tabate47
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Opening Ports

Sat Jun 10, 2017 9:18 am

I try never to open ports, but we need to configure an app called GS Wave by Grandstream. It requires several ports to be opened. Is there a safe way to do this using firewall rules? Is it possible to only open the ports for certain devices (iPhones)? We would need to set up 3 or 4 iPhones with the Grandstream app.

Thanks for any help.
 
Delte
just joined
Posts: 23
Joined: Tue Oct 25, 2016 3:18 pm

Re: Opening Ports

Sat Jun 10, 2017 2:31 pm

Well, no one can assure you of a safe way of opening ports. It all depends on security and your protection against it, considering your application. However, once those ports are opened, requiring some kind of authentication would be the safest way.

You can always allow certain devices to connect to those open ports by creating firewall rules, but those devices or iPhones must have a fixed public IP.
 
vasilaos
Member Candidate
Posts: 120
Joined: Tue Aug 04, 2009 9:50 am

Re: Opening Ports

Sat Jun 10, 2017 3:10 pm

What you can do is forward ports from the public IP to the local IP with dst-nat.
 
BartoszP
Forum Guru
Posts: 3030
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Opening Ports

Sat Jun 10, 2017 6:30 pm

..Is it possible to only open the ports for certain devices (iPhones)?
Yes,

A. Assign static IP addresses to the iPhones with the static function of the DHCP server.
B. Make an address list of these IP addresses.
C. Make rules which open ports with this address list as target addresses.
 
tabate47
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Opening Ports

Sat Jun 10, 2017 6:55 pm

Bart, the iPhones will be outside the home network, so I don't think I will be able to assign them static IP addresses, unless I can do it via MAC address?
 
BartoszP
Forum Guru
Posts: 3030
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Opening Ports

Sat Jun 10, 2017 7:11 pm

If they are outside the LAN then there is no sense in opening ports.
Firewall DST/SRC rules are valid only for devices behind the firewall.
 
tabate47
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Opening Ports

Sat Jun 10, 2017 7:30 pm

Bart, the iPhones will connect to the server in the home. The server is a door station, so when someone presses the doorbell, it sends audio/video to the iPhone. I need to open the ports to make it work. I'm trying to accomplish this in the safest way possible.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Opening Ports

Mon Jun 12, 2017 1:44 am

If you have some documentation of what exactly needs to be done, it might be a good idea to share the relevant parts, because currently we don't know any details.

But if it's some server in the LAN and you want your iPhones to connect to it from the internet, you'll probably need to forward the required ports unconditionally for everyone. Because if the iPhones can have any random address, depending on where they are connected, you can't easily distinguish their connections from others.

Another approach would be using a VPN to connect to the router and through it to the server; that would be secure. But I have no idea if it's something that iPhones can do.
 
Delte
just joined
Posts: 23
Joined: Tue Oct 25, 2016 3:18 pm

Re: Opening Ports

Mon Jun 12, 2017 8:31 am

As far as I know, your GS Wave by Grandstream must have some username & password to log in once you are connected to the SIP port, right?

Please correct me if I am wrong.
 
tabate47
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Opening Ports

Mon Jun 12, 2017 8:49 am

That is correct
 
Delte
just joined
Posts: 23
Joined: Tue Oct 25, 2016 3:18 pm

Re: Opening Ports

Mon Jun 12, 2017 10:09 am

A short & sweet way is to create strong passwords for all SIP account logins & open whatever ports you require.

For port forwarding you can refer to the link below.
viewtopic.php?t=42331

Also, for better security practice, you can add port scanner blocking & brute force attack blocking rules for the open ports in the MikroTik firewall.

I hope this would be the safest solution for you right now. Please let us know if you face any issue with it.
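
The approach suggested in the posts above (a dst-nat forward combined with port-scan and brute-force blocking), as an added example that is not part of the original thread. The WAN interface `ether1`, the door station address `192.168.88.10`, UDP port 5060 for SIP, the address-list names and all thresholds are assumptions; the ports the app actually needs must come from its documentation.

```routeros
# Added example. ether1 (WAN), 192.168.88.10 (door station), UDP 5060 (SIP),
# the list names and every threshold are assumptions, not values from the thread.
# Rule order matters: place these above any broader accept rules in each chain.

/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=udp dst-port=5060 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=5060 \
    comment="forward SIP to door station"

/ip firewall filter
# Port-scan detection against the router's own WAN address (psd is TCP only).
add chain=input in-interface=ether1 protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w comment="flag port scanners"
add chain=input in-interface=ether1 src-address-list=port_scanners \
    action=drop comment="drop port scanners (router)"

# Flagged sources never reach the forwarded service.
add chain=forward in-interface=ether1 src-address-list=port_scanners \
    action=drop comment="drop port scanners (forwarded)"
add chain=forward in-interface=ether1 src-address-list=sip_blocked \
    action=drop comment="drop SIP brute-force sources"

# Staged counting of NEW connections per source. Checked from the highest
# stage down, so one packet advances a source by one stage only. A third new
# connection while the earlier stages are still live blocks the source for a
# day. Tune the timeouts: a phone behind NAT that retries from fresh source
# ports also creates new connections.
add chain=forward in-interface=ether1 protocol=udp dst-port=5060 \
    connection-state=new src-address-list=sip_stage2 \
    action=add-src-to-address-list address-list=sip_blocked \
    address-list-timeout=1d comment="3rd new connection: block"
add chain=forward in-interface=ether1 protocol=udp dst-port=5060 \
    connection-state=new src-address-list=sip_stage1 \
    action=add-src-to-address-list address-list=sip_stage2 \
    address-list-timeout=1m comment="2nd new connection"
add chain=forward in-interface=ether1 protocol=udp dst-port=5060 \
    connection-state=new \
    action=add-src-to-address-list address-list=sip_stage1 \
    address-list-timeout=1m comment="1st new connection"

# Only traffic that matched the dst-nat rule is admitted from the WAN.
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    connection-state=new action=accept comment="allow forwarded SIP"
```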
