SIP/VOIP Audio Quality Issues SonicWall

Before doing anything, take a backup of the current configuration.

Enable consistent NAT & disable security scanning on VOIP server/PBX.

Enable consistent NAT (75% improvement in audio quality):

Now to get that remaining 25%.

Then create a zone for your PBX and disable security scanning services on that device.

VoIP: Poor quality or calls getting dropped | SonicWall


Then we’ll create an address object for the IP PBX.

Manage -> Objects -> Address Objects -> Add

Select the “VOIP” zone that we just created.

This is only helpful when your phones and your data traffic are on different LANs or VLANs.

If your PBX and data devices are on the same LAN, then change the zone assignment to match the zone type of the interface that the PBX is connected to (most likely LAN). Then disable each feature for the address object that was just created.

In essence, we have to exclude the IP within each security service.

First up is the Content Filter. We don’t need the content filter trying to read SIP traffic data.

Manage -> Security Services -> Content Filter -> CFS Exclusion -> Select the address object.

Next is the Gateway Anti-Virus

Manage -> Security Services -> Gateway Anti-Virus -> Configure Gateway AV Settings -> Gateway AV Exclusion List -> select address object

Next is Intrusion Prevention

Manage -> Security Services -> Intrusion Prevention -> Enable IPS exclusion list checkbox -> select address object

Next is Anti-Spyware

Manage -> Security Services -> Anti-Spyware -> Configure anti-spyware settings -> Enable exclusions -> select IP PBX address object

Next is App Control

We want to leave it on for the subnet, just not for the specific device.

Manage -> Rules -> App Control -> Configure App Control Settings -> tick exclusion checkbox. You can either select the address object manually or use the IPS exclusion list.

Ping across SonicWall Site-to-Site tunnel

If you have any two modern SonicWalls, ping will be blocked across your site-to-site tunnel by your IPS (Intrusion Prevention System) settings.

Remember that one side has to be the primary with a default route of 0.0.0.0, and the other one has to point to the public IP address of the primary.

Ping can be enabled specifically, without disabling the protection against “low priority attacks”. This can be done by:

  1. Log into the router's web interface
  2. Click on “Manage” (for newer models) or “Security Services”
  3. Click on “Intrusion Prevention”
  4. Find the “IPS Policies” heading
  5. Locate “ICMP”
  6. Click “Configure” button next to ICMP
  7. Match these settings

I left the “detection” set to on. This way pings are logged but not blocked. If you only want ping to work across the tunnel but not from the internet to the SonicWall, you will need to change the “Included IP address range” to the range of the remote location’s RFC1918 subnet.
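A quick way to work out and sanity-check that “Included IP address range” before typing it in. This is an added example, not part of the original post or any SonicWall tooling; the function names, the from/to form of the range and the sample subnets are assumptions made for illustration.

```python
import ipaddress

# The three private blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_rfc1918(net):
    """True if the whole IPv4 network sits inside one RFC 1918 block."""
    return any(net.subnet_of(block) for block in RFC1918)


def icmp_include_range(remote_cidr):
    """Return (from_ip, to_ip) covering the remote site's subnet.

    Raises ValueError if the subnet is not RFC 1918 space, since a public
    range here would also allow ping from the internet.
    """
    net = ipaddress.ip_network(remote_cidr, strict=True)
    if net.version != 4 or not in_rfc1918(net):
        raise ValueError(f"{remote_cidr} is not an RFC 1918 subnet")
    return str(net.network_address), str(net.broadcast_address)


def audit_range(from_ip, to_ip, remote_cidr):
    """Check an already-configured IPv4 range against the remote subnet.

    Returns a list of problems; an empty list means the range is scoped
    to the remote site only.
    """
    remote = ipaddress.ip_network(remote_cidr, strict=True)
    first, last = ipaddress.ip_address(from_ip), ipaddress.ip_address(to_ip)
    if first > last:
        return ["range start is above range end"]
    problems = []
    # Break the range into CIDR blocks so containment can be tested exactly.
    for block in ipaddress.summarize_address_range(first, last):
        if not in_rfc1918(block):
            problems.append(f"{block} is outside RFC 1918 space")
        elif not block.subnet_of(remote):
            problems.append(f"{block} extends beyond remote subnet {remote}")
    return problems
```

An explicit RFC 1918 list is used instead of Python's `is_private`, which also accepts loopback, link-local and other reserved ranges that are not valid remote-site subnets.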