
VoIP settings for optimal performance on Sophos XGS

I’ll show how I set up a Sophos XGS Firewall to get reliable voice calls, not flaky ones that drop mid-sentence. Short version: lock the rule set, expose only what the phone system needs, mark voice traffic for priority, and measure the result. I use the XGS 118 for examples, but the steps work on any XGS. Expect to touch firewall rules, application filters, QoS configuration and traffic management.

Start by assessing your current setup. Check NAT, public IPs, VLANs and where the PBX or phones sit. Confirm which devices do signalling and which handle media. For SIP, check the signalling ports your provider uses; the defaults are 5060 for UDP and TCP and 5061 for TLS, as described in RFC 3261. List every IP and port the trunk or SIP provider needs. Don’t guess media ports: look up the RTP/media ranges in the PBX or handset docs and note them.

For the initial firewall rules I choose a tight approach. Create explicit LAN-to-WAN rules for SIP signalling to the provider IPs and ports. Add a separate rule allowing the PBX to use its media range to the provider. Keep DNS (53), HTTP/HTTPS (80, 443) and any necessary management ports in their own rules. Lock management access to a single admin IP or a management VLAN. If you prefer the per-zone allow-any-to-WAN shortcut, pair it with strict application filters and logging so you do not silently open everything.

Use application filters to reduce collateral damage. Sophos application filters can block peer‑to‑peer apps or classify Teams and Zoom. Attach an application filter to the same firewall rule that permits conference apps, rather than opening wide port ranges.

For traffic management, put phones and the PBX on a separate VLAN and assign a dedicated policy. Create traffic shaping rules that match the VoIP settings from your PBX: match source IPs, UDP/TCP ports, or DSCP markings from endpoints. Only trust DSCP marks that arrive from the voice VLAN; any host can set EF on its own packets, so a mark from anywhere else should be reset rather than honoured. My go-to is to mark media flows as high priority and place signalling in a lower priority but reliable queue. For DSCP, tag voice media with EF (46) and signalling with CS3 (24), or AF31 (26) if your PBX or provider expects it; keep the queues simple: one priority queue for voice, one for interactive apps, a best-effort queue for everything else. If you use Sophos’ traffic shaping, create fixed bandwidth guarantees for voice on the WAN link so a bulk file transfer cannot starve calls.
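The rule set and shaping policy from the two paragraphs above, as an added worked example in Python (not the page's own configuration and not Sophos code): explicit allow rules built from what the assessment produced, a linter that flags the shortcuts that quietly open everything, and a classifier that picks the queue and DSCP for each flow and re-marks on egress. Every address, port range and filter name here is constructed for the example; the RFC 4594 DSCP values and the TOS-byte layout are standard.

```python
"""Model of a tight VoIP rule set and the shaping policy it feeds: explicit allow rules,
a linter for over-broad rules, and DSCP-based queue selection with egress re-marking."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

DSCP_EF, DSCP_CS3, DSCP_AF41 = 46, 24, 34  # RFC 4594: voice media, call signalling, conferencing
ANY = ip_network("0.0.0.0/0")
ALL_PORTS = range(0, 65536)

def tos_byte(dscp: int) -> int:
    """DSCP is the top six bits of the IPv4 TOS byte; the two ECN bits stay zero."""
    return (dscp & 0x3F) << 2

@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str                      # "udp", "tcp" or "any"
    ports: range                    # destination ports
    app_filter: str | None = None   # attached application filter, if any
    log: bool = True

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: str, port: int) -> bool:
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto) and port in self.ports)

@dataclass(frozen=True)
class VoipPlan:
    """What the assessment step produced: who signals, who carries media, and to where."""
    voice_vlan: IPv4Network
    pbx: IPv4Network
    provider_sig: IPv4Network
    provider_media: IPv4Network
    sig_ports: range
    media_ports: range
    admin_host: IPv4Network

def build_rules(plan: VoipPlan) -> list[Rule]:
    """Explicit allows only; everything not listed falls through to the default drop."""
    return [
        Rule("sip-signalling", plan.pbx, plan.provider_sig, "udp", plan.sig_ports),
        Rule("sip-tls", plan.pbx, plan.provider_sig, "tcp", range(5061, 5062)),
        Rule("rtp-media", plan.pbx, plan.provider_media, "udp", plan.media_ports),
        Rule("dns", plan.voice_vlan, ANY, "udp", range(53, 54)),
        Rule("https", plan.voice_vlan, ANY, "tcp", range(443, 444), app_filter="conferencing"),
        Rule("mgmt-https", plan.admin_host, plan.pbx, "tcp", range(443, 444)),
    ]

def permitted(rules: list[Rule], src: str, dst: str, proto: str, port: int) -> Rule | None:
    """First-match evaluation, the way the firewall walks its rule table."""
    s, d = ip_address(src), ip_address(dst)
    return next((r for r in rules if r.matches(s, d, proto, port)), None)

def lint(rules: list[Rule], plan: VoipPlan) -> list[str]:
    """Flag rules that are wider than the plan justifies."""
    findings = []
    for r in rules:
        if r.dst == ANY and len(r.ports) >= 65535 and not (r.app_filter and r.log):
            findings.append(f"{r.name}: allow-any-to-WAN without an application filter and logging")
        if r.name == "rtp-media" and len(r.ports) > len(plan.media_ports):
            findings.append(f"{r.name}: media range wider than the PBX actually uses")
        if r.name.startswith("mgmt") and r.src.prefixlen < 32:
            findings.append(f"{r.name}: management not locked to a single admin host")
    return findings

def classify(src: str, proto: str, dport: int, dscp: int, plan: VoipPlan,
             app: str | None = None) -> tuple[str, int]:
    """Pick the shaping queue and the DSCP to egress with. The mark is derived from the flow,
    so an unmarked phone still gets EF and a host outside the voice VLAN cannot claim it."""
    from_voice_vlan = ip_address(src) in plan.voice_vlan
    if from_voice_vlan and proto == "udp" and dport in plan.media_ports:
        return "voice", DSCP_EF
    if from_voice_vlan and (dport in plan.sig_ports or dport == 5061):
        return "signalling", DSCP_CS3
    if app in ("teams", "zoom"):          # what the application filter classified the flow as
        return "interactive", DSCP_AF41
    return "best-effort", 0               # the incoming dscp is deliberately not honoured

# Constructed plan (RFC 5737 documentation addresses) and a loose rule set to compare against.
EXAMPLE_PLAN = VoipPlan(
    voice_vlan=ip_network("10.20.0.0/24"), pbx=ip_network("10.20.0.10/32"),
    provider_sig=ip_network("203.0.113.10/32"), provider_media=ip_network("203.0.113.0/24"),
    sig_ports=range(5060, 5061), media_ports=range(10000, 20001),
    admin_host=ip_network("10.10.0.5/32"))
EXAMPLE_RULES = build_rules(EXAMPLE_PLAN)
LOOSE_RULES = [
    Rule("lan-to-wan-any", EXAMPLE_PLAN.voice_vlan, ANY, "any", ALL_PORTS),
    Rule("mgmt-https", ip_network("10.10.0.0/24"), EXAMPLE_PLAN.pbx, "tcp", range(443, 444)),
]

if __name__ == "__main__":
    print("tight set:", lint(EXAMPLE_RULES, EXAMPLE_PLAN) or "no findings")
    for finding in lint(LOOSE_RULES, EXAMPLE_PLAN):
        print("loose set:", finding)
    print(classify("10.20.0.21", "udp", 12000, 0, EXAMPLE_PLAN), hex(tos_byte(DSCP_EF)))
```

The point of `classify` ignoring the incoming `dscp` is the check worth carrying into the real shaping rule: a host outside the voice VLAN that sets EF on its own packets still lands in best-effort, while a phone that never marks still gets the voice queue because the flow, not the mark, decides.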

QoS configuration must be measurable. On the XGS, create a QoS policy that matches your voice flows and set the queueing accordingly. Test both with phones that set DSCP and with devices that do not; if endpoints don’t mark, have the firewall mark traffic on egress. Disable or test SIP ALG. It can help in simple NAT cases but often mangles SIP headers for modern providers, and it cannot see inside SIP over TLS at all; flip it off and test. Monitor live sessions in the XGS logs and capture packets for failing calls. For acceptable call quality aim for low one‑way delay and small jitter. ITU-T G.114 gives 150 ms as the upper bound on one‑way delay for conversational quality; stay well under it, keep jitter under about 30 ms where you can, and keep packet loss under 1% on the voice path.

Testing and regular updates finish the job. Run SIP registrations, make inbound and outbound calls, and check for one‑way audio. Use periodic RTP captures and measure MOS or at least latency, jitter and packet loss. If calls are choppy, raise the reserved bandwidth for the voice queue, or deprioritise non‑essential conference traffic. When a provider changes ports or an app update alters media ranges, update firewall rules and filters immediately rather than expanding wildcard rules. Keep a short rule set: specific allow rules for known IPs and ports, application filters attached where possible, and traffic management that guarantees voice a slice of the WAN. That approach stops guesswork and keeps calls usable.
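To make the QoS numbers measurable, as the two paragraphs above ask, here is an added Python example (not from the page and not a Sophos tool) that parses raw RTP, computes packet loss from sequence numbers, computes interarrival jitter with the RFC 3550 estimator, and checks the result against the delay, jitter and loss thresholds stated above. The capture is constructed inline: a G.711 stream with two dropped packets and 10 ms of alternating delay, starting near the 16-bit sequence wrap so that case is exercised. One-way delay is passed in separately because a one-sided capture cannot derive it; the thresholds and the 8 kHz clock are assumptions matching the text and G.711.

```python
"""Parse raw RTP and measure a captured stream: packet loss from sequence numbers,
interarrival jitter per RFC 3550 A.8, and a check against the voice-path thresholds."""
from __future__ import annotations
import struct
from dataclasses import dataclass

RTP_CLOCK_HZ = 8000            # G.711 clock: 160 samples per 20 ms packet
MAX_ONE_WAY_DELAY_MS = 150.0   # ITU-T G.114 limit for conversational quality
MAX_JITTER_MS = 30.0
MAX_LOSS_PCT = 1.0

@dataclass(frozen=True)
class RtpHeader:
    seq: int
    timestamp: int
    ssrc: int
    payload_type: int
    marker: bool

def parse_rtp(data: bytes) -> RtpHeader:
    """Decode the fixed 12-byte RTP header (RFC 3550 section 5.1)."""
    if len(data) < 12:
        raise ValueError("truncated RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return RtpHeader(seq, ts, ssrc, b1 & 0x7F, bool(b1 & 0x80))

def build_rtp(seq: int, timestamp: int, ssrc: int, pt: int = 0) -> bytes:
    """Minimal RTP packet: V=2, no padding/extension/CSRC, 160 bytes of dummy PCMU payload."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq & 0xFFFF, timestamp & 0xFFFFFFFF, ssrc) + b"\xff" * 160

@dataclass
class StreamStats:
    received: int
    expected: int
    jitter_ms: float

    @property
    def lost(self) -> int:
        return self.expected - self.received

    @property
    def loss_pct(self) -> float:
        return 100.0 * self.lost / self.expected if self.expected else 0.0

def analyse_stream(capture: list[tuple[int, bytes]]) -> StreamStats:
    """capture: (arrival time in microseconds, raw RTP bytes) in arrival order, one SSRC."""
    base_seq = max_seq = None
    cycles = 0            # completed 16-bit wraps (RFC 3550 A.1, simplified: no late pre-wrap packets)
    prev_transit = None
    jitter = 0.0          # running estimate in RTP clock units (RFC 3550 A.8)
    received = 0
    for arrival_us, data in capture:
        hdr = parse_rtp(data)
        received += 1
        if base_seq is None:
            base_seq = max_seq = hdr.seq
        elif hdr.seq < max_seq and max_seq - hdr.seq > 0x8000:
            cycles += 0x10000     # wrapped from 65535 back to 0
            max_seq = hdr.seq
        elif hdr.seq > max_seq:
            max_seq = hdr.seq     # a smaller seq without a wrap is just reordering
        # transit = arrival (in clock units) minus sender timestamp; only differences matter
        transit = arrival_us * RTP_CLOCK_HZ // 1_000_000 - hdr.timestamp
        if prev_transit is not None:
            jitter += (abs(transit - prev_transit) - jitter) / 16
        prev_transit = transit
    expected = cycles + max_seq - base_seq + 1 if received else 0
    return StreamStats(received, expected, jitter * 1000 / RTP_CLOCK_HZ)

def evaluate(stats: StreamStats, one_way_delay_ms: float) -> list[str]:
    """Return the thresholds the call path breaches; an empty list means acceptable.
    One-way delay comes from a separate measurement: a one-sided capture cannot derive it."""
    failures = []
    if one_way_delay_ms > MAX_ONE_WAY_DELAY_MS:
        failures.append(f"one-way delay {one_way_delay_ms:.0f} ms exceeds {MAX_ONE_WAY_DELAY_MS:.0f} ms")
    if stats.jitter_ms > MAX_JITTER_MS:
        failures.append(f"jitter {stats.jitter_ms:.1f} ms exceeds {MAX_JITTER_MS:.0f} ms")
    if stats.loss_pct > MAX_LOSS_PCT:
        failures.append(f"packet loss {stats.loss_pct:.2f}% exceeds {MAX_LOSS_PCT:.0f}%")
    return failures

def synth_capture(n: int = 50, drop: frozenset[int] = frozenset(), late_us: int = 0) -> list[tuple[int, bytes]]:
    """Constructed G.711 stream, 20 ms packets, starting at seq 65530 so the wrap is exercised.
    Packets whose index is in `drop` never arrive; odd-numbered packets arrive `late_us` late."""
    capture = []
    for i in range(n):
        if i not in drop:
            arrival_us = 20_000 * i + (late_us if i % 2 else 0)
            capture.append((arrival_us, build_rtp(65530 + i, 160 * i, ssrc=0x1234ABCD)))
    return capture

if __name__ == "__main__":
    for name, cap in (("clean", synth_capture()),
                      ("degraded", synth_capture(drop=frozenset({10, 11}), late_us=10_000))):
        stats = analyse_stream(cap)
        print(name, stats, "lost", stats.lost, evaluate(stats, one_way_delay_ms=40) or "OK")
```

For a real capture, feed `analyse_stream` the arrival timestamps and UDP payloads of one SSRC (exported from a pcap of the failing call), and change `RTP_CLOCK_HZ` for codecs that do not use an 8 kHz clock. The degraded stream shows why loss and jitter are reported separately: 2 packets in 50 is a 4% loss that fails the 1% target even though the 10 ms alternating delay only produces about 9.5 ms of jitter, well inside the 30 ms target.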
