T38Fax owns 220.127.116.11/24 (AS7324) and 18.104.22.168/24 (AS396431), and all of our services operate out of these address blocks. We use SIP over UDP for call signaling. For outbound calling and registration via SIP, you can use either the standard UDP port 5060 or the non-standard UDP port 5080. Use of the non-standard SIP port 5080 is recommended to avoid SIP ALGs: this is discussed in more detail here. For inbound calls, we will attempt to establish the call from port 5060, unless you are both using SIP registration and sending your registration to 5080. When both of these conditions are met, we will also send inbound calls from port 5080. The other ports referenced are for RTP or UDPTL: the media streams. Note that within a single session, the SIP packets will often use a different IP address than the RTP packets.
For simplicity, some customers may wish to whitelist the 22.214.171.124/24 and 126.96.36.199/24 ranges in their firewall or fail2ban, as doing so allows all traffic described above in a single firewall rule. Administratively opening ports, especially SIP ports, to receive traffic from any and all IPs is not recommended. Alternatively, if you would like to use the most specific ruleset possible, allow only the traffic listed below:
| IP address / range | Protocol | SIP | SIP | RTP/UDPTL |
|---|---|---|---|---|
| 188.8.131.52 | UDP | 5060 | 5080 | 35000-65000 |
| 184.108.40.206 | UDP | 5060 | 5080 | 35000-65000 |
| 220.127.116.11 | UDP | 5060 | 5080 | 35000-65000 |
| 18.104.22.168/30 | UDP | | | 16384-32768 |
| 22.214.171.124/26 | UDP | | | 16384-32768 |
| 126.96.36.199 | UDP | 5060 | 5080 | 35000-65000 |
| 188.8.131.52 | UDP | 5060 | 5080 | 35000-65000 |
| 184.108.40.206/25 | UDP | | | 16384-32768 |
When using registration authentication, most devices do not require any port forwarding to work with our service. If you use IP authentication, you will need to forward your SIP port: often UDP port 5060, 5160, or 5080, depending on which port your SIP driver is listening on. If you are using an Asterisk-based PBX, please also note the port forwarding requirements mentioned in the Asterisk Design Guide.
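The "most specific ruleset" approach described above, sketched as an added example (not T38Fax's own configuration): a POSIX shell function that prints, without applying, iptables commands built from a source/port table, followed by a drop for SIP from every other address. The `RULES` table and the `emit_rules` name are assumptions, and the addresses are documentation placeholders; substitute the sources and port ranges from the provider's table.

```shell
#!/bin/sh
# Added example. Sources are documentation placeholders (constructed), not the
# provider's addresses; substitute the rows from the provider's table.
# Format: <source IP or CIDR> <UDP ports, ranges written lo:hi>
RULES='
192.0.2.10        5060,5080,35000:65000
192.0.2.64/26     16384:32768
198.51.100.20     5060,5080,35000:65000
198.51.100.128/25 16384:32768
'

# emit_rules [chain]: print iptables commands; nothing is applied.
emit_rules() {
    chain="${1:-INPUT}"
    # Replies to outbound registrations and calls match existing conntrack state.
    echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$RULES" | while read -r src ports; do
        [ -n "$src" ] || continue
        # Refuse anything that is not a plain address or port list, so the
        # printed commands are safe to review and then pipe to a shell.
        case "$src" in *[!0-9./]*) echo "skip bad source: $src" >&2; continue ;; esac
        case "$ports" in ''|*[!0-9,:]*) echo "skip bad ports: $ports" >&2; continue ;; esac
        echo "iptables -A $chain -p udp -s $src -m multiport --dports $ports -j ACCEPT"
    done
    # SIP from any other source is dropped rather than left open to all IPs.
    echo "iptables -A $chain -p udp -m multiport --dports 5060,5080 -j DROP"
}

emit_rules "$@"
```

Review the printed commands before applying them; the media-only rows need their own rules because RTP/UDPTL often arrives from a different address than the SIP signaling.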