Nice, good options. Although I don’t think SIP ALG is the problem here since there really is no problem 99% of the time, except for when registration drops on some phones. Like you suggested before, it probably has to do with the router firewall expiring (or not expiring when it should) connections/ports.
Most probably, this problem can be solved by tweaking the timing between the re-registration on the phones and the PBX.
It depends upon what you mean by “unsolicited requests.” If you mean an incoming call from an Internet Telephone Service Provider (Callcentric, voip.ms, etc.) that you send registration or options (qualify) packets to, then those incoming calls are not treated as unsolicited requests. Rather, because those come from the same IP and Port that you have already initiated communications with via register/options packets, your router will let those incoming calls through to your PBX.
On the other hand, if you get an unsolicited SIP URI call from an IP/Port that you’ve never communicated with in the last 60 seconds (plus or minus), your router will not let that call in unless you explicitly forward that port to your PBX.
Note that, very rarely, routers do screw up the translation. When that happens, you can experience incoming call failures. When/if that happens, rebooting your router (or disabling the affected trunk for a minute or two) will usually resolve it.
With respect to options/qualify packets, yes, Asterisk treats phones and trunks identically. If qualify is enabled (which it is by default on extensions) and there is no response, Asterisk treats that device as down and won’t send any calls to it until it comes back up.
If you have phones behind your firewall and you’re connecting them with an Asterisk server outside your firewall (or an ITSP), then yes, the same principles apply. Some phones will send keep-alive packets and some ITSPs will send qualify packets to keep the firewall open for you, but if they don’t, you’ll want to shorten the registration timer to 60 seconds to ensure that the registration packets keep the firewall open for incoming calls. If you can control the outside Asterisk server, you can also enable qualify packets and/or shorten their frequency using qualifyfreq=(seconds).
If you have phones that are outside of your firewall and your PBX is inside of your firewall, then everything is reversed. The phones are the things sending the registration packets, and not your PBX. They cannot traverse your firewall because your PBX will never reach out to them until it receives a registration packet.
However, you may be able to fix this if your phones have a static IP address by changing the host= field in the extension settings from “dynamic” to the phone’s static IP and ensuring qualify is set to yes. In that case, registration would not be required since Asterisk already knows where to find your phone, and the qualify packets should keep the firewall open to allow the phone to make calls. In this situation, however, you could also just forward the port only for the remote IP address if your router supports doing so, or set up a permanent OpenVPN link between the remote destination and your network.
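The router behaviour discussed in this thread can be modelled as a UDP state table. This is an added example, not code from any of the posters: it measures how much of an hour an incoming call would get through for a given registration or qualify interval. The 60-second mapping lifetime, the IP addresses and all names are assumptions made for the sketch.

```python
"""Toy model of the router behaviour described above (added example)."""
from dataclasses import dataclass, field

PBX_PEER = ("203.0.113.10", 5060)    # constructed ITSP address (documentation range)
STRANGER = ("198.51.100.7", 5060)    # constructed address the PBX never contacted


@dataclass
class UdpPinholeFirewall:
    timeout: float = 60.0                           # assumed UDP mapping lifetime
    last_seen: dict = field(default_factory=dict)   # (ip, port) -> last outbound time

    def outbound(self, now, remote):
        # REGISTER or OPTIONS (qualify) from the PBX creates or refreshes the mapping.
        self.last_seen[remote] = now

    def inbound_allowed(self, now, remote):
        # Simplification: only outbound traffic refreshes the mapping.
        seen = self.last_seen.get(remote)
        if seen is None or now - seen > self.timeout:
            self.last_seen.pop(remote, None)        # mapping expired, pinhole closed
            return False
        return True


def reachable_fraction(interval, timeout=60.0, horizon=3600):
    """Share of `horizon` seconds in which an INVITE from PBX_PEER gets through
    when the PBX sends a packet to it every `interval` seconds."""
    fw = UdpPinholeFirewall(timeout)
    passed = 0
    for t in range(horizon):
        if t % interval == 0:
            fw.outbound(t, PBX_PEER)
        passed += fw.inbound_allowed(t, PBX_PEER)
    return passed / horizon


def unsolicited_allowed():
    """A SIP URI call from an address the PBX never talked to, with no port forward."""
    fw = UdpPinholeFirewall()
    fw.outbound(0, PBX_PEER)
    return fw.inbound_allowed(10, STRANGER)


if __name__ == "__main__":
    for interval in (3600, 120, 60, 30):
        print(f"packet every {interval:>4}s -> reachable {reachable_fraction(interval):.1%}")
    print("unsolicited caller allowed:", unsolicited_allowed())
```

Real routers differ in their UDP timeout and in whether inbound packets also refresh the mapping, so measure the actual timeout before picking an interval.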