VoIP firewall configuration is where most deployments go wrong. Wrong ports, SIP ALG enabled, or asymmetric rules cause registration failures, one-way audio, and dropped calls. Here is how to get it right.
VoIP requires two separate port ranges for SIP signaling and RTP media:

| Protocol | Port/Range | Direction | Purpose |
|---|---|---|---|
| UDP/TCP | 5060 | Both | SIP signaling (unencrypted) |
| TCP | 5061 | Both | SIP over TLS (encrypted) |
| UDP | 10000-20000 | Both | RTP media (audio/video) |
| UDP | 3478, 5349 | Both | STUN/TURN (NAT traversal) |

The RTP port range varies by platform. Asterisk defaults to 10000-20000. FreeSWITCH uses 16384-32768. Check your PBX settings and open the matching range bidirectionally — both inbound AND outbound.
SIP ALG (Application Layer Gateway) inspects and modifies SIP packets to help with NAT traversal. In practice it almost always breaks VoIP by rewriting headers incorrectly, breaking authentication, dropping packets it does not understand, and corrupting REGISTER packets.
Disable SIP ALG on every router and firewall in the call path.
NAT breaks VoIP because SIP endpoints advertise their private IP addresses in SDP and Contact headers. Solutions:
Capture SIP on both sides of the firewall. If Contact header IPs differ between captures, SIP ALG is rewriting packets.
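The comparison described above, as an added Python example that is not part of the original page: it takes the same SIP message as captured on each side of the firewall and reports the addresses that changed in Contact and SDP, and additionally in Via, which the page does not mention. The sample INVITE, its addresses and all function names are constructed for illustration; plain NAT changes only the IP and UDP headers, so any difference inside the SIP payload was made by something that parses SIP.

```python
import re

COMPACT = {"m": "contact", "v": "via", "i": "call-id"}  # RFC 3261 compact header names
WATCHED = ("contact", "via")  # headers in which the endpoint advertises its own address
ADDR = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?")  # IPv4 with optional :port

def parse(msg):
    """Split one SIP message into ({header: [values]}, [SDP o=/c= lines])."""
    head, _, body = msg.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    return headers, [l for l in body.split("\r\n") if l.startswith(("o=", "c="))]

def addresses(values):
    """Every IPv4 address[:port] that appears in the given header or SDP lines."""
    return [m.group(0) for v in values for m in ADDR.finditer(v)]

def compare_captures(lan_msg, wan_msg):
    """Return [(field, lan_addrs, wan_addrs)] for each field rewritten in transit."""
    (lan_h, lan_sdp), (wan_h, wan_sdp) = parse(lan_msg), parse(wan_msg)
    for key in ("call-id", "cseq"):  # both captures must show the same message
        if lan_h.get(key) != wan_h.get(key):
            raise ValueError(f"{key} differs: not the same SIP message")
    pairs = [(f, lan_h.get(f, []), wan_h.get(f, [])) for f in WATCHED]
    pairs.append(("sdp", lan_sdp, wan_sdp))
    return [(f, addresses(a), addresses(b)) for f, a, b in pairs
            if addresses(a) != addresses(b)]

def sample_invite(addr, port, call_id="a84b4c76e66710"):
    """Constructed, trimmed INVITE for the demo (documentation addresses, not real traffic)."""
    return ("INVITE sip:2002@pbx.example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {addr}:{port};branch=z9hG4bK74bf9\r\n"
            f"Call-ID: {call_id}\r\n"
            "CSeq: 1 INVITE\r\n"
            f"Contact: <sip:1001@{addr}:{port}>\r\n"
            "Content-Type: application/sdp\r\n\r\n"
            f"v=0\r\no=- 1 1 IN IP4 {addr}\r\ns=-\r\nc=IN IP4 {addr}\r\nt=0 0\r\n"
            "m=audio 10000 RTP/AVP 0\r\n")

LAN_SIDE = sample_invite("192.168.1.50", 5060)   # as sent by the phone
WAN_SIDE = sample_invite("203.0.113.7", 1024)    # same message after the firewall

if __name__ == "__main__":
    for field, lan, wan in compare_captures(LAN_SIDE, WAN_SIDE):
        print(f"{field}: {lan} -> {wan}  (payload rewritten in transit)")
```

An empty result means the SIP payload crossed the firewall untouched, so the fault lies elsewhere, such as blocked RTP ports or a short UDP state timeout.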
Mark SIP and RTP with DSCP EF (46) to give voice packets priority over data traffic on shared links.
VoIP uses UDP/TCP port 5060 for SIP signaling, TCP port 5061 for SIP over TLS, and UDP ports 10000-20000 for RTP media. STUN uses UDP port 3478. All ports must be open bidirectionally on every firewall in the call path.
Yes — disable SIP ALG on every router and firewall in the call path. SIP ALG attempts to rewrite SIP headers for NAT but almost always corrupts them, causing registration failures, one-way audio, and dropped calls.
Most common VoIP firewall issues: SIP ALG enabled, RTP port range not open bidirectionally, asymmetric rules allowing outbound but blocking inbound RTP, or UDP state timeout too short. Capture SIP on both sides of the firewall to find exactly where packets are being dropped.
Paste your SIP trace into SIPSymposium. The analyzer detects NAT issues in Contact and SDP headers, identifies missing ACKs caused by firewall drops, and checks for SIP ALG interference.