How to custom port for SIP Trunk

This is kind of a continuation of my earlier SIP trunk post but I really need some help understanding the bigger picture with Asterisk FreePBX and SIP ports

The reason for the confusion is this, heres what ive learned

  • Asterisk can only bind to one port for sip

But! How is it that i have extensions on different ports then. For example, using OpenVPN to a remote office there is nat going on because the OpenVPN client connects multiple phones from the address I learned that they cant all use 5060, they each need a different port so that Asterisk can talk SIP to each phone. So i have 1 phone 5060 another 5160 5260 etc.

The same thing happened when i had an internal SIP trunk to a Pstn gateway w multiple fxo ports. The voice gateway is but i have several sip trunks connecting from it using 5060 5160 5260 etc to connect to diff fxo ports.

Okay, all makes sense to me.

So why is it a problem when i get a sip trunk provider now and want a custom sip port, instead of 5060, say 9191. So i forward 9191 to my pbx, but pbx refuses to accept sip on that port even thought i put port=9191 in the trunk config

Can someone clear this up so I can understand?

The provider tells me that its safe to leave 5060 open and i just need to harden the pbx. If my secrets are not rockyou.lst (massive password list) crackable, am I fairly “safe”, or are there other things to worry about besides secrets getting cracked? Is there a risk of ddos from all the password crack attempts that could happen if 5060 is left open?