How to Enable SIP VOIP SIP ALG Firewall settings
SIP FIREWALL ALG Settings
Topic:How to Enable SIP VOIP SIP ALG Firewall settings
ATTENTION:
The settings and potential configurations for equipment found on this page are provided for your benefit and may not necessarily reflect the same hardware, firmware, version, make or model of equipment you are attempting to implement or configure on your network.
Overview
The following list provides information about routers and firewalls and their ability to support VoIP. Suggested configurations should be used to prevent issues with VoIP traffic on your network, but do not represent all possible configuration options. Some equipment is incompatible with VoIP and as such requires replacement.
VOIP/SIP vs NAT
The problem with VoIP and NAT is that both ends of the conversation have to be able to initiate a connection to each other. Consider the simplified sequence of events that happens when PhoneA calls PhoneB using their respective SIP servers, PBXA and PBXB.
• PBXA sends a SIP invitation to PBXB on PhoneA's behalf. In this invitation, it is PhoneA's IP address.
• PBXB invites PhoneB to the conversation specifying PhoneA's IP address as the other end.
• If PhoneB accepts the call, PBXB responds to PBXA with an acknowledgment that includes PhoneB's IP address.
• PBXA tells PhoneA about PhoneB.
• PhoneA sends audio using the Real-Time Protocol (RTP) to PhoneB.
• PhoneB sends audio using RTP to PhoneA.
NAT can cause problems in several places. If one of the PBXes is behind a NAT gateway, the other PBX won't be able to contact it without some additional network setup. If one or more of the phones are behind a NAT gateway, the other phone will be trying to send audio to a non-routable address. This results in failed calls or missing audio.
General Settings
SIP ALG (Application Layer Gateway) and SPI (Stateful Packet Inspection) need to be disabled on most routers and firewalls, if equipped. This is usually found on theSecurity/Firewall tab in the device’s web interface. In cases where the router or firewall does not have these options or the options cannot be disabled, you may have to exchange the equipment for something more compatible.
Small Office / Home Office Routers
The following devices will often work with our service when properly configured. Please consult a network professional to ensure these settings are in place
Manufacturer
|
Model
|
Features
|
Setup and Notes
|
Apple Airport Extreme
|
A1354, A1408, A1521
|
No changes necessary
Replace if Wireless G Model |
|
Cisco
|
RV042/RV082/RV016
|
Dual WAN, 4/8/16 ports
|
Disable load balancing
|
Cisco
|
RV120
|
Disable Attack Checks, Disable SIP ALG,
Replace
|
|
Cisco
|
RV180W
|
Best Effort, Gigabit Ethernet, VPN,
Wireless N
|
Disable SIP ALG, Create Outbound Access
rule for phones
|
Cisco
|
WVR210-A v1
|
Check for new firmware, Disable SIP ALG
and SPI Firewall. Replace.
|
|
Cisco / Linksys
|
E4200 v1
|
Dual-Band, Wireless N, Gigabit
|
Turn off SPI Firewall and SIP ALG
|
D-Link
|
DIR655 Rev A
|
Disable
SIP ALG
|
|
D-Link
|
EBR2310
|
Wired Router
|
Disable
SIP ALG and SPI Firewall
|
D-Link
|
EBR2310 Rev C
|
Enable SIP ALG, replace.
|
|
D-Link
|
WBR2310
|
Wireless-G
|
No changes necessary.
|
Linksys
|
E900
|
Disable SIP ALG and SPI Firewall
|
|
Linksys
|
E2500
|
Disable SIP ALG and SPI Firewall
|
|
Linksys
|
E3200 v1
|
802.11a/b/g/n
|
Disable
SIP ALG and SPI Firewall
|
Linksys
|
E3500
|
||
Linksys
|
EA4500 v1
|
Gigabit, Wireless N
|
Disable
SIP ALG and SPI Firewall
|
Linksys
|
EA6900
|
Disable SIP ALG and SPI Firewall
|
|
Linksys
|
RV042 RV082
|
Dual WAN, 4 ports
|
Disable SIP ALG and SPI Firewall
|
Linksys
|
RVS210
|
Only 4 phones can register. Replace if
more than 4 phones needed.
|
|
Linksys
|
WRT54G Series
|
802.11b/g
|
Compatibility varies depending on Model
and Hardware Version.
