I’m sitting here trying to configure an Asterisk PBX. What can I expect if I activate SIP in IP/Firewall–> Service Ports? Do I still need to forward ports to the internal PBX?
The service port is just an inspection helper that looks inside the SIP control channel to learn about what dynamic RTP data channels are being negotiated so that it can classify them as ‘related’, it (probably, I don’t use any SIP behind RouterOS, but Linux can do this) also can rewrite the IP information inside the SIP packets regarding the data channels.
Google ‘nf_conntrack_sip’ and ‘nf_nat_sip’ as the Linux/netfilter modules that are used for it. Turning on the SIP helper essentially is just making the router run ‘modprobe nf_conntrack_sip; modprobe nf_nat_sip;’.
You still need to destination NAT the SIP traffic itself, though. It can’t magically do this for you - for example, how would it know what destination address to forward to?