Grandstream Wave Securety


Hi Everyone,
I need some advice on a grandstream wave setup. My provider is making excuses and giving me stories about security when I ask to setup the wave app. I do suspect they want to sell me a expensive firewall, so they tell me that if I do not do it on a firewall someone could call and get a super expensive bill for me.
So I try to find out what other people do, obviously other people use the Wave app to gave some field people be able to get calls transferred.
I would really be happy to get some feedback of any of you that have experience with this setup.
I do have a dynamic IP so I use, I have the Model: UCM6204.
Do you guys see it as a huge risk to not have a firewall for this?
What is the best router that maybe lets me do this securely.

I tried to talk to them, to see if we can specify the MAC address of every phone. The app is installed on 4 phones and of course I know exactly what phones they are and what ID they have. So there should be a way to ensure only these 4 phones can connect.

Any tip or shared experience would be make my day. Thank you everyone for assisting me.


Using an app for road warriors is very convenient, so I understand your interest.

The most secure way is to have them connect via a VPN through the smartphone, but we all know that it is not always an option (some users don’t want to deal with that on their mobile phones) and might require new equipment for the VPN to work.

Anyway, there are secure ways to do it without a VPN:

  • Strong extension’s passwords: no explanation needed.
  • Secure the extensions not used remotely: for the extensions that are in a phone/device in the local network, use the “Strategy” setting set to “local subnet only” in the extension settings in the UCM. That will block that extension from being used outside of your network. Only the remote extensions should have “allow all”.
  • Permissions: you can limit the remote extensions to “national” calls only, if the outbound calls are configured accordingly.
  • Limit simultaneous registrations: Keep them at 1 per remote extension.
  • Enable “fail2ban”: and set it aggressively to ban for long periods of times (like for hours or a whole day).
  • Shutdown the app when not in used: That will reduce the amount of traffic to the UCM making it “less popular” in the internet. And save precious battery live.

Next level:

  • Change SIP port: you can change the SIP port on the UCM or in the port forward in the external firewall (in the UCM is preferred since it’s more stable.)
  • PINs: you can force the remote extension to use an outbound route that requires a PIN after dialing.
  • Dialing Prefixes: you can “make up” prefixes that you can force people to use. On the phones you can configure the “Dial plan” to add the prefixes automatically, but unsure if the Wave allows that so some testing/confirmation is required.
  • Call time limits: you can limit the call duration (it might be a pain but for a 1 hour call that gets disconnected from a cell, people might understand.)

All those settings should be use even if you upgrade your firewall.

Even though I’m sure these recommendations are somewhere in the forum. I saw a good opportunity to compile them in this new version/revision of the forum.

Hope that is helpful and please share your concerns and ideas.