VoIP Deployment Models and Troubleshooting Guide


A large number of companies are now going with cheaper, faster VoIP solutions for their integrated phone systems. With that in mind, Edge Threat Management products have a built in SIP NAT Helper to assist in the proper NAT addressing of the traffic. However, in most cases you can deploy VoIP behind the firewall without utilizing the helper at all. This document outlines different methods for deploying VoIP behind our devices. 



While there are some default rules included to bypass VoIP traffic on ports 5060 (SIP) and 4569 (IAX2), we recommend statically assigning IPs to VoIP-specific devices (like desk phones) and then creating bypass rules for those IPs. QoS rules (discussed below) only match bypassed traffic so creating bypass rules is essential to creating QoS rules. Bypass rules can be entered in the Config > Network > Bypass Rules tab.

When bypassing a specific IP, you will want to create two separate filter rules for each IP address. One with 'Source address' is [IP of computer/device] and the other with 'Destination address' is [IP of computer/device].

Bypass Source:


Bypass Destination:


Using multiple IP addresses in rules

If you're bypassing more than one IP, you can usually create a single rule for most or all of them: Can I use more than one IP address per rule?



You can use QoS to give VoIP traffic higher priority than everything else to get better performance. This option will work regardless of your network configuration.

To create QoS Rules, navigate to Config > Network > Advanced > QoS. If not already enabled, you will need to enable QoS to proceed further.

IMPORTANT: Be sure to correctly set your WAN Bandwidth values in the WAN Bandwidth tab before saving any other changes in the QoS area.

As you can see, the system already has rules in place to give the default VoIP ports "Very High" priority. If you are using different ports you can create new rules to assign the same priority to them as well.

To create a new QoS Rule:

  1. Click the Add button under the "QoS Custom Rules" section.

  2. Give the rule a name.

  3. Click the Add button to assign the rule a condition.

    • You can prioritize your VoIP devices by IP address, similar to the "bypassing" rules above. In this case the same principle applies: one rule to prioritize outbound traffic, with a second for inbound traffic.

    • You can also prioritize a port or range of ports used by the VoIP devices for the actual data transfer (not just the SIP handshake). Enter the port or port range you are using in the Value field.

  4. Make sure the Priority is set to "Very High".

  5. Click Done, then click Save.



With NG Firewall in "Router Mode" and an unused Interface available, you can use that additional interface for VoIP.

Creating a second Internal interface

  1. Go to Config > Network > Interfaces.

  2. Edit the interface you'll use for VoIP traffic.

  3. Set the Config Type to Addressed.

  4. Enter an Address and Netmask for the network you wish to create.
    IMPORTANT: The IP address must be different than any already in use on the device.

  5. You can enable DHCP in the DHCP Configuration tab if desired.

  6. Click Done, then Save.

  7. Bypass the interface you've just created in Config > Network > Bypass Rules. This will help ensure consistent performance.
  8. Connect your VoIP network or PBX to the interface after assigning it an IP in the same range you just assigned to the new interface.


With the NG Firewall in "Bridged Mode" you can create a new network as an IPv4 Alias on the Internal Interface for VoIP.

  1. Go to Config > Network > Interfaces.

  2. Edit the Internal interface.

  3. Click the Add button under "IPv4 Aliases".

  4. Specify the IP Address and Netmask for the alias.
    IMPORTANT: The IP address must be different than any already in use on the device.

  5. Click Done, then Save.


This option is only used if standard traffic flow is not working properly and/or it has to traverse multiple layers of NAT. The helper only listens on standard SIP port 5060, so if you are using alternate ports this option will not work for you.

To enable the helper:

  1. Go to Config > Network > Advanced > Options.

  2. Check the box next to Enable SIP NAT Helper.

  3. Click Save.



Was this article helpful?
5 out of 7 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.

Powered by Zendesk