VodafoneUKVOIPConfig

A guide to using your own VOIP hardware (Grandstream WP810) with Vodafone UK Residential FTTP + OPNSense

Vodafone UK VOIP Residential FTTP Configuration notes

A reference for using your own VOIP hardware (Grandstream WP810) with Vodafone UK Residential FTTP + OPNSense

As of this writing, Vodafone ships a router with a built-in component that allows you to connect your existing PSTN phone to the Vodafone VOIP network. There is no sound technical reason preventing you from using your own VOIP hardware via your own router. However, for business reasons, Vodafone prefers that residential customers be unable to use their own equipment. Here it is in their own words:

  "As this is a consumer Home Broadband service and not a business service where this is explicitly provided, Vodafone are unable to offer this as a service to the customer"

[!NOTE]
It seems that Vodafone may have stopped giving out the voip information. They have also closed and removed their forums.

Sources

Most of the information contained here is from this thread on the Vodafone forums.

This sprawling thread is essentially the authority on the subject. I'm going to condense it down for my own reference and deploy a WP810. In the hopes that this may help someone else, here are my notes. All credit goes to the members there sharing their hard work.

Configuring PFSense & OPNSense for VOIP via NAT

This section is only relevant if you are using OPNSense or PFSense as your router. If you are using different firmware you will need to find another way to achieve the following, though the basic principle should be the same. This section should also apply to other VOIP providers.

SIP uses RTP to transport audio data. By default, NAT rewrites the source port of outbound traffic so that multiple connections from different devices can use the same source port, as no two devices can know which ports the other has in use. This causes a problem for SIP, as described here.

There are three ways to work around this, only one of which is safe.

Method one is to put your phone in a DMZ which will fully expose it to the internet. This is bad for obvious reasons, but there are lots of posts telling you to do this to make VOIP work. Don't do it, under any circumstance.

Method two is to port forward the relevant ports. This is ugly, and it may appear to work. It allows anyone on the internet to send packets to your phone, and you may have to forward a range of ports that will then stop working for other devices, causing connectivity issues. Many instructions online recommend this approach. Don't do it, it will break more than your VOIP. You're essentially unleashing a chaos monkey.

Method three is to use Outbound NAT rules to disable source port rewriting for packets originating from your VOIP phone(s). This does not expose your phone and safely allows RTP to traverse the NAT while reducing the chance of a port conflict.

  • Step 1: Create a host alias that references your phone's IP or hostname.

  • Step 2: Create a port alias that references the SIP port (5065 for Vodafone, may vary for other providers) and the RTP port range. The instructions below specify the starting port as 10000 with a range of 200. However, usually RTP uses a range of 10000-32767.

  • Step 3: Apply firewall rule(s) to the relevant LAN interface that allow OUTBOUND connections from the host alias we set up in step 1. Depending on your configuration you will need to allow TCP/UDP connections via the port ranges specified in the alias we created in step 2.

  • Step 4: Go to Firewall -> NAT -> Outbound and select "Hybrid outbound NAT rule generation".

  • Step 5: Go to Firewall -> NAT -> Outbound and add a manual rule:

      • Interface: WAN
      • Source: (the alias we created in step 1)
      • Source Port: (the port alias we created in step 2)
      • Destination: *
      • Destination Port: tcp/udp/*
      • NAT address: Interface Address
      • NAT Port: *
      • Static Port: YES

“Static port” is the option that disables source port rewriting for connections that match the rule.

This information is based on instructions from here and here. Note that the 3CX document counter-intuitively refers to "port mapping" in the context of outbound NAT traversal, rather than the more common inbound port to host mapping.

RTP Port Range Considerations

RTP by default uses a random UDP port from 10000-32767. The phone is unaware of which source ports are in use by other devices on the local network. If something else is (or has been) using UDP/10000, for example, the call will fail until the relevant state table entry expires. This is the problem that remapping aims to fix, after all, and we have disabled it.

Ripshod's configuration restricts the RTP port range to 20 from a base port of 10000. In cases where you are unable to dynamically limit the scope of source port remapping (i.e., you're not using OPNsense/PFsense) this limits the ports that you 'lose' to the workaround and decreases the chance of a conflict. However, this is suboptimal and unnecessary when using Outbound NAT rules. A bigger range decreases the chance of a conflict and does not impact other devices. Relying on a single port or small pool increases the chances of port conflicts and intermittent connectivity issues.
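
The effect of "Static port" and of the RTP range size, as an added example (not part of the original notes and not pfSense/OPNsense code): a simplified NAT model in which a conflict is keyed on the external port alone, as the text above describes. The class and function names, the 192.168.1.50 address and the 50001-65535 rewrite pool are assumptions made for the illustration.

```python
import random

REWRITE_RANGE = range(50001, 65536)   # assumed pool for rewritten source ports

class OutboundNat:
    """Simplified UDP outbound-NAT model (constructed, not firewall code)."""

    def __init__(self, static_hosts=(), busy=(), seed=1):
        self.static_hosts = set(static_hosts)  # LAN IPs matched by a Static Port rule
        # external port -> (lan_ip, lan_port); `busy` ports belong to other traffic
        self.states = {port: ("other", 0) for port in busy}
        self.rng = random.Random(seed)

    def translate(self, lan_ip, lan_port):
        """Return the external source port, or None on a static-port conflict."""
        key = (lan_ip, lan_port)
        if lan_ip in self.static_hosts:
            if self.states.get(lan_port, key) != key:
                return None                    # port already held by another state
            ext_port = lan_port                # Static Port: YES, nothing rewritten
        else:
            free = [p for p in REWRITE_RANGE if p not in self.states]
            ext_port = self.rng.choice(free)   # default: source port is rewritten
        self.states[ext_port] = key
        return ext_port

    def inbound(self, ext_port):
        """LAN endpoint whose state an inbound packet to ext_port matches."""
        return self.states.get(ext_port)

def media_arrives(nat, phone_ip, rtp_port):
    """The phone sends RTP from rtp_port and advertises that same port, so
    the far end replies to <public IP>:rtp_port."""
    if nat.translate(phone_ip, rtp_port) is None:
        return False
    return nat.inbound(rtp_port) == (phone_ip, rtp_port)

def blocked_share(range_size, busy, base=10000, phone="192.168.1.50"):
    """Fraction of the phone's RTP ports that fail while `busy` states exist."""
    ports = range(base, base + range_size)
    failed = sum(not media_arrives(OutboundNat([phone], busy), phone, p)
                 for p in ports)
    return failed / range_size

if __name__ == "__main__":
    phone = "192.168.1.50"                     # constructed LAN address
    print("rewritten :", media_arrives(OutboundNat(), phone, 10004))
    print("static    :", media_arrives(OutboundNat([phone]), phone, 10004))
    print("range 20  :", blocked_share(20, [10000]))
    print("range 200 :", blocked_share(200, [10000]))
```

With one external port already held by other traffic, a 20-port pool loses 5% of its ports and a 200-port pool loses 0.5%.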

WP810 Configuration

Ripshod very kindly posted screenshots of his configuration here but the original download is now missing. They are instead included in the section below.

I followed these settings almost exactly as is for my WP810, with one exception. I set "Local RTP Port Range" to 200; a higher number is better for the reasons noted above. I did not put a space between "Vox3.0". The one or two missing options were inconsequential.

If you are using the OPNSense configuration posted above, the correct NAT traversal option is as shown in the screenshots: "No." I did provide a STUN server address but I was unable to get this to work and instead opted to manually enter my IP. Selecting the STUN option for NAT traversal did not work.

Finally I applied the localisation settings as noted below.

Configuration Screenshots

Below are the configuration screenshots to help with setup.

[Images: Configuration Screenshots 1 to 13]

Known working phones

As of 17/01/2024 from this post

  • GXP1620 - Wired Phone (Tested by g7omn)
  • GXP1625 - Wired Phone (Tested by mdbloomfield)
  • HT801 - ATA (Tested by many)
  • HT802 - ATA (Tested by many)
  • HT812 - ATA (Tested by many)
  • WP810 - WiFi Phone (Tested by cf996 & Ripshod)
  • WP822 - WiFi Phone (Tested by Ripshod)
  • Cisco ATA 191
  • Cisco ATA 192

Why these phones?

As per this and this post

Vodafone consider using your own VOIP equipment a business feature and have hidden behind an excuse of security to avoid providing anything more than username, password, and server. Further they have configured their system to require specific settings that are not exposed by all makes and models. For example, you must set the SIP User-Agent as Vox 3.0.

DNS

Vodafone answers DNS queries with SRV records. However, your device MUST USE VODAFONE DNS SERVERS TO RESOLVE THE RELEVANT DOMAINS.

  • Primary DNS: 90.255.255.91
  • Secondary DNS: 90.255.255.255

[!IMPORTANT]
You will note in the configuration screenshots that DNS is set to "srv" and not "Use configured IP". This, dear reader, is a little bit silly because the two options should not be mutually exclusive. This means that your DHCP server must be set to provide the device with the Vodafone DNS servers above. They cannot be set on the phone. If you are using OPNsense you can do this on a per-device basis.

Username & Password

You will need to contact Vodafone via their live chat to request your VOIP username, password & server. You may need to make it clear that you are requesting your VOIP credentials and not your broadband credentials. You should guard these credentials. You are unable to change them and, if obtained, they can be used to place phone calls that will be billed to your account.

[!NOTE]
It seems that Vodafone may have stopped giving out the voip information. They have also closed and removed their forums.

The SIP Proxy Server

When you re
