I finally got port 500 UDP and port 4500 IPSec out of phone support, but I still get a REG99 error from the Amaze attempting to connect from my corporate guest wireless after these ports were opened. I have seen similar reports for this device in other forums, but I'm really looking for confirmation on the port information to make the determination as to whether this is a firewall configuration or device specific issue. WiFi calling works from home network which is also firewalled, but not blocking any outbound traffic.
This thread is apparently long dead, but I think I may know what's going on here. I finally had a day off work and two T-Mobile phones with WiFi calling in the house. I run an enterprise-grade firewall and pulled up logging after setting statically dynamic IP addresses for both phones. After 15 tests, it appears that the following ports and protocols are used:
To auth to the server and report their whereabouts, the following firewall port needs to be open:
For voice connections (establishing the call and voice communication) a large port range is used:
52000-59999 (UDP). This is a guesstimate based on the ports that were established.
I only opened these ports to these specific IPs and to the T-Mobile IP address of the server they're using; they probably have backups, so it wasn't worth posting. Hope this helps.
Outbound connections really never need to be opened unless you run a draconian firewall that bans traffic from getting out to the Internet normally.
I run an "enterprise level" firewall at home as well (for self training purposes), but have never had an issue with my phone connecting for wifi calling. I've never investigated what ports are used or made special allowances. The same phone has no issues getting out from my school where I work over the Cisco wireless through our firewall as well.
This is what I've got in my ASA to make WiFi calling work...
The RTP (I assume?) ports I got from attempting ten phone calls, then taking the lowest port and the highest port. So, it may not be the full range. It's definitely not on the standard ports.
It seems that to signal that a call is disconnecting the phone will send an ICMP unreachable to one of T-Mobile's servers. So.. I added that to the firewall as well.
So permitting icmp/unreachable to the TMO2 net range of 18.104.22.168 - 22.214.171.124 seems to work.
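The method both of the posts above describe (log what the phones actually send, then allow only those destinations, the fixed IKE/NAT-T ports, the observed high UDP range, and ICMP unreachable) as an added Python example that is not from this thread or from any of the posters; the log line format, host addresses and port numbers are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the thread). One connection per line:
#   PROTO src[:sport] -> dst[:dport] [type N]
SAMPLE_LOG = """\
UDP 192.168.1.20:500 -> 198.51.100.10:500
UDP 192.168.1.20:4500 -> 198.51.100.10:4500
UDP 192.168.1.20:61002 -> 198.51.100.10:55012
UDP 192.168.1.21:61044 -> 198.51.100.10:52980
UDP 192.168.1.21:61050 -> 198.51.100.10:58870
UDP 192.168.1.99:40000 -> 203.0.113.5:53
ICMP 192.168.1.20 -> 198.51.100.11 type 3
TCP 192.168.1.20:41000 -> 198.51.100.10:443
"""

LINE_RE = re.compile(
    r"^(?P<proto>UDP|TCP|ICMP)\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?(?:\s+type\s+(?P<itype>\d+))?$"
)
IKE_PORTS = {500, 4500}  # IKE and NAT-T, kept as fixed rules rather than part of a range


def summarize_phone_traffic(log_text, phone_ips):
    """Per destination host: fixed (proto, port) pairs, the list of high UDP
    destination ports (for a min/max 'guesstimate' range), and whether an
    ICMP unreachable (type 3) was sent. Only lines sourced from phone_ips count."""
    summary = defaultdict(lambda: {"fixed": set(), "udp_high": [], "icmp_unreach": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["src"] not in phone_ips:
            continue
        entry = summary[m["dst"]]
        if m["proto"] == "ICMP":
            entry["icmp_unreach"] = entry["icmp_unreach"] or m["itype"] == "3"
            continue
        dport = int(m["dport"])
        if m["proto"] == "UDP" and dport >= 1024 and dport not in IKE_PORTS:
            entry["udp_high"].append(dport)
        else:
            entry["fixed"].add((m["proto"], dport))
    return dict(summary)


def render_rules(summary):
    """Vendor-neutral allow rules derived from the summary (generic text, not ASA syntax)."""
    rules = []
    for dst, e in sorted(summary.items()):
        for proto, port in sorted(e["fixed"]):
            rules.append(f"permit {proto.lower()} phones -> {dst} dport {port}")
        if e["udp_high"]:
            rules.append(f"permit udp phones -> {dst} dport {min(e['udp_high'])}-{max(e['udp_high'])}")
        if e["icmp_unreach"]:
            rules.append(f"permit icmp unreachable phones -> {dst}")
    return rules
```

Because the high range is only the min and max of the calls you happened to log, a call using a port just outside it will fail; collecting more samples before committing the rules narrows that risk.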