OpenWRT with SIP client - inbound port auto opening

Linphone VOIP client to a local SIP VOIP provider. Plain paid VOIP line with a local number. Client registers with provider correctly. Inbound and outbound calls work correctly.

However OpenWRT sees the SIP conversation, and thinks to itself, I'll be helpful and open port 5060 UDP to the outside world, so inbound SIP connects come straight through to your Linphone client.

Port scanners, using tools like sipvicious, quickly pick it up, and now my soft phone is getting inbound nuisance calls from all over the world, and attempts to get the softphone to redial expensive international numbers.

Incredibly, the upstream Huawei fibre CPE router is repeating the same behaviour.

So this feature would seem to be ALG or UPNP.
However UPNP doesn't show any Active UPnP redirects.
ALG doesn't appear to have a status screen in LuCI.

Any pointers or advice on this?

There is no SIP ALG in OpenWrt by default, so check Huawei.
Don't use port 5060 locally (in the client configuration).
Check if your SIP client has a setting like "accept incoming from proxy only".


And make sure you disable it on the Huawei:

So I've removed kmod-nf-nathelper-extra from the installed modules in OpenWRT.

But the port still appears open.

outsideserver:~# nmap -sU -p 5060 somehostname.ddns.net
Host is up.
PORT     STATE         SERVICE
5060/udp open|filtered sip

There is more to this. Are there any tools that show the state of NF?

Tried reinstalling kmod-nf-nathelper-extra and instead turning off only the SIP nathelpers:
https://www.reddit.com/r/openwrt/comments/sj011p/sip_alg/

However, the port is still open when the SIP client is running, and closed when the SIP client shuts down.

nft list ruleset doesn't show any sip or 5060.

conntrack (has to be installed) at least shows what is open...

conntrack -L | grep 5060

There doesn't appear to be a LuCI display for conntrack, like the pfSense states table screen, which is very useful.
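
A stricter version of the `conntrack -L | grep 5060` check above, as an added example that is not part of the original thread: it matches port 5060 exactly in the original-direction tuple and marks every flow whose peer is not the SIP provider. The provider address 203.0.113.10, the function names and the sample conntrack lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: classify UDP port-5060 conntrack entries by remote peer.
# On the router (provider address is an assumption):
#   conntrack -L 2>/dev/null | sip_flows 203.0.113.10

sip_flows() {
    # $1 = IP address of the SIP provider (assumed to be a single address)
    awk -v provider="$1" '
    $1 == "udp" {
        src = dst = sport = dport = ""
        # Only the first src/dst/sport/dport set is the original direction;
        # the second set is the reply tuple and is skipped here.
        for (i = 2; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src"   && src   == "") src   = kv[2]
            if (kv[1] == "dst"   && dst   == "") dst   = kv[2]
            if (kv[1] == "sport" && sport == "") sport = kv[2]
            if (kv[1] == "dport" && dport == "") dport = kv[2]
        }
        # Exact comparison, so a port such as 15060 never matches.
        if (sport != "5060" && dport != "5060") next
        status = (src == provider || dst == provider) ? "EXPECTED" : "UNEXPECTED"
        printf "%s %s:%s -> %s:%s\n", status, src, sport, dst, dport
    }'
}

# Constructed sample in conntrack -L format (documentation addresses only):
# the registration to the provider, a flow from an unknown host, a DNS lookup
# from source port 15060 (a plain grep would match it), and a TCP session.
sample_conntrack() {
    cat <<'EOF'
udp      17 112 src=192.168.1.50 dst=203.0.113.10 sport=5060 dport=5060 src=203.0.113.10 dst=198.51.100.7 sport=5060 dport=5060 [ASSURED] mark=0 use=1
udp      17 25 src=192.0.2.99 dst=198.51.100.7 sport=5171 dport=5060 src=192.168.1.50 dst=192.0.2.99 sport=5060 dport=5171 mark=0 use=1
udp      17 20 src=192.168.1.50 dst=192.0.2.53 sport=15060 dport=53 src=192.0.2.53 dst=198.51.100.7 sport=53 dport=15060 mark=0 use=1
tcp      6 7439 ESTABLISHED src=192.168.1.50 dst=192.0.2.80 sport=45060 dport=443 src=192.0.2.80 dst=198.51.100.7 sport=443 dport=45060 [ASSURED] mark=0 use=1
EOF
}

sample_conntrack | sip_flows 203.0.113.10
```

An UNEXPECTED line whose original source is an outside address is a flow that was initiated from the WAN side. `conntrack -L expect` additionally lists any expectations a connection-tracking helper has registered.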