Recommended UniFi Gateway Configuration and Firewall Policies

Understand the firewall settings for USG-series UniFi devices and learn how to optimize them for your network.

Written by Stephen Cornell

Updated at July 25th, 2025

Table of Contents

  • Create a Smart Queue
  • Implement a VLAN for Your Desk Phones
  • OPTIONAL: Assign a VLAN to the Ports of a UniFi Switch
  • Configure Firewall Policies for VoIP Traffic
    • Method 1: Create a Zone-Based Firewall Policy
      • Step 1: Start Configuring a Policy
      • Step 2: Create an Address Group
      • Step 3: Create a Port Group
      • Step 4: Finish Configuring the Source Zone
      • Step 5: Configure the Destination of the Policy
    • Method 2: Create an Individual Rule
      • Step 1: Start Configuring a New Rule
      • Step 2: Create an Address Group
      • Step 3: Create a Port Group
      • Step 4: Finish Configuring the Source of the Rule
      • Step 5: Set the Destination of the Rule
  • UniFi Access Points and Switches

WARNING: Configuring the settings of your USG may result in a restart. It is recommended to perform these changes outside of your normal office hours.

 

 


Create a Smart Queue

The UniFi Security Gateway offers a Smart Queue option that prioritizes traffic and minimizes delays when the router or its bandwidth becomes overloaded.

WARNING: Activating the Smart Queue option may reduce the maximum throughput. It is strongly recommended to monitor the available speed with and without Smart QoS enabled.

If you have connection speeds greater than 300 Mbps, then it is recommended to NOT enable smart queues.

 

To activate this option…

  1. Log into your UniFi's web interface.
  2. Navigate to Settings → Networks → Internet.
  3. In the Networks list, click the Internet 1 option listed.
  4. In the Advanced section, select Smart Queues and set the Downrate and Uprate to match 80% of your network's speeds.
  5. Click the Save button.

 


Implement a VLAN for Your Desk Phones

Creating a dedicated VLAN for your desk phones to connect to can be a great way to simplify managing your network and troubleshooting issues with your desk phones. It is generally recommended to use VLANs to isolate IP devices to reduce the risk of unauthorized access to these devices and limit the spread of potential threats within your network. Segmenting your network with VLANs can also help reduce congestion and improve your network's overall performance. 

IMPORTANT: It is highly recommended to share the VLAN ID with our Technical Support or Installation team so that we can take note of this VLAN ID to make provisioning and troubleshooting your desk phones easier. 

 

To implement a VLAN for your desk phones to connect to…

  1. While logged into your UniFi's web interface, navigate to Settings → Network.
  2. Click Create a new virtual network. 
  3. Give the new VLAN an identifiable name, such as “Voice VLAN”.
  4. Select the name of your router.
  5. Select the Zone the phones will be connected in, such as Internal. 
  6. For the Protocol, Internet Source IP / NAT, and Gateway IP/Subnet settings, select and enter the information that matches your network's needs.
  7. In the Advanced section, select Manual.
  8. Select the VLAN ID to assign to your desk phones, such as 20. 
  9. Make sure that Isolate Network and Allow Internet Access are selected. 

  10. Click Apply Changes.

    ✔ Once you have saved and created your VLAN, you can start assigning it to your phones. This VLAN can also be assigned to managed switches that you are using for connecting your IP devices.

    REMINDER: It is highly recommended to share the VLAN ID you created with our Technical Support or Installation team so that we can take note of this VLAN ID to make provisioning and troubleshooting your desk phones easier. 

     
     

 

OPTIONAL: Assign a VLAN to the Ports of a UniFi Switch

If you also have managed UniFi switches that the phones or other IP devices are connected to, you can assign VLANs for your IP devices to their ports. 

If your network has switches and devices that support Link Layer Discovery Protocol (LLDP) and LLDP Media Endpoint Discovery (LLDP-MED), you can enable LLDP-MED for a switch's ports as well. 

Fun Fact: LLDP-MED is an extension of LLDP that operates between IP phones and network devices, such as switches, for voice over IP (VoIP) applications. It does this by sending TLVs.

A TLV (Type-Length-Value) is an attribute encoded as a type, a length, and a value. Devices that support LLDP use TLVs to send information to, and receive information from, neighboring devices. The information shared using this protocol can be configuration information, device capabilities, and device identity. 

Switches that have LLDP-MED enabled can use specialized TLVs that describe discovery capabilities, supported network policies, Power over Ethernet (PoE) capability, and inventory management. This can make connecting and managing IP devices, such as our desk phones, more streamlined. 
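To check what a switch port actually advertises to a phone, the TLVs described above can be decoded from a captured LLDP frame. The following is an added example, not SpectrumVoIP or Ubiquiti code: it parses the LLDP-MED Network Policy TLV and confirms that the voice policy carries the expected tagged VLAN. The sample frame is constructed, using VLAN 20 from this article's example; the priority and DSCP values are assumptions.

```python
import struct

LLDP_MED_OUI = bytes.fromhex("0012bb")  # TIA OUI carried by LLDP-MED TLVs

def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length, then the value."""
    return struct.pack("!H", tlv_type << 9 | len(value)) + value

def iter_tlvs(lldpdu):
    """Yield (type, value) pairs, rejecting lengths that overrun the frame."""
    off = 0
    while off + 2 <= len(lldpdu):
        (hdr,) = struct.unpack_from("!H", lldpdu, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(lldpdu):
            raise ValueError("TLV length runs past end of LLDPDU")
        yield tlv_type, lldpdu[off:off + length]
        off += length
        if tlv_type == 0:  # End of LLDPDU TLV
            return

def med_network_policies(lldpdu):
    """Decode LLDP-MED Network Policy TLVs (type 127, OUI 00-12-BB, subtype 2)."""
    out = []
    for tlv_type, v in iter_tlvs(lldpdu):
        if tlv_type != 127 or len(v) != 8 or v[:3] != LLDP_MED_OUI or v[3] != 2:
            continue
        bits = int.from_bytes(v[5:8], "big")  # U, T, X, VLAN(12), prio(3), DSCP(6)
        out.append({"app": v[4], "tagged": bool(bits >> 22 & 1),
                    "vlan": bits >> 9 & 0xFFF, "priority": bits >> 6 & 7,
                    "dscp": bits & 0x3F})
    return out

def voice_vlan_ok(lldpdu, expected_vlan):
    """True if a voice policy (application type 1) advertises the expected tagged VLAN."""
    return any(p["app"] == 1 and p["tagged"] and p["vlan"] == expected_vlan
               for p in med_network_policies(lldpdu))

def sample_lldpdu(vlan):
    """Constructed LLDPDU: chassis ID, port ID, TTL, one voice policy, end marker."""
    policy = (1 << 22 | vlan << 9 | 5 << 6 | 46).to_bytes(3, "big")  # tagged, prio 5, DSCP 46
    return (tlv(1, b"\x04" + bytes.fromhex("001122334455"))   # chassis ID (MAC subtype)
            + tlv(2, b"\x05" + b"Port 1")                     # port ID (interface name)
            + tlv(3, struct.pack("!H", 120))                  # TTL in seconds
            + tlv(127, LLDP_MED_OUI + b"\x02\x01" + policy)   # MED Network Policy, voice
            + tlv(0, b""))

if __name__ == "__main__":
    print(med_network_policies(sample_lldpdu(20)), voice_vlan_ok(sample_lldpdu(20), 20))
```

A port that advertises a different VLAN, or no voice policy at all, makes `voice_vlan_ok` return False, which usually means the switch port profile does not match the Voice VLAN created above.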

 

Below is an example of a UniFi switch that has port 1 assigned to a VLAN with LLDP-MED enabled:

 


Configure Firewall Policies for VoIP Traffic

To make sure the traffic from your SpectrumVoIP phones, softphones, and web applications does not experience any issues, a new firewall rule/policy will need to be created. This rule is set up to recognize and allow traffic coming from the IP addresses used by SpectrumVoIP services. It also ensures the ports used by our services are open for use.

To set up firewall rules for your UniFi gateway, there are two ways to do so:

  1. Create a zone-based firewall policy if you have upgraded your UniFi to use zone-based rules. 
  2. Create a separate rule for SpectrumVoIP traffic.

 

Method 1: Create a Zone-Based Firewall Policy

Creating firewall zones for your UniFi gateway can help simplify managing your network security by grouping its interfaces (such as VLANs, WANs, or VPNs) into logical zones. 

These zones can have policies that define how the zones interact and how traffic should be handled from specific trusted, semi-trusted, or untrusted sources (e.g., IP addresses, protocols, applications, users, etc.). Policies applied to zones automatically affect all interfaces within those zones.

✔ The Zone Matrix grid of your UniFi gateway's web interface can provide a crisp, user-friendly view of the traffic flow between zones, making it easier to manage and understand policies.

While referencing the Zone Matrix grid, you will see how the different Source and Destination Zones handle traffic:
    •  Allow All - All traffic is allowed from the source zone to the destination zone
    •  Block All - All traffic is blocked from the source zone to the destination zone
    •  Allow Return - This value appears when there is a combination of "Allow All" and "Block All" between two zones. The source zone is allowed to send all traffic to the destination zone, but the destination zone can only reply to the traffic.
    •  Policies - According to multiple firewall policies, specific traffic is allowed and blocked from the source zone to the destination zone. The number of active policies affecting traffic is shown as the number in parentheses for a cell. By default, this applies to built-in policies associated with the External zone which is used for traffic coming and going to the internet.

 

If you currently use a zone-based firewall configuration, follow the steps below to review how you can add a policy for SpectrumVoIP traffic.

 

Step 1: Start Configuring a Policy

To determine how the Source and Destination zone of your UniFi gateway will manage SpectrumVoIP traffic, you can create a new policy for those zones. To do so…

  1. Access your UniFi's web interface.
  2. Navigate to Settings → Security.
  3. Scroll to the bottom of the page and click Create Policy. 

    Quick Tip: Alternatively, you can click the cell in the Zone Matrix where the Source and Destination Zones the policy would use intersect and select Create Policy. 

    Doing it this way will select the Source and Destination Zones for the new policy automatically. 

     
  4. Give the new policy an identifiable name, such as "SpectrumVoIP".
  5. In the Source Zone section, select External.
  6. Select IP.

     

Step 2: Create an Address Group

In the Source Zone section of the policy, it will prompt you to select an Address Group, which will need to be created. This new Address Group would define the IP addresses used by SpectrumVoIP services.

To create an Address Group for the Source Zone…

  1. Select Object.
  2. Click the New hyperlink.
  3. In the New Object menu, click Add Multiple.
  4. Type in the following IP addresses:
    • 199.71.209.0/24
    • 24.227.249.0/25
    • 72.249.136.32/28
    • 206.123.122.32/27
    • 212.69.157.32/27
    • 40.143.31.64/27
    • Text To Speech Services - TCP and UDP
      • 54.149.243.27:8000
      • 35.175.185.150:8000
      • 54.149.243.27:3001
      • 35.175.185.150:3001
    • StratusMEETING - TCP and UDP
      • 54.188.133.147:3443
      • 3.130.158.184:3443
      • 35.183.150.146:3443
  5. Click the Add button.
  6. In the New Object menu, click the Create button.

 

Step 3: Create a Port Group

The Port section of the policy will ask you to select a Port Group.

To have the policy manage the different ports the traffic of SpectrumVoIP services will need to traverse, a Port Group will need to be created. To do so…

  1. In the Port section, select Object.
  2. Click the New hyperlink.
  3. In the New Object menu, type an identifiable Name, such as VoIP Ports.
  4. In the Port section, input the following ports:
    • Main Utilized Ports
      • 5060-5062 UDP - SIP
      • 20,000-40,000 UDP - RTP
      • 80, 443 TCP - HTTP/HTTPS
    • Portal Dynamic Updates
      • 8001 - TCP
    • Google's Firebase Cloud Messaging (FCM)
      • 443, 5228, 5229, 5230 - TCP
    • Apple's Push Notification Service (APNs)
      • 5223, 443, 2197 - TCP
    • StratusWEB PHONE
      • 9002 - TCP - websockets
  5. Click the Create button.

 

Step 4: Finish Configuring the Source Zone

Now that an address group and port group have been created, they can be selected to finish setting up the Source Zone section of the new policy. 

  1. In the Source Zone section, make sure the following is selected:
    • Zone - Select External.
    • Source - Select IP.
    • Address Group - Select Object and the VoIP Address Group that was created.
    • Port - Select Object and the VoIP Port Group that was created.
  2. In the Action section, select Allow.

 

Step 5: Configure the Destination of the Policy

Now that the Source Zone settings have been adjusted, the Destination Zone section of the policy will need to be set up as well so that the UniFi gateway knows how to handle traffic from the Source Zone. 

  1. For the Destination Zone, select the zone the phones are connected to.

    Note: If you have created a VLAN for your desk phones and it is located in a different zone, the Destination Zone has to be set as that zone.

    For example… If your network has a VLAN for the phones in the Internal zone, the Destination Zone would be set as Internal. 

     
  2. In the Port section, select Object and the VoIP Port Group that was created.
  3. In the IP Version section, select IPv4.
  4. In the Protocol section, select TCP/UDP. 
  5. In the Connection State section, select All. 
  6. In the Schedule section, select Always. 

 

Method 2: Create an Individual Rule

If you prefer to configure your own rules for your firewall without zones, you can still do so. To ensure your SpectrumVoIP devices and services work as intended, you should create an additional rule that allows ingress traffic from the IP addresses used by our services.

Step 1: Start Configuring a New Rule

To create a new rule for your UniFi router…

  1. Access your UniFi's web interface.
  2. Navigate to Settings → Security.
  3. Create a new rule.
  4. In the top section, do the following:
    • Type - Select Internet In.
    • Name - Type an identifiable name, such as SpectrumVoIP.
    • Action - Select Accept.
    • Protocol - Select TCP and UDP.

 

Step 2: Create an Address Group

For the Source section, an Address Group and Port Object will need to be created to ensure the IP addresses and ports used by SpectrumVoIP services are allowed.

  1. For the Address Group option of the Source section, click New.
  2. In the New Object menu, click Add Multiple.
  3. Type in the following IP addresses:
    • 199.71.209.0/24
    • 24.227.249.0/25
    • 72.249.136.32/28
    • 206.123.122.32/27
    • 212.69.157.32/27
    • 40.143.31.64/27
    • Text To Speech Services - TCP and UDP
      • 54.149.243.27:8000
      • 35.175.185.150:8000
      • 54.149.243.27:3001
      • 35.175.185.150:3001
    • StratusMEETING - TCP and UDP
      • 54.188.133.147:3443
      • 3.130.158.184:3443
      • 35.183.150.146:3443
  4. Click the Add button.
  5. In the New Object menu, click the Create button.

 

Step 3: Create a Port Group

To allow traffic for SpectrumVoIP services to traverse the ports they need, a Port Group will need to be created. To do so…

  1. For the Port Object option of the SOURCE section, click New.
  2. In the New Object menu, type an identifiable Name, such as VoIP Ports.
  3. In the Port section, input the following ports:
    • Main Utilized Ports
      • 5060-5062 UDP - SIP
      • 20,000-40,000 UDP - RTP
      • 80, 443 TCP - HTTP/HTTPS
    • Portal Dynamic Updates
      • 8001 - TCP
    • Google's Firebase Cloud Messaging (FCM)
      • 443, 5228, 5229, 5230 - TCP
    • Apple's Push Notification Service (APNs)
      • 5223, 443, 2197 - TCP
    • StratusWEB PHONE
      • 9002 - TCP - websockets
  4. Click the Create button.

 

Step 4: Finish Configuring the Source of the Rule

Once you have created the “VoIP” Address Group and the “VoIP Object” Port Object, be sure to select these in the Source section of the new rule. 

 

Step 5: Set the Destination of the Rule

Now that the Source of the rule has been set up, the Destination of the rule will need to be configured so that the UniFi gateway knows how to handle traffic from the Source.

  1. In the Destination section, use the Network dropdown to select the network or VLAN the phones will be connected to.
  2. Click the Add Rule button.

    ✔ You should now see a new Rule created that will protect SpectrumVoIP traffic.
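Once the policy (Method 1) or rule (Method 2) is in place, inbound flows can be compared against the same Address Group and Port Group to see which ones the allow rule is meant to cover. The following is an added example, not SpectrumVoIP or Ubiquiti code: it loads the addresses and ports listed in this article and classifies flows by source address and source port, since the rule selects the Port Group in its Source section. The log format and log lines are constructed, and treating the number after a colon as that host's service port is an assumption.

```python
import ipaddress

# Address Group entries as listed in this article (host:port lines included).
ADDRESS_ENTRIES = """
199.71.209.0/24 24.227.249.0/25 72.249.136.32/28
206.123.122.32/27 212.69.157.32/27 40.143.31.64/27
54.149.243.27:8000 35.175.185.150:8000 54.149.243.27:3001 35.175.185.150:3001
54.188.133.147:3443 3.130.158.184:3443 35.183.150.146:3443
""".split()

# Port Group entries from this article, as inclusive (low, high) ranges.
PORT_RANGES = [(5060, 5062), (20000, 40000), (80, 80), (443, 443), (8001, 8001),
               (5228, 5230), (5223, 5223), (2197, 2197), (9002, 9002)]

def build_allowlist(entries):
    """Split entries into networks plus the service ports tied to single hosts."""
    nets, host_ports = set(), {}
    for entry in entries:
        addr, _, port = entry.partition(":")
        net = ipaddress.ip_network(addr, strict=True)  # raises if host bits are set
        nets.add(net)
        if port:
            host_ports.setdefault(net, set()).add(int(port))
    return nets, host_ports

def address_count(nets):
    """Number of source addresses the allow rule trusts."""
    return sum(n.num_addresses for n in nets)

def classify(src, spt, nets, host_ports):
    """Compare one flow's source address and source port with the allow-list."""
    ip = ipaddress.ip_address(src)
    hit = next((n for n in nets if ip in n), None)
    if hit is None:
        return "unlisted-source"
    if any(lo <= spt <= hi for lo, hi in PORT_RANGES) or spt in host_ports.get(hit, ()):
        return "expected"
    return "listed-source-unexpected-port"

# Constructed log lines in a simplified key=value format (not UniFi's own format).
SAMPLE_LOG = """\
src=199.71.209.14 spt=5060 proto=udp
src=203.0.113.50 spt=5060 proto=udp
src=54.149.243.27 spt=8000 proto=tcp
src=40.143.31.70 spt=22 proto=tcp
"""

def audit(log_text):
    """Return (source, verdict) for every flow in the log text."""
    nets, host_ports = build_allowlist(ADDRESS_ENTRIES)
    results = []
    for line in log_text.splitlines():
        f = dict(kv.split("=", 1) for kv in line.split())
        results.append((f["src"], classify(f["src"], int(f["spt"]), nets, host_ports)))
    return results
```

Flows reported as `unlisted-source` fall outside the Address Group and should not be matched by the SpectrumVoIP allow rule; `listed-source-unexpected-port` marks traffic from a listed address on a port this article does not name.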

     

 


UniFi Access Points and Switches

By default, UniFi access points and switches automatically map the DSCP value to a Wi-Fi Multimedia (WMM) priority. Voice is then automatically given the highest priority on these devices, so no further changes are needed.
