Mike,

I think the reality in most residential environments is much simpler. Firewalls distinguish between outgoing and incoming traffic. Moreover, incoming traffic is distinguished between solicited and unsolicited (I am simplifying, but not by much). For example, if you are running a web server and expect unsolicited requests from the internet, you need to somehow forward web port (typically, 80 or 443) to your computer.

That means that you should never put a Windows computer in DMZ, unless you REALLY know what you are doing. You might put a router into DMZ (since it has its own powerful firewall), but that's a topic for another post.

Now, let's apply this general information to VoIP traffic. I assume that you have a modem, router, and VoIP adapter (ATA). Sometimes modem and router is combined into a single device; Voipo-provided Grandstream adapter has built-in router - but logically, it's three different devices.

Adapter registers with VSP's server; so if everything is OK, the firewall treats incoming SIP traffic as solicited. Therefore, no port forwarding is needed. Occasionally, I saw that this is not the case (perhaps, SIP registration is longer than firewall timeout), and then forwarding ports 5060 and 5061 to your adapter really helps.

RTP traffic always is (or should be) solicited due to negotiation process that Mike mentioned. So, if you need (or think that you need) forwarding RTP ports to your adapter - I suggest that you talk to a specialist about what is the root cause of your problem.

So to answer OP about DMZ vs. port forwarding, the first answer is neither. If you run into problems, start troubleshooting them, and maybe the solution will be to forward SIP ports. However, don't start from it.

As far as UPnP goes... I think it's evil Again, this is over 10 years old, and if you really know why you need it, you may have a good reason for it (although, I haven't heard about good reason yet). Having VoIP service is certainly not a good reason.