Using OnSip™ with UniFi™ Firewall & Traffic Management (Network 7.1.68)

Posted byAmericanSpecialProjPosted inUncategorizedTags:, , ,

As of July 2022, several of our clients are using the cloud based OnSip Voice Over IP virtual private branch exchange phone system. OnSip was purchased by Intrado a while back and post-merger their customer service is still outstanding & the technical support is great. The level of uptime and reliability for all of our clients at their main offices and remote sites remains excellent.

Recently we have moved our clients from the UniFi Security Gateway Pro 4 on our AWS virtual controller over to the UniFi Dream Machine Pro (and the UniFi Dream Machine SE) on the UniFi Portal/Network. We are moving most of our clients into the UniFi Portal/Network and have started using the UID because it supports our NIST 800-171 and CMMC Level 1 missions.

Last week we had an issue at a client site which was causing unusually poor quality of service with OnSip. We researched several possibilities and tried many of the technical support suggestions; we even considered possible network to network issues or latency. We were able to return the quality of service by reverifying and/or making the following changes:

1. Identifying VOIP devices in the network by IP address
2. Creating a Profile for the VOIP Devices
3. Creating a Profile for the OnSIP CIDRs
4. Adding Specific Firewall Rules
5. Creating Traffic Routes (New Feature)
6. Creating New Rules in Traffic Management (New Feature)
7. Other quality measures

Here are the step-by-step instructions for ensuring a high quality of service for OnSip on your new UniFi Dream Machines.

Assign each telephone device a Static IP:

Select This Icon
Make note of IP Address
  1. Client Devices
  2. Select Device then Settings
  3. Give the device a name you can easily recognize in the list as being either a phone or part of the VOIP system.  This WILL be important in the Traffic Management section.
  4. Select Use Fixed IP Address
  5. Make note of the IP address
    • Advanced: Instead of assigning an address range in an existing network, you could create a new network, subnet and VLAN. This would help for quickly identifying the network instead of individual devices in the Traffic Rules setup.
  6. Apply the Changes
Enter the Settings:
1. Select Profiles
2. Create New Group OnSipPhones with Type IPv4 Address/Subnet
3. Add as many addresses as you have phones – this is the information gathered in the initial step.  Enter local IP Address in the Address box then click +Add
4. Apply the Changes
  1. Create a New Group OnSIPCIDR with Type IPv4 Address/Subnet
  2. Add at least these internet IP addresses
    • 199.7.172.0
    • 199.7.173.0
    • 199.7.174.0
    • 199.7.175.0
    • 199.7.175.104
    • 199.7.173.101
    • 199.7.172.27
    • 199.7.175.102
    • 199.7.172.128
  3. Apply the Changes
Select Firewall & Security
1. Scroll to Firewall Rules
2. Click Create New Rule (1st)
3. Type Internet In with Description OnSIPWANin Before Predefined Rules, Accept, All
4. Source. Source Type Port/IP Group, IPv4 Address Group OnSIPCIDR, Port Group Any
5. Destination. Destination Type Port/IP Group, IPv4 Address Group OnSipPhones, Port Group Any.
6. Leave Advanced as Auto
7. Apply Changes
Create a New Rule (2nd)
1. Type Internet Out with Description OnSIPWANOut Before Predefined Rules, Accept, All
2. Source. Source Type Port/IP Group, IPv4 Address Group OnSipPhones, Port Group Any
3. Destination. Destination Type Port/IP Group, IPv4 Address Group OnSIPCIDR, Port Group Any.
4. Leave Advanced as Auto
5. Apply Changes
Enter Traffic Management
  • Create a Traffic Route
    • Category: IP Address
    • Click Add IP Address range enter and add the Junction Network CIDR ranges between 199.7.172.0 through 199.7.175.255.  Unifi will NOT accept the 199.7.172.0/22 format.  Follow this pattern:
      • Start 199.7.172.0 Stop 199.7.172.255
      • Start 199.7.173.0 Stop 199.7.173.255
      • Start 199.7.174.0 Stop 199.7.174.255
      • Start 199.7.175.0 Stop 199.7.175.255
    • On the Source Dropdown select each individual device in the OnSipPhones group.  There is no way in this version to select a group profile so you will need to select each device one-by-one. Powertip: Include the admin PC in the source if you are going to run VOIP diagnostics from that machine to Junction Networks (OnSip/Intrado)
      • Advanced: If you had put the IP phones on their own network / VLAN there is the possibility of selecting by network profile instead of device.
    • Select Default (WAN1) as your Interface (Advanced: unless you are using a different Internet source)
    • Give it the Description Junction Networks
    • Add the Route
  • Create a New Rule (in Traffic Management)
    • Action: Allow
    • Category: IP Address
    • Click Add IP Address range enter and add the Junction Network CIDR ranges between 199.7.172.0 through 199.7.175.255.  Unifi will NOT accept the 199.7.172.0/22 format.  Follow this pattern:
    • Start 199.7.172.0 Stop 199.7.172.255
    • Start 199.7.173.0 Stop 199.7.173.255
    • Start 199.7.174.0 Stop 199.7.174.255
    • Start 199.7.175.0 Stop 199.7.175.255
    • On the Source Dropdown select each individual device in the OnSipPhones group.  There is no way in this version to select a group profile so you will need to select each device one-by-one. Powertip: Include the admin PC in the source if you are going to run VOIP diagnostics from that machine to Junction Networks (OnSip/Intrado)
    • Schedule is Always
    • Give it the Description OnSip Junction Networks
    • Add the Rule

Your Traffic Management Section should look something like the image:

In the UDMP Firewall Security Tab you should now be able to leave the H.323 box selected. Be sure that SIP is deselected.

Published by AmericanSpecialProj

Since 1992 available for technology consulting.

%d bloggers like this: