You could create an alias for the inbound IPs for SIP/RTC and limit the
source on the NAT rule with that alias. Then your WebRTC users will
be unaffected because their src/dst/port triplet will not match that
NAT.
https://www.twilio.com/docs/api/voice/sip-interface - see IP address
whitelist.

I have an installation with a single public IP address that uses an
Asterisk PBX connected to a Twilio SIP Trunk. The provider does not offer
additional IP addresses.
Right now, in order for the SIP audio to work, I need to forward UDP ports
1-2 to the PBX since Twilio says media can come