Setting up PFsense for 27 8x8 VOIP phones (QOS)

  • I use 8x8 phones at the company I own.  It's a hosted PBX solution using voip phones.  We currently have 14 of these phones.

    We use an Edgewater router that was preconfigured for 8x8 and it works great, however we are moving to a larger location that will have 27 of these phones and the fiber that will be installed won't be installed until about a month or two after we are there and so we'll be stuck with having to use some 15/2 DSL connections which we would like to load balance.  So I would like to use PFsense for 2 or 3 WANs in a load balancing config, but I'm not clear how to make sure the QOS will work with the 8x8 phones.

    I purchased a gold membership and I'm going through the videos (the dual Wan one right now).  I'm also testing a PFsense box at my home so I can get some experience with it.  At the same time I'd like to be prepared to set this up for the QOS before the move.

    8x8 gives the following recommendations below and I'm assuming most of this can be done in Firewall/Rules but if anyone can guide me on this I'd appreciate it …

    Disable the following:

    SIP Normalization
    SPI (or set to Pass Thru)

    Enable or allow the following:

    https through firewall

    Unrestrict traffic to and from 8x8 subnets:  [ - ]  [ - ]  [ - ] (U.K. Only)

    Configure the ports with High Priority:

    UDP 30000-30040 (source port range for VOD aac)
    UDP 5196-5199 (SIP signaling)
    UDP 3478-3480 (STUN)
    UDP 2222-2269 (Polycom media)
    UDP 16384-16404 (Linksys media)

    Configure the Ports as Needed:

    UDP 5299 (KIRK/Spectralink signaling)
    UDP 58000-58050 (KIRK/Spectralink base media)
    UDP 15044 (MGCP - Aastra / BPG / BPA / Tango)
    UDP 15062 (MSRP)
    TCP 5199 (Virtual Office Mobile iOS/Android app over Wi-fi)
    TCP 8443 (Exchange/Outlook integration)
    TCP 15000 (Switchboard)
    TCP 2099 (Switchboard base registry)
    TCP 20080-23080 (Switchboard OUTBOUND)

    To confuse matters, I looked at the settings for specific routers and the recommendations seem to vary wildly depending on the router …

    Disabling SIP-ALG is an essential part of setting QoS on a router and optimizing it for 8x8 service. Many ALGs (including Cisco's) have bugs which cause call flow and registration failures. Some ALGs (including Cisco's) intermittently miss some packets (read: do not perform fixup), or in the case of fragmented packets, do not even examine and change headers.

    When SIP-ALG is enabled, CP SBCs determine the endpoints are publicly addressed and therefore do not need frequent registration refreshes to keep the firewall port open between SBC and the endpoint. In this case, the firewall can close the port between the VoIPZone SBC and endpoint, causing an inability to receive incoming calls. The most common issues that result from enabled SIP-ALG when using Virtual Office applications include:

    Outbound call status stuck in Dialing...
    An inability to field incoming calls (call continues to ring and cannot be answered).
    Additional SIP-ALG information and settings can be found at

    Device Guidance

    It is highly recommended you have your network or IT administrator or a qualified professional configure the following in your router or firewall.

    If you don't see your router or manufacturer below, consult the manufacturer's documentation. You can also refer to additional information on generally recommended 8x8 Virtual Office QoS settings.

    Adtran Routers
    Add the following:

    no ip firewall alg sip


    ASA Routers
    Go to policy-map global_policy > class inspection_default.
    no inspect sip

    Cisco (non-ASA)
    On Cisco devices, SIP-ALG is referred to as SIP Fixup and is enabled by default on both routers and Pix devices. Because this is a default setting, no indication of it being "on" or "off" is visible in the configuration.

    To disable SIP Fixup, issue the following commands:

    General Routers

    no ip nat service sip tcp port 5060
    no ip nat service sip udp port 5060

    Enterprise-Class Routers

    no ip nat service sip tcp port 5060
    no ip nat service sip udp port 5060

    Pix Devices

    no fixup protocol sip 5060
    no fixup protocol sip udp 5060


    Fortinet Routers
    From CLI interface, type the following commands:
    config system session-helper
    show system session-helper
    (Look for the session instance that refers to SIP—likely to be #12)

    Delete 12
    (Or number corresponding to SIP reference)

    To confirm deletion, run show system session-helper again.
    Ensure there is no reference to SIP or port 5060.

    Linksys BEFSR41
    From the ADMIN page of the router, navigate to [APPLICATIONS & GAMING] > [PORT TRIGGERING].
    Enter [TCP] as the application.
    Enter [5060] into the Start Port and End Port for both the Triggering Range and Forwarded Range.
    Check Enable.
    Save Settings.
    Reboot IP phone.

    SonicWall Routers
    Uncheck the box for Use SIP Header Transformation.
    Disable consistent NAT.
    When setting the Global Default UDP timeout value on a SonicWall firewall, you must still fix the pre-existing rules' individual UDP timeout values. New rules will inherit the Global Default. Increase the UDP timeout to the suggested 300 seconds both globally on the firewall and the specific out-bound firewall rule (or the default rule, as the case may be).
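As an added example (not code from the original post, 8x8 or pfSense), the Python below parses the two 8x8 port lists quoted above, turns them into pfSense-style port alias entries and classifies sample flows against them; the alias names (`VOIP_HIGH_*`, `VOIP_OPT_*`) and the `lo:hi` range form are assumptions. It also makes visible that plain UDP 5060, the port the SIP-ALG commands above refer to, is in neither 8x8 list.

```python
import re
from collections import defaultdict

# Constructed input: the two lists from the post, one recommendation per line.
HIGH_PRIORITY = """
UDP 30000-30040 (source port range for VOD aac)
UDP 5196-5199 (SIP signaling)
UDP 3478-3480 (STUN)
UDP 2222-2269 (Polycom media)
UDP 16384-16404 (Linksys media)
"""
AS_NEEDED = """
UDP 5299 (KIRK/Spectralink signaling)
UDP 58000-58050 (KIRK/Spectralink base media)
UDP 15044 (MGCP - Aastra / BPG / BPA / Tango)
UDP 15062 (MSRP)
TCP 5199 (Virtual Office Mobile iOS/Android app over Wi-fi)
TCP 8443 (Exchange/Outlook integration)
TCP 15000 (Switchboard)
TCP 2099 (Switchboard base registry)
TCP20080-23080 (Switchboard OUTBOUND)
"""
# Tolerates the missing space in "TCP20080-23080" and single ports without a range.
LINE_RE = re.compile(r"^(TCP|UDP)\s*(\d+)(?:-(\d+))?\s*\((.*)\)$")

def parse_ports(text):
    """Return {(proto, lo, hi): description} for every line of a list."""
    out = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        proto, lo, hi, desc = m.groups()
        lo, hi = int(lo), int(hi or lo)
        assert 1 <= lo <= hi <= 65535, f"bad port range: {line!r}"
        out[(proto, lo, hi)] = desc
    return out

def pfsense_aliases(entries, prefix):
    """Group ranges per protocol into alias entries (assumed names, 'lo:hi' form)."""
    groups = defaultdict(list)
    for proto, lo, hi in sorted(entries):
        groups[f"{prefix}_{proto}"].append(f"{lo}:{hi}" if lo != hi else str(lo))
    return dict(groups)

def classify(proto, port, high, optional):
    """Shaper class a flow to this remote port would match: high, optional or default."""
    for name, table in (("high", high), ("optional", optional)):
        if any(p == proto and lo <= port <= hi for (p, lo, hi) in table):
            return name
    return "default"
```

Feed it real 5-tuples from a capture on the LAN side to audit that the phones' signaling and media actually fall into the high class before cutting over to the load-balanced WANs.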