Overview
T38Fax owns 8.34.182.0/24 (AS7324) and 8.20.91.0/24 (AS396431), and all of our services operate out of these address blocks. We use SIP over UDP for call signaling. For outbound calling and registration via SIP, you can either use the standard UDP port 5060 or the nonstandard UDP port 5080. Use of the non-standard SIP port 5080 is recommended to avoid SIP ALGs: this is discussed in more detail here. For inbound calls, we will attempt to establish the call from port 5060, unless you are both using SIP registration and sending your registration to 5080. When both of these conditions are met, we will also send inbound calls from port 5080. The other ports referenced are for RTP or UDPTL: the media streams. Note that in a single session, the SIP packets will often flow between an IP address different from that of the RTP packets.
ACL Rules
For simplicity, some customers may wish to whitelist the 8.34.182.0/24 and 8.20.91.0/24 ranges in their firewall or fail2ban, as doing so allows all traffic described above in a single firewall rule. Administratively opening ports, especially SIP ports, to receive traffic from any and all IPs is not recommended. Alternatively, if you would like to use the most specific ruleset possible, allow only the traffic from below:
SIP SIP RTP/UDPTL 8.34.182.111 UDP 5060, 5080, 35000-65000 8.34.182.112 UDP 5060, 5080, 35000-65000 8.34.182.113 UDP 5060, 5080, 35000-65000 8.34.182.100/30 UDP 16384-32768 8.34.182.128/26 UDP 16384-32768 8.20.91.194 UDP 5060, 5080, 35000-65000 8.20.91.195 UDP 5060, 5080, 35000-65000 8.20.91.128/25 UDP 16384-32768
Port Forwarding
When using registration authentication, most devices do not require any port forwarding to work with our service. If you use IP authentication, you will need to forward your SIP port: often UDP port 5060, 5160, or 5080, depending on which port your SIP driver is listening. If you are using an Asterisk-based PBX, please also note the port forwarding requirements mentioned in the Asterisk Design Guide.
