
Sonicwall Configuration Guide v1.

Sonicwall NSA240 / TZ210 Configuration Guide


(Firmware: SonicOS Enhanced 5.8.1.1-35o & up)

169 Saxony Road, Suite 212 Encinitas, CA 92024 Phone & Fax: (800) 477-1477

Introduction
Thank you for choosing FreedomIQ by FreedomVoice for your industry-leading cloud based phone system. We are glad to have you on board as part of our team and this document should help answer most questions you may have on setting up the Sonicwall router to best optimize voice quality with FreedomIQ. There are multiple sections in this document from Internet access and various basic settings to the QoS configuration monitoring.

This guide will walk you through the following configurations:
1. Change the default password
2. Configuration of the Public Interface (Internet access)
3. Enable Remote Access
4. Set Measured WAN Speed
5. Configure Basic QoS
6. Configure Advanced QoS
7. Enable Netflow Monitoring

Sonicwall NSA240/TZ210
Product Information: Sonicwall NSA240
The Sonicwall NSA240 series is a Fixed-port Access Router that is ideal for medium to large business Internet access and/or IP Telephony using broadband access such as DSL, cable or T1 Ethernet handoff. The NSA240 includes six 10/100 ports and three 10/100/1000 ports, a built-in firewall for network security, QoS & BWM to prioritize delay sensitive traffic like VoIP, and a host of other features such as DHCP, Network Address Translation (NAT), and IPSec VPN.

Features:
- Fixed-port Access Router for broadband access such as DSL, cable or T1 Ethernet handoff
- Six 10/100 ports and three 10/100/1000 ports
- High performance dual-core processor
- Powerful threat management firewall
- Quality of Service (QoS) & bandwidth management (BWM) for delay-sensitive traffic like Voice over IP (VoIP)
- IPSec & SSL VPN
- 600 Mbps Stateful Throughput

Product Information: Sonicwall TZ210


The Sonicwall TZ210 series is a Fixed-port Access Router that is ideal for small to medium sized business Internet access and/or IP Telephony broadband access. The TZ210 includes one ADSL WAN port, integrated four port switch, built in firewall, QoS, DHCP, NAT, and an IPSec VPN.

Features:
- Fixed-port Access Router for broadband access such as DSL, cable or T1 Ethernet handoff
- Five 10/100 ports and Two 10/100/1000 ports
- Powerful threat management firewall
- Quality of Service (QoS) & bandwidth management (BWM) for delay-sensitive traffic like Voice over IP (VoIP)
- IPSec VPN
- 200 Mbps Stateful Throughput

Change Default Username/Password


It is important that you change the default username and password to something secure. This new login information ensures that no one within the LAN can make unauthorized changes. It can also be used as the default remote login information for remote access to the router in the event changes need to be made remotely by a dealer or a FreedomIQ representative.

Default login information:
Gateway: 192.168.168.168
Username: admin
Password: password


Follow these steps to update the admin login information:
1. From the System section in the left column, select Administration.
2. Find the section labeled Administrator Name & Password.
3. Enter the original or old password. Enter the new password twice.
4. Click the Accept button toward the bottom of the page.

Changing username/password is now complete.

Set Up Internet Access


Follow these steps closely to set up the Sonicwall NSA240/TZ210 via the built in GUI. Your ISP should have provided you with general instructions related to your internet connection. If you are unsure what these settings are, contact your ISP with regard to the settings you will need for your router. In most cases your service provider will either have you set your router to DHCP mode or they will provide you with IP address, Gateway, Subnet and DNS server settings. You will need this information to continue the set up.

Follow these steps to configure internet access:
1. From the Network section in the left column, select Interfaces.
2. Under Interface Settings find the Zone column labeled WAN and click on the pencil icon under the Configure column.
3. Make sure the Zone: drop down says WAN.
4. Your ISP will have given you instructions to choose either DHCP or Static for an IP address type within your router. Choose this from the IP Assignment: drop down.
5. Enter your IP Address, Subnet Mask, Default Gateway, DNS Server 1 and DNS Server 2 information.
6. Click the OK button at the bottom of the window.
7. Click the Accept button at the top of the page.

[Screenshots: Configuration Screen 1 of 2 and Configuration Screen 2 of 2]

- Internet configuration is now complete.



Enable Remote Access


The Sonicwall NSA240/TZ210 allows you to configure remote access to the GUI or command line interface.

Follow these steps to configure remote access:
1. From the Network section in the left column, select Interfaces.
2. Under Interface Settings find the Zone column labeled WAN and click on the pencil icon under the Configure column.
3. Make sure the Zone: drop down says WAN.
4. In the Management section check the boxes appropriate to the type of remote access you want to allow (HTTP or HTTPS is most common).
5. Click the OK button at the bottom of the window.
6. Click the Accept button at the top of the page.

Remote access is now complete.

Set the measured WAN speed


The Sonicwall NSA240/TZ210 works best when you specify the amount of internet bandwidth that is allocated to you from your ISP. This step is always important but it is absolutely critical to proper QoS functionality. Don't always take your ISP's word for the up and down speeds; the values entered here should be an average of three speed tests. A recommended place to run these tests is www.speedtest.net.

Follow these steps to set the WAN bandwidth:
1. From the Network section in the left column, select Interfaces.
2. Under Interface Settings find the Zone column labeled WAN and click on the pencil icon under the Configure column.
3. Make sure the Zone: drop down says WAN.
4. Click on the Advanced tab.
5. Check the box Enable flow reporting.
6. Under the heading Bandwidth Management, check Enable Egress Bandwidth Management.
7. In the field Available Interface Egress Bandwidth (Kbps): enter your measured internet speed. If you have a single T-1 this might be 1500.00. If you have a cable modem that measures 10Mbps down, you would enter 10000.00.
8. Under the heading Bandwidth Management, check Enable Ingress Bandwidth Management.
9. In the field Available Interface Ingress Bandwidth (Kbps): enter your measured internet speed. If you have a single T-1 this might be 1500.00. If you have a cable modem that measures 2Mbps up, you would enter 2000.00.
10. Click the OK button at the bottom of the window.

WAN speed setup is now complete.

Configure basic QoS (Quality of Service)


The Sonicwall NSA240/TZ210 comes preconfigured for basic QoS (UDP packet priority & bandwidth management) when ordered directly from FreedomVoice. You may need to modify the bandwidth allocations depending on the bandwidth available to the customer in each direction. Also, depending on the type of traffic on the network, you may want to modify the QoS so it is based on a specific VLAN or specific device(s) instead of giving priority to all UDP traffic. We cover these alternate QoS configurations under Advanced QoS later on in this document.

Configure basic QoS within the GUI, Step 1: Select a type of Bandwidth Management
Start by setting BWM to WAN:
1. Log in to the Sonicwall router GUI (default is 192.168.168.168).
2. Click on the Firewall Settings section in the left column, select BWM.
3. Next to Bandwidth Management Type: make sure WAN is selected.
4. Next to 0 Realtime check the Enable box.
5. Next to 2 High uncheck the Enable box.
6. Next to 4 Medium set Guaranteed to 0 %.
7. Next to 6 Low set Guaranteed to 0 %.
8. Click the Accept button.

Configure basic QoS within the GUI, Step 2: Create Service Objects
Now, create a UDP 5060 signal service object:
9. Log in to the Sonicwall router GUI (default is 192.168.168.168).
10. Click on the Firewall section in the left column, select Service Objects.
11. Under Services click Add.
12. Enter a descriptive name such as SignalUDP.
13. Select the protocol UDP.
14. Enter the port range of 5060 - 5060.
15. Click Add.

Next, create a TCP 5061 signal service object:
1. Click on the Firewall section in the left column, select Service Objects.
2. Under Services click Add.
3. Enter a descriptive name such as SignalTCP.
4. Select the protocol TCP.
5. Enter the port range of 5061 - 5061.
6. Click Add.

Next, create a UDP audio service object:
1. Click on the Firewall section in the left column, select Service Objects.
2. Under Services click Add.
3. Enter a descriptive name such as AudioUDP.
4. Select the protocol UDP.
5. Enter the port range of 6000 - 55000.
6. Click Add.

Next, create a group that contains all three service objects:
1. Click on the Firewall section in the left column, select Service Objects.
2. Under Service Groups click Add Group.
3. Enter a descriptive name such as FreedomIQ.
4. Find the three service objects you created earlier.
5. Highlight each of them and click the arrow to add them to the group.
6. Click OK.

Configure basic QoS within the GUI, Step 3: Apply Service Objects to the firewall
Lastly, create a new firewall rule:
1. Click on the Firewall section in the left hand column, select Access Rules.
2. Under Access Rules (ALL>ALL) click Add.
3. Next to From Zone: select LAN.
4. Next to To Zone: select WAN.
5. Next to Service: select the group (FreedomIQ) that was set up in the last step.
6. Next to Source: select Any.
7. Next to Destination: select Any.
8. Check Enable flow reporting.
9. Check Enable packet monitor.
10. Click on the Ethernet BWM tab.

For the next steps you'll need to determine how much bandwidth you want to guarantee for this particular service group (the phones). This can be done by percentage of total bandwidth or by a set Kbps (Kilobits Per Second). When using the G.711 codec, each phone needs 88Kbps in both directions (Outbound, Inbound) to properly function. Many administrators like to allocate 90-100Kbps per phone to keep a slight cushion of bandwidth.

Example: 1.44Mbps T-1 with 4 phones (using 90Kbps per phone) would require either 25% of available bandwidth or 360Kbps.

11. Check Enable Outbound Bandwidth Management.
12. In the field Guaranteed Bandwidth: enter your number and select the proper corresponding allocation type (% or Kbps).
13. In the field Maximum Bandwidth: enter 100 and select % from the drop down.
14. Check Enable Inbound Bandwidth Management.
15. In the field Guaranteed Bandwidth: enter the same number and corresponding allocation type (% or Kbps) you chose in the above (Outbound) section.
16. In the field Maximum Bandwidth: enter 100 and select % from the drop down.
17. Make sure the Bandwidth Priority: drop down is set to 0 Realtime for both Outbound and Inbound.
18. Check Enable Tracking Bandwidth Usage.
19. Click Add.

Basic QoS is now complete.

Configure Advanced QoS (Prioritize by Network, IP or Device)


The Sonicwall NSA240/TZ210 comes preconfigured for basic QoS (UDP packet priority & bandwidth management) when ordered directly from FreedomVoice. If your network is running applications that run over UDP such as torrents, gaming or video conferencing, you shouldn't use generic UDP prioritization. In these cases prioritizing an entire Subnet, MAC addresses, or statically assigned IP addresses will be best practice. We only need to create one rule for QoS by network, IP or MAC since we're going to be prioritizing ALL traffic from those addresses rather than specific types of traffic. This is safe as long as the addresses are only those of phones and no other types of devices.

Configure Advanced QoS within the GUI, Step 1: Select a type of Bandwidth Management
Start by setting BWM to WAN:
1. Log in to the Sonicwall router GUI (default is 192.168.168.168).
2. Click on the Firewall Settings section in the left column, select BWM.
3. Next to Bandwidth Management Type: make sure WAN is selected.
4. Next to 0 Realtime check the Enable box.
5. Next to 2 High uncheck the Enable box.
6. Next to 4 Medium set Guaranteed to 0 %.
7. Next to 6 Low set Guaranteed to 0 %.
8. Click the Accept button.

Configure Advanced QoS within the GUI, Step 2: Create an Address Object
Now, create an address object for the network, IPs or devices you wish to give priority.
1. Log in to the Sonicwall router GUI (default is 192.168.168.168).
2. Click on the Firewall section in the left column, select Address Objects.
3. Under Address Objects click Add.
4. Enter a descriptive name such as Phone Network or Ext 800 depending on the type of address you're choosing.
5. Zone Assignment: should be Range (LAN IPs), Network (Voice Subnet), or MAC (a specific phone).
6. Enter the applicable information (IP range, Network or MAC) into the next field.
7. Click Add.

NOTE: If you chose type MAC you'll need to repeat this process for each phone. Once all phones have been added to the Address Objects section, you'll want to go to Address Groups and create a single group for all of the MAC entries.

Configure Advanced QoS within the GUI, Step 3: Apply Address Objects to the firewall
Lastly, create a new firewall rule:
1. Click on the Firewall section in the left hand column, select Access Rules.
2. Under Access Rules (ALL>ALL) click Add.
3. Next to From Zone: select LAN.
4. Next to To Zone: select WAN.
5. Next to Service: select the address object (or address group) that was set up in the last step.
6. Next to Source: select Any.
7. Next to Destination: select Any.
8. Check Enable flow reporting.
9. Check Enable packet monitor.
10. Click on the Ethernet BWM tab.


For the next steps you'll need to determine how much bandwidth you want to guarantee for this particular service group (the phones). This can be done by percentage of total bandwidth or by a set Kbps (Kilobits Per Second). When using the G.711 codec, each phone needs 88Kbps in both directions (Outbound, Inbound) to properly function. Many administrators like to allocate 90-100Kbps per phone to keep a slight cushion of bandwidth.

Example: 1.44Mbps T-1 with 4 phones (using 90Kbps per phone) would require either 25% of available bandwidth or 360Kbps.

11. Check Enable Outbound Bandwidth Management.
12. In the field Guaranteed Bandwidth: enter your number and select the proper corresponding allocation type (% or Kbps).
13. In the field Maximum Bandwidth: enter 100 and select % from the drop down.
14. Check Enable Inbound Bandwidth Management.
15. In the field Guaranteed Bandwidth: enter the same number and corresponding allocation type (% or Kbps) you chose in the above (Outbound) section.
16. In the field Maximum Bandwidth: enter 100 and select % from the drop down.
17. Make sure the Bandwidth Priority: drop down is set to 0 Realtime for both Outbound and Inbound.
18. Check Enable Tracking Bandwidth Usage.
19. Click Add.

Advanced QoS is now complete.

Configure Sonicwall to export Netflow data


The Sonicwall TZ210/NSA240 comes with the ability to export valuable data to an external program that provides technical visuals on a variety of network specs. At FreedomVoice we use software called Netflow Analyzer. This allows us to see devices within the remote network that may be contributing to call quality issues by flooding the router or available bandwidth with heavy usage.

Netflow setup
1. Click on the Network section in the left hand column, select Interfaces.
2. Under the Configure column, click the pencil icon for the WAN interface.
3. Under the General tab in the Management field, check the Ping & SNMP boxes.
4. Click on the Advanced tab.
5. Make sure Enable flow reporting is checked.
6. At the bottom of the page click OK. On the Interfaces page click Accept.


Netflow continued
7. Click on the Log section in the left hand column, select Flow Reporting.
8. Check the box Report to EXTERNAL flow collector.
9. In External collector's IP address enter 69.43.168.87.
10. Under External collector's UDP port number enter 3000.
11. Every other setting on this page should be left at the default.
12. At the top of the page click Accept.

Netflow continued
13. Click on System in the left hand column and select Administration.
14. Scroll down to Advanced Management and check Enable SNMP.
15. Next to the SNMP checkbox, click the Configure button.
16. In the Get Community Name: field type ops$3cur3!.
17. At the bottom of the page click OK.
18. Scroll to the top of the page and click Accept.
19. Click on System in the left hand column and select Restart.
20. Click on the Restart button.


Netflow setup is now complete.
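
Added example, not part of the FreedomVoice guide: a minimal collector-side parser showing how exported flow records can be used to find the heavy-usage devices mentioned at the start of this section. It assumes the firewall exports NetFlow version 5 (the guide leaves the format at its default and does not name it); the LAN 192.168.168.0/24, the phone subnet 192.168.168.16/28, the function names and the sample flows are all constructed for illustration.

```python
import ipaddress
import socket
import struct
from collections import Counter

# Assumption: the export format is NetFlow version 5 (the guide does not name it).
HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record

def parse_v5(datagram):
    """Return (src_ip, dst_ip, protocol, dst_port, octets) per flow record."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field is {version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("header record count exceeds the data received")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # f[0]=srcaddr f[1]=dstaddr f[6]=dOctets f[10]=dstport f[13]=prot
        flows.append((socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]),
                      f[13], f[10], f[6]))
    return flows

def heavy_non_phone_hosts(flows, lan_net, phone_net, min_octets):
    """Sum octets per LAN source outside the phone subnet, largest first."""
    lan, phones = ipaddress.ip_network(lan_net), ipaddress.ip_network(phone_net)
    totals = Counter()
    for src, _dst, _proto, _dport, octets in flows:
        addr = ipaddress.ip_address(src)
        if addr in lan and addr not in phones:
            totals[src] += octets
    return [(host, n) for host, n in totals.most_common() if n >= min_octets]

def sample_datagram():
    """Constructed sample datagram: one phone flow, two workstation flows."""
    rows = [  # (src, dst, protocol, dst_port, octets), all values constructed
        ("192.168.168.20", "203.0.113.10", 17, 5060, 4_000),
        ("192.168.168.55", "198.51.100.7", 6, 443, 9_000_000),
        ("192.168.168.55", "198.51.100.8", 17, 6881, 3_000_000),
    ]
    body = b"".join(
        RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), bytes(4), 1, 2,
                    10, octets, 0, 0, 40000, dport, 0, 0, proto, 0, 0, 0, 0, 0, 0)
        for s, d, proto, dport, octets in rows)
    return HEADER.pack(5, len(rows), 0, 0, 0, 0, 0, 0, 0) + body

if __name__ == "__main__":
    flows = parse_v5(sample_datagram())
    for host, octets in heavy_non_phone_hosts(
            flows, "192.168.168.0/24", "192.168.168.16/28", 1_000_000):
        print(f"{host} sent {octets} bytes outside the phone subnet")
```

A live collector would pass parse_v5 the payload of each UDP datagram received on the port entered under Flow Reporting.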


Technical Support
Technical support for FreedomIQ is available from 3:00 AM PST to 6:00 PM PST, Monday through Friday, Saturday from 6:30am PST to 3:30pm PST and can be reached either by phone or by email. Emergency support is available 24/7.

Phone: 888-955-3520 ext. 2
Use this number to reach a trained FreedomIQ technical support representative during normal support hours. If calling outside of normal hours, you will be provided the option to either leave a voicemail message or connect to the emergency support service (see below).

Numerous documents and support materials are available through the FreedomIQ Weblink. Please log into Weblink and select the support tab and review the documentation that is available online there.

Support Email: iqsupport@freedomvoice.com
Emails are automatically forwarded to our ticketing system. An auto-reply will be sent within a few minutes indicating the case number generated. Emails are generally returned within two hours during normal support hours, but may take longer depending on the current volume of tickets received. All emails should, however, be returned same day. For an issue that requires a faster turn-around time, please use the phone numbers listed above.
