Routers, firewalls, and the SIP ALG problem.

Almost every consumer router ships with SIP ALG enabled by default. It tries to "help" by rewriting SIP packets — and almost always breaks call audio, registration, or both. The fix is the same on every device: turn it off.

Why SIP ALG breaks calls

  • Header rewriting — ALG modifies SIP Contact and Via headers, often inserting wrong public IPs or ports.
  • RTP pinholes timing out — Custom keepalive logic conflicts with the platform's NAT keepalive.
  • One-way audio — RTP arrives but isn't forwarded back to the caller.
  • Call drops at ~30 min — Default re-INVITE handling fails when ALG is in the path.

Disable SIP ALG on your edge device. Use the VoiceTel SDN appliance if your network uses CGNAT or aggressive symmetric NAT.
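
One way to confirm the header rewriting described above, as an added example that is not VoiceTel's own tooling: capture the same REGISTER on the LAN side and the WAN side of the router and diff the SIP payload. The sample messages, addresses and function names are constructed for illustration, and the SDP comparison goes one step beyond the Contact and Via headers named above.

```python
# Added example: a NAT without ALG changes only IP/UDP headers, so any
# difference in the SIP payload between LAN and WAN captures points to ALG.
# Both captures are constructed samples (RFC 1918 / RFC 5737 addresses).
LAN_CAPTURE = (
    "REGISTER sip:sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "From: <sip:1001@sip.example.net>;tag=49583\r\n"
    "To: <sip:1001@sip.example.net>\r\n"
    "Call-ID: 843817637684230@192.168.1.50\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:1001@192.168.1.50:5060>\r\n"
    "Expires: 360\r\n"
    "Content-Length: 0\r\n\r\n"
)
# The same request after a router with SIP ALG enabled (constructed).
WAN_CAPTURE = LAN_CAPTURE.replace(
    "UDP 192.168.1.50:5060", "UDP 203.0.113.7:1024"
).replace("1001@192.168.1.50:5060", "1001@203.0.113.7:1024")

WATCHED = ("via", "contact")            # headers the page says ALG rewrites
COMPACT = {"v": "via", "m": "contact"}  # RFC 3261 compact header names

def parse(msg):
    """Split a SIP message into {header: [values]} and its SDP c=/m= lines."""
    head, _, body = msg.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # [1:] skips the request line
        name, _, value = line.partition(":")
        name = COMPACT.get(name.strip().lower(), name.strip().lower())
        headers.setdefault(name, []).append(value.strip())
    sdp = [l for l in body.split("\r\n") if l.startswith(("c=", "m="))]
    return headers, sdp

def alg_rewrites(lan_msg, wan_msg):
    """Return (field, lan_value, wan_value) for each rewritten field."""
    (lan_h, lan_sdp), (wan_h, wan_sdp) = parse(lan_msg), parse(wan_msg)
    diffs = []
    for name in WATCHED:
        pairs = zip(lan_h.get(name, []), wan_h.get(name, []))
        diffs += [(name, a, b) for a, b in pairs if a != b]
    diffs += [("sdp", a, b) for a, b in zip(lan_sdp, wan_sdp) if a != b]
    return diffs

if __name__ == "__main__":
    for field, before, after in alg_rewrites(LAN_CAPTURE, WAN_CAPTURE):
        print(f"{field}: {before!r} -> {after!r}")
```

An empty result after disabling the ALG and re-capturing indicates the router is no longer touching the SIP payload.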

UDP NAT timeout — the second silent killer

Even with SIP ALG off, SIP registration over UDP fails if the firewall closes the NAT translation between REGISTER refreshes. Default UDP NAT timeouts on consumer routers run as low as 30 seconds. The recommended VoiceTel REGISTER interval is 360 seconds. Without something keeping the NAT mapping alive in between, registration silently drops, inbound calls fail, then the device re-REGISTERs and recovers.

Fix one of three ways, in order of preference:

  1. Raise the firewall's UDP NAT timeout to 600 seconds or more. Best fix; covered per-vendor below where the knob exists.
  2. Set the SIP REGISTER interval on the device to 360 seconds, paired with NAT keepalive at 30 seconds. Keepalive refreshes the NAT mapping; the longer REGISTER interval keeps signaling load low.
  3. Enable SIP NAT keepalive on the device. Most IP phones and softphones have a "NAT keepalive" or "OPTIONS ping" interval; set it to 25–30 seconds.

VoiceTel sends OPTIONS pings on registered SIP trunks at 30-second intervals by default. If your firewall closes UDP translations faster than that, raise the timeout or shorten the device REGISTER interval.

NAT mode: prefer endpoint-independent / "consistent"

SIP devices announce their RTP port in the SDP body. Firewalls that randomize the source port per destination (port-restricted or symmetric NAT) break NAT keepalive and cause one-way audio. Configure outbound NAT to use endpoint-independent mapping (a.k.a. "static port", "consistent NAT", "full-cone NAT") for SIP signaling and RTP source ranges.

If your edge can't do endpoint-independent mapping (CGNAT and some carrier-managed firewalls fall in this bucket), use the VoiceTel SDN appliance — it tunnels SIP and RTP from the LAN to VoiceTel and sidesteps the NAT entirely.

Vendors

  • ASUS

    RT-AX, ZenWiFi, Nighthawk-class consumer routers.

  • Netgear

    Nighthawk, Orbi, business ProSAFE routers.

  • pfSense

    Open-source firewall. Disable conntrack SIP helper plus static-port outbound NAT.

  • Fortinet FortiGate

    FortiGate FG-series. Disable SIP session helper and SIP ALG profile.

  • Ubiquiti UniFi

    UniFi Dream Machine, USG, Cloud Gateway.

  • SonicWall

    SonicWall TZ and NSA series. Disable SIP transformations.

  • ISP cable / DSL / fiber gateways

    Comcast, Spectrum, AT&T, Verizon, Cox, CenturyLink. Bridge mode is usually the only fix.