Sonicwall Configuration Guide v1.0

Sonicwall NSA240 / TZ210 Configuration Guide

(Firmware: SonicOS Enhanced 5.8.1.1-35o & up)

169 Saxony Road, Suite 212 Encinitas, CA 92024 Phone & Fax: (800) 477-1477

Introduction

Thank you for choosing FreedomIQ by FreedomVoice for your industry-leading cloud based phone system. We are glad to have you on board as part of our team and this document should help answer most questions you may have on setting up the Sonicwall router to best optimize voice quality with FreedomIQ. There are multiple sections in this document from Internet access and various basic settings to the QoS configuration monitoring. This guide will walk you through the following configurations:

1. Change the default password

2. Configuration of the Public Interface (Internet access)

3. Enable Remote Access

4. Set Measured WAN Speed

5. Configure Basic QoS

6. Configure Advanced QoS

7. Enable Netflow Monitoring

Sonicwall NSA240/TZ210

Product Information: Sonicwall NSA240

The Sonicwall NSA240 series is a Fixed-port Access Router that is ideal for medium to large business Internet access and/or IP Telephony using broadband access such as DSL, cable or T1 Ethernet handoff. The NSA240 includes six 10/100 ports and three 10/100/1000 ports, a built-in firewall for network security, QoS & BWM to prioritize delay sensitive traffic like VoIP, and a host of other features such as DHCP, Network Address Translation (NAT), and IPSec VPN.

Features:

Fixed-port Access Router for broadband access such as DSL, cable or T1 Ethernet handoff

Six 10/100 ports and three 10/100/1000 ports

High performance dual-core processor

Powerful threat management firewall

Quality of Service (QoS) & bandwidth management (BWM) for delay-sensitive traffic like Voice over IP (VoIP)

IPSec & SSL VPN

600 Mbps Stateful Throughput

Product Information: Sonicwall TZ210

The Sonicwall TZ210 series is a Fixed-port Access Router that is ideal for small to medium sized business Internet access and/or IP Telephony broadband access. The TZ210 includes one ADSL WAN port, integrated four port switch, built in firewall, QoS, DHCP, NAT, and an IPSec VPN.

Features:

Fixed-port Access Router for broadband access such as DSL, cable or T1 Ethernet handoff

Five 10/100 ports and Two 10/100/1000 ports

Powerful threat management firewall

Quality of Service (QoS) & bandwidth management (BWM) for delay-sensitive traffic like Voice over IP (VoIP)

IPSec VPN

200 Mbps Stateful Throughput

Change Default Username/Password

It is important that you change the default username and password to something secure. The new login information ensures that no one within the LAN can make unauthorized changes, and it can also be used as the remote login information in the event changes need to be made remotely by a dealer or a FreedomIQ representative.

Default login information:

Gateway: “192.168.168.168”

Username: “admin”

Password: “password”

Follow these steps to update the admin login information:

1. From the “System” section in the left column, select “Administration”.

2. Find the section labeled “Administrator Name & Password”.

3. Enter the original or old password. Enter the new password twice.

4. Click the “Accept” button toward the bottom of the page.

- Changing username/password is now complete.

Set Up Internet Access

Follow these steps closely to set up the Sonicwall NSA240/TZ210 via the built-in GUI. Your ISP should have provided you with general instructions related to your internet connection. If you are unsure what these settings are, contact your ISP with regard to the settings you will need for your router. In most cases your service provider will either have you set your router to DHCP mode or provide you with IP address, Gateway, Subnet and DNS server settings. You will need this information to continue the setup.

Follow these steps to configure internet access:

1. From the “Network” section in the left column, select “Interfaces”.

2. Under “Interface Settings” find the Zone column labeled “WAN” and click on the pencil icon under the “Configure” column.

3. Make sure the “Zone:” drop down says “WAN”.

4. Your ISP will have given you instructions to choose either DHCP or Static for an IP address type within your router. Choose this from the “IP Assignment:” drop down.

5. Enter your “IP Address”, “Subnet Mask”, “Default Gateway”, “DNS Server 1” and “DNS Server 2” information.

6. Click the “OK” button at the bottom of the window.

7. Click the “Accept” button at the top of the page.

See screenshots below…

Configuration Screen 1 of 2

Configuration Screen 2 of 2

- Internet configuration is now complete.

Enable Remote Access

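The Sonicwall NSA240/TZ210 allows you to configure remote access to the GUI or command line interface. HTTP management sends the administrator login in cleartext, so HTTPS is the safer choice on the WAN interface. Follow these steps to configure remote access: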

1. From the “Network” section in the left column, select “Interfaces”.

2. Under “Interface Settings” find the Zone column labeled “WAN” and click on the pencil icon under the “Configure” column.

3. Make sure the “Zone:” drop down says “WAN”.

4. In the “Management” section check the boxes appropriate to the type of remote access you want to allow (HTTP or HTTPS is most common).

5. Click the “OK” button at the bottom of the window.

6. Click the “Accept” button at the top of the page.

- Remote access is now complete.

Set the measured WAN speed

The Sonicwall NSA240/TZ210 works best when you specify the amount of internet bandwidth that is allocated to you from your ISP. This step is always important, but it is absolutely critical to proper QoS functionality. Don’t always take your ISP’s word for the up and down speeds; the values entered here should be an average of three speed tests. A recommended place to run these tests is www.speedtest.net. Follow these steps to set the WAN bandwidth:

1. From the “Network” section in the left column, select “Interfaces”.

2. Under “Interface Settings” find the Zone column labeled “WAN” and click on the pencil icon under the “Configure” column.

3. Make sure the “Zone:” drop down says “WAN”.

4. Click on the “Advanced” tab.

5. Check the box “Enable flow reporting”.

6. Under the heading “Bandwidth Management”, check “Enable Egress Bandwidth Management”.

7. In the field “Available Interface Egress Bandwidth (Kbps):” enter your measured internet speed. If you have a single T-1 this might be “1500.00”. If you have a cable modem that measures 10Mbps down, you would enter “10000.00”.

8. Under the heading “Bandwidth Management”, check “Enable Ingress Bandwidth Management”.

9. In the field “Available Interface Ingress Bandwidth (Kbps):” enter your measured internet speed. If you have a single T-1 this might be “1500.00”. If you have a cable modem that measures 2Mbps up, you would enter “2000.00”.

10. Click the “OK” button at the bottom of the window.

- WAN speed setup is now complete.

Configure basic QoS (Quality of Service)

The Sonicwall NSA240/TZ210 comes preconfigured for basic QoS (UDP packet priority & bandwidth management) when ordered directly from FreedomVoice. You may need to modify the bandwidth allocations depending on the bandwidth available to the customer in each direction. Also, depending on the type of traffic on the network, you may want to modify the QoS so it is based on a specific VLAN or specific device(s) instead of giving priority to all UDP traffic. We cover these alternate QoS configurations under “Advanced QoS” later on in this document.

Configure basic QoS within the GUI, Step 1: Select a type of Bandwidth Management

Start by setting BWM to WAN:

1. Login to the Sonicwall router GUI (default is 192.168.168.168).

2. Click on the “Firewall Settings” section in the left column, select “BWM”.

3. Next to “Bandwidth Management Type:” make sure “WAN” is selected.

4. Next to “0 Realtime” check the “Enable” box.

5. Next to “2 High” uncheck the “Enable” box.

6. Next to “4 Medium” set “Guaranteed” to 0 %.

7. Next to “6 Low” set “Guaranteed” to 0 %.

8. Click the “Accept” button.

Configure basic QoS within the GUI, Step 2: Create Service Objects

Now, create a UDP 5060 signal service object:

9. Login to the Sonicwall router GUI (default is 192.168.168.168).

10. Click on the “Firewall” section in the left column, select “Service Objects”.

11. Under “Services” click “Add”.

12. Enter a descriptive name such as “SignalUDP”.

13. Select the protocol “UDP”.

14. Enter the port range of 5060 – 5060.

15. Click “Add”.

Next, create a TCP 5061 signal service object:

1. Click on the “Firewall” section in the left column, select “Service Objects”.

2. Under “Services” click “Add”.

3. Enter a descriptive name such as “SignalTCP”.

4. Select the protocol “TCP”.

5. Enter the port range of 5061 – 5061.

6. Click “Add”.

Next, create a UDP audio service object:

1. Click on the “Firewall” section in the left column, select “Service Objects”.

2. Under “Services” click “Add”.

3. Enter a descriptive name such as “AudioUDP”.

4. Select the protocol “UDP”.

5. Enter the port range of 6000 – 55000.

6. Click “Add”.

Next, create a group that contains all three service objects:

1. Click on the “Firewall” section in the left column, select “Service Objects”.

2. Under “Service Groups” click “Add Group”.

3. Enter a descriptive name such as “FreedomIQ”.

4. Find the three service objects you created earlier.

5. Highlight each of them and click the arrow to add them to the group.

6. Click “OK”.

Configure basic QoS within the GUI, Step 3: Apply Service Objects to the firewall

Lastly, create a new firewall rule:

1. Click on the “Firewall” section in the left hand column, select “Access Rules”.

2. Under “Access Rules (ALL>ALL)” click “Add”.

3. Next to “From Zone:” select “LAN”.

4. Next to “To Zone:” select “WAN”.

5. Next to “Service:” select the group (“FreedomIQ”) that was set up in the last step.

6. Next to “Source:” select “Any”.

7. Next to “Destination:” select “Any”.

8. Check “Enable flow reporting”.

9. Check “Enable packet monitor”.

10. Click on the “Ethernet BWM” tab.

For the next steps you’ll need to determine how much bandwidth you want to guarantee for this particular service group (the phones). This can be done by percentage of total bandwidth or by a set Kbps (Kilobits Per Second). When using the G.711 codec, each phone needs 88Kbps in both directions (Outbound, Inbound) to properly function. Many administrators like to allocate 90-100Kbps per phone to keep a slight cushion of bandwidth. Example: 1.44Mbps T-1 with 4 phones (using 90Kbps per phone) would require either 25% of available bandwidth or 360Kbps.

11. Check “Enable Outbound Bandwidth Management”.

12. In the field “Guaranteed Bandwidth:” enter your number and select the proper corresponding allocation type (% or Kbps).

13. In the field “Maximum Bandwidth:” enter 100 and select % from the drop down.

14. Check “Enable Inbound Bandwidth Management”.

15. In the field “Guaranteed Bandwidth:” enter the same number and corresponding allocation type (% or Kbps) you chose in the above (Outbound) section.

16. In the field “Maximum Bandwidth:” enter 100 and select % from the drop down.

17. Make sure the “Bandwidth Priority:” drop down is set to “0 Realtime” for both Outbound and Inbound.

18. Check “Enable Tracking Bandwidth Usage”.

19. Click “Add”.

- Basic QoS is now complete.
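
The sizing rule above (average of three speed tests, 88 Kbps per G.711 phone, 90-100 Kbps with cushion) can be checked before typing numbers into the “Ethernet BWM” tab. The following is an added example, not part of the original guide; the function names are hypothetical, and it goes one step beyond the guide's T-1 case by also handling links whose up and down speeds differ.

```python
from statistics import mean

PER_PHONE_G711_KBPS = 88  # per-phone figure the guide gives for G.711, each direction


def measured_kbps(speed_tests_kbps):
    """Average the speed-test results (the guide asks for three), in Kbps."""
    if len(speed_tests_kbps) < 3:
        raise ValueError("the guide asks for an average of three speed tests")
    return mean(speed_tests_kbps)


def plan_guarantee(down_tests, up_tests, phones, per_phone_kbps=90):
    """Return the value to enter as 'Guaranteed Bandwidth' for the phone rule.

    down_tests / up_tests: speed-test results in Kbps for each direction.
    per_phone_kbps: allocation per phone (the guide suggests 90-100).
    """
    if phones < 1:
        raise ValueError("at least one phone is required")
    if per_phone_kbps < PER_PHONE_G711_KBPS:
        raise ValueError("allocation is below the 88 Kbps a G.711 call needs")

    down = measured_kbps(down_tests)
    up = measured_kbps(up_tests)
    need = phones * per_phone_kbps

    # The same guarantee is entered for Outbound and Inbound, so it has to
    # fit inside the slower of the two directions.
    slowest = min(down, up)
    if need > slowest:
        raise ValueError(
            f"{need} Kbps needed but the slower direction measures {slowest:.0f} Kbps"
        )

    return {
        "guaranteed_kbps": need,
        "pct_of_down": round(100 * need / down, 1),
        "pct_of_up": round(100 * need / up, 1),
        # On an asymmetric link one percentage means a different Kbps figure
        # in each direction, so Kbps is the unambiguous unit to enter.
        "enter_as": "%" if down == up else "Kbps",
    }


if __name__ == "__main__":
    # The guide's own example: 1.44 Mbps T-1, 4 phones at 90 Kbps each.
    print(plan_guarantee([1440, 1440, 1440], [1440, 1440, 1440], phones=4))
    # Constructed cable-modem measurements: about 10 Mbps down, 2 Mbps up.
    print(plan_guarantee([9800, 10100, 10100], [1900, 2000, 2100], phones=10))
```
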

Configure Advanced QoS (Prioritize by Network, IP or Device)

The Sonicwall NSA240/TZ210 comes preconfigured for basic QoS (UDP packet priority & bandwidth management) when ordered directly from FreedomVoice. If your network is running applications that run over UDP such as torrents, gaming or video conferencing, you shouldn’t use generic UDP prioritization. In these cases prioritizing an entire Subnet, MAC addresses, or statically assigned IP addresses will be best practice. We only need to create one rule for QoS by network, IP or MAC since we’re going to be prioritizing ALL traffic from those addresses rather than specific types of traffic. This is safe as long as the addresses are only those of phones and no other types of devices.

Configure Advanced QoS within the GUI, Step 1: Select a type of Bandwidth Management

Start by setting BWM to WAN:

1. Login to the Sonicwall router GUI (default is 192.168.168.168).

2. Click on the “Firewall Settings” section in the left column, select “BWM”.

3. Next to “Bandwidth Management Type:” make sure “WAN” is selected.

4. Next to “0 Realtime” check the “Enable” box.

5. Next to “2 High” uncheck the “Enable” box.

6. Next to “4 Medium” set “Guaranteed” to 0 %.

7. Next to “6 Low” set “Guaranteed” to 0 %.

8. Click the “Accept” button.

Configure Advanced QoS within the GUI, Step 2: Create an Address Object

Now, create an address object for the network, IP’s or devices you wish to give priority.

1. Login to the Sonicwall router GUI (default is 192.168.168.168).

2. Click on the “Firewall” section in the left column, select “Address Objects”.

3. Under “Address Objects” click “Add”.

4. Enter a descriptive name such as “Phone Network” or “Ext 800” depending on the type of address you’re choosing.

5. “Zone Assignment:” should be “Range” (LAN IP’s), “Network” (Voice Subnet), or “MAC” (a specific phone).

6. Enter the applicable information (IP range, Network or MAC) into the next field.

7. Click “Add”.

NOTE: If you chose type “MAC” you’ll need to repeat this process for each phone. Once all phones have been added to the “Address Objects” section, you’ll want to go to “Address Groups” and create a single group for all of the MAC entries.
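
To see why the address-based rule is preferred on networks with other UDP applications, the following added example (not part of the original guide) compares which flows the basic service-group rule and an address-object rule would each place in the realtime queue. It assumes the address object is matched against the packet's source address; the voice subnet 192.168.10.0/24, the sample flows and all function names are constructed for illustration.

```python
import ipaddress

# Service objects from the basic QoS section: (protocol, first port, last port)
FREEDOMIQ_SERVICES = [("udp", 5060, 5060), ("tcp", 5061, 5061), ("udp", 6000, 55000)]


def basic_rule_matches(flow):
    """Basic QoS: the LAN>WAN rule keyed on the 'FreedomIQ' service group only."""
    return any(flow["proto"] == proto and lo <= flow["dport"] <= hi
               for proto, lo, hi in FREEDOMIQ_SERVICES)


def make_address_object(kind, value):
    """Build a matcher for the three address object types the guide lists."""
    if kind == "network":                      # voice subnet in CIDR form
        net = ipaddress.ip_network(value)
        return lambda f: ipaddress.ip_address(f["src_ip"]) in net
    if kind == "range":                        # (first LAN IP, last LAN IP)
        first, last = (ipaddress.ip_address(v) for v in value)
        return lambda f: first <= ipaddress.ip_address(f["src_ip"]) <= last
    if kind == "mac":                          # one entry per phone, grouped
        macs = {m.lower().replace("-", ":") for m in value}
        return lambda f: f["src_mac"].lower() in macs
    raise ValueError(f"unknown address object type: {kind}")


def compare(flows, address_object):
    """Return (label, basic_match, advanced_match) for each flow."""
    return [(f["label"], basic_rule_matches(f), address_object(f)) for f in flows]


def misprioritized(flows, address_object):
    """Flows the basic rule treats as realtime although no phone sent them."""
    return [label for label, basic, adv in compare(flows, address_object)
            if basic and not adv]


# Constructed sample flows (not captured traffic).
PHONE = {"src_ip": "192.168.10.21", "src_mac": "00:00:5e:00:53:01"}
PC = {"src_ip": "192.168.168.50", "src_mac": "00:00:5e:00:53:99"}
SAMPLE_FLOWS = [
    {"label": "phone SIP", **PHONE, "proto": "udp", "dport": 5060},
    {"label": "phone RTP", **PHONE, "proto": "udp", "dport": 16384},
    {"label": "phone provisioning", **PHONE, "proto": "tcp", "dport": 443},
    {"label": "PC torrent (UDP)", **PC, "proto": "udp", "dport": 51413},
    {"label": "PC web", **PC, "proto": "tcp", "dport": 443},
]

if __name__ == "__main__":
    voice_net = make_address_object("network", "192.168.10.0/24")
    for label, basic, adv in compare(SAMPLE_FLOWS, voice_net):
        print(f"{label:20} basic={basic!s:5} advanced={adv}")
    print("realtime under basic rule but not from a phone:",
          misprioritized(SAMPLE_FLOWS, voice_net))
```

The phone's non-voice traffic (provisioning over TCP 443 in the sample) is prioritized by the address-based rule as well, which is why the guide requires that the addresses belong only to phones.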

Configure Advanced QoS within the GUI, Step 3: Apply Address Objects to the firewall

Lastly, create a new firewall rule:

1. Click on the “Firewall” section in the left hand column, select “Access Rules”.

2. Under “Access Rules (ALL>ALL)” click “Add”.

3. Next to “From Zone:” select “LAN”.

4. Next to “To Zone:” select “WAN”.

5. Next to “Service:” select the address object (or address group) that was set up in the last step.

6. Next to “Source:” select “Any”.

7. Next to “Destination:” select “Any”.

8. Check “Enable flow reporting”.

9. Check “Enable packet monitor”.

10. Click on the “Ethernet BWM” tab.

For the next steps you’ll need to determine how much bandwidth you want to guarantee for this particular service group (the phones). This can be done by percentage of total bandwidth or by a set Kbps (Kilobits Per Second). When using the G.711 codec, each phone needs 88Kbps in both directions (Outbound, Inbound) to properly function. Many administrators like to allocate 90-100Kbps per phone to keep a slight cushion of bandwidth. Example: 1.44Mbps T-1 with 4 phones (using 90Kbps per phone) would require either 25% of available bandwidth or 360Kbps.

11. Check “Enable Outbound Bandwidth Management”.

12. In the field “Guaranteed Bandwidth:” enter your number and select the proper corresponding allocation type (% or Kbps).

13. In the field “Maximum Bandwidth:” enter 100 and select % from the drop down.

14. Check “Enable Inbound Bandwidth Management”.

15. In the field “Guaranteed Bandwidth:” enter the same number and corresponding allocation type (% or Kbps) you chose in the above (Outbound) section.

16. In the field “Maximum Bandwidth:” enter 100 and select % from the drop down.

17. Make sure the “Bandwidth Priority:” drop down is set to “0 Realtime” for both Outbound and Inbound.

18. Check “Enable Tracking Bandwidth Usage”.

19. Click “Add”.

- Advanced QoS is now complete.

Configure Sonicwall to export Netflow data

The Sonicwall TZ210/NSA240 comes with the ability to export valuable data to an external program that provides technical visuals on a variety of network specs. At FreedomVoice we use software called “Netflow Analyzer”. This allows us to see devices within the remote network that may be contributing to call quality issues by flooding the router or available bandwidth with heavy usage.

Netflow setup

1. Click on the “Network” section in the left hand column, select “Interfaces”.

2. Under the “Configure” column, click the pencil icon for the “WAN” interface.

3. Under the “General” tab in the “Management” field, check the “Ping” & “SNMP” boxes.

4. Click on the “Advanced” tab. Make sure “Enable flow reporting” is checked.

5. At the bottom of the page click “OK”.

6. On the “Interfaces” page click “Accept”.

7. Click on the “Log” section in the left hand column, select “Flow Reporting”.

8. Check the box “Report to EXTERNAL flow collector”.

9. In “External collector’s IP address” enter “69.43.168.87”.

10. Under “External collector’s UDP port number” enter “3000”.

11. Every other setting on this page should be left at the default.

12. At the top of the page click “Accept”.

13. Click on “System” in the left hand column and select “Administration”.

14. Scroll down to “Advanced Management” and check “Enable SNMP”.

15. Next to the “SNMP” checkbox, click the “Configure” button.

16. In the “Get Community Name:” field type “ops$3cur3!”.

17. At the bottom of the page click “OK”.

18. Scroll to the top of the page and click “Accept”.

19. Click on “System” in the left hand column and select “Restart”.

20. Click on the “Restart” button.

- Netflow setup is now complete.

Technical Support

Technical support for FreedomIQ is available from 3:00 AM PST to 6:00 PM PST, Monday through Friday, and on Saturday from 6:30 AM PST to 3:30 PM PST, and can be reached either by phone or by email. Emergency support is available 24/7.

Phone: 888-955-3520 ext. 2

Use this number to reach a trained FreedomIQ technical support representative during normal support hours. If calling outside of normal hours, you will be provided the option to either leave a voicemail message or connect to the emergency support service (see below).

Numerous documents and support materials are available through the FreedomIQ Weblink. Please log into Weblink and select the support tab and review the documentation that is available online there.

Support Email: [email protected]

Emails are automatically forwarded to our ticketing system. An auto-reply will be sent within a few minutes indicating the case number generated. Emails are generally returned within two hours during normal support hours, but may take longer depending on the current volume of tickets received. All emails should, however, be returned same day. For an issue that requires a faster turn-around time, please use the phone numbers listed above.