See Details |
Linksys
|
WRT610N
|
Upgrade to latest firmware
Disable SIP ALG and SPI Firewall |
|
MikroTik
|
Any
|
Disable SIP ALG
|
|
Netgear
|
DG834G
|
DSL Modem/Router
|
Disable
SIP ALG, DoS and Port Scan Protection
|
Netgear
|
FVG318
|
Disable SIP ALG. If issues continue,
update firmware.
|
|
Netgear
|
FVS318
|
Try to disable SIP ALG and SPI Firewall.
|
|
Netgear
|
FVS336G
|
Update firmware and Disable SIP ALG
|
|
Netgear
|
R6300 v1
|
Gigabit, AC1750, Dual Band
|
Update
firmware and Disable SIP ALG and Port Scan and DoS Protection
|
Netgear
|
WGR614
|
Wireless-G
|
Disable
SIP ALG and Port Scan and DoS Protection
(Hardware Version V8 and newer only) |
Netgear
|
WNDR3300
|
N300, Dual Band
|
Disable
SIP ALG and Port Scan and DoS Protection
|
Netgear
|
WNDR3400
|
N600, Dual Band
|
Disable
SIP ALG and Port Scan and DoS Protection
|
Netgear
|
WNDR3700 v1 v3 v4
|
Gigabit, Wireless N, USB NAS Capability
|
Disable
SIP ALG and Port Scan and DoS Protection
|
Netgear
|
WNR1000 v2 v3
|
Disable
SIP ALG and Port Scan and DoS Protection. Update firmware.
|
|
Netgear
|
WNR2000 v2 v3
|
Disable
SIP ALG and Port Scan and DoS Protection
|
|
Netgear
|
WNR3500L
|
N300
|
Disable
SIP ALG and Port Scan and DoS Protection
|
WesternDigital
|
MyNet N600
|
Dual Band, Wireless N, Hard Drive
|
Disable
SIP ALG
|
Modem/Router Gateway Devices
These devices are typically provided by an internet service provider. If the phones experience issues with registration and transfers, look first to disable SIP ALG or SPI Firewall settings. In the event that these settings aren’t available, most Modem/Router Gateways require bridging or replacement. Please see below for more details.
Manufacturer
|
Model
|
Features
|
Setup and Notes
|
2Wire
|
Any
|
Disable
SIP ALG and Attack Detection
|
|
Actiontec
|
GT704-WG-B, Most Models
|
Disable SIP ALG and SPI Firewall. If not
present, Bridge
device and use a third-party router.
|
|
Actiontec
|
PK5000
|
Disable SIP ALG at
http://192.168.0.1/support/utilites (IP address may be different). Disable
SIP ALG & SPI firewall. Or put into Bridge
Mode.
|
|
Ambit/Ubee
|
U10C037, Any
|
Put into Bridge
Mode/ replace. Incompatible with SIP
|
|
Calyptix
|
Any
|
Requires ISP Configuration
|
|
Clear
|
Modem/Router
|
Disable firewall and set to pass-through
mode.
|
|
Comtrend
|
Any
|
Disable SIP ALG in web interface,
pictures here
|
|
EdgeMarc
|
Most Models
|
Remove
option 66 settings. Remove SIP Server Address.
|
|
Motorola
|
3360
|
Set Passthrough.
|
|
Motorola
|
2210 (MSTATEA)
|
Set Passthrough.
|
|
Motorola
|
NVG510 (Uverse)
|
Not Recommended. Set Passthrough.
|
|
Motorola
|
NVG589 (Uverse)
|
Disable SIP ALG and Firewall settings.
Set Passthrough mode.
|
|
Motorola
|
SBG6580
|
Disable SIP ALG and set Pass-through
mode. Update Firmware to 3.3 (requires ISP support)
|
|
Motorola
|
SBG901
|
Bridge
|
|
Motorola
|
SBG941
|
Bridge
|
|
Motorola
|
Surfboard
|
Running firmware v3.3 or higher.
