In my case I'm behind a commercial-grade firewall and NAT with multiple devices going out to multiple SIP servers at one location, and behind the same type of firewall and router equipment, but without a proxy, at a second location.

At location one, SIP comes from 3 different sources in my case (3 ATAs), all Voipo but all different. RTP streams come from yet different sources. I have a SIP proxy on my router, so it makes it a little easier. But on the firewall I've had to allow not only each of the SIP servers a pinhole but the RTP servers as well, pointed at the proxy. Since the RTP streams come from different servers than SIP, firewall devices should see them as unsolicited and therefore block them. If it didn't happen I'd not have any faith in the firewall.

At location 2 I have only one ATA. In this case I simply have made a firewall rule allowing both the SIP server (sip-central01.voipwelcome.com) to my device, as well as the RTP servers that tend to talk to my ATA during calls. I have absolutely no issues with this setup.

I see attempts to connect to port 5060 on my firewall logs 100+ times a day from many other sources (mainly China) and they are always blocked.

Since the SIP header contains the ATA's private address on the LAN on a NATted network, I'm a little apprehensive about the need for port forwarding. Unfortunately, since most SOHO routers do not include any method to create firewall rules aside from tying them into the "port forward setting", you're stuck.

In my case (location 2), if I build a firewall rule for the Grandstream device, I stipulate the SIP server as UDP (sipcentral.voipwelcome.com:5060 to 172.31.125.50:5060-5061 (ATA)) and RTP as UDP (RTP server address:* to 172.31.125.50:5004-5059).

If you want more control than a SOHO router will ever give you, look into some of the other options out there.

pfSense
m0n0wall
Untangle
DD-WRT
SonicWall

Just to name a few.
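
The difference between the source-restricted rules described for location 2 and a plain SOHO port forward, as an added example that is not part of the original post: a small first-match, default-deny evaluator run over constructed packets. The server addresses are placeholders from the documentation ranges (the post gives only a hostname and no RTP addresses); the ATA address and port ranges are the post's.

```python
import ipaddress
from dataclasses import dataclass

ATA = "172.31.125.50"  # ATA LAN address from the post; every rule below targets it

@dataclass(frozen=True)
class Rule:
    src: str       # allowed source network in CIDR form; 0.0.0.0/0 means any
    ports: range   # destination UDP ports on the ATA
    label: str

# Constructed placeholder addresses, not the provider's real servers.
SIP_SERVER = "203.0.113.10/32"
RTP_SERVERS = "198.51.100.0/24"

# Source-restricted pinholes: SIP to 5060-5061, RTP to 5004-5059.
RESTRICTED = [
    Rule(SIP_SERVER, range(5060, 5062), "sip"),
    Rule(RTP_SERVERS, range(5004, 5060), "rtp"),
]
# What a bare port forward amounts to: same ports, any source.
PORT_FORWARD = [
    Rule("0.0.0.0/0", range(5060, 5062), "sip"),
    Rule("0.0.0.0/0", range(5004, 5060), "rtp"),
]

def evaluate(rules, src_ip, dst_port):
    """Return the label of the first matching rule, or "drop" (default deny)."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if src in ipaddress.ip_network(rule.src) and dst_port in rule.ports:
            return rule.label
    return "drop"

def exposure(rules, packets):
    """Return the packets a rule set lets through to the ATA."""
    return [(s, p) for s, p in packets if evaluate(rules, s, p) != "drop"]

# Constructed inbound UDP packets: (source IP, destination port)
PACKETS = [
    ("203.0.113.10", 5060),  # SIP from the provider's SIP server
    ("198.51.100.7", 5004),  # RTP from a media server, not the SIP server
    ("203.0.113.10", 5004),  # RTP port, but from the SIP server: no rule covers it
    ("192.0.2.99", 5060),    # unsolicited attempt on port 5060
]

if __name__ == "__main__":
    for name, rules in (("restricted", RESTRICTED), ("port forward", PORT_FORWARD)):
        print(name, exposure(rules, PACKETS))
```

With the restricted rules only the first two packets reach the ATA; with the port-forward rules all four do, including the unsolicited attempt on 5060.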