General Network Guidelines

Purpose

This document describes how to configure your network for use with OneCloud Services. Firewall and network terminology varies between vendors, so some of the language used here may not match your exact configuration. This document does not cover the specifics of individual firewall or switch vendors; if you need specific information regarding your firewall or switch, check our other knowledgebase articles for commonly used equipment. If you have any questions or need additional assistance, please open a ticket at https://support.onecloud.us for clarification.

Terms

IP Network Alias – A named group of IP addresses that firewall rules can reference, so that each rule does not have to list every address individually.

Voice Network – The network used by the physical phones, analog adapters, and session border controllers.

Data Network – The internal LAN network(s) used by users to access OneCloud from their computer.

SIP ALG – An Application Layer Gateway found in many modems and firewalls that rewrites the private IP addresses and ports carried inside SIP headers and SDP bodies as packets pass through NAT; also known as "SIP Transformations".

Hybrid port – A switch port configured with a native VLAN, carried untagged, alongside one or more tagged VLANs on the same port.

Double NAT – Double NAT occurs when two or more routers on the path between the phones and the internet each perform Network Address Translation (NAT), so the same traffic is translated twice.


Firewall

  1. Create an IP Network Alias containing all OneCloud IP addresses and reference it in the firewall rules. Filtering by port alone is also acceptable, but the alias restricts each opening to OneCloud's addresses only. For a current list of the OneCloud IP addresses, contact us at https://support.onecloud.us.
  2. The voice network should be NATed so that the firewall does not rewrite the source port of outbound packets, so the port OneCloud learns for a device at registration stays the same for every later packet from it.
    1. This is generally called "Static port mapping" or "Consistent NAT".
  3. All SIP ALG services should be disabled. A SIP ALG rewrites signaling in flight and is a common cause of failed registrations, dropped calls and one-way audio.
  4. The UDP connection timeout (state timeout) should be configured for longer than 1 minute, so that the NAT state created by a phone's registration is not expired between keep-alives.
  5. QoS should be configured to give priority to phone traffic when the network is saturated. A good bandwidth assumption is 100 Kbps per concurrent call, so if you expect 10 concurrent calls at the busiest time, reserve 1000 Kbps (1 Mbps) for the Voice Network.
  6. No Double NAT: only one device on the path between the phones and the internet should perform NAT.
  7. Use the tables below for strict firewall policies on the voice network.

Ingress Traffic Allowed

This is traffic coming from the internet into your firewall. Because every registration is initiated by the device, a stateful firewall already accepts these packets as replies within an existing session, so these rules are generally not needed there; they may still be required for Intrusion Prevention Systems or other stateless inspection in front of the firewall.

  Source IP              Source Port   Destination IP       Destination Port   Protocol   Description
  ---------------------  ------------  -------------------  -----------------  ---------  ----------------
  OneCloud IP Addresses  5060-5069     Voice WAN            Any                UDP/TCP    SIP Signaling
  OneCloud IP Addresses  5090          Voice WAN            Any                UDP/TCP    SIP Signaling
  OneCloud IP Addresses  80            Voice and Data WAN   Any                TCP        HTTP
  OneCloud IP Addresses  443           Voice and Data WAN   Any                TCP        HTTPS
  OneCloud IP Addresses  8001          Voice and Data WAN   Any                TCP        WSS
  OneCloud IP Addresses  9002          Voice and Data WAN   Any                TCP        WSS
  OneCloud IP Addresses  20000-29999   Voice and Data WAN   Any                UDP        RTP
  Any                    10000         Voice and Data WAN   Any                UDP        Video Conference


Egress Traffic Allowed

This is traffic going from your local area network to the internet. On a stateful firewall these are the rules that actually control the service, since all sessions are opened from the inside.

  Source IP            Source Port   Destination IP          Destination Port   Protocol   Description
  -------------------  ------------  ----------------------  -----------------  ---------  ----------------
  Voice WAN            Any           OneCloud IP Addresses   5060-5069          UDP/TCP    SIP Signaling
  Voice WAN            Any           OneCloud IP Addresses   5090               UDP/TCP    SIP Signaling
  Voice and Data WAN   Any           OneCloud IP Addresses   80                 TCP        HTTP
  Voice and Data WAN   Any           OneCloud IP Addresses   443                TCP        HTTPS
  Voice and Data WAN   Any           OneCloud IP Addresses   8001               TCP        WSS
  Voice and Data WAN   Any           OneCloud IP Addresses   9002               TCP        WSS
  Voice and Data WAN   Any           OneCloud IP Addresses   20000-29999        UDP        RTP
  Voice and Data WAN   Any           Any                     10000              UDP        Video Conference
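As an added example (this is not OneCloud's configuration and not part of the original article), the egress table and firewall guidelines 1, 2 and 4 expressed as a Linux nftables ruleset. The VLAN subnets, the WAN interface name and the addresses placed in the onecloud set are placeholders chosen for illustration; the real address list comes from OneCloud support. The set is the IP Network Alias, the ct timeout object is the UDP state timeout above one minute, and the plain masquerade rule is what "Consistent NAT" looks like on Linux.

```nftables
#!/usr/sbin/nft -f
# Added example, not OneCloud's own configuration. Every address, subnet and
# interface name below is a placeholder; replace them with your own values.
flush ruleset

define wan_if    = "eth0"            # placeholder: interface facing the internet
define voice_lan = 10.20.0.0/24      # placeholder: voice VLAN subnet
define data_lan  = 10.10.0.0/24      # placeholder: data VLAN subnet

table inet onecloud {

    # IP Network Alias (guideline 1): one named set referenced by every rule.
    # Placeholder elements; load the list obtained from https://support.onecloud.us
    set onecloud {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.10 }
    }

    # UDP state timeout well above one minute (guideline 4) for SIP and RTP flows,
    # so a registration's NAT entry survives between keep-alives.
    ct timeout voice_udp {
        protocol udp
        l3proto ip
        policy = { unreplied: 120, replied: 300 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to sessions opened from the inside: this is why no separate
        # ingress rules are needed on a stateful firewall.
        ct state established,related accept
        ct state invalid drop

        # Voice and data networks must not be routable to each other (LAN guideline 1)
        ip saddr $voice_lan ip daddr $data_lan drop
        ip saddr $data_lan ip daddr $voice_lan drop

        # Voice VLAN only: SIP signaling to OneCloud (the UDP flows get the long timeout)
        ip saddr $voice_lan ip daddr @onecloud udp dport { 5060-5069, 5090 } ct timeout set "voice_udp" accept
        ip saddr $voice_lan ip daddr @onecloud tcp dport { 5060-5069, 5090 } accept

        # Voice and data VLANs: HTTP/HTTPS and WSS to OneCloud
        ip saddr { $voice_lan, $data_lan } ip daddr @onecloud tcp dport { 80, 443, 8001, 9002 } accept

        # Voice and data VLANs: RTP media to OneCloud
        ip saddr { $voice_lan, $data_lan } ip daddr @onecloud udp dport 20000-29999 ct timeout set "voice_udp" accept

        # Voice and data VLANs: video conference, any internet destination on UDP 10000
        ip saddr { $voice_lan, $data_lan } oifname $wan_if udp dport 10000 ct timeout set "voice_udp" accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Plain masquerade keeps the original source port whenever it is free.
        # Do not add "random" or "fully-random": that rewrites source ports and
        # breaks the static port mapping asked for in guideline 2.
        oifname $wan_if ip saddr { $voice_lan, $data_lan } masquerade
    }
}
```

Load it with `nft -f <file>`; the `ct timeout` object requires a recent kernel and nftables release. The ruleset assumes this host is the only device performing NAT on the path (guideline 6). The ingress table is deliberately absent, because the established,related rule accepts the replies; an IPS placed in front of this host still needs the ingress entries configured on its own.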


Local Area Network

  1. All phones, Session Border Controllers, and other devices using SIP to communicate with OneCloud services should be placed on a separate VLAN or physical network from other applications. Except in a few use cases, there is no reason for the Voice network and the Data network(s) to be routable to each other.
  2. Most modern switches have dedicated settings for a voice VLAN, and we recommend using those settings for your phone network.
  3. We recommend the following DSCP policies be applied to the switches. Settings vary based on switch manufacturer and model.
    1. DSCP 46 (Expedited Forwarding) should be the second highest policy
    2. DSCP 34 (AF41) should be the third highest policy
  4. We recommend using Auto-VoIP, LLDP, or similar features to move the VoIP phones onto the voice network automatically. If those features are not available, a DHCP boot option that steers the phones to the voice network will need to be added to the DHCP server on the default VLAN.
  5. DHCP option 66 may be needed to tell the phones where to provision. You can open a ticket with support@telware.com to get the specific string for your phone model and services.
  6. The passthrough port on the phones can be used to give computers access to the data network, provided the switches support hybrid ports with the voice VLAN tagged and the data VLAN untagged on the same port.
