Router / firewall settings
Ports
To communicate with the telephone system, the devices must be able to open outbound connections on the following ports:
Protocol | Target port | Purpose | Destinations |
TCP | 80, 83, 443, 18443 | Provisioning | all networks |
UDP | 123 | NTP | all networks |
UDP | 53 | DNS | Customer DNS server |
UDP | all ports | SIP, RTP, T.38, FMC, etc. | 109.68.96.0/21 |
TCP | all ports | SIP/TLS, SIP, FMC | 109.68.96.0/21 |
Under no circumstances should type 3 ICMP packets (Destination unreachable) be blocked, or the dynamic determination of the necessary transmission parameters will fail at network level.
Be extremely careful when filtering and blocking ICMP packets, since this could interfere with basic networking functions.
Using DNS / FQDN-based filter rules is explicitly not recommended; use these at your own risk!
UDP fragmenting
In some cases the size of the UDP packets transmitted between NFON and customer devices exceeds the standard 1500 byte payload. In this case the packet will need to be fragmented. The customer is responsible for ensuring that the internet connection and the network topology behind it support UDP fragmenting. We further recommend checking whether other functions of the customer’s router interfere with fragmenting UDP packets.
If UDP fragmenting is not allowed, the following functions may not work properly:
- BLF (busy lamp field)
- Functions such as Do not Disturb (DND), call forwarding
- Inbound calls to phones following a series of internal call forwards
Many routers have proven successful when configured correctly; we therefore do not recommend any specific router.
Tips for correct router configuration:
- UDP-NAT timeout between 120 and 130 seconds
- Disabling SIP-ALG, if applicable
- Enabling the “consistent nat” feature (if applicable – e.g. SonicWall)
- Disabling Store&Forward for connections from / to the telephone system
We highly recommend disabling SIP ALG (SIP Helper) in the firewall for this purpose!
Because the complexity involved is in some cases extreme, we are unable to provide support for telephone system operation with SonicWall routers / firewalls!
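One way to express the port table, the ICMP rule and the UDP timeout tip as a default-deny forward policy on a Linux router running nftables. This is an added example, not NFON's own configuration; the table and object names, the phone subnet 192.0.2.0/24, the DNS server 198.51.100.53 and the 125 second timeout are assumptions chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example: egress policy for phones behind a Linux router.
# Assumed values (not from the page): phone subnet, DNS server, object names.
define PHONES  = 192.0.2.0/24       # documentation range, replace with phone VLAN
define DNS_SRV = 198.51.100.53      # customer DNS server (constructed address)
define PBX_NET = 109.68.96.0/21     # destination range from the port table

table ip voip_fw {
    # UDP conntrack lifetime inside the recommended 120-130 s window.
    ct timeout voip_udp {
        protocol udp;
        l3proto ip
        policy = { unreplied: 125, replied: 125 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for flows the phones opened.
        ct state established,related accept

        # ICMP type 3 (destination unreachable) is never dropped; it also
        # carries the "fragmentation needed" code used for path MTU discovery.
        icmp type destination-unreachable accept

        # Provisioning and NTP: destination "all networks" in the table.
        ip saddr $PHONES tcp dport { 80, 83, 443, 18443 } accept
        ip saddr $PHONES udp dport 123 accept

        # DNS only to the customer DNS server.
        ip saddr $PHONES ip daddr $DNS_SRV udp dport 53 accept

        # SIP, RTP, T.38, FMC: every UDP port, but only to the provider range.
        # The timeout object is attached on the first packet of each flow.
        # With conntrack active the kernel reassembles fragmented UDP before
        # this chain runs, so fragments are matched like whole datagrams.
        ip saddr $PHONES ip daddr $PBX_NET meta l4proto udp ct timeout set "voip_udp" accept

        # SIP/TLS, SIP, FMC over TCP: every port, provider range only.
        ip saddr $PHONES ip daddr $PBX_NET meta l4proto tcp accept

        # No "ct helper" object is assigned anywhere in this ruleset, so the
        # ruleset itself does not attach a SIP helper (SIP ALG) to these flows.
    }
}
```

The rules match on addresses and ports only, in line with the advice against DNS / FQDN-based filter rules. Anything not listed in the table falls through to the `drop` policy.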