How to Disable SIP ALG on a Mikrotik
Posted by Chris Popescu on 05 April 2019 04:16 PM

SIP ALG Explained - Technical

Many of today's commercial routers implement SIP ALG (Application-level gateway), this feature is almost always enabled by default. Many of the brand such as Cisco, Netgear, D-Link, Mikrotik... While ALG could help in solving NAT related problems, many routers' ALG implementations are brand specific, simply wrong and break SIP.

There are various solutions for SIP clients behind NAT, some of them in client side (STUN, TURN, ICE), others in server side (Proxy RTP as RtpProxy, MediaProxy). ALG works typically in the client LAN router or gateway. In some scenarios, some client-side solutions are not valid, for example, STUN with symmetrical NAT router. If the SIP proxy doesn't provide a server side NAT solution, then an ALG solution could have a place.

An ALG understands the protocol used by the specific applications that it supports (in this case SIP) and does a protocol packet-inspection of traffic through it. A NAT router with a built-in SIP ALG can re-write information within the SIP messages (SIP headers and SDP body) making signaling and audio traffic between the client behind NAT and the SIP endpoint possible.


You can verify if your router is SIP ALG ENABLED by downloading and running our SIP ALG TESTER Program

SIP ALG Tester Download


SIP ALG Problems

Poor implementations at SIP protocol level of most commercial routers and the fact that this technology is just useful for outgoing calls, but not for incoming calls explained:

  • Lack of incoming calls: When a UA is switched on it sends a REGISTER to the proxy in order to be localizable and receive incoming calls. This REGISTER is modified by the ALG feature (if not the user wouldn't be reachable by the proxy since it indicated a private IP in REGISTER "Contact" header). Common routers just maintain the UDP "connection" open for a while (30-60 seconds) so after that time the port forwarding is ended and incoming packets are discarded by the router. Many SIP proxies maintain the UDP keepalive by sending OPTIONS or NOTIFY messages to the UA, but they just do it when the UA has been detected as NATed during the registration. A SIP ALG router rewrites the REGISTER request so the proxy doesn't detect the NAT and doesn't maintain the keepalive (so incoming calls will be not possible).
  • Breaking SIP signaling: Many of the actual common routers with inbuilt SIP ALG modify SIP headers and the SDP body incorrectly, breaking SIP and making communication just impossible. Some of them do a whole replacing by searching a private address in all SIP headers and body and replacing them with the router public mapped address (for example, replacing the private address if it appears in "Call-ID" header, which makes no sense at all). Many SIP ALG routers corrupt the SIP message when writing into it (i.e. missed semi-colon ";" in header parameters). Writing incorrect port values greater than 65536 is also common in many of these routers.
  • Disallows server side solutions: Even if you don't need a client-side NAT solution (your SIP proxy gives you a server NAT solution), if your router has SIP ALG enabled that breaks SIP signaling, it will make communication with your proxy impossible.


Mikrotik Disable SIP ALG Procedure:

Mikrotik SIP ALG is called a SIP Helper and is located under /IP>Firewall>Service ports

Terminal: To disable, run this command from the terminal:

/ip firewall service-port disable sip

Winbox GUI

Navigate to IP > Firewall and then click on the Service Ports tab and disable it through the GUI.