Disable SIP ALG on Ubiquiti UniFi.
UniFi gateways (UDM, UDM Pro, UDM SE, USG, Cloud Gateway Ultra) inherit Linux nf_conntrack_sip behavior. The controller GUI doesn't expose a toggle; you disable it via SSH or the controller config-system override.
UDM / UDM Pro / UDM SE — SSH approach
- SSH into the gateway (or use the UniFi controller "Open SSH Console"):
ssh root@<gateway-IP>
- Disable the SIP conntrack module:
modprobe -r nf_nat_sip
modprobe -r nf_conntrack_sip
- Persist across reboots by adding to /etc/modprobe.d/voip.conf:
blacklist nf_conntrack_sip
blacklist nf_nat_sip
- Reboot the gateway to confirm.
Note: UDM firmware updates can revert manual config changes. Re-apply after firmware upgrades, or use config.gateway.json overrides on a self-hosted UniFi controller.
USG — config.gateway.json override
For self-hosted UniFi controllers, drop a config override at <controller-data>/sites/<site>/config.gateway.json:
{
  "system": {
    "conntrack": {
      "modules": {
        "sip": {
          "disable": "''"
        }
      }
    }
  }
}
Force-provision the USG from the controller. The override survives provisioning runs.
Raise UDP conntrack timeout
UDM/USG inherit Linux conntrack defaults: UDP unidirectional timeout is 30 seconds, UDP bidirectional ("stream") is 180 seconds. SIP REGISTER refreshes typically run hourly, so the firewall closes the NAT mapping between registrations and inbound calls go unrouted until the next refresh.
# Persist via /etc/sysctl.d/voip.conf
echo 'net.netfilter.nf_conntrack_udp_timeout = 60' >> /etc/sysctl.d/voip.conf
echo 'net.netfilter.nf_conntrack_udp_timeout_stream = 600' >> /etc/sysctl.d/voip.conf
sysctl --system
UDM firmware updates may revert manual sysctl changes — re-apply after upgrades or use a self-hosted UniFi controller's config.gateway.json override:
{
  "system": {
    "sysctl": {
      "parameter": {
        "net.netfilter.nf_conntrack_udp_timeout": { "value": "60" },
        "net.netfilter.nf_conntrack_udp_timeout_stream": { "value": "600" }
      }
    }
  }
}
Verify
lsmod | grep sip
# Should print nothing
sysctl net.netfilter.nf_conntrack_udp_timeout_stream
# Should be 600 (or whatever you set)
Place a test call and confirm two-way audio for the full call duration.
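Because firmware updates can revert these changes, the checks above can be scripted as a drift audit to run after each upgrade. This is an added example, not UniFi tooling or code from the original page; the function names are hypothetical, and accepting any timeout at or above the target value is an assumption.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not UniFi tooling).
# Reports drift from the settings on this page, e.g. after a firmware upgrade.

# Print any SIP helper modules present in lsmod-style text passed as $1.
# Matches the module-name column exactly, so nf_conntrack itself is ignored.
sip_modules_loaded() {
    printf '%s\n' "$1" | awk '$1 == "nf_conntrack_sip" || $1 == "nf_nat_sip" { print $1 }'
}

# Print each SIP helper that the modprobe.d file $1 does NOT blacklist.
# Commented-out lines and a missing file both count as "not blacklisted".
blacklist_missing() {
    for m in nf_conntrack_sip nf_nat_sip; do
        grep -Eq "^[[:space:]]*blacklist[[:space:]]+$m[[:space:]]*\$" "$1" 2>/dev/null || echo "$m"
    done
}

# Succeed only if live value $1 is numeric and at least the wanted value $2.
# Assumption: a timeout above the target is acceptable.
timeout_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ]
}

# Run all checks against the live gateway; returns non-zero on any drift.
audit_live() {
    rc=0
    loaded=$(sip_modules_loaded "$(lsmod)")
    [ -z "$loaded" ] || { echo "DRIFT: loaded: $loaded"; rc=1; }
    missing=$(blacklist_missing /etc/modprobe.d/voip.conf)
    [ -z "$missing" ] || { echo "DRIFT: not blacklisted: $missing"; rc=1; }
    for pair in nf_conntrack_udp_timeout=60 nf_conntrack_udp_timeout_stream=600; do
        key=net.netfilter.${pair%%=*}
        want=${pair#*=}
        have=$(sysctl -n "$key" 2>/dev/null)
        timeout_ok "$have" "$want" || { echo "DRIFT: $key=${have:-unset}, want >= $want"; rc=1; }
    done
    return $rc
}

# Only touch the live system when asked to: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then audit_live; fi
```

Run it with --live on the gateway; any DRIFT line means the corresponding step on this page needs to be re-applied.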