This article explains some of the considerations required for making your Asterisk-based system T.38-ready. This guide is relevant for any Asterisk-based system; to name a few popular platforms in use:
- Grandstream UCM
Choosing Your Setup
Once configured correctly, virtually all ATAs in our Gateways & ATAs support guides work well with Asterisk. If you're having trouble choosing, check out our recommended list. Regardless of which ATA you pick, that ATA's T38Fax configuration guide still applies, even when connecting to your Asterisk server: usually only the username, password, and server address need changed.
When choosing to route your calls through Asterisk, it should be noted that correctly configuring Asterisk to host ATAs can pose certain challenges over directly connecting your ATA to a T38Fax trunk. If you're only setting up one analog gateway or fax server, you should always provision that device directly to our trunks. Even if you're only setting up two or three devices, for ease of use it may still be worth it to give each ATA its own T38Fax trunk.
Asterisk's advertises its interface's IP address by default; therefore, if you install Asterisk on a LAN, chances are it will be advertising a private IP address. It is also possible to override this default to advertise its external IP address for the purpose of NAT traversal. Of these two options, the Asterisk's server external IP address, even if it needs hard-coded, provides the best performance when using a T38Fax trunk. Additionally, if you are behind NAT you will need to create a straight-through port forward for your SIP port: for example, UDP port 5160 on the external side would map to port UDP 5160 on the Asterisk server. Asterisk uses UDP port 5060 by default for chan-sip and UDP port 5160 by default for pjsip. There are risks associated with opening your SIP port to the world in such a way, so make sure you have the necessary safeguards in place to prevent unwanted access (see the Security section below).
SIP ALG is a firewall feature that was designed to help SIP traffic traverse a firewall/NAT. Unfortunately they do not always process SIP message correctly, and T.38 poses one corner case for many SIP ALGs. Some SIP ALGs are deeper than others, such as those included on appliances made by Palo Alto, Meraki, and Sonicwall, and therefore need disabled completely. In most cases, however, it's sufficient to use port 5080 where possible. At minimum, always prefer sip.t38fax.com:5080.
We don't recommend using direct media on your trunk with us. Asterisk is able to perform direct media for audio calls, but requires that all T.38 be proxied. For this reason, using direct media may result in a scenario where you send media from two different IPs on a single call. Using direct media on fax calls passing through an Asterisk server isn't recommended for this reason - it will introduce significant complexity into the call flow. All Asterisk installations, regardless of whether they're using direct media or not, need to follow the recommendations outlined in the T.38 section below.
T.38 on Asterisk requires firewall exceptions if you are behind a third party firewall, or an edge router performing NAT or ACL filtering, or have strict firewall rules on the Asterisk server itself. Such devices include:
- Dedicated firewall appliances such as Cisco ASAs, Sonicwalls or Fortigates.
- Consumer WiFi routers such as those manufactured by Linksys, Netgear, ISP-branded routers, and many others.
- Third party firewalls offered by VPS providers, such as AWS Security Groups.
UDPTL transports the T.38 protocol. All ports specified in Asterisk's UDPTL range must be forwarded and opened. On Asterisk, the default UDPTL port range is UDP ports 4000-4999. This range can be configured through Asterisk's udptl.conf file through the udptlstart and udptlend parameters. All T.38 traffic passes through your Asterisk system even if direct media is enabled so these step must be completed on all Asterisk installations.
If you are behind a NAT device, you will need to create a straight-through UDP port forward for all of Asterisk's UDPTL ports: you will need to map port 4000 on your external interface to port 4000 on your Asterisk server, UDP port 4001 on the external goes to 4001 on the Asterisk server, etc.. Additionally, you will need to permit traffic from us to these ports by opening the ports. For consumer equipment, port forwarding and port opening is a single-step process labelled as port forwarding. For many professional grade appliances, you will have to separately forward the port and open it.
Some networking devices don't allow whole port ranges to be configured at once. In these cases, we recommend limiting the UDPTL port range in udptl.conf to around 20 ports total instead. All ports specified in this range must be forwarded/opened.
If you're interested in filtering all traffic except ours, you can find out IP address and port utilization here. The short version is to allow all IP addresses within the 126.96.36.199/24 subnet range. If you're using fail2ban, you should also whitelist this range.
If you're having trouble faxing reliably, run through the following:
- Am I using port 5080 on sip.t38fax.com?
- Is UDPTL traffic forwarded and allowed on the firewall?
- Have I configured my other devices to work correctly with T38Fax?
- Have my devices been approved by T38Fax to work with their service?
- Are my device to the latest or recommended firmware?
- Have I followed the T38Fax configuration guide for my device(s)?
- Have I changed the transmission speed on my fax machine?
- Are the calls are coming in / going out the right trunk on the Asterisk server?
- Does everything work if I connect the ATA directly to a T38Fax trunk?
(Trunks and DIDs are prorated, so this is a relatively cheap and simple test even if you want to set up a new trunk just for this purpose.)