VoIP behind a OpenWrt NAT router

I had some issues with my Gigaset Go Box 100 (it's a VoIP DECT station) connected to an OpenWRT router (it's a TP-Link Archer C2600 with the latest 18.06.4 firmware).
I can't establish phone connections to some numbers of my callers. Sometimes I can't even here a free line signal on some phone numbers. And sometimes I can hear the ring signal and when the call is answered the connection can't establish.
If I quickly change my network to a router from my provider and connect there the Gigaset Go Box 100 it just works.
In the manual of the Gigaset it's described that I could change the SIP and RTP ports of the device and test it and furthermore if it's still not working to enable port forwarding to the Gigaset device.

Now I forwarded the ports 5060-5074 UDP for the SIP connection to my local Gigaset device and also the ports 5004-5020 for the RTP streams.

Now it seems to work. But I wonder why this works?

Normally the connection is initiated by the Gigaset device and I should not need to forward the ports. Also without the forwarding the Gigaset box is able to connect to my ISP and I can phone some (not all!) numbers.

I read that's not common to port forward all ports to the voip device. Especially I'm planning to use a second voip device and here I can't port forward the same standard ports to my provider (which seems just to accept the port 5060 for the SIP connection).

Is someone using voip from Deutsche Telekom AG (Magenta TV) in combination with an OpenWRT router?

Thanks in advance!

I am using a Gigaset C530 IP, but I never had to open any ports for both my SIP providers.
Chances are that your SIP provider requires some ports to be opened and with your provider's router the ports are opened automatically with upnp. Ask them just to be sure and if necessary install upnp on OpenWrt.

Just by searching for the solution I think what I'm missing on the router is the stun-client? The Gigaset Go Box 100 does support stun and also my provider.


The registration was working even without the port forwarding. So I think I can disable the forwarding of the ports for SIP. The issues I experienced are related to the RTP, because all issues are beginning when the call line should be established.

Stun should normally handle the UDP-NAT-forwarding between the voip phones and the provider. I think I'll give it a try!

My spa941 and the gigaset support the stun, so check if you need to activate/deactivate on your unit too.
From gigaset faq:

  • If either you can only hear your call partner or your call partner can only hear you, change the STUN-settings in the web configurator of the base (activate if disabled and vice versa). If a call is possible afterwards, configure the send connection for all registered handsets.
  • If no call is possible after that, you can check your VoIP-line by echo test via Gigaset.net. The echo-service is available at the following telephone number: 12345#9 . After an announcement the echo-service will send back(directly as an echo) the voice data received from you. Please contact your provider if the echo test is okay.
1 Like

I'm successfully using a Magenta VDSL connection with VoIP/ SIP using an OpenWrt router (nbg6817) and an AVM Fritz!Box 7430 in IPoE Client mode, used exclusively as SIP pbx/ ATA and DECT base station behind it (modem disabled, wlan disabled, no routing/ NAT etc. involved, it's merely a client of the OpenWrt router), locked into its own locked down VLAN/ subnet. I don't forwards any ports, but because of this and the NAT situation, the Fritz!Box needs to keep the SIP connection to the SIP servers open from the inside, by regularly pinging the ISP SIP servers and thereby keeping the conntrack table fresh ("Portweiterleitung des Internet-Routers für Telefonie aktiv halten", 30s intervals). This setup also allows multiple (independent) SIP devices to work in parallel (e.g. a fb7430 and a fb7362sl or throwing a native SIP phone into the mix).


So normally there is no port forwarding or installation of a siproxd or stun-client on the router needed? Than I have to tweak the settings on the VoIP client. I would love to close the port range again and still have a working telephone.

I don't need siproxd or stun-client, there's absolutely no special configuration on my OpenWrt router to make SIP work. The SIP client (in my case the Fritz!Box 7430) takes care of 'fooling' the firewall (conntrack table) by keeping the connection fresh (automated SIP pings in 30s intervals), to retain a 'tunnel' for the SIP server to reach it.


You will however see fun issues if you have multiple SIP clients behind NAT especially if your provider enforces UDP.

This can be resolved by setting each SIP client to use a unique set of ports - see here.

I know, it's still a bit dodgy however :frowning:

Works fine without needing uPnP or STUN in my experience across a number of different router environments (both OpenWrt and OEM). Probably works better with more recent SIP implementations though (i.e. those written with CG-NAT in mind - and I have tested this behind a CG-NATted ISP connection).


The following changes on the router (OpenWrt 18.06.1) made VoIP work for me:

  • install the kmod-nf-nathelper-extra package
  • increase the net.netfilter.nf_conntrack_expect_max sysctl parameter to 16
1 Like

Toady I'll reverted the port forwardings and disabled the STUN protocol in the VoIP device. Now it seems to work but I could only test it with one number at the moment. So definitely more testing is needed.