How to Enable SIP VOIP SIP ALG Firewall settings

SIP FIREWALL ALG Settings

SIP ALG NAT issue

ATTENTION

    The settings and potential configurations for equipment found on this page are provided for your benefit and may not necessarily reflect the same hardware, firmware, version, make or model of equipment you are attempting to implement or configure on your network.

Overview

The following list provides information about routers and firewalls and their ability to support VoIP. Suggested configurations should be used to prevent issues with VoIP traffic on your network, but do not represent all possible configuration options. Some equipment is incompatible with VoIP and as such requires replacement.

VOIP/SIP vs NAT 

The problem with VoIP and NAT is that both ends of the conversation have to be able to initiate a connection to each other. Consider the simplified sequence of events that happens when PhoneA calls PhoneB using their respective SIP servers, PBXA and PBXB:

1. PBXA sends a SIP invitation to PBXB on PhoneA's behalf. This invitation contains PhoneA's IP address.
2. PBXB invites PhoneB to the conversation, specifying PhoneA's IP address as the other end.
3. If PhoneB accepts the call, PBXB responds to PBXA with an acknowledgment that includes PhoneB's IP address.
4. PBXA tells PhoneA about PhoneB.
5. PhoneA sends audio using the Real-time Transport Protocol (RTP) to PhoneB.
6. PhoneB sends audio using RTP to PhoneA.

NAT can cause problems in several places. If one of the PBXes is behind a NAT gateway, the other PBX won't be able to contact it without some additional network setup. If one or more of the phones are behind a NAT gateway, the other phone will be trying to send audio to a non-routable address. This results in failed calls or missing audio.

General Settings

SIP ALG (Application Layer Gateway) and SPI (Stateful Packet Inspection) need to be disabled on most routers and firewalls, if equipped. These options are usually found on the Security/Firewall tab in the device's web interface. In cases where the router or firewall does not have these options or the options cannot be disabled, you may have to exchange the equipment for something more compatible.
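
To check a capture for the NAT problem described above, the following added example (not from the original page) audits a SIP INVITE for internal addresses in the Via and Contact headers and the SDP body, and shows which lines a device in the path rewrote. The two messages are constructed and abbreviated, the ALG behaviour (rewriting only the Contact header) is a hypothetical, and all function names are assumptions.

```python
import ipaddress
import re

# Ranges a far-end phone cannot route to (RFC 1918 plus link-local and loopback).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed, abbreviated sample: INVITE as PhoneA (192.168.1.50, behind NAT) sends it.
SENT = "\r\n".join([
    "INVITE sip:phoneb@pbxb.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds",
    "From: <sip:phonea@pbxa.example.net>;tag=1928301774",
    "To: <sip:phoneb@pbxb.example.net>",
    "Contact: <sip:phonea@192.168.1.50:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=phonea 2890844526 2890844526 IN IP4 192.168.1.50",
    "c=IN IP4 192.168.1.50",
    "m=audio 49170 RTP/AVP 0",
])
# Constructed sample: the same INVITE after a hypothetical ALG rewrote only the Contact header.
RECEIVED = SENT.replace("phonea@192.168.1.50:5060", "phonea@203.0.113.7:1024")

def is_internal(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # the loose regex also matches strings such as 999.1.1.1
        return False
    return any(ip in net for net in INTERNAL)

def audit(message):
    """List (field, address) for each internal address the far end would receive."""
    head, _, body = message.partition("\r\n\r\n")
    lines = [l for l in head.split("\r\n") if l.startswith(("Via:", "Contact:"))]
    lines += [l for l in body.split("\r\n") if l.startswith(("o=", "c="))]
    return [(l[:2] if l[1] == "=" else l.split(":")[0], a)
            for l in lines for a in IPV4.findall(l) if is_internal(a)]

def media_target(message):
    """Where the far end will send RTP: the SDP c= address and m=audio port."""
    body = message.partition("\r\n\r\n")[2]
    addr = re.search(r"^c=IN IP4 (\S+)", body, re.M).group(1)
    return addr, int(re.search(r"^m=audio (\d+)", body, re.M).group(1))

def rewritten(sent, received):
    """Lines changed in transit (assumes the device did not add or drop lines)."""
    return [(s, r) for s, r in zip(sent.split("\r\n"), received.split("\r\n")) if s != r]
```

In the constructed RECEIVED message the Contact header carries a public address, but `media_target` still returns the internal `c=` address, which is the half-rewritten state that produces registered phones with missing audio.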

Small Office / Home Office Routers

The following devices will often work with our service when properly configured. Please consult a network professional to ensure these settings are in place.


| Manufacturer | Model | Features | Setup and Notes |
|---|---|---|---|
| Apple Airport Extreme | A1354, A1408, A1521 | | No changes necessary. Replace if Wireless G Model |
| Cisco | RV042/RV082/RV016 | Dual WAN, 4/8/16 ports | Disable load balancing |
| Cisco | RV120 | | Disable Attack Checks, Disable SIP ALG, Replace |
| Cisco | RV180W | Best Effort, Gigabit Ethernet, VPN, Wireless N | Disable SIP ALG, Create Outbound Access rule for phones |
| Cisco | WVR210-A v1 | | Check for new firmware, Disable SIP ALG and SPI Firewall. Replace. |
| Cisco / Linksys | E4200 v1 | Dual-Band, Wireless N, Gigabit | Turn off SPI Firewall and SIP ALG |
| D-Link | DIR655 Rev A | | Disable SIP ALG |
| D-Link | EBR2310 | Wired Router | Disable SIP ALG and SPI Firewall |
| D-Link | EBR2310 Rev C | | Enable SIP ALG, replace. |
| D-Link | WBR2310 | Wireless-G | No changes necessary. |
| Linksys | E900 | | Disable SIP ALG and SPI Firewall |
| Linksys | E2500 | | Disable SIP ALG and SPI Firewall |
| Linksys | E3200 v1 | 802.11a/b/g/n | Disable SIP ALG and SPI Firewall |
| Linksys | E3500 | | |
| Linksys | EA4500 v1 | Gigabit, Wireless N | Disable SIP ALG and SPI Firewall |
| Linksys | EA6900 | | Disable SIP ALG and SPI Firewall |
| Linksys | RV042 RV082 | Dual WAN, 4 ports | Disable SIP ALG and SPI Firewall |
| Linksys | RVS210 | | Only 4 phones can register. Replace if more than 4 phones needed. |
| Linksys | WRT54G Series | 802.11b/g | Compatibility varies depending on Model and Hardware Version. See Details |
| Linksys | WRT610N | | Upgrade to latest firmware. Disable SIP ALG and SPI Firewall |
| MikroTik | Any | | Disable SIP ALG |
| Netgear | DG834G | DSL Modem/Router | Disable SIP ALG, DoS and Port Scan Protection |
| Netgear | FVG318 | | Disable SIP ALG. If issues continue, update firmware. |
| Netgear | FVS318 | | Try to disable SIP ALG and SPI Firewall. |
| Netgear | FVS336G | | Update firmware and Disable SIP ALG |
| Netgear | R6300 v1 | Gigabit, AC1750, Dual Band | Update firmware and Disable SIP ALG and Port Scan and DoS Protection |
| Netgear | WGR614 | Wireless-G | Disable SIP ALG and Port Scan and DoS Protection (Hardware Version V8 and newer only) |
| Netgear | WNDR3300 | N300, Dual Band | Disable SIP ALG and Port Scan and DoS Protection |
| Netgear | WNDR3400 | N600, Dual Band | Disable SIP ALG and Port Scan and DoS Protection |
| Netgear | WNDR3700 v1 v3 v4 | Gigabit, Wireless N, USB NAS Capability | Disable SIP ALG and Port Scan and DoS Protection |
| Netgear | WNR1000 v2 v3 | | Disable SIP ALG and Port Scan and DoS Protection. Update firmware. |
| Netgear | WNR2000 v2 v3 | | Disable SIP ALG and Port Scan and DoS Protection |
| Netgear | WNR3500L | N300 | Disable SIP ALG and Port Scan and DoS Protection |
| WesternDigital | MyNet N600 | Dual Band, Wireless N, Hard Drive | Disable SIP ALG |

Modem/Router Gateway Devices

These devices are typically provided by an internet service provider. If the phones experience issues with registration and transfers, look first to disable SIP ALG or SPI Firewall settings. In the event that these settings aren’t available, most Modem/Router Gateways require bridging or replacement. Please see below for more details.


| Manufacturer | Model | Features | Setup and Notes |
|---|---|---|---|
| 2Wire | Any | | Disable SIP ALG and Attack Detection |
| Actiontec | GT704-WG-B, Most Models | | Disable SIP ALG and SPI Firewall. If not present, Bridge device and use a third-party router. |
| Actiontec | PK5000 | | Disable SIP ALG at http://192.168.0.1/support/utilites (IP address may be different). Disable SIP ALG & SPI firewall. Or put into Bridge Mode. |
| Ambit/Ubee | U10C037, Any | | Put into Bridge Mode/replace. Incompatible with SIP |
| Calyptix | Any | | Requires ISP Configuration |
| Clear | Modem/Router | | Disable firewall and set to pass-through mode. |
| Comtrend | Any | | Disable SIP ALG in web interface, pictures here |
| EdgeMarc | Most Models | | Remove option 66 settings. Remove SIP Server Address. |
| Motorola | 3360 | | Set Passthrough. |
| Motorola | 2210 (MSTATEA) | | Set Passthrough. |
| Motorola | NVG510 (Uverse) | | Not Recommended. Set Passthrough. |
| Motorola | NVG589 (Uverse) | | Disable SIP ALG and Firewall settings. Set Passthrough mode. |
| Motorola | SBG6580 | | Disable SIP ALG and set Pass-through mode. Update Firmware to 3.3 (requires ISP support) |
| Motorola | SBG901 | | Bridge |
| Motorola | SBG941 | | Bridge |
| Motorola | Surfboard | | Running firmware v3.3 or higher. Disable SIP ALG. |
| Netgear | 7550 | Netgear 7550 Modem/Router Combo | AT&T Uses this |
| Netopia | Any, 3000 | | Disable SIP ALG |
| Pace | Pace (Uverse) | | Disable Attack Detection and Set Pass-through. Create custom service to allow SIP traffic for ports 5060-5080. |
| Siemens | SpeedStream 4200 | | Disable SIP ALG in NAT tab |
| Siemens | SpeedStream 5100 | | Put in Bridge Mode and use a recommended router. |
| SMC | 3100 | | Bridge |
| SMC | 8014 | | Turn off Smart Packet Detection. Put into Bridge Mode. |
| SMC | D3G | | Bridge |
| Technicolor | TC8305C | | Requires DMZ and Compatible Router |
| U-Verse | 2-wire, Netgear, Pace, Other | | Use Third-Party Router in DMZ |
| Westell | A90, B90, Most Models | | Put into Bridge Mode. |
| ZHONE | Any | | Disable SIP ALG, Use Third-Party Router in DMZ |
| ZyXEL | P-660HW | | Disable SIP ALG |
| ZyXEL | P792H v2 | | Disable SIP ALG |
| ZyXEL | PK5001Z (Qwest, CenturyLink) | | Use telnet to disable SIP ALG |

Enterprise Equipment & Firewalls

Enterprise Equipment and Firewalls typically have rules restricting access to the network. It is important that the traffic destined for Vonage Business phones is not blocked. Please see below for details for your specific device.


| Manufacturer | Model | Features | Setup and Notes |
|---|---|---|---|
| Adtran | Netvanta | | Disable SIP ALG |
| Cisco | All Enterprise-level devices | | See Recommendations |
| Cyberoam | Any | | Create Firewall Exception Rules |
| DrayTek Vigor | Any | | SIP ALG must be turned off. |
| Firebox | Any | | Disable SIP ALG, Create access rules. |
| FortiGate | FortiNet, Any | | Disable SIP Helper. |
| Juniper | NetScreen | | Disable SIP ALG and UDP Flood Protection |
| Netgear | ProSafe VPN Firewall | | Update to firmware 3.0.6-25 and disable SIP ALG |
| Peplink | Any | | Set SIP Pass-through to Standard Mode |
| Samsung | Ubigate iBG1000 | | Requires ISP Configuration – Disable SIP ALG. |
| SonicWALL | Any | | Disable SIP ALG, Enable Consistent NAT, and Create access rules (if necessary). |
| ZyXEL | ZyWALL 5, ZyWall USG 50/80/100 | | Disable SIP ALG, Check for new firmware. |

Incompatible Network Equipment

The following devices are known to be incompatible with SIP or VoIP. These devices must typically be replaced.

| Manufacturer | Model | Issues | Potential Solutions |
|---|---|---|---|
| Apple | Airport Extreme Wireless G Model | Doesn't allow phones to Register | Replace |
| Apple | Airport Time Capsule | Registration Issues | If problems encountered, Replace, Bridge. |
| Arris | TM502G | Registration Issues | Reboot by removing battery. If no improvement, replace. |
| Asus | RT-N10, RT-N66U | Dropped Calls, Registration issues with old firmware | Check for new firmware, Disable SIP ALG |
| Belkin | F5D, F6D, F7D, FDS, and F9K Series, Any | Intermittent One Way Audio | Restart, issue will return with time. Check for new firmware/Replace |
| Cisco | DPC3939 | SIP ALG cannot be disabled and still has issues after bridging | Replace |
| D-Link | DIR-601 | One-way audio | Check for new firmware/Replace |
| D-Link | DIR615, DIR600 | On Firmware 3.X, SIP ALG must be enabled for phone to register. When enabled, it mangles SIP traffic. | Check for new firmware/Replace |
| D-Link | DIR-628, DIR-825, DIR-835 | Current firmware version is Incompatible with SIP | Check for new firmware/Replace |
| D-Link | DIR655 Rev B (or newer) | SIP problems | Check for new firmware/Replace. |
| Linksys | BEFSR Series (BEFSR41, BEFSR81, BEFSRX1, etc.) | Phones Can't Register or Transfer | Check for new firmware/Replace |
| Linksys | E1200 | Internet Connection problems. | Disable SIP ALG and SPI Firewall. Replace if issues persist. |
| Linksys | E3000 | No-way audio | Check for new firmware/Replace |
| Linksys | RVS4000 | One Way Audio after Attended Transfers | Check for new firmware/Replace |
| Linksys | WRT110N, WRT120N, WRT160N, WRT320N, WRT350N | Dropped calls, Transfer issues, Registrations issues, No SIP ALG option | Check for new firmware/Replace |
| Linksys | WRT55AG | Various issues. | Use third-party router in DMZ or replace. |
| Linksys | WRT54Gv1-4, WRT54G2, WRT54GL | Various, Doesn't allow phones to Register or Transfer | Check for new firmware/Replace. |
| Linksys | WRTU54G-TM v1 | Various issues. | Check for new firmware/Replace. |
| Linksys | WRV54G | Various issues. | Check for new firmware/Replace. |
| Linksys | WRV200, WRV210 | Registration, loss of audio after transfers, and dropped calls | Check for new firmware/Replace |
| Linksys | WRV210 | Various issues. | Check for new firmware/Replace. |
| Netgear | CG814WCOM, CG814WG, CG814WT | Modem/Router Gateway w/ Proprietary Firmware | Bridge/Replace |
| Netgear | CGD24G | Modem/Router Gateway w/ Proprietary Firmware, CD, 1WA | Bridge/Replace |
| Netgear | FVS318 | SIP ALG cannot be disabled, various quality problems. Avoid | Check for new firmware/Replace |
| Netgear | CG3000 | Modem/Router Gateway w/ Proprietary Firmware | Bridge/Replace |
| Netgear | WGR614 v1-v7 | No SIP ALG option. Registration issues. | Incompatible. Replace. |
| Netgear | WGT624 | One-way/no-way audio and dropped calls. | Check for new firmware/Replace |
| Netgear | WNDR3700 v2 | Failed registrations. Stripped nonce. | Check for new firmware/Replace |
| Netgear | WNDR4000 v1 | Transfer issues, Dropped calls, Dropped calls on hold | Check for new firmware/Replace |
| Netgear | WNR1000 v1 | No SIP ALG option. Registration issues. | Check for new firmware/Replace |
| Netgear | WNR2000 v.1 | Incompatible, SIP Ringing message never arrives | Check for new firmware/Replace |
| Netgear | WNR2500 | Registration issues, one-way audio | Check for new firmware/Replace |
| Netgear | WNR3500 | Incompatible with SIP | If v1, try firmware 1.0.15. Disable SIP ALG and SPI. Replace |
| Netgear | WNR834B v.2 | Drops Transfers (Attended) | Check for new firmware/Replace |
| Tenda | Any | Various issues. | Replace |
| Thomson | DWG-855 | Various issues | Disable SIP ALG. Check for new firmware. Replace |
| Thomson | TG585 v8 | Various issues | Disable SIP ALG. Check for new firmware. Replace |
| Thomson | TG587n v2-v7 | Various issues | Disable SIP ALG. Check for new firmware. Replace |
| TP-Link | TL-WR741N v2 | Various issues. | Check for new firmware. Replace. |
| TRENDnet | TEW-639GR | Various issues. | Check for new firmware. Replace. |
| TRENDnet | TEW-652 | Various issues. | Use Third-Party Router in |
