Network Guidelines

This page outlines the essential best practices for setting up your network to support VoIP devices. Following these steps ensures optimal voice quality, device interoperability, and overall network performance. Proper preparation helps prevent common pitfalls such as call quality issues, device discovery failures, and network congestion, providing a solid foundation for a successful VoIP deployment.

https://everblu.net/network#sip-alg

Disabling SIP ALG

When enabled on routers and firewalls, SIP ALG can cause various call quality and reliability issues by interfering with SIP packets. This needs to be disabled on the customer’s network level and sometimes on the internet provider’s level as well.

Ubiquiti
UniFi

Ubiquiti
EdgeRouter

MikroTik

Sonicwall

Fortinet

Cisco ASA

Other

Disabled by default

Settings > Routing > NAT > Firewall Connection Tracking
click the x beside “SIP” if it is in the list
click Apply Changes at bottom of the page

via CLI

configure
set system conntrack modules sip disable
commit ; save
Router reboot may be required

via web GUI

Open Config Tree (top right of main dashboard)
Select dropdowns beside: system > conntrack > modules > sip
Select the “+” icon beside “disable” to enable the disable command (seeing a “-” means it is already disabled)
Select “Preview” then “Apply” at the bottom to save changes
Router reboot may be required

IP > Firewall > Service Ports
Select and disable “sip”
Restart the router

Vendor Guide

https://www.sonicwall.com/support/knowledge-base/how-and-when-to-disable-sip-alg/210615065648977

Vendor Guide

https://kb.fortinet.com/kb/documentLink.do?externalID=FD36405

Vendor Guide

https://community.cisco.com/t5/network-security/asa-ho-do-i-disable-sip-alg/td-p/2329095

For a vendor not listed here, a Google search for “voip on VENDOR” and “disable sip alg on VENDOR” usually turns up with the correct information.

Download SIP ALG Detector

This Windows program can detect if SIP ALG is enabled on the network or internet provider.

https://everblu.net/network#vlan-configuration

VLAN Configuration

We highly recommend placing VoIP phones on their own dedicated VLAN.

VoIP phones perform best when their traffic is segregated from other network traffic. Setting up a dedicated VLAN for voice traffic ensures minimal interference, improved security, and optimized quality of service (QoS).

LLDP on managed switches and DHCP Option 132 are both ways to easily and automatically direct VoIP phones to live on a separate VLAN. We recommend using one or the other, not both simultaneously. Please let us know if you have configuration questions.

https://everblu.net/network#outbound-traffic

Outbound Traffic

All traffic from the local client (IP phone, softphone, smartphone) to the servers on the internet is defined as outbound traffic. All outbound traffic should be allowed from the network/VLAN on which the phones reside. If outbound port filtering/whitelisting is a requirement of your organization, please see the addresses and ports below.

It is also assumed that the local firewall or router allows all symmetric traffic. That is, if the phone sends RTP/RTCP to a public IP address and port, it will be able to receive RTP/RTCP from that same IP address and port. This is a default configuration. If this is not the case, any configuration required of the customer’s router to support this is not covered by this documentation.

The following IPs, ports, and FQDNs need to be able reach the internet from the network/VLAN on which the phones reside.

IPs:

3.130.158.184
34.235.12.107
34.238.237.220
35.153.119.139
35.183.150.146
44.212.88.215
52.201.1.15
52.5.133.228
52.71.103.102
54.70.235.134
54.174.154.29
54.188.133.147
64.181.211.116
76.76.30.200
76.76.30.201
76.76.30.202
76.76.30.203
129.153.199.150
129.159.64.66
132.226.145.153
155.130.141.193
155.130.141.196
170.9.234.51

Ports:

80 (HTTP)
443 (HTTPS)
3001
3443
4060
4061
5080
5082
8000
8001
8443
8446
9002
9090
9989
20000-27999

FQDNs:

core1-grr.personacloud.net
core1-mci.personacloud.net
core1-ord.personaplatform.net
core2-mci.personacloud.net
core2-phx.personaplatform.net
core3-iad.personaplatform.net
endpoints.personacloud.net
endpoints1-ord.personaplatform.net
endpoints2-phx.personaplatform.net
endpoints-grr.personacloud.net
endpoints-mci.personacloud.net
portal-mci.personacloud.net

https://everblu.net/network#packet-inspection

Packet Inspection

All traffic to and from VoIP systems and clients must be allowed and unmodified. This includes both hosting and client sites. Many firewalls have features that inspect, filter, other otherwise alter packets passing through for security purposes. These features must be disabled for the VoIP services provided to function correctly. Especially when relating to SIP, H323, or H225. These features can have different names depending on the firewall manufacturer. Below is a list of some of the names from popular manufacturers:

Application-Level Gateway
ALG
Application Layer Gateway
Application Gateway
Application Proxy
Application-Level Proxy
Firewall Proxy
Inspection
Application Control
Web Filtering (ESP Streaming Media)
Deep Packet Inspection
Session Helper

https://everblu.net/network#vulnerability-scanning

Vulnerability Scanning

We recommend that vulnerability scanning tools on your network are not configured to scan VoIP phones directly. In our experience, including VoIP devices in automated vulnerability scans can lead to degraded performance such as registration loss, general connectivity issues, or even unexpected reboots of the phones.

If scanning these devices is required as part of your organization’s security posture, we suggest configuring a single test phone on the network and scanning only that device. This approach helps validate security requirements while preserving service stability across all other phones.

https://everblu.net/network#multi-wan

Multi-WAN / SD-WAN

When using multiple external circuits, all traffic from the client must originate from the same IP address. If any of the traffic from the client starts originating from another external IP address, the voice services may behave unexpectedly or not work at all.

In the event of a fail-over (the primary circuit goes down, and traffic must come from a backup circuit for a period of time), clients may need to re-register to the server from the new IP address to regain functionality, depending on the solution. For phones, this can be accomplished via a reboot if required. In these situations, failing back to the primary may also require re-registering due to the IP change.

https://everblu.net/network#poe-usage

PoE Usage

PoE (Power over Ethernet) allows VoIP phones to be powered directly by a network switch through the ethernet cable, removing the need to connect a separate power adapter to each phone. This simplifies deployment and also allows for remote power-cycling of phones through managed switches.

Most VoIP phones can be powered by the IEEE 802.3af PoE standard (known as “PoE” or “Type 1”), with some larger models requiring IEEE 802.3at (known as “PoE+” or “Type 2”).

_{Last Updated: 2025-09-29}