Solved

TZ170 VPN and phone

Posted on 2009-04-07
Last Modified: 2012-05-07
In a remote office, we have a VPN tunnel from their Sonicwall TZ170 to our Sonicwall Pro1260. This VPN is serving both our data and phones. I need to get the phones off of the VPN tunnel. All the phones need is internet access. What's the best way to accomplish this task?
Question by:RLAInc

Expert Comment

by:ccomley
The phone will HAVE internet access, unless you are explicitly blocking it, already.

The phone will only talk down the VPN if

- you have set it up to communicate with a SIP server (say) on the LAN range of your Pro1260.
- you have set up the VPN tunnel to force ALL traffic from the remote site to go via head office.

If you have done the second you will need to review the policy coz I assume it was done for a reason, and turning it off will therefore upset something else.

If the former, simply change the SIP Server address (etc) that the phone logs in to from a LAN address on your Pro 1260 to any other address. If you still need it to log in to the same server which is ON your 1260 LAN range, then you will need to make sure the SIP server has a NAT mapping to a public IP address - and then point the phone at that rather than the LAN address.


Author Comment

by:RLAInc
It's the latter. What I am thinking is setting up the phones w/ a static IP w/ a range that is different from the IP range that is using the VPN. I am a little lost on how to do this on a TZ170. Any help would be appreciated.


Expert Comment

by:ccomley
Why are you looking to do this? What do you hope to gain?

If you mean the phone is on the LAN side of the TZ1xx alongside one or more PCs, then you can do it by adding the second range to the Sonicwall router table and pointing the route destination at the LAN port.


Author Comment

by:RLAInc
I am having issues w/ the phones clipping in and out and slow data. Both are on the VPN. I am wanting to move the phones off of the VPN since they don't need to be secured w/ VPN encryption. All the phones need is internet access. I am also going to want to have some sort of QoS on these phones.

Author Comment

by:RLAInc
I've been working w/ Sonicwall and my options are getting very limited w/out spending money. Here are my options:

1. According to Sonicwall, my only option to pull the voice off of the VPN is to have it configured to use the OPT which will help the performance slightly but not significant enough to make a difference.

2. Upgrade the OS to Enhanced. I am hesitant on this because I do not know how well the TZ170's QoS will perform.

3. Segment our T1 for voice and data. This would be done outside of the firewall. I am working w/ our California ISP (Velocity) to see if this is possible.

What do you think?

Accepted Solution

by:
ccomley earned 500 total points
Can I suggest a lateral approach.

Work out WHERE the bandwidth is being used so heavily that the VOIP traffic is being squeezed out.

Last time I had a similar problem with a home user, we found his son was running eMule flat-out 24x7 and using all the "spare" bandwidth to download pr0n. A stern talking to later, eMule was put to bed without any tea, and the VOIP was just fine.

If your main internet connection is a T1, that's quite slow by current broadband standards even though it's way better in Service Level standards. Have you a secondary/backup link? If not, consider getting one, using a nice fast ADSL service. With a low usage cap it'll only cost you a few bux a month. The Pro1260 can be set up to talk to TWO wan connections at once, with load sharing and/or failover. Set it up so that the main traffic uses the T1 (except when it fails), and reserve the DSL for VOIP and VPN. All this is easy to set up in the Dual Wan config screens of the main Sonicwall.

(If you do this, DO choose a DSL supplier without too much contention. Do you have an ITSP? See if they offer a DSL service direct to the VOIP gateway.)

Author Comment

by:RLAInc
Ran this test at our California site:

http://www.whichvoip.com/voip/speed_test/ppspeed.html

One thing I keep reading is that QoS is a very important factor. I am in the process now of working w/ our ISPs to get some costs together to have a link w/ QoS for voice.

You mention the VOIP gateway. What's that?

Expert Comment

by:ccomley
VOIP gateway is the device which converts your outgoing VOIP calls to packet-switched (where necessary) and your incoming calls from PS to VOIP. It's generally a BIG voip pbx run by your ITSP.

QoS has *two* aspects.
1) On your INTERNAL network you MUST make sure that the VOIP traffic gets to the PBX/Router as fast as necessary. On a small network this is generally not a problem, but on a big busy network you will probably find you have to start using network switches which can prioritise VOIP traffic over everything else (web pages still work perfectly and email is 100% reliable if some of the packets are delayed for a few milliseconds, VOIP doesn't and isn't!)
2) On your INTERNET link(s), you need to make sure you're not holding up VOIP traffic for web/email/other traffic to get by. Now on a large system, this is normally covered by the above. But on a small system where you don't *need* to worry so much about your internal traffic, you DO need to worry about backbone.

But start by seeing if it's a problem. IF it *is*, then generally I recommend putting in a *dedicated* ADSL line for the VOIP system to use, so no non-voip traffic uses it. Then I normally set the two WAN connections up with a load balancing firewall - but configure it so that in NORMAL use the web and email uses WAN 1 and the VOIP uses Wan 2.

You can't impose QoS over a *single* WAN link unilaterally; you will need to work with your ISP, who will no doubt charge. So my advice would be first, try and see if it's OK. Then consider a dual link, or see what your ISP can offer.