UDP 5060
| TCP/UDP 35060
| SIP
|
194.50.55.0/24
| IP Address B
| UDP 10000 - 20000
| UDP 16000 - 16511
| Voice Media
|
46.102.218.72/29
| IP Address A
| Any
| TCP 35300 - 35301
| Admin
|
Outbound Rules (Mandatory)
Source IP Address
| Destination IP Address
| Source Port
| Destination Port
| Purpose
|
IP Address A
| 194.50.56.0/24
| TCP/UDP 35060
| TCP/UDP 5060
| SIP
|
IP Address B
| 194.50.56.0/24
| UDP 16000 - 16511
| UDP 10000 - 20000
| Voice Media
|
IP Address A
| 194.50.55.0/24
| TCP/UDP 35060
| TCP/UDP 5060
| SIP
|
IP Address B
| 194.50.55.0/24
| UDP 16000 - 16511
| UDP 10000 - 20000
| Voice Media
|
IP Address A
| 8.8.8.8 + 8.8.4.4
| UDP 53
| UDP 53
| DNS
|
IP Address A
| 216.239.35.0
| UDP 123
| UDP 123
| NTP
|
IP Address A
| 142.0.176.0/20
| Any
| TCP 587
| SMTP
|
Optional Inbound Rules (Only required if implementing IP Extensions over NAT)
Source IP
| Destination IP Address
| Source Port
| Destination Port
| Purpose
|
Any UK
| IP Address A
| Any
| UDP 2727
| Proprietary Panasonic
|
Any UK
| IP Address A
| Any
| UDP 9300
| Proprietary Panasonic
|
4. NAT Forwards
Mandatory Forwards
Port Number
| Destination
| Purpose
|
TCP/UDP 35060
| IP Address A
| SIP
|
UDP 16000 - 16511
| IP Address B
| Voice Media
|
TCP 35300 - 35301
| IP Address A
| Admin
|
Optional Forwards
The following NAT forwards are only required if 3rd Party SIP extensions or Proprietary Panasonic IP Phones are to be used from a remote location and a secure VPN is not practical. Please contact B4BC Support if you are uncertain if these ports are required or not.
Port Number
| Destination
| Purpose
|
UDP 2727
| IP Address A
| Panasonic Proprietary IP Phone
|
UDP 9300
| IP Address A
| Panasonic Proprietary IP Phone
|
Translate UDP 58453 to UDP 5060
| IP Address A
| 3rd Party SIP Phone
|
5. ICMP
Please set your firewall to permit ICMP packets from 194.50.56.0/24 and 194.50.55.0/24. These are purely intended to monitor the health of the SIP Trunk.
6. SIP ALG
SIP ALG must be disabled on all routers. SIP Application Layer Gateway (ALG) is common in many routers and in most cases enabled by default. Its primary use is to modify VoIP packets to aid NAT traversal. Active SIP ALG has been known to cause a mixture of problems by adjusting or terminating VoIP packets incorrectly, manifesting in a range of intermittent issues such as one way audio, dropped calls, problems transferring calls and handsets dropping registration. B4BC will be unable to accept any faults or issues with its VoIP service if SIP ALG is enabled. For instructions on disabling this feature please refer to the specific router user guide.
7. UDP NAT Session Timeout
B4BC configures its VoIP user agents to perform a SIP registration every 180 seconds with the ITSP. This is an outbound initiated connection utilising the UDP protocol. The purpose of the registration is to inform the ITSP how to route calls to the respective user agent. Many routers will terminate idle UDP sessions after only a few seconds. The effect of this is that following SIP registration, inbound calls will only be successful for those first few seconds after registration. After the UDP session expires, inbound calls will fail (Assuming the UDP connection has been idle) until the binding expires and the user agent re-registers. To prevent this scenario, it is vitally important that the edge router’s UDP NAT session timer is set to a value of at least 180 seconds . Please refer to your vendor’s documentation for instruction.
8. Quality of Service
Quality of service (QOS) refers to the ability of your router to prioritise voice traffic (VoIP) differently from regular internet traffic leaving your network. VoIP uses a real time protocol which means that if information is lost or delayed it will result in a noticeable drop in call quality or a complete loss of it. Symptoms of network congestion include garbled speech and dropped calls.
A VoIP call consists of two basic components, signalling and RTP (the actual conversation). B4BC uses the G711 codec to encode RTP which requires 87 kbps per call. SIP itself uses up to 65.5 kbps per call.
To this end, sufficient bandwidth should be reserved to satisfy the quantity of voice channels and/or remote extensions connected to the network.
9. Virtual LAN
If you require VLANs to be used, we will need to know which physical port/s to connect to in the case of port based VLANs.
In the event that an IEEE802.1Q tagged VLAN is to be used, we will need to know the required VLAN tag values.
Installations on VLANs do require prior planning, and often require cooperation between ourselves and the network administrator/s. If a installation on a VLAN is required, please make us aware of this as soon as possible.