Configuring WatchGuard Firebox for Cloud VoIP Service

🎯 Problem Description

Incoming calls experience intermittent no-audio or one-way audio while outbound calls work normally. This occurs when the WatchGuard firewall isn’t properly handling NAT translation for RTP media streams.

Symptoms

❌ No audio on incoming calls (intermittent)
❌ Caller cannot hear the called party
✅ Outgoing calls work fine
✅ Internal calls work fine

Note: TELAIR centrally manages all phone configurations. This guide focuses exclusively on WatchGuard firewall settings.

✅ Prerequisites

Before starting, ensure you have:

Requirement	Details
WatchGuard Firebox	Any model with supported Fireware OS
Admin Access	Login credentials for WatchGuard Web UI
SIP ALG Status	MUST BE DISABLED
TELAIR Server IPs	`[TELAIR_PRIMARY_IP]` `[TELAIR_SECONDARY_IP]`
TELAIR RTP Range	`UDP 10000-65535`
Phone RTP Range	`UDP 2222-2269` (Polycom default)

⚠️ Critical: SIP ALG must be disabled as it interferes with proper NAT handling.

🔧 Configuration Steps

Step 1: Disable SIP ALG (If Not Already Done)

⚠️ MANDATORY FIRST STEP

Navigate to System > Global Settings
UNCHECK “Enable SIP ALG”
Click Save
Reboot the Firebox for changes to take effect

Without this step, all other configurations may fail!

Step 2: Configure 1-to-1 NAT for VoIP Subnet

🔑 This is the KEY solution - It ensures the firewall properly rewrites the phone’s private IP in SDP to your public IP

Create 1-to-1 NAT Rule:

Navigate to Network > NAT > 1-to-1 NAT
Click Add
Configure:

Setting	Value
Name	`TELAIR-VoIP-NAT`
Enable	`✅ Checked`
Type	`IP Range` or `Network`
Internal IP Range	Your phone subnet (e.g., `192.168.1.0/24`)
External IP	Your public IP
Direction	`Bidirectional`

Advanced Options:
- ✅ Enable NAT Reflection (if available)
- ✅ Enable Sticky Connections
- Set Connection Timeout: 300 seconds
Click Save

💡 Why this works: 1-to-1 NAT automatically handles SDP rewriting without requiring SIP ALG, ensuring the phone’s private IP is replaced with your public IP in all SIP messages.

Step 3: Configure Outbound NAT with Port Preservation

If 1-to-1 NAT isn’t available, use Dynamic NAT with special settings:

Navigate to Network > NAT > Dynamic NAT
Click Add
Configure:

Name: TELAIR-VoIP-Outbound
From: Internal phone network
To: Any-External
NAT Type: Dynamic NAT
NAT to: Use Interface IP

Critical Settings:
- ✅ Preserve Source Port (CRITICAL!)
- ✅ Enable Sticky Connections
- Set UDP Timeout: 300 seconds
Click Save

⚠️ “Preserve Source Port” is essential - it maintains the same port number through NAT, preventing RTP stream mismatches.

Step 4: Create Firewall Policies

📤 A. Outbound SIP Policy

Setting	Value
Name	`TELAIR-SIP-Outbound`
From	`Internal Network`
To	`[TELAIR_PRIMARY_IP]`, `[TELAIR_SECONDARY_IP]`
Service	`SIP` (or Custom UDP 5060)
Action	`Allow`
NAT	`Use policy-based NAT` → Select the NAT rule from Step 2/3

📥 B. Inbound RTP Policy (CRITICAL FOR INCOMING AUDIO)

⚠️ THIS IS THE MOST IMPORTANT POLICY FOR FIXING INCOMING AUDIO

Setting	Value
Name	`TELAIR-RTP-Inbound`
From	`Any-External`
To	`Firebox`
Service	`Custom`
Protocol	`UDP`
Port Range	`2222-2269` (Polycom) AND `10000-65535` (TELAIR)
Action	`Allow`
NAT	`1-to-1 NAT` (use the rule from Step 2)

Advanced Settings:

✅ Handle as VoIP Traffic
✅ Disable Deep Packet Inspection
✅ Enable Fast Path

📤 C. Outbound RTP Policy

Setting	Value
Name	`TELAIR-RTP-Outbound`
From	`Internal Network`
To	`Any-External`
Protocol	`UDP`
Port Range	`10000-65535`
Action	`Allow`
NAT	`Use policy-based NAT`

Step 5: Configure UDP Session Timeout

🔐 Prevents calls from dropping due to timeout

Navigate to Firewall > Firewall Settings > Global Settings
Set timeouts:

Timeout Type	Value
UDP Timeout	`300 seconds`
UDP Stream Timeout	`300 seconds`
VoIP Session Timeout	`3600 seconds` (if available)

Click Save

Step 6: Enable NAT Traversal Helper (If Available)

Some WatchGuard models have a NAT traversal helper that’s better than SIP ALG:

Navigate to System > Packet Handling
Look for NAT Traversal or STUN Helper
If present, ENABLE it
Configure:
- Protocol: UDP
- Ports: 3478, 5060, 10000-65535

🔍 Verifying the Configuration

Test Procedure:

Make an inbound test call
During the call, check System Manager > Active Connections
Look for:
- ✅ UDP 5060 connections to TELAIR IPs
- ✅ UDP connections in the 2222-2269 range (phone RTP)
- ✅ UDP connections in the 10000-65535 range (TELAIR RTP)

What You Should See:

Internal_IP:2242 ↔ Firewall ↔ TELAIR_IP:##### (NAT translated)

If you see connections but no audio, the NAT translation isn’t working properly.

🚨 Troubleshooting

If Incoming Calls Still Have No Audio:

1. Verify SIP ALG is truly disabled:

# In Traffic Monitor, SIP packets should NOT show "ALG" tag

2. Check if private IPs leak in SDP:

In Traffic Monitor, filter for port 5060
Look at SIP 200 OK packets
If you see c=IN IP4 192.168.x.x or c=IN IP4 10.x.x.x, NAT isn’t working

3. Try Static Port NAT:

Instead of dynamic NAT, create specific port mappings:
- External: YourPublicIP:2222-2269 → Internal: PhoneSubnet:2222-2269

4. Enable logging on all VoIP policies:

Check for denied packets during calls
Look for packets arriving on unexpected ports

💡 Alternative Solution: SNAT Rules

If standard NAT doesn’t work, try Source NAT (SNAT) rules:

Navigate to Network > SNAT
Create rule:

Name: Force-VoIP-SNAT
From: Internal phone network
To: TELAIR IPs
Action: SNAT
SNAT to: Your Public IP
Preserve Ports: YES

This forces proper source IP rewriting for VoIP traffic.

⚠️ Critical Points Summary

The Three Keys to Success:

SIP ALG MUST be disabled - It breaks NAT traversal
1-to-1 NAT or SNAT - Ensures proper IP translation in SDP
Inbound RTP ports open - Both Polycom (2222-2269) and TELAIR (10000-65535) ranges

Why Other Customers Don’t Have This Issue:

Many firewalls handle NAT traversal automatically
Some routers have working SIP helpers (not ALG)
WatchGuard requires explicit configuration for proper SDP NAT translation