Objective
Configure a Unifi USG for use with 8x8 services.
Note: The purpose of this article is to provide a sample configuration. At the time of article creation, this device was in a known working state on the firmware used.
Keep in mind that different firmware versions will interact with hosted VoIP services in different ways. While this device may be fully functional on the tested and/or current firmware version, it is possible newer revisions will cause disruptions in service or make a device fully compliant with the required settings for hosted VoIP services where it was previously not.
Keep in mind that different firmware versions will interact with hosted VoIP services in different ways. While this device may be fully functional on the tested and/or current firmware version, it is possible newer revisions will cause disruptions in service or make a device fully compliant with the required settings for hosted VoIP services where it was previously not.
Applies To
- Ubiquiti Unifi USG and USG Pro
Procedure
Notes:
Firmware 4.4.44 and 4.4.50 have been found to cause potential issues with the NAT mapping over UDP. Alongside this, the update has been found to wipe the previously configured session timers. This is causing phones to share the same socket and causing routing issues, transfer failures, and misrouting.
To mitigate this there are 4 options available:
- Verify the session timers are set at 660 seconds
- Set local SIP ports on each device. This is a workaround and may fail over time.
- Downgrade the firmware in use to a known good revision such as: 4.4.36.5146617 and verify the session timers are set to 660 seconds
- If using a Configuration Manager account, enable TLS on all phones where supported
Adding 8x8 Subnets
Please note adding the subnets is only necessary on a restricted network.
1. Log in to the Unifi Controller
2. Navigate to Routing & Firewall
- Click Firewall
- Click Groups
3. Click Create New Group.
- Add a name for the group
- Leave type as "Address IPv4"
- Add the 8x8 Subnets, click "+Add" as needed
- Click "Save" once complete
Creating the WAN IN Rule
A rule needs to be created for WAN IN, WAN OUT, LAN IN, and LAN OUT with the 8x8 Subnets
4. Once the group has been created navigate to Firewall -> Rules IPv4 -> WAN IN
- Click "Create New Rule"
- Add a name for the rule
- Set Action to "Accept"
- Set Source to the 8x8 Subnet group
- Under Destination set the "Destination Type" to "Network"
- Under "Network" set "LAN"
- Click Save
Creating the WAN OUT Rule
Note: These steps will need to be duplicated for the LAN IN and LAN OUT rules as well.
5. Navigate to Firewall -> Rules IPv4 -> WAN OUT
- Click Create New Rule
- Create a name for the rule
- Set Action to "Accept"
- Set "Source Type" to "Network"
- Set Network to "LAN"
- Set Destination to "Address/Port Group"
- Add the 8x8 Subnet group as the destination group
Configure Firewall Settings
Disable SIP
6. Navigate to Routing & Firewall -> Firewall -> Settings.
7. Make sure SIP is set to OFF
Set Timeouts
8. Scroll down to "State Timeouts"
Set these values to 660:
- TCP Close
- TCP Close Wait
- UDP Other
- UDP Stream
Check DPI Restrictions
9. Navigate to Settings > DPI > DPI Restrictions.
Make sure there are no restriction settings for VoIP services. No setting needs to be added, the screenshot only shows this service added as an example.
Additional Information
Testing completed on firmware: 4.4.36.5146617
- The subnet white listing is not required for all configurations of USG devices, the white listing only needs to occur if inbound and outbound traffic is restricted through custom rules. But is suggested to white list the 8x8 subnets to ensure proper operations of phones.
- DPI does not need to be disabled on Ubiquiti USG devices, but it is required that there are no restrictions under the DPI settings for VoIP traffic.
- SSH commands can be run to configure the USG, but if any changes are made on the controller software the SSH configuration will be overwritten.
Note: To work around possible NAT issues with 4.4.44.5213871, SIP over TLS should be enabled.