Security and Firewalls

Firewall Rules

The list below is a set of suggested firewall rules that improve the performance of Voice Over Cloud through firewalls and corporate routers.

Whitelist IPs

We strongly suggest avoiding any packet inspection on traffic coming from these IPs:

  • 103.135.87.3

  • 103.135.87.14

  • 103.135.87.35

The reason is that voice traffic can create a lot of network noise, and firewalls can treat that as suspicious.

QoS (Bandwidth Reservation)

Although the traffic is deemed high priority when it leaves our network, it may not arrive at your network in the same way. This is out of our control and is determined by your ISP or their upstream providers. As such, we recommend reserving some bandwidth on your router to ensure traffic flows in each direction even under high load.

The recommended setting is 100kbps for both upload and download per user. E.g. if you have 10 users, we recommend reserving 1Mbps in each direction.

What is SIP ALG?

SIP ALG, or Session Initiation Protocol Application Layer Gateway, is a tool that some networks use to speed along SIP requests to initiate connections.

This tool involves rewriting the packet headers of SIP requests that pass through the router out to the internet. For some services, this tool may be useful.

Still, for many VoIP providers, the rewritten SIP packet header strips out information that is necessary to securely authorize the device making the connection.

More importantly, it responds directly to the device that is requesting the connection. This feature can lead to some of the most common issues that customers have with VoIP — phones losing connection, dropped calls, and one-way audio.

SIP ALG modifies SIP packets in unexpected ways, corrupting them and making them unreadable. This can give you unexpected behaviour, such as phones not registering and incoming calls failing. Therefore if you are experiencing problems we recommend that you check your router settings and turn SIP ALG off if it is enabled.
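
As an added example (not part of the original guide or of any vendor tooling), the Python below shows one way to confirm that a router is rewriting SIP: compare a REGISTER as the phone sent it with the same REGISTER captured on the WAN side of the router. The two messages, their addresses and the choice of Via and Contact as the watched headers are assumptions made for illustration.

```python
# Added example: spot SIP ALG rewriting by comparing a REGISTER as the phone
# sent it with the same REGISTER as captured on the far side of the router.
# Both messages are constructed samples; all addresses are documentation values.

SENT = (
    "REGISTER sip:pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bKabc123;rport\r\n"
    "From: <sip:1001@pbx.example.com>;tag=a1\r\n"
    "To: <sip:1001@pbx.example.com>\r\n"
    "Call-ID: 7f3c@192.168.1.50\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:1001@192.168.1.50:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
# The same request after a router with SIP ALG enabled (constructed).
RECEIVED = SENT.replace("192.168.1.50:5060", "203.0.113.7:1024")

# RFC 3261 compact header names mapped to their long form.
COMPACT = {"v": "via", "m": "contact", "i": "call-id"}
# Assumption: these are the headers an ALG most often rewrites.
WATCHED = ("via", "contact")


def parse_headers(msg):
    """Return {header_name: [values]} for one SIP message, names lower-cased."""
    head = msg.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # first line is the request line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    return headers


def alg_rewrites(sent, received):
    """List (header, sent_values, received_values) for watched headers that differ."""
    s, r = parse_headers(sent), parse_headers(received)
    return [(h, s.get(h), r.get(h)) for h in WATCHED if s.get(h) != r.get(h)]


if __name__ == "__main__":
    for header, before, after in alg_rewrites(SENT, RECEIVED):
        print(f"{header}: {before} -> {after}")
```

Plain NAT changes only the IP and UDP headers, so any difference reported here means something on the path is editing the SIP payload itself.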


How do I turn off SIP ALG?

Most home/residential routers have a web interface. Typically this is at 192.168.1.1, but you can check your default gateway by typing ipconfig in the Windows command prompt or ifconfig on Linux systems from any connected device on the same LAN.
If your router does not have a web interface you will most likely need a Telnet client to login.

Asus Routers

Disable the option SIP Passthrough under Advanced Settings / WAN -> NAT Passthrough.
If your router doesn’t have this option, SIP ALG may be disabled via Telnet:

nvram get nf_sip
(It should return a “1”)
nvram set nf_sip=0
nvram commit
Reboot

AVM Fritz!Box

SIP ALG cannot be disabled. (See above on how to get around this)

Barracuda Firewalls

Go to Firewall > Firewall Rules > Custom Firewall Access Rules
Click the “Disabled” check box next to any rules named LAN-2-INTERNET-SIP and INTERNET-2-LAN-SIP
This disables SIP ALG.

Billion

Navigate to the web interface
-> Select Configuration
-> Select NAT
-> Select ALG
-> Disable SIP ALG

BT (Homehubs)

SIP ALG cannot be disabled in the settings of BT HomeHubs but can be disabled with BT Business Hub versions 3 and higher.

D-Link

In ‘Advanced’ settings –> ‘Application Level Gateway (ALG) Configuration’ un-tick the ‘SIP’ option.

DD-WRT

No ALG function available – Consider using a public STUN server

DrayTek

On DrayTek Vigor 2760 devices, the option can be found in the regular interface at Network -> NAT -> ALG.

If your device does not have a web interface then you’ll need a telnet client.

You will be prompted to provide a username and/or password. These are the same credentials used to access the router’s web interface.

Afterwards, type in these commands:

sys sip_alg 0
sys commit

On Draytek Vigor2750 and Vigor2130 please use these commands instead:

kmodule_ctl nf_nat_sip disable
kmodule_ctl nf_conntrack_sip disable

EE

Huawei E5330

Navigate to the web interface
Click Settings.
Enter the required username and password, then click Log In.
Note: The default username and password is admin.
Click the Security dropdown.
Click SIP ALG Settings.
Untick the Enable SIP ALG box.
Click Apply.

Fortinet

Fortigate:

Disabling the SIP ALG in a VoIP profile
SIP is enabled by default in a VoIP profile. If you are just using the VoIP profile for SCCP you can use the following command to disable SIP in the VoIP profile.

config voip profile
  edit VoIP_Pro_2
    config sip
      set status disable
    end
end

Huawei

The SIP ALG setting is usually found in the Security menu.

  1. Vodafone / Huawei (HHG2500)

  2. TalkTalk / Huawei (HG633)

  3. EE / Huawei (E5330)

Juniper

Type the following into the CLI.
To check whether SIP ALG is currently enabled or disabled, run:

show security alg status | match sip

To disable, run:

configure
set security alg sip disable
commit

Linksys:

Check for a SIP ALG option in the Administration tab under ‘Advanced’.
You should also disable the SPI Firewall option.

Mikrotik

Disable SIP Helper.

Netgear

Look for a ‘SIP ALG’ checkbox in ‘WAN’ settings.

Under ‘NAT Filtering’ uncheck the option ‘SIP ALG’
Port Scan and DoS Protection should also be disabled.
Disable STUN in VoIP phone’s settings.

Speedtouch

To disable SIP ALG you need to telnet into your Speedtouch router and type the following:

-> connection unbind application=SIP port=5060
-> saveall

TalkTalk

2017/18 See Huawei (HG633)

  1. Navigate to the web interface

  2. Select ‘Port Forwarding’ from the menu

  3. Uncheck SIP-ALG from the ALG section at the bottom of the page.

Technicolor / Thomson
TG588 TG589 TG582

Open Command Prompt – “Start” → “Run” → type “cmd” and press “Enter”.
In Command Prompt, type “telnet 192.168.1.254” and press enter. 192.168.1.254 is the default IP address of the router. If you are running on Windows 7/8/8.1/10, you might need to install the telnet client from “Control Panel” → “Programs and Features” → “Turn Windows features on and off”.
The default username is “Administrator”, and there is no default password, leave blank.
Type “connection unbind application=SIP port=5060” and press “Enter”.
Type “saveall” and press “Enter”.
Type “exit” and press “Enter” to exit the telnet session.

Tomato

Depending on the version of Tomato, SIP ALG can be found under Advanced then Conntrack/Netfilter in the Tracking/NAT Helpers section. If you find SIP checked then SIP ALG is enabled. Uncheck it to disable it.

TP-Link

Navigate to your router’s web interface.
The default username is admin and the default password is admin.
On the left, click on Advanced Setup and then click on NAT and then click on ALG.
Uncheck the box by SIP Enabled. (Some TP firmware shows this as SIP Transformations which is the same thing).
Click Save/Apply.

UBEE Gateways

Go to Advanced > Options.
Disable (uncheck) SIP.
Disable (uncheck) RTSP.
Click Apply.

Ubiquiti

Use the configuration tree if supported: system -> conntrack -> modules -> sip -> disable

Alternatively, you can SSH into the device and run the following commands:

configure
set system conntrack modules sip disable
commit
save
exit

Virgin SuperHub

SIP ALG cannot be disabled in the settings of SuperHubs.
Please see our workarounds at the top of the page.

Vodafone

2018 Onwards – See Huawei (HHG2500)

Vyatta / Brocade:

Type the following into the CLI

configure
set system conntrack modules sip disable
commit
save
exit

Watchguard Firewall

Detailed instructions can be found here: https://www.voicehost.co.uk/help/watchguard-firewall-sip-configuration

ZyXEL

Under Network or Advanced -> ALG un-tick the options Enable SIP ALG and Enable SIP Transformations.
Telnet commands must be used to disable SIP ALG with some other Zyxel routers.

  1. Telnet into the router.

  2. Select menu items 24 then 8.

  3. To display the current SIP ALG status run the following command:

     ip nat service sip active

  4. To turn off SIP ALG:

     ip nat service sip active 0

ZyXEL (ZyWALL USG Routers)

Go to Settings > Configuration > Network > ALG.
Disable SIP ALG.
Turn ON Enable SIP Transformations.
Turn OFF Enable Configure SIP Inactivity Timeout.