Network & Firewall Configuration
This page explains exactly what needs to be configured on your firewall so your SIP system can:

- Make outbound calls (SIP → PSTN)
- Receive inbound calls (PSTN → SIP)

1\) Ports to open

SIP signalling (call control)

| Transport | Port | Protocol | When to use |
| --- | --- | --- | --- |
| TLS (recommended) | 443 | TCP | Production use (secure, enterprise friendly) |
| TCP | 5070 | TCP | Use only if TLS is not enabled |

Media (audio / RTP)

| Type | Port range | Protocol | Purpose |
| --- | --- | --- | --- |
| RTP / SRTP | 10000–40000 | UDP | Voice media (audio) |

Important: if calls connect but audio is missing or one way, this port range is usually blocked.

2\) Exotel connectivity model

Exotel connectivity has two independent paths:

- Signaling – SIP INVITE / 100 Trying / 200 OK
- Media – RTP audio packets

Both must be allowed for calls to work correctly.

3\) Signaling endpoints (SIP proxy)

a) Outbound calling (SIP → PSTN)

Your SIP system sends SIP requests to Exotel. Use these FQDNs in your trunk / peer configuration.

| Use case | Primary FQDN | Secondary FQDN | Notes |
| --- | --- | --- | --- |
| Domestic India | edge mum in exotel com | edge hyd in exotel com | Configure both for failover |
| Domestic India (single DNS) | edge in exotel com | — | DNS resolution and retry required |

Failover note: your SIP system should retry the secondary FQDN if the primary is unreachable.

b) Inbound calling (PSTN → SIP)

Exotel sends SIP INVITEs to your SIP server. Allow inbound signaling from the following Exotel signaling source IPs.

| Source IP | Data center |
| --- | --- |
| 35.154.174.161 | AWS Mumbai |
| 98.130.67.66 | AWS Hyderabad |
| 129.154.231.198 | OCI (legacy signaling IP) |

4\) Media IPs (RTP audio)

These IPs send and receive RTP audio during calls.

Media pool

| Region / PoP | Media IPs | DC / Provider |
| --- | --- | --- |
| India | 3.6.59.115, 13.127.39.217, 43.205.221.135, 13.203.184.147, 13.203.182.84, 13.203.81.133, 3.7.34.113, 13.126.206.147, 35.154.177.121, 13.205.31.133, 35.154.118.78, 40.192.25.80, 98.130.133.120, 16.112.157.119, 16.112.117.9, 18.61.59.229, 18.61.247.215 | AWS (Mum/Hyd) |

Legacy / other media pools

| Region / PoP | Media IPs | DC / Provider |
| --- | --- | --- |
| West Bengal / TN / KA / Delhi / Gujarat / AP | 141.148.205.58, 144.24.101.99, 80.225.231.27, 140.245.21.212, 141.148.216.227 | OCI |
| Karnataka | 14.194.10.247, 61.246.82.75, 141.148.205.58, 144.24.101.99, 80.225.231.27 | KA DC |
| Mumbai DC | 14.142.38.122, 182.76.143.61 | Mum DC |
| Madhya Pradesh DC | 121.242.97.185, 182.73.254.178 | MP DC |
| Pune | 13.203.182.84, 13.203.81.133 | AWS Mum |

5\) Firewall rules (what to allow)

a) Inbound calls (PSTN → SIP)

Allow inbound traffic to your SIP server.

| Traffic | Source | Destination | Port / Protocol |
| --- | --- | --- | --- |
| SIP signaling | Exotel signaling IPs | Your SIP server | 443/TCP or 5070/TCP |
| RTP media | Exotel media IPs | Your RTP ports | 10000–40000/UDP |

b) Outbound calls (SIP → PSTN)

Allow outbound traffic from your SIP system.

| Traffic | Source | Destination | Port / Protocol |
| --- | --- | --- | --- |
| SIP signaling | Your SIP server | Exotel edge FQDNs | 443/TCP or 5070/TCP |
| RTP media | Your RTP ports | Exotel media IPs | 10000–40000/UDP |

6\) Important: how inbound firewalling works

For inbound calls, source ports are dynamic and must not be fixed.

What you must configure:

- Fixed destination port on your SIP server: 443 or 5070
- UDP media port range: 10000–40000
- Allow Exotel IPs as source

What you must not configure:

- Do not restrict source ports
- Do not expect a single fixed port from Exotel

Required behavior (inbound signaling)

| Item | Value |
| --- | --- |
| Destination IP | Your SIP server |
| Destination port | 443 or 5070 |
| Source IP | Exotel signalling IPs |
| Source port | ANY |
| Protocol | TCP |

Example firewall rule (signaling)

```
ALLOW TCP
SRC IP: Exotel signaling IPs
SRC PORT: ANY
DST IP: Your SIP server
DST PORT: 443
```

Required behavior (inbound media)

| Item | Value |
| --- | --- |
| Protocol | UDP |
| Destination ports | 10000–40000 |
| Source IPs | Exotel media IPs |
| Source ports | ANY |

Example firewall rule (media)

```
ALLOW UDP
SRC IP: Exotel media IPs
SRC PORT: ANY
DST IP: Your SIP server
DST PORT: 10000–40000
```

7\) Which IP list should you use?

If you only do India domestic calling, use:

- Signaling: edge mum in exotel com + edge hyd in exotel com (or edge in exotel com)
- Media: India proposed media IP pool (circle specific)

If you are unsure, allow:

- Exotel signaling IPs (for inbound)
- India proposed media pool
- Any additional country media pool you actively use

Reach out to support for updated IPs.
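To check an existing firewall against the inbound rules in sections 5 and 6, the following added example (not Exotel's code) scans firewall drop logs for packets that those rules say must be allowed. The log line format, the `10.0.0.5` SIP server address and the function names are assumptions, and `MEDIA_IPS` holds only the first three India pool entries from section 4.

```python
import ipaddress
import re

# From the page: Exotel signaling source IPs for inbound SIP.
SIGNALING_IPS = {"35.154.174.161", "98.130.67.66", "129.154.231.198"}
# From the page: first three India media pool IPs only; load the full list in real use.
MEDIA_IPS = {"3.6.59.115", "13.127.39.217", "43.205.221.135"}
SIP_PORTS = {443, 5070}            # TLS, or plain TCP when TLS is not enabled
RTP_PORTS = range(10000, 40001)    # 10000-40000 inclusive
# Hypothetical drop-log format, constructed for this example.
LINE = re.compile(r"DROP proto=(\w+) src=(\S+) spt=\d+ dst=\S+ dpt=(\d+)")

def classify(proto, src, dpt):
    """Return 'signaling', 'media' or None for an inbound packet.
    Source port is deliberately not an input: the page requires ANY."""
    proto = proto.lower()
    if proto == "tcp" and src in SIGNALING_IPS and dpt in SIP_PORTS:
        return "signaling"
    if proto == "udp" and src in MEDIA_IPS and dpt in RTP_PORTS:
        return "media"
    return None

def wrongly_dropped(log_lines):
    """Return (kind, src, dpt) for each drop that the page's rules say to allow."""
    hits = []
    for line in log_lines:
        m = LINE.search(line)
        if not m:
            continue
        proto, src, dpt = m.group(1), m.group(2), int(m.group(3))
        try:
            src = str(ipaddress.ip_address(src))  # normalise, skip malformed
        except ValueError:
            continue
        kind = classify(proto, src, dpt)
        if kind:
            hits.append((kind, src, dpt))
    return hits

# Constructed sample drop log; 10.0.0.5 stands in for your SIP server.
SAMPLE = [
    "DROP proto=UDP src=3.6.59.115 spt=23456 dst=10.0.0.5 dpt=12000",
    "DROP proto=TCP src=35.154.174.161 spt=51514 dst=10.0.0.5 dpt=443",
    "DROP proto=UDP src=203.0.113.9 spt=5060 dst=10.0.0.5 dpt=12000",
    "DROP proto=UDP src=3.6.59.115 spt=23456 dst=10.0.0.5 dpt=9999",
]

if __name__ == "__main__":
    for kind, src, dpt in wrongly_dropped(SAMPLE):
        print(f"should be allowed ({kind}): {src} -> port {dpt}")
```

A media hit with no signaling hit matches the symptom in section 1: calls connect but audio is missing or one way.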
