You'll probably need IGMP proxying enabled if you use a multicast streaming television service with a YouView, BT or SkyQ box setup or something similar. If you don't have a viewing box like these, disable it and see if anything breaks. Services to devices like an Apple TV / Roku / Amazon Firestick don't need it enabled.

It's good that switching off SIP ALG helped. One site I manage had a Netgear D7000 and I disabled SIP ALG without any adverse effects. The four Snom VoIP phones there work fine.

I don't like the Netgear routers because they lack the ability to do basic firewalling such as blocking or allowing specific IP addresses and ranges. Drayteks can do this but I usually use a dedicated firewall between the router and the LAN.

In reply to a post by jaba:

I have started to get daily entries like this in my router's log relating to my Cisco SP122 ATA:

[LAN access from remote] from 51.75.147.31:5168 to 192.168.0.222:5061 Sunday, Dec 13,2020 00:53:14
[LAN access from remote] from 103.145.13.18:5311 to 192.168.0.222:5061 Saturday, Dec 12,2020 17:53:36
[LAN access from remote] from 103.145.13.63:5236 to 192.168.0.221:5061 Thursday, Dec 10,2020 23:34:04

I am a bit puzzled by this as the dect base station plugged in to the ATA is not powered on so the log is not referring to calls initiated here and if I call my voip number there is no log entry so what are these entries? The ip addresses do look suspicious as they don't seem to relate to my sipgate account.
As a diagnostic step I have changed the ip address of the ATA and its password too but this has not made a difference as I still get 2 or 3 entries per day.
How safe from hacking are these ATAs? Can access to my LAN be made through them in any way? I am surprised that my Router firewall is allowing this through.

Does anyone have any insights please.

What ISP/Router combo do you have?

These guys are certainly persistent now they have discovered me even though I have changed my IP address twice they are just as frequent.And its only been plugged permanently since Saturday.

It isn't personal and not just you, these are automated bots and probing ports happens to all of us hundreds or thousands of times a day, there are legitimate probes by security companies and our ISPs checking for open ports and potential exploits happening, and those from people wanting to use the exploits. Usually these probes are dropped by a "Deny All" firewall rule that is never by default set to write a log of that attempt as the router would spend most of its CPU power managing the log.

This isn't a new probing of your IP address, just one that has happened to be drawn to your attention. It could go on indefinitely, or likely will stop after a while to be replaced by a different IP probing the port.

In reply to a post by danielhyde:

What ISP/Router combo do you have?

I am with BT as ISP since May this year, not using the Smart Hub but a Netgear DGND3700.
Since moving to BT from Uno I have noticed an increase, during the course of a week of roughly double the number of DOS attacks logged.
This maybe concidence or an indication of BT's range of IPs being an attractive target as the largest ISP.
I have switched the Cisco ATA off now as I do not need to use it for a while and I hope to have a daily log with a couple of entries instead of over 20.

Thank you for the warning.

In reply to a post by jaba:

In reply to a post by danielhyde:

What ISP/Router combo do you have?

I am with BT as ISP since May this year, not using the Smart Hub but a Netgear DGND3700.
Since moving to BT from Uno I have noticed an increase, during the course of a week of roughly double the number of DOS attacks logged.
This maybe concidence or an indication of BT's range of IPs being an attractive target as the largest ISP.
I have switched the Cisco ATA off now as I do not need to use it for a while and I hope to have a daily log with a couple of entries instead of over 20.

We've noticed before on ISP supplied routers that when a SIP ATA or Phone opens its connection to the SIP server it allows inbound connections from any IP.
We also found that Cisco devices drop these connection attempts automatically, but other brand devices get phantom calls.
When we replaced the routers with DrayTek routers there was no connection attempts made at all.