Configuration of the SIP proxy in the CLI of the UTM
New article: 09.2025
This article refers to a Beta version
Introduction
A SIP proxy prepares all SIP calls in the network of an IP telephone system. The SIP proxy of the UTM can be configured in the CLI using extc variables.
The SIP proxy is not compatible with providers that use SRV DNS queries! (e.g. Deutsche Telekom)
The service must be restarted after configuration!
Restarting the service:
- / Line VoIP Proxy Button
- CLI: appmgmt restart application voip_proxy
Default Settings
The settings for the SIP proxy are visible on the CLI via the following commands.
extc value get application "voip_proxy"
If no settings have been made yet, the CLI looks as follows:
application|variable                |value
-----------+------------------------+-----
voip_proxy |DBG_ACCESS              |0
           |DBG_AUTH                |0
           |DBG_BABBLE              |0
           |DBG_CONFIG              |0
           |DBG_DNS                 |0
           |DBG_NET                 |0
           |DBG_NETTRAF             |0
           |DBG_NOSPEC              |0
           |DBG_PROXY               |0
           |DBG_REG                 |0
           |DBG_RTP                 |0
           |DBG_SIP                 |0
           |INBOUND_INTERFACE       |LAN2
           |OUTBOUND_INTERFACE      |LAN1
           |PROVIDER_DOMAIN         |foo
           |PROVIDER_PROXY          |sip.foo
           |PROVIDER_PROXY_PORT     |5060
           |RTP_PORT_RANGE_HIGH     |7089
           |RTP_PORT_RANGE_LOW      |7070
           |SILENCE_LOG_LVLS        |1
           |SIP_PORT                |5060
           |TIMEOUT                 |600
These variables can be edited using the CLI command extc value set application "voip_proxy" variable "VARIABLE_NAME".
Variable description
| Variable | Value | Description |
|---|---|---|
| DBG_ | 0 | Variables beginning with "DBG_" switch the corresponding debug messages on and off |
| INBOUND_INTERFACE | bond0 | Incoming interface |
| OUTBOUND_INTERFACE | wan0 | Outgoing interface for communication |
| PROVIDER_DOMAIN | tel.t-online.de | Registrar |
| PROVIDER_PROXY | tel.t-online.de | Registrar proxy (optional) |
| PROVIDER_PROXY_PORT | 5060 | Destination port for SIP packets of the registrar |
| RTP_PORT_RANGE_HIGH | 11001 | Highest incoming port on the firewall for the RTP packets (always odd) |
| RTP_PORT_RANGE_LOW | 10000 | Lowest incoming port on the firewall for the RTP packets (always even) |
| SILENCE_LOG_LVLS | 0 | Mutes the log level |
| SIP_PORT | 5060 | Inbound port for internal SIP clients |
| TIMEOUT | 600 | SIP session timeout |
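The rules in the table above (RTP_PORT_RANGE_LOW even, RTP_PORT_RANGE_HIGH odd, DBG_ switches on or off) can be checked against saved output of the extc value get command before the service is restarted. The following Python script is an added example, not part of the original article or of the UTM software; the function names and the sample output are constructed for illustration.

```python
# Added example (not vendor code): audit saved output of
#   extc value get application "voip_proxy"
SAMPLE = """\
application|variable            |value
-----------+--------------------+-----
voip_proxy |DBG_ACCESS          |0
           |DBG_SIP             |1
           |PROVIDER_DOMAIN     |foo
           |RTP_PORT_RANGE_HIGH |7089
           |RTP_PORT_RANGE_LOW  |7071
           |SIP_PORT            |5060
"""  # constructed sample, shortened; not captured from a real UTM

def parse_extc(text):
    """Return {variable: value} from the pipe-delimited CLI table."""
    values = {}
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|", 2)]
        # Header, separator (no pipes) and blank lines are not data rows.
        if len(cols) != 3 or cols[1] in ("", "variable"):
            continue
        values[cols[1]] = cols[2]
    return values

def audit(values):
    """Check the settings against the rules stated in the variable table."""
    findings = [f"{n} is on (debug messages enabled)"
                for n in sorted(values)
                if n.startswith("DBG_") and values[n] != "0"]
    try:
        low = int(values["RTP_PORT_RANGE_LOW"])
        high = int(values["RTP_PORT_RANGE_HIGH"])
    except (KeyError, ValueError):
        findings.append("RTP port range is missing or not numeric")
    else:
        if low % 2:
            findings.append(f"RTP_PORT_RANGE_LOW {low} must be even")
        if high % 2 == 0:
            findings.append(f"RTP_PORT_RANGE_HIGH {high} must be odd")
        if not 0 < low < high <= 65535:
            findings.append(f"RTP range {low}-{high} is not a valid ascending range")
    # "foo" is the value shown before any settings have been made.
    if values.get("PROVIDER_DOMAIN") == "foo":
        findings.append("PROVIDER_DOMAIN still has the default value foo")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_extc(SAMPLE))) or "no findings")
```
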
Additional useful commands
| Command | Description | Example |
|---|---|---|
| tcpdump (only as root user via SSH) | Examine the outgoing interface of the firewall. Recommended if RTP packets arrive from only one direction or do not arrive at all. | tcpdump -i interface -s0 -A -nn port 5060 |
| conntrack -L \| grep 5060 (only as root user via SSH) | Output of the timeout values for verification | conntrack -L \| grep 5060 |
| system sysctl new name net.netfilter.nf_conntrack_udp_timeout (CLI command; as root user, first run spcli) | Adjust UDP session timeout | system sysctl new name net.netfilter.nf_conntrack_udp_timeout value 300<br>system update system<br>system config save |
| system sysctl new name net.netfilter.nf_conntrack_udp_timeout_stream (CLI command; as root user, first run spcli) | Adjust UDP session timeout stream. If the UDP connection is recognized as a stream, this command must be used instead of the one above. | system sysctl new name net.netfilter.nf_conntrack_udp_timeout_stream value 300<br>system update system<br>system config save |
| system sysctl new name net.netfilter.nf_conntrack_tcp_timeout (CLI command; as root user, first run spcli) | Adjust TCP session timeout. The default value is 440000 seconds (5 days), which is why adjusting it usually does not make sense. | system sysctl new name net.netfilter.nf_conntrack_tcp_timeout value 300<br>system update system<br>system config save |


