SonicWALL Client Side Configuration and QoS

Discussion in '3CX Phone System - General' started by 3cxBora, May 1, 2016.

Thread Status:
Not open for further replies.
  1. 3cxBora

    Joined:
    Jun 17, 2015
    Messages:
    35
    Likes Received:
    0
    Hi, I am looking for confirmation of how to configure the SonicWALL on the client side, where the remote extensions are connected Yealink phones.

    Client Side
    [IP Phones via STUN ] ---- SonicWALL TZ100 ---- [ Internet ] ------> SonicWall ---- 3cx Virtual PBX v14 (instance 8)

    1. How to disable ALG
    2. How to enable QoS for 3CX services
    3. For Virtual PBX, what are the ports that need to be open on the Client Side firewall?
    For example, port 12060 is used as the SIP port and 12090 is used for the tunnel; any other ports?

    Thx,
    Bora
     
  2. bardissi

    bardissi Member

    Joined:
    Jan 31, 2012
    Messages:
    318
    Likes Received:
    0
    Based on your list I think you need a bit more strategy here.

    STUN is only good for a few devices behind NAT, but not more than that.
     
  3. 3cxBora

    Joined:
    Jun 17, 2015
    Messages:
    35
    Likes Received:
    0
    Thank you for your reply. How many remote extensions can STUN support? 6 extensions should work, correct? Is there any official documentation?

    If STUN is limited, does the 3CX SBC work better, and are there any key considerations? My main concern is: if the Windows SBC is down for any updates or issue, is the phone dead?
     
  4. bardissi

    bardissi Member

    Joined:
    Jan 31, 2012
    Messages:
    318
    Likes Received:
    0
    How many remote extensions can STUN support? 6 extensions should work, correct? Is there any official documentation?
    2

    If STUN is limited, does the 3CX SBC work better, and are there any key considerations? My main concern is: if the Windows SBC is down for any updates or issue, is the phone dead?

    PI Device - 6

    Windows SBC - 20-30
     
  5. lneblett

    lneblett Well-Known Member

    Joined:
    Sep 7, 2010
    Messages:
    2,061
    Likes Received:
    56
    If possible, configure a VPN between the sites and eliminate the headache altogether.
     
  6. bardissi

    bardissi Member

    Joined:
    Jan 31, 2012
    Messages:
    318
    Likes Received:
    0
    VPN to every single site?
    Not super scalable
     
  7. lneblett

    lneblett Well-Known Member

    Joined:
    Sep 7, 2010
    Messages:
    2,061
    Likes Received:
    56
    Sorry, but did not see number of sites or phones mentioned.
     
  8. dig1234

    Joined:
    Jun 1, 2015
    Messages:
    75
    Likes Received:
    0
    Curious why you say STUN is limited to 2? Is that an official number, or your experience?


     
  9. DSXDATA

    DSXDATA New Member

    Joined:
    Oct 20, 2015
    Messages:
    170
    Likes Received:
    59
    My experience is 2 to 65 :)

    STUN support is keyed - in great part - to the gateway router's ability to support UPnP. Certain routers intentionally have a robust implementation of UPnP and in those cases, the numbers are impressive. We have a client with 65 Grandstream 2120 phones in a call center using STUN. The router is a SimpleWAN advanced unit. They have been deployed for 2 years and running.

    But testing is the only proof. The words "supports VOIP" in a router's specs are close to meaningless. Many of the SIP support options are actually counterproductive.

    There are a number of tricks you can pull to hard-code success - like incrementing the ports for each extension and hard-coding port redirection. Both solutions can work but introduce a support liability I wouldn't recommend.

    SBCs are an excellent approach, but they do require fine-tuning for reliability. The Raspberry Pi 3 is actually an excellent solution for up to 6 and maybe a few more. The operative factor is likely to be the number of BLFs on each extension because they result in a lot of network chatter. 6-20 extensions: look at the Dell MicroInspiron series. We run them headless and they work very nicely.

    However, some people stick to VPN since it is a familiar technology and it "fixes" most every issue with a remote hosted PBX talking to the phones. Beware of the latency introduced by cheap VPN routers though.
     
  10. NickD_3CX

    NickD_3CX Support Team
    Staff Member 3CX Support

    Joined:
    Jun 2, 2014
    Messages:
    1,255
    Likes Received:
    63
    I have seen Remote Sites with 100+ Remote Extensions with STUN working fine; however, there were NAT rules for each and every one of them and unique Local SIP and RTP ports for the phones.

    To get back to the OP though, you could check out this link here:
    http://www.3cx.com/blog/voip-howto/sonicwall-firewall-configuration/
    It describes how to set up a firewall in front of the 3CX Server, but essentially it is the same with the difference of ports.

    Remember that it is always recommended when having STUN phones to have static NAT rules for the Remote Phone SIP ports as well. This is explained in section "Notes when using Remote Extension with STUN" here:
    http://www.3cx.com/blog/docs/provisioning-a-remote-extension/
     
  11. 3cxBora

    Joined:
    Jun 17, 2015
    Messages:
    35
    Likes Received:
    0
    Does anyone have a good, detailed document of the ports required for Virtual PBX instances, both at the 3CX PBX and at the remote extensions?

    Virtual PBX does not have good deployment for STUN when you have a lot of extensions.

    At remote sites, RTP ports are used. Does anyone know if we need to open both inbound and outbound on the firewall and NAT rules?

    TIA,
    Bora
     
  12. NickD_3CX

    NickD_3CX Support Team
    Staff Member 3CX Support

    Joined:
    Jun 2, 2014
    Messages:
    1,255
    Likes Received:
    63
    On the Virtual PBX side, you do not need to open anything additionally other than what the manual specifies:
    http://www.3cx.com/docs/virtual-pbx-installation/#h.ln54vd2m0lr3

    Now for the Remote Location where the Remote STUN phones are located, the exact same procedure applies regardless if it is a Single Instance or a Virtual PBX that they are connecting to.

    This means that it is recommended that:
    - For each Remote Extension that is at the same Remote Location, in the Extension Settings to have a unique Local SIP Port and RTP range set for each phone.
    - On the Remote Location firewall, to forward the Local SIP Port and RTP ports you have set in the Extension Settings to the IP of the phone.
    - Disable SIP ALG and/or any other port remapping option on the Firewalls on both sides.

    On the Remote Location firewall, obviously you would also have to allow all outgoing traffic from the phones to at least the IP of the Virtual PBX, maybe also to pool.ntp.org so that they can also sync their time correctly.
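
The port plan described in the post above (a unique Local SIP Port and RTP range per phone, each forwarded to that phone's IP) can be checked for collisions before any NAT rule is created. This is an added example, not part of the thread and not 3CX or SonicWALL tooling; the extension numbers, addresses, ports and function names are constructed, and SIP over UDP is assumed.

```python
from ipaddress import ip_address

# Constructed sample plan for one remote site; every value is illustrative.
# ext 103 deliberately reuses a SIP port and overlaps an RTP range.
PHONES = [
    {"ext": "101", "ip": "192.168.10.21", "sip": 5061, "rtp": (14000, 14019)},
    {"ext": "102", "ip": "192.168.10.22", "sip": 5062, "rtp": (14020, 14039)},
    {"ext": "103", "ip": "192.168.10.23", "sip": 5062, "rtp": (14030, 14049)},
]

def check_plan(phones):
    """Return conflicts: bad ports, duplicate phone IPs, overlapping SIP/RTP ports."""
    problems, claimed, seen_ips = [], [], {}
    for p in phones:
        ip_address(p["ip"])  # raises ValueError on a malformed address
        lo, hi = p["rtp"]
        if not (all(1 <= x <= 65535 for x in (p["sip"], lo, hi)) and lo <= hi):
            problems.append(f"ext {p['ext']}: port out of range or reversed RTP range")
            continue
        if p["ip"] in seen_ips:
            problems.append(f"ext {p['ext']}: IP {p['ip']} already used by ext {seen_ips[p['ip']]}")
        seen_ips.setdefault(p["ip"], p["ext"])
        for first, last, what in ((p["sip"], p["sip"], "SIP"), (lo, hi, "RTP")):
            for c_first, c_last, c_label in claimed:
                if first <= c_last and c_first <= last:  # closed intervals intersect
                    problems.append(f"ext {p['ext']} {what} {first}-{last} overlaps {c_label}")
            claimed.append((first, last, f"ext {p['ext']} {what} {first}-{last}"))
    return problems

def forwarding_rules(phones):
    """One inbound UDP forward per SIP port and per RTP range, each to a single phone."""
    if check_plan(phones):
        raise ValueError("port plan has conflicts; fix them before building rules")
    rules = []
    for p in phones:
        rules.append({"proto": "udp", "wan_ports": (p["sip"], p["sip"]), "to": p["ip"], "use": "SIP"})
        rules.append({"proto": "udp", "wan_ports": p["rtp"], "to": p["ip"], "use": "RTP"})
    return rules

if __name__ == "__main__":
    for line in check_plan(PHONES):
        print("CONFLICT:", line)
    for rule in forwarding_rules(PHONES[:2]):
        print(rule)
```

The rule dictionaries are vendor-neutral; translating them into firewall objects is left to whatever management interface the remote site uses.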
     