Many routers, firewalls and even some modems come with a feature called SIP ALG that modifies SIP packets as they pass through the networking device. This feature should in theory make it easier for SIP calls to work through NAT but, especially for Fax over IP, it is often implemented incompletely. You can avoid SIP ALG through two measures:
- Disabling the SIP ALG feature on all network devices.
- Changing the SIP port usage to 5080, discussed in more detail here.
For most basic deployments, using UDP port 5080 as outlined in our guides is often sufficient. For critical deployments, the surest way to avoid SIP ALG is to employ both methods since neither one is totally foolproof. Various updates or resets of network equipment may enable SIP ALG even after it has been disabled. On the other hand, changing the SIP port to UDP port 5080 is not always adequate to bypass SIP ALG: some firewalls are intelligent enough to follow SIP traffic to non-standard ports.
Below is a list of known devices on which you must disable SIP ALG:
- Palo Alto Firewalls (instructions)
T38Fax owns 220.127.116.11/24 (AS7324) and 18.104.22.168/24 (AS396431), and all of our services operate out of these address blocks. For simplicity, some customers may wish to whitelist the 22.214.171.124/24 and 126.96.36.199/24 ranges in their firewall or fail2ban as doing so allows all necessary traffic in only 1-2 firewall rules.
If you would like to use the most specific ruleset possible, allow only the traffic from below:
|188.8.131.52||SIP||UDP 5060 + 5080 OR TCP 5060|
|184.108.40.206||SIP||UDP 5060 + 5080 OR TCP 5060|
|220.127.116.11||SIP||UDP 5060 + 5080 OR TCP 5060|
As mentioned in the SIP ALG section, use of UDP port 5080 for SIP is recommended. Opening SIP ports to receive traffic from any and all IPs is not recommended. The other ports referenced are for RTP or UDPTL: the media streams. Note that SIP and RTP/UDPTL traffic will flow between different IP addresses.
You can use either UDP or TCP for SIP call signaling. Registration auth trunks will automatically return traffic, such as inbound calls, from whichever port/transport you are using to register. For this you can use the standard UDP/TCP port 5060 or the nonstandard UDP port 5080. IP auth trunks will accept outbound calls from any of the SIP ports listed above but will only present inbound calls to you from either UDP or TCP port 5060, depending on which protocol your trunk is set to use. You can change this setting in the portal.
An important takeaway for avoiding SIP ALG: we will only send traffic to you from port 5080 when you are both using SIP registration and are sending your registration to UDP port 5080.
When using registration authentication, most devices do not require any port forwarding to work with our service. If you use IP authentication, you will need to forward your SIP port: often UDP port 5060, 5160, or 5080, depending on which port your SIP driver is listening. Only some devices will need to have all their media ports forwarded. Below is a list of many of the most common devices:
- Asterisk-based PBXs: UDP ports 4000-4999 by default (See Asterisk Design Guide).
- Grandstream UCM
- 3CX servers: UDP ports 9000-10999 by default.