How to separate sip traffic

Hi,

please post a screenshot of your firewall rules. I assume you have different rules for the SIP traffic from the other traffic?

Ian

Yes for outgoing calls this is the firewall rule…source zone: lan

source device: sip server

destination zone: wan

i tried added the red network also to the destination zone but still no audio.

the rules between the 2 offices are..

source zone: lan

source device: local network

destination zone: red

destination device: office 2 network.

I also have one for reverse traffic.

Hi,

you shouldn't need a reverse firewall rule. I assume you have the SIP service in your firewall rule?

Please try changing your destination zone to ANY in your SIP rule because the phones setup the connection to the SIP server so the XG knows where to send the traffic because a connection between the phones and the server is maintained even when there are no calls.

Ian

So here are my unchanged rules

This is for outgoing sip traffic

the last 2 are for going to and coming back. I have it going both ways because we have data that both locations share. 

now you are saying that I need to change the destination zone in my sip rule to Any?

is there anything else I should change?

I should also note that the 2 location have separate phone systems. They are 2 different units and our phone provider programmed the 2 to communicate. My issue I believe is when the call gets answered it’s trying to send the audio out the wan port and not down the tunnel.

Hi,

your RED rule with RED as source and destination is a bit strange. For a both way rule you would normally go something like this RED and LAN (or ANY) in Source zone and RED and LAN (or ANY for destination zone. with source a dn destination network being RED and the actual network in the office.

Ian

Hi,

your RED rule with RED as source and destination is a bit strange. For a both way rule you would normally go something like this RED and LAN (or ANY) in Source zone and RED and LAN (or ANY for destination zone. with source a dn destination network being RED and the actual network in the office.

Ian

So you are staying to have just 1 rule and add both lan and red to the source and destination zone?

Do you think those changes will fix my issue?

Hi,

I would go a little further and create a firewall rule at the top specifically for sip traffic because you can then assign the sip a qos policy.

ian

I can try that. But how do I get it to send audio down the red tunnel? That’s the issue I’m having. When I dial an extension from office 1 to office 2 the call connects then tries to send the audio out the wan connection.

I would review what logviewer shows the traffic routing during the call setup. Sounds like the XG is not associating the sip connection with the voice component. 
might be a server configuration as well as a firewall issue.

ian

SIP Is somehow hard to deal with. The SIP Helper will open the connections in the firewall, but the association between those SIP Packets and the UDP Data packets is hard. 

Likely the traffic looks completely different. See: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/troubleshooting/VoIPPhoneRingsNoAudio.html

Yeah I think this is where I’m struggling. 

 I have all my rules set correctly for it to work with outgoing calls but not no audio when dial extensions down the tunnel. If I add the destination network into my rule then normal outgoing calls fail. I guess I just don’t know how to separate the routing for the 2 different rules since I’m pretty sure it’s going to use whichever rule is first.