VoIP Deployment Models and Troubleshooting Guide


A large number of companies are now going with cheaper, faster VoIP solutions for their integrated phone systems. With that in mind, Edge Threat Management products have a built-in SIP NAT Helper to assist in the proper NAT addressing of the traffic. However, in most cases you can deploy VoIP behind the firewall without utilizing the helper at all. This document outlines different methods for deploying VoIP behind our devices.



While there are some default rules included to bypass VoIP traffic on ports 5060 (SIP) and 4569 (IAX2), we recommend statically assigning IPs to VoIP-specific devices (like desk phones) and then creating bypass rules for those IPs. QoS rules (discussed below) only match bypassed traffic, so creating bypass rules is essential to creating QoS rules. Bypass rules can be entered in the Config > Network > Bypass Rules tab.


When bypassing a specific IP, you will want to create two separate filter rules for each IP address: one where 'Source address' is [IP of computer/device] and another where 'Destination address' is [IP of computer/device].

Bypass Source:


Bypass Destination:




You can use QoS to give VoIP traffic higher priority than everything else to get better performance. This option will work regardless of your network configuration.

QoS is available even on the "Free" versions of NG Firewall so this is a good place to start when discussing traffic prioritization.

To create QoS Rules, navigate to Config > Network > Advanced > QoS.

If not already enabled, you will need to enable QoS to proceed further.

IMPORTANT: Be sure to correctly set your WAN Bandwidth values in the WAN Bandwidth tab before saving any other changes in the QoS area.



The system already has rules in place to give the default VoIP ports "Very High" priority. If you are using different ports, you can create new rules to assign the same priority to them as well.

To create a new QoS Rule:

  1. Click the Add button under the "QoS Custom Rules" section.

  2. Give the rule a name.

  3. Click the Add button to assign the rule a condition.

  4. Select "Destination Port" for the Type. Enter the port or port range you are using in the Value field.

  5. Make sure the Priority is set to "Very High".

  6. Click Done, then click Save.



With NG Firewall in "Router Mode" and an unused Interface available, you can use that additional interface for VoIP.

Creating a second Internal interface

  1. Go to Config > Network > Interfaces.

  2. Edit the unused interface.


  3. Change the Config Type to "Addressed".

  4. Enter an Address and Netmask for the network you wish to create.
    IMPORTANT: The IP address must be different from any already in use on the device.

  5. You can enable DHCP if you wish in the DHCP Configuration tab.

  6. Click Done, then Save.

  7. Connect your VoIP network or PBX to the interface after assigning it an IP in the same range you just assigned to the new interface.


With the NG Firewall in "Bridged Mode" you can create a new network as an IPv4 Alias on the Internal Interface for VoIP.

  1. Go to Config > Network > Interfaces.

  2. Edit the Internal interface.

  3. Click the Add button under "IPv4 Aliases".

  4. Specify the IP Address and Netmask for the alias.
    IMPORTANT: The IP address must be different from any already in use on the device.

  5. Click Done, then Save.


This option is only used if standard traffic flow is not working properly and/or the traffic has to traverse multiple layers of NAT. The helper only listens on the standard SIP port 5060, so if you are using alternate ports, this option will not work for you.

To enable the helper:

  1. Go to Config > Network > Advanced > Options.

  2. Check the box next to Enable SIP NAT Helper.

  3. Click Save.
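
The check below is an added example, not part of the original article or the product's own code. It scans a captured SIP message for RFC 1918 addresses that the phone wrote into the Via, Contact and SDP lines (addresses that NAT alone does not rewrite, because they sit in the payload) and reports whether the flow's destination port is 5060, the only port the helper listens on. The sample INVITE and the function names are constructed for illustration, and only IPv4 is handled.

```python
import ipaddress
import re

HELPER_PORT = 5060  # per the article, the helper only listens on this port
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
# Header and SDP lines where an endpoint writes its own address.
FIELDS = ("via:", "contact:", "o=", "c=")

# Constructed sample (not a real capture): INVITE from a phone on a private LAN.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:200@pbx.example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.10.25:5060;branch=z9hG4bK776asdhds",
    "From: <sip:100@pbx.example.com>;tag=1928301774",
    "To: <sip:200@pbx.example.com>",
    "Call-ID: a84b4c76e66710@192.168.10.25",
    "CSeq: 1 INVITE",
    "Contact: <sip:100@192.168.10.25:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 0 0 IN IP4 192.168.10.25",
    "s=call",
    "c=IN IP4 192.168.10.25",
    "t=0 0",
    "m=audio 16384 RTP/AVP 0",
]) + "\r\n"


def private_addresses(message):
    """Return (field, address) pairs for RFC 1918 IPv4 addresses in the payload."""
    findings = []
    for line in message.splitlines():
        field = next((f for f in FIELDS if line.lower().startswith(f)), None)
        if field is None:
            continue
        for text in IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:  # e.g. an octet above 255
                continue
            if any(addr in net for net in RFC1918):
                findings.append((field.rstrip(":="), text))
    return findings


def assess(message, dst_port):
    """Report embedded private addresses and whether the flow uses the helper's port."""
    return {"private_addresses": private_addresses(message),
            "helper_port_match": dst_port == HELPER_PORT}
```

Pass the UDP destination port seen in your packet capture as dst_port. A flow with embedded private addresses and no port match is one the helper cannot assist with.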


