Sunday, August 17, 2008

VOIP traffic through your firewall?

Can you send your VOIP traffic through your firewall and still expect good quality of service?

The answer is “that depends”. Most firewalls were not designed with VoIP in mind. A firewall that does deep packet inspection stops and examines every packet passing through it, matching it against its intrusion-detection (IDS) signatures. That is a problem for VoIP, which depends on low and consistent latency: inspection adds delay and jitter, and many firewalls cannot apply QoS to prioritize voice over bulk traffic. So as your users download files and the firewall gets busy, your voice packets sit in the same queue and wait behind the downloads. On the phone that shows up as echo, choppy or garbled audio, or even dropped calls.

Most firewall vendors have recognized this and rushed to upgrade their firmware to support VoIP traffic. The results have been disappointing, so you may need to buy a new firewall, or bypass your firewall altogether, because VoIP traffic is simply too sensitive to delay.

I recommend you bypass your firewall completely for all VoIP traffic and IP phones. Here’s how:

#1 - Set up an alternate gateway IP on your WAN router. This is a secondary private IP address (such as 192.168.1.254), doing simple NAT, in addition to the router’s public WAN IP address. Ask your ISP to do this for you (California Telecom does it for you).

#2 - Now do something that may look dangerous: plug both the LAN (trusted) and WAN (untrusted) ports of your firewall into your LAN switch. Be clear about why this is acceptable, because it is not the switch that protects you. A switch forwards frames by MAC address, not by IP, so the firewall’s trusted and untrusted sides now share one broadcast domain, and any host on the LAN can address the router directly. What keeps that from becoming a firewall bypass for everything is the ACL in step 4, so treat the router’s private-side interface as an untrusted edge and do not skip that step.

#3 - Then plug the WAN router port (the one that normally plugs into the firewall’s untrusted side) into your LAN switch. All your ordinary host traffic still goes to the firewall’s LAN gateway IP (192.168.1.1); you point the VoIP phones at the alternate gateway instead, the WAN router’s secondary IP (192.168.1.254). Their traffic then bypasses the firewall completely.

#4 - You definitely want a simple ACL (Access Control List) on that alternate gateway that only permits traffic between the phones and one specific IP (your VoIP provider’s switch IP) and drops everything else, so your users don’t get any wise ideas and point their own traffic at the .254 gateway to escape the firewall. That ACL is what protects your network now that there is a second path out; your VoIP traffic is still free to pass through this second gateway.

#5 - The last step is to configure your DHCP server with MAC reservations for the IP phones, so the phones pull a different DHCP scope (or per-host options) that hands out the alternate gateway (192.168.1.254), while every other host keeps getting the firewall (192.168.1.1) as its gateway.
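As an added example of steps 1, 4 and 5 together (this is not the original post’s or California Telecom’s configuration), here is one way to express the design on a Cisco IOS router with a separate ISC dhcpd server on the LAN. Everything beyond the post’s 192.168.1.1 and 192.168.1.254 is an assumption: the interface names, the firewall’s WAN-side transit subnet 10.0.0.0/30, the phone reservation block 192.168.1.192/27, the VoIP switch address 203.0.113.10, the router’s public address 198.51.100.2 and the phone MAC are placeholders to replace with your own values.

```text
! ===== WAN router (Cisco IOS syntax, assumed) =====
! Step 1: the LAN-facing interface carries the firewall's transit subnet as its
! primary address and the alternate phone gateway 192.168.1.254 as a secondary.
interface GigabitEthernet0/1
 description LAN switch: firewall WAN port and IP phones both arrive here
 ip address 10.0.0.1 255.255.255.252
 ip address 192.168.1.254 255.255.255.0 secondary
 ip access-group VOIP_BYPASS in
 ip nat inside
!
interface GigabitEthernet0/0
 description ISP uplink (public address is a placeholder)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
! Step 4: this ACL is the only thing stopping LAN hosts from using .254 to walk
! around the firewall, so it is applied inbound on the LAN-facing interface.
ip access-list extended VOIP_BYPASS
 remark the firewall's own WAN side (10.0.0.2) may go anywhere; it filters its LAN
 permit ip host 10.0.0.2 any
 remark phones live in the reserved block .192-.223 and may only talk to the VoIP switch
 permit ip 192.168.1.192 0.0.0.31 host 203.0.113.10
 remark anything else that tries the alternate gateway is dropped and logged
 deny ip any any log
!
! simple NAT for both the firewall's WAN side and the phones
ip access-list standard NAT_SOURCES
 permit 10.0.0.2
 permit 192.168.1.192 0.0.0.31
ip nat inside source list NAT_SOURCES interface GigabitEthernet0/0 overload

# ===== LAN DHCP server: /etc/dhcp/dhcpd.conf (ISC dhcpd syntax, assumed) =====
# Step 5: ordinary hosts keep the firewall as their gateway; each phone gets a
# MAC reservation inside the .192/27 block and the alternate gateway instead.
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.50 192.168.1.150;
  option routers 192.168.1.1;            # firewall LAN IP, from the post
  option domain-name-servers 192.168.1.10;
}
host phone-lobby {                       # one host block per phone; MAC is a placeholder
  hardware ethernet 00:11:22:33:44:55;
  fixed-address 192.168.1.193;
  option routers 192.168.1.254;          # host scope overrides the subnet's routers option
}
```

Two things to check once this is in place. The phone reservations must stay inside the 192.168.1.192/27 block, or the ACL drops their traffic; and `show access-lists VOIP_BYPASS` on the router shows match counts on the final deny line, which is a quick way to see whether any LAN host is trying the alternate gateway. Remember that the phones now sit outside the firewall, so the router’s ISP-facing interface still needs its own inbound filtering.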

Done this way, your IP phones are no longer queued behind the firewall’s inspection engine, and the ACL keeps the alternate gateway from becoming an open bypass for everyone else.

Any further questions you can email me: jim@californiatelecom.com
