Recommendation Information:
-
These firewalls have a powerful Bandwidth Management (BWM) system, which customers have great success using to prevent or resolve many call quality problems.
-
BWM allows you to reserve the exact amount of bandwidth the devices need. This feature is rare to find on small-business grade firewalls at an economical price-point.
-
The least expensive model in the series is the USG20-VPN, but it does not have WiFi.
-
The USG20W-VPN does have WiFi.
-
Both models still have the same Bandwidth Management features that the pricier models have, but they only cost around $180 for the USG20-VPN or $242 for the USG20W-VPN on Amazon and other online stores. In comparison, a Linksys EA6900 costs $150 on Amazon and doesn't have BWM or many features needed for a small-business environment.
-
You will probably be unable to find this firewall at a local store. However, Staples & Fry's Electronics offer a ship-to-store option to save time & money.
Known Issues:
-
SIP ALG is enabled by default, but it is easy to disable.
-
The firewall intermittently interferes with phone registration, but this stops once the changes below are made.
-
We recommend that you do not enable the IP/MAC Binding feature on the ZyXEL unless you are 100% aware of your network configuration:
-
This feature will not allow devices that are not getting an IP address from the ZyXEL DHCP server to access the internet or ping the ZyXEL.
-
It is a security feature that prevents a hacker from walking into your office, plugging their computer into your firewall or switch, & gaining access to your network.
-
When this feature is enabled, the ZyXEL can appear as if it is locked up when it actually is not.
-
The ‘lock-up’ can occur due to one or more of the 3 situations below:
-
You are using a standalone DHCP server, such as running one on a Windows Server, instead of using the DHCP server on the ZyXEL.
-
A computer or other device was manually configured to use a static IP address and the ZyXEL is not aware of that static IP address assignment.
-
The MAC address of a computer or phone was incorrectly entered.
-
-
Firmware Information:
- Confirmed Stable Firmware:
- USG20W:
- Boot Module: 1.17.
- Current Version: 3.30(BDR.6).
- Released Date: 2014-09-29 07:33:21.
- Tested 12/9/14.
- USG50 and above:
- No reported issues with any firmware versions as of 12/9/14.
Resolution:
-
By default, the ZyWall sets ports P2 & P3 to lan1.
-
Unless you want to change those ports to put the phones on a different VLAN from the computers, we recommend you only plug your phones into ports P2 & P3.
-
We cannot set up or configure VLANs for you, but you or your IT can do this if you have a managed switch and know how to configure it.
-
We do not support putting the phones in the DMZ.
-
If you do not want to use VLANs but you still want to use P4, P5, and higher, you will need to log in to the firewall and change Configuration > Interface > Port Role > Designate all unused ports to lan1.
-
-
Log in to the firewall > Configuration (2-gears-icon) in the top-left-hand corner > Network > ALG:
-
Uncheck Enable SIP ALG.
-
Uncheck Enable SIP Transformations.
-
Uncheck Enable Configure SIP Inactivity Timeout.
-
Restrict Peer to Peer Signaling Connection: Uncheck.
-
Restrict Peer to Peer Media Connection: Uncheck.
-
Click Apply.
-
-
Go to Configuration (2-gears-icon) > Object > Address:
-
You will need to create address objects that pertain to the VoIP product being used. Aline's server IP is 192.151.131.40.
-
-
Click on the Address Group tab > Add:
-
Name: "Cloud_Voice_Servers".
-
Description: "Servers that the phone and fax devices use".
-
In the left-hand box, highlight the object(s) you just created.
-
Click the "->" button to move those Object(s) to the right.
-
Click OK.
-
-
-
Go to Object > Service:
-
You will need to create service objects for IP ports that pertain to the VoIP product being used.
- TCP: 10001, 5060-5069
- UDP: 4000-4999, 5060-5069, 10000-20000
-
Click on the Service Group tab > Add:
-
Name: "Cloud_Voice_Service_Ports".
-
Description: "Ports used by phone and fax devices".
-
In the left-hand box, highlight the Service Objects you created above.
-
Click the "->" button to move those Objects to the right.
-
Click OK.
-
-
-
Go to Firewall (Called Security Policy > Policy Control on newer firmware versions):
-
Click Add:
-
Enable: Check.
-
Name: "Cloud_Voice_Devices_Outbound".
-
Do not worry if you do not have this option. It only exists in newer firmware versions and models.
-
-
Description: "Allow phones and fax devices outbound access and BWM".
-
From: Any.
-
To: Any (excluding ZyWALL).
-
Source: Any.
-
Destination: "Cloud_Voice_Servers".
-
Service: "Cloud_Voice_Service_Ports".
-
User: Any.
-
Schedule: None.
-
Action (Access): Allow.
-
Log matched traffic: Yes.
-
UTM Profile: All unchecked.
-
Do not worry if you do not have these options. They are not included on all USG firewalls.
-
-
Click OK.
-
-
Click Add:
-
Enable: Check.
-
Name: "Cloud_Voice_Devices_Inbound".
-
Do not worry if you do not have this option. It only exists in newer firmware versions and models.
-
-
Description: "To allow inbound BWM to phones and fax devices".
-
From: Any.
-
To: Any (excluding ZyWALL).
-
Source: "Cloud_Voice_Servers".
-
Destination: Any.
-
Service: "Cloud_Voice_Service_Ports".
-
User: Any.
-
Schedule: None.
-
Action (Access): Allow.
-
Log matched traffic: Yes.
-
UTM Profile: All unchecked.
-
Click OK.
-
-
Click Add:
-
The following rule is needed to allow the ZyWALL to respond to our Call Quality Monitoring Servers.
-
Enable: Check.
-
Name: "Cloud_Voice_Ping_Response".
-
Do not worry if you do not have this option. It only exists in newer firmware versions and models.
-
-
Description: "To allow response to the Call Quality Monitoring Ping Server".
-
From: WAN.
-
To: ZyWALL.
-
Source: "Cloud_Voice_Ping_Test_Server".
-
Destination: Any.
-
Service: PING.
-
User: Any.
-
Schedule: None.
-
Action (Access): Allow.
-
Log matched traffic: Yes.
-
UTM Profile: All unchecked.
-
Click OK.
-
-
Click Apply at the bottom of the Firewall page.
-
-
-
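The two voice rules above match on the address group and the service group together, which is what keeps them narrow. The sketch below is an added example, not part of the original article or ZyXEL's own tooling: it models "Cloud_Voice_Devices_Outbound" and "Cloud_Voice_Devices_Inbound" with the server IP and port ranges from this page and shows which flows they match. It assumes service objects are matched on destination port and ignores zones; the LAN and third-party addresses in the sample flows are constructed.

```python
import ipaddress

# From the page: the "Cloud_Voice_Servers" group and "Cloud_Voice_Service_Ports".
SERVERS = [ipaddress.ip_network("192.151.131.40/32")]
PORTS = {
    "tcp": [(10001, 10001), (5060, 5069)],
    "udp": [(4000, 4999), (5060, 5069), (10000, 20000)],
}

def in_group(ip, group):
    return any(ipaddress.ip_address(ip) in net for net in group)

def in_service(proto, dport):
    # Assumption: the service object is compared against the destination port.
    return any(lo <= dport <= hi for lo, hi in PORTS.get(proto.lower(), []))

# Rule name -> address condition, in the order the page creates the rules.
RULES = [
    ("Cloud_Voice_Devices_Outbound", lambda f: in_group(f["dst"], SERVERS)),
    ("Cloud_Voice_Devices_Inbound", lambda f: in_group(f["src"], SERVERS)),
]

def match(flow):
    """Return the voice rule a flow matches, or None if it falls through."""
    if not in_service(flow["proto"], flow["dport"]):
        return None
    for name, address_ok in RULES:
        if address_ok(flow):
            return name
    return None

# Constructed sample flows (192.168.1.50 = a phone, 198.51.100.7 = unrelated host).
SAMPLE_FLOWS = [
    {"proto": "udp", "src": "192.168.1.50", "dst": "192.151.131.40", "dport": 5060},
    {"proto": "udp", "src": "192.168.1.50", "dst": "192.151.131.40", "dport": 15000},
    {"proto": "tcp", "src": "192.168.1.50", "dst": "192.151.131.40", "dport": 443},
    {"proto": "udp", "src": "192.151.131.40", "dst": "192.168.1.50", "dport": 11780},
    {"proto": "udp", "src": "198.51.100.7", "dst": "192.168.1.50", "dport": 5060},
    {"proto": "udp", "src": "192.168.1.50", "dst": "192.151.131.40", "dport": 5070},
]

def audit(flows):
    return [match(f) for f in flows]

if __name__ == "__main__":
    for flow, rule in zip(SAMPLE_FLOWS, audit(SAMPLE_FLOWS)):
        print(flow, "->", rule or "not matched by the voice rules")
```

Flows that return None are left to whatever other rules and default policy the firewall already has.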
Go to Firewall (Security Policy) > Session Control tab > General Settings:
-
UDP Session Time Out: 300.
-
Click Apply.
-
-
The steps below are needed to reserve the exact amount of bandwidth the phones need to prevent call quality problems:
-
Go to BWM > BWM Global Setting:
-
Enable BWM: Check.
-
Enable Highest Bandwidth Priority for SIP Traffic: Uncheck.
-
We will be setting up manual BWM rules for voice/fax traffic.
-
This setting cannot be enabled or it will override our custom, more effective rules.
-
-
Click Apply at the bottom of the page.
-
-
On the same BWM page under Configuration > Add:
-
Configuration:
-
Enable: Check.
-
Description: "Reserve outbound bandwidth that phones and faxes need".
-
BWM Type: Shared.
-
Do not worry if you do not have this option. It only exists in newer firmware versions and models.
-
-
-
Criteria:
-
User: Any.
-
Schedule: None.
-
Incoming Interface: Any.
-
Outgoing Interface: Any.
-
Source: Any.
-
Destination: "Cloud_Voice_Servers".
-
DSCP Code: Any.
-
Service Type: Service Object.
-
Service Object: "Cloud_Voice_Service_Ports".
-
-
DSCP Marking:
-
Inbound Marking: Preserve.
-
Outbound Marking: Preserve.
-
-
Bandwidth Shaping:
-
Guaranteed Bandwidth:
-
Inbound: calculate this number: (#-of-phones * 50kbps) + (#-of-fax-adapters * 100kbps) + (50 kbps for 1 VoIP/Soak Test Tool).
-
Priority: 5.
-
Maximize Bandwidth Usage: Uncheck.
-
Maximum: calculate this number: (#-of-phones * 100kbps) + (#-of-fax-adapters * 100kbps) + (50 kbps for 1 VoIP/Soak Test Tool).
-
-
Outbound: calculate this number: (#-of-phones * 50kbps) + (#-of-fax-adapters * 100kbps) + (50 kbps for 1 VoIP/Soak Test Tool).
-
Priority: 5.
-
Maximize Bandwidth Usage: Uncheck.
-
Maximum: calculate this number: (#-of-phones * 100kbps) + (#-of-fax-adapters * 100kbps) + (50 kbps for 1 VoIP/Soak Test Tool).
-
-
Related Setting:
-
Log: Yes/Log.
-
-
Click OK.
-
-
On the same page under Configuration > Add:
-
Configuration:
-
Enable: Check.
-
Description: "Reserve inbound bandwidth that phones and faxes need".
-
BWM Type: Shared.
-
-
Criteria:
-
User: Any.
-
Schedule: None.
-
Incoming Interface: Any.
-
Outgoing Interface: Any.
-
Source: "Cloud_Voice_Servers".
-
Destination: Any.
-
DSCP Code: Any.
-
Service Type: Service Object.
-
Service Object: "Cloud_Voice_Service_Ports".
-
-
DSCP Marking:
-
Inbound Marking: Preserve.
-
Outbound Marking: Preserve.
-
-
Bandwidth Shaping:
-
Guaranteed Bandwidth:
-
Inbound: calculate this number: (#-of-phones * 50kbps) + (#-of-fax-adapters * 100kbps) + (50 kbps for 1 VoIP/Soak Test Tool).
-
Priority: 5.
-
Maximize Bandwidth Usage: Uncheck.
-
Maximum: calculate this number: (#-of-phones * 100kbps) + (#-of-fax-adapters * 100kbps) + (100kbps for 1 VoIP/Soak Test Tool).
-
-
Outbound: calculate this number: (#-of-phones * 50kbps) + (#-of-fax-adapters * 100kbps) + (50 kbps for 1 VoIP/Soak Test Tool).
-
Priority: 5.
-
Maximize Bandwidth Usage: Uncheck.
-
Maximum: calculate this number: (#-of-phones * 100kbps) + (#-of-fax-adapters * 100kbps) + (100kbps for 1 VoIP/Soak Test Tool).
-
-
Related Setting:
-
Log: Yes/Log.
-
-
Click OK.
-
-
Click Apply at the bottom of the page.
-
-
-
-
-
-
Go to Network > Interface > Ethernet tab > Select the WAN interface the VoIP devices are using (it is usually wan1) > Edit:
-
Scroll down to Interface Parameters:
-
Egress Bandwidth:
-
Enter in only 80-95% of the Upload bandwidth you pay for.
-
If you do not know what it is, take the average of 3 Upload results at Telecom Speed Test.
-
-
Ingress Bandwidth (may need to select 'advanced settings' option in order to view):
-
Enter in only 80-95% of the Download bandwidth you pay for.
-
If you do not know what it is, take the average of 3 Download results at Telecom Speed Test.
-
If you do not have the Ingress Bandwidth option, do not worry.
-
The BWM rules you created in step 7 accomplish Ingress BWM via an alternate method.
-
-
Click OK.
-
-
Click Apply at the bottom of the page.
-
-
-
Go to Network > Interface > Ethernet tab > Select the LAN interface the VoIP devices are using (it is usually lan1) > Edit:
Scroll down to Interface Parameters:
Egress Bandwidth:
Enter in only 80-95% of the ***Download*** bandwidth you pay for.
If you do not know what it is, take the average of 3 ***Download*** results at Telecom Speed Test.
Ingress Bandwidth (may need to select 'advanced settings' option in order to view):
Enter in only 80-95% of the ***Upload*** bandwidth you pay for.
If you do not know what it is, take the average of 3 ***Upload*** results at Telecom Speed Test.
If you do not have the Ingress Bandwidth option, do not worry.
The BWM rules you created in step 7 accomplish Ingress BWM via an alternate method.
Click OK.
Click Apply at the bottom of the page.
-
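A worked sizing of the BWM rules and interface limits described above, as an added example that is not part of the original article. It uses the page's formulas and its 80-95% guidance; the function names, the choice of kbps as the speed-test unit, and the final check that the guaranteed reservation fits inside the shaped WAN bandwidth are assumptions added here.

```python
def rule_kbps(phones, fax_adapters, soak_max_kbps):
    """Guaranteed and Maximum for one BWM rule, using the page's formulas."""
    guaranteed = phones * 50 + fax_adapters * 100 + 50
    maximum = phones * 100 + fax_adapters * 100 + soak_max_kbps
    return guaranteed, maximum

def interface_kbps(speed_tests_kbps, percent=90):
    """Average three speed-test results and keep 80-95% of that average."""
    if len(speed_tests_kbps) != 3:
        raise ValueError("the page asks for the average of 3 results")
    if not 80 <= percent <= 95:
        raise ValueError("the page asks for 80-95% of the bandwidth")
    return sum(speed_tests_kbps) * percent // (3 * 100)

def size_site(phones, fax_adapters, upload_tests, download_tests, percent=90):
    # The page's outbound rule adds 50 kbps to Maximum for the test tool,
    # its inbound rule adds 100 kbps; Guaranteed is the same in both.
    out_g, out_max = rule_kbps(phones, fax_adapters, soak_max_kbps=50)
    in_g, in_max = rule_kbps(phones, fax_adapters, soak_max_kbps=100)
    plan = {
        "outbound_rule": {"guaranteed": out_g, "maximum": out_max},
        "inbound_rule": {"guaranteed": in_g, "maximum": in_max},
        "wan_egress": interface_kbps(upload_tests, percent),
        "wan_ingress": interface_kbps(download_tests, percent),
    }
    # On lan1 the directions are mirrored: egress is download, ingress is upload.
    plan["lan_egress"] = plan["wan_ingress"]
    plan["lan_ingress"] = plan["wan_egress"]
    # Added sanity check: a reservation larger than the link cannot be honoured.
    plan["warnings"] = []
    if out_g > plan["wan_egress"]:
        plan["warnings"].append("guaranteed voice bandwidth exceeds upload limit")
    if in_g > plan["wan_ingress"]:
        plan["warnings"].append("guaranteed voice bandwidth exceeds download limit")
    return plan

if __name__ == "__main__":
    # Constructed site: 8 phones, 1 fax adapter, roughly 10 Mbps up / 50 Mbps down.
    print(size_site(8, 1, [10200, 9800, 10000], [51000, 49000, 50000]))
```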
The steps below are necessary for efficient DNS resolution of the configuration and call servers the phones require:
-
These changes will take your computers, phones, and all other devices offline for 10 minutes, or much longer if an unexpected problem arises.
-
Make sure to only make the changes below when you can afford to take your network offline.
-
Click on Configuration (2-gears-icon) in the top-left-hand corner.
-
Go to Network > Interface > Ethernet tab:
-
Select lan1 > Edit > Scroll down to DHCP Setting > Do the following:
-
First DNS Server (Optional) > Set to Custom Defined > Enter:
-
"8.8.8.8".
-
-
Second DNS Server (Optional) > Set to Custom Defined > Enter:
-
"8.8.4.4".
-
-
Enable IP/MAC Binding: Leave unchecked unless you or your IT intentionally checked it.
-
Click OK to Save.
-
-
Test to make sure computers can reach common websites.
-
If they cannot, you will need to manually clear the DNS cache on the computers.
-
For computers running Windows, run the command below from Command Prompt:
-
"ipconfig /flushdns".
-
-
-
-