Support Forum
armanforti

VoIP configuration on FortiGate 100D

Hello,

1. I have a FortiGate 100D, firmware 5.2. We are going to migrate to VoIP and I have no clue how to configure VoIP on my firewall. How can I configure my firewall for VoIP?

 

We are using a Swedish company for VoIP: Telavox. Their support instructions on how to configure the firewall for VoIP are:

 

CONFIGURE FIREWALL

For outgoing traffic:

Create a rule for all UDP and TCP ports for Telavox network 80.83.208.0/20. For this rule, there should be a Timeout (TTL) of at least 3720 seconds, because our phones contact us every 3600 seconds.

Full information about our network:
Address: 80.83.208.0
Netmask: 255.255.240.0 = 20
Wildcard: 0.0.15.255
Network: 80.83.208.0/20
Broadcast: 80.83.223.255
HostMin: 80.83.208.1
HostMax: 80.83.223.254
Hosts / Net: 4094

For incoming traffic: There is no need for rules, since the session is initiated from within the network. Disable all ALG / SIP features as well as Application Control on the traffic to Telavox if these are present in the firewall. They usually cause more harm than benefit.

 

2. We have one internal subnet (private addresses) for the users, which they get from the DHCP server (the firewall).

But since we are going to implement VoIP, there will be 2 VLANs (voice & data). So I configured the switch port to be in automatic mode because the IP phones are connected directly to the PCs.

Now my PC is getting an IP address but my IP phone is not, since it is on another VLAN. I can fix this by enabling DHCP relay on the L3 switch. But I need the DHCP server to distribute 2 different internal IP address ranges (subnets).

How can I have 2 different subnets, one for VoIP and one for data? How can I configure the DHCP server to distribute 2 different internal IP address ranges?

 

Current network setup: Modem ----> Firewall (router, DHCP, DNS) ----> L3 Switch (HP 1910, JG539A) ----> VoIP phone ----> PC

 

My current configuration:
x.x.x.x - public IP
y.y.y.y - private IP

Wan1: x.x.x.84
Wan2: x.x.x.83

Created 2 VIPs for mail and 2 VIPs for web:
mail: x.x.x.84 --> y.y.y.11 port: 25 (mail server)
mail: x.x.x.84 --> y.y.y.11 port: 443 (mail server)

web: x.x.x.83 --> y.y.y.12 port: 80 (web server)
web: x.x.x.83 --> y.y.y.12 port: 443 (web server)

 

I put these in 2 different VIP groups: Mail traffic and Web traffic.

 

Created 2 policies:

Mail:
incoming interface: wan1
source address: all
outgoing interface: LAN
destination address: Mail traffic (VIP group)
Schedule: always
services: HTTPS, SMTP
Action: Accept
NAT: NOT ENABLED

Web:
incoming interface: wan2
source address: all
outgoing interface: LAN
destination address: Web traffic (VIP group)
Schedule: always
services: HTTPS, HTTP
Action: Accept
NAT: NOT ENABLED

 

There is another policy for internal users to surf the internet:

Internet:
incoming interface: LAN
source address: all
outgoing interface: wan1
destination address: all
Schedule: always
services: all
Action: Accept
NAT: ENABLED, Use Outgoing Interface Address

Mail pool: x.x.x.84 for outgoing mail.

And finally the static route: 0.0.0.0/0.0.0.0, wan1, gateway x.x.x.x

 

I appreciate your input and help.

 

Thank you.

0 REPLIES