
SIP Trunking and Firewall Settings

You’ll want the correct firewall settings for the best quality voice calls. Not having them could threaten the quality of the call and your security. What you’ll need are a firewall and high-quality SIP trunking.

You’ll also need a solid setup to get your calls to come through. Your router and/or firewall could be causing connection issues. Take care of problems with SIP trunking by troubleshooting those devices.

Learn more about SIP trunking, finding a cheap SIP trunk, and SIP trunk providers below!

Better than NATing

Your network’s endpoints should all connect through a central router. Every router comes with an IP address that your Internet Service Provider assigns. To reach the Internet, your endpoint’s traffic must travel through that IP address.

Network Address Translation (NAT) works well for sending email and internet searches. Your router assigns an internal address to each device. This allows it to know where information is being sent to and received from.

But for the two-way connections required for SIP trunking, it’ll cause issues.

SIP trunking lets the two parties exchange the parameters for a connection. An example is the IP address where a call’s audio should be sent. The trouble is that an internal private IP address is hard to route from the outside.

The returning communication doesn’t know where to go once it comes back from the opposite end. An example is when someone can hear you, but you can’t hear them on the phone. One-way audio calls are beyond frustrating.

Stronger than SIP ALG

SIP Application-Level Gateway (ALG) is usually enabled by default. It’s designed to change SIP packets after first retrieving the connection information they carry.

It replaces the private address with your public address. Then the router forwards the returning communication to the private address. This process is known as packet mangling.

But here’s the issue: the SIP standards are often poorly implemented. SIP ALG helps with outgoing calls, but it’s not the best for incoming calls. Endpoints registered with a SIP proxy still have to maintain a connection.

The messages that do this are called “keep-alives,” and they only function with a NATed endpoint. When the SIP ALG rewrites the request, the NAT goes undetected.

The SIP ALG could also break SIP signals.

Many commercial routers fail to modify SIP headers properly. Replacing the endpoint’s private IP address with the public IP address can be a problem. The router must keep a record of which private IP and port to direct the returning communication towards.

When the router fails to create or keep these records, which are necessary for a SIP call, the signal and the media are dropped, resulting in a one-way audio call. And though an ALG can sometimes rewrite wrong ports, the return communications could still get lost.
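The failure described above can be confirmed from two packet captures. This is an added example, not code from the original page: a Python sketch that compares a SIP INVITE as the phone sent it with the copy seen upstream; both messages, their addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PATTERNS = {  # where the message says signalling and audio should be sent
    "via": r"^Via:\s*SIP/2\.0/\w+\s+([^;\s]+)",
    "contact": r"^Contact:.*?@([^>;\s]+)",
    "sdp_addr": r"^c=IN IP4 (\S+)",
    "rtp_port": r"^m=audio (\d+)",
}

# Constructed sample: an INVITE as the phone sent it, private addresses inside.
SENT = (
    "INVITE sip:15551230000@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "Contact: <sip:1001@192.168.1.50:5060>\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.1.50\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "m=audio 46750 RTP/AVP 0\r\n"
)
# Constructed sample: same INVITE upstream; the ALG rewrote Via/Contact, not the SDP.
RECEIVED = SENT.replace("UDP 192.168.1.50:5060", "UDP 203.0.113.7:1024").replace(
    "1001@192.168.1.50:5060", "1001@203.0.113.7:1024")

def sip_fields(msg):
    """Extract the advertised addresses from one SIP message with an SDP body."""
    hits = {k: re.search(p, msg, re.M | re.I) for k, p in PATTERNS.items()}
    return {k: m.group(1) if m else None for k, m in hits.items()}

def is_rfc1918(hostport):
    """True if the host part is a private IPv4 literal (hostnames return False)."""
    try:
        addr = ipaddress.ip_address(hostport.split(":")[0])
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)

def diagnose(sent, received):
    """Compare a message as sent with the copy captured upstream."""
    s, r = sip_fields(sent), sip_fields(received)
    findings = []
    changed = [k for k in s if s[k] != r[k]]
    if changed:  # plain NAT only touches IP/UDP headers, never the SIP payload
        findings.append("payload rewritten in transit (ALG suspected): " + ", ".join(changed))
    if r["sdp_addr"] and is_rfc1918(r["sdp_addr"]):
        findings.append("SDP advertises private address " + r["sdp_addr"] + ": expect one-way audio")
    return findings
```

Calling `diagnose(SENT, RECEIVED)` on the constructed pair reports both the rewritten headers and the private address left in the SDP body.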

Know Your Firewall Settings

Many firewalls use complex techniques in concert. Troubleshooting when an issue pops up doesn’t have to be as complex. If you run into issues using your router, try the following methods:

Digitcom SIP Trunks

  • Forward outside traffic on port 5060 (UDP/TCP) to the IP Office IP address.
  • Port forwards on your firewall must be restricted to Digitcom’s IP subnets 199.175.43.0/24 and 45.42.27.0/24. This prevents unauthorized access from outside internet IP addresses.
  • For audio, open the RTP ports; the default IP Office ports are 46750-50750. You may also check for audio ports via your PBX.
  • Ensure that no SIP inspection or SIP Transformations are enabled. Whether these options exist depends on your firewall.
  • Shut off the Application Layer Gateway (ALG).
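An added example, not Digitcom’s own tooling: a Python check that audits a list of port-forward rules against the requirements above. The rule tuples are constructed sample data, and the rule format and the `audit` function are assumptions made for illustration.

```python
import ipaddress

# Values taken from the list above.
TRUNK_NETS = [ipaddress.ip_network(n) for n in ("199.175.43.0/24", "45.42.27.0/24")]
SIP_PORT = 5060
RTP_FIRST, RTP_LAST = 46750, 50750

# Constructed sample rules: (name, protocol, source CIDR, first port, last port)
RULES = [
    ("sip-trunk-a", "udp", "199.175.43.0/24", 5060, 5060),
    ("sip-trunk-b", "udp", "45.42.27.0/24", 5060, 5060),
    ("sip-legacy", "udp", "0.0.0.0/0", 5060, 5060),
    ("rtp", "udp", "0.0.0.0/0", 46750, 49999),
]


def audit(rules):
    """Return findings for SIP forwards open too widely and RTP ports not forwarded."""
    findings = []
    open_udp = set()
    for name, proto, src, first, last in rules:
        src_net = ipaddress.ip_network(src)
        # A SIP forward is acceptable only if its source sits inside a trunk subnet.
        if first <= SIP_PORT <= last and not any(src_net.subnet_of(n) for n in TRUNK_NETS):
            findings.append(f"{name}: port {SIP_PORT} reachable from {src}, outside the trunk subnets")
        if proto == "udp":
            open_udp.update(range(first, last + 1))
    missing = [p for p in range(RTP_FIRST, RTP_LAST + 1) if p not in open_udp]
    if missing:
        findings.append(f"RTP ports {missing[0]}-{missing[-1]} include ports that are not forwarded")
    return findings
```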

Cisco Firewall

Use the following commands:

  • no ip nat service allow-sip-even-rtp-ports
  • no ip nat service sip tcp port 5060
  • no ip nat service sip udp port 5060

The following Cisco Firewall information is sourced from the Routers SIP ALG.

Sonic Firewall

For a Sonic Firewall, use the following settings:

  • Disable SIP Transformations
  • Check inbound firewall/NAT rules on the SIP ports you need
  • Disable Consistent NAT and create NAT policies for traffic

Fortinet

Usually, you can find two VoIP profiles for Fortinet firewalls. Try disabling both profiles to disable ALG. Type these commands:

  • config voip profile
  • edit VoIP_Pro_2
  • config sip
  • set status disable
  • end
  • end

Not every operating system has a built-in firewall, either. Those like Windows and macOS already have firewalls installed, which makes troubleshooting them different from those listed above.

There are third-party firewalls available. Those like Norton Personal Firewall and McAfee Personal Firewall have free version packages.

Other Troubleshooting

With a functional SIP ALG, there are hardly any worries. When an active ALG works, you’ll know from your calls’ success rate. But if you’re experiencing many dropped calls or one-way audio calls, SIP ALG can be to blame.

Here are two go-to fixes for issues with a cheap SIP trunk:

Turn Off the SIP ALG:

Disabling SIP ALG eliminates a lot of the problems. Each router has its own settings configurations. Log into the router configuration interface to deactivate SIP ALG.

There should be a simple toggle to turn it on and off. If you don’t see it, find your guide for disabling your router’s SIP ALG.

Getting around SIP ALG:

Don’t stress if you cannot disable your SIP ALG yourself. Some ALGs will only find the SIP signals on the default port, 5060. Use a SIP trunk provider that allows you to use 5160 as an alternative to bypass broken SIP ALGs.

Bottom Line

Having the best firewall settings not only protects you but will save you a lot of frustration. Some of the biggest issues with improper SIP trunking are the materials used and their functionality. You can increase your odds of successful connections by knowing the right SIP ports for your router.

You might be able to troubleshoot issues with your firewall settings on your own. Most SIP trunk providers have either comprehensive guides for routers or a 24-hour call center.

Before you attempt to configure which ports need to be open, re-review this guide on SIP trunks. Browse our other blog posts to learn more and contact us when you’re ready for your next best SIP trunk provider!