Disable SIP ALG. |
|
Netgear
|
7550
|
Netgear 7550Modem/Router Combo
AT&T Uses this |
|
Netopia
|
Any, 3000
|
Disable
SIP ALG
|
|
Pace
|
Pace (Uverse)
|
Disable Attack Detection and Set
Pass-through. Create custom service to allow SIP traffic for ports 5060-5080.
|
|
Siemens
|
SpeedStream 4200
|
Disable
SIP ALG in NAT tab
|
|
Siemens
|
SpeedStream 5100
|
Put in Bridge
Mode and use a recommended router.
|
|
SMC
|
3100
|
Bridge
|
|
SMC
|
8014
|
Turn off Smart Packet Detection. Put
into Bridge
Mode.
|
|
SMC
|
D3G
|
Bridge
|
|
Technicolor
|
TC8305C
|
Requires DMZ and Compatible Router
|
|
U-Verse
|
2-wire, Netgear, Pace, Other
|
Use
Third-Party Router in DMZ
|
|
Westell
|
A90, B90, Most Models
|
Put into Bridge
Mode.
|
|
ZHONE
|
Any
|
Disable SIP ALG, Use Third-Party Router
in DMZ
|
|
ZyXEL
|
P-660HW
|
Disable
SIP ALG
|
|
ZyXEL
|
P792H v2
|
Disable
SIP ALG
|
|
ZyXEL
|
PK5001Z (Qwest, CenturyLink)
|
Use
telnet to disable SIP ALG
|
Enterprise Equipment & Firewalls
Enterprise Equipment and Firewalls typically have rules restricting access to the network. It is important that the traffic destined for Vonage Business phones is not blocked. Please see below for details for your specific device.
Manufacturer
|
Model
|
Features
|
Setup and Notes
|
Adtran
|
Netvanta
|
Disable
SIP ALG
|
|
Cisco
|
All Enterprise-level devices
|
See
Recommendations
|
|
Cyberoam
|
Any
|
Create Firewall Exception Rules
|
|
DrayTek Vigor
|
Any
|
SIP ALG must be turned off.
|
|
Firebox
|
Any
|
Disable SIP ALG, Create access rules.
|
|
FortiGate
|
FortiNet, Any
|
Disable SIP Helper.
|
|
Juniper
|
NetScreen
|
Disable SIP ALG and UDP Flood Protection
|
|
Netgear
|
ProSafe VPN Firewall
|
Update to firmware 3.0.6-25 and disable
SIP ALG
|
|
Peplink
|
Any
|
Set SIP Pass-through to Standard Mode
|
|
Samsung
|
Ubigate iBG1000
|
Requires ISP Configuration – Disable SIP
ALG.
|
|
SonicWALL
|
Any
|
Disable
SIP ALG, Enable Consistent NAT, and Create access rules (if necessary).
|
|
ZyXEL
|
ZyWALL 5, ZyWall USG 50/80/100
|
Disable
SIP ALG, Check for new firmware.
|
Incompatible Network Equipment
The following devices are known to be incompatible with SIP or VoIP. These devices must typically be replaced.
Manufacturer
|
Model
|
Issues
|
Potential Solutions
|
Apple
|
Airport Extreme Wireless G Model
|
Doesn’t allow phones to Register
|
Replace
|
Apple
|
Airport Time Capsule
|
Registration Issues
|
If problems encountered, Replace, Bridge.
|
Arris
|
TM502G
|
Registration Issues
|
Reboot by removing battery. If no
improvement, replace.
|
Asus
|
RT-N10, RT-N66U
|
Dropped Calls, Registration issues with
old firmware
|
Check for new firmware, Disable SIP ALG
|
Belkin
|
F5D, F6D, F7D, FDS, and F9K Series, Any
|
Intermittent One Way Audio
|
Restart, issue will return with time.
