qamtester
just joined
Topic Author
Posts: 20
Joined: Sun Aug 25, 2019 1:30 am

Encrypted SIP on the router

Sun Apr 28, 2024 8:14 am

Been working on setting up an office desk phone for testing and I'm having issues with using SIP encryption when using a cloud SIP server. My phone will register and make calls correctly on my network using unencrypted SIP on port 5060 with UDP and RTP range 10001-20000 with UDP. A softphone client does indeed work correctly when configured with TLS on port 5061 and RTP range 10001-20000. At this point I think I'm hitting a limitation with the desk phone when using encryption.

How can I set my Mikrotik to capture the unencrypted data on port 5060 UDP and the outbound media connections and encrypt the data correctly? I'd like to use the encrypted traffic on my WAN port. On the desk phone do I need to set it to use a SIP proxy setting or can I use the native connection configuration to set up the connection? I see that the firewall settings have a page for service ports which includes SIP, but I've never used this. I appreciate the guidance.
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Encrypted SIP on the router

Sun Apr 28, 2024 10:54 am

The settings you see in IP -> Firewall -> Service Ports are the Application Layer Gateways ("ALG"), which transparently transform the traffic going through the Mikrotik. In the case of SIP, that is to rewrite the fields Via and Contact, to mention only two. Your router doesn't act as a SIP Proxy.

If your SIP devices support NAT, and it is often an option to set, disable the SIP ALG with the following command. That is often a better option than using the ALG.
/ip/firewall/service-port/set [find name=sip] disabled=yes
If your devices don't have the option to do SIP NAT, then use the ALG but try disabling the SIP Direct Media.
/ip/firewall/service-port/set [find name=sip] sip-direct-media=no 
There was a MUM on SIP ALG: have a read and let me know if you have other questions: https://mum.mikrotik.com/presentations/ ... 084451.pdf
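
Added example, not part of the original posts and not RouterOS code: a simplified Python model of the Via/Contact rewriting described in the reply above, run on a constructed REGISTER and on a constructed TLS record to show that an encrypted message (as on port 5061) gives an ALG nothing to rewrite. The function name, addresses and sample messages are assumptions made for illustration.

```python
import re

# Constructed sample: plaintext REGISTER from a phone behind NAT.
SAMPLE_REGISTER = (
    "REGISTER sip:pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.88.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:100@pbx.example.com>;tag=1928301774\r\n"
    "To: <sip:100@pbx.example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.168.88.10\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:100@192.168.88.10:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
).encode()

# Constructed sample: start of a TLS record (handshake, TLS 1.2 framing).
TLS_RECORD = bytes([0x16, 0x03, 0x03, 0x00, 0x2A]) + b"\x01" * 42

# A plaintext SIP message starts with a request line or a status line.
SIP_START = re.compile(rb"^(?:[A-Z]+ \S+ SIP/2\.0|SIP/2\.0 \d{3} )")

def alg_rewrite(payload, lan, wan):
    """Hypothetical, simplified ALG: replace the LAN host:port with the
    WAN mapping in Via and Contact only. Returns (payload, changed)."""
    if not SIP_START.match(payload):
        # Not parseable as SIP (e.g. TLS on 5061): pass through untouched.
        return payload, []
    head, sep, body = payload.partition(b"\r\n\r\n")
    lan_b = f"{lan[0]}:{lan[1]}".encode()
    wan_b = f"{wan[0]}:{wan[1]}".encode()
    changed, out = [], []
    for line in head.split(b"\r\n"):
        name = line.split(b":", 1)[0].strip().lower()
        # "v" and "m" are the compact forms of Via and Contact.
        if name in (b"via", b"v", b"contact", b"m") and lan_b in line:
            line = line.replace(lan_b, wan_b)
            changed.append(name.decode())
        out.append(line)
    return b"\r\n".join(out) + sep + body, changed

if __name__ == "__main__":
    lan, wan = ("192.168.88.10", 5060), ("203.0.113.7", 1024)
    for label, pkt in (("udp/5060", SAMPLE_REGISTER), ("tls/5061", TLS_RECORD)):
        new, changed = alg_rewrite(pkt, lan, wan)
        print(label, "rewritten headers:", changed or "none")
```

Headers outside the two named in the reply (here Call-ID) keep the private address in this model, which is why a device's own NAT handling and an ALG can produce different results on the wire.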
 
qamtester
just joined
Topic Author
Posts: 20
Joined: Sun Aug 25, 2019 1:30 am

Re: Encrypted SIP on the router

Tue Apr 30, 2024 3:48 am

Very cool vingjfg and many thanks! I figured after having a long think about it that it makes sense that my router cannot function as a SIP gateway. Thanks though!
