diff --git a/proxy/lib/snowflake.go b/proxy/lib/snowflake.go
index 8269d61..6891be0 100644
--- a/proxy/lib/snowflake.go
+++ b/proxy/lib/snowflake.go
@@ -114,6 +114,9 @@ type SnowflakeProxy struct {
 	KeepLocalAddresses bool
 	// RelayURL is the URL of the Snowflake server that all traffic will be relayed to
 	RelayURL string
+	// Ephemeral*Port limits the pool of ports that ICE UDP connections can allocate from
+	EphemeralMinPort uint16
+	EphemeralMaxPort uint16
 	// RelayDomainNamePattern is the pattern specify allowed domain name for relay
 	// If the pattern starts with ^ then an exact match is required.
 	// The rest of pattern is the suffix of domain name.
@@ -347,6 +350,18 @@ func (d dataChannelHandlerWithRelayURL) datachannelHandler(conn *webRTCConn, rem
 	d.sf.datachannelHandler(conn, remoteAddr, d.RelayURL)
 }
 
+func (sf *SnowflakeProxy) makeWebRTCAPI() *webrtc.API {
+	settingsEngine := webrtc.SettingEngine{}
+
+	if sf.EphemeralMinPort != 0 && sf.EphemeralMaxPort != 0 {
+		settingsEngine.SetEphemeralUDPPortRange(sf.EphemeralMinPort, sf.EphemeralMaxPort)
+	}
+
+	settingsEngine.SetICEMulticastDNSMode(ice.MulticastDNSModeDisabled)
+
+	return webrtc.NewAPI(webrtc.WithSettingEngine(settingsEngine))
+}
+
 // Create a PeerConnection from an SDP offer. Blocks until the gathering of ICE
 // candidates is complete and the answer is available in LocalDescription.
 // Installs an OnDataChannel callback that creates a webRTCConn and passes it to
@@ -356,9 +371,7 @@ func (sf *SnowflakeProxy) makePeerConnectionFromOffer(sdp *webrtc.SessionDescrip
 	dataChan chan struct{},
 	handler func(conn *webRTCConn, remoteAddr net.Addr)) (*webrtc.PeerConnection, error) {
 
-	s := webrtc.SettingEngine{}
-	s.SetICEMulticastDNSMode(ice.MulticastDNSModeDisabled)
-	api := webrtc.NewAPI(webrtc.WithSettingEngine(s))
+	api := sf.makeWebRTCAPI()
 	pc, err := api.NewPeerConnection(config)
 	if err != nil {
 		return nil, fmt.Errorf("accept: NewPeerConnection: %s", err)
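Review bot: The comment on the two new struct fields does not say when the range is honoured: makeWebRTCAPI later in this commit applies it only when both EphemeralMinPort and EphemeralMaxPort are non-zero, so a reader of the struct cannot tell that a zero in either field leaves the default ephemeral range in place. Operators set this to match a firewall rule, so the zero case is the one worth spelling out. Suggest replacing the comment with `// EphemeralMinPort and EphemeralMaxPort limit the pool of ports that ICE UDP connections can allocate from. The range is applied only when both are non-zero; otherwise the default ephemeral range is used.`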
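Review bot: The return value of settingsEngine.SetEphemeralUDPPortRange is discarded in makeWebRTCAPI; that method returns an error when the maximum is below the minimum, so an inverted range is silently ignored and the proxy allocates from the full ephemeral range instead of the one the operator's firewall was opened for. makeWebRTCAPI has no error return, but both callers (makePeerConnectionFromOffer and makeNewPeerConnection, in the next two hunks) already return an error, so the cleanest fix is to return `(*webrtc.API, error)` and have each caller use `api, err := sf.makeWebRTCAPI()` followed by the usual error return; fmt is already imported in this file. The non-zero guard is a reasonable "unset" sentinel but deserves a one-line comment saying that is what it means, e.g. `// Zero in either field means "not configured": keep the default range.`
```go
func (sf *SnowflakeProxy) makeWebRTCAPI() (*webrtc.API, error) {
	settingsEngine := webrtc.SettingEngine{}

	// Zero in either field means "not configured": keep the default range.
	if sf.EphemeralMinPort != 0 && sf.EphemeralMaxPort != 0 {
		if err := settingsEngine.SetEphemeralUDPPortRange(sf.EphemeralMinPort, sf.EphemeralMaxPort); err != nil {
			return nil, fmt.Errorf("ephemeral UDP port range %d-%d: %w", sf.EphemeralMinPort, sf.EphemeralMaxPort, err)
		}
	}

	// … unchanged: mDNS mode …

	return webrtc.NewAPI(webrtc.WithSettingEngine(settingsEngine)), nil
}
```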
@@ -446,9 +459,7 @@ func (sf *SnowflakeProxy) makePeerConnectionFromOffer(sdp *webrtc.SessionDescrip
 func (sf *SnowflakeProxy) makeNewPeerConnection(config webrtc.Configuration,
 	dataChan chan struct{}) (*webrtc.PeerConnection, error) {
 
-	s := webrtc.SettingEngine{}
-	s.SetICEMulticastDNSMode(ice.MulticastDNSModeDisabled)
-	api := webrtc.NewAPI(webrtc.WithSettingEngine(s))
+	api := sf.makeWebRTCAPI()
 	pc, err := api.NewPeerConnection(config)
 	if err != nil {
 		return nil, fmt.Errorf("accept: NewPeerConnection: %s", err)
diff --git a/proxy/main.go b/proxy/main.go
index 563b3de..a6e6a19 100644
--- a/proxy/main.go
+++ b/proxy/main.go
@@ -1,14 +1,18 @@
 package main
 
 import (
+	"errors"
 	"flag"
-	"git.torproject.org/pluggable-transports/snowflake.git/v2/common/event"
+	"fmt"
 	"io"
 	"io/ioutil"
 	"log"
 	"os"
+	"strconv"
+	"strings"
 	"time"
 
+	"git.torproject.org/pluggable-transports/snowflake.git/v2/common/event"
 	"git.torproject.org/pluggable-transports/snowflake.git/v2/common/safelog"
 	sf "git.torproject.org/pluggable-transports/snowflake.git/v2/proxy/lib"
 )
@@ -28,6 +32,27 @@ func main() {
 	SummaryInterval := flag.Duration("summary-interval", time.Hour, "the time interval to output summary, 0s disables summaries. Valid time units are \"s\", \"m\", \"h\". ")
 	verboseLogging := flag.Bool("verbose", false, "increase log verbosity")
 
+	var ephemeralPortsRange []uint16 = []uint16{0, 0}
+	flag.Func("ephemeral-ports-range", "ICE UDP ephemeral ports range (format: \"[min]:[max]\")", func(s string) error {
+		ephemeralPortsRangeParts := strings.Split(s, ":")
+		if len(ephemeralPortsRangeParts) == 2 {
+			ephemeralMinPort, err := strconv.ParseUint(ephemeralPortsRangeParts[0], 10, 16)
+			if err != nil {
+				return err
+			}
+
+			ephemeralMaxPort, err := strconv.ParseUint(ephemeralPortsRangeParts[1], 10, 16)
+			if err != nil {
+				return err
+			}
+
+			ephemeralPortsRange = []uint16{uint16(ephemeralMinPort), uint16(ephemeralMaxPort)}
+
+			return nil
+		}
+
+		return errors.New(fmt.Sprintf("Bad range port format: %v", s))
+	})
 
 	flag.Parse()
 
@@ -39,6 +64,8 @@ func main() {
 		BrokerURL: *rawBrokerURL,
 		KeepLocalAddresses: *keepLocalAddresses,
 		RelayURL: *relayURL,
+		EphemeralMinPort: ephemeralPortsRange[0],
+		EphemeralMaxPort: ephemeralPortsRange[1],
 		NATTypeMeasurementInterval: *NATTypeMeasurementInterval,
 		EventDispatcher: eventLogger,
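Review bot: The ephemeral-ports-range callback only checks that both halves parse as uint16; it does not reject min > max, and it accepts 0:0 or 0:N, which makeWebRTCAPI in proxy/lib/snowflake.go then treats as "not configured", so a mistyped range fails open to the default port range with no message at startup. Add after the second parse `if ephemeralMinPort > ephemeralMaxPort { return fmt.Errorf("bad port range: min %d > max %d", ephemeralMinPort, ephemeralMaxPort) }`, and if 0 is not meant to be a valid bound, reject it here too rather than relying on the library's silent skip. Separately, `errors.New(fmt.Sprintf(...))` is the pattern staticcheck S1028 flags; `return fmt.Errorf("bad port range format: %q", s)` is the idiomatic form and `%q` makes an empty or whitespace value visible in the error. The brackets in the usage string `[min]:[max]` read as optional parts although both are required; `min:max` would be clearer.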