UCM 6202 Network Configuration


#1

I have a UCM6202 working fine on the LAN for Internal use only. I want to add a SIP Trunk, but this has to use a static IP so I configured the WAN port. I added the trunk and outbound route, but when I make a matching call the phone makes no attempt to send any IP packets via the WAN port. Previously I had the SIP Trunk try to get to the Internet via the LAN port, and could see IP packets going out to the trunk provider’s IP. I have an IP route to the Internet via the WAN port, and if I use the in-built PING and TRACEROUTE they succeed. It is the same outbound route that was trying to make the call via the LAN, so I have no idea why the UCM is sending out no IP packets to the SIP provider via WAN or LAN. On the phone I get “Your call cannot be connected as dialled”. My logic is that the UCM should decide whether the SIP call needs to be routed via LAN or WAN based on the IP routing table.


#2

Put the router in switch mode, set up the SIP trunk then forward the SIP and RTP ports to the internal IP on your UCM.
You’ll need to set up NAT on the UCM but it’s all straightforward and should work


#3

Internet <= wan /Your router/default gateway lan => Switch <= UCM lan or wan, ports are bridged in switch mode UCM ( in switch mode) <= IP phones


#4

Just a heads up and a bit more information to the above answers, please be mindful that the telephone system is the role of the UCM and Firewall is the role of the Router.

Your SIP service provider will give you the host name or IP address to allow through your firewall to the UCM for VoIP calls. Make sure that you block all other IP addresses from external sources to the UCM and only open up the ports to the VoIP provider…

This is the safest method of operation and will remove the majority of external attacks to your telephone system.
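
The allowlist described in post #4, as an added example that is not part of the thread: a Python audit that flags inbound forward rules exposing the UCM to sources other than the SIP provider or on ports beyond SIP/RTP. The addresses (documentation ranges), the port ranges (UDP 5060 for SIP, UDP 10000-20000 for RTP), the rule format and all names are assumptions to replace with your own values.

```python
import ipaddress

# Assumptions, not values from the thread: documentation-range addresses,
# SIP on UDP 5060, RTP on UDP 10000-20000, and a vendor-neutral rule format.
UCM_IP = ipaddress.ip_address("192.168.1.10")
PROVIDER_NETS = [ipaddress.ip_network("203.0.113.16/29")]
VOIP_PORTS = [("udp", 5060, 5060), ("udp", 10000, 20000)]

BAD_SOURCE = "source is not limited to the provider"
BAD_PORTS = "ports go beyond SIP/RTP"

# Constructed sample rules: (name, source, proto, first_port, last_port, dest)
RULES = [
    ("sip-from-provider", "203.0.113.16/29", "udp", 5060, 5060, "192.168.1.10"),
    ("rtp-from-provider", "203.0.113.20/32", "udp", 10000, 20000, "192.168.1.10"),
    ("sip-from-anywhere", "0.0.0.0/0", "udp", 5060, 5060, "192.168.1.10"),
    ("provider-all-udp", "203.0.113.16/29", "udp", 1, 65535, "192.168.1.10"),
    ("ssh-remote", "198.51.100.0/24", "tcp", 22, 22, "192.168.1.10"),
    ("printer", "0.0.0.0/0", "tcp", 9100, 9100, "192.168.1.20"),
]

def source_is_provider(source):
    """True only if the whole source range sits inside a provider network."""
    net = ipaddress.ip_network(source, strict=False)
    return any(net.version == p.version and net.subnet_of(p) for p in PROVIDER_NETS)

def ports_are_voip(proto, first, last):
    """True only if the whole port range sits inside one SIP/RTP range."""
    return any(proto == p and lo <= first <= last <= hi for p, lo, hi in VOIP_PORTS)

def audit(rules):
    """Return {rule name: [reasons]} for rules that over-expose the UCM."""
    findings = {}
    for name, source, proto, first, last, dest in rules:
        if ipaddress.ip_address(dest) != UCM_IP:
            continue  # rule does not forward to the phone system
        reasons = []
        if not source_is_provider(source):
            reasons.append(BAD_SOURCE)
        if not ports_are_voip(proto, first, last):
            reasons.append(BAD_PORTS)
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for rule, reasons in audit(RULES).items():
        print(f"{rule}: {'; '.join(reasons)}")
```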


#5

Totally agree

Just this last week we been a log ahead with a network company managing a Fortigate 92000 fail to ban logged by UCM all resources used no calls. The UCM is not a firewall; it does a good job of security when all else fails, but you will have issues when resources are used up attending to registration requests.

Fastest solution for me was to add the Fortigate admin email to the events notification and let me get those emails.


#6

I agree. The UCM is a phone system, not a router. Use the UCM as such and use a router/firewall in front of your network.

Firewall is the role of the Router.

A firewall is not a router! A router routes packets from one network to another…a firewall blocks/allows packets based on rules but doesn’t route.

Put the router in switch mode, set up the SIP trunk then forward the SIP and RTP ports to the internal IP on your UCM.
You’ll need to set up NAT on the UCM but it’s all straightforward and should work

I should have been clearer in my comments. Put the router in switch mode. Forward the SIP and RTP ports on your router/firewall to your UCM. Remember to configure the settings on the UCM at PBX Settings->SIP Settings->NAT and ToS at PBX Settings->SIP Settings->ToS and PBX Settings->RTP Settings.


#7

100% true dat…

It was a loose translation - I use Mikrotik Routers that perform more than routing…


#8

It is important to understand the difference. Firewalls, especially those built into routers such as Mikrotik, Draytek etc. work at layer 2 whereas routers operate at layer 3. There are specialist routers and firewalls that work at other levels, such as layers 3 (firewalls) and 7 (routers) but it’s important we make the separation of functions clear if a poster is struggling to grasp the difference :slight_smile:


#9

Thanks for all the replies. I fixed the problem in the end which turned out to be three things. Firstly no matter what I did the firewall flatly refused to transform the public IP so packets were going out with the wrong one. Having fixed that we found a typo in the IP address registered by GAMMA so they ignored all our packets. Having fixed that the trunk needed to be a register SIP trunk not a peer, but with bogus username and password, because GAMMA only authenticates by the registered IP address agreed. All working now.

