diff --git a/apps/telephony/telephony.yaml b/apps/telephony/telephony.yaml
index 985be22..d084cc2 100644
--- a/apps/telephony/telephony.yaml
+++ b/apps/telephony/telephony.yaml
@@ -202,7 +202,7 @@ spec:
 tls:
 secretName: cf-origin-flowercore-io
 ---
-# NetworkPolicy: deny-all baseline + Traefik ingress + DNS egress + edge1 TTS egress
+# NetworkPolicy: deny-all baseline + Traefik ingress + SIP/RTP ingress + DNS egress + TTS egress
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -219,6 +219,18 @@ spec:
 - namespaceSelector:
 matchLabels:
 kubernetes.io/metadata.name: traefik-system
+ # Allow SIP/RTP from external sources (Yealink phones, Twilio SIP trunk)
+ - from:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ ports:
+ - port: 5060
+ protocol: UDP
+ - port: 5060
+ protocol: TCP
+ - port: 10000
+ endPort: 20000
+ protocol: UDP
 egress:
 # Allow DNS resolution (CoreDNS in kube-system)
 - to:
@@ -248,6 +260,18 @@ spec:
 ports:
 - port: 443
 protocol: TCP
+ # Allow SIP/RTP responses (Asterisk → phones and Twilio)
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ ports:
+ - port: 5060
+ protocol: UDP
+ - port: 5060
+ protocol: TCP
+ - port: 10000
+ endPort: 20000
+ protocol: UDP
 # Allow 1Password Connect for secret sync
 - to:
 - namespaceSelector:
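Review bot: The new ingress rule admits SIP and RTP from `cidr: 0.0.0.0/0`, although its own comment names only two peer groups (Yealink phones and the Twilio SIP trunk), so any host that can route to the pod may reach port 5060 and the UDP 10000-20000 range. An exposed SIP listener is a routine target for registration guessing and toll fraud, so I would replace the single block with one `- ipBlock:` entry per known peer range, e.g. `cidr: <TWILIO_SIGNALING_CIDR>` and `cidr: <PHONE_SITE_CIDR>` (placeholders; the real ranges are not on this page). If the phones roam and the rule has to stay open, record that in the comment together with the control that actually enforces access, e.g. `# open by design: <reason>; access enforced by <control>`. The same `0.0.0.0/0` appears in the egress rule added in the third hunk. The policy's podSelector and the Service exposing these ports are outside the hunk, so whether the original client address reaches the pod (which any ipBlock narrowing depends on) could not be checked here.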
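Review bot: The comment on the added egress rule calls it "SIP/RTP responses", but the rule matches on destination port, and the media port a phone or Twilio listens on is chosen by the remote side, so RTP addressed to a peer port outside 10000-20000 would be dropped by this policy. Replies on flows already admitted by the ingress rule are normally allowed by connection tracking without an egress entry, so what this rule really governs is Asterisk-initiated traffic. I would reword the comment to say that, e.g. `# Allow Asterisk-initiated SIP and RTP to phones and Twilio (dest ports 5060, 10000-20000)`, and confirm the peers' media port ranges against that span. Depending on the CNI, `0.0.0.0/0` may also match in-cluster and private addresses, so an `except:` list under the `ipBlock` for the cluster's pod and service ranges (e.g. `- <POD_CIDR>`, placeholder) would keep the deny-all baseline intact for internal destinations.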