diff --git a/src/constants.js b/src/constants.js
index 3eba32d1c..ca5db9687 100644
--- a/src/constants.js
+++ b/src/constants.js
@@ -32,6 +32,10 @@ exports = module.exports = {
     DOCKER_PROXY_PORT: 3003,
     USER_DIRECTORY_LDAPS_PORT: 3004, // user directory LDAP with TLS rerouting in iptables, public port is 636
     OIDC_PORT: 3005,
+    TURN_PORT: 3478, // tcp and udp
+    TURN_TLS_PORT: 5349, // tcp and udp
+    TURN_UDP_PORT_START: 50000,
+    TURN_UDP_PORT_END: 51000,
 
     // docker IPs
     DOCKER_IPv4_SUBNET: '172.18.0.0/16',
diff --git a/src/services.js b/src/services.js
index 02acf6fd6..2b1f9b82d 100644
--- a/src/services.js
+++ b/src/services.js
@@ -1017,9 +1017,9 @@ async function startTurn(existingInfra) {
     const readOnly = !serviceConfig.recoveryMode ? '--read-only' : '';
     const cmd = serviceConfig.recoveryMode ? '/bin/bash -c \'echo "Debug mode. Sleeping" && sleep infinity\'' : '';
 
-    // this exports 3478/tcp, 5349/tls and 50000-51000/udp. note that this runs on the host network because docker's userland proxy
-    // is spun for every port. we can disable this in some future release with --userland-proxy=false
-    // https://github.com/moby/moby/issues/8356 and https://github.com/moby/moby/issues/14856
+    // docker's userland proxy spins a process for every mapped port. this makes exposing port ranges unviable
+    // despite --userland-proxy=false, docker create a firewall rule for each port in a range. this takes over 20s to start/stop containers
+    // https://github.com/moby/moby/issues/8356 and https://github.com/moby/moby/issues/14856 https://github.com/moby/moby/issues/36214
     const runCmd = `docker run --restart=always -d --name=turn \
         --hostname turn \
         --net host \
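Review bot: The new TURN_UDP_PORT_START/TURN_UDP_PORT_END constants do not say whether the end of the relay range is inclusive, and the neighbouring entries document their protocol while these two document nothing; the removed services.js comment described the range as "50000-51000/udp", so the intent looks inclusive but that should be stated where the numbers live. A short comment would remove the ambiguity for whoever maintains the firewall and the TURN server config, e.g. `TURN_UDP_PORT_START: 50000, // udp relay range, see startTurn in services.js` and `TURN_UDP_PORT_END: 51000, // inclusive (confirm against the turn config)`. The visible services.js hunk still carries the literal numbers in its comment rather than referencing these constants, so the two may drift apart unless the consumer of these values is outside the hunk.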
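Review bot: The rewritten comment drops the one fact the old one recorded that matters for the host's exposure: with `--net host` there is no docker port mapping at all, so every port the turn process binds is reachable on the host's interfaces, and the comment no longer lists which ports those are (the removed line named 3478/tcp, 5349/tls and 50000-51000/udp). Keeping that list next to the `--net host` line is what lets a reviewer check the firewall rules against the container, so I would restore it in terms of the new constants, e.g. `// runs on the host network, so it binds directly: TURN_PORT (tcp/udp), TURN_TLS_PORT (tcp/udp) and TURN_UDP_PORT_START-TURN_UDP_PORT_END (udp); keep the firewall in sync`. Also a wording nit on the second added line: `docker create a firewall rule` should read `docker creates a firewall rule`. startTurn begins before this hunk and the runCmd template literal continues past it.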