SIP ALG in uOS: Understanding and Configuring VoIP Traffic Handling

Zyxel_Claudia (Zyxel Employee)

SIP ALG (Session Initiation Protocol - Application Layer Gateway) is a firewall feature that helps manage SIP-based VoIP traffic across NAT (Network Address Translation) devices. The uOS firewall implementation of SIP ALG focuses on SIP and RTP pinholes, while SIP transformation is not supported due to its potential to cause unintended behavior.

1. What is SIP ALG and Why is it Needed?

SIP is a widely used protocol for VoIP (Voice over IP) calls, handling both signaling (call setup) and media connection (actual voice data). However, when SIP devices are behind a NAT firewall, communication issues can occur because:

  • The SIP server may not recognize the public IP address of the VoIP phone
  • The SIP signaling and media ports do not match, leading to one-way audio or dropped calls
  • NAT timeouts can terminate VoIP sessions prematurely

uOS Firewall SIP ALG Solutions

To resolve these issues, SIP ALG uses two key techniques:

  • SIP Pinholes – Keeps NAT session open longer for SIP signaling. Purpose: Extends the NAT timeout for SIP connections.
  • RTP Pinholes – Creates temporary firewall rules for media connections. Purpose: Allows the firewall to dynamically open ports for RTP (voice) traffic.

uOS DOES NOT support SIP Transformation (modifying SIP payloads) because:

  • It can cause unpredictable behavior
  • Modern SIP servers should handle NAT traversal without needing transformation

2. How to Configure SIP ALG in uOS

Navigate to: Network → ALG → SIP ALG

Main Settings:

  • Enable SIP ALG Globally – Activates SIP ALG on the firewall
  • SIP Service Port – Default is 5060 (UDP/TCP)
  • SIP Signaling Timeout – Default 1800 seconds (30 minutes)
  • Media (RTP) Timeout – Default 120 seconds

3. Advanced Settings: Restricting SIP & RTP Sessions

Restrict Peer-to-Peer Media Connection

  • ON → Only allows RTP from the intended peer
  • OFF → Allows RTP from any external IP (useful if the SIP server has multiple IPs)

Restrict Peer-to-Peer SIP Signaling

  • ON → Only the SIP server can initiate calls
  • OFF → Any client can initiate a SIP session
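The following Python is an added worked example, not uOS code and not part of the original post. It models the NAT problem described in section 1 and the pinhole and restriction behaviour from sections 1 and 3: it parses a constructed SIP INVITE whose Contact header and SDP carry a private address, lists why that breaks across NAT, derives the SIP and RTP pinholes a firewall would keep for the call (using the uOS default timeouts of 1800 and 120 seconds) and then evaluates inbound RTP and INVITE traffic under the two Restrict Peer-to-Peer settings. The SIP message, all IP addresses and the function names are constructed for illustration; uOS does not expose its state tables through such an API.

```python
import ipaddress
import re

# Constructed sample: an INVITE as a phone behind NAT would send it.  The phone
# only knows its private address, so that is what lands in Via, Contact and
# the SDP c= line; a SIP server on the Internet cannot route back to it.
SDP_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:bob@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@sip.example.net>;tag=1928301774\r\n"
    "To: <sip:bob@sip.example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)

SIP_TIMEOUT = 1800   # uOS default SIP signaling timeout (seconds)
RTP_TIMEOUT = 120    # uOS default media (RTP) timeout (seconds)


def parse_sip(message):
    """Split a SIP request into request line, headers (lower-cased names) and body."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers, "body": body}


def signaling_address(parsed):
    """IP and port the phone advertises for signaling, taken from Contact."""
    m = re.search(r"sip:(?:[^@>]+@)?([\d.]+)(?::(\d+))?", parsed["headers"]["contact"])
    return m.group(1), int(m.group(2) or 5060)


def media_endpoint(sdp):
    """IP and port the phone asks the far end to send RTP to (SDP c= and m=audio)."""
    ip = re.search(r"^c=IN IP4 (\S+)\r?$", sdp, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+) ", sdp, re.M).group(1))
    return ip, port


def nat_problems(parsed):
    """List why this INVITE breaks across NAT if the firewall keeps no state for it."""
    problems = []
    sig_ip, _ = signaling_address(parsed)
    media_ip, media_port = media_endpoint(parsed["body"])
    if ipaddress.ip_address(sig_ip).is_private:
        problems.append(f"Contact advertises private {sig_ip}: server cannot reach the phone")
    if ipaddress.ip_address(media_ip).is_private:
        problems.append(f"SDP offers RTP to private {media_ip}:{media_port}: one-way audio")
    return problems


def build_pinholes(parsed, peer_ip):
    """Model the two pinholes a SIP ALG keeps for a call: a long-lived SIP entry
    and a short-lived RTP entry for the offered port plus its RTCP port (port + 1).
    peer_ip is the far-end media address expected for this call (constructed)."""
    _, sig_port = signaling_address(parsed)
    _, rtp_port = media_endpoint(parsed["body"])
    return {
        "sip": {"port": sig_port, "timeout": SIP_TIMEOUT},
        "rtp": {"ports": {rtp_port, rtp_port + 1}, "peer_ip": peer_ip, "timeout": RTP_TIMEOUT},
    }


def rtp_allowed(pinholes, src_ip, dst_port, restrict_peer):
    """Inbound RTP check modelling 'Restrict Peer-to-Peer Media Connection':
    ON -> only the expected peer may use the pinhole; OFF -> any external source."""
    rtp = pinholes["rtp"]
    if dst_port not in rtp["ports"]:
        return False
    return (not restrict_peer) or src_ip == rtp["peer_ip"]


def sip_invite_allowed(src_ip, sip_server_ip, restrict_signaling):
    """Inbound INVITE check modelling 'Restrict Peer-to-Peer SIP Signaling':
    ON -> only the SIP server may set up calls; OFF -> any client may."""
    return (not restrict_signaling) or src_ip == sip_server_ip


if __name__ == "__main__":
    inv = parse_sip(SAMPLE_INVITE)
    for p in nat_problems(inv):
        print("problem:", p)
    holes = build_pinholes(inv, peer_ip="203.0.113.10")   # constructed peer
    print("pinholes:", holes)
    print("RTP from peer, restricted:", rtp_allowed(holes, "203.0.113.10", 49170, True))
    print("RTP from other host, restricted:", rtp_allowed(holes, "198.51.100.7", 49170, True))
```

Running it shows the two NAT problems for the sample phone, the RTP pinhole covering ports 49170 and 49171, and that with the media restriction ON only the expected peer address gets through the pinhole while with it OFF any external source does, which is the trade-off to weigh when a SIP provider sends media from several addresses.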

4. Verifying SIP ALG is Working

To check if SIP ALG is correctly creating pinholes, run the following CLI command:

show conntrack | match Dport 5060

  • If SIP ALG is working, you will see timeouts for SIP and RTP sessions
  • Calls will connect faster and have fewer audio issues

5. Recommendations

uOS SIP ALG has been tested in the following scenario:

SIP server on the Internet, with IP phones or voice clients connected behind the H Series through VPN connections.