Configuring BWM and QoS

One of the greatest challenges for VoIP is ensuring high speech quality over an IP network. IP was designed primarily for asynchronous data traffic, which can tolerate delay. VoIP, however, is very sensitive to delay and packet loss. Managing access and prioritizing traffic are important requirements for ensuring high-quality, real-time VoIP communications.

SonicWall’s integrated Bandwidth Management (BWM) and Quality of Service (QoS) features provide the tools for managing the reliability and quality of your VoIP communications.

Topics:
Bandwidth Management
Quality of Service
Configuring VoIP Access Rules
Using the Public Server Wizard
Bandwidth Management

For information on Bandwidth Management (BWM), see Bandwidth Management Overview.

Quality of Service

QoS encompasses a number of methods intended to provide predictable network behavior and performance. Network predictability is vital to VoIP and other mission critical applications. No amount of bandwidth can provide this sort of predictability, because any amount of bandwidth will ultimately be used to its capacity at some point in a network. Only QoS, when configured and implemented correctly, can properly manage traffic, and guarantee the desired levels of network service.

SonicWall <product name> includes QoS features that adds the ability to recognize, map, modify and generate the industry-standard 802.1p and Differentiated Services Code Points (DSCP) Class of Service (CoS) designators.

Configuring VoIP Access Rules

By default, stateful packet inspection on the SonicWall security appliance allows all communication from the LAN to the Internet and blocks all traffic to the LAN from the Internet. Additional network access rules can be defined to extend or override the default access rules.

If you are defining VoIP access for client to use a VoIP service provider from the WAN, you configure network access rules between source and destination interface or zones to enable clients behind the firewall to send and receive VoIP calls.

If your SIP Proxy or H.323 Gateway is located behind the firewall, you can use the SonicWall Public Server Wizard to automatically configure access rules.

* 
TIP: Although custom rules can be created that allow inbound IP traffic, the SonicWall security appliance does not disable protection from Denial of Service attacks, such as the SYN Flood and Ping of Death attacks.
* 
NOTE: You must select Bandwidth Management on the Network > Interfaces page for the WAN interface before you can configure bandwidth management for network access rules.
1
To add access rules for VoIP traffic on the SonicWall security appliance: Go to the Firewall > Access Rules page, and under View Style click All Rules.
2
Click Add at the bottom of the Access Rules table. The Add Rule dialog displays.

3
In the General tab, select Allow from the Action list to permit traffic.
4
Select the from and to zones from the From Zone and To Zone menus.
5
Select the service or group of services affected by the access rule from the Service list.
For H.323, select one of the following or select Create New Group and add the following services to the group:
H.323 Call Signaling
H.323 Gatekeeper Discovery
H.323 Gatekeeper RAS
For SIP, select SIP
6
Select the source of the traffic affected by the access rule from the Source list. Selecting Create New Network displays the Add Address Object window.
7
If you want to define the source IP addresses that are affected by the access rule, such as restricting certain users from accessing the Internet, select Range in the Type: drop-down menu. The enter the lowest and highest IP addresses in the range in the Starting IP Address: and Ending IP Address fields.
8
Select the destination of the traffic affected by the access rule from the Destination list. Selecting Create New Network displays the Add Address Object window.
9
From the Users Allowed menu, add the user or user group affected by the access rule.
10
Select a schedule from the Schedule menu if you want to allow VoIP access only during specified times. The default schedule is Always on. You can specify schedule objects on the system > Schedules page.
11
Enter any comments to help identify the access rule in the Comments field.
12
Click the Bandwidth tab.
13
Select Bandwidth Management, and enter the Guaranteed Bandwidth in Kbps.
14
Enter the maximum amount of bandwidth available to the Rule at any time in the Maximum Bandwidth field.
15
Assign a priority from 0 (highest) to 7 (lowest) in the Bandwidth Priority list. For higher VoIP call quality, ensure VoIP traffic receives HIGH priority.
* 
TIP: Rules using Bandwidth Management take priority over rules without bandwidth management.
Using the Public Server Wizard

The SonicWall Public Server Wizard provides an easy method for configuring firewall access rules for a SIP Proxy or H.323 Gatekeeper running on your network behind the firewall. Using this wizard performs all the configuration settings you need for VoIP clients to access your VoIP servers.

1
Click Wizards on the SonicOS navigation bar.
2
Select Public Server Wizard and click Next. The Public Server Type dialog displays.

3
Select Other from the Server Type list.
Select SIP from the Services menu if you are configuring network access for a SIP proxy server from the WAN.
Select H323 Gatekeeper RAS if you are configuring network access for a H.323 Gatekeeper from the WAN.
Select H.323 Call Signaling for enabling Point-to-Point VoIP calls from the WAN to the LAN.
4
Click Next.
* 
NOTE: SonicWallSonicWall recommends NOT selecting VoIP from the Services menu. Selecting this option opens up more TCP/UDP ports than is required, potentially opening up unnecessary security vulnerabilities.

5
Enter the name of the server in the Server Name field.
6
Enter the private IP address of the server. Specify an IP address in the range of addresses assigned to the zone where the server is located. The Public Server Wizard will automatically assign the server to the zone in which its IP address belongs. You can enter optional descriptive text in the Server Comment field.
7
Click Next.
8
Enter the public IP address of the server. The default is the WAN public IP address. If you enter a different IP, the Public Server Wizard will create an address object for that IP address and bind the address object to the WAN zone.
9
Click Next.

10
The Public Server Configuration Summary page displays a summary of all the configuration you have performed in the wizard. It should show:
Server Address Objects - The wizard creates the address object for the new server. Because the IP address of the server added in the example is in the IP address range assigned to the LAN zone, the wizard binds the address object to the LAN zone.
Server Service Group Object - The wizard creates a service group object for the services used by the new server.
Server NAT Policies - The wizard creates a NAT policy to translate the destination addresses of all incoming packets with one of the services in the new service group and addressed to the WAN address to the address of the new server. The wizard also creates a Loopback NAT policy
Server Access Rules - The wizard creates an access policy allowing all traffic to the WAN Primary IP for the new service.
11
Click Apply in the Public Server Configuration Summary page to complete the wizard and apply the configuration to your SonicWall.

The new IP address used to access the new server, both internally and externally, is displayed in the URL field of the Congratulations window:

12
Click Close to close the wizard.