Disable/Enable SIP ALG

Does the Shadow Router/Firewall have this ability? Cannot seem to find an option for it.

You need to check if sip kernel module is there.

The two kernel modules “nf_conntrack_sip” and “nf_nat_sip” are for SIP ALG.

If the 2 modules are there then SIP ALG is enabled.

Any idea on how to disable them on the Kernel? Thanks.

You can find in /etc/rc.module and remove them from loading in kernel

one of my Mini-Routers is the GL-AR300M-16 and is dedicated to manage my Home LAN.
Using an ethernet switch I have connected an ATA Linksys PAP2T-NA for VoIP management.
Reading this page I was able to verify that SIP ALG is enabled in my Mini-Router.
After many days of testing I have ascertained that the VoIP problems are due to SIP ALG.
I was able to disable SIP ALG (only) temporarily and as long as it is disabled my VoIP works perfectly,
but once the router is rebooted or surprisingly even after a few hours of operation even without rebooting the two modules “nf_conntrack_sip” and “nf_nat_sip” are still there enabling again SIP ALG with the consequence that my VoIP stops working again.
I have tried with the command:

modprobe -r nf_conntrack_sip

…but OpenWRT doesn’t seem to accept the -r option

So I have tried with rmmod…

modinfo nf_conntrack_sip

modinfo nf_nat_sip

rmmod /lib/modules/4.14.241/nf_conntrack_sip.ko

unloading the module failed

rmmod /lib/modules/4.14.241/nf_nat_sip.ko

so I was able to remove temporarily only the second one.

I was not able to find any /etc/rc.module or /etc/rc.modules

Maybe would be possible to comment with “nano” the module name in a file like above to remove from loading in kernel?
but where is the file?

I’m not familiar at all with system administration so I would really appreciate if you could write me down step by step the command lines to definitely remove this two modules from loading in kernel.
Thank you in advance.

If your VoIP provider supports SIP-TLS, then you can try switching to SIP-TLS to use a different port instead of 5060 that may bypass SIP ALG.

Your VoIP provider may support alternative SIP port(s), such as 42872 that my VoIP provider offers.

I do not work for and I do not have formal association with GL.iNet

Hi @wcs2228,
Your advice is interesting, but unfortunately my provider does not
support SIP-TLS or alternative SIP port(s).

I learned from reading on the internet that SIP ALG in theory allow
VoIP working opening automatically any router’s ports for RTP.
The strange thing is that with the second module “nf_nat_sip” temporarily disabled like explained
VoIP works perfect without any port-forward rules on my Gl-iNet GL-AR300M-16.
Maybe SIP ALG was temporarily but also partially disabled because I have not port(s) forward rules on the firewall so seems still be able to open RTP port(s) automatically.
I have also disabled STUN server (that I had enabled before because I have a Dynamic IP) from the ATA PAP2T-NA,
because I read that STUN and SIP ALG can be in conflict, but this latest change in VoIP configuration seems to be irrelevant:
VoIP works perfectly (with or without STUN Server) only when the second module “nf_nat_sip” is disabled.
The only difference is that without STUN Server the system status of the ATA don’t show my External IP (dynamic IP).
So the problem still the same:
how to completely and definitely disable SIP ALG, or how to completely and definitely disable the second module “nf_nat_sip”.
The vast majority of website speaking about VoIP recommend to disable SIP-ALG altogether.
For the reasons above I suppose that if would be possible to only completely and definitely disable the second module “nf_nat_sip”
would be not necessary to create port-forward rules, while in the case of completely and definitely disable SIP ALG on the contrary
will be strictly necessary to create specific port-forward rules (like mentioned on the ATA PAP2T-NA user manual)
specifying that ports 5060-5061 (UDP), 53-53 (UDP), 69-69 (UDP), and 10000-20000 (UDP) are forwarded to the IP address of the Phone Adapter.
I’m wrong?
Any advice will be appreciated.
Thank you wcs2228.
Hoping in @alzhao for a step-by-step guide to definitely disable only the second module “nf_nat_sip” (if possible) or the SIP-ALG altogether.
Thank you so much in advance.

I had to disable SIP ALG on both my ISP router and on my Asus router (I have double NAT that works fine), in order for VoIP to work on UDP 5060. Previously, I had to bridge the ISP router before it got a firmware update that has a setting to disable SIP ALG. GL-iNet should really provide a setting to disable SIP ALG on their routers.

I have a Grandstream HT802, which replaced a Cisco SPA112 that used to freeze sometimes. With either over ~10 years, I never had to set up port forwarding, nor STUN, and it registers with my VoIP provider voip.ms every 30 seconds with reliable service.

Know that will be not necessary to set up port forwarding gives me relief, since port forwarding is known to compromise security.
I agree with you, in fact a simple button or flag in the GUI to enable or disable SIP ALG would really improve the customer’s experience and would increase the GL-iNet Mini Smart Routers compatibility with VoIP systems worldwide.
Meanwhile hoping in @alzhao for a step-by-step guide to definitely disable SIP ALG on my

Can you edit /etc/modules.d/nf-nathelper-extra and remove the two sip modules?

Then reboot the router.

Can also try to remove this package from the UI kmod-nf-nathelper-extra


Thank you so much @alzhao
I successfully used your first method on my GL-MT300A.
On my GL-MT300A I had to use your second method because I could not install the “nano” text editor in order to edit the file.
I’m glad to publish the screenshots related to the first method hoping could be helpful for people that are not familiar with terminal command lines.
First install “nano” from the GL-iNet interface.
Connect to the router via SSH with:
ssh root@
Insert your password when asked.

Looking for the file to edit:

edit the file “nf-nathelper-extra” with the “nano” text editor:
nano nf-nathelper-extra

the original content of the file “nf-nathelper-extra”

the file “nf-nathelper-extra” edited with the commented lines that prevent the kernel from loading the two modules.

“Ctrl+o” to save
“Ctrl+x” to exit
and then

You can use vi. It is preinstalled and not difficult to do simple editing.

Also you can use WinSCP if you use Windows. It is just very easy to use.
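
The edit described in the posts above (commenting out the two SIP lines in /etc/modules.d/nf-nathelper-extra, then checking that the modules are gone) can also be done without an interactive editor. This is an added example, not code from any poster or from GL.iNet; the function names and the /root backup location are assumptions.

```shell
# Added example, not from the thread. Function names and the /root backup
# location are assumptions; the default paths are the ones named in the posts.

# Comment out the two SIP helper lines in a modules.d file.
# $1 = modules file, $2 = directory for the backup copy.
# Returns 0 if the file was changed, 1 if no active SIP line was found, 2 on error.
disable_sip_alg() {
    f="${1:-/etc/modules.d/nf-nathelper-extra}"
    bakdir="${2:-/root}"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    tmp="${TMPDIR:-/tmp}/sipalg.$$"
    rc=0
    # Match on the first word only, so already-commented lines and other
    # helpers in the same file are left alone.
    awk '$1 == "nf_conntrack_sip" || $1 == "nf_nat_sip" { print "#" $0; n++; next }
         { print }
         END { exit (n ? 0 : 1) }' "$f" > "$tmp" || rc=$?
    if [ "$rc" -ne 0 ]; then rm -f "$tmp"; return "$rc"; fi
    # Keep the backup outside modules.d so it is never read as a module list.
    cp "$f" "$bakdir/$(basename "$f").orig" || { rm -f "$tmp"; return 2; }
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

# Print any SIP helper currently loaded; returns 0 if at least one is loaded.
# $1 = module list to read (defaults to the running kernel's /proc/modules).
sip_alg_loaded() {
    awk '$1 == "nf_conntrack_sip" || $1 == "nf_nat_sip" { print $1; n++ }
         END { exit (n ? 0 : 1) }' "${1:-/proc/modules}"
}

# On the router:  disable_sip_alg && reboot
# After reboot:   sip_alg_loaded || echo "SIP ALG modules not loaded"
```

Running `disable_sip_alg` a second time returns 1 and leaves the file untouched, so it is safe to re-run after a firmware upgrade to see whether the lines have come back.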

Wonderful :ok_hand: I had issue to make my VOIP phone (grandstream) working over my GLi router, I followed the procedure described here by mri , and used vi (because nano was not installed) and after reboot of the router my VOIP phone worked !! Thanks !
Editing with vi can be a bit tricky for people used to more advanced editor, I found this link very useful : https://www.cyberciti.biz/faq/linux-unix-vim-save-and-quit-command/

Trapped into the same. A self-hosted installation of 3CX (not the SBC, the other variant) includes a Firewall checker with a SIP-ALG detector. Not on the first run but on the second, the headers VIA and FROM are changed from the public IP of the Internet access to the private IP of the host machine. Not in the request SIP message sent, only in the response from the remote server. In case of VIA, both the parameter received and the host part. Not sure what’s the benefit of that. Is that a software bug in that module?

That worked as well, thanks!
Web interface → Applications → Plug-ins: kmod-nf-nathelper-extra → Uninstall → Reboot

I am trying to do this for a MT300N but I cannot edit or change folders but keep getting “permission denied”?

root@GL-MT300N-V2:~# ls
root@GL-MT300N-V2:~# /
-ash: /: Permission denied

The 1st command “ls” worked, but you are in a directory with no files, so no output.
The 2nd command “/” does not work because it is trying to execute the root directory, which is not valid.

Try starting with commands:

cd /etc/modules.d
ls -l nf-nathelper-extra

Do you know how to edit files in SSH? It may be easier to use WinSCP if you have a Windows PC.
