This article explains some of the considerations required for making your Asterisk-based system T.38-ready. This guide is relevant for any Asterisk-based system; to name the more popular ones:

  • Asterisk
  • FreePBX
  • Grandstream UCM


Choosing Your Setup

Asterisk adds a lot of complexity to your deployment over directly connecting your ATA to our trunks. If you're only setting up one device, you should always provision that device directly to our trunks. If you're only setting up two or three devices, it may still be worth it to give each its own trunk with us but it's up to you. If you're setting up a fax server external to Asterisk, such as a GFI FaxMaker, Hylafax Enterprise, or XMediusFAX, definitely give it a trunk of its own.


That said, once configured correctly, virtually all ATAs in our Gateways & ATAs support guides work well with Asterisk. If you're having trouble choosing, check out our recommended list. Regardless of which ATA you pick, its configuration guides should still be followed as closely as possible even when connecting the ATA to Asterisk instead of our trunks.


SIP

By default, Asterisk advertises its interface's IP address; if you install Asterisk on a LAN, chances are it will pull a private IP address on that interface. If the IP address you advertise falls within a private address range as specified by RFC 1918, we will automatically perform NAT traversal for you. As a NAT traversal measure, Asterisk also supports the ability to hardcode a different IP address, usually an external one. If you have configured an external IP address in Asterisk, we will assume you know what you're doing and do exactly what Asterisk tells us to do. Whether you choose to hardcode your external IP or not, there is no perfect solution, but there may be one that works better for you and your client(s).


The external IP address setting is a system-wide setting, so you may affect other functionality by removing this setting. If you don't have any limiting factors, it's best to keep it simple and not configure an external IP address in Asterisk. Limiting factors may include:

  • Your carriers require an external IP address to be set. It's pretty rare that they do, so it's worth testing off hours.
  • You're servicing remote users.

If you have to set your external IP address for some reason, it's possible but you need to create a straight-through port forward for your SIP port. For example, port 5160 on the external side would map to port 5160 on the Asterisk server. There are risks associated with opening your SIP port to the world in such a way, so make sure you have the necessary safeguards in place to prevent unwanted access.


ALG

SIP ALG is a firewall feature that was designed to help SIP traffic traverse a firewall/NAT. Unfortunately, SIP ALGs do not always process SIP messages correctly, and T.38 poses one corner case for many of them. While it may be tempting to disable SIP ALG on your firewall, it often isn't as easy as flipping a switch, and it's best to use port 5080 instead.


UDPTL

The T.38 protocol requires firewall exceptions if you are behind an external firewall, or a router performing NAT/ACL filtering. Such devices include:

  • Dedicated firewall appliances such as Cisco ASAs, Sonicwalls or Fortigates.
  • Consumer WiFi routers such as those manufactured by Linksys, Netgear, ISP-branded routers, and many others.
  • Third party firewalls offered by VPS providers, such as AWS Security Groups.

On Asterisk, the default UDPTL port range is UDP ports 4000-4999. This range can be configured through Asterisk's udptl.conf file. 


If you are behind a device performing PAT, which is the case in most on-premise deployments, you will need to create a straight-through UDP port forward for all of Asterisk's UDPTL ports: UDP port 4000 on your external interface maps to port 4000 on your Asterisk server, UDP port 4001 on the external interface maps to 4001 on the Asterisk server, and so on. Additionally, if you're behind a firewall or one-to-one NAT, you will need to create an allow rule for our services. For consumer equipment, port forwarding and port opening are a single-step process called port forwarding. For many professional-grade appliances, you will have to both explicitly forward the port and open it as two separate steps.


In some cases the networking device doesn't allow whole port ranges to be configured at once. In these cases, it may be cumbersome to configure a port forward/exception for all 1000 UDP ports in Asterisk's default UDPTL port range. If you run into this, we recommend limiting the UDPTL port range in udptl.conf to around 20 ports total instead. All ports specified in Asterisk's UDPTL range must be forwarded and opened.


Security

If you're interested in filtering all traffic except ours, you can find our IP address and port utilization here. The short version is to allow all IP addresses within the 8.34.182.0/24 subnet range. If you're using fail2ban, you should also whitelist this range.
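
The UDPTL range from the section above and the allow range from this section can be turned into host firewall rules directly from udptl.conf. The script below is an added example, not part of the original guide; it assumes iptables on the Asterisk host, the `udptlstart`/`udptlend` keys in the `[general]` section, and local SIP port 5160 as in the port-forward example, and it only prints the rules.

```sh
#!/bin/sh
# Added example. Assumptions: iptables on the Asterisk host and local SIP
# port 5160 (the port used in the article's port-forward example).
PROVIDER_NET="8.34.182.0/24"   # allow range given in the article

# Print KEY from the [general] section of FILE, or DEFAULT if it is unset.
udptl_value() {  # usage: udptl_value FILE KEY DEFAULT
    val=$(awk -F= -v key="$2" '
        /^[ \t]*;/  { next }                    # skip comment lines
        /^[ \t]*\[/ { sect = $0; next }         # remember current section
        sect ~ /\[general\]/ {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) {
                v = $2; sub(/;.*/, "", v); gsub(/[ \t]/, "", v)
                print v; exit
            }
        }' "$1")
    echo "${val:-$3}"
}

# Print (do not apply) rules that admit only the provider to SIP and UDPTL.
emit_rules() {  # usage: emit_rules UDPTL_CONF SIP_PORT
    start=$(udptl_value "$1" udptlstart 4000)   # Asterisk defaults per article
    end=$(udptl_value "$1" udptlend 4999)
    case "$start$end" in
        *[!0-9]*) echo "non-numeric UDPTL range" >&2; return 1 ;;
    esac
    [ "$start" -le "$end" ] || { echo "udptlstart > udptlend" >&2; return 1; }
    echo "# UDPTL $start-$end: $((end - start + 1)) ports to forward and open"
    for ports in "$2" "$start:$end"; do
        echo "iptables -A INPUT -p udp -s $PROVIDER_NET --dport $ports -j ACCEPT"
    done
    # Only for the "filter all traffic except ours" case from the article.
    for ports in "$2" "$start:$end"; do
        echo "iptables -A INPUT -p udp --dport $ports -j DROP"
    done
}

# Constructed sample udptl.conf that narrows the range to 20 ports.
sample=$(mktemp)
printf '[general]\nudptlstart=4000\nudptlend=4019 ; 20 ports\n' > "$sample"
emit_rules "$sample" 5160
```

The printed rules cover the Asterisk host only; the straight-through forwards on the NAT device still have to use the same port range.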


Troubleshooting

If you're having trouble faxing reliably, run through the following:

- Am I using port 5080 on sip.t38fax.com?

- Is UDPTL traffic forwarded and allowed on the firewall?

- Are the calls coming in / going out the right trunk?

- Have my devices been approved by T38Fax to work with their service?

- Are my devices on the latest or recommended firmware?

- Have I followed the T38Fax configuration guide for my device(s)?

- Have I changed the transmission speed on my fax machine? 

- Does everything work if I connect the ATA directly to a T38Fax trunk? 

(Trunks and DIDs are prorated, so this is a relatively cheap and simple test even if you have to set up a new trunk temporarily.)