SIP ALG
Many routers, firewalls and even some modems come with a feature called SIP ALG that modifies SIP packets as they pass through the networking device. This feature should in theory make it easier for SIP calls to work through NAT but, especially for Fax over IP, it is often implemented incompletely. You can avoid SIP ALG through two measures:
- Disabling the SIP ALG feature on all network devices.
- Changing the SIP port usage to 5080 on one or ideally both sides of the connection.
To ensure both sides of the connection use port 5080, each side of the connection must be updated individually. For the T38Fax side, this is typically accomplished by using sip.t38fax.com:5080 as the remote proxy. On the local side, most devices can change the SIP service's port binding from 5060 to 5080 in their config. The T38Fax guides will walk you through this process for all capable devices.
For most deployments, using UDP port 5080 as outlined in our guides is often sufficient. For critical deployments, the surest way to avoid SIP ALG is to employ both methods from the bullet points above since neither one is totally foolproof. Various updates or resets of network equipment may enable SIP ALG even after it has been disabled. On the other hand, changing the SIP port to UDP port 5080 is not always adequate to bypass SIP ALG: some firewalls are intelligent enough to follow SIP traffic to non-standard ports.
Below is a list of known devices on which you must disable SIP ALG:
- Palo Alto Firewalls (instructions)
ACL Rules
Basic Requirements
Default firewall rules will typically allow all traffic outbound, and allow traffic inbound in return to outbound traffic. Registration auth trunks will work by default under this ruleset, and often do not require any access to the firewall to deploy. IP auth trunks will require, at minimum, an explicit inbound rule to allow all traffic from our SIP IPs to your SIP device(s). Ensure you allow traffic to/from both of T38Fax's SIP ports: 5060 and 5080.
If needed, make sure you update your rules for our new IP ranges starting September 1st, 2024.
T38Fax (AS396431) owns 8.20.91.0/24, 130.51.64.0/22 and (through AS7324) 8.34.182.0/24, and all of our services operate out of these address blocks. For simplicity, some customers may wish to whitelist these ranges in their firewall or fail2ban as doing so allows all necessary traffic in only ~3 firewall rules. These are the simplest and most permissive rules T38Fax recommends. Opening SIP ports to receive traffic from any and all IPs, namely those outside T38Fax's IP ranges, is not recommended.
Advanced Requirements
Some organizations' security policies require the most specific ruleset possible. In that case, allow only the traffic listed below:
IPs | Protocol | Ports |
---|---|---|
8.20.91.194 | SIP | UDP 5060 + 5080 OR TCP 5060 + 5080 |
8.34.182.111 | SIP | UDP 5060 + 5080 OR TCP 5060 + 5080 |
8.34.182.112 | SIP | UDP 5060 + 5080 OR TCP 5060 + 5080 |
130.51.64.200/29 | SIP | UDP 5060 + 5080 OR TCP 5060 + 5080 |
130.51.65.200/29 | SIP | UDP 5060 + 5080 OR TCP 5060 + 5080 |
130.51.66.200/29 | SIP | UDP 5060 + 5080 OR TCP 5060 + 5080 |
130.51.67.200/29 | SIP | UDP 5060 + 5080 OR TCP 5060 + 5080 |
8.34.182.128/26 | RTP/UDPTL (Media) | UDP 16384-32768 |
8.20.91.128/25 | RTP/UDPTL (Media) | UDP 16384-32768 |
130.51.64.128/25 | RTP/UDPTL (Media) | UDP 16384-32768 |
130.51.65.128/25 | RTP/UDPTL (Media) | UDP 16384-32768 |
130.51.66.128/25 | RTP/UDPTL (Media) | UDP 16384-32768 |
130.51.67.128/25 | RTP/UDPTL (Media) | UDP 16384-32768 |
The port ranges here are specific to T38Fax's service, one side of the connection. Your SIP device will have separate port ranges, and typically the port number on the T38Fax side of the connection will not match the port number on the customer side of the connection. To ensure complete connectivity, consult your SIP device vendor's port specification to find out the customer side's requirements. Take both sides of the connection into consideration for firewall rules.
For example, a SR140-based fax server will have a typical port range of UDP 56000-56999. Thus, the firewall must allow UDP 16384-32768 on the T38Fax side to communicate bidirectionally with UDP 56000-56999 on the customer side. In this case, the port number on one side will never match the other as these ranges are mutually exclusive. This is perfectly acceptable and common. Even if the port ranges overlapped exactly, each side would still select their own random port number anyway: the chance of both sides selecting the same random port, even in this case, is rather low. You do not have to adjust your port range to match T38Fax's.
Note as well that SIP and RTP/UDPTL traffic will flow between different IP addresses.
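The table above can be turned into an executable policy check, which is useful both for reviewing a proposed firewall ruleset and for deciding whether a dropped packet in your logs should have been allowed. The following is an added example, not T38Fax's own code: the address blocks and ports are copied from the table, while the flow classifier, the sample customer-side ports (5080 for SIP, the SR140 range 56000-56999 from the text above) and the iptables rendering are assumptions of this example that you should adapt to your own device and firewall.

```python
"""Evaluate inbound flows against the T38Fax 'Advanced Requirements' table.

Added example (not T38Fax code). Only the IP blocks and T38Fax-side ports
come from the table; everything else here is an assumption for illustration.
"""
import ipaddress

# SIP signalling sources from the table: UDP or TCP, T38Fax-side ports 5060/5080.
SIP_SOURCES = [
    "8.20.91.194/32",
    "8.34.182.111/32",
    "8.34.182.112/32",
    "130.51.64.200/29",
    "130.51.65.200/29",
    "130.51.66.200/29",
    "130.51.67.200/29",
]
SIP_PROTOCOLS = {"udp", "tcp"}
SIP_PORTS = {5060, 5080}

# Media (RTP/UDPTL) sources from the table: UDP, T38Fax-side ports 16384-32768.
MEDIA_SOURCES = [
    "8.34.182.128/26",
    "8.20.91.128/25",
    "130.51.64.128/25",
    "130.51.65.128/25",
    "130.51.66.128/25",
    "130.51.67.128/25",
]
MEDIA_PORT_RANGE = range(16384, 32768 + 1)

SIP_NETS = [ipaddress.ip_network(n) for n in SIP_SOURCES]
MEDIA_NETS = [ipaddress.ip_network(n) for n in MEDIA_SOURCES]


def _in_any(ip, nets):
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def classify(src_ip, proto, t38fax_port):
    """Return 'sip', 'media' or None for a packet arriving from T38Fax.

    t38fax_port is the port on the T38Fax side of the flow (the table lists
    T38Fax's ports, not the customer device's); proto is 'udp' or 'tcp'.
    """
    proto = proto.lower()
    if proto in SIP_PROTOCOLS and t38fax_port in SIP_PORTS and _in_any(src_ip, SIP_NETS):
        return "sip"
    if proto == "udp" and t38fax_port in MEDIA_PORT_RANGE and _in_any(src_ip, MEDIA_NETS):
        return "media"
    return None


def is_allowed(src_ip, proto, t38fax_port):
    """Policy decision: the table permits the flow only if it classifies."""
    return classify(src_ip, proto, t38fax_port) is not None


def render_iptables(customer_sip_port=5080, customer_media=(56000, 56999)):
    """Render the table as inbound iptables rules (illustrative; assumed
    customer-side ports: SIP on 5080, media on the SR140 range 56000-56999).
    Source ports are the T38Fax-side ports, destination ports are yours."""
    rules = []
    for net in SIP_NETS:
        for proto in sorted(SIP_PROTOCOLS):
            rules.append(
                f"iptables -A INPUT -p {proto} -s {net} -m multiport --sports 5060,5080 "
                f"--dport {customer_sip_port} -j ACCEPT"
            )
    lo, hi = customer_media
    for net in MEDIA_NETS:
        rules.append(
            f"iptables -A INPUT -p udp -s {net} --sport 16384:32768 "
            f"--dport {lo}:{hi} -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    # Constructed sample flows: (source IP, protocol, T38Fax-side port).
    samples = [
        ("8.20.91.194", "udp", 5060),      # SIP from a listed host
        ("130.51.64.203", "tcp", 5080),    # SIP from inside 130.51.64.200/29
        ("130.51.64.208", "udp", 5060),    # just outside that /29: denied
        ("8.34.182.150", "udp", 20000),    # media from 8.34.182.128/26
        ("8.34.182.150", "udp", 5060),     # media block but SIP port: denied
    ]
    for flow in samples:
        print(flow, "->", classify(*flow))
    print("\n".join(render_iptables()))
```

Note that the media check is keyed on the T38Fax-side port range, so a flow from a media block on port 5060 is rejected even though the address is in-scope; that is the behaviour the table specifies and is worth confirming against your own firewall's rule order before deploying.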
Port Forwarding
When using registration authentication, most devices do not require any port forwarding to work with our service. If you use IP authentication, you will need to forward your SIP port: often UDP port 5060, 5160, or 5080, depending on which port your SIP driver is listening on. Only some devices will need to have all their media ports forwarded. Below is a list of many of the most common devices:
- Asterisk-based PBXs: UDP ports 4000-4999 by default (See Asterisk Design Guide).
  - Asterisk
  - FreePBX
  - Grandstream UCM
  - Bicom
- 3CX servers: UDP ports 9000-10999 by default.
SIP Trunk Configuration
When defining in your SIP device where to send SIP calls outbound, please follow your SIP device's configuration guide. For the IP, these guides will recommend using the domain sip.t38fax.com instead of static IPs whenever possible. The records on this domain are the source of truth for which servers are prepared to handle production traffic, and may change periodically. For inbound calls, please accept calls from any of the SIP IPs listed in the IP list above (or more generally from all T38Fax IP ranges).