T38Fax owns (AS7324) and (AS396431), and all of our services operate out of these address blocks. We use SIP over UDP for call signaling. For outbound calling and registration via SIP, you can either use the standard UDP port 5060 or the nonstandard UDP port 5080. Use of the non-standard SIP port 5080 is recommended to avoid SIP ALGs: this is discussed in more detail here. For inbound calls, we will attempt to establish the call from port 5060, unless you are both using SIP registration and sending your registration to 5080. When both of these conditions are met, we will also send inbound calls from port 5080. The other ports referenced are for RTP or UDPTL: the media streams. Note that in a single session, the SIP packets will often flow between an IP address different from that of the RTP packets.

ACL Rules

For simplicity, some customers may wish to whitelist the and ranges in their firewall or fail2ban, as doing so allows all traffic described above in a single firewall rule. Administratively opening ports, especially SIP ports, to receive traffic from any and all IPs is not recommended. Alternatively, if you would like to use the most specific ruleset possible, allow only the traffic from below:

                        SIP   SIP   RTP/UDPTL        UDP 5060, 5080, 35000-65000        UDP 5060, 5080, 35000-65000        UDP 5060, 5080, 35000-65000     UDP             16384-32768     UDP             16384-32768         UDP 5060, 5080, 35000-65000         UDP 5060, 5080, 35000-65000      UDP             16384-32768

Port Forwarding

When using registration authentication, most devices do not require any port forwarding to work with our service. If you use IP authentication, you will need to forward your SIP port: often UDP port 5060, 5160, or 5080, depending on which port your SIP driver is listening. If you are using an Asterisk-based PBX, please also note the port forwarding requirements mentioned in the Asterisk Design Guide.