Ringotel mitigates security risks by communicating with your PBX only from the trusted networks. It works as a secure VoIP tunnel that routes voice traffic form remote users to the connected PBX(s).
Ringotel’s unique architecture provides a number of advantages. You can find them on our dedicated How Ringotel Works web page.
Configure Firewall between the PBX and a Ringotel server
Please configure your Firewall/NAT to allow incoming traffic from the Ringotel IP(s) to the SIP (TCP/UDP) and RTP (UDP) ports configured on your PBX. Choose the IP address of the region which you configure when creating an organization in your Ringotel Shell portal (it is not required to white-list all regions).
Region | IP Address |
US West | 54.212.49.175, 44.229.252.175 |
US East | 54.144.152.6, 3.229.25.209 |
Canada (Central) | 15.157.156.24, 35.183.164.141 |
Europe (London) | 35.179.99.238, 3.10.183.230 |
Europe (Frankfurt) | 18.158.192.13, 52.29.63.118 |
Asia Pacific (Singapore) | 175.41.182.209, 13.215.100.9 |
Australia (Sydney) | 52.64.60.63, 3.105.29.244 |
India (Mumbai) | 15.206.18.117, 3.7.21.184 |
Europe (Dublin) | 52.49.236.53 |
South Africa (Cape Town) | 13.244.136.36 |
South America (São Paulo) | 54.232.20.246 |
It is not required to white-list the full list of IPs. Only white-list the regions where you create organisations / users.
This list of IP addresses and regions is occasionally updated.
Configure Fail2Ban
When connecting to FusionPBX, if you have Fail2Ban installed and enabled on the same server, you may need to check if Ringotel IPs were not put in the Fail2Ban “jails”.
You can view the IP addresses blocked by Fail2ban with the following command:
iptables -L -n
Then, check "sip-auth-fail" and "sip-auth-ip" chains in your firewall rules list. For example:
Chain sip-auth-fail (1 references) target prot opt source destination DROP all -- 54.144.152.6 0.0.0.0/0 Chain sip-auth-ip (1 references) target prot opt source destination DROP all -- 54.144.152.6 0.0.0.0/0
If you find Ringotel IPs in the “jail(s)” you will need to delete them from there. If you have only one rule in the chain(s), you can try to flush the "sip-auth-fail" and/or "sip-auth-ip" chains with these commands iptables -F sip-auth-fail and/or iptables -F sip-auth-ip.
In addition, exclude Ringotel IPs so that they aren't blocked by any filters. For this, edit the jails.conf file:
nano /etc/fail2ban/jail.conf
Find ignoreip parameter and add Ringotel IPs that need to be white listed (the list of IPs depends on the regions where you create Ringotel organizations). Restart fail2ban to apply changes to the ignoreip list. For example:
ignoreip = 54.144.152.6, 3.229.25.209
Please refer to the official FusionPBX and Fail2Ban documentation for further details.
Do not add Ringotel IP addresses to your FusionPBX ACL as this may cause outbound calls to not work. For your phone system, Ringotel works like any other SIP endpoint, such as IP phone and softphone.
What ports and IP address should the end-users open in their network to be compatible with Ringotel?
Standard HTTPS Port
Depending on the organisation's region, the users need to communicate on the standard HTTPS port 443 (TCP) with one of the Ringotel servers listed here.
RTP Ports Range
In addition to the standard HTTPS port, it is also important to have the full RTP ports range open for outbound connections to the following IPs:
75.2.52.102, 99.83.156.227, 15.197.206.93, 3.33.240.193
This range includes ports 1024-65535 (UDP) and must be open for users.
Should you need further assistance, feel free to reach out to our support at support@ringotel.co