The only way to secure any system is to keep it off of the internet. Do not forward ANY ports from your router to your PBX machine.
If you use a Registration String on your trunks, port forwarding is not necessary.
If you have remote extensions, set-up a VPN.
Again, I say: NEVER FORWARD PORTS!!!
That is completely incorrect. Try to not forward on a pfsense router and you will be in a world of hurt
If PFSense isn’t opening the necessary ports for reply packets after receiving the registration, then PFSense is behaving differently than almost every other router out there.
I would avoid using any router that required you to open a port to the world when most routers out there will automatically open the port just for the intended recipient.
If you use such a router, you should only open the port to the intended recipients and nobody else…
With respect, that is not really the job of a router, it should follow directions as given, If you have SPI and “helper” functions built in to your router then perhaps it works for you. Many so called “helpers/ALG” are just broken, consider yourself lucky if yours work.
I’m not talking about a helper. I’m talking about basic firewall actions.
When you request a web-page, your firewall must leave open the port to get the response. If you don’t, the response will be blocked.
By the same token, when you send a SIP Registration, the router has to leave the port open for the recipient so that you can get a response, for a certain period of time. Most routers wait about 60 seconds. If you set qualify=yes, the OPTIONS message will keep the port open continually.
This isn’t a helper issue. It’s basic NAT/routing functionality. If you configure IPTables (the firewall used in CentOS and other Linux Distros) to allow related and established, it works essentially the same way.
How well does that work for your external extensions with no NAT rules?
This is not a fault of the firewall or router. Just because SIP helper functions work on the cheap “best buy” model of routers does not mean it’s easy when you move up to more advanced routers. pfsense is no child’s toy and can not be found at your local best buy. Does that mean it’s broken? No. Is that the fault of pfsense? No.
EdgeLite routers do the same thing. Does that mean they are broken as well? No.
Outbound pin-holing is not the same as inbound.
UPNP is a consumer technology because “you” can’t open ports right. The same applies to SIP ALG and Port Triggering. Do you think someone would have created those if people knew what they were doing?
I have a netgear router at my house. I can make calls in and out fine to a remote server whether SIP ALG is on or off… however I have to turn off SIP ALG so that my BLFs work. If that doesn’t make you think twice about what the f-- SIP ALG actually does… it should!
I use the Edegrouter Lite, and it works just fine without opening any ports.
I’m not talking about SIP ALG, helper functions, or UPNP. I’m also not talking about remote extensions.
I’m talking about an Asterisk box that connects to remote trunks using a registration string, where the Asterisk box is behind a router.
Opening ports and remembering where to route the return packets is a basic firewall/NAT function.
If you want remote extensions to connect to an Astersk box that is behind a NAT/Firewall, you certainly can open ports. But, you shouldn’t - you should use a VPN. If you absolutely must open ports for a remote extension, you should use Ward Mundy’s Travellin’ Man so that inbound packets aren’t allowed through IPTables unless they come from an approved source…
It’s not that easy in the real world, explaining and supporting dozens if not hundreds of external clients using everything from windoze to IOS to android to whatever, the “howtos” and the gotchas of VPN’s will spoil many of your days, just learn to set up your firewall/router correctly and securely and save yourself a whole skinload of pain, it’s not brain surgery and has been used successfully by many people here and elsewhere for 30 years and more, call it the internet if you want 
Well, I support hundreds of external clients using everything from Windows to Android. Setting up a VPN is uber-easy with OpenVPN since it’s cross-platform. It’s even easier when you use Vyatta or an EdgeRouter and you set-up the VPN at the router level.
If you choose to keep your ports open to the world when you don’t need to, be prepared for a large phone bill. I guess Shain69 learned that the hard way…
And I’m pretty sure that NOBODY has been doing VOIP for 30 years. The first VOIP app wasn’t developed until 1991. SIP wasn’t finalized until 1999…
Perhaps uber-easy for adhominem, not so much for real-world clients with their real world routers and their often impaired “humility impaired attitudes”, do you go to each of your clients and do it for them?
Shain69 only for lack of experience in the real world made about every error of commission and omission common for a newbie.
Before VOIP came IP networking (see ARPANET) soon followed by WWW in the 80’s , it was about that time that it was discovered that routers would be a good thing, Cisco opened it’s doors in 1986. They were not the first to build one.
Do I go out and do it for them? Of course not. I VPN in and do it remotely…
Catch 22 there surely, How do you VPN into a network without a VPN? Perhaps you mean SSH but the same arguments pertain there also.
OK, I’m done playing, please go with your own god, and have the best of luck with her.
I require all of my customers to have an Edgerouter (or PepLink Router), and I configure it for VPN before I ship it to them… 
I appreciate that you spelled god with a lowercase g…
Then we can then agree that you original edict:-
Is only appropriate for your particular implementation of your idea of SIP over your highly restrictive intranet, one that I posit few would agree with as it just isn’t practical in the “real world”, most of us here use the internet, and can not afford to expose their clients to a couple of hundred dollars per route extra without mass insurrection, it’s hard enough to get $25 each 
No, my edict is appropriate for everyone.
VPNs don’t cost “a couple hundred dollars.” OpenVPN is free, and runs on every platform, including Windows, iOS, Linux, and Android. It uses a unified configuration file, so if you have the config for any platform, you have the config files for every platform. You can even run it on a VMWare Player and redirect your entire network traffic through it if you want to.
My SIP is not limited to an intranet. I use SIP over the open internet to make and receive calls all day long. But, I haven’t forwarded a single port. My router is configured to allow related and established packets only. I also setup Iptables on my Asterisk box and block everything but LAN traffic and related/established on it as well.
Security is always inconvenient, but it is priceless.
It is never necessary to forward ports. NEVER FORWARD PORTS!!
If you are unwilling to spend the ten minutes it takes to configure a VPN, at least take the 2 minutes it takes to install Travellin’ Man…
Or you could just wait for this to happen…
You’re both doing it your own way and you’re both right. @AdHominem just because we don’t do it your way doesn’t mean we don’t know what we are doing. The gist I get here is that you are trying to persuade us that we are both wrong. The needless history lesson about SIP was… well needless.
Because this completely diverged from the original post I have split this topic from the original.
We can just agree to disagree.
In my time I have officially and unofficially been present in an undetermined amount of systems and networks. Security can only ever be best effort. The easiest resources to access are the ones where some admin was super confident they knew what they were doing. There is always someone smarter than you. The only way to be truly secure is to not own or use a server. If it has data on it, there is a security risk. We all can’t live in concrete bunkers with no wires in or out. So we have to do the best we can and assume it is not good enough.
Andrew, I’m certainly not saying that you’re doing it “wrong.”
But, I do feel very strongly about my position, and I see how it might come off that way.
No offense was intended, and I’m happy to agree to disagree with you.
I still owe you lunch the next time you come to OC, so please remember to let me know in advance.
How bout instead of just creating a post just to lambast us wicked openers of ports, why not use your zeal for the topic and educate us who do not know how to do do the OpenVPN setup and create a tutorial?