First of all, English is not my primary language and I had a rather long day, so I would like to apologize for any spelling or grammatical mistakes.
Secondly, while I'm not a complete newbie when it comes to networking (and Linux), I am new to OpenWrt.
I recently had to switch my ISP to a new one, and chose to use my own router (GL-MT6000) instead of the OEM-provided one.
My new ISP only offers VoIP/SIP phone connections, but they do handle the SIP server (I have all the credentials needed to connect to it).
The plan is now to use an existing Android phone as a softphone and a regular IP phone.
I assume that I need to install additional firmware/software on my router, like Asterisk or siproxd, and that those require a few open ports to function.
Given the security risks of opening ports to WAN, what hardening steps could I take to minimise said risks or outright close the new attack vectors? Or am I simply overthinking?
SIP phones make an outgoing connection much like a web browser. Generally they will work through default router settings including the standard firewall.
Software like Asterisk is for running your own phone service. It is not needed if you're connecting to a commercial server.
Yes. When someone calls you, it is not really a new connection in the IP sense. The command to make your phone ring is sent on the same IP addresses and ports that your phone has been holding open by staying "registered" to the phone company.
The problem is that ‘registration’ renewals are typically only at 3600 second intervals. When behind a NAT router, you will usually also need to configure a ‘keep alive’ interval in the SIP device. This is typically around 20 seconds and causes dummy UDP packets to be sent, which ensure that a NAT ‘pinhole’ is kept open in the router, thus allowing the incoming call ‘invite’.
Yes, they should send an OPTIONS request at intervals of less than 1 minute as a keep-alive ping. OPTIONS will elicit a canned response that requires little processing by the SIP server compared to REGISTER.
Yes, the keep alive can either be an OPTIONS request or just a NOTIFY message. NOTIFY doesn't require a response but will still keep the NAT pinhole open. Some SIP clients allow you to specify whether OPTIONS or NOTIFY should be used, but most just have a simple keep alive setting.
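
The following model of the NAT pinhole behaviour discussed in this thread is an added illustration, not something posted by any participant. It assumes the router drops an idle UDP mapping after 120 seconds and that only outbound packets refresh it; the timeout value and all function names are constructed for the example.

```python
# Added illustration: why a 3600 s REGISTER alone does not keep a NAT pinhole
# open, and why a 20 s keep-alive does, with no WAN port opened on the router.
# Assumption: an idle UDP mapping is dropped after NAT_TIMEOUT seconds and only
# outbound packets refresh it (a simplification). 120 s is a constructed value;
# on OpenWrt the real ones are the net.netfilter.nf_conntrack_udp_timeout* sysctls.
NAT_TIMEOUT = 120
REGISTER_INTERVAL = 3600   # registration renewal interval quoted in the thread
KEEPALIVE_INTERVAL = 20    # keep-alive interval quoted in the thread


def send_times(interval, horizon):
    """Times (in seconds) at which the phone sends a packet, starting at t=0."""
    return list(range(0, horizon + 1, interval))


def closed_windows(outbound, nat_timeout, horizon):
    """Return (start, end) spans in which no mapping exists, so an incoming
    INVITE from the provider would not reach the phone."""
    windows, expires = [], 0
    for t in sorted(outbound):
        if t > expires:                      # mapping lapsed before this packet
            windows.append((expires, t))
        expires = max(expires, t + nat_timeout)
    if expires < horizon:                    # mapping lapsed before the end
        windows.append((expires, horizon))
    return windows


def unreachable_seconds(outbound, nat_timeout=NAT_TIMEOUT, horizon=7200):
    """Total time within the horizon during which incoming calls would fail."""
    windows = closed_windows(outbound, nat_timeout, horizon)
    return sum(end - start for start, end in windows)


if __name__ == "__main__":
    horizon = 7200
    register_only = send_times(REGISTER_INTERVAL, horizon)
    with_keepalive = register_only + send_times(KEEPALIVE_INTERVAL, horizon)
    print("REGISTER only  :", closed_windows(register_only, NAT_TIMEOUT, horizon))
    print("with keep-alive:", closed_windows(with_keepalive, NAT_TIMEOUT, horizon))
```
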