Check for new firmware/Replace
|
Cisco
|
DPC3939
|
SIP ALG cannot be disabled and still has
issues after bridging
|
Replace
|
D-Link
|
DIR-601
|
One-way audio
|
Check for new firmware/Replace
|
D-Link
|
DIR615, DIR600
|
On Firmware 3.X, SIP ALG must be enabled
for phone to register. When enabled, it mangles SIP traffic.
|
Check for new firmware/Replace
|
D-Link
|
DIR-628, DIR-825, DIR-835
|
Current firmware version is Incompatible
with SIP
|
Check for new firmware/Replace
|
D-Link
|
DIR655 Rev B (or newer)
|
SIP problems
|
Check for new firmware/Replace.
|
Linksys
|
BEFSR Series (BEFSR41, BEFSR81, BEFSRX1,
etc.)
|
Phones Can’t Register or Transfer
|
Check for new firmware/Replace
|
Linksys
|
E1200
|
Internet Connection problems.
|
Disable SIP ALG and SPI Firewall. Replace
if issues persist.
|
Linksys
|
E3000
|
No-way audio
|
Check for new firmware/Replace
|
Linksys
|
RVS4000
|
One Way Audio after Attended Transfers
|
Check for new firmware/Replace
|
Linksys
|
WRT110N, WRT120N, WRT160N, WRT320N,
WRT350N
|
Dropped calls, Transfer issues,
Registrations issues, No SIP ALG option
|
Check for new firmware/Replace
|
Linksys
|
WRT55AG
|
Various issues.
|
Use third-party router in DMZ or replace.
|
Linksys
|
WRT54Gv1-4, WRT54G2, WRT54GL
|
Various, Doesn’t allow phones to Register
or Transfer
|
Check for new firmware/Replace.
|
Linksys
|
WRTU54G-TM v1
|
Various issues.
|
Check for new firmware/Replace.
|
Linksys
|
WRV54G
|
Various issues.
|
Check for new firmware/Replace.
|
Linksys
|
WRV200, WRV210
|
Registration, loss of audio after
transfers, and dropped calls
|
Check for new firmware/Replace
|
Linksys
|
WRV210
|
Various issues.
|
Check for new firmware/Replace.
|
Netgear
|
CG814WCOM, CG814WG, CG814WT
|
Modem/Router Gateway w/ Proprietary
Firmware
|
Bridge/Replace
|
Netgear
|
CGD24G
|
Modem/Router Gateway w/ Proprietary
Firmware, CD, 1WA
|
Bridge/Replace
|
Netgear
|
FVS318
|
SIP ALG cannot be disabled, various
quality problems. Avoid
|
Check for new firmware/Replace
|
Netgear
|
CG3000
|
Modem/Router Gateway w/ Proprietary
Firmware
|
Bridge/Replace
|
Netgear
|
WGR614 v1-v7
|
No SIP ALG option. Registration issues.
|
Incompatible. Replace.
|
Netgear
|
WGT624
|
one-way/no-way audio and dropped calls.
|
Check for new firmware/Replace
|
Netgear
|
WNDR3700 v2
|
Failed registrations. Stripped nonce.
|
Check for new firmware/Replace
|
Netgear
|
WNDR4000 v1
|
Transfer issues, Dropped calls, Dropped
calls on hold
|
Check for new firmware/Replace
|
Netgear
|
WNR1000 v1
|
No SIP ALG option. Registration issues.
|
Check for new firmware/Replace
|
Netgear
|
WNR2000 v.1
|
Incompatible, SIP Ringing message never
arrives
|
Check for new firmware/Replace
|
Netgear
|
WNR2500
|
Registration issues, one-way audio
|
Check for new firmware/Replace
|
Netgear
|
WNR3500
|
Incompatible with SIP
|
If v1, try firmware 1.0.15. Disable SIP
ALG and SPI. Replace
|
Netgear
|
WNR834B v.2
|
Drops Transfers (Attended)
|
Check for new firmware/Replace
|
Tenda
|
Any
|
Various issues.
|
Replace
|
Thomson
|
DWG-855
|
Various issues
|
Disable SIP ALG. Check for new firmware.
Replace
|
Thomson
|
TG585 v8
|
Various issues
|
Disable SIP ALG. Check for new firmware.
Replace
|
Thomson
|
TG587n v2-v7
|
Various issues
|
Disable SIP ALG. Check for new firmware.
Replace
|
TP-Link
|
TL-WR741N v2
|
Various issues.
|
Check for new firmware. Replace.
|
TRENDnet
|
TEW-639GR
|
Various issues.
|
Check for new firmware. Replace.
|
TRENDnet
|
TEW-652
|
Various issues.
|
Use Third-Party Router in
|
SIP / VOIP SIP ALG Firewall settings