SIP 5060 vs a custom SIP port number


(Ted) #1

Hello, I have a SIP port number + security question here.

We help some customers manage their PBX in the cloud and recently we decided to switch from the default SIP port 5060 to a custom one to enhance security. That helped a lot, especially with those where the SIP port is open to the public on a cloud server. Switching to a custom SIP port number created a lot of SIP traffic problems, especially with some routers. Most routers' SIP ALG is designed to work with the default SIP port, not custom ones. And with some routers, even after disabling SIP ALG, there are still issues; in particular, you cannot receive a phone call on a phone behind that router. With the default SIP port number that router and that phone were working great, with or without SIP ALG enabled on the router.

It was suggested to me a lot of times to switch from default ports to custom ones to add security; however, I'm seeing that all the major cloud VoIP providers are still using the default SIP port numbers and aren't concerned about security issues. Does that mean their security mechanisms are secure enough that they are fine with using default SIP ports?


#2

You should not need SIP ALG services on your router if you use the NAT-handling features of Asterisk/FreePBX.

It differs slightly depending on whether you use PJSIP or chan_sip, but the options should allow you to have your extensions behind a NAT without relying on ALG.

Large SIP providers use standard ports for the same reason that web sites use standard ports. It is what is expected. If you’re doing your own small-outfit thing you can use any ports you like but you have to add it to your instructions/training for your users or admins.


(Ted) #3

Thanks for your response. We never had to deal with FreePBX NAT settings before.

I see there is the ability to add a NAT local network in the General SIP settings. Does that mean it will apply to both the PJSIP and SIP protocols? We only use PJSIP extensions. Do I just add the local network of the router under which that phone resides? It's a home user and they want to be able to call from home. The PBX is on a cloud server with a public IP.


#4

No, the NAT settings in Asterisk SIP Settings are for when your PBX is behind the NAT. In your case, it’s not, so you should set it as having a public IP and not use the local networks fields.

When your PJSIP extensions are behind NAT, these settings in the extension (Advanced tab) config usually handle the situation:

[image: extension Advanced tab NAT settings]
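The PJSIP NAT options the replies refer to, shown as an added raw pjsip.conf example (not from this thread and not FreePBX's generated config): a cloud PBX with a public IP listening on a custom port, and an endpoint behind a home router handled without SIP ALG. The address 198.51.100.10, port 5678, extension 1001 and the password are placeholders; the phone must be configured to register to the custom port.

```ini
; Added example, not from the thread: cloud PBX on a public IP, custom SIP port,
; one remote extension behind NAT. Replace the placeholder values with your own.

[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0:5678            ; custom SIP port instead of the default 5060
; The PBX itself is not behind NAT, so no external_media_address,
; external_signaling_address or local_net lines are needed here.

[1001]
type=endpoint
context=from-internal
disallow=all
allow=ulaw
auth=1001
aors=1001
direct_media=no              ; keep media through the PBX instead of phone-to-phone
rtp_symmetric=yes            ; send RTP back to the address/port it arrived from
force_rport=yes              ; reply to the source port, not the port in the Via header
rewrite_contact=yes          ; use the NAT'd source address, not the phone's private Contact

[1001]
type=auth
auth_type=userpass
username=1001
password=CHANGE_ME           ; placeholder

[1001]
type=aor
max_contacts=1
qualify_frequency=60         ; periodic OPTIONS keep the router's NAT mapping open
```

With these four endpoint options set, inbound calls reach the phone through the router's existing NAT mapping, which is why the GUI equivalents on the extension's Advanced tab are usually enough and router ALG can stay disabled.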


(xp) #5

Agreed with all said here. We have thousands of endpoints. They were all Chan_SIP, on alternate ports, no router/firewall ALG - zero issues and love the off port concept (shout out to Lorne Gaetz for this!!). We switched every PBX (and extension of course) to only PJSIP, alternate ports, no router/firewall ALG and still have zero issues. So yes - do off port and no ALG on the router.