Configuring a Draytek 2820 Firewall


This document describes the configuration of a Draytek 2820 for use with ECLOUD Phone System. We will look into the NAT configuration necessary for ECLOUD Phone System and the QoS configuration to prioritize SIP and RTP traffic. This guide is based on firmware version 3.3.3, dated 23 October 2009.

Note: We cannot assist you in the configuration of your firewall.

Configuring a Draytek 2820 Firewall with 3CX

Step 1: Disable SIP ALG

You first need to disable SIP ALG on your Draytek Router by following the steps outlined below:

  1. Open a Command Prompt and telnet to the Draytek router by typing the following command:
     telnet IP-Vigor_Router
  2. Enter the following two commands to disable the SIP ALG Handler on the device:
     sys sip_alg 0
     sys commit
  3. If you are using model Vigor2750 or Vigor2130, instead use the following commands:
     kmodule_ctl nf_nat_sip disable
     kmodule_ctl nf_conntrack_sip disable
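
One way to confirm that Step 1 took effect, as an added example (not part of the original guide or of any Draytek or ECLOUD tooling): compare a SIP message as the PBX sent it with the copy captured on the WAN side of the router. Plain NAT changes only the IP/UDP headers, so any difference in the Via, Contact or SDP address fields means the ALG is still rewriting payloads. The messages, addresses and function names below are constructed for illustration.

```python
import re

# Address-bearing SIP header fields and SDP lines that a SIP ALG typically rewrites.
PATTERNS = {
    "Via": re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^;\s]+)", re.I | re.M),
    "Contact": re.compile(r"^Contact:.*?<sips?:(?:[^@>]+@)?([^;>]+)", re.I | re.M),
    "SDP o=": re.compile(r"^o=\S+ \S+ \S+ IN IP4 (\S+)", re.M),
    "SDP c=": re.compile(r"^c=IN IP4 (\S+)", re.M),
    "SDP m=": re.compile(r"^m=audio (\d+)", re.M),
}

def address_fields(message):
    """Return the address or port carried by each field present in one SIP message."""
    text = message.replace("\r\n", "\n")
    return {name: m.group(1) for name, rx in PATTERNS.items() if (m := rx.search(text))}

def alg_rewrites(sent, received):
    """List (field, sent_value, received_value) for every field altered in transit."""
    a, b = address_fields(sent), address_fields(received)
    return [(name, a[name], b.get(name)) for name in a if a[name] != b.get(name)]

# Constructed sample: INVITE as sent by a PBX at 192.168.1.10 (assumed LAN address).
SENT = "\r\n".join([
    "INVITE sip:100@sip.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK776asdhds",
    "From: <sip:200@sip.example.net>;tag=1928301774",
    "To: <sip:100@sip.example.net>",
    "Call-ID: a84b4c76e66710@192.168.1.10",
    "CSeq: 1 INVITE",
    "Contact: <sip:200@192.168.1.10:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=pbx 1 1 IN IP4 192.168.1.10",
    "s=call",
    "c=IN IP4 192.168.1.10",
    "t=0 0",
    "m=audio 9000 RTP/AVP 0 8",
    "",
])

# Constructed WAN-side copy: what the same INVITE looks like if an ALG rewrote it.
REWRITTEN = (SENT.replace("192.168.1.10:5060", "203.0.113.5:61002")
                 .replace("c=IN IP4 192.168.1.10", "c=IN IP4 203.0.113.5")
                 .replace("m=audio 9000", "m=audio 61004"))

if __name__ == "__main__":
    for field, before, after in alg_rewrites(SENT, REWRITTEN):
        print(f"{field}: {before} -> {after}  (payload rewritten: ALG still active)")
    print("unmodified copy:", alg_rewrites(SENT, SENT) or "no rewrites, ALG disabled")
```

To use it on real traffic, paste the text of the same request from a LAN-side and a WAN-side packet capture in place of the two sample strings.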

Step 2: Configure Port Forwarding (NAT)

  1. Browse to the Router’s Web Interface (default IP address is
  2. Go to the “NAT > Open Ports” menu item.


  3. Go to the first free position in the “Open Port” menu, and configure as follows:
  • Ensure the “Enable Open Ports” checkbox is enabled
  • Set the “Comment” field value to “ECLOUD”
  • Set the “WAN Interface” field to “WAN1”
  • Set the “Local Computer” field to the assigned IP address of the ECLOUD machine (in this example
  • Each line is used to open a single port or port range and set the protocol. Open all ports required by ECLOUD. For an up-to-date list of the ports that must be open, check here.
  4. Click on the “OK” button at the bottom of the page. This will send you back to the “Open Ports” summary page.


Step 3: QOS Configuration – Bandwidth Management

  1. Browse to the Router’s Web Interface (the device’s default IP address is


  2. Go to the “Bandwidth Management > Quality of Service” menu item.
  3. Click the “Edit” link in the “Service Type” column.
  4. For each port and port range your ECLOUD installation uses, fill in the following fields. Add:
  • “Service Name”: use a suitable name to denote what this port is used for.
  • “Service Type”: TCP and/or UDP depending on the port you are opening.
  • “Type”: Single or Range
  • “Port Number”: the service port number or range to add
  5. Repeat step 4 for all ports used by your ECLOUD installation.

Note: An updated list of the default ports used by ECLOUD can be found here.

Step 4: Creating a Class Rule

  1. Click on the “Edit” link in the “Class 1” row in the “Rule” column
  2. Set the “Name” field to “ECLOUD VoIP”
  3. Click on the “Add” button
  4. Set the:
  • “ACT” field to enabled
  • “Local Address” field to the IP address of the PBX machine (in this example
  • Ensure the “Remote Address” field is set to “Any”
  • Ensure the “DiffServ CodePoint” field is set to “Any”
  • In “Service Type” add one of the service types you created in Step 3.
  5. Click the “OK” button
  6. Repeat steps 1-5 for all services created in Step 3.
  7. When finished click on the “OK” button to save the Class Rule.

Step 5: Assign a Priority Level

Now we need to instruct the router to assign a priority level to traffic of class “ECLOUD VoIP”.

  1. In “Bandwidth Management” → “Quality of Service” click on the “Setup” link on the “WAN1” row.
  2. Check the “Enable the QoS Control” checkbox, and set the traffic direction to “BOTH”
  3. Set the “Reserved_bandwidth Ratio” field for traffic of class “ECLOUD VoIP” to 70%
  4. Set the “Reserved_bandwidth Ratio” field for traffic of Class 2 and Class 3 to 10%
  5. Click on the “OK” button to complete the configuration

Note: The “Reserved_bandwidth Ratio” percentage does not reserve bandwidth at all times, but only when other traffic types are competing with the “ECLOUD VoIP” class traffic for bandwidth.

Step 6: Validating Your Setup

Log into your ECLOUD Management Console → Dashboard → Firewall and run the ECLOUD Firewall Checker. This will validate whether your firewall is correctly configured for use with ECLOUD.

Users of Draytek VoIP Models

If you have a Draytek VoIP model you also need to perform the following steps in addition to the steps described above to enable it to work with ECLOUD Phone System:

  1. Log in to your Draytek Router’s Web Interface
  2. Select “VoIP” and then click on “SIP Accounts” in the Draytek Management Console
  3. Change the SIP port in “VoIP” to something other than 5060

Note: All SIP account ports should be changed.

  4. Press “OK” to save your changes.

When you finish modifying all your accounts, restart your Draytek Router.