TZ170 VPN and phone

Posted on 2009-04-07
Last Modified: 2012-05-07
In a remote office, we have a VPN tunnel from their Sonicwall TZ170 to our Sonicwall Pro1260. This VPN is serving both our data and phones. I need to get the phones off of the VPN tunnel. All the phones need is internet access. What's the best way to accomplish this task?
Question by:RLAInc
LVL 17

Expert Comment

ID: 24095290
The phone will HAVE internet access, unless you are explicitly blocking it, already.

The phone will only talk down the VPN if

- you have set it up to communicate with a SIP server (say) on the LAN range of your Pro1260.
- you have set up the VPN tunnel to force ALL traffic from the remote site to go via head office.

If you have done the second you will need to review the policy coz I assume it was done for a reason, and turning it off will therefore upset something else.

If the former, simply change the SIP Server address (etc) that the phone logs in to from a LAN address on your Pro 1260 to any other address. If you still need it to log in to the same server which is ON your 1260 LAN range, then you will need to make sure the SIP server has a NAT mapping to a public IP address - and then point the phone at that rather than the LAN address.
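
Added example (not part of the original thread or the expert's answer): a small Python model of the two cases in the comment above, showing which egress a phone's SIP traffic takes under a split-tunnel policy versus a policy that forces all traffic through head office. All addresses, names and functions are constructed for illustration and are not SonicWALL settings.

```python
import ipaddress

# Constructed sample addressing; none of these values come from the thread.
HEAD_OFFICE_LAN = ipaddress.ip_network("192.168.10.0/24")  # LAN behind the Pro1260
SPLIT_POLICY = [HEAD_OFFICE_LAN]                           # tunnel only head-office LAN
FULL_POLICY = [ipaddress.ip_network("0.0.0.0/0")]          # force ALL traffic via head office

SIP_ON_LAN = "192.168.10.20"   # SIP server's LAN address (constructed)
SIP_PUBLIC = "203.0.113.20"    # its NAT-mapped public address (RFC 5737 range)


def egress_for(dst, tunnel_destinations):
    """Return 'vpn' if dst matches a tunnel destination network, else 'wan'."""
    addr = ipaddress.ip_address(dst)
    return "vpn" if any(addr in net for net in tunnel_destinations) else "wan"


def why_tunnelled(sip_server, tunnel_destinations):
    """Name which of the two causes puts the phone's SIP traffic on the VPN."""
    if egress_for(sip_server, tunnel_destinations) == "wan":
        return "not tunnelled"
    if any(net.prefixlen == 0 for net in tunnel_destinations):
        return "policy forces all traffic through the tunnel"
    return "SIP server address is inside a tunnelled LAN range"


def report():
    """Evaluate both SIP addresses against both policies."""
    rows = []
    for policy_name, policy in (("split", SPLIT_POLICY), ("full", FULL_POLICY)):
        for sip in (SIP_ON_LAN, SIP_PUBLIC):
            rows.append((policy_name, sip, egress_for(sip, policy),
                         why_tunnelled(sip, policy)))
    return rows


if __name__ == "__main__":
    for row in report():
        print("%-5s policy  SIP %-14s -> %-3s  (%s)" % row)
```

Under the split policy, repointing the phone at the public address moves it off the tunnel; under the all-traffic policy it stays on the tunnel either way, so the policy itself has to change.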


Author Comment

ID: 24139261
It's the latter. What I am thinking is setting up the phones w/ a static IP w/ a range that is different from the IP range that is using the VPN. I am a little lost on how to do this on a TZ170. Any help would be appreciated.

LVL 17

Expert Comment

ID: 24145922
Why are you looking to do this? What do you hope to gain?

If you mean the phone is on the LAN side of the TZ1xx alongside one or more PCs, then you can do it by adding the second range to the Sonicwall router table and pointing the route destination at the LAN port.


Author Comment

ID: 24148495
I am having issues w/ the phones clipping in and out and slow data. Both are on the VPN. I am wanting to move the phones off of the VPN since they don't need to be secured w/ VPN encryption. All the phones need is internet access. I am also going to want to have some sort of QoS on these phones.

Author Comment

ID: 24151509
I've been working w/ Sonicwall and my options are getting very limited w/out spending money. Here are my options:

1. According to Sonicwall, my only option to pull the voice off of the VPN is to have it configured to use the OPT which will help the performance slightly but not significant enough to make a difference.

2. Upgrade the OS to Enhanced. I am hesitant on this because I do not know how well the TZ170's QoS will perform.

3. Segment our T1 for voice and data. This would be done outside of the firewall. I am working w/ our California ISP (Velocity) to see if this is possible.

What do you think?
LVL 17

Accepted Solution

ccomley earned 500 total points
ID: 24155298
Can I suggest a lateral approach.

Work out WHERE the bandwidth is being used so heavily that the VOIP traffic is being squeezed out.

Last time I had a similar problem with a home user, we found his son was running eMule flat-out 24x7 and using all the "spare" bandwidth to download pr0n. A stern talking to later, eMule was put to bed without any tea, and the VOIP was just fine.

If your main internet connection is a T1, that's quite slow by current broadband standards even though it's way better in Service Level standards. Have you a secondary/backup link? If not, consider getting one, using a nice fast ADSL service. With a low usage cap it'll only cost you a few bux a month. The Pro1260 can be set up to talk to TWO wan connections at once, with load sharing and/or failover. If you set it up so that the main traffic uses the T1 (except when it fails) and reserve the DSL for VOIP and VPN. All this is easy to set up in the Dual Wan config screens of the main Sonicwall.

(If you do this, DO choose a DSL supplier without too much contention. Do you have an ITSP? See if they offer a DSL service direct to the VOIP gateway.)

Author Comment

ID: 24158686
Ran this test at our California site:

One thing I keep reading is that QoS is a very important factor. I am in the process now of working w/ our ISPs to get some costs together to have a link w/ QoS for voice.

You mention the VOIP gateway. What's that?
LVL 17

Expert Comment

ID: 24570701
VOIP gateway is the device which converts your outgoing VOIP calls to packet-switched (where necessary) and your incoming calls from PS to VOIP. It's generally a BIG voip pbx run by your ITSP.

QoS has *two* aspects.
1) On your INTERNAL network you MUST make sure that the VOIP traffic gets to the PBX/Router as fast as necessary. On a small network this is generally not a problem, but on a big busy network you will probably find you have to start using network switches which can prioritise VOIP traffic over everything else (web pages still work perfectly and email is 100% reliable if some of the packets are delayed for a few milliseconds, VOIP doesn't and isn't!)
2) On your INTERNET link(s), you need to make sure you're not holding up VOIP traffic for web/email/other traffic to get by. Now on a large system, this is normally covered by the above. But on a small system where you don't *need* to worry so much about your internal traffic, you DO need to worry about backbone.

But start by seeing if it's a problem. IF it *is*, then generally I recommend putting in a *dedicated* ADSL line for the VOIP system to use, so no non-voip traffic uses it. Then I normally set the two WAN connections up with a load balancing firewall - but configure it so that in NORMAL use the web and email uses WAN 1 and the VOIP uses Wan 2.

You can't impose QoS over a *single* WAN link unilaterally, you will need to work with your ISP. Who will no doubt charge. So my advice would be first, try and see if it's OK. Then consider a dual link, or see what your ISP can offer.
