Setup Behind Router - Consistent Nat

Need extra help installing your Ooma Hub or Telo system? Let us know.
Post Reply
Posts: 1
Joined: Thu Oct 29, 2009 11:53 pm

Setup Behind Router - Consistent Nat

Post by sleepmassa » Fri Oct 30, 2009 12:20 am

I hooked up my new Ooma Telo behind my router.
Everything worked except me being able to hear other party. They could hear me.
I had my vonage hooked up in same way and it was working.
After i enabled (on my router) "consistent nat" it worked perfectly.

I would rather not have consistent nat enabled. Are there certain ports i can open up and get this to work in another way?
I saw in my router logs that the public ip address of ooma was trying to connect through my wan port via udp 3480 and udp 1303 and was getting dropped. I tried to open these ports to no avail.

For the record what ports does Ooma use for outgoing and incoming?
Do i need to route certain packets to my Ooma telo?

Dante R

Re: Setup Behind Router - Consistent Nat

Post by Dante R » Fri Oct 30, 2009 10:38 am

Service Ports

ooma uses the following application ports for outbound data and voice traffic:
UDP 53, UDP 123, UDP 514, UDP 1194,UDP 3386, UDP 3480, UDP 10000-20000, TCP 53 and TCP 443.

Posts: 3
Joined: Sun Feb 14, 2010 2:14 pm

Re: Setup Behind Router - Consistent Nat

Post by noxid8 » Sat Mar 13, 2010 3:53 pm

Did you get this going without consistent NAT? I have a SonicWall also and only can get it to work by enabling consistent NAT. I tried setting up NAT policy for the ooma device to use UDP 53, UDP 123, UDP 514, UDP 1194,UDP 3386, UDP 3480, UDP 10000-20000, TCP 53 and TCP 443. Even with those ports mapped to the ooma I still can't hear anyone unless I turn consistent NAT back on.

Posts: 348
Joined: Fri Jan 22, 2010 6:22 am

Re: Setup Behind Router - Consistent Nat

Post by sfhub » Sat Mar 13, 2010 10:46 pm

Consistent NAT deals with the way your SonicWall router *changes* the *source* port used by Ooma during the NAT process of converting internal IP to external IP. It isn't dealing with a firewall issue of opening ports. It is dealing with a NAT issue of port translation so opening ports will not help.

If you don't have it enabled, SonicWall will constantly change the source port used by an Ooma request, even if the source port hasn't changed. This probably breaks some part of Ooma communication process.

I doubt you will get it working without Consistent NAT unless there are changes made by Ooma (assuming it is possible to avoid the problem) to allow it to work.

What is your concern with leaving Consistent NAT turned on?

Posts: 3
Joined: Sun Feb 14, 2010 2:14 pm

Re: Setup Behind Router - Consistent Nat

Post by noxid8 » Sun Mar 14, 2010 3:40 pm

Using consistent NAT causes a slight decrease in security. Most UDP-based applications are compatible with traditional NAT and don't need consistent NAT so hopefully ooma can fix it in the future. I hope they fix the need to press one to receive a forwarded calls first though :-).


Posts: 18
Joined: Sun Dec 06, 2009 10:29 am

Re: Setup Behind Router - Consistent Nat

Post by ifican » Mon Mar 15, 2010 5:26 pm

Consistent NAT is not a security risk, other then someone telling you it is. Have this someone give you a technical reason why consistent NAT is a security risk and why you should'nt use it.

Posts: 2
Joined: Sat Jun 08, 2013 6:10 am

Configuring a SonicWall for Ooma

Post by KCOtreau » Sat Jun 08, 2013 6:55 am

I wanted to post about getting an Ooma device working behind a SonicWall since I know some people have had some problems. Frankly, I never see the Standard OS anymore, so this is for the Enhanced OS.

I have been using SonicWalls for all my customers since about 1998, so I have a lot of experience with them. Recently, my personal TZ190’s WAN port died. I reconfigured it to temporarily use the OPT port, but I was not sure I could trust it anymore, so I picked up a new Pro 2040 on eBay (cheap, YEAH!). I configured it, but my Ooma flashed red.

You can probably skip this step for now, but I will include it just in case the next NAT Policy step is not enough, or you are very particular as I am. I have always had my Ooma set to a static IP on my network, so I created a custom host “Address Object” called Ooma_Phone (Network>Address Objects>Custom Address Objects>Add). This is probably not strictly necessary, but due to the specifics of my network, I created a LAN>WAN rule specifically allowing the source I just created, Ooma_Phone, a destination of “any” with a service of “any” (Firewall>Access Rules>All Rules>Add). At this point, it still flashes red, so if the step below does not work, then I would come back and make sure I did this too.

The key to making the Ooma work is to create this custom NAT Policy (Network>NAT Policies>Custom Policy>Add): Original Source “Any”, Translated Source “WAN Primary IP”, Original Destination “Any”, Translated Destination “Original”, Original Service “Any”, Translated Service “Original”, Interface Inbound “LAN” (or “X0” for some), Interface Outbound “WAN” (or “X1” for some). Check “Enable NAT Policy”. You should be flashing blue now. This is the key, and I did not have to open ANY ports coming into my network (i.e., no WAN>LAN Access Rules). This only allows connections allowed out to find their way back in.

Although I have a new Ooma Telo sitting in a box, I am still using my Ooma Hub. I don’t believe it will make a difference, but I will post back if I need to make any changes when I go to the Telo.

Good luck,

Kevin Cotreau

Post Reply