A mid-sized logistics company discovered $42,000 in fraudulent international calls on a Monday morning. The cause: an attacker had exploited an open SIP port on their firewall over the weekend, registered unauthorized extensions, and routed calls through their PBX for 48 hours straight. Their firewall was running default settings with SIP ALG enabled and no rate limiting on registration attempts. The breach was entirely preventable.
VoIP systems face the same threats as any internet-connected service — unauthorized access, denial-of-service attacks, eavesdropping, and toll fraud. A properly configured firewall filters signaling and media traffic, shields call data, and controls how your phones communicate with the outside world. But a misconfigured firewall can be worse than no firewall at all, creating hard-to-diagnose call quality problems while still leaving you exposed.
This guide walks you through firewall configuration for VoIP, from network planning through ongoing maintenance, so your business phone system stays secure and your calls stay clear.
Before configuring anything, understand the pitfalls that cause the most VoIP support tickets:
Recognizing these issues upfront saves you from chasing phantom call quality problems after deployment.
Firewall rules only work when they reflect your actual network topology. Complete these steps before writing a single rule.
Map your VoIP traffic flow. Document every component: PBX server IPs, SIP trunk provider IPs and their required ports, the RTP media port range your system uses, remote phone locations, and any VPN connections. This map becomes your firewall policy blueprint.
Segment voice traffic onto a dedicated VLAN. This is the single highest-impact security step you can take. A private VLAN isolates your phones and PBX from workstations, printers, and other devices. If an employee’s laptop gets compromised by malware, the attacker cannot reach your voice infrastructure without crossing a firewall boundary. Most managed switches support VLANs, and configuration takes minutes.
Choose a firewall with VoIP capabilities. Look for stateful packet inspection, deep packet inspection with SIP protocol awareness, configurable SIP ALG (so you can disable it), port range management with alias groups, and integrated logging with alerting. Many business routers include a built-in firewall, but you must configure it manually for VoIP — default settings almost never work correctly.
Coordinate with your VoIP provider. Your provider will specify which IP ranges and ports their SIP trunks use, whether they require TLS on port 5061 or standard SIP on 5060, and any specific NAT traversal requirements. When deploying business telephone services, aligning your firewall rules with your provider’s specifications prevents registration failures and call routing issues. If your network depends on high-speed connectivity like business internet services, synchronize your bandwidth management and QoS rules to keep voice traffic prioritized even under heavy load.
With your network mapped and segmented, apply these configurations in order.
1. Update firmware first. Before changing any settings, update your firewall to the latest firmware. This eliminates known vulnerabilities and often adds improved VoIP handling features.
2. Create zones and assign interfaces. Define separate zones for WAN, LAN, and your Voice VLAN. Set default policies to deny all traffic, then add explicit allow rules. This deny-by-default approach ensures nothing gets through that you have not specifically permitted.
3. Build address groups. Group your PBX servers, SIP trunk provider IPs, and voice subnets into named objects. Rules built with address groups are easier to read, maintain, and audit than rules using raw IP addresses.
4. Write SIP and RTP allow rules. Create explicit rules permitting SIP traffic (UDP/TCP 5060, or 5061 for TLS) and RTP media (UDP 10000-20000, or your configured range) between your PBX and your SIP trunk provider IPs. Do not use “any” as a source or destination. Enable QoS marking on these rules to prioritize voice packets over data traffic.
5. Configure NAT and port forwarding carefully. If your PBX sits behind NAT, forward only the specific SIP and RTP ports to your PBX’s internal IP. Never forward the entire RTP range to a wildcard address. Disable SIP ALG — your PBX and provider should handle NAT traversal through STUN, TURN, or outbound proxy settings.
6. Enable SIP-aware inspection selectively. If your firewall offers SIP inspection or VoIP helper modules, enable them but test thoroughly. Overly aggressive inspection rewrites SIP headers and causes the same problems as SIP ALG. Monitor call quality after enabling and disable the module if you see registration failures or audio issues.
7. Set up logging and alerts. Configure alerts for failed SIP registration attempts (a sign of brute-force attacks), excessive SIP INVITE requests (potential denial-of-service), and traffic on unexpected ports. Ship logs to a central syslog server or SIEM if available.
8. Test every call scenario. Place inbound calls, outbound calls, and calls from remote extensions. Test call transfer, hold, and conference. Verify audio flows in both directions. Run tests during peak network load to confirm QoS works correctly.
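The policy those eight steps describe, as a small Python model (an added example, not configuration from the article or from 1stel; the address groups, zone names and port ranges are constructed assumptions): it builds the named address groups from step 3, evaluates packets first-match against a deny-by-default WAN-to-voice policy with explicit SIP and RTP allows, and audits a rule set for the two mistakes the steps warn about, an allow rule that uses "any" for a peer and an allow rule shadowed by a broader deny listed before it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address groups (step 3). Real deployments use the PBX and
# provider addresses from the traffic map built earlier.
GROUPS = {
    "PBX": [ip_network("10.20.0.10/32")],
    "SIP_PROVIDER": [ip_network("203.0.113.0/28"), ip_network("198.51.100.8/29")],
    "VOICE_VLAN": [ip_network("10.20.0.0/24")],
}
SIP_PORTS = {5060, 5061}            # SIP, or SIP over TLS
RTP_RANGE = range(10000, 20001)     # UDP media range; substitute your PBX's range


@dataclass
class Rule:
    name: str
    action: str          # "allow" or "deny"
    src: str             # address-group name, or "any"
    dst: str
    proto: str           # "udp", "tcp", or "any"
    ports: object        # set/range of destination ports, or "any"
    qos_mark: bool = False   # mark voice packets for priority queuing


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def in_group(addr, group):
    return group == "any" or any(ip_address(addr) in net for net in GROUPS[group])


def matches(rule, pkt):
    return (in_group(pkt.src, rule.src) and in_group(pkt.dst, rule.dst)
            and rule.proto in ("any", pkt.proto)
            and (rule.ports == "any" or pkt.dport in rule.ports))


def evaluate(policy, pkt):
    """First matching rule wins; if nothing matches, the zone default (deny) applies."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "zone-default-deny"


def covers(outer, inner):
    """True when every packet matching `inner` would already have matched `outer`."""
    return (outer.src in ("any", inner.src) and outer.dst in ("any", inner.dst)
            and outer.proto in ("any", inner.proto)
            and (outer.ports == "any"
                 or (inner.ports != "any" and set(inner.ports) <= set(outer.ports))))


def audit(policy):
    """Flag allow rules that use 'any' for a peer, and rules that an earlier,
    broader rule of the opposite action makes unreachable."""
    findings = []
    for i, rule in enumerate(policy):
        if rule.action == "allow" and "any" in (rule.src, rule.dst):
            findings.append(f"{rule.name}: allow rule uses 'any' as source or destination")
        for earlier in policy[:i]:
            if earlier.action != rule.action and covers(earlier, rule):
                findings.append(f"{rule.name}: never reached, shadowed by '{earlier.name}'")
    return findings


# WAN -> Voice VLAN policy as steps 2-4 describe it: explicit SIP and RTP
# allows between provider and PBX only, then deny everything else.
WAN_TO_VOICE = [
    Rule("sip-udp", "allow", "SIP_PROVIDER", "PBX", "udp", SIP_PORTS, qos_mark=True),
    Rule("sip-tcp", "allow", "SIP_PROVIDER", "PBX", "tcp", SIP_PORTS, qos_mark=True),
    Rule("rtp-media", "allow", "SIP_PROVIDER", "PBX", "udp", RTP_RANGE, qos_mark=True),
    Rule("deny-all", "deny", "any", "any", "any", "any"),
]

# Two broken variants of the same policy for the audit pass (constructed).
WRONG_ORDER = [WAN_TO_VOICE[3]] + WAN_TO_VOICE[:3]      # deny-all listed first
WILDCARD_RTP = [Rule("rtp-any", "allow", "any", "any", "udp", RTP_RANGE)]

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.5", "10.20.0.10", "udp", 5060),    # provider -> PBX, SIP
                Packet("203.0.113.5", "10.20.0.10", "udp", 15000),   # provider -> PBX, RTP
                Packet("192.0.2.7", "10.20.0.10", "udp", 5060),      # unknown host -> PBX
                Packet("198.51.100.9", "10.20.0.50", "udp", 5060)):  # provider -> a phone
        print(pkt, "->", evaluate(WAN_TO_VOICE, pkt))
    for name, policy in (("WRONG_ORDER", WRONG_ORDER), ("WILDCARD_RTP", WILDCARD_RTP)):
        print(name, audit(policy))
```

Translate each Rule into your firewall's own rule syntax; the semantics (first match wins, zone default deny, no "any" on allow rules, specific allows before general denies) carry over unchanged, and the audit is worth re-running whenever a rule is added.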
A firewall controls which traffic enters and leaves your network. These additional measures protect what happens within that traffic.
Encrypt signaling and media. Use TLS for SIP signaling and SRTP for voice media. This prevents eavesdropping even if an attacker intercepts packets. Ensure phones download their configuration files over HTTPS, not HTTP.
Deploy intrusion detection and prevention. IDS/IPS modules (often built into modern firewalls) identify brute-force registration attacks, SIP scanning, and abnormal traffic spikes. They catch threats that simple port-based rules miss.
Enforce rate limiting and geo-blocking. Set thresholds for SIP registration attempts (e.g., maximum 5 failures per minute per IP) and INVITE requests. Block SIP traffic from countries where you have no business operations — this alone eliminates the majority of toll fraud attempts.
Maintain a patch schedule. Update not just your firewall but also your PBX software, IP phone firmware, and router OS. Attackers target the weakest link, and an unpatched IP phone can provide a foothold into your voice network.
Monitor continuously. Review firewall logs weekly at minimum. Look for new source IPs attempting SIP registration, unusual call volume patterns, and calls to high-cost international destinations. Automated alerts reduce the time between breach and detection from days to minutes.
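Detection logic for the failed-registration alerts in step 7 and for the rate-limiting and geo-blocking thresholds just described, as an added Python example (not code from the article or from 1stel). The log line format, the GeoIP prefix table and the allowed-country set are constructed assumptions; the monitor enforces the "maximum 5 failures per minute per IP" threshold with a sliding window, blocks registrations from sources outside the allowed countries, and records one alert per blocked source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

FAIL_THRESHOLD = 5                 # failures tolerated per IP per window (the article's figure)
WINDOW = timedelta(minutes=1)
ALLOWED_COUNTRIES = {"US"}         # assumption: where the business and its provider operate

# Constructed stand-in for a GeoIP database; prefixes and country codes are invented.
GEO_PREFIXES = {
    ip_network("203.0.113.0/24"): "US",
    ip_network("198.51.100.0/24"): "US",
    ip_network("192.0.2.0/24"): "XX",
}

# Assumed log format; adapt the pattern to what your firewall or PBX actually emits.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sip: REGISTER (?P<result>failed|ok) src=(?P<src>[\d.]+) user=(?P<user>\S+)$")


def country_of(ip):
    """Unknown prefixes return '??', which is treated as not allowed."""
    addr = ip_address(ip)
    return next((cc for net, cc in GEO_PREFIXES.items() if addr in net), "??")


def parse(line):
    """Return a dict for a registration event, or None for lines we do not care about."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


class RegistrationMonitor:
    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = set()
        self.alerts = []

    def observe(self, ev):
        ip, ts = ev["src"], ev["ts"]
        cc = country_of(ip)
        if cc not in ALLOWED_COUNTRIES:          # geo-block before counting anything
            if ip not in self.blocked:
                self.blocked.add(ip)
                self.alerts.append(f"geo-block {ip} (country {cc})")
            return "blocked"
        if ip in self.blocked:
            return "blocked"
        if ev["result"] != "failed":
            return "allowed"
        window = self.failures[ip]
        window.append(ts)
        while ts - window[0] > WINDOW:           # drop failures older than the window
            window.popleft()
        if len(window) > FAIL_THRESHOLD:
            self.blocked.add(ip)
            self.alerts.append(f"rate-limit {ip}: {len(window)} failed REGISTERs within {WINDOW}")
            return "blocked"
        return "allowed"


def run(lines):
    monitor = RegistrationMonitor()
    for ev in filter(None, map(parse, lines)):
        monitor.observe(ev)
    return monitor


# Constructed sample log: one slow retrier, one out-of-region source,
# one brute-force burst, an unrelated kernel line, and one legitimate phone.
SAMPLE_LOG = """\
2024-05-04T02:10:00Z fw sip: REGISTER failed src=198.51.100.50 user=1020
2024-05-04T02:12:30Z fw sip: REGISTER failed src=198.51.100.50 user=1020
2024-05-04T02:13:07Z fw sip: REGISTER failed src=192.0.2.77 user=1001
2024-05-04T02:13:08Z fw sip: REGISTER failed src=192.0.2.77 user=1002
2024-05-04T02:14:00Z fw sip: REGISTER failed src=198.51.100.23 user=100
2024-05-04T02:14:05Z fw sip: REGISTER failed src=198.51.100.23 user=101
2024-05-04T02:14:10Z fw sip: REGISTER failed src=198.51.100.23 user=102
2024-05-04T02:14:15Z fw sip: REGISTER failed src=198.51.100.23 user=103
2024-05-04T02:14:20Z fw sip: REGISTER failed src=198.51.100.23 user=104
2024-05-04T02:14:25Z fw sip: REGISTER failed src=198.51.100.23 user=105
2024-05-04T02:14:30Z fw kernel: eth1 link up
2024-05-04T02:15:00Z fw sip: REGISTER failed src=203.0.113.5 user=2001
2024-05-04T02:15:03Z fw sip: REGISTER ok src=203.0.113.5 user=2001
2024-05-04T02:16:00Z fw sip: REGISTER failed src=198.51.100.50 user=1020
""".splitlines()

if __name__ == "__main__":
    monitor = run(SAMPLE_LOG)
    print("blocked:", sorted(monitor.blocked))
    print("\n".join(monitor.alerts))
```

The slow retrier never trips the limit because old failures fall out of the window, which is the behaviour you want so that a phone with a mistyped password does not lock out a whole branch; in production the alert lines would go to syslog or the SIEM and the blocklist would feed the firewall's address group.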
For organizations managing multiple locations or remote workers, integrated platforms like 1stConnect route all VoIP traffic through centrally managed, secure firewall policies, so you maintain consistent protection without configuring each site independently.
No audio or one-way audio. Verify that RTP ports are open and correctly forwarded to your PBX. Check that SIP ALG is disabled. Capture packets on both sides of the firewall to confirm RTP streams are flowing in both directions.
Softphones fail to register. Check NAT traversal settings on both the softphone and PBX. Verify that the firewall is forwarding SIP traffic to the correct internal IP. Confirm your public IP is correctly configured in the PBX’s NAT settings.
Dropped calls or high latency. Review QoS rules and confirm voice traffic is marked and prioritized. Check the firewall’s CPU usage — deep packet inspection under heavy load can delay packet processing enough to cause audio problems.
Repeated failed registration attempts from unknown IPs. This is a brute-force attack. Implement IP-based rate limiting, add the offending IP ranges to a blocklist, and enable geo-blocking for countries you do not do business with.
Calls blocked intermittently with no pattern. Check firewall rule order. Specific allow rules must appear before general deny rules. Also check for session table exhaustion — each active call consumes entries in the firewall’s connection tracking table, and a small table fills up quickly during peak hours.
What is SIP ALG and should I disable it? SIP ALG (Application Layer Gateway) is a firewall feature that modifies SIP packets as they pass through NAT. In theory, it helps SIP traffic traverse NAT boundaries. In practice, it rewrites SIP headers in ways that conflict with how modern PBX systems and VoIP providers handle NAT, causing one-way audio, dropped calls, and registration failures. Disable SIP ALG as your first troubleshooting step for any VoIP firewall issue. Most PBX platforms and SIP providers handle NAT traversal on their own through outbound proxies or STUN/TURN servers.
Which ports do I need to open for VoIP? At minimum, open SIP signaling on UDP and TCP port 5060 (or 5061 for SIP over TLS) and RTP media on a UDP port range, typically 10000-20000. Only open these ports to and from your SIP trunk provider’s specific IP addresses, not to the entire internet. Your VoIP provider will specify the exact ports and IP ranges their service requires.
How does VLAN segmentation protect my VoIP system? A dedicated voice VLAN places your phones and PBX on a separate network segment from workstations, servers, and other devices. Traffic between VLANs must pass through a router or firewall, which means an attacker who compromises a computer on your data network cannot directly access your phone system. Segmentation also reduces broadcast traffic on the voice network, improving call quality.
Can I use my existing office firewall for VoIP, or do I need a separate one? Most business-grade firewalls support VoIP when properly configured. You do not necessarily need a separate firewall. However, consumer-grade routers and basic firewalls often lack SIP awareness, adequate session table sizes, and QoS capabilities. If your current firewall cannot prioritize voice traffic, inspect SIP packets, or handle the number of concurrent call sessions your business requires, upgrade to a business-grade appliance.
How do I prevent toll fraud on my VoIP system? Toll fraud occurs when attackers register unauthorized extensions on your PBX and route expensive international calls through your account. Prevent it by restricting SIP registration to known IP ranges, enforcing strong passwords on all extensions, implementing rate limiting on registration attempts, geo-blocking SIP traffic from countries you do not call, and monitoring call detail records for unusual patterns like high-volume international calls outside business hours.
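A call detail record review for the patterns this answer names (high-volume international calls, calls outside business hours), as an added Python example rather than the article's or 1stel's code; the sample records, the business-hours window, the home country code and the per-hour threshold are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

HOME_COUNTRY_CODE = "+1"                      # assumption: a North American business
BUSINESS_HOURS = (time(8, 0), time(18, 0))    # assumption; weekends count as outside hours
INTL_PER_HOUR_THRESHOLD = 3                   # assumption: more than this per extension per hour


@dataclass(frozen=True)
class CDR:
    extension: str
    started: datetime      # local time
    destination: str       # dialled number in E.164 form
    seconds: int


def is_international(number):
    return not number.startswith(HOME_COUNTRY_CODE)


def outside_business_hours(ts):
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1])


def detect_toll_fraud(cdrs):
    """Bucket international calls per extension and hour; return one
    (extension, hour, reasons) alert per bucket that looks suspicious."""
    buckets = defaultdict(list)
    for cdr in cdrs:
        if is_international(cdr.destination):
            hour = cdr.started.replace(minute=0, second=0, microsecond=0)
            buckets[(cdr.extension, hour)].append(cdr)
    alerts = []
    for (ext, hour), calls in sorted(buckets.items()):
        reasons = []
        if len(calls) > INTL_PER_HOUR_THRESHOLD:
            total = sum(c.seconds for c in calls)
            reasons.append(f"high-volume international: {len(calls)} calls, {total} s")
        if any(outside_business_hours(c.started) for c in calls):
            reasons.append("after-hours international")
        if reasons:
            alerts.append((ext, hour.isoformat(), tuple(reasons)))
    return alerts


# Constructed records: 1001 is normal, 1007 places one late international call,
# 1042 shows the classic compromised-extension pattern on a Sunday night.
# The +44 20 7946 0xxx numbers are Ofcom's reserved range for fiction.
SAMPLE_CDRS = [
    CDR("1001", datetime(2024, 5, 6, 10, 15), "+15550100", 180),
    CDR("1001", datetime(2024, 5, 6, 11, 0), "+15550101", 95),
    CDR("1001", datetime(2024, 5, 6, 14, 0), "+442079460000", 420),
    CDR("1007", datetime(2024, 5, 6, 20, 30), "+442079460001", 300),
    CDR("1042", datetime(2024, 5, 5, 2, 10), "+442079460002", 600),
    CDR("1042", datetime(2024, 5, 5, 2, 18), "+442079460003", 720),
    CDR("1042", datetime(2024, 5, 5, 2, 25), "+442079460004", 540),
    CDR("1042", datetime(2024, 5, 5, 2, 33), "+442079460005", 900),
    CDR("1042", datetime(2024, 5, 5, 2, 50), "+442079460006", 660),
]

if __name__ == "__main__":
    for ext, hour, reasons in detect_toll_fraud(SAMPLE_CDRS):
        print(ext, hour, "; ".join(reasons))
```

Run this against the PBX's CDR export on a schedule rather than waiting for the invoice; an extension flagged for both reasons at once is the pattern from the opening story, and the right response is to disable that extension and check who registered it.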
Firewall configuration is not a set-and-forget task. Threats evolve, your network changes, and every new office location or remote worker adds complexity. Getting it right from the start — and keeping it right — requires expertise in both networking and voice communications.
1stel helps businesses deploy and secure VoIP systems that work reliably from day one. Whether you need business telephone services with built-in security best practices, high-speed business internet with QoS optimized for voice traffic, or a fully managed unified communications platform through 1stConnect, our team configures and monitors your infrastructure so you can focus on running your business.
Contact 1stel today to discuss your VoIP security needs and get a network assessment from our team.