Firewall and Network Configuration for SIP Trunks

Why Firewall Configuration Matters for SIP Trunks

SIP trunks rely on your internet connection to carry voice traffic, which means your firewall and network configuration directly impacts call quality and reliability. An incorrectly configured firewall is one of the most common causes of VoIP problems, including one-way audio, dropped calls and registration failures.

This guide covers everything you need to configure on your firewall and network to ensure reliable SIP trunk operation.

Required Ports and Protocols

SIP trunks use two main protocols that require specific ports to be open on your firewall:

SIP (Session Initiation Protocol) — Call Signalling

SIP handles call setup, teardown and registration. You need to allow the following:

  • UDP port 5060 — standard SIP signalling (most common)
  • TCP port 5060 — SIP over TCP (used when a SIP message is too large to fit in a single UDP datagram within the path MTU)
  • TCP port 5061 — SIP over TLS, i.e. encrypted SIP signalling (recommended for security)

RTP (Real-time Transport Protocol) — Audio/Media

RTP carries the actual voice audio during a call. The port range varies by provider but is typically:

  • UDP ports 10000–20000 — RTP media streams
  • SRTP — encrypted RTP for secure audio (uses the same port range)

Both inbound and outbound traffic must be permitted on these ports. Blocking either direction will cause one-way audio or complete call failure.

Additional Ports

  • UDP port 3478 — STUN (Session Traversal Utilities for NAT) used for NAT traversal
  • TCP port 443 — HTTPS for phone provisioning and web management
  • UDP port 53 / TCP port 53 — DNS resolution for SIP server addresses

Firewall Rules Configuration

Whitelist Your SIP Provider's IP Ranges

For maximum security, configure your firewall to only allow SIP traffic from your provider's IP addresses. This prevents unauthorised SIP traffic from reaching your PBX. Your provider will supply a list of their signalling and media server IP ranges — add these to your firewall's whitelist.

Recommended Firewall Rules

  • Allow outbound UDP/TCP 5060 and TLS 5061 to your provider's SIP servers
  • Allow inbound UDP/TCP 5060 and TLS 5061 from your provider's SIP servers
  • Allow outbound UDP 10000–20000 to your provider's media servers
  • Allow inbound UDP 10000–20000 from your provider's media servers
  • Allow outbound UDP 3478 for STUN
  • Deny all other SIP traffic from unknown sources

Important: Ensure SIP ALG is disabled on your router before configuring firewall rules. SIP ALG rewrites the addresses inside SIP messages as they pass through the router, which conflicts with STUN and static NAT and will interfere with your carefully configured rules.
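The rule list above, written out as an nftables ruleset. This is an added example, not configuration from the original guide or from any provider: it assumes the rules run on the PBX host itself (an IPv4-only dedicated machine with nftables installed), and the provider address ranges, set names and port range are constructed placeholders to be replaced with the ranges your provider supplies.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset that implements the recommended SIP
# trunk rules on the PBX host. Addresses are constructed placeholders from the
# RFC 5737 documentation ranges; loading the result needs root on the PBX.
PROVIDER_SIP_RANGES="198.51.100.0/24 203.0.113.0/24"   # provider signalling servers (placeholder)
PROVIDER_RTP_RANGES="198.51.100.0/24 203.0.113.0/24"   # provider media servers (placeholder)
RTP_PORTS="10000-20000"                                # provider's RTP range (placeholder)

# Turn "a b c" into the nftables set literal "{ a, b, c }".
nft_set() {
    printf '{ %s }' "$(printf '%s' "$1" | sed 's/ \{1,\}/, /g')"
}

# Print the complete ruleset: SIP and RTP only to/from the provider, STUN, DNS
# and HTTPS outbound, and any SIP from or to an unknown address dropped.
gen_ruleset() {
    sip_set=$(nft_set "$PROVIDER_SIP_RANGES")
    rtp_set=$(nft_set "$PROVIDER_RTP_RANGES")
    cat <<EOF
table inet voip {
    set sip_servers   { type ipv4_addr; flags interval; elements = $sip_set }
    set media_servers { type ipv4_addr; flags interval; elements = $rtp_set }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # signalling: UDP/TCP 5060 and TLS 5061, only from the provider's SIP servers
        ip saddr @sip_servers udp dport 5060 accept
        ip saddr @sip_servers tcp dport { 5060, 5061 } accept
        # media: RTP/SRTP range, only from the provider's media servers
        ip saddr @media_servers udp dport $RTP_PORTS accept
        # SIP from any other source is logged and dropped
        udp dport 5060 log prefix "sip-unknown-src: " drop
        tcp dport { 5060, 5061 } log prefix "sip-unknown-src: " drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
        ip daddr @sip_servers udp dport 5060 accept
        ip daddr @sip_servers tcp dport { 5060, 5061 } accept
        ip daddr @media_servers udp dport $RTP_PORTS accept
        udp dport 3478 accept                 # STUN
        udp dport 53 accept                   # DNS
        tcp dport { 53, 443 } accept          # DNS, HTTPS provisioning
        # SIP towards anything other than the provider is dropped
        udp dport 5060 drop
        tcp dport { 5060, 5061 } drop
    }
}
EOF
}

# Usage on the PBX (as root):
#   gen_ruleset > /etc/nftables.d/voip.nft
#   nft -c -f /etc/nftables.d/voip.nft    # syntax check only
#   nft -f /etc/nftables.d/voip.nft
gen_ruleset
```

The input chain's default policy is drop, so the two explicit "log ... drop" lines exist only to record SIP arriving from addresses outside the whitelist; watching that log prefix is a cheap way to notice that a provider has changed its ranges (calls start failing and the log fills) or that unsolicited SIP is reaching the PBX. Outbound keeps an accept policy so that unrelated PBX traffic (updates, NTP, monitoring) is not broken; only SIP to a non-provider address is blocked.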

NAT Traversal Configuration

Most business networks use NAT (Network Address Translation), which can cause problems for SIP traffic because SIP messages carry the sender's IP address inside the message itself, in headers such as Via and Contact and in the SDP body that tells the other side where to send RTP. Behind NAT those addresses are private ones that the provider cannot reach unless they are corrected.

STUN (Session Traversal Utilities for NAT)

STUN allows your PBX or phones to discover their public IP address and include it correctly in SIP packets. Configure your PBX to use your provider's STUN server, typically on UDP port 3478.

SIP Keep-Alive Packets

NAT mappings expire after a period of inactivity. Configure your PBX to send SIP keep-alive packets (also called SIP OPTIONS pings) every 20–30 seconds. This keeps the NAT mapping open and ensures inbound calls can reach your system.

Static NAT / Port Forwarding

If your PBX has a static internal IP address, you can configure static NAT mappings (port forwarding) for SIP and RTP ports directly to your PBX. This is more reliable than relying on dynamic NAT traversal. Combine it with the provider whitelist described above, so that the forwarded ports accept traffic only from your provider's addresses rather than from the whole internet.
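What a SIP keep-alive actually looks like, and a way to check by hand that signalling passes through your firewall and NAT in both directions. This is an added example, not code from the original guide: it builds one SIP OPTIONS request (the same kind of message a PBX sends as a keep-alive) and sends it with netcat. The provider host name and the local address are constructed placeholders, and the sending function assumes an OpenBSD-style nc that supports the -u and -w options.

```shell
#!/bin/sh
# Added example: build a SIP OPTIONS request and send it to the provider so the
# reply (or its absence) shows whether the signalling path is open.
PROVIDER_HOST="sip.provider.example"   # placeholder for your provider's SIP server
PROVIDER_PORT=5060
LOCAL_IP="192.0.2.10"                  # placeholder: the PBX's LAN address
LOCAL_PORT=5060

# Print an OPTIONS request with CRLF line endings, as RFC 3261 requires.
# $1 host, $2 port, $3 local IP, $4 local port, $5 unique tag for this request
sip_options_msg() {
    printf 'OPTIONS sip:%s SIP/2.0\r\n' "$1"
    printf 'Via: SIP/2.0/UDP %s:%s;branch=z9hG4bK-%s;rport\r\n' "$3" "$4" "$5"
    printf 'Max-Forwards: 70\r\n'
    printf 'From: <sip:keepalive@%s>;tag=%s\r\n' "$3" "$5"
    printf 'To: <sip:%s>\r\n' "$1"
    printf 'Call-ID: %s@%s\r\n' "$5" "$3"
    printf 'CSeq: 1 OPTIONS\r\n'
    printf 'Contact: <sip:keepalive@%s:%s>\r\n' "$3" "$4"
    printf 'User-Agent: firewall-check\r\n'
    printf 'Content-Length: 0\r\n\r\n'
}

# Send one probe and print whatever comes back within 3 seconds.
# A "SIP/2.0 ..." status line (200 OK, or even 4xx) means signalling passes
# both ways; silence means the firewall, NAT or the provider's own whitelist
# is blocking one direction.
sip_probe() {
    tag="$$-$(date +%s)"
    sip_options_msg "$PROVIDER_HOST" "$PROVIDER_PORT" "$LOCAL_IP" "$LOCAL_PORT" "$tag" \
        | nc -u -w 3 "$PROVIDER_HOST" "$PROVIDER_PORT"
}

# Repeat every 25 seconds, inside the 20–30 second window that keeps the NAT
# mapping open (a PBX does this itself; this loop is only for observation).
keepalive_loop() {
    while :; do
        sip_probe
        sleep 25
    done
}

# Show the message that would be sent; uncomment sip_probe to send it.
sip_options_msg "$PROVIDER_HOST" "$PROVIDER_PORT" "$LOCAL_IP" "$LOCAL_PORT" "demo1234"
# sip_probe
```

Because the request is sent from a new source port rather than the PBX's own 5060, the NAT mapping this probe opens is not the one the PBX uses; it proves the rules and the provider's reachability, while the PBX's own OPTIONS pings (visible in its SIP trace) are what keep the real mapping alive.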

QoS (Quality of Service) Configuration

QoS ensures voice traffic is prioritised over other data on your network, preventing call quality issues during periods of high bandwidth usage.

DSCP Marking

Configure your network equipment to mark voice packets with appropriate DSCP (Differentiated Services Code Point) values:

  • EF (Expedited Forwarding / DSCP 46) — for RTP voice media
  • CS3 (DSCP 24) or AF31 (DSCP 26) — for SIP signalling

Traffic Prioritisation

Configure your router or firewall to prioritise packets with these DSCP markings. Most business-grade routers support QoS policies that can:

  • Guarantee minimum bandwidth for voice traffic
  • Limit bandwidth for non-critical traffic (downloads, streaming)
  • Prioritise voice packets in the output queue during congestion
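The two steps above, DSCP marking and prioritisation, for a Linux-based PBX or router, as an added example that is not configuration from the original guide. It marks SIP and RTP leaving the host with the DSCP values listed above using nftables and then builds a three-band priority queue with tc that dequeues EF first and CS3 second. The interface name and RTP port range are constructed placeholders.

```shell
#!/bin/sh
# Added example: DSCP marking with nftables and a matching tc priority queue.
WAN_IF="eth0"            # placeholder: interface towards the internet
RTP_PORTS="10000-20000"  # placeholder: provider's RTP range
DSCP_VOICE=46            # EF, for RTP voice media
DSCP_SIGNAL=24           # CS3, for SIP signalling (use 26 for AF31 instead)

# tc's u32 filter matches the whole IPv4 TOS byte, which holds the DSCP in its
# upper six bits, so DSCP 46 becomes 0xb8 and DSCP 24 becomes 0x60.
dscp_to_tos() {
    printf '0x%02x' $(( $1 << 2 ))
}

# nftables rules that set the DSCP on locally generated SIP and RTP packets.
gen_dscp_rules() {
    cat <<EOF
table inet voip_qos {
    chain mark {
        type route hook output priority -150; policy accept;
        udp dport $RTP_PORTS ip dscp set $(printf '0x%02x' "$DSCP_VOICE")
        udp dport 5060 ip dscp set $(printf '0x%02x' "$DSCP_SIGNAL")
        tcp dport { 5060, 5061 } ip dscp set $(printf '0x%02x' "$DSCP_SIGNAL")
    }
}
EOF
}

# tc commands: band 1:1 (EF) is always served first, 1:2 (CS3) next, and the
# priomap sends everything unmatched to band 1:3. The 0xfc mask ignores the
# two ECN bits so that ECN-marked voice packets still match.
gen_tc_commands() {
    voice_tos=$(dscp_to_tos "$DSCP_VOICE")
    signal_tos=$(dscp_to_tos "$DSCP_SIGNAL")
    cat <<EOF
tc qdisc add dev $WAN_IF root handle 1: prio bands 3 priomap 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2
tc filter add dev $WAN_IF parent 1: protocol ip prio 1 u32 match ip tos $voice_tos 0xfc flowid 1:1
tc filter add dev $WAN_IF parent 1: protocol ip prio 2 u32 match ip tos $signal_tos 0xfc flowid 1:2
EOF
}

# Usage (as root): gen_dscp_rules | nft -f -   and then   gen_tc_commands | sh
gen_dscp_rules
gen_tc_commands
```

A strict priority queue is enough for a PBX whose voice traffic is a small, bounded share of the uplink; on a shared gateway where bulk data could be starved, the same filters can feed an HTB class with a guaranteed rate for voice instead of the prio bands. The marking only helps if the upstream router and ISP honour DSCP; many ISPs reset it, so the queue on your own uplink is the part you control.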

VLAN Separation for Voice

For the best call quality, place your VoIP phones on a separate VLAN (Virtual LAN) from your data network. This provides:

  • Traffic isolation — voice traffic is not affected by data traffic spikes
  • Easier QoS — you can apply QoS policies to the entire voice VLAN
  • Improved security — voice and data networks are logically separated
  • Simpler troubleshooting — voice issues can be diagnosed independently

Most managed switches support VLANs. Configure a dedicated voice VLAN (commonly VLAN 100 or VLAN 200) and assign your phone ports to it.

Testing Your Configuration

After configuring your firewall and network, verify everything is working:

  • Check phone registration — all phones should register successfully
  • Test outbound calls — make calls to landlines and mobiles
  • Test inbound calls — call your numbers from external phones
  • Verify two-way audio — confirm both parties can hear each other clearly
  • Test under load — make multiple simultaneous calls while other staff use the internet normally
  • Monitor for 48 hours — some issues only appear intermittently

If you experience issues after configuration, consult our VoIP troubleshooting guides or contact our team for assistance.